Map security event relationships with visual families
Visual families represent relationships between entities in a security event and help identify key actors and the flow of a security incident.
Additionally, visual families define which entity types can be involved in the event. When mapping event fields to entities, the allowable entity types are predetermined by the visual family assigned to that event type. Visual families are applied to events of a specific type or product, and are dynamically aggregated with other events to create a visual entity graph for the entire alert and case. You can view this graph from the Event configuration > visualization page or the Case explorer.
Google SecOps provides a collection of predefined visual families that cover many common alert types. The default visual family includes all entity types and fundamental relationships. Each visual family consists of multiple rules. Each rule contains up to four sources, up to four destinations, and a connection type. Both sources and destinations represent entity types relevant to the alert, and connections between them are either Linked or Typed.
- Typed connections link the primary entities (actors) within an alert. They typically represent an action performed by one entity on another (or itself) and are displayed as an arrowed line. Each visual family must contain a single typed connection rule.
- Linked connections connect two or more logically related entities, such as a hostname and IP address, or an email and username. They are represented by a dotted line, signifying this logical relationship.
Define a visual family
- Identify the event requiring a visual family.
- Classify and map the fields to their respective entity types. For this example, we will use the following Suspicious Connection event.

  ```json
  {
    "name": "Suspicious Connection",
    "product": "SecOps",
    "event_type": "Suspicious connection",
    "hostname": "USER_PC",
    "process_sha256": "6857fee8812490499164bb7efb7f457d038e82140bb1fa0adbd0dc018e404f84",
    "process_name": "notepad.exe",
    "destination_domain": "google.com",
    "destination_ip_address": "8.8.8.8"
  }
  ```

  Classify event fields to specific entity types as follows:

  | Field | Entity Type |
  | --- | --- |
  | hostname | SourceHostName |
  | process_name | SourceProcessName |
  | process_sha256 | FileHash |
  | destination_domain | DestinationDomain |
  | destination_ip_address | DestinationAddress |

- Navigate to Settings > Ontology > Visual Families.
- Select Add and enter a name and description.
- Define the mandatory typed connection rule by identifying the primary action. In this example, because a process created a connection to a domain, the process entity is the source and the domain entity is the destination.
- Define logically related entities with linked connection rules. Using the same event example, you can observe several relations:
  - `SourceProcessName` was executed on the `SourceHostName`.
  - The `SourceProcessName` hash is the `FileHash` entity.
  - `DestinationDomain` and `DestinationAddress` represent the process destination.
- Save the visual family. Once saved, you can optionally add an image that represents the visual family in the Settings > Ontology > Visual Families table.
Completing these steps produces the visual entity graph for the event: the typed (arrowed) connection from the process to the domain, with the hostname, file hash, and destination address attached by linked (dotted) connections.
Floating entities
Floating entities are those that appear in a graph without any connections to other entities. This can occur for two main reasons:
- The visual family doesn't have a rule to connect the floating entity type to an existing entity type in the event.
- The event itself is missing the data needed to map the source or destination entities.
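The rule model used in the walkthrough above and the two causes of floating entities, as an added Python example that is not Google SecOps code and not part of the original page: it encodes the Suspicious Connection event and the field-to-entity mapping from the steps above, the four rules the walkthrough defines, checks the family against the stated constraints (exactly one typed rule, at most four sources and four destinations per rule), builds the edges each rule contributes for a given event, and reports every entity type left without a connection together with which of the two causes applies. `Rule`, `family_errors`, and `analyze_event` are names chosen for this example, and the `username` field mapped to `SourceUserName` that demonstrates the missing-rule case is constructed.

```python
# Added example (not Google SecOps code): a visual family modelled as
# source/destination/connection rules, applied to a mapped event to build the
# entity graph and explain floating entities. Rule, family_errors and
# analyze_event are names chosen for this example.
from dataclasses import dataclass

# Suspicious Connection event from the walkthrough above.
SUSPICIOUS_CONNECTION = {
    "name": "Suspicious Connection",
    "product": "SecOps",
    "event_type": "Suspicious connection",
    "hostname": "USER_PC",
    "process_sha256": "6857fee8812490499164bb7efb7f457d038e82140bb1fa0adbd0dc018e404f84",
    "process_name": "notepad.exe",
    "destination_domain": "google.com",
    "destination_ip_address": "8.8.8.8",
}

# Field-to-entity-type mapping from the classification table above.
FIELD_TO_ENTITY = {
    "hostname": "SourceHostName",
    "process_name": "SourceProcessName",
    "process_sha256": "FileHash",
    "destination_domain": "DestinationDomain",
    "destination_ip_address": "DestinationAddress",
}


@dataclass(frozen=True)
class Rule:
    """One visual family rule: up to four source entity types, up to four
    destination entity types, and a connection type ("typed" or "linked")."""
    sources: tuple
    destinations: tuple
    connection: str


# The family defined in the walkthrough: one typed rule for the primary action
# (process -> domain) and linked rules for the logically related entities.
VISUAL_FAMILY = [
    Rule(("SourceProcessName",), ("DestinationDomain",), "typed"),
    Rule(("SourceProcessName",), ("SourceHostName",), "linked"),
    Rule(("SourceProcessName",), ("FileHash",), "linked"),
    Rule(("DestinationDomain",), ("DestinationAddress",), "linked"),
]


def family_errors(rules):
    """Return the constraint violations in a rule set (empty list if valid)."""
    errors = []
    typed = sum(1 for r in rules if r.connection == "typed")
    if typed != 1:
        errors.append(f"expected exactly one typed rule, found {typed}")
    for i, r in enumerate(rules):
        if len(r.sources) > 4 or len(r.destinations) > 4:
            errors.append(f"rule {i} has more than four sources or destinations")
        if r.connection not in ("typed", "linked"):
            errors.append(f"rule {i} has unknown connection type {r.connection!r}")
    return errors


def map_entities(event, mapping):
    """Map event fields to entity types; absent or empty fields yield no entity."""
    return {mapping[f]: v for f, v in event.items() if f in mapping and v}


def analyze_event(event, mapping=FIELD_TO_ENTITY, rules=VISUAL_FAMILY):
    """Apply the family's rules to one event and return the graph edges,
    the floating entity types, and why each one floats."""
    entities = map_entities(event, mapping)
    edges = []
    for rule in rules:
        for src in rule.sources:
            for dst in rule.destinations:
                # A rule only draws an edge when both ends are present in the event.
                if src in entities and dst in entities:
                    edges.append((src, dst, rule.connection))
    connected = {node for src, dst, _ in edges for node in (src, dst)}
    floating = sorted(set(entities) - connected)
    reasons = {}
    for ent in floating:
        # Mentioned by a rule but unconnected: the counterpart entity is missing
        # from the event. Mentioned by no rule: the family lacks a rule for it.
        mentioned = any(ent in r.sources or ent in r.destinations for r in rules)
        reasons[ent] = "missing data" if mentioned else "no rule"
    return {"entities": entities, "edges": edges, "floating": floating, "reasons": reasons}


if __name__ == "__main__":
    assert not family_errors(VISUAL_FAMILY)
    cases = [
        ("complete event", SUSPICIOUS_CONNECTION, FIELD_TO_ENTITY),
        # Constructed variant: destination_domain missing, so the typed rule
        # cannot fire and DestinationAddress has nothing to link to.
        ("missing destination_domain",
         {k: v for k, v in SUSPICIOUS_CONNECTION.items() if k != "destination_domain"},
         FIELD_TO_ENTITY),
        # Constructed variant: an extra username field mapped to an entity type
        # that no rule in this family mentions.
        ("extra SourceUserName", dict(SUSPICIOUS_CONNECTION, username="alice"),
         {**FIELD_TO_ENTITY, "username": "SourceUserName"}),
    ]
    for label, event, mapping in cases:
        result = analyze_event(event, mapping, VISUAL_FAMILY)
        print(f"{label}: {len(result['edges'])} edges, "
              f"floating={result['floating']} {result['reasons']}")
```

The `reasons` output is the check a practitioner wants when a graph shows a lone node: a type that some rule names but that still floats points at the event data (the other end of the rule never arrived), while a type no rule names points at the family definition. The same `analyze_event` call can be run over every event in an alert and the edge lists unioned to approximate the aggregated graph described at the top of the page.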