Entity Delimiters allow you to decide for each entity type and data source how
you want to map the incoming entity. You have full control whether to disable
delimiters for incoming entities, map a specific delimiter (up to 64
characters) or even use a regex instead.
For example, you might have several files come in as one entity separated by
commas and you want the system to treat each entity separately – in this
case you would set the delimiter to be a comma.
The entity delimiter can be used in one of two places:
Event Configuration > Mapping screen
Playbook action > Siemplify Create Entity
Event configuration > Mapping screen
Here you can configure mapping at field level. At the top of the screen, you
can click the Raw Event Properties icon to see the raw data from the event in the particular alert. The
screen itself shows a list of the Entity Fields and the System Fields with an
edit option allowing you to make changes to map the raw data to how you want
the information presented in the platform.
The following fields are available in the Map Fields Dialog box for each
entity or system field.
Field
Description
Extracted Field
Main field name in the raw event field to take information from.
Pro-tip. Use Contains or Starts with in order to divide the data into
separate fields. This can be useful if you have multiple fields like
url_1, url_2 to create multiple entries. Note that entities can
only equal "is" as each one is unique
Alternative Field 1
Fallback field in the raw event field to take information from if the
primary field cannot be located.
Alternative Field 2
Fallback field in the raw event field to take information from if both
primary and secondary cannot be located
Extraction Function
This function allows you to extract particular data or manipulate the
data from the raw event field. Three options. None: the raw data is
presented as is. Delimiter: Delimiter can be defined with a
character (or up to 64 characters) to divide the data into separate
entities. The default is Delimiter = , (comma) Regex: Uses a regex
to divide data into separate entities
Transformation Function
This enables you to "transform" information from the data
source to be compatible with the Siemplify database. Available functions
are:
TO_STRING, FROM_UNIXTIME_STRING_OR_LONG, FROM_CUSTOM_DATETIME, EXTRACT_BY_REGEX,
TO_IP_ADDRESS. Once you have chosen the function, you would add the
appropriate parameter. For example: select the
function FROM_CUSTOM_DATETIME and reformat the date and time to
%Y-%m-%DT%H:%M:%S Note that the transformation function applies
after the extraction function and in case of multiple entities created
by the extraction function – it will apply the transformation on
each one of them separately
Using delimiters in playbooks
You can also use delimiters in the Siemplify Create Entity action. For
example, in the Entities Identifiers field, you could have a list of IP
addresses separated by semi-colons. In the Delimiter field, you would add a
semi-colon. Note that the action will appear with a comma by default.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eEntity Delimiters in Google SecOps SOAR allow users to define how incoming data is mapped for each entity type and data source, providing options to disable delimiters, use specific delimiters (up to 64 characters), or utilize regex.\u003c/p\u003e\n"],["\u003cp\u003eDelimiters can be configured in two primary locations: the Event Configuration > Mapping screen for field-level mapping, and within the Playbook action > Siemplify Create Entity for manipulating entity identifiers.\u003c/p\u003e\n"],["\u003cp\u003eThe Mapping screen offers fields such as Extracted Field, Alternative Field 1 & 2, Extraction Function (None, Delimiter, Regex), and Transformation Function to customize data extraction and transformation from raw events.\u003c/p\u003e\n"],["\u003cp\u003eThe Extraction Function in the Mapping screen lets users divide data into separate entities using a specified delimiter or regex, with the default delimiter being a comma.\u003c/p\u003e\n"],["\u003cp\u003eThe Transformation Function allows for the alteration of data formats to be compatible with the Siemplify database after extraction, with functions like TO_STRING, FROM_UNIXTIME_STRING_OR_LONG, FROM_CUSTOM_DATETIME, EXTRACT_BY_REGEX, and TO_IP_ADDRESS available.\u003c/p\u003e\n"]]],[],null,["# Working with Entity Delimiters\n==============================\n\nSupported in: \nGoogle secops [SOAR](/chronicle/docs/secops/google-secops-soar-toc) \nEntity Delimiters allow you to decide for each entity type and data source how\nyou want to map the incoming entity. You have full control whether to disable\ndelimiters for incoming entities, map a specific delimiter (up to 64\ncharacters) or even use a regex instead.\n\nFor example, you might have several files come in as one entity separated by\ncommas and you want the system to treat each entity separately -- in this\ncase you would set the delimiter to be a comma.\n\nThe entity delimiter can be used in one of two places:\n\n- Event Configuration \\\u003e Mapping screen\n- Playbook action \\\u003e Siemplify Create Entity\n\nEvent configuration \\\u003e Mapping screen\n-------------------------------------\n\nHere you can configure mapping at field level. At the top of the screen, you\ncan click the **Raw Event Properties** icon to see the raw data from the event in the particular alert. The\nscreen itself shows a list of the Entity Fields and the System Fields with an\nedit option allowing you to make changes to map the raw data to how you want\nthe information presented in the platform.\n\n\nThe following fields are available in the Map Fields Dialog box for each\nentity or system field.\n\nUsing delimiters in playbooks\n-----------------------------\n\n\nYou can also use delimiters in the Siemplify Create Entity action. For\nexample, in the Entities Identifiers field, you could have a list of IP\naddresses separated by semi-colons. In the Delimiter field, you would add a\nsemi-colon. Note that the action will appear with a comma by default.\n[](/static/chronicle/images/soar/entitydelimiters.png)\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
