This document explains how you can add or edit entity enrichment properties directly from investigation pages as part of your
case investigation in Google Security Operations to work more efficiently during case analysis. You can add up to 100 entity properties to a single entity.
Add or edit entity properties across pages
Add or edit an entity enrichment property on the following pages:
Investigation: In the case view, click Explore to open the Investigation page.
Entity Explorer: In the case view, click the Entity Highlights widget and select the relevant entity.
Cases (Entities Highlights): In the case view, click an entity in
the Entity Highlights widget and then click View more to
open a side drawer with entity properties.
Cases (Entities Graph): In the case view, click the Entities Graph
widget and then click Entity. A side drawer opens with entity
properties.
Add an entity property
As part of the investigation, include other entity keys to enrich your case
investigation. Identify the kind of malware being used to better understand
the threat. This example shows how to create a new entity property called
Malware_family.
To add an entity property, follow these steps:
Go to the Cases queue.
Select the Virus Found or Security Risk Found case, and click
Explore to open the Investigation page.
Click addAdd.
Enter Malware_family as the Key and
Trojan.Generic as the Value.
Click Save to add the new entity property.
The new enrichment provides an additional layer of understanding during
your case investigation.
Add new or existing entities
To add new or existing entities, follow these steps:
Clickmore_vertAlert Options
and select Add Entity.
In the Add entities to alert dialog, select an entity from
either Add existing entities or Add new entity.
Enter an identifier and click
add
Add>Apply.
Edit an entity property
This example follows a use case where a file is marked as suspicious with
low confidence in a case related to a potential malware threat. After
running a TI enrichment block and investigation, you're confident that the
file is malicious and want to update the confidence_level
from Low to High.
To edit an entity property, follow these steps:
Go to the Cases page.
Go to the Virus Found or security risk found case, and
click Explore to open the Investigation page.
Click
tag
File Hash Entity on the Investigation page.
Hold the pointer over the confidence_level value in the side
drawer.
Click
more_vert
More and select View or edit property.
In the View or Edit Entity Property dialog, change the value of Confidence_level from Low
to High to highlight the potential risk of the hash entity. You can
also select a display format to control how the data appears in the side drawer.
Click Save.
The confidence level of the entity is updated and reflected in the side
drawer.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eEntity properties can be added or edited within Google SecOps SOAR to enhance case investigations, allowing up to 100 properties per entity.\u003c/p\u003e\n"],["\u003cp\u003eEntity properties can be modified through the Investigation, Entity Explorer, and Cases pages, offering flexibility in how users manage and interact with entity data.\u003c/p\u003e\n"],["\u003cp\u003eUsers can edit entity property values, such as changing a file hash's confidence level from "Low" to "High," to better reflect the risk assessment within a case.\u003c/p\u003e\n"],["\u003cp\u003eNew entity properties, like adding a "Malware_family" key, can be added to provide additional context and details during an investigation, enriching the available information.\u003c/p\u003e\n"],["\u003cp\u003eDisplay Format changes only alter the way data is shown without changing the underlying information of the entity property, and some entity properties, like isAttacker, once set to true, cannot be changed back to false.\u003c/p\u003e\n"]]],[],null,["# Add or edit entity properties\n=============================\n\nSupported in: \nGoogle secops [SOAR](/chronicle/docs/secops/google-secops-soar-toc) \n\nThis document explains how you can add or edit entity enrichment properties directly from investigation pages as part of your\ncase investigation in Google Security Operations to work more efficiently during case analysis. You can add up to 100 entity properties to a single entity.\n| **Note:** To add or edit entity properties, ensure the appropriate permissions are granted in the corresponding module in **Settings** . For more information, see [Working with permission groups](/chronicle/docs/soar/admin-tasks/permissions/working-with-permission-groups).\n\nAdd or edit entity properties across pages\n------------------------------------------\n\nAdd or edit an entity enrichment property on the following pages:\n\n- **Investigation** : In the case view, click **Explore** to open the **Investigation** page.\n- **Entity Explorer** : In the case view, click the **Entity Highlights** widget and select the relevant entity.\n- **Cases (Entities Highlights)** : In the case view, click an entity in the **Entity Highlights** widget and then click **View more** to open a side drawer with entity properties.\n- **Cases (Entities Graph)** : In the case view, click the **Entities Graph** widget and then click **Entity**. A side drawer opens with entity properties.\n\n### Add an entity property\n\n\nAs part of the investigation, include other entity keys to enrich your case\ninvestigation. Identify the kind of malware being used to better understand\nthe threat. This example shows how to create a new entity property called\n`Malware_family`.\n\nTo add an entity property, follow these steps:\n\n1. Go to the **Cases** queue.\n2. Select the **Virus Found or Security Risk Found** case, and click **Explore** to open the **Investigation** page.\n3. Click add **Add**.\n4. Enter `Malware_family` as the **Key** and `Trojan.Generic` as the **Value**.\n5. Click **Save** to add the new entity property.\n\nThe new enrichment provides an additional layer of understanding during\nyour case investigation.\n\n### Add new or existing entities\n\nTo add new or existing entities, follow these steps:\n\n1. Clickmore_vert**Alert Options** and select **Add Entity**.\n2. In the **Add entities to alert** dialog, select an entity from either **Add existing entities** or **Add new entity**.\n3. Enter an identifier and click add **Add** \\\u003e **Apply**.\n\n### Edit an entity property\n\n\nThis example follows a use case where a file is marked as suspicious with\nlow confidence in a case related to a potential malware threat. After\nrunning a TI enrichment block and investigation, you're confident that the\nfile is malicious and want to update the `confidence_level`\nfrom **Low** to **High**.\n\nTo edit an entity property, follow these steps:\n\n1. Go to the **Cases** page.\n2. Go to the **Virus Found or security risk found** case, and click **Explore** to open the **Investigation** page.\n3. Click tag **File Hash Entity** on the **Investigation** page.\n4. Hold the pointer over the **confidence_level** value in the side drawer.\n5. Click more_vert **More** and select **View or edit property**.\n6. In the **View or Edit Entity Property** dialog, change the value of **Confidence_level** from **Low** to **High** to highlight the potential risk of the hash entity. You can also select a display format to control how the data appears in the side drawer. **Note:** The display format affects only how the value is shown in the UI. It doesn't change the underlying data.\n7. Click **Save**.\n\nThe confidence level of the entity is updated and reflected in the side\ndrawer.\n| **Note:** You can't change entity properties, such as `isAttacker`, `isVulnerable`, and `isPivot` to **false** once it's set to **true**.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
