Entity selection

Supported in:

Google Security Operations ingests alerts from various sources. Each alert is ingested with its underlying base security events. Those security events are analyzed and their indicators — including IP addresses, usernames, and domains — are extracted into objects. Those objects are called entities. Each entity contains its own properties.

View the properties of an entity

  1. From the Cases page, select a case. In the default case view, the entities are displayed under Entity Highlights (in both the Case Overview tab and the Alerts tab.)
  2. Click View Details to view the properties of an entity. A side drawer opens to display all of the properties for that entity for the alert.
  3. Click an entity name to open the Entity Explorer in a new tab. The Entity Explorer displays all cases associated with the selected entity.

Entity Selection action

When an alert is ingested, a playbook is initiated and makes the appropriate decisions on how to proceed with the alert. Google SecOps performs these actions automatically or semi-automatically based on the playbook triggers upon any alert ingestion.

Each action in the playbook has a group of entities it runs on. The Entity Selection action creates new groups. Choose an action and then select a group of entities compatible with that action. For example, you might create a group containing only internal entities for actions designed to work specifically with them.

You may want to create a different group that recognizes and works on different sets of entities. Use the Entity Selection action to create a new entity group to run actions upon, based on entity properties.

Create a new group

To create a new group, follow these steps:

  1. In the Playbooks page, click Open Step Selection.
  2. In the Step Selection tab, select Actions and then select Flow.
  3. Drag Entity Selection into the second box labeled Drag a step over here.
  4. Double-click the box that is now labeled Entity Selection to create a new group of entities that can be used in other actions.
  5. Add the conditions needed to select the new group of entities. For example, select all IP Address entities that were enriched by VirusTotal v3 and found malicious by more than 10 engines.

    entityselect9
  6. You can now choose the new group in all the actions that follow the Entity Selection action.

Need more help? Get answers from Community members and Google SecOps professionals.