This document explains how Google Security Operations extracts and uses entities
from ingested alerts. When Google SecOps ingests an alert,
it also includes the underlying security events. These events are analyzed to
extract key indicators—such as IP addresses, usernames, and domains—which are
then modeled as objects called entities. Each entity includes its own set
of properties.
View the properties of an entity
1. On the Cases page, select a case. In the default case view, the entities appear in the Entity Highlights section on the Case Overview and Alerts tabs.
2. Click View Details to open a side drawer that shows all properties of the selected entity.
3. Click an entity name to open the Entity Explorer in a new tab. The Entity Explorer displays all cases associated with the selected entity.
Entity Selection action
When an alert is ingested, a playbook is automatically or semi-automatically
triggered, depending on the configured conditions. Google SecOps uses
these playbooks to determine how to handle the alert.
Each action within a playbook operates on a specific group of entities. The
Entity Selection action lets you define these groups based on entity
properties. For example, you can create a group containing only internal
entities to be used with actions tailored for internal assets.
Use the Entity Selection action to build different groups depending on
the logic you want to apply. Grouping entities this way helps each action
operate only on the relevant entities.
Create a new entity group
To create an entity group using the Entity Selection action, follow these steps:
1. Go to the Playbooks page and click Open Step Selection.
2. In the Step Selection tab, select Actions > Flow.
3. Drag Entity Selection into the second box labeled Drag a step over here.
4. Double-click the Entity Selection box to configure the new group of entities.
5. Add the conditions needed to select the new group of entities. For example, select all IP address entities that were enriched by VirusTotal v3 and flagged as malicious by more than 10 engines.
6. Once defined, the new entity group becomes available for all subsequent actions in the playbook.
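The property-based selection described in step 5, modeled in Python as an added illustration (not Google SecOps code and not part of the original page). The Entity class, the operator names, and the property keys VT3_malicious_count and is_internal are assumptions made for this sketch; the sample entities are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Entity:
    # Hypothetical stand-in for a case entity: an identifier, a type, and a
    # flat property dictionary (enrichment values are modeled as strings).
    identifier: str
    entity_type: str
    properties: dict = field(default_factory=dict)

def _num(value):
    # Missing or non-numeric property values become None instead of raising.
    try:
        return float(value)
    except (TypeError, ValueError):
        return None

# Assumed operator set. A condition on a property the entity does not have
# is False, so entities that were never enriched cannot enter the group.
OPERATORS = {
    "equals": lambda actual, expected: actual is not None and str(actual) == str(expected),
    "greater_than": lambda actual, expected: _num(actual) is not None and _num(actual) > float(expected),
}

def select_entities(entities, conditions, entity_type=None):
    """Return entities (optionally of one type) that satisfy ALL conditions.
    Each condition is a (property_name, operator, expected) tuple."""
    return [
        e for e in entities
        if (entity_type is None or e.entity_type == entity_type)
        and all(OPERATORS[op](e.properties.get(name), expected)
                for name, op, expected in conditions)
    ]

# Constructed sample entities (documentation address ranges, not real data).
SAMPLE = [
    Entity("203.0.113.7", "ADDRESS", {"VT3_malicious_count": "14"}),
    Entity("198.51.100.23", "ADDRESS", {"VT3_malicious_count": "10"}),  # exactly 10 is not "more than 10"
    Entity("192.0.2.50", "ADDRESS", {"VT3_malicious_count": "N/A"}),    # enrichment returned no number
    Entity("10.0.0.5", "ADDRESS", {"is_internal": "true"}),            # internal host, never enriched
    Entity("bad.example", "DOMAIN", {"VT3_malicious_count": "30"}),     # wrong entity type for the IP group
]

def malicious_ip_group(entities=SAMPLE):
    # Step 5's example: IP address entities flagged by more than 10 engines.
    rule = [("VT3_malicious_count", "greater_than", 10)]
    return [e.identifier for e in select_entities(entities, rule, "ADDRESS")]

def internal_group(entities=SAMPLE):
    # The "only internal entities" group, across all entity types.
    return [e.identifier for e in select_entities(entities, [("is_internal", "equals", "true")])]
```

Only 203.0.113.7 lands in the malicious IP group: the threshold is strict, and entities with missing or non-numeric enrichment are excluded rather than treated as zero or as a match.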
Last updated 2025-08-29 UTC.