This topic has information about the Entities page in CSE UI, which lists all of the Entities in CSE and their Activity Scores, and the Entities > Details page, which presents information about a particular Entity, including Signals and Insights associated with the Entity.
The Entities page is useful for monitoring Entities that are close to having an Insight created. On the Entities > Details page, you can view Signals and Insights for an Entity, and, as desired, manually create an Insight from Signals associated with the Entity.
About the Entities list page
To view the Entities page, click Entities at the top of the CSE UI.
Here’s a screenshot of the Entities page.
- This area shows the total number of unique Entities in CSE.
- In the Filters area, you can filter the list of Entities by Activity Score, Hostname, IP Address, Username, Tags, Type, and Suppressed.
- In this area you can sort Entities by Activity Score, Name, or Type.
- Shows the Entity Type and its value.
- The current Activity Score for the Entity, which by default is the sum of the severities of the Signals that have fired on the Entity over the previous two weeks. For more information, see Understanding Entity Activity Scores, in the Insight Generation Process topic.
- If you see a link below the Entity value, it’s a tag. You can click it to filter Entities by that tag.
- If an Entity has the Suppressed indicator, that means that the Signal has been excluded from Insight generation, using the Suppression toggle on the Entity Details page, as described in the following section.
- The Criticality column shows whether a Criticality has been assigned to the Entity. A Criticality adjusts the severity of Signals for specific Entities based on some risk factor or other consideration. If a Criticality hasn't been assigned to an Entity, the column contains "default".
About the Entities Details page
When you click an Entity on the Entities page, a details page for the Entity appears.
- Suppression slider. Shows whether or not the Entity is currently suppressed. You can use the slider to suppress the Entity so that it is excluded from the Insight generation process.
- Tags. Lists any tags assigned to the Entity. You can add a new tag, select a tag to assign, or remove a tag from the Entity.
- Inventory. If the selected Entity is standard Entity type—an IP address, hostname, or username—this area provides selected information about the Inventory object associated with the Entity. You can click Show Full Details to see the complete object. (Inventory information is not provided for custom entity type.)
- Details. The value of the Entity, for example, an IP Address, Hostname, Username, Hostname, or the value of a custom Entity type.
- Related Entities. Related entities may appear if the current entity is an IP address. A related entity is a hostname or MAC address from which we have observed a Record in the log stream for which an IP and hostname or MAC appears in the same device within the Record.
- Audit Log. This area will list any audit events that have been logged for the Entity. An audit log is generated each time an Entity is suppressed or unsuppressed.
- Activity tab. This tab displays a visualization of Signals on the Entity over time.The x-axis is time, the y-axis is severity. The icons represent Signals.
- Related Entities tab. If related entities exist, this tab allows you to filter them by time.
- The Current State section lists Signals that were generated for the Entity during the current Detection Window that are not already part of an Insight. (The Detection Window is the period over which CSE evaluates Signals, which is 14 days, by default. The Detection Windows is configured on the Content > Custom Insights page in the CSE UI.)
- The Prior Activity section lists Signals that were generated for the Entity prior to the current Detection window, and all Insights for the Entity.
Create an Insight
You can create an Insight for an Entity based on one or more Signals on the Entity. To do so, checkmark each Signal you want to include in the Insight, and click Create Insight.
The page refreshes and shows the selected Signals grouped in a new Insight.