Sumo Logic

Create an Entity Group

You can use Entity Groups to automatically group entities in terms of criteria, like name or IP Address.

An administrator can use CSE’s Entity Groups feature to define groups of Entities and to assign attributes to them at the group level. You can define the members of an Entity Group based on Entity name, an IP address range, or membership in a group in an Inventory system like Active Directory. Note that membership in an Entity Group is not configured by explicitly assigning individual Entities to the group. Instead you define an Entity Group in terms of criteria, like name or IP address, so that when Entities are created in the future, they will automatically inherit the properties of Entity Groups they match without manual edits. 

You can assign criticality, tags, and suppression status to an Entity Group, and those settings will be applied to all of the Entities in the group.

Consider an Entity Group configured to: 

  • Include any host in the Active Directory “laptops” group, and 
  • Set a (pre-configured) criticality to group members. 

Each laptop in the “laptops” group will automatically inherit the criticality defined for the Entity Group, and so will laptops assigned to the “laptops” group in the future. In other words, when an Entity is added to CSE, if it matches the membership criteria of an existing Entity Group, it will be automatically added to that group. 

Note that when an Insight is created, any tags that are assigned to the primary Entity in the Insight are automatically inherited by the Insight. So, tags that an Entity inherits from an Entity Group will also be inherited by Insights that fire on the Entity. (Such inheritance is not retroactive: Insights that fired on an Entity before the Entity was tagged won’t be tagged.)

Overlapping Entity Groups

It’s possible to define Entity Groups that overlap, in terms of the Entities they contain. However, for the sake of simplicity, we recommend you configure your Entity Groups to not overlap. If an Entity does belong to more than one group, CSE applies tags, criticality, and suppression status in this order: 

  1. Entity Groups based on Inventory source and group are processed in alphabetical order, by Entity Group name.
  2. Entity Groups based on IP address ranges are processed in order from most specific (smallest block) to least specific (largest block).
  3. Entity Groups based on name are processed in order by the length of the match string configured as the Prefix or Suffix, then alphabetically by Entity Group name.

Create an Entity Group based on Entity attributes

Follow these instructions to create an Entity Group based on Entity name or whether the Entity is within a specified range of IP addresses.

  1. Click the gear icon in the Cloud SIEM UI and choose Groups under Entities.
    gear-menu.png
  2. On the Entity Groups page, click Create.
    entity-group-list-page.png
  3. The Create Entity Group popup appears. (In the screenshot below, values are already entered.)
    create-entity-group-values.png
  4. Name. Enter a name for the Entity Group.
  5. Description. (Optional.)
  6. Group Entities matching the following. Select Values.
  7. Entity Type. Select one of the following Entity types:
    • IP Address
    • MAC Address
    • Username
    • Hostname
  8. Match Condition. Select one of the following match types:
    • Prefix. After you select this option, a Prefix field appears. Enter a string that matches the leading characters of the names of the Entities you want to include in the group. 
    • Suffix. After you select this option, a Suffix field appears. Enter a string that matches the trailing characters of the names of the Entities you want to include in the group. 
    • IP Address Range. After you select this option, an IP Address Range field appears. Enter a CIDR block of IP addresses. 
    • Sensor Zone. This field is present if you selected IP Address as the Entity Type above. Optionally, select a Sensor Zone from the pulldown. 
  9. Tags. Select any tags you’d like to apply to Entities in the group.
  10. Criticality. If desired, select a Criticality.
  11. Suppression. Select Suppressed if you want to suppress Signals on Entities in the group. 
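The membership rules above (Prefix, Suffix, IP Address Range, inventory group) and the precedence order from the "Overlapping Entity Groups" section are easiest to reason about with a small model. The following is an added example written for this page, not Sumo Logic's code, and it makes two assumptions the page does not state: when several groups match, the first group in the documented processing order that sets a Criticality wins, tags accumulate in that order, and any matching group marked Suppressed suppresses; and name-based groups are ordered with the longest Prefix or Suffix string first. All group names, ranges and tags are constructed.

```python
"""Added example, not Sumo Logic's code: a model of Entity Group membership
and the precedence order for overlapping groups described on this page.
Assumptions not stated on the page: (1) the first matching group in the
documented order that sets a criticality wins, tags accumulate in that order,
and any matching group marked Suppressed suppresses; (2) name-based groups are
ordered with the longest Prefix/Suffix string first."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class EntityGroup:
    name: str
    kind: str                 # "inventory", "ip_range", "prefix" or "suffix"
    entity_type: str          # "IP Address", "MAC Address", "Username", "Hostname"
    match: str                # inventory group name, CIDR block, or prefix/suffix text
    tags: list = field(default_factory=list)
    criticality: Optional[str] = None
    suppressed: bool = False


@dataclass
class Entity:
    value: str
    entity_type: str
    inventory_groups: frozenset = frozenset()   # e.g. Active Directory group names


def matches(group: EntityGroup, entity: Entity) -> bool:
    """Membership test for one group against one Entity."""
    if group.kind == "inventory":
        return group.match in entity.inventory_groups
    if group.entity_type != entity.entity_type:
        return False
    if group.kind == "ip_range":
        try:  # a malformed address or block is simply not a member
            return ipaddress.ip_address(entity.value) in ipaddress.ip_network(group.match, strict=False)
        except ValueError:
            return False
    if group.kind == "prefix":
        return entity.value.startswith(group.match)
    if group.kind == "suffix":
        return entity.value.endswith(group.match)
    raise ValueError(f"unknown group kind {group.kind!r}")


def precedence_key(group: EntityGroup):
    """Sort key implementing the page's three-step order for overlapping groups."""
    if group.kind == "inventory":                       # 1. alphabetical by group name
        return (0, group.name.lower())
    if group.kind == "ip_range":                        # 2. smallest block first
        prefixlen = ipaddress.ip_network(group.match, strict=False).prefixlen
        return (1, -prefixlen, group.name.lower())
    return (2, -len(group.match), group.name.lower())   # 3. longest match string first (assumed)


def resolve(entity: Entity, groups) -> dict:
    """Apply matching groups in precedence order and return the inherited attributes."""
    matched = sorted((g for g in groups if matches(g, entity)), key=precedence_key)
    tags, criticality, suppressed = [], None, False
    for g in matched:
        for t in g.tags:
            if t not in tags:
                tags.append(t)
        if criticality is None and g.criticality is not None:
            criticality = g.criticality      # first (most specific) group wins, by assumption
        suppressed = suppressed or g.suppressed
    return {"matched": [g.name for g in matched], "tags": tags,
            "criticality": criticality, "suppressed": suppressed}


# Constructed sample groups; names, ranges and tags are illustrative only.
GROUPS = [
    EntityGroup("Corp Laptops", "inventory", "Hostname", "laptops", ["endpoint"], "Medium"),
    EntityGroup("Corp Network", "ip_range", "IP Address", "10.0.0.0/8", ["corp"], "Low"),
    EntityGroup("DB Subnet", "ip_range", "IP Address", "10.20.30.0/24", ["DB Server"], "High"),
    EntityGroup("Admin Accounts", "prefix", "Username", "adm-", ["admin"], "High"),
    EntityGroup("Service Admins", "prefix", "Username", "adm-svc-", ["service"], "Critical"),
    EntityGroup("Lab Hosts", "suffix", "Hostname", ".lab.example.com", ["lab"], None, True),
]

if __name__ == "__main__":
    for e in (Entity("10.20.30.7", "IP Address"),
              Entity("adm-svc-backup", "Username"),
              Entity("build01.lab.example.com", "Hostname", frozenset({"laptops"})),
              Entity("192.168.1.5", "IP Address")):
        print(e.value, "->", resolve(e, GROUPS))
```

Running it shows the /24 group ordered before the /8 group for 10.20.30.7, the longer "adm-svc-" prefix ordered before "adm-", and a laptop in the lab domain picking up attributes from both an inventory group and a suffix group. A value that is not a valid IP address never matches an IP Address Range group.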

Create an Entity Group based on inventory group membership

Follow these instructions to create an Entity Group that corresponds to a group in an inventory service in your infrastructure.

  1. Click the gear icon in the Cloud SIEM UI and choose Groups under Entities.
    gear-menu.png
  2. On the Entity Groups page, click Create.
    entity-group-list-page.png
  3. The Create Entity Group popup appears. (In the screenshot below, values are already entered.)
    create-entity-group-inventory.png
  4. Name. Enter a name for the Entity Group.
  5. Description. (Optional.)
  6. Group Entities matching the following. Select Inventory.
  7. Inventory Type. Select one of:
    • Computer
    • User
  8. Source. Select an inventory source from the pull-down list.
  9. Group. Enter the name of the group in the inventory system that contains the entities you want to add to the Entity Group.
  10. Tags. Select any tags you’d like to apply to Entities in the group.
  11. Criticality. If desired, select a Criticality.
  12. Suppression. Select Suppressed if you want to suppress Signals on Entities in the group. 

Using tags in CSE rule expressions

If you've applied a tag to an Entity, you can use the tag in a rule expression. For example, if you've attached a keyword tag "DB Server" to an Entity, this array_contains statement returns "true" if the Entity in a Record's srcDevice_ip field has the tag "DB Server":

array_contains(fieldsTags["srcDevice_ip"], "DB Server")
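To see what that expression does over concrete Records, including a Record whose source Entity is untagged and one with no srcDevice_ip field at all, here is an added example written for this page (not Sumo Logic's rule engine or code). It assumes that fieldsTags maps each Entity-bearing Record field to the list of tags on the Entity that field refers to, and that an untagged Entity yields an empty list; the Record fields, addresses and tags are constructed.

```python
"""Added example, not Sumo Logic's code: evaluates the page's
array_contains(fieldsTags["srcDevice_ip"], "DB Server") check against
constructed Records. Assumes fieldsTags maps each Entity-bearing Record field
to the list of tags on the Entity that field refers to (empty when untagged)."""

# Constructed lookup: Entity value -> tags it inherited from Entity Groups.
ENTITY_TAGS = {
    "10.20.30.7": ["DB Server", "corp"],
    "10.0.5.9": ["corp"],
}

# Record fields that carry an Entity (assumed names; srcDevice_ip is from the page).
ENTITY_FIELDS = ("srcDevice_ip", "dstDevice_ip")


def fields_tags(record: dict) -> dict:
    """Build the fieldsTags map for one Record from the Entity tag lookup."""
    return {f: list(ENTITY_TAGS.get(record[f], []))
            for f in ENTITY_FIELDS if f in record}


def array_contains(array, value) -> bool:
    """Rule-language style array_contains: True only if value is an element of array."""
    return array is not None and value in array


def rule_matches(record: dict) -> bool:
    """Equivalent of array_contains(fieldsTags["srcDevice_ip"], "DB Server")."""
    return array_contains(fields_tags(record).get("srcDevice_ip"), "DB Server")


# Constructed Records: only the first has a tagged DB Server as the source Entity.
RECORDS = [
    {"srcDevice_ip": "10.20.30.7", "dstDevice_ip": "10.0.5.9"},
    {"srcDevice_ip": "10.0.5.9", "dstDevice_ip": "10.20.30.7"},    # DB Server is the destination
    {"srcDevice_ip": "172.16.4.2", "dstDevice_ip": "10.20.30.7"},  # untagged source Entity
    {"dstDevice_ip": "10.20.30.7"},                                # no srcDevice_ip field at all
]

if __name__ == "__main__":
    for r in RECORDS:
        print(r, "->", rule_matches(r))
```

Only the first Record matches: the tag must be on the Entity in the field the expression names, so a tagged destination, an untagged source, or a missing srcDevice_ip field all evaluate to false rather than raising an error.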

API support

You can use the CSE /entity-group-configuration API to create, read, update, and delete Entity Groups. For more information, see CSE APIs.