Create a Custom Entity Type

This topic has instructions for how to create custom Entity types in Cloud SIEM.

In Cloud SIEM, Entities are fundamental to the Insight generation process. When a Cloud SIEM Rule fires, it generates a Signal for each “on-Entity” attribute configured for the rule. Cloud SIEM correlates Signals by Entity to create Insights. This process is described in the Insight Generation Process topic.

Cloud SIEM has a number of built-in Entity types, for example, IP Address, Hostname, and Username.

When you create a Rule, in the Signal configuration section, the Rules Editor prompts you to select an “On-Entity” attribute from a list of all of the Cloud SIEM schema attributes that hold Entities. What if you want to correlate Signals by something other than an item that is one of Cloud SIEM standard Entity types? That’s what custom Entity types are for.

If you’d like to be able to correlate Signals by a different type of Entity, you can create a custom Entity type. For example, you might want to correlate Signals by file hash. When you create a custom Entity type, you identify the Cloud SIEM schema attributes that hold data of the custom type. Given the example of a file hash Entity type, you would select attributes that contain file hashes, like file_hash_md5, file_hash_sha1, and so on. The attributes you configure for your custom Entity type will be available in the On-Entity selector list in the Then Create a Signal section of the rule configuration UI. 

Just as for Entities of built-in types listed above—IP addresses, MAC addresses, hostnames, and so on—when a rule fires on a custom Entity, if the Entity doesn’t already exist in Cloud SIEM, it is added, and can be viewed on the Entity list page.

To create a custom Entity type:

1. In the top menu, click Configuration and choose Custom Types from the Entities column.
2. Click Create on the Custom Entity Types page. 
   
3. The Create Custom Entity Type popup appears.
   
4. Name. Enter a meaningful name for the custom Entity type. The name can include alphanumeric characters and spaces. The name you enter will appear as the Name of the custom Entity type on the Custom Entity Type page. 
5. Identifier. Enter a unique identifier for the custom Entity type. The Identifier can include lowercase alphanumeric characters. The Identifier of the Entity type doesn’t appear in the Cloud SIEM UI, but is used by the Cloud SIEM backend.
   note

   The Entity type Identifier cannot be changed once you’ve saved it.

6. Fields. Use the dropdown list to select the schema attribute or attributes you want to associate with the custom Entity type.
7. Click Create.