View and Manage Entities
This topic has information about the Entities page in Cloud SIEM UI, which lists all of the Entities in Cloud SIEM and their Activity Scores, and the Entities > Details page, which presents information about a particular Entity, including Signals and Insights associated with the Entity.
The Entities page is useful for monitoring Entities that are close to having an Insight created. On the Entities > Details page, you can view Signals and Insights for an Entity, and, as desired, manually create an Insight from Signals associated with the Entity.
You can also update the tags, suppression state, and Criticality assigned to Entities, as described below in the Update Multiple Entities section.
About Entities
In Cloud SIEM, an Entity is a unique actor that a Signal fired upon. Cloud SIEM has a number of built-in Entity types:
- Command
- Domain
- File
- Hash
- Hostname
- IP Address
- MAC Address
- Process
- URL
- User Agent
- Username
You can create custom Entity types as well. For more information, see Create a Custom Entity Type.
When a Signal is fired, if an Entity doesn’t already exist in Cloud SIEM for the item that the Signal fired on, Cloud SIEM creates an Entity for it. For more information about Entities and Signal and Insight generation, see Insight Generation Process.
About the Entities list page
Classic UI. To view Entities, click Entities at the top of the screen.
New UI. To view Entities, in the main Sumo Logic menu select Cloud SIEM > Entities. You can also click the Go To... menu at the top of the screen and select Entities.
Letter | Description |
---|---|
a | This area shows the total number of unique Entities in Cloud SIEM. |
b | In the Filters area, you can filter the list of Entities by Activity Score, Hostname, IP Address, Username, Tags, Type, and Suppressed. |
c | In this area you can sort Entities by Activity Score, Name, or Type. |
d | The Import Metadata option allows you to upload a .csv file of updates to Entity tags, suppression state, and Criticality, as described in Update Multiple Entities. |
e | Shows the Entity Type and its value. |
f | If an Entity has the Suppressed indicator, that means that Signals will not be fired on the Entity. |
g | The Criticality column shows whether a Criticality has been assigned to the Entity. A Criticality adjusts the severity of Signals for specific Entities based on some risk factor or other consideration. If a Criticality hasn't been assigned to an Entity, the column contains "default". |
h | The current Activity Score for the Entity, which by default is the sum of the severities of the Signals that have fired on the Entity over the previous two weeks. For more information, see Understanding Entity Activity Scores, in the Insight Generation Process topic. |
i | The total amount of Signal severity for the Entity. |
If you see a link below the Entity value, it’s a tag. You can click it to filter Entities by that tag.
About the Entities Details page
When you click an Entity on the Entities page, a details page for the Entity appears.
Letter | Description |
---|---|
a | Suppression. Shows whether or not the Entity is currently suppressed. You can use the slider to suppress the Entity so that it is excluded from the Insight generation process. |
b | Automations. Click to view automations available to be run on the Entity. |
c | Tags. Lists any tags assigned to the Entity. You can add a new tag, select a tag to assign, or remove a tag from the Entity. |
d | Criticality. An Entity’s Criticality is a setting that adjusts the severity of Signals that fire on the Entity, based on a risk factor or other consideration. You can reset the Criticality here. |
e | Signal Severity Total. The total amount of Signal severity for the Entity. |
f | Indicators. The indicators on the Entity, whether from enrichments or threat intelligence. |
g | Metadata. This section lists the contents of enrichment fields that were added during Record processing. |
h | Network Blocks. Network blocks for the Entity. |
i | Inventory. If the selected Entity is a standard Entity type (as opposed to a custom Entity type), this area provides selected information about the Inventory object associated with the Entity. (Inventory information is not provided for custom Entity types.) Inventory data is customer-provided or third-party-provided information that describes devices and users, along with contact information and job descriptions. Cloud SIEM joins inventory data on demand with data from Entities in Insights data to provide context to Signals. |
j | Notes. Contains any notes added to the Entity. |
k | Audit Log. This area will list any audit events that have been logged for the Entity. An audit log is generated each time an Entity is suppressed or unsuppressed. |
l | Recent Activity. Provides a count of how many Signals or Insights included the Entity within the last 30 days. Click the plus sign (+) next to Signals or Insights to expand the list. |
m | Activity. This tab displays a visualization of Signals on the Entity over time. The x-axis is time, the y-axis is severity. The icons represent Signals. |
n | Enrichments tab. If you use Cloud SIEM’s automation as a service, Entity enrichments obtained from Cloud SOAR may be available on this tab. |
o | Timeline. A timeline appears for the Entity's activity over a three-day period. For more information, see About the Entity Timeline tab. |
p | Related Entities. Entities related to the current Entity. |
q | Automations. Automations that have been run on the Entity. |
r | Create Insight. You can use this option to create an Insight on the Entity, as described below in Create an Insight. |
s | The Current State section lists Signals that were generated for the Entity during the current Detection Window that are not already part of an Insight. (The Detection Window is the period over which Cloud SIEM evaluates Signals, which is 14 days, by default. The Detection Window is configured on the Content > Custom Insights page in the Cloud SIEM UI.) |
Below the Current State section there may be a Prior Activity section. This section lists Signals that were generated for the Entity prior to the current Detection Window, and all Insights for the Entity.
About the Entity Timeline tab
The Entity Timeline tab provides visibility into Entity inventory data, Entity relationships, Records, Signals, and Insights over a default three-day time period. This view gives information about what else the Entity was doing before, during, and after Signals and Insights involving the Entity were generated.
The right side of the tab organizes Records by Record Type and vendor, with a Record count. For example, the screenshot below indicates that there were two email Records from Microsoft Office 365 at 4:41:02 AM. The orange icon to the left of the Record summary indicates that the Record aggregation contains a Signal. The indented item below the Record summary is a link to the Signal.
Similarly, a red icon indicates that the Record set contains an Insight, and the link below the summary is a link to the Insight.
You can view a summary of the Records in a Record set by clicking on it. The Records are listed on the right side of the Entity Timeline tab. To view the complete Record, click the link in the upper right corner of the card for a Record.
Create an Insight
You can create an Insight for an Entity based on one or more Signals on the Entity. To do so, checkmark each Signal you want to include in the Insight, and click Create Insight.
The page refreshes and shows the selected Signals grouped in a new Insight.
Update multiple Entities
This section describes how to update the tags, suppression state, or Criticality for one or more Entities.
Update Entities from the UI
- Classic UI. Click Entities at the top of the screen.
  New UI. In the main Sumo Logic menu select Cloud SIEM > Entities. You can also click the Go To... menu at the top of the screen and select Entities.
- Note that there is a checkbox at the left end of each Entity row, and one above the Entities list.
- Click the top checkbox to select all of the Entities on the page, or click the checkbox next to each Entity you want to update.
- Note that once you select an Entity, three options appear at the top of the Entities list.
See the instructions for each option below:
Update tags
- After selecting the Entities you want to update, click Update Tags.
- Click the down arrow to display the options:
  - Add. Select this option to add one or more tags to the Entity, without affecting any tags already assigned to the Entity. You’re prompted to select a tag. If you select a schema tag, you’re prompted to select a tag value. You can select multiple tags to add.
  - Remove. Select this option to remove one or more tags from the Entity. You’re prompted to select a tag. If you select a schema tag, you’re prompted to select a tag value. You can select multiple tags to remove. If a selected Entity doesn't have the specified tags, no change will be made to the Entity.
  - Replace. Select this option to remove all of the tags currently assigned to the Entity and add one or more specified tags. You’re prompted to select a tag. If you select a schema tag, you’re prompted to select a tag value.
    Info: When you use the Replace option, be sure to specify new tags. If you do not, the existing tags will still be removed.
- As you select tags, they’ll appear in the update popup.
- When you are done selecting tags, click Update Entity Tags.
Update suppression
- After selecting the Entities you want to update, click Update Suppression.
- The Update Suppression popup appears, with the suppression toggle set to Not Suppressed.
- If you want to unsuppress the selected Entities, click Update Entity Suppression. Otherwise, if you want to suppress the Entity, toggle the slider to Suppressed, supply a comment if desired, and then click Update Entity Suppression.
Update Criticality
- After selecting the Entities you want to update, click Update Criticality.
- The Update Criticality popup appears.
- If you want to assign default Criticality to the selected Entities, click Update Entity Criticality. Otherwise, use the down arrow to view defined Criticalities, select one, and then click Update Entity Criticality.
Import Entity updates from a CSV file
You can update Entities by uploading a .csv file to Cloud SIEM.
CSV file format
There are two supported formats. The difference is in how you identify the target Entity.
- Format 1: You use the id field to specify a target Entity.
  id, suppressed, criticality, tags, tags_to_add, tags_to_remove
- Format 2: You use the type and value fields to specify the target Entity.
  type, value, suppressed, criticality, tags, tags_to_add, tags_to_remove
Regardless of the format you use, there are a couple of approaches to updating Entity tags.
- You can use tags_to_add and tags_to_remove to add new tags and remove existing tags, respectively.
- You can use a tags value to specify replacement tags. This will remove all existing tags and add all of the specified replacement tags.
See the next section for column definitions.
CSV columns
The table below defines the columns in the .csv file.
Note that:
- The first row of the .csv file must contain all supported columns.
- The .csv file must contain either values in the id column or values in both the type and value columns, and a value in at least one other column.
- If a row has a value in the tags column, it can’t have values in either the tags_to_add or the tags_to_remove column.
Column | Description |
---|---|
id | This field is required for Format 1. To form the id field value, concatenate the Entity type and the value of the Entity, separated by a dash character (-), where the Entity type is one of the following: _ip, _hostname, _username, _mac, _process, _command, _hash, _domain, _useragent, _email, _url, _file, <CustomEntityTypeId> (the id for an IP address would look like: _ip-1.2.3.4). You can optionally specify an Entity’s sensor zone as a part of the id column, in this format: _<entity_type>-<sensor_zone>-<entity_value> (for example: _ip-zone1-172.18.20.3) |
type | This field is required for Format 2. Identifies the type of Entity, one of: _ip, _hostname, _username, _mac, _process, _command, _hash, _domain, _useragent, _email, _url, _file, <CustomEntityTypeId> |
value | This field is required for Format 2. The value of the Entity, for example, for an IP address: 1.2.3.4 |
sensor_zone | Identifies the sensor zone for the Entity. Don’t include this column if you are specifying Entity sensor zones in the id column, as described above. |
suppressed | When true, Cloud SIEM suppresses the Entity. |
criticality | Assigns a Criticality to the Entity. (An Entity’s Criticality is a setting that adjusts the severity of Signals that fire on the Entity, based on a risk factor or other consideration.) You can only specify a Criticality that has already been configured in Cloud SIEM. Allowable values: default, <CustomCriticality> |
tags | The tags to assign to the target. This column can’t be present if the file contains a tags_to_add or tags_to_remove column. Specify a schema key tag as key:value. To assign multiple tags, enclose them in double quotes. For example: "<tag>,<tag>,<tag>" or "<key>:<value>,<key>:<value>" |
tags_to_add | The tag to assign to the target Entity. This column can’t be present if the file contains a tags column. Specify a schema key tag as key:value. |
tags_to_remove | The tag to remove from the target Entity. This column can’t be present if the file contains a tags column. Specify a schema key tag as key:value. |
Example CSV files
Format 1 example
id,suppressed,criticality,tags,tags_to_add,tags_to_remove
_ip-zone1-10.0.0.5,false,default,,Office-Based,
_ip-zone1-10.0.0.6,true,default,,Office-Based,Remote
_ip-zone1-10.0.0.7,false,default,,Office-Based,
Format 2 example
type,value,sensor_zone,suppressed,criticality,tags,tags_to_add,tags_to_remove
_ip,10.0.0.5,zone1,false,default,Frequent-Travel,,
_ip,10.0.0.6,zone1,true,default,,Office-Based,Remote
_ip,10.0.0.7,zone1,false,default,,Office-Based,
Upload CSV file
After creating the file, click Import Metadata in the upper right of the Entities page and upload the file.
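A pre-upload check for the CSV rules in this section, written as an added Python example (not Sumo Logic code): it reports rows that break the id or type-plus-value rule and the tags rule, and separately lists rows that suppress an Entity or replace its tags, so those can be reviewed before import. The function name, the sample rows, and the two assumptions noted in the comments (custom Entity type ids do not begin with an underscore; sensor_zone does not count as an update column) are assumptions of this example.

```python
import csv
import io

# Built-in type prefixes from the page's column table. Assumptions: custom Entity
# type ids do not start with an underscore (so they are not checked), and
# sensor_zone identifies the target, so it does not count as an update column.
BUILTIN_TYPES = {"_ip", "_hostname", "_username", "_mac", "_process", "_command",
                 "_hash", "_domain", "_useragent", "_email", "_url", "_file"}
UPDATE_COLUMNS = ("suppressed", "criticality", "tags", "tags_to_add", "tags_to_remove")


def lint_entity_csv(text):
    """Return (errors, review): rule violations, and rows a reviewer should approve."""
    errors, review = [], []
    reader = csv.DictReader(io.StringIO(text))
    for raw in reader:
        where = f"line {reader.line_num}: "
        row = {k: (v or "").strip() for k, v in raw.items() if k}
        ident, etype, value = row.get("id", ""), row.get("type", ""), row.get("value", "")
        # The target is given as id (Format 1) or as type plus value (Format 2).
        if ident:
            etype = ident.split("-", 1)[0]
        elif not (etype and value):
            errors.append(where + "needs id, or both type and value")
            continue
        if etype.startswith("_") and etype not in BUILTIN_TYPES:
            errors.append(where + f"unknown built-in Entity type {etype!r}")
        if not any(row.get(c) for c in UPDATE_COLUMNS):
            errors.append(where + "no value in any update column")
        if row.get("tags") and (row.get("tags_to_add") or row.get("tags_to_remove")):
            errors.append(where + "tags cannot be combined with tags_to_add/tags_to_remove")
        # Valid but worth a second look: suppression stops Signals firing on the
        # Entity, and a tags value removes every tag the Entity already has.
        if row.get("suppressed", "").lower() == "true":
            review.append(where + f"suppresses {ident or etype + '-' + value}")
        if row.get("tags"):
            review.append(where + "replaces all existing tags")
    return errors, review


# Constructed sample (not from the page): one valid row, then two that break the rules.
SAMPLE = """id,suppressed,criticality,tags,tags_to_add,tags_to_remove
_ip-zone1-10.0.0.6,true,default,,Office-Based,Remote
_ipv4-10.0.0.7,false,default,Lab,Office-Based,
,false,default,,Office-Based,
"""

if __name__ == "__main__":
    errs, rev = lint_entity_csv(SAMPLE)
    print("\n".join(["ERROR " + e for e in errs] + ["REVIEW " + r for r in rev]))
```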