Skip to main content

View and Manage Entities

This topic has information about the Entities page in Cloud SIEM UI, which lists all of the Entities in Cloud SIEM and their Activity Scores, and the Entities > Details page, which presents information about a particular Entity, including Signals and Insights associated with the Entity.

The Entities page is useful for monitoring Entities that are close to having an Insight created. On the Entities > Details page, you can view Signals and Insights for an Entity, and, as desired, manually create an Insight from Signals associated with the Entity.

You can also update the tags, suppression state, and Criticality assigned to Entities, as described below in the Update Multiple Entities section below. 

Watch this micro lesson to learn more about Entities.

About Entities​

In Cloud SIEM, an Entity is a unique actor that a Signal fired upon. Cloud SIEM has a number of built-in Entity types:

  • Command
  • Domain
  • Email
  • File
  • Hash
  • Hostname
  • IP Address
  • MAC Address
  • Process
  • URL
  • User Agent
  • Username

You can create custom Entity types as well. For more information, see Create a Custom Entity Type.

When a Signal is fired, if an Entity doesn’t already exist in Cloud SIEM for the item that the Signal fired on, Cloud SIEM creates an Entity for it. For more information about Entities and Signal and Insight generation, see Insight Generation Process.

About the Entities list page​

Classic UI. To view Entities, click Entities at the top of the screen.

New UI. To view Entities, in the main Sumo Logic menu select Cloud SIEM > Entities. You can also click the Go To... menu at the top of the screen and select Entities.

Entities page
LetterDescription
aThis area shows the total number of unique Entities in Cloud SIEM.
bIn the Filters area, you can filter the list of Entities by Activity Score, Hostname, IP Address, Username, Tags, Type, and Suppressed.
cIn this area you can sort Entities by Activity Score, Name, or Type. 
dThe Import Metadata option allows you to upload a .csv file of updates to Entity tags, suppression state, and Criticality, as described in Update Multiple Entities.
eShows the Entity Type and its value. 
fIf an Entity has the Suppressed indicator, that means that Signals will not be fired on the Entity. 
gThe Criticality column shows whether a Criticality has been assigned to the Entity. A Criticality adjusts the severity of Signals for specific Entities based on some risk factor or other consideration. If a Criticality hasn't been assigned to an Entity, the column contains "default".
hThe current Activity Score for the Entity, which by default is the sum of the severities of the Signals that have fired on the Entity over the previous two weeks. For more information, see Understanding Entity Activity Scores, in the Insight Generation Process topic.
iThe total amount of Signal severity for the Entity.

If you see a link below the Entity value, it’s a tag. You can click it to filter Entities by that tag.

About the Entities Details page​

When you click an Entity on the Entities page, a details page for the Entity appears.

Entity details page
LetterDescription
aSuppression. Shows whether or not the Entity is currently suppressed. You can use the slider to suppress the Entity so that it is excluded from the Insight generation process. 
bAutomations. Click to view automations available to be run on the Entity.
cTags. Lists any tags assigned to the Entity. You can add a new tag, select a tag to assign, or remove a tag from the Entity.
dCriticality. An Entity’s Criticality is a setting that adjusts the severity of Signals that fire on the Entity, based on a risk factor or other consideration. You can reset the Criticality here.
eSignal Severity Total. The total amount of Signal severity for the Entity.
fIndicators. The indicators on the Entity, whether from enrichments or threat intelligence.
gMetadata. This section lists the contents of enrichment fields that were added during Record processing.
hNetwork Blocks. Network blocks for the Entity.
iInventory. If the selected Entity is standard Entity type (as opposed to a custom Entity type), this area provides selected information about the Inventory object associated with the Entity. (Inventory information is not provided for custom entity types.) Inventory data is customer or 3rd-party provided information that describes devices and users along with contact information and job descriptions. Cloud SIEM joins inventory data on demand with data from Entities in Insights data to provide context to Signals.
jNotes. Contains any notes added to the Entity.
kAudit Log. This area will list any audit events that have been logged for the Entity. An audit log is generated each time an Entity is suppressed or unsuppressed.
lRecent Activity. Provides a count of how many Signals or Insights included the Entity within the last 30 days. Click the plus sign (+) next to Signals or Insights to expand the list.
mActivity. This tab displays a visualization of Signals on the Entity over time.The x-axis is time, the y-axis is severity. The icons represent Signals.
nEnrichments tab. If you use Cloud SIEM’s automation as a service, Entity enrichments obtained from Cloud SOAR may be available on this tab.
oTimeline. A timeline appears for the Entity's activity over a three-day period. For more information, see About the Entity Timeline tab.
pRelated Entities. Entities related to the current Entity.
qAutomations. Automations that have been run on the Entity.
rCreate Insight. You can use this option to create an Insight on the Entity, as described below in Create an Insight, below.
sThe Current State section lists Signals that were generated for the Entity during the current Detection Window that are not already part of an Insight. (The Detection Window is the period over which Cloud SIEM evaluates Signals, which is 14 days, by default. The Detection Window is configured on the Content > Custom Insights page in the Cloud SIEM UI.)

Below the Current State section there may be a Prior Activity section. This section lists Signals that were generated for the Entity prior to the current Detection window, and all Insights for the Entity. 

About the Entity Timeline tab​

The Entity Timeline tab provides visibility into Entity inventory data, Entity relationships, Records, Signals, and Insights over a default three-day time period. This view gives information about what else the Entity doing before, during, and after Signals and Insights involving the Entity were generated.

The right side of the tab organizes Records by Record Type and vendor, with a Record count. For example, the screenshot below indicates that there were two email Records from Microsoft Office 365 at 4:41:02 AM. The orange icon to the left of the Record summary indicates that the Record aggregation contains a Signal. The indented item below the Record summary is a link to the Signal.

Similarly, a red icon indicates that the Record set contains an Insight, and the link below the summary is a link to the Insight.

Entity timeline

You can view a summary of the Records in a Record set by clicking on it. The Records are listed on the right side of the Entity Timeline tab. To view the complete Record, click the link in the upper right corner of the card for a Record.

Timeline records

Create an Insight​

You can create an Insight for an Entity based on one or more Signals on the Entity. To do so, checkmark each Signal you want to include in the Insight, and click Create Insight.

Create Insight

The page refreshes and shows the selected Signals grouped in a new Insight.

Update multiple Entities​

This section describes how to update the tags, suppression state, or Criticality for one or more Entities.

Update Entities from the UI​

  1. Classic UI. Click Entities at the top of the screen.
    New UI. In the main Sumo Logic menu select Cloud SIEM > Entities. You can also click the Go To... menu at the top of the screen and select Entities.
  2. Note that there is a checkbox at the left end of each Entity row, and one above the Entities list. 
    Entities page
  3. Click the top checkbox to select all of the Entities on the page, or click the checkbox next to each Entity you want to update.
  4. Note that once you select an Entity, three options appear at the top of the Entities list.
    Update options
    See the instructions for each option below:

Update tags​

  1. After selecting the Entities you want to update, click Update Tags. 
  2. Click the down arrow to display the options:
    Tag options
    • Add. Select this option to add one or more tags to the Entity, without affecting any tags already assigned to the Entity. You’re prompted to select a tag. If you select a schema tag, you’re prompted to select a tag value. You can select  multiple tags to add.
    • Remove. Select his option to remove one or more tags from the Entity. You’re prompted to select a tag. If you select a schema tag, you’re prompted to select a tag value. You can select multiple tags to remove. If a selected Entity doesn't have the specified tags, no change will be made to the Entity. 
    • Replace. Select this option to remove all of the tags currently assigned to the Entity and add one or more specified tags. You’re prompted to select a tag. If you select a schema tag, you’re prompted to select a tag value. 
    info

    When you use the Replace option, be sure to specify new tags. If you do not, the existing tags will still be removed.

  3. As you select tags, they’ll appear in the update popup.
    Add tags to Entities
  4. When you are done selecting tags, click Update Entity Tags.

Update suppression​

  1. After selecting the Entities you want to update, click Update Suppression. 
  2. The Update Suppression popup appears, with the suppression toggle set to Not Suppressed.
    Update suppression
  3. If you want to unsuppress the selected Entities, click Update Entity Suppression. Otherwise, if you want to suppress the Entity, toggle the slider to Suppressed, supply a comment if desired, and then click Update Entity Suppression. 

Update Criticality​

  1. After selecting the Entities you want to update, click Update Criticality. 
  2. The Update Criticality popup appears.
    Update criticalities
  3. If you want to assign default Criticality to the selected Entities, click Update Entity Criticality. Otherwise, use the down arrow to view defined Criticalities, select one, and then click Update Entity Criticality.

Import Entity updates from a CSV file​

You can update Entities by uploading a .csv file to Cloud SIEM. 

CSV file format​

There are two supported formats. The difference is in how you identify the target Entity. 

  • Format 1—You use the id field to specify a target Entity. id, suppressed, criticality, tags, tags_to_add, tags_to_remove
  • Format 2—You use the type and value fields to specify the target Entity. type, value, suppressed, criticality, tags, tags_to_add, tags_to_remove

Regardless of the format you use, there are a couple of approaches to updating Entity tags.

  • You can use tags_to_add and tags_to_remove to add new tags and remove existing tags, respectively.
  • You can use a tags value to specify replacement tags. This will remove all existing tags and add all of the specified replacement tags.

See the next section for column definitions.

CSV columns​

The table below defines the columns in the .csv file.

Note that:

  • The first row of the .csv file must contain all supported columns.
  • The .csv file must contain either values in the id column or values in both the type and value column, and a value in at least one other column.
  • If a row has a value in the tags column, it can’t have values in either the tags_to_add or the tags_to_remove column.
ColumnDescription
idThis field is required for Format 1.
To form the id field value, concatenate the Entity type and the value of the Entity, separated by a dash character (-) where the Entity type is one of the following:
_ip
_hostname
_username
_mac
_process
_command
_hash
_domain
_useragent
_email
_url
_file
<CustomEntityTypeId>

The id for an IP address would look like:

_ip-1.2.3.4

You can optionally specify an Entity’s sensor zone as a part of the id column, in this format:

_<entity_type>-<sensor_zone>-<entity_value>

For example:

_ip-zone1-172.18.20.3
typeThis field is required for Format 2.
Identifies the type of Entity, one of:
_ip
_hostname
_username
_mac
_process
_command
_hash
_domain
_useragent
_email
_url
_file
<CustomEntityTypeId>
valueThis field is required for Format 2.
The value of the Entity, for example, for an IP address:
1.2.3.4
sensor_zoneIdentifies the sensor zone for the Entity.

Don’t include this column if you are specifying Entity sensor zones in the id column, as described above.
suppressedWhen true, Cloud SIEM suppresses the Entity.
criticalityAssigns a Criticality to the Entity. (An Entity’s Criticality is a setting that adjusts the severity of Signals that fire on the Entity, based on a risk factor or other consideration.) You can only specify a Criticality that has already been configured in Cloud SIEM. Allowable values:
default
<CustomCriticality>
tagsThe tags to assign to the target. This column can’t be present if the file contains a tags_to_add or tags_to_remove column.
Specify a schema key tag as key:value.
To assign multiple tags, enclose them in double quotes. For example:
"<tag>,<tag>,<tag>" or "<key>:<value>,<key>:<value>"
tags_to_addThe tag to assign to the target Entity. This column can’t be present if the file contains a tags column.
Specify a schema key tag as key:value.
tags_to_removeThe tag to remove from the target Entity. This column can’t be present if the file contains a tags column.
Specify a schema key tag as key:value.

Example CSV files​

Format 1 example

id,suppressed,criticality,tags,tags_to_add,tags_to_remove
_ip-zone1-10.0.0.5,false,default,,Office-Based,
_ip-zone1-10.0.0.6,true,default,,Office-Based,Remote
_ip-zone1-10.0.0.7,false,default,,Office-Based,

Format 2 example

type,value,sensor_zone,suppressed,criticality,tags,tags_to_add,tags_to_remove
_ip,10.0.0.5,zone1,false,default,Frequent-Travel,,
_ip,10.0.0.6,zone1,true,default,,Office-Based,Remote
_ip,10.0.0.7,zone1,false,default,,Office-Based,

Upload CSV file​

After creating file, click Import Metadata in the upper right of the Entities page and upload the file. 

Status
Legal
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.