This article covers how to filter entities by certain criteria and how to enrich entities for efficient threat investigation and troubleshooting.
Both tangible and intangible entities, considered high-value assets for the company, can be managed and monitored through a single interface on the platform, providing essential insights for effective entity management. These entities include a wide range of digital and physical assets, such as applications, users, network infrastructure, and devices, each playing a critical role in the organization's operations.
The platform supports onboarding of these entities from various third-party Configuration Management Database (CMDB) sources, including popular cloud service providers like Google Cloud, AWS, GitHub, and Azure, as well as IT operations management platforms such as OpsRamp. Additionally, entities can be sourced from dedicated security solutions like Chronicle, enabling seamless integration for continuous monitoring and incident detection.
For organizations that do not use these integration sources, the Resolution Intelligence Cloud also provides flexibility with a CSV import option. This feature enables direct import of entity data from CSV files, ensuring that organizations can efficiently onboard entities to the platform without requiring any third-party integration setup. This versatility in entity management enhances the organization’s visibility and control over its assets, regardless of integration limitations.
Built-in intelligence for entity categorization and classification
The platform uses its intelligence to classify entities into different categories. Entities are grouped under the following categories:
- Applications & services: Entities related to software applications, services, and deployments. Includes code repositories, deployments, and communication channels.
- Compute & Devices: Entities related to computing resources and physical devices. Includes hosts, containers, disks, and network endpoints.
- Data & Storage: Entities related to data storage and repositories. Includes databases, backups, data objects, and data stores.
- Identities & Access: Entities related to user identities and access control. Includes users, access keys, access policies, and authentication mechanisms.
- Networks: Entities related to network infrastructure and communication. Includes network interfaces, gateways, subnets, and VPN endpoints.
- People & Organization: Entities related to individuals and organizational structures. Includes persons, teams, organizations, and sites.
- Policy & Documentation: Entities related to policies, procedures, and documentation. Includes policies, procedures, requirements, and standards.
Learn about each class within different entity categories here.
Find Entities by Category, Class, or Name in the Entities Overview
You can search for an entity by category, class, or entity name:
- Searching by entity name: Entering an entity name generates a list of matching entities. Clicking a specific entity in the search results takes you to the Entity Details page, where you can view associated signals, situations created, and situations converted to ActOns for that entity.
- Searching by category or class: Entering a category or class name groups the results accordingly. Clicking a category or class redirects you to the Entity Inventory page, providing an organized view of related entities.
On the Entities Overview page, clicking on a specific class under a category displays only active entities by default unless you explicitly select a different state.
With a large inventory of entities, you can also use filters on the Entities Overview page to refine your search. Filters allow you to narrow down entities based on attributes like critical, group users, ingested source, location, source, state, tag, and type. Clicking on a filtered result redirects you to the Entity Inventory page for further exploration.
Note:
At the domain level, you can apply organization and tenant filters in addition to the other available filter options. Similarly, at the organization level, you can filter entities by tenant along with the other filter options.
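As an added illustration (not part of this article or the platform's own code), the Python below sketches two behaviours described above: assigning an entity to one of the categories listed in this article from its class during a CSV import, and filtering the inventory with the overview's default of showing only active entities unless a state is chosen explicitly. The CSV column names and the sample rows are constructed assumptions, not the platform's import schema.

```python
import csv
import io

# Class-to-category mapping built from the category descriptions in this article.
# Only a subset of classes is listed; extend it with the classes your tenant uses.
CLASS_CATEGORY = {
    "code repository": "Applications & services", "deployment": "Applications & services",
    "host": "Compute & Devices", "container": "Compute & Devices", "disk": "Compute & Devices",
    "database": "Data & Storage", "backup": "Data & Storage",
    "user": "Identities & Access", "access key": "Identities & Access",
    "subnet": "Networks", "gateway": "Networks", "vpn endpoint": "Networks",
    "person": "People & Organization", "team": "People & Organization",
    "policy": "Policy & Documentation", "standard": "Policy & Documentation",
}

# Constructed sample import; column names are an assumption, not the platform's schema.
SAMPLE_CSV = """name,class,state,critical,tags,source
web-prod-01,host,active,true,pci;web,AWS
build-runner,container,inactive,false,ci,Google Cloud
hr-db,database,active,true,pii,Azure
jdoe,user,active,false,,Chronicle
vpn-gw-east,vpn endpoint,active,true,,OpsRamp
"""

def load_entities(text):
    """Parse CSV rows into dicts, attaching a category derived from the entity class.
    Rows whose class is not in the taxonomy are rejected instead of silently dropped."""
    entities = []
    for row in csv.DictReader(io.StringIO(text)):
        cls = row["class"].strip().lower()
        if cls not in CLASS_CATEGORY:
            raise ValueError(f"unknown entity class: {row['class']!r}")
        row["category"] = CLASS_CATEGORY[cls]
        row["critical"] = row["critical"].strip().lower() == "true"
        row["tags"] = {t for t in row["tags"].split(";") if t}
        entities.append(row)
    return entities

def filter_entities(entities, category=None, state="active", critical=None, tag=None, source=None):
    """Mirror the Entities Overview: only active entities are returned unless a state
    is chosen explicitly (pass state=None to include every state)."""
    wanted = {"category": category, "state": state, "source": source}
    return [e for e in entities
            if all(v is None or e[k] == v for k, v in wanted.items())
            and (critical is None or e["critical"] == critical)
            and (tag is None or tag in e["tags"])]
```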
Entity Inventory
The entity inventory contains all entities published from integrated sources and/or imported via CSV. It provides a comprehensive view of entities within the tenant, enabling you to:
- Flag the criticality of an entity
- Add tags
- Associate functions to enrich the entity and provide more context
Enriching entities enhances visibility and provides valuable insights. When a threat signal is detected from an entity, SOC analysts can access detailed information to investigate and troubleshoot the threat efficiently.
Find a Specific Entity in the Inventory
You can search for a specific entity based on its classification. The entity inventory provides details such as:
- Entity attributes: Category, source, group users, ingested source, type, state, and location.
- Associated metadata: Tags and functions linked to the entity, along with its criticality.
- Hierarchy details:
  - At the domain level, you can view the organization and tenant to which the entity belongs.
  - At the organization level, you can view the tenant to which the entity belongs.
Filter and Enrich Entities
To filter entities and perform actions like assigning tags, assigning functions, or marking criticality, refer to the Applying Filters to the List of Entities in Entity Inventory article.
To create enrichment policies and enrich entities based on the enrichment criteria, refer to the Entity Enrichment Policies article.
Entity details
For every entity monitored on the platform, you can view detailed information such as the threat signals detected, the source from which the entity was discovered, its associated functions, the situations created, and the ActOns converted from those situations.
To view the information associated with a specific entity, refer to the Viewing a Specific Entity article.