This article covers how to filter entities by certain criteria and how to enrich entities for efficient threat investigation and troubleshooting.
Entities are the tangible and intangible assets that the company regards as high value, such as applications, users, network assets, and devices. All entities synced to the platform can be viewed on a single interface to gain insight into them. Entities are onboarded to the platform from third-party CMDB (Configuration Management Database) sources, such as Google Cloud, AWS, GitHub, Azure, and OpsRamp, and from security sources such as Chronicle, for continuous monitoring.
Built-in intelligence for entity categorization and classification
The platform uses built-in intelligence to classify entities into categories: Applications & Services, Compute & Devices, Data & Storage, Identities & Access, Networks, People & Organization, and Policy & Documentation.
Description for each category:
- Applications & Services: Entities related to software applications, services, and deployments. Includes code repositories, deployments, and communication channels.
- Compute & Devices: Entities related to computing resources and physical devices. Includes hosts, containers, disks, and network endpoints.
- Data & Storage: Entities related to data storage and repositories. Includes databases, backups, data objects, and data stores.
- Identities & Access: Entities related to user identities and access control. Includes users, access keys, access policies, and authentication mechanisms.
- Networks: Entities related to network infrastructure and communication. Includes network interfaces, gateways, subnets, and VPN endpoints.
- People & Organization: Entities related to individuals and organizational structures. Includes persons, teams, organizations, and sites.
- Policy & Documentation: Entities related to policies, procedures, and documentation. Includes policies, procedures, requirements, and standards.
Finding entities by category, class, or entity name on the Entity Overview
You can search for an entity by category, class, or entity name. Searching by entity name lists the entities matching the term; clicking an entity in the results opens its Entity Details page, where you can view the signals detected, the situations created, and the situations converted to ActOns for that entity. Searching by category or class name instead shows the entities grouped by class or category; clicking a category or class opens the Entity Inventory page.
With thousands of entities in the inventory, you can also use the filters on the Entity Overview page to filter entities by functions, location, source, state, tags, and type. Clicking the filtered results takes you to the Entity Inventory page.
Note:
If you are at a domain level, you can filter entities by organization, tenants, and other filter options. At the organization level, you can filter entities by tenant and other filter options.
Entity inventory
All the entities published from the integrated sources are available in the inventory. It gives visibility into the entities in the organization; from here you can flag an entity as critical, add tags, and associate functions to enrich it with more context.
Enriching entities gives more insight at the entity level. When a threat signal is detected on an entity, SOC analysts then have enough context about that entity to investigate and triage the threat efficiently.
Refer to this article to learn more about how you enrich the entities.
Finding a specific entity in the entity inventory
Based on the entity classification, you can search for the required entity and see at a glance its category, class, type, state, location, the source from which it was discovered, its tags and functions, and the organization and tenant it belongs to.
Entity details
For every entity monitored on the platform you can view its details: the threat signals detected, the source from which the entity was discovered, the associated functions, the situations created, and the ActOns converted from those situations.
Categorizing entities: classes and descriptions
The following table gives a brief description of each class in the different entity categories.
Category | Class | Description |
---|---|---|
Applications & Services | Application | A software product or application deployed in a computing environment. |
Applications & Services | Account | An organizational account for a service or a set of services (e.g. AWS, Okta, Bitbucket Team, Google G-Suite account, Apple Developer Account). Each Account should be connected to a Service. |
Applications & Services | Channel | A communication channel used for exchanging messages or notifications, such as a Slack channel or AWS SNS topic. |
Applications & Services | Key | A cryptographic key used for authentication, encryption, or signing. |
Applications & Services | Deployment | The process of distributing and activating changes to code, applications, infrastructure, or services. |
Applications & Services | Task | A computational task, such as an AWS Batch job or ECS task, representing a unit of work to be executed. |
Applications & Services | Service | A service provided by a vendor or organization, offering specific functionality or features. |
Applications & Services | Subscription | A subscription to a service or channel, indicating a formal agreement to receive updates or access. |
Applications & Services | Module | A software or hardware module, such as an npm module or Java library, providing specific functionality or features. |
Applications & Services | Project | A software development project or generic project. |
Compute & Devices | Application | A software product or application deployed in a computing environment. |
Compute & Devices | Channel | A communication channel used for exchanging messages or notifications, such as a Slack channel or AWS SNS topic. |
Compute & Devices | Cluster | A cluster of compute or database resources/workloads. |
Compute & Devices | Container | A standardized unit of software that packages code, dependencies, and configuration for deployment. |
Compute & Devices | Device | A physical device or medium, such as a server, laptop, workstation, smartphone, tablet, router, firewall, switch, Wi-Fi access point, or USB drive. The exact device type is described in the _type property of the entity. |
Compute & Devices | Host | A compute instance that owns a whole network stack and serves as an environment for workloads. It typically runs an operating system. The exact host type is described in the _type property of the entity, and the UUID of the host should be captured in its _id property. |
Compute & Devices | Image | A system image, such as an AWS AMI (Amazon Machine Image), used for creating virtual machines or containers. |
Compute & Devices | Queue | A scheduling queue of computing processes or devices. |
Compute & Devices | Workload | A virtual compute instance, such as an AWS EC2 instance, Docker container, AWS Lambda function, application process, or VMware instance. The exact workload type is described in the _type property of the entity. |
Compute & Devices | HostAgent | A software agent or sensor that runs on a host or endpoint, monitoring and managing security or performance. |
Data & Storage | Backup | A specific repository or data store containing backup data. |
Data & Storage | CodeRepo | A repository for storing source code, which may include version control and collaboration features. |
Data & Storage | DataCollection | A database table used for storing structured data records. |
Data & Storage | DataObject | An individual data object, such as an AWS S3 object, SharePoint document, source code, or a file on disk. The exact data type is described in the _type property of the entity. |
Data & Storage | DataStore | A virtual repository where data is stored, such as an AWS S3 bucket, AWS RDS cluster, AWS DynamoDB table, Bitbucket repository, SharePoint site, or Docker registry. The exact type is described in the _type property of the entity. |
Data & Storage | Database | A database cluster or instance. |
Data & Storage | Disk | A disk storage device, such as an AWS EBS volume. |
Data & Storage | Secret | A secret used for secure communication or access, such as an encryption key or password. |
Data & Storage | Vault | A collection of secrets, such as encryption keys or passwords, used for secure storage and access control. |
Data & Storage | Logs | A specific repository or destination containing application, network, or system logs for analysis and monitoring. |
Data & Storage | Repository | A repository containing resources, such as a Docker container registry repository hosting container images. |
Identities & Access | Access key | A key used to grant access, such as an SSH key, access key, API key/token, or MFA token/device. |
Identities & Access | AccessPolicy | A policy for access control assigned to a Host, Role, User, UserGroup, or Service. It governs permissions and restrictions. |
Identities & Access | AccessRole | An access control role mapped to a principal (e.g. user, group, or service). It defines the actions the principal can perform. |
Identities & Access | Group | A collection of entities grouped together for organizational or access control purposes. |
Identities & Access | Directory | A directory service for organizing and managing user accounts, permissions, and resources, such as LDAP or Active Directory. |
Identities & Access | Certificate | A digital certificate, such as a TLS/SSL or S/MIME certificate. |
Identities & Access | Key | A cryptographic key used for authentication, encryption, or signing. |
Identities & Access | User | A user account or login used to access systems or services, such as Okta, AWS IAM, or SSH users. |
Networks | Domain | An internet domain. |
Networks | DomainRecord | A DNS record associated with a domain, used for mapping domain names to IP addresses. |
Networks | DomainZone | The DNS zone configuration for an internet domain, specifying authoritative name servers and domain records. |
Networks | Firewall | A piece of hardware or software that protects a network, host, or application. |
Networks | Gateway | A gateway or proxy device or service used to connect different networks or protocols, such as a network router or application gateway. |
Networks | IpAddress | A re-assignable IP address resource, used for identifying devices on a network. |
Networks | Network | A network infrastructure element, such as an AWS VPC or subnet, used for connecting computing resources and devices. |
Networks | NetworkEndpoint | A network endpoint for connecting to or accessing network resources, such as an NFS mount target or VPN endpoint. |
Networks | NetworkInterface | A re-assignable, software-defined network interface resource, used for connecting devices to a network. |
Networks | ApplicationEndpoint | An interface of an application that either sends or receives requests, such as an API. |
People & Organization | Account | An organizational account for a service or a set of services (e.g. AWS, Okta, Bitbucket Team, Google G-Suite account, Apple Developer Account). Each Account should be connected to a Service. |
People & Organization | Group | A collection of entities grouped together for organizational or access control purposes. |
People & Organization | Site | The physical location of an organization, or a reference to an AWS region, indicating where operations or services are located. |
People & Organization | Team | A team consisting of multiple member entities, such as a development or security team. |
People & Organization | Vendor | An external organization or service provider offering products or services to customers. |
People & Organization | Organization | An organization or company, such as JupiterOne, comprising internal or external entities. |
People & Organization | Person | An individual representing an actual person, such as an employee of an organization. |
Policy & Documentation | Configuration | Definitions describing a resource's configuration, such as an AWS ECS task definition. |
Policy & Documentation | Standard | An object representing a standard, such as a compliance or technical standard, used for evaluating or enforcing requirements. |
Policy & Documentation | ControlPolicy | A technical or operational policy containing rules that govern security controls. |
Policy & Documentation | Rule | An operational or configuration compliance rule, typically part of a ruleset. |
Policy & Documentation | Ruleset | An operational or configuration compliance ruleset containing rules governing security controls or IT systems. |
Policy & Documentation | Section | A section or segment, often representing a part of a larger document or system. |
Policy & Documentation | Policy | Written documentation defining rules, procedures, or controls for governance or compliance. |
Policy & Documentation | Control | A security or IT control implemented to enforce policies and procedures, ensuring compliance and mitigating risk. |
Policy & Documentation | Document | A document or data object. |
Policy & Documentation | PasswordPolicy | A password policy containing rules for creating and managing passwords, ensuring security and compliance. |
Policy & Documentation | Procedure | Written procedure and control documentation, typically implementing policies and standards. |
Policy & Documentation | Record | A DNS record, official record (e.g. Risk), written document (e.g. Policy/Procedure), or reference (e.g. Vulnerability/Weakness). The exact record type is captured in the _type property of the entity. |
Widgets for New Entities, Critical Entities, and Source
Entities synced to the tenant are summarized in three widgets:
- New entities: The total number of entities synced over the past 7 days. Click the View by category link to see the new entities broken down by category.
- Critical entities: The entities marked as critical, either manually by users or through enrichment policies.
- Source: A bar chart of the entities synced from each individual source (such as CMDB, ASE, cloud, and security sources) into the Resolution Intelligence Cloud. Clicking a bar shows the total entities synced from that source.
Using filters to search for entities
Use this procedure to search for entities using the search bar and filters. Applying filters allows you to fetch the required entity record.
To use filters for entities:
1. Navigate to Resolutions --> Overview, under Entities.
The Entities Overview page appears, displaying all entities organized by category and class.
2. Click the Filter icon to filter entities by Group users, Type, Location, Functions, Source, State, Critical, and tags.
- If you are at domain level, you can also filter the entities by organizations and tenants.
- If you are an organization level, you can filter by tenants in addition to the other filter options.
3. Select a source, state, function, group users, or tag, and click Apply. For example, selecting the source AWS and the state Active displays the categories of entities published from AWS that are in the active state.
4. Click a specific class within a category to list the AWS entities of that class that are in the active state.
Note:
When no entities have been synced to the platform, the overview page instead shows a Get started with data ingestion button. Click it to go to the integrations page and sync entities from CMDB and security sources. Related topics for learning more about entities are linked from the same page.
Searching for entities on the Entity Overview
Use this procedure to search for a particular entity on the Entity Overview.
1. Navigate to Resolutions --> Overview, under Entities. The Entities Overview page appears.
2. Provide the search term, such as category name, class name, or entity name to search for an entity. If you search for an entity, this displays all results matching with the entity name.
Search by entity
3. Click on the entity whose details you want to view (or) click on the ellipses icon corresponding to the entity and select the View in Entity Details option. Both will take you to the entity details page.
Search by category or class name
4. Provide the category or class name in the search box on the Entity Overview page. This displays the results matching the search term.
5. Click the Name, or click the ellipses icon corresponding to the entity and select the View in Entity Inventory option. Both take you to the Entity Inventory page.
Exporting entities to a PDF
Use this procedure to export entities to a PDF from the Entities Overview page. This PDF can be shared with external users or stakeholders of the company.
1. Navigate to Resolutions --> Overview, under Entities. The Entities Overview page appears.
2. Click the Export icon and select PDF to export the entity categories within the tenant or organization into a PDF file.
Applying filters to list of entities in Entity Inventory
Use this procedure to filter the entities in the entity inventory by category, functions, source, state, tags, and type for more accurate results. With or without filters applied, you can search for entities by class, type, name, or state using the search box. Clicking the cross icon next to an applied filter removes it.
To apply filters to the entity inventory:
1. Navigate to Resolutions --> Overview, under Entities. The Entities Overview page appears.
2. Click on a specific class in a category from the entities list. This displays the list of entities that belong to this class under this category.
3. Select the Start Time and End Time to restrict the list to the selected time window; otherwise all entities are displayed. Presets range from the last 30 minutes to the past year.
4. Click the filters icon to narrow the entities further by Category, Type, Source, Functions, Tags, and State. The filter icon shows the number of filters currently applied; use Clear All to reset them.
5. Click Apply.
6. Review this information in the entity inventory table:
Field name | Field description |
---|---|
Name | The name of the entity. |
Display Name | The display name of the entity. The public IP address of an entity is shown in this field only when the IP address check box was selected while creating an enrichment policy. |
ID | The ID assigned to the entity. |
State | The entity state. Only active signals are visible. |
Location | The location from which the entity was synced. |
Source | The integrated source from which the entity was onboarded. |
Category | The category the entity belongs to. |
Class | The class associated with the entity. |
Type | The type of entity. |
Tags | The tags assigned to the entity. |
Function | The function associated with the entity. To create a function, refer to Configuring a Function. |
7. Click Manage columns to select and deselect the columns you want to view in the table. You can also change the order of columns by dragging and dropping them to the position you want to see them in the table, using the reordering button.
8. Click the Export icon and select CSV or JSON to export the list of entities into a CSV file or a JSON file respectively. You will receive the file via email.
You can do the following actions on the Entity inventory page:
- Adding tags to a group of entities
- Assigning Functions to entities
- Assigning criticality
- Syncing entity data
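The filter, tag, and criticality actions above are performed in the UI one page at a time; when the same checks need to run across the whole inventory (for example on the JSON export from step 8), a short script does the job. The following is an added example, not the platform's own code or API: the export field names (id, name, displayName, state, location, source, category, class, type, tags, functions, critical) are assumed from the inventory table columns, and the sample records are constructed, not a real export. The last function is the check a SOC engineer most wants before an incident: critical entities with no function assigned, whose ActOns would fall back to the default function instead of the owning team's escalation policy.

```python
"""Work with an entity inventory export the way the inventory page does:
filter by source/state/class/tag/criticality, bulk-tag, roll up per source,
and flag critical entities that have no function assigned.

Added example, not the platform's own code or API. The export field names
below are an assumption based on the inventory table columns; the records
are constructed sample data, not a real export.
"""
import json
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Constructed sample export (assumed JSON shape; not real data).
SAMPLE_EXPORT = json.dumps([
    {"id": "e1", "name": "i-0a1b2c", "displayName": "prod-web-1", "state": "active",
     "location": "us-east-1", "source": "AWS", "category": "Compute & Devices",
     "class": "Host", "type": "aws_instance", "tags": {"env": "prod"},
     "functions": ["Web Platform"], "critical": True},
    {"id": "e2", "name": "prod-db", "displayName": "prod-db-1", "state": "active",
     "location": "us-east-1", "source": "AWS", "category": "Data & Storage",
     "class": "Database", "type": "aws_rds_cluster", "tags": {"env": "prod"},
     "functions": [], "critical": True},
    {"id": "e3", "name": "i-0d4e5f", "displayName": "dev-web-1", "state": "inactive",
     "location": "us-west-2", "source": "AWS", "category": "Compute & Devices",
     "class": "Host", "type": "aws_instance", "tags": {"env": "dev"},
     "functions": [], "critical": False},
    {"id": "e4", "name": "octo/app", "displayName": "octo/app", "state": "active",
     "location": "", "source": "GitHub", "category": "Data & Storage",
     "class": "CodeRepo", "type": "github_repo", "tags": {},
     "functions": ["Web Platform"], "critical": False},
    {"id": "e5", "name": "alice", "displayName": "alice@example.com", "state": "active",
     "location": "", "source": "Azure", "category": "Identities & Access",
     "class": "User", "type": "azure_user", "tags": {"role": "admin"},
     "functions": [], "critical": True},
])


def load_export(raw: str) -> List[Dict]:
    """Parse the JSON export into a list of entity records."""
    return json.loads(raw)


def filter_entities(entities: Iterable[Dict], *, source: Optional[str] = None,
                    state: Optional[str] = None, category: Optional[str] = None,
                    cls: Optional[str] = None, tag: Optional[str] = None,
                    critical: Optional[bool] = None) -> List[Dict]:
    """AND-combine the criteria the inventory filter offers. `tag` is a
    'key:value' string, matching how tags are shown in the UI; a tag with
    no value part matches nothing rather than everything."""
    tag_key, _, tag_val = tag.partition(":") if tag else ("", "", "")
    matched = []
    for e in entities:
        if source is not None and e["source"] != source:
            continue
        if state is not None and e["state"] != state:
            continue
        if category is not None and e["category"] != category:
            continue
        if cls is not None and e["class"] != cls:
            continue
        if tag is not None and e["tags"].get(tag_key) != tag_val:
            continue
        if critical is not None and e["critical"] != critical:
            continue
        matched.append(e)
    return matched


def add_tags(entities: Iterable[Dict], tags: Dict[str, str]) -> int:
    """Bulk-assign key:value tags (the 'Add tags' action). Returns how many
    entities actually changed, so re-runs are idempotent and auditable."""
    changed = 0
    for e in entities:
        before = dict(e["tags"])
        e["tags"].update(tags)
        if e["tags"] != before:
            changed += 1
    return changed


def critical_without_function(entities: Iterable[Dict]) -> List[str]:
    """IDs of critical entities with no function assigned. An ActOn raised on
    such an entity routes to the default function, not an owning team's
    escalation policy, so these are the records to fix first."""
    return sorted(e["id"] for e in entities if e["critical"] and not e["functions"])


def count_by(entities: Iterable[Dict], field: str) -> Dict[str, int]:
    """Roll-up like the overview widgets, e.g. entities per source or class."""
    return dict(Counter(e[field] for e in entities))


if __name__ == "__main__":
    inventory = load_export(SAMPLE_EXPORT)
    active_aws = filter_entities(inventory, source="AWS", state="active")
    print("AWS, active:", [e["displayName"] for e in active_aws])
    print("critical entities without a function:", critical_without_function(inventory))
    print("entities per source:", count_by(inventory, "source"))
    print("entities newly tagged:", add_tags(active_aws, {"owner": "platform-team"}))
```

Because add_tags reports only the records it changed, the script can be re-run after every export without double-counting, and the critical-without-function list doubles as a backlog for the Assign Functions action described below.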
Adding tags to a group of entities
Use this procedure to add tags to a group of entities at one go. A tag is a key:value pair; assigning tags helps you organize entities and enriches the signals raised from them.
To add tags to a list of entities:
1. Navigate to Resolutions --> Overview, under Entities. The Entities Overview page appears.
2. Click on a specific class in a category from the entities list. This displays the list of entities returned for this class associated with this category.
3. Select the check boxes corresponding to the entities to which you want to add tags. This enables the tag icon.
4. Click the tag icon . This opens the Add tags window.
5. Select the key, value, and Tag type.
6. Click Save tags to assign tags to the selected entities.
You can add multiple tags to the entity, using the plus icon. If there are more than 7 tags, you can see More option. Click this option to search for a specific tag in View tags window.
Assigning Functions to entities
Use this procedure to assign functions to entities. When an ActOn is triggered from an entity, the personnel configured in the escalation policy of the entity's function are notified.
To assign functions to entities:
1. Navigate to Resolutions --> Overview, under Entities. The Entities Overview page appears.
2. Click on a specific class in a category from the entities list. This displays the list of entities returned for this class associated with this category.
3. Select the check boxes corresponding to the entities to which you want to assign functions or services. This enables the assign functions icon.
4. Click the Assign Function icon . The Assign Functions window opens.
5. Select the Functions from the list. To define functions, see Configuring a Function
You can assign multiple functions to the entities.
6. Select the primary function for the entities. Only one function can be the default function, which routes the signals that do not belong to any entity.
7. Click Save to assign functions to entities.
Assigning criticality
Use this procedure to flag, among thousands of entity records, the entities that are critical to the business infrastructure. An entity is critical if its compromise would cause severe loss to the business or interrupt business operations.
To assign criticality to entities:
1. Navigate to Resolutions --> Overview, under Entities. The Entities Overview page appears.
2. Click on a specific class in a category from the entities list. This displays the list of entities returned for the class associated with this category.
3. Select the check boxes corresponding to the entities to which you want to assign criticality. This enables the criticality icon.
4. Click the Critical icon .
A pop-up appears, prompting you to set the entities to critical or not.
5. Click Yes to set the entities as critical.
Now you can view the entity with the criticality indication.
Syncing entity data
Use this procedure to sync the metadata of existing entities to the Resolution Intelligence Cloud.
To sync entity data:
1. Navigate to Resolutions --> Overview, under Entities. The Entities Overview page appears.
2. Click on a specific class in a category. This displays the list of entities within the selected class.
3. Select a specific entity or a group of entities whose changes you want to sync.
Note: You can sync the data of only 10 entities at a time.
4. Click the Sync entities icon to sync the updated entity data into the Resolution Intelligence Cloud platform.
You can also sync the updated metadata of a specific entity from the entity page, using the Sync Now option. Sync now is enabled only for AWS, Azure, Opsramp, and GitHub entities.
Viewing a specific entity
Use this procedure to view the details of a specific entity, such as its active signals, the situations created, and the situations turned into ActOns.
To view the entity details,
1. Navigate to Resolutions --> Overview, under Entities.
The Entities page appears.
2. Click a class within a particular category to see the list of entities belonging to it.
The Entity Inventory page appears.
3. Click on the entity name to view the comprehensive data related to the selected entity.
4. Review the basic entity details in the Base attributes section, under the Overview tab.
Field name | Field description |
---|---|
Name | The name of the entity. |
Display name | The display name of the entity. |
Category | The category to which the entity belongs to. |
Type | The type of entity. |
Source | The source from where the entity is obtained. |
Class | The class to which the entity belongs to. |
5. Review these details in the Identifier attributes section. Note that you can view these details only if you are a domain or organization user.
Field name | Field description |
---|---|
Tenant name | The name of the tenant. You can see this tenant name if you are an organizational or domain user. |
Organizations name | The name of the organization to which the entity belongs to. You can only view this information if you are an organizational user. |
6. Review these details in the Time attributes section:
Field name | Field description |
---|---|
Created time | The date and time at which the entity was synced to the platform. |
Updated time | The time at which the entity details were last updated. |
Info: You can view raw data of an entity in the JSON format.
7. View the existing tags linked to this entity.
Note: You can see View in Chronicle option for Google Chronicle entities. Clicking on this option takes you to the Chronicle page to view detailed information about the entity and alerts triggered.
8. Click the Actions drop-down:
- Select Add Tags to add tags to this entity. To add tags, please refer to Adding tags to a group of entities.
- Select Mark as Critical to mark the entity as critical based on how critical the entity is for the business.
- Select Assign Functions to assign functions to an entity. Refer to Assigning Functions to entities. If there are no functions or you want to create a new function, click Create Function. To create a function, refer to create a function.
- Select Sync now to sync the updated metadata of a specific entity. This option is enabled only for AWS, Azure, Opsramp, and GitHub entities.
9. Click the Functions tab. If you want to assign functions to an entity, click Assign Functions. Refer to Assigning Functions to entities. If there are no functions or you want to create a new function, click Create Function. To create a function, refer to create a function.
10. Review the functions assigned to this entity and their escalation policies:
Field name | Field description |
---|---|
Name | The function name assigned to the entity. |
Escalation policy | The escalation policy associated with this function. |
11. Click the ellipses icon corresponding to the function that you want to unassign or remove from this entity.
12. Click Unassign.
Note: If you select the source type as OpsRamp to filter the entities, you can view two additional tabs - Applications and Patch. On Applications tab, you can view the list of applications available for the entity and on the Patch tab, you can view the patches applied on the entity.
13. Click the Signals tab to view the number of signals detected for this entity.
14. Review all active signal information for this entity. The following table describes each column in the Signals table:
Column name | Description |
---|---|
ID | The ID of the signal. |
Description | The description of the signal created for this entity. |
Sub-category | The sub-category the signal belongs to. |
Created-on | The date on which the signal was generated. |
Status | The status of the active signal. |
Note: Search for a specific signal from the list of signals, using the search box.
15. Click on a particular signal to redirect to the signal page and view comprehensive signal details.
16. Click the Situations tab to see the number of situations created for this entity.
17. Review the situation details. The following table describes each column in the Situations table:
Column name | Description |
---|---|
ID | A unique ID assigned to the situation. |
Title | The title given to the situation. |
Priority | The priority of this situation. |
Assignee | The user assigned to resolve the situation. |
Status | The status of the situation. |
Likelihood | Applicable only to security assets. How likely the entity is to be affected by the threat; the more detections, the higher the score. |
Impact | The damage the threat would cause to the entity, derived from the likelihood and confidence scores. The higher the impact, the more critical the entity. |
Confidence | The confidence that the entity is actually exposed to the threat; the higher the score, the higher the probability. |
18. Click on a particular situation from the list of situations to redirect to the Situations page and view its details.
19. Click the ActOns tab to see the ActOns generated for this entity.
20. Review the ActOn details. The following table describes each column in the ActOns table:
Column name | Description |
---|---|
ID | A unique ID assigned to the ActOn. |
Title | The title given to the ActOn. |
Priority | The priority assigned to the ActOn. The resolution time depends on the priority set for the ActOn. |
Assignee | The user assigned to act on this ActOn. |
Status | The status of the ActOn. |
Likelihood | Applicable only to security assets. How likely the entity is to be affected by the threat; the more detections, the higher the score. |
Impact | The damage the threat would cause to the entity, derived from the likelihood and confidence scores. The higher the impact, the more critical the entity. |
Confidence | The confidence that the entity is actually exposed to the attack; the higher the score, the higher the probability. |
21. Click on a specific ActOn from the list of ActOns to redirect to the ActOn page and view its details.