Overview
Entity Groups help security teams to classify and monitor sets of related entities—such as users or hosts—based on common attributes or roles, enabling targeted analysis and risk detection. These groups allow organizations to track entities exhibiting risky patterns aligned with MITRE ATT&CK tactics and techniques.
Examples of user entity groups, created to classify and monitor entities that exhibit the following behaviors:
- Known Leavers: Detect exfiltration behaviors or suspicious activity before departure.
- Cloud Admins: Monitor for abuse of privileged access (e.g., TA0004 - Privilege Escalation, TA0005 - Defense Evasion).
- Former Employees: Identify unauthorized access attempts post off-boarding.
These groups provide enriched visibility and behavioral context across key security workflows—supporting detection, scoring, and triage activities within the platform. Entity Groups can be used in dashboards, behavior models, and investigation workflows to prioritize high-risk scenarios.
Key Capabilities
Customized Grouping
Group entities based on specific organizational attributes such as department, designation, or location, enabling more targeted behavior analysis and risk evaluation.
Binding Conditions with MITRE Alignment
Each group is created using a predefined template that includes default binding conditions and risk rules mapped to MITRE ATT&CK® tactics and techniques.
Users can:
- Modify default conditions in the entity group
- Add new conditions
This flexibility ensures that groups reflect organizational context and evolving threat models.
Entity Preview Before Creation
Use the Preview option to review all entities that match the defined conditions before creating the group. This allows for validation and refinement, ensuring accuracy in group composition.
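The three capabilities above (attribute-based grouping, template conditions aligned with ATT&CK tactics that an analyst can modify or extend, and a preview of matching entities before the group is saved) can be modelled in a few dozen lines. The following is an added example written for this article; it is not the platform's own code. The entity records are constructed sample data, the attribute names (department, designation, location, status, roles, leave_date) are assumptions, and the tactic mappings for Known Leavers and Former Employees are assumed here, while the Cloud Admins mapping (TA0004, TA0005) is the one given above.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Callable, Dict, List, Sequence

# Fixed "today" so the example is reproducible (assumption for this example).
TODAY = date(2024, 7, 1)

# Constructed sample entity records (not real data); attribute names are assumptions.
ENTITIES: List[Dict] = [
    {"id": "u1001", "department": "Finance", "designation": "Analyst", "location": "London",
     "status": "active", "roles": ["finance-app"], "leave_date": None},
    {"id": "u1002", "department": "IT", "designation": "Cloud Engineer", "location": "Austin",
     "status": "active", "roles": ["aws-admin", "vpn"], "leave_date": None},
    {"id": "u1003", "department": "Sales", "designation": "Account Manager", "location": "Berlin",
     "status": "active", "roles": ["crm"], "leave_date": date(2024, 7, 15)},
    {"id": "u1004", "department": "IT", "designation": "SRE", "location": "Austin",
     "status": "terminated", "roles": ["azure-admin"], "leave_date": date(2024, 5, 1)},
    {"id": "u1005", "department": "IT", "designation": "Platform Lead", "location": "Austin",
     "status": "active", "roles": ["gcp-admin"], "leave_date": date(2024, 9, 10)},
]

# A binding condition is a predicate over a single entity record.
Condition = Callable[[Dict], bool]


def attr_equals(key: str, value) -> Condition:
    """Condition on an organizational attribute (department, designation, location, ...)."""
    return lambda e: e.get(key) == value


def has_role_suffix(suffix: str) -> Condition:
    """Condition on role membership, e.g. any role ending in '-admin'."""
    return lambda e: any(r.endswith(suffix) for r in e.get("roles", []))


def leaving_within(days: int, today: date = TODAY) -> Condition:
    """True when a leave date is set and falls within the next `days` days."""
    def cond(e: Dict) -> bool:
        d = e.get("leave_date")
        return d is not None and today <= d <= today + timedelta(days=days)
    return cond


@dataclass(frozen=True)
class EntityGroupTemplate:
    name: str
    tactics: Sequence[str]           # MITRE ATT&CK tactic IDs the group's risk rules align with
    conditions: Sequence[Condition]  # default binding conditions; every condition must hold


# Predefined templates with default conditions (assumed defaults for this example).
KNOWN_LEAVERS = EntityGroupTemplate(
    name="Known Leavers",
    tactics=("TA0010",),  # Exfiltration: assumed mapping for pre-departure data theft
    conditions=(attr_equals("status", "active"), leaving_within(30)),
)
CLOUD_ADMINS = EntityGroupTemplate(
    name="Cloud Admins",
    tactics=("TA0004", "TA0005"),  # Privilege Escalation, Defense Evasion (as stated on the page)
    conditions=(attr_equals("status", "active"), has_role_suffix("-admin")),
)
FORMER_EMPLOYEES = EntityGroupTemplate(
    name="Former Employees",
    tactics=("TA0001",),  # Initial Access: assumed mapping for post-offboarding access attempts
    conditions=(attr_equals("status", "terminated"),),
)


def modify_conditions(template: EntityGroupTemplate, *conditions: Condition) -> EntityGroupTemplate:
    """'Modify default conditions': replace the template's conditions entirely."""
    return replace(template, conditions=tuple(conditions))


def with_conditions(template: EntityGroupTemplate, *extra: Condition) -> EntityGroupTemplate:
    """'Add new conditions': keep the defaults and AND further conditions onto them."""
    return replace(template, conditions=tuple(template.conditions) + tuple(extra))


def preview(template: EntityGroupTemplate, entities: List[Dict]) -> List[str]:
    """The Preview step: ids of entities that satisfy every binding condition, before any group is created."""
    return [e["id"] for e in entities if all(c(e) for c in template.conditions)]


def build_groups(templates: Sequence[EntityGroupTemplate], entities: List[Dict]) -> Dict[str, Dict]:
    """Materialize groups once previews look right: name -> tactics and member ids."""
    return {t.name: {"tactics": list(t.tactics), "members": preview(t, entities)} for t in templates}


if __name__ == "__main__":
    for name, info in build_groups((KNOWN_LEAVERS, CLOUD_ADMINS, FORMER_EMPLOYEES), ENTITIES).items():
        print(f"{name:18} {info['tactics']} -> {info['members']}")
    # Widen the leaver window (modify) and narrow cloud admins to those also leaving (add).
    print(preview(modify_conditions(KNOWN_LEAVERS, attr_equals("status", "active"), leaving_within(90)), ENTITIES))
    print(preview(with_conditions(CLOUD_ADMINS, leaving_within(90)), ENTITIES))
```

Running the preview before saving is what catches composition mistakes: widening the leaver window from 30 to 90 days pulls in a second user, and adding a departure condition to Cloud Admins narrows the group to the one privileged user who is also leaving, which is exactly the kind of refinement the Preview step is meant to surface.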
Two-Tab Structure for Insightful Management
Each entity group includes two purpose-built tabs:
- Summary Tab: Displays high-level behavioral insights, associated risk scores, and patterns observed across the group.
- Entities List Tab: Lists all entities that meet the group’s binding conditions, providing visibility into who or what is included in the group.