Entity groups are created using predefined templates published by the product admin at the platform level. You cannot create new templates at any level; instead, you can use the existing templates to create and configure entity groups based on your needs.
When you create an entity group from a template:
- The risk rules defined in the selected template are inherited and cannot be modified.
- You can define new binding conditions to determine which entities should be included in the group, or use the same conditions defined in the template.
Use the procedure below to create an entity group from a predefined template.
To create an entity group:
- Navigate to Resolutions → Overview, under the Entities section. The Entities Overview page appears.
- Click the Groups tab to view the list of existing entity groups. If no entity groups exist, you'll see a Create Entity Group button.
- Click Create Entity Group to open the list of predefined templates.
- Browse the list and click Use this Template next to the template you want to use. This opens the Create Group From Template page.
- Specify the following information. All fields are pre-populated based on the selected template. You may modify all fields except the risk rules.
  - Name: Enter a meaningful name for the entity group.
  - Description: Provide a brief description outlining the purpose or context of the group.
  - Entity Type: Select the type of entity to include in the group. Available options: User, Host.
  - Binding Condition: Define conditions to dynamically include entities that meet the specified criteria. These conditions help ensure the group is contextually relevant.
  - Risk Rules (Read-only): These rules are inherited from the template and cannot be modified. They are mapped to MITRE ATT&CK® tactics and techniques and define the risk behaviors entities in the group may exhibit. The Risk Rules table includes the following details:
    - Tactic: The adversary's objective or goal that the entity's behavior may align with.
    - Technique: The method or approach used by an adversary to achieve the tactic.
    - Risk Description: A brief explanation of the potential risk associated with the behavior.
    - Risk Rule Condition: The criteria that must be met for the entity to generate a signal related to the defined risk.
7. Click Preview to open the Preview side sheet, which lists the entities that match your binding conditions. When you have finished reviewing them, click Close to close the side sheet.
8. Click Submit to create the entity group. Entities that match the conditions set in the entity group are collated under the Entities List tab. To view the entities list, see Viewing the Entities List in the User Entity Groups.
On the Summary tab, you can view the user entity insights. For more details, see Viewing the Summary Tab of User Entity Groups.
Viewing the Summary Tab of User Entity Groups
Use this procedure to access and understand the Summary tab of user entities within an entity group.
To access the Summary tab in entity groups:
- Navigate to Resolutions → Overview under the Entities section. The Entities Overview page appears.
- Click the Groups tab to view the list of existing entity groups.
- Select the user entity group whose summary or dashboards you want to view. This opens the Summary tab by default.
Summary Tab Overview
The Summary tab provides key insights into the behavior and profile distribution of user entities within the selected entity group.
- Total Users: Displays the total number of users (both associated and disassociated) linked to the entity group in the last 7 days.
- Users by Organizational Unit: Shows a breakdown of users by their organizational units within the entity group.
- Users by Office Location: Categorizes users in the entity group based on their office location.
- Users by Role: Groups users in the entity group according to their assigned roles.
- Users by Employment Type: Displays users in the entity group based on their employment type, such as full-time, contractor, etc.
- Behaviors Overview: Summarizes all observed behaviors (MITRE tactics and techniques) exhibited by users in the entity group. It includes:
  - The number of users displaying risky behaviors aligned with MITRE tactics and techniques
  - The total number of signals generated due to these behaviors
- User Activity Insights: Provides a detailed view of risky behaviors exhibited by individual users. It includes:
  - Mapping adversarial user behaviors to MITRE tactics and techniques
  - The total number of signals raised for each behavior exhibited by a user entity
- ActOn Closure Reason: Displays the total number of ActOns created from signals and their respective closure reasons.
- Security Activities: Presents a funnel view that illustrates the transition of signals into situations and then into ActOns for users in the group.
- Signals: Lists the signals raised based on behavioral patterns identified within the entity group. By default, data is shown for the last 30 days. You can adjust the date range from 24 hours to 90 days. The available presets are Last 24 hrs, Last 7 days, Last 15 days, Last 30 days, Last 60 days, and Last 90 days.
- Situations vs ActOns: Compares the number of situations and ActOns generated in the last 30 days, displayed by date.
  - The date range is adjustable from 24 hours to 90 days.
Viewing the Entities List in the Entity Groups
Use this procedure to view the list of entities that belong to a specific entity group (be it user or host) based on its binding conditions.
To access the entities list:
- Navigate to Resolutions → Overview under the Entities section. The Entities Overview page appears.
- Click the Groups tab to view existing entity groups.
- Select a group and then click the Entities List tab. The list of entities within the selected group is displayed.
- Review the details of user entities. These details may vary across different entity groups. The following information applies specifically to entities in the User entity group.
Field name | Field description |
Name | The name of the user entity. Click the name to navigate to the single entity page. To view insights for each entity, see the article Viewing detailed insights of a specific entity. |
Organizational Unit | The organizational unit to which the entity belongs. |
Employment Type | The employment classification of the entity (e.g., full-time, part-time, contractor). |
Associated Date | The date the entity was associated with the group. |
State | The current status of the entity: |
Review the details of the host entity:
Field name | Field description |
Name | The name of the host entity. Click the name to navigate to the single entity page. To view insights for each entity, see the article Viewing detailed insights of a specific entity. |
Environment | The environment where the entity operates for security segmentation. |
POD | The geographical location of the host. |
Associated Date | The date the entity was associated with the group. |
State | The current status of the entity: |
Other options:
- Use the search box to search by name.
- Select or deselect columns to display in the table using the table settings icon.
Viewing the Summary Tab of Host Entity Groups
Use the following steps to access and understand the Summary tab of host entities within an entity group.
To access the Summary Tab:
- Navigate to Resolutions → Overview under the Entities section. The Entities Overview page appears.
- Click the Groups tab to view the list of existing entity groups.
- Select a host entity group to view its details. The Summary tab opens by default.
The Summary tab offers a comprehensive view of host behaviors, attributes, and security insights for the selected entity group.
Total Hosts
Displays the total number of hosts—both associated and disassociated—linked to the entity group in the last 7 days.
Ingested Sources
Presents a bar graph showing the number of entities ingested from each source.
Hosts by Location
Categorizes hosts within the entity group based on their geographic location.
Hosts by Environment & POD
Groups hosts by their environment (e.g., production, development) and Point of Delivery (POD).
Hosts by Platform
Displays the distribution of hosts based on their platform (e.g., Windows, Linux).
Hosts by State
Shows the number of active and inactive hosts in the entity group.
Behaviors Overview
Summarizes observed behaviors mapped to MITRE tactics and techniques.
Includes:
- Number of users exhibiting risky behaviors
- Total signals generated due to these behaviors
Host Activity Insights
Provides behavior-level insights per host, including:
- Mapping of adversarial behaviors to MITRE tactics and techniques
- Signal count per behavior for each host entity
Exposures and Weaknesses
Highlights vulnerabilities and exposures identified in the hosts.
ActOn Closure Reason
Displays the number of ActOns created from signals and their respective closure reasons.
Security activities
Presents a funnel view that illustrates the transition of signals into situations and then into ActOns for users in the group.
Signals
Lists behavior-based signals raised in the last 30 days by default.
The date range can be adjusted between 24 hours and 90 days.
Situations vs ActOns
Compares the number of Situations and ActOns generated over time.
The date range can be adjusted between 24 hours and 90 days.
Editing an Entity Group
Follow these steps to modify the details of an existing entity group:
- Navigate to Resolutions → Overview under the Entities section. The Entities Overview page appears.
- Click the Groups tab to view the list of existing entity groups.
- Select the entity group you want to edit. The Summary page for the selected group opens.
- Click the kebab menu (three vertical dots) and select Edit. You are redirected to the Entity Group page.
- Modify the desired details of the entity group.
- Click Update to save your changes.
Deleting an Entity Group
Use the following steps to delete an entity group permanently:
- Navigate to Resolutions → Overview under the Entities section. The Entities Overview page appears.
- Click the Groups tab to view the list of existing entity groups.
- Select the entity group you want to delete. The Summary page for the selected group opens.
- Click the kebab menu and select Delete. A confirmation modal appears.
- Click Yes to confirm and permanently delete the entity group.