Creating Custom Entity Types

Antoine, Siemplify Champion
edited May 2020 in Suggest New Ideas

There are currently 22* types of entity which can be used in many scenarios.

Perhaps, there are some situations where it would be great to actually define what type the entity is since a SOAR can ingest all sorts of things.

The objective for this would be to allow power users to define their custom entity types to better sort metadata that is ingested from a connector.

Here is an example of how this could be useful:

When using the Carbon Black integration, fetching events returns three types:

  • parentapp_applicationName (represented by the Parent Name in the picture below.)
  • selectedapp_applicationName (represented by the Process Name in the picture below.)
  • targetapp_applicationName (represented by the Target Name in the picture below.)

In this scenario under Siemplify,

  • The selectedapp_applicationName is "SourceProcessName".
  • The targetapp_applicationName is "DestinationProcessName".

To better understand the event, the parentapp_applicationName is considered to be valuable information for the analyst.

We could use the "Generic" entity type to define this but what if you want to map another field to an entity type that doesn't exist?

The ontology and visual families can be a complex subject and many things should be taken into consideration, which is why this post is mostly to open a discussion about this to see where this could go!

13 votes

Scheduled in Roadmap
