Quick Summary

Siemplify uses an automated system (Ontology) to extract the main objects of interest from the raw alerts to create Entities. Each Entity will be represented by an object that can track its own history for future reference.

Overview

Entities are objects that represent points of interest extracted from alerts (IOCs, artifacts etc.). Entities allow you to automatically track their history, group alerts without human intervention and hunt for malicious activity based on the relationship between the different entities.
Entities can also help security analysts to read cases faster and build playbooks more seamlessly.

Part of configuring the Ontology involves a process called Mapping and Modelling. In this process you select the visual representation of alerts and the Entities that should be extracted from it.
Siemplify provides basic Ontology rules for most popular SIEM products out-of-the-box.

The best time to start customizing the Ontology is when you already have a Connector that pulls data into Siemplify. When configuring Ontology, the user is first required to choose the visualization type for the data (select the model \ visual family) and then map the fields to support the selected model and extract the entities (mapping).

Example – Ingested Email

Let’s map and model new data of an ingested email.

  1. Run the Zero to Hero test case. Refer to Run Use Cases for full details on how to do this.
  2. In the Cases tab, click to open the Mail case from the Cases Queue and select the Events tab.
  3. Click on on the left of the Alert name, to open the Event Configuration screen.
  4. On the top left corner, click on the word Mail in the hierarchy. That ensures that your configuration will automatically work for every piece of data coming from this product (Email box).
  5. Assign the Visual Family that most represents the data – in our example we can skip this step as ‘MailRelayOrTAP’ has already been selected following the deployment of the Zero to Hero use case.
  6. Switch to Mapping and map the following Entity Fields:
    SourceUserName, DestinationUserName, DestinationURL, EmailSubject.
    This can be done by double clicking each and selecting the raw data field for that entity in the Extracted Field. As you can see in the screenshot below, you can provide alternative fields from which to extract the information from.
  7. In order to see what the original fields are in the email, click on the Raw Event Properties table in the top right corner.

Need more help with this?
Click here to open a Support ticket

Was this helpful?

Yes No
You indicated this topic was not helpful to you ...
Could you please leave a comment telling us why? Thank you!
Thanks for your feedback.