Creating Custom Entity Types
There are currently 22* types of entity which can be used in many scenarios.
Perhaps there are some situations where it would be great to actually define what type the entity is, since a SOAR can ingest all sorts of things.
The objective for this would be to allow power users to define their custom entity types to better sort metadata that is ingested from a connector.
Here is an example on how this could be useful:
When using the Carbon Black integration, fetching events returns three types:
- parentapp_applicationName (represented by the Parent Name in the picture below.)
- selectedapp_applicationName (represented by the Process Name in the picture below.)
- targetapp_applicationName (represented by the Target Name in the picture below.)
In this scenario under Siemplify,
- The selectedapp_applicationName is "SourceProcessName".
- The targetapp_applicationName is "DestinationProcessName".
To better understand the event, the parentapp_applicationName is considered to be valuable information for the analyst.
We could use the "Generic" entity type to define this but what if you want to map another field to an entity type that doesn't exist?
The ontology and visual families can be a complex subject and many things should be taken into consideration. That is why this post is mostly to open a discussion about this to see where this could go!
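To make the mapping in this post concrete, here is an added example (not Siemplify or Carbon Black code) of a hypothetical entity-type registry: the two Carbon Black fields that already have a type map to it, parentapp_applicationName falls back to "Generic" until a power user registers a custom type for it, and a custom type cannot shadow a built-in one. The type names beyond those named in this thread, the event values and the `register`/`extract` functions are assumptions.

```python
import re
from dataclasses import dataclass

# Entity types named in this thread (the full built-in list is not on this page).
BUILTIN_ENTITY_TYPES = {"SourceProcessName", "DestinationProcessName", "Generic"}

# Carbon Black fields considered entity candidates, as listed in the post.
CANDIDATE_FIELDS = (
    "parentapp_applicationName",
    "selectedapp_applicationName",
    "targetapp_applicationName",
)

# Default field-to-type mapping described above; parentapp has no type of its own yet.
DEFAULT_FIELD_MAP = {
    "selectedapp_applicationName": "SourceProcessName",
    "targetapp_applicationName": "DestinationProcessName",
}


@dataclass
class Entity:
    entity_type: str
    identifier: str
    source_field: str  # kept so a Generic entity still records which field it came from


class EntityTypeRegistry:
    """Hypothetical registry that lets a power user add custom entity types."""

    _NAME_RE = re.compile(r"^[A-Z][A-Za-z0-9]*$")

    def __init__(self):
        self.types = set(BUILTIN_ENTITY_TYPES)
        self.field_map = dict(DEFAULT_FIELD_MAP)

    def register(self, type_name, source_field):
        # Reject malformed names and clashes, so a custom type cannot silently
        # replace a built-in one or an earlier custom one.
        if not self._NAME_RE.match(type_name):
            raise ValueError(f"invalid entity type name: {type_name!r}")
        if type_name in self.types:
            raise ValueError(f"entity type already exists: {type_name}")
        if source_field not in CANDIDATE_FIELDS:
            raise ValueError(f"unknown connector field: {source_field}")
        self.types.add(type_name)
        self.field_map[source_field] = type_name

    def extract(self, event):
        # Unmapped candidate fields become Generic entities instead of being dropped.
        entities = []
        for fld in CANDIDATE_FIELDS:
            value = event.get(fld)
            if value:
                entities.append(Entity(self.field_map.get(fld, "Generic"), str(value).strip(), fld))
        return entities
```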
I'd add that common types from industry standards should also be considered, i.e. STIX - https://oasis-open.github.io/cti-documentation/stix/intro.html
I think this is a little off topic for this thread, but integrations like these (STIX, CybOX, YARA rules etc.) are definitely something that could be extremely useful to detect attack patterns and malicious behaviors. I'd recommend making a new suggestion about this.
It would be a pleasure to add more details about this!
@Antoine Lafond - okay I will create a separate thread :)