EntityInfo Lists

Page Layout

This page allows you to upload an entity table for use with event buckets.

An entity table attaches values or descriptions to an ID or code. For example, an AD event entity table matches AD event codes to their meanings/descriptions.

Clicking the "+" button in the upper right corner allows you to import a preconfigured CSV file containing entity table(s).

To the left of the "+" button, the "< Options" button displays another three buttons when you click it: (1) the "GITHUB" button, which imports preconfigured entity table(s) from the Fluency GitHub repository; (2) the "EXPORT" button, which exports all currently configured entity tables into a JSON file.

On the right side of the table, each row has three action icons: list, gear, and bin. Click the gear icon to edit an EntityInfo list.

Using an Entity Table

To see an entity table, click the list icon on the right of the page. For example, below is the "EventID_WatchList" entity table. The leftmost column contains EventID codes, and each code maps to a description of its meaning. For example, code 4618 means "A monitored security event pattern has occurred."

You can edit the EventID or Description by clicking the pencil icon to the right of the table.

To use an entity table, navigate to the EventWatch -> EventWatch Rules page, choose the rule you'd like to edit, and click the pencil icon:

This is an example of an "EventID WatchList" bucket. In the Search Filters field, "@fields.EventID" is set so that it must match event IDs from the "EventID_WatchList" table. This does two things: it filters the feed down to events with critical event IDs, and it attaches the entity table to the event feed, so that when an event ID matches, its description is attached to the event as well.
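The filter-and-attach behavior described above can be reproduced offline to check a watch list before uploading it. This is an added example, not Fluency's code: the CSV column names, the event shape, the `entity_description` output field and all function names are assumptions, and the sample rows and events are constructed (only the 4618 description comes from this page).

```python
import csv
import io

# Constructed sample table; column names are assumptions, not Fluency's CSV schema.
WATCHLIST_CSV = """EventID,Description
4618,A monitored security event pattern has occurred.
1102,The audit log was cleared.
4719,System audit policy was changed.
"""

def load_entity_table(text):
    """Parse the CSV into {event_id_as_string: description}."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row.get("EventID") or "").strip()
        if key:
            table[key] = (row.get("Description") or "").strip()
    return table

def normalize_id(value):
    """Event IDs may arrive as int or str depending on the parser; compare as strings."""
    if value is None or isinstance(value, bool):
        return None
    return str(value).strip() or None

def watch(events, table):
    """Keep only events whose @fields.EventID is in the table and attach its description."""
    matched = []
    for event in events:
        fields = event.get("@fields")
        if not isinstance(fields, dict):
            continue  # event carries no parsed fields, so it cannot match
        key = normalize_id(fields.get("EventID"))
        if key in table:
            enriched = dict(event)  # copy so the original event is not modified
            enriched["entity_description"] = table[key]  # hypothetical field name
            matched.append(enriched)
    return matched

# Constructed sample events: int ID, padded string ID, unlisted ID, no fields.
EVENTS = [
    {"@fields": {"EventID": 4618}},
    {"@fields": {"EventID": "1102 "}},
    {"@fields": {"EventID": 4624}},
    {"@message": "no fields"},
]
```

Comparing IDs as trimmed strings avoids the silent miss that occurs when the table holds "4618" and the event carries the integer 4618.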

Page last updated: 2023 Aug 01 17:23:14 EDT