This page allows you to upload an entity table for use with event buckets.
An entity table attaches values or descriptions to an ID or code. For example, an AD event entity table matches AD event codes to their meanings/descriptions.
Clicking the “IMPORT” button lets you import a preconfigured CSV file containing one or more entity tables. Clicking the “GITHUB” button lets you import preconfigured entity tables from the Fluency GitHub repository. Clicking the “EXPORT” button exports all currently configured entity tables into a single JSON file.
Above is the EventID_WatchList entity table. You can see that on the left are event ID codes, and each of these codes maps to a description of its meaning. For example, code 1102 means “The audit log was cleared.”
This is an example of an EventID WatchList bucket. In the Search Filters field, @fields.EventID is set so that it must match an event ID from the EventID_WatchList table. This filters the feed down to only the critical event IDs, and it also attaches the entity table to the bucket, so that when an event ID matches, its description from the table is attached to the event as well.
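The filter-and-enrich behaviour described above, as an added example that is not Fluency's own code and does not use its file formats: a small entity-table CSV (ID column mapped to a description column) is parsed into a lookup, then a stream of events is reduced to those whose @fields.EventID appears in the table, with the description attached to each kept event. The CSV column names, the JSON event shape, the EventDescription enrichment key and the sample events are all assumptions constructed for this example; the 1102 entry is the one given on the page, and the other Windows event IDs are included only as illustrative table rows.

```python
import csv
import io
import json

# Constructed sample of an entity-table CSV: an ID column mapped to a
# description column. This is an assumed layout, not Fluency's own format.
WATCHLIST_CSV = """EventID,Description
1102,The audit log was cleared.
4625,An account failed to log on.
4720,A user account was created.
"""

# Constructed sample events carrying an @fields.EventID value, as the bucket filter expects.
SAMPLE_EVENTS = [
    {"@fields": {"EventID": 1102, "Computer": "dc01"}},
    {"@fields": {"EventID": 4624, "Computer": "ws07"}},   # successful logon: not on the watchlist
    {"@fields": {"EventID": "4720", "Computer": "dc01"}},  # same ID, but arrives as a string
    {"@fields": {"Computer": "ws02"}},                     # no EventID field at all
]


def load_entity_table(csv_text, id_column="EventID", value_column="Description"):
    """Parse an entity table CSV into a dict of str(ID) -> description."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = row[id_column].strip()
        if not key:
            continue  # skip blank ID rows rather than creating an empty key
        table[key] = row[value_column].strip()
    return table


def get_field(event, path):
    """Resolve a dotted field path such as '@fields.EventID'; return None if absent."""
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def bucket_events(events, table, field="@fields.EventID", enrich_key="EventDescription"):
    """Keep only events whose field value is a key in the entity table and attach
    the matching description, so the meaning travels with the code to the analyst."""
    kept = []
    for event in events:
        value = get_field(event, field)
        if value is None:
            continue
        key = str(value).strip()  # normalise ints and strings to one key form
        if key not in table:
            continue
        enriched = json.loads(json.dumps(event))  # copy so the source feed is left untouched
        enriched[enrich_key] = table[key]
        kept.append(enriched)
    return kept


if __name__ == "__main__":
    watchlist = load_entity_table(WATCHLIST_CSV)
    for e in bucket_events(SAMPLE_EVENTS, watchlist):
        print(e["@fields"]["EventID"], "->", e["EventDescription"])
```

Running the block keeps two of the four sample events (1102 and 4720), each with its description attached; the non-watchlist ID and the event with no EventID are dropped. Normalising the ID to a string before lookup matters in practice, because the same code can arrive as an integer from one source and as a string from another, and a watchlist that only matches one form silently misses the other.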