Using Entity Graph for dynamic mappings?

I have a question about the Entity Graph, specifically whether I can customise it and use it for non-default purposes. Here is a simple use case; I’d like to know if it’s possible and, if so, how I can go about it.

We log information about customer activity. Customers have an ID, but they also have multiple accounts, each with their own Account ID. Some events have only customer ID, or only account ID, while other events will record both CID and AID.

I would like to create a mapping in the Graph that is updated automatically when Chronicle sees a log with both IDs, such that when a log with only one of the IDs is seen, it can be enriched with the missing data. So if the log only has CID, then it is enriched with all known AIDs from the Graph, and when it has just an AID, it is enriched with the parent CID from the Graph.

Is this possible?

1 REPLY

There are 2 issues at the moment: there is no way to model the multiple userids to a USER entity in the proto today. That means you have to create a different entity for every userid of the user. Even though we can map the other userids to "additional", it's not used for enrichment and can't be used in queries, so there is no use in doing so.
What we can do today is create a data table and have the rules update the data table (this ability is now in preview with an extension to YARA-L called export). But this use of data tables for what you are trying to do is limited to rules only. The events will NOT be automatically enriched.
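
The mapping logic described in the question, modeled in Python outside Chronicle as an added example (it is not part of the original posts and not Chronicle functionality; per the reply, Chronicle does not enrich events this way). The `cid`/`aid` keys, the `IdGraph` class and the sample events are constructed assumptions.

```python
from collections import defaultdict

class IdGraph:
    """Learns CID <-> AID links from events that carry both IDs."""
    def __init__(self):
        self.aids_by_cid = defaultdict(set)  # one customer, many accounts
        self.cid_by_aid = {}                 # one account, one parent customer
        self.conflicts = []                  # (aid, known_cid, claimed_cid)

    def learn(self, event):
        cid, aid = event.get("cid"), event.get("aid")
        if not (cid and aid):
            return False
        known = self.cid_by_aid.get(aid)
        if known is not None and known != cid:
            # Account seen under a second customer: keep the first link and
            # record the disagreement instead of silently overwriting it.
            self.conflicts.append((aid, known, cid))
            return False
        self.cid_by_aid[aid] = cid
        self.aids_by_cid[cid].add(aid)
        return True

    def enrich(self, event):
        out = dict(event)
        cid, aid = event.get("cid"), event.get("aid")
        if cid and not aid:
            out["known_aids"] = sorted(self.aids_by_cid.get(cid, ()))
        elif aid and not cid:
            out["parent_cid"] = self.cid_by_aid.get(aid)
        return out

def process(events):
    """Learn from each event, then enrich it with what is known so far."""
    graph, enriched = IdGraph(), []
    for ev in events:
        graph.learn(ev)
        enriched.append(graph.enrich(ev))
    return graph, enriched

# Constructed sample events, in arrival order.
SAMPLE = [
    {"id": 1, "aid": "A-1"},                # arrives before any link is known
    {"id": 2, "cid": "C-9", "aid": "A-1"},
    {"id": 3, "cid": "C-9", "aid": "A-2"},
    {"id": 4, "cid": "C-9"},                # gets both known AIDs
    {"id": 5, "aid": "A-2"},                # gets parent CID
    {"id": 6, "cid": "C-7", "aid": "A-1"},  # conflicts with the C-9 link
]
```

Event 1 stays unenriched because the link is learned only later, which is the same ordering limit any lookup table populated by rules would have.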