This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Searching Entity Data

Posted a month ago
JaredBloomberg
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hello,

If I understand correctly you currently cannot use UDM search to look at entity data directly? For example, if I type in metadata.entity_type != "" I get an error saying that that field does not exist. Is there some other way to directly query/search the entity data in Chronicle?

Solved Solved
1 3 98
Topic Labels
Jump to Solution
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
citreno
Bronze 2
Bronze 2
Reply posted on --/--/---- --:-- AM

It's tough, with some licenses you can use BigQuery to search it but the newer license model doesn't automatically include BQ access. There's two main ways I'm aware of - one is using a dashboards you can use the entity data model to build a data visualization. The second is using TestRule but you have to correlate it with some sort of UDM event as well, so your search needs to be $udm and $graph event at the same time, like in this example. Both are a little awkward but workable with enough commitment and sifting. That said it appears support for this type of search may be coming in the roadmap as part of the YL2 revamp, so hoping the Google team will have good news on that front soon. 

View solution in original post

Jump to Solution
3 REPLIES 3

Posted on --/--/---- --:-- AM
citreno
Bronze 2
Bronze 2
Reply posted on --/--/---- --:-- AM

It's tough, with some licenses you can use BigQuery to search it but the newer license model doesn't automatically include BQ access. There's two main ways I'm aware of - one is using a dashboards you can use the entity data model to build a data visualization. The second is using TestRule but you have to correlate it with some sort of UDM event as well, so your search needs to be $udm and $graph event at the same time, like in this example. Both are a little awkward but workable with enough commitment and sifting. That said it appears support for this type of search may be coming in the roadmap as part of the YL2 revamp, so hoping the Google team will have good news on that front soon. 

Jump to Solution

Posted on --/--/---- --:-- AM
JaredBloomberg
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

That is actually very helpful, thank you!

Jump to Solution

Posted on --/--/---- --:-- AM
Mustache
Bronze 5
Bronze 5
Reply posted on --/--/---- --:-- AM

If your environment has ingested an entity, you can query that entity (such as an IP). On the overview page of the UDM search, you will then get the entity information, for example an IP will show you the IP, it's prevalance, etc. At the bottom-right of that first block of info, you will see "VIEW MORE". This is alluded to in the screenshots via @citreno's example link

If you click that, it will show you more graph information. You can then start to correlate graph data regarding the type of entity you're searching for (domain name, IP, user, etc etc etc) 

I hope this helps!

Mustache_0-1715998612580.png

 

Jump to Solution
0 Likes