
Let's say I bring in context data, which contains the entities of an asset (hostname, username, MAC, IP, agents installed, etc.).

I have created a parser to parse all the required entities.

Will this help me in enriching other missing entities in other log sources? For example, I have a firewall log where only the hostname and username are present in the log. Will it enrich the remaining entities associated with the host and username, like the MAC and its associated IP?

Yes, if you build out those entities, then when new events come in with matching values they will be enriched with that entity data, as long as the data is parsed into the appropriate fields on both the entity and the event.


The fields used for matching an event to an entity depend on the type of entity. There is a list of the entity side of this match here: https://cloud.google.com/chronicle/docs/event-processing/data-enrichment#enrich_entities_merging . On the event side, those values should get matched on any Noun on the event, and the rest of the entity will be pulled into enriched fields. E.g. principal.hostname, source.hostname or target.hostname on an event will match entity.asset.hostname and enrich the event with the rest of the entity.asset data.


Note: There is a 5-day lookback on the entity side of this process (except for IOCs with interval data). You'll need to re-ingest your entity data more frequently than that to ensure enrichment functions properly; typically orgs re-ingest this context data on a daily schedule.
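To make the matching rule above concrete, here is an added, constructed simulation of the enrichment step; it is not Chronicle's code and does not call the Chronicle API. It assumes entity context records carry an `asset` block plus an ingestion timestamp, that an event noun (`principal`, `source`, `target`) is matched on `hostname` against `entity.asset.hostname` (case-insensitively, which is an assumption), that every other `asset` field is copied into the matching noun, and that entity records ingested more than 5 days before the event are ignored, mirroring the lookback the answer describes. The entity records and the firewall event are made up for the example.

```python
"""Constructed simulation of entity enrichment (added example, not Chronicle code).

Assumptions (none of this is Chronicle's actual implementation):
- entity records carry an `asset` block and an `ingested` timestamp
- event nouns (principal / source / target) are matched on `hostname`
  against entity.asset.hostname, case-insensitively
- all other asset fields are copied into the matching noun
- entity records older than the 5-day lookback are not used
"""
from datetime import datetime, timedelta, timezone

LOOKBACK = timedelta(days=5)
NOUNS = ("principal", "source", "target")

# Constructed entity context, as if parsed from an asset-inventory export.
ENTITIES = [
    {
        "ingested": datetime(2024, 6, 10, tzinfo=timezone.utc),
        "asset": {
            "hostname": "ws-0042",
            "ip": ["10.1.2.42"],
            "mac": ["00:11:22:33:44:55"],
            "agents": ["edr", "dlp"],
        },
    },
    {
        # Ingested well over 5 days before the event: outside the lookback,
        # so it must not enrich anything until it is re-ingested.
        "ingested": datetime(2024, 5, 1, tzinfo=timezone.utc),
        "asset": {"hostname": "srv-db01", "ip": ["10.1.5.10"], "mac": ["aa:bb:cc:dd:ee:ff"]},
    },
]


def build_index(entities, now):
    """Index entity.asset records by lower-cased hostname, dropping stale ones."""
    index = {}
    for ent in entities:
        if now - ent["ingested"] > LOOKBACK:
            continue  # outside the lookback window: treated as absent
        asset = ent["asset"]
        index[asset["hostname"].lower()] = asset
    return index


def enrich(event, index):
    """Return a copy of the event with each noun enriched from the matching asset."""
    out = dict(event)
    for noun in NOUNS:
        block = event.get(noun)
        if not block or "hostname" not in block:
            continue  # nothing to match on for this noun
        asset = index.get(block["hostname"].lower())
        if asset is None:
            continue  # no (fresh) entity for this hostname
        enriched = dict(block)
        for key, value in asset.items():
            # Copy every asset field the event did not already carry.
            if key not in enriched:
                enriched[key] = value
        out[noun] = enriched
    return out


# Constructed firewall event: only hostname and user are present on the principal.
FIREWALL_EVENT = {
    "metadata": {"event_type": "NETWORK_CONNECTION"},
    "principal": {"hostname": "WS-0042", "user": {"userid": "alice"}},
    "target": {"hostname": "srv-db01", "port": 5432},
}


def demo(now=datetime(2024, 6, 12, tzinfo=timezone.utc)):
    """Enrich the constructed firewall event against the constructed entity set."""
    return enrich(FIREWALL_EVENT, build_index(ENTITIES, now))


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Running it shows the principal picking up `ip`, `mac` and `agents` from the `ws-0042` asset while the target stays as it was, because the only entity for `srv-db01` is older than the lookback. That second case is the practical reason for the daily re-ingestion schedule mentioned above: a stale entity is indistinguishable from a missing one at enrichment time.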

