Question

Issue in enriching event data using entities

  • January 2, 2026
  • 1 reply
  • 95 views

Kunj_Gupta

I am facing a few issues while performing event enrichment using entities.

  1. One of the issues is related to partial data availability in the Overview tab. When I search for an entity in Google SecOps SIEM search and select any row in the Results section, a panel opens on the right-hand side displaying the entity details (as shown in the image below).

When I navigate to the Entities section from the top-right corner, I am presented with the following view.

Upon clicking the listed Entity IP, a new window opens that is expected to display the entity details. However, in this case, no data related to the selected entity is displayed.

After that, when I switch to the Overview tab (next to the Results tab) and click the View More button within the Entity Summary section, significantly less data is displayed compared to the Results section. Overall, the information shown in the Overview tab appears to be incomplete or only partially populated.

  2. Another issue is related to event enrichment based on different types of entities. In this case, I already have an existing Entity IP provided by the GCP_COMPUTE_CONTEXT log source. Later, when I ingest an event that contains this same Entity IP, the parsed event gets enriched. This can be identified by the “E” indicator highlighted in green, which shows that the field was populated as a result of enrichment.

On the other hand, when an Entity IP is ingested through a custom parser, events containing that same Entity IP do not get enriched. In this case, there is no field marked with the “E” label, which indicates that no fields were added through the enrichment process.

  3. The last issue is regarding whether enrichment works only for simple entities or if it also applies to IoC entities. A simple entity refers to an entity that does not contain any associated threat information. In contrast, an IoC (Indicator of Compromise) entity represents specific threat data (like malicious IPs, domains, file hashes, URLs) that is ingested and stored in the Entity Graph.

Can someone kindly guide me:

  • How can I view complete information about entities in the Overview tab?
  • Why is data not populating under the Entities section in the Results page for a particular entity?
  • Why is event enrichment working for a few entities and not working for entities ingested through a custom parser?
  • Does enrichment work only for simple entities and not for IoC entities?

1 reply

ErikaB
Community Manager
  • January 15, 2026

Hi @Kunj_Gupta

Thanks for your post! We’ve taken a look at this internally and think the best way forward is to open a support ticket in the Google Cloud Console so our team can dive into the logs with you.