EntityInfo Lists
Page Layout
This page allows you to upload an entity table for use with event buckets.
An entity table attaches a value or description to an ID or code. For example, an AD event entity table maps Windows Active Directory event codes to their meanings/descriptions.
Clicking the “+” button allows you to import a preconfigured CSV file containing one or more entity tables. Clicking the “< Options” button displays further buttons, including: (1) the “GITHUB” button, which imports preconfigured entity tables from the Fluency GitHub repository; and (2) the “EXPORT” button, which exports all currently configured entity tables into a JSON file.
Using an Entity Table
To view an entity table, click the list icon on the right of the page. For example, in the EventID_WatchList entity table, the left column holds event ID codes and each code maps to a description of its meaning: code 1102 means “The audit log was cleared.”
To use an entity table, navigate to EventWatch->EventWatch Rules Page, choose the rule you’d like to edit and click the pencil icon:
This is an example of an EventID WatchList bucket. In the Search Filters field, @fields.EventID is set so that it must match an event ID from the EventID_WatchList table. This filters the feed down to only the critical event IDs in the table, and it also attaches the entity table to the event feed, so that when an event ID matches, its description from the table is attached to the event as well.
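To make the filter-plus-enrichment behaviour concrete, here is an added example (not Fluency's own code, and not its CSV or JSON format) that loads a small entity table from CSV and applies it to a handful of constructed events. The column names EventID and Description, the @fields layout, and the rows other than 1102 are assumptions for the sake of the example.

```python
import copy
import csv
import io
import json

# Constructed sample entity table in CSV form. The column names are an
# assumption for this example, not Fluency's actual import format. Code 1102
# comes from the page; the other two rows are well-known Windows Security
# event IDs added here as sample data.
ENTITY_TABLE_CSV = """EventID,Description
1102,The audit log was cleared.
4720,A user account was created.
4726,A user account was deleted.
"""

# Constructed sample events shaped like JSON documents carrying an EventID.
# IDs arrive as either int or str, and one event has no EventID at all.
SAMPLE_EVENTS = [
    {"@fields": {"EventID": 4624, "Computer": "dc01"}},
    {"@fields": {"EventID": 1102, "Computer": "dc01"}},
    {"@fields": {"EventID": "4720", "Computer": "ws07"}},
    {"@fields": {"Computer": "ws07"}},
]


def load_entity_table(csv_text):
    """Parse a two-column CSV (ID, description) into a dict keyed by ID string."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = row["EventID"].strip()
        if not key:
            continue  # skip blank rows rather than creating an empty key
        table[key] = row["Description"].strip()
    return table


def enrich(events, table, field="EventID"):
    """Keep only events whose ID is in the table and attach its description.

    This mirrors the watch-list bucket: the search filter drops events whose
    ID is not in the table, and each surviving event gains a new field that
    carries the table's description for that ID.
    """
    out = []
    for event in events:
        fields = event.get("@fields", {})
        if field not in fields:
            continue  # no ID to match on; the filter excludes it
        key = str(fields[field]).strip()  # normalise int/str IDs to one key
        desc = table.get(key)
        if desc is None:
            continue  # not a watched ID
        enriched = copy.deepcopy(event)  # never mutate the caller's event
        enriched["@fields"][field + "_Description"] = desc
        out.append(enriched)
    return out


if __name__ == "__main__":
    watch_list = load_entity_table(ENTITY_TABLE_CSV)
    for matched in enrich(SAMPLE_EVENTS, watch_list):
        print(json.dumps(matched))
```

Note that the lookup key is normalised to a string on both sides; in practice event IDs show up as integers in some sources and strings in others, and a table that silently misses one form is a common reason a watch-list rule never fires.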
Page last updated: 2023 Aug 01 17:23:14 EDT