Entity Operations Using Analytics Rule Syntax

Evaluate and retrieve entity attributes using analytics rule syntax.

To know which entity in the event to evaluate, all entity-related functions require a selector as one of its arguments. Functions finds the first credential in the event that matches the selector conditions, then uses the credential to query Attack Surface Insights for an entity.Selector in Entity Functions

When you define the selector argument, ensure you use the correct syntax and understand the order in which functions select credentials matching the selector.Selector in Entity FunctionsSelector in Entity Functions

Function	Description	Returned Value	Examples
`EntityHasAttribute("selector", "attribute")`	Checks if the entity matching `selector` has a defined value for `attribute`.	Boolean	`EntityHasAttribute("type: User & direction: Dest", "department")` returns `true` if the destination user entity in the event has department information.
`EntityAttribute("selector", "attribute")`	Retrieves value of `attribute` for the entity matching `selector`.	Value of `attribute`	`EntityAttribute("type: User & direction: Dest", "department")` returns `"Product"` for the destination user in the event.
`EntityID("selector")`	Retrieves the ID of the entity associated with an event.	String	`EntityID("type: User & direction: Dest")` returns the ID for the destination user entity in the event.
`EntityIsLoggedToVpn("selector")`	Checks if the entity matching `selector` is logged into a VPN.	Boolean	`EntityIsLoggedToVPN("type: User & direction: Dest")` returns `true` if the destination user in the event is logged into a VPN.

Threat Detection ManagementThreat Detection Management Guide

Table of ContentsTable of Contents

Entity Operations Using Analytics Rule Syntax