Threat Detection Management Guide

Entity Operations Using Analytics Rule Syntax

Evaluate and retrieve entity attributes using analytics rule syntax.

To know which entity in the event to evaluate, every entity-related function requires a selector as one of its arguments. The function finds the first credential in the event that matches the selector conditions, then uses that credential to query Attack Surface Insights for an entity.

When you define the selector argument, ensure you use the correct syntax and understand the order in which functions select credentials matching the selector.

| Function | Description | Returned Value | Examples |
|---|---|---|---|
| EntityHasAttribute('selector', 'attribute') | Checks if the entity matching selector has a defined value for attribute. | Boolean | EntityHasAttribute('type: User & direction: Dest', 'department') returns true if the destination user entity in the event has department information. |
| EntityHasAttributeValue('selector', 'attribute', 'attribute_value') | Checks if the entity matching selector has the defined value attribute_value for attribute. | Boolean | EntityHasAttributeValue('type: User & direction: Dest', 'department', 'Product') returns true if the destination user entity in the event is in the Product department. |
| EntityAttribute('selector', 'attribute') | Retrieves the value of attribute for the entity matching selector. | Value of attribute | EntityAttribute('type: User & direction: Dest', 'department') returns 'Product' for the destination user in the event. |
| EntityID('selector') | Retrieves the ID of the entity matching selector in the event. | String | EntityID('type: User & direction: Dest') returns the ID for the destination user entity in the event. |
| EntityIsLoggedToVpn('selector') | Checks if the entity matching selector is logged into a VPN. | Boolean | EntityIsLoggedToVPN('type: User & direction: Dest') returns true if the destination user in the event is logged into a VPN. |

Selector in Entity Functions

Use the selector argument to specify which entities the entity-related functions in analytics rules evaluate.

The selector is an argument in all entity-related functions that tells the function which entity in the event to evaluate. The function finds the first credential in the event that matches the selector criteria, then uses the credential to query Attack Surface Insights for an entity.

Selector Syntax

The selector argument is a string. With the selector, you can specify two criteria:

  1. The entity type; either type: User or type: Device

  2. The network traffic direction; either direction: Source or direction: Dest

You can specify only one criterion, or both the type and direction criteria. To specify both criteria, use the & operator; for example, "type: User & direction: Dest". You can't use a logical "or" operator.

Selector Credential Selection Order

There is a specific order in which a function looks for credentials matching its selector argument. If a credential doesn't exist in the event, the function looks for the next credential in the sequence. The function uses the first credential that matches its selector to query Attack Surface Insights.

Credential Selection Order for "type: User" Selector

If the selector is "type: User", the function looks for the specific user credentials in the following order:

  1. domain_user_name

  2. local_user_name

  3. account_user_name

  4. database_user_name

  5. src_email_address

  6. email_address

  7. employee_id

  8. badge_id

  9. user_sid

  10. dest_domain_user_name

  11. dest_local_user_name

  12. dest_email_address

Credential Selection Order for "type: Device" Selector

If the selector is "type: Device", the function looks for the specific device credentials in the following order:

  1. src_host

  2. dest_host

Credential Selection Order for "direction: Source" Selector

If the selector is "direction: Source", the function looks for the specific source entity credentials in the following order:

  1. domain_user_name

  2. local_user_name

  3. account_user_name

  4. database_user_name

  5. src_email_address

  6. email_address

  7. employee_id

  8. badge_id

  9. user_sid

  10. src_host

Credential Selection Order for "direction: Dest" Selector

If the selector is "direction: Dest", the function looks for the specific destination entity credentials in the following order:

  1. dest_domain_user_name

  2. dest_local_user_name

  3. dest_email_address

  4. dest_host

Credential Selection Order for "type: User & direction: Source" Selector

If the selector is "type: User & direction: Source", the function looks for the specific source user credentials in the following order:

  1. domain_user_name

  2. local_user_name

  3. account_user_name

  4. database_user_name

  5. src_email_address

  6. email_address

  7. employee_id

  8. badge_id

  9. user_sid

Credential Selection Order for "type: User & direction: Dest" Selector

If the selector is "type: User & direction: Dest", the function looks for the specific destination user credentials in the following order:

  1. dest_domain_user_name

  2. dest_local_user_name

  3. dest_email_address

Credential Selection Order for "type: Device & direction: Source" Selector

If the selector is "type: Device & direction: Source", the function looks for the src_host credential.

Credential Selection Order for "type: Device & direction: Dest" Selector

If the selector is "type: Device & direction: Dest", the function looks for the dest_host credential.
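The following Python is an added illustration, not the product's own code: it models the selector grammar and the credential selection orders listed above and returns the event field a function would use to query Attack Surface Insights. The sample event is constructed; it carries only a source host and a destination domain user, which shows how a bare "type: User" selector falls through the nine source user fields and resolves to the destination user.

```python
"""Reference model of selector parsing and credential selection order.
Added illustration of this page's rules, not the product's own code."""
from typing import Optional

# Field orders exactly as listed in the selection-order sections above.
USER_FIELDS = [
    "domain_user_name", "local_user_name", "account_user_name",
    "database_user_name", "src_email_address", "email_address",
    "employee_id", "badge_id", "user_sid",
]
DEST_USER_FIELDS = ["dest_domain_user_name", "dest_local_user_name", "dest_email_address"]

# (type, direction) -> ordered credential fields; None means "not specified".
SELECTION_ORDER = {
    ("User", None): USER_FIELDS + DEST_USER_FIELDS,
    ("Device", None): ["src_host", "dest_host"],
    (None, "Source"): USER_FIELDS + ["src_host"],
    (None, "Dest"): DEST_USER_FIELDS + ["dest_host"],
    ("User", "Source"): USER_FIELDS,
    ("User", "Dest"): DEST_USER_FIELDS,
    ("Device", "Source"): ["src_host"],
    ("Device", "Dest"): ["dest_host"],
}

def parse_selector(selector: str) -> tuple:
    """Parse 'type: X & direction: Y'; either term optional, '&' is the only operator."""
    entity_type = direction = None
    for term in selector.split("&"):
        key, _, value = (s.strip() for s in term.partition(":"))
        if key == "type" and value in ("User", "Device") and entity_type is None:
            entity_type = value
        elif key == "direction" and value in ("Source", "Dest") and direction is None:
            direction = value
        else:  # unknown key, bad value, duplicate term, or an unsupported 'or'
            raise ValueError(f"invalid selector term: {term.strip()!r}")
    if entity_type is None and direction is None:
        raise ValueError("selector needs a type or a direction")
    return entity_type, direction

def select_credential(selector: str, event: dict) -> Optional[tuple]:
    """Return (field, value) of the first populated credential in selector order."""
    for field in SELECTION_ORDER[parse_selector(selector)]:
        if event.get(field):
            return field, event[field]
    return None  # no matching credential present: nothing to look up

# Constructed sample event: only a source host and a destination domain user.
EVENT = {"src_host": "ws-0451", "dest_domain_user_name": "svc-backup"}
```

When writing a rule, pair type with direction whenever the event can carry credentials for both ends; otherwise the fallback order may silently pick the other party's credential.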