Asset and Entity Resolution
  • 08 Oct 2024

What is it?

Minimize manual effort to collect an up-to-date and ever-changing asset inventory with Entity Resolution powered by DataBee. Entity Resolution is a technique to identify and maintain data records that refer to the same real-world entity, such as a user or device. DataBee takes in data from all of your data sources to create a comprehensive entity inventory of users and devices based on what you are streaming through the system. DataBee supports ingestion from a variety of sources to keep your asset hygiene in check. It can ingest from a variety of traditional sources for asset management such as your CMDB, Directory Services, and Vulnerability Scanner. It also can learn about your users and devices from non-traditional data sources such as network traffic, authentication logs, and anything else streamed through DataBee that contains a reference to a user or device.  

How does it work?

Each event is inspected for potentially correlatable fields to enhance what is known about the organization. This includes fields such as email, username, hostname, IP, MAC address, etc. If there is no existing record of the user or device, the newly identified information is added to the entity inventory. The service aggregates information across data sources, merging any duplicate entries as new data becomes available, and can suggest potential owners of devices. Entity Resolution generates a unique ID for each device and user as part of identity resolution and enriches the raw event by assigning the device ID and the user ID to each event. This minimizes manual effort to collect an up-to-date and ever-changing asset inventory.

[Diagram: Entity Resolution data processing flow]


Asset and Owner Discovery

Asset Discovery 

Entity Resolution maintains an inventory of known assets in your organization. This enables continuous discovery of previously unknown or orphaned assets based on events streamed through DataBee.  

Owner Discovery

DataBee provides a starting point for identifying and validating the owner of a device. When a new device is discovered and no owner is indicated, DataBee leverages the Authentication events streaming through the platform to suggest potential owners of the device. The system tracks who logs into the device over the last seven days and uses statistical analysis to suggest the three most likely owners.

The Potential Owners are listed in the Entity Details section of the Entity View page. They are presented as clickable links, to facilitate easy pivoting to the user’s Entity View to validate the owner. After confirming ownership, the CMDB should be updated. DataBee will then receive logs from the CMDB noting the confirmed ownership and the device will no longer be part of the owner discovery process.
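As an added illustration of the owner-discovery step described above, the following Python model is not DataBee's code: it ranks candidate owners of a device by counting successful authentication events in a trailing seven-day window. The simple frequency count standing in for the page's "statistical analysis", the event field names (time, device, user, status) and the sample events are all assumptions constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed authentication events (not real DataBee data); times are UTC ISO-8601.
AUTH_EVENTS = [
    {"time": "2024-10-02T08:01:00Z", "device": "lt-0042", "user": "alice", "status": "Success"},
    {"time": "2024-10-03T08:05:00Z", "device": "lt-0042", "user": "alice", "status": "Success"},
    {"time": "2024-10-04T08:02:00Z", "device": "lt-0042", "user": "alice", "status": "Success"},
    {"time": "2024-10-07T09:10:00Z", "device": "lt-0042", "user": "alice", "status": "Success"},
    {"time": "2024-10-02T12:30:00Z", "device": "lt-0042", "user": "bob", "status": "Success"},
    {"time": "2024-10-05T12:31:00Z", "device": "lt-0042", "user": "bob", "status": "Success"},
    {"time": "2024-10-06T17:00:00Z", "device": "lt-0042", "user": "carol", "status": "Success"},
    {"time": "2024-09-20T08:00:00Z", "device": "lt-0042", "user": "dave", "status": "Success"},   # outside window
    {"time": "2024-10-06T03:00:00Z", "device": "lt-0042", "user": "eve", "status": "Failure"},    # failed logon
    {"time": "2024-10-06T10:00:00Z", "device": "srv-db-01", "user": "bob", "status": "Success"},  # other device
]

# The "now" the window is measured from; fixed so the sample is reproducible.
AS_OF = datetime(2024, 10, 8, tzinfo=timezone.utc)


def _parse(ts):
    # datetime.fromisoformat() accepts the trailing "Z" only on Python 3.11+, so normalize it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def suggest_owners(events, device, as_of=AS_OF, window_days=7, top_n=3):
    """Rank candidate owners of `device` by successful logons in the trailing window.

    Returns [(user, share_of_logons), ...] with the most frequent user first,
    at most `top_n` entries; the share is the probability shown on hover in the UI.
    """
    start = as_of - timedelta(days=window_days)
    counts = Counter()
    for ev in events:
        if ev["device"] != device or ev["status"] != "Success":
            continue  # only successful logons to this device count
        t = _parse(ev["time"])
        if start <= t <= as_of:
            counts[ev["user"]] += 1
    total = sum(counts.values())
    if total == 0:
        return []  # nothing seen in the window: no suggestion
    return [(user, n / total) for user, n in counts.most_common(top_n)]


if __name__ == "__main__":
    for user, share in suggest_owners(AUTH_EVENTS, "lt-0042"):
        print(f"{user}: {share:.0%}")
```

With the sample above, alice accounts for 4 of the 7 in-window logons, bob for 2 and carol for 1; dave's logon is older than the window and eve's failed attempt is ignored. Shared workstations and administrators who log on to many hosts will rank highly on every device they touch, which is why the page has an analyst validate the suggestion in the Entity View before the CMDB is updated.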

Feed Prioritization

Not all data feeds have the same fidelity for entity-related context. DataBee allows for the exclusion of feed sources from Entity Resolution as well as configuration of log provider prioritizations. Note that a single feed may contain multiple log providers. These inputs are leveraged directly by Entity Resolution when collisions or conflicting information are present, to reduce metadata thrashing (i.e., unnecessary updates to the entity metadata).

For example, if a device is first seen in network traffic, preliminary information about the device will be added to DataBee such as the hostname and IP. Over time, the CMDB, your source of truth, provides an update on the device’s IP. DataBee will overwrite the associated IP based on the CMDB update if the CMDB feed is prioritized over the network traffic.  
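The following Python model is an added illustration of two mechanisms on this page: the identifier-based merging from "How does it work?" (events sharing an email, username, hostname, IP or MAC collapse into one entity, which gets a stable ID that is stamped back onto each event) and the feed prioritization described just above (when feeds disagree on a field, the higher-priority feed's value wins). It is not DataBee's code; the feed order in FEED_PRIORITY, the flat field names in IDENTIFIER_FIELDS and the sample events are assumptions constructed for the example.

```python
import uuid
from collections import defaultdict

# Assumed feed priority, highest first; the page says this order is configurable per entity type.
FEED_PRIORITY = ["cmdb", "vuln_scanner", "network"]
# Device identifier fields the page names as correlatable (email/username would serve for users).
IDENTIFIER_FIELDS = ("hostname", "mac", "ip")

# Constructed sample events already flattened to simple field names (not real DataBee/OCSF records).
EVENTS = [
    {"feed": "network", "hostname": "lt-0042", "ip": "10.1.2.3"},
    {"feed": "network", "mac": "3c:22:fb:01:02:03", "ip": "10.1.2.3"},
    {"feed": "cmdb", "hostname": "lt-0042", "mac": "3c:22:fb:01:02:03", "ip": "10.1.9.9", "owner": "alice"},
    {"feed": "network", "hostname": "srv-db-01", "ip": "10.2.0.5", "os": "Linux"},
    {"feed": "vuln_scanner", "hostname": "srv-db-01", "ip": "10.2.0.5", "os": "Ubuntu 22.04"},
]


class UnionFind:
    """Disjoint-set over identifier tokens; events sharing any token collapse into one entity."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def _feed_rank(feed):
    # Lower is higher priority; feeds missing from the list rank below every configured one.
    return FEED_PRIORITY.index(feed) if feed in FEED_PRIORITY else len(FEED_PRIORITY)


def _tokens(event):
    return [f"{f}:{event[f]}" for f in IDENTIFIER_FIELDS if f in event]


def resolve_devices(events):
    """Return (entities, enriched_events).

    entities: {device_uid: {"identifiers": {field: [values]}, "attributes": {...}, "source": {field: feed}}}
    enriched_events: the input events with a 'device_uid' field added (None if no identifier was present).
    """
    uf = UnionFind()
    for ev in events:
        toks = _tokens(ev)
        for t in toks[1:]:
            uf.union(toks[0], t)

    groups = defaultdict(list)  # root token -> indexes of member events, in arrival order
    for i, ev in enumerate(events):
        toks = _tokens(ev)
        if toks:
            groups[uf.find(toks[0])].append(i)

    entities, uid_of = {}, {}
    for members in groups.values():
        # Apply lowest-priority feeds first so a higher-priority feed overwrites them;
        # within one feed the later event wins (sorted() is stable over arrival order).
        ordered = sorted(members, key=lambda i: -_feed_rank(events[i]["feed"]))
        attrs, source, identifiers = {}, {}, defaultdict(set)
        for i in ordered:
            for field, value in events[i].items():
                if field == "feed":
                    continue
                if field in IDENTIFIER_FIELDS:
                    identifiers[field].add(value)  # keep every identifier ever seen
                attrs[field] = value               # current value: highest-priority feed wins
                source[field] = events[i]["feed"]  # which feed supplied it (cf. the Backtrace icon)
        # Deterministic ID from the full identifier set so a re-run yields the same UID.
        name = "|".join(sorted(f"{k}:{v}" for k, vs in identifiers.items() for v in vs))
        uid = str(uuid.uuid5(uuid.NAMESPACE_URL, name))
        entities[uid] = {"identifiers": {k: sorted(v) for k, v in identifiers.items()},
                         "attributes": attrs, "source": source}
        for i in members:
            uid_of[i] = uid

    enriched = [{**ev, "device_uid": uid_of.get(i)} for i, ev in enumerate(events)]
    return entities, enriched


def find_entity(entities, hostname):
    """Look up an entity by any hostname it has been seen with."""
    for uid, ent in entities.items():
        if hostname in ent["identifiers"].get("hostname", []):
            return uid, ent
    return None, None
```

On the sample, the three lt-0042 events merge into one entity whose current IP is 10.1.9.9 from the CMDB even though network traffic reported 10.1.2.3, and srv-db-01 keeps the vulnerability scanner's "Ubuntu 22.04" over the network feed's "Linux". IP is a weak join key (DHCP reuse, NAT), so a model like this can collapse two distinct hosts that shared an address; excluding low-fidelity feeds and ignoring randomized MACs, as the configuration sections below allow, is how that kind of collision is damped in practice.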

Configurable Age Out

To keep the data fresh, DataBee removes stale entities based on user-configured inputs. If no events from any data feed are seen for a given entity over the configured time window, it is removed from the asset inventory. The stability of entities varies with their intended use, so DataBee allows age-outs to be configured per entity type. Cloud assets are often very volatile, so by default they age out after 7 days, whereas physical devices and users are much more likely to remain in the environment for a long time, so the default is to keep entity information for users and physical devices for a year.

Select an Owner

Navigate to the 'Potential Owners' section to view all the potential owners suggested by DataBee. Hovering over the potential owner’s name will reveal the probability that they are the owner compared to the other candidates. Click on the chain icon next to each owner to review the Entity View for each potential owner. Once you are able to verify who the correct owner is, click on the Select Owner button to choose the actual owner of the entity from the list.

The selected owner will then be added under the 'Owner' category. Only the primary owner for a device should be selected. To remove a selected owner, click on the Clear button next to the owner's name.

Entity Views

Security alerts often provide only limited information about the victim or attack, leading to challenges for SOC (Security Operations Center) analysts. They are bombarded with numerous alerts and other contextual information and struggle to piece together the complete picture of an incident. The Entity Views feature in DataBee is designed to reduce swiveling between screens and tools, minimizing manual effort and saving time. It accomplishes this by bringing together critical business context related to the victim, correlating assets with their respective business owners for more effective remediation.

Entity Views offers several key benefits to security operations which benefit CISOs (Chief Information Security Officers), security analysts, and GRC (Governance, Risk, and Compliance) analysts alike.

Enhanced Efficiency: Entity Views optimizes security detection workflows by presenting a consolidated view of critical information. This prioritizes the focus on critical assets and business-impacting events, streamlining the user's ability to efficiently address and respond to security threats. 

Increased Accuracy: Entity Views fosters precise decision-making by providing a comprehensive understanding of incidents. This proves especially crucial when responding to events affecting the business and when prioritizing alerts for effective action. 

Streamlined Remediation: It simplifies the process of remediation by offering a complete view of the incident and enabling swift actions. This ensures that security threats are addressed effectively.

Enriched Detection: Entity Views enhances detection capabilities by correlating assets with business context, helping identify the criticality of assets in real-time, and distinguishing between critical and non-critical assets when responding to alerts.

Asset Inventory Maintenance: It ensures an up-to-date asset inventory, which is essential for effective control monitoring coverage. This proactive approach to asset management minimizes security risks.

Clear Ownership: Entity Views establishes clear ownership relationships between assets and business owners promoting accountability.

GRC Continuous Controls Monitoring: Entity Views delivers instant visibility into an organization's internal controls and compliance processes, ensuring proactive risk management and regulatory adherence. 

Entity Search Page

The Entities Search page is designed to show the current, active state of devices or users, without displaying any duplicate entries.

Log in to the DataBee UI. Click on the Entities button and choose Device or User. If you click Search without applying any filters, you’ll see a list of all the active devices or users. Use the filter options to narrow down your search. To refine your search further, click Add Parameters and select the additional criteria you want to include. Next to As of, pick a date from the calendar to see all the entities that were active as of that date. After setting your filters, click Search. The results appear in a table showing only the active entities that match your criteria. Unlike the Search page, which includes a record for all changes to an entity, the Entities page shows only the latest metadata for active entities.

You can click on the search icon under the 'DETAILS' column to view the entity metadata details. Click the Columns dropdown button to view or toggle the currently selected options. To save a copy of the data table, click the Download button located above the table and select your preferred format, CSV or JSON; the file is downloaded to your device. You can customize the data table columns based on your requirements: click on the Customize button to add or remove columns. Column customizations are shared between the Entity Search and the Device and User table Search pages.

To access entity details from the Entity Search page, follow the steps below.

Once you log in to the DataBee UI, click on the Search button. Set your search parameters using the available filter options and click the Search button to execute the search query, which presents the information in a data table. To delve deeper into the details of a specific entity, locate the respective entry in the data table and click on the chain icon positioned under the respective hostname or IP address. Similarly, you can pivot to entity resolution from the "Findings" page by clicking on the chain icon displayed under the user name, device hostname, or analytic name.


This action directs you to another page displaying comprehensive information about the entity. To obtain entity details as of a specific date and time, enter the desired date and time; click Now to retrieve the latest version of the information instead. Here you'll find information about the selected host or IP, including device type, OS type and version, risk level, organization, MAC address, owner's name, first and last seen dates, and more.

Click View Full Details to access more comprehensive information about the device. To toggle visibility, click Hide User/Device Details to conceal the information or Show User/Device Details to reveal it again.

Click the backtrace icon next to the metadata like entity type, MAC address, and IP address. This action will open the Audit Trace modal, revealing the OCSF event responsible for providing that specific information.

DataBee Findings for an Entity

This button reflects the total number of DataBee findings over time. Click on it to access the Findings Summary, encompassing all findings within a specified time frame. Choose from the dropdown menu to set the timeframe, such as last year, month, week, day, or hour. The findings are visually presented in a line graph for easy interpretation.


Related Entities

The Related Entities visualization feature provides a dynamic node graph representation of the users and devices associated with the selected entity. This visualization allows you to observe the relationships and interactions over a specified timeline. You can pause, play, and replay the visual representation to analyze the connections thoroughly.

Types of Connections:

  • Finding: If the selected entity and another entity are mentioned in the same security finding, they are connected with a red line.

  • Authentication: If the selected entity and another entity appear in the same authentication event, they are connected with blue lines.

  • Ownership: If the selected entity is the owner of any other entities, they are connected with white lines.

To refine the visual representation of related entities, click on the Filter button. This allows you to customize which connections are displayed based on Findings, Authentication, and Ownership criteria.

Finding: Enable the Finding toggle button to filter by different types of findings. You can further specify by enabling toggle buttons for Security Finding, Vulnerable Finding, Compliance Finding, or Detection Finding based on your requirements.

Authentication: Enable the Authentication toggle button to filter authentication events. You can then select specific activities, authentication protocols, and statuses from the dropdown list.

Ownership: Enable the Ownership toggle button to filter by ownership relationships. You can also enable additional toggles for Additional Owner or Potential Owner. Furthermore, you can select the device type, device OS name, device organization name, and device group name from the dropdown list.

After configuring your filters, click Apply to update the node graph visualization according to your selected criteria.

Correlated Events

Click on this button to view the total number of correlated events identified. Specify the timeline to view the Events Summary, which presents an overview of correlated events within the selected timeframe. The summary is depicted in the form of a line graph for comprehensive visualization.

Click on any point on the line graphs, and you will be automatically redirected to the event timeline for that specific day, displaying all the relevant data.


Event Timeline

The event timeline shows a chronological history of activity correlated to the entity. You can customize which events are shown by using the filter option. Click on the Filter dropdown, which lists numerous event types under various domains: system activity, identity and access, network activity, discovery, and application activity. The event timeline section shows the date, time, event type, and a descriptive message for each event. You can click on the search symbol to delve into the details of security findings. Use the message filter to narrow down events by typing specific keywords or messages. You can optionally include events from the Device Owner when viewing a Device, or from all owned devices when viewing a user’s event timeline.

Click on Download Event History to download a JSON or CSV file representing the timeline data.

Click on Suppress to suppress a Security Finding in Active Detection Streams. To learn more about suppression of DataBee detection events see Suppress List.

Entity Resolution Configuration

Click on the settings icon at the top right corner of the UI. From the dropdown menu, select System.

From the left sidebar, select Entity Resolution. The "Entity Resolution" page helps you customize the entity details you want DataBee to showcase. You can exclude certain providers, set the priority order for providers, specify age-out time for users and devices, etc. Enter the details in the data fields for tailored results.

  • OCSF Activity Inclusion List: Click on the OCSF Activity Inclusion List to get a dropdown menu, then select all OCSF Activity class numbers that you want to include for entity resolution.

  • Feed Inclusion List: Click on the Feed Inclusion List to get a dropdown menu, then select all the feed providers you want to include for entity resolution. Newly created feeds are not automatically added to this list. This list determines which data sources are used to create and modify entities. To remove a choice at any time, come back and click on the cross icon next to the feed name.

  • Enable Owner Inference: Allow DataBee to predict owners of unclaimed devices

  • Owner Inference Wait Period: Set how often DataBee should predict owners

After entering the data in the fields click on Submit.

Entity Type Specific Configuration Options

Some configuration options are specific to the type of entity.

  • Feed Exclusion List: Select data feeds to ignore only for this particular entity type

  • Feed Priority: DataBee extracts information about an entity from various sources. Click on the dropdown list and select the feeds you prioritize for obtaining information. Drag and adjust to set them in the order of priority. If you wish to delete a provider, click on the trash icon associated with the provider name

  • Physical Device Age Out Time: number of days of inactivity before a physical device is removed from entity metadata tracking

  • Virtual Device Age Out Time: number of days of inactivity before a virtual device is removed from entity metadata tracking

  • Ignore Randomized MAC Addresses: Select this option to ignore MAC addresses known to be associated with containers and other virtual sources (i.e., not tied to a physical interface). This can reduce device metadata thrashing and is generally recommended

  • Internal CIDR Blocks: user-defined field of CIDR blocks that encompass internal hosts. E.g. 10.0.0.0/8, 192.168.1.0/24

  • Internal Hostnames: user-defined field of hostnames that encompass internal hosts

  • User Age Out Time: number of days of inactivity before a user is removed from entity metadata tracking (available in the User entity configuration modal…not shown).
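As an added example covering the age-out rules from "Configurable Age Out" and the entity-type options listed above, the following Python code is not DataBee's: it applies a configuration shaped like these fields to a small constructed inventory, dropping entities whose inactivity exceeds their type's age-out, stripping MAC addresses that carry the locally-administered bit (the bit OS randomization and container/VM virtual interfaces set, so it serves here as the "randomized MAC" test), and flagging internal hosts by CIDR block or hostname. The CONFIG layout, the entity type names, the suffix-or-exact matching of internal hostnames and the sample entities are all assumptions.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumed configuration shaped like the page's entity-type settings (not DataBee's own format).
# Age-out values are the defaults the page states: 7 days for virtual/cloud, a year for physical and users.
CONFIG = {
    "age_out_days": {"physical_device": 365, "virtual_device": 7, "user": 365},
    "ignore_randomized_mac": True,
    "internal_cidr_blocks": ["10.0.0.0/8", "192.168.1.0/24"],
    "internal_hostnames": ["corp.example.internal"],  # assumed: matched as exact name or domain suffix
}

# Fixed "now" so the sample is reproducible.
AS_OF = datetime(2024, 10, 8, tzinfo=timezone.utc)

# Constructed inventory sample (not real data).
ENTITIES = [
    {"name": "lt-0042", "type": "physical_device", "hostname": "lt-0042.corp.example.internal",
     "ip": "10.1.2.3", "mac": "3c:22:fb:01:02:03", "last_seen": AS_OF - timedelta(days=30)},
    {"name": "k8s-pod-7f3", "type": "virtual_device", "ip": "192.168.1.40",
     "mac": "02:42:c0:a8:01:28", "last_seen": AS_OF - timedelta(days=1)},
    {"name": "vm-old", "type": "virtual_device", "ip": "10.9.9.9",
     "last_seen": AS_OF - timedelta(days=10)},           # past the 7-day virtual age-out
    {"name": "vpn-gw", "type": "physical_device", "ip": "203.0.113.5",
     "last_seen": AS_OF - timedelta(days=2)},            # public address, no internal hostname
    {"name": "alice", "type": "user", "last_seen": AS_OF - timedelta(days=400)},  # past the 1-year user age-out
]


def is_locally_administered_mac(mac):
    """True when the locally-administered bit (0x02 of the first octet) is set.

    Randomized MACs and the virtual interfaces of containers and VMs set this bit;
    Docker's default 02:42:xx:xx:xx:xx addresses are a familiar example.
    """
    first_octet = int(mac.replace("-", ":").split(":")[0], 16)
    return bool(first_octet & 0x02)


def is_internal(ip, hostname, config=CONFIG):
    """Classify a host as internal by CIDR membership or by internal hostname match."""
    if ip:
        addr = ipaddress.ip_address(ip)
        if any(addr in ipaddress.ip_network(block) for block in config["internal_cidr_blocks"]):
            return True
    if hostname:
        h = hostname.lower()
        if any(h == n or h.endswith("." + n) for n in config["internal_hostnames"]):
            return True
    return False


def is_stale(entity, as_of, config=CONFIG):
    """True when the entity has been inactive longer than its type's age-out window."""
    limit = timedelta(days=config["age_out_days"][entity["type"]])
    return as_of - entity["last_seen"] > limit


def apply_entity_config(entities, as_of=AS_OF, config=CONFIG):
    """Return the surviving inventory: stale entities dropped, randomized MACs moved out of
    the correlatable identifiers into 'ignored_mac', and an 'internal' flag added."""
    kept = []
    for entity in entities:
        if is_stale(entity, as_of, config):
            continue
        e = dict(entity)  # do not mutate the caller's records
        if config["ignore_randomized_mac"] and e.get("mac") and is_locally_administered_mac(e["mac"]):
            e["ignored_mac"] = e.pop("mac")
        e["internal"] = is_internal(e.get("ip"), e.get("hostname"), config)
        kept.append(e)
    return kept


if __name__ == "__main__":
    for e in apply_entity_config(ENTITIES):
        print(e["name"], e["type"], "internal" if e["internal"] else "external", e.get("ignored_mac", ""))
```

Running it keeps lt-0042, the Kubernetes pod and the VPN gateway and drops vm-old and alice; the pod's 02:42 MAC is set aside rather than used for correlation, which is the thrashing-reduction effect the "Ignore Randomized MAC Addresses" option is described as having.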

After entering the data in the fields click on Submit.

Iconography

Icon name: description

  • User: An enterprise user account

  • Device: An enterprise device

  • Backtrace: Information pertaining to the source of the data (i.e., what event caused DataBee to associate this value with the entity)

  • Pivot: A URL link to an entity view

  • Magnifying glass: Get additional details about an event

  • Suppress: Generate a suppression rule based on a DataBee detection finding

  • DataBee Findings: Indicates a detection finding was created by DataBee

  • Related Entities (device): An enterprise device or device network endpoint

  • Related Entities (user): An enterprise user account

  • Correlated Events: Events that are related to one another

  • Play: Begin to step through the related entity graph visualization using a shifting time window

  • Pause: Pause/stop stepping through the related entity graph visualization using a shifting time window

  • Reset: Restart the related entity graph visualization at the beginning of the time window

  • Select Entire Duration: Manually select the time window to show in the related entity graph visualization

  • Playback Speed (the little rocket): Adjust how quickly to step through the related entity graph visualization using a shifting time window
