What is it?
DataBee's Entity Resolution minimizes the manual effort of maintaining an up-to-date, ever-changing asset inventory. Entity Resolution is the technique of identifying and maintaining data records that refer to the same real-world entity, such as a user, device, or application. DataBee takes in data from all of your data sources and builds a comprehensive inventory of users, devices, and applications from whatever you stream through the system. It can ingest from traditional asset-management sources such as your CMDB, directory services, and vulnerability scanner, and it can also learn about users, devices, and applications from non-traditional sources such as network traffic, authentication logs, application life cycle events, and anything else streamed through DataBee that contains a reference to a user, device, or application.
How does it work?
Each event is inspected for potentially correlatable fields, such as email, username, hostname, IP address, and MAC address, to enhance what is known about the organization. If there is no existing record of the user, device, or application, the newly identified information is added to the entity inventory. The service aggregates information across data sources, merges duplicate entries as new data becomes available, and can suggest potential owners of devices. As part of identity resolution, Entity Resolution generates a unique ID for each device and user and enriches each raw event by assigning it the matching device ID and user ID. This minimizes the manual effort of collecting an up-to-date and ever-changing asset inventory.
Asset and Owner Discovery
Asset Discovery
Entity Resolution maintains an inventory of known assets in your organization. This enables continuous discovery of previously unknown or orphaned assets based on events streamed through DataBee.
Owner Discovery
DataBee provides a starting point for identifying and validating the owner of a device. When a new device is discovered and no owner is indicated, DataBee uses the authentication events streaming through the platform to suggest potential owners. It tracks who logs in to the device over the last seven days and uses statistical analysis to suggest the three most likely owners.
The Potential Owners are listed in the Entity Details section of the Entity View page as clickable links, so you can pivot to each user's Entity View to validate ownership. After confirming ownership, update the CMDB; DataBee will then receive the confirmed ownership from the CMDB feed and the device will no longer be part of the owner discovery process.
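The seven-day login ranking described above, as an added example that is not DataBee's own code: it counts successful OCSF authentication events (class_uid 3002) per user on one device inside the look-back window, drops failed attempts and events outside the window, and reports the top three users with their share of logins, which is the kind of relative probability the UI shows on hover. The event shape, the minimum-evidence threshold and the sample events are assumptions constructed for the example; DataBee's actual statistical method is not documented here.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

AUTH_CLASS_UID = 3002          # OCSF Authentication event class
STATUS_SUCCESS = 1             # OCSF status_id: 1 = Success, 2 = Failure
WINDOW = timedelta(days=7)     # the page's seven-day look-back
MAX_CANDIDATES = 3             # the page's "three most likely owners"
MIN_EVIDENCE = 2               # assumed: below this many logins we report "not enough data"


def suggest_owners(events, device_uid, now, window=WINDOW,
                   max_candidates=MAX_CANDIDATES, min_evidence=MIN_EVIDENCE):
    """Rank users by share of successful logins to device_uid inside the window.

    Returns [(user_name, share), ...], best candidate first, or [] when there is
    not enough evidence (the page's "Unknown" ownership status).
    """
    cutoff = now - window
    logins = Counter()
    for ev in events:
        if ev.get("class_uid") != AUTH_CLASS_UID:
            continue                                   # only authentication events count
        if ev.get("device", {}).get("uid") != device_uid:
            continue
        if ev.get("status_id") != STATUS_SUCCESS:
            continue                                   # failed attempts say nothing about ownership
        ts = datetime.fromisoformat(ev["time"])
        if not (cutoff <= ts <= now):
            continue                                   # outside the seven-day window
        user = ev.get("user", {}).get("name")
        if user:
            logins[user] += 1

    total = sum(logins.values())
    if total < min_evidence:
        return []
    # share = this user's successful logins / all successful logins on the device,
    # i.e. the "probability compared to the other candidates" the UI shows on hover
    return [(user, count / total) for user, count in logins.most_common(max_candidates)]


# --- constructed sample data (not real DataBee output) -----------------------
NOW = datetime(2024, 6, 15, 12, 0, tzinfo=timezone.utc)


def auth_event(user, device_uid, days_ago, success=True):
    """Build a minimal OCSF-shaped authentication event for the sample."""
    return {
        "class_uid": AUTH_CLASS_UID,
        "time": (NOW - timedelta(days=days_ago)).isoformat(),
        "device": {"uid": device_uid},
        "user": {"name": user},
        "status_id": STATUS_SUCCESS if success else 2,
    }


SAMPLE_EVENTS = (
    [auth_event("alice", "dev-0001", d) for d in (0, 1, 1, 2, 3, 5)]   # 6 logins
    + [auth_event("bob", "dev-0001", d) for d in (0, 2, 6)]            # 3 logins
    + [auth_event("carol", "dev-0001", d) for d in (4, 4)]             # 2 logins
    + [auth_event("erin", "dev-0001", 1)]                              # 1 login, drops out of the top three
    + [auth_event("dave", "dev-0001", 9)]                              # too old: outside the window
    + [auth_event("mallory", "dev-0001", 0, success=False)] * 5        # failed attempts are ignored
    + [auth_event("alice", "dev-0002", 0)]                             # a single login on another device
)

if __name__ == "__main__":
    for user, share in suggest_owners(SAMPLE_EVENTS, "dev-0001", NOW):
        print(f"{user:8s} {share:.0%}")
    print("dev-0002 ->", suggest_owners(SAMPLE_EVENTS, "dev-0002", NOW) or "not enough data")
```

Failed logins are excluded deliberately: a brute-force source or a mistyped password from a colleague would otherwise rank as a likely owner. The minimum-evidence threshold is what keeps a device with a single login from getting a confident-looking suggestion.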
Feed Prioritization
Not all data feeds have the same fidelity for entity related context. DataBee allows for the exclusion of feed sources from Entity Resolution as well as configuration of log provider prioritizations. Note that a single feed may contain multiple log providers. These inputs are leveraged directly by Entity Resolution when collisions or conflicting information is present to reduce metadata thrashing (i.e., unnecessary updates to the entity metadata).
For example, if a device is first seen in network traffic, preliminary information about the device will be added to DataBee such as the hostname and IP. Over time, the CMDB, your source of truth, provides an update on the device’s IP. DataBee will overwrite the associated IP based on the CMDB update if the CMDB feed is prioritized over the network traffic.
Configurable Age Out
To keep the data fresh, DataBee removes stale entities based on user-configured inputs: if no events from any data feed are seen for an entity within the configured time window, it is removed from the asset inventory. How stable an entity is varies with its intended use, so DataBee allows the age-out period to be configured per entity type. Cloud assets are often very volatile, so by default they age out after 7 days, whereas physical devices and users are much more likely to remain in the environment for a long time, so by default their entity information is kept for a year.
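The merge, feed-priority and age-out rules from the sections above, as an added example rather than DataBee's own implementation: events from excluded feeds are ignored, a lower-priority feed can fill a field but never overwrite one set by a higher-priority feed (so the network feed cannot thrash the CMDB's IP), an IP-only sighting associates with a known device but never creates one, each attribute remembers the event that set it (the page's backtrace), and age-out uses the 7-day virtual and 365-day physical/user defaults. Feed names, the entity ID scheme, the matching keys and the sample events are assumptions constructed for the example.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed configuration following the page's defaults; feed names are illustrative.
FEED_PRIORITY = ["cmdb", "directory", "vuln_scanner", "network_traffic"]  # highest first
FEED_EXCLUSIONS = {"honeypot"}                   # never creates or modifies entities
AGE_OUT_DAYS = {"physical": 365, "user": 365, "virtual": 7}
STRONG_KEYS = ("hostname", "mac")                # enough on their own to create an entity
WEAK_KEYS = ("ip",)                              # may only associate with an existing one

# Every attribute remembers which feed and which event set it (the Audit Trace backtrace).
Attr = namedtuple("Attr", "value feed event_id")

@dataclass
class Entity:
    uid: str
    entity_type: str
    first_seen: datetime
    last_seen: datetime
    attrs: dict = field(default_factory=dict)

def feed_rank(feed):
    """Lower is better; feeds missing from the priority list rank below all of it."""
    return FEED_PRIORITY.index(feed) if feed in FEED_PRIORITY else len(FEED_PRIORITY)

def find_entity(inventory, fields):
    """Match on any shared identifier, strong keys before the IP."""
    for key in STRONG_KEYS + WEAK_KEYS:
        if key in fields:
            for ent in inventory.values():
                if key in ent.attrs and ent.attrs[key].value == fields[key]:
                    return ent
    return None

def apply_event(inventory, event):
    """Merge one event into the inventory; return the entity touched, or None if ignored."""
    feed = event["feed"]
    if feed in FEED_EXCLUSIONS:
        return None
    fields = {k: v for k, v in event["fields"].items() if k in STRONG_KEYS + WEAK_KEYS}
    ts = datetime.fromisoformat(event["time"])
    ent = find_entity(inventory, fields)
    if ent is None:
        if not any(k in fields for k in STRONG_KEYS):
            return None    # IP-only sighting of an unknown host: associate only, never create
        ent = Entity(uid=f"dev-{len(inventory) + 1:04d}", first_seen=ts, last_seen=ts,
                     entity_type=event.get("entity_type", "physical"))
        inventory[ent.uid] = ent
    ent.last_seen = max(ent.last_seen, ts)     # any included feed keeps the entity alive
    for key, value in fields.items():
        current = ent.attrs.get(key)
        # First reporter sets a field; only an equal- or higher-priority feed may overwrite it,
        # so a lower-priority feed never thrashes a value the source of truth supplied.
        if current is None or feed_rank(feed) <= feed_rank(current.feed):
            ent.attrs[key] = Attr(value, feed, event["id"])
    return ent

def age_out(inventory, now):
    """Drop entities with no sighting from any included feed inside their type's window."""
    stale = [uid for uid, e in inventory.items()
             if now - e.last_seen > timedelta(days=AGE_OUT_DAYS[e.entity_type])]
    for uid in stale:
        del inventory[uid]
    return stale

def backtrace(entity, key):
    return entity.attrs[key].event_id      # the event the UI's Audit Trace would show

# --- constructed sample feed (not real DataBee data) ---------------------------------
T0 = datetime(2024, 6, 1, tzinfo=timezone.utc)

def ev(eid, feed, day, entity_type=None, **fields):
    e = {"id": eid, "feed": feed, "time": (T0 + timedelta(days=day)).isoformat(), "fields": fields}
    if entity_type:
        e["entity_type"] = entity_type
    return e

SAMPLE_EVENTS = [
    ev("evt-1", "network_traffic", 0, hostname="ws-042", ip="10.1.2.3"),   # first sighting creates ws-042
    ev("evt-2", "network_traffic", 1, ip="10.1.2.3"),                      # IP only: associates, refreshes last_seen
    ev("evt-3", "network_traffic", 1, ip="10.9.9.9"),                      # IP only, unknown host: ignored
    ev("evt-4", "cmdb", 2, hostname="ws-042", ip="10.1.2.50", mac="3c:52:82:aa:bb:cc"),  # CMDB overrides IP
    ev("evt-5", "network_traffic", 3, hostname="ws-042", ip="10.1.2.77"),  # lower priority: CMDB's IP kept
    ev("evt-6", "honeypot", 3, hostname="ws-042", ip="10.66.0.1"),         # excluded feed: ignored
    ev("evt-7", "network_traffic", 4, entity_type="virtual", hostname="vm-build-7", ip="10.5.0.4"),
]

def run_demo(age_out_day=20):
    """Replay the sample feed, then age out as of day 20: the VM (7-day window) goes, ws-042 stays."""
    inventory = {}
    ignored = [e["id"] for e in SAMPLE_EVENTS if apply_event(inventory, e) is None]
    removed = age_out(inventory, T0 + timedelta(days=age_out_day))
    return inventory, ignored, removed

if __name__ == "__main__":
    inventory, ignored, removed = run_demo()
    print({u: {k: a.value for k, a in e.attrs.items()} for u, e in inventory.items()}, ignored, removed)
```

Note that the low-fidelity network feed still refreshes last_seen on ws-042 even though it loses the IP conflict: feed priority decides whose value wins, not whether the sighting counts for age-out. That is exactly what keeps an asset the CMDB has stopped reporting from silently expiring while it is still on the wire.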
Select an Owner
Navigate to the 'Potential Owners' section to view all the potential owners suggested by DataBee. Hovering over a potential owner's name reveals the probability that they are the owner relative to the other candidates. Click the chain icon next to each owner to review that owner's Entity View. Once you have verified the correct owner, click Select Owner to choose the actual owner of the entity from the list.
The selected owner is then listed under the 'Selected Owner' category. Only the primary owner of a device should be selected. To remove a selected owner, click the Clear button next to the owner's name. The Suggested Owner is populated from employee responses to BeeKeeper when it is asked who owns a device; Owner and Additional Owners are mapped directly from the data source.
Entity Views
Security alerts often provide only limited information about the victim or the attack, which is a challenge for SOC (Security Operations Center) analysts: they are bombarded with alerts and other contextual information and struggle to piece together the complete picture of an incident. The Entity Views feature in DataBee is designed to reduce swiveling between screens and tools, minimizing manual effort and saving time. It does this by bringing together the critical business context related to the victim and correlating assets with their business owners for more effective remediation.
Entity Views offers several key benefits to security operations, which serve CISOs (Chief Information Security Officers), security analysts, and GRC (Governance, Risk, and Compliance) analysts alike.
Enhanced Efficiency: Entity Views optimizes security detection workflows by presenting a consolidated view of critical information. This prioritizes the focus on critical assets and business-impacting events, streamlining the user's ability to efficiently address and respond to security threats.
Increased Accuracy: Entity Views fosters precise decision-making by providing a comprehensive understanding of incidents. This proves especially crucial when responding to events affecting the business and when prioritizing alerts for effective action.
Streamlined Remediation: It simplifies the process of remediation by offering a complete view of the incident and enabling swift actions. This ensures that security threats are addressed effectively.
Enriched Detection: Entity Views enhances detection capabilities by correlating assets with business context, helping identify the criticality of assets in real-time, and distinguishing between critical and non-critical assets when responding to alerts.
Asset Inventory Maintenance: It ensures an up-to-date asset inventory, which is essential for effective control monitoring coverage. This proactive approach to asset management minimizes security risks.
Clear Ownership: Entity Views establishes clear ownership relationships between assets and business owners, promoting accountability.
GRC Continuous Controls Monitoring: Entity Views delivers instant visibility into an organization's internal controls and compliance processes, ensuring proactive risk management and regulatory adherence.
Inventory
The Inventory page in DataBee provides a simple way to review and search the active, unique inventory of users, devices, and applications. Log in to the DataBee UI, open the Exposure dropdown, and click Inventory.
Choose Device, User, or Application. If you click Search without applying any filters, you will see a list of all active devices, users, or applications. Use the filter options to narrow your search; to refine it further, click Add Parameters and select the additional criteria you want to include. Next to As of, pick a date from the calendar to see all entities that were active as of that date. After setting your filters, click Search. The results appear in a table showing only the active entities that match your criteria. Unlike the Search page, which includes a record for every change to an entity, the Inventory page shows only the latest metadata of active entities.
Click the search icon under the DETAILS column to view an entity's metadata. Click the Columns dropdown to view or toggle the currently selected columns. To save a copy of the data table, click the Download button above the table and select your preferred format, CSV or JSON; the file is downloaded to your device. To customize the data table columns, click Customize and add or remove columns as needed. The available columns differ between the Device, Application, and User tables.
The Save Search button saves your search query for later use. Clicking it opens a dialog box with the search query already filled in; provide a suitable Query Name and save it.
To access your saved searches, click the Saved Searches button, which lists all searches saved so far. You can load or delete any saved search directly from the pop-up window. Saved Searches are stored per user and are not shareable with other users.
Click the Search History button to view a list of all the searches you have performed so far. Clicking Execute next to an entry re-runs that search without re-entering the filter criteria. Search History is also stored per user and is not shareable with other users.
Interactive Charts
Interactive pie charts and histograms are displayed to enhance data visualization. Use the Toggle Charts button to enable or disable them. More details about each chart in the device, user, and application pages are given below.
Device Inventory
The Device Inventory view in DataBee provides an easy way to review and search for all active unique devices. There are 3 types of insights provided in this view.
Device by Discovery Source: the number of devices by the data feed that provided the first record of the device.
Device by Ownership: the number of devices by their current ownership status:
Known Owners provided by your data feeds.
Potential Owners provided by DataBee’s entity resolution.
Suggested Owners provided by employee responses to DataBee’s BeeKeeper.
Selected Owners that have been chosen by a user using DataBee.
Unknown occurs when no owner is known by your data feeds, or suggested by your employees to BeeKeeper and there isn’t enough data for Entity Resolution to propose a potential owner.
Device by Type: the percentage of devices by their type identification in OCSF.
User Inventory
The User Inventory view in DataBee provides an easy way to review and search for all active unique users. There are 2 types of insights provided in this view.
User by Discovery Source: the number of users by the data feed that provided the first record of the user.
User by Type: the percentage of users by their type identification in OCSF.
Application Inventory
The Application Inventory view in DataBee provides a simple way to review and search all active unique applications. There are 2 types of insights provided in this view.
Application by Discovery Source: the number of applications by the data feed that provided the first record of the application.
Application by Ownership: the number of applications by their current ownership status:
Known Owners provided by your data feeds.
Potential Owners provided by DataBee’s entity resolution.
Suggested Owners provided by employee responses to DataBee’s BeeKeeper.
Selected Owners that have been chosen by a user using DataBee.
Unknown occurs when no owner is known by your data feeds, or suggested by your employees to BeeKeeper and there isn’t enough data for Entity Resolution to propose a potential owner.
Entity Details
To access entity details from the “Entity Search” page, follow the steps below.
Set your search parameters using the available filter options and click Search to execute the query; the results are presented in a data table. To see the details of a specific entity, locate its entry in the table and click the chain icon under the hostname or IP address. Similarly, you can pivot to an entity's page from the Search page or the DataBee Findings page by clicking the chain icon displayed under the hostname, product name, user name, or analytic name.
This opens a page with comprehensive information about the entity. To see the entity's details as they were at a specific date and time, enter that date and time; click Now to return to the latest version of the information. Here you will find information about the selected host or IP, including device type, OS type and version, risk level, organization, MAC address, owner's name, first and last seen dates, and more.
Click View Full Details to access more comprehensive information about the device/user/application.
Click View User Updates, View Device Updates, or View Application Updates to view the history of updates to the user, device, or application entity, respectively.
Click the backtrace icon next to the metadata such as the entity type, MAC address, or IP address. This action will open the Audit Trace modal, revealing the OCSF event responsible for providing that specific information.
In the Audit Trace Details window, scroll down to the Compare With Raw Data button to compare the processed (OCSF) data with the raw data it was derived from.
DataBee Findings for an Entity
The DataBee Findings button shows the total number of DataBee findings for the entity over time. Click it to open a findings Summary covering all findings within a chosen time frame; use the dropdown menu to set the time frame (last year, month, week, day, or hour). The findings are plotted on a line graph for easy interpretation.
Related Entities
The Related Entities visualization feature provides a dynamic node graph representation of the users and devices associated with the selected entity. This visualization allows you to observe the relationships and interactions over a specified timeline. You can pause, play, and replay the visual representation to analyze the connections thoroughly.
Types of Connections:
Finding: If the selected entity and another entity are mentioned in the same security finding, they are connected with a red line.
Authentication: If the selected entity and another entity appear in the same authentication event, they are connected with blue lines.
Ownership: If the selected entity is the owner of any other entities, they are connected with white lines.
Application Lifecycle: If the selected entity changes the status of an application instance (ex: installs, deletes, etc.), that is displayed with salmon pink lines.
Software Instances: If the selected entity and another entity are in the same Software Instance, they are connected with a grey line.
To refine the visual representation of related entities, click on the Filter button. This allows you to customize which connections are displayed based on Findings, Authentication, Application lifecycle, Software instances and Ownership criteria.
Finding: Enable the Finding toggle button to filter by different types of findings. You can further specify by enabling toggle buttons for Security Finding, Vulnerable Finding, Compliance Finding, or Detection Finding based on your requirements.
Application Lifecycle: Enable the Application lifecycle toggle to filter Activity and Status from the dropdown list.
Software Instances: Enable the Software Instances toggle to filter based on the instances available.
Authentication: Enable the Authentication toggle button to filter authentication events. You can then select specific activities, authentication protocols, and statuses from the dropdown list.
Ownership: Enable the Ownership toggle button to filter by ownership relationships. You can also enable additional toggles for Additional Owner or Potential Owner. Furthermore, you can select the device type, device OS name, device organization name, and device group name from the dropdown list.
After configuring your filters, click Apply to update the node graph visualization according to your selected criteria.
Correlated Events
Click the Correlated Events button to view the total number of correlated events identified for the entity. Specify the time frame to view the Events Summary, an overview of correlated events within that period, plotted as a line graph.
Click on any point on the line graphs, and you will be automatically redirected to the event timeline for that specific day, displaying all the relevant data.
Event Timeline
The event timeline shows a chronological history of activities correlated to the entity. Use the Filter dropdown to choose which event types to show; it lists numerous event types grouped by domain: system activity, identity and access, network activity, discovery, application activity, etc. Each entry in the timeline shows the date, time, event type, and a descriptive message about the event. Click the search symbol to view the details of a security finding. Use Filter by Message to narrow the events by typing specific keywords. Optionally, check Include Events from Device Owner to also include all events correlated to the device's owner.
Click on Download Event History to download a JSON or CSV file representing the timeline data.
Click on Suppress to suppress a Security Finding in Active Detection Streams. To learn more about suppression of DataBee detection events see Suppress List.
Entity Resolution Configuration
Click on the settings icon at the top right corner of the UI. From the dropdown menu, select System.
From the left sidebar, select Entity Resolution. The Entity Resolution page lets you customize which entity details DataBee maintains: exclude certain providers, set the priority order of providers, specify age-out times for users, products, and devices, and so on. Enter the details in the data fields for tailored results.
OCSF Activity Inclusion List: open the OCSF Activity Inclusion List dropdown and select all the OCSF event class numbers you want included in entity resolution.
Feed Inclusion List: open the Feed Inclusion List dropdown and select all the feed providers you want included in entity resolution. This list determines which data sources are used to create and modify entities. Newly created feeds are not added to this list automatically. To remove a feed from the list, click the cross icon next to the feed name.
Enable Owner Inference: allow DataBee to predict owners of unclaimed devices.
Owner Inference Wait Period: set how often DataBee should predict owners.
After entering the data in the fields click on Submit. You can also click the Force Owner Inference button to kick off the job immediately.
Entity Type Specific Configuration Options
Some configuration options are specific to the type of entity.
Feed Exclusion List: select data feeds to ignore only for this particular entity type.
Feed Priority: DataBee extracts information about an entity from various sources. Click on the dropdown list and select the feeds you prioritize for obtaining information. Drag and adjust to set them in the order of priority. If you wish to delete a provider, click on the trash icon associated with the provider name.
Physical Device Age Out Time: number of days of inactivity before a physical device is removed from entity metadata tracking.
Virtual Device Age Out Time: number of days of inactivity before a virtual device is removed from entity metadata tracking.
Ignore Randomized MAC Addresses: select this option to ignore MAC addresses known to be associated with containers and other virtual sources (i.e., not tied to a physical interface). This can reduce device metadata thrashing and is generally recommended.
Associate Only When Only IP Address is Present: select this option so that an event whose only device identifier is an IP address is used to associate the event with an existing entity but never to create a new one.
Internal CIDR Blocks: user-defined field of CIDR blocks that encompass internal hosts. E.g. 10.0.0.0/8, 192.168.1.0/24
Internal Hostnames: user-defined field of hostnames that encompass internal hosts.
User Age Out Time: number of days of inactivity before a user is removed from entity metadata tracking (available in the User entity configuration).
Product Age Out Time: number of days of inactivity before a product is removed from entity metadata tracking (available in the Application entity configuration).
After entering the data in the fields, click Submit.
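Two of the checks these options imply, as an added example that is not DataBee's code: the Internal CIDR Blocks field parsed into networks and used to classify an IP, and the randomized-MAC test, assumed here to be the U/L (locally administered) bit in the first octet, which randomized client MACs and container bridge MACs such as Docker's 02:42:... set. The configuration values and the device_identifiers policy are assumptions for illustration.

```python
import ipaddress

# Assumed values in the page's own format; networks are illustrative.
INTERNAL_CIDR_BLOCKS = ["10.0.0.0/8", "192.168.1.0/24"]
IGNORE_RANDOMIZED_MACS = True

# Parse once; strict=False accepts blocks written with host bits set (10.1.2.3/8).
INTERNAL_NETS = [ipaddress.ip_network(c, strict=False) for c in INTERNAL_CIDR_BLOCKS]


def is_internal_ip(ip):
    """True when ip falls inside any configured internal CIDR block (IPv4 or IPv6)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False               # not an address at all, so not an internal host
    return any(addr in net for net in INTERNAL_NETS)


def is_locally_administered(mac):
    """True when the U/L bit (bit 1 of the first octet) is set.

    Randomized client MACs and container bridge MACs such as Docker's 02:42:... set this
    bit, so the address names no physical interface and is a poor key for a device entity.
    Assumption: this is the test behind the "Ignore Randomized MAC Addresses" option.
    """
    octets = mac.lower().replace("-", ":").split(":")
    if len(octets) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bool(int(octets[0], 16) & 0x02)


def device_identifiers(fields):
    """Keep only the device fields that should be used for entity matching (assumed policy)."""
    keep = {}
    if fields.get("hostname"):
        keep["hostname"] = fields["hostname"]
    mac = fields.get("mac")
    if mac and not (IGNORE_RANDOMIZED_MACS and is_locally_administered(mac)):
        keep["mac"] = mac
    ip = fields.get("ip")
    if ip and is_internal_ip(ip):
        keep["ip"] = ip            # an external IP is not a stable key for an internal device
    return keep
```

Dropping locally administered MACs before matching is what stops every container restart or privacy-randomized Wi-Fi association from minting a fresh device entity and churning the inventory.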
Iconography
Icon Name | Description
---|---
User | An enterprise user account
Device | An enterprise device
Backtrace | Information pertaining to the source of the data (i.e., what event caused DataBee to associate this value to the entity)
Pivot | A URL link to an entity view
Magnifying glass | Get additional details about an event
Suppress | Generate a suppression rule based on a DataBee detection finding
DataBee Findings | Indicates a detection finding was created by DataBee
Related Entities (device) | An enterprise device or device network endpoint
Related Entities (user) | An enterprise user account
Correlated Events | Events that are related to one another
Play | Begin to step through the related entity graph visualization using a shifting time window
Pause | Pause/stop stepping through the related entity graph visualization using a shifting time window
Reset | Restart the related entity graph visualization to the beginning of the time window
Select Entire Duration | Manually select the time window to show in the related entity graph visualization
Playback Speed (the little rocket) | Adjust how quickly to step through the related entity graph visualization using a shifting time window