Use new Cloud SIEM Entity Groups to make threat response more efficient

Security analysts and administrators need every advantage to keep up with prioritizing and investigating alerts. A SIEM (security information and event management) solution helps uncover threats, but it takes a lot of time assigning and updating tags, criticality, and signal suppression. Sometimes users opt to skip the step altogether, especially if there are a lot of entities to add or update at once. Other times, they introduce errors during this manual step.

Fortunately, there’s a way to make threat investigations more efficient.

Meet Entity Groups in Cloud SIEM Enterprise

We’re introducing a new feature — Entity Groups for Sumo Logic Cloud SIEM Enterprise (CSE)—that lets you cut out the manual step of assigning tags by automatically setting attributes like criticality and tags for Entities based on name or Inventory system attributes. You can also automatically suppress Signals for Entities that are in specific groups. For example, you can more easily see whether an event is alerting from a high-risk executive’s laptop or a lower-priority test environment.

Entities will be added to or removed from, the groups automatically based on their name, a range of IP addresses, or group membership in the customer’s Inventory system (like Active Directory). Whenever you add or change an Entity in your Active Directory server, Cloud SIEM will automatically pick up those attributes without your having to do any manual editing.

Managing Entity Groups from the CSE List Page.

How Entity Groups improve threat response

Entity Groups benefit security analysts, SOC (security operations center) managers, and the overall organization. The feature gives analysts more contextual information to make it easier to do their job. It also makes it easier to prioritize alerts and decreases response time by eliminating the need to manually determine these attributes. These benefits allow analysts to handle more events per day.

Tags help understand context when investigating issues and can also be used in rule definitions. For example, you can set a security rule to flag log activity when it is an Entity with a particular tag.

More about how the Entity Groups work

The updated CSE user interface includes a new section that lets administrators:

• View a list of existing Entity Group definitions
• Create new Entity Group definitions
• Update an existing Entity Group definition
• Delete an Entity Group definition

While Entities can be members of more than one Entity Group, we recommend customers try to define groups in ways that don’t cause overlap. Also, CSE will track attributes set on Entities. If an Entity Group is changed or deleted so that an Entity isn’t part of the group, the changes are applied to the Entity without affecting attributes applied manually or from other Groups.

Creating a new Entity Group in CSE.

Entity Groups also help you take advantage of other CSE features, like Tag use for improved event context and Criticality for better Signal prioritization. Using CSE to its fullest helps you have a better user experience and make more of your investment.

Only Sumo Logic offers the Entity Groups feature, which is now automatically available to all Sumo Logic customers using Cloud SIEM Enterprise. If you want to learn how Entity Groups or CSE can help you improve your threat response, read more on our What’s New page.