Siren Platform User Guide

Creating an initial data model

You can create a data model, also known as an ontology, by defining relations between indexes. This effectively treats indexes as classes and records as entities.

Create an index pattern search

  1. In Siren Investigate, navigate to Management > Data Model.

  2. Click Create Index Pattern Search.

  3. Enter the index name in the Index pattern id box.

  4. Click the Save icon.

Create a relationship

Relationships are defined from a class to other classes. However, it is not possible to define a relationship between two entity identifiers.

A relationship is defined as a join operation between two indexes with:

  • The field of the local index to join on.

  • The class (index pattern or entity) to connect to.

  • (If the class is an index pattern) the field of the index to join with.

  • The label of the relation.

The examples given here are from the Loading CSV and JSON data sets with Logstash quick start guide.

  1. Click Management (the cog icon).

  2. Click Data Model.

  3. Click an Index Pattern, for example company.

  4. In the Relations tab, click Add relation.

  5. Select a Field in the Source Entity, for example CompanyName.keyword.

  6. Select a Target Entity. This can be an index pattern or an entity identifier, for example persons-control.

  7. If you selected an index pattern as the Target Entity, select a Field, for example data.name.keyword.

  8. Enter a short description of the relationship in the Labels boxes. For example, CompanyName.keyword in the company index pattern "is owned by" data.name.keyword in the persons-control index pattern and data.name.keyword "owns" CompanyName.keyword.

  9. Click Save.

By default, the join type is automatic. You can click Edit to manually set the Join type and Relation join task timeout.

You can click the Graph View tab to show a graphical representation of the relationship with the currently selected class highlighted.

Create an entity identifier

Entity identifiers enable you to navigate between two or more indexes without requiring a direct relationship between them. They also act as a central node element when doing graph analysis.

For example, you may have many indexes with IPs in multiple roles (source, destination) and want to join them with other roles and indexes.

  1. Click Management (the cog icon).

  2. Click Data Model.

  3. Click Create Entity Identifier.

  4. Enter an Entity identifier name.

  5. Enter a Short Description.

  6. Enter a Long Description.

  7. Select an Icon.

  8. Select a Color.

  9. Click Save.

For more information about entity identifiers, see 3.2.1. Creating an index pattern or entity identifier.
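
The join behaviour from "Create a relationship" and the hub behaviour from "Create an entity identifier", shown as a conceptual Python model. This is an added example, not Siren code or its API. The index names, field names, entity identifier names and records are constructed assumptions.

```python
# Conceptual model only, not Siren's implementation. All names and records are constructed.
INDEXES = {
    "firewall": [
        {"id": "fw-1", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.9"},
        {"id": "fw-2", "src_ip": "10.0.0.7", "dst_ip": "198.51.100.4"},
    ],
    "proxy": [{"id": "px-1", "client_ip": "10.0.0.5"}],
    "dhcp": [{"id": "dh-1", "leased_ip": "10.0.0.7"}],
}
ENTITY_IDENTIFIERS = {"IP", "Hostname"}
relations = []  # (source, source_field, target, target_field, label)


def add_relation(source, source_field, target, target_field, label):
    """Store a relation after applying the rules stated in the guide."""
    if source in ENTITY_IDENTIFIERS and target in ENTITY_IDENTIFIERS:
        raise ValueError("no relation between two entity identifiers")
    if target in INDEXES and not target_field:
        raise ValueError("an index pattern target needs a field to join with")
    relations.append((source, source_field, target, target_field, label))


def join(source, source_field, target, target_field):
    """Direct relation: pair records whose join fields hold the same value."""
    return [(s["id"], t["id"])
            for s in INDEXES[source] for t in INDEXES[target]
            if s.get(source_field) is not None
            and s.get(source_field) == t.get(target_field)]


def via_entity(entity, value):
    """Entity identifier as hub: records in any index related to it by value."""
    hits = []
    for source, field, target, _, label in relations:
        if target == entity and source in INDEXES:
            hits += [(source, r["id"], label)
                     for r in INDEXES[source] if r.get(field) == value]
    return hits


# Four IP fields in different roles all point at one entity identifier.
for rel in [("firewall", "src_ip", "IP", None, "source"),
            ("firewall", "dst_ip", "IP", None, "destination"),
            ("proxy", "client_ip", "IP", None, "client"),
            ("dhcp", "leased_ip", "IP", None, "lease")]:
    add_relation(*rel)

if __name__ == "__main__":
    print(join("firewall", "src_ip", "dhcp", "leased_ip"))
    print(via_entity("IP", "10.0.0.5"))
```

The firewall and proxy records meet through the IP entity identifier even though no direct relation is defined between those two indexes.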

Connect an entity identifier to the data model

This example uses the Companies House data set.

  1. Create an entity identifier with the ID PostCode as described in the previous section.

  2. From the Relations tab, click Add relation.

  3. Using the boxes, set the relationship so that the source entity is owned by the target entity and the target entity owns the source entity.

  4. Select company from the index box.

  5. Select RegAddress.PostCode from the Field box.

Next steps

  1. Create dashboards.

  2. Add a graph browser visualization to a dashboard.