Siren Platform User Guide

How to use entity identifiers

Siren 10 introduces the concept of an "Entity Identifier" (EID). Previously, to join two indexes in Siren you had to specify a direct connection between them. For example, if two logs could be connected by the IP value, you would specify a direct connection, which created a relational button between the two.

But what if many indexes contain IPs (or anything else: MAC addresses, user IDs, URLs, port numbers, transaction IDs, and so on) in multiple roles (Source IP, Destination IP), and it would be useful to join from any of these roles and indexes to any other role and index?

The new relational model enables this automatically.

For example, in this configuration, we have defined the IP concept as an EID and tied it in with other indexes where IPs show up. For each connection, we specify the name of the relation that describes the role of the IP in that index (Is it the source IP in that log or the blocked IP?).

[Figure: Relations Graph]

Using only this configuration, you can now have buttons that explore the ontology and show you all possible matches across your data. From there, a single click pivots you to the target dashboard with the correct relational filter applied.

For example, to see the records of the Apache logs where the Agent IP matches the Destination IP in the current log, navigate from "Destination IP" as per the picture:

[Figure: Automatic relational buttons]
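
The pivot described above, modelled in Python to show why tying each field to one EID yields every role-to-role join without declaring each pair. This is an added example, not Siren code or configuration; the index names, field names and sample records are constructed for illustration.

```python
# Constructed ontology: each (index, field, relation label) is tied to one EID.
# Names are illustrative assumptions, not Siren configuration keys.
EID_RELATIONS = {
    "IP": [
        ("firewall-logs", "src_ip", "Source IP"),
        ("firewall-logs", "dst_ip", "Destination IP"),
        ("apache-logs", "agent_ip", "Agent IP"),
        ("blocklist", "ip", "Blocked IP"),
    ],
}

# Constructed sample records (documentation-range addresses).
DATA = {
    "firewall-logs": [
        {"id": "fw1", "src_ip": "10.0.0.5", "dst_ip": "192.0.2.10"},
        {"id": "fw2", "src_ip": "10.0.0.7", "dst_ip": "198.51.100.4"},
    ],
    "apache-logs": [
        {"id": "ap1", "agent_ip": "192.0.2.10"},
        {"id": "ap2", "agent_ip": "203.0.113.9"},
    ],
    "blocklist": [{"id": "bl1", "ip": "198.51.100.4"}],
}


def pivots(eid_relations):
    """List every (eid, source role, target role) pivot implied by the EID links."""
    out = []
    for eid, roles in eid_relations.items():
        for src in roles:
            for dst in roles:
                if src != dst:  # a role does not pivot to itself
                    out.append((eid, src, dst))
    return out


def pivot(data, src, dst, selected_ids):
    """Apply the relational filter: return ids of target records whose field
    value matches the source field value of any selected source record."""
    (s_index, s_field, _), (d_index, d_field, _) = src, dst
    values = {r[s_field] for r in data[s_index] if r["id"] in selected_ids}
    return [r["id"] for r in data[d_index] if r[d_field] in values]
```

Four declared relations to the IP entity identifier give twelve possible pivots, where direct connections would have to be declared pair by pair.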

Entity identifiers are great for anything that identifies "things" across indexes but does not have an index per se (otherwise, you would pivot to it). This includes things like phone numbers, but also tags, labels from standalone indexes, and so on. In practice, a single Excel spreadsheet can be seen as a "knowledge graph" if you consider labels as identifiers that interconnect records. Here is an example with entity identifiers (Tissue and Organism) in a Life Science deployment.

[Figure: Knowledge Graph]

Note that the automatic connections between dashboards appear only when you use the new relational button. The old one still requires manual input on which relation to show where.

[Figure: Visualize]

Again, this is how the new relational button appears in action.

[Figure: Automatic relational buttons]

Creating an entity identifier

  1. Click Create Entity Identifier.

  2. Enter a unique name in the Entity Identifier field.

The entity identifier appears on the left side.

Editing an entity identifier

To save any changes, click Save.

Removing an entity identifier

  1. Select the entity identifier from the left menu.

  2. Click Delete.