Siren Platform User Guide

Relations auto-discovery wizard

Siren Investigate can attempt to automatically identify the relational configuration between any set of Index Pattern Searches.

Go to the Management > Data Model > Relations page and click the Relations auto-discovery wizard button, which is located on the right below the relations.

Select the index pattern searches to analyze for relations. The default settings for the wizard are usually good enough, but you can check the other tabs for additional controls.

In the EID Patterns tab, regular expressions can be defined to identify particular types of data to match to EIDs, for example URLs, email addresses, and IP addresses.
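
As an added illustration (not part of the Siren documentation and not Siren's own implementation), the following JavaScript example shows how anchored regular expressions of the kind entered in the EID Patterns tab can classify sample field values and group fields that share a type. The pattern names, the 90% match threshold, the field names and the sample values are assumptions constructed for this example.

```javascript
// Hypothetical EID patterns; names and expressions are assumptions, not Siren defaults.
// Each pattern is anchored (^...$) so it must match the whole value, not a substring.
const EID_PATTERNS = {
  ip: /^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$/,
  email: /^[^\s@]+@[^\s@]+\.[^\s@]+$/,
  url: /^https?:\/\/[^\s/?#]+[^\s]*$/i,
};

// Return the EID type whose pattern matches at least `threshold` of the
// non-empty sample values, or null when no pattern is a good fit.
function classifyField(values, threshold = 0.9) {
  const samples = values.filter((v) => typeof v === "string" && v.trim() !== "");
  if (samples.length === 0) return null;
  let best = null;
  for (const [type, re] of Object.entries(EID_PATTERNS)) {
    const ratio = samples.filter((v) => re.test(v.trim())).length / samples.length;
    if (ratio >= threshold && (best === null || ratio > best.ratio)) best = { type, ratio };
  }
  return best ? best.type : null;
}

// Group fields by detected EID type; a type shared by two or more fields
// is a candidate relation passing through one Entity Identifier.
function groupByEid(fields) {
  const groups = {};
  for (const [name, values] of Object.entries(fields)) {
    const type = classifyField(values);
    if (type) (groups[type] = groups[type] || []).push(name);
  }
  return groups;
}

// Constructed sample values (documentation address ranges and example domains).
const SAMPLE_FIELDS = {
  "firewall.src_ip": ["192.0.2.10", "198.51.100.7", "203.0.113.255"],
  "proxy.client": ["192.0.2.10", "203.0.113.4", ""],
  "mail.sender": ["alice@example.com", "bob@example.org"],
  "proxy.request": ["https://example.com/a?b=1", "http://example.net"],
  // Version strings look like addresses to a loose pattern; the anchored one rejects them.
  "hosts.version": ["1.2.3", "999.1.1.1", "10.0.0"],
};

console.log(groupByEid(SAMPLE_FIELDS));
```

The version-string field shows why the patterns are anchored and range-checked: an unanchored or loose expression would pull unrelated fields into the same Entity Identifier and produce relations that have to be cleared by hand in the report.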

More generation parameters are available in the Advanced Parameters tab. The available presets are suited for most cases, but you can also edit the complete parameter list for full control.

Click Ok to start the detection procedure.

Report

At the end of the detection process, all found relations are presented in a report.

The Suggested Relations tab displays found relations grouped by source endpoint (either a field or an Entity Identifier). Selecting a source endpoint will open the list of all its related target fields.

Fields in the report can be included or excluded from the output result by selecting or clearing the appropriate check box.

To provide a clear idea of the data connected in the relations, clicking a target field will open an exploratory window with 100 sample documents per endpoint, with matched values highlighted.

You can change a source endpoint by clicking on the drop-down button before its name. This is sometimes useful to correct mistakes in the generation procedure, or if you prefer to have a different relation type (direct relation or passing through an Entity Identifier).

The name of Entity Identifiers is also editable. Note that assigning the same Entity Identifier name on two different sources will merge them into a single output identifier.

The Already Existing Relations tab in the report can be used to track the status of existing relations in the data set against the reported relations. Note that Found relations in this tab do not also appear as Suggested Relations, since they already exist and should not be duplicated.

For further insight about the generation process, you can inspect details about each analyzed field in the Per-Field Notes tab, and the full log of the procedure is available in the Log tab.

Temporary Relations

Click Ok to close the report and put all selected relations in a temporary state. They are shown in light blue in the Data Model page but will otherwise be ignored in other parts of Siren Investigate.

Temporary relations can also be seen in the graph.

The temporary state is useful to provide a final overview of the newly generated relations and enable further customization, as if they were manually inserted (for example, changing the link names).

Caution

Temporary relations are associated with the current browser session. If the browser closes, all temporary relations are lost.

You can review and save each temporary relation individually by clicking the disk icon of its entry in the Data Model > Relations tab, while removing the entry will discard it permanently.

If you are sure that all the temporary auto-relations are fine, you can also click Save All in the upper info banner to save them in bulk. Conversely, click Remove All to discard all the temporary relations.

Saving an Index Pattern Search or Entity Identifier will also save all its temporary relations.