Entity management

Entity creation

Colander offers 4 ways to create new entities, each offering a different level of detail.

Graph workspace

Users can create new entities, one at a time, directly from the knowledge graph.

Create a new entity within the knowledge graph

Collect workspace

Users can create multiple new entities at once, directly from the Collect workspace.

Quickly create multiple new entities

Entity creation form

Finally, users can create new entities, one at a time, using the different entity creation forms available in the Collect workspace. This method offers the highest level of detail.

Create a new entity

REST API

Refer to the REST API documentation.

Entity attributes

Users can add custom attributes to entities of type:

  • Artifact
  • Device
  • Observable
  • Event

Some sub-types such as IP v4 come with a set of suggested attributes such as address block or asn.

Overview of an entity having custom attributes

Entities that were imported or enriched from the Investigate workspace usually come with additional attributes extracted from external services.

Entity attributes are exported in feeds along with all the other information about the entity they belong to.

Types of entities

Each type of entity can be more precisely defined. For example, Colander comes with a set of sub-types such as Observable / IP v4, Artifact / Android backup, etc.

Actors

Entities of this type represent individuals, organizations or groups that can perform actions in the digital environment.

Create a new actor

Tight relationships

Colander supports the following tight relationships, which represent the bare minimum level of information needed to represent relationships between entities:

  • Device is operated by an Actor
  • Observable is operated by an Actor

Artifacts

Entities of this type represent files or any digital trace left behind by actors or the execution of software.

Create a new artifact

Tight relationships

Colander supports the following tight relationships, which represent the bare minimum level of information needed to represent relationships between entities:

  • Artifact has been extracted from a Device
  • Observable has been extracted from an Artifact
  • Event has been extracted from an Artifact
  • Fragment of data has been extracted from an Artifact

Devices

Entities of this type represent computers, smartphones, tablets, and other electronic devices that store and transmit data.

Create a new device

Tight relationships

Colander supports the following tight relationships, which represent the bare minimum level of information needed to represent relationships between entities:

  • Device is operated by an Actor
  • Event has been observed on a Device
  • Artifact has been extracted from a Device

Detection rules

Entities of this type represent sets of criteria used to identify suspicious activity or potential threats.

Create a new detection rule

Tight relationships

Colander supports the following tight relationships, which represent the bare minimum level of information needed to represent relationships between entities:

  • Event has been detected by a Detection rule

Threats

Entities of this type represent potential risks or harmful actions that can target individuals, organizations, or systems.

Create a new threat

Tight relationships

Colander supports the following tight relationships, which represent the bare minimum level of information needed to represent relationships between entities:

  • Observable indicates a Threat

Observables

Entities of this type represent specific pieces of evidence or information that can be used to identify a piece of technical information.

Create a new observable

Tight relationships

Colander supports the following tight relationships, which represent the bare minimum level of information needed to represent relationships between entities:

  • Observable is operated by an Actor
  • Observable has been extracted from an Artifact
  • Observable indicates a Threat
  • Event involves a set of Observables

Events

Entities of this type represent recorded occurrences of actions or changes in a system.

Create a new event

Tight relationships

Colander supports the following tight relationships, which represent the bare minimum level of information needed to represent relationships between entities:

  • Event involves a set of Observables
  • Event has been detected by a Detection rule
  • Event has been extracted from an Artifact

Fragment of data

Entities of this type represent small pieces of data that can be used to reconstruct a larger dataset or provide insights into the activities of actors or systems.

Create a new fragment of data

Tight relationships

Colander supports the following tight relationships, which represent the bare minimum level of information needed to represent relationships between entities:

  • Fragment of data has been extracted from an Artifact
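
The tight relationships listed per entity type above form a single directed schema. The following added example (not Colander's code or API; the function names, constants and sample case are hypothetical and constructed for illustration) collects them in one place and checks a set of relations prepared outside Colander against that schema, flagging relations that are reversed or not tight relationships at all.

```python
# Added illustration, not part of Colander. All names here are hypothetical.

# (source type, relationship, target type), as listed on this page.
# "involves a set of" is shortened to "involves".
TIGHT = {
    ("Device", "is operated by", "Actor"),
    ("Observable", "is operated by", "Actor"),
    ("Artifact", "has been extracted from", "Device"),
    ("Observable", "has been extracted from", "Artifact"),
    ("Event", "has been extracted from", "Artifact"),
    ("Fragment of data", "has been extracted from", "Artifact"),
    ("Event", "has been observed on", "Device"),
    ("Event", "has been detected by", "Detection rule"),
    ("Observable", "indicates", "Threat"),
    ("Event", "involves", "Observable"),
}

def check_edges(entities, edges):
    """entities: name -> type; edges: (source name, relationship, target name).
    Returns (edge, reason) for every edge that is not a tight relationship."""
    problems = []
    for edge in edges:
        src, rel, dst = edge
        if src not in entities or dst not in entities:
            problems.append((edge, "unknown entity"))
        elif (entities[src], rel, entities[dst]) in TIGHT:
            continue
        elif (entities[dst], rel, entities[src]) in TIGHT:
            problems.append((edge, "reversed direction"))
        else:
            problems.append((edge, "not a tight relationship"))
    return problems

def relationships_for(entity_type):
    """Every tight relationship the type takes part in, on either side."""
    return sorted(t for t in TIGHT if entity_type in (t[0], t[2]))

# Constructed sample case (203.0.113.7 is a documentation address).
SAMPLE_ENTITIES = {
    "operator-x": "Actor", "phone-1": "Device", "backup.ab": "Artifact",
    "203.0.113.7": "Observable", "beacon": "Event", "spyware-y": "Threat",
}
SAMPLE_EDGES = [
    ("phone-1", "is operated by", "operator-x"),
    ("backup.ab", "has been extracted from", "phone-1"),
    ("203.0.113.7", "has been extracted from", "backup.ab"),
    ("203.0.113.7", "indicates", "spyware-y"),
    ("beacon", "involves", "203.0.113.7"),
    ("phone-1", "has been extracted from", "backup.ab"),  # wrong direction
    ("spyware-y", "is operated by", "operator-x"),        # not listed above
]
```

`relationships_for("Event")` returns four relationships, including "Event has been observed on a Device", which this page lists under Devices.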