Entities & Entity Graph
Entities are the key artifacts extracted from security events - users, hosts, IP addresses, domains, file hashes, and more. nano automatically extracts entities from alerts and provides an interactive visualization to understand relationships.
Entity Types
| Type | Icon | Description | Examples |
|---|---|---|---|
| User | Purple circle | User accounts and identities | admin, jsmith@corp.com |
| Host | Blue circle | Hostnames and computer names | SRV-PROD-01, LAPTOP-ABC123 |
| IP | Green circle | IP addresses (v4 and v6) | 192.168.1.100, 10.0.0.1 |
| Domain | Orange circle | Domain names | evil.com, api.example.org |
| Hash | Gray circle | File hashes (MD5, SHA1, SHA256) | a1b2c3... |
| URL | Purple square | Full URLs | https://evil.com/malware.exe |
| File | Blue square | File paths and names | /tmp/payload.sh |
| Process | Green square | Process names | powershell.exe, cmd.exe |
| Email | Orange square | Email addresses | attacker@evil.com |
Entity Extraction
Entities are automatically extracted from matched events when alerts fire:
Extraction Sources
| Field | Extracts To |
|---|---|
| user, src_user, dest_user | User entity |
| src_host, dest_host | Host entity |
| src_ip, dest_ip | IP entity |
| Domain patterns in messages | Domain entity |
| file_hash | Hash entity |
| URL patterns in messages | URL entity |
| file_path, file_name | File entity |
| process_name, parent_command_line | Process entity |
| Email patterns in messages | Email entity |
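As an added example (not nano's own code), the field mapping in the table above and the message-pattern rules described under Extraction Logic below can be implemented in Python as follows. The regular expressions, the file-extension exclusion list, the `hashtype:hex` annotation format and the sample event are assumptions made for this example; an email and a URL are removed from the message before the domain scan so their host parts are not double-counted as domains.

```python
import ipaddress
import re
from collections import Counter

# Field -> entity type, following the Extraction Sources table.
FIELD_MAP = {
    "user": "user", "src_user": "user", "dest_user": "user",
    "src_host": "host", "dest_host": "host",
    "src_ip": "ip", "dest_ip": "ip",
    "file_hash": "hash",
    "file_path": "file", "file_name": "file",
    "process_name": "process", "parent_command_line": "process",
}

# Message patterns (assumed regexes for this example, not nano's own).
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
EMAIL_RE = re.compile(r"\b[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}\b", re.I)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
# Dotted names that look like domains but are really file names (constructed list).
NOT_DOMAIN_SUFFIXES = {"exe", "dll", "sh", "ps1", "bat", "txt", "log"}


def is_valid_ip(value):
    """True for syntactically valid IPv4/IPv6 addresses."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def annotate_hash(value):
    """Return 'md5:<hex>' / 'sha1:<hex>' / 'sha256:<hex>' by length, or None."""
    value = value.strip().lower()
    htype = HASH_TYPES.get(len(value))
    if htype is None or not re.fullmatch(r"[0-9a-f]+", value):
        return None
    return f"{htype}:{value}"


def extract_entities(event):
    """Return a Counter of (entity_type, value) pairs found in one event."""
    found = Counter()
    # 1. Structured fields: direct mapping; IPs and hashes are validated first.
    for field, etype in FIELD_MAP.items():
        value = event.get(field)
        if not value:
            continue
        if etype == "ip" and not is_valid_ip(value):
            continue
        if etype == "hash":
            value = annotate_hash(value)
            if value is None:
                continue
        found[(etype, value)] += 1
    # 2. Free-text message: URLs and emails first, then strip them so the
    #    domain regex does not re-match their host parts.
    msg = event.get("message", "")
    for url in URL_RE.findall(msg):
        found[("url", url)] += 1
    for email in EMAIL_RE.findall(msg):
        found[("email", email.lower())] += 1
    rest = EMAIL_RE.sub(" ", URL_RE.sub(" ", msg))
    for dom in DOMAIN_RE.findall(rest):
        suffix = dom.rsplit(".", 1)[-1].lower()
        if is_valid_ip(dom) or suffix in NOT_DOMAIN_SUFFIXES:
            continue
        found[("domain", dom.lower())] += 1
    for h in HASH_RE.findall(msg):
        found[("hash", annotate_hash(h))] += 1
    return found


# Constructed sample event; not real data.
SAMPLE_EVENT = {
    "src_user": "admin@corp.com",
    "src_host": "SRV-PROD-01",
    "src_ip": "192.168.1.100",
    "dest_ip": "not-an-ip",            # invalid, must be skipped
    "process_name": "powershell.exe",
    "file_hash": "A1B2C3D4E5F60718293A4B5C6D7E8F90",
    "message": "powershell.exe fetched https://evil.com/malware.exe from evil.com "
               "(203.0.113.42); reported by attacker@evil.com; sha256 " + "ab" * 32,
}

if __name__ == "__main__":
    for (etype, value), count in sorted(extract_entities(SAMPLE_EVENT).items()):
        print(f"{etype:8} {value} ({count})")
```

Note that `powershell.exe` is still extracted as a Process entity from the `process_name` field; the exclusion list only stops it from also being reported as a Domain when it appears in free text.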
Extraction Logic
```
// Example: Extract IPs from event
if event.src_ip is present and is valid IP → add IP entity
if event.dest_ip is present and is valid IP → add IP entity

// Example: Extract domains from message
for each pattern matching domain regex in event.message:
    if not an IP address → add Domain entity

// Example: Extract hashes
for each pattern matching hash regex (MD5/SHA1/SHA256):
    add Hash entity with hash type annotation
```
Entities Panel
The entities panel in the case detail view shows all extracted entities grouped by type:
```
┌─────────────────────────────────┐
│ ENTITIES                        │
├─────────────────────────────────┤
│ ▼ Users (3)                     │
│   ⭐ admin@corp.com (15)        │
│     jsmith (3)                  │
│     service_account (1)         │
│                                 │
│ ▼ Hosts (2)                     │
│     SRV-PROD-01 (8)             │
│     LAPTOP-ABC123 (4)           │
│                                 │
│ ▼ IPs (5)                       │
│     192.168.1.100 (12)          │
│     10.0.0.1 (5)                │
│     203.0.113.42 [G] (3)        │
│     ...                         │
│                                 │
│ ▼ Domains (1)                   │
│     evil.com [!] (2)            │
└─────────────────────────────────┘
```
Panel Features
| Feature | Description |
|---|---|
| Counts | Number in parentheses shows occurrence count |
| Primary Entity | Star icon marks the primary entity for the case |
| Enrichment Icons | Globe for geo-enriched IPs, warning badge for threat intel matches |
| Click Action | Click any entity to pivot to search |
| Double-Click | Opens new search tab filtered to that entity |
Entity Graph
The entity graph provides a visual representation of relationships between entities:
```
              ┌─────────────┐
              │    admin    │
              │   (User)    │
              └──────┬──────┘
                     │
        ┌────────────┼────────────┐
        │            │            │
  ┌─────┴─────┐ ┌────┴────┐ ┌─────┴─────┐
  │ SRV-PROD  │ │ LAPTOP  │ │ 10.0.0.1  │
  │  (Host)   │ │ (Host)  │ │   (IP)    │
  └─────┬─────┘ └─────────┘ └───────────┘
        │
  ┌─────┴─────┐
  │  evil.com │
  │ (Domain)  │
  └───────────┘
```
Graph Features
Node Visualization
- Color: Indicates entity type (see table above)
- Size: Larger nodes have more occurrences
- Border: Highlighted for primary entities
- Tooltip: Hover for entity details and enrichment
Interactions
| Action | Result |
|---|---|
| Drag | Move node, graph adjusts |
| Click | Highlight node and connected edges |
| Double-click | Pivot to search for entity |
| Scroll | Zoom in/out |
| Pan | Click and drag background |
Controls
- Reset View: Return to default zoom/position
- Export PNG: Save graph as image
- Layout Toggle: Switch between force-directed and hierarchical layouts
Edge Relationships
Edges (lines) connect entities that appear together in the same events:
| Edge Type | Meaning |
|---|---|
| User ↔ Host | User authenticated to or acted on host |
| Host ↔ IP | Host has/had this IP address |
| Host ↔ Domain | Host communicated with domain |
| IP ↔ Domain | Domain resolved to IP |
| Process ↔ File | Process accessed/created file |
Edge thickness indicates connection strength (more co-occurrences = thicker line).
Primary Entity
Each case has a primary entity - the most significant entity for that investigation:
Selection Logic
- Entity with highest occurrence count in matched events
- Preference order: User > Host > IP > Domain > Hash
- Can be manually overridden by analysts
Use Cases
- Grouping key: Primary entity often determines case grouping
- Title generation: Used in case title templates (`Activity by {{primary_entity}}`)
- Dashboard filtering: Filter cases by primary entity type
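The two mechanisms described above, co-occurrence edges whose weight is drawn as line thickness (Edge Relationships) and primary entity selection by occurrence count with the User > Host > IP > Domain > Hash tie-break and an analyst override (Selection Logic), as an added Python example that is not nano's own code. It also flags hub entities by neighbour count, which is what Best Practice 4 below asks analysts to watch for. The event list, the hub threshold and the pixel scale for edge width are assumptions for this example.

```python
from collections import Counter
from itertools import combinations

# Tie-break order from the Selection Logic list: User > Host > IP > Domain > Hash.
PRIMARY_PREFERENCE = ["user", "host", "ip", "domain", "hash"]


def build_graph(events):
    """events: one list of (entity_type, value) pairs per matched event.

    Returns (nodes, edges). nodes maps entity -> occurrence count (node size);
    edges maps frozenset({a, b}) -> number of events in which a and b appear
    together (edge weight, drawn as line thickness)."""
    nodes, edges = Counter(), Counter()
    for entities in events:
        nodes.update(entities)            # every occurrence counts toward size
        present = sorted(set(entities))   # but each pair only once per event
        for a, b in combinations(present, 2):
            edges[frozenset((a, b))] += 1
    return nodes, edges


def select_primary(nodes, override=None):
    """Highest occurrence count wins; ties fall back to PRIMARY_PREFERENCE,
    then to the value itself so the result is deterministic. An analyst
    override (an entity tuple) is returned unchanged."""
    if override is not None:
        return override

    def rank(entity):
        etype, value = entity
        pref = (PRIMARY_PREFERENCE.index(etype)
                if etype in PRIMARY_PREFERENCE else len(PRIMARY_PREFERENCE))
        return (-nodes[entity], pref, value)

    return min(nodes, key=rank)


def degrees(edges):
    """Number of distinct neighbours per entity."""
    deg = Counter()
    for edge in edges:
        for entity in edge:
            deg[entity] += 1
    return deg


def hub_entities(edges, min_degree=3):
    """Entities connected to at least min_degree others (threshold assumed)."""
    return sorted(e for e, d in degrees(edges).items() if d >= min_degree)


def edge_widths(edges, max_px=6):
    """Scale edge weights linearly onto 1..max_px pixels."""
    if not edges:
        return {}
    top = max(edges.values())
    if top <= 1:
        return {e: 1 for e in edges}
    return {e: 1 + round((w - 1) * (max_px - 1) / (top - 1))
            for e, w in edges.items()}


# Constructed sample: entity sets already extracted from five matched events.
SAMPLE_EVENTS = [
    [("user", "admin"), ("host", "SRV-PROD-01"), ("ip", "10.0.0.1")],
    [("user", "admin"), ("host", "SRV-PROD-01"), ("domain", "evil.com")],
    [("user", "admin"), ("host", "LAPTOP-ABC123")],
    [("host", "SRV-PROD-01"), ("domain", "evil.com")],
    [("user", "admin"), ("ip", "10.0.0.1")],
]

if __name__ == "__main__":
    nodes, edges = build_graph(SAMPLE_EVENTS)
    print("primary:", select_primary(nodes))
    print("hubs:", hub_entities(edges))
    for edge, px in edge_widths(edges).items():
        a, b = sorted(edge)
        print(f"{a[1]} -- {b[1]}: weight {edges[edge]}, {px}px")
```

Counting every occurrence for node size but each pair only once per event keeps a single noisy event (the same user listed as both `src_user` and `dest_user`) from inflating an edge.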
Entity Enrichment
Entities are automatically enriched when applicable:
IP Enrichment
If IP enrichment is configured, external IPs receive:
- Country/Continent: Geographic location
- ASN: Autonomous System Number and name
- Risk Score: From threat intelligence feeds
Domain Enrichment
Domains may be checked against:
- Threat intel feeds: Known malicious domains
- Prevalence: How common in your environment
Hash Enrichment
File hashes can be looked up in:
- Threat intel feeds: Known malware hashes
- VirusTotal: (if configured)
Viewing Enrichment Data
Click an enriched entity to see details:
```
┌─────────────────────────────────────┐
│ 203.0.113.42                        │
├─────────────────────────────────────┤
│ Type: IP Address                    │
│ Occurrences: 12                     │
│                                     │
│ Enrichment:                         │
│   Country: Russia                   │
│   Continent: Europe                 │
│   ASN: AS12345                      │
│   AS Name: Example ISP              │
│   Risk Score: 75/100                │
│                                     │
│ Actions:                            │
│   [Search] [VirusTotal] [Whois]     │
└─────────────────────────────────────┘
```
API Reference
Get Case Entities
```
GET /api/cases/:id/entities
```
Response:
```json
{
  "entities": [
    {
      "entity_type": "user",
      "entities": [
        {
          "value": "admin@corp.com",
          "occurrence_count": 15,
          "is_primary": true,
          "risk_score": null,
          "enrichment_data": null
        }
      ]
    },
    {
      "entity_type": "ip",
      "entities": [
        {
          "value": "203.0.113.42",
          "occurrence_count": 3,
          "is_primary": false,
          "risk_score": 75,
          "enrichment_data": {
            "country": "Russia",
            "asn": "AS12345"
          }
        }
      ]
    }
  ]
}
```
Add Entity to Case
```
POST /api/cases/:id/entities
```
```json
{
  "entity_type": "ip",
  "entity_value": "203.0.113.42",
  "is_primary": false
}
```
Querying Entities
Use the search interface to find cases by entity:
Find Cases with Entity
```
source_type=case_audit entity_value="admin@corp.com"
| stats count by case_id
```
Find All IPs in Cases
```
source_type=case_audit entity_type=ip
| dedup entity_value
| table entity_value, case_number
```
Entity Occurrence Ranking
```
source_type=case_audit
| where entity_value != ""
| stats count by entity_type, entity_value
| sort -count
| head 20
```
Best Practices
1. Review Primary Entities
Ensure the primary entity accurately represents the case focus. Override if needed.
2. Use Entity Graph for Correlation
The visual representation often reveals relationships not obvious in tabular data.
3. Pivot Freely
Click entities to search - this is how you expand investigations.
4. Watch for Hub Entities
Large nodes (many connections) may indicate:
- Compromised accounts (user hub)
- Infected hosts (host hub)
- C2 servers (IP/domain hub)
5. Export Graphs
Use "Export PNG" to include entity relationships in reports and tickets.
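A PNG is not the only way to get entity data into a ticket. As an added Python example (not nano's own code), the following turns the `GET /api/cases/:id/entities` response shown in the API Reference into the same grouped, badged listing the entities panel shows, which pastes cleanly into a ticket or report. The sample response is the one from the API Reference; the group labels beyond the four visible in the panel excerpt, the warning-badge threshold on `risk_score` and the treatment of `country` as the geo-enrichment marker are assumptions for this example.

```python
import json

# Group order and labels follow the Entities Panel; labels after "Domains"
# are assumed since the panel excerpt shows only the first four groups.
PANEL_ORDER = ["user", "host", "ip", "domain", "hash", "url", "file", "process", "email"]
PANEL_LABELS = {"user": "Users", "host": "Hosts", "ip": "IPs", "domain": "Domains",
                "hash": "Hashes", "url": "URLs", "file": "Files",
                "process": "Processes", "email": "Emails"}
WARN_RISK = 70   # assumed threshold for the warning badge


def badges(entity):
    """[G] when geo-enriched, [!] when the threat-intel risk score is high."""
    marks = []
    enrich = entity.get("enrichment_data") or {}
    if "country" in enrich:
        marks.append("[G]")
    risk = entity.get("risk_score")
    if risk is not None and risk >= WARN_RISK:
        marks.append("[!]")
    return marks


def render_panel(response_json):
    """Turn a GET /api/cases/:id/entities body into panel-style text lines:
    one group header per type, then its entities sorted by occurrence count."""
    data = json.loads(response_json)
    groups = {g["entity_type"]: g["entities"] for g in data["entities"]}
    # Known types in panel order, then any type the panel order does not list.
    order = PANEL_ORDER + [t for t in groups if t not in PANEL_ORDER]
    lines = []
    for etype in order:
        ents = groups.get(etype)
        if not ents:
            continue
        lines.append(f"{PANEL_LABELS.get(etype, etype.title())} ({len(ents)})")
        for e in sorted(ents, key=lambda e: -e["occurrence_count"]):
            star = "⭐ " if e.get("is_primary") else ""
            tail = "".join(f" {b}" for b in badges(e))
            lines.append(f"  {star}{e['value']}{tail} ({e['occurrence_count']})")
    return lines


# The response body from the API Reference section, embedded as a string.
SAMPLE_RESPONSE = """
{
  "entities": [
    {"entity_type": "user", "entities": [
      {"value": "admin@corp.com", "occurrence_count": 15, "is_primary": true,
       "risk_score": null, "enrichment_data": null}]},
    {"entity_type": "ip", "entities": [
      {"value": "203.0.113.42", "occurrence_count": 3, "is_primary": false,
       "risk_score": 75, "enrichment_data": {"country": "Russia", "asn": "AS12345"}}]}
  ]
}
"""

if __name__ == "__main__":
    print("\n".join(render_panel(SAMPLE_RESPONSE)))
```

Because `risk_score` and `enrichment_data` are `null` for unenriched entities, the badge logic checks for `None` and an empty mapping rather than assuming the keys carry values.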