Records, Signals, Entities, and Insights
Learn about Insight generation, working with Entities, and how to query CSE Records.
In this section, we will introduce the following concepts:
📄️ Insight Generation Process
This page explains CSE's Insight generation process.
📄️ View and Manage Entities
This topic has information about the Entities page in the CSE UI, which lists all of the Entities in CSE and their Activity Scores, and the Entities > Details page, which presents information about a particular Entity, including Signals and Insights associated with the Entity.
📄️ Set Insight Generation Window and Threshold
This page has instructions for changing the detection window and the threshold Activity Score for Insight generation.
📄️ Entity Criticality
This page describes CSE’s Entity Criticality feature and how to use it.
📄️ Crowd-sourced intelligence for Insight triage
This page describes Global Intelligence for Security Insights, implemented in CSE as Global Confidence scores. This feature helps security analysts triage and prioritize Insights.
📄️ Create a Custom Entity Type
This topic has instructions for how to create custom Entity types in CSE.
📄️ Using Tags with Insights, Signals, Entities, and Rules
What are tags?
📄️ Searching for CSE Records in Sumo Logic
This topic has information about how to search the Sumo Logic platform for Records that have been forwarded from CSE. For more information about performing log searches in Sumo Logic, see Search Basics.
📄️ View Records for a Signal
CSE uses rules to evaluate incoming Records, and when the conditions of a rule are met, generates a Signal. This topic explains how to view Records associated with a Signal in CSE.
📄️ About Signal Suppression
In CSE, a suppressed Signal is a Signal that CSE’s Insight algorithm will exclude from the Insight generation process. In other words, a suppressed Signal does not contribute to or become a part of an Insight. Some suppression of Signals is automatic. CSE also has features that allow you to suppress Signals for a specific
📄️ About the CSE Insight UI
This topic describes the CSE UI for working with Insights.
📄️ Configure an Entity Lookup Table
This topic describes Entity Lookup Tables and how to configure them.
📄️ Configure a Custom Insight
As described in the Insight Generation Process topic, CSE automatically generates an Insight based on an Entity’s Activity Score, which is the cumulative severity of the unique Signals that have fired on an Entity during a period of time. In some cases, you may want CSE to generate an Insight on some basis other than Entity Activity Scores. For example, you might want an Insight generated
📄️ CSE Heads Up Display
This topic describes CSE’s Heads Up Display (HUD), the landing page for the CSE UI. The HUD provides an at-a-glance overview of Insight status and activity.
📄️ Save Inventory Data to a Lookup Table
This topic has instructions for using a saved Sumo Logic search to populate a Lookup Table with CSE inventory data. Once you’ve created an inventory Lookup Table, you can leverage it in log searches, and also use it to normalize hostnames and usernames.