Expand Up @@ -176,16 +176,20 @@ Involved entities are connected to the primary entity with dashed lines. Entitie
It's possible for a related entity to both be involved and detected. In that case, it typically be displayed as detected unless it is in a number of the insight's signals.
:::

How does Cloud SIEM detect entity relationships outside of the insight? Within the time range of the insight, described above, Cloud SIEM searches for related entities in the following normalized record fields:
How does Cloud SIEM detect entity relationships outside of the insight? Within the time range of the insight, described above, Cloud SIEM searches for related [entities in the following normalized record fields](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/schema/entity_fields.md):
* `*_command`
* `*_deployment`
* `*_domain`
* `*_email`
* `*_file`
* `*_hash`
* `*_hostname`
* `*_ip`
* `*_mac`
* `*_pod`
* `*_process`
* `*_replicaset`
* `*_resource`
* `*_url`
* `*_useragent`
* `*_username`
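Review bot: the unchanged context line just above the edited paragraph still reads "In that case, it typically be displayed as detected", which is missing a verb; since this paragraph is being touched anyway, change it to "it will typically be displayed as detected". The new wildcard list is consistent with the four entity types added elsewhere in this commit (`*_deployment`, `*_pod`, `*_replicaset`, `*_resource`), but the link text "entities in the following normalized record fields" now points at an external GitHub file rather than the docs site; consider linking only the words "normalized record fields" so the sentence still reads naturally if the catalog URL changes.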
Expand Up @@ -31,25 +31,28 @@ Watch this micro lesson to learn how insights are created.

## Entities in messages are mapped to entity-type schema attributes

During the next step of the [record processing flow](/docs/cse/schema/record-processing-pipeline)—log mapping—message fields are mapped to Cloud SIEM schema attributes. During this process, each entity field from a message is mapped to one of the following Cloud SIEM schema entity attributes:

| Entity type | Schema attributes |
|:----- |:----- |
| Command | `commandLine` |
| Domain | `http_referer_fqdn`, `http_url_fqdn` |
| Email | `targetUser_email`, `user_email` |
| File | `file_path`, `file_basename` |
| Hash | `file_hash_imphash`, `file_hash_md5`, `file_hash_pehash`, `file_hash_sha1`, `file_hash_sha256`, `file_hash_ssdeep` |
| Hostname | `device_hostname`, `device_hostname_raw`, `dstDevice_hostname`, `dstDevice_hostname_raw`, `srcDevice_hostname`, `srcDevice_hostname_raw` |
| IP Address | `device_ip`, `device_natIp`, `dns_replyIp`, `dstDevice_ip`, `dstDevice_natIp`, `srcDevice_ip`, `srcDevice_natIp` |
| MAC Address | `device_mac`, `dstDevice_mac`, `srcDevice_mac` |
| Process | `baseImage`, `parentBaseImage` |
| URL | `http_url` |
| User Agent | `http_userAgent` |
| Username | `fromUser_username`, `fromUser_username_raw`, `user_username`, `user_username_raw` |

Which particular attribute an entity gets mapped to depends on the [field mappings](/docs/cse/schema/create-structured-log-mapping) in the log mapper for the message source. Given the example message above, “thedude” might be mapped to `user_username` and "185.35.135.245"
to `srcDevice_ip`. 
During the next step of the [record processing flow](/docs/cse/schema/record-processing-pipeline)—log mapping—message fields are mapped to Cloud SIEM schema attributes. During this process, each entity field from a message is mapped to one of the following [Cloud SIEM schema entity attributes](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/schema/entity_fields.md):

| Entity type | Field | Schema attributes |
|:-- |:-- |:--|
| Command | `_command` | `commandLine` |
| Deployment | `_deployment` | `device_k8s_normalizedDeploymentName`, `dstDevice_k8s_normalizedDeploymentName`, `srcDevice_k8s_normalizedDeploymentName` |
| Domain | `_domain` | `http_referer_fqdn`, `http_url_fqdn` |
| Email | `_email` | `targetUser_email`, `user_email` |
| File | `_file` | `file_path`, `file_basename` |
| Hash | `_hash` | `file_hash_imphash`, `file_hash_md5`, `file_hash_pehash`, `file_hash_sha1`, `file_hash_sha256`, `file_hash_ssdeep` |
| Hostname | `_hostname` | `device_hostname`, `device_hostname_raw`, `dstDevice_hostname`, `dstDevice_hostname_raw`, `srcDevice_hostname`, `srcDevice_hostname_raw` |
| IP Address | `_ip` | `device_ip`, `device_natIp`, `dns_replyIp`, `dstDevice_ip`, `dstDevice_natIp`, `srcDevice_ip`, `srcDevice_natIp` |
| MAC Address | `_mac` | `device_mac`, `dstDevice_mac`, `srcDevice_mac` |
| Pod | `_pod` | `device_k8s_normalizedPodName`, `dstDevice_k8s_normalizedPodName`, `srcDevice_k8s_normalizedPodName` |
| Process | `_process` | `baseImage`, `parentBaseImage` |
| Replica Set | `_replicaset` | `device_k8s_normalizedReplicaSetName`, `dstDevice_k8s_normalizedReplicaSetName`, `srcDevice_k8s_normalizedReplicaSetName` |
| Resource | `_resource` | `resource` |
| URL | `_url` | `http_url` |
| User Agent | `_useragent` | `http_userAgent` |
| Username | `_username` | `fromUser_username`, `fromUser_username_raw`, `user_username`, `user_username_raw` |

Which particular attribute an entity gets mapped to depends on the [field mappings](/docs/cse/schema/create-structured-log-mapping) in the log mapper for the message source. Given the example message above, “thedude” might be mapped to `user_username` and "185.35.135.245" to `srcDevice_ip`. 

## Rules have one or more On Entity attributes

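Review bot: the new "Field" column lists values such as `_command` and `_deployment` without the `*` wildcard that the sibling page in this commit uses (`*_command`, `*_deployment`), and the bare values are suffixes, not complete field names; either rename the column to something like "Field suffix" or use the same `*_command` form in both files so readers can match the two pages. The Kubernetes rows (Deployment, Pod, Replica Set) map to `*_k8s_normalized*` attributes, which is a useful hint that these types only appear for Kubernetes sources; a short sentence saying so after the table would save readers looking for them in non-Kubernetes records. The merge of the wrapped sentence "and "185.35.135.245" / to `srcDevice_ip`." into one line is fine, but the trailing space after `srcDevice_ip`. should be dropped.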
Expand Up @@ -37,17 +37,21 @@ Watch this micro lesson to learn more about entities.

## About entities

In Cloud SIEM, an entity is a unique actor that a signal fired upon. Cloud SIEM has a number of built-in entity types:
In Cloud SIEM, an entity is a unique actor that a signal fired upon. Cloud SIEM has a number of [built-in entity types](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/schema/entity_fields.md):

* Command
* Deployment
* Domain
* Email
* File
* Hash
* Hostname
* IP Address
* MAC Address
* Pod
* Process
* Replica Set
* Resource
* URL
* User Agent
* Username
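Review bot: the four added types (Deployment, Pod, Replica Set, Resource) match the table and list changes in the other two files, so the three pages stay in sync; since Deployment, Pod and Replica Set are Kubernetes objects, consider adding a one-line note under the list that these entity types are populated from Kubernetes sources, so readers of this overview page are not left guessing where such entities come from.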
Expand Down Expand Up @@ -145,34 +149,34 @@ or criticality for one or more entities.
1. Click the top checkbox to select all of the entities on the page, or click the checkbox next to each entity you want to update.
1. Note that once you select an entity, three options appear at the top of the entities list. <br/><img src={useBaseUrl('img/cse/update-options.png')} alt="Update options" style={{border: '1px solid gray'}} width="800"/>
<br/>See the instructions for each option below:
* [Update Tags](#update-tags)
* [Update Suppression](#update-suppression)
* [Update Criticality](#update-criticality)
* [Update tags](#update-tags)
* [Update suppression](#update-suppression)
* [Update criticality](#update-criticality)

#### Update Tags
#### Update tags

1. After selecting the entities you want to update, click **Update Tags**. 
2. Click the down arrow to display the options: <br/><img src={useBaseUrl('img/cse/tag-options.png')} alt="Tag options" style={{border: '1px solid gray'}} width="400"/>
1. Click the down arrow to display the options: <br/><img src={useBaseUrl('img/cse/tag-options.png')} alt="Tag options" style={{border: '1px solid gray'}} width="400"/>
* **Add.** Select this option to add one or more tags to the entity, without affecting any tags already assigned to the entity. You’re prompted to select a tag. If you select a schema tag, you’re prompted to select a tag value. You can select  multiple tags to add.
* **Remove**. Select his option to remove one or more tags from the entity. You’re prompted to select a tag. If you select a schema tag, you’re prompted to select a tag value. You can select multiple tags to remove. If a selected entity doesn't have the specified tags, no change will be made to the entity. 
* **Replace**. Select this option to remove all of the tags currently assigned to the entity and add one or more specified tags. You’re prompted to select a tag. If you select a schema tag, you’re prompted to select a tag value. 
:::important
When you use the **Replace** option, be sure to specify new tags. If you do not, the existing tags will still be removed.
:::
3. As you select tags, they’ll appear in the update popup. <br/><img src={useBaseUrl('img/cse/tags-to-add.png')} alt="Add tags to entities" style={{border: '1px solid gray'}} width="400"/>
4. When you are done selecting tags, click **Update Entity Tags**.
1. As you select tags, they’ll appear in the update popup. <br/><img src={useBaseUrl('img/cse/tags-to-add.png')} alt="Add tags to entities" style={{border: '1px solid gray'}} width="400"/>
1. When you are done selecting tags, click **Update Entity Tags**.

#### Update Suppression
#### Update suppression

1. After selecting the entities you want to update, click **Update Suppression**. 
2. The **Update Suppression** popup appears, with the suppression toggle set to **Not Suppressed**. <br/><img src={useBaseUrl('img/cse/before-suppression.png')} alt="Update suppression" style={{border: '1px solid gray'}} width="400"/>
3. If you want to unsuppress the selected entities, click **Update Entity Suppression**. Otherwise, if you want to suppress the entity, toggle the slider to **Suppressed**, supply a comment if desired, and then click **Update Entity Suppression**. 
1. The **Update Suppression** popup appears, with the suppression toggle set to **Not Suppressed**. <br/><img src={useBaseUrl('img/cse/before-suppression.png')} alt="Update suppression" style={{border: '1px solid gray'}} width="400"/>
1. If you want to unsuppress the selected entities, click **Update Entity Suppression**. Otherwise, if you want to suppress the entity, toggle the slider to **Suppressed**, supply a comment if desired, and then click **Update Entity Suppression**. 

#### Update Criticality
#### Update criticality

1. After selecting the entities you want to update, click **Update Criticality**. 
2. The **Update Criticality** popup appears. <br/><img src={useBaseUrl('img/cse/update-criticalities.png')} alt="Update criticalities" style={{border: '1px solid gray'}} width="400"/>
3. If you want to assign default criticality to the selected entities, click **Update Entity Criticality**. Otherwise, use the down arrow to view defined Criticalities, select one, and then click **Update Entity Criticality**.
1. The **Update Criticality** popup appears. <br/><img src={useBaseUrl('img/cse/update-criticalities.png')} alt="Update criticalities" style={{border: '1px solid gray'}} width="400"/>
1. If you want to assign default criticality to the selected entities, click **Update Entity Criticality**. Otherwise, use the down arrow to view defined Criticalities, select one, and then click **Update Entity Criticality**.

### Import entity updates from a CSV file

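Review bot: the unchanged nested bullet "**Remove**. Select his option to remove one or more tags" has a typo ("his" should be "this"), and the "**Add.**" bullet contains a double space in "select  multiple tags"; both are context lines inside this hunk and would be worth fixing while the list numbering is being changed. Switching every step to "1." so Markdown renumbers automatically is good, but the `:::important` admonition sits between step 2 and step 3 of the nested list; please confirm in the rendered page that the admonition does not break the auto-numbering (the step after it should still render as 3, not restart at 1).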
Expand Down Expand Up @@ -204,8 +208,8 @@ Note that:

| Column | Description |
|:--|:--|
| `id` | **This field is required for Format 1.**<br/>To form the id field value, concatenate the entity `type` and the value of the entity, separated by a dash character (-) where the entity `type` is one of the following:<br/>`_ip`<br/>`_hostname`<br/>`_username`<br/>`_mac`<br/>`_process`<br/>`_command`<br/>`_hash`<br/>`_domain`<br/>`_useragent`<br/>`_email`<br/>`_url`<br/>`_file`<br/>`<CustomEntityTypeId>`<br/><br/>The `id` for an IP address would look like:<br/><br/>`_ip-1.2.3.4` <br/><br/>You can optionally specify an entity’s sensor zone as a part of the `id` column, in this format:<br/><br/> `_<entity_type>-<sensor_zone>-<entity_value>` <br/><br/>For example: <br/><br/> `_ip-zone1-172.18.20.3`|
| `type` | **This field is required for Format 2.**<br/>Identifies the type of entity, one of:<br/>`_ip`<br/>`_hostname`<br/>`_username`<br/>`_mac`<br/>`_process`<br/>`_command`<br/>`_hash`<br/>`_domain`<br/>`_useragent`<br/>`_email`<br/>`_url`<br/>`_file`<br/>`<CustomEntityTypeId>` |
| `id` | **This field is required for Format 1.**<br/>To form the id field value, concatenate the entity `type` and the value of the entity, separated by a dash character (-) where the entity `type` is one of the following:<br/>`_command`<br/>`_deployment`<br/>`_domain`<br/>`_email`<br/>`_file`<br/>`_hash`<br/>`_hostname`<br/>`_ip`<br/>`_mac`<br/>`_pod`<br/>`_process`<br/>`_replicaset`<br/>`_resource`<br/>`_useragent`<br/>`_username`<br/>`_url`<br/>`<CustomEntityTypeId>`<br/><br/>The `id` for an IP address would look like:<br/><br/>`_ip-1.2.3.4` <br/><br/>You can optionally specify an entity’s sensor zone as a part of the `id` column, in this format:<br/><br/> `_<entity_type>-<sensor_zone>-<entity_value>` <br/><br/>For example: <br/><br/> `_ip-zone1-172.18.20.3`|
| `type` | **This field is required for Format 2.**<br/>Identifies the type of entity, one of:<br/>`_command`<br/>`_deployment`<br/>`_domain`<br/>`_email`<br/>`_file`<br/>`_hash`<br/>`_hostname`<br/>`_ip`<br/>`_mac`<br/>`_pod`<br/>`_process`<br/>`_replicaset`<br/>`_resource`<br/>`_useragent`<br/>`_username`<br/>`_url`<br/>`<CustomEntityTypeId>` |
| `value` | **This field is required for Format 2.**<br/>The value of the entity, for example, for an IP address:<br/>`1.2.3.4` |
| `sensor_zone` | Identifies the sensor zone for the entity. <br/><br/>Don’t include this column if you are specifying entity sensor zones in the `id` column, as described above. |
| `suppressed` | When *true*, Cloud SIEM suppresses the entity. |
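Review bot: in both the `id` and `type` rows the new list is alphabetical except for the last entries, which read `_useragent`, `_username`, `_url`; alphabetical order would be `_url`, `_useragent`, `_username`, and keeping it strictly sorted makes it easier to spot a missing type against the other lists in this commit. The same sixteen-item list is now duplicated verbatim in two table cells; a single sentence in the `type` row such as "one of the entity types listed for `id` above" would avoid the two copies drifting apart on the next update.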