Entity Tracking

Overview

Secure60 Collector implements comprehensive entity tracking capabilities that automatically discover and monitor key entities within your environment. This real-time entity intelligence provides visibility into hosts, applications, and network actors, enabling advanced security analytics and threat detection.

Key Benefits

Entity Tracking Architecture

Secure60 Collector’s entity tracking system uses an in-memory enrichment table to efficiently track and deduplicate entities across your data streams:

  1. Entity Detection - Monitor incoming events for entity identifiers
  2. Deduplication - Cache entities to avoid duplicate processing
  3. Export Processing - Periodically export tracked entities for analytics
  4. Batch Optimization - Process entities in configurable batches for memory efficiency

Supported Entity Types

The entity tracking system supports three primary entity types with plans for custom entity support:

1. Hostname Tracking

Track unique hostnames appearing in your environment to monitor infrastructure changes and identify new systems.

Field Monitored: host_name
Use Cases:

2. Source IP Address Tracking

Monitor unique source IP addresses to identify network actors and communication patterns.

Field Monitored: ip_src_address
Use Cases:

3. Application Name Tracking

Track unique application names to maintain visibility of software assets and application usage.

Field Monitored: app_name
Use Cases:

4. Custom Entity Tracking

Support for custom field-based entity tracking to monitor organization-specific identifiers. Contact Secure60 Support to enable this feature.

Configuration

Entity tracking requires the INGEST_METRIC_LOCATION environment variable to be configured to specify where tracked entities should be sent. This endpoint receives the entity data for processing by Secure60’s analytics systems.

Basic Configuration

Via Environment Variables

# Required: Configure metric ingest endpoint for entity data
INGEST_METRIC_LOCATION=https://ingest.secure60.io/ingest/1.0/metrics/project/

# Enable hostname tracking
ENTITY_TRACKING_HOSTNAME=true

# Enable source IP tracking  
ENTITY_TRACKING_SRCIP=true

# Enable application name tracking
ENTITY_TRACKING_APPNAME=true

Via Portal UI

  1. Navigate to Integrations → Secure60 Collector
  2. Click “Advanced Config”
  3. Find “Entity Tracking” section
  4. Enable desired entity types
  5. Configure timing parameters

Advanced Configuration

Memory and Performance Tuning

# Required: Configure metric ingest endpoint
INGEST_METRIC_LOCATION=https://ingest.secure60.io/ingest/1.0/metrics/project/

# Basic entity tracking setup
ENTITY_TRACKING_HOSTNAME=true
ENTITY_TRACKING_SRCIP=true  
ENTITY_TRACKING_APPNAME=true

# Performance optimization
ENTITY_TRACKING_TTL=300              # 5 minute cache TTL
ENTITY_TRACKING_EXPORT_INTERVAL=180  # 3 minute export interval

# Memory efficiency (handled automatically)
# Export batch size: 10,000 entities per batch
# Flush interval: 5 seconds for table maintenance

Selective Entity Tracking

# Required: Configure metric ingest endpoint
INGEST_METRIC_LOCATION=https://ingest.secure60.io/ingest/1.0/metrics/project/

# Track only specific entity types for focused monitoring
ENTITY_TRACKING_HOSTNAME=true    # Infrastructure focus
ENTITY_TRACKING_SRCIP=false      # Disable IP tracking
ENTITY_TRACKING_APPNAME=false    # Disable app tracking

Entity Data Format

Output Structure

Tracked entities are exported in a standardized format for integration with Secure60 analytics systems:

{
  "_category": "entity-tracking",
  "_entity_name": "host_name",
  "_entity_value": "web-server-01.company.com", 
  "_score": 0
}

Field Descriptions

Example Entity Records

Hostname Entity

{
  "_category": "entity-tracking",
  "_entity_name": "host_name", 
  "_entity_value": "database-server-prod-01.internal",
  "_score": 0
}

Source IP Entity

{
  "_category": "entity-tracking",
  "_entity_name": "ip_src_address",
  "_entity_value": "192.168.1.100", 
  "_score": 0
}

Application Entity

{
  "_category": "entity-tracking",
  "_entity_name": "app_name",
  "_entity_value": "nginx",
  "_score": 0
}

Implementation Use Cases

Infrastructure Monitoring

Asset Discovery and Inventory

# Required: Configure metric ingest endpoint
INGEST_METRIC_LOCATION=https://ingest.secure60.io/ingest/1.0/metrics/project/

# Enable comprehensive hostname tracking
ENTITY_TRACKING_HOSTNAME=true
ENTITY_TRACKING_TTL=86400  # 24 hour cache for inventory

# Use case: Maintain real-time inventory of all systems
# - Automatically discover new servers
# - Track decommissioned systems  
# - Monitor infrastructure changes

Network Security Monitoring

# Required: Configure metric ingest endpoint
INGEST_METRIC_LOCATION=https://ingest.secure60.io/ingest/1.0/metrics/project/

# Focus on network actor tracking
ENTITY_TRACKING_SRCIP=true
ENTITY_TRACKING_HOSTNAME=false
ENTITY_TRACKING_APPNAME=false

# Use case: Network threat detection
# - Identify new IP addresses in environment
# - Track external communication patterns
# - Prepare data for threat intelligence correlation

Application Security

Software Asset Management

# Required: Configure metric ingest endpoint
INGEST_METRIC_LOCATION=https://ingest.secure60.io/ingest/1.0/metrics/project/

# Track application landscape
ENTITY_TRACKING_APPNAME=true
ENTITY_TRACKING_HOSTNAME=true

# Use case: Application security monitoring
# - Discover unauthorized software
# - Track application versions and updates
# - Monitor application deployment patterns

Compliance Monitoring

# Required: Configure metric ingest endpoint
INGEST_METRIC_LOCATION=https://ingest.secure60.io/ingest/1.0/metrics/project/

# Comprehensive entity tracking for compliance
ENTITY_TRACKING_HOSTNAME=true
ENTITY_TRACKING_SRCIP=true
ENTITY_TRACKING_APPNAME=true
ENTITY_TRACKING_TTL=604800  # 7 day retention for compliance

# Use case: Regulatory compliance
# - Maintain audit trails of system access
# - Document infrastructure inventory
# - Track application usage patterns

Performance Optimization

Memory Management

The entity tracking system is designed for efficiency with automatic memory management:

Automatic Optimization Features

Configuration for High-Volume Environments

# Required: Configure metric ingest endpoint
INGEST_METRIC_LOCATION=https://ingest.secure60.io/ingest/1.0/metrics/project/

# Optimize for high-volume data streams
ENTITY_TRACKING_TTL=86400              # Longer cache for less turnover
ENTITY_TRACKING_EXPORT_INTERVAL=900   # Longer export periods to reduce data volumes

Configuration for Long-Term Tracking

# Required: Configure metric ingest endpoint
INGEST_METRIC_LOCATION=https://ingest.secure60.io/ingest/1.0/metrics/project/

# Optimize for comprehensive entity retention
ENTITY_TRACKING_TTL=3600             # 1 hour cache retention
ENTITY_TRACKING_EXPORT_INTERVAL=300  # Standard export interval

Processing Efficiency

Conditional Processing

The system only processes events when:

  1. Entity tracking is enabled for the specific type
  2. The target field contains a non-null value
  3. The entity is not already cached (deduplication)
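The pipeline described in this page (detect, deduplicate against a TTL cache, export in batches in the record format shown under Entity Data Format, and the three processing conditions just listed) can be modelled in a few dozen lines. The following is an added illustration, not the Secure60 Collector's own code: it reads the page's ENTITY_TRACKING_* variables from a plain dict, takes an injectable clock, and returns newline-delimited JSON from export() instead of posting to INGEST_METRIC_LOCATION, which is an assumption made to keep it runnable offline.

```python
import json
import time
from typing import Callable, Dict, List

# Env-var names from this page mapped to the fields the page says each one tracks.
TRACKED_FIELDS = {
    "ENTITY_TRACKING_HOSTNAME": "host_name",
    "ENTITY_TRACKING_SRCIP": "ip_src_address",
    "ENTITY_TRACKING_APPNAME": "app_name",
}

class EntityTracker:
    # Constructed model of the described pipeline: detect, deduplicate, export in batches.
    def __init__(self, env: Dict[str, str], batch_size: int = 10_000,
                 now: Callable[[], float] = time.time):
        # Only field types switched on in the environment are monitored.
        self.fields = [f for var, f in TRACKED_FIELDS.items()
                       if env.get(var, "false").lower() == "true"]
        self.ttl = int(env.get("ENTITY_TRACKING_TTL", 300))      # cache TTL in seconds
        self.batch_size = batch_size                             # page states 10,000 per batch
        self.now = now                                           # injectable clock for testing
        self.cache: Dict[tuple, float] = {}                      # (name, value) -> first-seen time
        self.pending: List[dict] = []

    def observe(self, event: dict) -> List[dict]:
        """Apply the three conditions: type enabled, non-null field, not already cached."""
        self._expire()
        new = []
        for field in self.fields:                                # 1. tracking enabled for type
            value = event.get(field)
            if value is None or value == "":                     # 2. field carries a value
                continue
            key = (field, str(value))
            if key in self.cache:                                # 3. deduplicate within TTL
                continue
            self.cache[key] = self.now()
            record = {"_category": "entity-tracking", "_entity_name": field,
                      "_entity_value": str(value), "_score": 0}
            self.pending.append(record)
            new.append(record)
        return new

    def _expire(self) -> None:
        # Drop cache entries older than the TTL so a returning entity is exported again.
        cutoff = self.now() - self.ttl
        for key in [k for k, t in self.cache.items() if t < cutoff]:
            del self.cache[key]

    def export(self) -> List[str]:
        """Flush at most one batch of pending entities as newline-delimited JSON."""
        batch, self.pending = self.pending[:self.batch_size], self.pending[self.batch_size:]
        return [json.dumps(r, separators=(",", ":")) for r in batch]
```

Advancing the clock past the TTL shows why a long TTL trades memory for fewer repeated exports: the entity is re-emitted only once its cache entry has expired.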

Resource Usage

Monitoring and Analytics Integration

Entity Stream Processing

Tracked entities are output to the console sink in JSON format, making them available for SIEM integration and analytics pipelines.

SIEM Integration

# Example entity stream for SIEM ingestion
{"_category":"entity-tracking","_entity_name":"host_name","_entity_value":"web01.company.com","_score":0}
{"_category":"entity-tracking","_entity_name":"ip_src_address","_entity_value":"10.0.1.50","_score":0} 
{"_category":"entity-tracking","_entity_name":"app_name","_entity_value":"apache","_score":0}
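A consumer for this stream, added here as an example and not part of the collector or Secure60's tooling: it parses console-sink lines, skips anything that is not a well-formed entity record (the sink carries other output too), and flags entities missing from a baseline inventory, which is the new-host and new-IP signal the use cases above describe. The sample stream and baseline inventory are constructed.

```python
import json
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample stream: the three records shown above plus two lines a
# consumer must tolerate, since the console sink carries other output too.
SAMPLE_STREAM = """\
{"_category":"entity-tracking","_entity_name":"host_name","_entity_value":"web01.company.com","_score":0}
{"_category":"entity-tracking","_entity_name":"ip_src_address","_entity_value":"10.0.1.50","_score":0}
2024-01-01T00:00:00Z INFO collector started (constructed plain-text line)
{"_category":"entity-tracking","_entity_name":"app_name","_entity_value":"apache","_score":0}
{"_category":"metrics","value":42}
"""

REQUIRED = ("_category", "_entity_name", "_entity_value", "_score")

def parse_entities(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (entity_name, entity_value) pairs for well-formed entity-tracking records only."""
    out: List[Tuple[str, str]] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue                                   # plain log text: skip, never crash
        if not isinstance(rec, dict) or any(k not in rec for k in REQUIRED):
            continue                                   # other JSON without the entity fields
        if rec["_category"] != "entity-tracking":
            continue
        out.append((rec["_entity_name"], str(rec["_entity_value"])))
    return out

def first_seen(entities: Iterable[Tuple[str, str]],
               baseline: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Entities absent from the known inventory, grouped by type: the new-host / new-IP signal."""
    new: Dict[str, List[str]] = {}
    for name, value in entities:
        if value not in baseline.get(name, set()):
            new.setdefault(name, []).append(value)
    return new

# Constructed baseline inventory; in practice this comes from your CMDB or asset list.
BASELINE = {"host_name": {"web01.company.com"}, "ip_src_address": set(), "app_name": {"nginx"}}

def demo() -> Dict[str, List[str]]:
    return first_seen(parse_entities(SAMPLE_STREAM.splitlines()), BASELINE)
```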

Analytics Pipelines

Best Practices

Performance Considerations

High-Volume Environments

  1. Monitor Memory Usage: Track collector memory consumption
  2. Adjust TTL: Raise TTL for high-churn environments
  3. Export Frequency: Decrease export frequency to reduce entity volume
  4. Selective Tracking: Enable only necessary entity types

Troubleshooting

Common Issues

No Entities Being Tracked

Symptoms: No entity output in logs
Possible Causes:

  1. Entity tracking not enabled for any types
  2. Target fields not present in incoming data
  3. Export interval set too high

High Memory Usage

Symptoms: Collector memory consumption increasing
Possible Causes:

  1. TTL too long for entity churn rate
  2. Very high number of unique entities

For assistance with entity tracking configuration and optimization, contact our integrations team at integrations@secure60.io
