Add or Edit Entity Properties
You can add or edit entity enrichment properties from various screens as part of your case investigation. Adding and editing entity properties lets you work more efficiently during a case investigation. You can add up to 100 entity properties to a single entity.
You can allow users to add or edit entity properties by selecting this permission in the relevant module in the Settings. For more information, see Working with Permission Groups.
You can add/edit an entity enrichment in the following screens:
- Investigation Screen: drill down to the required case and then click on the Explore button. You will be taken to the Investigation screen.
- Entity Explorer Screen: drill down to the required case and click on the required entity in the Entity Highlights widget. You will be taken to the Entity Explorer screen.
- Cases Screen: drill down to the required case and select the required entity in the Entities Highlights widget and click on View more. A side drawer will open with the entity properties.
- Cases Screen: drill down to the required case and select the Entities Graph widget and click the entity icon. A side drawer will open with the entity properties.
Edit Entity Property
Let’s say you have a case where there is a potential malware threat. The file attached to the case was marked as suspicious with low confidence. After running a TI enrichment block and comparing it to previous cases with similar results, you are sure this file is malicious. You want to update the confidence level of the suspicious hash from Low to High.
Let’s edit the hash’s confidence_level property directly from the Investigation screen.
To edit an entity property:
- In the Cases screen, let's drill down to the Virus Risk or Security Risk Found Case and then click on the Explore button in the top right corner. The Investigation screen opens.
- Click on the File Hash entity icon in the Investigation screen.
- Hover to the right of the confidence_level value in the Entity Property side drawer. Three dots appear.
- Click on the three dots and then click on the View or edit property button from the popup menu.
- Edit the Entity Property Value in the dialog box. Let’s change the value of confidence_level from Low to High to highlight the potential risk of the hash entity. You have the option to select the type of format used to display the data in the side drawer.
The Display Format changes the format of the data in the dialog box. The Display Format does not affect the actual data.
- Then click Save. The entity key and value for confidence are updated in the data and reflected in the Entity Property side drawer.
Add Entity Property
As part of the investigation, you may want to include other entity keys to enrich your case investigation. You’ve decided that you want to identify what kind of malware is being used to better understand the threat. Let’s take a look at the way you create a new entity property called Malware_family.
To add an entity property:
- In the Cases screen, let's drill down to the Virus Risk or Security Risk Found Case and then click on the Explore button in the top right corner. The Investigation screen opens.
- Click on the plus icon located at the top of the Entity Property side drawer in the Investigation screen.
- Enter Malware_family for Key and Trojan.Generic for its Value.
- Then click Save. The new entity property key Malware_family and its value Trojan.Generic provide you with another layer of understanding during your case investigation.