Google Security Operations ontology uses a formal specification that provides a
shareable and reusable knowledgeable representation of alerts and events. The ontology lets Google SecOps build
entities from events and define relationships between them. This process lets you
see the full picture and explore potential threats on theExplore Casespage. Once entities have been defined using the ontology, you can run
actions on them based on their role in the attack or event.
Ontology status
Go toSettings>Ontology {and_then} Ontology Statusto see the following information:
Number of product types: The number of products that Google SecOps captures from your environment. This number is in flux as more products are added to your environments.
Number of event types: The number of events that Google SecOps captures.
Number of events assigned to default families: The number of events that Google SecOps has automatically assigned. You can reassign an event (at any time) by locating the default value in theFamily Namecolumn and clicksettingsConfigure.
You can export selected ontology status rows as a ZIP file containing a JSON file. You can also import ontology status rows. Be sure to import a ZIP file that contains a JSON with the ontology details.
Set up model families
After you've established an initial data connection, you'll need to
complete the following procedures to ensure that the data is ingested into the
Google SecOps data model. You'll also need to map and model new events
and alerts according to your requirements and as your connectors pick up new
events.
To set up a model family, follow these high-level steps:
Define the family: clickSettings>Ontology>Visual Families.
Assign the family to the Event (or Product/Source) from either
theEvents tabor theOntology Statuspage, clickEvent Configuration>Visualization.
Map data fields
To map data fields, follow these high-level steps:
In theCaseManagementorExplorescreen, identify missing or incorrect field
information.
Check if this can be solved by attaching a new Visual Family; otherwise, edit and
configure the rules that make up both the Family and the general System fields
in theEvent Configuration>Mapping page.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eGoogle Security Operations ontology provides a framework for representing and sharing knowledge about alerts and events, allowing for the creation of entities and relationships.\u003c/p\u003e\n"],["\u003cp\u003eThe ontology allows users to see a comprehensive view of potential threats and run actions on them based on their role in the attack or event via the Explore Cases screen.\u003c/p\u003e\n"],["\u003cp\u003eSetting up model families is a two-step process involving defining a family in Settings > Ontology > Visual Families and then assigning it to the Event in the Event Configuration screen.\u003c/p\u003e\n"],["\u003cp\u003eMapping data fields involves identifying missing or incorrect field information, attempting to attach a new Visual Family, and, if needed, editing the rules that make up the Family and System fields in the Event Configuration > Mapping screen.\u003c/p\u003e\n"]]],[],null,["Ontology overview \nSupported in: \nGoogle secops [SOAR](/chronicle/docs/secops/google-secops-soar-toc) \n\nGoogle Security Operations ontology uses a formal specification that provides a\nshareable and reusable knowledgeable representation of alerts and events. The ontology lets Google SecOps build\nentities from events and define relationships between them. This process lets you\nsee the full picture and explore potential threats on the\n[Explore Cases](/chronicle/docs/soar/investigate/working-with-cases/explore-entities-and-alerts-investigation) page. Once entities have been defined using the ontology, you can run\nactions on them based on their role in the attack or event.\n| **Note:** Most integrations include a pre-configured ontology that provides a ready-made structure you can adapt or extend to meet your needs, instead of creating the entire structure manually.\n\nOntology status Go to **Settings \\\u003e Ontology {and_then} Ontology Status** to see the following information:\n\n- **Number of product types**: The number of products that Google SecOps captures from your environment. This number is in flux as more products are added to your environments.\n- **Number of event types**: The number of events that Google SecOps captures.\n- **Number of events assigned to default families** : The number of events that Google SecOps has automatically assigned. You can reassign an event (at any time) by locating the default value in the **Family Name** column and click settings **Configure** .\n\nYou can export selected ontology status rows as a ZIP file containing a JSON file. You can also import ontology status rows. Be sure to import a ZIP file that contains a JSON with the ontology details.\n\nSet up model families\n\nAfter you've established an initial data connection, you'll need to\ncomplete the following procedures to ensure that the data is ingested into the\nGoogle SecOps data model. You'll also need to map and model new events\nand alerts according to your requirements and as your connectors pick up new\nevents.\n\nTo set up a model family, follow these high-level steps:\n\n1. Define the family: click **Settings \\\u003e Ontology \\\u003e Visual Families**.\n2. Assign the family to the Event (or Product/Source) from either the [Events tab](/chronicle/docs/soar/admin-tasks/ontology/deciding-what-events-to-configure) or the [Ontology Status](/chronicle/docs/soar/admin-tasks/ontology/viewing-model-family-and-field-mapping) page, click **Event Configuration \\\u003e Visualization**.\n\nMap data fields\n\nTo map data fields, follow these high-level steps:\n\n1. In the **CaseManagement** or **Explore** screen, identify missing or incorrect field information.\n2. Check if this can be solved by attaching a new Visual Family; otherwise, edit and configure the rules that make up both the Family and the general System fields in the [Event Configuration \\\u003e Mapping page.](/chronicle/docs/soar/admin-tasks/ontology/configure-mapping-and-assign-visual-families)\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
