Entity delimiterslet you decide for each entity type and data source how
you want to map the incoming entity. You can disable
delimiters for incoming entities, map a specific delimiter (up to 64
characters) or use a regular expression instead.
For example, if you have several files separated by commas in a single entity, you can set the delimiter to a comma so the system treats each file as a separate entity.
You can use entity delimiters in two places:
In theEvent Configuration>Mappingpage.
In thePlaybook action>Siemplify>Create Entitypage.
Event configuration & mapping screen
You can configure mapping at the field level. Click theRaw Event Propertiesicon to see the raw data from the
event in the particular alert. The page displays a list of the entity
fields and the system fields with an edit option to
map the raw data to your preferred format in the platform.
The following fields are available in theMap Fieldsdialog for each
entity or system field:
Field
Description
Extracted Field
Main field name in the raw event field to take information from.
Alternative Field 1
Fallback field in the raw event field to take information from if the
primary field can't be located.
Alternative Field 2
Fallback field in the raw event field to take information from if both
primary and secondary can't be located.
Extraction function
Extracts or manipulates data from the raw event field. The three options are:
None: The raw data is presented as is.
Delimiter: A delimiter (up to 64 characters) is used to divide the data into separate entities. The default is a comma (,).
Regex: A regular expression is used to divide data into separate entities.
Transformation function
This function lets you transform information from the data
source to be compatible with the database. Available functions
are:
TO_STRING
FROM_UNIXTIME_STRING_OR_LONG
FROM_CUSTOM_DATETIME
EXTRACT_BY_REGEX
TO_IP_ADDRESS
Once you have chosen the function, add the
appropriate parameter. For example: select the
function FROM_CUSTOM_DATETIMEand reformat the date and time to%Y-%m-%DT%H:%M:%S.
Use delimiters in playbooks
You can also use delimiters in theCreate Entityaction. For
example, in theEntities Identifiersfield, you can enter a list of IP
addresses separated by semicolons. In theDelimiterfield, add a
semicolon.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eEntity Delimiters in Google SecOps SOAR allow users to define how incoming data is mapped for each entity type and data source, providing options to disable delimiters, use specific delimiters (up to 64 characters), or utilize regex.\u003c/p\u003e\n"],["\u003cp\u003eDelimiters can be configured in two primary locations: the Event Configuration > Mapping screen for field-level mapping, and within the Playbook action > Siemplify Create Entity for manipulating entity identifiers.\u003c/p\u003e\n"],["\u003cp\u003eThe Mapping screen offers fields such as Extracted Field, Alternative Field 1 & 2, Extraction Function (None, Delimiter, Regex), and Transformation Function to customize data extraction and transformation from raw events.\u003c/p\u003e\n"],["\u003cp\u003eThe Extraction Function in the Mapping screen lets users divide data into separate entities using a specified delimiter or regex, with the default delimiter being a comma.\u003c/p\u003e\n"],["\u003cp\u003eThe Transformation Function allows for the alteration of data formats to be compatible with the Siemplify database after extraction, with functions like TO_STRING, FROM_UNIXTIME_STRING_OR_LONG, FROM_CUSTOM_DATETIME, EXTRACT_BY_REGEX, and TO_IP_ADDRESS available.\u003c/p\u003e\n"]]],[],null,["Work with entity delimiters \nSupported in: \nGoogle secops [SOAR](/chronicle/docs/secops/google-secops-soar-toc) \n*Entity delimiters* let you decide for each entity type and data source how\nyou want to map the incoming entity. You can disable\ndelimiters for incoming entities, map a specific delimiter (up to 64\ncharacters) or use a regular expression instead.\n\nFor example, if you have several files separated by commas in a single entity, you can set the delimiter to a comma so the system treats each file as a separate entity.\n\nYou can use entity delimiters in two places:\n\n- In the **Event Configuration \\\u003e Mapping** page.\n- In the **Playbook action \\\u003e Siemplify \\\u003e Create Entity** page.\n\nEvent configuration \\& mapping screen\n\nYou can configure mapping at the field level. Click the **Raw Event Properties** icon to see the raw data from the\nevent in the particular alert. The page displays a list of the entity\nfields and the system fields with an edit option to\nmap the raw data to your preferred format in the platform.\n\n\nThe following fields are available in the **Map Fields** dialog for each\nentity or system field:\n\n| **Field** | **Description** |\n|-------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| Extracted Field | Main field name in the raw event field to take information from. | **Note:** Use `Contains` or `Starts with` to divide the data into separate fields. This can be useful if you have multiple fields like `url_1`, `url_2` to create multiple entries. Entities can only equal `is` as each one is unique. |\n| Alternative Field 1 | Fallback field in the raw event field to take information from if the primary field can't be located. |\n| Alternative Field 2 | Fallback field in the raw event field to take information from if both primary and secondary can't be located. |\n| Extraction function | Extracts or manipulates data from the raw event field. The three options are: - `None`: The raw data is presented as is. - `Delimiter`: A delimiter (up to 64 characters) is used to divide the data into separate entities. The default is a comma (,). - `Regex`: A regular expression is used to divide data into separate entities. |\n| Transformation function | This function lets you transform information from the data source to be compatible with the database. Available functions are: - `TO_STRING` - `FROM_UNIXTIME_STRING_OR_LONG` - `FROM_CUSTOM_DATETIME` - `EXTRACT_BY_REGEX` - `TO_IP_ADDRESS` Once you have chosen the function, add the appropriate parameter. For example: select the function `FROM_CUSTOM_DATETIME` and reformat the date and time to `%Y-%m-%DT%H:%M:%S`. | **Note:** The transformation function applies after the extraction function. If multiple entities are created by the extraction function, the transformation is applied to each one separately. |\n\nUse delimiters in playbooks\n\n\nYou can also use delimiters in the **Create Entity** action. For\nexample, in the **Entities Identifiers** field, you can enter a list of IP\naddresses separated by semicolons. In the **Delimiter** field, add a\nsemicolon.\n| **Note:** The action will appear with a comma by default.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
