About actions for entity rules

Entity rules parameters may require specific input to produce the expected results. This section describes how rule parameters work and the allowed input they take for selected actions.

About Set alias

The Set alias rule uses named capturing groups and backreferences to automatically assign entities title aliases based on specified data pattern regexes, variable names, and formatting templates for the title aliases.
Aliases help identify entities that are known by different names, depending on the data provider referencing them.

First, define the named groups in the entity title.
You insert named groups in the title alias by referencing them with the variables that represent them:

  • The (?P<name>regex) expressions in Title parsing pattern define data patterns for matching text strings in the title.

  • You can reference matches in the alias using the corresponding variable names between chevron brackets (< >).

  • The name variable accepts alphanumeric characters. It must start with a letter.

  • The regex must comply with Python syntax.

Then, define a format template for the title alias.
You insert named groups in template by referencing them with the variables that represent them:

  • The Alias formatting template field accepts a string to set a formatting template for the title alias, where you include the previously defined named group variables as needed.

  • The template variable names must exactly match the corresponding named group variables they reference.

  • The formatting string must comply with Python syntax.

Example

Let's assume we want to set an alias for the following entity title:
VxVault reporting on Malware Malware.Win32.Sample with name sample found at URL http://malicious.com/double-click-me.exe (104.31.72.46)

  1. First, let's isolate the named groups in the title that we want to reuse in the title alias by setting Title parsing pattern to:
    VxVault reporting on Malware (?P<malware>[^\s]+) with name sample found at URL (?P<url>[^\s]+) \ ((?P<ip>[\d\.]+)\)

  2. Then, let's define a format template for the title alias that includes the named groups by referencing the corresponding variables by setting Alias formatting template to
    malware={malware}, url={url}, ip={ip}

When the rule runs, it produces the resulting title alias:
malware=Malware.Win32.Sample, url=http://malicious.com/double-click-me.exe, ip=104.31.72.46