Classification and Mapping - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Classify and map an integration so you can see the results in alert fields when investigation an alert.

The classification and mapping feature enables you to take the events and event information that Cortex XSIAM ingests from integrations, and classify the event as a type of Cortex XSIAM alert.

For example, you may configure EWS to ingest both Phishing and Malware alerts so you can classify their respective alert types based on some information in the event. By classifying the events as different alert types, you can process them with different playbooks suited to their respective requirements.


Classification determines the type of alert that is created for events ingested from a specific integration. You create a classifier and define that classifier in an integration.


You can map the fields from your third party integration to the fields in your alert layouts.

You can do the following:

  • Map your fields to alert types irrespective of the integration or classifier. This means that you can create a mapping before defining an instance and ingesting incidents. By doing so, when you do define an instance and apply a mapper, the alerts that come in are already mapped.

  • Create a default mapping for all of the fields that are common to all alert types, and then map only those fields that are specific to each alert type individually. You can still overwrite the contents of a field in the specific alert type.

  • Use auto-map to automatically map fields based on their naming convention. For example, severity would be mapped to importance.