Classify events using a classification key in an integration ingestion.
When an integration fetches alerts, it populates the rawJSON object in the alert object. The rawJSON object contains all of the attributes for the event. For example, source, when the event was created, the priority that was designated by the integration, etc. When classifying the event, you want to select an attribute that can determine the event type.
You can use this procedure for creating a classifier or duplicating an existing classifier.
Go to → → → → .
Click New and select Alert Classifier.
If you want to duplicate the classifier, select the relevant classifier and then duplicate it.
Under Get data, select from where you want to pull the information based on which you will classify the incident types.
Pull from instance - select an existing integration instance.
Select schema - when supported by the integration, this will pull all the fields for the integration from the database from which you can select by which to classify the events.
Upload JSON - upload a formatted JSON file which includes the field by which you want to classify.
In the Select Instance field, select the instance from where you want to choose the value.
In the Data fetched from select the value by which you want to classify the events.
Drag values from the Unmapped Values column to the relevant alert type on the right.
You can optionally choose a default alert type for unclassified incidents from Direct unclassified events to: Select.
Click Save.
Go to → .
Select the integration to which you want to apply the classifier.
In the integration settings, under Classifier, select the classifier you created and click Save.