Indicators Classification and Mapping - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Learn about the classification and mapping feature.

The classification and mapping feature enables you to take the data that Cortex XSIAM ingests from integrations, and classify and map the data to indicator types and indicator fields. By classifying the data as different indicator types, you can process them with different playbooks suited to their respective requirements.

Classification determines the type of indicator that is created for data ingested from a specific integration. You create a classifier and define that classifier in an integration.

You can map the fields from your third party integration to the fields in your indicator layouts. You can do the following:

  • Map your fields to indicator types irrespective of the integration or classifier. This means that you can create a mapping before defining an instance and ingesting indicators. By doing so, when you do define an instance and apply a mapper, the data that comes in is already mapped.

  • Create default mapping for all of the fields that are common to all indicator types, and then map only those fields that are specific to each alert type individually. You can still overwrite the contents of a field in the specific indicator type.