Map Attributes to Indicator Types - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide
Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-25
Category
Administrator Guide
Abstract

Create independent mappers that map attributes from incoming data to indicator types.

Mappers enable you to map the information from incoming data to the indicator that you have in your system.

Mapping data takes place in two stages. Firstly, map all of the fields that are common to all indicators in the default mapping. Secondly map the additional fields that are specific for each indicator type, or overwrite the mapping that you used in the default mapping.

Note

In the Classification & Mapping page, the mapping does not indicate for which indicator types they are configured. When creating a mapper, it is best practice to add to the mapper name, the alert types the mapper is for. For example, Mail Listener - Phishing.

When mapping a list, we recommend you map to a multi select field. Short text fields do not support lists. If you do need to map a list to a short text field, add a transformer in the relevant playbook task, to split the data back into a list.

You can use this procedure for creating a classifier or duplicating an existing mapper for alert types.

  1. Select SettingsConfigurationsIndicatorClassification & MappingNew.

  2. Indicator Mapping (Incoming) - maps all of the indicator fields to their indicator layout.

  3. Under Get data, select from where you want to pull the information based on where you want to map the indicator type.

    • Pull from instance - select an existing integration instance.

      Select schema - when supported by the integration, this will pull all of the fields for the integration from the database. This enables you to see all of the fields for each given event type that the integration supports.

    • Upload JSON - upload a formatted JSON file which includes the field you want to map.

  4. Under Indicator Type, start by mapping out the Common Mapping. This mapping includes the fields that are common to all of the indicator types and saves you time having to define these fields individually in each indicator type.

  5. Click the attribute to which you want to map. You can further manipulate the field using filters and transformers.

  6. Repeat this process for the other indicator types for which this mapping is relevant.

  7. Save the mapper.

  8. Go to SettingsAutomation & Feed Integrations.

    1. Select the integration to which you want to apply the classifier.

    2. In the integration settings, under Mapper select the mapper you created and click Save.