Map Fields to Alert Types

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-02-26
Last date published: 2024-04-16
Category: Administrator Guide
Abstract

You can create independent mappers for integrations.

Mappers enable you to map information from incoming events to the alert fields that you have in your system. You can map to system alert fields or custom alert fields.

Mapping event attributes to alert fields takes place in two stages. First, you map all of the fields that are common to all alerts in the default mapping. Second, you map the additional fields that are specific to each alert type, or overwrite the mapping that you used in the default mapping.

Note

On the Classification & Mapping page, a mapper does not indicate which alert types it is configured for. Therefore, when you create a mapper, it is best practice to include the alert types the mapper is for in the mapper name, for example, Mail Listener - Phishing.

Note

When mapping a list, we recommend that you map to a multi-select field. Short text fields do not support lists. If you do need to map a list to a short text field, add a transformer in the relevant playbook task to split the data back into a list.

You can also use this procedure to create a classifier or to duplicate an existing mapper for alert types.

  1. Go to Settings → Configurations → Object Setup → Alerts → Classification & Mapping.

  2. Click New and select Alert Mapper (incoming). The Alert Mapper maps all of the fields you are pulling from the integrations to the alert fields in your layouts.

  3. Under Get data, select the source from which to pull the event data that you want to map to alert types.

    • Pull from instance - select an existing integration instance.

    • Select schema - when supported by the integration, this pulls all of the fields for the integration from the database. This enables you to see all of the fields for each given event type that the integration supports.

    • Upload JSON - upload a formatted JSON file that includes the fields you want to map.

  4. Under Alert Type, start by mapping out the Common Mapping. This mapping includes the fields that are common to all of the alert types and saves you from having to define these fields individually in each alert type.

  5. Click the event attribute to which you want to map. You can further manipulate the field using filters and transformers.

    You can click Auto Map to automatically map fields with common or similar names to fields in Cortex XSIAM. For example, Severity to Importance or Description to Description.

  6. Repeat this process for the other alert types for which this mapping is relevant.

  7. Click Save.

  8. Go to Settings → Configurations → Data Collection → Automation & Feed Integrations.

    1. Select the integration instance to which you want to apply the mapper.

    2. In the integration settings, under Mapper (incoming), select the mapper you created and click Save.
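As an added illustration, not Cortex XSIAM code or a product API: a small Python model of the two-stage mapping order described above (common mapping first, then the per-alert-type mapping overwriting it) and of the list-to-short-text round trip from the note on multi-select fields. The sample event, the alert field names, the mapping tables and the comma separator are constructed assumptions.

```python
import json

# Constructed sample event, as an integration instance might deliver it
# (or as an "Upload JSON" file). Attribute names are assumptions.
SAMPLE_EVENT = json.loads("""{
  "type": "phishing",
  "subject": "Invoice overdue",
  "severity": "high",
  "importance": 2,
  "sender": "billing@example.com",
  "attachments": ["invoice.pdf", "details.zip"]
}""")

# Stage 1: Common Mapping, applied to every alert type.
# Keys are alert fields, values are event attributes (assumed names).
COMMON_MAPPING = {"name": "subject", "severity": "severity"}

# Stage 2: per-alert-type mapping. Entries add fields or overwrite
# the common mapping for that type only.
TYPE_MAPPINGS = {
    "phishing": {
        "severity": "importance",          # overwrites the common mapping
        "emailfrom": "sender",
        "attachmentnames": "attachments",  # multi-select field: keeps the list
    },
}


def map_event(event, type_attr="type"):
    """Return alert fields: common mapping first, type-specific mapping on top."""
    alert = {f: event[a] for f, a in COMMON_MAPPING.items() if a in event}
    type_map = TYPE_MAPPINGS.get(event.get(type_attr), {})
    alert.update({f: event[a] for f, a in type_map.items() if a in event})
    return alert


def list_to_short_text(values, sep=","):
    """What a short text field ends up holding if a list is mapped to it
    (assumed here to be stored as a joined string; short text has no list type)."""
    return sep.join(str(v) for v in values)


def split_back(text, sep=","):
    """The transformer step in the playbook task: restore the list."""
    return [part.strip() for part in text.split(sep) if part.strip()]
```

An event whose type has no entry in TYPE_MAPPINGS receives only the common mapping, which is the fallback behaviour step 4 relies on.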