Classify Events Using a Classification Key - Administrator Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.9
Creation date: 2022-09-29
Last date published: 2024-03-28
End of Life: EoL
Category: Administrator Guide
Abstract

Classify events using a classification key in an integration ingestion. Create an incident classifier in Cortex XSOAR.

When an integration fetches incidents, it populates the rawJSON object in the incident object. The rawJSON object contains all of the attributes for the event. For example, source, when the event was created, the priority that was designated by the integration, and more. When classifying the event, you want to select an attribute that can determine what the event type is.

Note

You can also configure classifiers for indicators, by going to Settings > OBJECTS SETUP > Indicators > Classification & Mapping.

  1. Go to Settings > OBJECTS SETUP > Incidents > Classification & Mapping.

  2. Click New and select Incident Classifier.

  3. Under Get data, select the source of the data on which the incident type classification will be based.

    • Pull from instance - select an existing integration instance.

    • Select schema - when the integration supports it, this pulls all of the integration's fields from the database, and you select the field by which to classify the events.

    • Upload JSON - upload a formatted JSON file which includes the field by which you want to classify.

  4. Under Select Instance, select the instance from where you want to choose the value.

  5. Under Fetched data, select the attribute (the classification key) by which you want to classify the events.

  6. Drag values from the Unmapped Values column to the relevant incident type on the right.

    You can optionally choose a default incident type for unclassified incidents from Direct unclassified events to: Select.


    If you do not choose a default incident type, the classifier will use the "default" incident type for unclassified incidents. The default incident type can be configured on the Incident Types page, and is set to "Unclassified" by default.

  7. Click Save.

  8. Go to Settings > INTEGRATIONS > Instances.

    1. Select the integration to which you want to apply the classifier.

    2. In the integration settings, under Classifier, select the classifier you created and click Done.
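To make the classification logic concrete, here is an added Python model (not Cortex XSOAR code) of what the classifier configured above does with the rawJSON of fetched incidents: it reads the chosen classification key, maps each value to the incident type it was dragged onto in step 6, and sends anything unmapped or missing to the default type. The sample events, the key `alert.category` and the incident type names are constructed for illustration.

```python
"""Model of a Cortex XSOAR incident classifier (illustration only, not product code)."""
import json
from typing import Any, Dict, List, Optional

# Constructed events in the shape an integration's fetch-incidents returns:
# each carries a rawJSON string holding the event's original attributes.
FETCHED_INCIDENTS: List[Dict[str, Any]] = [
    {"name": "ev-1", "rawJSON": json.dumps({"source": "edr", "alert": {"category": "malware", "priority": 3}})},
    {"name": "ev-2", "rawJSON": json.dumps({"source": "mail", "alert": {"category": "phishing", "priority": 2}})},
    {"name": "ev-3", "rawJSON": json.dumps({"source": "fw", "alert": {"category": "scan", "priority": 1}})},
    {"name": "ev-4", "rawJSON": json.dumps({"source": "fw"})},  # classification key absent
]

# The values dragged from "Unmapped Values" onto incident types (step 6), as a mapping.
VALUE_TO_TYPE: Dict[str, str] = {"malware": "Malware", "phishing": "Phishing"}
DEFAULT_TYPE = "Unclassified"  # the "default" incident type when none is chosen


def get_by_path(obj: Any, path: str) -> Optional[Any]:
    """Walk a dotted path such as 'alert.category' through nested dicts; None if absent."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def classify(incident: Dict[str, Any], key: str, mapping: Dict[str, str],
             default: str = DEFAULT_TYPE) -> str:
    """Return the incident type for one fetched incident."""
    raw = json.loads(incident.get("rawJSON", "{}"))
    value = get_by_path(raw, key)
    if value is None:
        return default  # key missing from rawJSON: treated as unclassified
    # Values not mapped to any type also fall through to the default type.
    return mapping.get(str(value), default)


def classify_all(incidents: List[Dict[str, Any]], key: str, mapping: Dict[str, str],
                 default: str = DEFAULT_TYPE) -> Dict[str, str]:
    """Classify every fetched incident, keyed by its name."""
    return {inc["name"]: classify(inc, key, mapping, default) for inc in incidents}


if __name__ == "__main__":
    for name, itype in classify_all(FETCHED_INCIDENTS, "alert.category", VALUE_TO_TYPE).items():
        print(f"{name}: {itype}")
```

Passing a different `default` models the "Direct unclassified events to" choice in step 6.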