Classify and Map EWS Fields - Tutorials - 6.x - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR 6.x Tutorials

Product: Cortex XSOAR
Version: 6.x
Creation date: 2022-10-13
Last date published: 2023-06-05
Category: Tutorials

Classification determines which incident type is created for events ingested from a specific integration (here, EWS O365). Mapping matches the fields from your third-party integration to the fields of the phishing incident (which are often displayed in the layout as well).

EWS comes out of the box with the following:

  • EWS - Classifier

  • EWS - Incoming Mapper

Because we are ingesting incidents from a phishing mailbox, we do not need to change the classifier: everything ingested into Cortex XSOAR from the EWS mailbox is classified as phishing. If you fetch incidents from other third-party integrations, such as QRadar, you may need to update the classifier.

Map Incident fields

Although incidents are ingested into Cortex XSOAR as phishing, we need to ensure the correct attributes are mapped to the phishing incident fields in the layout.

Most of the mapping is done out of the box. Nevertheless, it's important to review the data, check that it's mapped correctly and add fields where necessary.

  1. Select Settings > OBJECTS SETUP > Incidents > Classification & Mapping, and select the EWS - Incoming Mapper checkbox.

  2. Click Duplicate.

  3. Click EWS - Incoming Mapper_copy.

  4. In the Incident Type dropdown, change from the default Common Mapping to Phishing.

  5. In the Select Instance field, select your EWS configured instance.

    On the left side of the screen you see all of the fields that are available for the phishing incident type. We can see that some fields are already mapped, such as Attachment Count, Attachment ID, Email Body, Email CC, etc.

  6. Add one of the custom fields we created.

    1. For the Sensitivity field, click Choose data path.

    2. In the root section (right-hand side of the window), click sensitivity.

    3. Repeat these steps if you have any unmapped custom fields.

    4. Save the changes to the mapper.

  7. Click Auto Map to automatically map the remaining fields based on naming convention. In this example, SHA256 maps to attachmentsSHA256.

  8. By default, the instance is set to use the EWS - Incoming Mapper and now needs to be changed to the duplicate mapper we have created and edited. Go to SettingsINTEGRATIONSInstances and click the gear icon to edit the settings for the EWS O365 instance. Change the mapper to EWS - Incoming Mapper_copy, Save & exit.