Create an incident classifier - Administrator Guide - 8.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR On-prem Documentation

Product
Cortex XSOAR
Version
8.5
Creation date
2024-03-10
Last date published
2024-10-31
Category
Administrator Guide
Solution
On-prem
Abstract

Classify events using a classification key in an integration ingestion. Create incident classifier in Cortex XSOAR

When an integration fetches incidents, it populates the raw JSON object in the incident object. The raw JSON object contains all of the attributes for the event, such as the source of the event and when the event was created. When classifying the event, select an attribute that can determine the event type.

When creating a classifier, you can pull data from the following:

  • An existing integration instance

    Note

    Ensure that your instance is configured and enabled but you don't need to fetch incidents.

  • Schema

    When supported by the integration, this pulls all of the integration fields from the database. You select from these fields to classify the events.

  • Upload a JSON file

    Upload a formatted JSON file which includes the field you want to classify. If the instance has nothing to fetch or has insufficient data, you can upload a JSON file containing raw data.

  1. Go to Settings & InfoSettingsObject SetupIncidentsClassification & Mapping.

  2. Do one of the following:

    1. To create a new classifier, select NewIncident Classifier.

    2. To edit an existing classifier open the classifier.

      If the classifier is installed from a content pack, you need to duplicate and then open it.

  3. Enter a name for the classifier so it can be easily identified.

  4. Under Get data, select from where you want to pull the event data. You will classify the incident types based on this information.

    • Pull from instance

    • Select schema

    • Upload JSON

  5. Under Select Instance, select the integration instance from where you want to pull data.

    In the Data fetched from [name of integration instance) section, you will see the raw alert data pulled in from the integration instance. In this example, after configuring the Sample Incident Generator instance, we have pulled in the following data:

    classifier-data-fetched.png
  6. To route the alert information to an incident type, select the classification key,

    1. In the Data fetched section, click the key you want to map. For example, type.

      Tip

      Select a key that is common to across all the samples. If a key is selected that will change across all alerts such as SourceIP there could be many values.

      In the Unmapped Values section, the selected key returns any unmapped classifier values. For example, type returns Malware, Unclassified, and Phishing.

      classifier-unmapped.png
    2. Drag and drop the unmapped classifier values onto the Incident Types section.

      For example, you can see the Malware and Phishing values have been mapped to the relevant incident type.

      classifier-mapped.png
    3. In the Direct Unclassified events to field, select the incident type for unclassified events.

      If you don't choose a default incident type, the classifier uses the default incident type, which is set to the Unclassified incident type. To view the default incident type, go to the Incidents page and add the Default column. You can set a different default incident type as required.

    4. (Optional) If there are events that haven't been pulled from the samples you can manually add them to the Incident Types section, by clicking the edit button in the Incident Type field. For example, if you know that the source has a file blocked incident type, click the edit button on the relevant field and type file blocked.

  7. Save the classifier.

  8. (Optional) Create a mapper, if required.

  9. Go to Settings & InfoSettingsIntegrationsInstances.

    1. Select the integration from which you want to apply the classifier.

    2. In the integration settings, under Classifier, select the classifier you created and click Done.

      For some instance integrations, you need to click Fetches incidents to add a classifier and mapper.