Classify Events Using a Classification Key - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Cortex XSOAR
Creation date
Last date published
Administrator Guide

Classify events using a classification key in an integration ingestion. Create incident classifier in Cortex XSOAR

When an integration fetches incidents, it populates the rawJSON object in the incident object. The rawJSON object contains all of the attributes for the event. For example, source, when the event was created, the priority that was designated by the integration, and more. When classifying the event, you want to select an attribute that can determine what the event type is.


You can also configure classifiers for indicators, by going to Settings & InfoSettingsObject SetupIndicatorsClassification & Mapping .

  1. Go to Settings & InfoSettingsObject SetupIncidentsClassification & Mapping.

  2. Do one of the following:

    1. To create a new classifier, select NewIncident Classifier.

    2. To edit an existing classifier open the classifier.

      If the classifier is installed from a content pack, you need to duplicate and then open it.

  3. Under Get data, select from where you want to pull the event data. You will classify the incident types based on this information.

    • Pull from instance - select an existing integration instance.

    • Select schema - when supported by the integration, this will pull all of the integration fields from the database. You select from these fields to classify the events.

    • Upload JSON - upload a formatted JSON file which includes the field you want to classify by.

  4. Under Select Instance, select the integration instance from where you want to pull data.

  5. Under Fetched data select the value you want to classify the events by.

  6. Drag values from the Unmapped Values column to the relevant incident type on the right.

    You can optionally choose a default incident type for unclassified incidents from Direct unclassified events to: Select.


    If you do not choose a default incident type, the classifier will use the "default" incident type for unclassified incidents. The default incident type can be configured on the Incident Types page, and is set to "Unclassified" by default.

  7. Click Save.

  8. Go to Settings & InfoSettingsIntegrationsInstances.

    1. Select the integration you want to apply the classifier to.

    2. In the integration settings, under Classifier, select the classifier you created and click Done.