Create a Mapper - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
8
Creation date
2023-11-02
Last date published
2024-02-21
Category
Administrator Guide
Abstract

Create new mapper and apply to an integration in Cortex XSOAR.

Mappers enable you to map the information from incoming events to the incident or indicator layouts that you have in your system.

Mapping event attributes or indicator fields now takes place in two stages. At first, you map all of the fields that are common to all incident or indicator types in the default mapping. After that, you can map the additional fields that are specific for each incident or indicator type, or overwrite the mapping that you used in the default mapping.

Note

  • In the Classification & Mapping screen, the mappings do not indicate for which incident types they are configured. Therefore, when creating a mapper, it is best practice to add to the mapper name the incident types the mapper is for. For example, Mail Listener - Phishing.

  • When mapping a list, we recommend you map to a multi select field. Short text fields do not support lists. If you do need to map a list to a short text field, add a transformer in the relevant playbook task, to split the data back into a list.

Be aware that the following out-of-the-box fields are entirely controlled by Cortex XSOAR, and therefore cannot be mapped:

Type

Source Instance

Category

DBot Status

Playbook

DBot Created

DBot Closed

SLA

DBot Modified

DBot Total Time

Close Reason

Close User

Close Notes

Reminder

Labels

Run Status

Dropped Count

Linked Count

Feed Based

Note

You can also configure mappers for indicators, by going to Settings & InfoSettingsObject SetupIndicatorsClassification & Mapping.

  1. Go to Settings & InfoSettingsObjects SetupIncidentsClassification & Mapping.

  2. Click New and select the mapper that you want to create.

    • Incident Mapper (Incoming) - maps all of the fields you are pulling from the integration to the incident fields in your layouts.

    • Incident Mapper (Outgoing) - maps fields from to the fields in the integration to which you are pushing the data. This is useful for mirroring.

  3. Under Get data, select from where you want to pull the information based on which you will map the incident types.

    • Pull from instance - select an existing integration instance.

      Select schema - when supported by the integration, this will pull all of the fields for the integration from the database. This enables you to see all of the fields for each given event type that the integration supports.

    • Upload JSON - upload a formatted JSON file which includes the field you want to map.

  4. Under Incident Type, start by mapping out the Common Mapping. This mapping includes the fields that are common to all of the incident types and saves you time having to define these fields individually in each incident type.

  5. Click the event attribute to which you want to map. You can further manipulate the field using filters and transformers.

    You can click Auto Map to automatically map fields with common or similar names to fields in . For example, Severity to Importance or Description to Description.

  6. Repeat this process for the other incident types for which this mapping is relevant.

  7. Click Save.

  8. Go to Settings & InfoSettingsIntegrationsInstances.

    1. Select the integration to add the mapper.

    2. In the integration settings, under Mapper, select the mapper you created and click Done.