Your alert is not mapped and modeled by default. To map and model it, navigate to the Mapping and Modeling section (click the gear icon).

  1. For this use case we will map our case using the predefined family MailRelayOrTAP, which is intended for email monitoring events.
  2. Mapping and modeling can be configured at one of three levels of the hierarchy. For this example:
    • Source – This is the Source name field we filled in earlier. It is the Source that digested the data and created the alert in the Chronicle SOAR platform. For this example the Source name is “Email Connector”.
      At this level we will map only the time fields, since they are the same at every level.
      If you map at this level, the following levels (Product – “Mail” and Event – “Suspicious email”) will inherit the same mapping and modeling.
    • Product – The product is “Mail”, which is the product that digests the data that came from the source “Mail”. A single connector can, for example, digest data from many sources. If mapping and modeling is configured at this level, the following level (“Suspicious email”) will inherit the same mapping and modeling.
    • Event – This is the event_name we filled in earlier; for this example the event name is “Suspicious email”. The event in this case is the email message itself.
  3. We will map the relevant fields by assigning each field to the appropriate field in the code. In this mapping section we will map all the fields at the “Product” level.
    | Rule Level | Target Field | Extracted Field | Transformation Function | The field value |
    |---|---|---|---|---|
    | Product | DestinationUserName | event["destinationUserName"] | TO_STRING | The email address of the person who received the email. |
    | Product | SourceUserName | event["sourceUserName"] | EXTRACT_BY_REGEX, regex format: `[\w\.-]+@[\w\.-]+` | The email address of the person who sent the email. |
    | Product | EmailSubject | event["subject"] | TO_STRING | The email subject. |
    | Product | DestinationURL | event["found_url"] | TO_STRING | The URLs found in the email body. |
    | Product | StartTime | event["startTime"] | FROM_UNIXTIME_STRING_OR_LONG | The time the email was received. |
    | Product | EndTime | event["EndTime"] | FROM_UNIXTIME_STRING_OR_LONG | The time the email was received. |

    Please note that you can click the information icon to view the transformation function, as shown in the picture below.
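To make the transformations in the table concrete, here is an added Python sketch (not Chronicle SOAR's own code) that applies the same Product-level rules to a constructed event. The transformation names come from the table; what each one does here, including treating the epoch as seconds and returning None for missing or unparsable input, is an assumption.

```python
import re
from datetime import datetime, timezone

# Added illustration of the Product-level mapping table above. The transformation
# names are the page's; what each does here is an assumption, not Chronicle SOAR code.
EMAIL_REGEX = r"[\w\.-]+@[\w\.-]+"

def to_string(value):
    """TO_STRING: stringify the raw value; lists (e.g. several found URLs) are joined."""
    if isinstance(value, (list, tuple)):
        return ", ".join(str(v) for v in value)
    return None if value is None else str(value)

def extract_by_regex(value, pattern=EMAIL_REGEX):
    """EXTRACT_BY_REGEX: first match of pattern in the value, or None when it is absent."""
    match = re.search(pattern, str(value)) if value is not None else None
    return match.group(0) if match else None

def from_unixtime_string_or_long(value):
    """FROM_UNIXTIME_STRING_OR_LONG: epoch given as int, float or numeric string
    (seconds assumed) -> aware UTC datetime; None when the value cannot be parsed."""
    try:
        return datetime.fromtimestamp(float(value), tz=timezone.utc)
    except (TypeError, ValueError, OverflowError, OSError):
        return None

# Rule level "Product": target field -> (extracted event field, transformation function)
PRODUCT_MAPPING = {
    "DestinationUserName": ("destinationUserName", to_string),
    "SourceUserName": ("sourceUserName", extract_by_regex),
    "EmailSubject": ("subject", to_string),
    "DestinationURL": ("found_url", to_string),
    "StartTime": ("startTime", from_unixtime_string_or_long),
    "EndTime": ("EndTime", from_unixtime_string_or_long),
}

def model_event(event, mapping=PRODUCT_MAPPING):
    """Apply every rule to the raw event dict; a missing source key models to None."""
    return {target: func(event.get(source)) for target, (source, func) in mapping.items()}

# Constructed sample "Suspicious email" event (not captured data) to run the mapping on.
SAMPLE_EVENT = {
    "destinationUserName": "analyst@example.com",
    "sourceUserName": "Helpdesk Support <support@mail.example.net>",
    "subject": "Password expiry notice",
    "found_url": ["http://example.invalid/reset", "http://example.invalid/login"],
    "startTime": "1700000000",
    "EndTime": 1700000000,
}
```

Calling `model_event(SAMPLE_EVENT)` shows the display-name prefix stripped from the sender by the regex and the string and integer timestamps modeled to the same UTC datetime.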

  4. After mapping this case, we will simulate the alert to see the mapping result: on the right-hand side, click the three-dots icon and select “Ingest alert as test case”.

    A new simulated alert will then appear as a new case in the case queue. All simulated cases are tagged with the purple “Test” mark to the left of the case name.

    After mapping the case, you can see each email message argument we mapped on the right of the screenshot below.

    If you would like to see a visual view of the entities involved in the event and the relations between them, click on the Explore button.

    Now that you have finished the mapping and modeling step, you can start ingesting alerts into your platform automatically; they will inherit the mapping and modeling you have performed. To do so, navigate back to the Connectors screen, enable the toggle and click Save.

    Congratulations! You have developed your first connector in the Chronicle SOAR platform.