Configure Mapping and Assign Visual Families
For a full explanation of this subject, refer to Ontology first.
You will arrive at the Event Configuration screen after clicking on a Configure icon from one of the following places in the Chronicle SOAR platform:
In the Event Configuration screen, you can assign visual model families at source/product/event level in the Visualization screen as well as being able to configure mapping at field level in the Mapping screen. The model family will provide you with a graphic explanation of the relationship between all the events and actions that take place.
For example, if an event arrives in the platform with missing or incorrect information, click the Configure icon from the Alerts Events tab and first check that the event is assigned to the right visual family. Only after confirming this, navigate to the Mapping screen to add the missing field information or correct the incorrect values.
The point of this Visualization screen is that you assign the event/product/source to a specific “family” – i.e. a visual map of relationships and entities that will provide you with the best graphic explanation of what happened. This visual family is displayed on the Explore Cases screen.
You can assign a model family at source level (this is the top level), product level (this is the second level), or event level (this is the ground level). The model family is inherited from the “parent”. In other words, if you assign a family at source level, then both the product and the event inherit the model family from the Source level. However, you can edit the mapped fields at each level and this will override the “parent” settings.
In the screenshot below:
Source = Arcsight
Product = Phishing Email Detector
Event = Email check
To assign a model family:
- Select the model family that most resembles the relationship between events and actions that occur in this situation. Note that Chronicle SOAR provides 24 model families out of the box and you can add as many as you need. For cloning, editing and adding families, refer to Visual Families.
- Confirm the assignment.
Mapping
In this screen you can see the fields belonging to the Model Family that is assigned to this product (or event or source) and perform a number of actions from the drop-down menu behind the three dots at the end of each row.
Edit Field
The following fields can be edited by double-clicking on the entity:
Field | Description |
---|---|
Extracted Field | Main field name in the raw event to take information from. Pro tip: use Contains or Starts with to divide the data into separate entities. This is useful when you have multiple fields such as url_1, url_2 and want to create multiple entities. |
Alternative Field 1 | Fallback field in the raw event field to take information from if the primary field cannot be located. |
Alternative Field 2 | Fallback field in the raw event field to take information from if both primary and secondary cannot be located. |
Extraction Function | This function lets you extract particular data from, or manipulate the data in, the raw event field. There are three options. None: the raw data is presented as is. Delimiter: a delimiter of one character (or up to 64 characters) is used to divide the data into separate entities; the default is Delimiter = , (comma). Regex: a regular expression is used to divide the data into separate entities. |
Transformation Function | This lets you “transform” information from the data source so that it is compatible with the Siemplify database. Available functions are: TO_STRING, FROM_UNIXTIME_STRING_OR_LONG, FROM_CUSTOM_DATETIME, EXTRACT_BY_REGEX, TO_IP_ADDRESS. Once you have chosen the function, add the appropriate parameter. For example, select the function FROM_CUSTOM_DATETIME and reformat the date and time to %Y-%m-%DT%H:%M:%S. Note that the transformation function applies after the extraction function; if the extraction function creates multiple entities, the transformation is applied to each one of them separately. |
Note that you can extract data from one source field and map it to different target fields. For example, if a source field has both a hostname and an IP address, you can separate them out using Regex expressions.
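As an added example (not Chronicle SOAR's own code), the following Python models the mapping semantics described above: the fallback order of Extracted Field and Alternative Fields 1 and 2, the three extraction options, the transformation applied to each extracted entity separately, and the hostname/IP split from one source field. The raw event, the output formats of the date functions and the handling of invalid IP addresses are this example's assumptions.

```python
import ipaddress
import re
from datetime import datetime, timezone

RAW_EVENT = {  # raw event constructed for this example, not a real ingestion
    "urls": "http://a.example,http://b.example",
    "host_and_ip": "srv-01 (10.0.0.5)",
    "event_time": "1700000000",
    "custom_time": "2024-03-05 14:07:09",
}

def pick_field(event, primary, alt1=None, alt2=None):
    """Extracted Field first, then Alternative Field 1 and 2 as fallbacks."""
    return next((event[n] for n in (primary, alt1, alt2) if n and event.get(n) not in (None, "")), None)

def extract(value, function="None", param=","):
    """Extraction function: None keeps the value, Delimiter splits on it, Regex takes each match."""
    if value is None:
        return []
    if function == "Delimiter":
        return [p.strip() for p in value.split(param) if p.strip()]
    if function == "Regex":
        return [m.group(1) if m.groups() else m.group(0) for m in re.finditer(param, value)]
    return [value]

def transform(entity, function=None, param=None):
    """Transformation function for one entity; output formats are this example's own choices."""
    if function is None:
        return entity
    if function == "TO_STRING":
        return str(entity)
    if function == "FROM_UNIXTIME_STRING_OR_LONG":  # epoch seconds assumed
        return datetime.fromtimestamp(int(str(entity).strip()), tz=timezone.utc).isoformat()
    if function == "FROM_CUSTOM_DATETIME":  # param is a strptime format
        return datetime.strptime(entity, param).isoformat()
    if function == "EXTRACT_BY_REGEX":  # param is a regex with one capture group
        m = re.search(param, entity)
        return m.group(1) if m else None
    if function == "TO_IP_ADDRESS":  # invalid addresses map to None
        try:
            return str(ipaddress.ip_address(entity.strip()))
        except ValueError:
            return None
    raise ValueError(f"unknown transformation {function}")

def map_field(event, primary, alt1=None, alt2=None, extraction=("None", ","), transformation=(None, None)):
    """Fallback lookup, then extraction, then the transformation applied to each entity separately."""
    entities = extract(pick_field(event, primary, alt1, alt2), *extraction)
    return [transform(e, *transformation) for e in entities]
```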
Show Result
From the three dots on the right, select Show Result to see the values after the mapping process.
Add Enrichment
Various SIEMs include enrichment data as part of the initial ingestion process. By selecting Add Enrichment from the three dots on the side, you can choose which enrichment values you want to add to the entity.
After you click Save, the next time this entity is ingested into the platform as part of an Alert, you can click View Details and the enrichment field appears under the heading Raw Enrichment in the side drawer that opens.