For a full explanation of this subject, refer to Ontology first.

You will arrive at the Event Configuration screen after clicking on a Configure icon from one of the following places in the Chronicle SOAR platform:

In the Event Configuration screen, you can assign visual model families at source, product or event level in the Visualization screen, and configure mapping at field level in the Mapping screen. The model family gives you a graphic explanation of the relationship between all the events and actions that take place.

For example, if an event comes into the platform with missing or incorrect information, click the Configure icon from the Alerts Events tab and first check that the event is assigned to the right visual family. Only once that is correct, navigate to the Mapping screen to add the field information that is missing or correct the information that is wrong.

The point of this Visualization screen is that you assign the event/product/source to a specific “family” – i.e. a visual map of relationships and entities that will provide you with the best graphic explanation of what happened. This visual family is displayed on the Explore Cases screen.
You can assign a model family at source level (this is the top level), product level (this is the second level), or event level (this is the ground level). The model family is inherited from the “parent”. In other words, if you assign a family at source level, then both the product and the event inherit the model family from the Source level. However, you can edit the mapped fields at each level and this will override the “parent” settings.

In the screenshot below:
Source = Arcsight
Product = Phishing Email Detector
Event = Email check

To assign a model family:

  1. Select the model family that most resembles the relationship between events and actions that occur in this situation. Note that Chronicle SOAR provides 24 model families out of the box and you can add as many as you need. For cloning, editing and adding families, refer to Visual Families.
  2. Confirm the assignment.

Mapping

In this screen you can see the fields belonging to the Model Family that is assigned to this product (or event or source) and perform a number of actions from the drop-down menu behind the three dots at the end of each row.

Edit Field
The following fields can be edited by double clicking on the entity:

Field / Description

Extracted Field: Main field name in the raw event to take information from. Pro-tip: use Contains or Starts with to divide the data into separate entities. This is useful if you have multiple fields such as url_1, url_2 and want to create multiple entities from them.

Alternative Field 1: Fallback field in the raw event to take information from if the primary field cannot be located.

Alternative Field 2: Fallback field in the raw event to take information from if neither the primary nor the secondary field can be located.

Extraction Function: Extracts particular data from, or manipulates, the raw event field. Three options:
  None: the raw data is presented as is.
  Delimiter: a character (or up to 64 characters) used to divide the data into separate entities. The default is Delimiter = , (comma).
  Regex: uses a regular expression to divide the data into separate entities.

Transformation Function: "Transforms" information from the data source so that it is compatible with the Siemplify database. Available functions are: TO_STRING, FROM_UNIXTIME_STRING_OR_LONG, FROM_CUSTOM_DATETIME, EXTRACT_BY_REGEX, TO_IP_ADDRESS. Once you have chosen the function, add the appropriate parameter.
For example: select the function FROM_CUSTOM_DATETIME and reformat the date and time to %Y-%m-%DT%H:%M:%S
Note that the transformation function applies after the extraction function; if the extraction function created multiple entities, the transformation is applied to each of them separately.

Note that you can extract data from one source field and map it to different target fields. For example, if a source field has both a hostname and an IP address, you can separate them out using Regex expressions.
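The following is an added illustration, not Chronicle SOAR's own code: a small Python model of one mapping row as described above (primary field with two fallbacks, then extraction by None/Delimiter/Regex, then the transformation applied to each extracted entity separately). The raw event, the rule dictionary keys and the behaviour of the transformation functions are assumptions made for the example.

```python
import re
import ipaddress
from datetime import datetime, timezone

# Constructed raw event, shaped like a SIEM record (assumed, not a real product record).
RAW_EVENT = {
    "dest_hosts": "web-01;web-02",
    "event_time": "1700000000",
    "src": "host=gw-01 ip=10.1.2.3",
}

def _extract_by_regex(value, pattern):
    m = re.search(pattern, str(value))
    return None if m is None else (m.group(1) if m.groups() else m.group(0))

def _to_ip_address(value, _param):
    try:
        return str(ipaddress.ip_address(str(value).strip()))
    except ValueError:
        return None  # not a valid IP: the entity is dropped rather than created with junk

# Assumed semantics for the transformation functions named on the page.
TRANSFORMS = {
    "TO_STRING": lambda v, p: str(v),
    "FROM_UNIXTIME_STRING_OR_LONG": lambda v, p: datetime.fromtimestamp(int(v), tz=timezone.utc).isoformat(),
    "FROM_CUSTOM_DATETIME": lambda v, p: datetime.strptime(str(v), p).isoformat(),
    "EXTRACT_BY_REGEX": _extract_by_regex,
    "TO_IP_ADDRESS": _to_ip_address,
}

def map_field(event, rule):
    """Apply one mapping row: locate the source field (with fallbacks), extract, then transform per entity."""
    value = None
    for name in (rule.get("extracted_field"), rule.get("alternative_field_1"), rule.get("alternative_field_2")):
        if name and name in event:
            value = event[name]
            break
    if value is None:
        return []
    func = rule.get("extraction", "None")
    if func == "Delimiter":
        parts = str(value).split(rule.get("extraction_param", ","))
    elif func == "Regex":
        parts = re.findall(rule["extraction_param"], str(value))
    else:
        parts = [value]
    transform = rule.get("transformation")
    if transform:  # transformation runs after extraction, once per extracted entity
        parts = [TRANSFORMS[transform](p, rule.get("transformation_param")) for p in parts]
    return [p for p in parts if p not in (None, "")]
```

The `src` field shows the point made above: two rules with different regexes map one source field to a hostname entity and an IP entity, and TO_IP_ADDRESS drops anything that does not parse as an address.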

Show Result

From the three dots on the right, select Show Result to see the values after the mapping process.

Add Enrichment

Various SIEMs include enrichment data as part of the initial ingestion process. By selecting Add Enrichment from the three dots on the side, you can choose which enrichment values you want to add to the entity.

After you click Save, the next time this entity is ingested into the platform as part of the Alert, you can click View Details and this enrichment field will appear under the heading Raw Enrichment in the side drawer that opens.