Classification and Mapping

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.8
Creation date: 2022-09-28
Last date published: 2024-03-21
End of Life: EoL
Category: Administrator Guide

Integration ingestion

The classification and mapping feature enables you to take the events and event information that Cortex XSOAR ingests from integrations, and classify the event as a type of Cortex XSOAR incident.

For example, Cortex might generate alerts from Cortex Traps, which you would classify according to the information in those events either as a dedicated Traps incident type or as an Authentication or Malware incident. Similarly, you might have EWS configured to ingest both phishing and malware alerts, which you want to classify to their respective incident types based on information in the event. By classifying the events as different incident types, you can process them with different playbooks suited to their respective requirements.

Classification

Classification determines the type of incident that is created for events ingested from a specific integration. You create a classifier and define that classifier in an integration.

Mapping

You can map the fields from your third-party integration to the fields that you defined in your incident layouts.

Starting with version 6.0, mappers are separate entities from classifiers. This enables you to do the following:

  • Map your fields to incident types irrespective of the integration or classifier. This means that you can create a mapping before defining an instance and ingesting incidents. By doing so, when you do define an instance and apply a mapper, the incidents that come in are already mapped.

  • Create a default mapping for all of the fields that are common to all incident types, and then map only those fields that are specific to each incident type individually. You can still overwrite the contents of a field in the specific incident type.

  • Use auto-map to automatically map fields based on their naming convention. For example, severity would be mapped to importance.

  • Mirror content in Cortex XSOAR with third-party integrations. This enables you to make changes to an incident in Cortex XSOAR and have that change be reflected in the case managed by the integration. For example, if you are using a case management system such as JIRA or Salesforce, you can close an incident in Cortex XSOAR and have that reflected automatically.

    Note: The integration must support pulling the integration schema for mirroring to work.
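As an added illustration (not Cortex XSOAR's own code or API), the following Python sketches the classify-then-map flow described above: a classifier picks the incident type from event fields, a default mapping covers the fields common to all types, a type-specific mapping overrides it, and auto-map pairs fields by normalised name. The event keys, incident field names and sample events are constructed for the EWS phishing/malware scenario.

```python
"""Classify-then-map over ingested events (added illustration, not Cortex XSOAR code)."""
from typing import Any, Callable

def classify(event: dict, rules: list[tuple[str, Callable]], default_type: str = "Unclassified") -> str:
    """Return the incident type of the first rule whose predicate matches the event."""
    for incident_type, predicate in rules:
        if predicate(event):
            return incident_type
    return default_type

def build_mapping(default_map: dict, type_maps: dict, incident_type: str) -> dict:
    """Start from the mapping common to all types; the type-specific mapping overrides it."""
    mapping = dict(default_map)
    mapping.update(type_maps.get(incident_type, {}))
    return mapping

def auto_map(event: dict, incident_fields: list[str]) -> dict:
    """Pair event keys with incident fields whose names match after normalisation (source_ip -> sourceip)."""
    norm = lambda s: "".join(ch for ch in s.lower() if ch.isalnum())
    by_norm = {norm(f): f for f in incident_fields}
    return {by_norm[norm(k)]: k for k in event if norm(k) in by_norm}

def map_event(event: dict, mapping: dict) -> dict:
    """mapping is incident_field -> event_key; only keys present in the event are copied."""
    return {inc_field: event[src] for inc_field, src in mapping.items() if src in event}

# Constructed EWS-style rules and mappings for the phishing/malware scenario in the text.
EWS_RULES = [
    ("Phishing", lambda e: e.get("category") == "phishing"),
    ("Malware", lambda e: e.get("category") == "malware" or "attachment_hash" in e),
]
DEFAULT_MAP = {"name": "subject", "occurred": "received_time", "severity": "priority"}
TYPE_MAPS = {
    "Phishing": {"emailfrom": "sender"},
    "Malware": {"severity": "malware_severity", "filehash": "attachment_hash"},  # overrides severity
}

def ingest(event: dict) -> dict:
    """Classify one event, then map its fields with the default plus type-specific mapping."""
    incident_type = classify(event, EWS_RULES)
    fields = map_event(event, build_mapping(DEFAULT_MAP, TYPE_MAPS, incident_type))
    return {"type": incident_type, **fields}

# Constructed sample events (not real alerts).
PHISH_EVENT = {"category": "phishing", "subject": "Verify your account", "sender": "sender@example.net",
               "received_time": "2022-09-28T10:00:00Z", "priority": 2}
MALWARE_EVENT = {"category": "malware", "subject": "Invoice.zip", "received_time": "2022-09-28T11:00:00Z",
                 "priority": 1, "malware_severity": 4, "attachment_hash": "<placeholder-hash>"}
```

Note that the Malware mapping replaces the default `severity` source, while unmatched events fall through to a default type with only the common fields mapped.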