End-of-Life (EoL)

Classification and Mapping

Integration ingestion
The classification and mapping feature enables you to take the events and event information that Cortex XSOAR ingests from integrations or REST API, and classify the event as a type of Cortex XSOAR incident.
For example, Cortex XSOAR might generate alerts from Traps which you would classify according to the information in those either as dedicated Traps incident types, Authentication or Malware. You might have EWS configured to ingest both phishing and malware alerts, which you would want to classify to their respective incident types based on some information in the event. By classifying the events differently, you have more control of the incident type and allowing you to run multiple playbooks for the events coming from one source.


Classification determines the type of incident that is created for events ingested from a specific integration. You can classify events in the following ways:
  • Defining an integration
    Select the incident type that is created. When this is configured, it becomes the default incident type. If you do not classify the event through classification and mapping, it is set as what you have defined here.
  • Use the classification engine to determine the incident type. This overrides whatever you configured in the integration settings.


Once you classify the incident, you can map the fields from the 3rd party integration to the fields that you defined in the incident layout. Any fields that you do not map, are automatically mapped to Cortex XSOAR labels. While this information can still be accessed, it is always easier to work with fields.
To get the most benefit out of classification and mapping, ensure that you understand which information is ingested from the events, so you can set up the fields and incident types accordingly.

Recommended For You