The classification and mapping feature
enables you to take the events and event information that Cortex
XSOAR ingests from integrations or the REST API, and classify each event
as a type of Cortex XSOAR incident.
For example, Cortex XSOAR might generate alerts
from Traps, which you could classify, according to the information
in those alerts, either as dedicated Traps incident types or as Authentication
or Malware incidents. You might have EWS configured to ingest both phishing
and malware alerts, which you would want to classify to their respective incident
types based on some information in the event. By classifying the
events differently, you have more control over the incident type,
allowing you to run multiple playbooks for the events coming from
Classification determines the type of incident that
is created for events ingested from a specific integration. You
can classify events in the following ways:
- Defining an integration: select the incident type
that is created. When this is configured, it becomes the default
incident type. If you do not classify the event through classification
and mapping, it is set to what you have defined here.
- Using the classification engine to determine the
incident type. This overrides whatever you configured in the integration settings.
Once you classify the incident, you can map the fields
from the third-party integration to the fields that you defined in
the incident layout. Any fields that you do not map are automatically
mapped to Cortex XSOAR labels. While this information can still
be accessed, it is always easier to work with fields.
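The precedence described above (integration default type, classifier override, mapped fields versus labels) as an added, constructed simulation; this is not Cortex XSOAR code, and the event shape, the `category` classification key, the classifier and mapper tables, and the "Unclassified" default are all assumptions made for illustration.

```python
"""Constructed simulation of classification-and-mapping precedence.
Not Cortex XSOAR code: event shape, tables and defaults are assumptions."""
from typing import Any

# Constructed sample events, shaped like what an integration might ingest.
SAMPLE_EVENTS = [
    {"source": "Traps", "category": "malware", "host": "ws-01", "sha256": "<constructed>"},
    {"source": "Traps", "category": "auth_failure", "host": "ws-02", "user": "alice"},
    {"source": "EWS", "category": "phishing", "sender": "x@example.com", "subject": "Invoice"},
    {"source": "EWS", "category": "unknown", "subject": "hello"},
]

# Incident type configured in each integration's settings (the default).
INTEGRATION_DEFAULT_TYPE = {"Traps": "Traps", "EWS": "Unclassified"}

# Classifier: the event field it keys on, and value -> incident type.
CLASSIFICATION_KEY = "category"
CLASSIFIER = {"malware": "Malware", "auth_failure": "Authentication", "phishing": "Phishing"}

# Mapper: incident type -> {incident field: event field}
MAPPER = {
    "Malware": {"hostname": "host", "filehash": "sha256"},
    "Authentication": {"hostname": "host", "username": "user"},
    "Phishing": {"emailfrom": "sender", "emailsubject": "subject"},
}


def classify(event: dict[str, Any]) -> str:
    """A classifier match overrides the integration default; otherwise the default applies."""
    default = INTEGRATION_DEFAULT_TYPE.get(event.get("source", ""), "Unclassified")
    return CLASSIFIER.get(event.get(CLASSIFICATION_KEY), default)


def map_fields(event: dict[str, Any], incident_type: str) -> dict[str, Any]:
    """Mapped event fields become incident fields; every unmapped field becomes a label."""
    incident: dict[str, Any] = {"type": incident_type}
    mapped_keys = set()
    for incident_field, event_field in MAPPER.get(incident_type, {}).items():
        if event_field in event:
            incident[incident_field] = event[event_field]
            mapped_keys.add(event_field)
    incident["labels"] = [{"type": k, "value": str(v)} for k, v in event.items() if k not in mapped_keys]
    return incident


def ingest(event: dict[str, Any]) -> dict[str, Any]:
    """Full pipeline for one event: classify, then map."""
    return map_fields(event, classify(event))
```

Running `ingest` over `SAMPLE_EVENTS` shows the fourth event, which matches no classifier value, falling back to the EWS default with every field kept only as a label.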
To get the most benefit out of classification and mapping, ensure
that you understand which information is ingested from the events,
so you can set up the fields and incident types accordingly.