Follow these instructions to classify events using a
classification key during integration ingestion.
When an integration fetches incidents, it
populates the rawJSON object in the incident object. The rawJSON
object contains all of the attributes for the event, for example,
the source, when the event was created, the priority that was
designated by the integration, and more. When classifying the event,
select an attribute that can determine what the event type is.
Open the Classification & Mapping window for
the integration instance.
In Servers & Services, next to the integration instance, click
Classification & Mapping.
From the dropdown menu, select the integration instance.
Values to Identify
drag values from the
or type your own value.
to open the
Load event data using one of the following options:
: pull from
Cortex XSOAR fetches events from the instance (alerts, notifications
: upload a JSON file
object from the integration.
The file must be uploaded in JSON format.
Skip getting samples: Map the attributes without event
data. Not recommended.
Set the classification key.
The event attributes are presented on the right side of
the screen. Click on the attribute by which you want to classify
the incidents. You can navigate between the fetched events to view
all of the attributes in the other events and to ensure that you
are selecting a viable attribute.
You can use filters and
transformers to make the selection more exact.
Once you select the attribute, the unique values for the
attribute that you have selected from the fetched events appear
Drag any unmapped value to the Values to Identify
for the incident type to which you want to classify it. For any
unmapped values that you do not classify, an incident type as
defined in the integration is created.
You can map multiple values to an incident type, but you
cannot map an unmapped value to multiple incident types.
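
The classification logic described above, sketched in Python as an added illustration (not Cortex XSOAR code): it lists the unique values of a candidate classification key across sample events and applies a value-to-incident-type mapping, falling back to the integration's own type for unmapped values. The sample events, their field names, the incident type names, and the function names are all constructed for this example.

```python
import json
from collections import Counter

# Constructed sample events, standing in for the rawJSON of fetched incidents.
SAMPLE_EVENTS = json.loads("""[
  {"id": "1", "source": "mail-gateway", "category": "phishing", "priority": "high"},
  {"id": "2", "source": "edr", "category": "malware", "priority": "high"},
  {"id": "3", "source": "mail-gateway", "category": "spam", "priority": "low"},
  {"id": "4", "source": "edr", "category": "malware", "priority": "medium"},
  {"id": "5", "source": "edr", "priority": "low"}
]""")

# Hypothetical incident type names; several values may share one incident type.
VALUES_TO_IDENTIFY = {"Phishing": ["phishing", "spam"], "Malware": ["malware"]}
INTEGRATION_DEFAULT = "Integration Default"  # stands in for the type set in the integration


def unique_values(events, key):
    """Count each value of a candidate classification key; None = key missing."""
    return Counter(event.get(key) for event in events)


def build_mapping(values_to_identify):
    """Invert {incident type: [values]}, rejecting a value claimed by two types."""
    mapping = {}
    for incident_type, values in values_to_identify.items():
        for value in values:
            if mapping.get(value, incident_type) != incident_type:
                raise ValueError(f"{value!r} is mapped to more than one incident type")
            mapping[value] = incident_type
    return mapping


def classify(event, key, mapping, default=INTEGRATION_DEFAULT):
    """Mapped incident type for the event, or the integration's type if unmapped."""
    return mapping.get(event.get(key), default)


if __name__ == "__main__":
    # Compare candidate keys: a viable key is present in most events and its
    # values separate event types ("priority" here would not).
    for candidate in ("source", "category", "priority"):
        print(candidate, dict(unique_values(SAMPLE_EVENTS, candidate)))
    mapping = build_mapping(VALUES_TO_IDENTIFY)
    for event in SAMPLE_EVENTS:
        print(event["id"], "->", classify(event, "category", mapping))
```

Running the same checks over a sample file before uploading it shows which attributes are missing from some events and which values would be left unmapped.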