End-of-Life (EoL)

Classify Events Using a Classification Key

Follow these instructions to classify events using a classification key in an integration ingestion.
When an integration fetches incidents, it populates the rawJSON object in the incident object. The rawJSON object contains all of the attributes for the event: for example, the source, when the event was created, the priority designated by the integration, and more. When classifying the event, select an attribute whose value determines the event type.
  1. Open the Classification & Mapping window for the integration instance.
    1. Go to Settings > Integrations > Servers & Services and, next to the integration instance, click Mapping.
    2. In the Classification & Mapping tab, select the integration instance from the dropdown menu.
  2. In the Values to Identify column, drag values from the Unmapped Values column or type your own value.
  3. Click Create mapping to open the classification wizard.
  4. Load event data using one of the following options:
    • Pull events: pull from the integration instance (shown as integrationName). Cortex XSOAR fetches events from the instance (alerts, notifications, etc.).
    • Upload a JSON file: upload a JSON file containing the rawJSON object from the integration. The file must be in JSON format.
    • Skip getting samples: map the attributes without event data. Not recommended.
  5. Set the classification key.
    The event attributes are presented on the right side of the screen. Click on the attribute by which you want to classify the incidents. You can navigate between the fetched events to view all of the attributes in the other events and to ensure that you are selecting a viable attribute.
    You can use filters and transformers to make the selection more exact.
  6. Click Done.
    Once you select the attribute, the unique values of that attribute found in the fetched events appear under the Unmapped Values column.
  7. Drag any unmapped value to the Values to Identify column of the incident type to which you want to classify it. For any unmapped value that you do not classify, incidents are created with the incident type defined in the integration.
    You can map multiple values to one incident type, but you cannot map one unmapped value to multiple incident types.
  8. Map Event Attributes to Fields so the information is indexed.
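To make the behaviour of steps 5 to 7 concrete, here is an added Python model (not Cortex XSOAR code) of how a classification key selects an incident type: the chosen rawJSON attribute is read, a simple lower-casing transformer is applied, mapped values resolve to their incident type, unmapped values fall through to the integration's own type, and a value mapped under two types is rejected. The incident type names, the attribute path alert.category and the sample rawJSON events are constructed assumptions.

```python
"""Model of how a classification key routes fetched events to incident types.
Added example, not Cortex XSOAR code: incident type names, the key path and
the sample rawJSON events are constructed for illustration."""
from typing import Any

# Values to Identify per incident type (step 7): several values may map to one
# type, but one value must not sit under two types; build_index() enforces that.
VALUES_TO_IDENTIFY = {"Malware": ["malware", "virus"], "Phishing": ["phishing"]}
CLASSIFICATION_KEY = "alert.category"  # rawJSON attribute chosen in step 5
DEFAULT_TYPE = "Integration Default"   # stands in for the integration's own type

def build_index(values_to_identify: dict[str, list[str]]) -> dict[str, str]:
    """Invert type -> values into value -> type, rejecting a value mapped twice."""
    index: dict[str, str] = {}
    for incident_type, values in values_to_identify.items():
        for value in values:
            if index.get(value, incident_type) != incident_type:
                raise ValueError(f"{value!r} mapped to both {index[value]!r} and {incident_type!r}")
            index[value] = incident_type
    return index

def key_value(raw_json: dict, path: str = CLASSIFICATION_KEY) -> Any:
    """Walk a dot path into rawJSON, lower-casing strings (a simple step 5 transformer); None if a segment is missing."""
    node: Any = raw_json
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node.lower() if isinstance(node, str) else node

def classify(raw_json: dict, index: dict[str, str]) -> str:
    """Incident type for one event; unmapped values fall through to DEFAULT_TYPE."""
    return index.get(key_value(raw_json), DEFAULT_TYPE)

def unmapped_values(events: list[dict], index: dict[str, str]) -> list[Any]:
    """Unique key values seen in fetched events but absent from the mapping (step 6)."""
    seen: list[Any] = []
    for event in events:
        value = key_value(event)
        if value is not None and value not in index and value not in seen:
            seen.append(value)
    return seen

# Constructed sample of rawJSON objects as an integration might populate them.
SAMPLE_EVENTS = [
    {"source": "edr", "alert": {"category": "Malware", "severity": 3}},
    {"source": "mail", "alert": {"category": "PHISHING"}},
    {"source": "edr", "alert": {"category": "DLP"}},
    {"source": "siem", "alert": {"severity": 1}},  # classification key missing
]
```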
