The classification and mapping feature enables you to take the events and event information that Cortex XSOAR ingests from integrations, and classify the event as a type of Cortex XSOAR

For example, Cortex might generate alerts from Cortex Traps, which you would classify according to the information in those events either as a dedicated Traps incident type or as Authentication or Malware. Also, you might have EWS configured to ingest both phishing and malware alerts, which you want to classify to their respective incident types based on some information in the event. By classifying the events as different incident types, you can process them with different playbooks suited to their respective
Classification determines the type of incident that is created for events ingested from a specific integration. You create a classifier and define that classifier in an integration. You can map the fields from your third-party integration to the fields that you defined in your incident layouts.

Starting with version 6.0, mappers are separate entities from classifiers. This enables you to do the following:
- Map your fields to incident types irrespective of the integration or classifier. This means that you can create a mapping before defining an instance and ingesting incidents. By doing so, when you do define an instance and apply a mapper, the incidents that come in are already mapped.
- Create a default mapping for all of the fields that are common to all incident types, and then map only those fields that are specific to each incident type individually. You can still overwrite the contents of a field in the specific incident type.
- Use auto-map to automatically map fields based on their naming convention. For example, severity would be mapped to importance.
- Mirror content in Cortex XSOAR with third-party integrations. This enables you to make changes to an incident in Cortex XSOAR and have that change be reflected in the case managed by the integration. For example, if you are using a case management system such as JIRA or Salesforce, you can close an incident in Cortex XSOAR and have that reflected automatically.

Note: The integration must support pulling the integration schema for mirroring to work.
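The following is an added illustration, not Cortex XSOAR's own code: a minimal model of a classifier that picks an incident type from event content (Traps and EWS events, as in the example above) and a mapper that combines a default field mapping with per-type overrides and auto-maps the rest by normalized field name. The event samples, field names, and rules are constructed assumptions for the illustration.

```python
import re

# Constructed sample events from two hypothetical integration instances.
# Field names are assumptions, not the real Traps or EWS schemas.
EVENTS = [
    {"source": "Traps", "category": "Malware", "severity": "high", "host name": "ws-042"},
    {"source": "Traps", "category": "Credential Theft", "severity": "medium", "host name": "ws-017"},
    {"source": "EWS", "verdict": "phishing", "severity": "low",
     "subject": "Reset your password", "sender": "it-desk@example.test"},
    {"source": "EWS", "verdict": "malware", "severity": "high", "subject": "Invoice"},
]

def classify(event):
    """Classifier: choose the incident type from the event's content.

    In practice one classifier is defined per integration instance; here a
    single function holds one rule set per source for brevity."""
    if event["source"] == "EWS":
        return "Phishing" if event.get("verdict") == "phishing" else "Malware"
    if event["source"] == "Traps":
        # Use a shared type where the category matches, else the dedicated Traps type.
        shared = {"Malware": "Malware", "Credential Theft": "Authentication"}
        return shared.get(event["category"], "Traps")
    return "Unclassified"

# Mapper: incident field <- event field. The default applies to every
# incident type; a type-specific entry for the same incident field overrides it.
DEFAULT_MAPPING = {"severity": "severity", "details": "category"}
TYPE_MAPPINGS = {"Phishing": {"details": "subject", "emailfrom": "sender"}}
INCIDENT_FIELDS = ["severity", "details", "emailfrom", "Host Name"]

def _norm(name):
    """Normalize a field name so 'Host Name' and 'host name' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def map_fields(event, incident_type):
    """Build the incident: explicit mapping first, then auto-map by name."""
    mapping = {**DEFAULT_MAPPING, **TYPE_MAPPINGS.get(incident_type, {})}
    incident = {"type": incident_type}
    for field in INCIDENT_FIELDS:
        source = mapping.get(field)
        if source is None:  # auto-map: event key with the same normalized name
            source = next((k for k in event if _norm(k) == _norm(field)), None)
        if source in event:  # leave the incident field unset if the event lacks it
            incident[field] = event[source]
    return incident

def ingest(events):
    """Classify each event, then map it into an incident of that type."""
    return [map_fields(e, classify(e)) for e in events]
```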