1. Home
    2. Security Operations
    3. Cortex XSOAR
    4. Cortex XSOAR Administrator’s Guide
    5. Incidents
    6. Classification and Mapping
    End-of-Life (EoL)

    Classification and Mapping

    Integration ingestion
    The classification and mapping feature enables you to take the events and event information that Cortex XSOAR ingests from integrations, and classify the event as a type of Cortex XSOAR incident.
    For example, Cortex might generate alerts from Cortex Traps which you would classify according to the information in those events either as a dedicated Traps incident type or maybe Authentication or Malware. Also, you might have EWS configured to ingest both phishing and malware alerts which you want to classify to their respective incident types based on some information in the event. By classifying the events as different incident types, you can process them with different playbooks suited to their respective requirements.

    Classification

    Classification determines the type of incident that is created for events ingested from a specific integration. You create a classifier and define that classifier in an integration.

    Mapping

    You can map the fields from your 3rd party integration to the fields that you defined in your incident layouts.
    Starting with version 6.0, mappers are separate entities from classifiers. This enables you to do the following:
    • Map your fields to incident types irrespective of the integration or classifier. This means that you can create a mapping before defining an instance and ingesting incidents. By doing so, when you do define an instance and apply a mapper, the incidents that come in are already mapped.
    • Create a default mapping for all of the fields that are common to all incident types, and then map only those fields that are specific to each incident type individually. You can still overwrite the contents of a field in the specific incident type.
    • Use auto-map to automatically map fields based on their naming convention. For example, severity would be mapped to importance.
    • Mirror content in Cortex XSOAR with 3rd party integrations. This enables you to make changes to an incident in Cortex XSOAR and have that change be reflected in the case managed by the integration. For example, if you are using a case management system such as JIRA or Salesforce, you can close an incident in Cortex XSOAR and have that reflected automatically.
      Note: The integration must support pulling the integration schema for mirroring to work.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo