1. Home
    2. Cortex
    3. Cortex XSOAR
    4. Cortex XSOAR Administrator’s Guide
    5. Incidents
    6. Classification and Mapping
    7. Create a Mapper

    Create a Mapper

    Starting with version 6.0, you can create independent mappers for your integrations.
    Mappers enable you to map the information from incoming events to the incident or indicator layouts that you have in your system.
    Mapping event attributes or indicator fields now takes place in two stages. At first, you map all of the fields that are common to all incident or indicator types in the default mapping. After that, you can map the additional fields that are specific for each incident or indicator type, or overwrite the mapping that you used in the default mapping.
    In the
    Classification & Mapping
     screen, the mappings do not indicate for which incident types they are configured. Therefore, when creating a mapper, it is best practice to add to the mapper name the incident types the mapper is for. For example, Mail Listener - Phishing.
    1. Navigate to
      Classification & Mapping
      .
    2. Click
      New
       and select the mapper that you want to create.
      • Incident Mapper (Incoming) - maps all of the fields you are pulling from the integrations to the incident fields in your layouts
      • Incident Mapper (Outgoing) - maps fields from Cortex XSOAR to the fields in the integration to which you are pushing the data. This is useful for mirroring.
      • Indicator Mapping (Incoming) - maps all of the indicator fields to their indicator layout.
    3. Under
      Get data
      , select from where you want to pull the information based on which you will map the incident types.
      • Pull from instance - select an existing integration instance.
        Select schema - when supported by the integration, this will pull all of the fields for the integration from the database. This enables you to see all of the fields for each given event type that the integration supports.
      • Upload JSON - upload a formatted JSON file which includes the field you want to map.
    4. Under
      Incident Type
      , start by mapping out the
      Default Mapping
      . This mapping includes the fields that are common to all of the incident types and will save you time having to define these fields individually in each incident type.
    5. Click the event attribute to which you want to map. You can further manipulate the field using filters and transformers.
      You can click
      Auto Map
      to automatically map fields with common or similar names to fields in Cortex XSOAR. For example, Severity to Importance or Description to Description.
    6. Repeat this process for the other incident types for which this mapping is relevant.
    7. Click
      Save
      .
    8. Navigate to the
      Servers and Services
       page.
      1. Select the integration to which you want to apply the mapper.
      2. In the integration settings, under
        Mapper
        , select the classifier you created and click
        Done
        .

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2021 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo