The value of the custom incident field is determined by the value of the key in Context data to which the field is mapped.
Before you can map custom indicator fields, you need to Create a Custom Indicator Field and associate the field with the relevant indicator types.
Data returned by enrichment commands can be mapped into indicator custom fields. Enrichment commands return an entry as their result, and the entry's EntryContext property is the source for the mapping process. For the enrichment data to be considered valid, EntryContext must include a DBotScore with the fields Indicator, Score, Vendor, and Type.
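As an added illustration (not code from the product or its documentation), the following Python sketch checks a command entry's EntryContext for a DBotScore carrying the four required fields and looks up a key path in the same context. The sample entry, the Domain keys, and the dotted-path lookup are constructed assumptions, a simplified stand-in for the product's own path resolution.

```python
REQUIRED_DBOT_FIELDS = ("Indicator", "Score", "Vendor", "Type")

# Constructed sample entry: the Domain keys and every value are made up.
SAMPLE_ENTRY = {
    "EntryContext": {
        "DBotScore": [
            {"Indicator": "example.com", "Score": 2,
             "Vendor": "ExampleVendor", "Type": "domain"},
            {"Indicator": "example.org", "Score": 1,
             "Vendor": "ExampleVendor"},  # Type is missing on purpose
        ],
        "Domain": {"Name": "example.com",
                   "WHOIS": {"Registrar": "Example Registrar"}},
    }
}


def dbot_score_problems(entry):
    """Return the reasons an entry's enrichment data would not be valid."""
    context = entry.get("EntryContext") or {}
    scores = context.get("DBotScore")
    if not scores:
        return ["EntryContext has no DBotScore"]
    if isinstance(scores, dict):  # a single score object instead of a list
        scores = [scores]
    problems = []
    for i, score in enumerate(scores):
        if not isinstance(score, dict):
            problems.append(f"DBotScore[{i}] is not an object")
            continue
        # A Score of 0 is a present value, so test for None/empty explicitly.
        missing = [f for f in REQUIRED_DBOT_FIELDS if score.get(f) in (None, "")]
        if missing:
            problems.append(f"DBotScore[{i}] is missing: {', '.join(missing)}")
    return problems


def resolve_context_path(entry, path):
    """Follow a dotted key path (assumed notation) into EntryContext."""
    node = entry.get("EntryContext") or {}
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None  # nothing at this path, so a mapped field stays empty
        node = node[key]
    return node


if __name__ == "__main__":
    print(dbot_score_problems(SAMPLE_ENTRY))
    print(resolve_context_path(SAMPLE_ENTRY, "Domain.WHOIS.Registrar"))
```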
To update the mapping of a certain indicator type, first call the enrichment command. After you call the enrichment command, the data will be available in the Indicator Sample panel and the mapping can be updated. The relevant indicator custom fields will in the next mapping attempt.
1. Go to Settings > Advanced > Indicator Types.
2. Select the check box for the indicator for which to map the custom fields.
3. Click the Edit button.
4. Click the Custom Fields tab.
   The custom fields associated with this incident type are listed in the table. If you do not see a custom field in the list, verify that you associated the custom field to this incident type.
5. (Optional) In the Indicator Sample panel, enter an indicator relevant to the indicator type to load sample data.
6. Click Choose data path to map the custom field to a data path.
7. (Optional) Click the curly brackets to map the field to a context path.