End-of-Life (EoL)

Map Custom Indicator Fields

The value of the custom incident field is determined by the value of the key in Context data to which the field is mapped.
Before you can map custom indicator fields, you need to Create a Custom Indicator Field and associate the field with the relevant indicator types.
Data returned by enrichment commands can be mapped into indicator custom fields. Enrichment commands return an entry as their result, with the EntryContext property as the source of the mapping process.
For the enrichment data to be considered valid, EntryContext must include a DBotScore with the fields: Indicator, Score, Vendor and Type.
To update the mapping of a certain indicator type, first call the enrichment command. After you call the enrichment command, the data will be available in the Indicator Sample panel and the mapping can be updated. The relevant indicator custom fields will in the next mapping attempt.
  1. Go to Settings > Advanced > Indicator Types.
  2. Select the check box for the indicator for which to map the custom fields.
  3. Click the Edit button.
  4. Click the Custom Fields tab.
    The custom fields associated with this incident type are listed in the table. If you do not see a custom field in the list, verify that you associated the custom field to this incident type.
  5. (Optional) In the Indicator Sample panel, enter an indicator relevant to the indicator type to load sample data.
  6. Click Choose data path to map the custom field to a data path.
    1. (Optional) Click the curly brackets to map the field to a context path.
    2. (Optional) From the Indicator Sample panel, select a context key to map to the field.
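
The validity rule for EntryContext and the data-path mapping in step 6 can be checked offline before an integration is wired in. The following is an added example, not code from the product: the function names, the custom field names and the sample entry are hypothetical, and it assumes DBotScore may be a single object or a list and that context paths are dot-separated.

```python
REQUIRED_DBOT_KEYS = ("Indicator", "Score", "Vendor", "Type")


def dbot_score_problems(entry_context):
    """Return the reasons an EntryContext fails the DBotScore rule (empty = valid)."""
    scores = entry_context.get("DBotScore")
    # Assumption: DBotScore may be a single object or a list of objects.
    if isinstance(scores, dict):
        scores = [scores]
    if not isinstance(scores, list) or not scores:
        return ["EntryContext has no usable DBotScore"]
    problems = []
    for i, score in enumerate(scores):
        missing = [k for k in REQUIRED_DBOT_KEYS
                   if not isinstance(score, dict) or k not in score]
        if missing:
            problems.append(f"DBotScore[{i}] missing: {', '.join(missing)}")
    return problems


def resolve_path(entry_context, path):
    """Follow a dotted path (first item of any list); None if a key is absent."""
    node = entry_context
    for key in path.split("."):
        if isinstance(node, list):
            node = node[0] if node else None
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def map_custom_fields(entry_context, mapping):
    """Apply {custom_field: context_path}; reject invalid enrichment data."""
    problems = dbot_score_problems(entry_context)
    if problems:
        raise ValueError("; ".join(problems))
    return {f: resolve_path(entry_context, p) for f, p in mapping.items()}


# Constructed sample EntryContext (documentation-range IP, made-up vendor).
SAMPLE = {
    "IP": {"Address": "198.51.100.7", "Geo": {"Country": "NL"}},
    "DBotScore": {"Indicator": "198.51.100.7", "Score": 2,
                  "Vendor": "ExampleVendor", "Type": "ip"},
}

if __name__ == "__main__":
    print(map_custom_fields(SAMPLE, {"country": "IP.Geo.Country"}))
```

A path that resolves to None here corresponds to a custom field that would stay empty after mapping, which is worth catching before analysts rely on that field.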
