Classify events using a classification key in an integration
ingestion. Create an incident classifier in Cortex XSOAR.
When an integration fetches incidents, it
populates the rawJSON object in the incident object. The rawJSON
object contains all of the attributes for the event, for example the
source, when the event was created, the priority that was designated
by the integration, and more. When classifying the event, you want
to select an attribute that can determine what the event type is.
Classification & Mapping, select from where
you want to pull the information based on which you will classify
the incident types.
Pull from instance - select an existing integration instance.
Select schema - when supported by the integration, this
pulls all of the fields for the integration from the database, from
which you can select the field by which to classify the events.
Upload JSON - upload a formatted JSON file which includes
the field by which you want to classify.
the instance from where you want to choose the value.
value by which you want to classify the events.
Drag values from the
to the relevant incident type on the right.
You can optionally choose a default incident type for unclassified incidents.
Direct unclassified events to: Select
Select the integration to which you want
to apply the classifier.
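
The logic that the steps above configure (pick one rawJSON attribute, map its values to incident types, send everything else to a default type) is sketched below as an added Python example. It is not Cortex XSOAR code. The sample events, the attribute name `alert.category`, the value mapping, the incident type names and the case-insensitive matching are all assumptions made for illustration.

```python
from collections import Counter

# Constructed sample events standing in for rawJSON objects (not real integration output).
SAMPLE_EVENTS = [
    {"source": "mail-gw", "priority": 3, "alert": {"category": "Phishing"}},
    {"source": "edr", "priority": 5, "alert": {"category": "malware"}},
    {"source": "edr", "priority": 2, "alert": {"category": "Policy Violation"}},
    {"source": "proxy", "priority": 1},  # classification attribute missing
]
# Hypothetical mapping of attribute values to incident types, plus a default type.
VALUE_TO_TYPE = {"phishing": "Phishing", "malware": "Malware"}
DEFAULT_TYPE = "Unclassified"

def get_attr(raw_json, key):
    """Resolve a dotted key such as 'alert.category'; return None if absent."""
    node = raw_json
    for part in key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def candidate_values(events, key):
    """Count the distinct values seen for a key: the values that need a mapping."""
    return Counter(str(get_attr(e, key)) for e in events)

def classify(raw_json, key, mapping=VALUE_TO_TYPE, default=DEFAULT_TYPE):
    """Return the incident type for one event, falling back to the default."""
    value = get_attr(raw_json, key)
    if value is None:
        return default
    # Trimming and lowercasing is a choice made in this sketch, not product behaviour.
    return mapping.get(str(value).strip().lower(), default)

def classify_all(events, key):
    """Classify every event and report the values that fell through to the default."""
    types, unmapped = [], set()
    for event in events:
        incident_type = classify(event, key)
        types.append(incident_type)
        if incident_type == DEFAULT_TYPE:
            value = get_attr(event, key)
            unmapped.add("<missing>" if value is None else str(value))
    return types, sorted(unmapped)

if __name__ == "__main__":
    print(candidate_values(SAMPLE_EVENTS, "alert.category"))
    print(classify_all(SAMPLE_EVENTS, "alert.category"))
```

The list of unmapped values shows which events land in the default incident type, either because the chosen attribute is absent or because its value has no mapping yet.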