.png)
Event and Incident Intake Field Mapping
LAST UPDATED: SEPT 28, 2024
Event and incident intake commands will require Event Field Mapping and Incident Field Mapping. D3 has added the essential event and incident field mapping for System integrations.
Event Intake Specific Field Mapping
Event mapping must be configured via the Event Field Mapping popup, which can be opened from the Overview > Settings section of the command. Extracted fields must either be mapped to D3 fields via the D3 Data Model, or to custom fields defined by the user.
Below is an example of field extraction mapping for the CrowdStrike integration.
In the Fetch Event command page, click on the Setup Field Extraction Mapping button.
-20240927-023836.png?inst-v=3aad7b54-0db1-4981-9037-aa5431705c67)
Click on the Edit Main JSON Path button to configure the default Event Source.
Edit Event Source to enter the Main JSON Path for the CrowdStrike event data: $.logs
Click on the Save button.
-20240927-033135.png?inst-v=3aad7b54-0db1-4981-9037-aa5431705c67)
Click on + Add Field button to insert a new field and map event source fields to corresponding fields in the D3 Data Model.
-20240927-033208.png?inst-v=3aad7b54-0db1-4981-9037-aa5431705c67)
Input a name for the field.
READER NOTE
Clicking the input box will render a dropdown menu containing all standardized field names from the D3 Data Model.
-20240927-032957.png?inst-v=3aad7b54-0db1-4981-9037-aa5431705c67)
Enter a source field.
-20240927-153902.png?inst-v=3aad7b54-0db1-4981-9037-aa5431705c67)
Select a source type from the dropdown.
-20240927-153945.png?inst-v=3aad7b54-0db1-4981-9037-aa5431705c67)
(Optional) Toggle the "Show in Incident" option to display the corresponding field in the "Key Information" section of the Event Summary within the Incident Overview. Users may specify the display order of the field. If no order number is provided, the field will appear last. If none of the mapped fields have the "Show in Incident" option toggled on, the Event Summary section will default to displaying a standard set of field values.
READER NOTE
Use artifact settings to configure source-specific paths for artifact identities. For further details on configuring artifacts, refer to Artifacts.
Click Save and then continue the other fields mapping following the steps from 2-8 until all desired field mappings are complete.
READER NOTE
The Field Type column indicates whether a field is user-defined or a built-in field.
-20240927-154006.png?inst-v=3aad7b54-0db1-4981-9037-aa5431705c67)
%201-20240927-154201.png?inst-v=3aad7b54-0db1-4981-9037-aa5431705c67)
For more granular field mapping, you can add one or more custom Event Sources. This feature allows you to map specific third party data fields to the D3 Data Model or user-defined field when a search string is satisfied.
Configuring a New Event Source
Click the + Add Event Source button.
-20240927-154753.png?inst-v=3aad7b54-0db1-4981-9037-aa5431705c67)
Complete the following fields on the Event Source form:
Event Source Name: Enter a custom event source name.
Search String: Enter a search string using the following format:
CODE{jsonpath}= valueOrder Priority: This field allows the SOC Engineer to determine which custom event source takes priority when field mappings apply to one or more event sources (the lowest number ranks the highest priority).
Click the Save button to confirm changes.
Result: The newly created Event Source will appear in the drop-down list on the Field Extraction window.
Source Field Types
D3 SOAR uses the Source Field Types to define how the mapped event data will be formatted within the application. The table below outlines the different source field types available and examples of how to use them.
Source Field Type | Description |
|---|---|
Text | Text: The source field will be formatted as text. Example: Event Type |
Datetime | Datetime: The source field will be formatted as a datetime. Default datetime format: Other datetime formats can be: UnixTimeSeconds, UnixTimeMilliseconds |
Regex | Regular Expression: The source field will be formatted as a regular expression with capture groups. Source Format: Get data from the capture groups. Example: $1 |
Conditions | Condition: Set conditions that must be met before the event field maps the data. Example: |
Placeholder | Placeholders: Combine previously mapped fields into a new string. Use the field name (not display name) of D3 Data Model fields or the user-defined field name.  Put the field name in {} and construct a template in the Source Format. There are some system default placeholders that can also be used. These are found by clicking on system variables. |
Incident Intake Specific Field Mapping
Event Field Mapping
Event field mapping will also need to be completed for incident intake so that any child events that get ingested along with the incident will be properly mapped.
READER NOTE
Event field mappings are shared between both the event intake and incident intake commands. Therefore, the user only needs to configure the event field mapping once.
Add the same JSON Path as required for the event intake to correctly link the events with the incident:
-20240927-161237.png?inst-v=3aad7b54-0db1-4981-9037-aa5431705c67)
Incident Field Mapping
The incident field mapping is only available for the incident intake Command.
The mapping allows the SOC engineer to determine the following:
Title
Description
Severity
Incident Type
Incident Creator
Incident Owner
Incident Playbook
Due In Date
Origin ID
Unique Key
Tactics
Techniques
The SOC engineer will need to input the Main JSON Path and define the Default Incident Source. For more flexibility, the SOC engineer can also define the mapping based on the site.