
Event and Incident Intake Field Mapping

Incident and Event Intake Commands also require Event Field Mapping and Incident Field Mapping. Note that D3 Security has already added the essential event and incident field mappings for System Integrations.

Event Intake Specific Field Mapping

The Event Mapping is configured via the Event Field Extraction Mapping, located in the overview of an event intake command.

For an Event Intake integration, the extracted fields must be mapped either to fields in the D3 Data Model or to custom fields defined by the user.

Below is an example of Field Extraction Mapping for the system Datadog Integration.

  1. On the fetchEvent Command page, click the Setup Field Extraction Mapping button.

  2. Click the Edit Event Source button to configure the default Event Source.

    1. Edit the Event Source to enter the Main JSON Path for the Datadog event data: $.logs

    2. Click the Save button.

  3. Click + Add Field to map a field from the event source to a field within the D3 Data Model.

  4. Enter a name for Field Name: Event Type

Reader Note

The dropdown lists all the standardized field names within the D3 Data Model.

  5. Select a Source Field: .content.attributes.evt.name

  6. Enter or select a Source Type from the dropdown: Text

  7. (Optional) If you select the "Show in Incident" option, the corresponding field will appear in the "Key Information" section of the Event Summary in the Incident Overview. You can also specify the order in which the field should be displayed; if no order number is specified, the field is displayed last. If none of the field mappings have the "Show in Incident" option enabled, the "Events Summary" section displays a default set of field values.

Reader Note

Artifact Settings is used to configure source-specific paths in artifact identities. For more details on how to configure artifacts, please refer to this document.

  8. Click Save, then continue with the remaining field mappings by following steps 2-8 until all desired field mappings are complete.

Reader Note

The Field Type column on this screen displays whether a field is user defined or a built-in field.

Reader Note

For more granular field mapping, you can add one or more custom Event Sources. This feature lets you map specific third-party data fields to the D3 Data Model or to a user-defined field whenever a search string is satisfied.

Configuring a New Event Source

  1. Click the + Add Event Source button.

  2. Complete the following fields on the Event Source form:

    1. Event Source Name: Enter a custom event source name.

    2. Search String: Enter a search string in the format {jsonpath}= value.

    3. Order Priority: Determines which custom event source takes priority when field mappings apply to more than one event source (the lowest number has the highest priority).

  3. Click the Save button to confirm the changes.

Result: The newly created Event Source will appear in the drop-down list on the Field Extraction window.


Source Field Types

D3 SOAR utilizes the Source Field Types to define how the mapped event data will be formatted within the application. The table below outlines the different source field types available and examples of how to use them.

Source Field Type: Text
Description: The source field will be formatted as text.
Example: Event Type

Source Field Type: Datetime
Description: The source field will be formatted as a datetime.
Default datetime format: yyyy-MM-dd HH:mm:ss
Other datetime formats: UnixTimeSeconds, UnixTimeMilliseconds

Source Field Type: Regex
Description: The source field will be formatted as a regular expression with capture groups.
Example: ipAddress:(.+)\S
Source Format: Get data from the capture groups.
Example: $1

Source Field Type: Conditions
Description: Set conditions that must be met before the event field maps the data.
Example: {"Fieldname": "EventID", "OP": "eq", "Value": "7", "ParseAsSourceType": 1, "ParseAsSourceFormat": ""}

Source Field Type: Placeholder
Description: Combine previously mapped fields into a new string.
Use the field name (not the display name) of D3 Data Model fields, or the user-defined field name.
Put the field name in {} and construct a template in the Source Format.
Some system default placeholders can also be used; these are found by clicking System Variables.
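As an added illustration (not part of the D3 documentation or of the D3 SOAR product code), the following Python script simulates the event field mapping described in the walkthrough and in the Source Field Types table above: it splits a constructed Datadog-shaped payload at the Main JSON Path $.logs, picks a custom Event Source by its {jsonpath}= value search string and Order Priority, and applies Text, Datetime, Regex, Conditions and Placeholder mappings to produce D3 Data Model fields. The payload, the event source names, the mapping rows and their dictionary keys (including "pattern" for the regular expression), and the field names EventType, EventID, EventTime, SourceIP, FailedLogin and Summary are all constructed assumptions; the dotted-path resolver stands in for the product's JSONPath engine and handles plain keys only, and the Conditions evaluator treats any OP other than the page's "eq" as not met.

```python
import re
from datetime import datetime, timezone

# Constructed, Datadog-shaped payload for the walkthrough's Main JSON Path "$.logs" (not real output).
SAMPLE_PAYLOAD = {"logs": [
    {"content": {"timestamp": 1706735204, "attributes": {"evt": {"name": "authentication", "id": "7"},
                 "host": "web-01", "message": "failed login ipAddress:203.0.113.5 user=alice"}}},
    {"content": {"timestamp": 1706735300, "attributes": {"evt": {"name": "process", "id": "4"},
                 "host": "web-02", "message": "spawned ipAddress:198.51.100.7 cmd=ls"}}},
]}

# Constructed event sources: the default carries the Main JSON Path; custom ones add a
# '{jsonpath}= value' search string and an Order Priority (lowest number wins).
DEFAULT_SOURCE = {"name": "Default", "main_json_path": "$.logs"}
CUSTOM_SOURCES = [
    {"name": "Auth events", "order_priority": 2, "search_string": "{.content.attributes.evt.name}= authentication"},
    {"name": "Web-01 events", "order_priority": 1, "search_string": "{.content.attributes.host}= web-01"},
]

# Constructed mapping rows: D3 field name (no spaces, since Placeholders use the field name, not the
# display name), Source Field, Source Type and optional Source Format / pattern / Conditions.
FIELD_MAPPINGS = [
    {"field_name": "EventType", "source_field": ".content.attributes.evt.name", "source_type": "Text"},
    {"field_name": "EventID", "source_field": ".content.attributes.evt.id", "source_type": "Text"},
    {"field_name": "EventTime", "source_field": ".content.timestamp", "source_type": "Datetime",
     "source_format": "UnixTimeSeconds"},
    {"field_name": "SourceIP", "source_field": ".content.attributes.message", "source_type": "Regex",
     "pattern": r"ipAddress:(\S+)", "source_format": "$1"},
    {"field_name": "FailedLogin", "source_field": ".content.attributes.message", "source_type": "Text",
     "conditions": [{"Fieldname": "EventID", "OP": "eq", "Value": "7"}]},  # the page's Conditions example
    {"field_name": "Summary", "source_type": "Placeholder",
     "source_format": "{EventType} on {SourceIP} at {EventTime}"},
]

SEARCH_STRING_RE = re.compile(r"^\{(?P<path>[^{}]+)\}\s*=\s*(?P<value>.*?)\s*$")
DATETIME_FORMATS = {"yyyy-MM-dd HH:mm:ss": "%Y-%m-%d %H:%M:%S"}  # the page's default, in strptime form

def resolve(obj, path):
    """Walk a dotted path such as '.content.attributes.evt.name'; None if a key is missing.
    Plain keys only: this stands in for the product's JSONPath engine."""
    cur = obj
    for key in path.strip("$.").split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def select_event_source(event, custom_sources, default=DEFAULT_SOURCE):
    """Custom source whose search string matches the event; lowest Order Priority breaks ties."""
    hits = []
    for src in custom_sources:
        m = SEARCH_STRING_RE.match(src["search_string"])
        if m and str(resolve(event, m.group("path"))) == m.group("value"):
            hits.append(src)
    return min(hits, key=lambda s: s["order_priority"]) if hits else default

def parse_datetime(value, source_format="yyyy-MM-dd HH:mm:ss"):
    """Normalise a source timestamp to ISO-8601 UTC for the three formats the page names."""
    if source_format in ("UnixTimeSeconds", "UnixTimeMilliseconds"):
        seconds = int(value) / (1000 if source_format == "UnixTimeMilliseconds" else 1)
        dt = datetime.fromtimestamp(seconds, tz=timezone.utc)
    else:
        dt = datetime.strptime(str(value), DATETIME_FORMATS[source_format]).replace(tzinfo=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def condition_holds(mapped, cond):
    """Check one Conditions entry against fields mapped so far ('eq' is the only OP the page shows)."""
    return cond["OP"] == "eq" and str(mapped.get(cond["Fieldname"])) == str(cond["Value"])

def map_field(event, mapping, mapped):
    """Value for one mapping row, or None when the row does not apply to this event."""
    if not all(condition_holds(mapped, c) for c in mapping.get("conditions", [])):
        return None
    stype = mapping["source_type"]
    if stype == "Placeholder":  # {FieldName} tokens expand to already-mapped field values
        return re.sub(r"\{([^{}]+)\}", lambda t: str(mapped.get(t.group(1), "")), mapping["source_format"])
    raw = resolve(event, mapping["source_field"])
    if raw is None:
        return None
    if stype == "Text":
        return str(raw)
    if stype == "Datetime":
        return parse_datetime(raw, mapping.get("source_format", "yyyy-MM-dd HH:mm:ss"))
    if stype == "Regex":  # Source Format "$1", "$2", ... selects the numbered capture groups
        m = re.search(mapping["pattern"], str(raw))
        return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), mapping["source_format"]) if m else None
    raise ValueError(f"unsupported source type {stype!r}")

def map_event(event, mappings):
    """Apply rows in order so Conditions and Placeholders can refer to earlier fields."""
    mapped = {}
    for mapping in mappings:
        value = map_field(event, mapping, mapped)
        if value is not None:
            mapped[mapping["field_name"]] = value
    return mapped

def ingest(payload, mappings=FIELD_MAPPINGS, sources=CUSTOM_SOURCES):
    """Split the payload at the Main JSON Path and map every child event."""
    return [{"event_source": select_event_source(ev, sources)["name"], "fields": map_event(ev, mappings)}
            for ev in resolve(payload, DEFAULT_SOURCE["main_json_path"]) or []]
```

Calling ingest(SAMPLE_PAYLOAD) returns one record per child event: the first event matches both custom sources and is assigned "Web-01 events" because its Order Priority of 1 outranks 2, while the second falls back to the default source; FailedLogin is only populated for the event whose already-mapped EventID is "7", and Summary is built from the three earlier fields, which is why mapping rows are applied in order.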

Incident Intake Specific Field Mapping

Event Field Mapping

Event Field Mapping will also need to be completed for Incident Intake so that any child events that get ingested along with the Incident will be properly mapped.

Please note, the event field mappings are shared across both the Event Intake and Incident Intake Command. As such, you will only need to configure the event field mapping once.

Add the same Main JSON Path that the Event Intake uses, so that the ingested Events are correctly linked to the Incident.

Incident Field Mapping

The Incident Field Mapping is only available for the Incident Intake Command.

The Mapping allows the SOC Engineer to determine the following:

  1. Title

  2. Description

  3. Severity

  4. Incident Type

  5. Incident Creator

  6. Incident Owner

  7. Incident Playbook

  8. Due in Date

  9. Unique Key

The SOC Engineer will need to input the Main JSON Path and define the Default Incident Source. For more flexibility, the SOC engineer can also define the mapping based on the site.
