Event and Incident Intake Field Mapping
Event Intake and Incident Intake commands also require Event Field Mapping and Incident Field Mapping. Note that D3 Security already ships the essential event and incident field mappings for its system integrations.
Event Intake Specific Field Mapping
Event mapping is configured through the Event Field Extraction Mapping, found in the overview of an event intake command.
For an Event Intake integration, the fields extracted from the source data must be mapped either to fields in the D3 Data Model or to custom fields defined by the user.
Below is an example of Field Extraction Mapping for the system Datadog Integration.
In the fetchEvent Command page, click on the Setup Field Extraction Mapping button.
Click on the Edit Event Source button to configure the default Event Source.
Edit Event Source to enter the Main JSON Path for the Datadog event data: $.logs
Click on the Save button.
Click + Add Field to map a field from the event source to a field within the D3 Data Model.
Enter or select the Field Name: Event Type
Reader Note
The dropdown lists all the standardized field names within the D3 Data Model.
Select a Source Field (a JSON Path evaluated against each object under the Main JSON Path): .content.attributes.evt.name
Enter or select a Source Type from the dropdown: Text
(Optional) If you select the Show in Incident option, the field will appear in the Key Information section of the Event Summary in the Incident Overview. You can also specify the order in which the field is displayed; a field with no order number is displayed last. If none of the field mappings has Show in Incident enabled, the Events Summary section displays a default set of field values.
Reader Note
Artifact Settings is used to configure source-specific paths for artifact identities. For details on configuring artifacts, refer to the Artifacts documentation.
Click Save, then repeat the steps above from + Add Field onward for each remaining field until all desired field mappings are complete.
Reader Note
The Field Type column on this screen will display whether a field is user defined or a built-in field.
Reader Note
For more granular field mapping, you can add one or more custom Event Sources. A custom Event Source maps specific third-party data fields to the D3 Data Model or to user-defined fields only for events that satisfy its search string.
Configuring a New Event Source
Click the + Add Event Source button.
Complete the following fields on the Event Source form:
Event Source Name: Enter a custom event source name.
Search String: Enter a search string in the format {jsonpath}=value. The custom Event Source applies only to events for which the value at the JSON Path equals the given value.
Order Priority: Determines which custom Event Source wins when the search strings of more than one Event Source match the same event (the lowest number has the highest priority).
Click the Save button to confirm changes.
Result: The newly created Event Source will appear in the drop-down list on the Field Extraction window.
Source Field Types
D3 SOAR uses the Source Field Type to define how the mapped event data is interpreted and formatted within the application. The table below outlines the available source field types and how to use them.
Source Field Type | Description |
---|---|
Text | The source field is kept as text. Example: Event Type |
Datetime | The source field is parsed as a datetime using the default datetime format. Other supported datetime formats include UnixTimeSeconds and UnixTimeMilliseconds. |
Regex | The source field is matched against a regular expression with capture groups, and the Source Format pulls data from those capture groups. Example Source Format: $1 |
Conditions | Set conditions that must be met before the event field maps the data; if the condition is not satisfied, the field is left unmapped. |
Placeholder | Combine previously mapped fields into a new string. Use the field name (not the display name) of D3 Data Model fields or the user-defined field name, put the field name in {}, and construct a template in the Source Format. Some system default placeholders can also be used; they are listed under system variables. |
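To make the mapping rules above concrete, here is an added, stand-alone Python model of the Event Field Extraction Mapping (example code written for this page, not D3 Security's implementation). It walks the Main JSON Path, picks the Event Source for each event by search string and Order Priority, and applies Text, Datetime, Regex, Conditions and Placeholder mappings. The Datadog-shaped payload, the event sources, the mapping table and every function name are constructed assumptions; the mapping dictionary keys (`source`, `pattern`, `format`, `condition`) and the condition syntax reusing the `{jsonpath}=value` search-string form are modelling choices, not the product's own configuration format.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the shape of a Datadog fetchEvent response (not real data).
SAMPLE_RESPONSE = {"logs": [
    {"id": "AX1", "content": {"timestamp": 1700000000,
        "message": "sshd: login failed for root from 10.0.0.5",
        "attributes": {"evt": {"name": "authentication"}, "service": "sshd"}}},
    {"id": "AX2", "content": {"timestamp": 1700000123000,
        "message": "quarantined C:\\tmp\\dropper.exe sha256=ab12",
        "attributes": {"evt": {"name": "malware"}, "service": "edr"}}},
]}
MAIN_JSON_PATH = "$.logs"

# Event Sources: the default has no search string; custom ones use "{jsonpath}=value".
EVENT_SOURCES = [
    {"name": "Default Event Source", "search": None, "priority": 100},
    {"name": "Datadog EDR", "search": ".content.attributes.service=edr", "priority": 1},
]

# Field mappings per Event Source. "field" is the D3 Data Model / user-defined field name
# (not the display name), "source" a JSON Path relative to each event object.
FIELD_MAPPINGS = {
    "Default Event Source": [
        {"field": "EventType", "source": ".content.attributes.evt.name", "type": "Text"},
        {"field": "StartTime", "source": ".content.timestamp", "type": "Datetime",
         "format": "UnixTimeSeconds"},
        {"field": "SourceIP", "source": ".content.message", "type": "Regex",
         "pattern": r"from (\d+\.\d+\.\d+\.\d+)", "format": "$1"},
        # Conditions: only map Username when the evt.name condition holds (assumed syntax).
        {"field": "Username", "source": ".content.message", "type": "Regex",
         "pattern": r"for (\S+) from", "format": "$1",
         "condition": ".content.attributes.evt.name=authentication"},
        {"field": "Description", "type": "Placeholder",
         "format": "{EventType} event for {Username} from {SourceIP}"},
    ],
    "Datadog EDR": [
        {"field": "EventType", "source": ".content.attributes.evt.name", "type": "Text"},
        {"field": "StartTime", "source": ".content.timestamp", "type": "Datetime",
         "format": "UnixTimeMilliseconds"},
        {"field": "FilePath", "source": ".content.message", "type": "Regex",
         "pattern": r"quarantined (\S+)", "format": "$1"},
        {"field": "Description", "type": "Placeholder", "format": "{EventType}: {FilePath}"},
    ],
}


def resolve(path, obj):
    """Minimal JSONPath subset: '$.a.b', '.a.b' or 'a.b', with optional [n] indices.
    Assumption: the product's evaluator is fuller; this covers the walkthrough."""
    cur = obj
    for part in re.findall(r"[^.\[\]]+|\[\d+\]", path.lstrip("$")):
        if part.startswith("["):
            cur = cur[int(part[1:-1])] if isinstance(cur, list) else None
        elif isinstance(cur, dict):
            cur = cur.get(part)
        else:
            return None
        if cur is None:
            return None
    return cur


def matches_search(search, event):
    """Search String format from the doc: '{jsonpath}=value' (whitespace around '=' ignored)."""
    path, _, value = search.partition("=")
    return str(resolve(path.strip(), event)) == value.strip()


def select_event_source(event, sources):
    """Custom sources whose search string matches win; lowest Order Priority breaks ties;
    otherwise fall back to the default source (the one with no search string)."""
    custom = [s for s in sources if s["search"] and matches_search(s["search"], event)]
    if custom:
        return min(custom, key=lambda s: s["priority"])
    return next(s for s in sources if s["search"] is None)


class _Blank(dict):
    """Placeholder template: an unmapped {FieldName} renders as empty text."""
    def __missing__(self, key):
        return ""


def convert(value, mapping, mapped):
    """Apply one Source Field Type to a raw value; 'mapped' holds fields mapped so far."""
    t = mapping["type"]
    if t in ("Text", "Datetime", "Regex") and value is None:
        return None
    if t == "Text":
        return str(value)
    if t == "Datetime":
        fmt = mapping.get("format", "UnixTimeSeconds")
        secs = value / 1000 if fmt == "UnixTimeMilliseconds" else value
        return datetime.fromtimestamp(secs, tz=timezone.utc).isoformat()
    if t == "Regex":
        m = re.search(mapping["pattern"], str(value))
        if not m:
            return None
        # Source Format such as "$1" pulls data from the capture groups.
        return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", mapping["format"])
    if t == "Placeholder":
        present = {k: v for k, v in mapped.items() if v is not None}
        return mapping["format"].format_map(_Blank(present))
    raise ValueError(f"unknown source field type {t}")


def extract_events(response, main_path, sources, mappings):
    """Return one mapped event dict per object under the Main JSON Path."""
    events = []
    for raw in resolve(main_path, response) or []:
        source = select_event_source(raw, sources)
        mapped = {}
        for m in mappings[source["name"]]:
            if m.get("condition") and not matches_search(m["condition"], raw):
                continue  # condition not met: leave the field unmapped
            value = resolve(m["source"], raw) if m.get("source") else None
            mapped[m["field"]] = convert(value, m, mapped)
        mapped["_EventSource"] = source["name"]
        events.append(mapped)
    return events


def run_example():
    return extract_events(SAMPLE_RESPONSE, MAIN_JSON_PATH, EVENT_SOURCES, FIELD_MAPPINGS)


if __name__ == "__main__":
    for ev in run_example():
        print(ev)
```

The first log has service sshd, so no custom search string matches and the default Event Source applies; the second has service edr, so the Datadog EDR source (priority 1) takes over and interprets the timestamp as milliseconds. Placeholders are resolved after the fields they reference, which is why Description is listed last in each mapping.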
Incident Intake Specific Field Mapping
Event Field Mapping
Event Field Mapping must also be completed for Incident Intake so that any child events ingested along with the incident are mapped correctly.
Note that the event field mappings are shared between the Event Intake and Incident Intake commands, so you only need to configure the event field mapping once.
Use the same Main JSON Path as for the Event Intake; this is required to correctly link the ingested events to the incident.
Incident Field Mapping
Incident Field Mapping is only available for the Incident Intake command.
The mapping lets the SOC Engineer define the following incident fields:
Title
Description
Severity
Incident Type
Incident Creator
Incident Owner
Incident Playbook
Due in Date
Unique Key
The SOC Engineer must enter the Main JSON Path and define the Default Incident Source. For more flexibility, the mapping can also be defined per site.