Field Mapping
Field mapping serves as a bridge between how data points from integrated data sources are displayed on the D3 SOAR investigation dashboard. Additionally, it provides a standardized data format for data consistency to facilitate data correlation, efficient automation, and streamlined incident handling. Here’s how it works:
Field mappings are configured for fetchEvent
or fetchIncident
commands.
fetchEvent
retrieves data from sources and inputs them as events into D3 SOAR.fetchIncident
, conversely, ingests data as incidents into D3 SOAR.
Reader Note
For fetchEvent
commands, you need to configure Event Field Mapping. On the other hand, both Event and Incident Field Mappings need to be configured with fetchIncident
commands.
What’s the difference between events and incidents?
Some systems only provide a single layer of raw data, while others offer two. For instance, Microsoft Sentinel differentiates between alerts and incidents. With this in mind, D3 also employs a two-level approach to organize ingested data:
Events: Raw data from systems like SIEMs, email protection, EDRs, and many more. Events are undetermined data, meaning they haven't yet been checked for potential security risks.
Incidents: Consists of one or more events that are flagged as potentially malicious and need investigating.
Event Field Mapping
For built-in integrations, D3 provides a set of default event field mappings. However, D3 provides the flexibility for you to modify and add mappings as you see fit, which opens up endless configurability. For instance, you may want to map the flagStatus
field for the Office 365 connector, which isn’t mapped by default in D3 SOAR. Event field mapping can be configured by navigating to Configuration > Integrations > [Your Desired Integration] > Event Intake > Setup Event Field Mapping.
Event Source
Some third-party platforms offer multiple types of retrievable data. While most built-in integrations come with a single default event source to cater to the majority of data ingestion scenarios, there are exceptions. For instance, integrations such as Microsoft Sentinel provide various data types for ingestion, including incidents, events, and alerts, requiring three additional corresponding event sources. You can also create new event sources for various edge cases.
Main Event JSON Path: This is the parent JSON array in the ingested data’s structure for the event source. This is configured by specifying the JSON path in dot notation.
For example, take a look at the following condensed JSON structure representing event data from Office 365:
JSON{ "@odata.context":"<https://graph.microsoft.com/v1.0/$metadata#users('sysint%40d3devcyber.onmicrosoft.com')/mailFolders('Inbox')/messages(attachments()>)", "value":[ { "@odata.etag":"W/\\"CQAAABYAAAA5S8SNezXtS61ZDvwztvPVAAAkd5by\\"", "id":"AAMkAGI5ODVlN2I2LWVlODktNDhkYS1iZjI4LTU1NTQ1YTliMmZmYQBGAAAAAADOVKOjlhkSQK6WF_M4xWz-BwA5S8SNezXtS61ZDvwztvPVAAAAAAEMAAA5S8SNezXtS61ZDvwztvPVAAAkgSisAAA=", "createdDateTime":"2021-05-13T21:48:49Z", "lastModifiedDateTime":"2021-05-13T21:48:51Z", "changeKey":"CQAAABYAAAA5S8SNezXtS61ZDvwztvPVAAAkd5by", "categories":[], "receivedDateTime":"2021-05-13T21:48:50Z", "sentDateTime":"2021-05-13T21:46:50Z", "hasAttachments":true, "internetMessageId":"<CAO78ce_dnvP+PYXnYyczkMsFwczG6T4vP71YQUNi1hjgi-3ntA@mail.gmail.com>", "subject":"Phishing1", "bodyPreview":"", "importance":"normal", "parentFolderId":"AAMkAGI5ODVlN2I2LWVlODktNDhkYS1iZjI4LTU1NTQ1YTliMmZmYQAuAAAAAADOVKOjlhkSQK6WF_M4xWz-AQA5S8SNezXtS61ZDvwztvPVAAAAAAEMAAA=", "conversationId":"AAQkAGI5ODVlN2I2LWVlODktNDhkYS1iZjI4LTU1NTQ1YTliMmZmYQAQAPuXocauAD5AukCNPirqico=", "conversationIndex":"AQHXSEHC+5ehxq4APkC6QI0+KuqJyg==", "isDeliveryReceiptRequested":null, "isReadReceiptRequested":false, "isRead":false, "isDraft":false, "webLink":"<https://outlook.office365.com/owa/?ItemID=AAMkAGI5ODVlN2I2LWVlODktNDhkYS1iZjI4LTU1NTQ1YTliMmZmYQBGAAAAAADOVKOjlhkSQK6WF%2BM4xWz%2FBwA5S8SNezXtS61ZDvwztvPVAAAAAAEMAAA5S8SNezXtS61ZDvwztvPVAAAkgSisAAA%3D&exvsurl=1&viewmodel=ReadMessageItem>", "inferenceClassification":"focused", "body":{}, "sender":{}, "from":{}, "toRecipients":[], "ccRecipients":[], "bccRecipients":[], "replyTo":[], "flag":{}, "attachments":[], "originalEmail":[], "originalMessageFile":[] } ] }
The most relevant event data from Office 365 reside under the key
$.value
. However, there's also the$[.@odata.context](<mailto:.@odata.context>)
key, which provides the payload's context URL—usually not relevant for incident responses. By setting the “Main Event JSON Path”, the system knows to associate fields starting with$.value
. This means that instead of writing out the full path as$.value.[field]
when defining additional field mappings for the event source, you can shorthand it to.[field]
.Search String: This feature enables an event source to sift through ingested data, focusing solely on specific values or based on regular expressions. For instance, if you wish to only capture events from Office 365 that have a "high" importance level, found at the path
$.value.importance
in the JSON object, you would set the search string to$.value.importance=high
when establishing a new event source. Regex expressions can be used to tell D3 to only extract a certain type of data from the data source. For example, in the Splunk v2 integration, there is a built-in event source for WinEventLog, or Windows Event Log. The search string with the Regex condition for this event source is{sourcetype}=WinEventLog:*
.
Reader Note
Search strings can be specified using one of the following formats: {jsonpath}=value
, {jsonpath}={{regex}}
, or jsonpath=value
.
Order Priority: In situations where several event sources are set up for a fetch command, the system gives precedence to the event source with the lowest order priority number, especially in cases of overlapping field mappings.
Mapped Fields
Event sources have fields that map the relationship between ingested data and an event field.
Source Field: The JSONPath of the key to specify the desired field to map from the ingested JSON data. As mentioned above, when you do not have to specify the JSON path of the “Main Event JSON Path”. For example, if the full JSONPath of the desired map field is
$.value.importance
, and the “Main Event JSON Path” has been set as$.value
, you will need to input.importance
as the source field.Source Field: This refers to the JSONPath of the key which identifies the specific field you want to map from the ingested JSON data. Remember, if you've already defined the Main Event JSON Path, you don't need to specify the entire JSON path again. Let's say your desired field has a full JSONPath of
$.value.importance
. If the Main Event JSON Path is set to$.value
, then you only need to input.importance
as the source field.Source Type: The data type of the mapped field, which can be
Text
,Datetime
,Regex
, andPlaceholder
. This lets D3 know how the data will be formatted within the application.
Source Type | Description |
---|---|
Text | Formatted as a plain text field. |
Datetime | Formatted as a datetime field. The default datetime format is |
Regex | Applies a regular expression to filter the field value (e.g. |
Placeholder | Concatenates the values from multiple mapped fields as a single plain text field (e.g. |
Unique Key Field Mapping
The Unique Key
event field mapping tells D3 SOAR how to distinguish each event upon ingestion and prevent duplicated events. This is done by pinpointing a UUID or primary key found within the event data and mapping it to D3’s event Unique Key
field. Events are ingested differently based on whether a Unique Key
field mapping has been configured. Here's how it works:
If the Unique Key Field is Mapped:
Only events with a unique key value are ingested. A new event containing an existing Unique Key
with a different set of raw event data will not be ingested.
If the Unique Key Field is NOT Mapped:
Only events containing unique raw data are ingested. Events with identical raw event data as any existing event in the system will not be ingested.
Incident Field Mapping
Incident field mapping is exclusively available for fetchIncident
commands. In most cases, default incident field mappings are already available. If you wish to customize them, you can do so by navigating to Configuration > Integrations > [Your Desired Integration] > Incident Intake > Setup Incident Field Mapping.
Please note that event field mapping must also be configured for fetchIncident
commands. Incident field mapping allows you to map the following set of incident-specific system fields with the ingested data of a command:
Incident Fields | Description |
---|---|
Title | The title of the incident. |
Description | A description text about the incident. |
Severity | The triage severity level of the incident. |
Incident Type | The default incident type to apply to the incident after ingestion. Note: Incident types can be configured within the incident form editor. |
Incident Creator | The default creator of the incident after ingestion. |
Incident Owner | The default owner of the incident after ingestion. Owners have the permission to modify incident details, run the playbook and assign investigators. |
Incident Playbook | The default incident playbook which will be run after ingestion. |
Due in Date | The deadline for the incident to be concluded and closed. This is the current date plus x number of days. |
Unique Key | The unique key to identify the incident upon ingestion. Refer to the Unique Key Field Mapping section below for more details. |
Tactics | The JSON path in the incident data to extract MITRE tactics. Any matching values will appear as a new instance in the Monitor module. |
Techniques | The JSON path in the incident data to extract MITRE techniques. Any matching values will appear as a new instance in the Monitor module. |
Main JSON Path
Some third-party systems may offer their incidents in the form of an overarching incident dataset with sub-events embedded inside. In that case, we need to tell D3 SOAR which JSON path where the incident portion of the data starts. If no Main JSON Path has been specified, it will default to the root path.
Consider the following condensed JSON structure representing incident data from Cybereason:
{
"data":{
"resultIdToElementDataMap":[],
"suspicionsMap":{},
"evidenceMap":{},
"totalPossibleResults":1,
"guessedPossibleResults":0,
"queryLimits":{},
"queryTerminated":false,
"pathResultCounts":[],
"guids":[]
},
"status":"SUCCESS",
"hidePartialSuccess":false,
"message":"",
"expectedResults":1,
"failures":0
}
If our primary interest lies in the data under the "resultIdToElementDataMap"
key, the Main JSON Path can be set to $.data.resultIdToElementDataMap
. The rest of the arrays in this JSON are not relevant for our analysis.
Reader Note
When you set a Main JSON path, it will be universally applied to all incident sources within the fetchIncident
command.
Site
Each site can have its own unique incident field mappings, allowing various sites to have distinct incident sources and associated mappings. By default, all sites utilize the “Default Site” mappings.
To customize incident field mappings for a particular site:
Choose the desired site.
View its "Default Incident Source."
If necessary, you can either adjust the "Default Incident Source" or create a new incident source.
Click on the "+ Add Default Mappings" button to apply the standard mappings to your chosen site’s "Default Incident Source."
Once added, you can then modify individual mappings as needed.
Incident Source
For the specified site, multiple incident sources can be configured. Unless you want configure a customized search string for the incident source, you do not need to add a new incident source. Incident sources have the following configurable components:
Search String: This feature enables an incident source to sift through ingested data, focusing solely on specific values or based on Regex expressions.
Reader Note
Search strings can be specified using one of the following formats: {jsonpath}=value
, {jsonpath}={{regex}}
, or jsonpath=value
.
Order Priority: In situations where several incident sources are set up for a fetch command, the system gives precedence to the incident source with the lowest order priority number, especially in cases of overlapping field mappings.
Unique Key Field Mapping
The Unique Key
incident field mapping tells D3 SOAR how to distinguish each event upon ingestion and prevent duplicated events. This is done by pinpointing a UUID or primary key found within the incident data and mapping it to D3’s incident Unique Key
field. Incidents are ingested differently based on whether a Unique Key
field mapping has been configured. Here's how it works:
If the Unique Key Field is Mapped:
Incidents with a unique key value are ingested. Should an incoming incident share the same unique key as an existing one, it will only be considered for ingestion if it presents a different data set. In such cases, the original incident is replaced with the updated data.
If the Unique Key Field is NOT Mapped:
Only incidents containing unique raw data are ingested. Any incident exhibiting raw incident data identical to what's already in the system will be excluded from ingestion.