Entity Delimiters allow you to decide for each entity type and data source how you want to map the incoming entity. You have full control whether to disable delimiters for incoming entities, map a specific delimiter (up to 64 characters) or even use a regex instead.
For example, you might have several files come in as one entity separated by commas and you want the system to treat each entity separately – in this case you would set the delimiter to be a comma.
The entity delimiter can be used in one of two places:
- Event Configuration > Mapping screen
- Playbook action > Siemplify Create Entity
Event Configuration > Mapping screen
Here you can configure mapping at field level. At the top of the screen, you can click on to see the Raw data from the Event in the particular Alert. The screen itself shows a list of the Entity Fields and the System Fields with an edit option allowing you to make changes to map the raw data to how you want the information presented in the Siemplify platform.
The following fields are available in the Map Fields Dialog box for each entity or system field.
|Extracted Field||Main field name in the raw event field to take information from. Pro-tip. Use Contains or Starts with in order to divide the data into separate entities entities. This can be useful if you have multiple fields like url_1, url_2 to create multiple entities.|
|Alternative Field 1||Fallback field in the raw event field to take information from if the primary field cannot be located.|
|Alternative Field 2||Fallback field in the raw event field to take information from if both primary and secondary cannot be located|
|Extraction Function|| This function allows you to extract particular data or manipulate the data from the raw event field. Three options. None: the raw data is presented as is.
Delimiter: Delimiter can be defined with a character (or up to 64 characters) to divide the data into separate entities. The default is Delimiter = , (comma)
Regex: Uses a regex to divide data into separate entities
|Transformation Function|| This enables you to “transform” information from the data source to be compatible with the Siemplify database. Available functions are: TO_STRING, FROM_UNIXTIME_STRING_OR_LONG, FROM_CUSTOM_DATETIME, EXTRACT_BY_REGEX, TO_IP_ADDRESS. Once you have chosen the function, you would add the appropriate parameter.
For example: select the function FROM_CUSTOM_DATETIME and reformat the date and time to %Y-%m-%DT%H:%M:%S
Note that the transformation function applies after the extraction function and in case of multiple entities created by the extraction function – it will apply the transformation on each one of them separately
Now let’s look at some examples of using the delimiter:
Using Delimiters in Playbooks
You can also use delimiters in the Siemplify Create Entity action. For example, in the Entities Identifiers field, you could have a list of IP addresses separated by semi-colons. In the Delimiter field, you would add a semi-colon. Note that the action will appear with a comma by default.
Need more help with this?
Click here to open a Support ticket