You will arrive at the Event Configuration screen after clicking on a Configure icon from one of the following places in the Siemplify platform:
In the Event Configuration screen you can assign visual model families at source, product or event level in the Visualization screen, and configure mapping at field level in the Mapping screen. A model family gives you a graphic representation of the relationships between all the events and actions that took place.
For example, if an event arrives in the Siemplify platform with missing or incorrect information, click the Configure icon in the Events tab and first check that the event is assigned to the right visual family. Only once that assignment is correct, go to the Mapping screen to add the field information that is missing or correct the field information that is wrong.
On this screen you assign the event, product or source to a specific "family": a visual map of relationships and entities that gives the clearest graphic explanation of what happened. The assigned visual family is displayed on the Explore Cases screen.
You can assign a model family at source level (the top level), product level (the second level) or event level (the ground level). A model family is inherited from the "parent": if you assign a family at source level, both the product and the event inherit it from the Source level. The mapped fields, however, can be edited at each level, and a field mapped at a lower level overrides the parent's setting for that field.
In the screenshot below:
Source = Splunk
Product = Phishing Email Detector
Event = Unknown Event Type
To assign a model family:
- Select the model family that best represents the relationship between the events and actions that occur in this situation. Siemplify provides 24 model families out of the box, and you can add as many more as you need. For cloning, editing and adding families, refer to Visual Families.
- Confirm the assignment.
In this screen you can see the fields belonging to the model family assigned to this product (or event or source) and edit them.
The following fields are shown (all are editable except Rule Level):

| Field | Description |
| --- | --- |
| Rule Level | Source, Product or Event (not editable) |
| Target Field | Field name used by Siemplify |
| Extracted Field | Primary field in the integration data source to take the value from |
| Alternative Field 1 | Fallback field in the integration data source, used when the extracted field cannot be located |
| Alternative Field 2 | Second fallback field in the integration data source, used when neither the primary field nor Alternative Field 1 can be located |
| Transformation Function / Transformation Function Parameter | "Transforms" the value from the data source so that it is compatible with the Siemplify database. Available functions: TO_STRING, FROM_UNIXTIME_STRING_OR_LONG, FROM_CUSTOM_DATETIME, EXTRACT_BY_REGEX, TO_IP_ADDRESS. Once you have chosen the function, add the parameter it requires. For example, select EXTRACT_BY_REGEX and add the regular expression as its parameter. |
Note that you can extract data from one source field and map it to several different target fields. For example, if a source field contains both a hostname and an IP address, you can separate them with two mapping rows that apply different regular expressions to the same source field.
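To make the mapping semantics above concrete (inheritance from source to product to event, the extracted/alternative fallback order, and the transformation functions, including splitting one source field into two targets with regular expressions), here is an added Python model of that behaviour. It is illustrative code written for this page, not Siemplify's implementation: the function names come from the table, but their exact semantics, the field names (`_time`, `src`, `src_ip`, `SourceAddress`, `SourceHostName`, `StartTime`, `Description`) and the sample event are assumptions constructed for the example.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Transformation functions named after the ones in the table above. Their exact
# semantics (millisecond epoch output, first capture group wins, strict IP
# validation) are assumptions made for this example, not product behaviour.
def to_string(value, _param=None):
    return str(value)

def from_unixtime_string_or_long(value, _param=None):
    """Accept "1612345678", 1612345678 or 1612345678000 and return epoch milliseconds."""
    n = int(value)
    return n if n >= 10**11 else n * 1000  # values >= 10^11 are assumed to be ms already

def from_custom_datetime(value, fmt):
    """Parse a timestamp with a strptime format; naive input is treated as UTC."""
    dt = datetime.strptime(str(value), fmt).replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)

def extract_by_regex(value, pattern):
    """Return the first capture group (or the whole match) of pattern, else None."""
    m = re.search(pattern, str(value))
    if m is None:
        return None
    return m.group(1) if m.groups() else m.group(0)

def to_ip_address(value, _param=None):
    """Normalise an IPv4/IPv6 literal (or its integer form); reject anything else."""
    try:
        raw = value if isinstance(value, int) else str(value).strip()
        return str(ipaddress.ip_address(raw))
    except ValueError:
        return None

TRANSFORMS = {
    "TO_STRING": to_string,
    "FROM_UNIXTIME_STRING_OR_LONG": from_unixtime_string_or_long,
    "FROM_CUSTOM_DATETIME": from_custom_datetime,
    "EXTRACT_BY_REGEX": extract_by_regex,
    "TO_IP_ADDRESS": to_ip_address,
}

def rule(target, extracted, alt1=None, alt2=None, function=None, param=None):
    """One row of the Mapping screen: target, primary source field, two fallbacks, transform."""
    return {"target": target, "extracted": extracted, "alt1": alt1, "alt2": alt2,
            "function": function, "param": param}

def effective_rules(source_rules, product_rules, event_rules):
    """Inheritance: product rows override source rows, event rows override both, per target."""
    merged = {}
    for level in (source_rules, product_rules, event_rules):
        for r in level:
            merged[r["target"]] = r
    return merged

def resolve(event, r):
    """Take the first present, non-empty field (extracted -> alt1 -> alt2), then transform it."""
    for name in (r["extracted"], r["alt1"], r["alt2"]):
        if name and event.get(name) not in (None, ""):
            raw = event[name]
            break
    else:
        return None  # none of the three source fields could be located
    if r["function"] is None:
        return raw
    return TRANSFORMS[r["function"]](raw, r["param"])

def map_event(event, rules):
    return {target: resolve(event, r) for target, r in rules.items()}

# Constructed sample event (not real data): the "src" field packs hostname and IP together.
SAMPLE_EVENT = {"_time": "1612345678", "src": "web01.corp.local (10.0.0.5)",
                "subject": "Invoice overdue"}

SOURCE_RULES = [  # Splunk, top level; all field names are hypothetical
    rule("StartTime", "_time", function="FROM_UNIXTIME_STRING_OR_LONG"),
    rule("SourceAddress", "src_ip", "SourceAddress", "src", function="TO_IP_ADDRESS"),
]
PRODUCT_RULES = [  # Phishing Email Detector, second level: adds a field, inherits the rest
    rule("Description", "subject", function="TO_STRING"),
]
EVENT_RULES = [  # event level: split one source field into two target fields with regex
    rule("SourceAddress", "src", function="EXTRACT_BY_REGEX",
         param=r"\((\d{1,3}(?:\.\d{1,3}){3})\)"),
    rule("SourceHostName", "src", function="EXTRACT_BY_REGEX", param=r"^([\w.-]+)\s*\("),
]

def demo():
    """Map the sample event with source-level rules only and with the full inherited chain."""
    return {
        "source_only": map_event(SAMPLE_EVENT, effective_rules(SOURCE_RULES, [], [])),
        "effective": map_event(SAMPLE_EVENT,
                               effective_rules(SOURCE_RULES, PRODUCT_RULES, EVENT_RULES)),
    }

if __name__ == "__main__":
    for level, mapped in demo().items():
        print(level, mapped)
```

Run it and compare the `source_only` result with `effective`. With only the Source-level row, `SourceAddress` falls through `src_ip` and `SourceAddress` to the `src` fallback, and TO_IP_ADDRESS rejects the combined "hostname (ip)" string, so the target comes out empty even though the data is present. The event-level override pulls the address and the hostname out of that same field with two regular expressions, which is the situation the paragraph above describes. The practical check this suggests: when a mapped field shows up empty, look at whether a fallback field delivered a value the transformation cannot parse before concluding that the source field itself is missing.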