You will arrive at the Event Configuration screen after clicking on a Configure icon from one of the following places in the Siemplify platform:
The Event Configuration screen has two parts: the Visualization screen, where you assign a visual model family at source, product or event level, and the Mapping screen, where you configure the mapping of individual fields. The model family gives you a graphic explanation of the relationship between all the events and actions that took place.
For example, if an event arrives in the Siemplify platform with missing or incorrect information, click the Configure icon in the Events tab and first check that the event is assigned to the right visual family. Only once that is correct, open the Mapping screen to add the field information that is missing or to correct the values that are wrong.
The purpose of this screen is to assign the source, product or event to a specific "family", that is, a visual map of relationships and entities that gives the clearest graphic explanation of what happened. This visual family is displayed on the Explore Cases screen.
You can assign a model family at source level (this is the top level), product level (this is the second level), or event level (this is the ground level). The model family is inherited from the “parent”. In other words, if you assign a family at source level, then both the product and the event inherit the model family from the Source level. However, you can edit the mapped fields at each level and this will override the “parent” settings.
In the screenshot below:
Source = Splunk
Product = Phishing Email Detector
Event = Unknown Event Type
To assign a model family:
- Select the model family that most closely resembles the relationship between the events and actions that occur in this situation. Siemplify provides 24 model families out of the box, and you can add as many more as you need. For cloning, editing and adding families, refer to Visual Families.
- Confirm the assignment.
In the Mapping screen you can see the fields belonging to the model family assigned to this source, product or event, and edit them. The following fields are available in the Map Fields dialog box for each entity or system field:
| Field | Description |
|---|---|
| Extracted Field | Name of the main field in the raw event to take information from. Pro tip: use Contains or Starts with to divide the data into separate entities. This is useful when the raw event has several similarly named fields, such as url_1 and url_2, and you want an entity from each. |
| Alternative Field 1 | Fallback field in the raw event to take information from if the primary field cannot be located. |
| Alternative Field 2 | Fallback field in the raw event to take information from if neither the primary field nor Alternative Field 1 can be located. |
| Extraction Function | Extracts particular data from the raw event field, or splits it into several values. Three options. None: the raw data is presented as is. Delimiter: a string of one to 64 characters used to divide the data into separate entities; the default delimiter is , (comma). Regex: a regular expression used to divide the data into separate entities. |
| Transformation Function | Transforms the extracted data so that it is compatible with the Siemplify database. Available functions: TO_STRING, FROM_UNIXTIME_STRING_OR_LONG, FROM_CUSTOM_DATETIME, EXTRACT_BY_REGEX, TO_IP_ADDRESS. Once you have chosen the function, add the appropriate parameter. For example, select FROM_CUSTOM_DATETIME and supply the format of the incoming date and time, such as %Y-%m-%dT%H:%M:%S. |

Note that the transformation function is applied after the extraction function. If the extraction function produces several entities, the transformation is applied to each of them separately.

Note that you can extract data from one source field and map it to several different target fields. For example, if a source field contains both a hostname and an IP address, you can separate them with regular expressions and map each part to its own entity field.
For more information, refer to Working with Entity Delimiters.
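To make the order of operations concrete, the following is an added example, not Siemplify's own code: a stand-alone Python simulation of how one field mapping resolves against a raw event. It applies the primary field and its two fallbacks, then the extraction function (which may yield several entities), then the transformation function once per extracted value, and shows one source field being mapped to two targets. The helper names, the sample event and the mapping definitions are all constructed for the example; the millisecond heuristic in FROM_UNIXTIME_STRING_OR_LONG is an assumption about the real function's behaviour.

```python
# Added example (not Siemplify's code): a stand-alone simulation of how one
# field mapping resolves against a raw event, in the order the Mapping screen
# describes: Extracted Field -> Alternative Field 1 -> Alternative Field 2,
# then the Extraction Function (which may yield several entities), then the
# Transformation Function applied to each extracted value separately.
# All helper names, the sample event and the mappings below are constructed.
import ipaddress
import re
from datetime import datetime, timezone

# Constructed raw event, shaped like what a connector hands to the mapping layer.
RAW_EVENT = {
    "src_host": "mail-gw01 10.0.4.17",                 # hostname and IP in one field
    "urls": "http://a.example/x, http://b.example/y",  # two URLs, comma separated
    "event_time": "1700000000",                        # epoch seconds as a string
}


def pick_field(event, primary, alt1=None, alt2=None):
    """Return the first of primary/alt1/alt2 that exists and is non-empty."""
    for name in (primary, alt1, alt2):
        if name and event.get(name) not in (None, ""):
            return event[name]
    return None


def extract(value, function="None", param=None):
    """Extraction Function: None, Delimiter (default ',') or Regex.
    Always returns a list, because the result may be several entities."""
    if value is None:
        return []
    if function == "None":
        return [value]
    if function == "Delimiter":
        delim = param if param else ","
        return [p.strip() for p in value.split(delim) if p.strip()]
    if function == "Regex":
        return re.findall(param, value)
    raise ValueError(f"unknown extraction function {function!r}")


def transform(value, function=None, param=None):
    """Transformation Function, applied to a single extracted value."""
    if function in (None, "TO_STRING"):
        return str(value)
    if function == "FROM_UNIXTIME_STRING_OR_LONG":
        ts = int(value)
        if ts > 10**11:          # assumption: values this large are milliseconds
            ts //= 1000
        return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    if function == "FROM_CUSTOM_DATETIME":
        # param is a strptime format describing the INCOMING value
        return datetime.strptime(value, param).replace(tzinfo=timezone.utc).isoformat()
    if function == "EXTRACT_BY_REGEX":
        m = re.search(param, value)
        if not m:
            return None
        return m.group(1) if m.groups() else m.group(0)
    if function == "TO_IP_ADDRESS":
        try:
            return str(ipaddress.ip_address(value.strip()))
        except ValueError:
            return None          # do not create an IP entity from a non-address
    raise ValueError(f"unknown transformation function {function!r}")


def map_field(event, mapping):
    """Resolve one mapping definition to the list of entity values it produces."""
    raw = pick_field(event, mapping["extracted"], mapping.get("alt1"), mapping.get("alt2"))
    parts = extract(raw, mapping.get("extraction", "None"), mapping.get("extraction_param"))
    values = [transform(p, mapping.get("transformation"), mapping.get("transformation_param"))
              for p in parts]
    return [v for v in values if v is not None]


# Constructed mappings, one per target field.
MAPPINGS = {
    # primary field "url" is absent, so Alternative Field 1 "urls" is used,
    # then the comma delimiter turns it into two URL entities
    "URL": {"extracted": "url", "alt1": "urls", "extraction": "Delimiter"},
    # the same source field mapped to two different targets (hostname and IP)
    "Hostname": {"extracted": "src_host", "transformation": "EXTRACT_BY_REGEX",
                 "transformation_param": r"^(\S+)\s"},
    "Address": {"extracted": "src_host", "extraction": "Regex",
                "extraction_param": r"\d+\.\d+\.\d+\.\d+",
                "transformation": "TO_IP_ADDRESS"},
    "StartTime": {"extracted": "event_time",
                  "transformation": "FROM_UNIXTIME_STRING_OR_LONG"},
}


def map_event(event, mappings=MAPPINGS):
    """Apply every mapping to the event and return target field -> entity values."""
    return {target: map_field(event, m) for target, m in mappings.items()}


if __name__ == "__main__":
    for target, values in map_event(RAW_EVENT).items():
        print(f"{target}: {values}")
```

Two points worth noticing when running it: the Address mapping only produces an entity because the extraction step (Regex) runs before the transformation step (TO_IP_ADDRESS), which is the order the note above describes; and a transformation that fails, such as TO_IP_ADDRESS on text that is not an address, drops the value rather than creating a malformed entity, which is the behaviour you want when a regex is slightly too loose.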