DOCS-587 - Make terms lowercase in Cloud SIEM - Schema, sensors, integrations, match lists, automation, and administration sections #4889

Merged
merged 7 commits into from
Dec 18, 2024
Make terms lowercase in 'Schema' section
jpipkin1 committed Dec 17, 2024
commit 73d01347fb98dfca3d197108919b6efeef0b4f4d
6 changes: 3 additions & 3 deletions docs/cse/schema/attributes-map-to-records.md
@@ -2,12 +2,12 @@
id: attributes-map-to-records
title: Attributes You Can Map to Records
sidebar_label: Mappable Attributes
description: Learn what Cloud SIEM schema attributes you can map to Records.
description: Learn what Cloud SIEM schema attributes you can map to records.
---

You can map schema attributes to Records. Note that you can map any of the attributes defined to any [record type](/docs/cse/schema/cse-record-types).
You can map schema attributes to records. Note that you can map any of the attributes defined to any [record type](/docs/cse/schema/cse-record-types).

For the complete list of attributes you can map to records, see [Schema: General Schema Fields](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/schema/general_fields.md) in the [Cloud SIEM Content Catalog](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/README.md).

For information about all schema attributes, including those that cannot be mapped to Records, for example enrichment fields, see [Schema Attributes](/docs/cse/schema/schema-attributes).  
For information about all schema attributes, including those that cannot be mapped to records, for example enrichment fields, see [Schema Attributes](/docs/cse/schema/schema-attributes).  

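Review bot: The frontmatter `title:` and `sidebar_label:` in this hunk keep "Records"/"Mappable Attributes" in title case while the body lines switch to lowercase "records"; that is fine for headings, but it would help to state in the PR description that the lowercase rule applies to running prose only, so later reviewers do not "fix" the headings back. The unchanged context line ("For the complete list of attributes you can map to records ...") already used lowercase, so the file is now internally consistent.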
36 changes: 18 additions & 18 deletions docs/cse/schema/create-structured-log-mapping.md
Original file line number Diff line number Diff line change
@@ -7,17 +7,17 @@ description: Learn how to create a log mapping for structured messages.

import useBaseUrl from '@docusaurus/useBaseUrl';

This topic has instructions for creating a log mapping for structured messages using the Cloud SIEM UI. Log mapping is the process of telling Cloud SIEM how to build a Record from the key-value pairs extracted from messages.
This topic has instructions for creating a log mapping for structured messages using the Cloud SIEM UI. Log mapping is the process of telling Cloud SIEM how to build a record from the key-value pairs extracted from messages.

For more information about log mapping, and how it fits into the Record creation process, see the [Record Processing Pipeline](/docs/cse/schema/record-processing-pipeline) topic. For a complete list of the standard log mappings, see [Mappings](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/mappings/README.md) the [Cloud SIEM Content Catalog](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/README.md).
For more information about log mapping, and how it fits into the record creation process, see the [Record Processing Pipeline](/docs/cse/schema/record-processing-pipeline) topic. For a complete list of the standard log mappings, see [Mappings](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/mappings/README.md) in the [Cloud SIEM Content Catalog](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/README.md).

## About the log mapping process

When you set up a log mapping, you supply the following information:  

* **What messages will the mapper process?** To identify which incoming messages the mapper should process, you supply a vendor name, product name, message format, and an event ID expression. 
* **What Record type should be created for the messages the mapper processes?** Cloud SIEM has multiple predefined [Record types](/docs/cse/schema/cse-record-types), each of which corresponds to a particular sort of event a log message might describe. When you configure a log mapping, you select the Record type that corresponds best to the log messages the mapper will process. For example, you would select “Authentication” as the Record type to create from messages that report successful or unsuccessful authentication events.
* **What normalized classification should be added for the messages the mapper processes?** Records can be classified at two levels of granularity. First, at a high level with [Record Types](/docs/cse/schema/cse-record-types) which all mapped Records have, and more specifically using Normalized Classification Fields alongside the mapped attributes within a Record. For more information, see the [Cloud SIEM Normalized Classification.](/docs/cse/schema/cse-normalized-classification)
* **What Record type should be created for the messages the mapper processes?** Cloud SIEM has multiple predefined [record types](/docs/cse/schema/cse-record-types), each of which corresponds to a particular sort of event a log message might describe. When you configure a log mapping, you select the record type that corresponds best to the log messages the mapper will process. For example, you would select “Authentication” as the record type to create from messages that report successful or unsuccessful authentication events.
* **What normalized classification should be added for the messages the mapper processes?** Records can be classified at two levels of granularity. First, at a high level with [record types](/docs/cse/schema/cse-record-types) which all mapped records have, and more specifically using Normalized Classification Fields alongside the mapped attributes within a record. For more information, see [Cloud SIEM Normalized Classification.](/docs/cse/schema/cse-normalized-classification)

## Step 1: Choose mapping type and name the mapping

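Review bot: The replacement bullet on normalized classification lowercases "record types" but leaves "Normalized Classification Fields" capitalized in the same sentence; either that phrase is a proper name (then it should probably be linked or quoted consistently) or it should follow the same lowercase rule. Two smaller points in lines this hunk already touches: the trailing period sits inside the link text `[Cloud SIEM Normalized Classification.](...)` and should move outside the brackets, and the "For more information" line silently adds the missing "in" before "the Cloud SIEM Content Catalog", which is a good fix but is not mentioned in the commit message.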
@@ -41,15 +41,15 @@ The values you supply should correspond to the values that were supplied for ven

## Step 3: Enter “Then Create Record” values

1. **Record of type**. Select the [Record type](/docs/cse/schema/cse-record-types) that specifies the attributes that the Records created by the mapper should contain.
1. **with vendor**. The vendor name that the mapper should write to Records. If you already selected a vendor in **When a log from vendor** in the **If Input Matches** area, that vendor appears here. In the Records the mapper creates, this value will be written to the `device_vendor` field.
1. **and product**. The product name that the mapper should write to Records. If you already selected a product from **and product** in the **If Input Matches** area, that product appears here. In the Records the mapper creates, this value will be written to the `device_product` field.
1. **Record of type**. Select the [record type](/docs/cse/schema/cse-record-types) that specifies the attributes that the records created by the mapper should contain.
1. **with vendor**. The vendor name that the mapper should write to records. If you already selected a vendor in **When a log from vendor** in the **If Input Matches** area, that vendor appears here. In the records the mapper creates, this value will be written to the `device_vendor` field.
1. **and product**. The product name that the mapper should write to records. If you already selected a product from **and product** in the **If Input Matches** area, that product appears here. In the records the mapper creates, this value will be written to the `device_product` field.

## Step 4: Specify field mapping

In this step you specify field mapping. This is the process of assigning the value of message fields to Cloud SIEM attributes. 

You might not map all message fields to schema attributes. Unmapped message fields will be retained in the `fields` attribute of the resulting Records.
You might not map all message fields to schema attributes. Unmapped message fields will be retained in the `fields` attribute of the resulting records.

The sections that follow have instructions for setting up each type of mapping:
* [constant mapping](#constant-mapping)
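Review bot: The bold labels **Record of type**, **with vendor** and **and product** are left as-is while the surrounding prose is lowercased, which is the right call because they mirror the UI strings; please confirm that the "Then Create Record" heading is also being treated as a UI string (it still reads "Record" with a capital R) so the distinction is deliberate rather than missed.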
@@ -77,7 +77,7 @@ To configure a constant mapping:

1. Select **constant** from the **Create a new … mapping field?** pull-down.
1. **Constant**. Enter the name of an input field. This is the field from incoming messages whose value you want to translate.
1. **Output Field**. Select an output field. This is the Record attribute whose value you wish to populate.
1. **Output Field**. Select an output field. This is the record attribute whose value you wish to populate.
1. Click **Add Field** to save the field mapping.

### extracted mapping
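Review bot: Unrelated to the case change but visible in this hunk's context: the **Constant** step says "Enter the name of an input field. This is the field from incoming messages whose value you want to translate", which describes a lookup-style input rather than a constant value; for a constant mapping the field presumably takes the literal value to write to the output attribute. Worth a follow-up issue if it is out of scope for this PR.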
@@ -94,7 +94,7 @@ To configure a extracted mapping:

1. Select **extracted** from the **Create a new … mapping field?** pull-down.
1. **Extracted Field**. Enter the name of an extracted field. 
1. **Output Field**. Select an output field. This is the Record attribute whose value you wish to populate.
1. **Output Field**. Select an output field. This is the record attribute whose value you wish to populate.
1. Click **Add Field** to save the field mapping.

### format mapping
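Review bot: The hunk header context line reads "To configure a extracted mapping:"; since this file is being touched anyway, consider correcting it to "an extracted mapping" in the same commit.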
@@ -116,7 +116,7 @@ To define a format mapping:
1. Select **format** from the **Create a new … mapping field?** pulldown.
1. **Input Field**. Enter the format specifiers to be applied to the message fields you’ll specify in the next step.
1. **Format Parameters**. Enter the message fields to which the formatting will be applied.
1. **Output Field**. Select an output field. This is the Record attribute whose value you wish to populate.
1. **Output Field**. Select an output field. This is the record attribute whose value you wish to populate.
1. Click **Add Field** to save the field mapping.

### joined mapping
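Review bot: Style nit in the context of this hunk: the format-mapping procedure says "pulldown" while the constant and extracted procedures say "pull-down"; pick one spelling across the file while the sections are being edited.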
@@ -134,17 +134,17 @@ In the screenshot below, we're configuring a mapping that joins the value of the
1. **Show optional fields**. Expand this section if you want to specify one or more alternative input fields, or set a default value to be mapped to the target in the event that the input field is null.
1. **Alternate Input Fields**. Enter one or more fields, separated by spaces. If any of the input fields you entered above do not exist in a message, or is null, the value of the first alternative field that exists in the message and isn’t null will be mapped to the Cloud SIEM attribute you’ll specify later in this procedure.
1. **Default Value**. Enter the value you want to write to the Cloud SIEM attribute in the event that neither the input field or any alternative fields with non-null values exist in the message.
1. **Output Field**. Select an output field. This is the Record attribute whose value you wish to populate.
1. **Output Field**. Select an output field. This is the record attribute whose value you wish to populate.

### lookup mapping

You use a lookup mapping to specify a set of input-output value pairs that are used to translate the value of an input field to the output value that should be mapped to a selected Cloud SIEM attribute. You can define a default value that will be applied if the input field value from an incoming message doesn’t match any of the input values you define.  

**Example lookup mapping**

In the screenshot below, we’ve defined a set of lookup key-value pairs that specify how to translate the value of the EventData.LogonType field and write it to the logonType attribute in resulting Records
In the screenshot below, we’ve defined a set of lookup key-value pairs that specify how to translate the value of the EventData.LogonType field and write it to the logonType attribute in resulting records

The configuration shown below defines what value to write to the logonType attribute of a Record when the EventData.LogonType message field value is “1”, “2”, “3”, or “4”, which will be “Interactive”, “”Network”, “Batch”, and “Service”, respectively.
The configuration shown below defines what value to write to the logonType attribute of a record when the EventData.LogonType message field value is “1”, “2”, “3”, or “4”, which will be “Interactive”, “”Network”, “Batch”, and “Service”, respectively.

<img src={useBaseUrl('img/cse/lookup-mapping-filled-out.png')} alt="Lookout mapping" style={{border: '1px solid gray'}} width="800" />

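Review bot: The replacement line for the logonType example still carries the stray doubled quotation mark in `“”Network”` and the preceding replacement sentence ("... write it to the logonType attribute in resulting records") still lacks a terminal period; both lines are being rewritten here, so fixing them in the same change is cheap. Also in this hunk's context: "neither the input field or any alternative fields" should be "neither ... nor", and the image `alt="Lookout mapping"` should read "Lookup mapping".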
@@ -157,7 +157,7 @@ The configuration shown below defines what value to write to the logonType attri
1. **Output Value**. Enter the value you want to translate the input value to.
1. **Add Mapping Pair.** Click this option and repeat the two previous steps 3 through 5 to an additional value mapping.
1. **Input Case Sensitive**. Check the box if the value of the input field is case sensitive.
1. **Output Field**. Select an output field. This is the Record attribute whose value you wish to populate.
1. **Output Field**. Select an output field. This is the record attribute whose value you wish to populate.
1. Click **Add Field** to save the field mapping.

### split mapping
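Review bot: The **Add Mapping Pair** step in this hunk's context reads "repeat the two previous steps 3 through 5 to an additional value mapping", which is self-contradictory ("two previous steps" versus "steps 3 through 5") and is missing a verb; suggest "repeat the previous steps to add an additional value mapping".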
@@ -176,7 +176,7 @@ To define a split mapping:
1. **Input Field**. Enter the name of an input field. This is the field from incoming messages whose value you want to split.
1. **Delimiter.** Enter the character that delimits the segments of the field.
1. **Index**. Enter the integer value that corresponds, order-wise, to the segment of the field that you want to write to the output field you’ll specify in the next step. An index value of “0” indicates the first segment, “1” indicates the second segment, and so on. Use a negative index value to index from the end (i.e., "-1" for the last segment, "-2" for the second to last segment).
1. **Output Field**. Select an output field. This is the Record attribute whose value you wish to populate.
1. **Output Field**. Select an output field. This is the record attribute whose value you wish to populate.
1. Click **Add Field** to save the field mapping.

### standard mapping
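Review bot: Minor consistency point in the split-mapping steps: the bold label punctuation alternates between "**Delimiter.**" (period inside the bold) and "**Index**." (period outside); the rest of the file uses the period-outside form, so the Delimiter line is the outlier.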
@@ -200,7 +200,7 @@ To map a single input field:
1. **Show optional fields**. Expand this section if you want to specify one or more alternative input fields, or set a default value to be mapped to the target in the event that the input field is null.
1. **Alternate Input Fields**. Enter one or more fields, separated by spaces. If the Input Field you entered above doesn’t exist in a message, or is null, the value of the first alternative field that exists in the message and isn’t null will be mapped to the Cloud SIEM attribute you’ll specify later in this procedure.
1. **Default Value**. Enter the value you want to write to the Cloud SIEM attribute in the event that neither the input field or any alternative fields with non-null values exist in the message.
1. **Output Field**. Select an output field. This is the Record attribute whose value you wish to populate.
1. **Output Field**. Select an output field. This is the record attribute whose value you wish to populate.
1. Click **Add Field** to save the field mapping.

**Example standard mapping: multiple input fields**
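Review bot: In the context line for **Default Value**, "neither the input field or any alternative fields" should be "neither ... nor"; the same phrasing appears in the joined-mapping section, so a single search-and-replace would cover both.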
@@ -222,7 +222,7 @@ To map multiple input fields:
1. **Show optional fields**. Click this if you want to specify one or more alternative input fields, or set a default value to be mapped to the target in the event that the input field is null.
1. **Alternate input fields**. Enter one or more fields, separated by spaces. If any of the Input Fields you entered above don’t exist in a message, or are null, the values of the alternative fields you enter will be combined and mapped to the Cloud SIEM attribute you’ll specify later in this procedure.
1. **Default value**. Enter the value you want to write to the Cloud SIEM attribute in the event that neither the input fields or any alternative fields exist with non-null values in the message.
1. **Output Field**. Select an output field. This is the Record attribute whose value you wish to populate.
1. **Output Field**. Select an output field. This is the record attribute whose value you wish to populate.
1. Click **Add Field** to save the field mapping.

### time mapping
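Review bot: The multiple-input-fields procedure labels its optional fields **Alternate input fields** and **Default value**, whereas the single-input-field procedure just above uses **Alternate Input Fields** and **Default Value**; only one of these can match the actual UI labels, so please align them (and "Click this" versus "Expand this section" for **Show optional fields**) while this section is open.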