Security attacks today have unprecedented variety: they can come in different forms, through different channels, target different vectors, and have endless tweaks that can’t be captured by any one system. The result? Organizations have multiple security tools that perform specific functions such as data enrichment, endpoint security, threat intelligence, and incident management.
Although these tools often have APIs and other means to connect with each other, this brings its own problems. Each security tool has its own definitions of incident types and indicator fields; mapping all these tools to ingest alerts into a common system often makes analysts feel like overworked phone operators, scrambling to translate languages and make connections before the call drops.
Making Ingestion Easier
Demisto 3.0’s alert ingestion update solves this exact problem. With the help of an intuitive classification and mapping wizard, mapping an integration instance, which earlier sapped hours from an analyst’s day, can now be done in minutes without any scripting. With this editing interface, it is now easier to fetch and map data, conduct tests and manual fixes, and edit the mapping model.
This feature walkthrough will go through the major screens and workflows required to map a new instance of an external tool to Demisto. The flow is as follows:
Note that if you know the incident type of all events in the instance to be mapped, you can skip the classification part and move on to mapping event fields to Demisto incident fields (step 5 in the flow).
For this walkthrough, let us take ProtectWise as an example and set up a mapping for its instance.
- Start Instance Mapping
In the ‘Servers & Services’ tab on the Integrations menu, you can search for the tool you want to map the instance for. If you haven’t mapped an instance before, there will be a ‘Mapping’ button next to the ‘Add Instance’ button for each integrated security tool. Just select the ‘Mapping’ button to begin, as shown in the snapshot below:
Alerts from an instance can be ingested without mapping. They will just show up as unmapped. You can also hover over the integration to see how many incidents were pulled and how many had errors.
- Set Classification Rule
Selecting the ‘Mapping’ button will open the classification wizard. You can use three methods to map an instance: uploading a JSON file with sample data, pulling the sample data directly from the instance, and going ahead with mapping without using sample data at all. The three options are illustrated in the screenshot below:
For uploading JSON files, you have two options. You can either get the JSON file to map from the third-party product, or you can create a JSON file to be mapped from a previously unmapped sample incident from the same source. You can get the JSON file from an incident field called rawJSON, as shown in the screenshot below.
For this example, let us use a JSON file to upload sample data for the mapping.
- Set Classification Key
The crux of mapping is selecting a classification key from the sample data. The key is the field that signifies the incident type and acts as the pivot around which the rest of the incident details are mapped. The screenshot below shows the classification key select screen. Field types and details from the sample data are shown on the right, and the space to enter the classification key is shown on the left.
In this example, the sample data has a field called ‘type’ which seems relevant to identify the incident type. If you click on ‘type’ in the sample data shown on the right, it automatically gets populated in the classification key field.
- Map Incident Types
Once the classification key is selected, you enter the mapping wizard. On the left, you’ll find all the values associated with the classification key from the sample data. On the right are all possible Demisto incident types that these values can be mapped to. For example, in the screenshot below, there are four unmapped values falling under ‘type’ (which we selected as the classification key). These four values need to be mapped to Demisto incident types.
Mapping values to incident types is easy and can be done by simply dragging and dropping the value button to the incident type you want. The snapshot below illustrates the process.
In this example, two of the four values have been mapped to Malware and the other two to C2Communication.
- Map Other Event Fields
After the incident types are successfully mapped, each mapping needs to be studied and other relevant fields from the sample data need to be mapped to corresponding fields in Demisto. For example, to complete the mapping for the C2Communication incident type, just select the ‘Edit mapping’ button next to the incident type as shown in the snapshot below.
It is not necessary to map every single field from the sample data, just the fields that you consider relevant. For instance, the ‘threatLevel’ field is relevant and maps well with the ‘severity’ field in Demisto. You can finish this mapping as shown below.
By default, all unmapped fields will be mapped automatically to ‘labels’ and you can uncheck this option in the mapping wizard if you wish.
Once you’ve finished mapping for one incident type, and you expect the mapping for other incident types to be largely similar (apart from the incident type itself), you can copy the mapping with one click. In this example, the mapping for the ‘Malware’ incident type can easily be copied from the ‘C2Communication’ incident type as shown below.
And with these five quick steps, your mapping is complete! Alerts from ProtectWise will now be ingested according to the mapping you just devised. When you view the ProtectWise instance in the Integrations menu, the ‘Mapping’ button will now read ‘Mapped’.
We hope this feature walkthrough was helpful to you. If you’re interested in learning more, we invite you to view the video walkthrough on our YouTube channel. If you are a Demisto customer, you can also visit the release notes on the Demisto Support portal.
If you are new to Demisto and interested in exploring the platform further, we invite you to sign up for the Demisto Community Edition. All Demisto v3.0 features are available with full functionality in the Community Edition.