Create a Security Operations enrichment data map

Transform data from JSON, XML, or Properties file format to ServiceNow records using enrichment data maps.

Before you begin

Role required: sn_sec_cmn.write

About this task

Existing enrichment data maps are used by workflows provided within Security Operations. You can view the list under Enrichment Data Mapping. To use a map, you need a trigger, either a business rule or workflow.

Procedure

  1. Navigate to Security Operations > Utilities > Enrichment Data Mapping.
  2. Click New.
  3. Fill in the fields, as appropriate.
    Table 1. Creating an enrichment data map
    Field: Description
    Name: Name of this enrichment data map.
    Input format: Choose a format from the list:
    • JSON (default)
    • XML
    • Properties File format
    Prefix key: Use to limit the input data set to a specified key. The root of the input data set is set to this key. In the following example, if you enter file_info, the input values are limited to those values within file_info.
    <?xml version="1.0" encoding="UTF-8"?>
    <malware>
        <version>2.0</version>
        <file_info>
            <malware>yes</malware>
            <sha1>24c051142583e10451a53893fed3aa5d80bfb1f6</sha1>
            <filetype>PE</filetype>
            <sha256>be9bd96808173e2d967feef8c8c5b8c4d73b621584fb11eb68434da1e6a0a930</sha256>
            <md5>ee8c91751b3010e38c479cf9ab09827a</md5>
            <size>546304</size>
        </file_info>
    </malware>
    Application: Scope of the application.
    Duplication rule: Rule defining when a record is considered a duplicate and what actions to take with duplicate records.
    Destination table: Choose a table from the list.
    Active: Select this check box to activate the map.
    Description: Enter a description of the enrichment data map.
  4. Click Submit.
    The Enrichment Data Mapping Fields tab appears.
  5. Click New.
  6. Fill in the fields on the form, as appropriate.
    Table 2. Enrichment data mapping fields
    Field: Description
    Field: Name of the enrichment data map.
    Value type: Choose from the list:
    • Lookup data using property key
    • Static value
    • Static value plus data from the property key
    • Field is an array or object (raw data nesting)

    Each choice has different entries. Field values and arrays or objects require a Property key.

    Property key: Determines the key for the input data search and the value written to the target field.
    Value transform: The field value transform that maps one value to another.
    Application: Scope of the application.
    Order: In what order to consider the mapping. The first match is used. Default is 100.
    Mapping: Name of the enrichment data map.
    Destination table: The table to which the fields to map are going.
  7. Click Submit.
    The following is an example of an enrichment data map.
    [Figure: Enrichment Data Mapping example]
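
The Prefix key, Value type, and Order behaviour described in Tables 1 and 2, sketched in Python as an added illustration (not ServiceNow code and not part of the original documentation). The XML is the sample from Table 1; the destination field names, the row tuple layout, and the reading of "the first match is used" as "the lowest Order row that matches wins for each destination field" are assumptions.

```python
import xml.etree.ElementTree as ET

# Sample input from the Prefix key row of Table 1 on this page.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<malware>
    <version>2.0</version>
    <file_info>
        <malware>yes</malware>
        <sha1>24c051142583e10451a53893fed3aa5d80bfb1f6</sha1>
        <filetype>PE</filetype>
        <sha256>be9bd96808173e2d967feef8c8c5b8c4d73b621584fb11eb68434da1e6a0a930</sha256>
        <md5>ee8c91751b3010e38c479cf9ab09827a</md5>
        <size>546304</size>
    </file_info>
</malware>"""

# Hypothetical mapping rows: (order, destination field, value type, property key, static value).
ROWS = [
    (200, "hash", "lookup", "md5", None),
    (100, "hash", "lookup", "sha256", None),
    (100, "file_type", "lookup", "filetype", None),
    (100, "verdict", "static_plus", "malware", "malware="),
    (100, "source", "static", None, "enrichment-demo"),
    (100, "feed_version", "lookup", "version", None),  # lives outside file_info
]

def scope_input(xml_bytes, prefix_key=None):
    """Return key -> text for the children of the root, or of prefix_key if given."""
    root = ET.fromstring(xml_bytes)
    if prefix_key:
        node = root.find(prefix_key)  # direct child only; nested <malware> is not the root
        if node is None:
            raise KeyError(f"prefix key {prefix_key!r} not found in input")
        root = node
    return {child.tag: (child.text or "").strip() for child in root}

def apply_map(data, rows):
    """Build a record; for each destination field the lowest-order matching row wins."""
    record = {}
    for _order, field, vtype, key, static in sorted(rows, key=lambda r: r[0]):
        if field in record:  # an earlier row already matched this field
            continue
        if vtype == "static":
            record[field] = static
        elif key in data:  # lookup types match only when the key exists in scope
            record[field] = data[key] if vtype == "lookup" else static + data[key]
    return record

if __name__ == "__main__":
    print(apply_map(scope_input(SAMPLE_XML, "file_info"), ROWS))
```

With the prefix key set to file_info, the version element is out of scope and its row produces no value; without a prefix key the hash elements are out of scope instead.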