Map tables to tables with Security Operations field mapping

Security Operations provides you with finer field mapping granularity so you can map a Security Operations table to any other table.

Before you begin

Role required: sec_cmn.write

Procedure

  1. Navigate to Security Operations > Utilities > Field Mapping.
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    Table 1. Field mapping
    Field | Description
    Name | The name of the field map.
    Source table | The table that provides the data to use to create a record in the destination table.
    Duplication rule | Governs how to handle source records that would generate a duplicate record. For more information, see Security Operations duplication rules.
    Destination table | The table where new records are created.
    Active | Select this check box to activate the mapping.
      Note: Only one mapping between tables can be active at a time. If two maps contain the same tables, then the older version is automatically deactivated.
    Description | Description for the field map.
  4. When you have completed your entries, right-click in the form header and select Save.
    The Field Mapping Fields tab appears. A record on this tab defines what data is placed in the target field in records created by this field transform.
    [Figure: Field Mapping form]
  5. Click New.
  6. Fill in the fields on the form, as appropriate.
    Field | Description
    Store value in a field or a related list | Select where to find the value. Choices include:
    • Add new value into a field in the record
    • Link to this value in a related list
    • Link to this value, creating a new record if a matching record does not exist
      Note: If the destination table does not have any related lists, this field is not displayed.
    Field | When Store value in a field or related list is set to Add new value into a field in the record, this field specifies the field to fill in.
      Note: For choice fields, matches are made to existing choices using the underlying choice label or value. If no match is found, the field is set, but no new entry is added to the choice list. For more information, see Choice lists.
      For reference fields, an entry is set only when a value matching the display name of the record, or a valid sys_id, is found. For more information, see Reference fields.

    Related list | When Store value in a field or related list is set to Link to this value in a related list or Link to this value, creating a new record if a matching record does not exist, this field specifies the related list to add information to.
    Value field | When Store value in a field or related list is set to Link to this value in a related list or Link to this value, creating a new record if a matching record does not exist, this field specifies the field, within the table displayed in the related list, that is used to look up and find an existing record. For example, if your related list is Affected CIs, this field may contain Name or Fully Qualified Domain Name, or any other field in the CI record that should be used to look up the CI that is added to the Affected CIs list.
    Relationship data | When Store value in a field or related list is set to Link to this value in a related list, a new record is created to link that record (such as a security incident) to the value (a CI, an observable, and so on). This field specifies any additional information (field and value pairs) that should be added to that linking record. For example, when adding an observable for a source IP, you can specify that this IP is the source, rather than the destination IP. For multiple values, use a ^ separator, for example, type= Source IP^active=true.
    New record data | When Store value in a field or related list is set to Link to this value, creating a new record if a matching record does not exist, and a related record matching the parsed value is not found, a new record is created. This field specifies the static data to add to that record. For example, for Affected CIs, if the CI cannot be found, a new CI is created, and the value found in the source record is set in the Value field of the CI record. You can set additional data, such as a note indicating why this CI was created or information about the type of CIs you are working with. A sample would be:

    description=Created by malware Incident report^type=autodetect

    Value separator | When Store value in a field or related list is set to Link to this value in a related list or Link to this value, creating a new record if a matching record does not exist, this field specifies the separator to use for lists of items, commonly a comma or semicolon.

    Value type | When Store value in a field or related list is set to Add new value into a field in the record, this field specifies the type of value. Choices include:
    • Source field record
    • Append to the field as a new line
    • Static value
    • Static value plus source record field value
    Source field | Choose the source field that contains the value to be placed within the destination field or the selected related list.
    Static field | Static value for the field.
    Value transform | Choose the field value transformation entry to apply. It is used to map choice fields between records, for example, converting the set of Category choices for a security incident into the appropriate Type field for a Change Request.
    Destination table | Auto-populated with the destination table.
    Field Mapping | Auto-populated with the parent field map.
    Source table | Auto-populated with the source table.
  7. Click Submit.
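
The related-list options in step 6, modelled in plain JavaScript as an added example (not ServiceNow code and not part of the original page): it splits a source value with the Value separator, looks each item up by the Value field, and links or creates records using the ^-separated Relationship data and New record data. All function and property names are hypothetical; exact-match lookup, whitespace trimming, and skipping unmatched values in link-only mode are assumptions of this model.

```javascript
// Plain-JavaScript model of the related-list options; no ServiceNow API is used.
// Function and property names are hypothetical.

// Parse "field=value^field=value" (Relationship data, New record data).
// Trimming whitespace around names and values is a choice of this model.
function parsePairs(text) {
  const out = {};
  for (const pair of (text || '').split('^')) {
    const eq = pair.indexOf('=');
    if (eq < 1) continue; // skip empty or malformed pairs
    out[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
  }
  return out;
}

// rule.mode: 'link' or 'link_or_create'. Exact-match lookup and skipping
// unmatched values in 'link' mode are assumptions of this model.
function applyRelatedListMapping(sourceValue, rule, relatedTable) {
  const result = { links: [], created: [], skipped: [] };
  const values = sourceValue.split(rule.valueSeparator)
    .map((v) => v.trim()).filter(Boolean);
  for (const value of values) {
    let record = relatedTable.find((r) => r[rule.valueField] === value);
    if (!record) {
      if (rule.mode !== 'link_or_create') { result.skipped.push(value); continue; }
      // The source value lands in the Value field; static data fills the rest.
      record = { ...parsePairs(rule.newRecordData), [rule.valueField]: value };
      relatedTable.push(record);
      result.created.push(record);
    }
    // The linking record carries the relationship data.
    result.links.push({ ...parsePairs(rule.relationshipData), target: value });
  }
  return result;
}

// Constructed sample data: one known CI, one source field listing two hosts.
const cis = [{ name: 'web01', type: 'server' }];
const ciRule = {
  mode: 'link_or_create', valueField: 'name', valueSeparator: ',',
  newRecordData: 'description=Created by malware Incident report^type=autodetect',
};
const ciOutcome = applyRelatedListMapping('web01, db07', ciRule, cis);
console.log(JSON.stringify(ciOutcome, null, 2));
```

The `created` array lists the source values that would produce new records under the create-if-missing option, which is worth checking before a map is activated.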