11.2 Default Maps

Maps defined in this tool work together with the Referenced from Map data source setting for individual fields. The following built-in maps are available:

  • Identity: Contains information about identities and the accounts associated with them. Data is added to the Identity map through the Collector API and Identity Tracking Module for Sentinel. Data is then extracted to the identityAccountMap.csv file.

    • Keys: User name and domain, TenantName (mapped to both Initiator and Target users).

    • Data added to event: User identity (an internal GUID), full name, department, workforce ID, and email address.

  • Asset: Contains information about hosts in the environment. Data is added to the Asset map using a Collector API and Collectors such as the Generic Asset Collector, stored in the database, and then extracted to the asset.csv file.

    • Keys: IP address and TenantName (mapped to Initiator, Target, Observer, and Reporter hosts).

    • Data added to event: Host identity (an internal GUID), function, class, department, and criticality.

  • Country: Contains information about which physical location hosts reside in, including country, latitude, and longitude. Data is downloaded from a commercial IP location database and added to the IpToCountry.csv file using the IP2Location Feed plug-in. For more information, see the IP2Location Feed documentation on the Sentinel Plug-ins Website.

    • Keys: IP address and TenantName (mapped to Initiator, Target, and Observer hosts).

    • Data added to event: Country, latitude, and longitude.

  • CustomerHierarchy: Contains a hierarchical list of tenants that are generating event data. This can be used by security providers that collect data for multiple third parties or departments to provide a hierarchic namespace for users and hosts. Data is added to the customerhierachy.csv file manually.

    • Keys: TenantName.

    • Data added to event: TenantHierarchy fields.

  • Threat Intelligence: Sentinel populates the Threat_Intelligence.csv file when it processes the threat intelligence data sources. For more information about threat intelligence data sources, see Configuring Threat Intelligence Data Sources.

    • Keys: IP address.

    • Data added to event: Reputation score, Threat types, Unique Identifier.
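The following is an added illustration, not code from the Sentinel product or its documentation, of how the map lookups described above behave when a field is configured as "Referenced from Map": each map is keyed on the listed key columns (including TenantName, so the same IP in two tenants resolves to two different assets), and the non-key columns are copied onto the event for every role the key is mapped to (Initiator and Target for users; Initiator, Target, Observer, and Reporter for hosts). The CSV column names, the event field names, and the role-prefixed output names are assumptions chosen for the example; the sample map rows are constructed.

```python
import csv
import io

# Constructed sample Identity map (assumed column layout; not Sentinel's real
# identityAccountMap.csv). Key columns: user_name, domain, tenant.
IDENTITY_MAP_CSV = """user_name,domain,tenant,identity_guid,full_name,department,workforce_id,email
alice,corp,TenantA,id-0001,Alice Example,Finance,W1001,alice@example.test
bob,corp,TenantA,id-0002,Bob Example,IT,W1002,bob@example.test
"""

# Constructed sample Asset map (assumed column layout; not Sentinel's real
# asset.csv). Key columns: ip, tenant. The same IP appears in two tenants.
ASSET_MAP_CSV = """ip,tenant,host_guid,function,class,department,criticality
10.0.0.5,TenantA,host-0001,database,server,Finance,high
10.0.0.5,TenantB,host-0002,workstation,client,Sales,low
"""

IDENTITY_KEYS = ("user_name", "domain", "tenant")
ASSET_KEYS = ("ip", "tenant")


def load_map(csv_text, key_columns):
    """Build a dict keyed on the tuple of key columns; values are the
    remaining (non-key) columns that get added to a matching event."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = tuple(row[c] for c in key_columns)
        table[key] = {c: v for c, v in row.items() if c not in key_columns}
    return table


def enrich_event(event, identity_map, asset_map):
    """Return a copy of the event with map data added. Users are looked up
    for the Initiator and Target roles, hosts for Initiator, Target,
    Observer, and Reporter, always scoped by the event's TenantName so one
    tenant's map rows never leak into another tenant's events."""
    out = dict(event)
    tenant = event.get("TenantName", "")

    for role in ("Initiator", "Target"):
        user = event.get(f"{role}UserName")
        domain = event.get(f"{role}UserDomain")
        if user and domain:
            hit = identity_map.get((user, domain, tenant))
            if hit:
                for col, val in hit.items():
                    out[f"{role}User_{col}"] = val

    for role in ("Initiator", "Target", "Observer", "Reporter"):
        ip = event.get(f"{role}IP")
        if ip:
            hit = asset_map.get((ip, tenant))
            if hit:
                for col, val in hit.items():
                    out[f"{role}Host_{col}"] = val
    return out


def demo():
    identity_map = load_map(IDENTITY_MAP_CSV, IDENTITY_KEYS)
    asset_map = load_map(ASSET_MAP_CSV, ASSET_KEYS)
    # Constructed event: alice (TenantA) connects to 10.0.0.5; the observer
    # host 192.0.2.9 is deliberately absent from the Asset map.
    event = {
        "TenantName": "TenantA",
        "InitiatorUserName": "alice",
        "InitiatorUserDomain": "corp",
        "TargetIP": "10.0.0.5",
        "ObserverIP": "192.0.2.9",
    }
    return enrich_event(event, identity_map, asset_map)


if __name__ == "__main__":
    for k, v in sorted(demo().items()):
        print(f"{k} = {v}")
```

Unmatched keys add nothing, so a missing map row is visible as an absent field rather than as an empty string, which is easier to alert on in downstream correlation rules.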

NOTE: For map files that have a large number of entries, the map.h2.db file in the /var/opt/novell/sentinel/tmp directory may grow in size before it eventually stops growing. For example, when the IP2Location Feed plug-in updates the IpToCountry.csv file, the map.h2.db file may grow to 20 to 25 GB.