7.4 Adding Map Definitions

  1. Access the map definitions.

    For more information, see Section 7.3, Accessing Map Definitions.

  2. Click Add, then use the following information to create the map definition:

    Name: Specify the name of the map definition.

    File Name: Select whether the file is local or remote, then browse to and select your map definition.

    • Local File: Allows you to browse for your file on your local file system (on the machine where Sentinel Control Center was launched).

    • Remote File: Allows you to select from existing map source data files on the Sentinel server. The remote file points to /var/opt/novell/sentinel/data/map_data.

    Map Definition: Use the following information to define the map. As you configure each setting and filter, the data preview is automatically updated to allow you to preview your data and ensure your data is being parsed as expected.

    • Delimiter: Character used to separate the data into rows in the map data source file. Usually a comma, but other delimiters such as pipe, tab, and semicolon are supported. You can also specify other delimiters in the Other field.

    • Start at row: Some input map files contain header rows that do not contain real data. This option specifies the number of rows to skip from the top of the map data source file.

    • Column names: Specify the column names. These names are used later to configure which columns are matched against event fields and which columns are injected into event data.

    • Key columns: A key is a unique identifier for the row of data in the map data. If more than one column is selected as a key, then all event fields must match each of the corresponding selected key columns.

      When a column is set as a key, it does not appear in the Column drop-down field.

    • Column types: Specify the data type for the column. The currently supported data types are:

      • String: A string is treated as a simple sequence of characters, and can include any characters except the specified delimiter. Use strings for any data including numeric fields.

      • Number Range: A number range (NumberRange) is a range of numbers. For example, 10 through 200 is represented as 10-200. To use the range map functionality, a map definition must have only one key column and the key column must be of type NumberRange. If there are any other key columns, or if the key column is of a different type, the mapping service does not consider the map to be a range map. For more information, see Section 7.5, Adding a Number Range Map Definition.

    • Active columns: When a column is marked as active, the data in the column is distributed to processes using maps. All key columns must be active. Only active columns (but not key columns) can be selected as the Map Column under the Event Configuration tab.

    • Column filtering: A row can be explicitly included or excluded based on matching criteria for a particular column. This can be used to exclude rows from the map source data that are not needed or that interfere with your mapping.

  3. After you finish configuring all parameters and filters for the definition, click Finish.

  4. (Conditional) If you selected Local File above, you are prompted to upload your file. Specify a file name, then click OK.

You can set more than one column as a key if you do not want the map to be a Range Map (a Range Map can have only one key column, and that column's type must be NumberRange). For instance, with the column type set to String, the AttackId tag uses the DeviceName (name of the security device) and DeviceAttackName columns as keys and takes its value from the NormalizedAttackID column of the AttackNormalization map. In a row where the event's DeviceName matches the data in the Device map column and its DeviceAttackName matches the data in the AttackSignature map column, the value for AttackId is the value in the NormalizedAttackID column.
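As an added example (not Sentinel code), the following Python sketches how a map definition like the ones above is applied: it parses constructed map source data using the delimiter, start-at-row, column names, key columns, column types, active columns and column filtering settings described in step 2, then resolves an event's fields against the key columns, for both a two-key String map laid out like AttackNormalization and a single-key NumberRange range map. The function names, the sample rows and the PortRange map are assumptions for illustration.

```python
import csv
from io import StringIO
def load_map(source, columns, key_columns, active_columns, column_types=None,
             delimiter=",", start_at_row=0, row_filter=None):
    # Parse map source data per a map definition; returns (is_range_map, table).
    # A map is a range map only with exactly one key column of type NumberRange.
    column_types = column_types or {}
    is_range = (len(key_columns) == 1
                and column_types.get(key_columns[0]) == "NumberRange")
    rows = list(csv.reader(StringIO(source), delimiter=delimiter))[start_at_row:]
    table = [] if is_range else {}
    for fields in rows:
        row = dict(zip(columns, fields))
        if row_filter and not row_filter(row):
            continue  # column filtering: row explicitly excluded
        # only active columns that are not keys can be injected into an event
        values = {c: row[c] for c in active_columns if c not in key_columns}
        if is_range:  # "10-200" means 10 through 200 inclusive
            lo, hi = (int(x) for x in row[key_columns[0]].split("-", 1))
            table.append(((lo, hi), values))
        else:
            table[tuple(row[k] for k in key_columns)] = values
    return is_range, table

def lookup(map_table, event, event_fields, map_column):
    # Resolve map_column for an event; every key column must match.
    is_range, table = map_table
    if is_range:
        n = str(event.get(event_fields[0], ""))  # non-numeric values never match a range
        return next((v[map_column] for (lo, hi), v in table
                     if n.isdigit() and lo <= int(n) <= hi), None)
    # String keys are exact character sequences, so "80" does not match "080"
    hit = table.get(tuple(str(event.get(f, "")) for f in event_fields))
    return hit[map_column] if hit else None
# Constructed sample data (not a Sentinel file), laid out like the AttackNormalization map above.
ATTACK_SOURCE = """Device,AttackSignature,NormalizedAttackID,Status
Snort,ET SCAN Port Sweep,NA-1001,active
PaloAlto,SQL Injection Attempt,NA-2002,active
PaloAlto,Old Rule,NA-9999,retired
"""
ATTACK_MAP = load_map(ATTACK_SOURCE, ["Device", "AttackSignature", "NormalizedAttackID", "Status"],
                      key_columns=["Device", "AttackSignature"], start_at_row=1,
                      active_columns=["Device", "AttackSignature", "NormalizedAttackID"],
                      row_filter=lambda r: r["Status"] != "retired")
# Constructed pipe-delimited range map: one key column of type NumberRange.
PORT_SOURCE = "1-1023|well-known\n1024-49151|registered\n49152-65535|dynamic\n"
PORT_MAP = load_map(PORT_SOURCE, ["PortRange", "PortClass"], key_columns=["PortRange"],
                    active_columns=["PortRange", "PortClass"],
                    column_types={"PortRange": "NumberRange"}, delimiter="|")
```

Calling lookup(ATTACK_MAP, event, ["DeviceName", "DeviceAttackName"], "NormalizedAttackID") mirrors the AttackId resolution described above, and the retired row is dropped by the filter so it never matches.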