7.9 Using Maps for Event Configuration

After you have created a map, you must decide where the mapped data is injected into the event. You must configure each event to use mapping:

  1. Access the Configuration tab in the Sentinel Control Center.

    For more information, see Section 1.2.1, Accessing the Sentinel Control Center.

  2. Click Event Configuration in the navigation pane.

    or

    In the toolbar, click Configuration > Event Configuration.

  3. Select an entry from the Event Columns, then use the following information to configure the event using a map:

    Name: Displays the name of the event ID selected in the Event Columns field.

    Referenced from Map: Click Referenced from Map to configure the event ID to be populated with data from a map.

    The default option of External keeps the value the Collector put in the event ID (if any).

    Map Name: Click the Map Name drop-down list, then select one of the available maps.

    The maps listed are the default maps or a map you have created.

    Map Column: Click the Map Column field drop-down list, then select a Map Column name.

    Depending on your Map Name choice in the previous step, these values vary.

    • All other choices: Names of active columns within the map definition that are not set as a key (for example, CustomerId column in Asset or NormalizedAttackId column in AttackNormalization)

    • _EXIST_ : This is a special Map Column that exists in every map. If this Map Column is selected, a 1 is placed in the event ID if the key is in the map data. If the key is not in the map data, a 0 is placed in the event ID.

    Key Configuration: For each row in the table, select the event ID in the Event ID column that is matched against the map key column specified in the corresponding Map Key Field column. The rows in the Key Configuration table depend on the Map Name selected.

    A key is a unique identifier for the row of data in the map data.

  4. Click Apply.

    Clicking Apply saves the changes you made for the currently selected event column in a temporary buffer. If you don't click Apply, the changes you made to the previously selected event column are lost when you select a different event column. Changes aren't saved to the server until you click Save.

  5. If you want to edit the event mapping of another event column, repeat the steps above. Remember to click Apply after editing the event mapping of each event column.

  6. Click Save.

    Clicking Save saves your changes to the server. The save function saves all changes stored in the temporary buffer when you clicked Apply.
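
The following sketch models the lookup that the settings in step 3 describe, so you can see how External, a regular Map Column, and _EXIST_ differ on a key hit and a key miss. It is an added example, not Sentinel code: the map contents, the event field names, and the functions `load_map` and `apply_mapping` are hypothetical, and returning an empty value when a regular Map Column misses is an assumption (the text above specifies miss behavior only for _EXIST_).

```python
import csv
import io

# Constructed sample map data (hypothetical map with a two-column key).
MAP_CSV = """ip,customer,owner,criticality
10.0.0.5,acme,alice,high
10.0.0.9,acme,bob,low
"""
KEY_COLUMNS = ("ip", "customer")  # columns set as keys in the map definition


def load_map(text, key_columns):
    """Index map rows by key tuple; a key uniquely identifies one row."""
    index = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = tuple(row[c] for c in key_columns)
        if key in index:
            raise ValueError(f"duplicate key in map data: {key}")
        index[key] = row
    return index


def apply_mapping(event, index, config):
    """Return a copy of event with each configured field populated.

    config: target event field -> None (External), or
    (map_column, {map key column: event field}) (Referenced from Map).
    """
    out = dict(event)
    for target, setting in config.items():
        if setting is None:  # External: keep the Collector's value, if any
            continue
        map_column, key_config = setting
        if map_column in KEY_COLUMNS:
            raise ValueError("key columns are not selectable as Map Column")
        key = tuple(event.get(key_config[c], "") for c in KEY_COLUMNS)
        row = index.get(key)
        if map_column == "_EXIST_":  # 1 if the key is in the map data, else 0
            out[target] = "1" if row is not None else "0"
        else:  # assumption: a miss on a regular column yields an empty value
            out[target] = row[map_column] if row is not None else ""
    return out


if __name__ == "__main__":
    keys = {"ip": "src_ip", "customer": "tenant"}  # Key Configuration rows
    config = {"note": None, "owner": ("owner", keys), "known": ("_EXIST_", keys)}
    event = {"src_ip": "10.0.0.5", "tenant": "acme", "note": "from collector"}
    print(apply_mapping(event, load_map(MAP_CSV, KEY_COLUMNS), config))
```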