

Set Direct Mappings

Direct mappings set 1-1 correspondences between a native event and a single refined event value. Thus, it is best to use direct mappings only for default values, or common values that rarely change, such as the ideal_model field.

A mapping can be set to derive a refined event value in the following ways:

Text value

Sets specific text for a specific CEG field. This value appears each time an appropriate event is mapped. For example, setting the CEG ideal_model field to "Firewall" results in the ideal_model field displaying "Firewall" for all rules that contain that mapping.

Field value

Sets a raw event field whose content is included for a specific CEG or parsed field. A field value is distinguished from a text value by prefacing the value with a dollar sign, $. For example, setting the CEG event_logname field to "$Log" results in any event mapped displaying whatever text appears in the native event Log field.

To set direct mappings

  1. Open the mapping file wizard, enter a name and select a Logname for the mapping file, and advance to the Direct Mappings step.

    The Direct Mappings screen appears, displaying current or default mappings. The Name column shows the CEG or parsed field name. The Value column shows either a text value or a field value.

    Note: Select a parsing file in the Provide Sample Events step for parsed field values to appear.

  2. Click Add Direct Mapping to add a new mapping entry at the bottom of the table and then select it, or select a current direct mapping to edit.

    The direct mappings for the field, if any, appear in the Mapping Details area.

  3. Select a CEG field or parsed event field, if available, to map to from the Field drop-down menu. When you begin typing, the auto-complete feature narrows the list of available CEG fields.
  4. Enter a new value in the Add Value entry field, and click Add Direct Mapping next to it. Precede the value with "$" to denote a field value rather than a text value.

    The value appears in the Selected Fields area.

  5. (Optional) You can enter multiple direct mappings for a single field, using the up and down arrows to set the order in which the DM file considers them. The refined event displays the last direct mapping located by the DM file.

    Note: Adding multiple values decreases performance of the mapping, so use this feature conservatively.

  6. (Optional) Use the shuttle control to move unneeded values to the Available Fields area to prevent them from being considered for the current mapping.
  7. When you have added all the direct mappings you want, click the appropriate arrow to advance to the wizard step you want to complete next, or click Save and Close.

If you click Save and Close, the new file appears in the Mapping File User folder; otherwise, the step you select appears.
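The following Python model is an added illustration, not the product's own code, of how the text values, $-prefixed field values, and ordered multiple mappings described above resolve into a refined event. The native fields Host and Computer and the refined field source_hostname are assumed sample names; ideal_model, event_logname and $Log come from this page.

```python
# Illustrative model of direct-mapping resolution (not CA product code).
# Assumptions: a native event is a flat dict of field name -> string, and a
# direct mapping file is an ordered list of (refined_field, value) pairs in
# the order set with the wizard's up/down arrows. A value prefixed with "$"
# is a field value (copied from the named native field); any other value is
# a text value. When several mappings exist for one refined field, the last
# mapping whose value can be located wins, as step 5 describes.

def resolve_value(value, native_event):
    """Return the refined value for one mapping, or None if it cannot be located.

    "$Log"     -> contents of native field "Log" (None if absent or empty)
    "Firewall" -> the literal text "Firewall"
    """
    if value.startswith("$"):
        return native_event.get(value[1:]) or None
    return value

def apply_direct_mappings(mappings, native_event):
    """Build the refined event from an ordered list of (field, value) mappings."""
    refined = {}
    for field, value in mappings:
        resolved = resolve_value(value, native_event)
        if resolved is not None:
            # A later located mapping for the same field overwrites an earlier
            # one, so the refined event shows the last mapping that was found.
            refined[field] = resolved
    return refined

# Constructed sample data for demonstration only (field names are assumed).
SAMPLE_MAPPINGS = [
    ("ideal_model", "Firewall"),        # text value: constant for every event
    ("event_logname", "$Log"),          # field value: copied from native "Log"
    ("source_hostname", "$Host"),       # first candidate for the host name
    ("source_hostname", "$Computer"),   # last located candidate wins if present
]

SAMPLE_EVENT = {"Log": "Security", "Host": "fw01", "Message": "ACCEPT tcp 10.0.0.5"}

if __name__ == "__main__":
    print(apply_direct_mappings(SAMPLE_MAPPINGS, SAMPLE_EVENT))
```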