Direct mappings set one-to-one correspondences between a native event and a single refined event value. Thus, it is best to use direct mappings only for default values, or for common values that rarely change, such as the ideal_model field.
A mapping can be set to derive a refined event value in the following ways:
Sets specific text for a specific CEG field. This value appears each time an appropriate event is mapped. For example, setting the CEG ideal_model field to "Firewall" results in the ideal_model field displaying "Firewall" for all rules that contain that mapping.
Sets a raw event field whose content is included for a specific CEG or parsed field. A field value is distinguished from a text value by prefacing the value with a dollar sign, $. For example, setting the CEG event_logname field to "$Log" results in any event mapped displaying whatever text appears in the native event Log field.
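The two value forms described above (literal text versus a $-prefixed reference to a native event field), as an added illustration that is not CA's own code; the native event, mapping table, and field names below are constructed for the example:

```python
# Added illustration of direct-mapping semantics; not CA's code.
# The native event and the mapping table are constructed sample data.
from typing import Dict, Optional

# Constructed native event as a parser might emit it: field name -> content.
NATIVE_EVENT = {
    "Log": "Security",
    "EventID": "4624",
    "Computer": "host01.example.test",
}

# Constructed direct-mapping table: CEG field -> literal text or "$NativeField".
DIRECT_MAPPINGS = {
    "ideal_model": "Firewall",       # literal text: identical for every mapped event
    "event_logname": "$Log",         # field value: copy the native Log field
    "source_hostname": "$Computer",  # field value (assumed CEG field name)
    "event_category": "$Missing",    # reference to a field this event does not carry
}


def resolve_value(value: str, native_event: Dict[str, str]) -> Optional[str]:
    """Return the refined value for one mapping entry.

    A value prefixed with '$' names a native event field and resolves to that
    field's content (None when the native event has no such field); any other
    value is literal text and is emitted unchanged.
    """
    if value.startswith("$"):
        return native_event.get(value[1:])
    return value


def apply_direct_mappings(mappings: Dict[str, str],
                          native_event: Dict[str, str]) -> Dict[str, str]:
    """Build the refined event fields, skipping references that do not resolve."""
    refined = {}
    for ceg_field, value in mappings.items():
        resolved = resolve_value(value, native_event)
        if resolved is not None:
            refined[ceg_field] = resolved
    return refined


if __name__ == "__main__":
    for field, val in apply_direct_mappings(DIRECT_MAPPINGS, NATIVE_EVENT).items():
        print(f"{field} = {val}")
```

Unresolved references are dropped rather than emitted as the literal string "$Missing", so a misspelled native field name shows up as an absent CEG field when you review the mapped output.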
To set direct mappings
The Direct Mappings screen appears, displaying current or default mappings. The Name column shows the CEG or parsed field name. The Value column shows either a text value or a field value.
Note: Select a parsing file in the Provide Sample Events step for parsed field values to appear.
The direct mappings for the field, if any, appear in the Mapping Details area.
The value appears in the Selected Fields area.
Note: Adding multiple values decreases the performance of the mapping, so use this feature conservatively.
If you click Save and Close, the new file appears in the Mapping File User folder, otherwise the step you select appears.
Copyright © 2013 CA.
All rights reserved.