Field Mapping for Security Event Sources
This topic has information about creating field mappings for messages that you want to be processed by normalized threat rules.
CSE provides built-in normalized threat rules for processing messages that describe security events that have already occurred. These rules address a range of threat types, such as intrusion, malware, and so on. The rules are normalized so that the same rule can evaluate messages from multiple data log sources. For example, a single rule could handle messages from multiple products that detect malware, for example Antivirus Appliances, Trend Micro Antivirus, and Symantec Endpoint Protection Scanning/Antivirus.
To ensure that the appropriate threat rule or rules are applied to a message, there are certain log mapping requirements for the following schema attributes:
threat_ruleType
—This attribute should be populated for messages that describe security events that have already occurred. Messages that don’t include security event detection should not map this attribute. See the field mapping instructions for each threat type in the sections below.threat_name
—The value you map to this attribute depends on the value of thethreat_ruleType
in the mapping. See the field mapping instructions for each threat type in the sections below.threat_signalName
—This attribute is used by some normalized rules as an element of the names for Signals the rule generates, so that the rule generates different signal names for different products.normalizedSeverity
—The value you map to this attribute depends on the value of thethreat_ruleType
in the mapping. See the field mapping instructions for each threat type in the sections below.
Field mappings for intrusion events
In the Field Mappings section of the log mapper, map these attributes.
Attribute | Mapping instruction |
---|---|
threat_ruleType | Map to the value “intrusion”. |
threat_name | Map to the intrusion system’s signature name. |
normalizedSeverity | Map to the severity value from the message. |
Field mappings for malware events
In the Field Mappings section of the log mapper, map these attributes.
Attribute | Mapping instruction |
---|---|
threat_ruleType | Map to the value “malware”. |
threat_name | Map to the antivirus signature or virus name, for example “Trojan.Crypt”. |
normalizedSeverity | Map to the severity value from the message. |
Field mappings for direct events
In the Field Mappings section of the log mapper, map these attributes.
Attribute | Mapping instruction |
---|---|
threat_ruleType | Map to the value “direct”. |
threat_signalName | Map this to the field or fields that should be used as the name of Signal generated for a message. You can do this with a standard field mapping. If you want to map to a formatted combination of message fields, use a format field mapping. Note When the built-in Normalized Security Signal rule fires a Signal, the Signal name will be the value of threat_signalName, resulting in Signal names of this form: {threat_signalName} |
threat_name | Map to the alert name contained in the message. |
normalizedSeverity | Map to the severity field in the message. Note that in CSE, severity is a value from 0 (lowest) to 10 (highest). If the severity range used in the message is not 0 to 10, you can translate the value from the message using a lookup mapping. For example, if the message source uses severities 1 to 5, you could translate the values like this: '1': '2' '2': '4' '3': '6' '4': '8' '5': '10' You can also define a default severity value that will apply if apply if a message doesn’t contain a severity value. |