How to populate event fields in event summary

shubhamagar · 11-17-2024 03:29 AM

How below event fields like , Name, Type, Source/PRODUCT PORT and OUTCOME , TIME fields are mapped ?

1. are these mapped from "ontology" ?

2. are these mapped via "Parameters" option while running/configuring the connector ?

3. are specific event list keys like "event_type" etc are mapped to them automatically, if yes, where this mapping can be found ?

hzmndt

This tab showing raw event data

https://cloud.google.com/chronicle/docs/soar/investigate/working-with-alerts/alert-events-tab

The Events tab displays raw data of the selected event and is only displayed if there is an event connected to the case.

shubhamagar

Hii @hzmndt

Is value in these fields depend on any parameter which can be sent as event key while loading an event through a custom written connector ?

ddiserens

@shubhamagar so several of the fields you are referring to are set within the ontology mapping which you can find by clicking on a Case -> Events Tab -> Clicking gear next to the event you want to map.

by clicking configure event it will take you to the ontology page where you can set visual family along with mapping.

In here you will see several key names in the system section along with all the entities. Setting these values will effect what you see in the Alert.

There are a couple of fields that get set within the connector. (i.e. Source, Product, Event Type) Those are set within the connector.

The fields that set those typically are the two at the bottom of the screenshot:
Product Field Name, Event Field Name.

Source is normally hard coded within the connector code / integration.