Hey,
A quick explanation: we have clients with different SIEMs, and for each client different fields.
For example, one rule has "Username", and the other "user", "srcusr", "account", etc.
This causes some hard times when mapping the ontology entities.
I noticed that event fields can be edited (Edit Properties Metadata > Display name, system name, etc.).
From the events page I cannot edit the system name, only the Display name. But on the ontology page I still see only the actual system name.
Is there a way to map these multiple similar fields so that they all present as only one field on the ontology page? For the example above, only "User Name"?
Or another example: SrcIP, src IP, src_ip > "Source IP".
Starting to change that on the SIEM platforms can take a while and a lot of manpower.
The platform supports 3 names for each field (the original and 2 fallbacks), PER alert type, i.e. "source > product > alert type". Mappings at the Source (typically the SIEM) are then filtered down unless you have other names at Product or Alert level, where a config here overrides. This means you actually have lots more than 3 overall from the technology.
If you have more than this you might have to revisit the SIEM to either duplicate fields or remap them.
Andy
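To make the override order in Andy's answer concrete, here is an added illustration in Python. It is not the platform's code and does not use its API; it models one reading of the description: each ontology field gets at most three names (original plus two fallbacks) per level, the levels are source, product and alert type, and a more specific level replaces (rather than merges with) the list from a less specific one. The source name "siem-a", the product "edr", the alert types and the sample events are all constructed for the example.

```python
"""Model of per-level field-name fallbacks with source > product > alert-type
override. Added example, not the platform's own code; all names are made up."""

MAX_NAMES = 3  # original + 2 fallbacks per ontology field, per level


class FieldMapper:
    def __init__(self):
        # One table per level, keyed by an increasingly specific scope tuple:
        #   source:  (source,)
        #   product: (source, product)
        #   alert:   (source, product, alert_type)
        # Each value is {ontology_field: [name, fallback1, fallback2]}.
        self._levels = {"source": {}, "product": {}, "alert": {}}

    def set_names(self, level, scope, ontology_field, names):
        """Register the raw field names to try for one ontology field,
        most preferred first. Enforces the 3-names-per-level limit."""
        if level not in self._levels:
            raise ValueError(f"unknown level {level!r}")
        if not 1 <= len(names) <= MAX_NAMES:
            raise ValueError(
                f"{ontology_field!r} at {level} level has {len(names)} names; "
                f"the limit is {MAX_NAMES} (original + 2 fallbacks)")
        self._levels[level].setdefault(tuple(scope), {})[ontology_field] = list(names)

    def _scopes(self, source, product, alert_type):
        # Most specific first: alert-type config beats product beats source.
        return (("alert", (source, product, alert_type)),
                ("product", (source, product)),
                ("source", (source,)))

    def candidates(self, source, product, alert_type, ontology_field):
        """Names to try for one ontology field. The first level (most specific)
        that defines the field wins outright; lower levels are not merged in
        (assumption about how the override behaves)."""
        for level, scope in self._scopes(source, product, alert_type):
            names = self._levels[level].get(scope, {}).get(ontology_field)
            if names:
                return names
        return []

    def ontology_fields(self, source, product, alert_type):
        """All ontology fields configured at any level for this scope."""
        fields = set()
        for level, scope in self._scopes(source, product, alert_type):
            fields.update(self._levels[level].get(scope, {}))
        return sorted(fields)

    def resolve(self, source, product, alert_type, event):
        """Map one raw event to ontology fields. Returns (mapped, unresolved);
        anything in `unresolved` is a field whose raw name is not among the
        three tried at the winning level, i.e. a candidate for remapping or
        duplicating on the SIEM side."""
        mapped, unresolved = {}, []
        for f in self.ontology_fields(source, product, alert_type):
            for name in self.candidates(source, product, alert_type, f):
                if name in event:
                    mapped[f] = event[name]
                    break
            else:
                unresolved.append(f)
        return mapped, unresolved


def demo():
    m = FieldMapper()
    # Source-level config for a SIEM that emits several spellings.
    m.set_names("source", ("siem-a",), "User Name", ["Username", "user", "srcusr"])
    m.set_names("source", ("siem-a",), "Source IP", ["SrcIP", "src IP", "src_ip"])
    # One alert type uses "account". Its alert-level list overrides the
    # source-level list entirely, so "srcusr" is no longer tried for it.
    m.set_names("alert", ("siem-a", "edr", "lateral-movement"), "User Name",
                ["account", "Username", "user"])

    events = [  # constructed sample events: (alert_type, raw event)
        ("brute-force", {"srcusr": "alice", "src_ip": "10.0.0.5"}),
        ("lateral-movement", {"account": "bob", "SrcIP": "10.0.0.9"}),
        ("lateral-movement", {"srcusr": "carol", "src_ip": "10.0.0.7"}),
    ]
    return [m.resolve("siem-a", "edr", alert_type, ev) for alert_type, ev in events]


if __name__ == "__main__":
    for mapped, unresolved in demo():
        print(mapped, "unresolved:", unresolved)
```

The third sample event is the case the thread is about: once an alert-level list exists, a fourth spelling ("srcusr" here) that only the source level knew about no longer resolves, so "User Name" comes back in the unresolved list and has to be handled on the SIEM side.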
You should be able to use an alternative field.
Will that work for what you are trying to do?
No, 2 alternatives are not enough.