A map is a collection of keys and their associated values defined in a CSV or text file. You can enrich your data by using maps to add information to the events arriving from a source device; the added fields are then available for correlation and reporting.
You can create your custom maps in addition to the default maps available. You can use event mapping, which allows you to add additional data to an event by using data already present in the event and by referencing and pulling data from an outside source. For more information, see Event Configuration and Event Mapping.
NOTE: In order to do mapping, your configuration.xml file must point to a communication server that has DAS_Binary and DAS_Core connected to it. This is normally the case by default, as long as the communication server and the DAS processes are running.
The Map Data Configuration tab is where maps are managed. Mapping works together with the Referenced from Map Data Source setting for individual fields under Event Configuration. A map key can be matched either as an exact string or as a number range. The following default maps are available:
AccountIdentity: Contains information about identities and the accounts associated with them. The keys are UserName, UserDomain, and CustomerName (for MSSPs). This map is populated from information in the Account and Identity tables in the Sentinel database.
Asset: Contains the data from the map data source file asset.csv. The asset.csv is automatically generated from asset data from Sentinel Database when an asset Collector is run. This file can also be populated manually. The keys are PhysicalAssetName and CustomerName (for MSSPs).
AssetToRegulation: Contains the data from the map data source file AssetToRegulation.csv. This file must be populated manually.
CustomerHierarchy: Generally used by Managed Security Service Providers (MSSPs). This map can be used to organize customers into a four-level hierarchy. It contains data from the customerhierarchy.csv file, which must be populated manually. The key is CustomerName.
IpToCountry: Contains the data from the IpToCountry.csv map data source file. This file must be populated manually.
IsExploitWatchlist: Contains the data from the exploitDetection.csv map data source file (vulnerabilities and threats). The exploitDetection.csv file is automatically generated from Advisor and Vulnerability data in the Sentinel Database whenever an Advisor feed completes or a vulnerability Collector is run. The keys are IP, AttackName, DeviceName, and CustomerName (for MSSPs).
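To make the two lookup styles concrete, the following is an added example (not Sentinel's own code, and not Sentinel's on-disk CSV layout, which is an assumption here): one string-keyed map in the spirit of AccountIdentity, keyed on UserName plus UserDomain, and one number-range map in the spirit of IpToCountry, keyed on an IP range. Both map files and the sample events are constructed inline. The loader rejects overlapping or inverted ranges and reports duplicate string keys, since either would make enrichment ambiguous.

```python
import csv
import io
import ipaddress
from bisect import bisect_right

# Constructed sample of a string-keyed map (AccountIdentity-like).
# Column names are assumptions for this example, not Sentinel's format.
IDENTITY_CSV = """UserName,UserDomain,FullName,Department
jdoe,CORP,Jane Doe,Finance
svc_backup,CORP,Backup Service,IT
"""

# Constructed sample of a number-range map (IpToCountry-like).
# Start/end columns are assumptions for this example.
IP_TO_COUNTRY_CSV = """RangeStart,RangeEnd,Country
10.0.0.0,10.0.255.255,Internal-LabA
192.0.2.0,192.0.2.255,Country-X
198.51.100.0,198.51.100.127,Country-Y
"""


def load_string_map(text, key_fields):
    """Build {(key1, key2, ...): {other columns}}; keys are case-folded.
    Duplicate keys are reported rather than silently shadowed."""
    table, duplicates = {}, []
    for row in csv.DictReader(io.StringIO(text)):
        key = tuple(row[k].strip().lower() for k in key_fields)
        if key in table:
            duplicates.append(key)
        table[key] = {k: v for k, v in row.items() if k not in key_fields}
    return table, duplicates


def load_range_map(text):
    """Build a list of (start_int, end_int, values) sorted by start so lookups can bisect.
    Inverted or overlapping ranges are rejected up front."""
    ranges = []
    for row in csv.DictReader(io.StringIO(text)):
        start = int(ipaddress.ip_address(row["RangeStart"].strip()))
        end = int(ipaddress.ip_address(row["RangeEnd"].strip()))
        if start > end:
            raise ValueError(f"inverted range {row['RangeStart']}-{row['RangeEnd']}")
        values = {k: v for k, v in row.items() if k not in ("RangeStart", "RangeEnd")}
        ranges.append((start, end, values))
    ranges.sort(key=lambda r: r[0])
    for (_, e1, _), (s2, _, _) in zip(ranges, ranges[1:]):
        if s2 <= e1:
            raise ValueError("overlapping ranges in map")
    return ranges


def lookup_range(ranges, ip):
    """Return the values of the range containing ip, or None if no range matches
    (or ip is not a valid address)."""
    try:
        n = int(ipaddress.ip_address(ip))
    except ValueError:
        return None
    starts = [r[0] for r in ranges]
    i = bisect_right(starts, n) - 1
    if i >= 0 and ranges[i][0] <= n <= ranges[i][1]:
        return ranges[i][2]
    return None


def enrich(event, identity_map, ip_ranges):
    """Copy the event and add map values; fields absent from the maps stay absent."""
    out = dict(event)
    key = (event.get("InitUserName", "").lower(), event.get("InitUserDomain", "").lower())
    out.update(identity_map.get(key, {}))
    hit = lookup_range(ip_ranges, event.get("SourceIP", ""))
    if hit:
        out["SourceCountry"] = hit["Country"]
    return out


if __name__ == "__main__":
    identities, dups = load_string_map(IDENTITY_CSV, ("UserName", "UserDomain"))
    ip_ranges = load_range_map(IP_TO_COUNTRY_CSV)
    event = {"InitUserName": "JDoe", "InitUserDomain": "corp", "SourceIP": "192.0.2.77"}
    print(enrich(event, identities, ip_ranges))
```

The string lookup case-folds both sides of the key so that CORP\jdoe and corp\JDoe resolve to the same identity row; the range lookup converts addresses to integers and bisects, which is the usual way a number-range key is matched.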
To view maps in the GUI:
Navigate to the Admin tab and select Map Data Configuration from the Navigation pane, or click the Map Data Configuration button.
The main Mapping GUI displays a listing of all of the maps that have been defined for the system.
NOTE: Default Sentinel maps cannot be edited or deleted.