Overview
Sigma rule translations in the SOC Prime Platform are based on the standard data schema of a corresponding SIEM, EDR, or XDR solution. Accordingly, if non-standard tables/indexes or fields are used in the Data Plane, translated rules require customization.
Customizing tables/indexes, field names, or field values in the rule code manually is a tedious task prone to errors. That's why we provide capabilities for configuring Custom Field Mapping profiles where you can specify all relevant custom tables/indexes, field names, or field values and map them to the default ones. Create a profile once, and apply it on the fly each time you deploy a rule or send a query to your Data Plane. You can create multiple profiles and share them with your teammates.
There are three types of custom field mapping profiles:
My — created by you
Company — created by you or your teammates and shared to all users across your organization
Global — created by the SOC Prime Team and shared with your organization. These profiles can only be viewed or copied
How to Find Out What Fields are Used in Your SIEM
If you are not sure what tables and fields are used in the data schema of your SIEM/EDR/Data Lake, follow the instructions below to retrieve this information automatically. We're working to add similar instructions for more security platforms.
If your subscription plan includes an account manager, contact them to request help with identifying your fields and defining a mapping profile.
Splunk
Execute this query in the Search panel:
| tstats count where index=* groupby index,sourcetype,_time span=24h | table index, sourcetype | dedup index, sourcetype | map maxsearches=1000 search="search index=$index$ sourcetype=$sourcetype$ earliest=-24h | stats values(*) AS * | transpose | eval index=\"$index$\", sourcetype=\"$sourcetype$\" | table column, index, sourcetype | rename column AS fieldname"
ElasticSearch / OpenSearch
Go to Dev tools in Kibana and execute this query:
GET */_mapping/field/*
Microsoft Sentinel
Execute the following queries in the Logs Search panel. The first query lists the tables that hold data in your workspace; run the second query once per table, replacing {table_name} with a table name from the first result, to list that table's columns:
union withsource = Tables *
| distinct Tables
{table_name} | getschema | project ColumnName
Where to Apply
You can apply Custom Field Mapping profiles:
On a rule's page to modify the translation of a particular Sigma rule.
Note:
If you've enabled the Make Default and Share to Company switches in a profile's settings, it will automatically apply to rules with a matching log source
If you need to make sure no mapping is applied, select None in the dropdown menu
If you manually select a profile in the dropdown menu, it is applied to the current rule regardless of the rule's log sources
In the Quick Hunt module. If you've enabled the Make Default switch in a profile's settings, it will automatically apply to rules with a matching log source.
Note
If you select the Default option in the dropdown, Custom Field Mapping profiles will be applied as follows:
If there are Custom Field Mapping profiles linked to the currently selected Data Plane
The profile that matches the log sources of the Sigma rule is applied
If there are several profiles that match the log sources of the Sigma rule, the most recently created/edited one is applied
If there are no Custom Field Mapping profiles linked to the currently selected Data Plane, the profile that is made default but not linked is applied as long as it matches the log sources of the Sigma rule
If there are neither profiles linked to the currently selected Data Plane nor profiles made default (or none of them matches the log sources of the Sigma rule), no mapping is applied
In Job settings in Automation to configure modifications applied to all Sigma rules associated with a particular Job
Note:
By default, the Use Default Custom Field Mapping based on Log Source checkmark is selected. In this case, the Custom Field Mapping is dynamically applied to content based on the log source products the content is intended for. For a Custom Field Mapping profile to be applied as part of this feature, it should have the Make Default and Share to Company switches enabled in its settings. The profiles are applied as follows:
If there are Custom Field Mapping profiles linked to the Data Plane selected in the Job settings
The profile that matches the log sources of the Sigma rule is applied
If there are several profiles that match the log sources of the Sigma rule, the most recently created/edited one is applied
If there are no Custom Field Mapping profiles linked to the Data Plane selected in the Job settings, the profile that is made default but not linked is applied as long as it matches the log sources of the Sigma rule
If there are neither profiles linked to the Data Plane selected in the Job settings nor profiles made default (or none of them matches the log sources of the Sigma rule), no mapping is applied
To show the Custom Field Mapping drop-down and select a single profile for all content linked to the Job or not to apply mapping at all, clear the Use Default Custom Field Mapping based on Log Source checkmark.
In Attack Detective. Link Data Planes you add to an Investigation to Custom Field Mapping profiles to apply mappings to queries with matching log sources. Note that Share to Company and Make Default settings have to be enabled in the linked profiles.
In Uncoder AI. Click the Gear icon next to the Translate button when translating from Sigma to open the settings menu. Select a Custom Field Mapping profile that will be applied during translation into the selected output language.
Create a Profile
To create a new Custom Field Mapping profile, click the Add Custom Field Mapping button and fill in the following sections.
Profile Details
Fill in the profile details:
Name your profile.
Enable the Share to Company switch if you'd like to make the profile available to your teammates. Note: Enabling this switch is also required to make the profile default.
Select the security platform for which the profile will be applied.
Optionally, select one or multiple Data Planes to link the profile to. The profile will be automatically applied to Sigma rule translations with the matching log source in Quick Hunt and Automation for the linked Data Planes.
Note:
After that, if you open any linked Data Plane's settings, you'll see the assigned Custom Field Mapping profile in the Default Custom Field Mappings field.
If you'd like to link multiple Custom Field Mapping profiles to a single Data Plane, you can do it in the Default Custom Field Mappings field in the Data Plane's settings.
Log Source
Select one or multiple log source products for which the profile is intended and will be applied automatically (if the Make Default and Share to Company switches are enabled). Click the Select Log Source field, start typing a product name and select it from the suggested options.
Alternatively, you can switch to the Sigma tab and set the Sigma Product, Service, and Category that define log sources for which the profile will be applied automatically (if the Make Default and Share to Company switches are enabled). These are advanced settings intended for users well-acquainted with Sigma. To enter a value, click on a field, type the value and click on the entered name to add it. Each field can have multiple values.
If you fill the Sigma tab, the following logic is used to match the selected values with parameters of Sigma rules to apply the mapping: any of Sigma products AND any of Sigma categories AND any of Sigma services.
Note:
You can define log sources either on the Log Source tab or on the Sigma tab. When you fill in one tab, the other is cleared.
Choose if you want to make the profile default. A default profile is applied automatically on a content item page and in Quick Hunt to the content for the selected platform suitable for the specified log source product (or Sigma Product, Service, and Category). Also, it is applied as part of the Use Default Custom Field Mapping based on Log Source feature in Automation.
Note:
To make the profile default, you also need to enable the Share to Company switch.
Mapping Configuration
Provide custom names used in the Data Plane for log source location (indices, tables, etc.), fields, or values. Select the corresponding tab and indicate the default and custom names. For a limited number of products, default names are suggested in the dropdown.
Source
The exact name of this tab depends on the selected platform since we use the native names of the log data locations for Microsoft Sentinel, Elastic Stack, and Splunk:
Microsoft Sentinel: Table
Elastic Stack and Splunk: Index
Other platforms: Source
Click on the DEFAULT SOURCE field and type the default name of the location (index, table, etc.) where logs of the indicated product are stored. This is the name used in a standard data schema. When finished typing, click on the entered name to add it.
For some security platforms, this field is predefined. In the predefined values, an asterisk (*) is used as a wildcard standing for any number of characters.
Click on the CUSTOM SOURCE field and type the custom name of the log location. This is the name used in your actual Data Plane. When finished typing, click on the entered name to add it.
You can add multiple custom source names. In this case, the added names are combined with an OR operator in the rule's code.
Note:
For Splunk, the tab contains three field pairs.
Index. Use it to customize the values of the index field. If you leave the DEFAULT VALUE empty or set it to * and fill in the CUSTOM VALUE, any value of the index field will be replaced with the CUSTOM VALUE input. If the DEFAULT VALUE is filled and the CUSTOM VALUE is empty, the specified index will be removed from the code (if you set the DEFAULT VALUE to *, any index will be removed). If you use the new field name=new field value pattern in the CUSTOM VALUE (leaving the DEFAULT VALUE empty), both the name of the field (index) and its value will be replaced.
Source. Use it to customize the values of the source field. The same logic applies as to Index.
Other Field & Value. Use it to customize the name of any other field and optionally assign it a static custom value. If you indicate a default field name in the DEFAULT VALUE and use the custom field name=custom field value pattern in the CUSTOM VALUE, both the name of the field and its value will be replaced.
The * wildcard does not work in this field.
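The Index/Source rules above, modelled in a small Python function. This is an added example, not SOC Prime's own code: it assumes the Splunk search is a flat list of key=value tokens and that the CUSTOM VALUE inputs arrive as a list (several values are combined with OR, as described for custom source names).

```python
import re

# Added example, not SOC Prime code: a model of the Index/Source pair rules
# applied to a Splunk search string. It assumes the search is a flat list of
# key=value tokens (index=main sourcetype=... EventCode=...).
TOKEN = re.compile(r'\b(index|source)=("[^"]*"|\S+)')

def rewrite_splunk_source(query, field, default_value, custom_values):
    """Apply one Index or Source mapping pair.

    field:         'index' or 'source'
    default_value: DEFAULT VALUE input; '' or '*' matches any value
    custom_values: list of CUSTOM VALUE inputs; [] removes the token,
                   several values are combined with OR
    """
    matches_any = default_value in ('', '*')

    def render(name):
        parts = []
        for v in custom_values:
            # "new_field=new_value" with an empty DEFAULT VALUE replaces
            # both the field name and its value
            parts.append(v if ('=' in v and default_value == '') else f'{name}={v}')
        return parts[0] if len(parts) == 1 else '(' + ' OR '.join(parts) + ')'

    def repl(m):
        name, value = m.group(1), m.group(2).strip('"')
        if name != field or (not matches_any and value != default_value):
            return m.group(0)      # not the token this pair is about
        if not custom_values:
            return ''              # CUSTOM VALUE empty: drop the index/source
        return render(name)

    # tidy the double spaces left where a token was removed
    return re.sub(r'\s{2,}', ' ', TOKEN.sub(repl, query)).strip()

# Constructed sample search, not taken from any rule on the page
SAMPLE_SEARCH = 'index=main sourcetype=WinEventLog:Security EventCode=4624'
```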
Fields
Click on the DEFAULT FIELD and start typing the default field name used in a standard data schema. Select a suggested option or, if there's no relevant option, finish typing and click on the entered name to add it.
Click on the CUSTOM FIELD, type the custom field name used in your actual Data Plane, and click on the entered name to add it.
Click the green checkmark icon to save the field mapping.
Add all required field mappings using the procedure above. If you need to edit an added mapping, click on the pencil icon near it. To delete a mapping, click on the trash icon near it.
You can also import field mappings using a CSV. The file should be comma-delimited and have two columns:
First column with the default field names you want to change
Second column with your custom field names
Field names can contain only characters, underscores (_), dashes (-), or dots (.). The maximum allowed number of lines is 500. Empty rows are ignored.
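A pre-upload check for the CSV format described above, as an added example (not SOC Prime's own import code). It assumes "characters" means ASCII letters and digits and that the 500-line limit counts every line read, including empty ones.

```python
import csv
import io
import re

# Added example, not SOC Prime code: validates a field-mapping CSV against
# the constraints listed above before upload. Assumption: "characters" means
# ASCII letters and digits; the line limit is applied to all lines read.
NAME_RE = re.compile(r'^[A-Za-z0-9_.-]+$')
MAX_LINES = 500

def validate_mapping_csv(text):
    """Return (mappings, errors): accepted (default, custom) pairs and a
    list of problems with their line numbers."""
    mappings, errors = [], []
    lines = 0
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        lines = lineno
        if not any(cell.strip() for cell in row):
            continue                          # empty rows are ignored
        if len(row) != 2:
            errors.append(f'line {lineno}: expected 2 columns, got {len(row)}')
            continue
        default, custom = (cell.strip() for cell in row)
        bad = [n for n in (default, custom) if not NAME_RE.match(n)]
        if bad:
            errors.append(f'line {lineno}: invalid field name(s) {bad}')
            continue
        mappings.append((default, custom))
    if lines > MAX_LINES:
        errors.append(f'{lines} lines exceed the limit of {MAX_LINES}')
    return mappings, errors

# Constructed sample: default names mapped to Windows event field names;
# the last row is rejected because the custom name contains a space
SAMPLE_CSV = """process.command_line,CommandLine
process.executable,Image

user.name,User Name
"""
```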
Values
Type the name of the field for which you need to map values.
Type the name of the original and new values.
Click Add Value to map values for another field if needed.
Note:
Value mapping is not applied to partial matches. For example, if netstat is mapped to NET_STAT, this value will be replaced in CommandLine="netstat", but CommandLine="netstat -nao" will be kept without changes since the match is only partial.
You can have the same new value for different original values of a field.
If you map multiple new values to the same original value of a field, only the last mapping is considered.
If you leave the original value empty, the entered new value is used for ANY original value of the field.
To dynamically insert the original value as part of the new one, use {VALUE} placeholder in the NEW VALUE field.
To modify any original value of a field according to a pattern, add {VALUE} placeholder that stands for the original value to NEW VALUE and leave ORIGINAL VALUE empty. For example, to add a prefix "Microsoft-Windows-Security-" to any value in the EventID field, make the following mapping:
FIELD: EventID
ORIGINAL VALUE: leave empty
NEW VALUE: Microsoft-Windows-Security-{VALUE}
You can use regexps to define the original and new values. See examples shown directly on the Values tab.
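The Values-tab rules above (whole-value matches only, empty ORIGINAL VALUE meaning any value, the {VALUE} placeholder, and last-mapping-wins) modelled in Python. This is an added example, not SOC Prime's own code; regex originals are not modelled, and it assumes an exact ORIGINAL VALUE match takes precedence over an empty-original row for the same field.

```python
# Added example, not SOC Prime code: a model of the Values-tab rules
# (exact match only, empty ORIGINAL VALUE = any value, {VALUE} placeholder,
# last mapping wins). Assumption: an exact ORIGINAL VALUE match takes
# precedence over an empty-original row for the same field.
PLACEHOLDER = '{VALUE}'

def build_value_map(rows):
    """rows: (FIELD, ORIGINAL VALUE, NEW VALUE) tuples as entered on the tab."""
    table = {}
    for field, original, new in rows:
        table[(field, original)] = new       # a repeated pair keeps only the last row
    return table

def map_value(table, field, value):
    """Return the value a field=value condition should use after mapping."""
    if (field, value) in table:              # whole-value match only
        return table[(field, value)].replace(PLACEHOLDER, value)
    if (field, '') in table:                 # empty original: applies to any value
        return table[(field, '')].replace(PLACEHOLDER, value)
    return value                             # partial matches are left untouched

def map_conditions(table, conditions):
    """Apply the mapping to a list of (field, value) conditions."""
    return [(f, map_value(table, f, v)) for f, v in conditions]

# Constructed sample rows, mirroring the examples in the text above
SAMPLE_ROWS = [
    ('CommandLine', 'netstat', 'NET_STAT'),
    ('EventID', '', 'Microsoft-Windows-Security-{VALUE}'),
    ('Image', 'cmd.exe', 'shell'),            # same new value for
    ('Image', 'powershell.exe', 'shell'),     # different originals
    ('Level', '4', 'info'),
    ('Level', '4', 'informational'),          # last mapping wins
]
SAMPLE_TABLE = build_value_map(SAMPLE_ROWS)

if __name__ == '__main__':
    for f, v in map_conditions(SAMPLE_TABLE,
                               [('CommandLine', 'netstat'),
                                ('CommandLine', 'netstat -nao'),
                                ('EventID', '4624')]):
        print(f'{f}="{v}"')
```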
Edit or Delete a Profile
To edit or delete a Custom Field Mapping profile, click the Edit or Delete icon to the right and make the edits/confirm your action.
