Working with Entity Delimiters
Entity Delimiters allow you to decide, for each entity type and data source, how you want to map the incoming entity. You have full control over whether to disable delimiters for incoming entities, map a specific delimiter (up to 64 characters), or use a regex instead.
For example, several files might come in as one entity, separated by commas, and you want the system to treat each one as a separate entity; in that case you would set the delimiter to a comma.
The entity delimiter can be used in one of two places:
- Event Configuration > Mapping screen
- Playbook action > Siemplify Create Entity
Event configuration > Mapping screen
Here you can configure mapping at field level. At the top of the screen, you can click the Raw Event Properties icon to see the raw data from the event in the particular alert. The screen itself shows a list of the Entity Fields and the System Fields with an edit option allowing you to make changes to map the raw data to how you want the information presented in the platform.
The following fields are available in the Map Fields Dialog box for each entity or system field.
| Field | Description |
|---|---|
| Extracted Field | Main field name in the raw event to take information from. Pro tip: use Contains or Starts with to divide the data into separate fields. This can be useful if you have multiple fields such as url_1, url_2 and want to create multiple entries. Note that entities can only use "is", as each one is unique. |
| Alternative Field 1 | Fallback field in the raw event to take information from if the primary field cannot be located. |
| Alternative Field 2 | Fallback field in the raw event to take information from if both the primary and secondary fields cannot be located. |
| Extraction Function | Extracts particular data from, or manipulates, the raw event field. Three options. None: the raw data is presented as is. Delimiter: a delimiter of one to 64 characters divides the data into separate entities; the default is a comma (,). Regex: a regular expression divides the data into separate entities. |
| Transformation Function | Transforms information from the data source to be compatible with the Siemplify database. Available functions: TO_STRING, FROM_UNIXTIME_STRING_OR_LONG, FROM_CUSTOM_DATETIME, EXTRACT_BY_REGEX, TO_IP_ADDRESS. Once you have chosen the function, add the appropriate parameter; for example, select FROM_CUSTOM_DATETIME and reformat the date and time to %Y-%m-%DT%H:%M:%S. Note that the transformation function applies after the extraction function, and when the extraction function creates multiple entities, the transformation is applied to each of them separately. |
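The pipeline the table describes (primary field with two fallbacks, then Delimiter or Regex extraction, then a transformation applied to each extracted entity separately) as an added Python illustration; this is not Siemplify's own code, and the function names, the sample raw event and the TO_IP_ADDRESS-style validator are assumptions made here to show the flow.

```python
import ipaddress
import re

MAX_DELIMITER_LEN = 64  # per the page: a delimiter may be up to 64 characters

def resolve_field(raw_event, extracted_field, alternative_1=None, alternative_2=None):
    """Return the first present, non-empty value among the primary and fallback fields."""
    for name in (extracted_field, alternative_1, alternative_2):
        if name and raw_event.get(name) not in (None, ""):
            return raw_event[name]
    return None

def extract(value, function="None", delimiter=",", pattern=None):
    """Extraction function: None, Delimiter or Regex; returns a list of candidate entities."""
    if value is None:
        return []
    if function == "None":
        return [value]
    if function == "Delimiter":
        if not delimiter or len(delimiter) > MAX_DELIMITER_LEN:
            raise ValueError("delimiter must be 1 to 64 characters")
        parts = value.split(delimiter)
    elif function == "Regex":
        parts = re.split(pattern, value)
    else:
        raise ValueError(f"unknown extraction function {function!r}")
    # Drop surrounding whitespace and empty fragments (e.g. from a trailing delimiter).
    return [p.strip() for p in parts if p.strip()]

def to_ip_address(text):
    """TO_IP_ADDRESS-style transformation (assumed behaviour): keep only valid IPv4/IPv6 literals."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None  # malformed fragment is discarded rather than stored as an entity

def map_entities(raw_event, extracted_field, alternative_1=None, alternative_2=None,
                 function="None", delimiter=",", pattern=None, transform=None):
    """Fallback lookup -> extraction -> transformation applied to each extracted entity separately."""
    value = resolve_field(raw_event, extracted_field, alternative_1, alternative_2)
    entities = extract(value, function, delimiter, pattern)
    if transform is None:
        return entities
    return [t for t in (transform(e) for e in entities) if t is not None]

# Constructed sample raw event (not from the page): the primary field is empty,
# so the first fallback, a semicolon-separated list, is used instead.
SAMPLE_EVENT = {"src_ip": "", "source_addresses": "10.0.0.1; 192.168.1.20 ;not-an-ip;2001:db8::1"}

if __name__ == "__main__":
    print(map_entities(SAMPLE_EVENT, "src_ip", "source_addresses",
                       function="Delimiter", delimiter=";", transform=to_ip_address))
```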
Using delimiters in playbooks
You can also use delimiters in the Siemplify Create Entity action. For example, the Entities Identifiers field could contain a list of IP addresses separated by semicolons; in the Delimiter field, you would then enter a semicolon. Note that the action's Delimiter field is set to a comma by default.