Mapping & modeling

Alerts are not mapped and modeled by default. To map and model them, navigate to the Mapping & Modeling section (click the gear icon).

  1. For this use case we will map our alert using the predefined family – MailRelayOrTAP, which is intended for email monitoring events.
  2. Mapping and modeling can be configured at any of three levels of a hierarchy. For this example:
    • Source – This is the Source name field we filled in earlier: the source that ingested the data and created the alert in the Google Security Operations platform. For this example the Source name is "Email Connector".
      At this level we map only the time fields, since these fields are the same for every product and event under this source.
      If you map at this level, the levels below it (Product – "Mail" and Event – "Suspicious email") inherit the mapping and modeling you performed.
    • Product – The product is "Mail": the product whose data was ingested by the source ("Email Connector"). A single source (connector) can ingest data from several products. If mapping and modeling is configured at this level, the level below it (Event – "Suspicious email") inherits the mapping and modeling you performed.
    • Event – This is the event_name we filled in earlier; for this example the event name is "Suspicious email". The event in this case is the email message itself.
  3. We will map the relevant fields by assigning each raw-event field to the appropriate target field. In this mapping section all fields are mapped at the "Product" level.
  4. Mapping table:
     Rule Level | Target Field        | Extracted Field              | Transformation Function                     | Field value
     Product    | DestinationUserName | event["destinationUserName"] | TO_STRING                                   | The email address of the person who received the email
     Product    | SourceUserName      | event["sourceUserName"]      | EXTRACT_BY_REGEX (regex: [\w.-]+@[\w.-]+)   | The email address of the person who sent the email
     Product    | EmailSubject        | event["subject"]             | TO_STRING                                   | The email subject
     Product    | DestinationURL      | event["found_url"]           | TO_STRING                                   | The URLs found in the email body
     Product    | StartTime           | event["startTime"]           | FROM_UNIXTIME_STRING_OR_LONG                | The time the email was received
     Product    | EndTime             | event["EndTime"]             | FROM_UNIXTIME_STRING_OR_LONG                | The time the email was received
  5. After mapping this case, simulate the alert to check the mapping result. From the Overview tab of the alert, open the menu on the right side of the screen and select "Ingest alert as test case".

    A new simulated alert then appears as a new case in the case queue. All simulated cases are tagged with a purple "Test" mark to the left of the case name.

    To see each email message argument that was mapped, click the more-options (⋮) icon on the right of the screen and then click Show Result.

    To see a visual view of the entities involved in the event and the relations between them, click the Explore button.

    Now that the mapping and modeling step is complete, you can start ingesting alerts into the platform automatically; they will inherit the mapping and modeling you performed. To do so, navigate back to the Connectors screen, enable the toggle and click Save.
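The following Python script is an added example, not code from the original page or from the Google Security Operations product: it reproduces what the mapping and modeling hierarchy above does, so you can check a mapping table against a raw event before ingesting a test case. The raw event is constructed here and its keys follow the "Extracted Field" column; the three transformation functions are re-implemented by name, with the millisecond-epoch handling in FROM_UNIXTIME_STRING_OR_LONG and the behaviour for missing fields being assumptions of this example. To exercise inheritance, the time fields are placed at the Source level (as step 2 describes) while the remaining fields stay at the Product level as in the table; the Event level is left empty and inherits everything.

```python
import re
from datetime import datetime, timezone

# Constructed sample of a raw alert event (not a real alert). Key names follow
# the page's "Extracted Field" column; values are made up for illustration.
RAW_EVENT = {
    "destinationUserName": "analyst@example.com",
    "sourceUserName": "Mail Team <sender@example.net>",
    "subject": "Invoice attached",
    "found_url": "http://example.org/invoice",
    "startTime": "1700000000",   # epoch seconds as a string
    "EndTime": 1700000060,       # epoch seconds as a long
}

# Hierarchy order: a lower level inherits, and may override, the levels above it.
LEVELS = ("Source", "Product", "Event")

# Rule format: target field -> (extracted field, transformation function, argument).
# Time fields sit at Source level (step 2); the rest follow the table (Product level).
MAPPING_RULES = {
    "Source": {   # "Email Connector"
        "StartTime": ("startTime", "FROM_UNIXTIME_STRING_OR_LONG", None),
        "EndTime": ("EndTime", "FROM_UNIXTIME_STRING_OR_LONG", None),
    },
    "Product": {  # "Mail"
        "DestinationUserName": ("destinationUserName", "TO_STRING", None),
        "SourceUserName": ("sourceUserName", "EXTRACT_BY_REGEX", r"[\w.-]+@[\w.-]+"),
        "EmailSubject": ("subject", "TO_STRING", None),
        "DestinationURL": ("found_url", "TO_STRING", None),
    },
    "Event": {},  # "Suspicious email": inherits everything from Source and Product
}


def to_string(value, _arg=None):
    """TO_STRING: coerce any value to text (None becomes an empty string)."""
    return "" if value is None else str(value)


def extract_by_regex(value, pattern):
    """EXTRACT_BY_REGEX: return the first match of `pattern`, or None if absent."""
    match = re.search(pattern, to_string(value))
    return match.group(0) if match else None


def from_unixtime_string_or_long(value, _arg=None):
    """FROM_UNIXTIME_STRING_OR_LONG: accept "1700000000" or 1700000000.
    Assumption of this example: values above 10**11 are treated as milliseconds."""
    seconds = int(value)
    if seconds > 10**11:
        seconds //= 1000
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()


TRANSFORMS = {
    "TO_STRING": to_string,
    "EXTRACT_BY_REGEX": extract_by_regex,
    "FROM_UNIXTIME_STRING_OR_LONG": from_unixtime_string_or_long,
}


def resolve_rules(rules_by_level, level):
    """Merge rules from Source down to `level`; a lower level overrides its parent."""
    resolved = {}
    for name in LEVELS[: LEVELS.index(level) + 1]:
        resolved.update(rules_by_level.get(name, {}))
    return resolved


def model_event(raw_event, rules_by_level, level="Event"):
    """Apply the resolved rules to a raw event and return the modeled fields.
    A target whose extracted field is missing is left unset (assumed behaviour)."""
    modeled = {}
    for target, (source_key, func_name, arg) in resolve_rules(rules_by_level, level).items():
        if source_key not in raw_event:
            continue
        modeled[target] = TRANSFORMS[func_name](raw_event[source_key], arg)
    return modeled


if __name__ == "__main__":
    for target, value in model_event(RAW_EVENT, MAPPING_RULES).items():
        print(f"{target}: {value}")
```

Running the script prints the six modeled fields; the sender "Mail Team <sender@example.net>" is reduced to the bare address by the regex, and both epoch values come out as ISO-8601 UTC timestamps. Because resolution walks Source, then Product, then Event, adding a rule for the same target at the Event level overrides the inherited one, which is exactly the behaviour to expect when a single connector serves several products.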