Map and model alerts
Supported in: Google SecOps SOAR
This document describes how to map and model alerts for your events.
By default, alerts aren't mapped and modeled; mapping and modeling is a necessary step to
properly analyze security data. This process happens in the Mapping and modeling
section of the Google Security Operations platform.
Map your events
The following use case outlines how to map your events:
1. From the Cases screen, on the Events tab, select an event and click Event Configuration.
2. Select Mapping & Modeling. For this use case, map your data using the predefined family MailRelayOrTAP for email monitoring events.
Understand the mapping hierarchy
You can configure mapping and modeling at one of three levels. Mappings are
inherited from the top down, so any mappings you apply at a higher level are
automatically applied to all levels below it.
- Source: The name of the source you provided earlier that ingested the data and created the alert. For example, your source might be called Email Connector. At this level, you only need to map the Time field, which is common across all stages. If you perform the mapping now, the subsequent stages (Product - "Mail" and Event - "Suspicious email") automatically inherit the same mapping.
- Product: The product is the application that ingests data from a specific source, for example, Mail. A single connector can ingest data from multiple sources. If you map at this level, all subsequent events inherit the same mapping.
- Event: This is the event_name you defined earlier, for example, Suspicious email. The event in this case is the email message itself.
For this use case, map all relevant fields at the Product level, assigning each field to the appropriate field in the code.
| Target field | Extracted field | Transformation function | Field value |
|---|---|---|---|
| DestinationUserName | event["destinationUserName"] | TO_STRING | The email address of the person who received the email. |
| SourceUserName | event["sourceUserName"] | EXTRACT_BY_REGEX, format: [\w\.-]+@[\w\.-]+ | The email address of the person who sent the email. |
| EmailSubject | event["subject"] | TO_STRING | The email subject. |
| DestinationURL | event["found_url"] | TO_STRING | URLs found in the email body. |
| StartTime | event["startTime"] | FROM_UNIXTIME_STRING_OR_LONG | Start time the email was received. |
| EndTime | event["endTime"] | FROM_UNIXTIME_STRING_OR_LONG | End time the email was received. |
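To show what this table does to a raw event, here is an added Python illustration, not Google SecOps code: it re-implements the three transformation functions as simple stand-ins, resolves the Source/Product/Event hierarchy by top-down inheritance, and applies the page's mapping rows to a constructed sample event. The Source-level Time mapping from startTime and the sample event values are assumptions.

```python
import re
from datetime import datetime, timezone
# Constructed sample event (not from the page); keys follow the page's "Extracted field" column.
SAMPLE_EVENT = {
    "destinationUserName": "analyst@example.com",
    "sourceUserName": "Jane Doe <jane.doe@example.org>",
    "subject": "Invoice attached",
    "found_url": "http://example.net/invoice",
    "startTime": "1725667200",  # unix seconds as a string
    "endTime": 1725667260,      # unix seconds as an integer (long)
}

# Stand-ins for the transformation functions named on the page (illustrative, not the platform's code).
def TO_STRING(value, _arg=None):
    return "" if value is None else str(value)

def EXTRACT_BY_REGEX(value, pattern):
    # Return the first substring matching the pattern, or None when nothing matches.
    match = re.search(pattern, TO_STRING(value))
    return match.group(0) if match else None

def FROM_UNIXTIME_STRING_OR_LONG(value, _arg=None):
    # Accept the epoch either as a numeric string or as an integer.
    return datetime.fromtimestamp(int(str(value).strip()), tz=timezone.utc).isoformat()
# Mapping rows per hierarchy level: target -> (extracted key, function, function argument).
# Mapping Time from startTime at the Source level is an assumption for this illustration.
MAPPINGS = {
    "Source": {"Time": ("startTime", FROM_UNIXTIME_STRING_OR_LONG, None)},
    "Product": {
        "DestinationUserName": ("destinationUserName", TO_STRING, None),
        "SourceUserName": ("sourceUserName", EXTRACT_BY_REGEX, r"[\w\.-]+@[\w\.-]+"),
        "EmailSubject": ("subject", TO_STRING, None),
        "DestinationURL": ("found_url", TO_STRING, None),
        "StartTime": ("startTime", FROM_UNIXTIME_STRING_OR_LONG, None),
        "EndTime": ("endTime", FROM_UNIXTIME_STRING_OR_LONG, None),
    },
    "Event": {},  # nothing mapped here; the page maps everything at Product level
}

def effective_mapping(levels=("Source", "Product", "Event")):
    # Top-down inheritance: each lower level inherits, and may override, the levels above it.
    merged = {}
    for level in levels:
        merged.update(MAPPINGS.get(level, {}))
    return merged

def apply_mapping(event, mapping):
    # Produce the mapped (modeled) fields for one raw event.
    return {target: func(event.get(key), arg) for target, (key, func, arg) in mapping.items()}
```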
Simulate and review your mapped alerts
After mapping your case, simulate the alert to see the mapping results, as follows:
1. On the Overview tab of the alert, click More and select Ingest alert as test case. A new, simulated alert appears as a case in the case queue. All simulated cases are tagged with a Test marker next to the case name.
2. Click More > Show Result to see each mapped email message argument.
3. Optional: Click Explore to visualize the entities and their relationships.
4. After completing the connector mapping and modeling, enable the connector to begin automatic alert ingestion:
   1. Go to the Connectors page.
   2. Click the toggle to the on position.
   3. Click Save.
Last updated 2025-09-07 UTC.