REST Resource: projects.locations.instances.ontologyRecords.mappingRules

Resource: MappingRule

This service is available for customers who migrated SOAR to a customer-managed project and have the Chronicle API enabled. A MappingRule represents an ontology mapping rule.

JSON representation
{
  "name": string,
  "securityEventFieldName": string,
  "transformationFunction": enum (TransformationFunction),
  "rawDataPrimaryFieldMatchTerm": string,
  "rawDataPrimaryFieldComparisonType": enum (ComparisonType),
  "enrichmentFields": [
    string
  ],
  "isArtifact": boolean,
  "extractionFunction": enum (ExtractionFunction),
  "mappingRuleId": string,
  "ontologyConfigurationLevel": enum (OntologyConfigurationLevel),
  "targetFieldType": enum (TargetFieldType),
  "transformationFunctionParam": string,
  "rawDataSecondaryFieldMatchTerm": string,
  "rawDataSecondaryFieldComparisonType": enum (ComparisonType),
  "rawDataThirdFieldMatchTerm": string,
  "rawDataThirdFieldComparisonType": enum (ComparisonType),
  "extractionFunctionParam": string
}
Fields
name

string

Output only. Identifier. Format: projects/{project}/locations/{location}/instances/{instance}/ontologyRecords/{ontologyRecord}/mappingRules/{mappingRule}

securityEventFieldName

string

Required. The name of the security event field.

transformationFunction

enum (TransformationFunction)

Required. The transformation function to apply.

rawDataPrimaryFieldMatchTerm

string

Required. The primary field match term in the raw data.

rawDataPrimaryFieldComparisonType

enum (ComparisonType)

Required. The comparison type for the primary field.

enrichmentFields[]

string

Optional. Enrichment fields (if any).

isArtifact

boolean

Output only. Indicates if this rule is for artifact extraction.

extractionFunction

enum (ExtractionFunction)

Required. The extraction function to apply.

mappingRuleId

string (int64 format)

Output only. Unique numeric ID for the MappingRule.

ontologyConfigurationLevel

enum (OntologyConfigurationLevel)

Output only. Ontology Configuration Level.

targetFieldType

enum (TargetFieldType)

Output only. Target Field Type.

transformationFunctionParam

string

Optional. Parameters for the transformation function (if any).

rawDataSecondaryFieldMatchTerm

string

Optional. The secondary field match term in the raw data.

rawDataSecondaryFieldComparisonType

enum (ComparisonType)

Optional. The comparison type for the secondary field.

rawDataThirdFieldMatchTerm

string

Optional. The third field match term in the raw data.

rawDataThirdFieldComparisonType

enum (ComparisonType)

Optional. The comparison type for the third field.

extractionFunctionParam

string

Optional. Extraction function parameters (if any).

TransformationFunction

The transformation function to apply.

Enums
TRANSFORMATION_FUNCTION_UNSPECIFIED Unspecified transformation function.
TO_STRING Convert the field to a string.
TO_INTEGER Convert the field to an integer.
TO_DOUBLE Convert the field to a double.
FROM_UNIXTIME_STRING_OR_LONG Convert the field from a string or long (milliseconds or seconds) to a unixtime long.
FROM_CUSTOM_DATETIME Convert the field from custom stringFormat time to unixtime long.
TO_BOOLEAN Convert the field to a boolean.
EXTRACT_BY_REGEX Extract the field by regex.
EXTRACT_BY_REGEX_WITH_GROUP Extract the field by regex with a group.
TO_IS_CORRELATION Convert the field to a correlation.
TO_IP_ADDRESS Convert the field to an IP address.
TO_LIST_OF_LONGS_SEPARATED_COMMA Convert the field to a list of longs separated by comma.
SUBSTR_BY_LENGTH Substring by length.
SUBSTR_BY_ENDTEXT Substring by endtext.
FIRST_LINES Extract the first lines of the field.
JOIN_RAW_FIELDS Join the raw fields.
STATIC_VALUE Static value.
EXTRACT_DOMAIN_FROM_URI Extract the domain from a URI.
CLEAN_URL Clean invalid characters from a URL (inside a URI).

ComparisonType

The comparison type for the fields.

Enums
COMPARISON_TYPE_UNSPECIFIED Unspecified comparison type.
EQUAL The term should be equal to the candidate.
CONTAINS The term should be a substring of the candidate.
STARTS_WITH The term should be a prefix of the candidate.
ENDS_WITH The term should be a suffix of the candidate.

ExtractionFunction

The extraction function to apply.

Enums
EXTRACTION_FUNCTION_UNSPECIFIED Unspecified extraction function.
NONE No extraction function.
REGEX Extract by regex.
DELIMITER Extract by delimiter.

OntologyConfigurationLevel

Ontology Configuration Level.

Enums
ONTOLOGY_CONFIGURATION_LEVEL_UNSPECIFIED Unspecified ontology configuration level.
SOURCE Configured at Source level.
PRODUCT Configured at Product level.
EVENT_NAME Configured at Event Name level.

TargetFieldType

Target Field Type.

Enums
TARGET_FIELD_TYPE_UNSPECIFIED Unspecified target field type.
ENTITY Target field is of type entity.
GENERAL_FIELD Target field is of type general field.
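The JSON representation, the field descriptions and the ComparisonType and TransformationFunction enums above together define how a rule selects a raw-data field and turns it into a security event field. The following is an added example, not code from the Chronicle API or its client libraries, that evaluates those semantics locally against a constructed raw event, which is useful for sanity-checking a rule before saving it. It assumes three things the page does not state: that the match terms are compared against raw-data field names and the first matching field wins; that the secondary and third terms are fallbacks tried only when an earlier term matched nothing; and that FROM_UNIXTIME_STRING_OR_LONG yields epoch milliseconds, treating values of 11 or more digits as already in milliseconds. The names RAW_EVENT, RULES, compare, transform, apply_rule and map_event are the example's own.

```python
"""Added example: a local evaluator for the MappingRule semantics on this page.

Not part of the Chronicle API. Assumptions beyond the page:
  * match terms are compared against raw-data field NAMES; first match wins;
  * secondary/third terms are fallbacks used only when earlier terms matched nothing;
  * FROM_UNIXTIME_STRING_OR_LONG returns epoch milliseconds (11+ digits == ms).
"""
import re
from typing import Any, Optional
from urllib.parse import urlparse


def compare(comparison_type: str, term: str, candidate: str) -> bool:
    """ComparisonType as documented: how the rule's term relates to the candidate."""
    if comparison_type == "EQUAL":
        return candidate == term
    if comparison_type == "CONTAINS":
        return term in candidate
    if comparison_type == "STARTS_WITH":
        return candidate.startswith(term)
    if comparison_type == "ENDS_WITH":
        return candidate.endswith(term)
    # COMPARISON_TYPE_UNSPECIFIED or an unknown value: fail closed and match nothing,
    # so a half-configured rule never silently maps the wrong raw field.
    return False


def transform(fn: str, value: Any, param: Optional[str]) -> Any:
    """A subset of TransformationFunction; `param` is transformationFunctionParam."""
    text = str(value)
    if fn == "TO_STRING":
        return text
    if fn == "TO_INTEGER":
        return int(text)
    if fn == "TO_BOOLEAN":
        return text.strip().lower() in ("true", "1", "yes")
    if fn == "FROM_UNIXTIME_STRING_OR_LONG":
        n = int(text)
        return n if n >= 10 ** 11 else n * 1000  # assumption: seconds -> milliseconds
    if fn == "EXTRACT_BY_REGEX":
        m = re.search(param, text)
        return m.group(0) if m else None
    if fn == "EXTRACT_BY_REGEX_WITH_GROUP":
        m = re.search(param, text)
        return m.group(1) if m else None
    if fn == "EXTRACT_DOMAIN_FROM_URI":
        return urlparse(text).hostname
    if fn == "STATIC_VALUE":
        return param
    raise ValueError(f"transformation not modelled in this example: {fn}")


def apply_rule(rule: dict, raw: dict) -> Optional[tuple]:
    """Return (securityEventFieldName, value) or None when no raw field matched."""
    candidates = [
        (rule.get("rawDataPrimaryFieldMatchTerm"), rule.get("rawDataPrimaryFieldComparisonType")),
        (rule.get("rawDataSecondaryFieldMatchTerm"), rule.get("rawDataSecondaryFieldComparisonType")),
        (rule.get("rawDataThirdFieldMatchTerm"), rule.get("rawDataThirdFieldComparisonType")),
    ]
    for term, ctype in candidates:
        if not term:
            continue  # unused fallback slot
        for key in raw:
            if compare(ctype or "COMPARISON_TYPE_UNSPECIFIED", term, key):
                value = transform(rule["transformationFunction"], raw[key],
                                  rule.get("transformationFunctionParam"))
                return rule["securityEventFieldName"], value
    return None


def map_event(rules: list, raw: dict) -> dict:
    """Apply every rule to one raw event and collect the populated security event fields."""
    out = {}
    for rule in rules:
        hit = apply_rule(rule, raw)
        if hit:
            out[hit[0]] = hit[1]
    return out


# Constructed sample data, shaped like the JSON representation on this page.
RAW_EVENT = {
    "EventTime": "1700000000",
    "src_ip": "10.0.0.5",
    "dest_url": "https://example.com/login?user=a",
    "msg": "user=alice action=login",
}
RULES = [
    {"securityEventFieldName": "start_time", "transformationFunction": "FROM_UNIXTIME_STRING_OR_LONG",
     "rawDataPrimaryFieldMatchTerm": "Time", "rawDataPrimaryFieldComparisonType": "ENDS_WITH"},
    # primary term misses; the secondary term is the fallback that actually matches
    {"securityEventFieldName": "source_address", "transformationFunction": "TO_STRING",
     "rawDataPrimaryFieldMatchTerm": "SourceIp", "rawDataPrimaryFieldComparisonType": "EQUAL",
     "rawDataSecondaryFieldMatchTerm": "src_", "rawDataSecondaryFieldComparisonType": "STARTS_WITH"},
    {"securityEventFieldName": "user", "transformationFunction": "EXTRACT_BY_REGEX_WITH_GROUP",
     "transformationFunctionParam": r"user=(\w+)",
     "rawDataPrimaryFieldMatchTerm": "msg", "rawDataPrimaryFieldComparisonType": "EQUAL"},
    {"securityEventFieldName": "domain", "transformationFunction": "EXTRACT_DOMAIN_FROM_URI",
     "rawDataPrimaryFieldMatchTerm": "url", "rawDataPrimaryFieldComparisonType": "CONTAINS"},
]

if __name__ == "__main__":
    print(map_event(RULES, RAW_EVENT))
```

The evaluator fails closed on COMPARISON_TYPE_UNSPECIFIED: a rule whose comparison type was never set maps nothing rather than matching every field, which is the behaviour you want when a partially saved rule reaches production. The enrichment, artifact and configuration-level fields are not modelled, since the page gives no semantics for them beyond their names.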

Methods

delete

Delete a MappingRule.

fetchAll

Fetch all mapping rules, existing and candidates.

get

Get a MappingRule.

list

Lists MappingRules.

patch

Update a MappingRule.

save

Save a mapping rule.

test

Test a MappingRule.