Map incident fields

If you aren’t continuing from the previous section of the Name criteria, access the profile you’re defining.

Navigate to All > Microsoft Defender Integration > Defender Incident Profiles.
Select the profile that you’re continuing to define.
Select Mapping in the progress bar.

Select one of the Sample Ingestion Methods in the Defender Incident Field Mapping section.

Tableau 1. Sample Ingestion Method
Field	Description
All default Incident and evidence files	Use this ingestion method to view the static list of all the Incident, and Event fields. This method contains only default field names without any values.
Retrieve Recent Defender Incidents	Use this ingestion method to import the most recent Defender Incidents. If the Defender incident contains multiple alerts, the earliest alert that is part of the incident is shown in the mapping section. During ingestion as well the earliest security alert field values will be used. You can ingest 5 sample incidents. The sample field values populate when the profile ingests the sample incidents. You can map these incidents to the SIR Incident Target Fields. The Incident fields and values appear as individual tabs.
Retrieve Defender Incidents based on ID	Incident IDs (comma separated)	Specify incident IDs separated by commas. You can ingest 5 incident IDs.

To add fields to the default fields that are displayed on the security incident, do the following actions:

Select in the SIR Incident Target Fields section.
It shows a list of SIR fields, from which you can select a new field.
In the Security Incident column, expand the list that is displayed and then select a field.

Remarque :
Multiple observables can be displayed on the same security incident. For example, the Observable field can be mapped multiple times with different values. Similarly, the Configuration Item and Work notes fields support multiple values. If you try to map two values to a field that can't support multiple values, you see an error message that this field doesn’t support multiple values. Similarly, if a field on a security incident has a list from which you can choose multiple options, and you try to map an option to that field that is not displayed on the list, the field doesn’t populate on the security incident.
From the Incident Fields section, drag your field to map it to your new field.
When you select the check box that corresponds to a field, any new or updated changes made in Defender will automatically update the respective SIR incident data with the new incident data.
Remarque :
In the base system, the system property sn_sec_def_sntl.incident_updates is by default set True to receive Defender updates related to new incidents that are linked to SIR.
- By default, the Affected Users, Configuration items, and Observables fields are checked. This means that whenever there are new observables or associated configuration items, or affected users that get added to the incident then that information is automatically extracted and populated in the respective related lists in the Security Incident Response (SIR) during that polling interval.
- For any other fields, you must select the check box that corresponds to a field for any new or updated changes made in the Defender incident record within Defender. This will automatically replace the respective SIR incident data with the new incident data.
Important :
Due diligence is required to be done before selecting this functionality as overriding the existing data may result in unstable data for the analyst to work with and any other automation that is set even by the field values of security incident may also get affected. So, it’s important to do the due diligence before you select any override functionality.

To remove a field, use the Remove button

Remove item button next to the input expression field in the SIR Incident Target Fields section.

To map a field value from the Incident and Event Fields section to a field on the SIR incident Target Fields section, use one of the following actions:

Drag the Incident field name (for example, id) and drop it next to a field name in the SIR incident Target Fields column.

You can match any value from the Incident and Event fields section to a field on the SIR incident Target Fields section. Fields are color-coded so that you don’t overlook or duplicate incident fields in the mapping process. Light blue fields indicate that an incident field isn’t yet selected and mapped on the security incident. You may prefer to associate an incoming incident fields with more than one field on a security incident. A gray field indicates that a field has been selected and mapped to a field on the security incident. This way, you can visualize which field values have been added to the security incident and if any remaining important incident information remains unmapped.
You can add a combination of text and field.
For example, Incident name is ${Incidents: name}$. Here, Incident name is can be manually entered while ${Incidents: ${name}$ is mapped from the Incident and Event Fields section.
You can manually enter and map a source Incident or Event field to a target field.
- To manually map a source incident field use the $⁠{field name}$ format. For example, to map an incident field Severity, the format is ${incidentWebUrl}$ .
- To manually add Incident, and Event fields, use the ${evidenceName: evidenceField}$ format. For example, ${Alert: category}$ , ${deviceEvidence: healthStatus}$ .

This integration classifies certain observable subtypes. When you map a Defender field with the SIR observable field, the auto-classifies the observable. If you want to generically map the incoming Defender observable to the observable type in, then drag the Incident and Event field in the Observable field. However, if you’re aware of the observable type for the incoming Defender observable, then map specifically to the Observable type field. Some examples of specific observable types in include Observable(Domain name), Observable(Email address), Observable(IP address (V4)), and Observable(Host name).

Sometimes, incident field values in Defender may not translate directly to the fields on the SIR security incident. For these values, you can use a script editor to format field values on the security incident during the mapping step. Use the script editor if you want to format values that are similar, but not identical.

To format a field translation for a new field from a Defender Incident to match a field value on a Security Incident, select the Click here link in the SIR Incident Target Fields header.

To modify the fields that support field translation, select the Field format button

script format field translation icon.

The fields that support field translation are Affected user, Configuration Item, and Priority. For example, select Field format button

icon next to the Category. The Defender Field Translation script editor opens.

Enter any changes to the script and select Update to save the changes and return to the Mapping page.

For example, for Category define the following in the script editor:

"<Incoming Defender Field Value>":"<Category to assign to the Security Incident>".

This mapping confirms that a profile uses only configured categories.

Continue mapping by adding or removing field values.

You can use the same field values in the Incident Generation Conditions builder to define additional criteria that an incoming Incident must satisfy to create a security incident.

Map incident fields

Select Continue.

Map incident fields

Australia Security Management

Map incident fields

Avant de commencer

Procédure

Que faire ensuite