Skip to main content

Hey,

A quick explanation, we have clients with different SIEMs, and for each client different fields.

For example, one rule has "Username", and the other "user", "srcusr", "account", etc.

This causes some hard times when mapping the ontology entities.

I noticed that event fields can be edited (Edit Properties Metadata > Display name, system name,etc.)

From the events page I cannot edit the system name, only the Display name. But on the ontology page I still see only the actual system name.

Is there a way to map these multiple similar fields so that all will present only one fields on the ontology page? for the example above, only "User Name"? 

or another example : SrcIP, src IP, src_ip > "Source IP"

Start changing that on the SIEM platforms can take a while and a lot of man power.

You should be able to use an alternative field. 




Will that work for what you are trying to do?


 

You should be able to use an alternative field. 




Will that work for what you are trying to do?


 


No, 2 alternatives is not enough 😞

No, 2 alternatives is not enough 😞


The platform supports 3 names for each field (the original, and 2 fallbacks), PER Alert type. I.e. "source > product > alert type".  Mappings at the Source (typically the SIEM), then are filtered down unless you have other names at Product or Alert level, where a config here overrides. This means you actually have lots more than 3 overall from the technology.


If you have more than this you might have to revisit the SIEM to either duplicate fields or remap them. 
Andy

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.