Open Integration Manager - Advanced Configuration
The Open Integration Manager enables you to create customizable inbound alert integrations through an intuitive UI, by configuring a generic inbound integration rather than writing custom code. The integration manager sets parsing rules for incoming payloads, pre-processing the content to match BigPanda's data requirements before it reaches the enrichment engine.
Read more about key features and general configuration in the Open Integration Manager documentation.
Advanced Configuration
If your tag mapping requires more complex logic, click Edit Tag Mapping on the right-hand side of the BigPanda Destination tag being mapped. A modal opens with the advanced configuration options: choose a Source Tag, then add conditions and an extraction regex as needed.
In Advanced Tag Mapping, you can reuse the same source tag multiple times to define a single destination tag.
Conditions:
For example, if your tool sends multiple categories of alerts with different properties, you will usually want every alert to deliver the same set of properties to BigPanda (for enrichment, correlation, and so on). Conditions let you specify criteria such as "When alert_type = error, use the errored_host property for the host tag, but when alert_type = synthetic, use the device property for the host tag".
You can add multiple conditions to the same tag by hovering over the condition and clicking the plus sign that appears on its right side. Conditions added this way are combined with AND logic, so a rule applies only when all of its conditions hold.
Extraction Regex:
Sometimes a property contains far more detail than is needed and only part of the text is required. An extraction regex pulls out that part as the tag value. The same extraction can be done later in the Alert Enrichment section of the pipeline, but doing it here avoids carrying a duplicate tag in the alert.
Conditions and extraction regexes can be combined. If one condition requires extracting text from a property to build a BigPanda tag and another does not, you can define extraction logic per condition.
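The following is an added example, not code from the BigPanda documentation or product, that models how conditional mapping with per-condition extraction behaves. The rule representation (HOST_RULES), the first-match-wins evaluation order, and the sample alerts are all assumptions made for illustration; the regex keeps the first capture group when one is present.

```python
import re

# Constructed sample alerts (not from the BigPanda docs). Two alert categories
# carry the host in different properties, as in the alert_type example above.
SAMPLE_ALERTS = [
    {"alert_type": "error", "errored_host": "db-01.prod.example.com", "check": "disk"},
    {"alert_type": "synthetic", "device": "device:web-02.prod.example.com", "check": "http"},
    {"alert_type": "heartbeat", "check": "ping"},
]

# Hypothetical representation of Advanced Tag Mapping rules for one destination
# tag ("host"). Each rule lists its conditions (all must hold: AND logic), the
# source tag to read, and an optional extraction regex. Evaluating rules in order
# and stopping at the first match is an assumption of this example.
HOST_RULES = [
    {
        "conditions": [("alert_type", "error")],
        "source_tag": "errored_host",
        "extract": None,
    },
    {
        "conditions": [("alert_type", "synthetic")],
        "source_tag": "device",
        "extract": r"^device:(.+)$",  # keep only the text after "device:"
    },
]


def conditions_match(alert, conditions):
    """All conditions must match (AND logic); values are compared as strings."""
    return all(str(alert.get(key)) == value for key, value in conditions)


def apply_extraction(value, pattern):
    """Apply an extraction regex: first capture group if present, else the whole match."""
    if pattern is None:
        return value
    match = re.search(pattern, value)
    if match is None:
        return None  # regex did not match: no tag value is produced
    return match.group(1) if match.groups() else match.group(0)


def map_destination_tag(alert, rules):
    """Resolve one destination tag from the first rule whose conditions all hold."""
    for rule in rules:
        if not conditions_match(alert, rule["conditions"]):
            continue
        raw = alert.get(rule["source_tag"])
        if raw is None:
            continue  # matching rule but source property absent: try the next rule
        return apply_extraction(str(raw), rule["extract"])
    return None  # no rule applied: destination tag is not set


def map_hosts(alerts, rules=HOST_RULES):
    """Compute the host tag for each alert in a batch."""
    return [map_destination_tag(alert, rules) for alert in alerts]


if __name__ == "__main__":
    for alert, host in zip(SAMPLE_ALERTS, map_hosts(SAMPLE_ALERTS)):
        print(alert["alert_type"], "->", host)
```

The third alert (alert_type = heartbeat) matches no rule, so its host tag is simply absent; when you see unexpected empty tags after an advanced mapping, check that every alert category is covered by at least one condition set.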
Nested Objects
When using nested objects from a sample event, payload properties can be organized in many different ways. Keeping the tag names you want requires careful configuration when several parent objects share the same child-object names.
The tag names and values sent to BigPanda will be determined based on the selections in the Source Tags, BigPanda Tag Name, and Ignore additional tags? fields. For more information on tag names, see Tag Naming Requirements.
Example Payload
The following payload is interpreted into BigPanda properties differently depending on the Tag Mapping configuration:
{
  "metadata": {
    "entitytype": "value1",
    "entityname": "value2",
    "location": "value3"
  },
  "metadata2": {
    "entitytype": "value4",
    "entityname": "value5",
    "location": "value6"
  },
  "severity": "critical"
}
Source Tag | BigPanda Tag Name | Ignore Additional Tags? | Result Property Names
---|---|---|---
(blank) | (blank) | No | metadata_entitytype, metadata_entityname, metadata_location, metadata2_entitytype, metadata2_entityname, metadata2_location
metadata.entityname | (blank) | Yes | entityname
metadata.entityname | metadata | Yes | metadata
metadata | (blank) | Yes | entitytype, entityname, location
metadata | (blank) | No | entitytype, entityname, location, metadata2_entitytype, metadata2_entityname, metadata2_location
metadata | metadata | Yes | metadata_entitytype, metadata_entityname, metadata_location
metadata, metadata2 | (blank) | Yes | entitytype, entityname, location (values taken from metadata2, which is mapped last)
metadata, metadata2 | metadata, metadata2 | Yes | metadata_entitytype, metadata_entityname, metadata_location, metadata2_entitytype, metadata2_entityname, metadata2_location
Caution with Arrays
If the same property name is produced twice in a single event (for example, when two parent objects with identical child names are mapped without distinct BigPanda Tag Names, as in the metadata, metadata2 row above), BigPanda keeps only the last value for that property name. We recommend avoiding this where possible by giving each parent object its own BigPanda Tag Name.
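The following is an added example, not BigPanda's own implementation, that reproduces the rows of the table above and the last-value-wins behaviour described in the caution note. The model of the three fields (dotted Source Tag paths, a parallel list of BigPanda Tag Names where "" means blank, and an ignore_additional flag) is an assumption, as is the choice to pass the top-level severity property through when additional tags are not ignored; the table lists only the nested names.

```python
# Constructed copy of the example payload above (trailing comma removed so it is valid JSON).
PAYLOAD = {
    "metadata": {"entitytype": "value1", "entityname": "value2", "location": "value3"},
    "metadata2": {"entitytype": "value4", "entityname": "value5", "location": "value6"},
    "severity": "critical",
}


def flatten(obj, prefix=""):
    """Flatten nested objects into parent_child names, the joiner the table shows."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}_{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, name))
        else:
            out[name] = value
    return out


def resolve(payload, path):
    """Walk a dotted Source Tag path ("metadata.entityname"); None when absent."""
    node = payload
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def map_tags(payload, source_tags=(), tag_names=(), ignore_additional=True):
    """
    Hypothetical model of the Source Tags / BigPanda Tag Name / Ignore additional
    tags? fields. Later source tags overwrite earlier ones that produce the same
    resulting name (the "last value wins" rule from the caution note).
    """
    if not source_tags:
        return flatten(payload)  # blank source tag: every property, fully prefixed
    names = list(tag_names) + [""] * (len(source_tags) - len(tag_names))
    tags = {}
    for path, name in zip(source_tags, names):
        value = resolve(payload, path)
        if value is None:
            continue
        if isinstance(value, dict):
            # Parent object: its children become tags, prefixed only when a
            # BigPanda Tag Name is set (blank name -> bare child names).
            tags.update(flatten(value, name))
        else:
            # Leaf property: use the tag name, or the last path segment if blank.
            tags[name or path.split(".")[-1]] = value
    if not ignore_additional:
        # Pass through every property not already covered by a source tag,
        # under its fully prefixed flattened name.
        covered = [p.replace(".", "_") for p in source_tags]
        for flat_name, value in flatten(payload).items():
            if any(flat_name == c or flat_name.startswith(c + "_") for c in covered):
                continue
            tags.setdefault(flat_name, value)
    return tags


def duplicate_names(payload, source_tags, tag_names=()):
    """Report resulting tag names that more than one source tag writes to."""
    names = list(tag_names) + [""] * (len(source_tags) - len(tag_names))
    seen, dupes = set(), set()
    for path, name in zip(source_tags, names):
        value = resolve(payload, path)
        produced = flatten(value, name) if isinstance(value, dict) else {name or path.split(".")[-1]: value}
        for n in produced:
            (dupes if n in seen else seen).add(n)
    return sorted(dupes)


if __name__ == "__main__":
    print(map_tags(PAYLOAD, ["metadata", "metadata2"]))           # last value wins
    print(duplicate_names(PAYLOAD, ["metadata", "metadata2"]))    # the colliding names
```

duplicate_names is the check to run before saving a mapping that reuses a parent object's child names: any name it returns will silently carry only the last-mapped value.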