Mapping Enrichment Items

Mapping enrichment allows users to upload a CSV to map tag values to an enrichment table. Incoming alert data will be compared to the values in query_tag columns. If a match is found, the related tag will be updated with a value from the result_tag column.

Mapping enrichment items are added automatically to existing tags upon the upload of a mapping enrichment table with matching result_tag column names. If a map contains a result_tag column name that does not match an existing tag, a new tag is automatically created for the enrichment item.

result_tag column

If a result_tag column should map to a BigPanda tag whose name differs from the column title, use the tag_name attribute. The column is then mapped to that BigPanda tag, and no new tag is created for the result_tag column title.

To update the values of a mapping table, upload a new CSV file. All future incoming alerts will be mapped to the updated values.

Mapping enrichment items are created using two separate elements:

  • Mapping Enrichment Schema: The configuration of the Mapping Table to be uploaded. Defines properties such as: active status, source tag names (query_tag), BigPanda tag names (result_tag), and override settings. Individual tag values do not need to be configured, as values will be extracted from the uploaded table.

  • Mapping Enrichment Table: The dynamic table of values to populate into BigPanda based on the predefined query_tag and result_tag rules. This defines the actual data that will be used when enriching alerts.
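A local model of the lookup described above, added here as an illustration and not BigPanda's own code or API. The schema dict layout, the column names, the sample rows and the rule that every query_tag column must match are assumptions, and override settings are not modeled.

```python
import csv
import io

# Constructed schema: column roles plus the optional tag_name rename.
# The dict layout is an assumption for this sketch, not BigPanda's schema format.
SCHEMA = {
    "host": {"type": "query_tag"},
    "app": {"type": "query_tag"},
    "owner": {"type": "result_tag", "tag_name": "assignment_group"},
    "tier": {"type": "result_tag"},
}

# Constructed mapping table, in the CSV form that would be uploaded.
TABLE_CSV = """host,app,owner,tier
web-01,checkout,payments-oncall,1
db-07,ledger,data-platform,2
"""

def load_table(text, schema):
    """Parse the CSV and reject a table whose header does not match the schema."""
    reader = csv.DictReader(io.StringIO(text))
    if set(reader.fieldnames or []) != set(schema):
        raise ValueError("CSV columns do not match schema")
    return list(reader)

def enrich(alert, rows, schema):
    """Return a copy of the alert with result tags from the first matching row."""
    query = [c for c, f in schema.items() if f["type"] == "query_tag"]
    result = [c for c, f in schema.items() if f["type"] == "result_tag"]
    out = dict(alert)
    for row in rows:
        # Assumption: every query_tag column must equal the alert's tag value.
        if all(alert.get(c) == row[c] for c in query):
            for c in result:
                # tag_name, when present, names the tag that is written
                # instead of the column title.
                out[schema[c].get("tag_name", c)] = row[c]
            break
    return out

ROWS = load_table(TABLE_CSV, SCHEMA)

if __name__ == "__main__":
    alert = {"host": "web-01", "app": "checkout", "status": "critical"}
    print(enrich(alert, ROWS, SCHEMA))
```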

Naming limitations

Alert tag names and values must meet character and size limits.

Some words are already used for tagging and backend functions in BigPanda. These words may have limited functionality within BigPanda when used as tag names.

When creating new alert or incident tags, we recommend using an alternate name (e.g. "short_description") for the tag to bring that data into the BigPanda system.

To see the full list of naming limitations, refer to Tag Naming.