Configure global field mappings
Use global field mappings when you have data mappings that you want to apply to all of your data model and saved search exports. Global field mappings provide consistency when sending events from Splunk CIM (Common Information Model), used in Splunk Cloud Platform and Splunk Enterprise, into CEF (Common Event Format), used in Splunk SOAR. Global field mappings can also save you time when configuring your data model or saved search exports.
Global field mappings are useful, for example, when running actions in Splunk Enterprise Security (ES) notable events, specifically the Send to SOAR or Run Playbook in SOAR actions. If you know that the Splunk Enterprise Security Search Field of app_name corresponds to the CEF Field appName in Splunk SOAR, create that global field mapping. Whenever one of the actions mentioned above runs, it will automatically use the global field mapping you created.
Updating CIM to CEF mappings when accessing the global field mappings for the first time
The first time you access the Global Field Mapping page, the default CIM-to-CEF mappings defined in Splunk SOAR are displayed. Configure and save the desired mappings to use them in your saved searches and data models. The default CIM-to-CEF mappings are not displayed again on subsequent visits to the Global Field Mapping page.
Create global field mappings
Create global field mappings on the Global Field Mapping page. Use only letters, numbers, and underscores. To create a global field mapping, follow these steps:
- On the Global Field Mapping page, select Add Mapping.
- In the Search Field, select an existing Splunk CIM value or a Custom (non-CEF) field. Enter text into the filter to find specific values more quickly. Fields that already have a defined global field mapping are dimmed and cannot be selected.
- In the CEF Field, select the target CEF field to map to in Splunk SOAR. Enter text into the filter to find specific values more quickly.
- In the Contains field, specify a filter for the type of contents included in the fields you just specified. For example, select ip in the Contains field so only source fields containing an IP address are sent to Splunk SOAR.
Make sure that your Search Field values are unique. If you map a single Search Field to multiple CEF fields, the results can be unpredictable.
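As an added illustration, not code from the Splunk App for SOAR Export, the following hypothetical Python model shows how a set of global field mappings transforms one event: it enforces the naming and uniqueness rules above, applies the Contains = ip filter, and passes unmapped fields through unmodified. The mapping structure, the sample mappings, and the sample event are constructed for this example.

```python
import ipaddress
import re
from typing import Dict, List

# Hypothetical representation of a global field mapping (not the app's own format):
# Search Field -> CEF Field, with an optional Contains filter.
NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")  # only letters, numbers, and underscores


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


CONTAINS_CHECKS = {"ip": _is_ip}  # Contains filters this example understands


def validate_mappings(mappings: List[dict]) -> List[str]:
    """Return a list of problems; an empty list means the mappings are usable."""
    problems, seen = [], set()
    for m in mappings:
        for key in ("search_field", "cef_field"):
            if not NAME_RE.match(m[key]):
                problems.append(f"{m[key]!r}: use only letters, numbers, and underscores")
        if m["search_field"] in seen:  # one Search Field mapped twice: unpredictable
            problems.append(f"{m['search_field']!r} is mapped more than once")
        seen.add(m["search_field"])
        if m.get("contains") not in (None, *CONTAINS_CHECKS):
            problems.append(f"unknown Contains filter {m['contains']!r}")
    return problems


def apply_mappings(event: Dict[str, str], mappings: List[dict]) -> Dict[str, str]:
    """Rename mapped fields to their CEF names; unmapped fields are forwarded raw."""
    by_search_field = {m["search_field"]: m for m in mappings}
    out: Dict[str, str] = {}
    for field, value in event.items():
        m = by_search_field.get(field)
        if m is None:
            out[field] = value  # no mapping: sent unmodified
            continue
        check = CONTAINS_CHECKS.get(m.get("contains"))
        if check is not None and not check(value):
            continue  # fails the Contains filter, so this field is not sent
        out[m["cef_field"]] = value
    return out


# Constructed sample mappings and event for demonstration.
SAMPLE_MAPPINGS = [
    {"search_field": "app_name", "cef_field": "appName"},
    {"search_field": "src", "cef_field": "sourceAddress", "contains": "ip"},
    {"search_field": "dest", "cef_field": "destinationAddress", "contains": "ip"},
]
SAMPLE_EVENT = {"app_name": "ssh", "src": "10.0.0.5", "dest": "fileserver01", "user": "alice"}
```

Running `apply_mappings(SAMPLE_EVENT, SAMPLE_MAPPINGS)` renames app_name and src, drops dest because its value is a hostname rather than an IP address, and forwards the unmapped user field unchanged.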
For information on data models and saved searches, see Create and export data models and saved searches to send to Splunk SOAR.
Forward unmodified data to Splunk SOAR
To send the raw, unmodified data to Splunk SOAR, delete the relevant global field mapping.
To delete a global field mapping, follow these steps:
- In your Splunk platform instance, access Splunk App for SOAR Export.
- Select Global Field Mappings.
- For the field mapping you want to delete, in the Action column, select Delete.
- Click Delete in the dialog box to confirm that you want to delete the mapping.
This documentation applies to the following versions of Splunk® App for SOAR Export: 4.2.3, 4.3.2