September 20, 2025
Configuring Incident Classification in Cortex XSOAR
In this post, we’ll set up the classification feature, which allows us to transform events into specific incident types. This guide expands on the content covered in the videos "XSOAR Engineer Training - Part 2: Incident Types & Fields" and "XSOAR Engineer Training - Part 3: Classification and Mapping".
Set Up Incident Classifier
Navigate to Settings -> Objects Setup -> Classification & Mapping -> New Incident Classifier. At the top, select the JSONSampleIncidentGenerator_url_events instance we created in the previous post. This allows us to work with sample events.
On the right, you’ll see a list of existing incident types in XSOAR.
There’s already a PAN-OS URL Log Incident type, but since our events don’t originate from PAN-OS, we’ll create a new incident type specific to the data we’re analyzing.
Go to Settings -> Objects Setup -> Incidents -> Types and select PAN-OS URL Log Incident. Use the Detach button to modify the object and explore its structure. After making your changes, click Reattach to restore the original state.
Create a New Incident Type
Create a new incident type with the following settings:
- Name: URL Alerts
- Run playbook automatically: Set (best practice)
- Post process using: Unset (script executed before closing the incident)