Workflow Automation

Managing Incident Group Mappings

An incident group mapping specifies the incidents that are associated with the incident group. Only admins with full access to Workflow Automation can map the incident groups. Incident groups are mapped to one or more of the attributes available in an incident transaction. These mappings can be simple or more complex to meet your requirements. After incident groups are configured, admins with full access can then assign these incident groups to the admins with restricted access who will be responsible for them. They do these assignments in the Workflow Automation Admin Portal, on the Admin Assignment page. To learn more, see Managing Admin Assignments.

In the Workflow Automation Admin Portal, on the Incident Group Mapping page, admins can:

  • Prerequisites

    In the Workflow Automation Admin Portal, on the Incident Group page, ensure that incident groups have been added. To learn more, see Managing Incident Groups.

    Adding Incident Group Mappings

    To add an incident group mapping:

    1. Go to Incident Group > Incident Group Mapping. The Incident Group Mapping page appears, listing the default incident group and all the incident groups that have been mapped.
    2. On the Incident Group Mapping page, click Add Statement. A new expanded row appears after the last incident group mapping. The statement section appears within that row.

      You can also access the Incident Group Mapping page by clicking the Add New Incident Group Mapping icon from the Incident Group page.

    3. In the new row, from the drop-down menu, select the Incident Group that you want to map.

    4. As required, configure a basic or advanced property mapping for the incident group.
      • To configure a basic incident mapping:

        1. In the statement section, from the drop-down menu, select the Source DLP Type. Source DLP types are Any, Email, Endpoint, Inline, and SaaS Security. Any appears by default.
        2. Add a predicate for the first condition:

          1. Property: From the drop-down menu, select the property. All the attributes in an incident transaction are available as properties. The properties available for selection vary depending on the Source DLP type you select. A property can be a number, a string, a date, or a Boolean field (True or False).

            If you choose user attributes for obfuscation, you cannot map an incident group to these obfuscated attributes (properties). In addition, if a user with permissions to incident group mappings has obfuscation enabled and an incident group was previously mapped using an obfuscation field, then the user cannot edit those existing incident group mappings. To learn more about obfuscation settings, see Managing Account Settings and Managing Admin Assignments.

            • The following is a list of the incident group mapping properties:

              • Application Info

                The Application Info properties are available only for Source DLP types of Email, Inline, and SaaS Security.

                • Additional Info (only available for Source DLP types of Email and SaaS Security)
                  • Tenant (only available for Source DLP type Email)
                  • SaaS Tenant Name (only available for Source DLP type SaaS Security)
                • Category
                • Hostname Or Application
                • Name
                • Referrer URL (only available for Source DLP type Inline)
                • Url
              • Content Info

                The Content Info properties that are available vary by Source DLP type. The property sets are:

                  • Additional Info
                    • File MD5
                  • File Name
                  • File Type

                  • Additional Info
                    • Attachment Name
                    • Bucket Name
                    • Bucket Owner
                    • Channel Name
                    • Code Repository
                    • Collaboration Scope
                      • Values
                    • File MD5
                    • Email Recipients
                    • Email Sender
                    • External Collaborators
                    • File ID
                    • File Owner
                    • Internal Collaborators
                    • Message ID
                    • Object ID
                    • Object Name
                  • Attachments
                    • File Category
                    • File Name
                    • File Size
                    • File Type
                    • File MD5
                  • Content Location
                  • File Category
                  • File Name
                  • File Size
                  • File Type

                  • Additional Info
                    • Additional Info
                    • Channel
                    • Destination Type
                    • File MD5
                    • Expected Action
                    • File Destination Location
                    • File Size
                    • File Source Location
                    • Item Destination Name
                    • Item Source Name
                    • Item Type
                    • Source Type
                    • ZDP Mode
                  • Evidence Url
                  • File Name
                  • File Type

                  • Additional Info
                    • Message ID
                    • Subject
              • Endpoint Info

                The Endpoint Info properties are available only for Source DLP type Endpoint.

                • Activity Type
                • Confirm Action
                • Confirm Justification
              • Integration Type
              • Matching Policies

                The Matching Policies properties that are available vary by Source DLP type. The property sets are:

                  • Dictionaries
                    • Match Count
                    • Name
                    • Name Match Count
                  • Engines
                    • Name
                    • Rule
                  • Other Rules
                    • Other Rules
                      • Rule Name
                    • Total Other Rules
                  • Rules
                    • Name

                  • Dictionaries
                    • Match Count
                    • Name
                    • Name Match Count
                  • Engines
                    • Name
                    • Rule
                  • Rules
                    • Name

                  • Dictionaries
                    • Assigned To Hit Rule
                    • Match Count
                    • Name
                    • Name Match Count
                  • Engines
                    • Assigned To Hit Rule
                    • Name
                    • Rule Expr
                  • Other Rules
                    • Other Rules
                      • Rule ID
                      • Rule Name
                    • Total Other Rules
                  • Rules
                    • Name

                  • Dictionaries
                    • Assigned To Hit Rule
                    • Match Count
                    • Name
                    • Name Match Count
                  • Engines
                    • Assigned To Hit Rule
                    • Name
                    • Rule
                  • Rules
                    • Action
                    • Files Info
                      • Content Location
                      • File Category
                      • File Name
                      • File Size
                      • File Type
                      • File MD5
                    • Name
                    • Other Matched Rules
                    • Recipient
                    • Severity

                  • Dictionaries
                    • Match Count
                    • Name
                    • Name Match Count
                  • Engines
                    • Name
                  • Rules
                    • Name
              • Severity (not available for Source DLP type Email)
              • Source Actions
              • Source ID
              • Source SubType
              • Source Type
              • User Info
                • Addresses
                  • Home
                    • Country
                    • PostCode
                    • Region
                  • Other
                    • Country
                    • PostCode
                    • Region
                  • Work
                    • Country
                    • PostCode
                    • Region
                • Client IP (only available for Source DLP type Inline)
                • Department
                • Device Name (only available for Source DLP type Endpoint)
                • Device OS (only available for Source DLP type Endpoint)
                • Device Trust Level (only available for Source DLP type Endpoint)
                • Division
                • Email
                • Employ Number
                • First Name
                • Groups
                • Home Country (only available if you select CSV as the primary user data source on the Account Settings page)
                • Job Title (only available if you select CSV as the primary user data source on the Account Settings page)
                • Last Name
                • Location (only available if you select CSV as the primary user data source on the Account Settings page)
                • Manager Info
                  • Department
                  • Email
                  • Groups
                  • ID
                  • Name
                  • Organization
                • Name
                • Organization
                • Organization Hierarchy (only available if you select CSV as the primary user data source on the Account Settings page)
                • Phone Number (only available if you select CSV as the primary user data source on the Account Settings page)
                • Project IDs (only available if you select CSV as the primary user data source on the Account Settings page)
                • Skip Level Managers

                  The Skip Level Managers properties are only available if you select CSV as your primary user data source on the Account Settings page.

                  • Department
                  • Email
                  • ID
                  • Name
                • Status
                • Termination Date (only available if you select CSV as the primary user data source on the Account Settings page)
                • User ID
                • User Role (only available if you select CSV as the primary user data source on the Account Settings page)
                • Worker Type (only available if you select CSV as the primary user data source on the Account Settings page)
          2. Operation: Select the operation. The operations vary depending on the property you choose.
            • The following table lists the operations and their descriptions (each operation name is followed by its description):

              AFTER

              It can be used for a Date type property field.

              This operation tests whether the property selected for these types of incidents is after the value that you entered in the property value field (e.g., userInfo.Termination Date).

              BEFORE

              It can be used for a Date type property field.

              This operation tests whether the property selected for these types of incidents is before the value that you entered in the property value field (e.g., userInfo.Termination Date).

              CONTAINS_EXACT

              It can be used for the following types of property fields:

              • Array of strings
              • Number
              • Boolean

              This operation tests whether the property selected for these types of incidents contains the exact value that you entered in the property value field. You must enter the full value for the property because no partial comparisons are performed. The property field value is not case sensitive. You can use this operation for properties that might include multiple values (e.g., matchingPolicies.rules[*].name, matchingPolicies.engines[*].name, and matchingPolicies.dictionaries[*].name).

              For example, let's say you want to map incidents that have violated a specific Data Loss Prevention (DLP) rule (Block-HIPAA-SSN) to an incident group (Social Security Number Violations). But incidents are occurring in your organization that violate multiple DLP rules (Block-HIPAA-MIN, Block-PCI-CC, and Block-HIPAA-SSN) at the same time. Using the CONTAINS_EXACT operation, you can ensure that incidents with multiple rule violations that include the Block-HIPAA-SSN rule are mapped to the Social Security Number Violations incident group. For example, suppose an incident has violated the Block-HIPAA-MIN, Block-PCI-CC, and Block-HIPAA-SSN rules.

              In the future, to ensure that this type of incident maps to the Social Security Number Violations incident group, create the following incident group mapping predicate:

              • Incident Group = Social Security Number Violations
              • Property = matchingPolicies.rules[*].name
              • Operation = CONTAINS_EXACT
              • Property Value = Block-HIPAA-SSN (must contain the full name of the DLP rule)


              NOT_CONTAINS_EXACT

              It can be used for the following types of property fields:

              • Array of strings
              • Number
              • Boolean
              This operation tests whether the property selected for these types of incidents does not contain the exact value that you entered in the property value field. You must enter the full value for the property because no partial comparisons are performed. The property field value is not case sensitive. You can use this operation for properties that might include multiple values (e.g., matchingPolicies.rules[*].name, matchingPolicies.engines[*].name, and matchingPolicies.dictionaries[*].name).

              EQUALS

              It can be used for the following types of property fields:

              • String
              • Number
              • Date
              This operation tests whether the property selected for these types of incidents equals the value that you entered in the property value field. The property field value is not case sensitive.

              NOT_EQUALS

              It can be used for the following types of property fields:

              • String
              • Number
              • Date
              This operation tests whether the property selected for these types of incidents does not equal the value that you entered in the property value field. The property field value is not case sensitive.

              IN_IPv4_SUBNET

              It can be used for an IP Address type property field.

              This operation tests whether the property selected for these types of incidents is in the IPv4 subnet value that you entered in the property value field.

              IN_IPv6_SUBNET

              It can be used for an IP Address type property field.

              This operation tests whether the property selected for these types of incidents is in the IPv6 subnet value that you entered in the property value field.

              LIKE

              It can be used for a String type property field.

              This operation tests whether the property selected for these types of incidents is like the value that you entered in the property value field. This operation does a partial comparison of the substring. For example, if you select userInfo.name as the property and enter John for the property value, the LIKE operation matches the following user names:

              • John Brown
              • David John Smith
              • Susan John
              • John

              EXISTS

              It can be used for all types of property fields.

              This operation tests whether the property selected exists for these types of incidents. For this type of operation, you do not enter a property value.

              LESS_THAN

              It can be used for a Number type property field.

              This operation tests whether the property selected for these types of incidents is less than the value that you entered in the property value field. You can use this operation for numeric properties (e.g., userInfo.userID).

              GREATER_THAN

              It can be used for a Number type property field.

              This operation tests whether the property selected for these types of incidents is greater than the value that you entered in the property value field. You can use this operation for numeric properties (e.g., userInfo.userID).
          3. Property value: Enter or select the value for the property. Some of the properties display values for your organization filtered by the source DLP type that you can select from (e.g., Severity, Source Actions, and matchingPolicies.rules[*].name). For others, you must enter a value for the property.
          4. Select the function for the condition. If required, select NOT. You can only select OR or AND as the function when you add another predicate.

        3. (Optional) Add another predicate:

          1. Click Add Predicate. Another predicate row appears under the first predicate row, and the AND function is automatically selected for the condition.

          2. In the new predicate row:
            1. Property: From the drop-down menu, select the property.
            2. Operation: From the drop-down menu, select the operation.
            3. Property value: Enter or select the property value for the property.
          3. If required, select the function for the condition. Functions are NOT, OR, and AND.

        4. (Optional) Add another condition to the statement:
          1. Above the predicates that have been defined, click the Add icon. Another condition box appears.

          2. Enter the predicates for the condition. Add a predicate for the first condition and optionally add another predicate.
          3. Click Save.
      • To configure an advanced incident mapping:

        1. In the statement section, from the drop-down menu, select the Source DLP Type. Source DLP types are Any, Email, Endpoint, Inline, and SaaS Security. Any appears by default.
        2. Click Advanced. The statement section reappears, displaying multiple nested conditions.

        3. Configure the predicates as required for each condition in the statement. To add another predicate to a condition, click Add Predicate. To add another condition to a certain level in the statement section, click the Add icon at that level. To learn how to add a predicate and a condition to a statement, see Basic Incident Mapping.
        4. Click Save.
  • To edit an incident group mapping:

    1. Go to Incident Group > Incident Group Mapping. The Incident Group Mapping page appears, listing the default incident group and all the incident groups that have been mapped.
    2. (Optional) On the Incident Group Mapping page, use the Search field to locate the incident group you want to edit the mappings for.
    3. At the end of the row next to the incident group you want to edit, click the Expand icon. The row expands to display the mappings in the statement section for the incident group.

    4. In the statement section, edit any of the existing predicates and conditions for the statement. You can edit the properties, operations for the properties, and property values within the existing predicates and the function for the condition.
    5. (Optional) Add additional predicates or conditions to the statement. To learn more, see Adding Incident Group Mappings.
    6. Click Save.

    To delete a predicate or condition within a statement, click the Delete icon next to the predicate or condition.

  • To view incident group mappings:

    1. Go to Incident Group > Incident Group Mapping. The Incident Group Mapping page appears, listing the default incident group and all the incident groups that have been mapped. The incident groups are displayed as Incident Group Type / Incident Group Name.

    2. On the Incident Group Mapping page, at the end of the row next to an incident group, click the Expand icon. The row expands to display the mappings in the statement section for that incident group.

  • To delete an incident group mapping:

    1. Go to Incident Group > Incident Group Mapping. The Incident Group Mapping page appears, listing the default incident group and all the incident groups that have been mapped.
    2. On the Incident Group Mapping page, click the Delete icon next to an incident group. A message appears asking whether you are sure that you want to delete this statement.

    3. Click OK.
  • To arrange incident group mapping rules (rules equate to statements in Workflow Automation):

    1. Go to Incident Group > Incident Group Mapping. The Incident Group Mapping page appears, listing the default incident group and all the incident groups that have been mapped.
    2. On the Incident Group Mapping page, click the down arrow or up arrow next to an incident group to arrange the order in which the rules are processed. Workflow Automation evaluates every rule for an incident transaction, not only the first that matches. If a transaction matches a rule, the incident group associated with the rule is assigned to the transaction, so depending on your rules a transaction might be assigned to multiple incident groups.

    3. Click Save.
  • To specify the default incident group:

    1. Go to Incident Group > Incident Group Mapping. The Incident Group Mapping page appears, listing the default incident group and all the incident groups that have been mapped.
    2. On the Incident Group Mapping page, from the drop-down menu, select the Default Incident Group. When Workflow Automation finds no other matches for any other incident group mapping for an incident, it uses the default incident group for the incident.

    3. Click Save.
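To make the predicate operations, the AND/OR/NOT condition functions, the ordered rule processing and the default incident group described above concrete, the following is an added Python model written for this page; it is not Workflow Automation code, and the sample incident, the property paths other than those quoted on the page, and the group names apart from Social Security Number Violations are constructed assumptions.

```python
from datetime import date
import ipaddress

def get_path(obj, path):
    """Resolve a dotted path; a '[*]' segment fans out over list items and returns a list."""
    parts = path.split(".")
    for i, part in enumerate(parts):
        if part.endswith("[*]"):
            items = obj.get(part[:-3], []) if isinstance(obj, dict) else []
            rest = ".".join(parts[i + 1:])
            return [get_path(item, rest) for item in items] if rest else items
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj

def _fold(v):  # EQUALS and CONTAINS_EXACT are documented as not case sensitive
    return v.casefold() if isinstance(v, str) else v

def evaluate(incident, prop, op, value=None):
    """Evaluate one predicate: (property, operation, property value)."""
    actual = get_path(incident, prop)
    if op == "EXISTS":                       # EXISTS takes no property value
        return actual not in (None, [])
    if actual is None:
        return False
    if op in ("CONTAINS_EXACT", "NOT_CONTAINS_EXACT"):
        items = actual if isinstance(actual, list) else [actual]
        hit = _fold(value) in [_fold(i) for i in items]   # full value only, no partial match
        return hit if op == "CONTAINS_EXACT" else not hit
    if op in ("EQUALS", "NOT_EQUALS"):
        return (_fold(actual) == _fold(value)) == (op == "EQUALS")
    if op == "LIKE":                         # substring comparison; case folding is assumed
        return _fold(value) in _fold(actual)
    if op in ("IN_IPv4_SUBNET", "IN_IPv6_SUBNET"):
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    if op in ("AFTER", "GREATER_THAN"):
        return actual > value
    if op in ("BEFORE", "LESS_THAN"):
        return actual < value
    raise ValueError(f"unknown operation {op}")

def evaluate_condition(incident, cond):
    """cond = {"fn": "AND"|"OR", "not": bool, "predicates": [tuple or nested cond]}."""
    results = [evaluate_condition(incident, p) if isinstance(p, dict) else evaluate(incident, *p)
               for p in cond["predicates"]]
    out = all(results) if cond.get("fn", "AND") == "AND" else any(results)
    return not out if cond.get("not") else out

def assign_groups(incident, rules, default_group):
    """Process every rule in order, collecting all matching groups; else use the default."""
    matched = [group for group, cond in rules if evaluate_condition(incident, cond)]
    return matched or [default_group]

# Constructed sample incident that violated three DLP rules at once, as in the page's example.
INCIDENT = {
    "matchingPolicies": {"rules": [{"name": "Block-HIPAA-MIN"}, {"name": "Block-PCI-CC"},
                                   {"name": "Block-HIPAA-SSN"}]},
    "userInfo": {"name": "David John Smith", "clientIP": "10.20.30.40",
                 "terminationDate": date(2024, 6, 30)},
}
RULES = [  # hypothetical group names, in the order they would appear on the mapping page
    ("Social Security Number Violations", {"fn": "AND", "predicates": [
        ("matchingPolicies.rules[*].name", "CONTAINS_EXACT", "block-hipaa-ssn")]}),
    ("Departing Users", {"fn": "AND", "predicates": [
        ("userInfo.terminationDate", "BEFORE", date(2025, 1, 1)),
        ("userInfo.clientIP", "IN_IPv4_SUBNET", "10.20.0.0/16")]}),
    ("Finance", {"fn": "AND", "predicates": [("userInfo.department", "EQUALS", "Finance")]}),
]
```

Calling assign_groups(INCIDENT, RULES, "Default") returns the first two groups, showing that the lowercase full rule name still matches under CONTAINS_EXACT while the partial value "HIPAA" does not, and that an incident matching no rule receives only the default group.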