Novell SENTINEL 6.1 SP2 - 02-2010 User Manual page 262

Referenced from Map: Data is retrieved from a map to populate the tag.

Figure 11-15 (Data Sources)

In the above illustration, the SourceAssetName tag is populated from the map called Asset (which has asset.csv as its map data source file). The specific value for SourceAssetName is taken from the AssetName column of the Asset map. The PhysicalAssetName column is set as the key. When the InitIP tag of the event matches one of the source IP values in the PhysicalAssetName column of the map, the row with the matching key is used to intersect the AssetName column. For instance, in the below example the IP corresponds to AssetName Finance35.

NOTE: When a column is set as a key, it will not appear in the Column drop down field.

Figure 11-16 (Physical Asset Name corresponds to Asset Name)

You can have more than one column set as a key, as long as you do not want the map to be a Range Map (Range Maps can only have one key column, with that column type set to NumberRange). For instance (with column type set to String), the AttackId tag has the DeviceName (name of the security device) and DeviceAttackName columns set as keys and uses the NormalizedAttackID column in the AttackNormalization map for its value. In a row where the DeviceName event tag matches the data in the Device map column and the DeviceAttackName matches the data in the AttackSignature map column, the value for AttackId is the value in the NormalizedAttackID column. The configuration for Event Mapping just described is:

Figure 11-17 (Event Mapping Configuration)
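The single-key lookup (Asset map, keyed on PhysicalAssetName) and the two-key lookup (AttackNormalization map, keyed on DeviceName and AttackSignature) described above, as an added Python illustration that is not Sentinel's own code; the two CSV maps and the event tag values are constructed sample data, and an unmatched key leaves the tag unset rather than guessing a value.

```python
import csv
import io

# Constructed sample map files standing in for asset.csv and the
# AttackNormalization map; the column names follow the text above.
ASSET_CSV = """PhysicalAssetName,AssetName,Owner
10.0.5.35,Finance35,finance-ops
10.0.5.36,Finance36,finance-ops
"""

ATTACK_CSV = """DeviceName,AttackSignature,NormalizedAttackID
Snort,ET SCAN Nmap,NMAP-SCAN
PaloAlto,Port Scan,NMAP-SCAN
"""


def build_map(csv_text, key_columns):
    """Index a map's rows by the tuple of its key column values.
    A map with one key column is just the one-element-tuple case."""
    index = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = tuple(row[col] for col in key_columns)
        index.setdefault(key, row)  # first row with a given key wins
    return index


def reference_from_map(event, map_index, key_tags, value_column):
    """Populate one tag: take the event's key tag values (in key column
    order), find the row whose keys all match, and return its value column.
    Returns None when no row matches, so every key must line up."""
    key = tuple(event.get(tag, "") for tag in key_tags)
    row = map_index.get(key)
    return row[value_column] if row else None


def apply_event_mapping(event):
    """Apply both Referenced-from-Map tags of the text to one event."""
    asset = build_map(ASSET_CSV, ["PhysicalAssetName"])
    attack = build_map(ATTACK_CSV, ["DeviceName", "AttackSignature"])
    mapped = dict(event)
    mapped["SourceAssetName"] = reference_from_map(
        event, asset, ["InitIP"], "AssetName")
    mapped["AttackId"] = reference_from_map(
        event, attack, ["DeviceName", "DeviceAttackName"], "NormalizedAttackID")
    return mapped
```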