Map offense fields
After you have selected the rules, the next step is to map offense, event, or flow fields to the fields in the security incident form.
Overview of Mapping
For the mapping step, first ingest sample offenses for one or more of the selected IBM QRadar rules. Then ensure that all relevant offense field data is mapped to the appropriate place on the Security Incident Response (SIR) incident form, and view the resulting SIR incident in the preview section.
Mapping of the sample offense fields involves the following:
- Fetching and populating the sample data: See Ingesting the sample IBM QRadar offenses.
- Mapping the offense fields to the security incident: See Mapping IBM QRadar offense fields to security incident response fields.