Data Dictionary lets you specify your own easy-to-understand labels for data coming from datasources. Labels simplify ingestion, analytics, and hunting processes. Content developers can use labels to create policies.
Labels can be used uniformly across all datasources of the same functionality. This reduces the time and effort a content developer has to spend on creating policies for different datasources. For example, if there are 5 vendors for the firewall functionality, then all 5 vendors will have the same labels for events. This allows content developers to create one policy and use it for all 5 vendors.
Labels help security analysts get valuable context and query data efficiently in Spotter.
Note: When you upgrade your current SNYPR application to SNYPR 6.4, the new labels are displayed in Spotter. You can select whether you want to view records using new labels or Securonix attributes. For more information on mapped attributes and labels, refer to the Data Dictionary Mapping.
As part of the out-of-box content, Securonix provides functionalities with new labels mapped to SNYPR attributes. You can edit these labels to create customized labels from Menu > Administrator > Settings > Data Dictionary.
Note: Only users with the ROLE_CONTENT_ADMIN role can edit labels from the Data Dictionary screen. This role can be assigned from Menu > Administrator > Access Control > User.
You can select a functionality to view Securonix mapped attributes and corresponding labels. Additionally, you can edit an existing label to create your own custom labels.
SNYPR provides a data dictionary for out-of-box functionalities. If you have to send data from a custom functionality, you can create new labels while setting up the ingestion from Add Data > Activity Import.
You have to create a label and map it to the SNYPR attribute name. Once the labels are added, you can use them for another datasource of the same functionality.
Note: For more information on mapped attributes and labels, refer to the Data Dictionary Mapping. If you are upgrading to SNYPR 6.4 from a previous version, the SNYPR 6.4 documentation provides a mapping between old Securonix attributes and new labels.
Using Data Dictionary Labels in SNYPR
Labels are used everywhere in SNYPR 6.4 to provide uniformity, such as:
During the ingestion process, you can select predefined labels for data coming from a datasource.
While creating policies, labels provide meaningful context to content developers. Content developers can create one policy for a functionality and use it across all datasources of that functionality.
While querying data using Spotter, security analysts can use customer-defined labels and Securonix attributes to query data. Prior to the 6.4 release, security analysts could use Securonix attributes to query data.
Note: To query data using Securonix attributes, prefix the Securonix attribute with "@". The "@" indicates that you are using only a Securonix attribute to run the query. If you want to query data using only labels, do not use "@".
Limitation: You cannot use APIs to query data using labels and "@" Securonix attributes.