MSV Direct Integrations - Simplify Field Mappings

Many of the MSV integrations, especially those in the SIEM category, use field mappings to associate log data with the variables MSV uses to attribute log or alert events to Actions. Typical mappings include source IP, destination IP, host name, user, source port, destination port, file hash, detection time, and event description. The field mapping process is a cycle: acquire a log sample, set up initial mappings, run an action, and then verify whether an alert has been attributed to the action. If it has not, review suspicious events for a partial match and identify which fields need correcting.

The process can be complicated; however, it can be streamlined with these few steps:

Assumption: The integration is already configured, suspicious events are enabled, the integration query is syntactically correct, and the integration passes the Check Health test. Additionally, the user knows how to troubleshoot event attribution using suspicious events. See "Working with suspicious events" for information on this subject.

Utilize the Integration Test feature - Every Direct integration has a "Test" feature that lets you craft a custom query to pull back an example log. Each integration differs in its API syntax, but the idea is the same for all of them: submit a query that returns an example log entry from the security control you plan to assess.

[Image: ScottieJ_2-1719258003400.png]

Identify the key fields - Once you have a quality sample log from the "Test" feature, it will include fields that can be mapped to the integration in the field mapping section. Not every field is mandatory, but the key fields that are generally required are those listed above.

Location, location, location - Getting the embedded JSON path correct is paramount, and it can be difficult when looking only at plain-text results. If the log is large, it is easy to make a mistake in the mapping. In cases like this, don't ruin your eyes: use a JSON tool to beautify / format the output so you can track the key/value pairs of interest. Several online tools will not only format the output but also offer a "tree" view; https://jsonformatter.org/ is a popular and easy-to-use one.

   !Warning. If using an online tool, obfuscate any sensitive data (internal IP addresses, host names, user names, file hashes) before pasting the log. Better still, format locally with a tool such as jq or python -m json.tool so the sample never leaves your machine.

When using the tree view, highlighting the data of interest shows you its nested position in the JSON output. That nested path can then be entered directly into the MSV field mapping. In the image below, the field mapping for the source IP address would be "raw_event.id_resp_h". The online tool makes the path easy to identify; in logs where nesting is three or more levels deep, this eliminates multiple rounds of trial-and-error mapping.

[Image: ScottieJ_1-1719257370198.png]

In some cases the base object (raw_event in this example) is assumed by the integration, and only the second level of the JSON needs to be mapped, as shown below.

[Image: ScottieJ_4-1719258433881.png]

Execute your Test Action - Run an action that will trigger an alert from the security control whose log you sampled, and ensure the action runs to completion. Review the attributed event for field mapping correctness. If no event is attributed, locate the event in suspicious events and identify which fields need correction.
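The following is an added example, not MSV's own code, that automates the "tree view" step of the procedure above: it parses a sample log, prints every leaf value with its dotted path, resolves a candidate mapping (with or without an assumed base object such as raw_event), and reports which variables are still unresolved before you run the test action. The sample log, its field names and the mapping variable names are constructed for illustration; the real path syntax is whatever your MSV integration's field mapping expects.

```python
"""Turn a sample JSON log into MSV-style dotted field paths and check a mapping.

Added example; not MSV's own code. The sample log, the field names in it and
the mapping helper names are constructed for illustration.
"""
from __future__ import annotations

import json
from typing import Any, Iterator, Optional

# Constructed sample, shaped like a SIEM response with a nested raw_event object.
# It is NOT the output of a real MSV "Test" query.
SAMPLE_LOG_TEXT = """
{
  "timestamp": "2024-06-24T19:00:03Z",
  "raw_event": {
    "id_orig_h": "10.1.2.3",
    "id_orig_p": 51234,
    "id_resp_h": "203.0.113.10",
    "id_resp_p": 443,
    "host": {"name": "ws-01", "user": "jdoe"},
    "files": [{"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}],
    "msg": "Outbound connection to known-bad IP"
  }
}
"""
SAMPLE_EVENT: dict[str, Any] = json.loads(SAMPLE_LOG_TEXT)


def leaf_paths(obj: Any, prefix: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted_path, value) for every scalar leaf, like a formatter's tree view.

    List elements get a numeric index segment, e.g. raw_event.files.0.sha256.
    """
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from leaf_paths(val, f"{prefix}.{key}" if prefix else key)
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from leaf_paths(val, f"{prefix}.{idx}" if prefix else str(idx))
    else:
        yield prefix, obj


def resolve(event: Any, path: str, base: Optional[str] = None) -> Any:
    """Walk a dotted path into a parsed event; return None if any segment is missing.

    `base` models an integration that assumes a top-level object (e.g. raw_event):
    a path that does not already start with it is prefixed with it.
    Keys that themselves contain dots (Zeek's "id.resp_h") are handled by trying
    the longest run of segments that is an actual key at each level.
    """
    if base and path != base and not path.startswith(base + "."):
        path = f"{base}.{path}"
    segs = path.split(".")
    cur, i = event, 0
    while i < len(segs):
        if isinstance(cur, dict):
            for j in range(len(segs), i, -1):
                key = ".".join(segs[i:j])
                if key in cur:
                    cur, i = cur[key], j
                    break
            else:
                return None
        elif isinstance(cur, list) and segs[i].isdigit() and int(segs[i]) < len(cur):
            cur, i = cur[int(segs[i])], i + 1
        else:
            return None
    return cur


def paths_with_value(event: Any, wanted: Any) -> list[str]:
    """Reverse lookup: every path whose leaf equals `wanted` (e.g. the IP you recognise)."""
    return [p for p, v in leaf_paths(event) if v == wanted]


def check_mapping(event: Any, mapping: dict[str, str], base: Optional[str] = None) -> dict[str, Any]:
    """Apply a candidate {msv_variable: json_path} mapping and return what each resolves to."""
    return {var: resolve(event, path, base) for var, path in mapping.items()}


def unresolved(resolved: dict[str, Any]) -> list[str]:
    """Names of variables whose path resolved to nothing; these are the ones to fix."""
    return sorted(var for var, val in resolved.items() if val is None)


if __name__ == "__main__":
    for path, value in leaf_paths(SAMPLE_EVENT):
        print(f"{path:32} {value!r}")
    candidate = {  # hypothetical mapping, base object assumed by the integration
        "source_ip": "id_orig_h", "destination_ip": "id_resp_h",
        "user": "host.user", "file_hash": "files.0.sha256", "host_name": "hostname",
    }
    got = check_mapping(SAMPLE_EVENT, candidate, base="raw_event")
    print("unresolved:", unresolved(got))  # host_name is wrong; should be host.name
```

Run it against the saved output of your own "Test" query instead of SAMPLE_LOG_TEXT, pick the paths from the printed list, and use paths_with_value when you know the value (the IP of your test host, say) but not where the control buried it. The dotted-key handling in resolve is there because some controls emit keys such as "id.resp_h" that look like nested objects but are flat; whether your integration treats those as one key or two is something to confirm in its field mapping documentation rather than assume.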

Using this process should eliminate many of the headaches of trial-and-error mapping and get your security control events properly mapped to the MSV variables needed for event attribution.

Good Hunting!
