Defining the record format - Security Center 5.10

Security Center Administrator Guide 5.10

Product: Security Center
Content type: Guides > Administrator guides
Version: 5.10
Language: English
Last updated: 2023-06-12

To create a record type, you must first define the format of the records you want to import. You can define the format manually or let the system derive it from a data file.

What you should know

The record format is defined as a list of fields. Each field in the record type is characterized by four properties: name, display name, type, and function. You can either define the field list manually or let the system populate it automatically by deriving the field definitions from a file containing the records you want to import.
CAUTION:
After the record type is created, you can only change how the fields are displayed. If you missed a field or misconfigured a field attribute, you must delete the record type and start over.

Procedure

To define the record format manually:

  1. At the bottom of the Properties page, click Add an item.
    The field definition dialog box opens with four suggested fields.
    [Figure: Record Caching Service - Create a record type]
  2. Give a Name to the record type.
  3. Adjust the number of fields as needed.
    • Click Add an item to add a new field.
    • Select a field and click the remove button to delete it.
    You can have as many fields as required by your record type.
  4. For each data field, define the following attributes:
    Name
    Name used to identify the field in report filters and display format expressions. All field names are case-sensitive.
    Display as
    Name used to identify the field in the information bubble when ingested data is displayed on a map.
    Type
    The type attribute defines both how the data is stored in the ingestion database and how it is read from a data file.

    The following types are supported:

    String
    An alphanumeric string.
    32 bit integer
    An integer in the range -2,147,483,648 to 2,147,483,647.
    64 bit integer
    An integer in the range -9.223372×10^18 to 9.223372×10^18.
    Floating point number
    A floating point number.
    Boolean
    A Boolean value expressed as 1 or 0, or a string containing one of the following: "True", "False", "true", "false", "T", or "F".
    Timestamp
    A string or number that can be parsed as either:
    • A timestamp in any of the formats understood by the .NET DateTime.TryParse method.
    • A number representing the number of ticks elapsed since midnight, January 1, 0001, which is converted to a timestamp. A tick is one ten-millionth of a second (100 nanoseconds). See the DateTime.Ticks property.
    Security Center entity
    A GUID that represents the internal ID of a Security Center entity.
    Binary - Base64
    Binary data represented as text using the Base64 encoding scheme.
    Binary - file
    String containing the path to a file on disk.
    Extended string
    A long text. The difference between String and Extended string is their expected size.
    The last three data types (Binary - Base64, Binary - file, and Extended string) are intended for large data. Fields using these data types are not loaded by default when a record is fetched from the ingestion database; to optimize system performance, their data is only loaded on demand.
    Function
    Fields that have a specific function in the record are indexed for faster access. A given function can only be assigned to one field. The following functions are predefined:
    ID
    Designates a field as the primary key. Each value from that field must be unique within the record type. It is the only function that must be assigned to a field. All other functions are optional.
    Timestamp
    Designates a timestamp field for time correlation. There can be many timestamp fields in a record type, but only one can be assigned the Timestamp function.
    Latitude, Longitude
    These two functions must be assigned together. The Latitude and Longitude fields must correspond to a geographical location that can be used to position the data on a map and for geofencing.
    Location
    This function is equivalent to the Latitude and Longitude functions. They are mutually exclusive. A field assigned to the Location function must contain a string in the format {"Latitude": n.nnnn, "Longitude": n.nnnn}.
  5. Review all field definitions and click Create.
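Because a record type cannot be corrected after it is created, it is worth checking a sample of the data file against the planned field list beforehand. The following Python checker is an added example, not part of this guide or of Security Center; it models the field list as (name, type, function) tuples, applies the Type and Function rules described above, and assumes ISO 8601 strings in place of the .NET DateTime.TryParse formats.

```python
import base64, json, uuid
from datetime import datetime, timedelta
INT_RANGE = {"32 bit integer": (-2**31, 2**31 - 1), "64 bit integer": (-2**63, 2**63 - 1)}
BOOLS = {**{w: True for w in ("1", "True", "true", "T")}, **{w: False for w in ("0", "False", "false", "F")}}
SIMPLE = {"String": str, "Extended string": str, "Binary - file": str, "Floating point number": float,
          "Security Center entity": uuid.UUID, "Boolean": BOOLS.__getitem__,
          "Binary - Base64": lambda raw: base64.b64decode(raw, validate=True)}

def parse_value(ftype, raw):
    """Parse one text value per this guide's Type rules (constructed checker, not Genetec code)."""
    if ftype in INT_RANGE:
        n, (lo, hi) = int(raw), INT_RANGE[ftype]
        if not lo <= n <= hi:
            raise ValueError(f"{raw} is out of range for {ftype}")
        return n
    if ftype == "Timestamp":
        if raw.isdigit():  # a bare number is ticks (100 ns each) since midnight, 1 January 0001
            return datetime(1, 1, 1) + timedelta(microseconds=int(raw) // 10)
        return datetime.fromisoformat(raw)  # assumption: ISO 8601 stands in for DateTime.TryParse
    return SIMPLE[ftype](raw)  # KeyError for an unknown type or an unrecognised Boolean word

def check_functions(fields):
    """Problems with the Function column of a field list [(name, type, function)]; [] if valid."""
    funcs = [f for _, _, f in fields if f]
    problems = [f"{f} is assigned to more than one field" for f in set(funcs) if funcs.count(f) > 1]
    if "ID" not in funcs:
        problems.append("no field carries the ID function")
    lat, lon, loc = "Latitude" in funcs, "Longitude" in funcs, "Location" in funcs
    if lat != lon:
        problems.append("Latitude and Longitude must be assigned together")
    if loc and (lat or lon):
        problems.append("Location is mutually exclusive with Latitude/Longitude")
    return problems

def validate_rows(fields, rows):
    """Parse every row of text values against the field list; [] means the data is importable."""
    problems, seen_ids = check_functions(fields), set()
    for i, row in enumerate(rows):
        for (name, ftype, func), raw in zip(fields, row):
            try:
                value = parse_value(ftype, raw)
                if func == "Location":  # must be {"Latitude": n.nnnn, "Longitude": n.nnnn}
                    lat, lon = (float(json.loads(value)[k]) for k in ("Latitude", "Longitude"))
                if func == "ID" and value in seen_ids:
                    raise ValueError("duplicate ID value")
                if func == "ID":
                    seen_ids.add(value)
            except (ValueError, KeyError, TypeError, OverflowError) as exc:
                problems.append(f"row {i}, field {name}: {exc}")
    return problems
```

Run validate_rows on the planned field list and the rows of your data file; every reported problem is one that the automatic type detection described below may silently get wrong.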

To populate the field list from a data file:

  1. Click Populate from file, select a data file, and click Open.
    The field list is automatically populated with the fields deduced from the data file.
    [Figure: Record Caching Service - Create a record type - Populate from file]
  2. Check the Type and Function of each field and fix any mistakes.
    CAUTION:
    The system can generate the field list quickly, but some data types might be recognized incorrectly. The Binary - file data type can be mistaken for a string, and a timestamp can be mistaken for an integer or a string. Pay particular attention to the functions, because automatic field population is most error-prone for them.
  3. Go through the Display as column and enter more user-friendly display names.
    By default, the display names are copied from the field names.
  4. Review the list and add or delete fields as needed.
    CAUTION:
    If you change the number of fields or their sequence, you might not be able to import data from the file you used to create the field list.
  5. When you are finished, click Create.

Results

The suggested presentation of the data is displayed.