Defining the record format - Security Center 5.12

Security Center Administrator Guide 5.12

Product: Security Center
Content type: Guides > Administrator guides
Version: 5.12
Language: English
Last updated: 2024-08-13

To create a record type, you must first define the format of the records you want to import. You can define the format manually or let the system derive it from a data file.

What you should know

The record format is defined as a list of fields. Three properties characterize each field in the record type: Display as, Type, and Function. You can either define the field list manually or let the system populate the list automatically. The latter is done by letting the system derive the field definitions from a file containing the records you want to import.
CAUTION:
After the record type is created, you can only change how the fields are displayed. If you missed a field or misconfigured a field attribute, you must delete the record type and start over.

Procedure

To define the record format manually:

  1. At the bottom of the Properties page, click Add an item.
    The Create a record type dialog box opens with four suggested fields:
    Record Caching Service - Create a record type dialog box.
  2. In the Name field, enter the record type name.
  3. Adjust the number of fields as needed.
    • Click to add a new field.
    • Select a field and click to remove it.
    You can have as many fields as required by your record type.
  4. For each data field, define the following attributes:
    Display as
    The field label used to identify the field value in the information bubble when ingested data is displayed on maps.
    NOTE: The field name is derived from the field label by removing spaces. Field names are used in report filter and display format expressions. Field names are case-sensitive.
    Type
    The type attribute defines both how the data is stored in the ingestion database and how it is read from a data file.

    The following types are supported:

    Text
    An alphanumeric string.
    Numeric (32-bit)
    An integer in the range -2,147,483,648 to 2,147,483,647.
    Numeric (64-bit)
    An integer in the range -9.223372 × 10^18 to 9.223372 × 10^18.
    Decimal
    A floating point number.
    Boolean
    A Boolean value expressed as 1 or 0, or a string containing one of the following: "True", "False", "true", "false", "T", or "F".
    Security Center entity
    A GUID that represents the internal ID of a Security Center entity.
    Binary (Base64)
    Binary data represented as text using the Base64 encoding scheme.
    Binary (file path)
    A string containing the path to a file on disk.
    Text (extended)
    A long text. The difference between Text and Text (extended) is their expected size.
    Timestamp
    A string or number that can be parsed as either:
    • A timestamp in any of the formats understood by C#. See DateTime.TryParse Method.
    • A number representing the number of ticks elapsed since midnight, January 1, 0001, that can be converted to a timestamp. A tick is one ten-millionth of a second. See DateTime.Ticks Property.
    The Binary and Text (extended) data types are used for large data. Fields using these data types are not loaded by default when a record is fetched from the ingestion database. To help optimize the system performance, the data is only loaded on demand.
    Function
    Fields that have a specific function in the record are indexed for faster access. A given function can only be assigned to one field. The following functions are predefined:
    ID
    Designates a field as the primary key. Each value from that field must be unique within the record type. It is the only function that must be assigned to a field. All other functions are optional.
    Timestamp
    Designates a timestamp field for time correlation. There can be many timestamp fields in a record type, but only one can be assigned to the Timestamp function.
    Latitude, Longitude
    These two functions must be assigned together. The Latitude and Longitude fields must correspond to a geographical location that can be used to position the data on a map and for geofencing.
    Location
    This function is equivalent to the Latitude and Longitude functions. They are mutually exclusive. A field assigned to the Location function must contain a string in the format {"Latitude": n.nnnn, "Longitude": n.nnnn}.
  5. Review all field definitions and click Create.
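
Because a record type cannot be corrected after it is created, the function rules above can be checked on paper first. The following is an added example, not part of Security Center: the tuple layout and the names check_record_type and field_name are hypothetical, and treating two labels that reduce to the same field name as a problem is an assumption.

```python
FUNCTIONS = {"ID", "Timestamp", "Latitude", "Longitude", "Location"}

def field_name(display_as):
    # The field name is the display label with spaces removed (case-sensitive).
    return display_as.replace(" ", "")

def check_record_type(fields):
    """fields: list of (display_as, type, function or None). Returns problems."""
    problems, assigned, seen = [], {}, set()
    for label, _type, func in fields:
        name = field_name(label)
        if name in seen:  # assumption: colliding names are worth flagging
            problems.append(f"field name collision: {name}")
        seen.add(name)
        if func is None:
            continue
        if func not in FUNCTIONS:
            problems.append(f"{name}: unknown function {func}")
        elif func in assigned:
            problems.append(f"{func} assigned to both {assigned[func]} and {name}")
        else:
            assigned[func] = name
    if "ID" not in assigned:
        problems.append("no field has the ID function")
    if ("Latitude" in assigned) != ("Longitude" in assigned):
        problems.append("Latitude and Longitude must be assigned together")
    if "Location" in assigned and {"Latitude", "Longitude"} & assigned.keys():
        problems.append("Location is mutually exclusive with Latitude/Longitude")
    return problems

# Constructed definitions for illustration.
GOOD = [("Incident ID", "Text", "ID"), ("Reported At", "Timestamp", "Timestamp"),
        ("Lat", "Decimal", "Latitude"), ("Lon", "Decimal", "Longitude")]
BAD = [("Name", "Text", None), ("Created", "Timestamp", "Timestamp"),
       ("Closed", "Timestamp", "Timestamp"), ("Lat", "Decimal", "Latitude"),
       ("Where", "Text", "Location")]

if __name__ == "__main__":
    for problem in check_record_type(BAD):
        print(problem)
```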

To populate the field list from a data file:

  1. Click Populate from file, select a data file, and click Open.
    The field list is automatically populated with the fields deduced from the data file.
    Record Caching Service - Create a record type - Populate from file.
  2. Check the Type and Function of each field and fix any mistakes.
    CAUTION:
    The system can generate the field list quickly, but some data types might be recognized incorrectly. The Binary (file path) data type can be mistaken for a string, and a timestamp can be mistaken for an integer or a string. Pay attention to the functions; they are more error-prone when the fields are populated automatically.
  3. Go through the Display as column and enter more user-friendly display labels.
    By default, the display labels are copied from the field names.
  4. Review the list and add or delete fields as needed.
    CAUTION:
    If you change the number of fields or their sequence, you might not be able to import data from the file you used to create the field list.
  5. When you are finished, click Create.
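
The type review in step 2 can be supported by checking sample values from the data file against the type rules listed earlier. The following is an added example, not part of Security Center: review_column and the other names are hypothetical, the 1990 to 2100 window used to spot tick counts is an assumed heuristic, and the sample values are constructed.

```python
import json
import re
from datetime import datetime, timedelta

BOOL_TEXT = {"1", "0", "True", "False", "true", "false", "T", "F"}
# Constructed sample: tick counts for 2024-08-13 and 2024-08-14.
SAMPLE_TICKS = ["638591040000000000", "638591904000000000"]

def ticks_to_datetime(ticks):
    # One tick is 100 ns, counted from midnight, January 1, 0001.
    return datetime(1, 1, 1) + timedelta(microseconds=ticks // 10)

def is_int(text, bits):
    if not re.fullmatch(r"-?\d+", text):
        return False
    return -2 ** (bits - 1) <= int(text) < 2 ** (bits - 1)

def is_location(text):
    # Expected: {"Latitude": n.nnnn, "Longitude": n.nnnn}
    try:
        obj = json.loads(text)
    except ValueError:
        return False
    if not isinstance(obj, dict) or set(obj) != {"Latitude", "Longitude"}:
        return False
    return all(type(v) in (int, float) for v in obj.values())

CHECKS = {
    "Numeric (32-bit)": lambda v: is_int(v, 32),
    "Numeric (64-bit)": lambda v: is_int(v, 64),
    "Boolean": lambda v: v in BOOL_TEXT,
}

def looks_like_ticks(values, first_year=1990, last_year=2100):
    # Heuristic (assumption): every value converts to a date in this window.
    try:
        years = [ticks_to_datetime(int(v)).year for v in values]
    except (ValueError, OverflowError):
        return False
    return bool(years) and all(first_year <= y <= last_year for y in years)

def review_column(name, detected_type, values, function=None):
    """Return findings for one column of raw text values from the data file."""
    findings = []
    check = is_location if function == "Location" else CHECKS.get(detected_type)
    bad = [v for v in values if check and not check(v)]
    if bad:
        findings.append(f"{name}: {len(bad)} value(s) fail the check: {bad[:3]}")
    if detected_type.startswith("Numeric") and looks_like_ticks(values):
        findings.append(f"{name}: looks like DateTime ticks; consider Timestamp")
    return findings
```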

Results

The suggested presentation of the data is displayed.