Solutions and Applications
SOC Solutions Bundle
Configure Custom Case and Incident Management Data Mappings
Because TEDS (Turbine Extendable Data Schema) relies on the most common attributes for a given object type, such as alerts, there are vendor-specific fields that are not mapped in TEDS objects. To map these fields to Case and Incident Management (CIM) records, use the SOC Extract Raw Alert Fields to CIM playbook to extract values from the raw alert object included in the TEDS object and record, and write those values to fields you have created in the CIM application. There are two approaches to mapping custom fields.

Prerequisites

Before configuring custom field mappings:
- Have access to the SOC Extract Raw Alert Fields to CIM playbook
- Understand the structure of your raw alert data
- Have created custom fields in the CIM application for the fields you want to map
- Know the exact field key names in your CIM application (they must match exactly)

Option 1: Discrete Mappings (Native Transformations)

This approach uses an individual transformation block for each field you want to extract. Use this method when you have a small number of fields or need different transformation logic for each field.

Step 1: Create Custom Fields in the CIM Application
1. Navigate to Applications in the Swimlane platform.
2. Open the Case and Incident Management (CIM) application.
3. For each vendor-specific field you want to add:
   - Create a new field of the appropriate type (text, number, date, etc.).
   - Important: note the exact field key name; it must match exactly what you will use in the mapping.
   - Configure any field properties (required, default values, etc.).

Step 2: Edit the Extract Raw Alert Fields to CIM Playbook
1. Navigate to Orchestration → Playbooks.
2. Locate and open the SOC Extract Raw Alert Fields to CIM playbook.
3. Review the playbook structure to understand the workflow.

Step 3: Configure Field Extraction
For each vendor-specific field you wish to extract to CIM:

3.1 Create a Transformation Block
- Locate the Extract Fields action in the playbook.
- Click Edit on the Extract Fields action.
- Create a new transformation block: click "Add Transformation" or "New Block", then select the transformation type (typically "Get Value by Key" or similar).

3.2 Configure the Get Value by Key Transformation
In the transformation block, select the Get Value by Key transformation and configure it:
- Property: navigate to and select Evaluate Raw Alert → Raw Alert. This is the playbook data property that contains the raw alert object.
- Key: enter the exact key name from your raw alert JSON that contains the value you want to extract. Example: if your raw alert has {"vendor_id": "12345"}, the key would be vendor_id.
- Default Value (optional): set a default value to use if the key does not exist.

Navigation path: in the property selector, expand Playbook Properties → Evaluate Raw Alert → Result → Raw Alert, or search for "evaluate raw alert result raw alert".

3.3 Map to the CIM Record Field
- Locate the Write to CIM Record action in the playbook (typically after the Extract Fields action).
- Click Edit on the Write to CIM Record action.
- Navigate to the Update Fields section.
- Add the CIM field you created in Step 1 to the Update Fields mapping.
- Map the transformation value from Step 3.2 to this field.
- Ensure the field key name in CIM exactly matches what you are mapping.

Example configuration, extracting a vendor severity field:
- Transformation: Get Value by Key from Evaluate Raw Alert → Result → Raw Alert with key vendor_severity
- CIM field: map to a field named exactly vendor_severity in your CIM application

Step 4: Repeat for Each Field
Repeat steps 3.1 to 3.3 for each vendor-specific field you want to extract.

Option 2: Bulk Mappings (Advanced Transformations)

This approach uses a single advanced transformation block to extract multiple fields at once. Use this method when you have many fields or want to map all fields from the raw alert object.

Step 1: Create Fields in the CIM Application
1. Navigate to Applications → Case and Incident Management (CIM) application.
2. Create fields of the appropriate types for all the vendor-specific fields you want to map.

Critical: ensure the field key names in CIM exactly match the key names in your raw alert JSON.

Step 2: Create an Advanced Transformation Block
1. Navigate to Orchestration → Playbooks.
2. Open the SOC Extract Raw Alert Fields to CIM playbook.
3. Locate the Extract Fields action.
4. Click Edit on the Extract Fields action.
5. Create an advanced transformation block: click "Add Transformation" → "Advanced" or "JSONata". This allows you to write custom transformation expressions.

Step 3: Create the JSON Mapping Object
In the advanced transformation block, create a JSON object that maps each raw alert key to the corresponding CIM field. The format is:

```jsonata
{
  "field_key_name_1": actions.evaluate_raw_alert.result.raw_alert.'key_name_1',
  "field_key_name_2": actions.evaluate_raw_alert.result.raw_alert.'key_name_2',
  "field_key_name_3": actions.evaluate_raw_alert.result.raw_alert.'key_name_3'
}
```

Key points:
- The left side (field key) must exactly match the CIM application field key name.
- The right side references the raw alert data using actions.evaluate_raw_alert.result.raw_alert.'key_name'.
- Use single quotes around key names that contain special characters or spaces.
- For nested keys, use dot notation: actions.evaluate_raw_alert.result.raw_alert.'nested'.'key'.

Example advanced transformation:

```jsonata
{
  "vendor_alert_id": actions.evaluate_raw_alert.result.raw_alert.'alert_id',
  "vendor_severity": actions.evaluate_raw_alert.result.raw_alert.severity,
  "vendor_category": actions.evaluate_raw_alert.result.raw_alert.category,
  "custom_metadata": actions.evaluate_raw_alert.result.raw_alert.metadata
}
```

Step 4: Map to the CIM Record
1. Locate the Write to CIM Record action.
2. Click Edit on the Write to CIM Record action.
3. Navigate to Update Fields.
4. Map the transformation result object as a playbook property: select "Playbook Property", navigate to the output of your advanced transformation block, and map it to Update Fields.

Note: when using bulk mapping, the entire transformation object is mapped to Update Fields, and Turbine automatically matches field keys to CIM application fields.

Handling Different Data Types

- Text fields: extract directly with actions.evaluate_raw_alert.result.raw_alert.'field_name'; convert to a string if needed with $string(actions.evaluate_raw_alert.result.raw_alert.'field_name').
- Number fields: extract and ensure a numeric type with $number(actions.evaluate_raw_alert.result.raw_alert.'field_name').
- Date fields: extract with actions.evaluate_raw_alert.result.raw_alert.'date_field' and convert the format if necessary using date transformation functions.
- Array/list fields: extract the array directly with actions.evaluate_raw_alert.result.raw_alert.'array_field'; ensure the CIM field type supports arrays/lists.
- Nested objects: access nested properties with actions.evaluate_raw_alert.result.raw_alert.'parent'.'child' and extract specific nested values as needed.

Common Issues and Solutions

Issue: Field not appearing in the CIM record
Possible causes:
- Field key name does not match exactly between the transformation and the CIM application
- Field does not exist in the CIM application
- Transformation is not extracting the value correctly
Solutions:
- Verify field key names match exactly (case-sensitive)
- Check that the field exists in the CIM application
- Test the transformation to ensure it is extracting the correct value
- Check playbook execution logs for errors

Issue: Transformation returns null or undefined
Possible causes:
- Key does not exist in the raw alert JSON
- Key name is misspelled
- Nested path is incorrect
Solutions:
- Verify the key exists in your raw alert data
- Check for typos in key names
- Use the raw alert object structure to verify the correct path
- Add default values for missing keys: actions.evaluate_raw_alert.result.raw_alert.'key' ?? 'default'

Issue: Data type mismatch
Possible causes:
- CIM field expects a different data type than what is being extracted
- Transformation is returning the wrong type
Solutions:
- Verify the CIM field type matches the data being extracted
- Use type conversion functions in the transformation (e.g., $string(), $number())
- Check transformation output data types
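To catch all three classes of issue above with sample data rather than in production, the following added Python script (not Swimlane's code, and not a JSONata evaluator) imitates how the keys of a bulk mapping object are matched against CIM field keys: int and str stand in for $number() and $string(), a default stands in for ?? 'default', and the raw alert, CIM schema and mapping are all constructed.

```python
# Constructed sample, standing in for actions.evaluate_raw_alert.result.raw_alert
RAW_ALERT = {
    "severity": "7",  # the vendor sends severity as a string
    "metadata": {"host": "ws-42", "tags": ["edr", "quarantined"]},
}
# Constructed CIM schema: field key -> type of the field created in the CIM app
CIM_FIELDS = {
    "vendor_severity": int,
    "vendor_category": str,
    "vendor_host": str,
    "vendor_tags": str,  # created as a text field, but the vendor sends a list
    "vendor_score": int,
}
# Mapping spec: CIM field key -> (dotted raw-alert path, converter, default).
# int/str stand in for $number()/$string(); default stands in for ?? 'default'.
MAPPING = {
    "vendor_severity": ("severity", int, None),
    "vendor_category": ("category", None, "uncategorized"),
    "vendor_host": ("metadata.host", str, None),
    "vendor_tags": ("metadata.tags", None, None),
    "vendor_score": ("score", int, None),
    "Vendor_Host": ("metadata.host", None, None),  # case differs from the CIM key
}

def get_path(obj, path, default=None):
    """Walk a dotted path; return default when a segment is missing (a missing JSONata key)."""
    for seg in path.split("."):
        if not isinstance(obj, dict) or seg not in obj:
            return default
        obj = obj[seg]
    return obj

def dry_run(raw_alert, mapping, cim_fields):
    """Return (update_fields, problems); only clean fields reach update_fields."""
    update_fields, problems = {}, []
    for key, (path, convert, default) in mapping.items():
        if key not in cim_fields:  # exact, case-sensitive match, as CIM requires
            problems.append(f"{key}: no CIM field with exactly this key")
            continue
        value = get_path(raw_alert, path, default)
        if value is None:
            problems.append(f"{key}: raw alert has no key '{path}' and no default")
            continue
        value = convert(value) if convert else value
        if not isinstance(value, cim_fields[key]):
            problems.append(f"{key}: CIM expects {cim_fields[key].__name__}, got {type(value).__name__}")
            continue
        update_fields[key] = value
    return update_fields, problems
```

Running dry_run(RAW_ALERT, MAPPING, CIM_FIELDS) yields three clean fields and three problems: a list landing in a text field, a missing key with no default, and a key whose case does not match any CIM field.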
Best Practices

- Field naming: use consistent, descriptive field names that match your vendor's terminology.
- Error handling: add default values for optional fields to prevent null errors.
- Testing: test mappings with sample data before deploying to production.
- Documentation: document which vendor fields map to which CIM fields.
- Validation: verify field mappings after any vendor API changes.
- Performance: use bulk mappings (Option 2) for many fields to improve performance.

Verification

After configuration:
1. Test the playbook:
   - Run the playbook with a sample alert containing vendor-specific fields.
   - Verify that fields are extracted correctly.
   - Check that values appear in CIM records.
2. Validate field values:
   - Compare raw alert values with CIM record values.
   - Ensure data types are correct.
   - Verify special characters and formatting are preserved.
3. Check for errors:
   - Review playbook execution logs.
   - Check for any transformation errors.
   - Verify CIM record updates are successful.

Related Documentation

- Case and Incident Management Application: https://docs.swimlane.com/case-and-incident-management-application
- Case and Incident Management Data Mappings Walk-through