Strixl Labs

Field mapping

When auto-detection can't figure out which column holds the source IP, the mapping modal lets you tell the engine once and save the profile for every future upload from that vendor.

When you'll see it

After upload, if the engine can't map at least the required fields from your file's headers, you'll land on a mapping screen instead of the detections view. The file is already parsed; you just need to tell us which column is which.

Required fields

These have to be mapped for the engine to score anything:

  • src_ip: the source IP address, as text
  • dst_ip: the destination IP address, as text
  • timestamp: event time; ISO 8601 or a Unix epoch (seconds or milliseconds) are both fine

Strongly recommended fields

Scoring quality drops without these. Map them if your file has them:

  • dst_port: destination port, as an integer
  • bytes_out and bytes_in: byte counts for the source-to-destination and destination-to-source directions, respectively
  • duration: connection duration in seconds

Optional enrichment fields

If your vendor already produces these, map them and the engine will skip the work of recomputing them:

  • ja3, ja4, ja4h, ja4x: precomputed fingerprints; ja3 and ja4 for the TLS client hello, ja4h for the HTTP request, ja4x for the X.509 certificate
  • http_user_agent: HTTP User-Agent
  • sni: TLS Server Name Indication
  • dns_query: DNS query name

Saving a profile

After you finish the mapping, check Save profile and give it a name. Next time you upload a file from the same vendor, the mapping applies automatically and you skip the modal entirely.

Recon plans save one profile; Hunter saves three; Operator and Partner save unlimited. Profiles are scoped to the workspace, so teammates inherit your work.

Tips

  • If your file has both client_ip and server_ip, map client_ip to src_ip.
  • A single byte total that combines both directions can be mapped to either bytes_out or bytes_in, but the behavioral scoring leans on the asymmetry between the two directions, so separate directional counts are meaningfully better when available.
  • If you get a parse error after mapping, the timestamp format is usually the culprit. Open one row of your source file and confirm the value is ISO 8601 or a bare numeric epoch (seconds or milliseconds). Text dates like “April 17, 2026 10:42 AM” are not supported.
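The following is an added example, not part of Strixl's engine or of this page's original content. It applies a saved profile (a hypothetical vendor-header-to-field dictionary) to a CSV, checks that the required fields are covered, validates IPs as text, accepts the three supported timestamp forms, and rejects rows with unsupported text dates so you can see exactly which line would trip the parse error described in the tips above. The CSV, the vendor headers, and the profile are constructed for this example.

```python
"""Constructed example: apply a field-mapping profile to a vendor CSV and
validate the mapped fields as the mapping screen describes them.
Illustrative code written for this page, not Strixl's own engine."""
import csv
import io
import ipaddress
import math
from datetime import datetime, timezone

REQUIRED = ("src_ip", "dst_ip", "timestamp")
RECOMMENDED = ("dst_port", "bytes_out", "bytes_in", "duration")
OPTIONAL = ("ja3", "ja4", "ja4h", "ja4x", "http_user_agent", "sni", "dns_query")

# Hypothetical saved profile: vendor header -> canonical field name.
# client_ip is mapped to src_ip, per the tip above.
PROFILE = {
    "client_ip": "src_ip",
    "server_ip": "dst_ip",
    "ts": "timestamp",
    "server_port": "dst_port",
    "bytes_toserver": "bytes_out",
    "bytes_toclient": "bytes_in",
    "elapsed": "duration",
    "tls_sni": "sni",
}

# Constructed sample: three valid rows (ISO 8601, epoch seconds, epoch
# milliseconds) and one row with an unsupported text date.
SAMPLE_CSV = """client_ip,server_ip,ts,server_port,bytes_toserver,bytes_toclient,elapsed,tls_sni
10.0.0.5,203.0.113.7,2026-04-17T10:42:00Z,443,1200,48000,3.5,example.com
10.0.0.5,203.0.113.7,1776422520,443,900,210,0.2,example.com
10.0.0.5,203.0.113.7,1776422520000,443,900,210,0.2,example.com
10.0.0.9,203.0.113.7,"April 17, 2026 10:42 AM",443,50,50,0.1,example.com
"""


def parse_timestamp(value):
    """Accept ISO 8601 or a Unix epoch in seconds or milliseconds.
    Returns a timezone-aware UTC datetime; raises ValueError otherwise."""
    v = value.strip()
    try:
        num = float(v)
    except ValueError:
        num = None
    if num is not None:
        if not math.isfinite(num):
            raise ValueError(f"unsupported timestamp: {value!r}")
        # Epoch seconds stay below 1e11 until the year 5138, so anything
        # larger is treated as milliseconds.
        if num > 1e11:
            num /= 1000.0
        return datetime.fromtimestamp(num, tz=timezone.utc)
    if v.endswith("Z"):          # older fromisoformat() does not accept 'Z'
        v = v[:-1] + "+00:00"
    try:
        dt = datetime.fromisoformat(v)
    except ValueError:
        raise ValueError(
            f"unsupported timestamp format: {value!r} (use ISO 8601 or epoch)"
        ) from None
    if dt.tzinfo is None:        # assumption: naive ISO timestamps are UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def check_profile(headers, profile):
    """Return the required fields the profile leaves unmapped for these headers."""
    mapped = {profile[h] for h in headers if h in profile}
    return [f for f in REQUIRED if f not in mapped]


def apply_profile(csv_text, profile):
    """Rename columns via the profile and type-check each row.
    Returns (valid_rows, errors) where errors are (line_number, message)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = check_profile(reader.fieldnames or [], profile)
    if missing:
        raise ValueError(f"mapping incomplete, required fields unmapped: {missing}")
    rows, errors = [], []
    for lineno, raw in enumerate(reader, start=2):  # line 1 is the header
        rec = {profile[k]: v for k, v in raw.items() if k in profile}
        try:
            # IPs are kept as text, but only after they parse as real addresses.
            rec["src_ip"] = str(ipaddress.ip_address(rec["src_ip"].strip()))
            rec["dst_ip"] = str(ipaddress.ip_address(rec["dst_ip"].strip()))
            rec["timestamp"] = parse_timestamp(rec["timestamp"])
            for f in ("dst_port", "bytes_out", "bytes_in"):
                if f in rec:
                    rec[f] = int(rec[f])
            if "duration" in rec:
                rec["duration"] = float(rec["duration"])
        except ValueError as e:
            errors.append((lineno, str(e)))
            continue
        rows.append(rec)
    return rows, errors


if __name__ == "__main__":
    good, bad = apply_profile(SAMPLE_CSV, PROFILE)
    print(f"{len(good)} rows mapped, {len(bad)} rejected")
    for lineno, msg in bad:
        print(f"  line {lineno}: {msg}")
```

Running it maps the first three rows to the same instant (the epoch values were chosen to equal the ISO timestamp) and rejects only line 5, the text-date row, which is the failure the last tip describes. Rejecting a row outright, rather than guessing at a date, is the safer behaviour for data that feeds a detection engine.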