ESM: Create Event Source Groups

Document created by RSA Information Design and Development on Jul 27, 2016
Administrators need to be notified when Security Analytics stops collecting from an event source, and they need to control how long a source may be quiet before a notification is sent, with different thresholds for different kinds of sources.

RSA Security Analytics provides event source groups so that you can group event sources of similar importance together. You can create groups based on attributes that you imported from your CMDB, or by manually choosing event sources to add to the group.

For example, these are some of the types of event source groups that you can create:

  • PCI sources
  • Windows Domain Controllers
  • Quiet sources
  • Finance Servers
  • High Priority devices
  • All Windows sources

To create an Event Source group:

  1. In the Security Analytics menu, select Administration > Event Sources.
  2. In the Manage panel, click the Add icon (add_icon.png).
    The Create an Event Group dialog is displayed (figure: ES_Add.png).
  3. Enter a Group Name.
  4. Enter a Description.
  5. Click the Add icon (add_icon.png) to add a condition. Continue adding conditions as necessary. For details on constructing conditions, see Create / Edit Group Form.
  6. Click Save.

The new group is listed in the Manage panel.

Examples

This section describes a simple example, and then discusses how to set up a more complex set of rules.

Simple Example

If you want to create an event source group that contains all of your high priority event sources, this example describes the necessary steps.

  1. In the Security Analytics menu, select Administration > Event Sources.
  2. In the Manage > Groups panel, click the Add icon (add_icon.png).
  3. Enter High Priority Devices for the Group Name.
  4. Enter a description, such as "These devices are our highest priority and must be monitored closely."
  5. Leave All of these selected (every condition must match for a source to be in the group) and click the Add icon (add_icon.png) to add a condition.
  6. Select Add condition from the drop-down menu.
    1. Select an Attribute: Priority.
    2. Select an Operator: Less than.
    3. Enter a value: 2.

      The following graphic displays the updated Edit Event Group dialog (figure: ES_Add02.png).

  7. Click Save.

Complex Example

In this example, you want to create a fairly complex rule: match event sources that are in the United States and in the Sales, Finance, or Marketing department, and also match internal, high priority Sales event sources anywhere in the world. High priority is taken to mean a priority value of 0 or 1. Logically, the definition is as follows:

(Country=United States AND (Dept.=Sales OR Dept.=Finance OR Dept.=Marketing))
OR
(Priority < 2 AND Division != External AND Dept.=Sales)

The following graphic is an example of the criteria you would enter when creating such an Event Source Group (figure: ESM_complexGroup.png).
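To see exactly which sources the simple and complex rules above select, and why the All of these / Any of these nesting matters, here is an added example that is not RSA product code: a small evaluator for condition trees of the same shape, run over a constructed inventory of event sources. The attribute names (priority, country, dept, division), the operator names, the quiet-time threshold and the last-seen timestamps are all assumptions made for the example.

```python
"""Evaluate event source group rules of the kind built in the
Create an Event Group dialog.  Added example, not RSA product code;
attribute names, operators and the inventory are constructed."""
import operator
from dataclasses import dataclass

# Operators as they appear in the dialog (assumed names).
OPERATORS = {
    "equals": operator.eq,
    "not equals": operator.ne,
    "less than": operator.lt,
    "greater than": operator.gt,
}


@dataclass
class Condition:
    """One row in the dialog: Attribute / Operator / Value."""
    attribute: str
    op: str
    value: object

    def matches(self, source):
        actual = source.get(self.attribute)
        # A source with no such attribute (CMDB gap) matches nothing,
        # even for "not equals"; it is excluded rather than silently included.
        if actual is None:
            return False
        return OPERATORS[self.op](actual, self.value)


@dataclass
class Group:
    """'All of these' is AND, 'Any of these' is OR; groups may nest."""
    mode: str      # "all" or "any"
    members: list  # Condition or Group instances

    def matches(self, source):
        results = (m.matches(source) for m in self.members)
        return all(results) if self.mode == "all" else any(results)


# Constructed inventory; last_seen is seconds since the epoch, NOW is fixed
# so the quiet-source check is deterministic.
NOW = 1_700_000_000
EVENT_SOURCES = [
    {"name": "dc01", "priority": 1, "country": "United States",
     "dept": "IT", "division": "Internal", "last_seen": NOW - 120},
    {"name": "crm-web", "priority": 3, "country": "United States",
     "dept": "Sales", "division": "Internal", "last_seen": NOW - 7200},
    {"name": "ledger", "priority": 2, "country": "Germany",
     "dept": "Finance", "division": "Internal", "last_seen": NOW - 60},
    {"name": "sales-uk", "priority": 0, "country": "United Kingdom",
     "dept": "Sales", "division": "Internal", "last_seen": NOW - 90000},
    {"name": "partner-gw", "priority": 0, "country": "Japan",
     "dept": "Sales", "division": "External", "last_seen": NOW - 30},
    {"name": "mktg-cdn", "priority": 4, "country": "United States",
     "dept": "Marketing", "division": "External", "last_seen": NOW - 600},
]

# Simple example: All of these -> Priority less than 2.
HIGH_PRIORITY = Group("all", [Condition("priority", "less than", 2)])

# Complex example:
# (Country=United States AND (Dept=Sales OR Dept=Finance OR Dept=Marketing))
# OR (Priority < 2 AND Division != External AND Dept=Sales)
COMPLEX = Group("any", [
    Group("all", [
        Condition("country", "equals", "United States"),
        Group("any", [Condition("dept", "equals", d)
                      for d in ("Sales", "Finance", "Marketing")]),
    ]),
    Group("all", [
        Condition("priority", "less than", 2),
        Condition("division", "not equals", "External"),
        Condition("dept", "equals", "Sales"),
    ]),
])


def members(group, sources=EVENT_SOURCES):
    """Names of the sources that fall into the group, sorted."""
    return sorted(s["name"] for s in sources if group.matches(s))


def quiet_sources(group, max_quiet_s, sources=EVENT_SOURCES, now=NOW):
    """Group members that have been silent longer than the group's
    threshold, i.e. the ones a notification would be raised for."""
    return sorted(s["name"] for s in sources
                  if group.matches(s) and now - s["last_seen"] > max_quiet_s)


if __name__ == "__main__":
    print("High Priority Devices:", members(HIGH_PRIORITY))
    print("Complex group:", members(COMPLEX))
    print("Quiet > 1h in complex group:", quiet_sources(COMPLEX, 3600))
```

Note the handling of a missing attribute: a source that has no Division value does not satisfy Division != External here, so incomplete CMDB data keeps a source out of a group rather than letting it in by accident. Check how the product treats empty attributes before relying on a negative condition, and prefer a positive condition (Division = Internal) when the data supports it.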

