ESM: Manage Event Source Groups

Document created by RSA Information Design and Development on Jul 27, 2016
Version 1Show Document
  • View in full screen mode

The Manage tab in the Event Source module provides an easy way to manage event sources. In this tab, you can:

  • Set up event source groups in a consistent way.
  • Work with event source attributes in a consistent, straightforward manner.
  • Easily search through your entire set of event sources.
  • Bulk edit and update your event sources and event source groups.

You can view the details about your event source groups by doing the following:

  1. In the Security Analytics menu, select Administration > Event Sources.
  2. Select the Manage panel to see the details for your existing event source groups.

Note: When the system receives logs from an event source that does not currently exist in the Event Source List, Security Analytics automatically adds the event source to the list. Additionally, if it matches the criteria for any existing groups, it becomes part of that group.


When dealing with event source groups in Security Analytics, keep in mind the following:

  • An event source is essentially the combination of values for all of its attributes.
  • An event source group is the set of event sources that match a set of criteria that are defined for that group.

For example, you might have the following groups:

  • A group named Windows Devices, consisting of all the event source types associated with Microsoft Windows event sources (winevent_nic, winevent_er, and winevent_snare).
  • A group named Low Priority Services, consisting of all services where the Priority attribute has been set lower than 5.
  • A group named U.S. Sales Servers, where you gather event sources located in the U.S.A. and having an Organization attribute of Sales, Finance, or Marketing.

Default Groups

RSA Security Analytics is delivered with several default groups. You can customize these as you like, as well as using them as templates for creating new groups.

The following default groups are delivered with Security Analytics:

  • All Unix Event Sources
  • All Windows Event Sources
  • Critical Windows Event Sources
  • PCI Event Sources
  • Quiet Event Sources

You can edit any of these groups to investigate the rules that define the groups.

Note: You cannot edit or delete the All event source group.

Next steps 

You are here: Procedures > ESM: Manage Event Source Groups