ESM: Create Event Source Groups

Document created by RSA Information Design and Development on Jun 9, 2017. Last modified by RSA Information Design and Development on Jun 26, 2017.
Version 2

Administrators must be notified when Security Analytics stops collecting from an event source. They also need to configure, based on different factors, how long an event source can be quiet (that is, how long no log messages are collected from it) before a notification is sent.

RSA Security Analytics provides event source groups so that you can group similarly important devices together. You can create groups based on attributes that you imported from your CMDB (configuration management database), or by manually choosing event sources to add to the group.

For example, these are some of the types of event source groups that you can create:

  • PCI sources
  • Windows Domain Controllers
  • Quiet sources
  • Finance Servers
  • High Priority devices
  • All Windows sources

Procedure

To create an Event Source group:

  1. In the Security Analytics menu, select Administration > Event Sources.
  2. In the Manage panel, click add_icon.png.

    The Create an Event Group dialog is displayed.

    ES_Add.png

  3. Enter a Group Name.
  4. Enter a Description.
  5. Click add_icon.png to add a condition. Continue adding conditions as necessary. For details on constructing conditions, see Create/Edit Group Form.
  6. Click Save.

    The new group is listed in the Manage panel.

Examples

This section describes a simple example, and then discusses how to set up a more complex set of rules.

Simple Example

This example describes the steps to create an event source group that contains all of your high priority event sources.

  1. In the Security Analytics menu, select Administration > Event Sources.
  2. In the Manage > Groups panel, click add_icon.png.
  3. Enter High Priority Devices for the Group Name.
  4. Enter a description, such as "These devices are our highest priority ones, and must be monitored closely."
  5. Leave All of these selected and click add_icon.png to add a condition.
  6. Select Add condition from the drop-down menu.

    1. Select an Attribute: Priority.
    2. Select an Operator: Less than.
    3. Enter a value: 2.

      The following figure displays the updated Edit Event Group dialog.

      ES_Add02.png

  7. Click Save.

Complex Example

In this example, you want to create a fairly complex rule: match event sources that are in the United States and in the Sales, Finance, or Marketing department. Also match, worldwide, internal high priority Sales event sources. High priority is assumed to mean a priority of 1 or 0. Logically, the definition is as follows:

(Country=United States AND (Dept.=Sales OR Dept.=Finance OR Dept.=Marketing))
OR
(Priority < 2 AND Division != External AND Dept.=Sales)

The following figure is an example of the criteria for creating such an Event Source Group.

ESM_complexGroup.png
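As an added example (not the product's own code or its internal form model), the Simple and Complex Example rules above expressed as nested "All of these"/"Any of these" condition blocks in Python and evaluated against constructed event sources. The operator names, the nested-block representation, and the rule that a source with no value for an attribute fails that condition are assumptions, not documented product behaviour.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List, Union

# Operators of the Create/Edit Group form (assumed subset; the page uses "Less than", = and !=).
OPERATORS = {"Equals": lambda a, b: a == b, "Not equals": lambda a, b: a != b,
             "Less than": lambda a, b: a < b}

@dataclass
class Condition:
    """One Attribute / Operator / Value row added with 'Add condition'."""
    attribute: str
    operator: str
    value: Any
    def matches(self, source: Dict[str, Any]) -> bool:
        # Assumption: a source with no value for the attribute fails the condition instead
        # of raising, so a blank CMDB field silently keeps that source out of the group.
        if self.attribute not in source:
            return False
        return OPERATORS[self.operator](source[self.attribute], self.value)

@dataclass
class Group:
    """A nested block: 'All of these' is AND, 'Any of these' is OR."""
    mode: str
    items: List[Union[Condition, "Group"]] = field(default_factory=list)
    def matches(self, source: Dict[str, Any]) -> bool:
        results = [item.matches(source) for item in self.items]
        return all(results) if self.mode == "All of these" else any(results)

# Simple Example from the page: Priority less than 2.
SIMPLE_RULE = Group("All of these", [Condition("Priority", "Less than", 2)])
# Complex Example from the page, as the nested All/Any blocks the form would hold.
COMPLEX_RULE = Group("Any of these", [
    Group("All of these", [
        Condition("Country", "Equals", "United States"),
        Group("Any of these", [Condition("Dept.", "Equals", d) for d in ("Sales", "Finance", "Marketing")])]),
    Group("All of these", [
        Condition("Priority", "Less than", 2),
        Condition("Division", "Not equals", "External"),
        Condition("Dept.", "Equals", "Sales")])])
def group_members(rule: Group, sources: List[Dict[str, Any]]) -> List[str]:
    """Return the names of the event sources the rule places in the group."""
    return [s["Name"] for s in sources if rule.matches(s)]
# Constructed sample event sources (not from the page); the last one has no Priority set.
SAMPLE_SOURCES = [
    {"Name": "us-fin-01", "Country": "United States", "Dept.": "Finance", "Priority": 3, "Division": "Internal"},
    {"Name": "de-sales-01", "Country": "Germany", "Dept.": "Sales", "Priority": 1, "Division": "Internal"},
    {"Name": "de-sales-ext", "Country": "Germany", "Dept.": "Sales", "Priority": 0, "Division": "External"},
    {"Name": "us-hr-nopri", "Country": "United States", "Dept.": "HR", "Division": "Internal"},
]
```

Running the rules over the samples shows that the no-Priority source lands in neither group, which is worth checking against your CMDB import before relying on a priority-based group for quiet-source notifications.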
