When dealing with event source groups in Security Analytics, note the following:
- An event source is essentially the combination of values for all of its attributes.
- An event source group is the set of event sources that match a set of criteria that are defined for that group.
For example, you might have the following groups:
- A group named Windows Devices, consisting of all the event source types associated with Microsoft Windows event sources (winevent_nic, winevent_er, and winevent_snare).
- A group named Low Priority Services, consisting of all services where the Priority attribute has been set lower than 5.
- A group named U.S. Sales Servers, where you gather event sources located in the U.S.A. and having an Organization attribute of Sales, Finance, or Marketing.
Manage Tab Details
The Manage tab in the Event Source module provides an easy way to manage event sources. In this tab, you can:
- Set up event source groups in a consistent way.
- Work with event source attributes in a consistent, straightforward manner.
- Easily search through your entire set of event sources.
- Bulk edit and update your event sources and event source groups.
You can view the details about your event source groups by doing the following:
- In the Security Analytics menu, select Administration > Event Sources.
- Select the Manage panel to see the details for your existing event source groups.
RSA Security Analytics has several default groups. You can customize these as required and use them as templates for creating new groups.
The default groups are as follows:
- All Event Sources
- All Unix Event Sources
- All Windows Event Sources
- Critical Windows Event Sources
- PCI Event Sources
- Quiet Event Sources
You can edit any of these groups to investigate the rules that define the groups.