
ESM: Managing Event Sources

Document created by RSA Information Design and Development Employee on Sep 6, 2017. Last modified by RSA Information Design and Development Employee on Sep 8, 2020.

The Event Sources module in NetWitness Platform provides an easy way to manage event sources and configure alerting policies for your event sources.


This workflow shows the overall process for managing event sources and configuring monitoring for them. It also shows where configuring alarm and alert settings fits in the process.


There are two permissions that affect Event Source Management:

  • View Event Sources is needed for users to view event sources, their attributes, and their thresholds and policies.
  • Modify Event Sources allows users to add, edit, and otherwise update event sources.

For details, see the following topics:

  • The Roles Tab topic available in the System Security and User Management guide > References > Administration Security View > Roles Tab
  • The Role Permissions topic describes the built-in NetWitness Platform system roles, which control access to the user interface. Available in the System Security and User Management guide > How Role-Based Access Control Works.
  • The Manage Users with Roles and Permissions topic describes how to manage users in NetWitness Platform, using roles and permissions. Available in the System Security and User Management guide > Manage Users with Roles and Permissions.

Automatic Mapping

Automatic mapping was introduced in RSA NetWitness Platform version 11.1. The system maps incoming events to a type based on previous logs received from that address, which reduces mis-parsing of messages and reduces the number of items that need attention in the Discovery workflow. The User Interface (UI) indicates that an address has been auto-mapped in the Discovery workflow.

Navigate to Event Source Management

You can view the details about your existing event source groups by doing the following:

  1. Go to Admin > Event Sources.

    The view of existing event source groups is displayed.

  2. Click any of the following:

    • The Discovery tab. Use this tab to review the event source types that NetWitness has discovered for each address and the system's confidence that each type was identified accurately.
    • The Manage tab. Use this tab to add, edit, and delete event source groups and view details for your existing event source groups.
    • The Monitoring Policies tab. Use this tab to view or edit your event source alerting configuration.
    • The Alarms tab. Use this tab to see the details of the alarms that have been generated. Alarms are generated when event sources exceed or fall below their set thresholds.
    • The Settings tab. Use this tab to view or change the behavior for automatic alerts.

Note: When the system receives logs from an event source that does not currently exist in the Event Source List, NetWitness Platform adds the event source to the list. Additionally, if it matches the criteria for any existing group, it becomes part of that group.
