ESM: Discovery Tab

Document created by RSA Information Design and Development on Sep 6, 2017. Last modified by RSA Information Design and Development on Mar 27, 2018.
Version 11

To access the Discovery tab, go to NetWitness ADMIN > Event Sources. The Discovery tab is displayed.

The Discovery tab lets you review the event source types that NetWitness has discovered for each address, together with the system's confidence that each type was identified correctly. If the discovered event source types are correct, you can acknowledge the event source to filter it out of the list. If they are incorrect, you can set the allowed event source types for a particular address so that future logs from it are parsed against the correct parsers.

Note: The following features apply to RSA NetWitness® Suite version 11.1 and later:
- Acknowledging multiple event sources
- Filtering by event source type
- Mapping filter options include None, Auto, and Manual.
- Mapping multiple event sources
- Searching for event sources on the Event Source Discovery page

Introduced in RSA NetWitness Suite version 11.1, the system automatically maps incoming events to a type based on previous logs received from that address, reducing the mis-parsing of messages and reducing the number of items that need attention in the Discovery workflow. A value of Auto in the Mapping Type column indicates that an address has been auto-mapped.

Workflow

This workflow shows the overall process for configuring event sources.

What do you want to do?

Role | I want to... | Documentation
Administrator | Acknowledge and map event sources.* | Acknowledging and Mapping Event Sources
Administrator | Add and configure parser mappings for a Log Decoder.* | Manage Parser Mappings
Administrator | View event source alarms. | Viewing Event Source Alarms
Administrator | View log parser rules. | Default Log Parser and Log Parser Rules
Administrator | Troubleshoot event source management. | ESM Troubleshooting & Appendix

*You can perform this task here.

Related Topics

Manage Parser Mappings

Details View

Quick Look

The following example displays a list of addresses and, for each address, the Event Source types that have been discovered for it.

This is an example of the tab.

1. Displays the Filters and Event Sources panels with the Discovery tab open.
2. Displays the Event Source Filter field with a drop-down menu that offers the following options:
  • Enter the full or partial address (IP, IPv6 or Hostname) of the source(s) you want to review. You can also enter multiple entries separated by commas.
    For example, 10.10.10.10,10.10.10.11,host1.company.com
  • Exact: Returns sources that completely match the search term.
    For example, 10.10.10.10 only returns 10.10.10.10, not 10.10.10.101.
  • Starts With: Returns sources that start with the search term.
    For example, 10.10.10. returns the whole 10.10.10.x subnet.
  • Contains: Returns sources that contain the search term anywhere in the address.
    For example, exch returns addresses such as us-exch-1.company.com, and lab21 returns all hostx.lab21.company.com addresses.
  • Ends With: Returns sources that end with the search term.
    For example, lab21.company.com returns all hosts whose address ends in lab21.company.com.

Note: When specifying the search string, you can use . - : (period, dash, colon).

3. The Event Source Type drop-down menu filters for addresses containing all of the selected event source types.
4. Show Acknowledged checkbox and Mapping filter options:
  • Select the Show Acknowledged checkbox to display acknowledged Event Sources.
  • Mapping filter options can include just one of the mapping types listed in the Filter Panel, or multiple Mapping Types can be selected.

Note: If no mapping filter options are selected, the default is to display All, None, Manual, and Auto mapping types.

5. Apply and Clear buttons:
  • The Apply button applies all criteria that are set in all filters.
  • The Clear button clears all filters from the panel.
6. Toggles the event sources between acknowledged and not acknowledged states.
7. Maps the selected event sources.
8. View Details button to view details of the selected Event Source.
9. Displays the addresses of the selected Event Sources.
10. Displays the discovery scores of the selected Event Sources.
11. Displays whether or not the selected Event Sources have been acknowledged.
12. Displays the selected Event Source Mapping type as Auto, Manual, or None. Any changes to the mapping are only displayed here.
13. Displays the host names of the Log Collectors where the Event Sources are located.
14. Displays the host names of the Log Decoders where the Event Sources are located.
15. Displays the discovered Event Source Types and their associated discovery scores.
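The following Python is an added example, not RSA NetWitness code or documentation: it models the filter panel and score sorting described above (the four address filter modes with comma-separated terms, the Event Source Type filter that requires all selected types, Show Acknowledged, and the Mapping filter) over a constructed list of rows. The sample addresses, types and scores are made up, and treating the highest per-type score as the address's overall score is an assumption of this example.

```python
# Added example, not RSA NetWitness code: models the Discovery tab's filter and
# sort semantics as documented above, over a constructed list of event source rows.
from dataclasses import dataclass, field

@dataclass
class EventSource:
    address: str               # IP, IPv6 or hostname
    acknowledged: bool         # Acknowledged column (Yes/No)
    mapping: str               # Mapping Type column: "Auto", "Manual" or "None"
    types: dict = field(default_factory=dict)  # event source type -> discovery score, 0-100

# Constructed sample rows; addresses, types and scores are made up for illustration.
SOURCES = [
    EventSource("10.10.10.10", False, "Auto", {"ciscoasa": 92}),
    EventSource("10.10.10.101", True, "Manual", {"ciscoasa": 40, "winevent": 35}),
    EventSource("us-exch-1.company.com", False, "None", {"msexchange": 88}),
    EventSource("host3.lab21.company.com", False, "Auto", {"rhlinux": 97, "apache": 60}),
]

# The four Event Source Filter modes from the drop-down menu.
MATCHERS = {
    "Exact": lambda addr, term: addr == term,
    "Starts With": lambda addr, term: addr.startswith(term),
    "Contains": lambda addr, term: term in addr,
    "Ends With": lambda addr, term: addr.endswith(term),
}

def address_matches(addr, search, mode):
    """Comma-separated search terms are ORed; an empty search matches every address."""
    terms = [t.strip() for t in search.split(",") if t.strip()]
    return not terms or any(MATCHERS[mode](addr, t) for t in terms)

def discovery_filter(sources, search="", mode="Contains", types=(),
                     show_acknowledged=False, mapping=()):
    """Apply the filter panel: address filter; Event Source Type filter (an address
    must contain ALL selected types); Show Acknowledged; Mapping filter (empty = all)."""
    return [s.address for s in sources
            if address_matches(s.address, search, mode)
            and all(t in s.types for t in types)
            and (show_acknowledged or not s.acknowledged)
            and (not mapping or s.mapping in mapping)]

def sort_by_score(sources, descending=True):
    """Sort Descending / Sort Ascending on the overall discovery score. Assumption
    for this example only: the overall score is the highest per-type score."""
    return [s.address for s in
            sorted(sources, key=lambda s: max(s.types.values()), reverse=descending)]
```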

Toolbar and Features

The Discovery tab contains the following features:

Field | Description
Tools | The following items are available on the toolbar: Toggle Acknowledge (toggles the acknowledged state for the selected Event Source between Yes and No); Map (opens the Manage Parser Mappings dialog box, where you can map an event source to the correct log parser); View Details (provides details on the selected Event Source).
Event Source | The IP, IPv6, or Hostname of the Event Source.
Discovery Score | Displays the overall discovery score associated with that particular address. Higher scores indicate better confidence. Discovery scores range from 0 (least confident) to 100 (most confident).
Acknowledged | Selections are either Yes (you have acknowledged the Event Source) or No (you have not acknowledged the Event Source).
Mapping Type | Selections are Manual (you mapped the Event Source), Auto (the system automatically mapped the Event Source), or None (you have not mapped the Event Source). Note: This feature applies to RSA NetWitness version 11.1 and later.
Log Collector(s) | Log Collectors that have received logs from this Event Source address.
Log Decoder(s) | Log Decoders that have received logs from this Event Source address.
Event Source Type(s) | The parsed type(s) of the Event Source address and the corresponding Discovery Score for each type.

Note: Discovery Scores are only available for 11.0 and above Log Decoders. Discovery Scores for pre-11.0 Log Decoders display as Unavailable.

The following table describes the sorting order for discovery scores. To access the Sorting Order drop-down menu, click on the down arrow in the Event Sources column.

Field | Description
Sort Ascending | Sort the column by discovery score in ascending order.
Sort Descending | Sort the column by discovery score in descending order.
Columns | Used to hide or show one or more columns.
