ESM: Manage Event Source Groups

Document created by RSA Information Design and Development on Sep 6, 2017. Last modified by RSA Information Design and Development on Oct 4, 2017.
Version 8
Definitions

When dealing with event source groups in NetWitness Suite, note the following:

  • An event source is essentially the combination of values for all of its attributes.
  • An event source group is the set of event sources that match a set of criteria that are defined for that group.

For example, you might have the following groups:

  • A group named Windows Devices, consisting of all the event source types associated with Microsoft Windows event sources (winevent_nic, winevent_er, and winevent_snare).
  • A group named Low Priority Services, consisting of all services where the Priority attribute has been set lower than 5.
  • A group named U.S. Sales Servers, where you gather event sources located in the U.S.A. and having an Organization attribute of Sales, Finance, or Marketing.

Manage Tab Details

The Manage tab in the Event Source module provides an easy way to manage event sources. In this tab, you can:

  • Set up event source groups in a consistent way.
  • Work with event source attributes in a consistent, straightforward manner.
  • Easily search through your entire set of event sources.
  • Bulk edit and update your event sources and event source groups.

You can view the details about your event source groups by doing the following:

  1. Go to ADMIN > Event Sources.
  2. Select the Manage panel to see the details for your existing event source groups.

Note: When the system receives logs from an event source that does not currently exist in the Event Source List, NetWitness Suite automatically adds the event source to the list. Additionally, if it matches the criteria for any existing groups, it becomes a member of each of those groups.
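To make the definitions above concrete (an event source is the set of values of its attributes; a group is every event source whose attributes satisfy the group's criteria), here is a small added model of that matching logic, written for this page and not taken from NetWitness Suite. It builds the three example groups from the Definitions section plus an unrestricted "All Event Sources" group, and its ingest step mirrors the note above: a newly seen event source is added to the list and joins every group it matches. The attribute names (type, priority, country, organization), the rule operators, the AND-of-all-rules semantics and the sample event sources are assumptions chosen for illustration; the product's real rule syntax is not described on this page.

```python
"""Added example (not RSA's code): a model of event source group matching.

Attribute names, operators, AND semantics and sample data are constructed
assumptions; NetWitness Suite's own rule syntax is not documented here.
"""
from dataclasses import dataclass
from typing import Any, Dict, List

# An event source is simply the combination of values for all of its attributes.
EventSource = Dict[str, Any]


@dataclass
class Rule:
    """One criterion: compare a single attribute against a value."""
    attribute: str
    op: str      # assumed operators: "eq", "in", "lt"
    value: Any

    def matches(self, es: EventSource) -> bool:
        actual = es.get(self.attribute)
        if actual is None:          # missing attribute never satisfies a rule
            return False
        if self.op == "eq":
            return actual == self.value
        if self.op == "in":
            return actual in self.value
        if self.op == "lt":
            return actual < self.value
        raise ValueError(f"unknown operator {self.op!r}")


@dataclass
class Group:
    """A group is defined by its rules; all rules must hold (assumed AND)."""
    name: str
    rules: List[Rule]

    def matches(self, es: EventSource) -> bool:
        # all() over an empty rule list is True, so a rule-less group
        # behaves like the default "All Event Sources" group.
        return all(r.matches(es) for r in self.rules)


# The example groups from the Definitions section, plus the unrestricted default.
GROUPS = [
    Group("All Event Sources", []),
    Group("Windows Devices",
          [Rule("type", "in", {"winevent_nic", "winevent_er", "winevent_snare"})]),
    Group("Low Priority Services", [Rule("priority", "lt", 5)]),
    Group("U.S. Sales Servers",
          [Rule("country", "eq", "U.S.A."),
           Rule("organization", "in", {"Sales", "Finance", "Marketing"})]),
]


class EventSourceList:
    """Holds known event sources and resolves their group membership."""

    def __init__(self, groups: List[Group]):
        self.groups = groups
        self.sources: Dict[str, EventSource] = {}   # keyed by event source name

    def groups_for(self, es: EventSource) -> List[str]:
        return [g.name for g in self.groups if g.matches(es)]

    def ingest(self, es: EventSource) -> List[str]:
        """A log from an unknown event source adds it to the list; it then
        belongs to every group whose criteria it satisfies."""
        self.sources.setdefault(es["name"], es)
        return self.groups_for(es)


# Constructed sample event sources (not real hosts).
SAMPLE_SOURCES: List[EventSource] = [
    {"name": "dc01", "type": "winevent_nic", "priority": 9,
     "country": "U.S.A.", "organization": "IT"},
    {"name": "sales-web", "type": "apache", "priority": 3,
     "country": "U.S.A.", "organization": "Sales"},
    {"name": "fin-db", "type": "winevent_snare", "priority": 2,
     "country": "U.S.A.", "organization": "Finance"},
    {"name": "uk-mail", "type": "exchange", "priority": 7,
     "country": "U.K.", "organization": "Marketing"},
]


def membership(sources=SAMPLE_SOURCES, groups=GROUPS) -> Dict[str, List[str]]:
    """Ingest each sample source and return {name: [group names]}."""
    esl = EventSourceList(groups)
    return {es["name"]: esl.ingest(es) for es in sources}


if __name__ == "__main__":
    for name, names in membership().items():
        print(f"{name}: {', '.join(names)}")
```

Because membership is recomputed from attributes on every ingest, changing an event source's Priority or Organization attribute (as the Manage tab's bulk edit allows) immediately changes which groups it falls into; nothing has to be re-added by hand.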

Default Groups

RSA NetWitness Suite has several default groups. You can customize these as required and use them as templates for creating new groups.

The default groups are as follows:

  • All Event Sources
  • All Unix Event Sources
  • All Windows Event Sources
  • Critical Windows Event Sources
  • PCI Event Sources
  • Quiet Event Sources

You can open any of these groups for editing to inspect the rules that define it.

Note: You cannot edit or delete the All Event Sources group.
