ESM: Acknowledging and Mapping Event Sources

Document created by RSA Information Design and Development on Sep 8, 2017Last modified by RSA Information Design and Development on Sep 12, 2018
Version 11Show Document
  • View in full screen mode
  

In RSA NetWitness® Platform version 11.1, RSA introduced Automatic Mapping. The system automatically maps incoming events to a type based on previous logs received from that address, reducing the number of items that need attention in the Discovery workflow. The UI indicates that an address has been auto-mapped in the Discovery workflow.

Acknowledge Event Source Types

The Discovery tab lets you review the event source types that NetWitness has discovered for each address and the system’s confidence of how likely it is that they were identified accurately. If the discovered event source types are correct, you can acknowledge to filter out that event source from the view by default. If incorrect, you can set the allowed event source types for a particular address so that future logs will parse against the correct parsers.

To acknowledge event sources:

  1. Go to ADMIN > Event Sources.

    The Discovery tab is displayed.

  2. Select one or more event sources.
  3. Click Toggle Acknowledge.

Note the following:

  • Once Event Sources are Acknowledged, they are no longer displayed in the Event Source Type(s) column.
  • The Toggle Acknowledge button behaves as follows:

    • If the Acknowledged state for all of the selected event sources is the same, all values are toggled. That is, if you select only event sources with Yes in Acknowledged column, the value changes to No for all of them. Similarly if they all have No in the Acknowledged column, the value changes to Yes for all selected event sources.
    • If you select a multiple event sources, and the value for some is Yes and for other it is No, when you click Toggle Acknowledge, all of the values are set to Yes for the selected event sources.

Note: Acknowledged Event Sources are not displayed by default.

Manually Map Event Source Types

When discovered event source types are not completely accurate, you can manually map the parsers to obtain additional information.

To map one or more event sources:

  1. Go to ADMIN > Event Sources.

    The Discovery tab is displayed.

  2. Select one or more event sources.
  3. Click Map button.

    The Manage Parser Mappings dialog box is displayed.

  4. Add or remove parser mappings, and change the priority order, based on the needs of your organization. For more details, see Manage Parser Mappings .

Note: Discovery scores for the mapped Event Sources are listed in the Event Source Type(s) column from the lowest to highest discovery scores. Discovery scores range from 0 (least confident) to 100 (most confident).

Viewing Logs from Pre-11.0 Log Decoder

RSA NetWitness® Platform 11.0 added the capability to view a small sampling of recent logs for specific devices through detail tabs of the Discovery View. By default, Log Decoders prior to 11.0 do not have the necessary configuration to enable this feature, but a few minor changes can make it available. For more details, see Viewing Logs from Pre-11.0 Log Decoder.

You are here
Table of Contents > Manage Event Source Groups > Acknowledging and Mapping Event Sources

Attachments

    Outcomes