ESM: Acknowledging and Mapping Event Sources

Document created by RSA Information Design and Development on Sep 8, 2017
Last modified by RSA Information Design and Development on Oct 4, 2017
Version 7

Acknowledge Event Source Types

The Discovery tab lets you review the event source types that NetWitness has discovered for each address, along with the system's confidence that each type was identified accurately. If the discovered event source types are correct, you can acknowledge them, which filters those event sources out of the view by default. If they are incorrect, you can set the allowed event source types for a particular address so that future logs are parsed with the correct parsers.

To acknowledge that the discovered event source types are correct, do the following:

  • Select the Event Sources that you want to Acknowledge and click the Acknowledge button in the toolbar. Once the Event Sources are Acknowledged, they are no longer displayed in the Event Source Type(s) column.

Note: Acknowledged Event Sources are not displayed by default.

Map Event Source Types

When discovered event source types are not completely accurate, you can map the parsers to obtain additional information by doing the following:

  • Select the Event Sources that you want to Map and click the Map button in the toolbar.

Note: Discovery scores for the mapped Event Sources are listed in the Event Source Type(s) column from the lowest to highest discovery scores. Discovery scores range from 0 (least confident) to 100 (most confident).
