Skip navigation
All Places > Products > RSA NetWitness Platform > RSA NetWitness Platform Online Documentation > Documents
Log in to create and rate content, and to follow, bookmark, and share content with other members.

ESM: Acknowledging and Mapping Event Sources

Document created by RSA Information Design and Development Employee on Sep 8, 2017Last modified by RSA Information Design and Development Employee on Apr 23, 2020
Version 17Show Document
  • View in full screen mode
 

In RSA NetWitness Platform version 11.1, RSA introduced Automatic Mapping. The system automatically maps incoming events to a type based on previous logs received from that address, reducing the number of items that need attention in the Discovery workflow. The UI indicates that an address has been auto-mapped in the Discovery workflow.

Acknowledge Event Source Types

The Discovery tab lets you review the event source types that NetWitness has discovered for each address and the system’s confidence of how likely it is that they were identified accurately. If the discovered event source types are correct, you can acknowledge to filter out that event source from the view by default. If incorrect, you can set the allowed event source types for a particular address so that future logs will parse against the correct parsers.

To acknowledge event sources:

  1. Go to ADMIN > Event Sources.

    The Discovery tab is displayed.

  2. Select one or more event sources.
  3. Click Toggle Acknowledge.

Note the following:

  • After Event Sources are Acknowledged, they are no longer displayed in the Event Source Type(s) column.
  • The Toggle Acknowledge button behaves as follows:

    • If the Acknowledged state for all of the selected event sources is the same, all values are toggled. That is, if you select only event sources with Yes in Acknowledged column, the value changes to No for all of them. Similarly if they all have No in the Acknowledged column, the value changes to Yes for all selected event sources.
    • If you select a multiple event sources, and the value for some is Yes and for other it is No, when you click Toggle Acknowledge, all of the values are set to Yes for the selected event sources.

Note: Acknowledged Event Sources are not displayed by default.

Manually Map Event Source Types

When discovered event source types are not completely accurate, you can manually map the parsers to obtain additional information.

To map one or more event sources:

  1. Go to ADMIN > Event Sources.

    The Discovery tab is displayed.

  2. Select one or more event sources.
  3. Click Map button.

    The Manage Parser Mappings dialog box is displayed.

    Note: For event sources that were created manually, the Manage Parser Mappings window has an empty Display Name in the Log Parsers column. To view the missing display names, close the Manage Parser Mappings dialog box, and then reopen it.

  4. Add or remove parser mappings, and change the priority order, based on the needs of your organization. For more details, see Manage Parser Mappings .

Note: Discovery scores for the mapped Event Sources are listed in the Event Source Type(s) column from the lowest to highest discovery scores. Discovery scores range from 0 (least confident) to 100 (most confident).

Viewing Logs from Pre-11.0 Log Decoder

RSA NetWitness Platform 11.0 added the capability to view a small sampling of recent logs for specific devices through detail tabs of the Discovery View. By default, Log Decoders prior to 11.0 do not have the necessary configuration to enable this feature, but a few minor changes can make it available. For more details, see Viewing Logs from Pre-11.0 Log Decoder.

You are here
Table of Contents > Manage Event Source Groups > Acknowledge and Map Event Sources

Attachments

    Outcomes