Modifying an event map gives you the option to manually categorize events to a QRadar Identifier (QID) map.
About this task
Any event that is categorized to a log source can be remapped to a new QRadar Identifier (QID).
Note: Events that do not have a defined log source cannot be mapped to an event. Events without a log source display SIM Generic Log in the Log Source column.
Procedure
- On the Event Name column, double-click an unknown event for Symantec DLP.
  The detailed event information is displayed.
- Click Map Event.
- From the Browse for QID pane, select any of the following search options to narrow the event categories for an IBM QRadar Identifier (QID):
  - From the High-Level Category list, select a high-level event categorization.
    For a full list of high-level and low-level event categories or category definitions, see the Event Categories section of the IBM QRadar Administration Guide.
  - From the Low-Level Category list, select a low-level event categorization.
  - From the Log Source Type list, select a log source type.
    The Log Source Type list gives you the option to search for QIDs from other log sources. Searching for QIDs by log source is useful when events are similar to those of another existing network device. For example, because Symantec DLP provides policy and data loss prevention events, you might select another product that likely captures similar events.
  - To search for a QID by name, type a name in the QID/Name field.
    The QID/Name field gives you the option to filter the full list of QIDs for a specific word, for example, policy.
- Click Search.
  A list of QIDs is displayed.
- Select the QID you want to associate to your unknown event.
- Click OK.
  QRadar maps any additional events forwarded from your device that match the event payload to the same QID. The event count increases each time that the event is identified by QRadar.
If you update an event with a new QRadar Identifier (QID) map, past events that are stored in QRadar are not updated. Only new events are categorized with the new QID.