Event map creation for Symantec DLP events
Event mapping is required for a number of Symantec DLP events. Because policy rules are customizable, most events, except the default policy events, do not have a predefined QRadar Identifier (QID) mapping that categorizes them as security events.
You can map each event from your device individually to an event category in QRadar. Mapping events allows QRadar to identify, coalesce, and track recurring events from your network devices. Until you map an event, all events that are displayed in the Log Activity tab for Symantec DLP are categorized as unknown. Unknown events are easy to identify because the Event Name and Low Level Category columns both display Unknown.
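The following Ariel Query Language (AQL) search is an added example and is not part of the IBM documentation. It lists the Symantec DLP events that still carry the Unknown event name, grouped by log source and low-level category, so that you can see which events remain to be mapped. It assumes that the log source type is named 'Symantec DLP' and that unmapped events have the event name 'Unknown', as described above; adjust the strings if your deployment names them differently.

```sql
-- Added example (not IBM's code): find Symantec DLP events that are not yet mapped to a QID.
-- Run from the Log Activity tab, Advanced Search.
-- Assumptions: log source type name 'Symantec DLP'; unmapped events show the event name 'Unknown'.
SELECT
  LOGSOURCENAME(logsourceid)  AS "Log Source",
  QIDNAME(qid)                AS "Event Name",
  CATEGORYNAME(category)      AS "Low Level Category",
  COUNT(*)                    AS "Count"
FROM events
WHERE LOGSOURCETYPENAME(devicetype) = 'Symantec DLP'
  AND QIDNAME(qid) = 'Unknown'
GROUP BY logsourceid, qid, category
ORDER BY "Count" DESC
LAST 24 HOURS
```

Each row that the search returns is a candidate for mapping. Rerun the search after you map an event: the row disappears once the event is categorized, which confirms that the mapping is applied to new events.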