Modifying Event Mapping
You can manually map a normalized or raw event to a high-level and low-level category (or QID).
This manual action is used to map unknown log source events to known JSA events so that they can be categorized and processed appropriately.
For normalization purposes, JSA automatically maps events from log sources to high- and low-level categories.
For more information about event categories, see the Juniper Secure Analytics Administration Guide.
If events are received from log sources that the system is unable to categorize, then the events are categorized as unknown. These events occur for several reasons, including:
User-defined events: some log sources, such as Snort, allow you to create user-defined events.
New or older events: vendor log sources might update their software with maintenance releases to support new events that JSA might not yet support.
The Map Event icon is disabled for events when the high-level category is SIM Audit or the log source type is Simple Object Access Protocol (SOAP).
- Click the Log Activity tab.
- Optional. If you are viewing events in streaming mode, click the Pause icon to pause streaming.
- Double-click the event that you want to map.
- Click Map Event.
- If you know the QID that you want to map to this event, type the QID in the Enter QID field.
- If you do not know the QID that you want to map to this event, search for it. Choose one of the following options:
  - To search for a QID by category, select the high-level category from the High-Level Category list box.
  - To search for a QID by log source type, select a log source type from the Log Source Type list box.
  - To search for a QID by name, type a name in the QID/Name field.
  Then select the QID that you want to associate with this event.
- Click OK.