Modifying the Event Map for Akamai Kona


Modifying an event map lets you manually categorize events by assigning them to a QRadar Identifier (QID). Any event that is associated with a log source can be remapped to a new QID.

Akamai Kona events that are not associated with a defined log source cannot be mapped to a QID. Events without a log source are displayed as SIM Generic Log in the Log Source column; such events must be associated with a log source before they can be mapped.

  1. In the Event Name column, double-click an unknown Akamai Kona event.

    The detailed event information is displayed.

  2. Click Map Event.
  3. In the Browse for QID pane, use any of the following search options to narrow the list of QIDs:
    • From the High-Level Category list, select a high-level event category.

    • From the Low-Level Category list, select a low-level event category.

    • From the Log Source Type list, select a log source type.

    The Log Source Type list lets you search for QIDs that belong to other log source types. Searching by log source type is useful when the events resemble those of another network device that JSA already supports. For example, Akamai Kona provides web application firewall events, so you might select another web application firewall product whose QIDs describe similar events.

    For a full list of high-level and low-level event categories and their definitions, see the Event Categories section of the JSA Administration Guide.

  4. To search for a QID by name, type a name in the QID/Name field.

    The QID/Name field filters the full list of QIDs to those whose names contain a specific word, for example, policy.

  5. Click Search.

    A list of matching QIDs is displayed.

  6. Select the QID that you want to associate to your unknown event.
  7. Click OK.

    JSA maps any further events that are forwarded from your device and carry the same event identifier in the payload to the selected QID. The event count increases each time that JSA identifies the event.

    If you remap an event to a new QID, events that are already stored in JSA are not updated. Only events received after the change are categorized with the new QID; events already stored retain their original QID.
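The same mapping performed through the REST API instead of the console, as an added example that is not code from this documentation or from Juniper. It assumes that the appliance exposes the QRadar REST API endpoints /api/data_classification/qid_records and /api/data_classification/dsm_event_mappings, that it authenticates with an authorized service token sent in the SEC header, and that the filter grammar shown is accepted; the host name, token, API version, log source type ID, event ID, event category and QID records are constructed for illustration. The search function mirrors the Browse for QID pane (name substring, low-level category, log source type), and the mapping call has the same forward-only effect the procedure describes: events already stored keep their old QID.

```python
"""Map an unknown Akamai Kona event to a QID through the JSA REST API.

Added example; it is not code from the JSA documentation or from Juniper.
Assumptions (not stated on the page): the appliance exposes the QRadar REST API
endpoints /api/data_classification/qid_records and
/api/data_classification/dsm_event_mappings, authenticates with an authorized
service token in the SEC header, and accepts the filter grammar used below.
Host name, token, IDs and the sample records are constructed for illustration.
"""
import json
import ssl
import urllib.parse
import urllib.request


class JsaClient:
    def __init__(self, base_url, token, api_version="12.0", transport=None):
        self.base_url = base_url.rstrip("/")
        self.headers = {
            "SEC": token,               # authorized service token from the JSA console
            "Version": api_version,     # assumed API version; pinned so upgrades do not change behaviour
            "Accept": "application/json",
            "Content-Type": "application/json",
        }
        # transport(method, url, body_bytes_or_None, headers) -> decoded JSON.
        # Injectable so the client can be exercised without an appliance.
        self.transport = transport or self._https_transport

    @staticmethod
    def _https_transport(method, url, body, headers):
        # The default context verifies the appliance certificate; do not disable
        # verification when a SIEM service token travels in the request.
        ctx = ssl.create_default_context()
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.loads(resp.read().decode("utf-8"))

    def _call(self, method, path, params=None, body=None):
        url = self.base_url + path
        if params:
            url += "?" + urllib.parse.urlencode(params)
        data = json.dumps(body).encode("utf-8") if body is not None else None
        return self.transport(method, url, data, self.headers)

    def search_qids(self, name_contains=None, low_level_category_id=None,
                    log_source_type_id=None):
        """API equivalent of the Browse for QID pane: the given filters are ANDed."""
        clauses = []
        if name_contains:
            # Refuse characters that would alter the filter expression itself.
            if "'" in name_contains or "%" in name_contains:
                raise ValueError("quote and wildcard characters are not allowed in the name filter")
            clauses.append("name ILIKE '%" + name_contains + "%'")
        if low_level_category_id is not None:
            clauses.append("low_level_category_id=%d" % int(low_level_category_id))
        if log_source_type_id is not None:
            clauses.append("log_source_type_id=%d" % int(log_source_type_id))
        params = {"filter": " and ".join(clauses)} if clauses else None
        return self._call("GET", "/data_classification/qid_records", params=params)

    def map_event(self, log_source_type_id, event_id, event_category, qid_record_id):
        """Create the DSM event mapping that the Map Event dialog creates.

        Events JSA has already stored keep their old QID; only events that arrive
        after the mapping exists are categorized with qid_record_id.
        """
        body = {
            "log_source_type_id": int(log_source_type_id),
            "log_source_event_id": event_id,              # Event ID parsed from the payload
            "log_source_event_category": event_category,  # Event Category parsed from the payload
            "qid_record_id": int(qid_record_id),
        }
        return self._call("POST", "/data_classification/dsm_event_mappings", body=body)


def choose_qid(records, name):
    """Pick the single record whose name matches exactly; refuse ambiguous results."""
    exact = [r for r in records if r.get("name", "").lower() == name.lower()]
    if len(exact) != 1:
        raise LookupError("expected exactly one QID named %r, got %d" % (name, len(exact)))
    return exact[0]


# Constructed responses so the script also runs without an appliance.
CONSTRUCTED_QID_RECORDS = [
    {"id": 101, "qid": 55000, "name": "Policy Violation",
     "low_level_category_id": 3015, "log_source_type_id": 4000},
    {"id": 102, "qid": 55001, "name": "Policy Violation Warning",
     "low_level_category_id": 3015, "log_source_type_id": 4000},
]


def constructed_transport(method, url, body, headers):
    """Stand-in for the appliance: returns the constructed records, echoes a created mapping."""
    if method == "GET":
        return CONSTRUCTED_QID_RECORDS
    return dict(json.loads(body), id=7)


if __name__ == "__main__":
    client = JsaClient("https://jsa.example.com/api", "constructed-token",
                       transport=constructed_transport)
    hits = client.search_qids(name_contains="policy", log_source_type_id=4000)
    qid = choose_qid(hits, "Policy Violation")
    mapping = client.map_event(4000, "WAF_POLICY_DENY", "Akamai", qid["id"])
    print(json.dumps(mapping, indent=2))
```

To run this against a real appliance, drop the transport argument so the HTTPS transport is used, and keep certificate verification on: the SEC token grants the same rights as the console user that created it. Exact-name selection in choose_qid is deliberate, because a substring search such as policy returns several QIDs and silently taking the first one would map the event to the wrong category.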