As your device forwards events to IBM QRadar, it can take time to categorize all of the events for a device, as some events might not be generated immediately by the event source appliance or software.
About this task
It is helpful to know how to quickly search for unknown events. Once you know how to search for them, repeat this search periodically until you are confident that you can identify most of your events.
Procedure
- Log in to QRadar.
- Click the Log Activity tab.
- Click Add Filter.
- From the first list, select Log Source.
- From the Log Source Group list, select the log source group or Other.
  Log sources that are not assigned to a group are categorized as Other.
- From the Log Source list, select your Symantec DLP log source.
- Click Add Filter.
  The Log Activity tab is displayed with a filter for your log source.
- From the View list, select Last Hour.
  Any events that are generated by the Symantec DLP DSM in the last hour are displayed. Events that are displayed as unknown in the Event Name column or Low Level Category column require event mapping in QRadar.
  Note: You can save your existing search filter by clicking Save Criteria.
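The same check can be scripted instead of clicked through, which is useful when you want to repeat it on a schedule. The following is an added example, not code from IBM or the QRadar documentation; it assumes the Ariel REST endpoints /api/ariel/searches and /api/ariel/searches/{id}/results authenticated with a SEC token header, and the AQL functions QIDNAME, CATEGORYNAME and LOGSOURCENAME, and the console hostname, token and log source name are placeholders you supply.

```python
import json
import time
import urllib.parse
import urllib.request


def build_query(log_source_name: str, hours: int = 1) -> str:
    """AQL equivalent of the Log Activity filter: one log source, last N hours."""
    # Double any single quote in the name so it cannot terminate the AQL string literal.
    safe_name = log_source_name.replace("'", "''")
    return (
        "SELECT QIDNAME(qid) AS event_name, "
        "CATEGORYNAME(category) AS low_level_category, COUNT(*) AS cnt "
        f"FROM events WHERE LOGSOURCENAME(logsourceid) = '{safe_name}' "
        f"GROUP BY qid, category LAST {int(hours)} HOURS"
    )


def unmapped_rows(rows):
    """Keep the rows that still need event mapping: 'unknown' in either column."""
    return [
        r for r in rows
        if "unknown" in r["event_name"].lower()
        or "unknown" in r["low_level_category"].lower()
    ]


def _get_json(url: str, headers: dict):
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        return json.load(resp)


def run_search(console: str, token: str, query: str):
    """Submit the AQL search (assumed endpoint), poll until COMPLETED, return rows."""
    headers = {"SEC": token, "Accept": "application/json"}
    base = f"https://{console}/api/ariel/searches"
    req = urllib.request.Request(
        base + "?" + urllib.parse.urlencode({"query_expression": query}),
        headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        search_id = json.load(resp)["search_id"]
    while (status := _get_json(f"{base}/{search_id}", headers)["status"]) != "COMPLETED":
        if status in ("CANCELED", "ERROR"):
            raise RuntimeError(f"search {search_id} ended with status {status}")
        time.sleep(2)  # searches over a busy hour can take a while to finish
    return _get_json(f"{base}/{search_id}/results", headers)["events"]


# Constructed sample rows standing in for a real Ariel result set (not real data).
SAMPLE_ROWS = [
    {"event_name": "Symantec DLP Incident", "low_level_category": "Policy Violation", "cnt": 12},
    {"event_name": "Unknown", "low_level_category": "Unknown", "cnt": 3},
    {"event_name": "Symantec DLP Event", "low_level_category": "Unknown", "cnt": 1},
]
```

Run `unmapped_rows(run_search("qradar.example.invalid", "<SEC token>", build_query("Symantec DLP")))` against a console; any row returned is an event that still needs a mapping, and the `cnt` column tells you which ones to map first.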
What to do next
You can now modify the event map.