Creating an event map for Akamai Kona events
Event mapping is required for a number of Akamai Kona events. Because of the customizable nature of policy rules, some events might not contain a predefined IBM QRadar Identifier (QID) map to categorize security events.
About this task
You can individually map each event for your device to an event category in QRadar. Mapping events allows QRadar to identify, coalesce, and track recurring events from your network devices. Until you map an event, all events that are displayed in the Log Activity tab for Akamai Kona are categorized as unknown. Unknown events are easy to identify because the Event Name and Low Level Category columns both display Unknown.
As your device forwards events to QRadar, it can take time to categorize all of the events for a device, because some events might not be generated immediately by the event source appliance or software. It is helpful to know how to quickly search for unknown events. When you know how to run this search, you might want to repeat it until you are satisfied that most of your events are identified.