Discovery TabDiscovery Tab

To access the Discovery tab, go to NetWitness netwitness_adminicon_25x22.png (Admin) > Event Sources. The Discovery tab is displayed.

The Discovery tab lets you review the event source types that NetWitness has discovered for each address and the system’s confidence of how likely it is that they were identified completely accurately. If the discovered event source types are correct, you can acknowledge to filter out that event source. If incorrect, you can set the allowed event source types for a particular address so that future logs will parse against the correct parsers.

Note: The following features apply to NetWitness version 11.1 and later:
- Acknowledging multiple event sources
- Filtering by event source type
- (for 11.2 and later) Mapping filter options include None, Auto, and Manual
- Mapping multiple event sources
- Searching for event sources on the Event Source Discovery page

NetWitness, version 11.2 and later, automatically maps incoming events to a type based on previous logs received from that address, reducing the mis-parsing of messages and reducing the number of items that need attention in the Discovery workflow. A value of Auto in the Mapping Type column indicates that an address has been auto-mapped.

Workflow

This workflow shows the overall process for configuring event sources.

netwitness_111_01viewmodessimple.png

What do you want to do?

Role I want to... Documentation

Administrator

Acknowledge and map event sources.*

Acknowledging and Mapping Event Sources

Administrator

Add and configure parser mappings for a Log Decoder.*

Manage Parser Mappings

Administrator

View event source alarms.

Viewing Event Source Alarms

Administrator

Troubleshoot event source management.

ESM Troubleshooting & Appendix

*You can perform this task here.

Related Topics

Manage Parser Mappings

Details View

Quick Look

The following example displays a list of addresses and their discovered Event Source types. The Event Source types display the Event Sources that have been discovered.

This is an example of the tab.

netwitness_12.1_esdsc1_1122.png

1

Displays the Filters and Event Sources panels with the Discovery tab open.

2

Displays the Event Source Filter field with a drop-down menu that offers the following options:

  • Enter the full or partial address (IP, IPv6 or Hostname) of the source(s) you want to review. You can also enter multiple entries that are separated by commas.
    For example, 10.10.10.10,10.10.10.11,host1.company.com
  • Exact: Returns sources that completely match the search term.
    For example, 10.10.10.10 only returns 10.10.10.10, not 10.10.10.101.
  • Starts With: Returns sources that start with the search term.
    For example,10.10.10. returns the whole 10.10.10.x subnet.
  • Contains: Returns sources that start with the search term.
    For example, exch returns all terms such as us-exch-1.company.com, or lab21 returns all hostx.lab21.company.com terms.
  • Ends With: Returns sources that end with the search term.
    For example, lab21.company.com returns all hosts.

Note: When specifying the search string, you can use . - : (period, dash, colon).

3 The Event Source Type drop-down menu filters for addresses containing all of the selected event source types.
4
  • Select the Show Acknowledged checkbox to display acknowledged Event Sources.
  • Mapping filter options can include just one of the mapping types listed in the Filter Panel, or multiple Mapping Types can be selected.

Note: If no mapping filter options are selected, the default is to display All, None, Manual, and Auto mapping types.

5
  • The Apply button uses all criteria that is set in all filters.
  • The Clear button clears all filters from the panel.
6 Toggles the event sources between acknowledged and not acknowledged states.
7 Maps the selected event sources.
8 View Details button to view details of the selected Event Source.
9 Displays the addresses of the selected Event Sources.
10 Displays the discovery scores of the selected Event Sources.
11 Displays whether or not the selected Event Sources have been acknowledged.
12 Displays the selected Event Source Mapping type as Auto, Manual, or None. Any changes to the mapping are only displayed here.
13 Displays the host names of the Log Collectors where the Event Sources are located.
14 Displays the host names of the Log Decoders where the Event sources are located.
15 Displays the discovered Event Source Types and their associated discovery scores.

Toolbar and Features

The Discovery tab contains the following features:

Field Description

Tools

netwitness_111_toggleacknowledge.png

netwitness_mapbutton.png

netwitness_dets.png

The following items are available on the toolbar:

  • Toggle Acknowledge: Toggles the acknowledged state for the selected Event Source between Yes and No.
  • Map: Opens the Manage Parser Mappings dialog box, where you can map an event source to the correct log parser.
  • View Details: Provides details on the selected Event Source, as well as logs that have been received for this event source. For example:

    12.1_discoveryDetails_1122.png

Event Source

The IP, IPv6, or Hostname of the Event Source.

Discovery Score

Displays the overall discovery score associated with that particular address. Higher scores indicate better confidence. Discovery scores range from 0 (least confident) to 100 (most confident).

Acknowledged

Selections are either Yes (you have acknowledged the Event Source) or
No (you have not acknowledged the Event Source).

Mapping Type

Selections are Manual (you mapped the Event Source), Auto (the system automatically mapped the Event Source), or None (you have not mapped the Event Source).

Auto mapping is content aware. When a log message is parsed to a high confidence header or message that has been tagged, an auto mapping will be set for that address and type. This auto-mapping is valid for 24 hours and will be renewed every time a log message matches a tagged header of a message.

Log messages are first parsed against auto-mapped parsers, and only fall back to discovery if there is no match amongst the mapped parsers. Log messages that fall back to discovery can match the tagged headers or messages from other event sources: this results in multiple types being mapped.

For example, an address could eventually be mapped to Windows, MS SQL, and Apache, and these parsers are evaluated first. If an event source is decommissioned, and its IP re-purposed, the 24-hour timer ages out the mappings for the decommissioned types.

Note: This features applies to NetWitness version 11.2 and later.

Log Collector(s)

Log Collectors that have received logs from this Event Source address.

Log Decoder(s)

Log Decoders that have received logs from this Event Source address.

Event Source Type(s)

The parsed type(s) of the Event Source address and the corresponding Discovery Score for each type.

Note: Discovery Scores are only available for 11.0 and above Log Decoders. Discovery Scores for pre-11.0 Log Decoders display as Unavailable.

The following table describes the sorting order for discovery scores. To access the Sorting Order drop-down menu, click on the down arrow in the Event Sources column.

Field Description

Sort Ascending

Sort the column by discovery score in ascending order.

Sort Descending

Sort the column by discovery score in descending order.

Columns

Used to hide or show one or more columns.