Skip to main content

Event SelectionEvent Selection Guide

Table of Contents

Initial Policy Configuration

When you first access Event Selection, choose your preferred policy and configure your default policy statements.

The first time you access Event Selection, you're prompted to choose your preferred policy.

ESInitialWelcomeScreen.png
ESInitialConfigSettings.png

Event Selection provides several flexible options for configuring your policy:

  • Exabeam Default Policy – The default policy contains event statements recommended by Exabeam. Choosing this policy automatically activates all event statements. For more information, see Activate the Default Policy.

  • Review Exabeam Default Policy (Statements disabled) – This option gives you the same default statements as the previous option, but they are disabled by default. To begin passing events, you will need to review each statement individually. For more information, see Review the Default Policy Before Activating.

  • Manually Create Event Selection Policy – Use this option, if you prefer complete control of event passing and want to manually create each event selection statement from scratch. This requires you to manually enable any event statements. For more information, see Manually Create a Custom Event Selection Policy.

After you choose an option, whenever you access Event Selection, you will be taken to the Event Selection home page. You can then make changes to the policy (such as to set exceptions for event statements).

You can also change the policy type by clicking the More menu ES-More-Menu-Icon.png, then selecting Review Policy Change Options.

Homepage-Actions-Menu.png

Activate the Default Policy

This option is highly recommended, unless you have a specific need to filter out useful fields. When you select this option, Event Selection immediately begins passing all recommended events, based on Exabeam default statements to Advanced Analytics, including everything needed to trigger rules.

  1. (Optional) Review the event statements that make up the default policy before proceeding.

  2. From Event Selection, select the actions menu and choose Review Policy Change Options.

  3. Select Activate Suggested Policy Changes.

    If you previously configured a policy, you can bring up the options from the actions menu and choose Review Policy Change Options.

  4. Click Save and Continue.

Review the Default Policy Before Activating

This option gives you the ability to review those default statements. Selecting this option gives you the same default statements as the previous option, but they are disabled by default, and the system will not automatically start passing events. You will need to edit, delete, or enable each statement individually.

  1. From Event Selection, select the actions menu and choose Review Policy Change Options.

  2. Select Review Exabeam Policy Changes.

  3. Click Save and Continue.

  4. Review each statement.

    Edit and activate the statements based on your filtering preferences.

Manually Create a Custom Event Selection Policy

With this option, you build your Event Selection policy from scratch, one Event Statement at a time.

  1. From Event Selection, select the actions menu and choose Review Policy Change Options.

  2. Select Manually Create Event Selection Policy.

  3. Click Save and Continue.

  4. Create an Event Selection Policy Statement for one or more filtering rules.