Each rule on the system can be mapped to a category or group which creates what is called Normalization.
Rules are named and described by each vendor. As a result, the same type of rule will often have various different names, making it difficult for the user to gather useful information regarding the types of events that are occurring. McAfee has compiled, and will continually update, a list of Normalized IDs that describe rules so that events can be grouped into useful categories. When you click on Normalized in the Rule Types pane on the Policy Editor, these IDs, names, and descriptions will be listed.
The following event features offer the option to organize event information using these normalized IDs:
• View Component Fields - Normalized Event Summary is an option when defining fields for an Event Query in the Pie Chart, Bar Chart, and List components (Custom Query Fields section). • View Component Filters - When you are creating a new view, you can select to filter event data on a component by the normalized IDs (Custom Query Filters section). • View Filters - Normalized ID is an option on View filters lists (View Filters section). • Event Summary - A Normalized Event Summary view is available on the View List.
The Details tab on the Event Analysis view lists the normalization ID for the events that appear on the list.