ArcSight Web UsersGuide

ArcSight ESM 5.0 GA

May, 2010

ArcSight Web Users Guide ArcSight ESM 5.0 GA Copyright 2001-2010 ArcSight, Inc. All rights reserved. ArcSight, the ArcSight logo, ArcSight TRM, ArcSight NCM, ArcSight Enterprise Security Alliance, ArcSight Enterprise Security Alliance logo, ArcSight Interactive Discovery, ArcSight Pattern Discovery, ArcSight Logger, FlexConnector, SmartConnector, SmartStorage and CounterACT are trademarks of ArcSight, Inc. All other brands, products and company names used herein may be trademarks of their respective owners. Follow this link to see a complete statement of ArcSight's copyrights, trademarks, and acknowledgements: http://www.arcsight.com/company/copyright/ The network information used in the examples in this document (including IP addresses and hostnames) is for illustration purposes only. This document is ArcSight Confidential.

Revision History
Date 05/2010 01/08/2010 03/20/2009 11/11/2008 Product Version ArcSight ESM v5.0 GA ArcSight ESM v4.5 SP2 ArcSight ESM v4.5 SP1 ArcSight ESM v4.5 Description Update for ESM v5.0 new features Update for ESM v4.5 SP2 Update for ESM v4.5 SP1 Updated version, dates, and copyright information. Added standard content and ArcSight Express topics. Updated version, dates, and copyright information. First edition for this version.

02/18/2008 08/27/2007

ArcSight ESM v.4.0 SP2 ArcSight ESM v4.0 GA

Document template version: 1.0.2.9

ArcSight Customer Support

Phone E-mail Support Web Site Protect 724 Community 1-866-535-3285 (North America) +44 (0)870 141 7487 (EMEA) [email protected] https://support.arcsight.com https://protect724.arcsight.com

Contents
Chapter 1: Welcome to ArcSight Web .................................................................................. 1 Chapter 2: Whats New ....................................................................................................... 3 Chapter 3: Navigating ArcSight Web ................................................................................... 5 Navigating the Home Page ............................................................................................... 5 Basic Navigation ............................................................................................................. 6 Chapter 4: Standard Content ............................................................................................... 9 Standard Content Foundations .......................................................................................... 9 Configuration Monitoring Foundation ............................................................................ 9 Network Monitoring Foundation ................................................................................. 10 ArcSight Workflow Foundation .................................................................................. 10 ArcSight Administration Foundation ........................................................................... 10 ArcSight System Content ......................................................................................... 10 Conditional Variable Filters ....................................................................................... 10 Anti-Virus Reports ................................................................................................... 10 Getting Started Using Standard Content ........................................................................... 11 Monitoring with Standard Content ................................................................................... 11 Reporting with Standard Content ..................................................................................... 12 Chapter 5: ArcSight Express Content ................................................................................ 15 ArcSight Express Home Page .......................................................................................... 16 Recent Notifications ................................................................................................. 16 My Cases ............................................................................................................... 16 Dashboards ............................................................................................................ 16 Active Channels ...................................................................................................... 16 Getting Started Using ArcSight Express Content ................................................................ 17 ArcSight Express Groups .......................................................................................... 17 Monitoring with ArcSight Express Active Channels .............................................................. 18 Monitoring with ArcSight Express Dashboards ............................................................. 19 Reporting with ArcSight Express Reports .......................................................................... 20 Chapter 6: Using Active Channels ..................................................................................... 21 Opening Active Channels ................................................................................................ 21

ArcSight Confidential

ArcSight Web UsersGuide iii

Viewing Active Channels ................................................................................................ 23 Using Active Channel Headers ................................................................................... 23 Using Active Channel Grids ....................................................................................... 23 Supported Expressions for Inline Filtering ............................................................. 25 Inspecting Events .......................................................................................................... 26 Event Inspector Header Features .............................................................................. 26 Event Inspector Field Features .................................................................................. 27 Show Details for Event Attributes .............................................................................. 27 Event Categories .............................................................................................. 27 Event Data Fields .............................................................................................. 34 Audit Events .................................................................................................... 80 Status Monitor Events ....................................................................................... 87 Chapter 7: Using Cases ..................................................................................................... 99 Managing Cases ............................................................................................................ 99 Default Case Management Columns ..........................................................................100 Security Classification Default Letter Codes ...............................................................100 Creating Cases ............................................................................................................101 Initial Tab .............................................................................................................101 Follow Up Tab ........................................................................................................103 Final Tab ..............................................................................................................104 Events Tab ............................................................................................................105 Attachments Tab ....................................................................................................106 Notes Tab .............................................................................................................106 Chapter 8: Handling Notifications ................................................................................... 107 Chapter 9: Using Reports ................................................................................................ 109 Running and Viewing Reports .........................................................................................109 Running and Saving Archived Reports .............................................................................109 Report Parameters .......................................................................................................110 Viewing Archived Reports ..............................................................................................111 Downloading an Archived Report ..............................................................................111 Adding New Archived Reports ..................................................................................111 Deleting Archived Reports .......................................................................................112 Advanced Configuration for Report Performance ...............................................................112 Configurations for Large Reports ..............................................................................112 Configurations for Reports with Large Time Ranges ....................................................112 Chapter 10: Monitoring Dashboards ................................................................................ 115 Viewing and Managing Dashboards .................................................................................115 Changing Dashboard Layouts .........................................................................................115

iv ArcSight Web UsersGuide

ArcSight Confidential

Chapter 11: Using the Knowledge Base ........................................................................... 117 Chapter 12: Using Reference Pages ................................................................................ 119 Chapter 13: Setting Preferences ..................................................................................... 121 Chapter 14: Custom Branding and Styling ....................................................................... 123 Index .................................................................................................................................................... 125

ArcSight Confidential

ArcSight Web UsersGuide v

vi

ArcSight Web UsersGuide

ArcSight Confidential

Welcome to ArcSight Web

ArcSight Web is the web interface to certain features of ArcSight ESM accessible from anywhere on your intranet. Because it can be installed at a location remote from the ArcSight Manager, ArcSight Web can operate outside a firewall that protects the Manager. Because of its new design, it also offers opportunities for custom branding and styling.
Set the starting view of the home display for new ArcSight Web users through the ESM Console.

Chapter 1

Installing ArcSight Web is described in the Installation and Configuration Guide. Information on how to configure ArcSight Express or ESM standard content is described in the ESM Console Help and/or ESM User's Guide. ArcSight Web is the primary interface to the ArcSight Express Information and Event Management (SIEM) appliance. ArcSight Web is the focal point for operators and analysts engaged in network perimeter and security monitoring. See Whats New on page 3 and ArcSight Express Content on page 15 for more information. ArcSight Web provides a more flexible view into standard ESM resources and monitoring information for operators and analysts in an ESM environment. If you are using ArcSight Web in an ESM environment, see Standard Content on page 9 for information on standard content viewable on ArcSight Web. For a list of new features and enhancements to ArcSight Web v4.5, see Whats New on page 3. Ready to get started? See Navigating ArcSight Web on page 5 for a quick tour of all features.

ArcSight Confidential

ArcSight Web UsersGuide 1

ArcSight Web UsersGuide

ArcSight Confidential

Whats New
ArcSight Web offers browser-based access to selected ArcSight Manager installations from anywhere on your intranet. While the ArcSight Console remains your tool for analysis authoring and detailed operational tasks, ArcSight Web provides a way to see and readily use the results of that analytical capability. ArcSight Web is an independent server (not integral to the ArcSight Manager) and can be located anywhere from which it can connect to a Manager, even outside a firewall. The best way to get acquainted with ArcSight Web is to take a quick tour of the user interface. If you are a standard ESM user, see Standard Content on page 9. If you are an ArcSight Express user, see ArcSight Express Content on page 15.

Chapter 2

New in ESM v5.0

If your ESM system is configured to use new ESM v5.0 features such as actors and domain field sets, the associated resources (e.g., field sets, filters, active channels) will be available in ArcSight Web (to users with appropriate permissions).
Feature Actors Related Topics If your ESM system is configured to monitor actors, then filters, fields, and event channels that reflect actor data will be available in ArcSight Web. In ArcSight Web, you can view channels with actor data, create conditions, and filter on those fields just as you would any other data in event channels. (See Chapter 6 Using Active Channels on page 21 in this guide.) For general information about the new actors feature, see the Actors topic in the ESM Users Guide. Domain Field Sets If your ESM system is configured to use domain field sets for specific business verticals, these custom field sets will be available in ArcSight Web. Using domain fields sets as active channel parameters on filters and conditions in ArcSight Web is discussed in Opening Active Channels on page 21 for options Field Set and Filter Override. Using domain field sets to focus the view on an already-displayed active channel in ArcSight Web is discussed in Event Inspector Header Features on page 26 under Viewing Active Channels. For more information about domain field sets in general, see the Domain Field Sets topic in the ESM Users Guide.

ArcSight Confidential

ArcSight Web UsersGuide 3

2 Whats New

Feature Use Cases

Related Topics Starting with ESM v5.0, events related to a use case are preserved in the case for tracking purposes even after the time period where the events would typically age out of the database. For general information on managing use cases in ArcSight Web, see Chapter 7 Using Cases on page 99.

4 ArcSight Web UsersGuide

ArcSight Confidential

Navigating ArcSight Web

Access the ArcSight Web server through whichever web browser you prefer: Internet Explorer 6.0+ or Firefox 2.0+. The ArcSight Web home URL is https://hostname:9443/arcsight/app, where hostname is the machine on which the web server is running. Navigating the Home Page on page 5 Basic Navigation on page 6

Chapter 3

Navigating the Home Page

The ArcSight Web client opens to the Home display. From here you can easily reach everything the client offers. The Home display's summaries are quick references and links to the most-appropriate or most-interesting security resources in your enterprise. The initial or default information in each group is configured by your ArcSight administrator. In the sections that offer a Show menu, you can choose Start Up View to see this default or Personal Folder to switch to resources selected by or assigned to you. The information summarized in the Home display is identical to, although possibly a subset of, the same information managed through the ArcSight Console. It is simply presented in a browser-compatible format.

Home
The Home link returns you to the home page from any other view.

Dashboards
The Dashboards section lists a set of data monitor dashboards that expose selected analytical security information about your enterprise. Click a dashboard's name to open it.

Reports
The Reports section lists available reports. Reports are captured views or summaries of data extrapolated from the ArcSight System by means of queries and trends. Reports communicate the state of your enterprise security. Click a report, set the parameters or accept the defaults (HTML or PDF), and click Run Report. You have the option of saving the Report results in a variety of file formats to your local system, or just viewing the results in the ArcSight Web window.

ArcSight Confidential

ArcSight Web UsersGuide 5

3 Navigating ArcSight Web

Active Channels
Active Channels display the filtered events as they stream through the system. Click a channel to open it as a grid view in which you can inspect individual events. You can pause channels, and sort event columns in the grid.

Cases
The Cases section summarizes currently tracked, event-related security situations by the area they fall into (rows) and the workflow-style stage they have reached (columns). Click a type and stage cell to see more detail.

Recent Notifications
The Recent Notifications section summarizes ArcSight notifications by workflow-style categories. Click a category to see more detail.

Basic Navigation
Use the Dashboards, Reports, Channels, Cases Notifications, and Knowledge Base links at the top of the display to go to those features. A link to ArcSight Support is also provided.
Button Description Home

Dashboards

Reports

Channels

Cases

Notifications

The top bar also has the client's basic controls. Click Help to open this Help window. To visit previously viewed Help pages, you can use standard keyboard commands for Back and Next. For example, on most Web browsers running on Microsoft Windows systems, you can hit the Backspace key to show the previously viewed page (move backward in the History) and Shift + Backspace to move forward in the History of viewed pages. For more information on using the Help (including how to print topics and get a PDF), see Chapter 3 About the Online Help on page vii. Click Options to change your preferences concerning date and time formats, locale settings, active channel setup, and your password. Click Logout to leave the client and log in again, or browse elsewhere. If you leave the client idle for a period of time you may need to log in again because of an automatic security time-out. Click the ArcSight logo in the upper-left corner of the Home display to see version and licensing information.

6 ArcSight Web UsersGuide

ArcSight Confidential

3 Navigating ArcSight Web

ArcSight Confidential

ArcSight Web UsersGuide 7

3 Navigating ArcSight Web

8 ArcSight Web UsersGuide

ArcSight Confidential

Standard Content
ArcSight Enterprise Security Management (ESM) comes with a series of coordinated resource systems (active channels, dashboards, and reports) that address common enterprise network security and ESM management tasks. These resource systems are referred to collectively as standard content. Standard content is designed to give you comprehensive operational function out of the box with minimal configuration. The content that comes with ArcSight ESM provides a broad range of security, network and configuration monitoring tasks, as well as a comprehensive ESM system monitoring coverage. The standard content is organized into functional groups called foundations. For more about the foundations, see Standard Content Foundations on page 9. Standard Content Foundations on page 9 Getting Started Using Standard Content on page 11 Monitoring with Standard Content on page 11 Reporting with Standard Content on page 12

Chapter 4

Standard Content Foundations

Each foundation is a coordinated system of resources that provides real-time monitoring capabilities for its area of focus, as well as after-the-fact analysis in the form of reports, trends, and trend reports.

Configuration Monitoring Foundation

The Configuration Monitoring foundation identifies, analyzes, and provides support for remediation of undesired modifications to systems, devices, and applications. Configuration monitoring is concerned mainly with monitoring hosts and user accounts for configurationrelated activity, such as installing new applications, adding new systems to the network, anti-virus/network scanner/IDS engine and signature updates, and asset vulnerability postures. The configuration monitoring foundation helps you monitor how your networks change over time, measure daily statistics, understand the changes made, and know who's making them. Trends help you know what is normal and spot anomalies that should be investigated. Intrusion Monitoring Foundation

ArcSight Confidential

ArcSight Web UsersGuide 9

4 Standard Content

The focus of the Intrusion Monitoring foundation is to identify hostile activity and enable you to take appropriate action either automatically or manually. This foundation provides statistics about intrusion-related activity, which can be used for incident investigation as well as routine monitoring and reporting. As with previous releases, the essential security monitoring functions of the Intrusion Monitoring foundation make up the bulk of the ESM standard content. The Intrusion Monitoring foundation targets general intrusion types as well as specific types of attacks, such as worms, viruses, denial-of-service (DoS) attacks, and so on.

Network Monitoring Foundation

The Network Monitoring foundation monitors the status of network throughput and network infrastructure as monitored by Argus, the real-time flow monitoring device by Qosient. This foundation provides statistics about traffic and bandwidth usage that helps you identify anomalies and areas of the network that need attention.

ArcSight Workflow Foundation

The ArcSight Workflow foundation is a system of active channels and reports that support incident response tracking using ESM's incident response system. Qualifying events in the other ESM foundation packages trigger notifications and cases that get escalated through ESM's incident response stages.

ArcSight Administration Foundation

The ArcSight Administration foundation provides statistics about the health and performance of ArcSight ESM and its components. This foundation is installed automatically, and is essential for managing and tuning the performance of ESM content and components.

ArcSight System Content

The ArcSight System content consists of resources that ESM requires for basic security processing functions, such as threat escalation and priority calculations, as well as basic event monitoring channels required for out-of-the-box functionality.

Conditional Variable Filters

The Conditional Variable Filters are a library of filters used by variables in standard content report queries, filters, and rule definitions. They express conditions that can also be used by any content in any package. The Conditional Variable Filters are used by the Anti Virus, ArcSight Express, Configuration Monitoring, Intrusion Monitoring, Network Monitoring, and Workflow foundations.

Anti-Virus Reports
The Anti-Virus reports serve both the Configuration Monitoring and Intrusion Monitoring foundations.

10 ArcSight Web UsersGuide

ArcSight Confidential

4 Standard Content

Getting Started Using Standard Content

Whatever your role in the security operations center, you can get started right away using ESM's standard content. Each foundation is organized with content for different types of users. Executive Summaries. Executive summaries provide high-level analysis of event activity for management reports. These views show overall trends and long-term summaries. Operational Summaries. The operational summaries are intended for SOC operators and analysts for daily event monitoring and triage-level investigation. Details. The detailed content is intended for incident responders and analysts who need access to relevant event details in order to investigate situations that arise from monitoring reports in the operational summaries. SANS Top 5 Reports. Each security-related foundation contains a set of reports that address the SANS Institute's list of recommendations of what every IT staff should know about their network at a minimum, based on the Top 5 Essential Log Reports.

Monitoring with Standard Content

You can use standard content active channels to begin monitoring your network immediately after SmartConnectors are added and basic configuration is complete. Each foundation provides high-level channels for observing general activity for its area of focus.
Foundation ArcSight System Channel System Events Last Hour Description Channel showing all events generated by ArcSight during the last hour. A filter prevents the channel from showing events that contributed to the firing of a rule, commonly referred to as correlated events. Channel showing events received today since midnight. A filter prevents the channel from showing events that contributed to the firing of a rule, commonly referred to as correlated events. Channel showing events received during the last five minutes or the last hour. The channel includes a sliding window that always displays exactly the last five minutes of event data. Live Channel showing events received during the last two hours. The channel includes a sliding window that always displays exactly the last two hours of event data. A filter prevents the channel from showing correlation events.

Today

All Events / Last 5 Minutes and Last Hour

Core / Live

ArcSight Confidential

ArcSight Web UsersGuide 11

4 Standard Content

Foundation Configuration Monitoring

Channel Operational Summaries / HighPriority Scan Events Directed Toward HighCriticality Assets Intrusion Monitoring Significant Events

Description This channel shows scan results in real time to give you a view into any highpriority vulnerabilities detected on highly critical assets.

Intrusion Monitoring

This channel provides an overview of hostile, compromise or high priority events. It continuously monitors events matching: Not ArcSight Internal Events Priority greater than 8 or Category Significance Starts With /Compromise or /Hostile Uses the Business Impact Analysis Field Set (End Time, Business Role, Data Role, Attacker Zone Name, Target Host Name, Category Significance, Category Outcome and Priority).

Network Monitoring Workflow

Argus Events

This active channel shows all the events coming from Argus SmartConnectors for the past 24 hours. This channel shows events assigned today. The channel always displays events occurring since midnight of the current day up to the current time. A filter prevents the channel from showing correlated events. It shows only events that are not in closed stage and are assigned to a user.

Assigned Events

Each foundation contains more channels that focus on events of different types. Explore the active channels to monitor the activity you are interested in. For more about using active channels, see Using Active Channels on page 21. Use dashboards to view activity from many perspectives in a single screen. Dashboards are also fully drill-down enabled. For more about investigating using dashboards, see Monitoring Dashboards on page 115.

Reporting with Standard Content

ESM standard content supplies a robust set of reports for each ESM foundation. The reports for each foundation are organized into different levels of detail depending on who the reports are for as outlined in Getting Started Using Standard Content.
Foundation Common Reports The Common group contains a set of anti-virus reports that apply to all the foundations.

12 ArcSight Web UsersGuide

ArcSight Confidential

4 Standard Content

Foundation Configuration Monitoring

Reports Detailed reports concentrate on configuration changes by device and by user, inventories of applications and assets by role, and vulnerabilities by asset, asset type, asset criticality, and so on. Executive Summary reports focus on overall host configurations by zone, role, criticality, data role, and operating system. Operational Summaries provide summaries of host configuration modifications by Customer, OS, and over the last 30 days; top user login successes and failures over recent time periods; and asset restarts over recent time periods. SANS Top 5 Reports focus on SANS section 3: Unauthorized Changes to Users, Groups, and Services.

Intrusion Monitoring

Detailed reports are organized into types of activity: anti-virus; attack monitoring; environment state for applications, operating systems, and services; reconnaissance attempts; access events; user activity through device type; vulnerability activity by asset and by vulnerability; and worm outbreak activity. Executive Summary reports provide an overall Security Intelligence Status Report, and summary views by business role and systems that are subject to regulations, such as the Sarbanes-Oxley Act. Operational Summaries provide mid-level summaries organized into device types, such as anti-virus, attack monitoring, and reconnaissance. SANS Top 5 Reports focus on SANS sections 1, 4, and 5: Attempts to Gain Access, Through Existing Accounts, Systems Most Vulnerable to Attack, and Suspicious or Unauthorized Network Traffic Patterns.

Network Monitoring

Detailed reports provide views into traffic by host, by protocol, and by target, and activity over network devices and VPNs. Executive Summary reports provide traffic summaries over daily, monthly, quarterly, and weekly time intervals. Operational Summaries provide an overall traffic snapshot; bandwidth utilization statistics by device and by time interval; and statistics for inbound and outbound traffic by protocol and by host. SANS Top 5 Reports focus on SANS section 5: Suspicious or Unauthorized Network Traffic Patterns.

Workflow

Detailed reports provide statistics for all cases, notifications, and notification action events. Executive Summary reports provide overall case statistics, such as average time to case resolution, number of cases at each escalation stage, and cases as they affect operations. Operational Summaries provide detailed case statistics, including trends over time, notifications that reach level 3, the status of notifications by user, and so on.

Each foundation contains more reports that focus on events of different types. Explore the reports to find the activity you are interested in reporting on. For more about using reports, see Using Reports on page 109.

ArcSight Confidential

ArcSight Web UsersGuide 13

4 Standard Content

14 ArcSight Web UsersGuide

ArcSight Confidential

ArcSight Express Content

ArcSight Express is an Information and Event Management (SIEM) appliance that provides essential network perimeter and security monitoring tools combined with Logger, ArcSight's data retention hardware storage solution. ArcSight Express is a robust and effective enterprise security monitoring, response, and reporting system in a streamlined, low maintenance, and easy-to-use package. ArcSight Express comes with a series of coordinated resource systems that address common enterprise network security and ArcSight administration tasks. These resource systems are referred to collectively as ArcSight Express content. ArcSight Express content is designed to give you comprehensive operational function out of the box with minimal configuration. These resources enable you to use the active channels and dashboards to monitor the network, use the case tracking tools to investigate and resolve issues, and use the reports to communicate the condition of the network to key stakeholders at all levels of the enterprise. ArcSight Express Home Page on page 16 Getting Started Using ArcSight Express Content on page 17 Monitoring with ArcSight Express Active Channels on page 18 Reporting with ArcSight Express Reports on page 20

Chapter 5

ArcSight Confidential

ArcSight Web UsersGuide 15

5 ArcSight Express Content

ArcSight Express Home Page

The ArcSight Express home page displays a series of basic views designed to give you an overview of activity that concerns you. These views are described below.

Recent Notifications
Recent notifications show the status of notifications generated by correlated events that concern you. To view the details of a notification, click any line item to go to the Notifications page. For more about notifications, see Handling Notifications on page 107.

My Cases
My cases show a snapshot of cases assigned to the user who is currently logged in. For details, click the cases icon to go to the Cases page. For more about cases, see Using Cases on page 99.

Dashboards
Dashboards show a selection of key dashboards. You can select among these views: Start Up View: The start-up view provides quick access to the Security Activity Statistics and Current Event Sources dashboards. These dashboards give you a comprehensive general view of the security state of your environment and the sources where the events are generated. Recent Dashboards: This view shows the last five dashboards you viewed to enable you to easily toggle among several dashboards without having to navigate to them in the Dashboard tab. Click any of these links to display the dashboard itself.

Active Channels
Start Up View: The start-up view provides a link to the Correlated Alerts channel, which shows all events generated by ESM rules. These events are considered to be events of interest that warrant attention.

16

ArcSight Web UsersGuide

ArcSight Confidential

5 ArcSight Express Content

Personal Folder: This view contains active channels that you have modified and saved. Recent Channels: This view shows the last five active channels you viewed to enable you to easily toggle among several active channels without having to navigate to them in the active channels tab. For more about the home page, see Navigating ArcSight Web on page 5.

Getting Started Using ArcSight Express Content

Whatever your role in the security operations center, you can get started right away using the ArcSight Express content.

ArcSight Express Groups

ArcSight Express content is organized into the following device groups relevant to the function the content performs:
Function Cross-Device Description This group contains resources that monitor and report on functions that apply to multiple kinds of devices, such as login attempts, bandwidth usage, and configuration changes. This group contains resources that support monitoring and reporting on anti-virus activity, such as update status, virus activity, and configuration changes. This group contains resources that support monitoring and reporting on activity and notifications involving cases opened in ArcSight as a result of activity that warrants investigation. This group contains resources that monitor and report on database activity, such as configuration changes, database logins, errors and warnings. This group contains resources that monitor and report on firewall activity, such as network logins and logouts, denied connections, bandwidth usage, and configuration changes. This group contains resources that monitor and report on user activity, such as logins, user session durations, and configuration changes in order to identify who is doing what activity on the network. This group contains resources that monitor and report on activity involving Intrusion Detection and Prevention Systems, such as signature updates, alerts, and statistics. This group contains resources that monitor and report on activity involving network infrastructure, including system up/down status, configuration changes, bandwidth usage, and login events. This group contains resources that monitor and report on activity involving operating systems, such as user logins, and user modification events. This group contains resources that monitor and report on activity involving VPN connections, including authentication errors, logins, and connection status. This group contains resources that monitor and report on exposed vulnerabilities by asset.

Anti-Virus

Case Management Database

Firewall

Identity Management

IDS-IPS

Network

Operating System VPN

Vulnerabilities

ArcSight Confidential

ArcSight Web UsersGuide

17

5 ArcSight Express Content

Monitoring with ArcSight Express Active Channels

The active channels contain three major groups of channels: ArcSight Administration ArcSight Express Device Class Event Channels

The staple active channels in the ArcSight Express group are a good place to start for monitoring event flows. For instructions about how to use active channels, see Using Active Channels on page 21.

18

ArcSight Web UsersGuide

ArcSight Confidential

5 ArcSight Express Content

Monitoring with ArcSight Express Dashboards

The dashboards contain the ArcSight Administration and ArcSight Express groups. Explore the dashboards to find views you are interested in.

The example below shows the IDS-IPS dashboard, which summarizes the number of events from IDS and IPS systems. Click on any bar to view the details of the events represented in this bar in a channel.

For more about working with dashboards, see Monitoring Dashboards on page 115.

ArcSight Confidential

ArcSight Web UsersGuide

19

5 ArcSight Express Content

Reporting with ArcSight Express Reports

The reports also contain the ArcSight Administration and ArcSight Express groups.

The Security Intelligence Status Report provides a summary of event counts and top events, attacks, targets, ports, and so on, as shown in the example below.

For more about working with reports, see Using Reports on page 109.

20

ArcSight Web UsersGuide

ArcSight Confidential

Using Active Channels

The event information presented in the ArcSight Web active channel views is the same data presented in the ESM Console. The web client makes channels accessible from anywhere on your enterprise network, or even outside a firewall. Using active channels includes opening them, controlling their views, and drilling down into the individual events that channels collect. Opening Active Channels on page 21 Viewing Active Channels on page 23 Inspecting Events on page 26

Chapter 6

Opening Active Channels

To open an active channel, click its name in the Active Channels section of the Home display, or click the Channels icon in the toolbar and choose a channel in the Active Channels resource tree. Channels you click in the Home display open directly, but channels you choose in the resource tree offer a setup page before opening. Use the Open Active Channel setup display to adjust the timing, filter, and column-set parameters of the channel, if necessary. This display appears unless you have turned channel setup off (bypass channel setup) in the Channels panel of the Options display. There is also an option to hide (collapse) the channel tree on the left panel when a channel is already running. By default, this tree remains in view. Click the Show ( buttons at the top of the left panel to show or hide the folder tree. ) or Hide ( )

Active Channel Parameters

Option Channel Start Time Description Read-only field that shows the channel name. The relative or absolute time reference that begins the period in which to actively track the events in the channel. Edit the time expression or clear the Date expression check box to use an absolute date and time. The relative or absolute time reference that ends the period in which to actively track the events in the channel. Edit the time expression or clear the Date expression check box to use an absolute date and time.

End Time

ArcSight Confidential

ArcSight Web UsersGuide 21

6 Using Active Channels

Option Evaluate parameters continuously Use as Timestamp

Description Choose whether the channel will show events that are qualified by Start and End times that are re-evaluated constantly while it is running (selected), or show only the events that qualify when the channel is first run (cleared). Choose the event-timing phase that best supports your analysis. End Time represents the time the event ended, as reported by the device. Manager Receipt Time is the event's recorded arrival time at the ArcSight Manager. The Field Set you choose here determines which columns will show up in the active channel display. By default, a standard list of columns is shown in the channel. Choose an existing field set to control the selection and order of the columns in the grid or choose More Choices or click the plus sign (+) to open the Field Sets resource tree. The None option clears a field set and restores the channel to its original definition. If your ESM system is configured with domain field sets (a new ESM v5.0 feature), these will be available to select here as field set choices. For more information about domain field sets, see Domain Field Sets on page 441 in the ESM Users Guide.

Field Set

Filter Override

You can use the Filter Override to narrow the event flow in the channel to only those events that satisfy conditions you specify here. You have these options for Filter Override: Simply choose an existing filter. You can choose a recently used filter from the drop-down menu, or navigate to other filters by clicking More Choices or clicking the plus sign (+) to override the default channel filter. (The None option clears a filter choices and restores the channel to its original definition.) Explicitly specify new filter conditions for the channel by using event attributes (field groups and fields) or an existing filter (MatchesFilter) as part of a condition. Starting with ESM v5.0, you can use domain fields to create conditions on channels the same way that you use other fields. If available, domain field sets show up under Event Attributes with the other field groups. For more information about domains, see Domain Field Sets on page 441 in the ESM Users Guide. You can review the conditions of the filter in the active channel header (see Using Active Channel Headers on page 23).

Or

22

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Viewing Active Channels

This topic explains how to understand, change, and drill into the grid views of active channels.

Using Active Channel Headers

Using active channels begins with reading and understanding their headers. Headers display the following information:
Feature Name and Total Time Span Evaluation Usage The top line of the header shows the channel's name and the percentage of qualifying events that are currently loaded in the view. The Start Time and End Time show the chronological range of the channel. This flag indicates whether the channel is set to evaluate events continuously as they are received, or only once when the channel opens. Click Modify to change this parameter. This text describes the filter that limits what the channel shows. On the right side of the header is a column of event-priority category totals. The figures are the number of events in those categories. The channel state box contains a play and pause button and a refresh progress bar. This display indicates whether the channel is running or paused, and if it is running, the progress of the next refresh cycle. The Radar display in active channel headers indicates the activity taking place in the entire channel (not just the current page). Its graphics represent units of time horizontally, and numbers of events in vertical bars segmented by Priority attribute-value counts. The time and quantity scales in the graphic automatically adjust to accommodate the scope of the channel. The broader the scope, the smaller the graphical units become. To focus the grid on the event of one period, click that bar in the display. To restore the display, click Clear at the right end of the bar. Your sorting choices in the grid affect the arrangement of the activity units in the Radar. Time Range The Displaying bar below the Radar display and above the grid header shows the time range of the events selected in the Radar display and reflected in the grid. If nothing is selected, the time range shows All.

Filter Priority Totals Channel State

Radar Display

Using Active Channel Grids

Event grids display the individual events that active channels capture.

To page through a grid

Click the navigation buttons on the right side of the grid column header. The numbers represent specific pages, and the advance arrows go one step or all the way forward or back.

ArcSight Confidential

ArcSight Web UsersGuide

23

6 Using Active Channels

To use field sets

Choose a named set of fields from the Field Set drop-down menu. The sets available are usually tailored to your enterprise. Note that the field-set variables found in the ArcSight Console are not available through ArcSight Web. Choose the Field Set Customize option (if available) to temporarily add, remove, or rearrange the columns in the current grid. You can create one custom field set per channel. If your ESM system is configured with domain field sets (a new ESM v5.0 feature), these also will be available here to select as a pre-defined Field Set choice and for use with the Customize option. For more information about domain field sets, see Domain Field Sets on page 441 in the ESM Users Guide.

To sort a grid
Click any grid column heading to sort the whole view by that column. Each click toggles between ascending and descending. The default order of grids is usually determined by the End Time of events, as selected in the current active channel display.

To filter a grid
To apply an inline filter, click Inline Filter in the grid header and choose an available value from the drop-down menus for one or more columns. This enables you to filter by values already available in the channel. Click Apply to put the filter into effect. You can also filter by entering custom expressions into the text field for each column. To customize an inline filter, type a value in the text field above the column on which you want to filter, and click Apply. Supported expressions for custom filtering are shown in the table below.

24

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Supported Expressions for Inline Filtering

Type String-based Columns Supported Expressions and Examples The Contains and StartsWith operators are supported. The values for the operator must be in quotes. Examples: Contains "Event" Contains "Event" OR Contains "Top" Contains "Web" AND Contains "denied" StartsWith "Web" StartsWith "Web" OR Contains "denied" StartsWith "Web" AND Contains "denied" You can use OR and AND Boolean operators in between the expressions. The Column field name is implicitly used as the left-hand parameter. Integer and IP Address Columns The Between operator is supported. The values in the Between expression must be in quotes. Examples: For the port column: Between("20", "80") For the IP address column: Between("10.0.0.1", "10.0.0.255") For priority column: Between("1","2") OR Between("7","8") You can use OR and AND Boolean operators in between the expressions. The Column field name is implicitly used as the left-hand parameter.

To add an event to a case

Select one or more event check boxes on the left, then click Add to Case to choose an existing or new case to add it to in the Cases resource tree. Click the Existing case radio button to add the events to the case you select in the tree. Click the New case radio button to name the case and add it at the currently selected point in your personal tree. Click Add to save the assignments and return to the grid. To view the events associated with a case, click the Cases navigation button at the top of the page, choose a case, and click the Events tab for that case. For more information, see Events Tab on page 105 in Using Cases on page 99.

To change a grid's options

Click Options in the grid header to change the display's update frequency and its number of rows per page.

To save a modified channel

Click Save Channel As in the channel header to add a modified channel to your personal folder in the Active Channels resource tree. In the Save Channel As dialog box, name the channel and click Save.

To inspect an event
Click any individual event in the grid to show that event in the Event Inspector as described in Inspecting Events.

ArcSight Confidential

ArcSight Web UsersGuide

25

6 Using Active Channels

Inspecting Events
Use the Event Inspector display to examine the details of events that appear in active channels. To open the Event Inspector, click an event in an active channel's grid view. The Event Inspector shows the data fields and categories associated with the event you selected. Apart from these fields, the display has the features described below.

Event Inspector Header Features

Feature Associated Articles Usage If a knowledge base article exists for this event, the View Articles link will display the article from the Knowledge Base. If a reference page exists for this event, the View References link will display the reference page. Reference pages provide additional background on an event or a resource. These may be pre-populated by ArcSight, provided by vendors, or added by technologists in your organization. Click this link to view Additional Details on the event, such as vendor and product information, event category information, reference pages, and vulnerability pages. Click this link to run an Event Context Report that shows the events that occurred within a specified number of minutes (a window) before and after this event. Click this link to run a Rule Context Report that shows the events that occurred within a specified number of minutes (a window) before and after the current rule was invoked. Click this link to view the payload for the event. The Payload Viewer option is available only if the event has a payload associated with it. A "payload" is information carried in the body of an event's network packet, as distinct from the packet's header data. Events will include payloads only if the associated SmartConnectors are configured to send events with payloads. Click View iDefense Incident Report to view information about vulnerability IDs related to the event. This option is available only if you have VeriSign iDefense software installed and configured to interact with the Arcsight ESM system, and if the selected event has a vulnerability ID associated with it. In that case, the iDefense report provides more details on the vulnerability. Choose Field Sets to see a predefined set of event data fields rather than all fields. Use the None option to restore the default view. By default, the Hide Empty Rows check box is checked, so the display isn't filled with unused fields. Clear the check box to see all fields, even if empty.

Associated References

Additional Details

View Event Context Report View Rule Context Report

Payload Viewer

View iDefense Incident Report

Field Sets

Hide Empty Rows

26

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Event Inspector Field Features

The values for fields in events are also links. Click these values to open new channels or to filter current channels using them.
Option Create Channel [Field Name = Value] Create Channel [Field Name != Value] Add to Channel [Attribute = Value] Add to Channel [Attribute != Value] Use Open a channel containing only those events that have matching values for the selected field. Open a channel that shows only those events that do not have a matching value for the selected event. Add the attribute-value pair to the channel's filter (require that they match). Exclude the attribute-value pair from the channel's filter (require that they do not match).

Show Details for Event Attributes

View details for each attribute associated with an event. To view event attribute details inline, click the Details button ( attribute. page button ( ) next to the attribute. ) next to the

To view event attribute details on a new Web page, click the Show detail in a new

Event Categories
As of v3.0, ESM uses six primary categories and a flexible set of supporting attributes to more precisely distinguish the events reported by SmartConnectors or generated internally by ArcSight Managers. These categories appear as a field in the Event Inspector. These categories and attributes are designated by ArcSight, based on the information offered to SmartConnectors by sensors. Keep in mind that the applicability of a category always depends on the actual configuration of the environment. The category groups are: Object: The physical or virtual object that was the focus of the event. (See Object Category on page 28.) Behavior: The action taken on the object. (See Behavior Category on page 29.) Outcome: An indication of whether the action succeeded on the object. (See Outcome Category on page 31.) Device Group: The type of device from which the sensor reported the event. (See Device Group Category on page 31.) Technique: The method used to apply the action to the object (i.e., the type of attack). (See Technique Category on page 32.) Significance: A description of the security significance of the event from the reporting sensor's perspective. (See Significance Category on page 34.)

ArcSight Confidential

ArcSight Web UsersGuide

27

6 Using Active Channels

Object Category
Object Category Host Operating System Application Service Description Any end-system on the network, such as a PDA, a Windows computer, or a Linux computer. The system software that controls execution of computer programs and access to resources on a host. A software program that is not an integral part of the operating system. An application that normally executes at operating system startup. A service often accepts network connections. A database application. An application, visible on a host, that listens for network connections and can give a non-authorized user control over that host. A host that is displaying an application that can participate in a (possibly distributed) denial-of-service attack. An application that listens for, and establishes network connections to, other installations of the same application (e.g., Kazaa, Morpheus, Napster). A host that is displaying a replicating infection of a file that also executes other behaviors on the infected host. A host that is displaying a self-replicating program that spreads itself automatically over the network from one computer to the next. An operating system resource that is characteristically limited in its supply. File Process Interface Interface Tunnel Registry A long-term storage mechanism (e.g., files, directories, hard disks, etc.). A single executable module that runs concurrently with other executable modules. An interface to the network. Packaging a lower network protocol layer within a higher layer (e.g., IPSec Tunnel, HTTP tunneling). The central configuration repository for the operating system and the applications. Application-specific information is not stored here. Events directed at this object relate to consumption or use of the overall processing power of the host. Events directed at this object relate to consumption or use of the overall memory of the host. Events that cannot be clearly associated with a host's subitem. Events that involve transport, or many hosts on the same subnet.

Database Backdoor

DoS Client

Peer to Peer

Virus

Worm

Resource

CPU Memory Network

28

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Object Category Routing Switching Actor User Group Vector Virus Worm

Description Routing related events such as BGP. Switching related events such as VLANS.

A single human identity. A named collection of users, such as an employee division or social group. The replication path for a section of malicious code. A replicating infection of a file that also executes other behaviors on the infected host. A self-replicating program that automatically spreads itself across the network, from one computer to the next. An application that listens for network connections and can give a non-authorized user control over that host. An application that will participate in a (possibly distributed) denial-of-service attack.

Backdoor DoS Client

Behavior Category
Behavior Category Access Start Stop Authentication Add Delete Modify Verify Authorization Add Delete Modify Verify Communicate Description Refers to accessing objects, as in reading. The start of an ongoing access, such as login. The end of an ongoing access, such as logging out. Actions that support authentication. Adding new authentication credentials. Deleting authentication credentials. Modifying authentication credentials. Credential verification, such as when logins occur. Authorization-related actions. Adding a privilege for the associated object (e.g., a user). Removing a privilege for the associated object (e.g., a user). Modifying the existing privileges for the associated user or entity. An authorization check, such as a privilege check. Transactions that occur over the wire.

ArcSight Confidential

ArcSight Web UsersGuide

29

6 Using Active Channels

Behavior Category Query Response Create

Description Communicating a request to a service. Communicating a response to a request, from a service. Seeks to create resources, install applications or services, or otherwise cause a new instance of an object. The reverse of creation events. Includes uninstalling applications, services, or similar activity. Involves loading or executing code, booting or shutting systems down, and similar activity. Start The beginning of execution of an application or service. This event is clearly distinguished from a lone "Execute" attribute. The termination of execution of an application or service. This event is clearly distinguished from a lone "Execute" attribute. A query sent to a specific entity - but not over the network (e.g., as when generating a report). The answer returned by an Execute/Query. For example, a report delivered back from an application, or status messages from applications. Involves changing some aspect of an object. Content Attribute Configuration Changing the object's content, such as writing to or deleting from a file or database. Changing some attribute of an object, such as a file name, modification date, or create date. Changing an object's configuration. For example, application, operating system, or registry changes. Replacing files, upgrading software, or service or host failovers. Noticing an object or its state. Vulnerable Misconfigured Insecure An exploitable state that is characteristic of a particular hardware or software release. An exploitable state caused by a weak configuration or similar mishandling. An exploitable state that arises from poor management or implementation. For example, weak authentication, weak passwords, passwords passed in the clear, default passwords, or simplistically named accounts. The targeted object was found to be exhausted (e.g., not enough file descriptors available).

Delete Execute

Stop

Query Response

Modify

Substitute Found

Exhausted

30

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Outcome Category
These attributes indicate the probable success or failure of the specified event, within an overall context. For example, the outcome of an event such as an "operation failed" error message can be reported as a "/Success" given that the operation can be presumed to have actually caused a failure. Another example would be an event that identifies a Code Red infection: on a host running Linux the outcome would be "/Failure" (Code Red is Windows-only) while the same event directed at a host with an unknown OS would be reported as an "/Attempt.
Outcome Category Attempt Failure Success

Description The event occurred but its success or failure cannot be determined. The event can be reasonable presumed to have failed. The event can be reasonable presumed to have succeeded.

Device Group Category

Device Group Category Application Assessment Tool Security Information Manager Firewall IDS Network Host Antivirus File Integrity Identity Management Operating System Network Equipment Router Switches VPN Description An application program. A network- or host-based scanner that monitors issues such as vulnerability, configurations, and ports. A security-event processing correlation engine (e.g. the ESM Manager). This "device" deals only in correlated events. A firewall. An intrusion-detection system. A network-based intrusion-detection system. A host-based intrusion-detection system. An anti-virus scanner. A file-integrity scanner. Identity management. An operating system. Network equipment. A network device with routing (layer 3) capabilities. A network device with switching (layer 2) capabilities. A virtual private network.

ArcSight Confidential

ArcSight Web UsersGuide

31

6 Using Active Channels

Technique Category
Technique Category Traffic Network Layer IP Fragment Man in the Middle Spoof Flow Transport Layer Hijack Spoof Flow Description An anomaly in the network traffic, such as non-RFC compliance. Anomalies related to IP, ICMP, and other network-layer protocols. Fragmented IP packets. A man-in-the-middle attack. Spoofing a source or destination IP address. A problem in network-layer communication logic, such as an out-of-order IP fragment. Anomalies related to TCP, UDP, SSL, and other transport-layer protocols. Hijacking a connection. Spoofing a transport layer property (e.g., a TCP port number, or an SSL entity). A problem in TCP connections or flows, such as a SYNACK without SYN, a sequence number mismatch, or time exceeded. Application-layer anomalies. A peer does not follow the order of commands. A syntax error in an application-layer command. A command which does not exist or is not supported. A man-in-the-middle attack on the application layer.

Application Layer Flow Syntax Error Unsupported Command Man in the Middle

Exploit

Vulnerability Weak Configuration

Exploiting a vulnerability (e.g., a buffer overflow, code injection, or format string. Exploitation of a weak configuration. This is something that could be remedied easily by changing the configuration of the service (e.g., weak passwords, default passwords, insecure software versions, or open SMTP relays). A user identity has received an increase in its user privileges. A user identity is attempting to browse or methodically review directories for which it may not have appropriate privileges. Brute-force attacks. Continued trials for logins. Continued trials for URLs to access information or scripts.

Privilege Escalation Directory Transversal Brute Force Login URL Guessing

32

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Technique Category Redirection ICMP DNS Routing Protocols IP Application

Description Redirecting an entity. ICMP redirects. Unauthorized DNS changes. Attacks aimed at routing protocols (e.g., BGP, RIP, OSPF). Redirection using the IP protocol (e.g., source routing). Redirection attacks on the application layer (e.g., cross-site scripting, mail routing, or JavaScript spoofing). Either the execution or transmission of executable code, or the transmission of a distinctive response from executed code. The code in question is concealed within other code that serves as a Trojan Horse. In other words, it appears to be one thing (that is safe) but is really another (which is unsafe). The code in question is intended to invoke an application command. The code in question is intended to be executed in a shell. Code associated with a worm. Code associated with a virus. Any type of scanning. A network, host, application, or operating system scan can be identified through the specified object. Multiple ports are scanned. A service is scanned (e.g., DoS client discovery, backdoors, RPC services, or scans for a specific application such as NMB). Scanning for hosts on a network. A search for responding protocols. Note that TCP and UDP are not the only transport protocols available. A scan for vulnerabilities. A denial of service (DoS) attack is in progress. Information leaking out of its intended environment (e.g., mail messages leaking out, system file access, FTP data access, or web document access). Convert Channel Leakage was detected from a covert channel, such as Loki. Policy-related violations such as pornographic web site access. Breach A policy-related security breach occurred.

Code Execution

Trojan

Application Command Shell Command Worm Virus Scan

Port Service

Host IP Protocol Vulnerability DoS Information Leak

Policy

ArcSight Confidential

ArcSight Web UsersGuide

33

6 Using Active Channels

Technique Category Compliant

Description A policy-compliant event occurred.

Significance Category
Significance Category Compromise Hostile Informational Error Warning Alert Normal Recon Suspicious Description A potentially compromising event occurred. A malicious event has happened or is happening. Events considered worthy of inspection; for example, those produced by polling. An execution problem. A possible problem. A situational problem that requires immediate attention. Ordinary or expected activity that is significant only for forensic purposes. Relates to scans and other reconnaissance activity. A potentially malicious event occurred.

Event Data Fields

The security monitoring devices throughout your organization report events that are collected, filtered, and formatted by ArcSight SmartConnectors and passed to ArcSight Managers for analytic processing. The events that appear in your client are composed of several data fields, each of which has its own characteristics. Event data fields fall into the groups shown below. Most groups have several attributes. Connector Attacker Category Destination Device Device Custom Event Event Annotation File Final Device Flex Manager

34

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Old File Original Agent Request Source Target Threat

Connector
This category falls into the device-to-Manager information chain. The chain begins at Device, which is the actual network hardware that senses an event. In cases where data is concentrated or otherwise pre-processed, it may be passed to a trusted reporting Final Device before reaching an Original Agent (agents are also known as SmartConnectors). Although the Original Agent is usually the only connector, if the data passes up through a Manager hierarchy the chain will include handling by Connector stages that are the ArcSight Manager SmartConnectors that facilitate Manager-to-Manager connections.
Default Turbo Level 1 1 1 1 1 1 1

Group Connector

Label Address

Script Alias connectorAddress

Data Type IP address

Description The IP address of the device hosting the SmartConnector. The asset that represents the device hosting the SmartConnector. The connector's asset name. The connector resource. The connector descriptor. The Domain Name Service domain name associated with the device hosting the SmartConnector. The name of the device hosting the SmartConnector.

Connector

Asset ID

connectorAssetId

Resource

Connector Connector Connector Connector

Asset Name Asset Resource Descriptor ID DNS Domain

connectorAssetName connectorAssetResource connectorDescriptorId connectorDnsDomain

String Resource ID String

Connector

Host Name

connectorHostName

String

ArcSight Confidential

ArcSight Web UsersGuide

35

6 Using Active Channels

Group Connector

Label ID

Script Alias connectorId

Data Type String

Default Turbo Level 1 1 1 1 2 1 1 1 1

Description The identifier associated with the SmartConnector configuration resource. The format is connectorID(1) | connectorID(2) | The MAC address associated with the SmartConnector (which may or may not be the MAC address of the host device.) The user-supplied name of the associated SmartConnector configuration resource. The Windows NT domain associated with the device hosting the SmartConnector. The time the event arrived at the SmartConnector. The normalized ArcSight form of the event severity value provided by the SmartConnector. The time zone reported by the device hosting the SmartConnector (as TLA). The time zone reported by the device hosting the SmartConnector (shown as a UTC offset). Note that device times may be less accurate than other sources. If network address translation is an issue, this is the translated IP address of the device hosting the SmartConnector.

Connector

MAC Address

connectorMacAddress

MacAddre ss

Connector

Name

connectorName

String

Connector

NT Domain

connectorNtDomain

String

Connector

Receipt Time Severity

connectorReceiptTime

DateTime

Connector

connectorSeverity

Connector Severity Enumerati on String

Connector

Time Zone

connectorTimeZone

Connector

Time Zone Offset

connectorTimeZoneOffset

Integer

Connector

Translated Address

connectorTranslatedAddress

IP address

36

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Group Connector

Label Translated Zone

Script Alias connectorTranslatedZone

Data Type Zone

Default Turbo Level 1 1 1 1 1 1 1 1 1 1

Description If network address translation is an issue, this is the Network Zone associated with the translated IP address of the device hosting the SmartConnector. See the common set of resource attributes.

Connector

Translated Zone External ID Translated Zone ID Translated Zone Name

connectorTranslatedZoneExt ernalID

String

Connector Connector

connectorTranslatedZoneID connectorTranslatedZoneNa me

String String

See the common set of resource attributes. See the common set of resource attributes. Returns the name from the URI. It assumes that the name is always the last field of the URI. See the common set of resource attributes. Returns the unique descriptor ID for this reference. See the common set of resource attributes. Locates the resource described by this reference. See the common set of resource attributes. A description of the type of SmartConnector that reported the event. The software revision number of the SmartConnector that reported the event The network zone in which the device hosting this SmartConnector resides.

Connector

Translated Zone Reference ID Translated Zone Resource

connectorTranslatedZoneRef erenceID

ID

Connector

connectorTranslatedZoneRe source

Resource

Connector Connector

Translated Zone URI Type

connectorTranslatedZoneUR I connectorType

String String

Connector

Version

connectorVersion

String

Connector

Zone

connectorZone

Zone

ArcSight Confidential

ArcSight Web UsersGuide

37

6 Using Active Channels

Group Connector

Label Zone External ID Zone ID Zone Name Zone Reference ID Zone Resource Zone URI

Script Alias connectorZoneExternalID

Data Type String

Default Turbo Level 1 1 1 1 1 1 Default Turbo Level 1 2 2 2

Description See the common set of resource attributes. See the common set of resource attributes. See the common set of resource attributes. See the common set of resource attributes. See the common set of resource attributes. Returns the URI for this reference.

Connector Connector Connector

connectorZoneID connectorZoneName connectorZoneReferenceID

String String ID

Connector Connector

connectorZoneResource connectorZoneURI

Resource String

Attacker

Group Attacker

Label Address

Script Alias attackerAddress

Data Type IP address

Description The IP address of the device hosting the attacker. The asset that represents the device hosting the attacker. The name of the asset that represents the device hosting the attacker. See the common set of resource attributes

Attacker

Asset ID

attackerAssetId

Resource

Attacker

Asset Name

attackerAssetName

String

Attacker

Asset Resource

attackerAssetResource

Resource

38

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Group Attacker

Label DNS Domain

Script Alias attackerDnsDomain

Data Type String

Default Turbo Level 2 2 1 1 1 1 1 1 L o c a ti o n 1 1 1 2

Description The Domain Name Service domain name associated with the device hosting the attacker. The fully qualified domain name associated with the device hosting the attacker. See the common set of geographical attributes. See the common set of geographical attributes. See the common set of geographical attributes. See the common set of geographical attributes. See the common set of geographical attributes. See the common set of geographical attributes. See the common set of geographical attributes.

Attacker

FQDN

attackerFqdn

String

Attacker Attacker

Geo Geo Country Code Geo Country Flag URL Geo Country Name Geo Descriptor ID Geo Latitude Geo Location Info

attackerGeo attackerGeoCountryCode

GeoDescri ptor String

Attacker

attackerGeoCountryFlagUrl

String

Attacker

attackerGeoCountryName

String

Attacker

attackerGeoDescriptorId

ID

Attacker Attacker

attackerGeoLatitude attackerGeoLocationInfo

Double String

Attacker Attacker

Geo Longitude Geo Postal Code Geo Region Code Host Name

attackerGeoLongitude attackerGeoPostalCode

Double String

See the common set of geographical attributes. See the common set of geographical attributes. See the common set of geographical attributes. The name of the device hosting the attacker.

Attacker

attackerGeoRegionCode

String

Attacker

attackerHostName

String

ArcSight Confidential

ArcSight Web UsersGuide

39

6 Using Active Channels

Group Attacker

Label MAC Address

Script Alias attackerMacAddress

Data Type MAC address

Default Turbo Level 2 2 1 2 2 1 1 1 1 1

Description The MAC address associated with the source of the attack (which may or may not be the MAC address of the host device). The Windows NT domain associated with the device hosting the attacker. The network port associated with the source of the attack. The name of process associated with the source of the attack. The name of service associated with the source of the attack. If network address translation is an issue, this is the translated IP address of the device hosting the attacker. If network address translation is an issue, this is the translated source port associated with the attack. This can happen in a NAT environment. If network address translation is an issue, this is the network zone associated with the translated IP address of the device hosting the attacker. See the common set of resource attributes.

Attacker

NT Domain

attackerNtDomain

String

Attacker

Port

attackerPort

Integer

Attacker

Process Name Service Name Translated Address

attackerProcessName

String

Attacker

attackerServiceName

String

Attacker

attackerTranslatedAddress

IP address

Attacker

Translated Port

attackerTranslatedPort

Integer

Attacker

Translated Zone

attackerTranslatedZone

Zone

Attacker

Translated Zone External ID Translated Zone ID

attackerTranslatedZoneExte rnalID

String

Attacker

attackerTranslatedZoneID

String

See the common set of resource attributes.

40

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Group Attacker

Label Translated Zone Name

Script Alias attackerTranslatedZoneNam e

Data Type String

Default Turbo Level 1 1 1 1 2 2 2 1 1 1 1 1 1

Description See the common set of resource attributes. It is assumed that the name is always the last field of the URI. See the common set of resource attributes.

Attacker

Translated Zone Reference ID Translated Zone Resource Translated Zone URI User ID

attackerTranslatedZoneRefe renceID

ID

Attacker

attackerTranslatedZoneReso urce attackerTranslatedZoneURI attackerUserId

Resource

See the common set of resource attributes. See the common set of resource attributes. The identifier associated with the OS or application of the attacker, at the source of the attack. The name associated with the attacker, at the source of the attack. The user-privilege associated with the attacker, at the source of the attack. The network zone in which the attacker's device resides. See the common set of resource attributes. See the common set of resource attributes. See the common set of resource attributes. It is assumed that the name is always the last field of the URI. See the common set of resource attributes. See the common set of resource attributes.

Attacker Attacker

String String

Attacker

User Name User Privileges

attackerUserName

String

Attacker

attackerUserPrivileges

String

Attacker

Zone

attackerZone

Zone

Attacker

Zone External ID Zone ID Zone Name

attackerZoneExternalID

String

Attacker Attacker

attackerZoneID attackerZoneName

String String

Attacker

Zone Reference ID Zone Resource

attackerZoneReferenceID

ID

Attacker

attackerZoneResource

Resource

ArcSight Confidential

ArcSight Web UsersGuide

41

6 Using Active Channels

Group Attacker

Label Zone URI

Script Alias attackerZoneURI

Data Type String

Default Turbo Level 1 Default Turbo Level 1 1 1 1 1 1 1 1

Description See the common set of resource attributes.

Category
See Event Categories on page 27 for a complete description of the event category types and their supporting attributes.

Group Category

Label Behavior

Script Alias categoryBehavior

Data Type String

Description Describes the action taken with or by the object. Describes the content of a custom formatted field, if present. The unique ID for the sensor that reported the event Describes the type of event this event represents. Describes the physical or virtual object that was the focus of the event Indicates whether the action was successfully applied to the object. Characterizes the event from a networkintrusion-detection perspective. Describes the method used to apply the action to the object.

Category

Custom Format Field Descriptor ID Device Group Object

categoryCustomFormatField

String

Category

categoryDescriptorId

ID

Category

categoryDeviceGroup

String

Category

categoryObject

String

Category

Outcome

categoryOutcome

String

Category

Significan ce

categorySignificance

String

Category

Technique

categoryTechnique

String

42

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Group Category

Label Tuple Descriptio n

Script Alias categoryTupleDescription

Data Type String

Default Turbo Level 1 Default Turbo Level 1 2 2 2 2 2 1

Description The prose description of the event category, assembled from the category components.

Destination

Group Destination Destination

Label Address Asset ID

Script Alias destinationAddress destinationAssetId

Data Type IP address Resource

Description The IP address of the destination device. The asset that represents the device that was the network traffic's destination. See the common set of resource attributes. See the common set of resource attributes. The Domain Name Service domain name associated with the user at the destination device. The fully qualified domain name associated with the destination device. See the common set of geographical attributes. The country code.

Destination Destination Destination

Asset Name Asset Resource DNS Domain

destinationAssetName destinationAssetResource destinationDnsDomain

String Resource String

Destination

FQDN

destinationFqdn

String

Destination Destination

Geo Geo Country Code

destinationGeo destinationGeoCountryCode

GeoDescri ptor String

ArcSight Confidential

ArcSight Web UsersGuide

43

6 Using Active Channels

Group Destination

Label Geo Country Flag URL Geo Country Name Geo Descriptor ID Geo Latitude Geo Location Info Geo Longitude Geo Postal Code Geo Region Code Host Name MAC Address

Script Alias destinationGeoCountryFlag Url destinationGeoCountryNam e destinationGeoDescriptorId

Data Type String

Default Turbo Level 1 1 1 1 1 1 1 1 2 2 2 1 2

Description The country flag.

Destination

String

The country name.

Destination

ID

See the common set of geographical attributes. The destination latitude. The destination location. The destination longitude. The destination postal code. See the common set of geographical attributes. The name of the destination device. The MAC address associated with the network traffic's destination (which may or may not be the MAC address of the host device). The Windows NT domain associated with the destination device. The network port associated with the network traffic's destination. The name of process associated with the network traffic's destination.

Destination Destination

destinationGeoLatitude destinationGeoLocationInfo

Double String

Destination Destination

destinationGeoLongitude destinationGeoPostalCode

Double String

Destination

destinationGeoRegionCode

String

Destination Destination

destinationHostName destinationMacAddress

String MAC address

Destination

NT Domain Port

destinationNtDomain

String

Destination

destinationPort

Integer

Destination

Process Name

destinationProcessName

String

44

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Group Destination

Label Service Name

Script Alias destinationServiceName

Data Type String

Default Turbo Level 2 1 1 1 1 1 1 1 1 1 2

Description The name of service associated with the network traffic's destination. If network address translation is an issue, this is the translated IP address of the device that was the network traffic's destination. If network address translation is an issue, this is the translated source port associated with the attack. If network address translation is an issue, this is the network zone associated with the translated IP address of the device at the network's traffic's destination. See the common set of resource attributes.

Destination

Translated Address

destinationTranslatedAddres s

IP address

Destination

Translated Port

destinationTranslatedPort

Integer

Destination

Translated Zone

destinationTranslatedZone

Zone

Destination

Translated Zone External ID Translated Zone ID Translated Zone Name Translated Zone Reference Translated Zone Resource Translated Zone URI User ID

destinationTranslatedZoneE xternalID

String

Destination Destination

destinationTranslatedZoneI D destinationTranslatedZoneN ame destinationTranslatedZoneR eferenceID destinationTranslatedZoneR esource destinationTranslatedZoneU RI destinationUserId

String String

See the common set of resource attributes. See the common set of resource attributes. See the common set of resource attributes. See the common set of resource attributes. See the common set of resource attributes. The OS- or applicationbased identifier associated with the user at the network traffic's destination.

Destination

ID

Destination

Resource

Destination Destination

String String

ArcSight Confidential

ArcSight Web UsersGuide

45

6 Using Active Channels

Group Destination

Label User Name

Script Alias destinationUserName

Data Type String

Default Turbo Level 2 2 1 1 1 1 1 1 1

Description The name associated with the user at the network traffic's destination. The privileges accorded the user at the network traffic destination. The network zone in which the destination device resides. See the common set of resource attributes. See the common set of resource attributes. See the common set of resource attributes. Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database. See the common set of resource attributes. See the common set of resource attributes.

Destination

User Privileges Zone

destinationUserPrivileges

String

Destination

destinationZone

Zone

Destination

Zone External ID Zone ID Zone Name Zone Reference ID

destinationZoneExternalID

String

Destination Destination Destination

destinationZoneID destinationZoneName destinationZoneReferenceID

String String ID

Destination Destination

Zone Resource Zone URI

destinationZoneResource destinationZoneURI

Resource String

Device
This category falls into the device-to-Manager information chain. The chain begins at Device, which is the actual network hardware that senses an event. In cases where data is concentrated or otherwise pre-processed, it may be passed to a trusted reporting Final Device before reaching an Original Connector. Although the Original Connector is usually the only connector, if the data passes up through a Manager hierarchy the chain will

46

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

include handling by Connector stages that are the ESM Manager SmartConnectors that facilitate Manager-to-Manager connections.
Default Turbo Level 2 1 1 1 1 1 2 1 2 2 2 1 1

Group Device

Label Action

Script Alias deviceAction

Data Type String

Description The device-specific description of some activity associated with the event The IP address of the device hosting the sensor. The asset that represents the device hosting the sensor. The name of the device. The resource the asset represents. The asset's descriptor ID. Whether the traffic was inbound or outbound. The Domain Name Service domain name associated with the device hosting the sensor. The specific domain containing the sensor device associated with the event The category description included with the event as reported by the device. The device-specific identifier associated with this type of event The external identifier associated with this sensor device, if provided by the vendor. The sensor submodule that reported the event

Device

Address

deviceAddress

IP address

Device

Asset ID

deviceAssetId

Resource

Device Device Device Device

Asset Name Asset Resource Descriptor ID Direction

deviceAssetName deviceAssetResource deviceDescriptorId deviceDirection

String Resource ID DeviceDir ectionEnu meration String

Device

DNS Domain

deviceDnsDomain

Device

Domain

deviceDomain

String

Device

Event Category

deviceEventCategory

String

Device

Event Class ID External ID

deviceEventClassId

String

Device

deviceExternalId

String

Device

Facility

deviceFacility

String

ArcSight Confidential

ArcSight Web UsersGuide

47

6 Using Active Channels

Group Device Device

Label Host Name Inbound Interface

Script Alias deviceHostName deviceInboundInterface

Data Type String String

Default Turbo Level 1 1 1 1 1 2 1 1 2 2 1

Description The name of the device hosting the sensor. The NIC card on the sensor device that received the network traffic associated with the event. The MAC address associated with the source of the attack (which may or may not be the MAC address of the host device). The Windows NT domain associated with the device hosting the sensor. The NIC card on the sensor device that transmitted the network traffic associated with the event. The internal identifier associated with a payload object associated with this event. The sensor device process that reported the event. The product name of the sensor device. The time when the sensor device observed the event. The device-specific assessment of event severity. This assessment varies with the device involved. The time zone reported by the device hosting the sensor device (shown as TLA).

Device

MAC Address

deviceMacAddress

MAC address

Device

NT Domain

deviceNtDomain

String

Device

Outbound Interface

deviceOutboundInterface

String

Device

Payload ID

devicePayloadId

String

Device

Process Name Product Receipt Time Severity

deviceProcessName

String

Device Device

deviceProduct deviceReceiptTime

String DateTime

Device

deviceSeverity

String

Device

Time Zone

deviceTimeZone

String

48

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Group Device

Label Time Zone Offset

Script Alias deviceTimeZoneOffset

Data Type Integer

Default Turbo Level 1 1 1 1 1 1 1 1 1 1 1

Description The time zone reported by the device hosting this sensor device (shown as an offset from UTC). If network address translation is an issue, this is the translated IP address of the device hosting the sensor. If network address translation is an issue, this is the network zone associated with the translated IP address of the device hosting the sensor. See the common set of resource attributes.

Device

Translated Address

deviceTranslatedAddress

IP address

Device

Translated Zone

deviceTranslatedZone

Zone

Device

Translated Zone External ID Translated Zone ID Translated Zone Name Translated Zone Resource

deviceTranslatedZoneExtern alID

String

Device Device

deviceTranslatedZoneID deviceTranslatedZoneName

String String

See the common set of resource attributes. See the common set of resource attributes. Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database. See the common set of resource attributes. See the common set of resource attributes. The vendor who manufactured or sold the sensor device. The software revision number of the sensor device.

Device

deviceTranslatedZoneRefere nceID

ID

Device

Translated Zone Resource Translated Zone URI Vendor

deviceTranslatedZoneResour ce deviceTranslatedZoneURI deviceVendor

Resource

Device Device

String String

Device

Version

deviceVersion

String

ArcSight Confidential

ArcSight Web UsersGuide

49

6 Using Active Channels

Group Device

Label Zone

Script Alias deviceZone

Data Type Zone

Default Turbo Level 1 1 1 1 1 1 1 Default Turbo Level 2 2 2 2

Description The network zone in which the sensor's device resides. See the common set of resource attributes. See the common set of resource attributes. See the common set of resource attributes. Returns the unique descriptor ID for this reference. This is populated only if this reference has been persisted and given a unique database identifier. See the common set of resource attributes. See the common set of resource attributes.

Device

Zone External ID Zone ID Zone Name Zone Reference ID

deviceZoneExternalID

String

Device Device Device

deviceZoneID deviceZoneName deviceZoneReferenceID

String String ID

Device Device

Zone Resource Zone URI

deviceZoneResource deviceZoneURI

Resource String

Device Custom

Group Device Custom Device Custom Device Custom Device Custom

Label Date1 Date1 Label Date2 Date2 Label

Script Alias deviceCustomDate1 deviceCustomDate1Label deviceCustomDate2 deviceCustomDate2Label

Data Type DateTime String DateTime String

Description First customDate First customDate label Second customDate Second customDate label

50

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Group Device Custom Device Custom Device Custom Device Custom Device Custom Device Custom Device Custom Device Custom Device Custom Device Custom Device Custom Device Custom Device Custom Device Custom Device Custom Device Custom Device Custom Device Custom Device Custom

Label Descriptor ID Number1 Number1 Label Number2 Number2 Label Number3 Number3 Label String1 String1 Label String2 String2 Label String3 String3 Label String4 String4 Label String5 String5 Label String6 String6 Label

Script Alias deviceCustomDescriptorId deviceCustomNumber1 deviceCustomNumber1Labe l deviceCustomNumber2 deviceCustomNumber2Labe l deviceCustomNumber3 deviceCustomNumber3Labe l deviceCustomString1 deviceCustomString1Label deviceCustomString2 deviceCustomString2Label deviceCustomString3 deviceCustomString3Label deviceCustomString4 deviceCustomString4Label deviceCustomString5 deviceCustomString5Label deviceCustomString6 deviceCustomString6Label

Data Type ID Long String Long String Long String String String String String String String String String String String String String

Default Turbo Level 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2

Description Custom descriptior ID First customNumber First customNumber label Second customNumber Second customNumber label Third customNumber Third customNumber label First customString First customString label Second customString Second customString label Third customString Third customString label Fourth customString Fourth customString label Fifth customString Fifth customString label Sixth customString Sixth customString label

ArcSight Confidential

ArcSight Web UsersGuide

51

6 Using Active Channels

Event
Default Turbo Level 3 n / a 2 1 2 2 2 2

Group Event Event

Label Additional Data Aggregated Event Count

Script Alias additionalData (not applicable)

Data Type AdditionalData (not applicable)

Description Reference to additional data. A derived field that reports the number of actual events collectively represented by the event in question. A description of the application layer protocol. May be set, but defaults to Target Port lookup (FTP). The number of events upon which this event is based (e.g., type == BASE|ACTION). The array of event IDs that contributed to generating this correlation event. This is populated only in correlated events. Number of bytes transferred into the device during this transaction (this would typically be associated with entries in HTTP logs). Number of bytes transferred out of the device during this transaction (this would typically be associated with entries in HTTP logs). The chain of concentrators that forwarded the event This is not yet exposed in the user interface.

Event

Application Protocol

applicationProtocol

String

Event

Base Event Count

baseEventCount

Integer

Event

Base Event IDs

baseEventIds

ID

Event

Bytes In

bytesIn

Integer

Event

Bytes Out

bytesOut

Integer

Event

Concentrator Connectors

concentratorConne ctors

ConnectorDes criptor

52

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Group Event

Label Concentrator Devices

Script Alias concentratorDevice s

Data Type DeviceDescript or

Default Turbo Level 2 n / a 2 1 1 1 1 1 1

Description The list of devices that concentrate events, if applicable. This is not exposed in the user interface. A derived field that reports the number of actual events that had to occur to cause a correlation event to occur. The signature of the event object (meaning in this alert, as opposed to the occurrence represented by the event). Not yet supported. The "customer" resource reference. This is used in MSSP environments to describe the client or divisional entity to whom the event applies. Returns the external ID for this reference. Returns the ID for the resource in this resource reference. Returns the name from the URI, which is always assumed to be the last field of the URI. Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database. Locates the resource described by this reference.

Event

Correlated Event Count

(not applicable)

(not applicable)

Event

Crypto Signature

cryptoSignature

String

Event

Customer

customer

Customer

Event Event

Customer External ID Customer ID

customerExternalI D customerID

String String

Event

Customer Name

customerName

String

Event

Customer Reference ID

customerReference ID

ID

Event

Customer Resource

customerResource

Resource

ArcSight Confidential

ArcSight Web UsersGuide

53

6 Using Active Channels

Group Event Event Event Event

Label Customer URI End Time Event ID External ID

Script Alias customerURI endTime eventId externalId

Data Type String DateTime ID String

Default Turbo Level 1 1 1 2 1 1 1 1 1 1 1

Description Returns the URI for this reference. Event ends (defaults to deviceReceiptTime). Long value identifying an event. A reference to the ID used by an external device. This is useful for tracking devices that create events that contain references to these IDs (e.g., ManHunt). The "generator" resource reference (the resource that generated the event. This is the subcomponent in the connector that generates the event. Returns the external ID for this reference. Returns the ID for the resource in this resource reference. Returns the name from the URI, which is always assumed to be the last field of the URI. Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database. Locates the resource described by this reference. Returns the URI for this reference.

Event

Generator

generator

null

Event Event

Generator External ID Generator ID

generatorExternalI D generatorID

String String

Event

Generator Name

generatorName

String

Event

Generator Reference ID

generatorReferenc eID

ID

Event

Generator Resource Generator URI

generatorResource

Resource

Event

generatorURI

String

54

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Group Event Event

Label Locality Message

Script Alias locality message

Data Type LocalityEnume ration String

Default Turbo Level 2 2 1 1 2 1 2

Description The locality associated with the event. A brief comment associated with this event. An arbitrary string that describes this type of event. Event details included in other parts of an event shouldn't be used in the event name. Holds the value of Source|Destination. This determines whether source and destination should be translated to attacker and target or they should be inversed. There are two states: Persisted or Transient. Events default to being Transient and are marked as Persisted as soon as they reach the Batch Alert Persistor or when they are loaded by the Alert Broker. The original log entry reported by the sensor (synthesized when the sensor does not log to a file or text stream). A single rule can issue many events, based on several triggers, starting with On First Event and ending with On Threshold Timeout. All such events for a single Rule and a single Group By tuple will be marked with the same identifier using this attribute.

Event

Name

name

String

Event

Originator

originator

OriginatorEnu meration

Event

Persistence

persistence

PersistenceEn umeration

Event

Raw Event

rawEvent

String

Event

Rule Thread ID

ruleThreadId

String

ArcSight Confidential

ArcSight Web UsersGuide

55

6 Using Active Channels

Group Event

Label Session ID

Script Alias sessionId

Data Type Long

Default Turbo Level 2 1 1 1 2 2 2 2 2 2

Description Tags for events created by a correlation simulation, as part of a particular simulation. Event begins (defaults to deviceReceiptTime). The format of the transmitted data associated with the event from a network transport perspective (e.g., TCP, UDP). One of the event types: Base, Correlation, Aggregation, or Action. The vulnerability resource that represents the vulnerability or exposure that may be exploited by this event and is present on the targeted device according to our network model. Returns the external ID for this reference. Returns the ID for the resource in this resource reference. Returns the name from the URI, which is always assumed to be the last field of the URI. Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database. Locates the resource described by this reference.

Event Event

Start Time Transport Protocol

startTime transportProtocol

DateTime String

Event

Type

type

TypeEnumerati on Vulnerability

Event

Vulnerability

vulnerability

Event Event

Vulnerability External ID Vulnerability ID Vulnerability Name

vulnerabilityExtern alID vulnerabilityID

String String

Event

vulnerabilityName

String

Event

Vulnerability Reference ID

vulnerabilityRefere nceID

ID

Event

Vulnerability Resource

vulnerabilityResour ce

Resource

56

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Group Event

Label Vulnerability URI

Script Alias vulnerabilityURI

Data Type String

Default Turbo Level 2 Default Turbo Level 2 2 2 2 2 2 2 2 2

Description Returns the URI for this reference.

Event Annotation

Group Event Annotation

Label Audit Trail

Script Alias eventAnnotationAuditTrail

Data Type String

Description The text log of annotation changes. Changes are recorded as sets of commaseparated-value entries. A text description of the event or associated information. The timestamp for an eventannotation. The event ID for the annotation event. The state of the collaboration flags. The time the Manager received the event annotation. The time the annotation was modified. The user ID of the person who last edited this annotation. Returns the external ID for this reference.

Event Annotation Event Annotation Event Annotation Event Annotation Event Annotation Event Annotation Event Annotation Event Annotation

Comment

eventAnnotationComment

String

End Time Event ID Flags Manager Receipt Time Modificati on Time Modified By Modified By External ID

eventAnnotationEndTime eventAnnotationEventId eventAnnotationFlags eventAnnotationManagerRe ceiptTime eventAnnotationModificatio nTime eventAnnotationModifiedBy

DateTime ID FlagsValu eSet DateTime

DateTime

User

eventAnnotationModifiedBy ExternalID

String

ArcSight Confidential

ArcSight Web UsersGuide

57

6 Using Active Channels

Group Event Annotation Event Annotation Event Annotation

Label Modified By ID Modified By Name Modified By Reference ID

Script Alias eventAnnotationModifiedByI D eventAnnotationModifiedBy Name eventAnnotationModifiedBy ReferenceID

Data Type String

Default Turbo Level 2 2 2 2 2 2 2 2 2 2 2

Description Returns the ID for the resource in this resource reference. Returns the name from the URI (the last field of the URI). Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database. Locates the resource described by this reference. Returns the URI for this reference. The current disposition of the event. This enables annotation workflow. The reference to an internal identifier for another event. It is used by 'Mark Similar'. Returns the external ID for this reference. Returns the ID for the resource in this resource reference. Returns the name from the URI, which is always assumed to be the last field of the URI. Returns the unique descriptor ID for this reference. This is populated only if this reference is stored and uniquely identified in the database.

String

ID

Event Annotation Event Annotation Event Annotation

Modified By Resource Modified By URI Stage

eventAnnotationModifiedBy Resource eventAnnotationModifiedBy URI eventAnnotationStage

Resource

String Stage

Event Annotation

Stage Event ID

eventAnnotationStageEvent Id

ID

Event Annotation Event Annotation Event Annotation

Stage External ID Stage ID

eventAnnotationStageExter nalID eventAnnotationStageID

String

String

Stage Name

eventAnnotationStageName

String

Event Annotation

Stage Reference ID

eventAnnotationStageRefer enceID

ID

58

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Group Event Annotation Event Annotation Event Annotation Event Annotation

Label Stage Resource Stage Update Time Stage URI Stage User

Script Alias eventAnnotationStageResou rce eventAnnotationStageUpdat eTime eventAnnotationStageURI eventAnnotationStageUser

Data Type Resource

Default Turbo Level 2 2 2 2 2 2 2 2 2 2 2

Description Locates the resource described by this reference. The time of the last stage change (in UTC). Returns the URI for this reference. The user associated with the current stage. This implements assignment within workflow. Returns the external ID for this reference.

ID

String User

Event Annotation

Stage User External ID Stage User ID Stage User Name Stage User Reference ID

eventAnnotationStageUserE xternalID

String

Event Annotation Event Annotation

eventAnnotationStageUserI D eventAnnotationStageUserN ame

String

Returns the ID for the resource in this resource reference. Returns the name from the URI, which is always assumed to be the last field of the URI. Returns the unique descriptor ID for this reference. This is populated only if this reference is stored and uniquely identified in the database. Locates the resource described by this reference. Returns the URI for this reference. The editing version number which increments with each change. This enables optimistic locking.

String

Event Annotation

eventAnnotationStageUserR eferenceID

ID

Event Annotation Event Annotation Event Annotation

Stage User Resource Stage User URI Version

eventAnnotationStageUserR esource eventAnnotationStageUserU RI eventAnnotationVersion

Resource

String Integer

ArcSight Confidential

ArcSight Web UsersGuide

59

6 Using Active Channels

File
Default Turbo Level 2 2 2 2 2 2 2 2 2

Group File File

Label Create Time Hash

Script Alias fileCreateTime fileHash

Data Type DateTime String

Description The time the file was created (in UTC). The hashcode associated with the file's contents (e.g., MD5). The external identifier associated with the file. The time the file was last changed (in UTC). The name of the file. The directory path to the file in the file system. The user permissions associated with the file (sensor specific). The size of the file's contents (typically in bytes; sensor specific). The type of file contents (sensor specific).

File File File File

ID Modificati on Time Name Path

fileId fileModificationTime fileName filePath

String DateTime String String

File

Permissio n Size

filePermission

String

File

fileSize

Long

File

Type

fileType

String

60

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Final Device
This category falls into the device-to-Manager information chain. The chain begins at Device, which is the actual network hardware that senses an event. In cases where data is concentrated or otherwise pre-processed, it may be passed to a trusted reporting Final Device before reaching an Original Connector. Although the Original Connector is usually the only connector, if the data passes up through a Manager hierarchy the chain will include handling by Connector stages that are the ESM Manager SmartConnectors that facilitate Manager-to-Manager connections.
Default Turbo Level 2 2 2 2 2 2 2 2 2

Group Final Device Final Device Final Device Final Device

Label Address

Script Alias finalDeviceAddress

Data Type IP address

Description The IP address of the trusted reporting device. The asset that represents the trusted reporting device. The name of the trusted reporting device. The resource represented by the trusted reporting device. The descriptor ID of the trusted reporting device. The Domain Name Service domain name associated with the trusted reporting device. The external ID for the trusted reporting device, if provided by the vendor. A facility or capability of a device. This accomodates concentrators (e.g., like syslog, which has a concept of device logging for "parts" of a device). The host name of the trusted reporting device.

Asset ID

finalDeviceAssetId

Resource

Asset Name Asset Resource

finalDeviceAssetName

String

finalDeviceAssetResource

Resource

Final Device Final Device

Descriptor ID DNS Domain

finalDeviceDescriptorId

ID

finalDeviceDnsDomain

String

Final Device

External ID

finalDeviceExternalId

String

Final Device

Facility

finalDeviceFacility

String

Final Device

Host Name

finalDeviceHostName

String

ArcSight Confidential

ArcSight Web UsersGuide

61

6 Using Active Channels

Group Final Device

Label Inbound Interface

Script Alias finalDeviceInboundInterface

Data Type String

Default Turbo Level 2 2 2 2 2 2 2 2 2 2

Description The NIC card on the sensor device that received the network traffic associated with the event. The MAC address associated with the trusted reporting device. The Windows NT domain associated with the trusted reporting device. The NIC card on the trusted reporting device. The process name of the trusted reporting device. The product name of the trusted reporting device. The time zone reported by the trusted reporting device. Returns the raw timezone offset for the trusted reporting device. Note that connector and device times are not always reliably accurate. If network address translation is an issue, this is the translated IP address of the trusted reporting device. If network address translation is an issue, this is the network zone associated with the translated IP address of the trusted reporting device.

Final Device

MAC address

finalDeviceMacAddress

MAC address

Final Device

NT Domain

finalDeviceNtDomain

String

Final Device Final Device Final Device Final Device Final Device

Outbound Interface Process Name Product

finalDeviceOutboundInterfa ce finalDeviceProcessName

String

String

finalDeviceProduct

String

Time Zone Time Zone Offset

finalDeviceTimeZone

String

finalDeviceTimeZoneOffset

Integer

Final Device

Translated Address

finalDeviceTranslatedAddres s

IP address

Final Device

Translated Zone

finalDeviceTranslatedZone

Zone

62

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Group Final Device

Label Translated Zone External ID Translated Zone ID Translated Zone Name Translated Zone Reference ID

Script Alias finalDeviceTranslatedZoneE xternalID

Data Type String

Default Turbo Level 2 2 2 2 2 2 2 2 2 2 2 2

Description Returns the external ID for this reference.

Final Device Final Device

finalDeviceTranslatedZoneI D finalDeviceTranslatedZoneN ame

String

Returns the ID for the resource in this resource reference. Returns the name from the URI, which is always assumed to be the last field of the URI. Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database. Locates the resource described by this reference. Returns the URI for this reference. Device vendor. The software revision number of the trusted reporting device. The network zone in which the trusted reporting device resides. Returns the external ID for this reference. Returns the ID for the resource in this resource reference. Returns the name from the URI, which is always assumed to be the last field of the URI.

String

Final Device

finalDeviceTranslatedZoneR eferenceID

ID

Final Device Final Device Final Device Final Device Final Device

Translated Zone Resource Translated Zone URI Vendor Version

finalDeviceTranslatedZoneR esource finalDeviceTranslatedZoneU RI finalDeviceVendor finalDeviceVersion

Resource

String String String

Zone

finalDeviceZone

Zone

Final Device Final Device Final Device

Zone External ID Zone ID

finalDeviceZoneExternalID

String

finalDeviceZoneID

String

Zone Name

finalDeviceZoneName

String

ArcSight Confidential

ArcSight Web UsersGuide

63

6 Using Active Channels

Group Final Device

Label Zone Reference ID

Script Alias finalDeviceZoneReferenceID

Data Type ID

Default Turbo Level 2 2 2 Default Turbo Level 2 2 2 2 2 2 2 2 2 2

Description Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database. Locates the resource described by this reference. Returns the URI for this reference.

Final Device Final Device

Zone Resource Zone URI

finalDeviceZoneResource

Resource

finalDeviceZoneURI

String

Flex

Group Flex Flex Flex Flex Flex Flex Flex Flex Flex Flex

Label Date1 Date1 Label Number1 Number1 Label Number2 Number2 Label String1 String1 Label String2 String2 Label

Script Alias flexDate1 flexDate1Label flexNumber1 flexNumber1Label flexNumber2 flexNumber2Label flexString1 flexString1Label flexString2 flexString2Label

Data Type DateTime String Long String Long String String String String String

Description First flexDate. Label of first flexDate. First flexNumber. Label of the first FlexNumber. Second flexNumber. Label of the second FlexNumber. First flexString Label of the first FlexString. Second flexString. Label of the second FlexString.

64

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Manager
Default Turbo Level 1 Default Turbo Level 2 2 2 2 2 2 2 2 2

Group Manager

Label Receipt Time

Script Alias managerReceiptTime

Data Type DateTime

Description The time at which the current Manager first received the event.

Old File

Group Old File Old File

Label Create Time Hash

Script Alias oldFileCreateTime oldFileHash

Data Type DateTime String

Description The time the file was created (in UTC). The hashcode associated with the file's contents (e.g., MD5). The external identifier associated with the file. The time the file was last changed (in UTC). The file's name. The directory path to the file in the file system. The user permissions associated with the file (sensor specific). The size of the file's contents (typically in bytes; sensor specific). The type of the file's contents (sensor specific).

Old File Old File Old File Old File Old File

ID Modificati on Time Name Path Permissio n Size

oldFileId oldFileModificationTime oldFileName oldFilePath oldFilePermission

String DateTime String String String

Old File

oldFileSize

Long

Old File

Type

oldFileType

String

ArcSight Confidential

ArcSight Web UsersGuide

65

6 Using Active Channels

Original Connector
This category falls into the device-to-Manager information chain. The chain begins at Device, which is the actual network hardware that senses an event. In cases where data is concentrated or otherwise pre-processed, it may be passed to a trusted reporting Final Device before reaching an Original Connector. Although the Original Connector is usually the only connector, if the data passes up through a Manager hierarchy the chain will include handling by Connector stages that are the ESM Manager SmartConnectors that facilitate Manager-to-Manager connections.
Default Turbo Level 2 2 2 2 2 2 2 2

Group Original Connector

Label Address

Script Alias originalConnectorAddress

Data Type IP address

Description The IP address of the device hosting the first reporting SmartConnector. The asset that represents the device hosting the first reporting SmartConnector. The first reporting connector's asset name. The first reporting connector's resource. The first reporting connector's descriptor. The Domain Name Service domain name associated with the device hosting the first reporting SmartConnector. The name of the device hosting the first reporting SmartConnector. The ID of the connector. The format is connectorId(1)|connect orId(2)|...

Original Connector

Asset ID

originalConnectorAssetID

Resource

Original Connector Original Connector Original Connector Original Connector

Asset Name Asset Resource Descriptor ID DNS Domain

originalConnectorAssetNam e originalConnectorAssetReso urce originalConnectorDescriptor Id originalConnectorDnsDomai n

String

Resource ID String

Original Connector

Host Name

originalConnectorHostName

String

Original Connector

ID

originalConnectorId

String

66

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Group Original connector

Label MAC address

Script Alias originalconnectorMacAddres s

Data Type MAC address

Default Turbo Level 2 2 2 2 2 2 2 2

Description The MAC address associated with the first reporting Smartconnector (which may or may not be the MAC address of the host device.) User-supplied name of the first reporting connector. The Windows NT domain associated with the device hosting the first reporting Smartconnector. The time zone reported by the device hosting the first reporting Smartconnector. Returns the raw timezone offset for the first reporting connector's time zone. Note that device and connector times may not be reliably accurate. If network address translation is an issue, this is the translated IP address of the device hosting the first reporting Smartconnector. If network address translation is an issue, this is the Network Zone associated with the translated IP address of the device hosting the first reporting Smartconnector. Returns the external ID for this reference.

Original connector Original connector

Name

originalconnectorName

String

NT Domain

originalconnectorNtDomain

String

Original connector

Time Zone

originalconnectorTimeZone

String

Original connector

Time Zone Offset

originalconnectorTimeZone Offset

Integer

Original connector

Translated Address

originalconnectorTranslated Address

IP address

Original connector

Translated Zone

originalconnectorTranslated Zone

Zone

Original connector

Translated Zone External ID

originalconnectorTranslated ZoneExternalID

String

ArcSight Confidential

ArcSight Web UsersGuide

67

6 Using Active Channels

Group Original connector Original connector

Label Translated Zone ID Translated Zone Name Translated Zone Reference ID

Script Alias originalconnectorTranslated ZoneID originalconnectorTranslated ZoneName

Data Type String

Default Turbo Level 2 2 2 2 2 2 2 2 2 2 2

Description Returns the ID for the resource in this resource reference. Returns the name from the URI, which is always assumed to be the last field of the URI. Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database. Locates the resource described by this reference. Returns the URI for this reference. A string that describes the type of the first reporting connector. This is not the same as the device type. The software revision number of the Smartconnector that first reported the event. The network zone in which the device hosting the first reporting Smartconnector resides. Returns the external ID for this reference. Returns the ID for the resource in this resource reference. Returns the name from the URI, which is always assumed to be the last field of the URI.

String

Original connector

originalconnectorTranslated ZoneReferenceID

ID

Original connector Original connector Original connector

Translated Zone Resource Translated Zone URI Type

originalconnectorTranslated ZoneResource originalconnectorTranslated ZoneURI originalconnectorType

Resource

String String

Original connector

Version

originalconnectorVersion

String

Original connector

Zone

originalconnectorZone

Zone

Original connector Original connector Original connector

Zone External ID Zone ID

originalconnectorZoneExter nalID originalconnectorZoneID

String

String

Zone Name

originalconnectorZoneName

String

68

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Group Original connector

Label Zone Reference ID

Script Alias originalconnectorZoneRefer enceID

Data Type ID

Default Turbo Level 2 2 2 Default Turbo Level 2 2 2 2

Description Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and is uniquely identified in the database. Locates the resource described by this reference. Returns the URI for this reference.

Original connector Original connector

Zone Resource Zone URI

originalconnectorZoneResou rce originalconnectorZoneURI

Resource

String

Request

Group Request

Label Client Applicatio n Client Applicatio n

Script Alias requestClientApplication

Data Type String

Description The client application (such as a web browser) used to issue the request. A description of the client application used to initiate this request, e.g., the HTTP User connector. A description of the content from which the request originated, e.g., the HTTP Referrer. Cookie data offered by the client application as part of the request.

Request

requestClientApplication

String

Request

Context

requestContext

String

Request

Cookies

requestCookies

String

ArcSight Confidential

ArcSight Web UsersGuide

69

6 Using Active Channels

Group Request

Label Method

Script Alias requestMethod

Data Type String

Default Turbo Level 2 2 2 2 2 2 2 2

Description The style of the request, i.e., for an HTTP request this could be PUT or GET. The communication protocol used when issuing the request. A universal resource locator associated with the event. The URL component used for authentication and authorization. The URL component that refers to the file containing the resource. The URL component that specifies the host device where the resource resides. The URL component that specifies the port to contact on the host device where the resource resides. The URL component that specifies the query to use to request the resource.

Request

Protocol

requestProtocol

String

Request

URL

requestUrl

String

Request

URL Authority URL File Name

requestUrlAuthority

String

Request

requestUrlFileName

String

Request

URL Host

requestUrlHost

String

Request

URL Port

requestUrlPort

Integer

Request

URL Query

requestUrlQuery

String

70

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Source
Default Turbo Level 1 2 2 2 2 2 1 1 1 1 1 1

Group Source Source

Label Address Asset ID

Script Alias sourceAddress sourceAssetId

Data Type IP address Resource

Description The IP address of the source device. The asset that represents the device that was the network traffic's source. See the common set of resource attributes. See the common set of resource attributes. The Domain Name Service domain name associated with the user at the source device. The fully qualified domain name associated with the source device. This has no value if either the host name or DNS domain are without a value. The geographical information. Country Code.

Source Source Source

Asset Name Asset Resource DNS Domain

sourceAssetName sourceAssetResource sourceDnsDomain

String Resource String

Source

FQDN

sourceFqdn

String

Source Source

Geo Geo Country Code Geo Country Flag URL Geo Country Name Geo Descriptor ID Geo Latitude

sourceGeo sourceGeoCountryCode

GeoDescri ptor String

Source

sourceGeoCountryFlagUrl

String

County Flag.

Source

sourceGeoCountryName

String

Country Code.

Source

sourceGeoDescriptorId

ID

Unique descriptor for the geo field. See the common set of geographical attributes.

Source

sourceGeoLatitude

Double

ArcSight Confidential

ArcSight Web UsersGuide

71

6 Using Active Channels

Group Source

Label Geo Location Info Geo Longitude Geo Postal Code Geo Region Code Host Name MAC Address

Script Alias sourceGeoLocationInfo

Data Type String

Default Turbo Level 1 1 1 1 2 2 2 1 2 2 1 1

Description See the common set of geographical attributes. See the common set of geographical attributes. See the common set of geographical attributes. See the common set of geographical attributes. The name of the source device. The MAC address associated with the network traffic's source (which may or may not be the MAC address of the host device). The Windows NT domain associated with the source device. The network port associated with the network traffic's source. The name of the process associated with the source of the network traffic. The name of the service associated with the network traffic's source. If network address translation is an issue, this is the translated IP address of the device that was the network traffic's source. If network address translation is an issue, this is the translated source port associated with the attack.

Source Source

sourceGeoLongitude sourceGeoPostalCode

Double String

Source

sourceGeoRegionCode

String

Source Source

sourceHostName sourceMacAddress

String MAC address

Source

NT Domain Port

sourceNtDomain

String

Source

sourcePort

Integer

Source

Process Name

sourceProcessName

String

Source

Service Name

sourceServiceName

String

Source

Translated Address

sourceTranslatedAddress

IP address

Source

Translated Port

sourceTranslatedPort

Integer

72

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Group Source

Label Translated Zone

Script Alias sourceTranslatedZone

Data Type Zone

Default Turbo Level 1 1 1 1 1 1 1 2 2 2

Description If network address translation is an issue, this is the network zone associated with the translated IP address of the device that was the network traffic's source. Returns the external ID for this reference.

Source

Translated Zone External ID Translated Zone ID Translated Zone Name Translated Zone Reference ID

sourceTranslatedZoneExtern alID

String

Source

sourceTranslatedZoneID

String

Returns the ID for the resource in this resource reference. Returns the name from the URI, which is always assumed to be the last field of the URI. Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database. Locates the resource described by this reference. Returns the URI for this reference. The OS- or applicationbased identifier associated with the user at the network traffic's source. The OS- or applicationbased name associated with the user at the network traffic's source. The privileges afforded the user at the network traffic's source.

Source

sourceTranslatedZoneName

String

Source

sourceTranslatedZoneRefere nceID

ID

Source

Translated Zone Resource Translated Zone URI User ID

sourceTranslatedZoneResou rce sourceTranslatedZoneURI sourceUserId

Resource

Source Source

String String

Source

User Name

sourceUserName

String

Source

User Privileges

sourceUserPrivileges

String

ArcSight Confidential

ArcSight Web UsersGuide

73

6 Using Active Channels

Group Source

Label Zone

Script Alias sourceZone

Data Type Zone

Default Turbo Level 1 1 1 1 1 1 1 Default Turbo Level 1

Description The network zone where the source device resides. Returns the external ID for this reference. Returns the ID for the resource in this resource reference. Returns the name from the URI, which is always assumed to be the last field of the URI. Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database. Locates the resource described by this reference. Returns the URI for this reference.

Source

Zone External ID Zone ID

sourceZoneExternalID

String

Source

sourceZoneID

String

Source

Zone Name

sourceZoneName

String

Source

Zone Reference ID

sourceZoneReferenceID

ID

Source

Zone Resource Zone URI

sourceZoneResource

Resource

Source

sourceZoneURI

String

Target

Group Target

Label Address

Script Alias targetAddress

Data Type IP address

Description The IP address of the device hosting the attacker.

74

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Group Target

Label Asset ID

Script Alias targetAssetId

Data Type Resource

Default Turbo Level 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1

Description The asset that represents the attacked device's host. See the common set of resource attributes. See the common set of resource attributes. The Domain Name Service domain name associated with the attacked device. The fully qualified domain name associated with the attacked device. The geographical information. Country code.

Target Target Target

Asset Name Asset Resource DNS Domain

targetAssetName targetAssetResource targetDnsDomain

String Resource String

Target

FQDN

targetFqdn

String

Target Target

Geo Geo Country Code Geo Country Flag URL Geo Country Name Geo Descriptor ID Geo Latitude Geo Location Info Geo Longitude Geo Postal Code Geo Region Code

targetGeo targetGeoCountryCode

GeoDescri ptor String

Target

targetGeoCountryFlagUrl

String

County flag.

Target

targetGeoCountryName

String

Country name.

Target

targetGeoDescriptorId

ID

Unique descriptor for the geo field. Latitude. Location information.

Target Target

targetGeoLatitude targetGeoLocationInfo

Double String

Target Target

targetGeoLongitude targetGeoPostalCode

Double String

Longitude. Postal code.

Target

targetGeoRegionCode

String

Region code.

ArcSight Confidential

ArcSight Web UsersGuide

75

6 Using Active Channels

Group Target Target

Label Host Name MAC Address

Script Alias targetHostName targetMacAddress

Data Type String MAC address

Default Turbo Level 2 2 2 1 2 2 1 1 1 1 1

Description The name of the attacked device. The MAC address associated with the target of the attack (which may or may not be the MAC address of the host device). The Windows NT domain associated with the attacked device. The network port associated with the target of the attack. The name of the process associated with the attack's target. The name of service associated with the attack's target. If network address translation is an issue, this is the translated IP address of the attacked device. If network address translation is an issue, this is the translated port associated with the attack. If network address translation is an issue, this is the network zone associated with the translated IP address of the targeted device. Returns the external ID for this reference.

Target

NT Domain Port

targetNtDomain

String

Target

targetPort

Integer

Target

Process Name Service Name Translated Address

targetProcessName

String

Target

targetServiceName

String

Target

targetTranslatedAddress

IP address

Target

Translated Port

targetTranslatedPort

Integer

Target

Translated Zone

targetTranslatedZone

Zone

Target

Translated Zone External ID Translated Zone ID

targetTranslatedZoneExtern alID

String

Target

targetTranslatedZoneID

String

Returns the ID for the resource in this resource reference.

76

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Group Target

Label Translated Zone Name Translated Zone Reference ID

Script Alias targetTranslatedZoneName

Data Type String

Default Turbo Level 1 1 1 1 2 2 2 1 1 1 1

Description Returns the name from the URI, which is always assumed to be the last field of the URI. Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database. Locates the resource described by this reference. Returns the URI for this reference. The OS- or applicationbased identifier associated with the attacker, at the target of the attack. The OS- or applicationbased name associated with the attacker, at the target of the attack. The privileges afforded the attacker, at the target of the attack. The network zone in which the attacked device resides. Returns the external ID for this reference. Returns the ID for the resource in this resource reference. Returns the name from the URI, which is always assumed to be the last field of the URI.

Target

targetTranslatedZoneRefere nceID

ID

Target

Translated Zone Resource Translated Zone URI User ID

targetTranslatedZoneResour ce targetTranslatedZoneURI targetUserId

Resource

Target Target

String String

Target

User Name

targetUserName

String

Target

User Privileges Zone

targetUserPrivileges

String

Target

targetZone

Zone

Target

Zone External ID Zone ID

targetZoneExternalID

String

Target

targetZoneID

String

Target

Zone Name

targetZoneName

String

ArcSight Confidential

ArcSight Web UsersGuide

77

6 Using Active Channels

Group Target

Label Zone Reference ID

Script Alias targetZoneReferenceID

Data Type ID

Default Turbo Level 1 1 1 Default Turbo Level 2 2 1 2

Description Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database. Locates the resource described by this reference. Returns the URI for this reference.

Target

Zone Resource Zone URI

targetZoneResource

Resource

Target

targetZoneURI

String

Threat

Group Threat

Label Asset Criticality

Script Alias assetCriticality

Data Type Integer

Description The relative measure of the importance of the targeted device, on a scale of 0 to 10. The relative measure of ArcSight's confidence in its model of the attacked device, on a scale of 0 to 10. The relative measure of importance of investigating this event on a scale of 0 to 10. This field incorporates Model Confidence. The relative measure of likelihood that this event succeeded, on a scale of 0 to 10.

Threat

Model Confidenc e

modelConfidence

Integer

Threat

Priority

priority

Integer

Threat

Relevance

relevance

Integer

78

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Group Threat

Label Severity

Script Alias severity

Data Type Integer

Default Turbo Level 2

Description The relative measure of possible damage to network security represented by the event on a scale of 0 to 10. It may be noted that event severity is supplied by the device; ArcSight severity is supplied by the Smartconnector; and attack severity is supplied by the threat evaluation process.

Resource Attributes
Attribute Suffix External ID ID Reference ID Type Name URI Description The user-defined identifier associated with a configuration resource. The internal identifier associated with a resource (a UUID). The internal identifier associated with the resource reference (an integer). The type of configuration resource. The URI associated with the resource (e.g., /All Users/Administrators/Mlow).

Geographical Attributes
Attribute Suffix Descriptor ID Country Code Country Flag URL Country Name Latitude Location Info Longitude Description The internal ID of the geographical reference. The identifier for the national-political state in which a device resides. The URL of an image of the flag of the national-political state in which the device resides. The name of the national-political state where a device resides. The latitude of a device (Float). Other, free-form text information about the device's location. The longitude of a device (Float).

ArcSight Confidential

ArcSight Web UsersGuide

79

6 Using Active Channels

Attribute Suffix Postal Code Region Code

Description The postal code of the device's location, as assigned by the nationalpolitical state where it resides. The identifier of the sub-region of the national-political state where a device resides. The style of the identifier varies with the host country.

Audit Events
Audit events are ones generated within ArcSight itself to mark a wide variety of routine actions that can occur manually or automatically, such as adding an event to a case or when a Moving Average data monitor detects a rapidly rising moving average. Audit events have many applications, which can include notifications, task validation, compliance tracking, automated housekeeping, and system administration. In the table below, use the Audit Event Category to locate events. The Audit Event Description approximates the Name you see in active channel grids. Additional details, when necessary, appear in the Notes column. Compare audit events, which report on system activity, with Status Monitor Events, which provide information about a wide variety of system states.

Audit Event Categories

Active Channel Active List Agent Connection Agent Exceptions Agent Login Agent Registration and Configuration Authorization Configuration Resources Dashboard Manager Activation Manager Database Error Conditions Manager External Event Flow Interruption Moving Average Data Monitor Notification Notification Acknowledgement Notification Testing Partition Archiver Partition Manager Reconciliation Data Monitor Report Resource Quota Rule Actions

80

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Rule Activations Rule Firings Rule Warnings Scheduler Execution Scheduler Scheduling Tasks Scheduler Skip Statistical Data Monitor Stress User Login

ArcSight Audit Events

Audit Event Category Active Channel Active Channel Active List Active List Active List Agent Connection Device Event Class ID activechannel:100 activechannel:101 Audit Event Description An active channel was opened An empty active channel was opened An entry was added to an active list An entry was removed from an active list An entry was changed in an active list Manager rejected a connection attempt from an agent for reasons other than authentication failure Agent started Agent shutdown Agent has just connected to Manager Agent is sending events but no heartbeats Agent is sending neither events nor heartbeats An unknown agent attempted to connect to the Manager An agent presented an incorrect shared secret when authenticating Agent detected source events from a sensor device containing incorrect time stamps Agent noted that a new sensor device is sending events

activelist:101

activelist:102

activelist:103

agent:009

Agent Connection Agent Connection Agent Connection Agent Connection Agent Connection Agent Connection Agent Connection

agent:30 agent:31 agent:101

agent:102

agent:103

agent:104

agent:105

Agent Exceptions

agent:012

Agent Exceptions

agent:013

ArcSight Confidential

ArcSight Web UsersGuide

81

6 Using Active Channels

Audit Event Category Agent Exceptions

Device Event Class ID agent:014

Audit Event Description Agent could not find a base event referenced in a syslog aggregate event Agent successfully connected to the sensor device's log Agent successfully executed a command Agent could not execute a command Agent is caching events because they could not be immediately transmitted to the Manager Agent has emptied its cache of events Agent could not communicate with an NT collector sensor Agent could not communicate with a CheckPoint sensor Agent is having difficulty communicating with CheckPoint Agent experienced an unexpected problem Agent was forced to drop its cached data Agent cache filled and part of the cached data was deleted Successful Agent authentication Agent authentication failed Agent successfully registered with Manager Agent did not successfully register with Manager Agent configuration was successfully changed Agent could not process a reconfiguration request Agent configuration was successfully changed Agent content was successfully updated Agent content update failed

Agent Exceptions Agent Exceptions Agent Exceptions Agent Exceptions

agent:016

agent:017

agent:018

agent:019

Agent Exceptions Agent Exceptions Agent Exceptions Agent Exceptions Agent Exceptions Agent Exceptions Agent Exceptions Agent Login Agent Login Agent Registration and Configuration Agent Registration and Configuration Agent Registration and Configuration Agent Registration and Configuration Agent Registration and Configuration Agent Registration and Configuration Agent Registration and Configuration

agent:020

agent:021

agent:023

agent:024

agent:028

agent:029

agent:030

authentication:200 authentication:201 agent:007

agent:008

agent:029

agent:022

agent:032

agent:025

agent:026

82

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Audit Event Category Agent Registration and Configuration Agent Registration and Configuration Authorization Configuration Resources Configuration Resources Configuration Resources Configuration Resources

Device Event Class ID agent:010

Audit Event Description Agent upgrade succeeded, This is currently in the context of an installer upgrade. Agent upgrade failed. This event is not currently being generated. Manager refused to authorize client Deleted a configuration resource Updated a configuration resource Added a new configuration resource Could not locate a configuration resource. Through the supplied universal resource identifer (URI). Dashboard has opened Manager has started A clean Manager shutdown has been requested Database tablespace is low and will be deactivated Database has generated a fatal error and will be deactivated Database has been reactivated Database has more tablespace available after detecting a low tablespace condition Manager has stopped the event flow Manager has allowed the event flow to resume Moving Average data monitor detected a rapidly falling moving average Moving Average data monitor detected a rapidly rising moving average Moving Average data monitor reporting the current moving average

agent:011

authorization:100

resource:100

resource:101

resource:102

resourcereference:10 0

Dashboard Manager Activation Manager Activation Manager Database Error Conditions Manager Database Error Conditions Manager Database Error Conditions Manager Database Error Conditions Manager External Event Flow Interruption Manager External Event Flow Interruption Moving Average Data Monitor Moving Average Data Monitor Moving Average Data Monitor

dashboard:100 manager:100 manager:101

database:100

database:101

database:102

database:103

manager:200

manager:201

datamonitor:102

datamonitor:103

datamonitor:104

ArcSight Confidential

ArcSight Web UsersGuide

83

6 Using Active Channels

Audit Event Category Notification Notification

Device Event Class ID notification:100 notification:101

Audit Event Description Notification has been disabled Notification has been disabled because the queue of notifications to be sent is too large Notification has been enabled Notification has been enabled because the queue of notifications is back under control A particular notification destination has been disabled A particular notification destination has been disabled because too much traffic was directed at it A particular notification destination has been enabled A notification expired without being acknowledged A functioning destination could not be located for this notification Old notification has been purged This notification has been acknowledged Sent a test notification to this destination group The partition was successfully archived There was a problem while archiving the partition Partition archiving is disabled Partition archiving did not complete in the alotted time Partition archiving failed There was an unexpected error while archiving partitions Partitions have been successfully rotated There was a problem rotating partitions

Notification Notification

notification:102 notification:103

Notification Notification

notification:104

notification:105

Notification Notification Notification

notification:106

notification:107

notification:108

Notification Notification Acknowledgement Notification Testing Partition Archiver Partition Archiver Partition Archiver Partition Archiver Partition Archiver Partition Archiver Partition Manager Partition Manager

notification:109 notification:300

notification:200

partitionarchiver:10 0 partitionarchiver:20 0 partitionarchiver:30 0 partitionarchiver:40 0 partitionarchiver:50 0 partitionarchiver:60 0 partitionmanager:100

partitionmanager:200

84

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Audit Event Category Partition Manager Partition Manager Partition Manager Reconciliation Data Monitor Report Report

Device Event Class ID partitionmanager:300

Audit Event Description The partition manager has been disabled Partitions could not be rotated There was an unexpected error while rotating partitions Correlation data monitor reporting a correlated or noncorrelated event Generated a new archivedreport configuration resource Failed to generate a new archived-report configuration resource Generated a new delta archivedreport configuration resource Resource usage has fallen below the fixed-quota level Resource usage has exceeded the fixed-quota level Asset autocreation has exceeded a fixed quota Asset autocreation is proceeding too rapidly Set Severity action. This event has been deprecated. Set Event Attribute action Send to Notifier action Execute Command action Export... action Create New Case action Add to Case action Create New Case action failed Add to Case action failed Add to Active List action Move between Active Lists action. This event has been deprecated. Remove from Active List action Rule has been deactivated

partitionmanager:500 partitionmanager:600

datamonitor:300

report:100

report:101

Report Resource Quota Resource Quota Resource Quota Resource Quota Rule Actions Rule Actions Rule Actions Rule Actions Rule Actions Rule Actions Rule Actions Rule Actions Rule Actions Rule Actions Rule Actions

report:102

quota:100

quota:101

quota:102

quota:103

rule:301

rule:302 rule:303 rule:304 rule:305 rule:306 rule:307 rule:308 rule:309 rule:310 rule:311

Rule Actions Rule Activations

rule:312 rule:700

ArcSight Confidential

ArcSight Web UsersGuide

85

6 Using Active Channels

Audit Event Category Rule Activations

Device Event Class ID rule:701

Audit Event Description Rule has been deactivated because it is unsafe. There was excessive recursion or event matching. Rule has been activated Rule fired OnEveryEvent Rule fired OnFirstEvent Rule fired OnSubsequentEvents Rule fired OnEveryThreshold Rule fired OnFirstThreshold Rule fired OnSubsequentThresholds Rule fired OnTimeUnitExpiration Rule is firing on events generated by itself A task has been executed A task failed to execute A new task has been scheduled A new task could not be scheduled Enabled a task Could not enable a task Deleted a task Failed to delete a task Disable a task Could not disable a task The task scheduler skipped a scheduled task execution because the scheduler was not allowed to run The task scheduler skipped a scheduled task invocation because the last invocation of the task is still executing

Rule Activations Rule Firings Rule Firings Rule Firings Rule Firings Rule Firings Rule Firings Rule Firings Rule Warnings Scheduler Execution Scheduler Execution Scheduler Scheduling Tasks Scheduler Scheduling Tasks Scheduler Scheduling Tasks Scheduler Scheduling Tasks Scheduler Scheduling Tasks Scheduler Scheduling Tasks Scheduler Scheduling Tasks Scheduler Scheduling Tasks Scheduler Skip

rule:702 rule:101 rule:102 rule:103 rule:104 rule:105 rule:106

rule:107 rule:501

scheduler:200

scheduler:201

scheduler:300

scheduler:301

scheduler:302

scheduler:303

scheduler:304

scheduler:305

scheduler:306

scheduler:307

scheduler:100

Scheduler Skip

scheduler:101

86

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Audit Event Category Statistical Data Monitor Stress

Device Event Class ID datamonitor:200

Audit Event Description Statistical Data Monitor reporting a change in status A stress test event. This event is generated only by ArcSight Quality Assurance. Successful client login Failed client login Client logout Client timed out due to inactivity Too many client login failures occurred within a time period

test:100

User Login User Login User Login User Login User Login

authentication:100 authentication:101 authentication:102 authentication:103 authentication:104

Status Monitor Events

ArcSight status monitor events can reveal and isolate many different quantity and time-unit issues that bear directly on performance and capacity. There are many possible applications of this system-state data, but those applications must always be interpreted within the context of your particular hardware, software, and network environment, and the deployment choices made for ArcSight and its SmartConnectors. Compare status monitoring events, which provide information about a wide variety of system states, to Audit Events, which report on system activity. Active Channel Statistics Active List Statistics Asset Statistics Data Monitor Statistics Event Broker Statistics Filter Engine Statistics Main Flow Statistics Notification Statistics Pattern Discovery Statistics Report Statistics Resource Framework Statistics Rules Engine Statistics Session Management Statistics Side Table Statistics SmartConnector Flow Statistics

Active Channel Statistics

Active channel statistics, specifically any changes that occur in the counts they report, can indicate performance issues and the use of processing cycles. These events summarize: The number of events changed across all open Active Channels per second The number of events inserted into Active Channels per second

ArcSight Confidential

ArcSight Web UsersGuide

87

6 Using Active Channels

The number of currently open Active Channels

Status Monitor Event Category /Monitor/ActiveChannels/Open Device Event Class ID monitor:100

Audit Event Description Open active channel count. Provides count and current value.

/Monitor/ActiveChannels/Events /Insertions

monitor:174

Active channel event insertions per second. Provides count per second since last monitor event.

/Monitor/ActiveChannels/Events /Changes

monitor:175

Active channel event changes per second. Provides count per second since last monitor event.

Active List Statistics

Active list statistics monitor the resources being used by active lists. Active lists entries use some memory and database resources, and use CPU resources when they are referenced by other parts of the system (e.g., rules, reports, and filters). While changes to these temporary lists are not persisted, they do represent some memory overhead. Note that when active lists are used by replay-with-rules, this also creates temporary lists.
Status Monitor Event Category /Monitor/ActiveLists/ListCount Device Event Class ID monitor:114

Audit Event Description Open active list count. Provides count, current value.

/Monitor/ActiveLists/EntryCount

monitor:115

Active list entry count. Provides count, current value.

/Monitor/ActiveLists/EntryCapaci ty /Monitor/ActiveLists/EntryPercen tUsed /Monitor/ActiveLists/TemporaryL istCount /Monitor/ActiveLists/TemporaryE ntryCount

monitor:116

Active list entry capacity. Provides count, current value.

monitor:117

Active list entry usage. Provides percent, current value.

monitor:118

Temporary Active list count. Provides count, current value.

monitor:119

Temporary Active list entry count. Provides count, current value.

/Monitor/ActiveLists/TemporaryC apacity /Monitor/ActiveLists/TemporaryP ercentageUsed /Monitor/ActiveLists/QueriesPer Second

monitor:120

Temporary Active list capacity. Provides count, current value.

monitor:121

Temporary Active list usage. Provides percent, current value.

monitor:122

Active list queries per second. Provides count of queries per second since startup.

88

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Status Monitor Event Category /Monitor/ActiveLists/ChangesPer Second

Device Event Class ID monitor:123

Audit Event Description Active list changes per second. Count per second since startup.

Asset Statistics
Asset statistics offer insight into performance areas that affect assets in the system and can help resolve source, destination, agent, and device asset issues for incoming events. These events summarize: Asset resolutions per second is the average number of end-points in events, that are resolved to assets in a second. Asset resolutions average time is the average time in milliseconds taken to resolve an end-point in an event to an asset. Asset scanner events per second is the number of scanner events processed in a second. Asset scanner events average time is the average time in milliseconds taken to process a scanner event.
Status Monitor Event Category /Monitor/Asset/TotalCount Device Event Class ID monitor:200

Audit Event Description Asset total count. Provides count, current value.

/Monitor/Asset/Scanner/EventsP erSecond

monitor:201

Scanner events processed per second. Provides count per second since last monitor event.

/Monitor/Asset/ResolutionsPerSe cond

monitor:202

Asset resolutions per second. Provides count per second for asset resolutions since last monitor event.

/Monitor/Asset/Scanner/Average Time

monitor:203

Scanner event average processing time. Provides count per second for scanner event average processing time since starup.

/Monitor/Asset/ResolutionsAvera geTime

monitor:204

Asset resolution average time. Provides average time in milliseconds for asset resolution since startup.

/Monitor/Asset/ResolutionsAvera geTime/Source

monitor:205

Asset source resolution average time. Provides average time in milliseconds for asset source resolution since startup.

ArcSight Confidential

ArcSight Web UsersGuide

89

6 Using Active Channels

Status Monitor Event Category /Monitor/Asset/ResolutionsAvera geTime/Destination

Device Event Class ID monitor:206

Audit Event Description Asset destination resolution average time. Provides average time in milliseconds for asset destination resolution since startup.

/Monitor/Asset/Size

monitor:240

Transitive Closure Size. Provides count per second and current value for transitive closure size.

Data Monitor Statistics

The data monitor statistics indicate how intensively the data monitors are working, which in turn can indicate situations such as filters needing adjustment or data monitors needing restructuring. These events summarize: Active probes is the number of currently enabled data monitors. Evaluations per second is the number of events times the number of enabled data monitors per second.
Status Monitor Event Category /Monitor/DataMonitors/ActivePro bes /Monitor/DataMonitors/Evaluatio nsPerSecond Device Event Class ID monitor:101

Audit Event Description Active data monitor probe count. Provides count, current value.

monitor:124

Data monitor evaluations per second. Provides count per second since last monitor event.

Event Broker Statistics

These statistics monitor reading events from, and writing events to, the database. As such, they are database health indicators. These events summarize: Event count is the number of events inserted into the database since the last monitor event. Insert time is the average time taken to insert each event into the database, in microseconds. Retrieval time is the average time taken to retrieve each event from the database in microseconds.
Status Monitor Event Category /Monitor/EventBroker/InsertTim e Device Event Class ID monitor:102

Audit Event Description Events insertion time per event Provices count in microseconds for insertion time per event since last monitor event.

90

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Status Monitor Event Category /Monitor/EventBroker/InsertedE ventCount

Device Event Class ID monitor:103

Audit Event Description Events processed count. Provides count since last monitor event.

/Monitor/EventBroker/RetrievalT ime

monitor:140

Events retrieval time per event. Provides count in microseconds per count, since last monitor event.

Filter Engine Statistics

The count of in-memory filter evaluations can serve as a broad indicator of filter performance.
Status Monitor Event Category /Monitor/Filters/EvaluationCount Device Event Class ID monitor:161

Audit Event Description Filter evaluation count.

Main Flow Statistics

These events report statistically on the overall throughput of the ArcSight Manager, for both incoming and internal events. This flow is the sequence of processing steps applied to each event and is a broad indicator or benchmark of system traffic. These events summarize: Count describes the number of events that have passed through the flow since the manager started. Rate describes the current event rate in events per second.
Status Monitor Event Category /Monitor/MainFlow/EPS Device Event Class ID monitor:230

Audit Event Description Main flow event rate. Provides count per second since last monitor event.

/Monitor/MainFlow/Events

monitor:231

Main flow event count. Provides count since startup.

Notification Statistics
This group reports on notification activity, which can be of diagnostic value in detecting unusually high notifications activity. New count describes the number of new notifications since the last monitor event.

ArcSight Confidential

ArcSight Web UsersGuide

91

6 Using Active Channels

Escalated count describes the number of notifications that were escalated since the last monitor event.
Status Monitor Event Category /Monitor/Notification/New Device Event Class ID monitor:180

Audit Event Description New notification count. Provides count since last monitor event.

/Monitor/Notification/Escalated

monitor:181

Escalated notification count. Provides count since last monitor event.

Pattern Discovery Statistics

These events provide statistics for recent or pending pattern discovery runs. Because pattern discovery is database-intensive, these statistics can indicate or help diagnose database performance issues.
Status Monitor Event Category /Monitor/Patterns/RunCount Device Event Class ID monitor:190

Audit Event Description Pattern discoveries run count. Provides count since last monitor event.

/Monitor/Patterns/RunsQueued

monitor:191

Pattern discoveries queued count. Provides count current value.

Report Statistics
These events provide statistics about the current number of reports querying the database or being rendered. Because reports are database-intensive, these statistics can indicate or help diagnose database performance issues.
Status Monitor Event Category /Monitor/Reports/Running Device Event Class ID monitor:130

Audit Event Description Reports running count. Provides count, current value.

/Monitor/Reports/RunningQueryi ngDB

monitor:131

Reports querying database count. Provides count, current value.

/Monitor/Reports/RunningRende ring

monitor:132

Reports rendering count. Provides count, current value.

Resource Framework Statistics

Resource-framework events report on the database activity connected with updates (reads, writes, and deletions) to system resources such as rules, assets, and filters, since the last

92

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

monitor event. This data can be valuable in tracking or diagnosing performance-related issues such as automatic asset maintenance, the threat-level formula, or rule-driven usage.
Status Monitor Event Category /Monitor/Resource/Activity/Inser t Device Event Class ID monitor:171

Audit Event Description Resources inserted per second. Provides count per second since last monitor event.

/Monitor/Resource/Activity/Upda te

monitor:172

Resources updated per second. Provides count per second since last monitor event.

/Monitor/Resource/Activity/Dele te

monitor:173

Resources deleted per second. Provides count per second since last monitor event.

Rules Engine Statistics

The statistics related to the ArcSight Manager's rules engine can help reveal performance issues in several areas. Please remember that information about rules activity always needs to be considered in the full content of the Manager's operations. For example, a busy Moving Average data monitor, if used inefficiently, can affect several of these statistics; a poorly written rule can inadvertently drive up the rate of actions executed. These statistics have the following performance implications Count of events inserted into the rule engine: CPU. Rate of event insertion into the rule engine: CPU. Count of correlated events generated by the rule engine: CPU. Rate of correlated event generation by the rule engine: CPU. Count of partial matches in the rule engine: memory. Count of events that are still present in rule engine's working memory: memory. Count of groupBy cells that are being used by the rule engine: memory. Count of rules currently active in the rule engine: comparative value only. Rate of actions being executed by the rule engine: CPU.
Status Monitor Event Category /Monitor/Rules/InsertedEventCo unt Device Event Class ID monitor:151

Audit Event Description Rules total event count. Provides count since last monitor event.

/Monitor/Rules/InsertedEventRa te

monitor:152

Rules inserted events per second. Provides count per second since last monitor event.

/Monitor/Rules/GeneratedEvent Rate

monitor:153

Rules generated events per second. Provides count per second since last monitor event.

ArcSight Confidential

ArcSight Web UsersGuide

93

6 Using Active Channels

Status Monitor Event Category /Monitor/Rules/PartialMatchCou nt /Monitor/Rules/EventsInRuleEng ineMemory /Monitor/Rules/GroupByCellsSiz e /Monitor/Rules/ActiveRulesCoun t /Monitor/Rules/ActionsTakenRat e

Device Event Class ID monitor:154

Audit Event Description Rules partial match count. Provides count, current value.

monitor:155

Rules in-memory event count. Provides count, current value.

monitor:156

Rules group by cells size. Provides count, current value.

monitor:157

Active rules count. Provides count, current value.

monitor:158

Rules actions rate. Provides count per second since last monitor event.

/Monitor/Rules/GeneratedEvent Count

monitor:159

Rules generated event count. Provides count since last monitor event.

Session Management Statistics

This statistic tracks the current number of active user sessions.
Status Monitor Event Category /Monitor/Sessions/Active/Total Device Event Class ID monitor:160

Audit Event Description Active session count. Provides count and current value.

Side Table Statistics

Side tables are ones held in-memory and in the database to retain common and relatively static information, similar to a cache. The purpose is to improve access times for inserts and queries. Side tables store event data that includes: geographical information, categorization information, agent information, device information and labels for custom strings and numbers. Size identifies how many entries are presently in the cache. Insert identifies the number of inserts in the past two hours. Cache misses identifies how many failed attempts to find entries occurred in the past two hours. Cache hit rate identifies how many successful attempts to find entries occurred in the past two hours.
Status Monitor Event Category /Monitor/SideTable/GeoInfo/HitR ate Device Event Class ID monitor:210

Audit Event Description Geo info sidetable cache hit rate. Provides a percentage over a moving time frame.

94

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Status Monitor Event Category /Monitor/SideTable/GeoInfo/Inse rts

Device Event Class ID monitor:211

Audit Event Description Geo info sidetable inserts. Provides count over a moving timeframe.

/Monitor/SideTable/GeoInfo/Cac heMisses

monitor:212

Geo info sidetable cache misses. Provides count over a moving timeframe.

/Monitor/SideTable/GeoInfo/Size

monitor:213

Geo info sidetable size. Provides count, current value.

/Monitor/SideTable/Category/Hit Rate

monitor:214

Category sidetable cache hit rate. Provides a percentage over a moving timeframe.

/Monitor/SideTable/Category/Ins erts

monitor:215

Category sidetable inserts. Provides count over a moving timeframe.

/Monitor/SideTable/Category/Ca cheMisses

monitor:216

Category sidetable cache misses. Provides count over a moving timeframe.

/Monitor/SideTable/Category/Siz e /Monitor/SideTable/Agent/HitRat e

monitor:217

Category sidetable size. Provides count, current value.

monitor:218

Agent sidetable cache hit rate. Provides a percentage over a moving timeframe.

/Monitor/SideTable/Agent/Insert s

monitor:219

Agent sidetable inserts. Provides count over a moving timeframe.

/Monitor/SideTable/Agent/Cache Misses

monitor:220

Agent sidetable cache misses. Provides count over a moving timeframe.

/Monitor/SideTable/Agent/Size

monitor:221

Agent sidetable size. Provides count, current value.

/Monitor/SideTable/Device/HitRa te

monitor:222

Device sidetable cache hit rate. Provides a percentage over a moving timeframe.

/Monitor/SideTable/Device/Inser ts

monitor:223

Device sidetable inserts. Provides count over a moving timeframe.

/Monitor/SideTable/Device/Cach eMisses

monitor:224

Device sidetable cache misses. Provides count over a moving timeframe.

/Monitor/SideTable/Device/Size

monitor:225

Device sidetable size. Provides count, current value.

ArcSight Confidential

ArcSight Web UsersGuide

95

6 Using Active Channels

Status Monitor Event Category /Monitor/SideTable/Labels/HitRa te

Device Event Class ID monitor:226

Audit Event Description Labels sidetable cache hit rate. Provides a percentage over a moving timeframe.

/Monitor/SideTable/Labels/Insert s

monitor:227

Labels sidetable inserts. Provides count over a moving timeframe.

/Monitor/SideTable/Labels/Cach eMisses

monitor:228

Labels sidetable cache misses. Provides count over a moving timeframe.

/Monitor/SideTable/Labels/Size

monitor:229

Labels sidetable size. Provides count, current value.

SmartConnector Flow Statistics

SmartConnector flow statistics record the event rates that occur at different stages of agent processing. "Sum of" statistics are sums of all values reported by all agents connected to the ArcSight Manager. All values are statistics over the past 1-minute range. These events summarize: Received event rate is the rate at which agents receive events from devices. Post filter event rate is the rate of events that passed the filter (e.g., were not filtered out). Post aggregation event rate is the rate of event aggregation. Agent-to-manager event rate and count describe how many events were actually sent to the Manager. Cache size describes the estimated size of the on-disk agent event cache.
Status Monitor Event Category /Monitor/Agents/Events/ToMana ger Device Event Class ID monitor:104

Audit Event Description Agent output event count, since startup. Provides count.

/Monitor/Agents/EPS/ToManager

monitor:109

Agent output event rate. Provides count per second and agent-to-manager since last monitor event.

/Monitor/Agents/EPS/Received

monitor:110

Agent input event rate. Provides count per second for the agent received event rate since last monitor event.

/Monitor/Agents/EPS/PostFilter

monitor:111

Agent filtered event rate. Provides count per second for the agent post-filter event rate since last monitor event.

96

ArcSight Web UsersGuide

ArcSight Confidential

6 Using Active Channels

Status Monitor Event Category /Monitor/Agents/EPS/PostAggre gation

Device Event Class ID monitor:112

Audit Event Description Agent aggregated event rate. Provides count per second for the agent post-aggregation event rate since last monitor event.

/Monitor/Agents/CacheSize

monitor:113

Estimated agent cache size, current value. Provides count.

/Monitor/Agents/Total/Events/To Manager

monitor:141

Sum of agent output event counts. Provides count-per-second sum of agent-to-manager event counts since startup.

/Monitor/Agents/Total/EPS/ToMa nager

monitor:146

Sum of agent-to-manager output event rates. Provides counted per-second since last monitor event.

/Monitor/Agents/Total/EPS/Recei ved

monitor:147

Sum of agent input event rates. Provides count per second for the sum of agent received event rates since last monitor event.

/Monitor/Agents/Total/EPS/PostF ilter

monitor:148

Sum of agent filtered event rates. Provides count per second for the sum of agent post-filter event rates since last monitor event.

/Monitor/Agents/Total/EPS/Post Aggregation

monitor:149

Sum of agent aggregated event rates. Provides count per second for the sum of agent postaggregation event rates since the last monitor event.

/Monitor/Agents/Total/CacheSiz e

monitor:150

Sum of estimated agent cache sizes. Provides count as a sum of the estimated agent cache sizes current value.

ArcSight Confidential

ArcSight Web UsersGuide

97

6 Using Active Channels

98

ArcSight Web UsersGuide

ArcSight Confidential

Using Cases
ArcSight cases provide organized, workflow-style tracking and management of interesting events or situations. The ArcSight Web interface enables you to create, manage, or customize cases. Cases have a large number of fields to cover a wide range of event analysis and investigation possibilities. (See Creating Cases on page 101.)
You can add an Export button to the Cases display to export selected cases. Add the line ui.export.enabled=true to the webserver.properties file and restart ArcSight Web.

Chapter 7

. Managing Cases on page 99 Creating Cases on page 101

Managing Cases
The cases display shows cases that are already created in the Cases tree. From the main panel, you can select, view, and customize existing cases, and create new ones.

To view an existing case

1 Navigate to and select the case in the Cases resource tree on the left. Click the group folders in the tree to open or close them. Click a folder to see a list of its cases in the pane to the right. Click the arrow icon in the upper-right corner of the resource pane to hide it or show it. 2 The Cases content pane shows individual listings. Click an individual case to see its fields (see Creating Cases on page 101).

To edit an individual case

1 2 3 Click Lock this case. Make your changes and click Submit. Unlock a case after you finish editing.

To remove a case
1 Select the check box for the case you want to remove and click Remove.

ArcSight Confidential

ArcSight Web UsersGuide 99

7 Using Cases

If you want to keep the case but not allow others to edit it, you can Lock (hold for editing) or Unlock (release for others to edit) buttons. 2 Click Refresh to update the display.

To create a new case

Click New Case to go to the Create a New Case display. For details about how to create a case, see Creating Cases on page 101.

To customize a case
Click Customize to select, deselect, and arrange the columns of the case list.

Default Case Management Columns

Attribute Name Locked Security Classification Code Ticket Type Stage Frequency Created By Description The name assigned to the case. Using descriptive names is important. Whether the case is free to be edited by others. If Locked, it cannot. The letter codes that identify the nature of the security issues the case represents. See Security Classification Default Letter Codes on page 100 below. The source of the case or its means of tracking. The current collaboration or workflow stage assigned to the case. The numerical range of events that occur in regard to a case. The ArcSight user ID of the person who created the case.

Security Classification Default Letter Codes

Classification Category Attack Mechanism Letter Codes I = Informational O = Operational P = Physical U = Unknown Attack Agent C = Collaborative I = Insider O = Outsider U = Unknown Vulnerability D = Design E = Operational Environment O = Operational U = Unknown

100 ArcSight Web UsersGuide

ArcSight Confidential

Using Cases

Classification Category Sensitivity

Letter Codes C = Confidential S = Secret T = Top Secret U = Unclassified

Associated Impact

A = Availability C = Confidentiality I = Integrity U = Unknown

Action

B = Block/Shutdown M = Monitoring O = Other

Creating Cases
To create a case, choose the Initial attributes tab first. Fill in the required and other appropriate fields, tab by tab, then click Submit at the bottom of the display. Overall, the tabs represent: Initial - Basic case information: case ticket attributes, description and security classification. Follow Up - Description of actions taken, planned, or recommended. Final - Ticket resolution and reporting including attack mechanism, attack agent, incident information, and vulnerability information. Events - List of events included in case. Notes - Miscellaneous information applicable to a case. Display ID numbers are assigned automatically when you save the case.

Initial Tab
The fields on this tab provide basic case information.
Field Case Name Display ID Ticket Ticket Type Drop-down list includes Internal, Client, and Incident types. Required field specifying name of case. An automatically assigned unique number. Description

ArcSight Confidential

ArcSight Web UsersGuide 101

7 Using Cases

Field Stage

Description Indicate workflow stage of ticket; selections include Queued, Initial, Follow-up, Final, and Closed. Indicates how often reported issue occurs. Values assigned are 0 (never or once), 1 (less than 10 times), 2 (10 to 15 times), 3 (15 times), 4 (more than 15). Impact of reported issue. Values assigned are 0 (no impact), 1 (no immediate impact), 2 (lowpriority impact), 3 (high-priority impact), 4 (immediate impact). Values assigned are 1 (Unclassified), 2 (Confidential), 3 (Secret), 4 (Top Secret). Values assigned are 0 (None), 1 (Insignificant), 2 (Marginal), 3 (Critical), 4 (Catastrophic). This is a calculated number, based on Ticket info values entered.

Frequency

Operational Impact

Security Classification Consequence Severity Reporting Level Incident Information Detection Time Estimated Start Time Estimated Restore Time External ID Alias Description Assign Owner Notification Groups Description Affected Services Affected Elements Estimated Impact Affected Sites Security Classification

This field is auto-populated. This field is auto-populated. This field is auto-populated. This field is auto-populated. Another name by which the incident is referenced in the system. A text description of the incident.

Users designated as owners of the case. Pre-defined groups that should be notified when the case is created or updated.

This text field can contain up to 4,000 characters. This text field can contain up to 4,000 characters. This text field can contain up to 4,000 characters. This text field can contain up to 4,000 characters.

102 ArcSight Web UsersGuide

ArcSight Confidential

Using Cases

Field Attack Mechanism

Description I = Informational O = Operational P = Physical U = Unknown Attack Agent C = Collaborative I = Insider O = Outsider U = Unknown Incident Source 1 Incident Source 2 Vulnerability This field is auto-populated. This field is auto-populated. D = Design E = Operational Environment U = Unknown Sensitivity C = Confidential S = Secret T = Top Secret U = Unclassified Associated Impact A = Availability C = Confidentiality I = Integrity U = Unknown

Action

B = Block/Shutdown M = Monitoring O = Other

Security Classification Code Security Classification Code This field is auto-populated.

Follow Up Tab
The fields on this tab describe follow-up entries for a case.
Field Actions Taken Planned Actions Recommended Actions Description This text field can contain up to 4,000 characters. This text field can contain up to 4,000 characters. This text field can contain up to 4,000 characters.

ArcSight Confidential

ArcSight Web UsersGuide 103

7 Using Cases

Field Follow-up Contact

Description This text field can contain up to 4,000 characters.

Final Tab
Fields on this tab provide ticket resolution and reporting information related to the attack agent associated with a case.
Field Attack Mechanism Attack Mechanism Attack Protocol Attack OS Attack Program Attack Time Attack Target Attack Service Attack Impact Final Report Action Attack Agent Attack Agent Attack Location ID Attack Node Attack Address Incident Information Incident Source 1 Incident Source 2 Incident Source Address Vulnerability Vulnerability This field is auto-populated. This field is auto-populated. This field is auto-populated. A text field in which you can record up to 200 characters. This field is auto-populated. A short description of the location under attack, of up to 255 characters. A short description of the network node under attack, of up to 255 characters. A text field in which you can record the IP address under attack, of up to 255 characters. This field is auto-populated. The network protocol that is transporting the attack. The operating system supporting the attack. The program that is performing the attack. The date and time of the attack. The host or device at which the attack is directed. The service at which the attack is directed. The effect of the attack. The action recommended for this case. Description

104 ArcSight Web UsersGuide

ArcSight Confidential

Using Cases

Field Vulnerability Type 1 Vulnerability Type 2 Vulnerability Evidence Vulnerability Source Vulnerability Data Other History No. Occurrences Last Occurrence Time Resistance Consequence Severity Sensitivity Recorded Data Inspection Results Conclusions

Description Selections include: Accidental or Intentional. Selections include: EMI/RFI, Insertion of Data, Theft of Service, Unauthorized, Probes, Root Compromise, DoS Attack, User Account. This text field can contain up to 4,000 characters. This text field can contain up to 4,000 characters. This text field can contain up to 4,000 characters.

Selections include: Known Occurrence and Unknown. A numeric value; the number of occurrences of the incident. The date and time of the most recent incident.

Selections include: High, Low, and Unknown. This field is auto-populated. This field is auto-populated. This text field can contain up to 4,000 characters. This text field can contain up to 4,000 characters. This text field can contain up to 4,000 characters.

Events Tab
You can add events to a case from the Active Channels page ( ), as described in Using Active Channel Grids. The system then displays these events on the Cases Events tab.
Field Description Event Info and Payload fields Description This field is auto-populated from events included in a case. For selected events, this field displays event values and payload fields, if available.

Starting with ESM v5.0, events related to a use case are preserved in the case for tracking purposes even after the time period where the events would typically age out of the database.

ArcSight Confidential

ArcSight Web UsersGuide 105

7 Using Cases

Attachments Tab
The Attachments tab shows files associated with the selected case. Click the Attach button to attach another file to the case.

If you do not see files as expected, try clicking the Refresh button ( view to show recently added files.
Field Local file Description

) to update the

Select this option to choose a file on your local system. Specify values for the following fields, which are displayed when you choose a local file: Name A descriptive name for the file. This name can differ from the actual file name, and can include spaces. If you do not provide an alternative name here, the original file name is used. A text description of the file. Click Browse and use the file browser to navigate to and select the local file you want to attach to the case. (This field requires user input.) Encoding type. The default is ISO-8859-1. Click this option if you want to make the file available as a shared resource on the ArcSight Manager. Select this option to choose a file on the ArcSight Manager. Files to attach Click the plus button next the drop-down menu to show the file browser on the ArcSight Manager. Navigate to and select a file on the ArcSight Manager. (This field requires user input.)

Description File

Text Encoding Share this file in ArcSight ArcSight file

Click Attach to attach the file to the case. (Or click Cancel to abandon attachment edits.) Click Submit to save the case with the new attachment, the same way you save new settings on the other tabs. Once the file is attached, anyone viewing the case can view details about the file and download it. To do this, navigate to a case, and click the Attachments tab. To view more details about an attachment, click the file name. To download an attachment, click the Download button ( ) for that file.

Notes Tab
Field Note Description Use this field to record notes of up to 4,000 characters.

106 ArcSight Web UsersGuide

ArcSight Confidential

Handling Notifications
The Nofitications feature displays notifications relevant to you that were triggered by certain event conditions. The notifications on the display are grouped according to workflow-style stages such as pending, acknowledged, resolved, or informational. The specific groups you see have been tailored to your enterprise. To see the details of a notification, click its listing in the relevant group.
Notification Categories Pending

Chapter 8

Use These are notifications that you have not yet handled (reassigned to one of the following categories). Pending notifications older than 24 hours are automatically refiled as Not Acknowledged. These are notifications to which you have responded. Pending notifications that go unacknowledged or unresolved for more than 24 hours are automatically refiled as Not Acknowledged. These are notifications for which you or a colleague have found a resolution and so have marked the notification accordingly. These are notifications that are provided for information purposes only and do not require resolution or response.

Acknowledged Not Acknowledged Resolved Informational

ArcSight Confidential

ArcSight Web UsersGuide 107

8 Handling Notifications

108 ArcSight Web UsersGuide

ArcSight Confidential

Using Reports
The ArcSight Web interface enables you to run reports made available from ESM, and view and save the report results. The reports available to you are organized in the Cases resource tree on the left. Click the group folders in the tree to open or close them. Click a folder to see a list of its cases in the right-hand pane. Click the arrow icon in the upper-right corner of the resource pane to hide it or show it. Running and Viewing Reports on page 109 Running and Saving Archived Reports on page 109 Report Parameters on page 110 Viewing Archived Reports on page 111 Advanced Configuration for Report Performance on page 112

Chapter 9

Running and Viewing Reports

To run and view a report 1 2 3 4 Click Report Definitions just below the toolbar. Navigate to a report in the resource tree. Click a report definition name to show it in the right pane. Use the values already defined for the report's parameters or change them as necessary. (See Report Parameters on page 110.) Click Run Report to run the report and display the results.
For tips about how to run large reports that make efficient use of system resources, see Advanced Configuration for Report Performance on page 112.

Running and Saving Archived Reports

To run and save a report 1 2 3 Click Report Definitions just below the toolbar. Navigate to a report in the resource tree. Click a report definition name to show it in the right pane.

ArcSight Confidential

ArcSight Web UsersGuide

109

9 Using Reports

Use the values already defined for the report's parameters or change them as necessary. (See Report Parameters on page 110.) Select the Save Output checkbox to expose the archive report detail fields.

Enter the following details for saving the report output as an archived report and click Run Report:
Field Archive Report Folder Enter this Browse to an existing folder within the ArcSight file system to save the report results. This will make the report results retrievable from the Archived Reports view later. If no folder is selected, you can save the report once the results are displayed using the save method that applies to the report format selected. For example, if you chose the report format PDF, you can use the PDF save feature to save the report results. Archive Report Name Archive Report Expiration Time Accept the default report name or enter a name for the saved report results. Spaces are OK. Accept the default date (6 months from today), or enter a date when the archived report results are deleted. $NOW indicates that the report results will be deleted when you close the report results viewer.

Report Parameters
The following parameters are common to most reports. Depending on the query used as the source for a report, other parameters may be exposed here. For example, a report might prompt for a Start and End Date (timestamps) over which to run the report.
Parameter Report Format Use The format in which to generate the report. Note that RTF appears by default in Word documents, XLS in Excel worksheets, CSV in Excel worksheets, and PDF and HTML in browser windows. The CSVPlain format intentionally has fewer report header lines. Choose a standard paper size for the printed report (whether you send it directly to print or not). As an option, choose an existing ArcSight user's identity as a report constraint. The user identity can serve as a type of filter on the report's output, or it may be desirable to run a report on behalf of a user, as in a provider/customer (MSSP) circumstance. Select one or more e-mail addresses to send notifications to when the report runs. Choose to send the generated report or a URL to the file. Select this option to save the generated report to the ArcSight Manager as an Archived Report. When you select the Save Output option (toggled "on"), provide the name, location, and expiration date of the archived report. Archive Report Folder Indicate the name of the folder in which you want to store the report.

Page Size Run as User

E-mail to E-mail Format Save Output

110 ArcSight Web UsersGuide

ArcSight Confidential

9 Using Reports

Parameter Archive Report Name

Use Enter the name of the report. You can use Velocity Template references here. By default, the report names is set to: ${Today}/${ReportName}_${Now} $CurrentDateTime: Prints the current date and time. (Same as $Now) $CurrentDate: Prints the current date. $CurrentMonth: Prints the current month. $CurrentWeek: Prints the current week. $Now: Prints the current date and time. (Same as $CurrentDateTime) $CurrentDateTime-<Number>: Prints the current date and time minus the number of days you specify.

Archive Report Expiration Time

Enter an expiration date and time for the archived report. Click the calendar button next to the date field to get a popup calendar in which to designate the date. The ArcSight system automatically removes expired reports.

Viewing Archived Reports

To view an archived report 1 2 3 Click Archived Reports just below the toolbar. Navigate to a report in the resource tree. Click the name of an archived report to show it in the right pane.

Downloading an Archived Report

To download an archived report 1 2 3 Click Archived Reports just below the toolbar. In the Download column for the report archive you want, click the Download icon. In the File Download dialog box, choose to open the file or save it to a particular location.

Adding New Archived Reports

To add a new archived report to a folder 1 2 3 4 5 Click Archived Reports just below the toolbar. In the resource tree, select the report folder to which you want to add the new archived report. Above the list of available reports, click New Report. In the Upload Report screen, enter a report name and specify the path to its file, or click Browse to locate it. Click Upload to add the archived file to the others available in the folder.

ArcSight Confidential

ArcSight Web UsersGuide 111

9 Using Reports

Deleting Archived Reports

To delete archived reports 1 2 3 4 Click Archived Reports just below the toolbar. Navigate to a report folder in the resource tree. In the list of archived reports on the right, check those you want to delete. Click Delete to remove the checked reports, then click OK to confirm.

Advanced Configuration for Report Performance

Reports with large file sizes or large time ranges may require special configurations at the Manager to ensure system performance. Set these parameters only as needed if you encounter large or complex reports that repeatedly cause performance problems or cause the Manager to restart when you try to run them. Refer to the ArcSight ESM Administrator's Guide for more information on setting server properties on the Manager. The properties described here are also documented in the server.properties file itself.

Configurations for Large Reports

A very large report (for example, a 500 MB PDF report) might require so much virtual machine (VM) memory that it can cause the ArcSight Manager to crash and re-start. To prevent this scenario, you can set up the Manager to expose a special report parameter for generating the report in a separate process. The separate process has its own VM and heap, so the report is more likely to finish. Even if the memory allocated is still not enough, the report failure will not crash the Manager. This option must be set up on the ArcSight Manager to expose it in the ArcSight Web report parameters list. On the ArcSight Manager in the server.properties file, set report.canarchivereportinseparateprocess=true. Save the server.properties file and restart the Manager. Once this property is set to "true" on the Manager, the Save Output options for a selected report on ArcSight Web include a new parameter called Generate Report In Separate Process. Select this option for a report you want to archive as a separate process, and run the report. If a report is saved with the parameter set to "true", the report is archived as a separate process even if the property report.canarchivereportinseparateprocess in server.properties is set back to "false" later on.

Configurations for Reports with Large Time Ranges

Reports that query over a large time range with complex joins run much faster if the query contains a full scan database hint. This option must be set up on the Manager to expose it in the ArcSight Web report parameters list. On the ArcSight Manager in the server.properties file, set report.canquerywithfullscanhint=true. Save the server.properties file and restart the Manager.

112 ArcSight Web UsersGuide

ArcSight Confidential

9 Using Reports

Once this property is set to "true" on the Manager, the Save Output options for a selected report on ArcSight Web include a new parameter called Query with Full Scan Hint. Select this option for a report you want to run with the full scan hint, and run the report. If a report is saved with the parameter set to "true", the report is archived as a separate process even if the property report.canquerywithfullscanhint in server.properties is set back to "false" later on.

ArcSight Confidential

ArcSight Web UsersGuide 113

9 Using Reports

114 ArcSight Web UsersGuide

ArcSight Confidential

Monitoring Dashboards
The ArcSight Web interface enables you to view dashboards made available from ESM. When you click Dashboards in the toolbar, you see the Dashboards display, usually with the Dashboards tree open in the resource pane and the dashboards of the current branch listed in the content pane. Viewing and Managing Dashboards on page 115 Changing Dashboard Layouts on page 115

Chapter 10

Viewing and Managing Dashboards

The dashboards available to you are organized in the resource tree on the left. Click the group folders in the tree to open or close them. Click a folder to see a list of its dashboards in the pane to the right. Click the arrow icon in the upper-right corner of the resource pane to hide it or show it. Click a specific dashboard's name to open it and its collection of data monitors in the righthand pane. By default, the information on a dashboard refreshes automatically every 60 seconds. Click the "Pause" button (||) to stop refreshing, or click the circular arrow to refresh immediately. Click the arrow head to resume auto-refreshing. Run the mouse pointer over elements in graphic data monitors to see their details in tooltips.
Three types of data monitors are not available through ArcSight Web: Event Graph, Geographic Event Graph, and Hierarchy Map.

Changing Dashboard Layouts

You can change the way data monitors are laid out on dashboard displays. When you click Dashboards and choose one to show from the resource tree, the layout of data monitors in the right panel is a default pattern. In a dashboard display, click Edit Layout to open the Dashboard Layout editor. To rearrange data monitors, click and drag them from one of the display areas to another. The upper and lower "wide" areas are intended to better accommodate tables, which most

ArcSight Confidential

ArcSight Web UsersGuide 115

10

Monitoring Dashboards

often run wide and cannot be resized. The left and right "narrow" areas are intended to accommodate charts, which are more likely to resize successfully. To see a rearrangement, click Save.

116 ArcSight Web UsersGuide

ArcSight Confidential

Using the Knowledge Base

ArcSight Web provides access to viewing knowledge base articles made available from ESM. The articles available to you are organized in the resource tree on the left. Click the folders in the tree to open or close them. Click the arrow icon in the upper-right corner of the resource tree panel to hide it or show it.
Since ESM v3.0, ArcSight offers the Knowledge Base as a convenience for storing user-generated pointers or articles of interest. It is not pre-populated.

Chapter 11

ArcSight Confidential

ArcSight Web UsersGuide 117

11

Using the Knowledge Base

118 ArcSight Web UsersGuide

ArcSight Confidential

Using Reference Pages

An event viewed from the Event Inspector may have a reference page associated with it. The contents of a reference page is set through the ArcSght Console. If present in an event, click View references to show the reference page content in a separate browser window. Use the drop-down menu to navigate or other pages of this reference if more pages are available. Use the browser's Back button to return.

Chapter 12

ArcSight Confidential

ArcSight Web UsersGuide 119

12

Using Reference Pages

120 ArcSight Web UsersGuide

ArcSight Confidential

Setting Preferences
In any display, click Options in the toolbar to set or change your preferences for date formatting, locale, active channel startup, and password. Click the Formats tab to choose the style and punctuation to use for date and time values. Click Update to apply your changes before moving to another tab. Click the Locale tab to choose the time zone you work in. Click Update to apply your changes before moving to another tab. Click the Channels tab to set, or bypass setting, the parameters for active channels, each time you open one. The check box is clear by default, which means that you will see the channel setup options. Select the check box to avoid setup and to go directly to the channel display. There is also an option to hide (collapse) the channel tree on the left panel when a channel is already running. By default, this tree remains in view. Click Update to apply your changes before moving to another tab. Click the Password tab to change your current password. Enter your old password first. Then enter your new password and repeat it to confirm. Click Update to put your change into effect.

Chapter 13

ArcSight Confidential

ArcSight Web UsersGuide

121

13

Setting Preferences

122 ArcSight Web UsersGuide

ArcSight Confidential

Custom Branding and Styling

You can change logo images, colors, and styles for ArcSight Web by creating and editing the file <ArcSightWeb_HOME>/config/web/styles.properties. This file doesn't exist by default, but you can create it by copying either example.styles.properties or full.styles.properties and renaming it to styles.properties.
Please do not modify the file <ArcSightWeb_HOME>/config/web/styles.defaults.properties. This file contains the default settings. It will be overriden by your custom styles.properties file.

Chapter 14

The properties file provides information about those properties that can be changed, along with example values. To add custom branding or styles: 1 Modify the properties in styles.properties as needed to fit your custom branding and style requirements, and remove the comment tags from the lines that contain property settings you want to apply. If you want to add one or more custom logo images as part or your re-branding effort, you will need to both both modify the relevant property settings and add the image(s) to the webapp/images directory: Modify the properties file to call your custom image file(s) and un-comment the relevant lines (e.g., navbarLogoImg=MyCustomLogo.gif and loginLogoImg=logo-login-MyCustomLogo.gif). You might also want to modify and un-comment the logo image size property and navigation bar text colors to make the proper customizations. Add the image file to the directory <ArcSightWeb_HOME>/webapp/images. 3 Restart ArcSight Web to see the effects of your custom changes.

Remember that branding changes are visible to anyone using that instance of ArcSight Web. You can, however, run multiple instances of ArcSight Web against the same ArcSight Manager.

ArcSight Confidential

ArcSight Web UsersGuide 123

14

Custom Branding and Styling

124 ArcSight Web UsersGuide

ArcSight Confidential

Index

A
Active Channels 21 Grids 23 Headers 23 Inline Filters 25 Opening 21 Viewing 23 Archived Reports Saving 109 Viewing 111 ArcSight Contact ii ArcSight Express 15 Getting Started with ArcSight Express 17 Home Page 16 Monitoring 18 Reporting 20 ArcSight Web About 1 Navigating 5 Whats New 3 Audit Events 80

E
Events Audit Events 80 Data Fields 34 Event Categories 27 Events in cases 105 Inspecting 26

F
Formats Preferences 121 Foundations 9 Administration 10 Configuration Monitoring 9 Network Monitoring 10 System Content 10 Workflow 10

G
Getting Started with ArcSight Express 17 with Standard Content 11

B
Branding 123

H
Home Page 5 ArcSight Express Home Page 16

C
Cases 99 Attachments tab 106 Columns 100 Events Tab 105 Final Tab 104 Follow Up tab 103 How to create 101 Initial Tab 101 Notes Tab 106 Security Classification Codes 100 Channels 21 Preferences 121 Contact ArcSight ii Content ArcSight Express 15 Standard Content 9

I
Inline Filters 25 Inspecting Events 26

K
Knowledge Base 117

L
Locale Preferences 121 logo customizing 123

D
Dashboards 115 Changing Layouts 115 Viewing and Managing 115 Data Fields 34

M
Monitoring Active Channels 21 ArcSight Express 18 Dashboards 115

ArcSight Confidential

ArcSight Web UsersGuide 125

Index

Inspecting Events 26 Standard Content 11

R
Reference Pages 119 Reporting with ArcSight Express 20 with Standard Content 12 Reports 109 Advanced Configuration 112 Parameters 110 Running and Viewing 109 Saving Archived Reports 109 Viewing Archived Reports 111

N
Navigating ArcSight Web 5 ArcSight Express Home Page 16 Basic Navigation 6 Home Page 5 New Features 3 Notifications 107

O
Options 121

S
see Active Channels 21 Standard Content 9 Foundations 9 Getting Started using Standard Content 11 styles.properties 123 System Content 10

P
Password Changing 121 Preferences 121

126

ArcSight Web UsersGuide

ArcSight Confidential