ArcSight Web™

User’s Guide
ArcSight ESM™ 5.2

March 2012
ArcSight Web™ User’s Guide ArcSight ESM™ 5.2

Copyright © 2012 Hewlett-Packard Development Company, LP. All rights reserved.


Confidential computer software. Valid license from HP required for possession, use or copying. Consistent
with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and
Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard
commercial license.
The information contained herein is subject to change without notice. The only warranties for HP products
and services are set forth in the express warranty statements accompanying such products and services.
Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for
technical or editorial errors or omissions contained herein.
Follow this link to see a complete statement of copyrights and acknowledgements:
http://www.arcsight.com/copyrightnotice
The network information used in the examples in this document (including IP addresses and hostnames) is
for illustration purposes only.
This document is confidential.

Revision History

Date: 02/10/2012
Product Version: ArcSight ESM v5.2
Description: Update for ESM v5.2. Updated version, dates, and copyright information.

Contact Information

Phone: 1-866-535-3285 (North America); +44 (0)870 141 7487 (EMEA)
Support Web Site: http://www.support.openview.hp.com
Protect 724 Community: https://protect724.arcsight.com

Contents

Chapter 1: Welcome to ArcSight Web .................................................................................. 1

Chapter 2: What’s New ....................................................................................................... 3

Reporting .......................................................................................................... 3
Standard Content ............................................................................................... 3
Correlation ......................................................................................................... 4
Dashboards ........................................................................................................ 4
Asset Model Import Connector .............................................................................. 4

Chapter 3: Navigating ArcSight Web ................................................................................... 5

Navigating the Home Page ............................................................................................... 5


Basic Navigation ............................................................................................................. 6

Chapter 4: Standard Content ............................................................................................... 7

Standard Content Foundations .......................................................................................... 7


Configuration Monitoring Foundation ............................................................................ 7
Intrusion Monitoring Foundation .................................................................................. 8
Network Monitoring Foundation ................................................................................... 8
ArcSight Workflow Foundation .................................................................................... 8
ArcSight Administration Foundation ............................................................................. 8
ArcSight System Content ........................................................................................... 8
Conditional Variable Filters ......................................................................................... 8
Anti-Virus Reports ..................................................................................................... 8
Getting Started Using Standard Content ............................................................................. 9
Monitoring with Standard Content ..................................................................................... 9
Reporting with Standard Content ..................................................................................... 10

Chapter 5: ArcSight Express Content ................................................................................ 13

ArcSight Express Home Page .......................................................................................... 14


Recent Notifications ................................................................................................. 14
My Cases ............................................................................................................... 14
Dashboards ............................................................................................................ 14
Active Channels ...................................................................................................... 14
Getting Started Using ArcSight Express Content ................................................................ 15

Confidential ArcSight™ Web User’s Guide iii


ArcSight Express Groups .......................................................................................... 15
Monitoring with ArcSight Express Active Channels ............................................................. 16
Monitoring with ArcSight Express Dashboards ............................................................. 17
Reporting with ArcSight Express Reports .......................................................................... 18

Chapter 6: Using Active Channels ..................................................................................... 19

Opening Active Channels ................................................................................................ 19


Viewing Active Channels ................................................................................................ 21
Using Active Channel Headers ................................................................................... 21
Using Active Channel Grids ....................................................................................... 21
Supported Expressions for Inline Filtering ............................................................. 23
Inspecting Events .......................................................................................................... 24
Event Inspector Header Features .............................................................................. 24
Event Inspector Field Features .................................................................................. 25
Show Details for Event Attributes .............................................................................. 25
Event Categories .............................................................................................. 25
Event Data Fields .............................................................................................. 32
Audit Events .................................................................................................... 78
Status Monitor Events ....................................................................................... 84

Chapter 7: Using Cases ..................................................................................................... 95

Managing Cases ............................................................................................................ 95


Default Case Management Columns ........................................................................... 96
Security Classification Default Letter Codes ................................................................ 96
Creating Cases ............................................................................................................. 97
Initial Tab .............................................................................................................. 97
Follow Up Tab ......................................................................................................... 99
Final Tab ..............................................................................................................100
Events Tab ............................................................................................................101
Attachments Tab ....................................................................................................101
Notes Tab .............................................................................................................102

Chapter 8: Handling Notifications ................................................................................... 103

Chapter 9: Using Reports ................................................................................................ 105

Running and Viewing Reports .........................................................................................105


Running and Saving Archived Reports .............................................................................106
Report Parameters .......................................................................................................106
Viewing Archived Reports ..............................................................................................107
Downloading an Archived Report ..............................................................................107
Adding New Archived Reports ..................................................................................108
Deleting Archived Reports .......................................................................................108


Advanced Configuration for Report Performance ...............................................................108
Configurations for Large Reports ..............................................................................108
Configurations for Reports with Large Time Ranges ....................................................109

Chapter 10: Monitoring Dashboards ................................................................................ 111

Viewing and Managing Dashboards .................................................................................111


Changing Dashboard Layouts .........................................................................................111

Chapter 11: Using the Knowledge Base ........................................................................... 113

Chapter 12: Using Reference Pages ................................................................................ 115

Chapter 13: Setting Preferences ..................................................................................... 117

Chapter 14: Custom Branding and Styling ....................................................................... 119

Index .................................................................................................................................................... 121

Chapter 1
Welcome to ArcSight Web

ArcSight Web is the web interface to monitoring and reporting features of ArcSight ESM for
operators and analysts engaged in network perimeter and security monitoring.

Because it can be installed at a location remote from the ArcSight Manager, ArcSight Web
can operate outside a firewall that protects the Manager. Because of its design, it also
offers opportunities for custom branding and styling.

Installing ArcSight Web is described in the Installation and Configuration Guide. For a list of
new features, see “What’s New” on page 3. To get started using the ArcSight Web
interface, see the introduction to “ArcSight Express Content” on page 13 if you have an
ArcSight Express deployment, or “Standard Content” on page 7 if you have an ESM
deployment.

See “Navigating ArcSight Web” on page 5 for a quick tour of all ArcSight Web’s features.



Chapter 2
What’s New

ArcSight Web offers browser-based access to selected ArcSight Manager installations from
anywhere on your intranet. While the ArcSight Console remains your tool for analysis
authoring and detailed operational tasks, ArcSight Web provides a way to see and readily
use the results of that analytical capability.

ArcSight Web is an independent server (not integral to the ArcSight Manager) and can be
located anywhere from which it can connect to a Manager, even outside a firewall.

The best way to get acquainted with ArcSight Web is to take a quick tour of the user
interface. If you are a standard ESM user, see “Standard Content” on page 7. If you are an
ArcSight Express user, see “ArcSight Express Content” on page 13.

This topic describes the new features and enhancements added in this release.

Reporting
Standard Content
Correlation
Dashboards
Asset Model Import Connector

Reporting
In the ArcSight Console, reporting has been enhanced to create a report
once and distribute it to multiple recipients. You have the option to not
send empty reports. Reporting has also been enhanced to define non-
ESM users as recipients.

For more information, see “Building Reports” on page 329.

Standard Content
Administration foundation: Made navigation of administration tasks
easier by adding use cases and enhancing the resource monitoring
content to better monitor query-based resources (reports, trends, and
query viewers).

For more information, see “Standard Content” on page 47.


Correlation
New, light-weight rules that skip multiple event aliases and aggregation,
limit actions and auditing for significant performance gains. For more
information, see “Rules Authoring” on page 441.

Active List Enhancements:


- SUM, MIN, MAX numeric subtypes 
- Store data in time segments
- Enhanced variable functions to support active lists 
For more information, see “List Authoring” on page 577.

Dashboards
The ArcSight Console has been enhanced to support greater drill-down
from data monitors and query viewers to dashboards, reports, active
channels, and query viewers.

For more information, see “Using Dashboards” on page 154.

Asset Model Import Connector


The Asset Model Import Connector now supports the ability to create and
manage the Asset Model within ESM. The Asset Model Import Connector
monitors changes in an asset model CSV file, enabling you to manage
and maintain your Asset model more easily.

For more information, see “Automatically-Created Assets” on page 747.



Chapter 3
Navigating ArcSight Web

Access the ArcSight Web server through whichever web browser you prefer: Internet
Explorer 8.0+ or Firefox 3.6+. The ArcSight Web home URL is
https://hostname:9443/arcsight/app, where hostname is the machine on which
the web server is running.

“Navigating the Home Page” on page 5


“Basic Navigation” on page 6

Navigating the Home Page


The ArcSight Web client opens to the Home display. From here you can easily reach
everything the client offers.

The Home display's summaries are quick references and links to the most-appropriate or
most-interesting security resources in your enterprise. The initial or default information in
each group is configured by your ArcSight administrator. In the sections that offer a Show
menu, you can choose Start Up View to see this default or Personal Folder to switch to
resources selected by or assigned to you.

The information summarized in the Home display is identical to, although possibly a subset
of, the same information managed through the ArcSight Console. It is simply presented in a
browser-compatible format.

Home
The Home link returns you to the home page from any other view.

Dashboards
The Dashboards section lists a set of data monitor dashboards that expose selected
analytical security information about your enterprise. Click a dashboard's name to open it.

Reports
The Reports section lists available reports. Reports are captured views or summaries of
data extrapolated from the ArcSight System by means of queries and trends. Reports
communicate the state of your enterprise security. Click a report, set the parameters or
accept the defaults (HTML or PDF), and click Run Report. You have the option of saving
the Report results in a variety of file formats to your local system, or just viewing the
results in the ArcSight Web window.


Active Channels
Active Channels display the filtered events as they stream through the system. Click a
channel to open it as a grid view in which you can inspect individual events. You can pause
channels, and sort event columns in the grid.

Cases
The Cases section summarizes currently tracked, event-related security situations by the
area they fall into (rows) and the workflow-style stage they have reached (columns). Click
a type and stage cell to see more detail.

Recent Notifications
The Recent Notifications section summarizes ArcSight notifications by workflow-style
categories. Click a category to see more detail.

Basic Navigation
Use the Dashboards, Reports, Channels, Cases, Notifications, and Knowledge Base links at
the top of the display to go to those features. A link to Customer Support is also provided.

[Navigation buttons, shown as icons in the original: Home, Dashboards, Reports, Channels,
Cases, Notifications]

The top bar also has the client's basic controls.

 Click Help to open this Help window. To visit previously viewed Help pages, you can
use standard keyboard commands for Back and Next. For example, on most Web
browsers running on Microsoft Windows systems, you can hit the Backspace key to
show the previously viewed page (move backward in the History) and Shift +
Backspace to move forward in the History of viewed pages. For more information on
using the Help (including how to print topics and get a PDF), see Chapter 3, About the
Online Help, on page vii.
 Click Options to change your preferences concerning date and time formats, locale
settings, active channel setup, and your password.
 Click Logout to leave the client and log in again, or browse elsewhere. If you leave
the client idle for a period of time you may need to log in again because of an
automatic security time-out.
 Click the ArcSight logo in the upper-left corner of the Home display to see version and
licensing information.



Chapter 4
Standard Content

The system comes with a series of coordinated resource systems (active channels,
dashboards, and reports) that address common enterprise network security and ESM
management tasks. These resource systems are referred to collectively as standard
content. Standard content is designed to give you comprehensive operational function out
of the box with minimal configuration.

The content that comes with ArcSight ESM provides a broad range of security, network and
configuration monitoring tasks, as well as a comprehensive system monitoring coverage.

The standard content is organized into functional groups called foundations. For more
about the foundations, see “Standard Content Foundations” on page 7.

“Standard Content Foundations” on page 7


“Getting Started Using Standard Content” on page 9
“Monitoring with Standard Content” on page 9
“Reporting with Standard Content” on page 10

Standard Content Foundations


Each foundation is a coordinated system of resources that provides real-time monitoring
capabilities for its area of focus, as well as after-the-fact analysis in the form of reports,
trends, and trend reports.

Configuration Monitoring Foundation


The Configuration Monitoring foundation identifies, analyzes, and provides support for
remediation of undesired modifications to systems, devices, and applications. Configuration
monitoring is concerned mainly with monitoring hosts and user accounts for configuration-
related activity, such as installing new applications, adding new systems to the network,
anti-virus/network scanner/IDS engine and signature updates, and asset vulnerability
postures.

The configuration monitoring foundation helps you monitor how your networks change
over time, measure daily statistics, understand the changes made, and know who's making
them. Trends help you know what is normal and spot anomalies that should be
investigated.


Intrusion Monitoring Foundation


The focus of the Intrusion Monitoring foundation is to identify hostile activity and enable
you to take appropriate action, either automatically or manually. This foundation provides
statistics about intrusion-related activity, which you can use for incident investigation as
well as routine monitoring and reporting. As with previous releases, the essential security
monitoring functions of the Intrusion Monitoring foundation make up the bulk of the
standard content.

The Intrusion Monitoring foundation targets general intrusion types as well as specific
types of attacks, such as worms, viruses, denial-of-service (DoS) attacks, and so on.

Network Monitoring Foundation


The Network Monitoring foundation monitors the status of network throughput and
network infrastructure as monitored by Argus, the real-time flow monitoring device by
Qosient.

This foundation provides statistics about traffic and bandwidth usage that helps you
identify anomalies and areas of the network that need attention.

ArcSight Workflow Foundation


The ArcSight Workflow foundation is a system of active channels and reports that support
incident response tracking using the incident response system.

Qualifying events in the other foundation packages trigger notifications and cases that get
escalated through the incident response stages.

ArcSight Administration Foundation


The ArcSight Administration foundation provides statistics about component health and
performance. This foundation is installed automatically, and is essential for managing and
tuning the performance of content and components.

ArcSight System Content


The ArcSight System content consists of resources required for basic security processing
functions, such as threat escalation and priority calculations, as well as basic event
monitoring channels required for out-of-the-box functionality.

Conditional Variable Filters


The Conditional Variable Filters are a library of filters used by variables in standard content
report queries, filters, and rule definitions. They express conditions that can also be used
by any content in any package.

The Conditional Variable Filters are used by the Anti Virus, ArcSight Express, Configuration
Monitoring, Intrusion Monitoring, Network Monitoring, and Workflow foundations.

Anti-Virus Reports
The Anti-Virus reports serve both the Configuration Monitoring and Intrusion Monitoring
foundations.


Getting Started Using Standard Content


Whatever your role in the security operations center, you can get started right away using
the standard content.

Each foundation is organized with content for different types of users.

 Executive Summaries. Executive summaries provide high-level analysis of event
activity for management reports. These views show overall trends and long-term
summaries.
 Operational Summaries. The operational summaries are intended for SOC
operators and analysts for daily event monitoring and triage-level investigation.
 Details. The detailed content is intended for incident responders and analysts who
need access to relevant event details in order to investigate situations that arise from
monitoring reports in the operational summaries.
 SANS Top 5 Reports. Each security-related foundation contains a set of reports that
address the SANS Institute's list of recommendations of what every IT staff should
know about their network at a minimum, based on the Top 5 Essential Log Reports.

Monitoring with Standard Content


You can use standard content active channels to begin monitoring your network
immediately after SmartConnectors are added and basic configuration is complete.

Each foundation provides high-level channels for observing general activity for its area of
focus.

Foundation: ArcSight System

  System Events Last Hour: Channel showing all events generated by ArcSight during the
  last hour. A filter prevents the channel from showing events that contributed to the
  firing of a rule, commonly referred to as correlated events.

  Today: Channel showing events received today since midnight. A filter prevents the
  channel from showing events that contributed to the firing of a rule, commonly referred
  to as correlated events.

  All Events / Last 5 Minutes and Last Hour: Channel showing events received during the
  last five minutes or the last hour. The channel includes a sliding window that always
  displays exactly the last five minutes of event data.

  Core / Live: Live channel showing events received during the last two hours. The
  channel includes a sliding window that always displays exactly the last two hours of
  event data. A filter prevents the channel from showing correlation events.

Foundation: Configuration Monitoring

  Operational Summaries / High-Priority Scan Events Directed Toward High-Criticality
  Assets: This channel shows scan results in real time to give you a view into any
  high-priority vulnerabilities detected on highly critical assets.

Foundation: Intrusion Monitoring

  Intrusion Monitoring - Significant Events: This channel provides an overview of hostile,
  compromise, or high-priority events. It continuously monitors events matching:

    Not ArcSight Internal Events
    Priority greater than 8 or Category Significance Starts With /Compromise or /Hostile

  Uses the Business Impact Analysis Field Set (End Time, Business Role, Data Role,
  Attacker Zone Name, Target Host Name, Category Significance, Category Outcome, and
  Priority).

Foundation: Network Monitoring

  Argus Events: This active channel shows all the events coming from Argus
  SmartConnectors for the past 24 hours.

Foundation: Workflow

  Assigned Events: This channel shows events assigned today. The channel always displays
  events occurring since midnight of the current day up to the current time. A filter
  prevents the channel from showing correlated events. It shows only events that are not
  in closed stage and are assigned to a user.
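The Significant Events conditions above, worked through as an added example that is not
part of this guide or of ArcSight itself: a short Python script applies the same filter
(exclude ArcSight internal events; Priority greater than 8, or Category Significance
starting with /Compromise or /Hostile) to a few constructed sample events, projects each
match onto the Business Impact Analysis field set, and also reproduces the sliding-window
and no-correlated-events behavior described for the ArcSight System channels. The
camelCase field names, the constructed events, the fixed clock, and the reading of
"ArcSight Internal Events" as deviceVendor equal to "ArcSight" are assumptions made for
the example, not statements taken from the guide.

```python
"""Evaluate ArcSight-style active channel filters over constructed events.

Added example, not code from the ArcSight Web User's Guide or from ArcSight.
Assumptions: field names follow ArcSight's camelCase schema names, and
"ArcSight Internal Events" is taken to mean deviceVendor == "ArcSight".
"""
from datetime import datetime, timedelta, timezone

# Business Impact Analysis field set, as listed in the channel description.
BIA_FIELD_SET = (
    "endTime", "businessRole", "dataRole", "attackerZoneName",
    "targetHostName", "categorySignificance", "categoryOutcome", "priority",
)

# Fixed "now" so the sliding windows below are reproducible.
NOW = datetime(2012, 3, 1, 12, 0, tzinfo=timezone.utc)

def _ev(**fields):
    """Build a constructed event with a default for every field a filter reads."""
    base = {
        "deviceVendor": "", "priority": 0, "categorySignificance": "",
        "categoryOutcome": "", "correlated": False, "businessRole": "",
        "dataRole": "", "attackerZoneName": "", "targetHostName": "", "endTime": None,
    }
    base.update(fields)
    return base

# Constructed sample events (not real data). "correlated" marks a base event
# that contributed to a rule firing.
SAMPLE_EVENTS = [
    # Internal ESM audit event: high priority, but must never reach the channel.
    _ev(deviceVendor="ArcSight", priority=9, categorySignificance="/Informational",
        categoryOutcome="/Success", targetHostName="esm-manager",
        endTime=NOW - timedelta(minutes=1)),
    # IDS alert with /Hostile significance: included regardless of priority.
    _ev(deviceVendor="Snort", priority=5, categorySignificance="/Hostile",
        categoryOutcome="/Attempt", attackerZoneName="Internet",
        targetHostName="web01", businessRole="Web",
        endTime=NOW - timedelta(minutes=3)),
    # Routine firewall deny: low priority, informational, excluded.
    _ev(deviceVendor="Cisco", priority=3, categorySignificance="/Informational/Warning",
        categoryOutcome="/Failure", targetHostName="fw-edge",
        endTime=NOW - timedelta(minutes=30)),
    # Priority 10 event that also fed a rule: significant, but hidden by the
    # "no correlated events" filter of the system channels.
    _ev(deviceVendor="Snort", priority=10, categorySignificance="/Suspicious",
        categoryOutcome="/Success", attackerZoneName="Internet", targetHostName="db01",
        dataRole="PCI", businessRole="Database", correlated=True,
        endTime=NOW - timedelta(hours=3)),
]

def is_internal(ev):
    """'ArcSight Internal Events' condition (assumption: deviceVendor == ArcSight)."""
    return ev.get("deviceVendor") == "ArcSight"

def is_significant(ev):
    """Not internal AND (priority > 8 OR significance starts with /Compromise or /Hostile)."""
    if is_internal(ev):
        return False
    sig = ev.get("categorySignificance") or ""
    return (ev.get("priority", 0) > 8
            or sig.startswith("/Compromise")
            or sig.startswith("/Hostile"))

def not_correlated(ev):
    """Filter used by the system channels to hide events that fired a rule."""
    return not ev.get("correlated", False)

def in_window(window, now=NOW):
    """Return a predicate for a sliding window of length `window` ending at `now`."""
    def pred(ev):
        t = ev.get("endTime")
        return t is not None and now - window <= t <= now
    return pred

def project(ev, fields):
    """Keep only the named fields, as a channel field set does."""
    return {f: ev.get(f) for f in fields}

def run_channel(events, *predicates, fields=None):
    """Apply every predicate (ANDed) and optionally project the survivors."""
    hits = [e for e in events if all(p(e) for p in predicates)]
    return [project(e, fields) for e in hits] if fields else hits

def significant_events(events=SAMPLE_EVENTS):
    """Intrusion Monitoring - Significant Events, with the BIA field set."""
    return run_channel(events, is_significant, fields=BIA_FIELD_SET)

def live_channel(events=SAMPLE_EVENTS, now=NOW):
    """Core / Live: sliding two-hour window, correlated events hidden."""
    return run_channel(events, not_correlated, in_window(timedelta(hours=2), now))

def last_five_minutes(events=SAMPLE_EVENTS, now=NOW):
    """All Events / Last 5 Minutes: sliding five-minute window, no other filter."""
    return run_channel(events, in_window(timedelta(minutes=5), now))
```

With the constructed events, significant_events() returns only the Snort alerts
(web01 by significance, db01 by priority) and drops the internal event despite its
priority of 9, which is the check a practitioner wants before trusting a channel that
is supposed to hide ESM's own audit traffic. Feeding the script real data means
replacing SAMPLE_EVENTS with parsed records that use the same field names.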

Each foundation contains more channels that focus on events of different types. Explore
the active channels to monitor the activity you are interested in.

For more about using active channels, see “Using Active Channels” on page 19.

Use dashboards to view activity from many perspectives in a single screen. Dashboards are
also fully drill-down enabled. For more about investigating using dashboards, see
“Monitoring Dashboards” on page 111.

Reporting with Standard Content


Standard content supplies a robust set of reports for each foundation. The reports for each
foundation are organized into different levels of detail depending on who the reports are
for as outlined in Getting Started Using Standard Content.

Foundation: Common

  The Common group contains a set of anti-virus reports that apply to all the foundations.

Foundation: Configuration Monitoring

  Detailed reports concentrate on configuration changes by device and by user,
  inventories of applications and assets by role, and vulnerabilities by asset, asset
  type, asset criticality, and so on.

  • Executive Summary reports focus on overall host configurations by zone, role,
    criticality, data role, and operating system.
  • Operational Summaries provide summaries of host configuration modifications by
    Customer, OS, and over the last 30 days; top user login successes and failures over
    recent time periods; and asset restarts over recent time periods.
  • SANS Top 5 Reports focus on SANS section 3: Unauthorized Changes to Users, Groups,
    and Services.

Foundation: Intrusion Monitoring

  Detailed reports are organized into types of activity: anti-virus; attack monitoring;
  environment state for applications, operating systems, and services; reconnaissance
  attempts; access events; user activity through device type; vulnerability activity by
  asset and by vulnerability; and worm outbreak activity.

  • Executive Summary reports provide an overall Security Intelligence Status Report,
    and summary views by business role and systems that are subject to regulations,
    such as the Sarbanes-Oxley Act.
  • Operational Summaries provide mid-level summaries organized into device types, such
    as anti-virus, attack monitoring, and reconnaissance.
  • SANS Top 5 Reports focus on SANS sections 1, 4, and 5: Attempts to Gain Access
    Through Existing Accounts, Systems Most Vulnerable to Attack, and Suspicious or
    Unauthorized Network Traffic Patterns.

Foundation: Network Monitoring

  Detailed reports provide views into traffic by host, by protocol, and by target, and
  activity over network devices and VPNs.

  • Executive Summary reports provide traffic summaries over daily, weekly, monthly,
    and quarterly time intervals.
  • Operational Summaries provide an overall traffic snapshot; bandwidth utilization
    statistics by device and by time interval; and statistics for inbound and outbound
    traffic by protocol and by host.
  • SANS Top 5 Reports focus on SANS section 5: Suspicious or Unauthorized Network
    Traffic Patterns.

Foundation: Workflow

  Detailed reports provide statistics for all cases, notifications, and notification
  action events.

  • Executive Summary reports provide overall case statistics, such as average time to
    case resolution, number of cases at each escalation stage, and cases as they affect
    operations.
  • Operational Summaries provide detailed case statistics, including trends over time,
    notifications that reach level 3, the status of notifications by user, and so on.

Each foundation contains more reports that focus on events of different types. Explore the
reports to find the activity on which you are interested in reporting.

For more about using reports, see “Using Reports” on page 105.



Chapter 5
ArcSight Express Content

ArcSight Express is a Security Information and Event Management (SIEM) appliance that
provides essential network perimeter and security monitoring tools combined with Logger,
ArcSight's data retention hardware storage solution. ArcSight Express delivers an
easy-to-deploy, enterprise-level security monitoring and response system through a series
of coordinated resources, such as dashboards, rules, and reports, included as part of
ArcSight Express Content.

ArcSight Express content is designed to give you comprehensive operational function out of
the box with minimal configuration.

These resources enable you to use the active channels and dashboards to monitor the
network, use the case tracking tools to investigate and resolve issues, and use the reports
to communicate the condition of the network to key stakeholders at all levels of the
enterprise.

“ArcSight Express Home Page” on page 14
“Getting Started Using ArcSight Express Content” on page 15
“Monitoring with ArcSight Express Active Channels” on page 16
“Reporting with ArcSight Express Reports” on page 18

ArcSight Express Home Page


The ArcSight Express home page displays a series of basic views designed to give you an
overview of activity that concerns you. These views are described below.

Recent Notifications
Recent notifications show the status of notifications generated by correlated events that
concern you. To view the details of a notification, click any line item to go to the
Notifications page. For more about notifications, see “Handling Notifications” on page 103.

My Cases
My cases show a snapshot of cases assigned to the user who is currently logged in. For
details, click the cases icon to go to the Cases page. For more about cases, see “Using
Cases” on page 95.

Dashboards
Dashboards show a selection of key dashboards. You can select among these views:

• Start Up View: The start-up view provides quick access to the Security Activity Statistics and Current Event Sources dashboards. These dashboards give you a comprehensive general view of the security state of your environment and the sources where the events are generated.
• Recent Dashboards: This view shows the last five dashboards you viewed to enable you to easily toggle among several dashboards without having to navigate to them in the Dashboard tab.
Click any of these links to display the dashboard itself.

Active Channels
• Start Up View: The start-up view provides a link to the Correlated Alerts channel, which shows all events generated by rules. These events are considered to be events of interest that warrant attention.
• Personal Folder: This view contains active channels that you have modified and saved.
• Recent Channels: This view shows the last five active channels you viewed to enable you to easily toggle among several active channels without having to navigate to them in the active channels tab.
For more about the home page, see “Navigating ArcSight Web” on page 5.

Getting Started Using ArcSight Express Content


Whatever your role in the security operations center, you can get started right away using
the ArcSight Express content.

ArcSight Express Groups


ArcSight Express content is organized into the following device groups relevant to the
function the content performs:

Cross-Device: This group contains resources that monitor and report on functions that apply to multiple kinds of devices, such as login attempts, bandwidth usage, and configuration changes.

Anti-Virus: This group contains resources that support monitoring and reporting on anti-virus activity, such as update status, virus activity, and configuration changes.

Case Management: This group contains resources that support monitoring and reporting on activity and notifications involving cases opened in ArcSight as a result of activity that warrants investigation.

Database: This group contains resources that monitor and report on database activity, such as configuration changes, database logins, errors, and warnings.

Firewall: This group contains resources that monitor and report on firewall activity, such as network logins and logouts, denied connections, bandwidth usage, and configuration changes.

Identity Management: This group contains resources that monitor and report on user activity, such as logins, user session durations, and configuration changes, in order to identify who is doing what activity on the network.

IDS-IPS: This group contains resources that monitor and report on activity involving Intrusion Detection and Prevention Systems, such as signature updates, alerts, and statistics.

Network: This group contains resources that monitor and report on activity involving network infrastructure, including system up/down status, configuration changes, bandwidth usage, and login events.

Operating System: This group contains resources that monitor and report on activity involving operating systems, such as user logins and user modification events.

VPN: This group contains resources that monitor and report on activity involving VPN connections, including authentication errors, logins, and connection status.

Vulnerabilities: This group contains resources that monitor and report on exposed vulnerabilities by asset.

Monitoring with ArcSight Express Active Channels


The active channels contain three major groups of channels:

• ArcSight Administration
• ArcSight Express
• Device Class Event Channels

The staple active channels in the ArcSight Express group are a good place to start for
monitoring event flows. For instructions about how to use active channels, see “Using
Active Channels” on page 19.

Monitoring with ArcSight Express Dashboards


The dashboards contain the ArcSight Administration and ArcSight Express groups. Explore
the dashboards to find views you are interested in.

The example below shows the IDS-IPS dashboard, which summarizes the number of
events from IDS and IPS systems. Click on any bar to view the details of the events
represented in this bar in a channel.

For more about working with dashboards, see “Monitoring Dashboards” on page 111.

Reporting with ArcSight Express Reports


The reports also contain the ArcSight Administration and ArcSight Express groups.

The Security Intelligence Status Report provides a summary of event counts and top
events, attacks, targets, ports, and so on, as shown in the example below.

For more about working with reports, see “Using Reports” on page 105.

Chapter 6
Using Active Channels

The event information presented in the ArcSight Web active channel views is the same data
presented in the Console. The web client makes channels accessible from anywhere on
your enterprise network, or even outside a firewall.

Using active channels includes opening them, controlling their views, and drilling down into
the individual events that channels collect.

“Opening Active Channels” on page 19
“Viewing Active Channels” on page 21
“Inspecting Events” on page 24

Opening Active Channels


To open an active channel, click its name in the Active Channels section of the Home
display, or click the Channels icon in the toolbar and choose a channel in the Active
Channels resource tree. Channels you click in the Home display open directly, but channels
you choose in the resource tree offer a setup page before opening.

Use the Open Active Channel setup display to adjust the timing, filter, and column-set
parameters of the channel, if necessary. This display appears unless you have turned
channel setup off (bypass channel setup) in the Channels panel of the Options display.

There is also an option to hide (collapse) the channel tree on the left panel when a channel
is already running. By default, this tree remains in view. Click the Show ( ) or Hide ( )
buttons at the top of the left panel to show or hide the folder tree.

Active Channel Parameters

Channel: Read-only field that shows the channel name.

Start Time: The relative or absolute time reference that begins the period in which to actively track the events in the channel. Edit the time expression or clear the Date expression check box to use an absolute date and time.

End Time: The relative or absolute time reference that ends the period in which to actively track the events in the channel. Edit the time expression or clear the Date expression check box to use an absolute date and time.

Evaluate parameters continuously: Choose whether the channel shows events that are qualified by Start and End times that are re-evaluated constantly while it is running (selected), or shows only the events that qualify when the channel is first run (cleared).

Use as Timestamp: Choose the event-timing phase that best supports your analysis. End Time represents the time the event ended, as reported by the device. Manager Receipt Time is the event's recorded arrival time at the ArcSight Manager.

Field Set: The Field Set you choose here determines which columns show up in the active channel display. By default, a standard list of columns is shown in the channel.

Choose an existing field set to control the selection and order of the columns in the grid, or choose More Choices or click the plus sign (+) to open the Field Sets resource tree. The None option clears a field set and restores the channel to its original definition.

Global variables make it possible to define a variable that derives particular values from existing data, then re-use it in multiple places wherever conditions can be expressed and wherever fields can be selected. For more information about global variables, see “Global Variables” on page 483 in the ArcSight Console User’s Guide.

If your system is configured with domain field sets (a separately licensed feature), these are available to select here as field set choices. For more information about domain field sets, see “Domain Field Sets” on page 497 in the ArcSight Console User’s Guide.

Filter Override: You can use the Filter Override to narrow the event flow in the channel to only those events that satisfy conditions you specify here. You have these options for Filter Override:

• Simply choose an existing filter. You can choose a recently used filter from the drop-down menu, or navigate to other filters by clicking More Choices or clicking the plus sign (+) to override the default channel filter. (The None option clears the filter choice and restores the channel to its original definition.)
Or
• Explicitly specify new filter conditions for the channel by using event attributes (field groups and fields) or an existing filter (MatchesFilter) as part of a condition. You can use domain fields to create conditions on channels the same way that you use other fields. If available, domain field sets show up under Event Attributes with the other field groups. For more information about domains, see “Domain Field Sets” on page 497 in the ESM User’s Guide. You can review the conditions of the filter in the active channel header (see “Using Active Channel Headers” on page 21).

Viewing Active Channels


This topic explains how to understand, change, and drill into the grid views of active
channels.

Using Active Channel Headers

Using active channels begins with reading and understanding their headers. Headers display the following information:

Name and Total: The top line of the header shows the channel's name and the percentage of qualifying events that are currently loaded in the view.

Time Span: The Start Time and End Time show the chronological range of the channel.

Evaluation: This flag indicates whether the channel is set to evaluate events continuously as they are received, or only once when the channel opens. Click Modify to change this parameter.

Filter: This text describes the filter that limits what the channel shows.

Priority Totals: On the right side of the header is a column of event-priority category totals. The figures are the number of events in those categories.

Channel State: The channel state box contains a play and pause button and a refresh progress bar. This display indicates whether the channel is running or paused, and if it is running, the progress of the next refresh cycle.

Radar Display: The Radar display in active channel headers indicates the activity taking place in the entire channel (not just the current page). Its graphics represent units of time horizontally, and numbers of events in vertical bars segmented by Priority attribute-value counts. The time and quantity scales in the graphic automatically adjust to accommodate the scope of the channel. The broader the scope, the smaller the graphical units become.

To focus the grid on the events of one period, click that bar in the display. To restore the display, click Clear at the right end of the bar. Your sorting choices in the grid affect the arrangement of the activity units in the Radar.

Time Range: The Displaying bar below the Radar display and above the grid header shows the time range of the events selected in the Radar display and reflected in the grid. If nothing is selected, the time range shows All.

Using Active Channel Grids


Event grids display the individual events that active channels capture.

To page through a grid


Click the navigation buttons on the right side of the grid column header. The numbers
represent specific pages, and the advance arrows go one step or all the way forward or
back.

To use field sets


Choose a named set of fields from the Field Set drop-down menu. The sets available are
usually tailored to your enterprise. Note that the field-set variables found in the ArcSight
Console are not available through ArcSight Web.

Choose the Field Set Customize option (if available) to temporarily add, remove, or
rearrange the columns in the current grid. You can create one custom field set per channel.

If your ESM system is configured with domain field sets, these are also available here to
select as a pre-defined Field Set choice and for use with the Customize option. For more
information about domain field sets, see the Domain Field Sets topic in the ArcSight
Console User’s Guide.

To sort a grid
Click any grid column heading to sort the whole view by that column. Each click toggles
between ascending and descending. The default order of grids is usually determined by the
End Time of events, as selected in the current active channel display.

To filter a grid
To apply an inline filter, click Inline Filter in the grid header and choose an available value
from the drop-down menus for one or more columns. This enables you to filter by values
already available in the channel. Click Apply to put the filter into effect.

You can also filter by entering custom expressions into the text field for each column. To
customize an inline filter, type a value in the text field above the column on which you want
to filter, and click Apply. Supported expressions for custom filtering are shown in the table
below.

Supported Expressions for Inline Filtering

String-based Columns: The Contains and StartsWith operators are supported. The values for the operator must be in quotes.

Examples:

Contains "Event"
Contains "Event" OR Contains "Top"
Contains "Web" AND Contains "denied"
StartsWith "Web"
StartsWith "Web" OR Contains "denied"
StartsWith "Web" AND Contains "denied"

You can use the OR and AND Boolean operators between the expressions. The column field name is implicitly used as the left-hand parameter.

Integer and IP Address Columns: The Between operator is supported. The values in the Between expression must be in quotes.

Examples:

For the port column: Between("20", "80")
For the IP address column: Between("10.0.0.1", "10.0.0.255")
For the priority column: Between("1","2") OR Between("7","8")

You can use the OR and AND Boolean operators between the expressions. The column field name is implicitly used as the left-hand parameter.
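The expression syntax in the table above, as an added example that is not part of the original guide or of ArcSight's own code: a small Python evaluator that tokenizes an inline-filter expression, rejects expressions that do not fit the column type (Contains on an integer column, an unquoted value, reversed Between bounds), and applies the result to constructed sample rows. The sample events, the column names and the left-to-right AND/OR evaluation are assumptions; the page does not state operator precedence.

```python
"""Evaluator for the ArcSight Web inline-filter grammar: Contains/StartsWith with a
quoted value on string columns, Between("lo", "hi") on integer and IP address columns,
joined by AND/OR, with the column name as the implicit left-hand operand."""
import ipaddress
import re

# One token per match: operator keyword, Boolean keyword, quoted string, or the
# punctuation used by Between(...). Anything else is rejected as a syntax error.
TOKEN_RE = re.compile(
    r'\s*(?:(?P<op>Contains|StartsWith|Between)\b'
    r'|(?P<bool>AND|OR)\b'
    r'|(?P<str>"[^"]*")'
    r'|(?P<punct>[(),]))'
)


def tokenize(expr):
    """Split a filter expression into (kind, text) tokens; quotes are stripped."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if m is None:
            raise ValueError(f"unexpected input at offset {pos}: {expr[pos:]!r}")
        kind = m.lastgroup
        text = m.group(kind)
        tokens.append((kind, text[1:-1] if kind == "str" else text))
        pos = m.end()
    return tokens


def _coerce(column_type, text):
    """Convert a quoted literal (or cell value) to the column's comparable type."""
    if column_type == "integer":
        return int(text)
    if column_type == "ip":
        return ipaddress.ip_address(text)
    return text


def _parse_term(tokens, i, column_type):
    """Parse one predicate starting at tokens[i]; return (predicate, next index)."""
    if i >= len(tokens) or tokens[i][0] != "op":
        raise ValueError("expected Contains, StartsWith or Between")
    op = tokens[i][1]
    if op in ("Contains", "StartsWith"):
        if column_type != "string":
            raise ValueError(f"{op} is only valid on string columns")
        if i + 1 >= len(tokens) or tokens[i + 1][0] != "str":
            raise ValueError(f"{op} requires a quoted value")
        needle = tokens[i + 1][1]
        if op == "Contains":
            return (lambda v: needle in str(v)), i + 2
        return (lambda v: str(v).startswith(needle)), i + 2
    # Between("lo", "hi"): exactly ( "lo" , "hi" ) must follow the keyword.
    if column_type not in ("integer", "ip"):
        raise ValueError("Between is only valid on integer and IP address columns")
    tail = tokens[i + 1:i + 6]
    if [k for k, _ in tail] != ["punct", "str", "punct", "str", "punct"] or \
       [t for k, t in tail if k == "punct"] != ["(", ",", ")"]:
        raise ValueError("malformed Between expression")
    low = _coerce(column_type, tokens[i + 2][1])
    high = _coerce(column_type, tokens[i + 4][1])
    if low > high:
        raise ValueError("Between bounds are out of order")
    return (lambda v: low <= _coerce(column_type, str(v)) <= high), i + 6


def compile_filter(expr, column_type):
    """Turn an expression into a predicate over one cell value, or raise ValueError.
    AND/OR are combined left to right (assumption; the guide states no precedence)."""
    tokens = tokenize(expr)
    pred, i = _parse_term(tokens, 0, column_type)
    while i < len(tokens):
        kind, word = tokens[i]
        if kind != "bool":
            raise ValueError(f"expected AND or OR, got {word!r}")
        rhs, i = _parse_term(tokens, i + 1, column_type)
        if word == "AND":  # default args bind the current predicates, not the loop vars
            pred = lambda v, l=pred, r=rhs: l(v) and r(v)
        else:
            pred = lambda v, l=pred, r=rhs: l(v) or r(v)
    return pred


def is_valid_filter(expr, column_type):
    """True if the expression parses for that column type (input validation)."""
    try:
        compile_filter(expr, column_type)
        return True
    except ValueError:
        return False


def apply_inline_filter(rows, column, column_type, expr):
    """Return the rows whose value in `column` satisfies the filter expression."""
    pred = compile_filter(expr, column_type)
    return [row for row in rows if pred(row[column])]


# Constructed sample events (not from any real channel); column names are assumed.
SAMPLE_EVENTS = [
    {"name": "Web Server denied access", "port": 80, "attackerAddress": "10.0.0.12", "priority": 7},
    {"name": "Top Event Sources", "port": 443, "attackerAddress": "192.168.1.5", "priority": 3},
    {"name": "Event: login failure", "port": 22, "attackerAddress": "10.0.0.200", "priority": 8},
    {"name": "Web Proxy allowed", "port": 8080, "attackerAddress": "10.0.1.1", "priority": 1},
]
```

For example, apply_inline_filter(SAMPLE_EVENTS, "port", "integer", 'Between("20", "80")') keeps the rows with ports 80 and 22.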

To add an event to a case

Select one or more event check boxes on the left, then click Add to Case to choose, in the
Cases resource tree, the existing or new case to add them to. Click the Existing case radio
button to add the events to the case you select in the tree. Click the New case radio
button to name the case and add it at the currently selected point in your personal tree.
Click Add to save the assignments and return to the grid.

To view the events associated with a case, click the Cases navigation button at the top
of the page, choose a case, and click the Events tab for that case. For more information,
see “Events Tab” on page 101 in “Using Cases” on page 95.

To change a grid's options


Click Options in the grid header to change the display's update frequency and its number
of rows per page.

To save a modified channel


Click Save Channel As in the channel header to add a modified channel to your personal
folder in the Active Channels resource tree. In the Save Channel As dialog box, name the
channel and click Save.

To inspect an event
Click any individual event in the grid to show that event in the Event Inspector as described
in Inspecting Events.

Inspecting Events
Use the Event Inspector display to examine the details of events that appear in active
channels. To open the Event Inspector, click an event in an active channel's grid view. The
Event Inspector shows the data fields and categories associated with the event you
selected. Apart from these fields, the display has the features described below.

Event Inspector Header Features

Associated Articles: If a knowledge base article exists for this event, the View Articles link displays the article from the Knowledge Base.

Associated References: If a reference page exists for this event, the View References link displays the reference page. Reference pages provide additional background on an event or a resource. These may be pre-populated by ArcSight, provided by vendors, or added by technologists in your organization.

Additional Details: Click this link to view Additional Details on the event, such as vendor and product information, event category information, reference pages, and vulnerability pages.

View Event Context Report: Click this link to run an Event Context Report that shows the events that occurred within a specified number of minutes (a window) before and after this event.

View Rule Context Report: Click this link to run a Rule Context Report that shows the events that occurred within a specified number of minutes (a window) before and after the current rule was invoked.

Payload Viewer: Click this link to view the payload for the event. The Payload Viewer option is available only if the event has a payload associated with it. A "payload" is information carried in the body of an event's network packet, as distinct from the packet's header data. Events include payloads only if the associated SmartConnectors are configured to send events with payloads.

View iDefense Incident Report: Click View iDefense Incident Report to view information about vulnerability IDs related to the event. This option is available only if you have VeriSign iDefense software installed and configured to interact with the ArcSight system, and if the selected event has a vulnerability ID associated with it. In that case, the iDefense report provides more details on the vulnerability.

Field Sets: Choose Field Sets to see a predefined set of event data fields rather than all fields. Use the None option to restore the default view.

Hide Empty Rows: By default, the Hide Empty Rows check box is checked, so the display isn't filled with unused fields. Clear the check box to see all fields, even if empty.

Event Inspector Field Features

The values for fields in events are also links. Click these values to open new channels or to
filter current channels using them.

Create Channel [Field Name = Value]: Open a channel containing only those events that have matching values for the selected field.

Create Channel [Field Name != Value]: Open a channel that shows only those events that do not have a matching value for the selected field.

Add to Channel [Attribute = Value]: Add the attribute-value pair to the channel's filter (require that they match).

Add to Channel [Attribute != Value]: Exclude the attribute-value pair from the channel's filter (require that they do not match).

Show Details for Event Attributes

View details for each attribute associated with an event.

• To view event attribute details inline, click the Details button ( ) next to the attribute.
• To view event attribute details on a new Web page, click the Show detail in a new page button ( ) next to the attribute.

Event Categories
ESM uses six primary categories and a flexible set of supporting attributes to more
precisely distinguish the events reported by SmartConnectors or generated internally by
ArcSight Managers. These categories appear as a field in the Event Inspector.

These categories and attributes are designated by ArcSight, based on the information
offered to SmartConnectors by sensors. Keep in mind that the applicability of a category
always depends on the actual configuration of the environment.

The category groups are:

• Object: The physical or virtual object that was the focus of the event. (See “Object Category” on page 26.)
• Behavior: The action taken on the object. (See “Behavior Category” on page 27.)
• Outcome: An indication of whether the action succeeded on the object. (See “Outcome Category” on page 29.)
• Device Group: The type of device from which the sensor reported the event. (See “Device Group Category” on page 29.)
• Technique: The method used to apply the action to the object (i.e., the type of attack). (See “Technique Category” on page 30.)
• Significance: A description of the security significance of the event from the reporting sensor's perspective. (See “Significance Category” on page 32.)

Object Category

Host: Any end-system on the network, such as a PDA, a Windows computer, or a Linux computer.

Operating System: The system software that controls execution of computer programs and access to resources on a host.

Application: A software program that is not an integral part of the operating system.

Service: An application that normally executes at operating system startup. A service often accepts network connections.

Database: A database application.

Backdoor: An application, visible on a host, that listens for network connections and can give a non-authorized user control over that host.

DoS Client: A host that is displaying an application that can participate in a (possibly distributed) denial-of-service attack.

Peer to Peer: An application that listens for, and establishes network connections to, other installations of the same application, such as Kazaa, Morpheus, or Napster.

Virus: A host that is displaying a replicating infection of a file that also executes other behaviors on the infected host.

Worm: A host that is displaying a self-replicating program that spreads itself automatically over the network from one computer to the next.

Resource: An operating system resource that is characteristically limited in its supply.

File: A long-term storage mechanism (e.g., files, directories, hard disks, etc.).

Process: A single executable module that runs concurrently with other executable modules.

Interface: An interface to the network.

Interface Tunnel: Packaging a lower network protocol layer within a higher layer, such as an IPSec tunnel or HTTP tunneling.

Registry: The central configuration repository for the operating system and the applications. Application-specific information is not stored here.

CPU: Events directed at this object relate to consumption or use of the overall processing power of the host.

Memory: Events directed at this object relate to consumption or use of the overall memory of the host.

Network: Events that cannot be clearly associated with a host's subitem. Events that involve transport, or many hosts on the same subnet.

Routing: Routing-related events, such as BGP.

Switching: Switching-related events, such as VLANs.

Actor

User: A single human identity.

Group: A named collection of users, such as an employee division or social group.

Vector: The replication path for a section of malicious code.

Virus: A replicating infection of a file that also executes other behaviors on the infected host.

Worm: A self-replicating program that automatically spreads itself across the network, from one computer to the next.

Backdoor: An application that listens for network connections and can give a non-authorized user control over that host.

DoS Client: An application that participates in a (possibly distributed) denial-of-service attack.

Behavior Category

Access: Refers to accessing objects, as in reading.

Start: The start of an ongoing access, such as login.

Stop: The end of an ongoing access, such as logging out.

Authentication: Actions that support authentication.

Add: Adding new authentication credentials.

Delete: Deleting authentication credentials.

Modify: Modifying authentication credentials.

Verify: Credential verification, such as when logins occur.

Authorization: Authorization-related actions.

Add: Adding a privilege for the associated object (for example, a user).

Delete: Removing a privilege for the associated object (for example, a user).

Modify: Modifying the existing privileges for the associated user or entity.

Verify: An authorization check, such as a privilege check.

Communicate: Transactions that occur over the wire.

Query: Communicating a request to a service.

Response: Communicating a response to a request, from a service.

Create: Seeks to create resources, install applications or services, or otherwise cause a new instance of an object.

Delete: The reverse of creation events. Includes uninstalling applications, services, or similar activity.

Execute: Involves loading or executing code, booting or shutting systems down, and similar activity.

Start: The beginning of execution of an application or service. This event is clearly distinguished from a lone "Execute" attribute.

Stop: The termination of execution of an application or service. This event is clearly distinguished from a lone "Execute" attribute.

Query: A query sent to a specific entity, but not over the network, such as when generating a report.

Response: The answer returned by an Execute/Query. For example, a report delivered back from an application, or status messages from applications.

Modify: Involves changing some aspect of an object.

Content: Changing the object's content, such as writing to or deleting from a file or database.

Attribute: Changing some attribute of an object, such as a file name, modification date, or create date.

Configuration: Changing an object's configuration. For example, application, operating system, or registry changes.

Substitute: Replacing files, upgrading software, or service or host failovers.

Found: Noticing an object or its state.

Vulnerable: An exploitable state that is characteristic of a particular hardware or software release.

Misconfigured: An exploitable state caused by a weak configuration or similar mishandling.

Insecure: An exploitable state that arises from poor management or implementation. For example, weak authentication, weak passwords, passwords passed in the clear, default passwords, or simplistically named accounts.

Exhausted: The targeted object was found to be exhausted (for example, not enough file descriptors are available).

Outcome Category
These attributes indicate the probable success or failure of the specified event, within an
overall context. For example, the outcome of an event such as an "operation failed" error
message can be reported as a "/Success" given that the operation can be presumed to
have actually caused a failure. Another example would be an event that identifies a Code
Red infection: on a host running Linux the outcome would be "/Failure" (Code Red is
Windows-only), while the same event directed at a host with an unknown OS would be
reported as an "/Attempt".

Attempt: The event occurred but its success or failure cannot be determined.

Failure: The event can be reasonably presumed to have failed.

Success: The event can be reasonably presumed to have succeeded.

Device Group Category

Application: An application program.

Assessment Tool: A network- or host-based scanner that monitors issues such as vulnerability, configurations, and ports.

Security Information Manager: A security-event processing correlation engine (such as the Manager). This "device" deals only in correlated events.

Firewall: A firewall.

IDS: An intrusion-detection system.

Network: A network-based intrusion-detection system.

Host: A host-based intrusion-detection system.

Antivirus: An anti-virus scanner.

File Integrity: A file-integrity scanner.

Identity Management: Identity management.

Operating System: An operating system.

Network Equipment: Network equipment.

Router: A network device with routing (layer 3) capabilities.

Switches: A network device with switching (layer 2) capabilities.

VPN: A virtual private network.

Technique Category

Traffic: An anomaly in the network traffic, such as non-RFC compliance.

Network Layer: Anomalies related to IP, ICMP, and other network-layer protocols.

IP Fragment: Fragmented IP packets.

Man in the Middle: A man-in-the-middle attack.

Spoof: Spoofing a source or destination IP address.

Flow: A problem in network-layer communication logic, such as an out-of-order IP fragment.

Transport Layer: Anomalies related to TCP, UDP, SSL, and other transport-layer protocols.

Hijack: Hijacking a connection.

Spoof: Spoofing a transport-layer property such as a TCP port number, or an SSL entity.

Flow: A problem in TCP connections or flows, such as a SYNACK without SYN, a sequence number mismatch, or time exceeded.

Application Layer: Application-layer anomalies.

Flow: A peer does not follow the order of commands.

Syntax Error: A syntax error in an application-layer command.

Unsupported Command: A command which does not exist or is not supported.

Man in the Middle: A man-in-the-middle attack on the application layer.

Exploit Vulnerability: Exploiting a vulnerability such as a buffer overflow, code injection, or format string.

Weak Configuration: Exploitation of a weak configuration. This is something that could be remedied easily by changing the configuration of the service. Examples of a weak configuration are weak passwords, default passwords, insecure software versions, or open SMTP relays.

Privilege Escalation: A user identity has received an increase in its user privileges.

Directory Transversal: A user identity is attempting to browse or methodically review directories for which it may not have appropriate privileges.

Brute Force: Brute-force attacks.

Login: Continued trials for logins.

URL Guessing: Continued trials for URLs to access information or scripts.

Redirection: Redirecting an entity.

ICMP: ICMP redirects.

DNS: Unauthorized DNS changes.

Routing Protocols: Attacks aimed at routing protocols such as BGP, RIP, and OSPF.

IP: Redirection using the IP protocol (source routing).

Application: Redirection attacks on the application layer, such as cross-site scripting, mail routing, or JavaScript spoofing.

Code Execution: Either the execution or transmission of executable code, or the transmission of a distinctive response from executed code.

Trojan: The code in question is concealed within other code that serves as a Trojan Horse. In other words, it appears to be one thing (that is safe) but is really another (which is unsafe).

Application Command: The code in question is intended to invoke an application command.

Shell Command: The code in question is intended to be executed in a shell.

Worm: Code associated with a worm.

Virus: Code associated with a virus.

Scan: Any type of scanning. A network, host, application, or operating system scan can be identified through the specified object.

Port: Multiple ports are scanned.

Service: A service is scanned (for example, DoS client discovery, backdoors, RPC services, or scans for a specific application such as NMB).

Host: Scanning for hosts on a network.

IP Protocol: A search for responding protocols. Note that TCP and UDP are not the only transport protocols available.

Vulnerability: A scan for vulnerabilities.

DoS: A denial of service (DoS) attack is in progress.

Information Leak: Information leaking out of its intended environment, such as mail messages leaking out, system file access, FTP data access, or web document access.

Covert Channel: Leakage was detected from a covert channel such as Loki.

Policy: Policy-related violations such as pornographic web site access.

Breach: A policy-related security breach occurred.

Compliant: A policy-compliant event occurred.

Significance Category

Significance Category | Description
Compromise | A potentially compromising event occurred.
Hostile | A malicious event has happened or is happening.
Informational | Events considered worthy of inspection; for example, those produced by polling.
Error | An execution problem.
Warning | A possible problem.
Alert | A situational problem that requires immediate attention.
Normal | Ordinary or expected activity that is significant only for forensic purposes.
Recon | Relates to scans and other reconnaissance activity.
Suspicious | A potentially malicious event occurred.

Event Data Fields


The security monitoring devices report events that are collected, filtered, and formatted by
ArcSight SmartConnectors and passed to Managers for analysis. The events that appear in
your client are composed of several data fields, each of which has its own characteristics.

Event data fields fall into the groups shown below. Most groups have several attributes.

• Connector
• Attacker
• Category
• Destination
• Device
• Device Custom
• Event
• Event Annotation
• File
• Final Device
• Flex
• Manager
• Old File
• Original Agent
• Request
• Source
• Target
• Threat

Connector
This group falls into the device-to-Manager information chain. The chain begins at Device, the actual network hardware that senses an event. In cases where data is concentrated or otherwise pre-processed, it may be passed to a trusted reporting Final Device before reaching an Original Agent (agents are also known as SmartConnectors). Although the Original Agent is usually the only connector, if the data passes up through a Manager hierarchy the chain also includes Connector stages: the ArcSight Manager SmartConnectors that facilitate Manager-to-Manager connections.

Label | Script Alias | Data Type | Default Turbo Level | Description
Address | connectorAddress | IP address | 1 | The IP address of the device hosting the SmartConnector.
Asset ID | connectorAssetId | Resource | 1 | The asset that represents the device hosting the SmartConnector.
Asset Name | connectorAssetName | String | 1 | The connector's asset name.
Asset Resource | connectorAssetResource | Resource | 1 | The connector resource.
Descriptor ID | connectorDescriptorId | ID | 1 | The connector descriptor.
DNS Domain | connectorDnsDomain | String | 1 | The Domain Name Service domain name associated with the device hosting the SmartConnector.
Host Name | connectorHostName | String | 1 | The name of the device hosting the SmartConnector.
ID | connectorId | String | 1 | The identifier associated with the SmartConnector configuration resource. The format is "connectorID(1) | connectorID(2) | …".
MAC Address | connectorMacAddress | MAC address | 1 | The MAC address associated with the SmartConnector (which may or may not be the MAC address of the host device).
Name | connectorName | String | 1 | The user-supplied name of the associated SmartConnector configuration resource.
NT Domain | connectorNtDomain | String | 1 | The Windows NT domain associated with the device hosting the SmartConnector.
Receipt Time | connectorReceiptTime | DateTime | 2 | The time the event arrived at the SmartConnector.
Severity | connectorSeverity | ConnectorSeverityEnumeration | 1 | The normalized ArcSight form of the event severity value provided by the SmartConnector.
Time Zone | connectorTimeZone | String | 1 | The time zone reported by the device hosting the SmartConnector (as a TLA).
Time Zone Offset | connectorTimeZoneOffset | Integer | 1 | The time zone reported by the device hosting the SmartConnector (shown as a UTC offset). Note that device times may be less accurate than other sources.
Translated Address | connectorTranslatedAddress | IP address | 1 | If network address translation is an issue, this is the translated IP address of the device hosting the SmartConnector.
Translated Zone | connectorTranslatedZone | Zone | 1 | If network address translation is an issue, this is the network zone associated with the translated IP address of the device hosting the SmartConnector.
Translated Zone External ID | connectorTranslatedZoneExternalID | String | 1 | See the common set of resource attributes.
Translated Zone ID | connectorTranslatedZoneID | String | 1 | See the common set of resource attributes.
Translated Zone Name | connectorTranslatedZoneName | String | 1 | See the common set of resource attributes. Returns the name from the URI; it assumes that the name is always the last field of the URI.
Translated Zone Reference ID | connectorTranslatedZoneReferenceID | ID | 1 | See the common set of resource attributes. Returns the unique descriptor ID for this reference.
Translated Zone Resource | connectorTranslatedZoneResource | Resource | 1 | See the common set of resource attributes. Locates the resource described by this reference.
Translated Zone URI | connectorTranslatedZoneURI | String | 1 | See the common set of resource attributes.
Type | connectorType | String | 1 | A description of the type of SmartConnector that reported the event.
Version | connectorVersion | String | 1 | The software revision number of the SmartConnector that reported the event.
Zone | connectorZone | Zone | 1 | The network zone in which the device hosting this SmartConnector resides.
Zone External ID | connectorZoneExternalID | String | 1 | See the common set of resource attributes.
Zone ID | connectorZoneID | String | 1 | See the common set of resource attributes.
Zone Name | connectorZoneName | String | 1 | See the common set of resource attributes.
Zone Reference ID | connectorZoneReferenceID | ID | 1 | See the common set of resource attributes.
Zone Resource | connectorZoneResource | Resource | 1 | See the common set of resource attributes.
Zone URI | connectorZoneURI | String | 1 | Returns the URI for this reference.

Attacker

Label | Script Alias | Data Type | Default Turbo Level | Description
Address | attackerAddress | IP address | 1 | The IP address of the device hosting the attacker.
Asset ID | attackerAssetId | Resource | 2 | The asset that represents the device hosting the attacker.
Asset Name | attackerAssetName | String | 2 | The name of the asset that represents the device hosting the attacker.
Asset Resource | attackerAssetResource | Resource | 2 | See the common set of resource attributes.
DNS Domain | attackerDnsDomain | String | 2 | The Domain Name Service domain name associated with the device hosting the attacker.
FQDN | attackerFqdn | String | 2 | The fully qualified domain name associated with the device hosting the attacker.
Geo | attackerGeo | GeoDescriptor | 1 | See the common set of geographical attributes.
Geo Country Code | attackerGeoCountryCode | String | 1 | See the common set of geographical attributes.
Geo Country Flag URL | attackerGeoCountryFlagUrl | String | 1 | See the common set of geographical attributes.
Geo Country Name | attackerGeoCountryName | String | 1 | See the common set of geographical attributes.
Geo Descriptor ID | attackerGeoDescriptorId | ID | 1 | See the common set of geographical attributes.
Geo Latitude | attackerGeoLatitude | Double | 1 | See the common set of geographical attributes.
Geo Location Info | attackerGeoLocationInfo | String | | See the common set of geographical attributes.
Geo Longitude | attackerGeoLongitude | Double | 1 | See the common set of geographical attributes.
Geo Postal Code | attackerGeoPostalCode | String | 1 | See the common set of geographical attributes.
Geo Region Code | attackerGeoRegionCode | String | 1 | See the common set of geographical attributes.
Host Name | attackerHostName | String | 2 | The name of the device hosting the attacker.
MAC Address | attackerMacAddress | MAC address | 2 | The MAC address associated with the source of the attack (which may or may not be the MAC address of the host device).
NT Domain | attackerNtDomain | String | 2 | The Windows NT domain associated with the device hosting the attacker.
Port | attackerPort | Integer | 1 | The network port associated with the source of the attack.
Process Name | attackerProcessName | String | 2 | The name of the process associated with the source of the attack.
Service Name | attackerServiceName | String | 2 | The name of the service associated with the source of the attack.
Translated Address | attackerTranslatedAddress | IP address | 1 | If network address translation is an issue, this is the translated IP address of the device hosting the attacker.
Translated Port | attackerTranslatedPort | Integer | 1 | If network address translation is an issue, this is the translated source port associated with the attack. This can happen in a NAT environment.
Translated Zone | attackerTranslatedZone | Zone | 1 | If network address translation is an issue, this is the network zone associated with the translated IP address of the device hosting the attacker.
Translated Zone External ID | attackerTranslatedZoneExternalID | String | 1 | See the common set of resource attributes.
Translated Zone ID | attackerTranslatedZoneID | String | 1 | See the common set of resource attributes.
Translated Zone Name | attackerTranslatedZoneName | String | 1 | See the common set of resource attributes. It is assumed that the name is always the last field of the URI.
Translated Zone Reference ID | attackerTranslatedZoneReferenceID | ID | 1 | See the common set of resource attributes.
Translated Zone Resource | attackerTranslatedZoneResource | Resource | 1 | See the common set of resource attributes.
Translated Zone URI | attackerTranslatedZoneURI | String | 1 | See the common set of resource attributes.
User ID | attackerUserId | String | 2 | The identifier associated with the OS or application of the attacker, at the source of the attack.
User Name | attackerUserName | String | 2 | The name associated with the attacker, at the source of the attack.
User Privileges | attackerUserPrivileges | String | 2 | The user privileges associated with the attacker, at the source of the attack.
Zone | attackerZone | Zone | 1 | The network zone in which the attacker's device resides.
Zone External ID | attackerZoneExternalID | String | 1 | See the common set of resource attributes.
Zone ID | attackerZoneID | String | 1 | See the common set of resource attributes.
Zone Name | attackerZoneName | String | 1 | See the common set of resource attributes. It is assumed that the name is always the last field of the URI.
Zone Reference ID | attackerZoneReferenceID | ID | 1 | See the common set of resource attributes.
Zone Resource | attackerZoneResource | Resource | 1 | See the common set of resource attributes.
Zone URI | attackerZoneURI | String | 1 | See the common set of resource attributes.

Category
See “Event Categories” on page 25 for a complete description of the event category types and their supporting attributes.

Label | Script Alias | Data Type | Default Turbo Level | Description
Behavior | categoryBehavior | String | 1 | Describes the action taken with or by the object.
Custom Format Field | categoryCustomFormatField | String | 1 | Describes the content of a custom formatted field, if present.
Descriptor ID | categoryDescriptorId | ID | 1 | The unique ID for the sensor that reported the event.
Device Group | categoryDeviceGroup | String | 1 | Describes the type of event this event represents.
Object | categoryObject | String | 1 | Describes the physical or virtual object that was the focus of the event.
Outcome | categoryOutcome | String | 1 | Indicates whether the action was successfully applied to the object.
Significance | categorySignificance | String | 1 | Characterizes the event from a network-intrusion-detection perspective.
Technique | categoryTechnique | String | 1 | Describes the method used to apply the action to the object.
Tuple Description | categoryTupleDescription | String | 1 | The prose description of the event category, assembled from the category components.
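The Technique and Significance tables earlier in this chapter and the Category fields above are what an analyst filters on in an active channel. The following is an added example, not code from the ArcSight guide: it models events as plain dicts keyed by the script aliases documented here, evaluates a filter built from categoryTechnique, categorySignificance and categoryOutcome, and then uses attackerAddress and destinationAddress to spot a host that was exploited and later starts attacking. The sample events are constructed; the slash-separated category values, the use of eventId order as a stand-in for time, and the helper names (matches, triage, pivots) are this example's own assumptions.

```python
"""Triage of ESM events by category fields (added example, not ArcSight code).

Assumptions: category values are written in the slash-separated form
("/Exploit/Vulnerability", "/Hostile", "/Success"); eventId order stands in
for time; all sample events and helper names are this example's own.
"""
from collections import defaultdict

# Constructed sample events.  Fields with default turbo level 2 or 3 (such as
# attackerUserName) are not always populated, so lookups below use .get().
EVENTS = [
    {"eventId": 1, "attackerAddress": "198.51.100.23",
     "destinationAddress": "10.0.0.5", "destinationPort": 80,
     "categoryTechnique": "/Exploit/Vulnerability",
     "categorySignificance": "/Hostile", "categoryOutcome": "/Success"},
    {"eventId": 2, "attackerAddress": "198.51.100.23",
     "destinationAddress": "10.0.0.5", "destinationPort": 22,
     "categoryTechnique": "/Brute Force/Login",
     "categorySignificance": "/Suspicious", "categoryOutcome": "/Failure",
     "attackerUserName": "root"},
    {"eventId": 3, "attackerAddress": "203.0.113.9",
     "destinationAddress": "10.0.0.7", "destinationPort": 445,
     "categoryTechnique": "/Scan/Port",
     "categorySignificance": "/Recon", "categoryOutcome": "/Attempt"},
    {"eventId": 4, "attackerAddress": "10.0.0.5",
     "destinationAddress": "10.0.0.8", "destinationPort": 3389,
     "categoryTechnique": "/Exploit/Weak Configuration",
     "categorySignificance": "/Compromise", "categoryOutcome": "/Success"},
]

# A filter is an AND of (script alias, operator, expected value) clauses.
SUCCESSFUL_EXPLOIT = [
    ("categoryTechnique", "startswith", "/Exploit"),
    ("categorySignificance", "in", {"/Hostile", "/Compromise"}),
    ("categoryOutcome", "=", "/Success"),
]


def matches(event, condition):
    """True if every clause holds.  A field missing from the event (for
    example one not populated at the connector's turbo level) makes the
    clause false instead of raising, so partial events never match by
    accident."""
    for field, op, expected in condition:
        if op not in ("=", "startswith", "in"):
            raise ValueError("unknown operator %r" % op)
        actual = event.get(field)
        if actual is None:
            return False
        if op == "=" and actual != expected:
            return False
        if op == "startswith" and not str(actual).startswith(expected):
            return False
        if op == "in" and actual not in expected:
            return False
    return True


def triage(events, condition=SUCCESSFUL_EXPLOIT):
    """Group matching events by attacker address so the analyst sees one
    line per source rather than one per event."""
    by_attacker = defaultdict(list)
    for ev in events:
        if matches(ev, condition):
            by_attacker[ev.get("attackerAddress", "unknown")].append(ev["eventId"])
    return {addr: sorted(ids) for addr, ids in by_attacker.items()}


def pivots(events, condition=SUCCESSFUL_EXPLOIT):
    """Lateral-movement indicator: a host that was the destination of a
    matching event and later appears as the attacker in a hostile or
    compromising event.  Returns (earlier eventId, follow-on eventId) pairs."""
    compromised = {}  # destinationAddress -> first eventId that matched
    found = []
    for ev in sorted(events, key=lambda e: e["eventId"]):
        src = ev.get("attackerAddress")
        if src in compromised and ev.get("categorySignificance") in (
                "/Hostile", "/Compromise"):
            found.append((compromised[src], ev["eventId"]))
        if matches(ev, condition):
            compromised.setdefault(ev.get("destinationAddress"), ev["eventId"])
    return found


if __name__ == "__main__":
    print("successful exploits by attacker:", triage(EVENTS))
    print("pivots:", pivots(EVENTS))
```

The point of `matches` treating an absent field as a non-match is the turbo level column in these tables: a filter on a level 2 field run against events collected at a lower level silently matches nothing, which is better discovered by a failing test than by an empty channel.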

Destination

Label | Script Alias | Data Type | Default Turbo Level | Description
Address | destinationAddress | IP address | 1 | The IP address of the destination device.
Asset ID | destinationAssetId | Resource | 2 | The asset that represents the device that was the network traffic's destination.
Asset Name | destinationAssetName | String | 2 | See the common set of resource attributes.
Asset Resource | destinationAssetResource | Resource | 2 | See the common set of resource attributes.
DNS Domain | destinationDnsDomain | String | 2 | The Domain Name Service domain name associated with the user at the destination device.
FQDN | destinationFqdn | String | 2 | The fully qualified domain name associated with the destination device.
Geo | destinationGeo | GeoDescriptor | | See the common set of geographical attributes.
Geo Country Code | destinationGeoCountryCode | String | 1 | The country code.
Geo Country Flag URL | destinationGeoCountryFlagUrl | String | 1 | The country flag.
Geo Country Name | destinationGeoCountryName | String | 1 | The country name.
Geo Descriptor ID | destinationGeoDescriptorId | ID | 1 | See the common set of geographical attributes.
Geo Latitude | destinationGeoLatitude | Double | 1 | The destination latitude.
Geo Location Info | destinationGeoLocationInfo | String | 1 | The destination location.
Geo Longitude | destinationGeoLongitude | Double | 1 | The destination longitude.
Geo Postal Code | destinationGeoPostalCode | String | 1 | The destination postal code.
Geo Region Code | destinationGeoRegionCode | String | 1 | See the common set of geographical attributes.
Host Name | destinationHostName | String | 2 | The name of the destination device.
MAC Address | destinationMacAddress | MAC address | 2 | The MAC address associated with the network traffic's destination (which may or may not be the MAC address of the host device).
NT Domain | destinationNtDomain | String | 2 | The Windows NT domain associated with the destination device.
Port | destinationPort | Integer | 1 | The network port associated with the network traffic's destination.
Process Name | destinationProcessName | String | 2 | The name of the process associated with the network traffic's destination.
Service Name | destinationServiceName | String | 2 | The name of the service associated with the network traffic's destination.
Translated Address | destinationTranslatedAddress | IP address | 1 | If network address translation is an issue, this is the translated IP address of the device that was the network traffic's destination.
Translated Port | destinationTranslatedPort | Integer | 1 | If network address translation is an issue, this is the translated port associated with the network traffic's destination.
Translated Zone | destinationTranslatedZone | Zone | 1 | If network address translation is an issue, this is the network zone associated with the translated IP address of the device at the network traffic's destination.
Translated Zone External ID | destinationTranslatedZoneExternalID | String | 1 | See the common set of resource attributes.
Translated Zone ID | destinationTranslatedZoneID | String | 1 | See the common set of resource attributes.
Translated Zone Name | destinationTranslatedZoneName | String | 1 | See the common set of resource attributes.
Translated Zone Reference ID | destinationTranslatedZoneReferenceID | ID | 1 | See the common set of resource attributes.
Translated Zone Resource | destinationTranslatedZoneResource | Resource | 1 | See the common set of resource attributes.
Translated Zone URI | destinationTranslatedZoneURI | String | 1 | See the common set of resource attributes.
User ID | destinationUserId | String | 2 | The OS- or application-based identifier associated with the user at the network traffic's destination.
User Name | destinationUserName | String | 2 | The name associated with the user at the network traffic's destination.
User Privileges | destinationUserPrivileges | String | 2 | The privileges accorded the user at the network traffic's destination.
Zone | destinationZone | Zone | 1 | The network zone in which the destination device resides.
Zone External ID | destinationZoneExternalID | String | 1 | See the common set of resource attributes.
Zone ID | destinationZoneID | String | 1 | See the common set of resource attributes.
Zone Name | destinationZoneName | String | 1 | See the common set of resource attributes.
Zone Reference ID | destinationZoneReferenceID | ID | 1 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database.
Zone Resource | destinationZoneResource | Resource | 1 | See the common set of resource attributes.
Zone URI | destinationZoneURI | String | 1 | See the common set of resource attributes.
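The Translated Address, Translated Port and Translated Zone fields in the Attacker and Destination tables exist because a device inside a NAT boundary and a sensor outside it report different addresses for the same connection; a filter that compares attackerAddress alone never links the two. The following is an added example, not code from the ArcSight guide, showing how to correlate across that boundary by treating the reported and translated values as one set of keys. The firewall and IDS events are constructed sample data, and the helper names (endpoint_keys, endpoint_ports, same_endpoint, link_across_nat, inside_view) are this example's own.

```python
"""Correlating events across a NAT boundary (added example, not ArcSight code).

A device inside the NAT reports the pre-NAT address in attackerAddress and the
post-NAT address in attackerTranslatedAddress; a sensor outside the NAT only
ever sees the post-NAT address.  Sample events and helper names are this
example's own.
"""
from itertools import combinations

# Constructed sample events keyed by ESM script aliases.
EVENTS = [
    # Firewall on the inside: sees the private source and records the NAT
    # mapping it applied.
    {"eventId": 10, "attackerAddress": "10.0.0.7", "attackerPort": 51234,
     "attackerTranslatedAddress": "203.0.113.5", "attackerTranslatedPort": 40001,
     "destinationAddress": "198.51.100.80", "destinationPort": 443},
    # IDS on the outside: sees only the translated source.
    {"eventId": 11, "attackerAddress": "203.0.113.5", "attackerPort": 40001,
     "destinationAddress": "198.51.100.80", "destinationPort": 443},
    # Another flow behind the same public address but a different NAT port:
    # a different inside host, so it must not be linked to event 10.
    {"eventId": 12, "attackerAddress": "203.0.113.5", "attackerPort": 40002,
     "destinationAddress": "198.51.100.80", "destinationPort": 443},
]

ROLES = ("attacker", "destination")


def endpoint_keys(event, role):
    """Every address this endpoint is known by: the one the device reported
    plus the translated one when the device populated it."""
    return {event[alias]
            for alias in (role + "Address", role + "TranslatedAddress")
            if event.get(alias)}


def endpoint_ports(event, role):
    """Same idea for ports (attackerPort / attackerTranslatedPort, and the
    destination equivalents)."""
    return {event[alias]
            for alias in (role + "Port", role + "TranslatedPort")
            if event.get(alias) is not None}


def same_endpoint(a, b, role):
    """Two events describe the same endpoint if they agree on at least one
    address and at least one port, translated or not.  Requiring the port
    keeps distinct inside hosts sharing one public address apart."""
    return (bool(endpoint_keys(a, role) & endpoint_keys(b, role))
            and bool(endpoint_ports(a, role) & endpoint_ports(b, role)))


def link_across_nat(events):
    """Pairs of event IDs that describe the same connection from both sides
    of a NAT: they agree on both endpoints once translated fields are
    considered, yet differ in the raw attackerAddress."""
    links = []
    ordered = sorted(events, key=lambda e: e["eventId"])
    for a, b in combinations(ordered, 2):
        if a.get("attackerAddress") == b.get("attackerAddress"):
            continue  # a plain equality filter already catches these
        if all(same_endpoint(a, b, role) for role in ROLES):
            links.append((a["eventId"], b["eventId"]))
    return links


def inside_view(a, b, role="attacker"):
    """Of two linked events, return the untranslated address from whichever
    side populated the translated fields (that device saw the private side),
    which is the address to pivot on for the asset behind the NAT.  None if
    neither event carries a translated address."""
    for ev in (a, b):
        if ev.get(role + "TranslatedAddress"):
            return ev.get(role + "Address")
    return None


if __name__ == "__main__":
    for left, right in link_across_nat(EVENTS):
        pair = [e for e in EVENTS if e["eventId"] in (left, right)]
        print(left, "<->", right, "inside host:", inside_view(*pair))
```

Device and Connector groups carry the same Translated Address and Translated Zone fields, so the same key-set approach applies when a sensor itself sits behind a NAT and its reported deviceAddress does not match what the Manager sees.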

Device
This group falls into the device-to-Manager information chain. The chain begins at Device, the actual network hardware that senses an event. In cases where data is concentrated or otherwise pre-processed, it may be passed to a trusted reporting Final Device before reaching an Original Connector. Although the Original Connector is usually the only connector, if the data passes up through a Manager hierarchy the chain also includes Connector stages: the Manager SmartConnectors that facilitate Manager-to-Manager connections.

Label | Script Alias | Data Type | Default Turbo Level | Description
Action | deviceAction | String | 2 | The device-specific description of some activity associated with the event.
Address | deviceAddress | IP address | 1 | The IP address of the device hosting the sensor.
Asset ID | deviceAssetId | Resource | 1 | The asset that represents the device hosting the sensor.
Asset Name | deviceAssetName | String | 1 | The name of the device.
Asset Resource | deviceAssetResource | Resource | 1 | The resource the asset represents.
Descriptor ID | deviceDescriptorId | ID | 1 | The asset's descriptor ID.
Direction | deviceDirection | DeviceDirectionEnumeration | 2 | Whether the traffic was inbound or outbound.
DNS Domain | deviceDnsDomain | String | 1 | The Domain Name Service domain name associated with the device hosting the sensor.
Domain | deviceDomain | String | 2 | The specific domain containing the sensor device associated with the event.
Event Category | deviceEventCategory | String | 2 | The category description included with the event as reported by the device.
Event Class ID | deviceEventClassId | String | 2 | The device-specific identifier associated with this type of event.
External ID | deviceExternalId | String | 1 | The external identifier associated with this sensor device, if provided by the vendor.
Facility | deviceFacility | String | 1 | The sensor submodule that reported the event.
Host Name | deviceHostName | String | 1 | The name of the device hosting the sensor.
Inbound Interface | deviceInboundInterface | String | 1 | The NIC on the sensor device that received the network traffic associated with the event.
MAC Address | deviceMacAddress | MAC address | 1 | The MAC address associated with the device hosting the sensor (which may or may not be the MAC address of the host device).
NT Domain | deviceNtDomain | String | 1 | The Windows NT domain associated with the device hosting the sensor.
Outbound Interface | deviceOutboundInterface | String | 1 | The NIC on the sensor device that transmitted the network traffic associated with the event.
Payload ID | devicePayloadId | String | 2 | The internal identifier of a payload object associated with this event.
Process Name | deviceProcessName | String | 1 | The sensor device process that reported the event.
Product | deviceProduct | String | 1 | The product name of the sensor device.
Receipt Time | deviceReceiptTime | DateTime | 2 | The time when the sensor device observed the event.
Severity | deviceSeverity | String | 2 | The device-specific assessment of event severity. This assessment varies with the device involved.
Time Zone | deviceTimeZone | String | 1 | The time zone reported by the device hosting the sensor (shown as a TLA).
Time Zone Offset | deviceTimeZoneOffset | Integer | 1 | The time zone reported by the device hosting the sensor (shown as an offset from UTC).
Translated Address | deviceTranslatedAddress | IP address | 1 | If network address translation is an issue, this is the translated IP address of the device hosting the sensor.
Translated Zone | deviceTranslatedZone | Zone | 1 | If network address translation is an issue, this is the network zone associated with the translated IP address of the device hosting the sensor.
Translated Zone External ID | deviceTranslatedZoneExternalID | String | 1 | See the common set of resource attributes.
Translated Zone ID | deviceTranslatedZoneID | String | 1 | See the common set of resource attributes.
Translated Zone Name | deviceTranslatedZoneName | String | 1 | See the common set of resource attributes.
Translated Zone Reference ID | deviceTranslatedZoneReferenceID | ID | 1 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database.
Translated Zone Resource | deviceTranslatedZoneResource | Resource | 1 | See the common set of resource attributes.
Translated Zone URI | deviceTranslatedZoneURI | String | 1 | See the common set of resource attributes.
Vendor | deviceVendor | String | 1 | The vendor who manufactured or sold the sensor device.
Version | deviceVersion | String | 1 | The software revision number of the sensor device.
Zone | deviceZone | Zone | 1 | The network zone in which the sensor's device resides.
Zone External ID | deviceZoneExternalID | String | 1 | See the common set of resource attributes.
Zone ID | deviceZoneID | String | 1 | See the common set of resource attributes.
Zone Name | deviceZoneName | String | 1 | See the common set of resource attributes.
Zone Reference ID | deviceZoneReferenceID | ID | 1 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been persisted and given a unique database identifier.
Zone Resource | deviceZoneResource | Resource | 1 | See the common set of resource attributes.
Zone URI | deviceZoneURI | String | 1 | See the common set of resource attributes.

Device Custom

Label | Script Alias | Data Type | Default Turbo Level | Description
Date1 | deviceCustomDate1 | DateTime | 2 | First customDate.
Date1 Label | deviceCustomDate1Label | String | 2 | First customDate label.
Date2 | deviceCustomDate2 | DateTime | 2 | Second customDate.
Date2 Label | deviceCustomDate2Label | String | 2 | Second customDate label.
Descriptor ID | deviceCustomDescriptorId | ID | 2 | Custom descriptor ID.
Number1 | deviceCustomNumber1 | Long | 2 | First customNumber.
Number1 Label | deviceCustomNumber1Label | String | 2 | First customNumber label.
Number2 | deviceCustomNumber2 | Long | 2 | Second customNumber.
Number2 Label | deviceCustomNumber2Label | String | 2 | Second customNumber label.
Number3 | deviceCustomNumber3 | Long | 2 | Third customNumber.
Number3 Label | deviceCustomNumber3Label | String | 2 | Third customNumber label.
String1 | deviceCustomString1 | String | 2 | First customString.
String1 Label | deviceCustomString1Label | String | 2 | First customString label.
String2 | deviceCustomString2 | String | 2 | Second customString.
String2 Label | deviceCustomString2Label | String | 2 | Second customString label.
String3 | deviceCustomString3 | String | 2 | Third customString.
String3 Label | deviceCustomString3Label | String | 2 | Third customString label.
String4 | deviceCustomString4 | String | 2 | Fourth customString.
String4 Label | deviceCustomString4Label | String | 2 | Fourth customString label.
String5 | deviceCustomString5 | String | 2 | Fifth customString.
String5 Label | deviceCustomString5Label | String | 2 | Fifth customString label.
String6 | deviceCustomString6 | String | 2 | Sixth customString.
String6 Label | deviceCustomString6Label | String | 2 | Sixth customString label.

Confidential ArcSight Web™ User’s Guide 49


6 Using Active Channels

Event

Default Turbo Level


Group Label Script Alias Data Type Description

Event Additional additionalData AdditionalData 3 Reference to additional


Data data.

Event Aggregated (not applicable) (not n A derived field that


Event Count applicable) / reports the number of
a actual events
collectively represented
by the event in
question.

Event Application applicationProtocol String 2 A description of the


Protocol application layer
protocol. May be set,
but defaults to Target
Port lookup (FTP).

Event Base Event baseEventCount Integer 1 The number of events


Count upon which this event
is based (e.g., type ==
BASE|ACTION).

Event Base Event baseEventIds ID 2 The array of event IDs


IDs that contributed to
generating this
correlation event. This
is populated only in
correlated events.

Event Bytes In bytesIn Integer 2 Number of bytes


transferred into the
device during this
transaction (this would
typically be associated
with entries in HTTP
logs).

Event Bytes Out bytesOut Integer 2 Number of bytes


transferred out of the
device during this
transaction (this would
typically be associated
with entries in HTTP
logs).

Event Concentrator concentratorConne ConnectorDes 2 The chain of


Connectors ctors criptor concentrators that
forwarded the event
This is not yet exposed
in the user interface.

50 ArcSight Web™ User’s Guide Confidential


6 Using Active Channels

| Group | Label | Script Alias | Data Type | Default Turbo Level | Description |
|---|---|---|---|---|---|
| Event | Concentrator Devices | concentratorDevices | DeviceDescriptor | 2 | The list of devices that concentrate events, if applicable. This is not exposed in the user interface. |
| Event | Correlated Event Count | (not applicable) | (not applicable) | n/a | A derived field that reports the number of actual events that had to occur to cause a correlation event to occur. |
| Event | Crypto Signature | cryptoSignature | String | 2 | The signature of the event object (meaning in this alert, as opposed to the occurrence represented by the event). Not yet supported. |
| Event | Customer | customer | Customer | 1 | The "customer" resource reference. This is used in MSSP environments to describe the client or divisional entity to whom the event applies. |
| Event | Customer External ID | customerExternalID | String | 1 | Returns the external ID for this reference. |
| Event | Customer ID | customerID | String | 1 | Returns the ID for the resource in this resource reference. |
| Event | Customer Name | customerName | String | 1 | Returns the name from the URI, which is always assumed to be the last field of the URI. |
| Event | Customer Reference ID | customerReferenceID | ID | 1 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database. |
| Event | Customer Resource | customerResource | Resource | 1 | Locates the resource described by this reference. |
| Event | Customer URI | customerURI | String | 1 | Returns the URI for this reference. |
| Event | End Time | endTime | DateTime | 1 | Event ends (defaults to deviceReceiptTime). |
| Event | Event ID | eventId | ID | 1 | Long value identifying an event. |
| Event | External ID | externalId | String | 2 | A reference to the ID used by an external device. This is useful for tracking devices that create events that contain references to these IDs (e.g., ManHunt). |
| Event | Generator | generator | null | 1 | The "generator" resource reference (the resource that generated the event). This is the subcomponent in the connector that generates the event. |
| Event | Generator External ID | generatorExternalID | String | 1 | Returns the external ID for this reference. |
| Event | Generator ID | generatorID | String | 1 | Returns the ID for the resource in this resource reference. |
| Event | Generator Name | generatorName | String | 1 | Returns the name from the URI, which is always assumed to be the last field of the URI. |
| Event | Generator Reference ID | generatorReferenceID | ID | 1 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database. |
| Event | Generator Resource | generatorResource | Resource | 1 | Locates the resource described by this reference. |
| Event | Generator URI | generatorURI | String | 1 | Returns the URI for this reference. |
| Event | Locality | locality | LocalityEnumeration | 2 | The locality associated with the event. |
| Event | Message | message | String | 2 | A brief comment associated with this event. |
| Event | Name | name | String | 1 | An arbitrary string that describes this type of event. Event details included in other parts of an event shouldn't be used in the event name. |
| Event | Originator | originator | OriginatorEnumeration | 1 | Holds the value of Source\|Destination. This determines whether source and destination should be translated to attacker and target or they should be inversed. |
| Event | Persistence | persistence | PersistenceEnumeration | 2 | There are two states: Persisted or Transient. Events default to being Transient and are marked as Persisted as soon as they reach the Batch Alert Persistor or when they are loaded by the Alert Broker. |
| Event | Raw Event | rawEvent | String | 1 | The original log entry reported by the sensor (synthesized when the sensor does not log to a file or text stream). |
| Event | Rule Thread ID | ruleThreadId | String | 2 | A single rule can issue many events, based on several triggers, starting with On First Event and ending with On Threshold Timeout. All such events for a single Rule and a single Group By tuple are marked with the same identifier using this attribute. |
| Event | Session ID | sessionId | Long | 2 | Tags for events created by a correlation simulation, as part of a particular simulation. |
| Event | Start Time | startTime | DateTime | 1 | Event begins (defaults to deviceReceiptTime). |
| Event | Transport Protocol | transportProtocol | String | 1 | The format of the transmitted data associated with the event from a network transport perspective (e.g., TCP, UDP). |
| Event | Type | type | TypeEnumeration | 1 | One of the event types: Base, Correlation, Aggregation, or Action. |
| Event | Vulnerability | vulnerability | Vulnerability | 2 | The vulnerability resource that represents the vulnerability or exposure that may be exploited by this event and is present on the targeted device according to our network model. |
| Event | Vulnerability External ID | vulnerabilityExternalID | String | 2 | Returns the external ID for this reference. |
| Event | Vulnerability ID | vulnerabilityID | String | 2 | Returns the ID for the resource in this resource reference. |
| Event | Vulnerability Name | vulnerabilityName | String | 2 | Returns the name from the URI, which is always assumed to be the last field of the URI. |
| Event | Vulnerability Reference ID | vulnerabilityReferenceID | ID | 2 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database. |
| Event | Vulnerability Resource | vulnerabilityResource | Resource | 2 | Locates the resource described by this reference. |
| Event | Vulnerability URI | vulnerabilityURI | String | 2 | Returns the URI for this reference. |

Event Annotation

| Group | Label | Script Alias | Data Type | Default Turbo Level | Description |
|---|---|---|---|---|---|
| Event Annotation | Audit Trail | eventAnnotationAuditTrail | String | 2 | The text log of annotation changes. Changes are recorded as sets of comma-separated-value entries. |
| Event Annotation | Comment | eventAnnotationComment | String | 2 | A text description of the event or associated information. |
| Event Annotation | End Time | eventAnnotationEndTime | DateTime | 2 | The timestamp for an event annotation. |
| Event Annotation | Event ID | eventAnnotationEventId | ID | 2 | The event ID for the annotation event. |
| Event Annotation | Flags | eventAnnotationFlags | FlagsValueSet | 2 | The state of the collaboration flags. |
| Event Annotation | Manager Receipt Time | eventAnnotationManagerReceiptTime | DateTime | 2 | The time the Manager received the event annotation. |
| Event Annotation | Modification Time | eventAnnotationModificationTime | DateTime | 2 | The time the annotation was modified. |
| Event Annotation | Modified By | eventAnnotationModifiedBy | User | 2 | The user ID of the person who last edited this annotation. |
| Event Annotation | Modified By External ID | eventAnnotationModifiedByExternalID | String | 2 | Returns the external ID for this reference. |
| Event Annotation | Modified By ID | eventAnnotationModifiedByID | String | 2 | Returns the ID for the resource in this resource reference. |
| Event Annotation | Modified By Name | eventAnnotationModifiedByName | String | 2 | Returns the name from the URI (the last field of the URI). |
| Event Annotation | Modified By Reference ID | eventAnnotationModifiedByReferenceID | ID | 2 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database. |
| Event Annotation | Modified By Resource | eventAnnotationModifiedByResource | Resource | 2 | Locates the resource described by this reference. |
| Event Annotation | Modified By URI | eventAnnotationModifiedByURI | String | 2 | Returns the URI for this reference. |
| Event Annotation | Stage | eventAnnotationStage | Stage | 2 | The current disposition of the event. This enables annotation workflow. |
| Event Annotation | Stage Event ID | eventAnnotationStageEventId | ID | 2 | The reference to an internal identifier for another event. It is used by 'Mark Similar'. |
| Event Annotation | Stage External ID | eventAnnotationStageExternalID | String | 2 | Returns the external ID for this reference. |
| Event Annotation | Stage ID | eventAnnotationStageID | String | 2 | Returns the ID for the resource in this resource reference. |
| Event Annotation | Stage Name | eventAnnotationStageName | String | 2 | Returns the name from the URI, which is always assumed to be the last field of the URI. |
| Event Annotation | Stage Reference ID | eventAnnotationStageReferenceID | ID | 2 | Returns the unique descriptor ID for this reference. This is populated only if this reference is stored and uniquely identified in the database. |
| Event Annotation | Stage Resource | eventAnnotationStageResource | Resource | 2 | Locates the resource described by this reference. |
| Event Annotation | Stage Update Time | eventAnnotationStageUpdateTime | ID | 2 | The time of the last stage change (in UTC). |
| Event Annotation | Stage URI | eventAnnotationStageURI | String | 2 | Returns the URI for this reference. |
| Event Annotation | Stage User | eventAnnotationStageUser | User | 2 | The user associated with the current stage. This implements assignment within workflow. |
| Event Annotation | Stage User External ID | eventAnnotationStageUserExternalID | String | 2 | Returns the external ID for this reference. |
| Event Annotation | Stage User ID | eventAnnotationStageUserID | String | 2 | Returns the ID for the resource in this resource reference. |
| Event Annotation | Stage User Name | eventAnnotationStageUserName | String | 2 | Returns the name from the URI, which is always assumed to be the last field of the URI. |
| Event Annotation | Stage User Reference ID | eventAnnotationStageUserReferenceID | ID | 2 | Returns the unique descriptor ID for this reference. This is populated only if this reference is stored and uniquely identified in the database. |
| Event Annotation | Stage User Resource | eventAnnotationStageUserResource | Resource | 2 | Locates the resource described by this reference. |
| Event Annotation | Stage User URI | eventAnnotationStageUserURI | String | 2 | Returns the URI for this reference. |
| Event Annotation | Version | eventAnnotationVersion | Integer | 2 | The editing version number, which increments with each change. This enables optimistic locking. |

File

| Group | Label | Script Alias | Data Type | Default Turbo Level | Description |
|---|---|---|---|---|---|
| File | Create Time | fileCreateTime | DateTime | 2 | The time the file was created (in UTC). |
| File | Hash | fileHash | String | 2 | The hashcode associated with the file's contents (e.g., MD5). |
| File | ID | fileId | String | 2 | The external identifier associated with the file. |
| File | Modification Time | fileModificationTime | DateTime | 2 | The time the file was last changed (in UTC). |
| File | Name | fileName | String | 2 | The name of the file. |
| File | Path | filePath | String | 2 | The directory path to the file in the file system. |
| File | Permission | filePermission | String | 2 | The user permissions associated with the file (sensor specific). |
| File | Size | fileSize | Long | 2 | The size of the file's contents (typically in bytes; sensor specific). |
| File | Type | fileType | String | 2 | The type of file contents (sensor specific). |

Final Device
This category falls into the device-to-Manager information chain. The chain begins at
Device, which is the actual network hardware that senses an event. In cases where data is
concentrated or otherwise pre-processed, it may be passed to a trusted reporting Final
Device before reaching an Original Connector. Although the Original Connector is
usually the only connector, if the data passes up through a Manager hierarchy the chain
includes handling by Connector stages that are the Manager SmartConnectors that
facilitate Manager-to-Manager connections.

| Group | Label | Script Alias | Data Type | Default Turbo Level | Description |
|---|---|---|---|---|---|
| Final Device | Address | finalDeviceAddress | IP address | 2 | The IP address of the trusted reporting device. |
| Final Device | Asset ID | finalDeviceAssetId | Resource | 2 | The asset that represents the trusted reporting device. |
| Final Device | Asset Name | finalDeviceAssetName | String | 2 | The name of the trusted reporting device. |
| Final Device | Asset Resource | finalDeviceAssetResource | Resource | 2 | The resource represented by the trusted reporting device. |
| Final Device | Descriptor ID | finalDeviceDescriptorId | ID | 2 | The descriptor ID of the trusted reporting device. |
| Final Device | DNS Domain | finalDeviceDnsDomain | String | 2 | The Domain Name Service domain name associated with the trusted reporting device. |
| Final Device | External ID | finalDeviceExternalId | String | 2 | The external ID for the trusted reporting device, if provided by the vendor. |
| Final Device | Facility | finalDeviceFacility | String | 2 | A facility or capability of a device. This accommodates concentrators (e.g., syslog, which has a concept of device logging for "parts" of a device). |
| Final Device | Host Name | finalDeviceHostName | String | 2 | The host name of the trusted reporting device. |
| Final Device | Inbound Interface | finalDeviceInboundInterface | String | 2 | The NIC card on the sensor device that received the network traffic associated with the event. |
| Final Device | MAC Address | finalDeviceMacAddress | MAC address | 2 | The MAC address associated with the trusted reporting device. |
| Final Device | NT Domain | finalDeviceNtDomain | String | 2 | The Windows NT domain associated with the trusted reporting device. |
| Final Device | Outbound Interface | finalDeviceOutboundInterface | String | 2 | The NIC card on the trusted reporting device. |
| Final Device | Process Name | finalDeviceProcessName | String | 2 | The process name of the trusted reporting device. |
| Final Device | Product | finalDeviceProduct | String | 2 | The product name of the trusted reporting device. |
| Final Device | Time Zone | finalDeviceTimeZone | String | 2 | The time zone reported by the trusted reporting device. |
| Final Device | Time Zone Offset | finalDeviceTimeZoneOffset | Integer | 2 | Returns the raw time-zone offset for the trusted reporting device. Note that connector and device times are not always reliably accurate. |
| Final Device | Translated Address | finalDeviceTranslatedAddress | IP address | 2 | If network address translation is an issue, this is the translated IP address of the trusted reporting device. |
| Final Device | Translated Zone | finalDeviceTranslatedZone | Zone | 2 | If network address translation is an issue, this is the network zone associated with the translated IP address of the trusted reporting device. |
| Final Device | Translated Zone External ID | finalDeviceTranslatedZoneExternalID | String | 2 | Returns the external ID for this reference. |
| Final Device | Translated Zone ID | finalDeviceTranslatedZoneID | String | 2 | Returns the ID for the resource in this resource reference. |
| Final Device | Translated Zone Name | finalDeviceTranslatedZoneName | String | 2 | Returns the name from the URI, which is always assumed to be the last field of the URI. |
| Final Device | Translated Zone Reference ID | finalDeviceTranslatedZoneReferenceID | ID | 2 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database. |
| Final Device | Translated Zone Resource | finalDeviceTranslatedZoneResource | Resource | 2 | Locates the resource described by this reference. |
| Final Device | Translated Zone URI | finalDeviceTranslatedZoneURI | String | 2 | Returns the URI for this reference. |
| Final Device | Vendor | finalDeviceVendor | String | 2 | Device vendor. |
| Final Device | Version | finalDeviceVersion | String | 2 | The software revision number of the trusted reporting device. |
| Final Device | Zone | finalDeviceZone | Zone | 2 | The network zone in which the trusted reporting device resides. |
| Final Device | Zone External ID | finalDeviceZoneExternalID | String | 2 | Returns the external ID for this reference. |
| Final Device | Zone ID | finalDeviceZoneID | String | 2 | Returns the ID for the resource in this resource reference. |
| Final Device | Zone Name | finalDeviceZoneName | String | 2 | Returns the name from the URI, which is always assumed to be the last field of the URI. |
| Final Device | Zone Reference ID | finalDeviceZoneReferenceID | ID | 2 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database. |
| Final Device | Zone Resource | finalDeviceZoneResource | Resource | 2 | Locates the resource described by this reference. |
| Final Device | Zone URI | finalDeviceZoneURI | String | 2 | Returns the URI for this reference. |
Flex

| Group | Label | Script Alias | Data Type | Default Turbo Level | Description |
|---|---|---|---|---|---|
| Flex | Date1 | flexDate1 | DateTime | 2 | First flexDate. |
| Flex | Date1 Label | flexDate1Label | String | 2 | Label of the first flexDate. |
| Flex | Number1 | flexNumber1 | Long | 2 | First flexNumber. |
| Flex | Number1 Label | flexNumber1Label | String | 2 | Label of the first flexNumber. |
| Flex | Number2 | flexNumber2 | Long | 2 | Second flexNumber. |
| Flex | Number2 Label | flexNumber2Label | String | 2 | Label of the second flexNumber. |
| Flex | String1 | flexString1 | String | 2 | First flexString. |
| Flex | String1 Label | flexString1Label | String | 2 | Label of the first flexString. |
| Flex | String2 | flexString2 | String | 2 | Second flexString. |
| Flex | String2 Label | flexString2Label | String | 2 | Label of the second flexString. |

Manager

| Group | Label | Script Alias | Data Type | Default Turbo Level | Description |
|---|---|---|---|---|---|
| Manager | Receipt Time | managerReceiptTime | DateTime | 1 | The time at which the current Manager first received the event. |

Old File

| Group | Label | Script Alias | Data Type | Default Turbo Level | Description |
|---|---|---|---|---|---|
| Old File | Create Time | oldFileCreateTime | DateTime | 2 | The time the file was created (in UTC). |
| Old File | Hash | oldFileHash | String | 2 | The hashcode associated with the file's contents (e.g., MD5). |
| Old File | ID | oldFileId | String | 2 | The external identifier associated with the file. |
| Old File | Modification Time | oldFileModificationTime | DateTime | 2 | The time the file was last changed (in UTC). |
| Old File | Name | oldFileName | String | 2 | The file's name. |
| Old File | Path | oldFilePath | String | 2 | The directory path to the file in the file system. |
| Old File | Permission | oldFilePermission | String | 2 | The user permissions associated with the file (sensor specific). |
| Old File | Size | oldFileSize | Long | 2 | The size of the file's contents (typically in bytes; sensor specific). |
| Old File | Type | oldFileType | String | 2 | The type of the file's contents (sensor specific). |

Original Connector
This category falls into the device-to-Manager information chain. The chain begins at
Device, which is the actual network hardware that senses an event. In cases where data is
concentrated or otherwise pre-processed, it may be passed to a trusted reporting Final
Device before reaching an Original Connector. Although the Original Connector is
usually the only connector, if the data passes up through a Manager hierarchy the chain
includes handling by Connector stages that are the Manager SmartConnectors that
facilitate Manager-to-Manager connections.

| Group | Label | Script Alias | Data Type | Default Turbo Level | Description |
|---|---|---|---|---|---|
| Original Connector | Address | originalConnectorAddress | IP address | 2 | The IP address of the device hosting the first reporting SmartConnector. |
| Original Connector | Asset ID | originalConnectorAssetID | Resource | 2 | The asset that represents the device hosting the first reporting SmartConnector. |
| Original Connector | Asset Name | originalConnectorAssetName | String | 2 | The first reporting connector's asset name. |
| Original Connector | Asset Resource | originalConnectorAssetResource | Resource | 2 | The first reporting connector's resource. |
| Original Connector | Descriptor ID | originalConnectorDescriptorId | ID | 2 | The first reporting connector's descriptor. |
| Original Connector | DNS Domain | originalConnectorDnsDomain | String | 2 | The Domain Name Service domain name associated with the device hosting the first reporting SmartConnector. |
| Original Connector | Host Name | originalConnectorHostName | String | 2 | The name of the device hosting the first reporting SmartConnector. |
| Original Connector | ID | originalConnectorId | String | 2 | The ID of the connector. The format is connectorId(1)\|connectorId(2)\|... |
| Original Connector | MAC Address | originalConnectorMacAddress | MAC address | 2 | The MAC address associated with the first reporting SmartConnector (which may or may not be the MAC address of the host device). |
| Original Connector | Name | originalConnectorName | String | 2 | User-supplied name of the first reporting connector. |
| Original Connector | NT Domain | originalConnectorNtDomain | String | 2 | The Windows NT domain associated with the device hosting the first reporting SmartConnector. |
| Original Connector | Time Zone | originalConnectorTimeZone | String | 2 | The time zone reported by the device hosting the first reporting SmartConnector. |
| Original Connector | Time Zone Offset | originalConnectorTimeZoneOffset | Integer | 2 | Returns the raw time-zone offset for the first reporting connector's time zone. Note that device and connector times may not be reliably accurate. |
| Original Connector | Translated Address | originalConnectorTranslatedAddress | IP address | 2 | If network address translation is an issue, this is the translated IP address of the device hosting the first reporting SmartConnector. |
| Original Connector | Translated Zone | originalConnectorTranslatedZone | Zone | 2 | If network address translation is an issue, this is the network zone associated with the translated IP address of the device hosting the first reporting SmartConnector. |
| Original Connector | Translated Zone External ID | originalConnectorTranslatedZoneExternalID | String | 2 | Returns the external ID for this reference. |
| Original Connector | Translated Zone ID | originalConnectorTranslatedZoneID | String | 2 | Returns the ID for the resource in this resource reference. |
| Original Connector | Translated Zone Name | originalConnectorTranslatedZoneName | String | 2 | Returns the name from the URI, which is always assumed to be the last field of the URI. |
| Original Connector | Translated Zone Reference ID | originalConnectorTranslatedZoneReferenceID | ID | 2 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database. |
| Original Connector | Translated Zone Resource | originalConnectorTranslatedZoneResource | Resource | 2 | Locates the resource described by this reference. |
| Original Connector | Translated Zone URI | originalConnectorTranslatedZoneURI | String | 2 | Returns the URI for this reference. |
| Original Connector | Type | originalConnectorType | String | 2 | A string that describes the type of the first reporting connector. This is not the same as the device type. |
| Original Connector | Version | originalConnectorVersion | String | 2 | The software revision number of the SmartConnector that first reported the event. |
| Original Connector | Zone | originalConnectorZone | Zone | 2 | The network zone in which the device hosting the first reporting SmartConnector resides. |
| Original Connector | Zone External ID | originalConnectorZoneExternalID | String | 2 | Returns the external ID for this reference. |
| Original Connector | Zone ID | originalConnectorZoneID | String | 2 | Returns the ID for the resource in this resource reference. |
| Original Connector | Zone Name | originalConnectorZoneName | String | 2 | Returns the name from the URI, which is always assumed to be the last field of the URI. |
| Original Connector | Zone Reference ID | originalConnectorZoneReferenceID | ID | 2 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and is uniquely identified in the database. |
| Original Connector | Zone Resource | originalConnectorZoneResource | Resource | 2 | Locates the resource described by this reference. |
| Original Connector | Zone URI | originalConnectorZoneURI | String | 2 | Returns the URI for this reference. |

Request

| Group | Label | Script Alias | Data Type | Default Turbo Level | Description |
|---|---|---|---|---|---|
| Request | Client Application | requestClientApplication | String | 2 | The client application (such as a web browser) used to issue the request. |
| Request | Client Application | requestClientApplication | String | 2 | A description of the client application used to initiate this request, e.g., the HTTP User connector. |
| Request | Context | requestContext | String | 2 | A description of the content from which the request originated, e.g., the HTTP Referrer. |
| Request | Cookies | requestCookies | String | 2 | Cookie data offered by the client application as part of the request. |
| Request | Method | requestMethod | String | 2 | The style of the request, i.e., for an HTTP request this could be PUT or GET. |
| Request | Protocol | requestProtocol | String | 2 | The communication protocol used when issuing the request. |
| Request | URL | requestUrl | String | 2 | A universal resource locator associated with the event. |
| Request | URL Authority | requestUrlAuthority | String | 2 | The URL component used for authentication and authorization. |
| Request | URL File Name | requestUrlFileName | String | 2 | The URL component that refers to the file containing the resource. |
| Request | URL Host | requestUrlHost | String | 2 | The URL component that specifies the host device where the resource resides. |
| Request | URL Port | requestUrlPort | Integer | 2 | The URL component that specifies the port to contact on the host device where the resource resides. |
| Request | URL Query | requestUrlQuery | String | 2 | The URL component that specifies the query to use to request the resource. |

Source

| Group | Label | Script Alias | Data Type | Default Turbo Level | Description |
|---|---|---|---|---|---|
| Source | Address | sourceAddress | IP address | 1 | The IP address of the source device. |
| Source | Asset ID | sourceAssetId | Resource | 2 | The asset that represents the device that was the network traffic's source. |
| Source | Asset Name | sourceAssetName | String | 2 | See the common set of resource attributes. |
| Source | Asset Resource | sourceAssetResource | Resource | 2 | See the common set of resource attributes. |
| Source | DNS Domain | sourceDnsDomain | String | 2 | The Domain Name Service domain name associated with the user at the source device. |
| Source | FQDN | sourceFqdn | String | 2 | The fully qualified domain name associated with the source device. This has no value if either the host name or the DNS domain is without a value. |
| Source | Geo | sourceGeo | GeoDescriptor | 1 | The geographical information. |
| Source | Geo Country Code | sourceGeoCountryCode | String | 1 | Country code. |
| Source | Geo Country Flag URL | sourceGeoCountryFlagUrl | String | 1 | Country flag. |
| Source | Geo Country Name | sourceGeoCountryName | String | 1 | Country name. |
| Source | Geo Descriptor ID | sourceGeoDescriptorId | ID | 1 | Unique descriptor for the geo field. |
| Source | Geo Latitude | sourceGeoLatitude | Double | 1 | See the common set of geographical attributes. |
| Source | Geo Location Info | sourceGeoLocationInfo | String | 1 | See the common set of geographical attributes. |
| Source | Geo Longitude | sourceGeoLongitude | Double | 1 | See the common set of geographical attributes. |
| Source | Geo Postal Code | sourceGeoPostalCode | String | 1 | See the common set of geographical attributes. |
| Source | Geo Region Code | sourceGeoRegionCode | String | 1 | See the common set of geographical attributes. |
| Source | Host Name | sourceHostName | String | 2 | The name of the source device. |
| Source | MAC Address | sourceMacAddress | MAC address | 2 | The MAC address associated with the network traffic's source (which may or may not be the MAC address of the host device). |
| Source | NT Domain | sourceNtDomain | String | 2 | The Windows NT domain associated with the source device. |
| Source | Port | sourcePort | Integer | 1 | The network port associated with the network traffic's source. |
| Source | Process Name | sourceProcessName | String | 2 | The name of the process associated with the source of the network traffic. |
| Source | Service Name | sourceServiceName | String | 2 | The name of the service associated with the network traffic's source. |
| Source | Translated Address | sourceTranslatedAddress | IP address | 1 | If network address translation is an issue, this is the translated IP address of the device that was the network traffic's source. |
| Source | Translated Port | sourceTranslatedPort | Integer | 1 | If network address translation is an issue, this is the translated source port associated with the attack. |
| Source | Translated Zone | sourceTranslatedZone | Zone | 1 | If network address translation is an issue, this is the network zone associated with the translated IP address of the device that was the network traffic's source. |
| Source | Translated Zone External ID | sourceTranslatedZoneExternalID | String | 1 | Returns the external ID for this reference. |
| Source | Translated Zone ID | sourceTranslatedZoneID | String | 1 | Returns the ID for the resource in this resource reference. |
| Source | Translated Zone Name | sourceTranslatedZoneName | String | 1 | Returns the name from the URI, which is always assumed to be the last field of the URI. |
| Source | Translated Zone Reference ID | sourceTranslatedZoneReferenceID | ID | 1 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database. |
| Source | Translated Zone Resource | sourceTranslatedZoneResource | Resource | 1 | Locates the resource described by this reference. |
| Source | Translated Zone URI | sourceTranslatedZoneURI | String | 1 | Returns the URI for this reference. |
| Source | User ID | sourceUserId | String | 2 | The OS- or application-based identifier associated with the user at the network traffic's source. |
| Source | User Name | sourceUserName | String | 2 | The OS- or application-based name associated with the user at the network traffic's source. |
| Source | User Privileges | sourceUserPrivileges | String | 2 | The privileges afforded the user at the network traffic's source. |
| Source | Zone | sourceZone | Zone | 1 | The network zone where the source device resides. |
| Source | Zone External ID | sourceZoneExternalID | String | 1 | Returns the external ID for this reference. |
| Source | Zone ID | sourceZoneID | String | 1 | Returns the ID for the resource in this resource reference. |
| Source | Zone Name | sourceZoneName | String | 1 | Returns the name from the URI, which is always assumed to be the last field of the URI. |
| Source | Zone Reference ID | sourceZoneReferenceID | ID | 1 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database. |
| Source | Zone Resource | sourceZoneResource | Resource | 1 | Locates the resource described by this reference. |
| Source | Zone URI | sourceZoneURI | String | 1 | Returns the URI for this reference. |

Target

Group | Label | Script Alias | Data Type | Default Turbo Level | Description

Target | Address | targetAddress | IP address | 1 | The IP address of the device hosting the attacker.
Target | Asset ID | targetAssetId | Resource | 2 | The asset that represents the attacked device's host.
Target | Asset Name | targetAssetName | String | 2 | See the common set of resource attributes.
Target | Asset Resource | targetAssetResource | Resource | 2 | See the common set of resource attributes.
Target | DNS Domain | targetDnsDomain | String | 2 | The Domain Name Service domain name associated with the attacked device.
Target | FQDN | targetFqdn | String | 2 | The fully qualified domain name associated with the attacked device.
Target | Geo | targetGeo | GeoDescriptor | 1 | The geographical information.
Target | Geo Country Code | targetGeoCountryCode | String | 1 | Country code.
Target | Geo Country Flag URL | targetGeoCountryFlagUrl | String | 1 | Country flag.
Target | Geo Country Name | targetGeoCountryName | String | 1 | Country name.
Target | Geo Descriptor ID | targetGeoDescriptorId | ID | 1 | Unique descriptor for the geo field.
Target | Geo Latitude | targetGeoLatitude | Double | 1 | Latitude.
Target | Geo Location Info | targetGeoLocationInfo | String | 1 | Location information.
Target | Geo Longitude | targetGeoLongitude | Double | 1 | Longitude.
Target | Geo Postal Code | targetGeoPostalCode | String | 1 | Postal code.
Target | Geo Region Code | targetGeoRegionCode | String | 1 | Region code.
Target | Host Name | targetHostName | String | 2 | The name of the attacked device.
Target | MAC Address | targetMacAddress | MAC address | 2 | The MAC address associated with the target of the attack (which may or may not be the MAC address of the host device).
Target | NT Domain | targetNtDomain | String | 2 | The Windows NT domain associated with the attacked device.
Target | Port | targetPort | Integer | 1 | The network port associated with the target of the attack.
Target | Process Name | targetProcessName | String | 2 | The name of the process associated with the attack's target.
Target | Service Name | targetServiceName | String | 2 | The name of the service associated with the attack's target.
Target | Translated Address | targetTranslatedAddress | IP address | 1 | If network address translation is an issue, this is the translated IP address of the attacked device.
Target | Translated Port | targetTranslatedPort | Integer | 1 | If network address translation is an issue, this is the translated port associated with the attack.
Target | Translated Zone | targetTranslatedZone | Zone | 1 | If network address translation is an issue, this is the network zone associated with the translated IP address of the targeted device.
Target | Translated Zone External ID | targetTranslatedZoneExternalID | String | 1 | Returns the external ID for this reference.
Target | Translated Zone ID | targetTranslatedZoneID | String | 1 | Returns the ID for the resource in this resource reference.
Target | Translated Zone Name | targetTranslatedZoneName | String | 1 | Returns the name from the URI, which is always assumed to be the last field of the URI.
Target | Translated Zone Reference ID | targetTranslatedZoneReferenceID | ID | 1 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database.
Target | Translated Zone Resource | targetTranslatedZoneResource | Resource | 1 | Locates the resource described by this reference.
Target | Translated Zone URI | targetTranslatedZoneURI | String | 1 | Returns the URI for this reference.
Target | User ID | targetUserId | String | 2 | The OS- or application-based identifier associated with the attacker, at the target of the attack.
Target | User Name | targetUserName | String | 2 | The OS- or application-based name associated with the attacker, at the target of the attack.
Target | User Privileges | targetUserPrivileges | String | 2 | The privileges afforded the attacker, at the target of the attack.
Target | Zone | targetZone | Zone | 1 | The network zone in which the attacked device resides.
Target | Zone External ID | targetZoneExternalID | String | 1 | Returns the external ID for this reference.
Target | Zone ID | targetZoneID | String | 1 | Returns the ID for the resource in this resource reference.
Target | Zone Name | targetZoneName | String | 1 | Returns the name from the URI, which is always assumed to be the last field of the URI.
Target | Zone Reference ID | targetZoneReferenceID | ID | 1 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database.
Target | Zone Resource | targetZoneResource | Resource | 1 | Locates the resource described by this reference.
Target | Zone URI | targetZoneURI | String | 1 | Returns the URI for this reference.

Threat

Group | Label | Script Alias | Data Type | Default Turbo Level | Description

Threat | Asset Criticality | assetCriticality | Integer | 2 | The relative measure of the importance of the targeted device, on a scale of 0 to 10.
Threat | Model Confidence | modelConfidence | Integer | 2 | The relative measure of ArcSight's confidence in its model of the attacked device, on a scale of 0 to 10.
Threat | Priority | priority | Integer | 1 | The relative measure of the importance of investigating this event, on a scale of 0 to 10. This field incorporates Model Confidence.
Threat | Relevance | relevance | Integer | 2 | The relative measure of the likelihood that this event succeeded, on a scale of 0 to 10.
Threat | Severity | severity | Integer | 2 | The relative measure of possible damage to network security represented by the event, on a scale of 0 to 10. Note that event severity is supplied by the device; ArcSight severity is supplied by the SmartConnector; and attack severity is supplied by the threat evaluation process.

Resource Attributes

Attribute Suffix | Description

External ID | The user-defined identifier associated with a configuration resource.
ID | The internal identifier associated with a resource (a UUID).
Reference ID | The internal identifier associated with the resource reference (an integer).
Type Name | The type of configuration resource.
URI | The URI associated with the resource (e.g., /All Users/Administrators/Mlow).

Geographical Attributes

Attribute Suffix | Description

Descriptor ID | The internal ID of the geographical reference.
Country Code | The identifier for the national-political state in which a device resides.
Country Flag URL | The URL of an image of the flag of the national-political state in which the device resides.
Country Name | The name of the national-political state where a device resides.
Latitude | The latitude of a device (Float).
Location Info | Other, free-form text information about the device's location.
Longitude | The longitude of a device (Float).
Postal Code | The postal code of the device's location, as assigned by the national-political state where it resides.
Region Code | The identifier of the sub-region of the national-political state where a device resides. The style of the identifier varies with the host country.

Audit Events
Audit events are ones generated within ArcSight itself to mark a wide variety of routine
actions that can occur manually or automatically, such as adding an event to a case or
when a Moving Average data monitor detects a rapidly rising moving average. Audit events
have many applications, which can include notifications, task validation, compliance
tracking, automated housekeeping, and system administration.

In the table below, use the Audit Event Category to locate events. The Audit Event
Description approximates the Name you see in active channel grids. Additional details,
when necessary, appear in the Notes column.

Compare audit events, which report on system activity, with Status Monitor Events, which
provide information about a wide variety of system states.

Audit Event Categories

• Active Channel
• Active List
• Agent Connection
• Agent Exceptions
• Agent Login
• Agent Registration and Configuration
• Authorization
• Configuration Resources
• Dashboard
• Manager Activation
• Manager Database Error Conditions
• Manager External Event Flow Interruption
• Moving Average Data Monitor
• Notification
• Notification Acknowledgement
• Notification Testing
• Partition Archiver
• Partition Manager
• Reconciliation Data Monitor
• Report
• Resource Quota
• Rule Actions
• Rule Activations
• Rule Firings
• Rule Warnings
• Scheduler Execution
• Scheduler Scheduling Tasks
• Scheduler Skip
• Statistical Data Monitor
• Stress
• User Login
ArcSight Audit Events

Audit Event Category | Device Event Class ID | Audit Event Description

Active Channel | activechannel:100 | An active channel was opened
Active Channel | activechannel:101 | An empty active channel was opened
Active List | activelist:101 | An entry was added to an active list
Active List | activelist:102 | An entry was removed from an active list
Active List | activelist:103 | An entry was changed in an active list
Agent Connection | agent:009 | Manager rejected a connection attempt from an agent for reasons other than authentication failure
Agent Connection | agent:30 | Agent started
Agent Connection | agent:31 | Agent shutdown
Agent Connection | agent:101 | Agent has just connected to Manager
Agent Connection | agent:102 | Agent is sending events but no heartbeats
Agent Connection | agent:103 | Agent is sending neither events nor heartbeats
Agent Connection | agent:104 | An unknown agent attempted to connect to the Manager
Agent Connection | agent:105 | An agent presented an incorrect shared secret when authenticating
Agent Exceptions | agent:012 | Agent detected source events from a sensor device containing incorrect time stamps
Agent Exceptions | agent:013 | Agent noted that a new sensor device is sending events
Agent Exceptions | agent:014 | Agent could not find a base event referenced in a syslog aggregate event
Agent Exceptions | agent:016 | Agent successfully connected to the sensor device's log
Agent Exceptions | agent:017 | Agent successfully executed a command
Agent Exceptions | agent:018 | Agent could not execute a command
Agent Exceptions | agent:019 | Agent is caching events because they could not be immediately transmitted to the Manager
Agent Exceptions | agent:020 | Agent has emptied its cache of events
Agent Exceptions | agent:021 | Agent could not communicate with an NT collector sensor
Agent Exceptions | agent:023 | Agent could not communicate with a CheckPoint sensor
Agent Exceptions | agent:024 | Agent is having difficulty communicating with CheckPoint
Agent Exceptions | agent:028 | Agent experienced an unexpected problem
Agent Exceptions | agent:029 | Agent was forced to drop its cached data
Agent Exceptions | agent:030 | Agent cache filled and part of the cached data was deleted
Agent Login | authentication:200 | Successful Agent authentication
Agent Login | authentication:201 | Agent authentication failed
Agent Registration and Configuration | agent:007 | Agent successfully registered with Manager
Agent Registration and Configuration | agent:008 | Agent did not successfully register with Manager
Agent Registration and Configuration | agent:022 | Agent could not process a reconfiguration request
Agent Registration and Configuration | agent:032 | Agent configuration was successfully changed
Agent Registration and Configuration | agent:025 | Agent content was successfully updated
Agent Registration and Configuration | agent:026 | Agent content update failed
Agent Registration and Configuration | agent:010 | Agent upgrade succeeded. This is currently in the context of an installer upgrade.
Agent Registration and Configuration | agent:011 | Agent upgrade failed. This event is not currently being generated.
Authorization | authorization:100 | Manager refused to authorize client
Configuration Resources | resource:100 | Deleted a configuration resource
Configuration Resources | resource:101 | Updated a configuration resource
Configuration Resources | resource:102 | Added a new configuration resource
Configuration Resources | resourcereference:100 | Could not locate a configuration resource through the supplied universal resource identifier (URI).
Dashboard | dashboard:100 | Dashboard has opened
Manager Activation | manager:100 | Manager has started
Manager Activation | manager:101 | A clean Manager shutdown has been requested
Manager Database Error Conditions | database:100 | Database tablespace is low and are deactivated
Manager Database Error Conditions | database:101 | Database has generated a fatal error and are deactivated
Manager Database Error Conditions | database:102 | Database has been reactivated
Manager Database Error Conditions | database:103 | Database has more tablespace available after detecting a low tablespace condition
Manager External Event Flow Interruption | manager:200 | Manager has stopped the event flow
Manager External Event Flow Interruption | manager:201 | Manager has allowed the event flow to resume
Moving Average Data Monitor | datamonitor:102 | Moving Average data monitor detected a rapidly falling moving average
Moving Average Data Monitor | datamonitor:103 | Moving Average data monitor detected a rapidly rising moving average
Moving Average Data Monitor | datamonitor:104 | Moving Average data monitor reporting the current moving average
Notification | notification:100 | Notification has been disabled
Notification | notification:101 | Notification has been disabled because the queue of notifications to be sent is too large
Notification | notification:102 | Notification has been enabled
Notification | notification:103 | Notification has been enabled because the queue of notifications is back under control
Notification | notification:104 | A particular notification destination has been disabled
Notification | notification:105 | A particular notification destination has been disabled because too much traffic was directed at it
Notification | notification:106 | A particular notification destination has been enabled
Notification | notification:107 | A notification expired without being acknowledged
Notification | notification:108 | A functioning destination could not be located for this notification
Notification | notification:109 | Old notification has been purged
Notification Acknowledgement | notification:300 | This notification has been acknowledged
Notification Testing | notification:200 | Sent a test notification to this destination group
Partition Archiver | partitionarchiver:100 | The partition was successfully archived
Partition Archiver | partitionarchiver:200 | There was a problem while archiving the partition
Partition Archiver | partitionarchiver:300 | Partition archiving is disabled
Partition Archiver | partitionarchiver:400 | Partition archiving did not complete in the allotted time
Partition Archiver | partitionarchiver:500 | Partition archiving failed
Partition Archiver | partitionarchiver:600 | There was an unexpected error while archiving partitions
Partition Manager | partitionmanager:100 | Partitions have been successfully rotated
Partition Manager | partitionmanager:200 | There was a problem rotating partitions
Partition Manager | partitionmanager:300 | The partition manager has been disabled
Partition Manager | partitionmanager:500 | Partitions could not be rotated
Partition Manager | partitionmanager:600 | There was an unexpected error while rotating partitions
Reconciliation Data Monitor | datamonitor:300 | Correlation data monitor reporting a correlated or non-correlated event
Report | report:100 | Generated a new archived-report configuration resource
Report | report:101 | Failed to generate a new archived-report configuration resource
Report | report:102 | Generated a new delta archived-report configuration resource
Resource Quota | quota:100 | Resource usage has fallen below the fixed-quota level
Resource Quota | quota:101 | Resource usage has exceeded the fixed-quota level
Resource Quota | quota:102 | Asset autocreation has exceeded a fixed quota
Resource Quota | quota:103 | Asset autocreation is proceeding too rapidly
Rule Actions | rule:301 | Set Severity action. This event has been deprecated.
Rule Actions | rule:302 | Set Event Attribute action
Rule Actions | rule:303 | Send to Notifier action
Rule Actions | rule:304 | Execute Command action
Rule Actions | rule:305 | Export... action
Rule Actions | rule:306 | Create New Case action
Rule Actions | rule:307 | Add to Case action
Rule Actions | rule:308 | Create New Case action failed
Rule Actions | rule:309 | Add to Case action failed
Rule Actions | rule:310 | Add to Active List action
Rule Actions | rule:311 | Move between Active Lists action. This event has been deprecated.
Rule Actions | rule:312 | Remove from Active List action
Rule Activations | rule:700 | Rule has been deactivated
Rule Activations | rule:701 | Rule has been deactivated because it is unsafe. There was excessive recursion or event matching.
Rule Activations | rule:702 | Rule has been activated
Rule Firings | rule:101 | Rule fired OnEveryEvent
Rule Firings | rule:102 | Rule fired OnFirstEvent
Rule Firings | rule:103 | Rule fired OnSubsequentEvents
Rule Firings | rule:104 | Rule fired OnEveryThreshold
Rule Firings | rule:105 | Rule fired OnFirstThreshold
Rule Firings | rule:106 | Rule fired OnSubsequentThresholds
Rule Firings | rule:107 | Rule fired OnTimeUnitExpiration
Rule Warnings | rule:501 | Rule is firing on events generated by itself
Scheduler Execution | scheduler:200 | A task has been executed
Scheduler Execution | scheduler:201 | A task failed to execute
Scheduler Scheduling Tasks | scheduler:300 | A new task has been scheduled
Scheduler Scheduling Tasks | scheduler:301 | A new task could not be scheduled
Scheduler Scheduling Tasks | scheduler:302 | Enabled a task
Scheduler Scheduling Tasks | scheduler:303 | Could not enable a task
Scheduler Scheduling Tasks | scheduler:304 | Deleted a task
Scheduler Scheduling Tasks | scheduler:305 | Failed to delete a task
Scheduler Scheduling Tasks | scheduler:306 | Disabled a task
Scheduler Scheduling Tasks | scheduler:307 | Could not disable a task
Scheduler Skip | scheduler:100 | The task scheduler skipped a scheduled task execution because the scheduler was not allowed to run
Scheduler Skip | scheduler:101 | The task scheduler skipped a scheduled task invocation because the last invocation of the task is still executing
Statistical Data Monitor | datamonitor:200 | Statistical Data Monitor reporting a change in status
Stress | test:100 | A stress test event. This event is generated only by ArcSight Quality Assurance.
User Login | authentication:100 | Successful client login
User Login | authentication:101 | Failed client login
User Login | authentication:102 | Client logout
User Login | authentication:103 | Client timed out due to inactivity
User Login | authentication:104 | Too many client login failures occurred within a time period
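The Device Event Class IDs in the table above are what an analyst filters on in an active channel to watch the Manager itself rather than the devices it monitors. The following Python is an added example, not code from this guide or from ArcSight: it classifies a batch of audit events by ID using a subset of the table, surfaces the IDs that signal loss of visibility or trust problems (unknown agents, bad shared secrets, refused authorization, unsafe rules being deactivated, notification disabled, event flow stopped, deleted configuration resources), and counts failed client logins per user against a locally chosen threshold. The sample events, the watchlist, the threshold, and the field names used (deviceVendor, deviceEventClassId, sourceUserName) are constructed or assumed for the example.

```python
"""Triage of ArcSight audit events by Device Event Class ID.

Added example; not part of the ArcSight Web User's Guide or the product.
AUDIT_EVENTS is a subset of the audit event table in the guide. The sample
events below are constructed, and the field names (deviceVendor,
deviceEventClassId, sourceUserName) are assumed event field aliases.
"""
from collections import Counter

# Subset of the audit-event table: Device Event Class ID -> (category, description)
AUDIT_EVENTS = {
    "activechannel:100": ("Active Channel", "An active channel was opened"),
    "agent:104": ("Agent Connection", "An unknown agent attempted to connect to the Manager"),
    "agent:105": ("Agent Connection", "An agent presented an incorrect shared secret when authenticating"),
    "authentication:100": ("User Login", "Successful client login"),
    "authentication:101": ("User Login", "Failed client login"),
    "authentication:104": ("User Login", "Too many client login failures occurred within a time period"),
    "authentication:201": ("Agent Login", "Agent authentication failed"),
    "authorization:100": ("Authorization", "Manager refused to authorize client"),
    "resource:100": ("Configuration Resources", "Deleted a configuration resource"),
    "rule:700": ("Rule Activations", "Rule has been deactivated"),
    "rule:701": ("Rule Activations", "Rule has been deactivated because it is unsafe"),
    "notification:100": ("Notification", "Notification has been disabled"),
    "manager:200": ("Manager External Event Flow Interruption", "Manager has stopped the event flow"),
}

# IDs a SOC normally wants surfaced: visibility loss, authentication failures,
# trust-boundary problems and content changes. Chosen for this example.
WATCHLIST = {
    "agent:104", "agent:105", "authentication:104", "authentication:201",
    "authorization:100", "resource:100", "rule:700", "rule:701",
    "notification:100", "manager:200",
}

FAILED_LOGIN_THRESHOLD = 3  # assumed local policy, not a product setting


def classify(event):
    """Return (category, description) for an audit event, or ("Unknown", id)."""
    class_id = event.get("deviceEventClassId", "")
    return AUDIT_EVENTS.get(class_id, ("Unknown", class_id))


def triage(events):
    """Walk audit events in order, flagging watchlisted IDs and repeated
    failed client logins per user. Returns a list of (reason, event) tuples."""
    findings = []
    failed_logins = Counter()
    for ev in events:
        if ev.get("deviceVendor") != "ArcSight":
            continue  # only Manager-generated audit events are of interest here
        class_id = ev.get("deviceEventClassId", "")
        category, description = classify(ev)
        if class_id in WATCHLIST:
            findings.append((f"{category}: {description}", ev))
        if class_id == "authentication:101":
            user = ev.get("sourceUserName", "<unknown>")
            failed_logins[user] += 1
            if failed_logins[user] == FAILED_LOGIN_THRESHOLD:
                findings.append(
                    (f"User Login: {FAILED_LOGIN_THRESHOLD} failed client logins for {user}", ev))
    return findings


# Constructed sample audit events (not captured from a real Manager)
SAMPLE_EVENTS = [
    {"deviceVendor": "ArcSight", "deviceEventClassId": "activechannel:100", "sourceUserName": "analyst1"},
    {"deviceVendor": "ArcSight", "deviceEventClassId": "authentication:101", "sourceUserName": "admin"},
    {"deviceVendor": "ArcSight", "deviceEventClassId": "authentication:101", "sourceUserName": "admin"},
    {"deviceVendor": "ArcSight", "deviceEventClassId": "authentication:101", "sourceUserName": "admin"},
    {"deviceVendor": "ArcSight", "deviceEventClassId": "authentication:100", "sourceUserName": "admin"},
    {"deviceVendor": "ArcSight", "deviceEventClassId": "agent:105", "sourceHostName": "connector-07"},
    {"deviceVendor": "ArcSight", "deviceEventClassId": "rule:701"},
    # A non-ArcSight event with a colliding ID is ignored by triage()
    {"deviceVendor": "OtherVendor", "deviceEventClassId": "authentication:101", "sourceUserName": "admin"},
]

if __name__ == "__main__":
    for reason, ev in triage(SAMPLE_EVENTS):
        print(f"{reason}  <- {ev['deviceEventClassId']}")
```

Because the Manager emits authentication:104 on its own when too many client login failures occur within its time window, the per-user counter here is only useful when a tighter or per-user policy is wanted; the deviceVendor check matters because Device Event Class IDs are only unique within a vendor's namespace.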

Status Monitor Events


ArcSight status monitor events can reveal and isolate many different quantity and time-unit
issues that bear directly on performance and capacity. There are many possible
applications of this system-state data, but those applications must always be interpreted
within the context of your particular hardware, software, and network environment, and
the deployment choices made for ArcSight and its SmartConnectors.

Compare status monitoring events, which provide information about a wide variety of
system states, to Audit Events, which report on system activity.

• Active Channel Statistics
• Active List Statistics
• Asset Statistics
• Data Monitor Statistics
• Event Broker Statistics
• Filter Engine Statistics
• Main Flow Statistics
• Notification Statistics
• Pattern Discovery Statistics
• Report Statistics
• Resource Framework Statistics
• Rules Engine Statistics
• Session Management Statistics
• Side Table Statistics
• SmartConnector Flow Statistics

Active Channel Statistics

Active channel statistics, specifically any changes that occur in the counts they report, can
indicate performance issues and the use of processing cycles. These events summarize:

• The number of events changed across all open Active Channels per second
• The number of events inserted into Active Channels per second
• The number of currently open Active Channels

Status Monitor Event Category | Device Event Class ID | Audit Event Description

/Monitor/ActiveChannels/Open | monitor:100 | Open active channel count. Provides count and current value.
/Monitor/ActiveChannels/Events/Insertions | monitor:174 | Active channel event insertions per second. Provides count per second since last monitor event.
/Monitor/ActiveChannels/Events/Changes | monitor:175 | Active channel event changes per second. Provides count per second since last monitor event.

Active List Statistics

Active list statistics monitor the resources being used by active lists. Active list entries use
some memory and database resources, and use CPU resources when they are referenced
by other parts of the system (e.g., rules, reports, and filters). While changes to these
temporary lists are not persisted, they do represent some memory overhead. Note that
when active lists are used by replay-with-rules, this also creates temporary lists.

Status Monitor Event Category | Device Event Class ID | Audit Event Description

/Monitor/ActiveLists/ListCount | monitor:114 | Open active list count. Provides count, current value.
/Monitor/ActiveLists/EntryCount | monitor:115 | Active list entry count. Provides count, current value.
/Monitor/ActiveLists/EntryCapacity | monitor:116 | Active list entry capacity. Provides count, current value.
/Monitor/ActiveLists/EntryPercentUsed | monitor:117 | Active list entry usage. Provides percent, current value.
/Monitor/ActiveLists/TemporaryListCount | monitor:118 | Temporary active list count. Provides count, current value.
/Monitor/ActiveLists/TemporaryEntryCount | monitor:119 | Temporary active list entry count. Provides count, current value.
/Monitor/ActiveLists/TemporaryCapacity | monitor:120 | Temporary active list capacity. Provides count, current value.
/Monitor/ActiveLists/TemporaryPercentageUsed | monitor:121 | Temporary active list usage. Provides percent, current value.
/Monitor/ActiveLists/QueriesPerSecond | monitor:122 | Active list queries per second. Provides count of queries per second since startup.
/Monitor/ActiveLists/ChangesPerSecond | monitor:123 | Active list changes per second. Count per second since startup.

Asset Statistics

Asset statistics offer insight into performance areas that affect assets in the system and can
help resolve source, destination, agent, and device asset issues for incoming events. These
events summarize:

• Asset resolutions per second is the average number of end-points in events that
are resolved to assets in a second.
• Asset resolutions average time is the average time in milliseconds taken to resolve
an end-point in an event to an asset.
• Asset scanner events per second is the number of scanner events processed in a
second.
• Asset scanner events average time is the average time in milliseconds taken to process
a scanner event.

Status Monitor Event Category | Device Event Class ID | Audit Event Description

/Monitor/Asset/TotalCount | monitor:200 | Asset total count. Provides count, current value.
/Monitor/Asset/Scanner/EventsPerSecond | monitor:201 | Scanner events processed per second. Provides count per second since last monitor event.
/Monitor/Asset/ResolutionsPerSecond | monitor:202 | Asset resolutions per second. Provides count per second for asset resolutions since last monitor event.
/Monitor/Asset/Scanner/AverageTime | monitor:203 | Scanner event average processing time. Provides count per second for scanner event average processing time since startup.
/Monitor/Asset/ResolutionsAverageTime | monitor:204 | Asset resolution average time. Provides average time in milliseconds for asset resolution since startup.
/Monitor/Asset/ResolutionsAverageTime/Source | monitor:205 | Asset source resolution average time. Provides average time in milliseconds for asset source resolution since startup.
/Monitor/Asset/ResolutionsAverageTime/Destination | monitor:206 | Asset destination resolution average time. Provides average time in milliseconds for asset destination resolution since startup.
/Monitor/Asset/Size | monitor:240 | Transitive closure size. Provides count per second and current value for transitive closure size.

Data Monitor Statistics

The data monitor statistics indicate how intensively the data monitors are working, which
in turn can indicate situations such as filters needing adjustment or data monitors needing
restructuring. These events summarize:

• Active probes is the number of currently enabled data monitors.
• Evaluations per second is the number of events times the number of enabled data
monitors per second.

Status Monitor Event Category | Device Event Class ID | Audit Event Description

/Monitor/DataMonitors/ActiveProbes | monitor:101 | Active data monitor probe count. Provides count, current value.
/Monitor/DataMonitors/EvaluationsPerSecond | monitor:124 | Data monitor evaluations per second. Provides count per second since last monitor event.

Event Broker Statistics

These statistics monitor reading events from, and writing events to, the database. As such,
they are database health indicators. These events summarize:

• Event count is the number of events inserted into the database since the last monitor
event.
• Insert time is the average time taken to insert each event into the database, in
microseconds.
• Retrieval time is the average time taken to retrieve each event from the database, in
microseconds.

Status Monitor Event Category | Device Event Class ID | Audit Event Description

/Monitor/EventBroker/InsertTime | monitor:102 | Event insertion time per event. Provides count in microseconds for insertion time per event since last monitor event.
/Monitor/EventBroker/InsertedEventCount | monitor:103 | Events processed count. Provides count since last monitor event.
/Monitor/EventBroker/RetrievalTime | monitor:140 | Event retrieval time per event. Provides count in microseconds per count, since last monitor event.

Filter Engine Statistics

The count of in-memory filter evaluations can serve as a broad indicator of filter
performance.

Status Monitor Event Category | Device Event Class ID | Audit Event Description

/Monitor/Filters/EvaluationCount | monitor:161 | Filter evaluation count.

Main Flow Statistics

These events report statistically on the overall throughput of the ArcSight Manager, for
both incoming and internal events. This flow is the sequence of processing steps applied to
each event and is a broad indicator or benchmark of system traffic. These events
summarize:

• Count describes the number of events that have passed through the flow since the
Manager started.
• Rate describes the current event rate in events per second.

Status Monitor Event Category | Device Event Class ID | Audit Event Description

/Monitor/MainFlow/EPS | monitor:230 | Main flow event rate. Provides count per second since last monitor event.
/Monitor/MainFlow/Events | monitor:231 | Main flow event count. Provides count since startup.

Notification Statistics

This group reports on notification activity, which can be of diagnostic value in detecting
unusually high notification activity.

• New count describes the number of new notifications since the last monitor event.
• Escalated count describes the number of notifications that were escalated since the
last monitor event.

Status Monitor Event Category | Device Event Class ID | Audit Event Description

/Monitor/Notification/New | monitor:180 | New notification count. Provides count since last monitor event.
/Monitor/Notification/Escalated | monitor:181 | Escalated notification count. Provides count since last monitor event.

Pattern Discovery Statistics

These events provide statistics for recent or pending pattern discovery runs. Because
pattern discovery is database-intensive, these statistics can indicate or help diagnose
database performance issues.

Status Monitor Event Category | Device Event Class ID | Audit Event Description

/Monitor/Patterns/RunCount | monitor:190 | Pattern discoveries run count. Provides count since last monitor event.
/Monitor/Patterns/RunsQueued | monitor:191 | Pattern discoveries queued count. Provides count, current value.

Report Statistics

These events provide statistics about the current number of reports querying the database
or being rendered. Because reports are database-intensive, these statistics can indicate or
help diagnose database performance issues.

Status Monitor Event Category | Device Event Class ID | Audit Event Description

/Monitor/Reports/Running | monitor:130 | Reports running count. Provides count, current value.
/Monitor/Reports/RunningQueryingDB | monitor:131 | Reports querying database count. Provides count, current value.
/Monitor/Reports/RunningRendering | monitor:132 | Reports rendering count. Provides count, current value.

Resource Framework Statistics

Resource-framework events report on the database activity connected with updates (reads,
writes, and deletions) to system resources such as rules, assets, and filters, since the last
monitor event. This data can be valuable in tracking or diagnosing performance-related
issues such as automatic asset maintenance, the threat-level formula, or rule-driven usage.

Status Monitor Event Category | Device Event Class ID | Audit Event Description

/Monitor/Resource/Activity/Insert | monitor:171 | Resources inserted per second. Provides count per second since last monitor event.
/Monitor/Resource/Activity/Update | monitor:172 | Resources updated per second. Provides count per second since last monitor event.
/Monitor/Resource/Activity/Delete | monitor:173 | Resources deleted per second. Provides count per second since last monitor event.

Rules Engine Statistics

The statistics related to the ArcSight Manager's rules engine can help reveal performance
issues in several areas. Remember that information about rules activity always needs
to be considered in the full context of the Manager's operations. For example, a busy
Moving Average data monitor, if used inefficiently, can affect several of these statistics; a
poorly written rule can inadvertently drive up the rate of actions executed.

These statistics have the following performance implications:

• Count of events inserted into the rule engine: CPU.
• Rate of event insertion into the rule engine: CPU.
• Count of correlated events generated by the rule engine: CPU.
• Rate of correlated event generation by the rule engine: CPU.
• Count of partial matches in the rule engine: memory.
• Count of events that are still present in the rule engine's working memory: memory.
• Count of groupBy cells that are being used by the rule engine: memory.
• Count of rules currently active in the rule engine: comparative value only.
• Rate of actions being executed by the rule engine: CPU.

Status Monitor Event Category | Device Event Class ID | Audit Event Description

/Monitor/Rules/InsertedEventCount | monitor:151 | Rules total event count. Provides count since last monitor event.
/Monitor/Rules/InsertedEventRate | monitor:152 | Rules inserted events per second. Provides count per second since last monitor event.
/Monitor/Rules/GeneratedEventRate | monitor:153 | Rules generated events per second. Provides count per second since last monitor event.
/Monitor/Rules/PartialMatchCount | monitor:154 | Rules partial match count. Provides count, current value.
/Monitor/Rules/EventsInRuleEngineMemory | monitor:155 | Rules in-memory event count. Provides count, current value.
/Monitor/Rules/GroupByCellsSize | monitor:156 | Rules group by cells size. Provides count, current value.
/Monitor/Rules/ActiveRulesCount | monitor:157 | Active rules count. Provides count, current value.
/Monitor/Rules/ActionsTakenRate | monitor:158 | Rules actions rate. Provides count per second since last monitor event.
/Monitor/Rules/GeneratedEventCount | monitor:159 | Rules generated event count. Provides count since last monitor event.

Session Management Statistics


This statistic tracks the current number of active user sessions.

Status Monitor Event Category        Device Event Class ID   Audit Event Description

/Monitor/Sessions/Active/Total       monitor:160             Active session count. Provides count, current value.

Side Table Statistics


Side tables are tables held in memory and in the database to retain common and relatively
static information, similar to a cache. Their purpose is to improve access times for inserts
and queries. Side tables store event data that includes geographical information,
categorization information, agent information, device information, and labels for custom
strings and numbers.

 Size identifies how many entries are presently in the cache.
 Insert identifies the number of inserts in the past two hours.
 Cache misses identifies how many failed attempts to find entries occurred in the past
two hours.
 Cache hit rate identifies how many successful attempts to find entries occurred in
the past two hours.

Status Monitor Event Category              Device Event Class ID   Audit Event Description

/Monitor/SideTable/GeoInfo/HitRate         monitor:210             Geo info sidetable cache hit rate. Provides a percentage over a moving timeframe.
/Monitor/SideTable/GeoInfo/Inserts         monitor:211             Geo info sidetable inserts. Provides count over a moving timeframe.
/Monitor/SideTable/GeoInfo/CacheMisses     monitor:212             Geo info sidetable cache misses. Provides count over a moving timeframe.
/Monitor/SideTable/GeoInfo/Size            monitor:213             Geo info sidetable size. Provides count, current value.
/Monitor/SideTable/Category/HitRate        monitor:214             Category sidetable cache hit rate. Provides a percentage over a moving timeframe.
/Monitor/SideTable/Category/Inserts        monitor:215             Category sidetable inserts. Provides count over a moving timeframe.
/Monitor/SideTable/Category/CacheMisses    monitor:216             Category sidetable cache misses. Provides count over a moving timeframe.
/Monitor/SideTable/Category/Size           monitor:217             Category sidetable size. Provides count, current value.
/Monitor/SideTable/Agent/HitRate           monitor:218             Agent sidetable cache hit rate. Provides a percentage over a moving timeframe.
/Monitor/SideTable/Agent/Inserts           monitor:219             Agent sidetable inserts. Provides count over a moving timeframe.
/Monitor/SideTable/Agent/CacheMisses       monitor:220             Agent sidetable cache misses. Provides count over a moving timeframe.
/Monitor/SideTable/Agent/Size              monitor:221             Agent sidetable size. Provides count, current value.
/Monitor/SideTable/Device/HitRate          monitor:222             Device sidetable cache hit rate. Provides a percentage over a moving timeframe.
/Monitor/SideTable/Device/Inserts          monitor:223             Device sidetable inserts. Provides count over a moving timeframe.
/Monitor/SideTable/Device/CacheMisses      monitor:224             Device sidetable cache misses. Provides count over a moving timeframe.
/Monitor/SideTable/Device/Size             monitor:225             Device sidetable size. Provides count, current value.
/Monitor/SideTable/Labels/HitRate          monitor:226             Labels sidetable cache hit rate. Provides a percentage over a moving timeframe.
/Monitor/SideTable/Labels/Inserts          monitor:227             Labels sidetable inserts. Provides count over a moving timeframe.
/Monitor/SideTable/Labels/CacheMisses      monitor:228             Labels sidetable cache misses. Provides count over a moving timeframe.
/Monitor/SideTable/Labels/Size             monitor:229             Labels sidetable size. Provides count, current value.

SmartConnector Flow Statistics


SmartConnector flow statistics record the event rates that occur at different stages of
agent processing. "Sum of" statistics are sums of all values reported by all agents
connected to the ArcSight Manager. All values are statistics over the past 1-minute range.
These events summarize:

 Received event rate is the rate at which agents receive events from devices.
 Post filter event rate is the rate of events that passed the filter (that is, events that
were not filtered out).
 Post aggregation event rate is the rate of event aggregation.
 Agent-to-manager event rate and count describe how many events were actually
sent to the Manager.
 Cache size describes the estimated size of the on-disk agent event cache.

Status Monitor Event Category              Device Event Class ID   Audit Event Description

/Monitor/Agents/Events/ToManager           monitor:104             Agent output event count, since startup. Provides count.
/Monitor/Agents/EPS/ToManager              monitor:109             Agent output event rate. Provides the agent-to-manager count per second since last monitor event.
/Monitor/Agents/EPS/Received               monitor:110             Agent input event rate. Provides count per second for the agent received event rate since last monitor event.
/Monitor/Agents/EPS/PostFilter             monitor:111             Agent filtered event rate. Provides count per second for the agent post-filter event rate since last monitor event.
/Monitor/Agents/EPS/PostAggregation        monitor:112             Agent aggregated event rate. Provides count per second for the agent post-aggregation event rate since last monitor event.
/Monitor/Agents/CacheSize                  monitor:113             Estimated agent cache size, current value. Provides count.
/Monitor/Agents/Total/Events/ToManager     monitor:141             Sum of agent output event counts. Provides count-per-second sum of agent-to-manager event counts since startup.
/Monitor/Agents/Total/EPS/ToManager        monitor:146             Sum of agent-to-manager output event rates. Provides count per second since last monitor event.
/Monitor/Agents/Total/EPS/Received         monitor:147             Sum of agent input event rates. Provides count per second for the sum of agent received event rates since last monitor event.
/Monitor/Agents/Total/EPS/PostFilter       monitor:148             Sum of agent filtered event rates. Provides count per second for the sum of agent post-filter event rates since last monitor event.
/Monitor/Agents/Total/EPS/PostAggregation  monitor:149             Sum of agent aggregated event rates. Provides count per second for the sum of agent post-aggregation event rates since the last monitor event.
/Monitor/Agents/Total/CacheSize            monitor:150             Sum of estimated agent cache sizes. Provides count as a sum of the estimated agent cache sizes, current value.
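The rules engine, side table and SmartConnector flow statistics above arrive as status monitor audit events, and the usual way to act on them is to watch a few of them for the memory, CPU and backlog symptoms the text describes. The following is an added example, not ArcSight's own code: it parses such events in CEF form and applies checks keyed on the Device Event Class IDs from the tables. The sample lines are constructed, the thresholds are illustrative, and the use of the cn1 extension field to carry the metric value is an assumption about the event layout.

```python
"""Health checks over ArcSight status monitor events (Device Event Class IDs from the
tables in this chapter).  Added example, not ArcSight code.  The CEF lines in SAMPLE are
constructed, and carrying the metric value in the cn1 extension field is an assumption."""
import re
from dataclasses import dataclass

# Class IDs taken from the statistics tables, mapped to a metric label.
CLASS_IDS = {
    "monitor:154": "rules_partial_matches",        # memory: partial matches held by rules
    "monitor:156": "rules_groupby_cells",          # memory: groupBy cells in use
    "monitor:158": "rules_actions_rate",           # CPU: a noisy rule drives this up
    "monitor:210": "geoinfo_sidetable_hit_rate",   # percentage over a moving timeframe
    "monitor:214": "category_sidetable_hit_rate",
    "monitor:218": "agent_sidetable_hit_rate",
    "monitor:222": "device_sidetable_hit_rate",
    "monitor:226": "labels_sidetable_hit_rate",
    "monitor:150": "agent_cache_total",            # sum of estimated on-disk agent caches
    "monitor:160": "active_sessions",
}

# Constructed thresholds; tune them to the Manager being watched.
HIT_RATE_MIN = 90.0           # percent
PARTIAL_MATCH_MAX = 1_000_000
ACTIONS_RATE_MAX = 50.0       # rule actions per second
CACHE_GROWTH_FACTOR = 2.0     # cache doubling between two consecutive samples


@dataclass
class Finding:
    class_id: str
    metric: str
    value: float
    message: str


def _unescape(text):
    """Undo CEF backslash escaping (pipe, equals, backslash, newline, carriage return)."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), text)


def parse_cef(line):
    """Split one CEF line into its seven header fields and a dict of extension fields."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)   # pipes not preceded by a backslash
    if len(parts) < 8:
        raise ValueError("CEF header needs 7 pipe-separated fields")
    ext = {}
    keys = list(re.finditer(r"(?:^|\s)(\w+)=", parts[7]))  # an escaped '=' never starts a key
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(parts[7])
        ext[m.group(1)] = _unescape(parts[7][m.end():end].strip())
    return {"version": parts[0][4:], "vendor": _unescape(parts[1]),
            "product": _unescape(parts[2]), "device_version": _unescape(parts[3]),
            "class_id": _unescape(parts[4]), "name": _unescape(parts[5]),
            "severity": parts[6], "ext": ext}


def evaluate(lines):
    """Run the checks over a batch of monitor events, in order, and return the findings."""
    findings = []
    last_cache = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_cef(line)
        metric = CLASS_IDS.get(ev["class_id"])
        if metric is None:
            continue                     # not one of the statistics tracked here
        try:
            value = float(ev["ext"].get("cn1", ""))
        except ValueError:
            continue                     # no numeric value on this event
        cid = ev["class_id"]
        if metric.endswith("_sidetable_hit_rate") and value < HIT_RATE_MIN:
            findings.append(Finding(cid, metric, value, "side table hit rate below %.0f%%: "
                            "lookups are falling through to the database" % HIT_RATE_MIN))
        elif metric == "rules_partial_matches" and value > PARTIAL_MATCH_MAX:
            findings.append(Finding(cid, metric, value, "rules engine holds many partial "
                            "matches; review rule conditions and time windows (memory)"))
        elif metric == "rules_actions_rate" and value > ACTIONS_RATE_MAX:
            findings.append(Finding(cid, metric, value, "rule actions per second are high; "
                            "a rule may be firing on nearly every event (CPU)"))
        elif metric == "agent_cache_total":
            # Compare with the previous sample: a growing cache means events are queuing
            # on the connectors' disks instead of reaching the Manager.
            if last_cache and value > last_cache * CACHE_GROWTH_FACTOR:
                findings.append(Finding(cid, metric, value, "connector caches are growing: "
                                "events are queuing on disk rather than reaching the Manager"))
            last_cache = value
    return findings


# Constructed monitor events (not captured from a real Manager).
SAMPLE = """\
CEF:0|ArcSight|ArcSight|5.2|monitor:154|Rules partial match count|1|cat=/Monitor/Rules/PartialMatchCount cn1=2500000
CEF:0|ArcSight|ArcSight|5.2|monitor:157|Active rules count|1|cat=/Monitor/Rules/ActiveRulesCount cn1=312
CEF:0|ArcSight|ArcSight|5.2|monitor:214|Category sidetable cache hit rate|1|cat=/Monitor/SideTable/Category/HitRate cn1=72
CEF:0|ArcSight|ArcSight|5.2|monitor:150|Sum of estimated agent cache sizes|1|cat=/Monitor/Agents/Total/CacheSize cn1=1048576
CEF:0|ArcSight|ArcSight|5.2|monitor:150|Sum of estimated agent cache sizes|1|cat=/Monitor/Agents/Total/CacheSize cn1=4194304
CEF:0|ArcSight|ArcSight|5.2|monitor:160|Active session count|1|cat=/Monitor/Sessions/Active/Total cn1=12
"""

if __name__ == "__main__":
    for f in evaluate(SAMPLE.splitlines()):
        print(f"{f.class_id} {f.metric}={f.value:g}: {f.message}")
```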



Chapter 7
Using Cases

ArcSight cases provide organized, workflow-style tracking and management of interesting
events or situations.

The ArcSight Web interface enables you to create, manage, or customize cases.

Cases have a large number of fields to cover a wide range of event analysis and
investigation possibilities (see “Creating Cases” on page 97).

You can add an Export button to the Cases display to export selected cases. Add the
line ui.export.enabled=true to the webserver.properties file and restart
ArcSight Web.

“Managing Cases” on page 95
“Creating Cases” on page 97

Managing Cases
The cases display shows cases that are already created in the Cases tree. From the main
panel, you can select, view, and customize existing cases, and create new ones.

To view an existing case

1 Navigate to and select the case in the Cases resource tree on the left.
 Click the group folders in the tree to open or close them.
 Click a folder to see a list of its cases in the pane to the right.
 Click the arrow icon in the upper-right corner of the resource pane to hide it or
show it.
2 The Cases content pane shows individual listings. Click an individual case to see its
fields (see “Creating Cases” on page 97).

To edit an individual case

1 Click Lock this case.
2 Make your changes and click Submit.
3 Unlock the case after you finish editing.

To remove a case

1 Select the check box for the case you want to remove and click Remove.


If you want to keep the case but not allow others to edit it, use the Lock (hold for
editing) or Unlock (release for others to edit) buttons.
2 Click Refresh to update the display.

To create a new case
Click New Case to go to the Create a New Case display. For details about how to create a
case, see “Creating Cases” on page 97.

To customize a case
Click Customize to select, deselect, and arrange the columns of the case list.

Default Case Management Columns

Attribute                      Description

Name                           The name assigned to the case. Using descriptive names is important.
Locked                         Whether the case is free to be edited by others. If Locked, it cannot.
Security Classification Code   The letter codes that identify the nature of the security issues the case represents. See “Security Classification Default Letter Codes” on page 96 below.
Ticket Type                    The source of the case or its means of tracking.
Stage                          The current collaboration or workflow stage assigned to the case.
Frequency                      The numerical range of events that occur in regard to a case.
Created By                     The ArcSight user ID of the person who created the case.

Security Classification Default Letter Codes

Classification Category   Letter Codes

Attack Mechanism          I = Informational
                          O = Operational
                          P = Physical
                          U = Unknown

Attack Agent              C = Collaborative
                          I = Insider
                          O = Outsider
                          U = Unknown

Vulnerability             D = Design
                          E = Operational Environment
                          O = Operational
                          U = Unknown

Sensitivity               C = Confidential
                          S = Secret
                          T = Top Secret
                          U = Unclassified

Associated Impact         A = Availability
                          C = Confidentiality
                          I = Integrity
                          U = Unknown

Action                    B = Block/Shutdown
                          M = Monitoring
                          O = Other

Creating Cases
To create a case, choose the Initial attributes tab first. Fill in the required and other
appropriate fields, tab by tab, then click Submit at the bottom of the display. Overall, the
tabs represent:

 Initial - Basic case information: case ticket attributes, description and security
classification.
 Follow Up - Description of actions taken, planned, or recommended.
 Final - Ticket resolution and reporting including attack mechanism, attack agent,
incident information, and vulnerability information.
 Events - List of events included in the case.
 Notes - Miscellaneous information applicable to a case.

Display ID numbers are assigned automatically when you save the case.

Initial Tab
The fields on this tab provide basic case information.

Field                          Description

Case
  Name                         Required field specifying the name of the case.
  Display ID                   An automatically assigned unique number.

Ticket
  Ticket Type                  Drop-down list includes Internal, Client, and Incident types.
  Stage                        Indicates the workflow stage of the ticket; selections include Queued, Initial, Follow-up, Final, and Closed.
  Frequency                    Indicates how often the reported issue occurs. Values assigned are 0 (never or once), 1 (less than 10 times), 2 (10 to 15 times), 3 (15 times), 4 (more than 15).
  Operational Impact           Impact of the reported issue. Values assigned are 0 (no impact), 1 (no immediate impact), 2 (low-priority impact), 3 (high-priority impact), 4 (immediate impact).
  Security Classification      Values assigned are 1 (Unclassified), 2 (Confidential), 3 (Secret), 4 (Top Secret).
  Consequence Severity         Values assigned are 0 (None), 1 (Insignificant), 2 (Marginal), 3 (Critical), 4 (Catastrophic).
  Reporting Level              This is a calculated number, based on the Ticket values entered.

Incident Information
  Detection Time               This field is auto-populated.
  Estimated Start Time         This field is auto-populated.
  Estimated Restore Time       This field is auto-populated.
  External ID                  This field is auto-populated.
  Alias                        Another name by which the incident is referenced in the system.
  Description                  A text description of the incident.

Assign
  Owner                        Users designated as owners of the case.
  Notification Groups          Pre-defined groups that should be notified when the case is created or updated.

Description
  Affected Services            This text field can contain up to 4,000 characters.
  Affected Elements            This text field can contain up to 4,000 characters.
  Estimated Impact             This text field can contain up to 4,000 characters.
  Affected Sites               This text field can contain up to 4,000 characters.

Security Classification
  Attack Mechanism             I = Informational, O = Operational, P = Physical, U = Unknown
  Attack Agent                 C = Collaborative, I = Insider, O = Outsider, U = Unknown
  Incident Source 1            This field is auto-populated.
  Incident Source 2            This field is auto-populated.
  Vulnerability                D = Design, E = Operational Environment, U = Unknown
  Sensitivity                  C = Confidential, S = Secret, T = Top Secret, U = Unclassified
  Associated Impact            A = Availability, C = Confidentiality, I = Integrity, U = Unknown
  Action                       B = Block/Shutdown, M = Monitoring, O = Other

Security Classification Code
  Security Classification Code This field is auto-populated.

Follow Up Tab
The fields on this tab describe follow-up entries for a case.

Field                    Description

Actions Taken            This text field can contain up to 4,000 characters.
Planned Actions          This text field can contain up to 4,000 characters.
Recommended Actions      This text field can contain up to 4,000 characters.
Follow-up Contact        This text field can contain up to 4,000 characters.


Final Tab
Fields on this tab provide ticket resolution and reporting information related to the attack
agent associated with a case.

Field                      Description

Attack Mechanism
  Attack Mechanism         This field is auto-populated.
  Attack Protocol          The network protocol that is transporting the attack.
  Attack OS                The operating system supporting the attack.
  Attack Program           The program that is performing the attack.
  Attack Time              The date and time of the attack.
  Attack Target            The host or device at which the attack is directed.
  Attack Service           The service at which the attack is directed.
  Attack Impact            The effect of the attack.
  Final Report Action      The action recommended for this case.

Attack Agent
  Attack Agent             This field is auto-populated.
  Attack Location ID       A short description of the location under attack, of up to 255 characters.
  Attack Node              A short description of the network node under attack, of up to 255 characters.
  Attack Address           A text field in which you can record the IP address under attack, of up to 255 characters.

Incident Information
  Incident Source 1        This field is auto-populated.
  Incident Source 2        This field is auto-populated.
  Incident Source Address  A text field in which you can record up to 200 characters.

Vulnerability
  Vulnerability            This field is auto-populated.
  Vulnerability Type 1     Selections include: Accidental or Intentional.
  Vulnerability Type 2     Selections include: EMI/RFI, Insertion of Data, Theft of Service, Unauthorized, Probes, Root Compromise, DoS Attack, User Account.
  Vulnerability Evidence   This text field can contain up to 4,000 characters.
  Vulnerability Source     This text field can contain up to 4,000 characters.
  Vulnerability Data       This text field can contain up to 4,000 characters.

Other
  History                  Selections include: Known Occurrence and Unknown.
  No. Occurrences          A numeric value; the number of occurrences of the incident.
  Last Occurrence Time     The date and time of the most recent incident.
  Resistance               Selections include: High, Low, and Unknown.
  Consequence Severity     This field is auto-populated.
  Sensitivity              This field is auto-populated.
  Recorded Data            This text field can contain up to 4,000 characters.
  Inspection Results       This text field can contain up to 4,000 characters.
  Conclusions              This text field can contain up to 4,000 characters.

Events Tab
You can add events to a case from the Active Channels page, as described in Using
Active Channel Grids. The system then displays these events on the case's Events tab.

Field                           Description

Description                     This field is auto-populated from events included in a case.
Event Info and Payload fields   For selected events, this field displays event values and payload fields, if available.

Events related to a case are preserved in the case for tracking purposes even after the
time period in which the events would typically age out of the database.

Attachments Tab
The Attachments tab shows files associated with the selected case. Click the Attach button
to attach another file to the case.


If you do not see files as expected, try clicking the Refresh button to update the
view to show recently added files.

Field                          Description

Local file                     Select this option to choose a file on your local system. Specify values for the following fields, which are displayed when you choose a local file:
  Name                         A descriptive name for the file. This name can differ from the actual file name, and can include spaces. If you do not provide an alternative name here, the original file name is used.
  Description                  A text description of the file.
  File                         Click Browse and use the file browser to navigate to and select the local file you want to attach to the case. (This field requires user input.)
  Text Encoding                Encoding type. The default is ISO-8859-1.
  Share this file in ArcSight  Click this option if you want to make the file available as a shared resource on the ArcSight Manager.

ArcSight file                  Select this option to choose a file on the ArcSight Manager.
  Files to attach              Click the plus button next to the drop-down menu to show the file browser on the ArcSight Manager. Navigate to and select a file on the ArcSight Manager. (This field requires user input.)

Click Attach to attach the file to the case. (Or click Cancel to abandon attachment edits.)

Click Submit to save the case with the new attachment, the same way you save new
settings on the other tabs.

Once the file is attached, anyone viewing the case can view details about the file and
download it. To do this, navigate to a case, and click the Attachments tab. To view more
details about an attachment, click the file name. To download an attachment, click the
Download button for that file.

Notes Tab
Field Description

Note Use this field to record notes of up to 4,000 characters.



Chapter 8
Handling Notifications

The Notifications feature displays notifications relevant to you that were triggered by
certain event conditions.

The notifications on the display are grouped according to workflow-style stages such as
pending, acknowledged, resolved, or informational. The specific groups you see have been
tailored to your enterprise.

To see the details of a notification, click its listing in the relevant group.

Notification Category   Use

Pending                 These are notifications that you have not yet handled (reassigned to one of the following categories). Pending notifications older than 24 hours are automatically refiled as Not Acknowledged.
Acknowledged            These are notifications to which you have responded.
Not Acknowledged        Pending notifications that go unacknowledged or unresolved for more than 24 hours are automatically refiled as Not Acknowledged.
Resolved                These are notifications for which you or a colleague have found a resolution and so have marked the notification accordingly.
Informational           These are notifications that are provided for information purposes only and do not require resolution or response.



Chapter 9
Using Reports

The ArcSight Web interface enables you to run reports, and view and save the report
results.

The reports available to you are organized in the Cases resource tree on the left. Click the
group folders in the tree to open or close them. Click a folder to see a list of its cases in the
right-hand pane. Click the arrow icon in the upper-right corner of the resource pane to hide
it or show it.

“Running and Viewing Reports” on page 105
“Running and Saving Archived Reports” on page 106
“Report Parameters” on page 106
“Viewing Archived Reports” on page 107
“Advanced Configuration for Report Performance” on page 108

Running and Viewing Reports

To run and view a report

1 Click Report Definitions just below the toolbar.
2 Navigate to a report in the resource tree.
3 Click a report definition name to show it in the right pane.
4 Use the values already defined for the report's parameters or change them as
necessary. (See “Report Parameters” on page 106.)
5 Click Run Report to run the report and display the results.

If you are running the context report from the event inspector, click View Report to
run and display the report.

For tips about how to run large reports that make efficient use of system resources, see
“Advanced Configuration for Report Performance” on page 108.


Running and Saving Archived Reports

To run and save a report

1 Click Report Definitions just below the toolbar.
2 Navigate to a report in the resource tree.
3 Click a report definition name to show it in the right pane.
4 Use the values already defined for the report's parameters or change them as
necessary. (See “Report Parameters” on page 106.)
5 Select the Save Output checkbox to expose the archive report detail fields.

If you are archiving the context report from the event inspector, click Archive
Report. The report is generated and displayed in the viewer panel. You can save the
report output using the browser Save As function.

6 Enter the following details for saving the report output as an archived report and click
Run Report:

Field                            Enter this

Archive Report Folder            Browse to an existing folder in the ArcSight file system to save the report results. This makes the report results retrievable from the Archived Reports view later.
                                 If you do not select a folder, you can save the report once the results are displayed using the save method that applies to the report format. For example, if you chose PDF, you can use the PDF save to save the results.
Archive Report Name              Accept the default report name or enter a name for the saved report results. Spaces are OK.
Archive Report Expiration Time   Accept the default date (6 months from today), or enter a date when the archived report results are deleted. $NOW indicates that the report results are deleted when you close the report results viewer.

Report Parameters
The following parameters are common to most reports. Depending on the query used as
the source for a report, other parameters may be exposed here. For example, a report
might prompt for a Start and End Date (timestamps) over which to run the report.

Parameter        Use

Report Format    The format in which to generate the report. Note that RTF appears by default in Word documents, XLS in Excel worksheets, CSV in Excel worksheets, and PDF and HTML in browser windows. The CSV-Plain format intentionally has fewer report header lines.
Page Size        Choose a standard paper size for the printed report (whether you send it directly to print or not).


Run as User                      As an option, choose an existing ArcSight user's identity as a report constraint. The user identity can serve as a type of filter on the report's output, or it may be desirable to run a report on behalf of a user, as in a provider/customer (MSSP) circumstance.
E-mail to                        Select one or more e-mail addresses to send notifications to when the report runs.
E-mail Format                    Choose to send the generated report or a URL to the file.
Save Output                      Select this option to save the generated report to the ArcSight Manager as an Archived Report. When you select the Save Output option (toggled "on"), provide the name, location, and expiration date of the archived report.
Archive Report Folder            Indicate the name of the folder in which you want to store the report.
Archive Report Name              Enter the name of the report. You can use Velocity Template references here. By default, the report name is set to: ${Today}/${ReportName}_${Now}
                                 $CurrentDateTime: Prints the current date and time. (Same as $Now)
                                 $CurrentDate: Prints the current date.
                                 $CurrentMonth: Prints the current month.
                                 $CurrentWeek: Prints the current week.
                                 $Now: Prints the current date and time. (Same as $CurrentDateTime)
                                 $CurrentDateTime-<Number>: Prints the current date and time minus the number of days you specify.
Archive Report Expiration Time   Enter an expiration date and time for the archived report. Click the calendar button next to the date field to get a popup calendar in which to designate the date. The ArcSight system automatically removes expired reports.

Viewing Archived Reports

To view an archived report

1 Click Archived Reports just below the toolbar.
2 Navigate to a report in the resource tree.
3 Click the name of an archived report to show it in the right pane.

Downloading an Archived Report

To download an archived report

1 Click Archived Reports just below the toolbar.
2 In the Download column for the report archive you want, click the Download icon.
3 In the File Download dialog box, choose to open the file or save it to a particular
location.


Adding New Archived Reports

To add a new archived report to a folder

1 Click Archived Reports just below the toolbar.
2 In the resource tree, select the report folder to which you want to add the new
archived report.
3 Above the list of available reports, click New Report.
4 In the Upload Report screen, enter a report name and specify the path to its file, or
click Browse to locate it.
5 Click Upload to add the archived file to the others available in the folder.

Deleting Archived Reports

To delete archived reports

1 Click Archived Reports just below the toolbar.
2 Navigate to a report folder in the resource tree.
3 In the list of archived reports on the right, check those you want to delete.
4 Click Delete to remove the checked reports, then click OK to confirm.

Advanced Configuration for Report Performance

Reports with large file sizes or large time ranges may require special configurations at the
Manager to ensure system performance.

Set these parameters only as needed if you encounter large or complex reports that
repeatedly cause performance problems or cause the Manager to restart when you try to
run them. Refer to the ArcSight Administrator's Guide for more information on setting
server properties on the Manager. The properties described here are also documented in
the server.properties file itself.

Configurations for Large Reports

A very large report (for example, a 500 MB PDF report) might require so much virtual
machine (VM) memory that it can cause the ArcSight Manager to crash and re-start.

To prevent that, set up the Manager to expose a special report parameter for generating
the report in a separate process. The separate process has its own VM and heap, so the
report is more likely to finish. Even if the memory allocated is still not enough, the report
failure will not crash the Manager.

This option must be set up on the ArcSight Manager to expose it in the ArcSight Web report
parameters list. On the ArcSight Manager in the server.properties file, set
report.canarchivereportinseparateprocess=true. Save the
server.properties file and restart the Manager.

Once this property is set to "true" on the Manager, the Save Output options for a selected
report on ArcSight Web include a new parameter called Generate Report In Separate
Process. Select this option for a report you want to archive as a separate process, and run
the report.


If a report is saved with the parameter set to "true", the report is archived as a separate
process even if the property report.canarchivereportinseparateprocess in
server.properties is set back to "false" later on.

Configurations for Reports with Large Time Ranges

Reports that query over a large time range with complex joins run much faster if the query
contains a full scan database hint. This option must be set up on the Manager to expose it
in the ArcSight Web report parameters list.

On the ArcSight Manager in the server.properties file, set
report.canquerywithfullscanhint=true. Save the server.properties file and
restart the Manager.

Once this property is set to "true" on the Manager, the Save Output options for a selected
report on ArcSight Web include a new parameter called Query with Full Scan Hint. Select
this option for a report you want to run with the full scan hint, and run the report.

If a report is saved with the parameter set to "true", the report is archived as a separate
process even if the property report.canquerywithfullscanhint in
server.properties is set back to "false" later on.



Chapter 10
Monitoring Dashboards

The ArcSight Web interface enables you to view dashboards made available from the
ArcSight Console.

When you click Dashboards in the toolbar, you see the Dashboards display, usually with
the Dashboards tree open in the resource pane and the dashboards of the current branch
listed in the content pane.

“Viewing and Managing Dashboards” on page 111
“Changing Dashboard Layouts” on page 111

Viewing and Managing Dashboards

The dashboards are organized in the resource tree on the left. Click the group folders in the
tree to open or close them. Click a folder to see a list of its dashboards in the pane to the
right. Click the arrow icon in the upper-right corner of the resource pane to hide or show it.

Click a dashboard's name to open it and its collection of data monitors in the right pane.

By default, the information on a dashboard refreshes automatically every 60 seconds. Click
the "Pause" button (||) to stop refreshing, or click the circular arrow to refresh
immediately. Click the arrow head to resume auto-refreshing.

Run the mouse pointer over elements in graphic data monitors to see their details in
tooltips.

Three types of data monitors are available through ArcSight Web: Event Graph, Geographic
Event Graph, and Hierarchy Map.

Changing Dashboard Layouts

You can change the way data monitors are laid out on dashboard displays. When you click
Dashboards and choose one to show from the resource tree, the layout of data monitors
in the right panel is a default pattern.

In a dashboard display, click Edit Layout to open the Dashboard Layout editor.

To rearrange data monitors, click and drag them from one of the display areas to another.
The upper and lower "wide" areas are intended to better accommodate tables, which most
often run wide and cannot be resized. The left and right "narrow" areas are intended to
accommodate charts, which are more likely to resize successfully.

To see a rearrangement, click Save.



Chapter 11
Using the Knowledge Base

ArcSight Web provides access to viewing knowledge base articles. The articles available to
you are organized in the resource tree on the left. Click the folders in the tree to open or
close them. Click the arrow icon in the upper-right corner of the resource tree panel to hide
it or show it.

ArcSight offers the Knowledge Base as a convenience for storing user-generated pointers
or articles of interest. It is not pre-populated.



Chapter 12
Using Reference Pages

An event viewed from the Event Inspector may have a reference page associated with it.
The contents of a reference page are set through the ArcSight Console.

• If present in an event, click View references to show the reference page content in a
separate browser window.
• Use the drop-down menu to navigate to other pages of this reference if more pages
are available.
• Use the browser's Back button to return.



Chapter 13
Setting Preferences

In any display, click Options in the toolbar to set or change your preferences for date
formatting, locale, active channel startup, and password.

Click the Formats tab to choose the style and punctuation to use for date and time values.
Click Update to apply your changes before moving to another tab.

Click the Locale tab to choose the time zone you work in. Click Update to apply your
changes before moving to another tab.

Click the Channels tab to choose whether you set the parameters for active channels each
time you open one. The check box is clear by default, which means that you see the
channel setup options. Select the check box to skip setup and go directly to the
channel display. There is also an option to hide (collapse) the channel tree in the left panel
when a channel is already running. By default, this tree remains in view. Click Update to
apply your changes before moving to another tab.

Click the Password tab to change your current password. Enter your old password first.
Then enter your new password and repeat it to confirm. Click Update to put your change
into effect.



Chapter 14
Custom Branding and Styling

You can change logo images, colors, and styles for ArcSight Web by creating and editing
the file <ArcSightWeb_HOME>/config/web/styles.properties.

This file doesn't exist by default, but you can create it by copying either
example.styles.properties or full.styles.properties and renaming it to
styles.properties.

Please do not modify the file
<ArcSightWeb_HOME>/config/web/styles.defaults.properties. This file
contains the default settings. It is overridden by your custom
styles.properties file.

The properties file provides information about those properties that can be changed, along
with example values.

To add custom branding or styles:

1 Modify the properties in styles.properties as needed to fit your custom branding
and style requirements, and remove the comment tags from the lines that contain
property settings you want to apply.

2 If you want to add one or more custom logo images as part of your re-branding effort,
you need to both modify the relevant property settings and add the image(s) to
the webapp/images directory:

• Modify the properties file to call your custom image file(s) and un-comment the
relevant lines (e.g., navbarLogoImg=MyCustomLogo.gif and
loginLogoImg=logo-login-MyCustomLogo.gif). You might also want to
modify and un-comment the logo image size property and navigation bar text
colors to make the proper customizations.
• Add the image file to the directory <ArcSightWeb_HOME>/webapp/images.
3 Restart ArcSight Web to see the effects of your custom changes.

Remember that branding changes are visible to anyone using that instance of ArcSight
Web. You can, however, run multiple instances of ArcSight Web against the same ArcSight
Manager.
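The following POSIX shell functions are an added example, not part of the ArcSight Web product or this guide: they carry out steps 1 and 2 above for the two logo properties named in this chapter and then verify that every logo file the properties reference actually exists under webapp/images, since a property that names a missing image is the usual cause of a broken logo after restart. Assumed: the install root is passed in as the first argument (the guide's <ArcSightWeb_HOME>), the starting point is example.styles.properties, and comment tags are the '#' or '!' of Java properties files.

```shell
#!/bin/sh
# Added example (not ArcSight's own tooling). Assumes a Java-style properties
# file where commented lines start with '#' or '!'.

# set_style_prop FILE KEY VALUE: replace any commented or live definition of
# KEY with a single live "KEY=VALUE" line.
set_style_prop() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    grep -v "^[#!]*[[:space:]]*${key}[[:space:]]*=" "$file" > "$tmp" || true
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# get_style_prop FILE KEY: print the live (un-commented) value of KEY, if any.
get_style_prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_logo_images HOME: confirm that each logo property set in
# styles.properties names a file present in webapp/images. Returns 1 and
# reports the missing files on stderr otherwise.
check_logo_images() {
    home=$1
    props="$home/config/web/styles.properties"
    missing=0
    for key in navbarLogoImg loginLogoImg; do
        img=$(get_style_prop "$props" "$key")
        if [ -z "$img" ]; then continue; fi   # not set: default image applies
        if [ ! -f "$home/webapp/images/$img" ]; then
            echo "missing: $key -> webapp/images/$img" >&2
            missing=1
        fi
    done
    return $missing
}

# brand_arcsight_web HOME NAVBAR_LOGO LOGIN_LOGO: create styles.properties from
# the example file if absent, set both logo properties to the image file names,
# copy the images into webapp/images, then run the consistency check.
# Step 3 of the chapter (restarting ArcSight Web) is left to the operator.
brand_arcsight_web() {
    home=$1; navbar_logo=$2; login_logo=$3
    props="$home/config/web/styles.properties"
    [ -f "$props" ] || cp "$home/config/web/example.styles.properties" "$props"
    set_style_prop "$props" navbarLogoImg "$(basename "$navbar_logo")"
    set_style_prop "$props" loginLogoImg "$(basename "$login_logo")"
    cp "$navbar_logo" "$login_logo" "$home/webapp/images/"
    check_logo_images "$home"
}
```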



Index

A
Active Channels 19
  Grids 21
  Headers 21
  Inline Filters 23
  Opening 19
  Viewing 21
Archived Reports
  Saving 106
  Viewing 107
ArcSight Express 13
  Getting Started with ArcSight Express 15
  Home Page 14
  Monitoring 16
  Reporting 18
ArcSight Web
  About 1
  Navigating 5
  What’s New 3
Audit Events 78

B
Branding 119

C
Cases 95
  Attachments tab 101
  Columns 96
  Events Tab 101
  Final Tab 100
  Follow Up tab 99
  How to create 97
  Initial Tab 97
  Notes Tab 102
  Security Classification Codes 96
Channels 19
  Preferences 117
Content
  ArcSight Express 13
  Standard Content 7

D
Dashboards 111
  Changing Layouts 111
  Viewing and Managing 111
Data Fields 32

E
Events
  Audit Events 78
  Data Fields 32
  Event Categories 25
  Events in cases 101
  Inspecting 24

F
Formats
  Preferences 117
Foundations 7
  Administration 8
  Configuration Monitoring 7
  Network Monitoring 8
  System Content 8
  Workflow 8

G
Getting Started
  with ArcSight Express 15
  with Standard Content 9

H
Home Page 5
  ArcSight Express Home Page 14

I
Inline Filters 23
Inspecting Events 24

K
Knowledge Base 113

L
Locale
  Preferences 117
logo
  customizing 119

M
Monitoring
  Active Channels 19
  ArcSight Express 16
  Dashboards 111
  Inspecting Events 24
  Standard Content 9

N
Navigating ArcSight Web 5
  ArcSight Express Home Page 14
  Basic Navigation 6
  Home Page 5
New Features 3
Notifications 103

O
Options 117

P
Password
  Changing 117
Preferences 117

R
Reference Pages 115
Reporting
  with ArcSight Express 18
  with Standard Content 10
Reports 105
  Advanced Configuration 108
  Parameters 106
  Running and Viewing 105
  Saving Archived Reports 106
  Viewing Archived Reports 107

S
see Active Channels 19
Standard Content 7
  Foundations 7
  Getting Started using Standard Content 9
styles.properties 119
System Content 8
