Active Channels

When the ARB package is imported to ArcSight, the following active channels become available:

• CyberTrace alerts

  Displays service events from Feed Service in real time.

  • The Reason field contains the identifier of the service event.
  • The Message field contains additional information about the event (if available).

  

  CyberTrace alerts active channel

• CyberTrace all matches

  Displays detection events from Feed Service in real time.

  • The Reason field contains the category of the detected object.
  • The Detected indicator field contains the detected object.
  • The Request Url field contains the URL that was detected in the event that was sent from ArcSight to Feed Service.
  • The File Hash field contains the hash that was detected in the event that was sent from ArcSight to Feed Service.
  • The Source Service Name field contains the name of the device vendor that sent the event to ArcSight.
  • The Source Process Name field contains the name of the device that sent the event to ArcSight.
  • The Event Outcome field contains the identifier of the original event that arrived in ArcSight and was then sent to Feed Service.
  • The Message field contains a brief description of the detection. The description is in the following format: "CyberTrace detected <name_of_the_feed_involved_in_the_detection_process>".
  • The Source User Name field contains the name of the user that was active on the endpoint device.
  • The Source Address field contains the IPv4 address that identifies the source to which the original event refers in an IP network.
  • The Destination Address field contains the destination IPv4 address that was detected in the event sent from ArcSight to Feed Service.
  • The Device Action field contains the action taken by the device as specified in the original event.
  • The Popularity, Threat Score, Threat, and other fields are taken from the feed that was involved in the detection process.

  

  CyberTrace all matches active channel

• CyberTrace hash matches

  Displays hash detection events from Feed Service in real time.

• CyberTrace URL matches

  Displays URL detection events from Feed Service in real time.

• CyberTrace IP matches

  Displays IP detection events from Feed Service in real time.

Page top