Filtering events to forward from ArcSight

This section describes how ArcSight filters the events to be forwarded to Feed Service.

Filter imported from the ARB package

After the ARB package is imported, ArcSight contains the CyberTrace forwarding events filter used for filtering events to be forwarded to Feed Service.

The original CyberTrace forwarding events filter selects those events containing an IP address in the Destination Address field, a URL in the Request URL field, or a hash in the fileHash field that are sent by a device of one of the following vendors:

• Cisco®
• Microsoft®
• Juniper Networks®
• Trend Micro™
• McAfee®
• Imperva®
• CheckPoint
• Blue Coat®
• Apache®
• Fortinet
• Sourcefire®
• F5 Networks®
• FireEye®
• Palo Alto Networks
• Squid
• CyberTrace Verification Kit (for the verification test)

Additionally, the events selected by the original CyberTrace forwarding events filter must meet one of the following conditions:

• The Source Address or Source Host Name field of an event is not empty and the value of the Destination Address field is not subnets 192.168.0.0/16, 172.16.0.0/12, or 10.0.0.0/8.
• The Destination Address or Destination Host Name field of an event is not empty and the value of the Source Address field is not subnets 192.168.0.0/16, 172.16.0.0/12, or 10.0.0.0/8.
• The Request URL field of an event contains a URL.
• The fileHash field of an event contains a hash.

The use of the original CyberTrace forwarding events filter can significantly diminish the performance of ArcSight ESM. To reduce the load on the ArcSight ESM computer, edit the filter so that it will send fewer events or will make fewer checks. For example, you can remove from the filter those vendors whose events do not arrive in ArcSight or that need not be checked by Feed Service.

Checking an existing filter

You may want to check whether the desired events are selected by an existing filter.

To check whether the desired events are selected by an existing filter:

1. Create an active channel with the filter.

   Right-click the filter node in the Filters tree and select Create Channel with Filter.

   

   Creating a channel

2. Optionally, set the time interval for events to be displayed.

   

   Setting the time interval

3. Optionally, in the Inline Filter field, set an additional filter to narrow the output result.

   For example, you can set the device vendor, device product, or both, for events to be displayed.

   

   Setting the inline filter

4. Make sure that the events you want selected (and that meet the added condition) are displayed in the created active channel.

Editing an existing filter

You may want to change an existing filter. For example, if no events from a specific device vendor are displayed in the active channel, you can add the device vendor to a condition in the filter that filters device vendors.

To add a device vendor to the filter:

1. Open the filter.
2. Select the Filter tab.

   The filter conditions will be displayed, nested in the Event conditions tree item.

3. Edit a Device Vendor condition and add to it the device vendor whose events must be sent to Feed Service.

   

   Filter conditions

Browsing event information in ArcSight

You can browse the information contained in an event in order to select fields for filtering or for adding to output events.

To browse event information in ArcSight,

In an active channel, double-click an event that will be forwarded to Feed Service.

ArcSight Console will display the Event Inspector tab, which will contain the event data.

Event Inspector tab

Note that ArcSight and Feed Service operate events in CEF format, but ArcSight Console displays the event field names in human-readable form. The table below shows the correspondence between some of the field names in these two sets.

Field names in CEF format and in ArcSight Console

Field name in CEF	Field name in ArcSight Console
dst	Destination Address
dvc	Device Address
msg	Message
shost	Source Host Name

Page top