Acclaimed Contributor.

ArcSight categorization methods, overrides and precedence

There are several ways in which an event can be categorized within ArcSight. Each method affects the final outcome of the categorization differently. This document is meant to clarify the different methods and the final outcome of each. The basic rule is that the first method to categorize an event wins: once the event is categorized, the other methods will no longer categorize it. The methods are listed below in the order in which they are evaluated. The exception is map files, which can modify existing categorization.

1. User override files on the connector

These are manually created csv files placed in one of two directories:

  • For destination-specific overrides, files are placed in the following directory. Categorization files placed in this directory will only affect categorization for the particular destination corresponding to the given agent ID.

  • For general overrides for all destinations for the given connector, files should be placed in this directory:

In either case, the file should be named <device_product>.csv. Device_vendor and device_product are lowercase representations of the values displayed in the Device Vendor and Device Product columns in the ArcSight Console for that device, with everything except letters and digits replaced with the underscore (_) character.

Categorization in these files will always override the AUP categorization for the specified vendor/product pair. Use this method if you want an event to always be categorized a certain way, disregarding ArcSight’s categorization.

The standard format for a categorization file is as follows: a header line, specifying the event identifier and the category fields being set, followed by one line per event ID with the specific categorization values. For example, a user override file for snort.csv may contain:

event.deviceEventClassId,set.event.categoryObject,set.event.categoryBehavior,set.event.categoryTechnique,set.event.categoryDeviceGroup,set.event.categorySignificance,set.event.categoryOutcome
[1:7925],/Host/Application,/Communicate,/Exploit/Vulnerability,/IDS/Network,/Compromise,/Attempt
[1:7928],/Host/Application,/Communicate/Query,,/IDS/Network,/Compromise,/Attempt

It is not necessary to set every categorization field in the file, but you should set every field that you want to populate.

2. Map files

Standard connector mapping can also be used to set or change categorization values.

Change categorization by placing a file named map.X.properties in the folder $ARCSIGHT_HOME/user/agent/map (X is a sequence number, which needs to be consecutive among all map files in the folder) and using a "setter" for a category field.

For example, such a file can look like this:

event.name,set.event.categoryBehavior
SQL_Login,/Authentication

3. Content AUP file on the connector

This is the basic method by which most events are categorized. A default AUP file is shipped with the connector; however, this file is updated regularly by ArcSight in the form of Content AUP updates. The AUP is placed on the ESM host and pushed to registered connectors by the Manager.

4. User overrides generated through the Console categorization tool

A user can specify how they want an event to be categorized using the Console’s categorization tool.

This method will create a file called <device_product>.csv on ESM in the <Manager_home>/user/agent/acp/categorizer/current/<device_vendor>/ directory. All files in this base directory will be packaged by ESM into an AUP file in the <home>/updates/ directory and given a name similar to:

user-categorizations_user_supplied_00000000008200287873.aup

This process is completely automated and does not require user interaction. The process and file names are provided here for informational purposes only.

Categorization applied using this method only takes effect if the events are not already categorized by one of the other methods listed above. The Console tool method allows a user to categorize events that have not been categorized by ArcSight, but that categorization will be overridden by the AUP if ArcSight does categorize the event.
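
A pre-deployment check for the user override files described in section 1, added here as an example (it is not ArcSight or Micro Focus code): override_filename applies the naming rule, and lint_override verifies that each row has as many fields as the header, so a dropped comma cannot silently shift a value into the wrong category field. The function names, the ASCII-only reading of "letters and digits", and the leading-slash check on category values are assumptions; the sample is constructed from the snort.csv example above.

```python
import csv
import io
import re

# The six category setters named in the snort.csv header on this page.
SETTERS = {"set.event.category" + s for s in (
    "Object", "Behavior", "Technique", "DeviceGroup", "Significance", "Outcome")}

def override_filename(device_product):
    """Lowercase, then replace everything except letters and digits with '_'.
    Assumption: 'letters' means ASCII a-z."""
    return re.sub(r"[^a-z0-9]", "_", device_product.lower()) + ".csv"

def lint_override(text):
    """Return a list of problems found in a categorization override file."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    if not rows:
        return ["file is empty"]
    header, problems, seen = rows[0], [], set()
    if not header[0].startswith("event."):
        problems.append("first column must be the event identifier field")
    for col in header[1:]:
        if col not in SETTERS:
            problems.append(f"unknown setter column: {col!r}")
    for n, row in enumerate(rows[1:], start=2):
        if len(row) != len(header):  # a dropped comma shifts later categories
            problems.append(f"line {n}: {len(row)} fields, header has {len(header)}")
            continue
        if row[0] in seen:
            problems.append(f"line {n}: duplicate event ID {row[0]}")
        seen.add(row[0])
        for col, val in zip(header[1:], row[1:]):
            # Empty means "leave unset"; assumption: set values start with '/'.
            if val and not val.startswith("/"):
                problems.append(f"line {n}: {col} value {val!r} lacks leading '/'")
    return problems

# Constructed sample: the page's header, one good row, one row a field short.
SAMPLE = (
    "event.deviceEventClassId,set.event.categoryObject,"
    "set.event.categoryBehavior,set.event.categoryTechnique,"
    "set.event.categoryDeviceGroup,set.event.categorySignificance,"
    "set.event.categoryOutcome\n"
    "[1:7925],/Host/Application,/Communicate,/Exploit/Vulnerability,"
    "/IDS/Network,/Compromise,/Attempt\n"
    "[1:7928],/Host/Application,/Communicate/Query,/IDS/Network,/Compromise,/Attempt\n"
)
if __name__ == "__main__":
    print(override_filename("Snort"), lint_override(SAMPLE))
```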

3 Replies
Super Contributor.


Good information like usual!  Could you add to this page and describe how to package and deploy the various methods (where applicable) using ArcMC?

If I haven't done one in a while, it usually takes me a few tries to get the directory structure right when creating the repository zip file.

I'm sure this would be helpful for others in the forums...



Regular Contributor.

I have a case where I am trying to write a categorization override file, but the issue is that I have two events, both of which have multiple values under the same ID. The difference is in the action, so I want to make the categorization based on the event ID and the device action. How can I do that? And is there a guide for categorization?

Super Contributor.

Hi ArcSight Team,

The layout of this page is somewhat askew, could you please fix it, just add some end of line by hitting the Return button at the right place 🙂


