Event context channel question
There is such a nice option for investigation, the "event context channel". The problem is that it is based on "Manager receipt time". Is it possible to force this option to use event end time, as we mainly work with event end times? Thanks.
I don't find a straight solution to your question, whereas a workaround I could see is that you could edit the "event context channel", in which you could change to event end time.
Varun P G
Yeah, it does seem that no matter what the Active Channel is that you run the Event Context Channel from, it will always provide the option for the time span to be based on managerReceiptTime only! Reading through the error messages, I think I understand the reasoning though.
Back when ArcSight supported Oracle, we had to be very careful about the timestamps used and how they were indexed. Extended time frames on the timestamps would place undue load on the system when it had to work backwards through the events. In general, the way that CORR works means you don't really have this issue, but it does seem that the restriction on the functionality is still there. Not great, but it's still there.
I will drop a note to the PM group to see if there are any options here. However, do note that you can still use the Event Graph option. While not the same thing, it does give you a drill-down based on the events for that time frame and allows you to at least visualize things a little.
I do agree though, the Event Context Channel is an extremely powerful tool for understanding the events related to those in the range you have selected. I wonder how many other users know it's there?
I also use this incredible feature to do the first investigations.
You are taking the problem the wrong way. It takes the [managerReceiptTime] because that is the time at which the ESM receives events. It is the same for the Active List creation time, until recent ESM versions where I think you can choose which time to put in that field; it is also that time that is used by the Correlation Engine.
If it could take the [endTime], you would have incomplete results because of this:
- events with a wrong Time Zone defined
- events received in real time compared to events received with a delay
- events not sent yet because of the ArcSight rule 70% Real_time / 30% Cached Events
This is why the answer is to design, configure and fine-tune your infra properly, as much as possible, to have all your events in real time, which means with a small acceptable delay (1-2 min). You will see your SIEM infra will work better: no cache, no dropped events, no issues, fewer false positives in correlated events. And it will be easier to monitor.
It is possible,
- if you use the proper solution to collect the logs,
- if you solve all ESM/Connectors issues one by one,
- if you configure time sync correctly,
- if you configure and fine-tune all the connectors perfectly, so as not to add a bottleneck and not to introduce a delay in the process flow.
I have personally done this when it was possible, and the SIEM infra is working better than expected by HP.
80 Connectors - ESM v5.2 with Oracle DB - (>8000 EPS Avg & >15000 EPS Peak)
I have little caching, or only for short periods of time. Now it is time to migrate to ESM v6.9.1c because ESM v5.2 is not supported.
If you have any question, do not hesitate to contact me.
Paul, thank you for your answer. Do you have any advice on how I can do investigations in the most efficient way NOW, when this option is not available? I'll explain why I need such an option. We have event sources where events are recorded to pcap files. So I had to create some scripts which run every 5 or 10 minutes and parse these pcap files into files which a custom connector can understand. So events are introduced to ArcSight only 5-10 minutes after their occurrence. So we have a situation where event time is < manager receipt time. So in our case search by event end time is useless :( I think the best way would be an ability to choose which time to use for the event context channel. As for now I don't know what to do :(
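Paul's three reasons (wrong time zone, delayed delivery, cached events) and the 5-10 minute pcap lag in the last post can be simulated side by side. This is an added example, not code from the thread or from ArcSight: it uses constructed events and a simplified model of the context span (a +/-3 minute window on one timestamp, over events that ESM has already received at query time).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Event:
    name: str
    end_time: datetime              # device-reported endTime
    manager_receipt_time: datetime  # when ESM received the event

def _t(hh, mm, ss=0):
    # Constructed timestamps, all on one sample day in UTC
    return datetime(2020, 1, 1, hh, mm, ss, tzinfo=timezone.utc)

# Constructed sample traffic: the anchor event plus the cases discussed above
SAMPLE_EVENTS = [
    Event("anchor",     _t(12, 0),    _t(12, 0, 5)),   # event being investigated
    Event("realtime",   _t(12, 1),    _t(12, 1, 3)),   # tuned connector, seconds of lag
    Event("pcap_batch", _t(12, 2),    _t(12, 9)),      # parsed from pcap, 7 minutes late
    Event("wrong_tz",   _t(13, 1),    _t(12, 1, 10)),  # happened 12:01, device clock +1h
    Event("cached",     _t(11, 0),    _t(12, 3)),      # held in connector cache, flushed late
]

def context_window(events, anchor, field, before, after, query_time):
    """Events already in ESM at query_time whose `field` lies within
    [anchor - before, anchor + after]; mimics a context-channel time span."""
    lo, hi = anchor - before, anchor + after
    return sorted(e.name for e in events
                  if e.manager_receipt_time <= query_time
                  and lo <= getattr(e, field) <= hi)

def ingest_lag(events):
    """managerReceiptTime minus endTime per event; positive means the event
    reached ESM after it happened (the pcap scripts give several minutes)."""
    return {e.name: e.manager_receipt_time - e.end_time for e in events}

def compare(events=SAMPLE_EVENTS, span=timedelta(minutes=3)):
    """Run the same +/-3 minute span on both timestamps at two query times.
    The endTime result keeps changing as late events land; the receipt-time
    result is final once the window itself has passed."""
    anchor, out = events[0], {}
    for label, query_time in (("query_12:05", _t(12, 5)), ("query_12:15", _t(12, 15))):
        out[label] = {
            "by_endTime": context_window(
                events, anchor.end_time, "end_time", span, span, query_time),
            "by_managerReceiptTime": context_window(
                events, anchor.manager_receipt_time, "manager_receipt_time",
                span, span, query_time),
        }
    return out
```

At 12:05 the endTime span returns only anchor and realtime, because pcap_batch has not arrived yet; at 12:15 it gains pcap_batch, while the receipt-time span returns the same four events both times.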