
I am facing a challenge understanding how device event category is assigned to an event by the connector in ArcSight, and can we customize it or does it get auto-assigned? Besides, how do we define custom strings for an event at connector level? Can som


Hi,

I need to understand 2 things:

1> How is the device event category assigned? Can we customize it? Or is it auto-assigned? What role does it play?

2> How do we define custom strings in ArcSight for an event? Do we define them at connector level?

Can someone please assist?


Accepted Solutions

Those are just rules of a specific type. You can find them by searching for "Pre-persistence rules" in the ESM console guide. Page 398 in the 6.8c version.


Hello!

1) How is the device event category assigned? Can we customize it? Or is it auto-assigned? What role does it play?

It is assigned at the connector level. The role is that it can be widely used in correlation rules, like the other categorization fields. For example, when parsing Windows, this field shows the log type (Application, Security, System, etc.).

2) How do we define custom strings in ArcSight for an event? Do we define them at connector level?

It is assigned fully at the connector level. You can assign it by:

    2.1) Editing connector parser (when writing your own flex).

    2.2) By mapping an additional field in a console using Connector -> Send Command -> Mapping -> Map Additional Data Name, as well as the other fields.


Hi Nikolay,

Thanks for your valuable answer!

Can I view this configuration directly in connector configuration by logging into say a VM where I have installed my connector?

Thanks,

Vishesh


Hello,

1. Also don't forget to deploy the context and content AUPs for categorization (AUP Master must be set to true on the ESM destination).

2. Do you want to modify the base or the correlation event?

Volker


Can I view this configuration directly in connector configuration by logging into say a VM where I have installed my connector?


I think for the standard connectors this is pre-defined and obfuscated.

But you may change the mapping anytime you want.


Hi Volker,

I want to modify the base event and add some custom strings to it.

Thanks,

Vishesh


To modify base events you can use:

  • Pre-persistence rules in ESM or Express
  • Parser overrides or map files at the connector level

~ Ofer


Hi Ofer,

Can you please assist me with how I can modify pre-persistence rules in ESM?

Thanks,

Vishesh


Those are just rules of a specific type. You can find them by searching for "Pre-persistence rules" in the ESM console guide. Page 398 in the 6.8c version.
