Annotating an Event

Purpose: To flag one or more events so that they can be tracked through a workflow. See the topic "Annotations" in ESM 101.

Where: Viewer panel displaying an active channel of events

Procedure:

  1. Select one or more events in any active channel. If the events are not already annotated, annotating them starts a collaboration cycle.

  2. Right-click the events and select Annotate Events or press Ctrl+T.

  3. In the Annotate Events dialog, set or change the events' annotation fields, as described below.

    Event Annotation Fields (each field name is followed by its usage)

    Stage

    Click this field to choose a different disposition state for the events' collaboration cycle. The default stage is [Queued] and available stages run from Initial to Closed.

    If you created your own stages as described in Creating or Editing Stages, those custom stages are also displayed here.

    Setting the event's Stage through a rule action:

    You can also set the selected event's stage automatically through the Set Event Field rule action. Each time the rule triggers, the stage set by the rule takes precedence over a stage set by manual annotation. Events marked as similar to this event are affected in the same way: their stages are also set by the Set Event Field rule action.

    If you want to override the rule action, add this line to the server.properties file:

    mark-as-similar.override-annotation-stage=true

    For the instructions on how to edit the server.properties file and implement your change, refer to the topic, "Managing and Changing Properties File Settings" in the ESM Administrator's Guide.

    See also Set Event Field in the Rule Actions Reference topic.

    Assign to

    Click this field to choose an ESM user to take the next step.

    Is Reviewed

    This read-only field tells you whether this event has been reviewed.

    In Case

    This read-only field tells you whether these events are already part of an ESM case. If they are, you have more ways to track their disposition.

    See Viewing a Case's Events in a Channel for related information.

    Correlated

    This read-only field tells you whether these events are part of a correlated event chain. If so, you can learn more through the rules authored to control that chain of correlation.

    Note: You can configure the ArcSight Forwarding Connector to send correlation events along with their correlated base events from a source Manager to a destination Manager. However, the forwarded base events carry the Correlated flag only in memory, where you can see it in an active channel. If you want the forwarded base events' Correlated flag to persist in the database, set this property in server.properties on the source Manager:

    logger.base-event-annotation.enabled = true

    For instructions on how to edit the server.properties file, refer to the ESM Administrator’s Guide’s topic on “Managing and Changing Properties File Settings.”
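    Both properties on this page (mark-as-similar.override-annotation-stage and logger.base-event-annotation.enabled) are applied by editing server.properties by hand. The script below is an added example, not ArcSight tooling and not taken from the Administrator's Guide, of doing that edit idempotently from a shell on the Manager host: it rewrites an existing "key=value" or "key = value" line (Java properties accept either spelling, so a plain grep for "key=true" can miss a value that is actually set), reactivates a commented-out copy, drops duplicates, appends the key if it is absent, and keeps a .bak copy. The file path, the sample file contents and the demo at the end are constructed for illustration; applying the change to the running Manager is the Administrator's Guide procedure referenced above and is not done here.

```shell
#!/bin/sh
# Added example (not ArcSight's own code): idempotently set a key in a
# Java-style .properties file such as the ESM Manager's server.properties.
# Assumptions: POSIX sh plus awk and mktemp; the file path is passed explicitly.
set -eu

# set_property FILE KEY VALUE
# Leaves exactly one active "KEY=VALUE" line in FILE: the first existing
# occurrence (active, or commented out with '#' or '!') is rewritten in place,
# later duplicates are dropped, and the key is appended if it was never there.
# A copy of the previous file is kept as FILE.bak.
set_property() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        BEGIN { seen = 0 }
        {
            line = $0
            sub(/^[ \t]*[#!]?[ \t]*/, "", line)          # ignore indent and a comment marker
            # literal prefix match, then optional blanks and a Java separator (= or :)
            if (index(line, key) == 1 &&
                match(substr(line, length(key) + 1), /^[ \t]*[=:]/)) {
                if (!seen) { print key "=" value; seen = 1 }   # first hit: rewrite
                next                                           # later hits: drop
            }
            print                                              # unrelated line: keep
        }
        END { if (!seen) print key "=" value }                # absent: append
    ' "$file" > "$tmp"
    cp -p "$file" "$file.bak"
    mv "$tmp" "$file"
}

# get_property FILE KEY
# Prints the active value of KEY (last active occurrence wins, as java.util.Properties
# does), or nothing if the key is absent or only present in a comment.
get_property() {
    awk -v key="$2" '
        {
            line = $0
            sub(/^[ \t]*/, "", line)
            c = substr(line, 1, 1)
            if (c == "#" || c == "!") next                     # comment line
            if (index(line, key) == 1) {
                rest = substr(line, length(key) + 1)
                if (match(rest, /^[ \t]*[=:][ \t]*/)) {
                    val = substr(rest, RLENGTH + 1)
                    sub(/[ \t]+$/, "", val)                    # trim trailing blanks
                    found = 1
                }
            }
        }
        END { if (found) print val }
    ' "$1"
}

# Demo on a constructed file (not a real Manager's server.properties).
demo=$(mktemp)
printf '# constructed sample\nlogger.base-event-annotation.enabled = false\n' > "$demo"
set_property "$demo" mark-as-similar.override-annotation-stage true
set_property "$demo" logger.base-event-annotation.enabled true
cat "$demo"
rm -f "$demo" "$demo.bak"
```

    Run it as root or as the user that owns the Manager installation, pointing set_property at the real server.properties path, then check the result with get_property before restarting anything.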

    Hidden

    This read-only field tells you whether these events are hidden from all but the assigned users of this stage.

    Closed

    This read-only field tells you whether the investigation of these events has been marked as closed. Closed events may no longer be visible to interested parties through active channels, for example.

  4. Add information in the Comments field as needed to clarify the collaborative process.

  5. To have your changes also affect related events, use the Mark Similar Events fields, as described in Mark Similar Events Fields.

  6. Click OK to update the event.