Events begin at network devices that can sense and record security-sensitive activity. Examples include a database record change, a syslog entry, a connection passing through a firewall, an access to a router, or the swipe of a door access card.
Such initial events are typically recorded in logs, and are sometimes called base or raw events.
When numerous source devices are reporting large volumes of relatively similar events, it is desirable to funnel these events through central event concentrators that forward a much-reduced set of representative or summary events.
When these events reach ArcSight SmartConnectors, several things can happen.
All received events are normalized (restructured) to make their information consistent and ready for analysis.
All received events are categorized (appended with classification information) using ArcSight's event categorization taxonomy.
If appropriate and the SmartConnector is configured to do so, events are aggregated to issue fewer and more meaningful events and to reduce network traffic.
If appropriate and the SmartConnector is configured to do so, selected events are filtered out, to eliminate them as a further traffic or processing burden.
For certain devices, the option may be available for the SmartConnector to apply analysis rules to incoming events and to issue correlation events concerning them.
At SmartConnectors, filtering removes events from the system entirely (unlike filtering in the Manager, described below, which only selects what you see). Aggregation replaces many events with fewer new ones bearing summary information.
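The four connector stages described above, as an added example that is not part of this documentation or of ArcSight's own SmartConnector code. The syslog lines, the field schema (src, dst, dport, user and so on), the category strings, the noise-filter policy and the aggregation key are all assumptions made for the illustration; filtering is run before aggregation here so that discarded events never reach a summary.

```python
import re
from collections import OrderedDict

# Constructed sample syslog lines (made up for this example; not real device output).
RAW_LINES = [
    "Jan 10 10:00:01 fw1 kernel: DROP IN=eth0 SRC=10.1.1.5 DST=192.168.0.10 PROTO=TCP DPT=22",
    "Jan 10 10:00:02 fw1 kernel: DROP IN=eth0 SRC=10.1.1.5 DST=192.168.0.10 PROTO=TCP DPT=22",
    "Jan 10 10:00:03 fw1 kernel: DROP IN=eth0 SRC=10.1.1.5 DST=192.168.0.10 PROTO=TCP DPT=23",
    "Jan 10 10:00:04 fw1 kernel: ACCEPT IN=eth0 SRC=10.1.1.9 DST=192.168.0.10 PROTO=TCP DPT=443",
    "Jan 10 10:00:05 fw1 kernel: ACCEPT IN=eth0 SRC=10.1.1.9 DST=192.168.0.10 PROTO=TCP DPT=443",
    "Jan 10 10:00:06 srv1 sshd[2211]: Failed password for root from 10.1.1.5 port 50123 ssh2",
    "Jan 10 10:00:07 srv1 sshd[2211]: Failed password for invalid user admin from 10.1.1.5 port 50124 ssh2",
    "Jan 10 10:00:08 srv1 sshd[2212]: Accepted password for alice from 10.1.1.20 port 50200 ssh2",
    "Jan 10 10:00:09 fw1 kernel: something the parser does not understand",
]

SYSLOG_PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "

# One parser per device type: (product label, regex, event-name template). Hypothetical formats.
PARSERS = [
    ("firewall",
     re.compile(SYSLOG_PREFIX + r"kernel: (?P<action>ACCEPT|DROP) IN=\S* SRC=(?P<src>\S+) "
                r"DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dport>\d+)"),
     "Firewall {action}"),
    ("sshd",
     re.compile(SYSLOG_PREFIX + r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
                r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"),
     "SSH password {outcome}"),
]


def normalize(line):
    """Stage 1: restructure one raw line into a common field schema.
    The schema (src, dst, dport, user, ...) is a simplified stand-in for a normalized event."""
    for product, rx, name_tpl in PARSERS:
        m = rx.match(line)
        if m:
            fields = m.groupdict()
            ev = {"type": "base", "device_product": product, "name": name_tpl.format(**fields),
                  "raw": line, "count": 1}
            ev.update(fields)
            return ev
    # Lines no parser understands are kept, not silently dropped (assumed connector policy).
    return {"type": "base", "device_product": "unknown", "name": "Unparsed Event",
            "raw": line, "count": 1}


def categorize(ev):
    """Stage 2: append classification fields. The category strings are illustrative only,
    loosely modelled on a behavior/outcome taxonomy; they are not ArcSight's actual values."""
    if ev["device_product"] == "firewall":
        ev["category_behavior"] = "/Access"
        ev["category_outcome"] = "/Success" if ev["action"] == "ACCEPT" else "/Failure"
    elif ev["device_product"] == "sshd":
        ev["category_behavior"] = "/Authentication/Verify"
        ev["category_outcome"] = "/Success" if ev["outcome"] == "Accepted" else "/Failure"
    else:
        ev["category_behavior"] = ev["category_outcome"] = "/Unknown"
    return ev


def noise_filter(ev):
    """Stage 3 predicate: True means the connector discards the event for good.
    Assumed local policy: accepted HTTPS connections are noise for this deployment."""
    return ev["device_product"] == "firewall" and ev["action"] == "ACCEPT" and ev["dport"] == "443"


def aggregate(events, key_fields=("device_product", "action", "src", "dst", "dport")):
    """Stage 4: replace runs of similar firewall events with one summary event carrying a count
    and a start/end time; events of other products pass through untouched."""
    groups = OrderedDict()
    out = []
    for ev in events:
        if ev["device_product"] != "firewall":
            out.append(ev)
            continue
        key = tuple(ev[k] for k in key_fields)
        if key in groups:
            groups[key]["count"] += 1
            groups[key]["end_time"] = ev["ts"]
        else:
            groups[key] = dict(ev, start_time=ev["ts"], end_time=ev["ts"])
            out.append(groups[key])
    for summary in groups.values():
        summary["type"] = "aggregated" if summary["count"] > 1 else "base"
    return out


def run_connector(lines, drop=noise_filter):
    """Normalize -> categorize -> filter -> aggregate (filtering first is this example's choice)."""
    events = [categorize(normalize(line)) for line in lines]
    events = [ev for ev in events if not drop(ev)]
    return aggregate(events)


if __name__ == "__main__":
    for ev in run_connector(RAW_LINES):
        print(ev["type"], ev["count"], ev["name"], ev.get("src"), ev["category_outcome"])
```

On the nine constructed lines the connector emits six events: the two accepted HTTPS connections are filtered out for good, the three firewall drops collapse into two summary events (the two identical port-22 drops become one aggregated event with a count of 2), the three SSH events pass through individually, and the unparseable line survives as an "Unparsed Event" so that nothing disappears unnoticed.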
When the events from SmartConnectors pass to Managers, they can again be considered base events in the sense that they are in a state prior to processing. More generally, any event that is subject to further processing, even if it is itself the result of previous processing, can be considered a base event.
All base events entering the Manager are subject to:
Correlation to derive more intelligence from the events. Correlation adds new events containing the results of correlation activity. You apply correlation through the rules and data monitors in their respective resource trees of the Navigator panel. Correlation events have flash icons in grid views.
Filtering to selectively see and report on events. Filtering within the Manager does not actually discard events. You apply filtering with the resources in the Filters tree in the Navigator panel.
Note that all aggregation actually occurs at SmartConnectors, not within the Manager. You apply aggregation through the resources in the Rules tree of the Navigator panel.
There are therefore only three kinds of events: base, aggregated, and correlation events. Note that any such event in the system can (if the right rules and data monitors are present) become the input that produces new correlation events. The Manager's rules engine is designed to prevent infinite loops, so a chain of correlation events cannot feed on itself indefinitely.
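The Manager-side behaviour described above (correlation adding new events, correlation events feeding further correlation, filtering that selects without discarding, and the rules engine refusing to loop) as an added example. It is not ArcSight's rules engine and not code from this documentation: the base events are constructed, the rule definitions, the `depth` field and the `MAX_DEPTH` cap are assumptions, and the two loop guards in `feed()` are one illustrative way of preventing a rule from feeding on its own output.

```python
MAX_DEPTH = 3  # assumed safety cap on chained correlation generations; not an ArcSight setting

# Constructed, already-normalized base events as a connector might deliver them (made up).
BASE_EVENTS = [
    {"type": "base", "t": 1,  "name": "SSH password Failed",   "src": "10.1.1.5",  "user": "root",  "depth": 0},
    {"type": "base", "t": 2,  "name": "SSH password Failed",   "src": "10.1.1.5",  "user": "admin", "depth": 0},
    {"type": "base", "t": 3,  "name": "SSH password Failed",   "src": "10.1.1.5",  "user": "root",  "depth": 0},
    {"type": "base", "t": 4,  "name": "SSH password Accepted", "src": "10.1.1.5",  "user": "root",  "depth": 0},
    {"type": "base", "t": 5,  "name": "SSH password Accepted", "src": "10.1.1.20", "user": "alice", "depth": 0},
    {"type": "base", "t": 70, "name": "SSH password Failed",   "src": "10.1.1.7",  "user": "bob",   "depth": 0},
]


def is_fail(ev):
    return ev["name"] == "SSH password Failed"


def is_success(ev):
    return ev["name"] == "SSH password Accepted"


def is_corr(name):
    """Predicate matching a correlation event produced by the rule called `name`."""
    return lambda ev: ev["type"] == "correlation" and ev["name"] == name


def by_src(ev):
    return ev.get("src")


class Rule:
    """A sequence rule: fires when its stages match in order, for one key, inside `window` seconds.
    A threshold rule ("3 failures") is just the same predicate repeated three times."""

    def __init__(self, name, stages, key, window):
        self.name, self.stages, self.key, self.window = name, stages, key, window
        self.state = {}  # key -> (index of next stage to match, time of first match)

    def feed(self, ev):
        """Return a new correlation event if this rule fires on ev, else None."""
        # Loop prevention 1: a rule never consumes an event it generated itself.
        if ev.get("generator") == self.name:
            return None
        # Loop prevention 2: refuse input that is already too many generations deep.
        if ev["depth"] >= MAX_DEPTH:
            return None
        k = self.key(ev)
        idx, start = self.state.get(k, (0, ev["t"]))
        if ev["t"] - start > self.window:      # window expired: start over for this key
            idx, start = 0, ev["t"]
        if not self.stages[idx](ev):
            return None
        idx += 1
        if idx < len(self.stages):
            self.state[k] = (idx, start)
            return None
        self.state.pop(k, None)                # fired: reset so the same run does not refire
        return {"type": "correlation", "generator": self.name, "name": self.name,
                "t": ev["t"], "src": ev.get("src"), "depth": ev["depth"] + 1,
                "stages": len(self.stages)}


def make_rules():
    """Fresh rule instances (rules carry state, so build new ones per run)."""
    return [
        Rule("Brute Force Attempt", [is_fail, is_fail, is_fail], by_src, window=60),
        # Consumes a correlation event from the rule above plus a base event:
        # correlation output becoming correlation input.
        Rule("Brute Force then Success", [is_corr("Brute Force Attempt"), is_success], by_src, window=60),
        # Matches every correlation event; without the guards in feed() it would match its own output.
        Rule("Correlation Activity Alert", [lambda ev: ev["type"] == "correlation"], by_src, window=60),
    ]


def run_manager(base_events, rules):
    """Push base events through all rules; correlation events re-enter the stream immediately."""
    queue = list(base_events)
    seen = []
    while queue:
        ev = queue.pop(0)
        seen.append(ev)
        fired = [c for c in (r.feed(ev) for r in rules) if c is not None]
        queue[0:0] = fired
    return seen


def view(events, predicate):
    """Manager-side filtering: selects events to look at or report on; nothing is discarded."""
    return [ev for ev in events if predicate(ev)]


if __name__ == "__main__":
    stream = run_manager(BASE_EVENTS, make_rules())
    for ev in view(stream, lambda e: e["type"] == "correlation"):
        print(ev["t"], ev["name"], ev["src"], "depth", ev["depth"])
```

Running it on the six constructed base events yields ten events in the stream: the original six plus four correlation events (the brute-force detection at t=3, the "then success" detection at t=4, and one "Correlation Activity Alert" for each of those). The third rule matches every correlation event, so without the generator check in `feed()` it would fire on its own output forever; with it, the run terminates, and `view()` shows that filtering in the Manager leaves all six base events in place.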
Apart from the events that originate on the network, and the correlation events the Manager issues in response to them, the Manager generates many other events of its own for a variety of purposes.
These internal events can be divided into Audit Events and Status Monitor Events. You can use audit events to track, or react to, system activity at all levels of operation from data monitors to the database. Status monitor events are valuable for getting system state information. Review these topics on Audit Events and Status Monitor Events to become familiar with the characteristics of all the available events.
You can apply all analytic tools to any events present, whether base or correlation, originating externally or internally.