Creating or Editing an Active Channel
This topic shows how to create active channels manually, from triggered rules, and from filters.
Tip: Press Enter to register edits made in editors and channel columns.
To ensure that ESM registers a change you make to a field in editor and channel columns, press Enter before clicking Apply or OK.
Where: Navigator > Resources > Active Channels
To create or edit an active channel:
- Locate an active channel group.
- If you are creating an active channel, select New Active Channel. If you are editing an active channel, expand the group, right-click an active channel, and choose Edit Active Channel.
- Set these options:
Active Channel Attributes (each attribute is followed by its usage):
Start Time
The relative or absolute time reference that begins the period to track events in the channel. Edit the time expression, choose a common expression from the drop-down menu, or click the Selector button to choose an absolute date and time value. See Timestamp Variables for more options.
Notes:
- Time intervals: Based on the Start Time and End Time settings, the active channel rounds time to the following precision:
  If the interval from start to end time is less than 10 minutes, the time interval is at seconds precision.
  If the interval from start to end time is greater than 1440 minutes, the time interval is at hours precision.
  Otherwise, the time interval is at minutes precision.
- Change in Daylight Savings Time: If a channel is open when Daylight Savings Time starts or ends, it does not show the correct start time until you restart it.
You can change the default start time for new channels by editing the console.properties file in the <ArcSight_Console_HOME>/current/config directory. For example, add this line to change the start time to two hours ago:
  console.channel.newChannel.defaultSubtractTime="$Now - 2h"
For a list of possible time values, see the Start Time field pull-down menu. Refer to the topic "Managing and Changing Properties File Settings" in the ESM Administrator's Guide.
End Time
The relative or absolute time that ends the period to actively track the events in the channel. Edit the time expression, choose a common expression from the drop-down menu, or click the Selector button to choose an absolute date/time value. See Timestamp Variables for more options.
Notes:
- The time interval and Daylight Savings Time notes under Start Time also apply to End Time.
- If setting the End Time results in the message “Invalid end date for sliding channel,” the channel is set to Continuously evaluate instead of Evaluate once at attach time. Either re-set the End Time or change the Time Parameters option for the channel to Continuously evaluate.
- Avoid creating active channels that query more than one day. For active channels that query more than one day, use Evaluate time parameters once at attach time instead of Continuously evaluate. Better yet, use trends for these types of active channels. See also Best Practices to Optimize Channel Performance.
Use as Timestamp
Choose the event-timing phase that best supports your analysis. End Time represents the time the event ended, as reported by the device. Manager Receipt Time is the event's recorded arrival time at the ArcSight Manager.
Evaluation of time parameters
Choose whether the channel will Continuously evaluate to show events that are qualified by Start and End times which are re-evaluated constantly while the channel is running, or Evaluate once at attach time to show only the events that qualify when the channel is first run.
A channel set to Continuously evaluate is also known as a sliding channel, and typically has its End Time option set to $Now.
Filter
If creating a new channel, select an existing filter for the events processed through the channel. If you prefer, click Define to create a new filter to be used by this channel. Follow the instructions in
If editing a channel, go to the Filter tab to make your edits.
Fields
Choose an existing event field set for the events processed through the channel. The default field set is for users who view a channel for the first time. If no default is specified, the ArcSight system default is used. When a user closes a channel, ArcSight saves the field set (and all other Console settings) to the user’s .ast file. After a user has opened a channel once, the Console does not use the default field set for that user again. Changing the default only affects other users who have never opened the channel before.
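As an added illustration, not ArcSight code and not part of this page, the following Python checks a channel's Start Time and End Time settings against the rules above: it resolves relative expressions of the form shown on this page ($Now - 2h), reports the time-interval precision (seconds, minutes, or hours), and warns when a channel set to Continuously evaluate spans more than one day. The +/- and m/h/d grammar, the hypothetical helper names, and the fixed reference time are assumptions; the Console's Start Time pull-down lists the real values.

```python
# Added example, not ArcSight code: sanity-check an active channel's time settings.
import re
from datetime import datetime, timedelta

# Assumed grammar for relative expressions: "$Now" optionally followed by +/- and
# a count with unit m (minutes), h (hours) or d (days). The page shows "$Now - 2h";
# the full list of accepted values is the Start Time pull-down in the Console.
_REL = re.compile(r"^\$Now(?:\s*([+-])\s*(\d+)\s*([mhd]))?$")
_UNIT = {"m": timedelta(minutes=1), "h": timedelta(hours=1), "d": timedelta(days=1)}
FIXED_NOW = datetime(2024, 3, 1, 12, 0, 0)  # constructed reference time for the demo

def resolve(expr, now):
    """Resolve a relative time expression to an absolute datetime."""
    m = _REL.match(expr.strip().strip('"'))  # the properties line quotes the value
    if not m:
        raise ValueError(f"unsupported time expression: {expr!r}")
    sign, count, unit = m.groups()
    if sign is None:
        return now
    delta = int(count) * _UNIT[unit]
    return now + delta if sign == "+" else now - delta

def precision_for(interval_minutes):
    """Precision the channel rounds to, per the time-interval rule under Start Time."""
    if interval_minutes < 10:
        return "seconds"
    if interval_minutes > 1440:
        return "hours"
    return "minutes"

def check_channel(start, end, evaluation, now=FIXED_NOW):
    """Return interval length, precision and reviewer warnings for a channel's time settings."""
    minutes = (resolve(end, now) - resolve(start, now)).total_seconds() / 60
    warnings = []
    if minutes <= 0:
        warnings.append("End Time is not after Start Time")
    if minutes > 1440 and evaluation == "Continuously evaluate":
        # Page guidance: a channel querying more than one day should evaluate its time
        # parameters once at attach time, or be replaced by a trend.
        warnings.append("spans more than one day; use 'Evaluate once at attach time' or a trend")
    return {"interval_minutes": minutes, "precision": precision_for(minutes), "warnings": warnings}

if __name__ == "__main__":
    print(check_channel("$Now - 2h", "$Now", "Continuously evaluate"))
    print(check_channel("$Now - 7d", "$Now", "Continuously evaluate"))
```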
- Click the Examples button to see how to specify commonly used channel values.
Entering data in the Common and Assign sections is optional, depending on how your environment is configured. For information about the Common and Assign attributes sections, as well as the read-only attribute fields in Parent Groups and Creation Information, see Common Resource Attribute Fields.
- Click the Filter tab to edit the channel's filter condition as described in Creating or Editing a Filter.
To view the full conditions for the MatchesFilter operator, click the Summary tab and then click the Expand Filter button to display the filter conditions for debugging. Note that in this case, the display of the MatchesFilter full logic does not include the sub-filters of the matched filter; full logic is displayed only for the first level of matched filter conditions.
- Click the Sort Fields tab to explicitly set which fields to sort the channel on in grid views, the sort order for those fields, and whether sorting for each field is ascending (A to Z) or descending (Z to A).
- Click the Local Variables tab to use ArcSight local variables with the channel's filters.
Tip: You can create local variables, which are only available to the resource you are creating (in this case, an active channel), or use global variables. For information on creating global variables, see Creating or Editing a Filter and Global Variables.
- Optional: To add information in the Notes tab, refer to Using Notes.
- Click OK to save the channel and to open and run it in the Viewer panel.
To view results of triggered rules in channels:
See Verifying Rules with Events.
To create active channels from filters:
- In the Filters resource tree, right-click a filter and select Create Channel with Filter.
- Do the same for:
  - Connectors
  - Assets, including vulnerabilities, zones, and categories
  - Stages
  - Cases with events. For such cases, right-click and select Case Details Channel. See Viewing a Case's Events in a Channel.