Configuring Event Graphs
Purpose: You can modify the way graphs plot events: keep the source-event-target visual relationships compact, emphasize unique sources or unique targets, or do both, in order to clarify the nature of attacks or situations.
Where: Edit > Preferences > Event Graph
-
Show Event Nodes: Choose a basis for visually expanding or aggregating event nodes, relative to their source and target node instances.
Choice: Description
Once per common event: Graph only one instance of a given event node, regardless of the number of unique sources and targets that have it in common. For example, if sources 1 and 2 are directing the same event at targets 1, 2, and 3, there may be visual instances for each source and target, but only one of the event node.
Once per unique source: Graph one instance of a given event node per unique source, regardless of the commonality of associated targets. For example, if sources 1 and 2 are directing the same event at targets 1, 2, and 3, there are two visual instances of the event in support of the two distinct sources.
Once per unique target: Graph one instance of a given event node per unique target, regardless of the commonality of associated sources. For example, if sources 1 and 2 are directing the same event at targets 1, 2, and 3, there are three visual instances of the event in support of the three distinct targets.
Once per unique source or target: Graph one instance of a given event node per unique source-target pair, regardless of the commonality of the events involved. For example, if sources 1 and 2 are directing a given event at targets 1, 2, and 3; and as a chain, targets 1, 2, and 3 are sourcing the same events on to targets 4, 5, and 6; then there are six visual instances of the event in support of six distinct targets.
-
Show Source/Target IP Addresses as: In cases where one source-event-target chains to another, you can choose to graph a source/target IP address as a single node, or to graph both the source and target instances of such an IP address.
Choice: Description
Distinct nodes: Visually plot both the source and target instances of a chained IP address.
Simple nodes: Visually plot a single node for an IP address that represents both source and target.
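The event-node aggregation choices and the chained-address choice described above, as an added Python model. This is not ArcSight's own code; the addresses, the event name and the keying rule used for each choice are assumptions drawn from the descriptions in this topic.

```python
# Added example (not ArcSight's code): models how the "Show Event Nodes" and
# "Show Source/Target IP Addresses as" preferences change the node count in an
# event graph. Addresses and the event name are constructed sample values.

# Constructed data: sources S1 and S2 direct the same event at targets T1, T2, T3.
BASIC = [(s, "Event A", t) for s in ("S1", "S2") for t in ("T1", "T2", "T3")]

# Constructed chain: T1..T3 pass the same event on to T4..T6, so T1..T3 act as
# both targets and sources (the chaining case the IP-address preference covers).
CHAINED = BASIC + [(s, "Event A", t) for s in ("T1", "T2", "T3")
                   for t in ("T4", "T5", "T6")]

# One visual event node per distinct key; the key depends on the preference.
# (Assumed keying rules, read from the choice descriptions.)
EVENT_NODE_KEY = {
    "once per common event": lambda s, e, t: (e,),
    "once per unique source": lambda s, e, t: (e, s),
    "once per unique target": lambda s, e, t: (e, t),
    "once per unique source or target": lambda s, e, t: (e, s, t),
}

def count_event_nodes(triples, mode):
    """Number of event nodes drawn for (source, event, target) triples under a mode."""
    key = EVENT_NODE_KEY[mode]
    return len({key(s, e, t) for s, e, t in triples})

def address_nodes(triples, distinct_nodes):
    """Address nodes drawn: 'Distinct nodes' keeps a chained address's source and
    target instances apart; 'Simple nodes' merges them into a single node."""
    nodes = set()
    for s, _, t in triples:
        nodes.add((s, "source") if distinct_nodes else s)
        nodes.add((t, "target") if distinct_nodes else t)
    return nodes

def chained_addresses(triples):
    """Addresses that appear as both a source and a target."""
    return {s for s, _, _ in triples} & {t for _, _, t in triples}

if __name__ == "__main__":
    for mode in EVENT_NODE_KEY:
        print(f"{mode}: {count_event_nodes(BASIC, mode)} event node(s)")
    print("chained addresses:", sorted(chained_addresses(CHAINED)))
    print("distinct nodes:", len(address_nodes(CHAINED, True)),
          "simple nodes:", len(address_nodes(CHAINED, False)))
```

Running it on the constructed data reproduces the 1/2/3/6 counts given in the choice descriptions and shows that the three chained addresses are drawn twice under Distinct nodes and once under Simple nodes.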
-
Source Node Identifier: Choose a different event attribute to use as the identifier for source nodes. The default attribute is Source Address. Note that while all attributes are available, not all are appropriate choices for this purpose.
-
Event Node Identifier: Choose a different event attribute to use as the identifier for event nodes. The default attribute is ArcSight Category. Note that while all attributes are available, not all are appropriate choices for this purpose.
-
Target Node Identifier: Choose a different event attribute to use as the identifier for target nodes. The default attribute is Target Address. Note that while all attributes are available, not all are appropriate choices for this purpose.
-
Graph Layout: Set the layout for all event graphs.
Note: You can override this default layout setting while you are viewing an event graph. For more details, refer to the topic "Event Graphs as an Investigation and Analysis Tool" in ESM 101.
Hierarchical Layout: Display the event graph in tree-like nodes to show a related, sequential flow.
Organic Layout: The default layout.
Circular Layout: Display the source node as the center and the destination nodes arranged in a circle around the source.
Orthogonal Layout: Display the edges of the graph to run horizontally or vertically, parallel to the layout's X and Y axes.
-
Default Field Set: Choose from the ArcSight-provided field sets to supply the data points in the graph. The default field set is from /All Field Sets/ArcSight System/Event Field Sets/Active Channels/Standard.