Showing Event Details and Rule Chains

Rule-based correlation events are those generated by a triggered ArcSight rule as a reaction to an original sensor-generated event. In other words, an event concerning an event. You recognize correlation events in active channels by their red Flash icon . To mask active channels so they show only correlation events, select the check box at the top of the channel's left-most column.

To display event details:

1. In an active channel, select an event.

2. Right-click and select Show event details. The event's details appear in the Event Inspector.

More:

• Some system operations, for example, audit event generations, are done on behalf of a special system user called 1ROOTUSER. When you are investigating event details, you might see a user ID with this value. This user ID is valid and intended for internal use only.

• When you apply an actor field set to an event being displayed in the event inspector, you may experience an extended load time.

To display simple event rule chains:

1. In an active channel, select a correlation event. You recognize correlation events in active channels by their red Flash icon .

2. Right-click and select Rule options > Simple chain.

To display detailed event rule chains:

1. In an active channel, select a correlation event.

2. Right-click and choose Correlation options > Detailed chain.

   The events leading up to the correlation event appear in the Description panel at the top of the Inspector.

3. Click any event in the chain to see its details on the panel, below the description.

To view forwarded correlation events and their correlated (base) events:

Based on your requirements, you can configure the Forwarding Connector to send only the correlation events without the correlated (also referred to as base) events from one source Manager to a destination Manager. You can also configure the connector to include the correlated events automatically, whenever a correlation event is forwarded.

After the correlation and correlated events are forwarded, you can view them on the destination through the Event Inspector. Make sure the source Manager is configured correctly according to the instructions in the Forwarding Connector Configuration Guide.

To display correlation-event rules:

1. In an active channel, select a correlation event. You recognize correlation events in active channels by their red Flash icon .

2. Right-click and select Correlation options, then Show triggering resource.

The rule or resource that triggered the correlation event is selected in the Navigator panel's Rules resource tree and that rule appears in the Rules Editor.

To execute or clear rule actions:

1. In an active channel, select a correlation event. You recognize correlation events in active channels by their red Flash icon .

2. Right-click and select Rule options, then Clear Rule Actions to clear all actions associated with this rule.

For more information, see Managing Rule Actions.

To launch event details in a browser:

1. In an active channel, right-click an event and choose Show event details.

2. In the condition table of the Event Inspector, right-click and choose Launch Event Details in Browser.

A Web browser opens with the selected event's details.

To hide empty rows in the Event Inspector:

1. In an active channel, right-click an event and choose Show event details.

2. In the condition table of the Event Inspector, right-click and choose Hide Empty Rows.