Creating or Editing a Session List

Purpose: Session lists are defined in conjunction with rules specifically tailored to interact with and populate the lists dynamically.

Where: Navigator > Resources > Lists > Session Lists tab

To create or edit a session list:

  1. To create a session list, right-click a session list group and select New Session List.

    To edit a session list, right-click the session list and select Edit Session List.

  2. Set options as follows:

    Session List Attributes

    In this field...

    ...enter this

    Name

    Enter a name for the session list. This name identifies the session list in ArcSight pick lists. Spaces and special characters are allowed.

    Overlapping Entries

    Check this box to allow multiple entries with the same key combination, which keeps the previous session with the same key fields open. For example, you might check this box if the list is tracking activity for an asset that supports multiple user logins.

    In Memory Capacity (x1000)

    This setting indicates the maximum number of session entries the system keeps in memory. The default value is 10,000. For most cases, 10,000 is appropriate; however, you may wish to adjust this setting, to ensure adequate memory cache is available, if the devices you are monitoring for this session list generate a lot of data.

    As a best practice, be sure to set In Memory Capacity higher than the number of live sessions you anticipate. This helps optimize performance and, therefore, keeps results reliable.

    Entry Expiration Time

    Enter an expiration time in hours, minutes, and seconds for session list entries. This is the time after which entries are marked as terminated (if no explicit termination event is received before then). Maximum expiration is 24 days.

    The default is Unlimited, which means the entry never expires. An entry with no expiry date/time can only be terminated explicitly through user action on ArcSight Console, rule actions, or archives.

    TTL Days

    Set the minimum number of days a closed session should remain on the list before it is removed. The default is 0 days. Use 0 to keep the closed session indefinitely. The maximum number of days is 999999.

    Case Sensitivity

    You can optionally configure the list to be case-sensitive or case-insensitive. Furthermore, for case-insensitive lists, you can specify case-insensitivity for keys only, or for both keys and values. This feature enables you to store and look up values in lists regardless of case.

    Select one:

    • Case-Sensitive (the default)

    • Key Case-Insensitive

    • Key & Value Case-Insensitive

    Important: After you save the list, you cannot change this setting. If you want to revert the case sensitivity setting, define a new list instead.

    Caution: Lookups on case-insensitive lists will slow down query and active channel performance. Make sure your queries and variables (used by channels) get values from case-sensitive lists.

    Common and Assign fields

    Entering data in the Common and Assign sections is optional, depending on how your environment is configured. For information about the Common and Assign attributes sections, as well as the read-only attribute fields in Parent Groups and Creation Information, see Common Resource Attribute Fields.

  3. Under the Name column, replace <Enter Name> with a descriptive name for each session parameter you want to track.

    The name you enter here appears as a label in the session list and in the Variable pick list. Names can contain spaces, such as User Name. For a list of restricted characters in field names, see Field Naming Restrictions.

    Columns for Start Time, End Time, and Creation Time are pre-defined.

  4. Enter the corresponding data type, sub-type, and mark as key field as required. Refer to the following table for guidance:

    Session List Column Types and Subtypes

    Type

    Subtype

    IP Address

    This field supports IPv4 or IPv6 addresses. If the value is an IPv6 address, the resulting address is displayed in simplified format if applicable. For example, 2001:db8:0000:0000:0000 is displayed as 2001:db8::

    Date

    This Date field is used as a default Timestamp value for interval-type queries on session lists.

    Double, Integer, or Long

    Select the applicable numeric type.

    Note: Leave the Subtype column blank even if you see the selections. The numeric subtypes MIN, MAX, and SUM are not supported in session lists.

    MAC Address

    A MAC address consisting of six groups of two hexadecimal digits. Use a hyphen (-) as the separator, for example 01-00-5E-90-10-FF

    Resource Reference

    Any ArcSight Resource such as asset, report, actor, and so on.

    String

    This is optional for lists in general but required, along with a Date field, if your list is time partitioned.

    Key field

    Select one or more fields whose combination must be unique to indicate a session start. In most cases, you would select at least two fields to make a key-value pair. For example, in the case of a DHCP login event, when a new IP and zone combination is written to the list, this indicates that a new session has started.

    Database columns are defined after the session list is created. Column definitions cannot be added, removed, or changed once the new session list is saved.

  5. Click Apply.

    The Filter tab for the list becomes enabled.

  6. Click the Filter tab in the Session List Editor and define a filter that limits the number of events to consider for the new session list.

    Session lists without filters must evaluate every event, which can negatively affect performance. The Filter tab presents the Field Set selection panel. Session list filters are different from regular filter resources; they use different fields.

    Session lists are often concerned with logins to specific machines. In this case, you would write a filter that would limit evaluation to IP address ranges of interest. By filtering out all events except those targeting IP addresses in the DHCP server's subnet, for example, you are effectively limiting session list evaluation to inside traffic, reducing the overhead of session list evaluation. Other uses of session lists suggest other installation-specific knowledge that can be used to create session list filters that restrict the number of events matched against the session list.

    Note: Filters are used to improve session list performance by restricting the number of events that must be evaluated. Filters, such as DHCP IP address ranges, are installation-specific. Therefore, consider adding a filter to pre-defined session lists, such as /All Session Lists/ArcSight Foundation/Network Monitoring/DHCP, to improve performance.

  7. Optional: To add information in the Notes tab, refer to Using Notes.

  8. Click Apply to save and continue editing or OK to save and close.

Tip: Use the Add Entry button in the Session List Editor to manually add entries to the current session list.
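The session semantics this procedure configures (key fields, Overlapping Entries, Entry Expiration Time, TTL Days and key case-insensitivity) as an added Python model that is not ArcSight's own code; the class and field names are assumptions made here, and the DHCP-style entries used with it are constructed samples.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

@dataclass
class SessionListConfig:  # assumed names for this illustration, not ArcSight's own code
    key_fields: Tuple[str, ...]                   # fields whose combination marks a session start
    overlapping_entries: bool = False             # keep the previous same-key session open
    entry_expiration: Optional[timedelta] = None  # None models the "Unlimited" default
    ttl_days: int = 0                             # 0 keeps closed sessions indefinitely
    key_case_insensitive: bool = False            # the "Key Case-Insensitive" option

@dataclass
class Entry:
    values: Dict[str, str]
    start_time: datetime
    end_time: Optional[datetime] = None           # None while the session is open

class SessionList:
    def __init__(self, cfg: SessionListConfig) -> None:
        self.cfg, self.entries = cfg, []          # entries: list of Entry, oldest first

    def _key(self, values):
        key = tuple(values[f] for f in self.cfg.key_fields)
        return tuple(v.lower() for v in key) if self.cfg.key_case_insensitive else key

    def open_entries(self):
        return [e for e in self.entries if e.end_time is None]

    def start(self, values, now):
        # A repeated key closes the earlier session unless Overlapping Entries is checked.
        if not self.cfg.overlapping_entries:
            self.terminate(values, now)
        self.entries.append(Entry(dict(values), now))

    def terminate(self, values, now):
        for e in self.open_entries():
            if self._key(e.values) == self._key(values):
                e.end_time = now                  # explicit termination (user or rule action)

    def expire(self, now):
        exp = self.cfg.entry_expiration
        for e in self.open_entries():
            if exp is not None and now - e.start_time >= exp:
                e.end_time = e.start_time + exp   # marked terminated, no explicit end received

    def purge(self, now):
        ttl = timedelta(days=self.cfg.ttl_days)   # TTL Days; 0 keeps closed sessions indefinitely
        if ttl:
            self.entries = [e for e in self.entries if e.end_time is None or now - e.end_time < ttl]
```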
