Field Sets

The field sets panel provides access to resources that are used to group and extend the fields of the event and resource schema.

Field sets are named subsets of available data fields. Field sets can help you focus a grid view, Event Inspector, or other field array on a particular context, such as customer accounts or vulnerability.

Field sets are a shareable resource that you can manage and apply through the Field Sets resource tree in the Field Sets section of the Navigator panel. Field sets also support local and global variable data fields.

In addition to field sets based on the Security Event schema, you can create field sets based on certain resources. ArcSight supports the following types of field sets:

Actor field set. An actor field set contains fields that make up the Actors resource. Actor fields are attributes to identify users and track their activity. ArcSight provides a base set of Actors fields from which you can make user-defined subsets.
Asset field set. An asset field set contains fields that make up the Assets resource. Asset fields are attributes used to identify monitored assets. ArcSight provides a base set of Asset fields from which you can make user-defined subsets.
Case field set. A case field set contains fields that make up the Cases resource. Case fields are attributes used to track events that have been added to cases. ArcSight provides a base set of Case fields from which you can make user-defined subsets.
Event field set. An event field set is a named subset of available data fields from the ArcSight security event schema.

A base or root field set is provided for each schema type (Event, Actor, Asset, and so on) from which you can create user-defined subsets. A derived field set may inherit all or a subset of its parent's base fields, and additionally may include local or global variables not present in the parent. All field sets will have a parent (field sets created in previous versions of ArcSight will by default use the Event base field set as its parent).

Note: The ArcSightCommand Center includes a search feature, fieldset, that is different from the field set resource on the ArcSight Console.

The Field Sets tree presents tools for the following tasks:

Creating Field Sets

Who: SOC operators, authors, and analysts concerned with traditional security-related use cases.
What: A named subset of available data fields in the standard schema and the user-defined dynamic schema.
Why: To narrow the fields available in the standard 400+ field event schema and the user-defined dynamic schema to make it easier to select and view fields.
Where: Active channels, CCE
How: See Creating a Field Set.

Creating Global Variables

Who: SOC operators, authors, and analysts concerned with any type of use case.
What: A way to derive a unique value from existing values in a data field, and the derived value itself, stored in a global variable field.
Why: To make correlation, monitoring, and investigation more precise.
Where: Active channels, CCE, regular field sets, other global variables
How: See Global Variables.