Review the Content Guidelines
The ArcSight Platform provides optics for different personas such as CISOs, SOC Analysts, and other users. Data must follow a predefined structure so that the widgets display data correctly.
The widgets cannot display data correctly if incorrect data is entered into fields. If the data is correct but entered into the wrong fields, the widgets do not populate at all.
Content authors must ensure that their content carries the correct information and that its alert conditions populate the fields the widgets need to display data.
The following are the minimum requirements that every tenant must meet:
- Provide the following tenant information:
  - Network ranges
  - Zone Location
  - Department
  - Line of Business
  - Sector
  - Customer name
  Based on the information provided for these entities, the ArcSight Platform populates the widgets.
- Forward only the required correlation events from ArcSight Platform.
- All correlation events that are sent to the ArcSight Platform must contain correct values for the following mandatory fields:
Field | ESM Field Name | Description
--- | --- | ---
Alert ID | Event ID | ID of the alert
Name | Name | Name of the alert
Priority | Priority | Priority of the alert
Source Address | Source Address | Source IP address of the alert
Destination Address | Destination Address | Destination IP address of the alert
Tenant | Customer URI | Customer in ESM. The customer name field must use the tenant key. For example, /All Customers/MSSP/CUSTOMERNAME, where CUSTOMERNAME is the tenant key in ArcSight Platform.
Alert Category | Old File Permission | Alert category is inferred by the rule that triggers alerts.
Destination Zone | Destination Zone URI | Destination zone for the alert
Source Zone | Source Zone URI | Source zone for the alert

- The values for the following fields can be derived from the network model: Destination Industry, Destination Department, and Destination Line of Business.
Any correlation event that does not follow the data criteria for the mandatory fields will not be considered for data visualization in the ArcSight Platform console.
To view the base event global ID in ArcSight Platform enriched alerts, all alerts from the tenant must contain the base event global ID along with their correlation events.
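A pre-forwarding check for the mandatory-field and tenant-key rules above, written for this page as an added example (it is not ArcSight code): it assumes each correlation event is a dict keyed by the ESM field names from the table, that the base event global ID travels under an assumed key, and that the set of valid tenant keys is known to the caller.

```python
import ipaddress
import re

# ESM field names from the guideline's mandatory-field table; using them as
# dict keys of the forwarded event is an assumption of this example.
MANDATORY_FIELDS = (
    "Event ID", "Name", "Priority", "Source Address", "Destination Address",
    "Customer URI", "Destination Zone URI", "Source Zone URI",
)
BASE_EVENT_FIELD = "Base Event Global ID"  # assumed key name, not given on the page
# The customer URI must carry the tenant key: /All Customers/MSSP/CUSTOMERNAME
CUSTOMER_URI_RE = re.compile(r"^/All Customers/MSSP/([^/]+)$")

def validate_correlation_event(event, tenant_keys, require_base_event_id=True):
    """Return a list of problems; an empty list means the event is accepted."""
    problems = [f"missing mandatory field: {f}" for f in MANDATORY_FIELDS
                if event.get(f) is None or str(event[f]).strip() == ""]
    if problems:
        return problems  # values cannot be checked while fields are absent
    # Priority must be numeric; ESM priorities are integers 0-10 (assumed range)
    if not isinstance(event["Priority"], int) or not 0 <= event["Priority"] <= 10:
        problems.append("Priority is not an integer in 0-10")
    for field in ("Source Address", "Destination Address"):
        try:
            ipaddress.ip_address(event[field])
        except ValueError:
            problems.append(f"{field} is not a valid IP address")
    for field in ("Source Zone URI", "Destination Zone URI"):
        if not str(event[field]).startswith("/"):  # ESM resource URIs are paths
            problems.append(f"{field} is not a zone URI")
    match = CUSTOMER_URI_RE.match(str(event["Customer URI"]))
    if match is None:
        problems.append("Customer URI is not /All Customers/MSSP/<tenant key>")
    elif match.group(1) not in tenant_keys:
        problems.append(f"unknown tenant key: {match.group(1)}")
    if require_base_event_id and not event.get(BASE_EVENT_FIELD):
        problems.append("base event global ID is missing")
    return problems

# Constructed sample data so the module runs stand-alone
TENANT_KEYS = {"ACME", "GLOBEX"}
GOOD_EVENT = {
    "Event ID": "1001", "Name": "Brute force login", "Priority": 8,
    "Source Address": "10.1.2.3", "Destination Address": "10.9.8.7",
    "Customer URI": "/All Customers/MSSP/ACME", BASE_EVENT_FIELD: "geid-placeholder",
    "Source Zone URI": "/All Zones/ACME/Workstations", "Destination Zone URI": "/All Zones/ACME/Servers",
}
BAD_EVENT = {**GOOD_EVENT, "Customer URI": "ACME", "Source Address": "not-an-ip"}
```

Calling validate_correlation_event(GOOD_EVENT, TENANT_KEYS) returns an empty list, while the same call on BAD_EVENT reports the malformed source address and the customer URI that lacks the tenant key.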