ArcSight Built-in Event Field Mappings

The following table lists ArcSight event fields. See the numbered Range Notes (n) following this table for further explanations of certain field ranges.

| ArcSight Mapping | Type | Length | Range |
|---|---|---|---|
| applicationProtocol | String | 31 | n/a |
| baseEventCount | Integer | n/a | 0 -> 2^31-1 |
| bytesIn | Long | n/a | 0 -> 2^63-1 |
| bytesOut | Long | n/a | 0 -> 2^63-1 |
| categoryBehavior | String | 1023 | n/a (1) |
| categoryDeviceGroup | String | 1023 | n/a (1) |
| categoryObject | String | 1023 | n/a (1) |
| categoryOutcome | String | 1023 | n/a (1) |
| categorySignificance | String | 1023 | n/a (1) |
| categoryTechnique | String | 1023 | n/a (1) |
| cryptoSignature | String | 512 | n/a |
| customerURI | String | - | n/a (2) |
| destinationAddress | IPAddress | n/a | IPv4 or IPv6 (3) |
| destinationDnsDomain | String | 255 | n/a |
| destinationHostName | String | 1023 | n/a |
| destinationMacAddress | MacAddress | n/a | MAC (4) |
| destinationNtDomain | String | 255 | n/a |
| destinationPort | Integer | n/a | 0 -> 65535 |
| destinationProcessName | String | 1023 | n/a |
| destinationServiceName | String | 1023 | n/a |
| destinationTranslatedAddress | IPAddress | n/a | IPv4 or IPv6 (3) |
| destinationTranslatedPort | Integer | n/a | 0 -> 65535 |
| destinationTranslatedZoneURI | String | - | n/a (2) |
| destinationUserId | String | 1023 | n/a |
| destinationUserName | String | 1023 | n/a |
| destinationUserPrivileges | String | 1023 | n/a |
| destinationZoneURI | String | - | n/a (2) |
| deviceAction | String | 63 | n/a |
| deviceAddress | IPAddress | n/a | IPv4 or IPv6 (3) |
| deviceCustomDate1 | TimeStamp | n/a | n/a (5) |
| deviceCustomDate1Label | String | 1023 | n/a |
| deviceCustomDate2 | TimeStamp | n/a | n/a (5) |
| deviceCustomDate2Label | String | 1023 | n/a |
| deviceCustomIPv6Address1 | IPAddress | n/a | IPv6 (8) |
| deviceCustomIPv6Address1Label | String | 1023 | Should be "Device IPv6 Address" |
| deviceCustomIPv6Address2 | IPAddress | n/a | IPv6 (8) |
| deviceCustomIPv6Address2Label | String | 1023 | Should be "Source IPv6 Address" |
| deviceCustomIPv6Address3 | IPAddress | n/a | IPv6 (8) |
| deviceCustomIPv6Address3Label | String | 1023 | Should be "Destination IPv6 Address" |
| deviceCustomNumber1 | Long | n/a | -2^63 -> 2^63-1 |
| deviceCustomNumber1Label | String | 1023 | n/a |
| deviceCustomNumber2 | Long | n/a | -2^63 -> 2^63-1 |
| deviceCustomNumber2Label | String | 1023 | n/a |
| deviceCustomNumber3 | Long | n/a | -2^63 -> 2^63-1 |
| deviceCustomNumber3Label | String | 1023 | n/a |
| deviceCustomString1 | String | 1023 (4.x), 4000 (5.x) | n/a |
| deviceCustomString1Label | String | 1023 | n/a |
| deviceCustomString2 | String | 1023 (4.x), 4000 (5.x) | n/a |
| deviceCustomString2Label | String | 1023 | n/a |
| deviceCustomString3 | String | 1023 (4.x), 4000 (5.x) | n/a |
| deviceCustomString3Label | String | 1023 | n/a |
| deviceCustomString4 | String | 1023 (4.x), 4000 (5.x) | n/a |
| deviceCustomString4Label | String | 1023 | n/a |
| deviceCustomString5 | String | 1023 (4.x), 4000 (5.x) | n/a |
| deviceCustomString5Label | String | 1023 | n/a |
| deviceCustomString6 | String | 1023 (4.x), 4000 (5.x) | n/a |
| deviceCustomString6Label | String | 1023 | n/a |
| deviceDnsDomain | String | 255 | n/a |
| deviceDomain | String | 1023 | n/a |
| deviceEventCategory | String | 1023 | n/a |
| deviceEventClassId | String | 1023 | n/a |
| deviceExternalId | String | 255 | n/a |
| deviceFacility | String | 1023 | n/a |
| deviceHostName | String | 63 | n/a |
| deviceInboundInterface | String | 15 | n/a |
| deviceMacAddress | MacAddress | n/a | MAC (4) |
| deviceNtDomain | String | 255 | n/a |
| deviceOutboundInterface | String | 15 | n/a |
| devicePayloadId | String | 128 | n/a |
| deviceProcessName | String | 1023 | n/a |
| deviceProduct | String | 63 | n/a |
| deviceReceiptTime | TimeStamp | n/a | n/a (5) |
| deviceSeverity | String | 63 | n/a |
| deviceTimeZone | String | 255 | n/a |
| deviceTranslatedAddress | IPAddress | n/a | IPv4 or IPv6 (3) |
| deviceTranslatedZoneURI | String | - | n/a (2) |
| deviceVendor | String | 63 | n/a |
| deviceVersion | String | 31 | n/a |
| deviceZoneURI | String | - | n/a (2) |
| endTime | TimeStamp | n/a | n/a (5) |
| externalId | String | 40 | n/a |
| fileCreateTime | TimeStamp | n/a | n/a (5) |
| fileHash | String | 255 | n/a |
| fileId | String | 1023 | n/a |
| fileModificationTime | TimeStamp | n/a | n/a (5) |
| fileName | String | 1023 | n/a |
| filePath | String | 1023 | n/a |
| filePermission | String | 1023 | n/a |
| fileSize | Long | n/a | 0 -> 2^63-1 |
| fileType | String | 1023 | n/a |
| flexDate1 | TimeStamp | n/a | n/a (5) |
| flexDate1Label | String | 128 | n/a |
| flexNumber1 | Long | n/a | -2^63 -> 2^63-1 |
| flexNumber1Label | String | 128 | n/a |
| flexNumber2 | Long | n/a | -2^63 -> 2^63-1 |
| flexNumber2Label | String | 128 | n/a |
| flexString1 | String | 1023 | n/a |
| flexString1Label | String | 128 | n/a |
| flexString2 | String | 1023 | n/a |
| flexString2Label | String | 128 | n/a |
| message | String | 1023 | n/a |
| name | String | 512 | n/a (9) |
| oldFileCreateTime | TimeStamp | n/a | n/a (5) |
| oldFileHash | String | 255 | n/a |
| oldFileId | String | 1023 | n/a |
| oldFileModificationTime | TimeStamp | n/a | n/a (5) |
| oldFileName | String | 1023 | n/a |
| oldFilePath | String | 1023 | n/a |
| oldFilePermission | String | 1023 | n/a |
| oldFileSize | Long | n/a | 0 -> 2^63-1 |
| oldFileType | String | 1023 | n/a |
| rawEvent | String | 4000 | n/a (7) |
| requestClientApplication | String | 1023 | n/a |
| requestContext | String | 2048 | n/a |
| requestCookies | String | 1023 | n/a |
| requestMethod | String | 1023 | n/a |
| requestUrl | String | 1023 | n/a |
| sourceAddress | IPAddress | n/a | IPv4 or IPv6 (3) |
| sourceDnsDomain | String | 255 | n/a |
| sourceHostName | String | 1023 | n/a |
| sourceMacAddress | MacAddress | n/a | MAC (4) |
| sourceNtDomain | String | 255 | n/a |
| sourcePort | Integer | n/a | 0 -> 65535 |
| sourceProcessName | String | 1023 | n/a |
| sourceServiceName | String | 1023 | n/a |
| sourceTranslatedAddress | IPAddress | n/a | IPv4 or IPv6 (3) |
| sourceTranslatedPort | Integer | n/a | 0 -> 65535 |
| sourceTranslatedZoneURI | String | - | n/a (2) |
| sourceUserId | String | 1023 | n/a |
| sourceUserName | String | 1023 | n/a |
| sourceUserPrivileges | String | 1023 | n/a |
| sourceZoneURI | String | - | n/a (2) |
| startTime | TimeStamp | n/a | n/a (5) |
| transportProtocol | String | 31 | n/a (6) |

Range Notes

  1. Although these fields can be set using the FlexConnector properties file, the recommended way is to create a categorization file. For more about the possible values, see the "Categories" topic in the Console Help or the ArcSight Console User's Guide. Also, see Categorizing Events.

  2. Although URI fields can be set using the FlexConnector properties file, these are really links to resources in the database. Therefore, it is recommended that those fields be set using the network-model and customer-setting features.

  3. This can be an IPv4 address (from 0.0.0.0 to 255.255.255.255) or an IPv6 address (eight 16-bit hexadecimal groups, xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx, with the usual :: compression allowed).

  4. This is a MAC address: XX:XX:XX:XX:XX:XX or XX-XX-XX-XX-XX-XX.

  5. This is a timestamp stored as milliseconds since January 1, 1970.

  6. The options are: TCP, UDP, ICMP, IGMP, ARP.

  7. Set PreserveRawEvent to Yes to have the connector automatically preserve the original event log received from the device. With the default No, you can configure this field. To find the PreserveRawEvent field in the ArcSight Console interface, go to the Connectors resource tree > Configure > Default tab > Content > Processing section > PreserveRawEvent.

  8. For a non-IPv6-aware parser, the IPv6 fields (deviceCustomIPv6Address1, 2, and 3) should consistently use 1 for device, 2 for source, and 3 for destination. The labels for them will automatically be set if the IPv6 address field is set, but if your ArcSight Console parser sets them explicitly, it should use the exact strings shown above.

    For an IPv6-aware parser, the IPv6 fields (deviceCustomIPv6Address1, 2, and 3) can contain either IPv4 or IPv6 addresses. In practice, these fields should rarely be used. If they are, the labels should be set to an appropriate value.

  9. The name field is mandatory.
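A practical use of the table and the Range Notes is to check a FlexConnector parser's output against the declared types, lengths and ranges before the events reach the Manager, where an over-length string or out-of-range port is silently truncated or dropped. The following validator is an added example and not ArcSight's own code. Its SCHEMA is a constructed subset of the table (deviceCustomString1 uses the 5.x length of 4000; TimeStamp values are taken as milliseconds since 1970 per Note 5 and, because the page states no range, are only required to be a non-negative Long, which is an assumption); transportProtocol is compared case-sensitively against the Note 6 list; the two sample events are constructed.

```python
# Added example, not ArcSight code: check parsed event fields against the
# built-in field type/length/range table above. SCHEMA is a constructed subset
# of that table; GOOD_EVENT and BAD_EVENT are constructed sample events.
import ipaddress
import re

# Range Note 4: XX:XX:XX:XX:XX:XX or XX-XX-XX-XX-XX-XX (one separator style throughout)
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")
# Range Note 6; compared case-sensitively, exactly as listed
TRANSPORT_PROTOCOLS = {"TCP", "UDP", "ICMP", "IGMP", "ARP"}
INT_MAX = 2**31 - 1
LONG_MIN, LONG_MAX = -(2**63), 2**63 - 1

# field -> (type, max length or None, range: (lo, hi) pair, allowed set, or None)
# Assumptions: deviceCustomString1 uses the 5.x length (4000); TimeStamp values
# are ms since 1970 (Note 5) and, as the page gives no range, need only be a
# non-negative Long here.
SCHEMA = {
    "name": ("String", 512, None),                  # mandatory (Note 9)
    "message": ("String", 1023, None),
    "deviceVendor": ("String", 63, None),
    "deviceProduct": ("String", 63, None),
    "deviceVersion": ("String", 31, None),
    "deviceHostName": ("String", 63, None),
    "deviceCustomString1": ("String", 4000, None),
    "transportProtocol": ("String", 31, TRANSPORT_PROTOCOLS),
    "sourceAddress": ("IPAddress", None, None),
    "destinationAddress": ("IPAddress", None, None),
    "sourceMacAddress": ("MacAddress", None, None),
    "sourcePort": ("Integer", None, (0, 65535)),
    "destinationPort": ("Integer", None, (0, 65535)),
    "baseEventCount": ("Integer", None, (0, INT_MAX)),
    "bytesIn": ("Long", None, (0, LONG_MAX)),
    "deviceCustomNumber1": ("Long", None, (LONG_MIN, LONG_MAX)),
    "startTime": ("TimeStamp", None, (0, LONG_MAX)),
}


def check_field(field, value):
    """Return a list of problems for one field/value pair (empty when valid)."""
    if field not in SCHEMA:
        return [f"{field}: not a built-in field in SCHEMA"]
    ftype, max_len, rng = SCHEMA[field]
    problems = []
    if ftype == "String":
        if not isinstance(value, str):
            return [f"{field}: expected a String, got {type(value).__name__}"]
        if len(value) > max_len:
            problems.append(f"{field}: length {len(value)} exceeds {max_len}")
        if isinstance(rng, set) and value not in rng:
            problems.append(f"{field}: {value!r} is not one of {sorted(rng)}")
    elif ftype in ("Integer", "Long", "TimeStamp"):
        # bool is an int subclass in Python; reject it explicitly
        if isinstance(value, bool) or not isinstance(value, int):
            return [f"{field}: expected {ftype}, got {type(value).__name__}"]
        lo, hi = rng
        if not lo <= value <= hi:
            problems.append(f"{field}: {value} is outside {lo} -> {hi}")
    elif ftype == "IPAddress":
        try:
            ipaddress.ip_address(value)          # accepts IPv4 or IPv6 (Note 3)
        except ValueError:
            problems.append(f"{field}: {value!r} is not an IPv4 or IPv6 address")
    elif ftype == "MacAddress":
        if not isinstance(value, str) or not MAC_RE.match(value):
            problems.append(f"{field}: {value!r} is not a MAC in XX:XX:XX:XX:XX:XX "
                            "or XX-XX-XX-XX-XX-XX form")
    return problems


def validate_event(event):
    """Validate a whole parsed event; name is mandatory (Note 9)."""
    problems = []
    if "name" not in event:
        problems.append("name: mandatory field is missing")
    for field, value in event.items():
        problems.extend(check_field(field, value))
    return problems


# Constructed sample events
GOOD_EVENT = {
    "name": "Inbound connection allowed",
    "deviceVendor": "ExampleVendor",
    "deviceProduct": "ExampleFirewall",
    "sourceAddress": "10.0.0.5",
    "destinationAddress": "2001:db8::1",
    "sourcePort": 51234,
    "destinationPort": 443,
    "transportProtocol": "TCP",
    "sourceMacAddress": "00:11:22:33:44:55",
    "bytesIn": 1024,
    "startTime": 1700000000000,
}
BAD_EVENT = {                                   # every entry here fails, and name is missing
    "deviceVendor": "V" * 64,                   # 63 max
    "destinationPort": 70000,                   # 0 -> 65535
    "transportProtocol": "tcp",                 # lower case, not in the Note 6 list
    "sourceMacAddress": "0011.2233.4455",       # dotted form, not allowed by Note 4
    "sourceAddress": "256.1.1.1",               # not a valid IPv4 octet
    "baseEventCount": 2**31,                    # one past 2^31-1
}

if __name__ == "__main__":
    for label, ev in (("good", GOOD_EVENT), ("bad", BAD_EVENT)):
        print(label, validate_event(ev) or "OK")
```

Run it as a script to see the seven findings for BAD_EVENT and "OK" for GOOD_EVENT; in practice you would feed it the token-to-field map your properties file produces for a handful of representative log lines, and extend SCHEMA with the remaining rows of the table as your parser uses them.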

See ArcSight Built-in Tokens for a list of ArcSight built-in tokens.