Categorizing Events

This topic describes categorization in the context of FlexConnectors.

For details on using categorization, see the ArcSight Console User’s Guide, Reference Guide section, specifically the topic “Event Categorization” for information on custom categorization for FlexConnectors.

Categorization

You can categorize the events collected by your FlexConnector. The following examples illustrate categorization for HTTP status code-based devices (such as proxy, cache, or web servers) and for Firewall devices (which use pass/open/allow, drop/deny/reject). Put the categorization file in this location:

ARCSIGHT_HOME/user/agent/acp/categorizer/current/<device_vendor>/<device_product>.csv

In this case, <device_vendor> is the value of the event.deviceVendor field (in lower case, with spaces or other special characters replaced by an underscore). The <device_product> is the value of the event.deviceProduct field (likewise in lower case, with spaces replaced by underscores). Your FlexConnector must set these two fields before categorization can be applied to its events.

HTTP Status Code Categorization Example

event.deviceEventClassId,set.event.categoryObject,set.event.categoryBehavior,set.event.categoryTechnique,set.event.categoryDeviceGroup,set.event.categorySignificance,set.event.categoryOutcome
100,/Host/Application/Service,/Communicate/Query,,/Application,/Informational,/Success
101,/Host/Application/Service,/Communicate/Query,,/Application,/Informational/Error,/Attempt
200,/Host/Application/Service,/Communicate/Query,,/Application,/Normal,/Success
201,/Host/Resource,/Create,,/Application,/Normal,/Success
202,/Host/Application,/Execute,,/Application,/Informational/Error,/Failure
203,,,,/Application,,
204,/Host/Resource,/Access/Start,,/Application,/Normal,/Success
205,/Host/Resource,/Access/Start,,/Application,/Informational,/Success
206,/Host/Resource,/Access/Start,,/Application,/Informational,/Success
300,/Host/Resource,/Access/Start,,/Application,/Informational,/Success
301,/Host/Application/Service,/Communicate/Query,/Redirection/Application,/Application,/Informational,/Success
302,/Host/Application/Service,/Communicate/Query,/Redirection/Application,/Application,/Informational,/Success
303,/Host/Application/Service,/Communicate/Query,/Redirection/Application,/Application,/Informational,/Success
304,/Host/Application/Service,/Communicate/Query,/Redirection/Application,/Application,/Informational,/Success
305,/Host/Application/Service,/Communicate/Query,/Redirection/Application,/Application,/Informational/Error,/Attempt
306,/Host/Application/Service,/Execute/Query,,/Application,/Informational/Alert,/Failure
307,/Host/Application/Service,/Communicate/Query,/Redirection/Application,/Application,/Informational,/Success
400,/Host/Application/Service,/Access/Start,/Traffic Anomaly/Application Layer/Syntax Error,/Application,/Informational/Warning,/Failure
401,/Host/Application/Service,/Authentication/Verify,,/Application,/Informational/Warning,/Failure
402,/Host/Application/Service,/Communicate/Query,/Traffic Anomaly/Application Layer/Unsupported Command,/Application,/Informational/Error,/Failure
403,/Host/Application/Service,/Authentication/Verify,,/Application,/Informational/Warning,/Failure
404,/Host/Resource,/Access/Start,,/Application,/Informational/Warning,/Failure
405,/Host/Application/Service,/Communicate/Query,/Traffic Anomaly/Application Layer/Unsupported Command,/Application,/Informational/Error,/Failure
406,/Host/Application/Service,/Communicate/Query,,/Application,/Informational/Error,/Failure
407,/Host/Application/Service,/Authentication,,/Application,/Informational/Error,/Failure
408,/Host/Application/Service,/Communicate/Query,,/Application,/Informational/Error,/Failure
409,/Host/Application/Service,/Communicate/Query,,/Application,/Informational/Error,/Failure
410,/Host/Resource,/Access/Start,,/Application,/Informational/Warning,/Failure
411,/Host/Application/Service,/Access/Start,/Traffic Anomaly/Application Layer/Syntax Error,/Application,/Informational/Warning,/Failure
412,/Host/Application/Service,/Access/Start,,/Application,/Informational/Warning,/Failure
413,/Host/Application/Service,/Communicate/Query,/Traffic Anomaly/Application Layer/Syntax Error,/Application,/Informational/Error,/Failure
414,/Host/Application/Service,/Communicate/Query,/Traffic Anomaly/Application Layer/Syntax Error,/Application,/Informational/Error,/Failure
415,/Host/Application/Service,/Communicate/Query,/Traffic Anomaly/Application Layer/Syntax Error,/Application,/Informational/Error,/Failure
416,/Host/Application/Service,/Communicate/Query,/Traffic Anomaly/Application Layer/Syntax Error,/Application,/Informational/Error,/Failure
417,/Host/Application/Service,/Communicate/Query,/Traffic Anomaly/Application Layer/Syntax Error,/Application,/Informational/Error,/Failure
500,/Host/Application/Service,/Execute,,/Application,/Informational/Error,/Failure
501,/Host/Application/Service,/Execute,,/Application,/Informational/Error,/Failure
502,/Host/Application/Service,/Execute,,/Application,/Informational/Error,/Failure
503,/Host/Application/Service,/Access/Start,,/Application,/Informational/Error,/Failure
504,/Host/Application/Service,/Execute,,/Application,/Informational/Error,/Failure

Firewall Example

event.deviceEventClassId,set.event.categoryObject,set.event.categoryBehavior,set.event.categoryDeviceGroup,set.event.categorySignificance,set.event.categoryOutcome
OPEN,/Host/Application/Service,/Communicate/Query,/Firewall,/Normal,/Success
pass,/Host/Application/Service,/Communicate/Query,/Firewall,/Normal,/Success
DROP,/Host/Application/Service,/Communicate/Query,/Firewall,/Informational/Warning,/Failure
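The following is an added example, not ArcSight code, that models what both categorization files above do: it derives the file path from deviceVendor/deviceProduct, parses a categorization CSV, and applies the matching set.event.* columns to a parsed event. It assumes that any character outside [a-z0-9] is what "special characters" means for the path, and that a blank cell (as in the 203 row) leaves that event field untouched; the sample CSV is a constructed subset of the HTTP rows.

```python
import csv
import io
import re

# Constructed sample: a subset of the page's HTTP status code rows, with the
# header on one line as it must appear in the file.
SAMPLE_CSV = """\
event.deviceEventClassId,set.event.categoryObject,set.event.categoryBehavior,set.event.categoryTechnique,set.event.categoryDeviceGroup,set.event.categorySignificance,set.event.categoryOutcome
200,/Host/Application/Service,/Communicate/Query,,/Application,/Normal,/Success
203,,,,/Application,,
401,/Host/Application/Service,/Authentication/Verify,,/Application,/Informational/Warning,/Failure
"""

KEY_COLUMN = "event.deviceEventClassId"
SET_PREFIX = "set."

def normalize_path_component(value: str) -> str:
    """Lower-case the value and replace spaces or other special characters
    with an underscore (assumed rule: anything outside [a-z0-9] becomes '_')."""
    return re.sub(r"[^a-z0-9]", "_", value.lower())

def categorizer_path(device_vendor: str, device_product: str,
                     arcsight_home: str = "ARCSIGHT_HOME") -> str:
    """Build the categorization file path from deviceVendor/deviceProduct."""
    return (f"{arcsight_home}/user/agent/acp/categorizer/current/"
            f"{normalize_path_component(device_vendor)}/"
            f"{normalize_path_component(device_product)}.csv")

def load_categorizer(text: str) -> dict:
    """Parse categorization CSV text into {deviceEventClassId: {field: value}}.
    Only 'set.<field>' columns apply; blank cells are skipped (assumption)."""
    reader = csv.DictReader(io.StringIO(text))
    if KEY_COLUMN not in reader.fieldnames:
        raise ValueError(f"categorization file lacks the {KEY_COLUMN} column")
    table = {}
    for row in reader:
        fields = {col[len(SET_PREFIX):]: val for col, val in row.items()
                  if col.startswith(SET_PREFIX) and val}
        table[row[KEY_COLUMN]] = fields
    return table

def categorize(event: dict, table: dict) -> dict:
    """Return a copy of the parsed event with the matching category fields set.
    Lookup is by the exact deviceEventClassId string; no match means no change."""
    result = dict(event)
    result.update(table.get(event.get(KEY_COLUMN, ""), {}))
    return result
```

Because the lookup key is matched as written, the firewall example's OPEN, pass and DROP rows only fire when the FlexConnector emits deviceEventClassId in exactly that case.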