Resource Structure and Naming Conventions


ArcSight Activate is a standardized approach to content development that provides guidance for developers to create familiar content. During early workshops, we ran tests where two separate groups where given the same training and documentation and then asked to create a content package from scratch. The results were as expected, the same content was created, placed in the same location, and put together in the exact same manner. The only notable difference between the two was the analysis of the event stream for certain indicators and warnings.

Content Directory Structure

The Activate directory structure described provides the appropriate foundation for content developers to create modular content. Below, you will find everything you need to know about the current structure as well as what you will need to create should you want to include additional content within certain packages or even build a new package from scratch.

Directory Description
/All <Resource Type>/ArcSight Activate This will be the root directory for all resources. This directory should not contain any content.
/All <Resource Type>/ArcSight Activate/Core This directory will house sub-directories that are common across multiple use cases and packages. This directory will also be used for access control between teams (ie: Active Lists for suppression).
/All <Resource Type>/ArcSight Activate/Core/Product <Resource>/<Vendor Product> For every vendor/product, there will be a directory to handle particular indicators and warnings that cannot be combined within a single filter. This is considered level 1 content or "Indicators and Warnings"
/All <Resource Type>/ArcSight Activate/Development This directory will be the main holding area for content in development. It's recommended that you store content in a logical structure beneath this directory. This will facilitate promoting the package to production.
/All <Resource Type>/ArcSight Activate/Solutions This directory will be the main holding area for content dealing with Use cases.
/All <Resource Type>/ArcSight Activate/Solutions/ This is the top level directory for all use cases. This directory will not have any content, it will simply store the solution packages. For any customer specific content, a customer directory may be created at this level.
/All <Resource Type>/ArcSight Activate/Product <Content>/<Vendor Product>/<I&W Group>

Under each vendor product, there will be one directory for each group of indicators and warnings. The groups are:

  • System and Service Errors
  • System and Service Changes
  • Entity Authentication
  • Entity Management
  • Product Specific Events
  • Product Specific Patterns.
/All <Resource Type>/ArcSight Activate/Solutions/<DMiD Layer>/Indicators and Warnings Content that is used to track indicators and warning information that is shared between vendor products will be stored in this path. The usual hooks into this content will be a filter that combines the required events in an 'OR' statement. This is considered level 1 content or "Indicators and Warnings"
/All <Resource Type>/ArcSight Activate/Solutions/<DMiD Layer>/Situational Awareness Content that builds on tracking and identification correlation by adding any external situation information such as network model data or vulnerability information. This is considered level 2 content or "Situational Awareness"
All <Resource Type>/ArcSight Activate/Workflow This directory will hold all content that drives or monitors workflow.

This directory structure is replicated for all relevant ArcSight resources. For new products, make sure to create the product directory under .../ArcSight Activate/Core/Product <CONTENT TYPE>/<PRODUCT NAME>. So far we've been using some variation of the device vendor and device product fields within ArcSight.

Naming Convention

When naming content, use short descriptive sentences much like a white paper title. Resource titles should give the user an idea of what the resource covers without having to analyze the supporting content.

Here are some guidelines:
  • Resource Name
    • Capitalize all major words in a resource name
    • Articles, short prepositions and coordinating conjunctions are not capitalized (short is less than 5 letters)
    • Always capitalize a word following a colon
  • Avoid using special characters such as commas, colons, semicolons.
    • If punctuation is required, use a dash with spaces on both ends
      ie: Trend - Windows Logon Events
  • Try to avoid using numbers in the title
    ie: Top 10 Attackers becomes Top Attackers
  • For non-event queries, specify the type in the name
    ie: Trend - Connector Feed Counts
    ie: AL - Default Windows Administration Accounts
    ie: SL - Active Windows RDP Sessions
  • If you need/want a resource to show up at the top of directory list, precede the title with a '_'
  • Time resolution is important but don't hard code set timelines.
    • Daily report would show hourly data points
    • Weekly reports would show daily data points
    • Monthly reports would show daily or weekly data points depending on the information being displayed.

BAD: VPN Logins Collected Daily for the Past Week, Successful and Unsuccessful
  • Too wordy 'Collected Daily' and ambiguous
BETTER: Successful and Unsuccessful Daily VPN Logins - Past Week
  • Provides unnecessary information "Successful and Unsuccessful"
GOOD: Daily VPN Login Attempts for the Past Week
  • Time resolution is hard-coded even though it can vary based on user
BEST: Daily VPN Logins

For reference:

Resource Description

Try to always provide a description of how the content is supposed to work or how it is used within the use case. That said, in some cases, the description is simply the title. For example, a good Filter name will most likely not require a description. Here are some guidelines for Resource Descriptions :
  • Avoid listing specifics
    i.e.: field names
    i.e.: related resource URI
  • Don't copy/paste from word, special chars have the potential of causing problems.
Topic revision: r2 - 30 Dec 2017, PrenticeHayes


Activate Wiki

This site is powered by FoswikiCopyright &© by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding Foswiki? Send feedback