Environment
ArcSight Connectors
Situation
Some SmartConnectors use payload sampling to send a portion of the packet payload (as opposed to the complete payload) along with the original event. The complete payload can still be retrieved with on-demand payload retrieval in the Event Inspector, provided the source device still holds it.
Overview of Payload Sampling
Security event analysis can include examining the packet data that triggered the security event. In ArcSight terms, these packet records are called the payload. Payload refers to the information carried in the body of an event's network packet, as distinct from the packet's header data. While security event detection and analysis usually center on header data, the packet payload may also be forensically significant.
ArcSight supports the following ways to retrieve payload:
- Payload Sampling allows up to 1023 bytes of the payload to be retrieved and displayed as ASCII characters in a custom string field for each event. An option is also provided to display up to 511 bytes in hexadecimal format. By default, the payload sampling feature is not enabled due to its potentially large storage requirements. To enable payload sampling, select true for the Enable payload sampling parameter during connector installation.
- On-Demand Payload Retrieval lets you retrieve the entire payload if the payload is still held on the device.
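To make the two sampling modes concrete, here is an added example (not ArcSight connector code) that reduces a raw payload to the ASCII sample (up to 1023 bytes) or the hexadecimal sample (up to 511 bytes) and flags when the sample is truncated, so an analyst knows on-demand retrieval is needed for the rest. The limits are those stated above; the custom string field name, the '.' rendering of non-printable bytes and the sample packet are assumptions made for this example.

```python
# Added example: payload sampling as described on this page. Limits are from the page;
# field name, non-printable rendering and the sample packet are assumptions.
ASCII_LIMIT = 1023   # bytes displayed as ASCII characters in the custom string field
HEX_LIMIT = 511      # bytes displayed in hexadecimal format (2 characters per byte)


def ascii_sample(payload: bytes) -> str:
    """Keep the first ASCII_LIMIT bytes; printable ASCII is kept, other bytes become '.' (assumed)."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in payload[:ASCII_LIMIT])


def hex_sample(payload: bytes) -> str:
    """Keep the first HEX_LIMIT bytes, rendered as lowercase hex."""
    return payload[:HEX_LIMIT].hex()


def build_sampled_event(event: dict, payload: bytes, use_hex: bool = False) -> dict:
    """Return a copy of the event with the sampled payload and truncation markers attached.

    'deviceCustomString1' is an assumed destination field; the page only says
    'a custom string field'.
    """
    limit = HEX_LIMIT if use_hex else ASCII_LIMIT
    out = dict(event)
    out["deviceCustomString1"] = hex_sample(payload) if use_hex else ascii_sample(payload)
    out["payloadSampledBytes"] = min(len(payload), limit)
    # True means only part of the payload was sent: use on-demand retrieval for the full copy
    out["payloadTruncated"] = len(payload) > limit
    return out


def extra_storage_bytes(events_per_day: int, use_hex: bool = False) -> int:
    """Worst-case extra storage per day if every event carries a full-size sample."""
    return events_per_day * (2 * HEX_LIMIT if use_hex else ASCII_LIMIT)


# Constructed sample packet: an HTTP request line followed by binary filler, longer than both limits
SAMPLE_PAYLOAD = (b"GET /login?user=admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
                  + bytes(range(256)) * 5)

if __name__ == "__main__":
    ev = build_sampled_event({"name": "Web request"}, SAMPLE_PAYLOAD)
    print(ev["deviceCustomString1"][:54], ev["payloadSampledBytes"], ev["payloadTruncated"])
    print("extra bytes/day at 1M events, ASCII mode:", extra_storage_bytes(1_000_000))
```

The storage helper shows why the feature is off by default: at one million events per day the ASCII sample alone can add roughly a gigabyte per day.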
It is possible to retrieve, preserve, view, or discard payloads using the ArcSight Console. Because event payloads are relatively large, ArcSight does not store them by default. Instead, it can request payloads from devices for selected events through the Console. If the payload is still held on the device, the ArcSight SmartConnector retrieves it and sends it to the Console.
Payloads are downloaded and stored only on demand; ESM must be configured to log these packets. By default, 256 bytes of payload are retrieved.
Whether an event has a payload to store is visible in event grids. Unless specifically requested to do so, ESM stores only the event's "payload ID" (the information required to retrieve the payload from the event source). Payload retention periods are controlled by the configuration of each source device.
Locate Payload-Bearing Events
The first step in handling event payloads is to be able to locate payload-bearing events among the general flow of events in a grid view.
In an ArcSight Console Viewer panel grid view, right-click a column header and choose Add Column > Device > Payload ID. Look for events showing a Payload ID in that column.
Retrieve Payloads
In a Viewer panel grid view, double-click an event with an associated payload. In the Event Inspector, click the Payload tab, then click Retrieve Payload.
Preserve Payloads
In a grid view, right-click an event with an associated payload, select Payload, then Preserve. Alternatively, in the Event Inspector, click the Payload tab, then Preserve Payload.
Discard Payloads
In a grid view, right-click an event with an associated payload and select Payload, then Discard Preserved. You can also use the Event Inspector: in a grid view, double-click an event with an associated payload. In the Event Inspector, click the Payload tab, then click Discard Preserved Payload.
Save Payloads to Files
In a grid view, double-click an event with an associated payload. In the Event Inspector, click the Payload tab. Click Save Payload. In the Save dialog box, navigate to a directory and enter a name in the File name text field. Click Save.