Configuration
The Configuration page of the local configuration UI gives you access to the Arc configuration options.
Upstream connection
Endpoint: This shows the internet protocol (IP) address of the upstream machine that the sensor is connected to.
Token: The token Arc needs to authenticate to the Guardian/Vantage endpoint.
Check connection button: This checks if the connection parameters are correct.
Execution options
Sigma rules (Windows only): This lets you enable/disable Sigma rules.
USB detections (Windows only): This lets you enable/disable universal serial bus (USB) detections.
Node points: This lets you enable/disable the production of node points.
Discovery: When enabled, this sends out unsolicited lightweight network announcements to discover neighboring nodes.
Smart Polling: This lets you enable/disable the execution of Smart Polling strategies from Arc. When enabled, this sends out Smart Polling queries following remote requests coming from Guardian to poll assets that Arc can reach, or assets that have been identified with Discovery.
Local ARP table: This lets you enable/disable the ability to use the local address resolution protocol (ARP) table to confirm media access control (MAC) addresses. The Use static entries checkbox lets you enable/disable the use of static entries in the ARP table. Static entries are user-defined. You should only use them if they can be trusted.
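As an added example (not Arc's own code) of what the Local ARP table and Use static entries options decide, the following Python parses a constructed `arp -a` listing and checks an observed IP-to-MAC pairing against it, accepting user-defined (static) entries only when `use_static` is set; the function names and the sample output are assumptions.

```python
import re
from typing import Dict, Tuple

# Constructed sample of Windows `arp -a` output; not captured from a real host.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.50          aa-bb-cc-dd-ee-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One cache entry per line: IPv4, MAC ('-' or ':' separated), dynamic|static.
_ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+"
    r"(dynamic|static)\s*$", re.IGNORECASE)


def normalize_mac(mac: str) -> str:
    """Canonical lowercase, colon-separated form so comparisons are exact."""
    return mac.lower().replace("-", ":")


def parse_arp_table(output: str) -> Dict[str, Tuple[str, bool]]:
    """Map IP -> (MAC, is_static); interface headers and column titles are skipped."""
    table: Dict[str, Tuple[str, bool]] = {}
    for line in output.splitlines():
        m = _ENTRY.match(line)
        if m:
            ip, mac, kind = m.groups()
            table[ip] = (normalize_mac(mac), kind.lower() == "static")
    return table


def confirm_mac(ip: str, mac: str, table: Dict[str, Tuple[str, bool]],
                use_static: bool = False) -> str:
    """Decide whether the ARP cache confirms that `ip` belongs to `mac`.
    'confirmed'      usable entry present and the MAC matches
    'mismatch'       entry present but the MAC differs (worth a closer look)
    'static-skipped' only a user-defined entry exists and use_static is False
    'unknown'        no cache entry for this IP
    """
    entry = table.get(ip)
    if entry is None:
        return "unknown"
    cached_mac, is_static = entry
    if is_static and not use_static:
        return "static-skipped"  # user-defined entries are not trusted by default
    return "confirmed" if cached_mac == normalize_mac(mac) else "mismatch"
```

A 'mismatch' result is the case worth investigating, since the cache and the observed traffic disagree about which MAC owns the address.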
- Debug
- Info
- Error
Traffic monitoring
Enable checkbox: This lets you enable/disable traffic monitoring.
Enable continuous mode checkbox: This lets you enable/disable continuous mode. For more details, see Continuous mode.
- Intermittent mode
- Continuous mode
- Monitoring time [s] per notification
- Max packets per notification
- Max used Memory (MB): This value can be tuned to allow more or less traffic buffering when the traffic to process exceeds the capacity of Arc and the network to send it out
Continuous mode sniffs traffic continuously from the host's network interface controllers. Depending on the amount of sniffed traffic, continuous mode might utilize more CPU and memory on the host. As the traffic is processed upstream, the performance of the remote endpoint is also affected. You can configure:
- Max used Memory (MB): This value can be tuned to allow more or less traffic buffering when the traffic to process exceeds the capacity of Arc and the network to send it out
Network interface dropdown: This lets you select a network interface to configure. Each network interface can then be enabled, and be tuned with a monitoring filter.
If you add, remove, or edit network interfaces on the host, Arc does not automatically update its list of sniffing interfaces. For example, if you add a new network card, you must stop Arc and then start it again before Arc can use it.