Home
Arc
Introduction
An overview of Arc.
Viewing data from Arc
The data Arc acquires can be viewed in different places, and in different formats.

Arc
- Introduction
  An overview of Arc.
  - Arc overview
    Arc™ is a host-based sensor that detects and defends against malicious or compromised endpoints, and insider attacks. You can use Arc sensors to aggregate data for analysis and reports, either on-premises, or in the Vantage cloud.
  - Arc Embedded
    This version of Arc can be embedded directly on programmable logic controllers (PLCs).
  - Architecture
    It is important to understand the different architecture possibilities that are available with Arc.
  - Arc in Guardian
    The Arc button in the Guardian Web UI lets you access the different pages for Arc.
  - Arc in CMC
    The Arc button in the Central Management Console (CMC) Web UI lets you access the different pages for Arc.
  - Deployment
    The Deployment page shows a table of all the devices available for Arc deployment.
  - Deployment settings
    The Deployment settings page lets you configure the settings for your Arc deployment.
  - Node points
    The Node points page shows data points that are collected over time, and represent the state of the target machine.
  - Dependencies
    The Dependencies page shows the status of the dependencies. When a dependency is missing, you can use the upload icon in the Actions column to upload it.
  - Arc in Vantage
    The Sensors page shows all the Arc sensors in the network. It also lets you connect an Arc sensor.
  - Viewing data from Arc
    The data Arc acquires can be viewed in different places, and in different formats.
  - Commands syntax
    The example commands given in this documentation are for Microsoft Windows. Some of these commands are the same in other operating systems (OS), but when a procedure is specific to a different OS, the correct syntax for that OS is used.
  - Security measures
    A description of the security measures that Arc uses.
  - Detection information
    The information that Arc detects, listed for each operating system (OS). The table shows two types of Category: network and asset. When the Category is listed as network, it means that the detection is based on information that has been extracted from the network. When the Category is listed as asset, it means that the detection is based on information that has been extracted from the asset.
- Requirements
  The machine and network requirements necessary to use Arc.
- Preparation
  Information on how to import Arc packages, and install a license.
- Configuration
  Details on how to configure Arc.
- Deployment
  Information on how to deploy Arc. This includes details for manual and automatic deployments, and deployment through a mobile device management (MDM) system.
- Execution
  Information on the different modes that you can use with Arc.
- Troubleshooting
  Troubleshooting procedures to help you solve problems that might occur when you use Arc.
- Print format documentation
  A list of all the print-format documentation that is available for Arc.

Viewing data from Arc

The data Arc acquires can be viewed in different places, and in different formats.

Nodes discovered

You can view nodes by their capture device:

In Network view > Nodes, check that the capture_device field contains arc
In Queries, with the term: nodes | where capture_device include? arc

Asset view information sources

When Arc asset detections populate a field, an Arc dedicated source is used. When Arc uses network monitoring to discover nodes, the source will show as passive. See Nodes discovered.

Node points

When Smart Polling is not enabled, all node points come from Arc. When both Arc and Smart Polling are active in Guardian, you can find nodes that are from Arc:

In Arc > Node points
In Queries, with the term: node_points | where source.type == arc

Dedicated alerts

Alerts such as those shown below, come from Arc:

SIGN:SIGMA-RULE
SIGN:MALICIOUS-HID
SIGN:USB-DEVICE
SIGN:USB-FILE-TRANSFER

Users field in alerts

Alerts that are generated from Arc, or involve a node hosting Arc, include information about the logged users. In case of SIGN:SIGMA-RULE alerts, the user associated to the process triggering the Sigma rule is used.