Deployment settings

The Deployment settings page lets you configure the settings for your Arc deployment.

Figure 1. Deployment settings page

Execution options

Execution time dropdown: This sets the time that Arc will run to collect data. This is applicable for One-shot and Offline modes.
Note: When this is set to 0, the execution time is interpreted as infinite.

Sigma rules (Windows only): This lets you enable/disable Sigma rules.

USB detections (Windows only): This lets you enable/disable universal serial bus (USB) detections.

Node points: This lets you enable/disable the production of node points.

Discovery: When enabled, this sends out unsolicited lightweight network announcements to discover neighboring nodes.

Smart Polling: This lets you enable/disable the execution of Smart Polling strategies from Arc. When enabled, this sends out Smart Polling queries following remote requests coming from Guardian to poll assets that Arc can reach, or assets that have been identified with Discovery.

Note: Node points and Smart Polling require that a Smart Polling license is enabled upstream.

Local ARP table: This lets you enable/disable the ability to use the local address resolution protocol (ARP) table to confirm media access control (MAC) addresses. The Use static entries checkbox lets you enable/disable the use of static entries in the ARP table. Static entries are user-defined. You should only use them if they can be trusted.

Log level dropdown: This lets you select the verbosity level for the log files. The options are:
  • Debug
  • Info
  • Error

Traffic monitoring

Enable checkbox: This lets you enable/disable traffic monitoring.

Enable continuous mode checkbox: This lets you enable/disable continuous mode. For more details, see Continuous mode.

Arc uses two different methods for traffic monitoring:
  • Intermittent mode
  • Continuous mode
Intermittent mode is the default mode. Traffic is monitored, or sniffed, for a duration of 10 seconds at each notification. The purpose of this limitation is to preserve the resources of the host machine by preventing excessive memory or central processing unit (CPU) spikes. You can configure these options:
  • Monitoring time [s] per notification
  • Max packets per notification
  • Max used Memory (MB): this value can be tuned to allow more or less traffic buffering in case the traffic to process exceeds the capacity of Arc and the network to send it out

Continuous mode sniffs traffic continuously from the host's network interface controllers. Depending on the amount of sniffed traffic, continuous mode might utilize more CPU and memory on the host. As the traffic is processed upstream, the performance of the remote endpoint is also affected. You can configure:

  • Max used Memory (MB): this value can be tuned to allow more or less traffic buffering in case the traffic to process exceeds the capacity of Arc and the network to send it out

Network interface dropdown: This lets you select a network interface to configure. Each network interface can then be enabled, and be tuned with a monitoring filter.

If you add, remove, or edit network interfaces on the host, Arc does not automatically reflect the change in the list of sniffing interfaces. For example, if you add a new network card, you should stop Arc and then start it again to enable Arc to use the card.

Restore default

Once the settings have been saved, you can use this button to restore the default configuration.