ArcSight Console User's Guide, ESM 6.9.1
User Manual (PDF, 1106 pages)
- Chapter 1: Getting Started
- Chapter 2: Working in the Console
  - Navigating
  - Viewing
  - Inspecting and Editing
  - Controlling the Console
  - Using the Network Tools
  - Staying Informed
  - Using the File Menu
  - Using the Edit Menu
  - Using the View Menu
  - Using the Window Menu
  - Using the Tools Menu
  - Using the System Menu
  - Using Right-Click Context Menus
  - Using the Help Menu
  - Keyboard Shortcuts (Hot Keys)
  - Printing from the Console
  - Error and Warning Messages
- Chapter 3: Personalizing the Console
  - Changing the Console Display
  - Changing User Preferences
  - Changing Your Password
  - Changing Other Users' Passwords
  - Setting Default Editors and Viewers
  - Changing Global Options
  - Setting Dialog Options
  - Setting Grid Options for the Viewer Panel
  - Customizing the Default Selections for Active Lists
  - Setting Date and Time Formats
  - Setting Latitude and Longitude Options
  - Configuring Event Graphs
  - Setting Notification Popups
  - Managing Hot Keys
  - Saving and Sending Settings
- Chapter 4: Modeling the Network
  - The Network Model
  - Asset Model
  - Populating the Network Model with Assets
  - Populating the Network Model Using the Wizard
  - Working with Assets, Locations, Zones, Networks, Vulnerabilities, and Categories
- Chapter 5: Managing SmartConnectors
  - Selecting and Setting SmartConnector Parameters
  - Managing SmartConnector Filter Conditions
  - Setting Special Severity Levels
  - Sending Model Mappings to SmartConnectors
  - Sending Control Commands to SmartConnectors
  - Managing SmartConnector Groups
  - Importing and Exporting SmartConnector Configurations
  - Using Additional Data Fields
  - Upgrading SmartConnectors
- Chapter 6: Managing Users
- Chapter 6: Managing Permissions
  - Editing Access Control Lists (ACLs)
  - Granting or Removing Resource Permissions
  - Granting or Removing Operations Permissions
  - Granting or Removing User Group Permissions
  - Adding or Removing Enforced Filters
  - Permissions for Sortable Field Sets
  - Sharing Resources
  - Controlling Who Has Permissions to Deploy Data Monitors
- Chapter 7: Managing Notifications
- Chapter 8: Monitoring Events
  - Monitoring Active Channels
  - Using Views
  - Viewing and Using Channels
  - Viewing an Active Channel
  - Sorting Events in an Active Channel
  - Creating or Editing an Active Channel
  - Applying a Field Set to an Active Channel
  - Using an Active Channel Header
  - Filtering an Active Channel
  - Defining Grid Fields Options
  - Saving Copies of Active Channels and Filters
  - Discovering Patterns in an Active Channel
  - Deleting an Active Channel
  - Adding a View Format
  - Changing View Layouts
  - Best Practices to Optimize Channel Performance
  - Active Channels or Reports?
  - Active Channels or Query Viewers?
  - Active Channel Query Time Ranges
  - Active Channel Filters
  - Filtering on Indexed Fields
  - Filtering on Join Fields
  - Continuously Updating Time Parameters
  - End Time or Manager Receipt Time
  - Sorting in Active Channels
  - Use of the “Live” Channel from Standard Content
  - Case Sensitive or Case-Insensitive Conditions?
  - I/O Subsystem Performance
  - Diagnostics: Start with Basic Channel Characteristics
  - Investigating Views
  - Using Charts
  - Using Active Channels
  - Customizing Columns
  - Using Dashboards
  - Monitoring Dashboards
  - Loading Dashboards
  - Inspecting Events in Dashboards
  - Drilling Down to Other Resources
  - Displaying Dashboards
  - Displaying Dashboards in a Slide Show Rotation
  - Rearranging Elements in Dashboard Layouts
  - Using Dashboard Menu Options
  - Zooming In or Out of Dashboards
  - Fitting all Dashboard Elements
  - Saving Dashboard Layouts
  - Closing a Dashboard
  - Editing Dashboard Elements
  - Changing a Dashboard's Layout
  - Managing Dashboards
  - Managing Dashboard Groups
  - Monitoring Dashboards
  - Using Data Monitors
  - Creating a Data Monitor
  - Editing a Data Monitor
  - Adding a Drilldown
  - Editing a Drilldown
  - Changing the Default Drilldown
  - Sorting or Changing the Order of Drilldowns
  - Removing a Drilldown
  - Moving or Copying a Data Monitor
  - Deleting a Data Monitor
  - Enabling or Disabling a Data Monitor
  - Overriding a Data Monitor's Last State
  - Managing Data Monitor Groups
  - Optimizing the Evaluation of Event Filters for Data Monitors
  - Using Query Viewers
  - Using Custom View Dashboards
  - Monitoring Active Lists
  - Graphing Attacks
  - Monitoring Active Channels
- Chapter 9: Selecting and Investigating Events in Active Channels
- Chapter 10: Filtering Events
- Chapter 11: Building Queries
  - How Queries Work
  - Using Queries and Trends Together for Reports
  - Using Queries in Query Viewers
  - Building a Query
  - Defining Query Settings
  - General Query Attributes
  - Query Fields
  - SELECT Query Fields
  - Query Structure (SELECT)
  - Applying Functions to SELECT Columns
  - GROUP BY Query Fields
  - Query Structure (GROUP BY)
  - Applying Time-Based Functions to GROUP BY Columns
  - ORDER BY Query Fields
  - Query Structure (ORDER BY)
  - Applying a Column Function to Order By
  - Sort Order
  - Query Conditions
  - Creating Conditions on a Field
  - Tips on Creating Conditions
  - Creating Group Conditions
  - Query Variables
  - Editing a Query
  - Example: Creating Asset-Related Conditions for Queries on Lists
- Chapter 12: Query Viewers
  - What are Query Viewers?
  - Pre-Built and Custom Query Viewers
  - Creating or Editing a Query Viewer
  - Defining Query Viewer Settings
  - Deleting a Query Viewer
  - Defining and Using Baselines
  - Managing Drilldowns from Query Viewers
  - Running Queries and Viewing Results
  - Troubleshooting Query Viewers
  - Adding Query Viewers to Dashboards
  - Adding Query Viewers as Startup Views
  - Generating Reports from Query Viewers
  - Example Queries for Common Scenarios
- Chapter 13: Building Reports
  - Understanding the Reporting Workflow
  - Using Report Templates
  - Creating Reports
  - How Reports Work
  - Creating or Editing a Report
  - Defining Report Settings
  - Binding Data to the Report
  - Binding Data to Charts
  - Selecting Data for the X-Axis on a Chart
  - Selecting Data for the Y-Axis on a Chart
  - Selecting Data for the Z-Axis on a Chart (Optional)
  - Effect of Sorting on Bar Charts with Series Data
  - Specifying Top/Bottom Filters Aggregation Filters for a Chart (Optional)
  - Setting Display Options and Scale Formats for Charts
  - Binding Data to Tables
  - Setting Default and Custom Report Parameters
  - Generating Reports with Asian Fonts
  - Creating Focused Reports
  - End-to-End Reporting Examples
  - Example of Creating a Simple Report with the Wizard
  - Advanced Reporting Example Overview
- Chapter 14: Building Trends
  - How Trends Work
  - Snapshot Trend
  - Interval Trend
  - Query-Trend Relationships in Reporting
  - Building a Trend
  - Defining Trend Settings
  - Trend Attributes
  - Trend Schedule
  - Trend Parameters
  - Trend Actions (Add to Active List)
  - How Trend Actions are Useful (Summary Views and Rules)
  - Plan and Define Active Lists with Fields Mapped to Trend
  - Define a Trend Action
  - Example: Populating Active Lists with Trend Results
  - Notes on Trend Action Behavior
  - Editing a Trend Action
  - Removing a Trend Action
  - Testing a Trend
  - Viewing Trend Data
  - Refreshing Trend Data
  - Editing or Viewing a Trend Definition
  - Using a Trend in a Query or Report
  - Disabling or Enabling a Trend
  - Deleting a Trend
- Chapter 15: Running and Managing Reports
- Chapter 16: List Authoring
  - Required Settings for Large Lists
  - Creating an Active List
  - Editing Active Lists and Active List Entries
  - Using Rules to Populate an Active List
  - Adding Events from a Channel to an Active List
  - Moving or Copying an Active List
  - Importing and Exporting an Active List
  - Deleting an Active List
  - Managing Active List Groups
  - Managing Session Lists
  - Field Naming Restrictions
- Chapter 17: Rules Authoring
  - Designing Rules
  - Rule Types
  - Managing Rules
  - Specifying Rule Conditions
  - Specifying Rule Thresholds and Aggregation
  - Managing Rule Actions
  - Converting Rule Types
  - Testing Rules
  - Verifying Rules with Events
  - Deploying Real-time Rules
  - Managing Rule Groups
  - Importing and Exporting Rules
  - Scheduling Rules
- Chapter 18: Field Sets
- Chapter 19: Global Variables
- Chapter 20: Identity Correlation
  - Understanding Session Correlation
  - Managing Session Lists
  - Example: Using Session Lists to Correlate Session Data on User Logins
  - Example: Using Active Lists to Correlate Users
- Chapter 21: Case Management and Queries
  - Creating or Editing a Case
  - Using the Initial - Attributes Tab
  - Using the Initial - Description Tab
  - Using the Initial - Security Classification Tab
  - Using the Follow Up Tab
  - Using the Final - Attack Mechanism Tab
  - Using the Final - Attack Agent Tab
  - Using the Final - Incident Information Tab
  - Using the Final - Vulnerability Tab
  - Using the Final - Other Tab
  - Using the Events Tab
  - Using the Attachments Tab
  - Managing Cases
  - Working with Events in Cases
  - Managing Case Groups
  - Viewing Group Cases in a Grid View
  - Running Case Queries
  - Creating a Report from a Case
  - Using External Case Management Systems
  - Creating or Editing a Case
- Chapter 22: Integration Commands
  - What are Integration Commands?
  - Planning Checklist and Workflow
  - Navigating to Integration Command Resources
  - Defining Commands
  - Using Configurations to Group Commands
  - Specifying Targets
  - Authorization and Authentication Settings
  - Running Integration Commands
  - Entering/Saving Command Parameters at Runtime
  - Ready-Made ArcSight Threat Response Manager (TRM) Commands
  - ArcSight Logger Search Commands
  - Network Tools as Integration Commands
  - More Integration Examples
- Chapter 23: Knowledge Base Authoring
- Chapter 24: Managing Resources
- Chapter 25: Managing Packages
- Chapter 26: Pattern Discovery
- Chapter 27: Actors
  - About Actors
  - Configuring Actors
  - Permissions Required to Use Actor-Related Data
  - Viewing Actors on the Console
  - Viewing an Actor in the Actor Editor
  - Viewing Actors in an Actor Channel
  - Filtering Actor Channels
  - Managing Actor Channels
  - Investigating Actors
  - Creating and Editing Actors for Testing Purposes
  - Leveraging Actor Data Using Variables
  - Creating and Using Category Models
- Chapter 28: Reference Guide
  - Access Control Lists
  - Active Channels
  - Active Lists
  - Administrator
  - Advanced Editor
  - Aggregation
  - ArcSight Console
  - Assets
  - Asset Auto-Creation
  - Attack
  - Audit Events
  - Audit Events Common to Most Resources
  - Active Channel
  - Active List
  - Actor
  - Archive
  - Authentication
  - Authorization
  - Connector Connection
  - Connector Exceptions
  - Connector Login
  - Connector Registration and Configuration
  - Content Management
  - Dashboard
  - Data Monitors
  - Global Variables
  - Group Management
  - License Audit
  - Logger Component
  - Manager Activation
  - Manager External Event Flow Interruption
  - Notification
  - Notification Acknowledgement, Escalation, and Resolution
  - Notification Testing
  - Pattern Discovery
  - Query Viewers
  - Reports
  - Resource Quota
  - Rule Actions
  - Rule Activations
  - Rule Firings
  - Rule Warnings
  - Scheduler Execution
  - Scheduler Scheduling Tasks
  - Scheduler Skip
  - Session Lists
  - Stress
  - Trends
  - Trend Partitions
  - User Login
  - User Management
  - Base Queries for Query Viewers
  - Batching
  - Case Editor Tab Fields
  - Case Editor Initial - Attributes Tab
  - Case Editor Initial - Description Tab
  - Case Editor Initial - Security Classification Tab
  - Case Editor Follow-Up Tab
  - Case Editor Final - Attack Mechanism Tab
  - Case Editor Final - Attack Agent Tab
  - Case Editor Final - Incident Information Tab
  - Case Editor Final - Vulnerability Tab
  - Case Editor Final - Other Tab
  - Case Editor Events Tab
  - Case Editor Attachments Tab
  - Case Editor Notes Tab
  - Cases
  - Categories
  - Collaboration
  - Common Conditions Editor (CCE)
  - Conditional Statements
  - Conditions
  - Content
  - CORR-Engine
  - Correlation
  - Correlation Rule
  - Customers
  - Dashboards
  - Dashboard Context Menu Commands
  - Data Fields
  - Connector Group
  - Attacker Group
  - Category Group
  - Destination Group
  - Device Group
  - Device Custom Group
  - Event Group
  - Event Annotation Group
  - File Group
  - Final Device Group
  - Flex Group
  - Manager Group
  - Old File Group
  - Original Connector Group
  - Request Group
  - Source Group
  - Target Group
  - Threat Group
  - Resource Attributes
  - Geographical Attributes
  - Data Monitors
  - Asset Category Count Data Monitor
  - Event Correlation Data Monitor
  - Event Graph Data Monitor
  - Event Reconciliation Data Monitor
  - Geographic Event Graph Data Monitor
  - Hierarchy Map Data Monitor
  - Features
  - Use Cases
  - Defining a Hierarchy Map Data Monitor
  - Adding Variables
  - Specifying the Source Node Identifiers
  - Hierarchy Levels and Group Delimiters
  - Specifying Group Attributes
  - Hierarchy Map Display and Visualization Controls
  - Map Display and An Example
  - Labels, Size, and Color Controls
  - Selecting Colors for the Blocks
  - Hourly Counts Data Monitor
  - Last N Events Data Monitor
  - Last State Data Monitor
  - Moving Average Data Monitor
  - Rules Partial Match Data Monitor
  - Session Reconciliation Data Monitor
  - Statistics Data Monitor
  - System Monitor Data Monitor
  - System Monitor Attribute Data Monitor
  - Top Value Counts Data Monitor
  - Data Monitor Expressions
  - Device
  - Event Inspector
  - Events
  - Event Categorization
  - Event Handling Stages
  - Field Sets
  - Filters
  - Global Variables
  - Grid View
  - iDefense
  - Inspect/Edit Panel
  - Job Scheduler
  - Knowledge Base
  - Logical Operators
  - Managed Security Service Providers (MSSPs)
  - Manager
  - Navigator Panel
  - Notifications
  - Packages
  - Pattern Discovery
  - Payload
  - Prioritization Fields
  - Priority Calculations and Ratings
  - Queries
  - Query Viewers
  - Reference Pages
  - Regex (Regular Expressions)
  - Reports
  - Report Templates
  - Resources
  - Resource Attributes
  - Rules
  - Rule Actions
  - Rule Conditions
  - Rules Editor
  - Schema
  - Send Logs
  - Session Correlation
  - Session Lists
  - SmartConnectors
  - SMTP
  - Sortable Field Sets
  - Status Monitor Events
  - Active Channel Statistics
  - Active List Statistics
  - Asset Statistics
  - Data Monitor Statistics
  - Event Broker Statistics
  - Filter Engine Statistics
  - Main Flow Statistics
  - Notification Statistics
  - Pattern Discovery Statistics
  - Report Statistics
  - Resource Framework Statistics
  - Rules Engine Statistics
  - Session List Statistics
  - Session Management Statistics
  - SmartConnector Flow Statistics
  - Threat
  - Threat Evaluation
  - Thresholds
  - Time Error Correction
  - Timestamps
  - Timestamp Variables
  - Time Zone Correction
  - Trends
  - User Groups
  - Users
  - Variables
  - About Functions
  - About Remote Variables
  - Local and Global Variables
  - Variable Definition Fields
  - Alias Functions
  - Arithmetic Functions
  - Category Model Function
  - Condition Functions
  - Group Functions
  - IP Address Functions
  - List Functions
  - String Functions
  - Timestamp Functions
  - Type Conversion Functions
  - Value List Functions
  - Using Functions: Examples with Lists
  - Variable Availability and Contexts
  - Variable Functions for In-Memory Operations
  - Velocity Templates
  - Views
  - Vulnerabilities
  - Web Browsers