ArcSight Console User's Guide ESM Arc Sight User 6.9.1

Page Count: 1106

HP ArcSight ESM
Software Version: 6.9.1c

ArcSight Console User's Guide

February 17, 2016

Legal Notices
Warranty
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products
and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or
editorial errors or omissions contained herein.
The information contained herein is subject to change without notice.
The network information used in the examples in this document (including IP addresses and hostnames) is for illustration
purposes only.
HP ArcSight products are highly flexible and function as you configure them. The accessibility, integrity, and confidentiality of
your data is your responsibility. Implement a comprehensive security strategy and follow good security practices.
This document is confidential.

Restricted Rights Legend
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211
and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items
are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice
© Copyright 2016 Hewlett-Packard Development Company, L.P.
Follow this link to see a complete statement of copyrights and acknowledgements:
http://www.hpenterprisesecurity.com/copyright

Support
Contact Information
Phone

A list of phone numbers is available on the HP ArcSight Technical Support Page: https://softwaresupport.hp.com/documents/10180/14684/esp-supportcontact-list

Support Web Site

https://softwaresupport.hp.com

Protect 724 Community

https://protect724.hp.com

HP ESM (6.9.1c)

Page 2 of 1106

Contents

Chapter 1: Getting Started .... 38
    Starting the Console .... 38
    Quick Start Tools and Standard Content .... 38
    Use Cases .... 39

Chapter 2: Working in the Console .... 40
    Navigating .... 40
    Navigator Panel Resource Tree .... 41
    Using SmartFolders .... 43
    Using Resource Groups .... 44
    Adding or Editing a Resource Group .... 44
    Using the Categories Tab for Asset Groups .... 45
    Batch Editing .... 45
    Batch-Editing Cases or Connectors .... 45
    Cases Reminder .... 46
    SmartConnector Reminders .... 46
    Reconnecting to the Manager .... 46
    Viewing .... 46
    The Viewer Panel .... 46
    Console Look-and-Feel .... 48
    Inspecting and Editing .... 48
    Overview of Inspect/Edit Features and Utilities .... 49
    Searching for Fields in Event Inspector, Resource Editors, or CCE .... 50
    Getting More Help .... 51
    Controlling the Console .... 51
    Using the Network Tools .... 53
    Running a Tools Command .... 53
    Adding or Editing a Tool .... 54
    Staying Informed .... 56
    Acknowledging Notifications .... 56
    Using Notes .... 57
    License Tracking .... 58
    License Tracking Notifications .... 58
    Standard Reports for License Status Tracking .... 58
    Using the File Menu .... 59
    Using the Edit Menu .... 59
    Using the View Menu .... 60
    Using the Window Menu .... 61
    Using the Tools Menu .... 61
    Using the System Menu .... 62
    Using Right-Click Context Menus .... 63
    Using the Help Menu .... 65
    Keyboard Shortcuts (Hot Keys) .... 66
    Printing from the Console .... 67
    Printing Navigation Tree Views of Resources .... 68
    Printing Resource Definitions .... 68
    Printing Grid Views .... 69
    Printing Conditions Tree Summary .... 70
    Using Column Flip Limit to Format Grid View Printouts .... 71
    Error and Warning Messages .... 74

Chapter 3: Personalizing the Console .... 76
    Changing the Console Display .... 76
    Changing User Preferences .... 77
    Changing Your Password .... 78
    Changing Other Users' Passwords .... 78
    Setting Default Editors and Viewers .... 78
    Changing Global Options .... 79
    Setting Dialog Options .... 81
    Setting Grid Options for the Viewer Panel .... 83
    Customizing the Default Selections for Active Lists .... 85
    Setting Date and Time Formats .... 86
    Setting Latitude and Longitude Options .... 86
    Configuring Event Graphs .... 87
    Setting Notification Popups .... 89
    Managing Hot Keys .... 89
    Adding Shortcuts for Frequently Used Resources .... 90
    Modifying a Custom Shortcut .... 92
    Modifying Custom Shortcuts for Resources .... 94
    Removing a Custom Shortcut .... 94
    Removing Custom Shortcuts for Resources .... 95
    Activating a New Shortcut Schema .... 96
    Sharing Custom Shortcut Schemas .... 96
    Saving and Sending Settings .... 97

Chapter 4: Modeling the Network .... 98
    The Network Model .... 99
    Assets .... 100

    Automatically-Created Assets .... 100
    Asset Aging and Model Confidence .... 102
    Asset Ranges .... 103
    Zones .... 103
    Dynamic and Static Zones .... 104
    Networks .... 104
    Asset Model .... 105
    Locations .... 105
    Vulnerabilities .... 105
    Asset Categories .... 106
    Asset Categories Assigned to Assets, Asset Ranges, and Asset Groups .... 106
    Asset Categories Assigned to Zones .... 106
    Populating the Network Model with Assets .... 107
    Console-Based Methods .... 107
    Manually, Using Network Modeling Resources .... 108
    In a Batch Using the Network Modeling Wizard .... 108
    SmartConnector-Based Methods .... 109
    Using the Asset Model Import FlexConnector .... 109
    Automatically From a Vulnerability Scanner Report .... 109
    ArcSight-Assisted Methods .... 110
    As an Archive File From an Existing Configuration Database .... 110
    Populating the Network Model Using the Wizard .... 110
    Specifying CSV Column Types .... 111
    Specify the Column Type Using a Header .... 112
    Specifying Multiple Categories in one Category Column .... 113
    Assign the Column Type in the Wizard .... 113
    Zones CSV File Format .... 115
    An Example of a Zones CSV File .... 116
    Assets CSV File Format .... 116
    An Example of an Assets CSV File .... 118
    Static Addressing in a Dynamic Zone .... 118
    Asset Ranges CSV File Format .... 119
    An Example of an Asset Ranges CSV File .... 120
    Increasing the Number of Displayed Rows .... 120
    Summary of Data to Import .... 121
    Network Data Imported into ArcSight Manager .... 121
    Auto-Zoning of Imported Assets .... 122
    Working with Assets, Locations, Zones, Networks, Vulnerabilities, and Categories .... 122
    Managing Assets .... 123
    Selecting Assets in the Common Conditions Editor .... 125
    Auto Zoning an Asset .... 126
    Managing Asset Groups .... 127
    Managing Vulnerabilities .... 128
    Selecting Vulnerabilities in the Common Conditions Editor .... 130
    Working with Vulnerable Assets .... 131
    Managing Vulnerability Groups .... 132
    Showing Affected Assets .... 133
    Reporting on Output from Vulnerability Scanners .... 134
    Reporting on Asset Vulnerabilities .... 134
    Managing Zones .... 135
    Managing Networks .... 136
    Managing Asset Categories .... 136
    Managing Locations .... 137
    Managing Customers .... 138

Chapter 5: Managing SmartConnectors .... 140
    Selecting and Setting SmartConnector Parameters .... 140
    Configuring the SmartConnector .... 140
    Connector Editor Tabs .... 142
    Connector Tab Configuration Fields .... 143
    Default Content Tab Configuration Fields .... 144
    SmartConnector Processing Categories .... 157
    SmartConnector Time Interval Options .... 158
    Managing SmartConnector Filter Conditions .... 159
    Adding SmartConnector Filter Conditions .... 159
    Deleting SmartConnector Filter Conditions .... 160
    Setting Special Severity Levels .... 161
    Sending Model Mappings to SmartConnectors .... 163
    Sending Control Commands to SmartConnectors .... 163
    Getting Status Reports .... 163
    Sending Standard Flow-Control Commands .... 164
    Tech Support Commands .... 166
    Mapping Commands .... 168
    Managing SmartConnector Groups .... 171
    Importing and Exporting SmartConnector Configurations .... 173
    Importing a SmartConnector Configuration .... 173
    Exporting a SmartConnector Configuration .... 174
    SmartConnector Filters .... 175
    Using Additional Data Fields .... 175
    Upgrading SmartConnectors .... 175
    Overview of the Upgrade Process .... 176
    SmartConnector Upgrade Procedure .... 177
    Rolling back to a Previous Version .... 178
    Troubleshooting .... 178
    Getting Status and Versions on Installed SmartConnectors .... 179

Chapter 6: Managing Users .... 180
    Managing User Groups .... 180
    Managing Users .... 182
    Creating or Editing a User .... 183
    Resetting User Passwords .... 186
    Moving or Linking a User .... 186
    Deactivating and Reactivating a User .... 186
    Deleting a User .... 187

Chapter 6: Managing Permissions .... 189
    Editing Access Control Lists (ACLs) .... 189
    Granting or Removing Resource Permissions .... 190
    Granting or Removing Operations Permissions .... 192
    Granting or Removing User Group Permissions .... 193
    Adding or Removing Enforced Filters .... 196
    Permissions for Sortable Field Sets .... 198
    Sharing Resources .... 199
    Controlling Who Has Permissions to Deploy Data Monitors .... 200
    How Upgrades Affect Data Monitor Deploy Permissions .... 201
    Deployment Permissions on Imported Data Monitors .... 201

Chapter 7: Managing Notifications .... 203
    Managing Received Notifications .... 203
    Managing Notification Groups .... 204
    Managing Notification Destinations .... 205
    Changing Notification and Acknowledgment Settings .... 207
    Testing Notification Groups and Destinations .... 208
    Managing Escalation Levels .... 209

Chapter 8: Monitoring Events .... 210
    Monitoring Active Channels .... 210
    Using Views .... 210
    Viewing and Using Channels .... 211
    Viewing an Active Channel .... 211
    Sorting Events in an Active Channel .... 212
    Creating or Editing an Active Channel .... 213
    Applying a Field Set to an Active Channel .... 216
    Using an Active Channel Header .... 216
    Filtering an Active Channel .... 218
    Defining Grid Fields Options .... 218
    Saving Copies of Active Channels and Filters .... 219
    Discovering Patterns in an Active Channel .... 219
    Deleting an Active Channel .... 219
    Adding a View Format .... 219
    Changing View Layouts .... 219
    Best Practices to Optimize Channel Performance .... 220
    Active Channels or Reports? .... 220
    Active Channels or Query Viewers? .... 220
    Active Channel Query Time Ranges .... 220
    Active Channel Filters .... 220
    Filtering on Indexed Fields .... 221
    Filtering on Join Fields .... 221
    Continuously Updating Time Parameters .... 221
    End Time or Manager Receipt Time .... 221
    Sorting in Active Channels .... 221
    Use of the “Live” Channel from Standard Content .... 222
    Case Sensitive or Case-Insensitive Conditions? .... 222
    I/O Subsystem Performance .... 222
    Diagnostics: Start with Basic Channel Characteristics .... 222
    Investigating Views .... 223
    Using an Event Attribute to Show a New Filtered View .... 223
    Refining a Filter with an Event Attribute .... 224
    Adding an Event Attribute to a Filtering Condition .... 224
    Permanently Modifying an Active Channel .... 225
    Showing an Exploited Vulnerability .... 225
    Showing a Targeted Asset .... 225
    Using Charts .... 226
    Charting an Active Channel's Contents .... 226
    Charting a Data Monitor's Contents .... 226
    Exploring the Events Behind a Chart .... 227
    Using Active Channels .... 228
    Monitoring Events in the Active Channel .... 228
    Sorting Columns in the Active Channel .... 228
    Adding, Replacing, or Removing a Column .... 228
    Sizing a Column in the Active Channel .... 230
    Showing or Hiding Column Text and Icons .... 230
    Exporting Events to a File .... 230
    Choosing Active Channel Menu Commands .... 232
    Filtering Active Channels with Inline Filters .... 234
    Customizing Columns .... 236
    Creating a Custom Column .... 236
    Showing a Custom Column .... 237
    Advanced Example: Creating a Custom Column with Velocity Template .... 237
    Using Dashboards .... 238
    Monitoring Dashboards .... 238

    Loading Dashboards .... 238
    Inspecting Events in Dashboards .... 239
    Drilling Down to Other Resources .... 240
    Displaying Dashboards .... 240
    Displaying Dashboards in a Slide Show Rotation .... 240
    Rearranging Elements in Dashboard Layouts .... 240
    Using Dashboard Menu Options .... 241
    Zooming In or Out of Dashboards .... 241
    Fitting all Dashboard Elements .... 241
    Saving Dashboard Layouts .... 241
    Closing a Dashboard .... 241
    Editing Dashboard Elements .... 241
    Changing a Dashboard's Layout .... 241
    Managing Dashboards .... 241
    Creating or Editing a Dashboard .... 242
    Adding a Data Monitor to a Dashboard .... 242
    Adding a Query Viewer to a Dashboard .... 243
    Display Formats .... 243
    Deleting a Dashboard .... 244
    Managing Dashboard Groups .... 244
    Using Data Monitors .... 246
    Creating a Data Monitor .... 246
    Editing a Data Monitor .... 250
    Adding a Drilldown .... 250
    Editing a Drilldown .... 255
    Changing the Default Drilldown .... 255
    Sorting or Changing the Order of Drilldowns .... 256
    Removing a Drilldown .... 257
    Moving or Copying a Data Monitor .... 257
    Deleting a Data Monitor .... 257
    Enabling or Disabling a Data Monitor .... 257
    Enabling or Disabling a Data Monitor from the Editor .... 258
    Enabling or Disabling a Data Monitor in the Navigator .... 259
    Overriding a Data Monitor's Last State .... 259
    Managing Data Monitor Groups .... 259
    Creating a Data Monitor Group .... 260
    Renaming a Data Monitor Group .... 260
    Editing a Data Monitor Group .... 260
    Moving or Copying a Data Monitor Group .... 260
    Deleting a Data Monitor Group .... 260
    Enabling or Disabling Data Monitor Groups .... 261
    Optimizing the Evaluation of Event Filters for Data Monitors .... 261
    Requirement .... 261
    Automating the Optimization of Filter Conditions .... 262
    Tracing the Optimization .... 262
    Disabling the Optimization Feature .... 264
    Using Query Viewers .... 264
    Using Custom View Dashboards .... 264
    Displaying Custom View Dashboards .... 264
    Refreshing the Custom View Dashboard Layout .... 265
    Custom View Dashboard Context Menu Options .... 265
    Reverting to the Regular Dashboard View .... 266
    Working with Custom View Dashboards .... 266
    To Select View Mode .... 267
    Arranging Custom View Dashboards .... 267
    Selecting Arrange Mode .... 267
    Loading a Background Image .... 267
    Selecting a Previously Uploaded Background Image .... 268
    Verifying the Background Image .... 268
    Removing a Background Image .... 268
    Monitoring Active Lists .... 269
    Graphing Attacks .... 270
    Creating Static Event Graphs .... 271
    Creating Live Event Graphs .... 271
    Event Graph Notes .... 272

Chapter 9: Selecting and Investigating Events in Active Channels .... 274
    Selecting Events in the Active Channel .... 274
    Showing Event Details and Rule Chains .... 274
    Investigating Session Events .... 276
    Collaborating on Events (Event Annotation) .... 277
    Annotating an Event .... 278
    Event Annotation Fields .... 278
    Comments Field .... 279
    Mark Similar Events Fields .... 279
    Annotation Preservation .... 280
    Viewing Annotations for an Event .... 280
    Creating or Editing Stages .... 280
    Working with Event Payloads .... 282
    Exporting Data Fields to a CSV File .... 283
    Getting Knowledge Base Articles .... 285

Chapter 10: Filtering Events .... 286
    Creating Filters .... 286
    Creating or Editing a Filter .... 286
    Creating and Editing an Inline Filter .... 288
    Applying Filters .... 289
    Moving or Copying Filters .... 291
    Deleting Filters .... 291
    Debugging Filters to Match Events .... 291
    Importing and Exporting filters .... 294
    Managing Filter Groups .... 294
    Investigating Views .... 296
    Using an Event Attribute to Show a New Filtered View .... 297
    Refining a Filter with an Event Attribute .... 297
    Filtering Out ArcSight Events .... 298
    Adding an Event Attribute to a Filtering Condition .... 298
    Modifying Views .... 299

Chapter 11: Building Queries .... 301

    How Queries Work .... 301
    Using Queries and Trends Together for Reports .... 301
    Using Queries in Query Viewers .... 302
    Building a Query .... 302
    Navigating to Queries .... 302
    Creating a New Query .... 303
    Defining Query Settings .... 303
    General Query Attributes .... 303
    Query Fields .... 308
    SELECT Query Fields .... 309
    Query Structure (SELECT) .... 310
    Applying Functions to SELECT Columns .... 310
    GROUP BY Query Fields .... 311
    Query Structure (GROUP BY) .... 312
    Applying Time-Based Functions to GROUP BY Columns .... 313
    ORDER BY Query Fields .... 314
    Query Structure (ORDER BY) .... 315
    Applying a Column Function to Order By .... 316
    Sort Order .... 316
    Query Conditions .... 316
    Creating Conditions on a Field .... 317
    Tips on Creating Conditions .... 318
    Creating Group Conditions .... 318
    Query Variables .... 318
    Editing a Query .... 319
    Example: Creating Asset-Related Conditions for Queries on Lists .... 320

Chapter 12: Query Viewers .... 323
    What are Query Viewers? .... 323
    Pre-Built and Custom Query Viewers .... 325
    Standard Content .... 325
    Custom Query Viewers .... 326
    Customizing Query Viewers as Needed .... 326
    inActiveList Conditions for Queries .... 326
    Creating or Editing a Query Viewer .... 326
    Defining Query Viewer Settings .... 328
    Query Viewer Attributes .... 328
    Query Viewer Fields .... 331
    Sort Options .... 333
    Baselines .... 333
    Query Viewer Variables .... 334
    Deleting a Query Viewer .... 335
    Defining and Using Baselines .... 335
    Why Baselines are Useful .... 336
    Planning for Baseline Comparisons .... 337
    Adding a Baseline .... 337
    Comparing Displayed Results to a Baseline .... 338
    Show or Hide Baseline Columns .... 340
    Sort Baseline Data .... 340
    Filter Baseline Data .... 341
    Removing a Baseline .... 341
    Managing Drilldowns from Query Viewers .... 342
    Adding a Drilldown .... 342
    Editing a Drilldown .... 346
    Changing the Default Drilldown .... 346
    Sorting or Changing the Order of Drilldowns .... 346
    Removing a Drilldown .... 347
    Running Queries and Viewing Results .... 348
    Working with Query Viewer Results .... 352
    Results in Table Format .... 352
    Investigate View Options .... 352
    Column Sort, Display, and Edit Options .... 355
    Results in Chart Formats .... 357
    Filtering Query Viewer Results .... 359
    Viewing an Event or Resource Directly from the Query Viewer .... 360
    Troubleshooting Query Viewers .... 360
    Adding Query Viewers to Dashboards .... 360
    Adding Query Viewers as Startup Views .... 361
    Generating Reports from Query Viewers .... 362
    Example Queries for Common Scenarios .... 363
    Basic Analysis High Level Summaries .... 364
    Analyst’s First View of Events .... 364
    How the Events Query Viewer is Built .... 365
    Drilldown Example .... 367
    How the Console Builds Drilldowns .... 369
    Non-Event Analysis Example .... 369
    Baseline Analysis for Data Comparison .... 369
    History Analysis Example .... 370

Chapter 13: Building Reports .... 371
    Understanding the Reporting Workflow .... 371
    Step 1 - Build a Query .... 372
    Step 2 - Build a Trend Based on a Query .... 373
    Step 3 - Build a Query Based on a Trend .... 373
    Step 4 - Select or Design a Report Template .... 373
    Step 5 - Create a Report .... 374
    Step 6 - Run a Report .... 374
    Step 7 - Archive and Maintain Reports .... 375
    Managing Dependencies for Reports Resources .... 375
    Using Report Templates .... 375
    Applying a Template to an Existing Report .... 376
    Creating a New Report Based on a Template .... 377
    Copying a Template .... 378
    Editing a Template .... 378
    Creating Reports .... 379
    How Reports Work .... 379
    Creating or Editing a Report .... 379
    Defining Report Settings .... 381
    Report Attributes .... 381
    Report Templates .... 382
    Report Template Selection .... 382
    Text Attributes .... 383
    Preview .... 385
    Binding Data to the Report .... 385
    Binding Data to Charts .... 386
    Selecting Data for the X-Axis on a Chart .... 387
    Selecting Data for the Y-Axis on a Chart .... 388
    Selecting Data for the Z-Axis on a Chart (Optional) .... 391
    Effect of Sorting on Bar Charts with Series Data .... 391
    Specifying Top/Bottom Filters Aggregation Filters for a Chart (Optional) .... 394
    Setting Display Options and Scale Formats for Charts .... 395
    Binding Data to Tables .... 396
    Specifying Fields for a Table .... 397
    Enabling the Aggregation Tab for a Table .... 400
    Setting Top/Bottom Counts in Table Aggregation Tab (Optional) .... 401
    Setting Default and Custom Report Parameters .... 402
    Adding Custom Parameters for Report Data .... 405
    Displaying a Custom Parameter Prompt at Report Runtime .... 406
    Defining the Prompt in the Query’s Condition Tab .... 406
    Adding or Removing a Prompt for Custom Parameters in the Report .... 408
    Generating Reports with Asian Fonts .... 410
    Creating Focused Reports .... 411
    End-to-End Reporting Examples .... 412
    Example of Creating a Simple Report with the Wizard .... 413
    Advanced Reporting Example Overview .... 415
    Step 1 - Build the VPN Logins Outcome Query .... 415
    Query Name and Other General Attributes .... 415
    Fields to Include in Query Result .... 416
    Query Conditions .... 417
    Step 2 - Build the VPN Logins Outcome Hourly Trend .... 418
    Step 3 - Filter the Trend Data (Login Attempts, Successes, Failures) .... 420
    Step 4 - Create the VPN Logins Outcome Report on Trend Data .... 422
    Choose a Template and Bind it to Result Data .... 422
    Use Custom Parameters .... 423
    Step 5 - Run the Report .... 425

Chapter 14: Building Trends .... 427

    How Trends Work .... 427
    Snapshot Trend .... 428
    Interval Trend .... 428
    Query-Trend Relationships in Reporting .... 428
    Building a Trend .... 429
    Navigating to Trends .... 430
    Creating a Trend .... 430
    Defining Trend Settings .... 431
    Trend Attributes .... 431
    Trend Schedule .... 436
    Trend Parameters .... 437
    Trend Actions (Add to Active List) .... 438
    How Trend Actions are Useful (Summary Views and Rules) .... 438
    Plan and Define Active Lists with Fields Mapped to Trend .... 439
    Define a Trend Action .... 439
    Example: Populating Active Lists with Trend Results .... 441
    Notes on Trend Action Behavior .... 443
    Editing a Trend Action .... 444
    Removing a Trend Action .... 444
    Testing a Trend .... 444
    Viewing Trend Data .... 445
    Refreshing Trend Data .... 446
    Editing or Viewing a Trend Definition .... 447
    Using a Trend in a Query or Report .... 447
    Disabling or Enabling a Trend .... 447
    Deleting a Trend .... 447

Chapter 15: Running and Managing Reports .... 448
    Running a New or Archived Report .... 449
    Running a Defined Report .... 449
    Displaying an Archived Report .... 453
    Running a Delta Report .... 453
    Running Reports from a Grid View .... 454
    Running a Rule Context Report .... 454
    Running an Event Context Report .... 455
    Running a Channel Report .... 455
    Running a Query Viewer Report .... 455
    Running Large or Complex Reports .... 457
    Moving or Copying a Report .... 458
    Managing Report Groups .... 458
    Archiving and Scheduling Reports .... 460
    Archiving a Report .... 460
    Scheduling Report Tasks .... 463
    Scheduling Individual-Report Archiving .... 463
    Scheduling Report Archiving by Resource Group .... 465
    Standard Time Transitions .... 465
    Viewing an Archived Report .... 466
    Editing a Report Archiving Schedule .... 466
    Editing Report Archiving Parameters .... 467
    Deleting a Report Archiving Schedule .... 467

Chapter 16: List Authoring .... 469
    Required Settings for Large Lists .... 469
    Creating an Active List .... 470
    Editing Active Lists and Active List Entries .... 477
    Using Rules to Populate an Active List .... 478
    Example Active List .... 478
    Example Rule to Populate Active List .... 479
    Adding Events from a Channel to an Active List .... 482
    Moving or Copying an Active List .... 483
    Importing and Exporting an Active List .... 483
    Deleting an Active List .... 484
    Managing Active List Groups .... 484
    Managing Session Lists .... 485
    Creating a Session List .... 486
    Using Rules to Populate a Session List .... 489
    Editing Session Lists and List Entries .... 489
    Moving or Copying a Session List .... 491
    Exporting a Session List .... 491
    Field Naming Restrictions .... 491

Chapter 17: Rules Authoring .... 493

    Designing Rules .... 493
    Rule Types .... 494
    Managing Rules .... 495
    Creating or Editing Rules .... 495
    Moving or Copying Rules .... 496
    Enabling and Disabling Rules .... 497
    Deleting Rules .... 498
    Specifying Rule Conditions .... 498
    Creating Rule Conditions .... 498
    Adding Filter Conditions .... 500
    Adding Asset Conditions .... 500
    Adding Vulnerability Conditions .... 501
    Adding Active List (InActiveList) Conditions .... 502
    Creating Matching or Join Conditions .... 504
    Editing or Deleting Join Data Field Conditions .... 506
    Negating Event Conditions .... 506
    Optimizing the Evaluation of Event Conditions .... 508
    Automating Condition Optimization .... 509
    Tracing the Optimization .... 509
    Disabling the Optimization Feature .... 511
    Specifying Rule Thresholds and Aggregation .... 511
    Setting or Changing Rule Thresholds .... 511
    Examples of Grouping Unique or Identical Field Values .... 512
    Aggregation Time Criteria .... 513
    Deleting Aggregation from a Rule .... 515
    Managing Rule Actions .... 515
    Adding, Editing, or Removing a Rule Action .... 516
    Activating or De-activating a Rule Trigger .... 517
    Enabling or Disabling a Rule Action .... 517
    Threshold Triggering Options .... 518
    Rule Actions Reference .... 520
    Applying Rule Actions on Cases .... 527
    Using a Rule to Create a Case .... 527
    Using a Rule to Add to an Existing Case .... 528
    Converting Rule Types .... 530
    Testing Rules .... 530
    Testing a Rule from the Rule Editor .... 531
    Showing Rule Errors .... 532
    Verifying Rules with Events .... 532
    Deploying Real-time Rules .... 536
    Deploying a Rule .... 536
    Removing or Un-deploying a Rule .... 537
    Managing Rule Groups .... 537
    Importing and Exporting Rules .... 539
    Scheduling Rules .... 539
    Scenarios for Using Scheduled Rules .... 540
    Scheduling a Rule Group .... 541
    Example of a Scheduled Rule (Badge Swipes and Logins) .... 543

Chapter 18: Field Sets .... 546
    Creating and Using Field Sets .... 546
    Creating a Field Set .... 547
    Field Set Editor: Attributes Tab .... 548
    Field Set Editor: Fields Tab .... 548
    Field Set Editor: Local Variables Tab .... 549
    Using the Fields & Global Variables Subtab .... 549
    Using the Field Sets Subtab .... 550
    Using the Local Variables Subtab .... 551
    Adding Custom Columns .... 552
    Editing a Field Set .... 552
    Sharing a Field Set .... 553
    Deleting a Field Set .... 553
    Resources That Use Field Sets .... 553
    About Global Variables .... 553

Chapter 19: Global Variables .... 555
    Remote Variables Processing .... 555
    Global Variable Dependencies .... 555
    Navigating to Global Variables .... 556
    Creating or Editing a Global Variable .... 556
    Global Variable Editor: Attributes Tab .... 557
    Global Variable Editor: Parameters Tab .... 558
    Global Variable Editor: Local Variables Tab .... 559
    Managing Global Variables .... 559
    Promoting a Local Variable to a Global Variable .... 559
    Adding a Global Variable to a Resource .... 562
    Accessing a Global Variable Using the CCE .... 562
    Adding Global Variables to an Active Channel .... 563
    Adding a Global Variable to a Data Monitor .... 564
    Adding a Global Variable to a Field Set .... 566
    Chaining a Global Variable .... 567

Chapter 20: Identity Correlation .... 569
    Understanding Session Correlation .... 569
    Managing Session Lists .... 570
    Creating a Session List Rule .... 571
    Using the Session List Output .... 572
    Creating a Variable .... 573
    Example: Using Session Lists to Correlate Session Data on User Logins .... 574
    Step 1 - Create a Session List to Store Windows Sessions .... 574
    Step 2 - Create Rules to Populate the Session List with Windows Logins .... 576
    Rule 1: Triggers on Windows Session Logins .... 577
    Attributes .... 577
    Conditions .... 577
    Aggregation .... 578
    Actions .... 579
    Rule 2: Triggers on Termination of Windows Sessions .... 580
    Step 3 - Verify Rules .... 582
    Step 4 - Use the Session List in a Report .... 584
    Example: Using Active Lists to Correlate Users .... 585
    Example Overview .... 586
    Step 1 - Build and Populate the Active List with User IDs .... 587
    Populating an Active List with User Data .... 588
    Step 2 - Create a Rule that Uses Active List Values to Correlate User IDs .... 590
    Attributes .... 590
    Variable .... 591
    Conditions .... 592
    Aggregation .... 594
    Actions .... 594

Chapter 21: Case Management and Queries .... 596
    Creating or Editing a Case .... 596
    Using the Initial - Attributes Tab .... 598
    Using the Initial - Description Tab .... 599
    Using the Initial - Security Classification Tab .... 600
    Using the Follow Up Tab .... 600
    Using the Final - Attack Mechanism Tab .... 601
    Using the Final - Attack Agent Tab .... 601
    Using the Final - Incident Information Tab .... 602
    Using the Final - Vulnerability Tab .... 602
    Using the Final - Other Tab .... 603
    Using the Events Tab .... 603
    Using the Attachments Tab .... 604
    Managing Cases .... 604
    Finding Cases .... 604
    Attaching a File to a Case .... 605
    Best Practices on Attaching Files to a Case .... 605
    Viewing a Case Attachment .... 606
    Tracking Modifications to a Case .... 606
    Viewing the Case’s Notes Tab .... 606
    Creating an Event Viewer for Cases’ Internal Audit Events .... 607
    Moving or Copying a Case to a Group .... 608
    Granting Permission to Delete Cases .... 608
    Deleting a Case .... 609
    Working with Events in Cases .... 609
    Viewing a Case's Events in a Channel .... 610
    Including Base Events through a Rule .... 610
    Creating or Updating a Case from Displayed Events .... 611
    Copying Event Details from Case to Case .... 612
    Deleting Events from a Case .... 612
    Managing Case Groups .... 613
    Viewing Group Cases in a Grid View .... 614
    Running Case Queries .... 615
    Creating a Report from a Case .... 615
    Running Case Reports and Setting Default Parameters .... 616
    Customizing the Case Report .... 619
    Customize Selected Case Query .... 620
    Customize Selected Case Report .... 621
    Add a Server Property for the New Report URI .... 621
    Using External Case Management Systems .... 622

Chapter 22: Integration Commands .... 623

    What are Integration Commands? .... 623
    Supported Command Types .... 624
    Out-of-the-Box Commands for ArcSight Appliances .... 624
    Local Scripts and Commands to Other Applications .... 625
    How It Works .... 625
    Planning Checklist and Workflow .... 626
    Navigating to Integration Command Resources .... 627
    Defining Commands .... 628
    Command Types and Attributes .... 629
    Script Commands .... 629
    URL Commands .... 630
    Connector Commands .... 631
    Adding and Editing Command Parameters .... 633
    Removing a Command Parameter .... 635
    Using Configurations to Group Commands .... 635
    Configurations Attributes .... 636
    Configurations Contexts .... 637
    Configurations Commands .... 639
    Adding a Command to a Configuration .... 639
    Editing Commands in a Configuration .... 640
    Removing Commands from a Configuration .... 640
    Configuration Targets .... 640
    Adding a Target to a Configuration .... 640
    Editing Targets in a Configuration .... 640
    Removing Commands from a Configuration .... 641
    Specifying Targets .... 641
    Target Attributes .... 642
    Target Integration Parameters .... 642
    Authorization and Authentication Settings .... 643
    Setting User Login Parameters .... 643
    Setting Login Credentials .... 643
    Setting Login Credentials on Target Servers .... 644
    Setting Logins and Other Parameters to Prompt for Values at Runtime .... 644
    Running Integration Commands .... 645
    Entering/Saving Command Parameters at Runtime .... 646
    Ready-Made ArcSight Threat Response Manager (TRM) Commands .... 647
    Prerequisites .... 647
    Options for Up-Front or On-the-Fly Configuration .... 647
    TRM Integration Commands .... 647
    Enabling TRM Commands .... 649
    Step 1 - Set up the Command Targets .... 649
    Step 2 - Set up the Command Configuration .... 650
    Step 3 - Set up Users for TRM Access .... 650
    Understanding NSP Authentication .... 651
    How to Get an NSP Authentication Token .... 651
    Examples of Running TRM URL Commands .... 653
    Attacker-Target Network Map .... 653
    Investigate Node .... 654
    Going Further with TRM Command Results .... 654
    ArcSight Logger Search Commands .... 655
    Logger Integration Commands .... 655
    Enabling Integrated Logger Searches .... 656
    1. Set up Logger Command Targets .... 656
    2. Set up the Logger Command Configuration .... 657
    3. Set up Users for Logger Access .... 657
    Example of Running a Logger Quick Search .... 658
    Network Tools as Integration Commands .... 659
    More Integration Examples .... 661

Chapter 23: Knowledge Base Authoring .... 665
    Managing Knowledge Base Articles .... 665
    Managing Knowledge Base Article Groups .... 667
    Associating Knowledge Base Articles .... 669

Chapter 24: Managing Resources .... 670
    Moving, Copying, Linking, and Deleting Resources .... 670
    Managing File Resources .... 671
    Uploading Files and Creating a File Resource .... 672
    Working with Files .... 672
    Locking and Unlocking Resources .... 674
    ArcSight Standard Content .... 675
    User-Created Content .... 675
    Selecting Resources .... 676
    Visualizing Resources .... 676
    Graphing Resources .... 676
    Using Graphs .... 677
    Configuring Resource Graphs .... 678
    Viewing Resources in Grids .... 679
    Validating Resources .... 679
    About Valid and Invalid Resources .... 679
    Fixing and Validating Resources .... 680
    Troubleshooting (Requirements for Valid Resources) .... 682
    Automatic and Manual Validation .... 683
    Resource Validation During Upgrade .... 683
    Extending Audit Event Logging .... 684
    Common Resource Attribute Fields .... 685
    Common .... 685
    Assign .... 686
    Saving Copies of Read-Only Resources .... 686
    Finding Resources .... 687
    How Fields are Indexed .... 687
    Using Text Search Syntax .... 688
    Using the Search Field on the Console Tool Bar .... 690
    Using the Search Result Columns .... 692
    Locating Specific Resources .... 692

Chapter 25: Managing Packages

693

Creating or Editing Packages

694

Adding Resources to Packages

698

Supported Package Resources for Content Synchronization

699

Exporting Packages

700

Importing Packages

701

Best Practices for Importing Packages

701

Backing Up and Restoring with Packages

703

ID Checking During Import

703

Package Modifications

704

List Data

704

Backup and Restore Summary

704

Installing or Uninstalling Packages

705

Deleting Packages

707

Removing Resources from Packages

708

Resolving Package Conflicts

708

Chapter 26: Pattern Discovery
Pattern Discovery Overview
What Pattern Detection Provides

HP ESM (6.9.1c)

710
710
710

Page 24 of 1106

ArcSight Console User's Guide

Pattern Components

711

How Pattern Discovery Works

712

Pattern Discovery Life Cycle

713

Creating or Editing a Profile

713

Specifying Actions

718

Creating Local Variables

721

Adding Notes

722

Deleting a Profile

722

Taking a Snapshot

723

Exploring a Snapshot

724

Arranging Elements in Graphic View

726

Scheduling a Snapshot

727

Re-opening a Snapshot

728

Deleting a Snapshot

728

Investigating Patterns

729

Investigating Patterns in the Snapshots View

729

Investigating Patterns in the Patterns View

731

Viewing Patterns with Filter

732

Inspecting Patterns

733

Creating Rules from Patterns

735

Annotating Patterns

737

Deleting a Pattern

738

Usage Guidelines

738

Establishing a Baseline of Normal Patterns

738

Using Pattern Discovery in Routine Operations

738

Performance Considerations

739

Adjusting Pattern Discovery Memory

739

Chapter 27: Actors
About Actors

740
740

How the Actors Feature Works

742

About the Actor Model Import Connectors

744

Troubleshooting Errors with Actor Model Imports

745

Configuring Actors

745

Permissions Required to Use Actor-Related Data

747

Viewing Actors on the Console

749

Viewing an Actor in the Actor Editor

750

HP ESM (6.9.1c)

Page 25 of 1106

ArcSight Console User's Guide

Viewing Actor Base Attributes

750

Viewing Actor Account Attributes

752

Viewing Actor Role Attributes

752

Viewing Actors in an Actor Channel

753

Sorting Fields in Actor Channels

754

Actor Channel Options

755

Filtering Actor Channels

756

Adding a Local Filter to the Actor Channel Resource

756

Creating an Inline Filter

757

Managing Actor Channels

758

Investigating Actors

758

Running Context Reports from an Actor Channel

759

Investigating an Actor from an Event Channel

761

Actor Context Reports in Standard Content

762

Creating and Editing Actors for Testing Purposes

762

Important Points to Consider About Making Manual Changes to Actors

763

Creating Actors for Testing Purposes

763

Editing Actors for Testing Purposes

765

Deleting Actors

766

Leveraging Actor Data Using Variables

766

Creating an Actor Global Variable

766

Creating an Actor-Based Variable in Another Resource

767

Creating and Using Category Models

768

Memory Recommendations for Using Category Models

768

Creating Category Models

769

Creating Actor-to-Actor Category Models

770

Creating Actor Attribute Category Models

773

Creating User-Defined Category Models

775

Managing Category Models

777

Viewing Category Models in Graphs

778

Leveraging Category Model Data Using Variables

781

Chapter 28: Reference Guide
Access Control Lists
Resource ACLs
Active Channels

783
783
783
785

Active Channel Views

785

Active Channel Headers

786

HP ESM (6.9.1c)

Page 26 of 1106

ArcSight Console User's Guide

Comparisons

787

Active Channel Views for Assets and Cases

787

Active Lists

787

Uses of Active Lists

788

Active Lists for Long-Term State Retention

788

Optimize Data with Hash-Based Active Lists

788

Active List Audit Events

789

Active List Monitor Events

790

Active Lists with Values

790

Using Variables to Retrieve Data from Active Lists with Values

791

Example: Active List with Values to Store Directory Information

791

Create an Active List

791

Populate the Active List

792

Correlate Information Stored in UserRoles List

792

Administrator

794

Advanced Editor

794

Aggregation

796

ArcSight Console

797

Assets

797

Assets Tab

797

Zones Tab

798

Networks Tab

798

Categories Tab

799

Vulnerabilities Tab

799

Locations Tab

800

Asset Auto-Creation

800

Creating Assets from a Vulnerability Scan Report
Creating Assets from a Vulnerability Scan Report for Static Zones

801

Creating Assets from a Vulnerability Scan Report for Dynamic Zones

801

Creating Assets for SmartConnectors

802

Creating Assets for SmartConnectors in Static Zones

803

Creating Assets for SmartConnectors in Dynamic Zones

804

Creating Assets for Network Devices

805

Creating Assets for Network Devices in Static Zones

806

Creating Assets for Network Devices in Dynamic Zones

806

Asset Names

HP ESM (6.9.1c)

800

807

Naming Assets from Scanner Events

807

Naming SmartConnector and Device Assets

808

Page 27 of 1106

ArcSight Console User's Guide

Asset Auto-Creation Advanced Configuration Options

808

Asset Auto-Creation from Scanners in Dynamic Zones

808

Create Asset with IP Address or Host Name

808

Preserve Previous Assets

810

Changing the Default Naming Scheme

811

Attack

812

Audit Events

812

Audit Events Common to Most Resources

813

Active Channel

814

Active List

814

Actor

815

Archive

815

Authentication

816

Authorization

817

Connector Connection

817

Connector Exceptions

818

Connector Login

819

Connector Registration and Configuration

819

Content Management

820

Dashboard

820

Data Monitors

821

Last State Data Monitors

821

Moving Average Data Monitor

821

Reconciliation Data Monitor

821

Statistical Data Monitor

822

Top Value Counts Data Monitor

822

Global Variables

822

Group Management

823

License Audit

823

Logger Component

824

HP ESM (6.9.1c)

Alerts

825

Certificates

828

Archives

829

Filters

831

Peers

832

Saved Searches

833

Storage Groups

834

Storage Rules (Storage Mapping)

835

Storage Volume

836

Page 28 of 1106

ArcSight Console User's Guide

Searches

836

Manager Activation

838

Manager External Event Flow Interruption

838

Notification

838

Notification Acknowledgement, Escalation, and Resolution

839

Notification Testing

839

Pattern Discovery

839

Query Viewers

839

Reports

840

Resource Quota

840

Rule Actions

840

Rule Activations

841

Rule Firings

841

Rule Warnings

842

Scheduler Execution

842

Scheduler Scheduling Tasks

842

Scheduler Skip

843

Session Lists

843

Stress

844

Trends

844

Trend Partitions

844

User Login

845

User Management

845

Base Queries for Query Viewers

846

Batching

846

Case Editor Tab Fields

846

Case Editor Initial - Attributes Tab

847

Case Editor Initial - Description Tab

848

Case Editor Initial - Security Classification Tab

849

Case Editor Follow-Up Tab

849

Case Editor Final - Attack Mechanism Tab

850

Case Editor Final - Attack Agent Tab

850

Case Editor Final - Incident Information Tab

851

Case Editor Final - Vulnerability Tab

851

Case Editor Final - Other Tab

851

Case Editor Events Tab

852

Case Editor Attachments Tab

852

Case Editor Notes Tab

852

Cases

853

HP ESM (6.9.1c)

Page 29 of 1106

ArcSight Console User's Guide

Case Groups
Categories

853
854

Object Category

855

Behavior Category

857

Outcome Category

858

Device Group Category

859

Technique Category

859

Significance Category

862

Asset Categories

863

Event Categories

863

Collaboration

863

Common Conditions Editor (CCE)

864

Editor Features

864

Condition Tree Command Buttons

866

Condition Tree Context Menu Commands

868

Adding Conditions

872

Search Box to Find Fields in the List

873

Field Comparisons with Variable or Static Values

874

Matching or Join Rules

875

Using Field Sets

876

Adding or Removing Global Variables Using the CCE

877

Testing for Zone Relevance

878

Conditional Statements

879

Conditions

880

Parameterized Conditions
Content

880
882

Content Packages

882

Custom Content

882

SmartConnector Content

882

CORR-Engine

883

Correlation

883

Correlation Rule

883

Customers

883

Dashboards

884

Dashboard Context Menu Commands

884

Data Fields

885

Connector Group

HP ESM (6.9.1c)

886

Page 30 of 1106

ArcSight Console User's Guide

Attacker Group

890

Category Group

895

Destination Group

896

Device Group

902

Device Custom Group

907

Event Group

911

Event Annotation Group

920

File Group

924

Final Device Group

925

Flex Group

928

Manager Group

929

Old File Group

929

Original Connector Group

929

Request Group

935

Source Group

936

Target Group

940

Threat Group

944

Resource Attributes

945

Geographical Attributes

945

Data Monitors

946

Asset Category Count Data Monitor

947

Event Correlation Data Monitor

948

Event Graph Data Monitor

950

Event Reconciliation Data Monitor

951

Correlation Event-Generating Fields

953

Geographic Event Graph Data Monitor

955

Hierarchy Map Data Monitor

956

Features

956

Use Cases

957

Defining a Hierarchy Map Data Monitor

957

Adding Variables

959

Specifying the Source Node Identifiers

959

Hierarchy Levels and Group Delimiters

960

Specifying Group Attributes

961

Hierarchy Map Display and Visualization Controls

962

Map Display and An Example

962

Labels, Size, and Color Controls

963

Selecting Colors for the Blocks

964

Hourly Counts Data Monitor

HP ESM (6.9.1c)

965

Page 31 of 1106

ArcSight Console User's Guide

Last N Events Data Monitor

966

Last State Data Monitor

967

Last State Data Monitor Parameters

968

Options for Table and Tile Views

969

Table View (Color Chooser and Remove Entry)

969

Tile View (Customize View)

969

Options for Table and Tile Views

972

Table View (Color Chooser and Remove Entry)

972

Tile View (Customize View)

972

Moving Average Data Monitor

974

Rules Partial Match Data Monitor

977

Session Reconciliation Data Monitor

978

Statistics Data Monitor

980

System Monitor Data Monitor

983

System Monitor Attribute Data Monitor

983

Top Value Counts Data Monitor

984

Data Monitor Expressions

986

Supported Data Monitor Expression Operators

987

Supported Data Monitor Expression Functions

987

Device

988

Event Inspector

988

Events

989

Event Categorization

990

Event Handling Stages

990

Field Sets

991

Filters

992

Filtering Options

992

Global Variables

993

Grid View

994

iDefense

994

Inspect/Edit Panel

995

Job Scheduler

996

To view all scheduled jobs

998

Troubleshooting Tips

998

Knowledge Base

998

Logical Operators

999

HP ESM (6.9.1c)

Page 32 of 1106

ArcSight Console User's Guide

Managed Security Service Providers (MSSPs)

1001

Manager

1001

Navigator Panel

1002

Notifications

1002

Notification Operation

1002

Testing Notification Escalations

1003

Notification Destinations

1003

Notification Acknowledgements

1004

Packages

1004

Pattern Discovery

1004

Pattern Concepts

1005

Discovering Patterns

1005

Pattern Analysis

1006

Initial Phase

1006

Routine Pattern Processing

1006

Workflow Management

1006

Pattern Analysis

1007

Pattern Disposition

1007

Pattern Discovery Expertise

1007

Workflow

1008

Visualization

1008

Applications

1008

Payload

1009

Prioritization Fields

1009

Priority Calculations and Ratings

1010

Priority Elements

1013

Priority Operators

1014

MaxValue Attribute

1014

Weight Attribute

1014

Priority Rating
Queries

1015
1016

Queries and Trends

1016

Building and Running Queries

1016

Query Viewers

1016

Reference Pages

1017

Regex (Regular Expressions)

1017

Perl Constructs not Supported in Java

HP ESM (6.9.1c)

1017

Page 33 of 1106

ArcSight Console User's Guide

Java Constructs not Supported in Perl

1018

Notable Differences between Java and Perl

1018

Character Matches

1019

Reports

1019

Working with Report Templates, Queries, and Trends

1020

Viewing and Managing Reports

1020

Archived Reports

1020

Report Groups

1021

Delta Reports

1021

Report Parameters

1022

Running Reports

1022

ArcSight-Provided Reports

1022

Report Templates

1023

Resources

1024

Valid and Invalid Resources

1024

Fixing and Validating Resources

1024

Resource Attributes

1026

Rules

1029

Loading Rules

1029

Automatically Disabled Rules

1029

Rules Processing and Correlation

1032

Rule Groups

1033

Scheduled Rules

1034

Rule-triggering Timing

1034

Rule Chains

1035

Variables

1035

Rule Actions

1035

Active List Rule Actions

1035

Execute Connector Command Rule Actions

1035

Rule Conditions

1036

Rules Editor

1037

Schema

1037

Avoiding Field Naming Collisions
Event Fields

1039

Precise Event Categorization

1039

Send Logs
Guidelines for Using the Send Logs Utility

HP ESM (6.9.1c)

1038

1040
1041

Page 34 of 1106

ArcSight Console User's Guide

Options for Running Diagnostics and Sending Logs

1041

Starting the Send Logs Wizard on the ArcSight Console

1042

Session Correlation
Why Session Correlation Matters

1042
1042

Session Lists

1043

SmartConnectors

1044

Operational Status

1044

Configuration

1045

Zones

1045

Upgrading

1046

Filtering

1046

SMTP

1046

Sortable Field Sets

1047

Sorting Columns in Grid Views
Status Monitor Events

1048
1048

Active Channel Statistics

1049

Active List Statistics

1049

Asset Statistics

1050

Data Monitor Statistics

1052

Event Broker Statistics

1052

Filter Engine Statistics

1053

Main Flow Statistics

1053

Notification Statistics

1054

Pattern Discovery Statistics

1054

Report Statistics

1055

Resource Framework Statistics

1055

Rules Engine Statistics

1055

Session List Statistics

1057

Session Management Statistics

1058

SmartConnector Flow Statistics

1058

Threat

1060

Threat Evaluation

1060

Evaluation Process

1060

Evaluation Definitions

1061

Maintaining Model Confidence

1062

Using Threat Evaluation Information

1062

Limitations and Workarounds

1062

Thresholds

HP ESM (6.9.1c)

1063

Page 35 of 1106

ArcSight Console User's Guide

Time Error Correction

1063

Timestamps

1063

Timestamps for Security Events

1064

Timestamps for Resources

1064

Timestamp Variables

1065

Inclusive Timestamps

1065

Time Zone Correction

1066

Trends

1066

Understanding Trends and Queries

1066

Building Trends

1066

User Groups

1067

Users

1067

User Types

1068

Variables

1069

About Functions

1069

About Remote Variables

1070

Local and Global Variables

1070

Variable Definition Fields

1071

Alias Functions

1072

Arithmetic Functions

1073

Category Model Function

1075

Condition Functions

1076

Group Functions

1077

IP Address Functions

1079

List Functions

1079

String Functions

1080

Timestamp Functions

1081

Type Conversion Functions

1085

Value List Functions

1089

Using Functions: Examples with Lists

1090

Getting Login Session Data from a Session List

1090

Extracting a List Element from an Active List

1091

Variable Availability and Contexts

1092

Variable Functions for In-Memory Operations

1093

Velocity Templates

1093

Velocity Application Points

1094

Using Velocity Expressions to Retrieve Values from Event Fields or Variables

1095

Retrieving Values from Event Fields

HP ESM (6.9.1c)

1095

Page 36 of 1106

ArcSight Console User's Guide

Using Variables in a Velocity Expression

1095

Using Velocity Expressions in Rule Actions

1096

Example of Rule Action that Uses Velocity Expressions to Retrieve Values

1096

More Velocity Template Examples

1097

Velocity References for Reports

1097

Velocity Template Usage Tips

1101

Views

1101

View Types

1102

Dashboards

1103

Other Views

1103

Vulnerabilities

1103

Vulnerability Groups

1104

Standardized Vulnerability Tracking

1104

Web Browsers

1104

Browser Preferences for HTML Displays

1105

Browser Preference Overrides for Specific Features

1105

Send Documentation Feedback

HP ESM (6.9.1c)

1106

Page 37 of 1106

Chapter 1: Getting Started
Welcome to ESM and the ArcSight Console.
ESM is a comprehensive software solution that combines traditional security event monitoring with
network intelligence, context correlation, anomaly detection, historical analysis tools, and automated
remediation. It consolidates and normalizes data from disparate devices across your enterprise
network in a centralized view.

Starting the Console
Start the Console as you would any other application. The login mechanism varies according to the
type of authentication you have set up during installation.
Depending on the chosen shortcuts during installation, start the Console using any of these methods:
• Using the Console desktop icon
• Selecting from the system tray
• Selecting from the Start menu

Alternatively, open a command window in the Console’s bin directory and type
arcsight console
If you are using SSL authentication, set it up and import the certificate as described in the
Administrator’s Guide’s “Configuration” chapter, in the section entitled “Understanding SSL
Authentication.” After the certificate is imported, you can start the Console without entering a user ID or
password.
If you are using password authentication, see the Administrator’s Guide’s “Configuration” chapter, in
the section entitled “Managing Password Configuration.” Log in with your user ID and password.
Certificates are imported automatically.
If you have selected “Password or SSL Authentication,” you choose which way to log in, each time.
If you are using FIPS and using a browser, make sure that browser is configured for FIPS. See the
Administrator’s Guide’s topic on “Configure Your Browser for FIPS.”

Quick Start Tools and Standard Content
The Console serves as the control point for administrators to configure ESM content and resources;
and manage, monitor, and respond to network security issues across the enterprise.


A Network Model Wizard is provided to facilitate the process of describing network devices and assets
in ESM. For more about the Network Model wizard and instructions on how to use it, see "Populating the
Network Model Using the Wizard" on page 110.
A set of coordinated resources (filters, rules, dashboards, reports, and so on) is provided to address
common security and management tasks. The set of standard content is designed to give you
comprehensive correlation, monitoring, reporting, alerting, and case management out of the box, with
minimal configuration required on the Console.
For information about standard System or Administration content, refer to the Standard Content Guide
— ArcSight Administration and ArcSight System. All ESM documentation is available on Protect 724 at
(https://protect724.hp.com).

Use Cases
Use cases are special groupings of related ArcSight content that address specific security issues and
business requirements.
Use cases provide an integrated, Console-based alternative to the standard one-resource-at-a-time
viewing method offered in the Resource tree of the Navigator panel for viewing and interacting with
resources. You can configure shared resources in a single operation, and export related resources in an
ArcSight Resource Bundle (arb) for use in other ArcSight instances.
HP provides use cases for some of the standard content that is installed with ESM and for additional
content (Security Use Cases) provided through the Marketplace. The standard content use cases are
described in the ArcSight Administration and ArcSight System Standard Content Guide. Each Security
Use Case comes with its own documentation that provides information about how to install, configure,
and use the use case.
Tip: Use case configuration requires having a network model in place. Model your network first as
part of the initial configuration of ESM. Follow instructions in "Modeling the Network" on page 98.


Chapter 2: Working in the Console
In addition to the capabilities built into the Console, the Console itself is a tool with its own
characteristics and specialized controls. The Help topics in this section describe the basics of using
Console tools and controls to make the most of its features.

Navigating
Use the Navigator panel on the Console to locate and manage security resources, and the Viewer and
Inspect/Edit panels to analyze resource data and view or adjust the attributes of the resources
producing the data.
The Navigator panel showing the Dashboards resource tree

The resources available in the Navigator panel can be affected by permissions set for your user type.
On the Navigator panel, you can:


• Choose a resource tree from the drop-down list.
• Expand (+) and collapse (-) resource groups to locate particular subgroups or individual resources.
  You can also use the keyboard right arrow key to expand and left arrow key to collapse the
  Navigator resource trees.
• Right-click groups or individual resources to choose from their context menus.

Use the Viewer or Inspect/Edit panels to see or act on the results of the context menu commands.

Navigator Panel Resource Tree
Resource Tree on the Console’s Navigator Panel (each tree is shown with its icon in the Console; the
entries below give the tree name and the resources it holds)

Active Channels: Create, modify, and delete security-event views that actively and continuously
evaluate the events they display, on the basis of time and other filter conditions. This view also
includes the Field Sets resource tree for managing named field sets. See "Monitoring Events" on
page 210.

Actors: Map humans or agents to activity in applications and on the network, and identify actors
behind events. See "Actors" on page 740.

Assets: Security-sensitive devices and device groups installed in your enterprise, and the known
exposures to potential threats those devices may represent. Assets also includes the related network,
zone, location, category, and vulnerability information you use to manage network devices. See
"Modeling the Network" on page 98.

Cases: Track enterprise security incident cases, by status and priority. See "Case Management and
Queries" on page 596.

Connectors: Manage the SmartConnectors installed at your enterprise. See "Managing
SmartConnectors" on page 140.

Customers: Manage resources that represent the security concerns of particular MSSP (Managed
Security Services Provider) clients. See "Managing Customers" on page 138.

Dashboards: Various event data monitors and their library of supporting resources. See "Using
Dashboards" on page 238.

Field Sets: Define subsets of available data fields so you can quickly focus a grid view, an Event
Inspector, or other field arrays on a particular context. See "Field Sets" on page 546.

Files: The Files resource tree, when populated, lists files saved as resources on the Manager. This
makes them accessible to all users of the system who are authorized for such access. File resources
include Case file attachments, templates, and general-purpose shared files. See "Managing File
Resources" on page 671.

Filters: Event filtering definitions, organized in groups. See "Filtering Events" on page 286 and
"Managing Filter Groups" on page 294.

Integration Commands: Application integration resources used to configure and launch commands,
tools, and views in custom and third party applications and other ArcSight products from within the
Console. Provides the ability to configure custom scripts, URLs, and Connector commands, and
integrate them into the Console UI in various contexts. Leverages velocity expressions and the UI
contexts for pulling the content of event data, for example, as command parameter values. Provides
support for ArcSight Network Synergy Platform (NSP) and Threat Response Manager (TRM). See
"Integration Commands" on page 623.

Knowledge Base: A database of articles and groups of articles that aid problem-solving, analysis, and
operation. See "Getting Knowledge Base Articles" on page 285 and "Knowledge Base Authoring" on
page 665.

Lists: Active Lists are lists of active source and target IP addresses of interest, as defined by
enterprise rules. See "List Authoring" on page 469 for more information.
Session Lists are similar to active lists, but are optimized for time-based queries and monitoring of
rule-driven combinations of event attributes or custom fields. See "Identity Correlation" on page 569
for more information.

Notifications: Destinations and settings for the automatic messages that alert you to predefined
situations or events. See "Acknowledging Notifications" on page 56 and "Managing Notifications" on
page 203.

Pattern Discovery: Profiles to capture, and snapshots of, potentially threatening event patterns. See
"Pattern Discovery" on page 710.

Query Viewers: A resource for defining and running SQL queries on other ESM resources
(independent of reports), including trends, assets, cases, connectors, events, and so forth. Each query
viewer contains an SQL query along with other logic for establishing and comparing baseline results,
analyzing historical data to find patterns in network activity, and performing drill-down investigation
on a particular aspect of the results. Query viewers can use the same queries as reports do, but can be
run independently of them. See "Query Viewers" on page 323.

Reports: Definitions for, and archived output from, various activity reports. See "Running and
Managing Reports" on page 448 and "Building Reports" on page 371.

Rules: Rules and groups of rules created for isolating, analyzing, and responding to events. See
"Rules Authoring" on page 493.

Saved Searches: Saved Searches are created on the ArcSight Command Center. Refer to the ArcSight
Command Center User’s Guide for information on how to create and save searches.
This resource is displayed on the ArcSight Console for packaging and content synchronization
purposes. See "Managing Resources" on page 670 and "Managing Packages" on page 693.

Search Filters: Search Filters are created and used on the ArcSight Command Center. Refer to the
ArcSight Command Center User’s Guide for information on how to create searches, then save them as
filters.
This resource is displayed on the ArcSight Console for packaging and content synchronization
purposes. See "Managing Resources" on page 670 and "Managing Packages" on page 693.

Stages: Workflow and annotation features for real-time analyst collaboration on security events.

Use Cases: Resource collections that address common security issues and business requirements.
When use cases are installed, a Use Case tab is displayed in the Navigator panel. A wizard is available
for configuration of the use case resources. Instructions for using the wizard are provided in the
documentation provided with the specific Use Case.

Users: ArcSight users and user groups. See "Managing Users" on page 180.

Using SmartFolders
ArcSight has special, automatically maintained folders to track the results of your case searches or to
track your currently selected replay rules and currently running reports. When you create them, these
folders appear just below the root of each resource type in the Navigator, prefixed with your ArcSight
user name.


To create a case-search SmartFolder:
1. Right-click a folder in the Cases tree and choose New Search Group in the context menu to open
the Search Group Editor.
2. Use the Editor to define a search that updates dynamically each time a change occurs to one of
your cases.
A given group contains the result of this search when it is applied to those cases.

Using Reports SmartFolders
The Reports tree in the Navigator panel shows a folder for each user name and the suffix “Reports.”
These folders list the reports that user is applying, and the right-click context menu offers the
commands available for those reports. These folders are maintained automatically and you cannot
change them.
You can use this feature to control report runs. For example, if a report is running too long and you
would like to end it, right-click it and choose Stop Report.
Note: Reports you run using the Run button in the Report Editor are initiated outside the usual
Console processes. These reports do not appear in, and are not controllable from, the Reports tree
in the Navigator.

Using Resource Groups
You can group resource types in the Navigator panel to help you organize and manage them. Groups
can also be hierarchical, resulting in “trees” of resources. Apart from the characteristics of the
resources involved, such as assets or vulnerabilities, each group identity has certain properties you
can edit in the Group Editor.

Adding or Editing a Resource Group
To add or edit a resource group:
1. To add a group, right-click a resource group and choose New Group.
Or, to edit an existing group, right-click the group and choose Edit Group.
2. In the Group Editor, enter or change the group attributes you want to change.
Entering data in the Common and Assign sections is optional, depending on how your environment
is configured. For information about the Common and Assign attributes sections, as well as the
read-only attribute fields in Parent Groups and Creation Information, see "Common Resource
Attribute Fields" on page 685.


3. Optional: To add information in the Notes tab, refer to "Using Notes" on page 57.
4. Click Apply to put your changes into effect but leave the editor open. Click OK to apply your
changes and also close the editor.
Fields containing system information (like Creation Time) are not editable.
See "Reference Pages" on page 1017 for more about using the Group Page and Member's Page
fields.
See "Job Scheduler" on page 996 for information about scheduling tasks or “jobs” for reports
(individually or by group), rules, or Pattern Discovery snapshots.

Using the Categories Tab for Asset Groups
The Group Editor for groups in the Assets tab of the Assets resource tree has an additional Categories
tab. This tab has two sub panels: Local Asset Categories and Inherited Asset Categories. Local
shows assets that are explicitly assigned to categories. Inherited shows assets whose category
connections are presumptions based on a parent's group or a simple asset-range association.

Batch Editing
You can make common edits to multiple case or SmartConnector resources by selecting a set of either
type in the Navigator panel and changing their common fields in the Case or Connector Editor.

Batch-Editing Cases or Connectors
Where:
• Navigator > Resources > Connectors, or
• Navigator > Resources > Cases

To batch-edit cases or connectors:
1. Ctrl+click or Shift+click to select a set of individual cases or SmartConnectors in their respective
resource trees in the Navigator panel.
2. Right-click the selected items and choose Edit.
3. Make changes to the appropriate common fields, such as Description or Owner.
4. Click Apply to record your changes and leave the editor open, or click OK to save and close.
Saving affects only the fields you have changed, in each of the selected resources.


Cases Reminder
Use the Lock Case check box to lock and unlock cases in batches.

SmartConnector Reminders
Batch changes affect only default configurations, not alternates. However, you can add new alternate
configurations by batch editing.
Note that if you make changes under the Filters tab, the entire tab's contents are saved to the selected
SmartConnectors.
You can batch-edit connectors only of the same version.

Reconnecting to the Manager
If your Console loses its connection to the Manager, a dialog box enables you to Retry the connection,
Relogin, or to Cancel the connection. Try these options in this order.
A connection to the Manager cannot be re-established if the Manager is restarted or if a network
problem prevents communication with the same Manager. In such cases, click Cancel and start the
Console again, using an appropriate Manager host name.

Viewing
This section provides information on using the Console Viewer Panel and choosing look-and-feel
options (skins) for the Console.
Topics include:
• "The Viewer Panel" below
• "Console Look-and-Feel" on page 48

The Viewer Panel
You see the products of security-event analyses in the Viewer panel, which can display several
different types of views. (See also "Using Views" on page 210.)
Although there are some views that display information about resources, most views are active
channels, which are continuously evaluated collections of security-event data. (See also "Monitoring
Active Channels" on page 210.)
Tip: Here are some Viewer Panel features you can use.

• To show a resource (like a particular dashboard or active channel) in the viewer, right-click it in the Navigator tree and choose Show.
• To close individual views quickly, Shift+click their name tabs. (You can also right-click a view name tab and choose Close from the popup menu.)
• To float the Viewer panel, click the Float icon at the top left of the Viewer.

The Viewer tabs in the Viewer panel have a live link at the top. You can click these links to open the
contents in an external, fully functional browser window.
For security reasons, HTML that might include JavaScript, plug-ins, or other embedded objects is
rendered in the default browser you specify through the Preferences dialog box, not inside the Console
itself. The default browser is also used to open PDF documents.

If your Console is not already displaying a default set of pre-defined views, or if you want to change the
views displayed, you can use these options:

• Choose Window > Viewer Panel to open the panel if it isn't open.
• Choose the Active Channels, Dashboards, or Pattern Discovery resource trees in the Navigator panel to find analysis tools or results to view.
• Right-click a resource in a tree and choose Show to open it in the Viewer panel.
• When multiple tabbed views are open in the panel, click the tabs at the top of the panel to choose the active channel you want to see, and the tabs at the bottom of the panel to choose which view of that active channel should be foremost.

To close an individual view, Shift+click its name tab. (You can also right-click a view name tab and
choose Close from the popup menu.)
Using active channels and the many types of views they offer is fully covered in the topics under these
headings:
• "Monitoring Events" on page 210
• "Selecting and Investigating Events in Active Channels" on page 274
• "Using Dashboards" on page 238

Console Look-and-Feel
If you start the Console from the command line with the arcsight console command (in
ARCSIGHT_HOME/current/bin), use the -laf