ArcSight Console User's Guide (HP ArcSight ESM 6.9.1)
User Manual
Page Count: 1106
HP ArcSight ESM
Software Version: 6.9.1c
ArcSight Console User's Guide
February 17, 2016

Legal Notices

Warranty
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

The network information used in the examples in this document (including IP addresses and hostnames) is for illustration purposes only.

HP ArcSight products are highly flexible and function as you configure them. The accessibility, integrity, and confidentiality of your data is your responsibility. Implement a comprehensive security strategy and follow good security practices.

This document is confidential.

Restricted Rights Legend
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice
© Copyright 2016 Hewlett-Packard Development Company, L.P.
Follow this link to see a complete statement of copyrights and acknowledgements: http://www.hpenterprisesecurity.com/copyright

Support Contact Information
Phone: A list of phone numbers is available on the HP ArcSight Technical Support Page: https://softwaresupport.hp.com/documents/10180/14684/esp-supportcontact-list
Support Web Site: https://softwaresupport.hp.com
Protect 724 Community: https://protect724.hp.com

HP ESM (6.9.1c)

Contents

Chapter 1: Getting Started  38
Starting the Console  38
Quick Start Tools and Standard Content  38
Use Cases  39

Chapter 2: Working in the Console  40
Navigating  40
Navigator Panel Resource Tree  41
Using SmartFolders  43
Using Resource Groups  44
Adding or Editing a Resource Group  44
Using the Categories Tab for Asset Groups  45
Batch Editing  45
Batch-Editing Cases or Connectors  45
Cases Reminder  46
SmartConnector Reminders  46
Reconnecting to the Manager  46
Viewing  46
The Viewer Panel  46
Console Look-and-Feel  48
Inspecting and Editing  48
Overview of Inspect/Edit Features and Utilities  49
Searching for Fields in Event Inspector, Resource Editors, or CCE  50
Getting More Help  51
Controlling the Console  51
Using the Network Tools  53
Running a Tools Command  53
Adding or Editing a Tool  54
Staying Informed  56
Acknowledging Notifications  56
Using Notes  57
License Tracking  58
License Tracking Notifications  58
Standard Reports for License Status Tracking  58
Using the File Menu  59
Using the Edit Menu  59
Using the View Menu  60
Using the Window Menu  61
Using the Tools Menu  61
Using the System Menu  62
Using Right-Click Context Menus  63
Using the Help Menu  65
Keyboard Shortcuts (Hot Keys)  66
Printing from the Console  67
Printing Navigation Tree Views of Resources  68
Printing Resource Definitions  68
Printing Grid Views  69
Printing Conditions Tree Summary  70
Using Column Flip Limit to Format Grid View Printouts  71
Error and Warning Messages  74

Chapter 3: Personalizing the Console  76
Changing the Console Display  76
Changing User Preferences  77
Changing Your Password  78
Changing Other Users' Passwords  78
Setting Default Editors and Viewers  78
Changing Global Options  79
Setting Dialog Options  81
Setting Grid Options for the Viewer Panel  83
Customizing the Default Selections for Active Lists  85
Setting Date and Time Formats  86
Setting Latitude and Longitude Options  86
Configuring Event Graphs  87
Setting Notification Popups  89
Managing Hot Keys  89
Adding Shortcuts for Frequently Used Resources  90
Modifying a Custom Shortcut  92
Modifying Custom Shortcuts for Resources  94
Removing a Custom Shortcut  94
Removing Custom Shortcuts for Resources  95
Activating a New Shortcut Schema  96
Sharing Custom Shortcut Schemas  96
Saving and Sending Settings  97

Chapter 4: Modeling the Network  98
The Network Model  99
Assets  100
Automatically-Created Assets  100
Asset Aging and Model Confidence  102
Asset Ranges  103
Zones  103
Dynamic and Static Zones  104
Networks  104
Asset Model  105
Locations  105
Vulnerabilities  105
Asset Categories  106
Asset Categories Assigned to Assets, Asset Ranges, and Asset Groups  106
Asset Categories Assigned to Zones  106
Populating the Network Model with Assets  107
Console-Based Methods  107
Manually, Using Network Modeling Resources  108
In a Batch Using the Network Modeling Wizard  108
SmartConnector-Based Methods  109
Using the Asset Model Import FlexConnector  109
Automatically From a Vulnerability Scanner Report  109
ArcSight-Assisted Methods  110
As an Archive File From an Existing Configuration Database  110
Populating the Network Model Using the Wizard  110
Specifying CSV Column Types  111
Specify the Column Type Using a Header  112
Specifying Multiple Categories in one Category Column  113
Assign the Column Type in the Wizard  113
Zones CSV File Format  115
An Example of a Zones CSV File  116
Assets CSV File Format  116
An Example of an Assets CSV File  118
Static Addressing in a Dynamic Zone  118
Asset Ranges CSV File Format  119
An Example of an Asset Ranges CSV File  120
Increasing the Number of Displayed Rows  120
Summary of Data to Import  121
Network Data Imported into ArcSight Manager  121
Auto-Zoning of Imported Assets  122
Working with Assets, Locations, Zones, Networks, Vulnerabilities, and Categories  122
Managing Assets  123
Selecting Assets in the Common Conditions Editor  125
Auto Zoning an Asset  126
Managing Asset Groups  127
Managing Vulnerabilities  128
Selecting Vulnerabilities in the Common Conditions Editor  130
Working with Vulnerable Assets  131
Managing Vulnerability Groups  132
Showing Affected Assets  133
Reporting on Output from Vulnerability Scanners  134
Reporting on Asset Vulnerabilities  134
Managing Zones  135
Managing Networks  136
Managing Asset Categories  136
Managing Locations  137
Managing Customers  138

Chapter 5: Managing SmartConnectors  140
Selecting and Setting SmartConnector Parameters  140
Configuring the SmartConnector  140
Connector Editor Tabs  142
Connector Tab Configuration Fields  143
Default Content Tab Configuration Fields  144
SmartConnector Processing Categories  157
SmartConnector Time Interval Options  158
Managing SmartConnector Filter Conditions  159
Adding SmartConnector Filter Conditions  159
Deleting SmartConnector Filter Conditions  160
Setting Special Severity Levels  161
Sending Model Mappings to SmartConnectors  163
Sending Control Commands to SmartConnectors  163
Getting Status Reports  163
Sending Standard Flow-Control Commands  164
Tech Support Commands  166
Mapping Commands  168
Managing SmartConnector Groups  171
Importing and Exporting SmartConnector Configurations  173
Importing a SmartConnector Configuration  173
Exporting a SmartConnector Configuration  174
SmartConnector Filters  175
Using Additional Data Fields  175
Upgrading SmartConnectors  175
Overview of the Upgrade Process  176
SmartConnector Upgrade Procedure  177
Rolling back to a Previous Version  178
Troubleshooting  178
Getting Status and Versions on Installed SmartConnectors  179

Chapter 6: Managing Users  180
Managing User Groups  180
Managing Users  182
Creating or Editing a User  183
Resetting User Passwords  186
Moving or Linking a User  186
Deactivating and Reactivating a User  186
Deleting a User  187

Chapter 6: Managing Permissions  189
Editing Access Control Lists (ACLs)  189
Granting or Removing Resource Permissions  190
Granting or Removing Operations Permissions  192
Granting or Removing User Group Permissions  193
Adding or Removing Enforced Filters  196
Permissions for Sortable Field Sets  198
Sharing Resources  199
Controlling Who Has Permissions to Deploy Data Monitors  200
How Upgrades Affect Data Monitor Deploy Permissions  201
Deployment Permissions on Imported Data Monitors  201

Chapter 7: Managing Notifications  203
Managing Received Notifications  203
Managing Notification Groups  204
Managing Notification Destinations  205
Changing Notification and Acknowledgment Settings  207
Testing Notification Groups and Destinations  208
Managing Escalation Levels  209

Chapter 8: Monitoring Events  210
Monitoring Active Channels  210
Using Views  210
Viewing and Using Channels  211
Viewing an Active Channel  211
Sorting Events in an Active Channel  212
Creating or Editing an Active Channel  213
Applying a Field Set to an Active Channel  216
Using an Active Channel Header  216
Filtering an Active Channel  218
Defining Grid Fields Options  218
Saving Copies of Active Channels and Filters  219
Discovering Patterns in an Active Channel  219
Deleting an Active Channel  219
Adding a View Format  219
Changing View Layouts  219
Best Practices to Optimize Channel Performance  220
Active Channels or Reports?  220
Active Channels or Query Viewers?  220
Active Channel Query Time Ranges  220
Active Channel Filters  220
Filtering on Indexed Fields  221
Filtering on Join Fields  221
Continuously Updating Time Parameters  221
End Time or Manager Receipt Time  221
Sorting in Active Channels  221
Use of the “Live” Channel from Standard Content  222
Case Sensitive or Case-Insensitive Conditions?  222
I/O Subsystem Performance  222
Diagnostics: Start with Basic Channel Characteristics  222
Investigating Views  223
Using an Event Attribute to Show a New Filtered View  223
Refining a Filter with an Event Attribute  224
Adding an Event Attribute to a Filtering Condition  224
Permanently Modifying an Active Channel  225
Showing an Exploited Vulnerability  225
Showing a Targeted Asset  225
Using Charts  226
Charting an Active Channel's Contents  226
Charting a Data Monitor's Contents  226
Exploring the Events Behind a Chart  227
Using Active Channels  228
Monitoring Events in the Active Channel  228
Sorting Columns in the Active Channel  228
Adding, Replacing, or Removing a Column  228
Sizing a Column in the Active Channel  230
Showing or Hiding Column Text and Icons  230
Exporting Events to a File  230
Choosing Active Channel Menu Commands  232
Filtering Active Channels with Inline Filters  234
Customizing Columns  236
Creating a Custom Column  236
Showing a Custom Column  237
Advanced Example: Creating a Custom Column with Velocity Template  237
Using Dashboards  238
Monitoring Dashboards  238
Loading Dashboards  238
Inspecting Events in Dashboards  239
Drilling Down to Other Resources  240
Displaying Dashboards  240
Displaying Dashboards in a Slide Show Rotation  240
Rearranging Elements in Dashboard Layouts  240
Using Dashboard Menu Options  241
Zooming In or Out of Dashboards  241
Fitting all Dashboard Elements  241
Saving Dashboard Layouts  241
Closing a Dashboard  241
Editing Dashboard Elements  241
Changing a Dashboard's Layout  241
Managing Dashboards  241
Creating or Editing a Dashboard  242
Adding a Data Monitor to a Dashboard  242
Adding a Query Viewer to a Dashboard  243
Display Formats  243
Deleting a Dashboard  244
Managing Dashboard Groups  244
Using Data Monitors  246
Creating a Data Monitor  246
Editing a Data Monitor  250
Adding a Drilldown  250
Editing a Drilldown  255
Changing the Default Drilldown  255
Sorting or Changing the Order of Drilldowns  256
Removing a Drilldown  257
Moving or Copying a Data Monitor  257
Deleting a Data Monitor  257
Enabling or Disabling a Data Monitor  257
Enabling or Disabling a Data Monitor from the Editor  258
Enabling or Disabling a Data Monitor in the Navigator  259
Overriding a Data Monitor's Last State  259
Managing Data Monitor Groups  259
Creating a Data Monitor Group  260
Renaming a Data Monitor Group  260
Editing a Data Monitor Group  260
Moving or Copying a Data Monitor Group  260
Deleting a Data Monitor Group  260
Enabling or Disabling Data Monitor Groups  261
Optimizing the Evaluation of Event Filters for Data Monitors  261
Requirement  261
Automating the Optimization of Filter Conditions  262
Tracing the Optimization  262
Disabling the Optimization Feature  264
Using Query Viewers  264
Using Custom View Dashboards  264
Displaying Custom View Dashboards  264
Refreshing the Custom View Dashboard Layout  265
Custom View Dashboard Context Menu Options  265
Reverting to the Regular Dashboard View  266
Working with Custom View Dashboards  266
To Select View Mode  267
Arranging Custom View Dashboards  267
Selecting Arrange Mode  267
Loading a Background Image  267
Selecting a Previously Uploaded Background Image  268
Verifying the Background Image  268
Removing a Background Image  268
Monitoring Active Lists  269
Graphing Attacks  270
Creating Static Event Graphs  271
Creating Live Event Graphs  271
Event Graph Notes  272

Chapter 9: Selecting and Investigating Events in Active Channels  274
Selecting Events in the Active Channel  274
Showing Event Details and Rule Chains  274
Investigating Session Events  276
Collaborating on Events (Event Annotation)  277
Annotating an Event  278
Event Annotation Fields  278
Comments Field  279
Mark Similar Events Fields  279
Annotation Preservation  280
Viewing Annotations for an Event  280
Creating or Editing Stages  280
Working with Event Payloads  282
Exporting Data Fields to a CSV File  283
Getting Knowledge Base Articles  285

Chapter 10: Filtering Events  286
Creating Filters  286
Creating or Editing a Filter  286
Creating and Editing an Inline Filter  288
Applying Filters  289
Moving or Copying Filters  291
Deleting Filters  291
Debugging Filters to Match Events  291
Importing and Exporting Filters  294
Managing Filter Groups  294
Investigating Views  296
Using an Event Attribute to Show a New Filtered View  297
Refining a Filter with an Event Attribute  297
Filtering Out ArcSight Events  298
Adding an Event Attribute to a Filtering Condition  298
Modifying Views  299

Chapter 11: Building Queries  301
How Queries Work  301
Using Queries and Trends Together for Reports  301
Using Queries in Query Viewers  302
Building a Query  302
Navigating to Queries  302
Creating a New Query  303
Defining Query Settings  303
General Query Attributes  303
Query Fields  308
SELECT Query Fields  309
Query Structure (SELECT)  310
Applying Functions to SELECT Columns  310
GROUP BY Query Fields  311
Query Structure (GROUP BY)  312
Applying Time-Based Functions to GROUP BY Columns  313
ORDER BY Query Fields  314
Query Structure (ORDER BY)  315
Applying a Column Function to Order By  316
Sort Order  316
Query Conditions  316
Creating Conditions on a Field  317
Tips on Creating Conditions  318
Creating Group Conditions  318
Query Variables  318
Editing a Query  319
Example: Creating Asset-Related Conditions for Queries on Lists  320

Chapter 12: Query Viewers  323
What are Query Viewers?  323
Pre-Built and Custom Query Viewers  325
Standard Content  325
Custom Query Viewers  326
Customizing Query Viewers as Needed  326
inActiveList Conditions for Queries  326
Creating or Editing a Query Viewer  326
Defining Query Viewer Settings  328
Query Viewer Attributes  328
Query Viewer Fields  331
Sort Options  333
Baselines  333
Query Viewer Variables  334
Deleting a Query Viewer  335
Defining and Using Baselines  335
Why Baselines are Useful  336
Planning for Baseline Comparisons  337
Adding a Baseline  337
Comparing Displayed Results to a Baseline  338
Show or Hide Baseline Columns  340
Sort Baseline Data  340
Filter Baseline Data  341
Removing a Baseline  341
Managing Drilldowns from Query Viewers  342
Adding a Drilldown  342
Editing a Drilldown  346
Changing the Default Drilldown  346
Sorting or Changing the Order of Drilldowns  346
Removing a Drilldown  347
Running Queries and Viewing Results  348
Working with Query Viewer Results  352
Results in Table Format  352
Investigate View Options  352
Column Sort, Display, and Edit Options  355
Results in Chart Formats  357
Filtering Query Viewer Results  359
Viewing an Event or Resource Directly from the Query Viewer  360
Troubleshooting Query Viewers  360
Adding Query Viewers to Dashboards  360
Adding Query Viewers as Startup Views  361
Generating Reports from Query Viewers  362
Example Queries for Common Scenarios  363
Basic Analysis
High Level Summaries  364
Analyst’s First View of Events  364
How the Events Query Viewer is Built  365
Drilldown Example  367
How the Console Builds Drilldowns  369
Non-Event Analysis Example  369
Baseline Analysis for Data Comparison  369
History Analysis Example  370

Chapter 13: Building Reports  371
Understanding the Reporting Workflow  371
Step 1 - Build a Query  372
Step 2 - Build a Trend Based on a Query  373
Step 3 - Build a Query Based on a Trend  373
Step 4 - Select or Design a Report Template  373
Step 5 - Create a Report  374
Step 6 - Run a Report  374
Step 7 - Archive and Maintain Reports  375
Managing Dependencies for Reports Resources  375
Using Report Templates  375
Applying a Template to an Existing Report  376
Creating a New Report Based on a Template  377
Copying a Template  378
Editing a Template  378
Creating Reports  379
How Reports Work  379
Creating or Editing a Report  379
Defining Report Settings  381
Report Attributes  381
Report Templates  382
Report Template Selection  382
Text Attributes  383
Preview  385
Binding Data to the Report  385
Binding Data to Charts  386
Selecting Data for the X-Axis on a Chart  387
Selecting Data for the Y-Axis on a Chart  388
Selecting Data for the Z-Axis on a Chart (Optional)  391
Effect of Sorting on Bar Charts with Series Data  391
Specifying Top/Bottom Filters Aggregation Filters for a Chart (Optional)  394
Setting Display Options and Scale Formats for Charts  395
Binding Data to Tables  396
Specifying Fields for a Table  397
Enabling the Aggregation Tab for a Table  400
Setting Top/Bottom Counts in Table Aggregation Tab (Optional)  401
Setting Default and Custom Report Parameters  402
Adding Custom Parameters for Report Data  405
Displaying a Custom Parameter Prompt at Report Runtime  406
Defining the Prompt in the Query’s Condition Tab  406
Adding or Removing a Prompt for Custom Parameters in the Report  408
Generating Reports with Asian Fonts  410
Creating Focused Reports  411
End-to-End Reporting Examples  412
Example of Creating a Simple Report with the Wizard  413
Advanced Reporting Example Overview  415
Step 1 - Build the VPN Logins Outcome Query  415
Query Name and Other General Attributes  415
Fields to Include in Query Result  416
Query Conditions  417
Step 2 - Build the VPN Logins Outcome Hourly Trend  418
Step 3 - Filter the Trend Data (Login Attempts, Successes, Failures)  420
Step 4 - Create the VPN Logins Outcome Report on Trend Data  422
Choose a Template and Bind it to Result Data  422
Use Custom Parameters  423
Step 5 - Run the Report  425

Chapter 14: Building Trends  427
How Trends Work  427
Snapshot Trend  428
Interval Trend  428
Query-Trend Relationships in Reporting  428
Building a Trend  429
Navigating to Trends  430
Creating a Trend  430
Defining Trend Settings  431
Trend Attributes  431
Trend Schedule  436
Trend Parameters  437
Trend Actions (Add to Active List)  438
How Trend Actions are Useful (Summary Views and Rules)  438
Plan and Define Active Lists with Fields Mapped to Trend  439
Define a Trend Action  439
Example: Populating Active Lists with Trend Results  441
Notes on Trend Action Behavior  443
Editing a Trend Action  444
Removing a Trend Action  444
Testing a Trend  444
Viewing Trend Data  445
Refreshing Trend Data  446
Editing or Viewing a Trend Definition  447
Using a Trend in a Query or Report  447
Disabling or Enabling a Trend  447
Deleting a Trend  447

Chapter 15: Running and Managing Reports  448
Running a New or Archived Report  449
Running a Defined Report  449
Displaying an Archived Report  453
Running a Delta Report  453
Running Reports from a Grid View  454
Running a Rule Context Report  454
Running an Event Context Report  455
Running a Channel Report  455
Running a Query Viewer Report  455
Running Large or Complex Reports  457
Moving or Copying a Report  458
Managing Report Groups  458
Archiving and Scheduling Reports  460
Archiving a Report  460
Scheduling Report Tasks  463
Scheduling Individual-Report Archiving  463
Scheduling Report Archiving by Resource Group  465
Standard Time Transitions  465
Viewing an Archived Report  466
Editing a Report Archiving Schedule  466
Editing Report Archiving Parameters  467
Deleting a Report Archiving Schedule  467

Chapter 16: List Authoring  469
Required Settings for Large Lists  469
Creating an Active List  470
Editing Active Lists and Active List Entries  477
Using Rules to Populate an Active List  478
Example Active List  478
Example Rule to Populate Active List  479
Adding Events from a Channel to an Active List  482
Moving or Copying an Active List  483
Importing and Exporting an Active List  483
Deleting an Active List  484
Managing Active List Groups  484
Managing Session Lists  485
Creating a Session List  486
Using Rules to Populate a Session List  489
Editing Session Lists and List Entries  489
Moving or Copying a Session List  491
Exporting a Session List  491
Field Naming Restrictions  491

Chapter 17: Rules Authoring  493
Designing Rules  493
Rule Types  494
Managing Rules  495
Creating or Editing Rules  495
Moving or Copying Rules  496
Enabling and Disabling Rules  497
Deleting Rules  498
Specifying Rule Conditions  498
Creating Rule Conditions  498
Adding Filter Conditions  500
Adding Asset Conditions  500
Adding Vulnerability Conditions  501
Adding Active List (InActiveList) Conditions  502
Creating Matching or Join Conditions  504
Editing or Deleting Join Data Field Conditions  506
Negating Event Conditions  506
Optimizing the Evaluation of Event Conditions  508
Automating Condition Optimization  509
Tracing the Optimization  509
Disabling the Optimization Feature  511
Specifying Rule Thresholds and Aggregation  511
Setting or Changing Rule Thresholds  511
Examples of Grouping Unique or Identical Field Values  512
Aggregation Time Criteria  513
Deleting Aggregation from a Rule  515
Managing Rule Actions  515
Adding, Editing, or Removing a Rule Action  516
Activating or De-activating a Rule Trigger  517
Enabling or Disabling a Rule Action  517
Threshold Triggering Options  518
Rule Actions Reference  520
Applying Rule Actions on Cases  527
Using a Rule to Create a Case  527
Using a Rule to Add to an Existing Case  528
Converting Rule Types  530
Testing Rules  530
Testing a Rule from the Rule Editor  531
Showing Rule Errors  532
Verifying Rules with Events  532
Deploying Real-time Rules  536
Deploying a Rule  536
Removing or Un-deploying a Rule  537
Managing Rule Groups  537
Importing and Exporting Rules  539
Scheduling Rules  539
Scenarios for Using Scheduled Rules  540
Scheduling a Rule Group  541
Example of a Scheduled Rule (Badge Swipes and Logins)  543

Chapter 18: Field Sets  546
Creating and Using Field Sets  546
Creating a Field Set  547
Field Set Editor: Attributes Tab  548
Field Set Editor: Fields Tab  548
Field Set Editor: Local Variables Tab  549
Using the Fields & Global Variables Subtab  549
Using the Field Sets Subtab  550
Using the Local Variables Subtab  551
Adding Custom Columns  552
Editing a Field Set  552
Sharing a Field Set  553
Deleting a Field Set  553
Resources That Use Field Sets  553
About Global Variables  553

Chapter 19: Global Variables  555
Remote Variables Processing  555
Global Variable Dependencies  555
Navigating to Global Variables  556
Creating or Editing a Global Variable  556
Global Variable Editor: Attributes Tab  557
Global Variable Editor: Parameters Tab  558
Global Variable Editor: Local Variables Tab  559
Managing Global Variables  559
Promoting a Local Variable to a Global Variable  559
Adding a Global Variable to a Resource  562
Accessing a Global Variable Using the CCE  562
Adding Global Variables to an Active Channel  563
Adding a Global Variable to a Data Monitor  564
Adding a Global Variable to a Field Set  566
Chaining a Global Variable  567

Chapter 20: Identity Correlation  569
Understanding Session Correlation  569
Managing Session Lists  570
Creating a Session List Rule  571
Using the Session List Output  572
Creating a Variable  573
Example: Using Session Lists to Correlate Session Data on User Logins  574
Step 1 - Create a Session List to Store Windows Sessions  574
Step 2 - Create Rules to Populate the Session List with Windows Logins  576
Rule 1: Triggers on Windows Session Logins  577
Attributes  577
Conditions  577
Aggregation  578
Actions  579
Rule 2: Triggers on Termination of Windows Sessions  580
Step 3 - Verify Rules  582
Step 4 - Use the Session List in a Report  584
Example: Using Active Lists to Correlate Users  585
Example Overview  586
Step 1 - Build and Populate the Active List with User IDs  587
Populating an Active List with User Data  588
Step 2 - Create a Rule that Uses Active List Values to Correlate User IDs  590
Attributes  590
Variable  591
Conditions  592
Aggregation  594
Actions  594

Chapter 21: Case Management and Queries  596
Creating or Editing a Case  596
Using the Initial - Attributes Tab  598
Using the Initial - Description Tab  599
Using the Initial - Security Classification Tab  600
Using the Follow Up Tab  600
Using the Final - Attack Mechanism Tab  601
Using the Final - Attack Agent Tab  601
Using the Final - Incident Information Tab  602
Using the Final - Vulnerability Tab  602
Using the Final - Other Tab  603
Using the Events Tab  603
Using the Attachments Tab  604
Managing Cases  604
Finding Cases  604
Attaching a File to a Case  605
Best Practices on Attaching Files to a Case  605
Viewing a Case Attachment  606
Tracking Modifications to a Case  606
Viewing the Case’s Notes Tab  606
Creating an Event Viewer for Cases’ Internal Audit Events  607
Moving or Copying a Case to a Group  608
Granting Permission to Delete Cases  608
Deleting a Case  609
Working with Events in Cases  609
Viewing a Case's Events in a Channel  610
Including Base Events through a Rule  610
Creating or Updating a Case from Displayed Events  611
Copying Event Details from Case to Case  612
Deleting Events from a Case  612
Managing Case Groups  613
Viewing Group Cases in a Grid View  614
Running Case Queries  615
Creating a Report from a Case  615
Running Case Reports and Setting Default Parameters  616
Customizing the Case Report  619
Customize Selected Case Query  620
Customize Selected Case Report  621
Add a Server Property for the New Report URI  621
Using External Case Management Systems  622

Chapter 22: Integration Commands  623
What are Integration Commands?  623
Supported Command Types  624
Out-of-the-Box Commands for ArcSight Appliances  624
Local Scripts and Commands to Other Applications  625
How It Works  625
Planning Checklist and Workflow  626
Navigating to Integration Command Resources  627
Defining Commands  628
Command Types and Attributes  629
Script Commands  629
URL Commands  630
Connector Commands  631
Adding and Editing Command Parameters  633
Removing a Command Parameter  635
Using Configurations to Group Commands  635
Configurations Attributes  636
Configurations Contexts  637
Configurations Commands  639
Adding a Command to a Configuration  639
Editing Commands in a Configuration  640
Removing Commands from a Configuration  640
Configuration Targets  640
Adding a Target to a Configuration  640
Editing Targets in a Configuration  640
Removing Commands from a Configuration  641
Specifying Targets  641
Target Attributes  642
Target Integration Parameters  642
Authorization and Authentication Settings  643
Setting User Login Parameters  643
Setting Login Credentials  643
Setting Login Credentials on Target Servers  644
Setting Logins and Other Parameters to Prompt for Values at Runtime  644
Running Integration Commands  645
Entering/Saving Command Parameters at Runtime  646
Ready-Made ArcSight Threat Response Manager (TRM) Commands  647
Prerequisites  647
Options for Up-Front or On-the-Fly Configuration  647
TRM Integration Commands  647
Enabling TRM Commands  649
Step 1 - Set up the Command Targets  649
Step 2 - Set up the Command Configuration  650
Step 3 - Set up Users for TRM Access  650
Understanding NSP Authentication  651
How to Get an NSP Authentication Token  651
Examples of Running TRM URL Commands  653
Attacker-Target Network Map  653
Investigate Node  654
Going Further with TRM Command Results  654
ArcSight Logger Search Commands  655
Logger Integration Commands  655
Enabling Integrated Logger Searches  656
1. Set up Logger Command Targets  656
2. Set up the Logger Command Configuration  657
3. Set up Users for Logger Access  657
Example of Running a Logger Quick Search  658
Network Tools as Integration Commands  659
More Integration Examples  661

Chapter 23: Knowledge Base Authoring  665
Managing Knowledge Base Articles  665
Managing Knowledge Base Article Groups  667
Associating Knowledge Base Articles  669

Chapter 24: Managing Resources  670
Moving, Copying, Linking, and Deleting Resources  670
Managing File Resources  671
Uploading Files and Creating a File Resource  672
Working with Files  672
Locking and Unlocking Resources  674
ArcSight Standard Content  675
User-Created Content  675
Selecting Resources  676
Visualizing Resources  676
Graphing Resources  676
Using Graphs  677
Configuring Resource Graphs  678
Viewing Resources in Grids  679
Validating Resources  679
About Valid and Invalid Resources  679
Fixing and Validating Resources  680
Troubleshooting (Requirements for Valid Resources)  682
Automatic and Manual Validation  683
Resource Validation During Upgrade  683
Extending Audit Event Logging  684
Common Resource Attribute Fields  685
Common  685
Assign  686
Saving Copies of Read-Only Resources  686
Finding Resources  687
How Fields are Indexed  687
Using Text Search Syntax  688
Using the Search Field on the Console Tool Bar  690
Using the Search Result Columns  692
Locating Specific Resources  692

Chapter 25: Managing Packages  693
Creating or Editing Packages  694
Adding Resources to Packages  698
Supported Package Resources for Content Synchronization  699
Exporting Packages  700
Importing Packages  701
Best Practices for Importing Packages  701
Backing Up and Restoring with Packages  703
ID Checking During Import  703
Package Modifications  704
List Data  704
Backup and Restore Summary  704
Installing or Uninstalling Packages  705
Deleting Packages  707
Removing Resources from Packages  708
Resolving Package Conflicts  708

Chapter 26: Pattern Discovery  710
Pattern Discovery Overview  710
What Pattern Detection Provides  710
Pattern Components  711
How Pattern Discovery Works  712
Pattern Discovery Life Cycle  713
Creating or Editing a Profile  713
Specifying Actions  718
Creating Local Variables  721
Adding Notes  722
Deleting a Profile  722
Taking a Snapshot  723
Exploring a Snapshot  724
Arranging Elements in Graphic View  726
Scheduling a Snapshot  727
Re-opening a Snapshot  728
Deleting a Snapshot  728
Investigating Patterns  729
Investigating Patterns in the Snapshots View  729
Investigating Patterns in the Patterns View  731
Viewing Patterns with Filter  732
Inspecting Patterns  733
Creating Rules from Patterns  735
Annotating Patterns  737
Deleting a Pattern  738
Usage Guidelines  738
Establishing a Baseline of Normal Patterns  738
Using Pattern Discovery in Routine Operations  738
Performance Considerations  739
Adjusting Pattern Discovery Memory  739

Chapter 27: Actors  740
About Actors  740
How the Actors Feature Works  742
About the Actor Model Import Connectors  744
Troubleshooting Errors with Actor Model Imports  745
Configuring Actors  745
Permissions Required to Use Actor-Related Data  747
Viewing Actors on the Console  749
Viewing an Actor in the Actor Editor  750
Viewing Actor Base Attributes  750
Viewing Actor Account Attributes  752
Viewing Actor Role Attributes  752
Viewing Actors in an Actor Channel  753
Sorting Fields in Actor Channels  754
Actor Channel Options  755
Filtering Actor Channels  756
Adding a Local Filter to the Actor Channel Resource  756
Creating an Inline Filter  757
Managing Actor Channels  758
Investigating Actors  758
Running Context Reports from an Actor Channel  759
Investigating an Actor from an Event Channel  761
Actor Context Reports in Standard Content  762
Creating and Editing Actors for Testing Purposes  762
Important Points to Consider About Making Manual Changes to Actors  763
Creating Actors for Testing Purposes  763
Editing Actors for Testing Purposes  765
Deleting Actors  766
Leveraging Actor Data Using Variables  766
Creating an Actor Global Variable  766
Creating an Actor-Based Variable in Another Resource  767
Creating and Using Category Models  768
Memory Recommendations for Using Category Models  768
Creating Category Models  769
Creating Actor-to-Actor Category Models  770
Creating Actor Attribute Category Models  773
Creating User-Defined Category Models  775
Managing Category Models  777
Viewing Category Models in Graphs  778
Leveraging Category Model Data Using Variables  781

Chapter 28: Reference Guide  783
Access Control Lists  783
Resource ACLs  783
Active Channels  785
Active Channel Views  785
Active Channel Headers  786
Comparisons  787
Active Channel Views for Assets and Cases  787
Active Lists  787
Uses of Active Lists  788
Active Lists for Long-Term State Retention  788
Optimize Data with Hash-Based Active Lists  788
Active List Audit Events  789
Active List Monitor Events  790
Active Lists with Values  790
Using Variables to Retrieve Data from Active Lists with Values  791
Example: Active List with Values to Store Directory Information  791
Create an Active List  791
Populate the Active List  792
Correlate Information Stored in UserRoles List  792
Administrator  794
Advanced Editor  794
Aggregation  796
ArcSight Console  797
Assets  797
Assets Tab  797
Zones Tab  798
Networks Tab  798
Categories Tab  799
Vulnerabilities Tab  799
Locations Tab  800
Asset Auto-Creation  800
Creating Assets from a Vulnerability Scan Report  800
Creating Assets from a Vulnerability Scan Report for Static Zones  801
Creating Assets from a Vulnerability Scan Report for Dynamic Zones  801
Creating Assets for SmartConnectors  802
Creating Assets for SmartConnectors in Static Zones  803
Creating Assets for SmartConnectors in Dynamic Zones  804
Creating Assets for Network Devices  805
Creating Assets for Network Devices in Static Zones  806
Creating Assets for Network Devices in Dynamic Zones  806
Asset Names  807
Naming Assets from Scanner Events  807
Naming SmartConnector and Device Assets  808
Asset Auto-Creation Advanced Configuration Options  808
Asset Auto-Creation from Scanners in Dynamic Zones  808
Create Asset with IP Address or Host Name  808
Preserve Previous Assets  810
Changing the Default Naming Scheme  811
Attack  812
Audit Events  812
Audit Events Common to Most Resources  813
Active Channel  814
Active List  814
Actor  815
Archive  815
Authentication  816
Authorization  817
Connector Connection  817
Connector Exceptions  818
Connector Login  819
Connector Registration and Configuration  819
Content Management  820
Dashboard  820
Data Monitors  821
Last State Data Monitors  821
Moving Average Data Monitor  821
Reconciliation Data Monitor  821
Statistical Data Monitor  822
Top Value Counts Data Monitor  822
Global Variables  822
Group Management  823
License Audit  823
Logger Component  824
Alerts  825
Certificates  828
Archives  829
Filters  831
Peers  832
Saved Searches  833
Storage Groups  834
Storage Rules (Storage Mapping)  835
Storage Volume  836
Searches  836
Manager Activation  838
Manager External Event Flow Interruption  838
Notification  838
Notification Acknowledgement, Escalation, and Resolution  839
Notification Testing  839
Pattern Discovery  839
Query Viewers  839
Reports  840
Resource Quota  840
Rule Actions  840
Rule Activations  841
Rule Firings  841
Rule Warnings  842
Scheduler Execution  842
Scheduler Scheduling Tasks  842
Scheduler Skip  843
Session Lists  843
Stress  844
Trends  844
Trend Partitions  844
User Login  845
User Management  845
Base Queries for Query Viewers  846
Batching  846
Case Editor Tab Fields  846
Case Editor Initial - Attributes Tab  847
Case Editor Initial - Description Tab  848
Case Editor Initial - Security Classification Tab  849
Case Editor Follow-Up Tab  849
Case Editor Final -
Attack Mechanism Tab 850 Case Editor Final - Attack Agent Tab 850 Case Editor Final - Incident Information Tab 851 Case Editor Final - Vulnerability Tab 851 Case Editor Final - Other Tab 851 Case Editor Events Tab 852 Case Editor Attachments Tab 852 Case Editor Notes Tab 852 Cases 853 HP ESM (6.9.1c) Page 29 of 1106 ArcSight Console User's Guide Case Groups Categories 853 854 Object Category 855 Behavior Category 857 Outcome Category 858 Device Group Category 859 Technique Category 859 Significance Category 862 Asset Categories 863 Event Categories 863 Collaboration 863 Common Conditions Editor (CCE) 864 Editor Features 864 Condition Tree Command Buttons 866 Condition Tree Context Menu Commands 868 Adding Conditions 872 Search Box to Find Fields in the List 873 Field Comparisons with Variable or Static Values 874 Matching or Join Rules 875 Using Field Sets 876 Adding or Removing Global Variables Using the CCE 877 Testing for Zone Relevance 878 Conditional Statements 879 Conditions 880 Parameterized Conditions Content 880 882 Content Packages 882 Custom Content 882 SmartConnector Content 882 CORR-Engine 883 Correlation 883 Correlation Rule 883 Customers 883 Dashboards 884 Dashboard Context Menu Commands 884 Data Fields 885 Connector Group HP ESM (6.9.1c) 886 Page 30 of 1106 ArcSight Console User's Guide Attacker Group 890 Category Group 895 Destination Group 896 Device Group 902 Device Custom Group 907 Event Group 911 Event Annotation Group 920 File Group 924 Final Device Group 925 Flex Group 928 Manager Group 929 Old File Group 929 Original Connector Group 929 Request Group 935 Source Group 936 Target Group 940 Threat Group 944 Resource Attributes 945 Geographical Attributes 945 Data Monitors 946 Asset Category Count Data Monitor 947 Event Correlation Data Monitor 948 Event Graph Data Monitor 950 Event Reconciliation Data Monitor 951 Correlation Event-Generating Fields 953 Geographic Event Graph Data Monitor 955 Hierarchy Map Data Monitor 956 Features 956 Use Cases 
957 Defining a Hierarchy Map Data Monitor 957 Adding Variables 959 Specifying the Source Node Identifiers 959 Hierarchy Levels and Group Delimiters 960 Specifying Group Attributes 961 Hierarchy Map Display and Visualization Controls 962 Map Display and An Example 962 Labels, Size, and Color Controls 963 Selecting Colors for the Blocks 964 Hourly Counts Data Monitor HP ESM (6.9.1c) 965 Page 31 of 1106 ArcSight Console User's Guide Last N Events Data Monitor 966 Last State Data Monitor 967 Last State Data Monitor Parameters 968 Options for Table and Tile Views 969 Table View (Color Chooser and Remove Entry) 969 Tile View (Customize View) 969 Options for Table and Tile Views 972 Table View (Color Chooser and Remove Entry) 972 Tile View (Customize View) 972 Moving Average Data Monitor 974 Rules Partial Match Data Monitor 977 Session Reconciliation Data Monitor 978 Statistics Data Monitor 980 System Monitor Data Monitor 983 System Monitor Attribute Data Monitor 983 Top Value Counts Data Monitor 984 Data Monitor Expressions 986 Supported Data Monitor Expression Operators 987 Supported Data Monitor Expression Functions 987 Device 988 Event Inspector 988 Events 989 Event Categorization 990 Event Handling Stages 990 Field Sets 991 Filters 992 Filtering Options 992 Global Variables 993 Grid View 994 iDefense 994 Inspect/Edit Panel 995 Job Scheduler 996 To view all scheduled jobs 998 Troubleshooting Tips 998 Knowledge Base 998 Logical Operators 999 HP ESM (6.9.1c) Page 32 of 1106 ArcSight Console User's Guide Managed Security Service Providers (MSSPs) 1001 Manager 1001 Navigator Panel 1002 Notifications 1002 Notification Operation 1002 Testing Notification Escalations 1003 Notification Destinations 1003 Notification Acknowledgements 1004 Packages 1004 Pattern Discovery 1004 Pattern Concepts 1005 Discovering Patterns 1005 Pattern Analysis 1006 Initial Phase 1006 Routine Pattern Processing 1006 Workflow Management 1006 Pattern Analysis 1007 Pattern Disposition 1007 Pattern 
Discovery Expertise 1007 Workflow 1008 Visualization 1008 Applications 1008 Payload 1009 Prioritization Fields 1009 Priority Calculations and Ratings 1010 Priority Elements 1013 Priority Operators 1014 MaxValue Attribute 1014 Weight Attribute 1014 Priority Rating Queries 1015 1016 Queries and Trends 1016 Building and Running Queries 1016 Query Viewers 1016 Reference Pages 1017 Regex (Regular Expressions) 1017 Perl Constructs not Supported in Java HP ESM (6.9.1c) 1017 Page 33 of 1106 ArcSight Console User's Guide Java Constructs not Supported in Perl 1018 Notable Differences between Java and Perl 1018 Character Matches 1019 Reports 1019 Working with Report Templates, Queries, and Trends 1020 Viewing and Managing Reports 1020 Archived Reports 1020 Report Groups 1021 Delta Reports 1021 Report Parameters 1022 Running Reports 1022 ArcSight-Provided Reports 1022 Report Templates 1023 Resources 1024 Valid and Invalid Resources 1024 Fixing and Validating Resources 1024 Resource Attributes 1026 Rules 1029 Loading Rules 1029 Automatically Disabled Rules 1029 Rules Processing and Correlation 1032 Rule Groups 1033 Scheduled Rules 1034 Rule-triggering Timing 1034 Rule Chains 1035 Variables 1035 Rule Actions 1035 Active List Rule Actions 1035 Execute Connector Command Rule Actions 1035 Rule Conditions 1036 Rules Editor 1037 Schema 1037 Avoiding Field Naming Collisions Event Fields 1039 Precise Event Categorization 1039 Send Logs Guidelines for Using the Send Logs Utility HP ESM (6.9.1c) 1038 1040 1041 Page 34 of 1106 ArcSight Console User's Guide Options for Running Diagnostics and Sending Logs 1041 Starting the Send Logs Wizard on the ArcSight Console 1042 Session Correlation Why Session Correlation Matters 1042 1042 Session Lists 1043 SmartConnectors 1044 Operational Status 1044 Configuration 1045 Zones 1045 Upgrading 1046 Filtering 1046 SMTP 1046 Sortable Field Sets 1047 Sorting Columns in Grid Views Status Monitor Events 1048 1048 Active Channel Statistics 1049 Active List 
Statistics 1049 Asset Statistics 1050 Data Monitor Statistics 1052 Event Broker Statistics 1052 Filter Engine Statistics 1053 Main Flow Statistics 1053 Notification Statistics 1054 Pattern Discovery Statistics 1054 Report Statistics 1055 Resource Framework Statistics 1055 Rules Engine Statistics 1055 Session List Statistics 1057 Session Management Statistics 1058 SmartConnector Flow Statistics 1058 Threat 1060 Threat Evaluation 1060 Evaluation Process 1060 Evaluation Definitions 1061 Maintaining Model Confidence 1062 Using Threat Evaluation Information 1062 Limitations and Workarounds 1062 Thresholds HP ESM (6.9.1c) 1063 Page 35 of 1106 ArcSight Console User's Guide Time Error Correction 1063 Timestamps 1063 Timestamps for Security Events 1064 Timestamps for Resources 1064 Timestamp Variables 1065 Inclusive Timestamps 1065 Time Zone Correction 1066 Trends 1066 Understanding Trends and Queries 1066 Building Trends 1066 User Groups 1067 Users 1067 User Types 1068 Variables 1069 About Functions 1069 About Remote Variables 1070 Local and Global Variables 1070 Variable Definition Fields 1071 Alias Functions 1072 Arithmetic Functions 1073 Category Model Function 1075 Condition Functions 1076 Group Functions 1077 IP Address Functions 1079 List Functions 1079 String Functions 1080 Timestamp Functions 1081 Type Conversion Functions 1085 Value List Functions 1089 Using Functions: Examples with Lists 1090 Getting Login Session Data from a Session List 1090 Extracting a List Element from an Active List 1091 Variable Availability and Contexts 1092 Variable Functions for In-Memory Operations 1093 Velocity Templates 1093 Velocity Application Points 1094 Using Velocity Expressions to Retrieve Values from Event Fields or Variables 1095 Retrieving Values from Event Fields HP ESM (6.9.1c) 1095 Page 36 of 1106 ArcSight Console User's Guide Using Variables in a Velocity Expression 1095 Using Velocity Expressions in Rule Actions 1096 Example of Rule Action that Uses Velocity Expressions 
to Retrieve Values 1096 More Velocity Template Examples 1097 Velocity References for Reports 1097 Velocity Template Usage Tips 1101 Views 1101 View Types 1102 Dashboards 1103 Other Views 1103 Vulnerabilities 1103 Vulnerability Groups 1104 Standardized Vulnerability Tracking 1104 Web Browsers 1104 Browser Preferences for HTML Displays 1105 Browser Preference Overrides for Specific Features 1105 Send Documentation Feedback HP ESM (6.9.1c) 1106 Page 37 of 1106 Chapter 1: Getting Started Welcome to ESM and the ArcSight Console. ESM is a comprehensive software solution that combines traditional security event monitoring with network intelligence, context correlation, anomaly detection, historical analysis tools, and automated remediation. It consolidates and normalizes data from disparate devices across your enterprise network in a centralized view. Starting the Console Start the Console as you would any other application. The login mechanism varies according to the type of authentication you have set up during installation. Depending on the chosen shortcuts during installation, start the Console using any of these methods: l Using the Console desktop icon l Selecting from the system tray l Selecting from the Start menu Alternatively, open a command window in the Console’s bin directory and type arcsight console If you are using SSL authentication, set it up and import the certificate as described in the Administrator’s Guide’s “Configuration” chapter, in the section entitled “Understanding SSL Authentication.” After the certificate is imported, you can start the Console without entering a user ID or password. If you are using password authentication, see the Administrator’s Guide’s “Configuration” chapter, in the section entitled “Managing Password Configuration.” Log in with your user ID and password. Certificates are imported automatically. If you have selected “Password or SSL Authentication,” you choose which way to log in, each time. 
If you are using FIPS and using a browser, make sure that the browser is configured for FIPS. See the Administrator's Guide's topic on "Configure Your Browser for FIPS."

Quick Start Tools and Standard Content

The Console serves as the control point for administrators to configure ESM content and resources, and to manage, monitor, and respond to network security issues across the enterprise.

A Network Model Wizard is provided to facilitate the process of describing network devices and assets in ESM. For more about the Network Model wizard and instructions on how to use it, see "Populating the Network Model Using the Wizard" on page 110.

A set of coordinated resources (filters, rules, dashboards, reports, and so on) is provided to address common security and management tasks. The set of standard content is designed to give you comprehensive correlation, monitoring, reporting, alerting, and case management out of the box, with minimal configuration required on the Console. For information about standard System or Administration content, refer to the Standard Content Guide: ArcSight Administration and ArcSight System.

All ESM documentation is available on Protect 724 (https://protect724.hp.com).

Use Cases

Use cases are special groupings of related ArcSight content that address specific security issues and business requirements. Use cases provide an integrated, Console-based alternative for viewing and interacting with resources, compared to the standard one-resource-at-a-time viewing method offered in the Resource tree of the Navigator panel. You can configure shared resources in a single operation, and export related resources in an ArcSight Resource Bundle (arb) for use in other ArcSight instances. HP provides use cases for some of the standard content that is installed with ESM and for additional content (Security Use Cases) provided through the Marketplace.

The standard content use cases are described in the ArcSight Administration and ArcSight System Standard Content Guide. Each Security Use Case comes with its own documentation that describes how to install, configure, and use it.

Tip: Use case configuration requires having a network model in place. Model your network first as part of the initial configuration of ESM. Follow the instructions in "Modeling the Network" on page 98.

Chapter 2: Working in the Console

In addition to the capabilities built into the Console, the Console itself is a tool with its own characteristics and specialized controls. The Help topics in this section describe the basics of using Console tools and controls to make the most of its features.

Navigating

Use the Navigator panel on the Console to locate and manage security resources, and the Viewer and Inspect/Edit panels to analyze resource data and view or adjust the attributes of the resources producing the data.

Figure: The Navigator panel showing the Dashboards resource tree

The resources available in the Navigator panel can be affected by permissions set for your user type.

On the Navigator panel, you can:

• Choose a resource tree from the drop-down list.
• Expand (+) and collapse (-) resource groups to locate particular subgroups or individual resources. You can also use the keyboard right arrow key to expand and the left arrow key to collapse the Navigator resource trees.
• Right-click groups or individual resources to choose from their context menus. Use the Viewer or Inspect/Edit panels to see or act on the results of the context menu commands.
Navigator Panel Resource Tree

Resource Tree on the Console's Navigator Panel (one entry per resource tree; the tree icon shown in the Console is omitted here)

Active Channels
Create, modify, and delete security-event views that actively and continuously evaluate the events they display, on the basis of time and other filter conditions. This view also includes the Field Sets resource tree for managing named field sets. See "Monitoring Events" on page 210.

Actors
Map humans or agents to activity in applications and on the network, and identify the actors behind events. See "Actors" on page 740.

Assets
Security-sensitive devices and device groups installed in your enterprise, and the known exposures to potential threats those devices may represent. Assets also includes the related network, zone, location, category, and vulnerability information you use to manage network devices. See "Modeling the Network" on page 98.

Cases
Track enterprise security incident cases, by status and priority. See "Case Management and Queries" on page 596.

Connectors
Manage the SmartConnectors installed at your enterprise. See "Managing SmartConnectors" on page 140.

Customers
Manage resources that represent the security concerns of particular MSSP (Managed Security Services Provider) clients. See "Managing Customers" on page 138.

Dashboards
Various event data monitors and their library of supporting resources. See "Using Dashboards" on page 238.

Field Sets
Define subsets of available data fields so you can quickly focus a grid view, an Event Inspector, or other field arrays on a particular context. See "Field Sets" on page 546.

Files
The Files resource tree, when populated, lists files saved as resources on the Manager. This makes them accessible to all users of the system who are authorized for such access. File resources include Case file attachments, templates, and general-purpose shared files. See "Managing File Resources" on page 671.

Filters
Event filtering definitions, organized in groups. See "Filtering Events" on page 286 and "Managing Filter Groups" on page 294.

Integration Commands
Application integration resources used to configure and launch commands, tools, and views in custom and third-party applications and other ArcSight products from within the Console. Provides the ability to configure custom scripts, URLs, and Connector commands, and to integrate them into the Console UI in various contexts. Leverages Velocity expressions and the UI contexts for pulling the content of event data, for example, as command parameter values. Provides support for ArcSight Network Synergy Platform (NSP) and Threat Response Manager (TRM). See "Integration Commands" on page 623.

Knowledge Base
A database of articles and groups of articles that aid problem-solving, analysis, and operation. See "Getting Knowledge Base Articles" on page 285 and "Knowledge Base Authoring" on page 665.

Lists
Active Lists are lists of active source and target IP addresses of interest, as defined by enterprise rules. See "List Authoring" on page 469 for more information. Session Lists are similar to active lists, but are optimized for time-based queries and monitoring of rule-driven combinations of event attributes or custom fields. See "Identity Correlation" on page 569 for more information.

Notifications
Destinations and settings for the automatic messages that alert you to predefined situations or events. See "Acknowledging Notifications" on page 56 and "Managing Notifications" on page 203.

Pattern Discovery
Profiles to capture, and snapshots of, potentially threatening event patterns. See "Pattern Discovery" on page 710.

Query Viewers
A resource for defining and running SQL queries on other ESM resources (independent of reports), including trends, assets, cases, connectors, events, and so forth. Each query viewer contains an SQL query along with other logic for establishing and comparing baseline results, analyzing historical data to find patterns in network activity, and performing drill-down investigation on a particular aspect of the results. Query viewers can use the same queries as reports do, but can be run independently of them. See "Query Viewers" on page 323.

Reports
Definitions for, and archived output from, various activity reports. See "Running and Managing Reports" on page 448 and "Building Reports" on page 371.

Rules
Rules and groups of rules created for isolating, analyzing, and responding to events. See "Rules Authoring" on page 493.

Saved Searches
Saved Searches are created on the ArcSight Command Center. Refer to the ArcSight Command Center User's Guide for information on how to create and save searches. This resource is displayed on the ArcSight Console for packaging and content synchronization purposes. See "Managing Resources" on page 670 and "Managing Packages" on page 693.

Search Filters
Search Filters are created and used on the ArcSight Command Center. Refer to the ArcSight Command Center User's Guide for information on how to create searches, then save them as filters. This resource is displayed on the ArcSight Console for packaging and content synchronization purposes. See "Managing Resources" on page 670 and "Managing Packages" on page 693.

Stages
Workflow and annotation features for real-time analyst collaboration on security events.

Use Cases
Resource collections that address common security issues and business requirements.
When use cases are installed, a Use Case tab is displayed in the Navigator panel. A wizard is available for configuring the use case resources; instructions for using the wizard are provided in the documentation that accompanies each Use Case.

Users
ArcSight users and user groups. See "Managing Users" on page 180.

Using SmartFolders

ArcSight has special, automatically maintained folders to track the results of your case searches or to track your currently selected replay rules and currently running reports. When you create them, these folders appear just below the root of each resource type in the Navigator, prefixed with your ArcSight user name.

To create a case-search SmartFolder:

1. Right-click a folder in the Cases tree and choose New Search Group in the context menu to open the Search Group Editor.
2. Use the Editor to define a search that updates dynamically each time a change occurs to one of your cases. A given group contains the result of this search when it is applied to those cases.

Using Reports SmartFolders

The Reports tree in the Navigator panel shows a folder for each user name with the suffix "Reports." These folders list the reports that user is currently running, and the right-click context menu offers the commands available for those reports. These folders are maintained automatically and you cannot change them.

You can use this feature to control report runs. For example, if a report is running too long and you would like to end it, right-click it and choose Stop Report.

Note: Reports you run using the Run button in the Report Editor are initiated outside the usual Console processes. These reports do not appear in, and are not controllable from, the Reports tree in the Navigator.

Using Resource Groups

You can group resource types in the Navigator panel to help you organize and manage them. Groups can also be hierarchical, resulting in "trees" of resources. Apart from the characteristics of the resources involved, such as assets or vulnerabilities, each group identity has certain properties you can edit in the Group Editor.

Adding or Editing a Resource Group

To add or edit a resource group:

1. To add a group, right-click a resource group and choose New Group. To edit an existing group, right-click the group and choose Edit Group.
2. In the Group Editor, enter or change the group attributes you want to change. Entering data in the Common and Assign sections is optional, depending on how your environment is configured. For information about the Common and Assign attribute sections, as well as the read-only attribute fields in Parent Groups and Creation Information, see "Common Resource Attribute Fields" on page 685.
3. Optional: To add information in the Notes tab, refer to "Using Notes" on page 57.
4. Click Apply to put your changes into effect but leave the editor open. Click OK to apply your changes and also close the editor.

Fields containing system information (like Creation Time) are not editable.

See "Reference Pages" on page 1017 for more about using the Group Page and Member's Page fields.

See "Job Scheduler" on page 996 for information about scheduling tasks or "jobs" for reports (individually or by group), rules, or Pattern Discovery snapshots.

Using the Categories Tab for Asset Groups

The Group Editor for groups in the Assets tab of the Assets resource tree has an additional Categories tab. This tab has two sub-panels: Local Asset Categories and Inherited Asset Categories. Local shows assets that are explicitly assigned to categories. Inherited shows assets whose category connections are presumptions based on a parent group or a simple asset-range association.

Batch Editing

You can make common edits to multiple case or SmartConnector resources by selecting a set of either type in the Navigator panel and changing their common fields in the Case or Connector Editor.

Batch-Editing Cases or Connectors

Where:

• Navigator > Resources > Connectors, or
• Navigator > Resources > Cases

To batch-edit cases or connectors:

1. Ctrl+click or Shift+click to select a set of individual cases or SmartConnectors in their respective resource trees in the Navigator panel.
2. Right-click the selected items and choose Edit.
3. Make changes to the appropriate common fields, such as Description or Owner.
4. Click Apply to record your changes and leave the editor open, or click OK to save and close.

Saving affects only the fields you have changed, in each of the selected resources.

Cases Reminder

Use the Lock Case check box to lock and unlock cases in batches.

SmartConnector Reminders

Batch changes affect only default configurations, not alternates. However, you can add new alternate configurations by batch editing. Note that if you make changes under the Filters tab, the entire tab's contents are saved to the selected SmartConnectors. You can batch-edit connectors only of the same version.

Reconnecting to the Manager

If your Console loses its connection to the Manager, a dialog box enables you to Retry the connection, Relogin, or Cancel the connection. Try these options in this order. A connection to the Manager cannot be re-established if the Manager is restarted or if a network problem prevents communication with the same Manager. In such cases, click Cancel and start the Console again, using an appropriate Manager host name.

Viewing

This section provides information on using the Console Viewer Panel and choosing look-and-feel options (skins) for the Console.
Topics include:

• "The Viewer Panel" below
• "Console Look-and-Feel" on page 48

The Viewer Panel

You see the products of security-event analyses in the Viewer panel, which can display several different types of views. (See also "Using Views" on page 210.) Although there are some views that display information about resources, most views are active channels, which are continuously evaluated collections of security-event data. (See also "Monitoring Active Channels" on page 210.)

Tip: Here are some Viewer Panel features you can use.

• To show a resource (like a particular dashboard or active channel) in the viewer, right-click it in the Navigator tree and choose Show.
• To close individual views quickly, Shift+click their name tabs. (You can also right-click a view name tab and choose Close from the popup menu.)
• To float the Viewer panel, click the Float icon at the top left of the Viewer.

The Viewer tabs in the Viewer panel have a live link at the top. You can click these links to open the contents in an external, fully functional browser window. For security reasons, HTML that might include JavaScript, plug-ins, or other embedded objects is rendered in the default browser you specify through the Preferences dialog box. The default browser is also used for PDF document files.

If your Console is not already displaying a default set of pre-defined views, or if you want to change the views displayed, you can use these options:

• Choose Window > Viewer Panel to open the panel if it isn't open.
• Choose the Active Channels, Dashboards, or Pattern Discovery resource trees in the Navigator panel to find analysis tools or results to view.
• Right-click a resource in a tree and choose Show to open it in the Viewer panel.
• When multiple tabbed views are open in the panel, click the tabs at the top of the panel to choose the active channel you want to see, and the tabs at the bottom of the panel to choose which view of that active channel should be foremost. To close an individual view, Shift+click its name tab. (You can also right-click a view name tab and choose Close from the popup menu.)

Using active channels and the many types of views they offer is fully covered in the topics under these headings:

• "Monitoring Events" on page 210
• "Selecting and Investigating Events in Active Channels" on page 274
• "Using Dashboards" on page 238

Console Look-and-Feel

If you start the Console from the command line with the arcsight console command (in ARCSIGHT_HOME/current/bin), use the -laf