ArcSight Console User's Guide, ArcSight ESM 7.0
User Manual (1037 pages)
- Chapter 1: Getting Started
- Chapter 2: Working in the Console
- Navigating
- Changing the Console Display
- Changing User Preferences
- Changing Your Password
- Setting Default Editors and Viewers
- Changing Global Options
- Setting Dialog Options
- Setting Grid Options for the Viewer Panel
- Customizing the Default Selections for Active Lists
- Setting Date and Time Formats
- Setting Latitude and Longitude Options
- Configuring Event Graphs
- Setting Notification Popups
- Managing Hot Keys
- Viewing
- Inspecting and Editing
- Controlling the Console
- Using the Network Tools
- Staying Informed
- Using the File Menu
- Using the Edit Menu
- Using the View Menu
- Using the Window Menu
- Using the Tools Menu
- Using the System Menu
- Using the Help Menu
- Using Right-Click Context Menus
- Using the Advanced Selector While Editing Resources
- Keyboard Shortcuts (Hot Keys)
- Creating Shortcuts for Resources
- Showing Recently Viewed Resources
- Adding Resources to the Favorites List
- Printing from the Console
- Saving and Sending Settings
- Error and Warning Messages
- Chapter 3: Managing Users and Groups
- Chapter 4: Managing Permissions
- Editing Access Control Lists (ACLs)
- Granting or Removing Resource Permissions
- Granting or Removing Operations Permissions
- Granting or Removing User Group Permissions
- Adding or Removing Enforced Filters
- Permissions for Sortable Field Sets
- Sharing Resources
- Controlling Who Has Permissions to Deploy Data Monitors
- Chapter 5: Modeling the Network
- The Network Model
- Asset Model
- Populating the Network Model with Assets
- Populating the Network Model Using the Wizard
- Working with Assets, Locations, Zones, Networks, Vulnerabilities, and Categories
- Managing Assets
- Asset Auto-Creation
- Selecting Assets in the Common Conditions Editor
- Auto-Zoning an Asset
- Auto-Zoning Imported Assets
- Managing Asset Groups
- Managing Vulnerabilities
- Managing Zones
- Managing Networks
- Managing Asset Categories
- Managing Locations
- Managing Assets
- Managing Customers
- Chapter 6: Managing SmartConnectors
- Selecting and Setting SmartConnector Parameters
- Managing SmartConnector Filter Conditions
- Setting Special Severity Levels
- Sending Model Mappings to SmartConnectors
- Sending Control Commands to SmartConnectors
- Managing SmartConnector Groups
- Importing and Exporting SmartConnector Configurations
- Using Additional Data Fields
- Upgrading SmartConnectors
- Consuming Events from Event Broker
- Chapter 7: Managing Notifications
- Chapter 8: Monitoring Events
- Monitoring Active Channels
- Creating or Editing an Active Channel
- Viewing Active Channels
- Monitoring Events in the Active Channel
- Full Search and Event Search on ArcSight Command Center
- Using Views
- Investigating Views
- Filtering an Active Channel
- Filtering Active Channels with Inline Filters
- Applying a Field Set to an Active Channel
- Using an Active Channel Header
- Sorting Events in the Active Channel
- Adding, Replacing, or Removing a Column
- Sizing, Showing, or Hiding Column Elements
- Using Active Channel Menu Commands
- Exporting Events to a File
- Defining Grid Fields Options
- Saving Copies of Active Channels and Filters
- Best Practices to Optimize Channel Performance
- Active Channels or Reports?
- Active Channels or Query Viewers?
- Active Channel Query Time Ranges
- Active Channel Filters
- Filtering on Indexed Fields
- Filtering on Join Fields
- Continuously Updating Time Parameters
- Sorting by End Time or Manager Receipt Time
- Sorting in Active Channels
- Use of the “Live” Channel from Standard Content
- Case Sensitive or Case-Insensitive Conditions?
- I/O Subsystem Performance
- Diagnostics: Start with Basic Channel Characteristics
- Customizing Columns
- Using Dashboards
- Using Custom View Dashboards
- Using Data Monitors
- Creating a Data Monitor
- Editing a Data Monitor
- Deleting a Data Monitor
- Managing Drilldowns from Data Monitors
- Moving or Copying a Data Monitor
- Enabling or Disabling a Data Monitor
- Overriding a Data Monitor's Last State
- Managing Data Monitor Groups
- Optimizing the Evaluation of Event Filters for Data Monitors
- Using Charts
- Using Query Viewers
- Graphing Attacks
- Monitoring Active Channels
- Chapter 9: Selecting and Investigating Events in Active Channels
- Chapter 10: Filtering Events
- Chapter 11: Queries
- How Queries Work
- Using Queries and Trends Together for Reports
- Using Queries in Query Viewers
- Building a Query
- Query Settings
- Editing a Query
- Example: Creating Asset-Related Conditions for Queries on Lists
- Chapter 12: Query Viewers
- Pre-Built and Custom Query Viewers
- Managing Query Viewers
- Query Viewer Settings
- Deleting a Query Viewer
- Defining and Using Baselines
- Managing Drilldowns from Query Viewers
- Viewing Query Viewer Results
- Working with Query Viewer Results
- Troubleshooting Query Viewers
- Adding Query Viewers to Dashboards
- Adding Query Viewers as Startup Views
- Generating Reports from Query Viewers
- Example Queries for Common Scenarios
- Chapter 13: Building Reports
- Understanding the Reporting Workflow
- Creating or Editing a Report
- Defining Report Attributes
- Report Templates
- Binding Data to the Report
- Binding Data to Tables
- Setting Default and Custom Report Parameters
- Generating Reports with Central European, Cyrillic, or Asian Fonts
- Creating Focused Reports
- Using Report Templates
- End-to-End Reporting Examples
- Example of Creating a Simple Report with the Wizard
- Advanced Reporting Example Overview
- Chapter 14: Running and Managing Reports
- Running a Report
- Running a Delta Report
- Running Reports from a Grid View
- Running Large or Complex Reports
- Moving and Copying Reports
- Managing Report Groups
- Archiving and Scheduling Reports
- Chapter 15: Building Trends
- Chapter 16: List Authoring
- Required Settings for Large Lists
- Creating or Editing an Active List
- Viewing and Editing Active List Entries
- Using Rules to Populate an Active List
- Adding Events from a Channel to an Active List
- Moving or Copying an Active List
- Importing and Exporting an Active List
- Deleting an Active List
- Managing Active List Groups
- Managing Session Lists
- Field Naming Restrictions
- Chapter 17: Rules Authoring
- Designing Rules
- Rule Types
- Managing Rules
- Specifying Rule Conditions
- Specifying Rule Thresholds and Aggregation
- Managing Rule Actions
- Converting Rule Types
- Testing Rules
- Verifying Rules with Events
- Deploying Real-time Rules
- Managing Rule Groups
- Importing and Exporting Rules
- Scheduling Rules
- Chapter 18: Identity Correlation
- Understanding Session Correlation
- Creating a Session List Rule
- Using the Session List Output
- Creating a Variable to Get Session List Data
- Example: Using Session Lists to Correlate Session Data on User Logins
- Example: Using Active Lists to Correlate Users
- Chapter 19: Field Sets
- Chapter 20: Global Variables
- Chapter 21: Case Management and Queries
- Creating or Editing a Case
- Locking and Unlocking Cases
- Entering Case Attributes
- Entering Case Descriptions
- Entering the Case Security Classifications
- Entering Follow Up Items for the Case
- Entering Attack Mechanism Information
- Entering Attack Agent Information
- Entering Incident Information
- Entering Vulnerability Information
- Entering Miscellaneous Information
- Using the Case's History Panel
- Working with Events in Cases
- Attaching a File to a Case
- Closing a Case
- Deleting a Case
- Granting Permission to Delete Cases
- Moving or Copying a Case to a Group
- Finding Cases
- Viewing a Case’s Internal Audit Events
- Managing Case Groups
- Viewing Group Cases in a Grid View
- Running Case Queries
- Creating a Report from a Case
- Using External Case Management Systems
- Creating or Editing a Case
- Chapter 22: Integration Commands
- What are Integration Commands?
- Planning Checklist and Workflow
- Navigating to Integration Command Resources
- Defining Commands
- Adding and Editing Command Parameters
- Removing a Command Parameter
- Using Configurations to Group Commands
- Specifying Targets
- Authorization and Authentication Settings
- Running Integration Commands
- Entering/Saving Command Parameters at Runtime
- Using the ArcSight Investigate Integration Commands
- ArcSight Logger Search Commands
- Network Tools as Integration Commands
- More Integration Examples
- Chapter 23: Knowledge Base Authoring
- Chapter 24: Finding Resources
- Chapter 25: Managing Resources
- Chapter 26: Managing Packages
- Creating or Editing Packages
- Adding Resources from the Resource Navigator
- Supported Packages for Content Synchronization
- Exporting Packages
- Importing Packages
- Backing Up and Restoring with Packages
- Installing or Uninstalling Packages
- Deleting Packages
- Removing Resources from Packages
- Resolving Package Conflicts
- Chapter 27: Using Pattern Discovery
- Chapter 28: Actors
- Configuring Actors
- Permissions Required to Use Actor-Related Data
- Viewing Actors on the Console
- Viewing an Actor in the Actor Editor
- Viewing Actors in an Actor Channel
- Filtering Actor Channels
- Managing Actor Channels
- Investigating Actors
- Creating and Editing Actors for Testing Purposes
- Leveraging Actor Data Using Variables
- Creating and Using Category Models
- Chapter 29: Reference Guide
- Access Control Lists
- Active Channels
- About Actors
- Active Lists
- Administrator
- Advanced Editor
- Aggregation
- ArcSight Console
- Assets
- Attack
- Audit Events
- Audit Events Common to Most Resources
- Active Channel
- Active List
- Actor
- Archive
- Authentication
- Authorization
- Connector Connection
- Connector Exceptions
- Connector Login
- Connector Registration and Configuration
- Content Management
- Dashboard
- Data Monitors
- Distributed Correlation
- Event Broker
- Global Variables
- Group Management
- License Audit
- Logger Component
- Manager Activation
- Manager External Event Flow Interruption
- Status Monitor Events
- Active Channel Statistics
- Active List Statistics
- Asset Statistics
- Data Monitor Statistics
- Event Broker Statistics
- Filter Engine Statistics
- Main Flow Statistics
- Notification Statistics
- Pattern Discovery Statistics
- Report Statistics
- Resource Framework Statistics
- Rules Engine Statistics
- Session List Statistics
- Session Management Statistics
- SmartConnector Flow Statistics
- Notification
- Notification Acknowledgement, Escalation, and Resolution
- Notification Testing
- Pattern Discovery
- Query Viewers
- Reports
- Resource Quota
- Rule Actions
- Rule Activations
- Rule Firings
- Rule Warnings
- Rules Scheduled
- Scheduler Execution
- Scheduler Scheduling Tasks
- Scheduler Skip
- Session Lists
- Trends
- Trend Partitions
- User Login
- User Management
- Base Queries
- Batching
- Cases
- Case Groups
- Categories
- Collaboration
- Common Conditions Editor (CCE)
- Conditional Statements
- Conditions
- Content
- CORR-Engine
- Correlation
- Correlation Formula
- Correlation Rule
- Customers
- Dashboards
- Dashboard Context Menu Commands
- Data Fields
- Attacker Group
- Connector Group
- Category Group
- Destination Group
- Device Group
- Device Custom Group
- Event Group
- Event Annotation Group
- File Group
- Final Device Group
- Flex Group
- Geographical Attributes
- Manager Group
- Old File Group
- Original Connector Group
- Request Group
- Source Group
- Target Group
- Threat Group
- Resource Attributes
- Data Monitors
- Asset Category Count Data Monitor
- Event Correlation Data Monitor
- Event Graph Data Monitor
- Geographic Event Graph Data Monitor
- Hierarchy Map Data Monitor
- Hourly Counts Data Monitor
- Last N Events Data Monitor
- Last State Data Monitor
- Moving Average Data Monitor
- Rules Partial Match Data Monitor
- Statistics Data Monitor
- System Monitor Data Monitor
- System Monitor Attribute Data Monitor
- Top Value Counts Data Monitor
- Data Monitor Expressions
- Device
- Event Inspector
- Events
- Event Annotation Fields
- Event Categorization
- Event Handling Stages
- Field Sets
- Filters
- Filtering Options
- Global Variables
- Grid View
- IP Address Ranges
- Inspect/Edit Panel
- Job Scheduler
- Knowledge Base
- Logical Operators
- Managed Security Service Providers (MSSPs)
- Manager
- Navigator Panel
- Notifications
- Packages
- Pattern Discovery
- Payload
- Prioritization Fields
- Priority Calculations and Ratings
- Queries
- Query Viewers
- Reference Pages
- Reports
- Report Templates
- Resources
- Resource Attributes
- Rules
- Rule Actions
- Rule Conditions
- Rules Editor
- Saved Searches
- Schema
- Search Filters
- Send Logs
- Session Correlation
- Session Lists
- SmartConnectors
- SMTP
- Sortable Field Sets
- Threat
- Threat Evaluation
- Thresholds
- Time Error Correction
- Timestamps
- Timestamp Variables
- Time Zone Correction
- Understanding Trends and Queries
- User Groups
- Users
- User Types
- Variables
- About Remote Variables
- About Functions
- Local and Global Variables
- Variable Definition Fields
- Alias Functions
- Arithmetic Functions
- Category Model Function
- Condition Functions
- Group Functions
- IP Address Functions
- List Functions
- String Functions
- Timestamp Functions
- Type Conversion Functions
- Value List Functions
- Using Functions: Examples with Lists
- Variable Availability and Contexts
- Variable Functions for In-Memory Operations
- Velocity Templates
- Views
- Vulnerabilities
- Web Browsers
- Send Documentation Feedback