HPE Security ArcSight ESM
Software Version: 7.0

ArcSight Console User's Guide

April 20, 2018

Legal Notices
Warranty
The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
The information contained herein is subject to change without notice.
The network information used in the examples in this document (including IP addresses and hostnames) is for illustration
purposes only.
HPE Security ArcSight products are highly flexible and function as you configure them. The accessibility, integrity, and
confidentiality of your data is your responsibility. Implement a comprehensive security strategy and follow good security
practices.
This document is confidential.

Restricted Rights Legend
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use or copying.
Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical
Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice
© Copyright 2018 Hewlett Packard Enterprise Development, LP
Follow this link to see a complete statement of copyrights and acknowledgements:
https://community.softwaregrp.com/t5/Discussions/Third-Party-Copyright-Notices-and-License-Terms/td-p/1589228

Support
Contact Information
Phone

A list of phone numbers is available on the Technical Support Page: https://softwaresupport.softwaregrp.com/support-contact-information

Support Web Site

https://softwaresupport.softwaregrp.com/

ArcSight Product Documentation

https://community.softwaregrp.com/t5/ArcSight-Product-Documentation/ctp/productdocs

HPE ESM 7.0

Page 2 of 1037

Contents
Chapter 1: Getting Started .... 36

Starting the ArcSight Console .... 36

Quick Start Tools and Standard Content .... 37

Use Cases .... 37

Chapter 2: Working in the Console .... 38

Navigating .... 38
Navigator Panel Resource Tree .... 39
Batch Editing .... 41
Batch-Editing Cases or Connectors .... 41
Locking Case Groups .... 41
SmartConnector Reminders .... 41
Reconnecting to the Manager .... 42

Changing the Console Display .... 42

Changing User Preferences .... 43
Changing Your Password .... 43
Setting Default Editors and Viewers .... 44
Changing Global Options .... 44
Setting Dialog Options .... 46
Setting Grid Options for the Viewer Panel .... 47
Customizing the Default Selections for Active Lists .... 49
Setting Date and Time Formats .... 50
Setting Latitude and Longitude Options .... 51
Configuring Event Graphs .... 52
Setting Notification Popups .... 53
Managing Hot Keys .... 53
Adding Shortcuts for Frequently-Used Resources .... 54
Modifying a Custom Shortcut .... 57
Removing a Custom Shortcut .... 59
Activating a New Shortcut Schema .... 60
Sharing Custom Shortcut Schemas .... 61

Viewing .... 61
The Viewer Panel .... 61
Console Look-and-Feel .... 63

Inspecting and Editing .... 63
Overview of Inspect/Edit Features and Utilities .... 64
Searching for Fields in Event Inspector, Resource Editors, or CCE .... 65
Getting More Help .... 66

Controlling the Console .... 66

Using the Network Tools .... 68
Running a Tools Command .... 69
Adding or Editing a Tool .... 70

Staying Informed .... 72
Acknowledging Notifications .... 72
Checking the Status of the Distributed Correlation Cluster .... 73
Defining Message Lag Thresholds .... 73
Using Notes .... 74
License Tracking .... 75
License Tracking Notifications .... 75
Standard Reports for License Status Tracking .... 76

Using the File Menu .... 76

Using the Edit Menu .... 77

Using the View Menu .... 77

Using the Window Menu .... 78

Using the Tools Menu .... 79

Using the System Menu .... 80

Using the Help Menu .... 80

Using Right-Click Context Menus .... 80

Using the Advanced Selector While Editing Resources .... 83

Keyboard Shortcuts (Hot Keys) .... 84

Creating Shortcuts for Resources .... 86

Showing Recently Viewed Resources .... 86

Adding Resources to the Favorites List .... 87

Printing from the Console .... 88
Printing Navigation Tree Views of Resources .... 88
Printing Resource Definitions .... 88
Printing Grid Views .... 89
Printing Conditions Tree Summary .... 90
Using Column Flip Limit to Format Grid View Printouts .... 90

Saving and Sending Settings .... 92

Error and Warning Messages .... 93
Chapter 3: Managing Users and Groups .... 94
Managing User Groups .... 94
Managing Users .... 96
Creating or Editing a User .... 97
Resetting User Passwords .... 99
Moving or Linking a User .... 99
Deactivating and Reactivating a User .... 100
Deleting a User .... 101
Chapter 4: Managing Permissions .... 102

Editing Access Control Lists (ACLs) .... 102

Granting or Removing Resource Permissions .... 103

Granting or Removing Operations Permissions .... 104

Granting or Removing User Group Permissions .... 105

Adding or Removing Enforced Filters .... 107

Permissions for Sortable Field Sets .... 110

Sharing Resources .... 110

Controlling Who Has Permissions to Deploy Data Monitors .... 111
How Upgrades Affect Data Monitor Deploy Permissions .... 112
Deployment Permissions on Imported Data Monitors .... 112

Chapter 5: Modeling the Network .... 114

The Network Model .... 114
Assets .... 115
Automatically-Created Assets .... 115
Asset Aging and Model Confidence .... 117
Asset Ranges .... 118
Zones .... 118
Dynamic and Static Zones .... 119
Networks .... 120

Asset Model .... 121
Locations .... 121
Vulnerabilities .... 121
Asset Categories .... 121
Asset Categories Assigned to Assets, Asset Ranges, and Asset Groups .... 122

Asset Categories Assigned to Zones .... 122

Populating the Network Model with Assets
ArcSight Console-Based Methods
Manually, Using Network Modeling Resources
In a Batch Using the Network Modeling Wizard
SmartConnectorUsing the Asset Model Import FlexConnector
Automatically From a Vulnerability Scanner Report
ArcSight-Assisted Methods
As an Archive File From an Existing Configuration Database

122
123
123
124
124
125
125
125
126

Populating the Network Model Using the Wizard .... 126
Specifying CSV Column Types .... 127
Specify the Column Type Using a Header .... 127
Specifying Multiple Categories in one Category Column .... 128
Assign the Column Type in the Wizard .... 128
Zones CSV File Format .... 129
An Example of a Zones CSV File .... 131
Zones CSV File Format .... 131
An Example of a Zones CSV File .... 133
Assets CSV File Format .... 133
An Example of an Assets CSV File .... 135
Static Addressing in a Dynamic Zone .... 135
Asset Ranges CSV File Format .... 136
An Example of an Asset Ranges CSV File .... 137
Increasing the Number of Displayed Rows .... 137
Summary of Data to Import .... 138
Network Data Imported into ArcSight Manager .... 138

Working with Assets, Locations, Zones, Networks, Vulnerabilities, and Categories .... 138
Managing Assets .... 139
Asset Auto-Creation .... 141
Creating Assets from a Vulnerability Scan Report .... 142
Creating Assets from a Vulnerability Scan Report for Static Zones .... 142
Creating Assets from a Vulnerability Scan Report for Dynamic Zones .... 142
Creating Assets for SmartConnectors .... 143
Creating Assets for SmartConnectors in Static Zones .... 143
Creating Assets for SmartConnectors in Dynamic Zones .... 144
Creating Assets for Network Devices .... 145
Creating Assets for Network Devices in Static Zones .... 146
Creating Assets for Network Devices in Dynamic Zones .... 146
Asset Auto-Creation from Scanners in Dynamic Zones .... 147

Create Asset with IP Address or Host Name .... 147
Preserve Previous Assets .... 148
Asset Names .... 150
Changing the Default Naming Scheme .... 151
Selecting Assets in the Common Conditions Editor .... 151
Auto-Zoning an Asset .... 152
Auto-Zoning Imported Assets .... 153
Managing Asset Groups .... 154
Managing Vulnerabilities .... 155
Selecting Vulnerabilities in the Common Conditions Editor .... 156
Working with Vulnerable Assets .... 157
Managing Vulnerability Groups .... 158
Showing Affected Assets .... 159
Reporting on Output from Vulnerability Scanners .... 160
Reporting on Asset Vulnerabilities .... 160
Managing Zones .... 160
Managing Networks .... 162
Managing Asset Categories .... 162
Managing Locations .... 163
Managing Customers .... 164
Chapter 6: Managing SmartConnectors .... 166

Selecting and Setting SmartConnector Parameters .... 166
Configuring the SmartConnector .... 166
Connector Editor Tabs .... 167
Connector Tab Configuration Fields .... 168
Default Content Tab Configuration Fields .... 169
SmartConnector Processing Categories .... 181
SmartConnector Time Interval Options .... 182

Managing SmartConnector Filter Conditions .... 183
Adding SmartConnector Filter Conditions .... 183
Deleting SmartConnector Filter Conditions .... 184

Setting Special Severity Levels .... 184

Sending Model Mappings to SmartConnectors .... 186

Sending Control Commands to SmartConnectors .... 186
Getting Connector Status .... 187
Sending Standard Flow-Control Commands .... 187
Tech Support Commands .... 189
Mapping Commands for Additional Data Fields .... 191

Managing SmartConnector Groups .... 194

Importing and Exporting SmartConnector Configurations .... 196
Importing a SmartConnector Configuration .... 196
Exporting a SmartConnector Configuration .... 196
SmartConnector Filters .... 197

Using Additional Data Fields .... 197

Upgrading SmartConnectors .... 200
Overview of the Upgrade Process .... 201
SmartConnector Upgrade Procedure .... 202
Rolling back to a Previous Version .... 203
Troubleshooting .... 203
Getting Status and Versions on Installed SmartConnectors .... 203

Consuming Events from Event Broker .... 204

Chapter 7: Managing Notifications .... 206

Managing Received Notifications .... 206

Managing Notification Groups .... 207

Managing Notification Destinations .... 209

Changing Notification and Acknowledgment Settings .... 210

Testing Notification Groups and Destinations .... 212

Managing Escalation Levels .... 212

Chapter 8: Monitoring Events .... 213
Monitoring Active Channels .... 213
Creating or Editing an Active Channel .... 213
Viewing Active Channels .... 217
Monitoring Events in the Active Channel .... 218
Full Search and Event Search on ArcSight Command Center .... 218
Using Views .... 220
Investigating Views .... 221
Viewing an Exploited Vulnerability .... 222
Viewing a Targeted Asset .... 222
Filtering an Active Channel .... 222
Filtering Active Channels with Inline Filters .... 222
Applying a Field Set to an Active Channel .... 224
Using an Active Channel Header .... 225
Sorting Events in the Active Channel .... 227

Adding, Replacing, or Removing a Column .... 228
Sizing, Showing, or Hiding Column Elements .... 229
Using Active Channel Menu Commands .... 230
Exporting Events to a File .... 231
Defining Grid Fields Options .... 233
Saving Copies of Active Channels and Filters .... 234
Best Practices to Optimize Channel Performance .... 234
Active Channels or Reports? .... 234
Active Channels or Query Viewers? .... 234
Active Channel Query Time Ranges .... 235
Active Channel Filters .... 235
Filtering on Indexed Fields .... 235
Filtering on Join Fields .... 235
Continuously Updating Time Parameters .... 235
Sorting by End Time or Manager Receipt Time .... 235
Sorting in Active Channels .... 236
Use of the “Live” Channel from Standard Content .... 236
Case Sensitive or Case-Insensitive Conditions? .... 237
I/O Subsystem Performance .... 237
Diagnostics: Start with Basic Channel Characteristics .... 237
Customizing Columns .... 237
Creating a Custom Column .... 238
Showing a Custom Column .... 239
Advanced Example: Creating a Custom Column with Velocity Template .... 239

Using Dashboards .... 239
Monitoring Dashboards .... 240
Creating or Editing a Dashboard .... 242
Adding a Data Monitor to a Dashboard .... 244
Adding a Query Viewer to a Dashboard .... 245
Dashboard Display Formats .... 246
Managing Dashboard Groups .... 247

Using Custom View Dashboards .... 248
Displaying Custom View Dashboards .... 248
Reverting to the Regular Dashboard View .... 249
Working with Custom View Dashboards .... 250
Arranging Custom View Dashboards .... 250
Loading a Background Image .... 251
Selecting a Previously Uploaded Background Image .... 251
Verifying the Background Image .... 252
Removing a Background Image .... 252

Custom View Dashboard Context Menu Options .... 252

Using Data Monitors .... 253
Creating a Data Monitor .... 253
Editing a Data Monitor .... 256
Deleting a Data Monitor .... 257
Managing Drilldowns from Data Monitors .... 257
Adding a Drilldown .... 257
Editing a Drilldown .... 262
Changing the Default Drilldown .... 262
Sorting or Changing the Order of Drilldowns .... 263
Removing a Drilldown .... 264
Moving or Copying a Data Monitor .... 264
Enabling or Disabling a Data Monitor .... 264
Overriding a Data Monitor's Last State .... 266
Managing Data Monitor Groups .... 266
Optimizing the Evaluation of Event Filters for Data Monitors .... 268
Requirement .... 268
Automating the Optimization of Filter Conditions .... 269
Tracing the Optimization .... 269
Disabling the Optimization Feature .... 271

Using Charts .... 271
Charting an Active Channel's Contents .... 271
Charting a Data Monitor's Contents .... 272
Exploring the Events Behind a Chart .... 273

Using Query Viewers .... 274

Graphing Attacks .... 274
Creating Static Event Graphs .... 274
Creating Live Event Graphs .... 275
Event Graph Notes .... 276

Chapter 9: Selecting and Investigating Events in Active Channels .... 277

Selecting Events in the Active Channel .... 277

Showing Event Details and Rule Chains .... 277

Running ArcSight Investigate Searches .... 279

Investigating Session Events .... 280

Collaborating on Events (Event Annotation) .... 281
Annotating an Event .... 282
Mark Similar Events Fields .... 283

Annotation Preservation .... 284
Viewing Annotations for an Event .... 285
Creating or Editing Stages .... 285

Working with Event Payloads .... 286

Exporting Data Fields to a CSV File .... 288

Getting Knowledge Base Articles .... 289

Chapter 10: Filtering Events .... 290

Creating or Editing a Filter .... 290

Creating and Editing an Inline Filter .... 291

Applying Filters .... 292

Moving or Copying Filters .... 293

Deleting Filters .... 294

Debugging Filters to Match Events .... 294

Importing and Exporting filters .... 296

Managing Filter Groups .... 296

Investigating Views .... 297
Using an Event Attribute to Show a New Filtered View .... 298
Refining a Filter with an Event Attribute .... 298
Filtering Out ArcSight Events .... 299
Adding an Event Attribute to a Filtering Condition .... 299

Modifying Views .... 300

Chapter 11: Queries .... 302

How Queries Work .... 302

Using Queries and Trends Together for Reports .... 302

Using Queries in Query Viewers .... 303

Building a Query .... 303

Query Settings .... 304
General Query Attributes .... 304
Query Fields .... 307
SELECT Query Fields .... 308
Query Structure (SELECT) .... 309
Applying Functions to SELECT Columns .... 310
GROUP BY Query Fields .... 311

Query Structure (GROUP BY) .... 312
Applying Time-Based Functions to GROUP BY Columns .... 313
ORDER BY Query Fields .... 314
Query Structure (ORDER BY) .... 315
Applying a Column Function to Order By .... 315
Sort Order .... 315
Query Conditions .... 315
Creating Conditions on a Field .... 316
Creating a Group Condition .... 317
Tips on Creating Conditions .... 317
Query Variables .... 317

Editing a Query .... 318

Example: Creating Asset-Related Conditions for Queries on Lists .... 319

Chapter 12: Query Viewers .... 321

Pre-Built and Custom Query Viewers .... 321
Standard Content .... 321
Custom Query Viewers .... 321
Customizing Query Viewers as Needed .... 322
inActiveList Conditions for Queries .... 322

Managing Query Viewers .... 322

Query Viewer Settings .... 324
Query Viewer Attributes .... 324
Query Viewer Fields .... 326
Sort Options .... 328
Baselines .... 328
Query Viewer Variables .... 329

Deleting a Query Viewer .... 330

Defining and Using Baselines .... 330
Why Baselines are Useful .... 331
Planning for Baseline Comparisons .... 332
Adding a Baseline .... 333
Comparing Displayed Results to a Baseline .... 333
Show or Hide Baseline Columns .... 334
Sort Baseline Data .... 335
Filter Baseline Data .... 335
Removing a Baseline .... 336

Managing Drilldowns from Query Viewers .... 337

Adding a Drilldown .... 337
Editing a Drilldown .... 341
Changing the Default Drilldown .... 341
Sorting or Changing the Order of Drilldowns .... 341
Removing a Drilldown .... 342

Viewing Query Viewer Results .... 343
Filtering Query Viewer Results .... 346
Viewing an Event or Resource Directly from the Query Viewer .... 348

Working with Query Viewer Results .... 348
Results in Table Format .... 349
"Analyze in Channel" Options on the Table View .... 349
Column Sort, Display, and Edit Options .... 350
Results in Chart Formats .... 352

Troubleshooting Query Viewers .... 353

Adding Query Viewers to Dashboards .... 353

Adding Query Viewers as Startup Views .... 354

Generating Reports from Query Viewers .... 354

Example Queries for Common Scenarios .... 356
Basic Analysis High Level Summaries .... 356
Analyst’s First View of Events .... 356
How the Events Query Viewer is Built .... 357
Analyst’s First View of Events .... 359
How the Events Query Viewer is Built .... 360
How the Events Query Viewer is Built .... 362
Drilldown Example .... 364
How the Console Builds Drilldowns .... 365
Non-Event Analysis Example .... 366
Baseline Analysis for Data Comparison .... 366
History Analysis Example .... 367

Chapter 13: Building Reports .... 368
Understanding the Reporting Workflow .... 368
Step 1 - Build a Query .... 369
Step 2 - Build a Trend Based on a Query .... 370
Step 3 - Build a Query Based on a Trend .... 370
Step 4 - Select or Design a Report Template .... 370
Step 5 - Create a Report .... 371
Step 6 - Run a Report .... 371

Step 7 - Archive and Maintain Reports .... 372
Managing Dependencies for Reports Resources .... 372

Creating or Editing a Report .... 372
Defining Report Attributes .... 374
Report Templates .... 375
Report Template Selection .... 375
Text Attributes .... 376
Preview .... 378
Binding Data to the Report .... 378
Binding Data to Charts .... 378
Selecting Data for the X-Axis on a Chart .... 379
Selecting Data for the X-Axis on a Chart .... 381
Selecting Data for the Y-Axis on a Chart .... 382
Selecting Data for the Z-Axis on a Chart (Optional) .... 384
Effect of Sorting on Bar Charts with Series Data .... 384
Specifying Top/Bottom Filters Aggregation Filters for a Chart (Optional) .... 387
Setting Display Options and Scale Formats for Charts .... 388
Binding Data to Tables .... 389
Specifying Fields for a Table .... 390
Enabling the Aggregation Tab for a Table .... 393
Setting Top/Bottom Counts in Table Aggregation Tab (Optional) .... 393
Setting Default and Custom Report Parameters .... 394
Adding Custom Parameters for Report Data .... 398
Displaying a Custom Parameter Prompt at Report Runtime .... 399
Adding or Removing a Prompt for Custom Parameters in the Report .... 399
Defining the Prompt in the Query’s Condition Tab .... 401
Generating Reports with Central European, Cyrillic, or Asian Fonts .... 403
Creating Focused Reports .... 404

Using Report Templates .... 404
Applying a Standard Template to an Existing Report .... 405
Creating a New Report Based on a Template .... 406
Copying a Standard Template .... 407
Managing Report Template Groups .... 407
Editing a Template .... 407

End-to-End Reporting Examples .... 408
Example of Creating a Simple Report with the Wizard .... 408
Advanced Reporting Example Overview .... 410
Step 1 - Build the VPN Logins Outcome Query .... 411
Query Name and Other General Attributes .... 411
Fields to Include in Query Result .... 411

Query Conditions .... 413
Step 2 - Build the VPN Logins Outcome Hourly Trend .... 413
Step 3 - Filter the Trend Data (Login Attempts, Successes, Failures) .... 415
Step 4 - Create the VPN Logins Outcome Report on Trend Data .... 417
Choose a Template and Bind it to Result Data .... 417
Use Custom Parameters .... 418
Step 5 - Run the Report .... 420
Chapter 14: Running and Managing Reports .... 422

Running a Report .... 422

Running a Delta Report .... 426

Running Reports from a Grid View .... 427
Running a Rule Context Report .... 427
Running an Event Context Report .... 428
Running a Channel Report .... 428
Running a Query Viewer Report .... 429

Running Large or Complex Reports .... 432

Moving and Copying Reports .... 433

Managing Report Groups .... 433

Archiving and Scheduling Reports .... 435
Archiving a Report .... 435
Displaying an Archived Report .... 437
Scheduling Report Tasks .... 437
Scheduling Individual-Report Archiving .... 437
Scheduling Report Archiving by Resource Group .... 439
Standard Time Transitions .... 439
Viewing an Archived Report .... 440
Editing a Report Archiving Schedule .... 440
Editing Report Archiving Parameters .... 441
Deleting a Report Archiving Schedule .... 441

Chapter 15: Building Trends .... 442

How Trends Work .... 442

Snapshot Trend .... 443

Interval Trend .... 443

Query-Trend Relationships in Reporting .... 443

Managing Trends .... 444

Creating or Editing a Trend .... 445
Defining Trend Settings .... 445
Trend Attributes .... 446
Trend Schedule .... 450
Trend Parameters .... 451
Trend Actions (Add to Active List) .... 452
How Trend Actions are Useful (Summary Views and Rules) .... 452
Plan and Define Active Lists with Fields Mapped to Trend .... 453
Working with Trend Actions .... 453
Example: Populating Active Lists with Trend Results .... 454
Notes on Trend Action Behavior .... 457

Testing a Trend .... 457

Viewing Trend Data .... 458

Refreshing Trend Data .... 459

Disabling or Enabling a Trend .... 459

Deleting a Trend .... 460

Chapter 16: List Authoring .... 461

Required Settings for Large Lists .... 461

Creating or Editing an Active List .... 461

Viewing and Editing Active List Entries .... 466

Using Rules to Populate an Active List .... 468
Example Active List .... 468
Example Rule to Populate the Active List .... 468

Adding Events from a Channel to an Active List .... 470

Moving or Copying an Active List .... 471

Importing and Exporting an Active List .... 472

Deleting an Active List .... 472

Managing Active List Groups .... 473

Managing Session Lists .... 474
Creating or Editing a Session List .... 474
Editing Session List Entries .... 477
Moving, Copying, or Deleting a Session List .... 478
Exporting a Session List .... 479

Field Naming Restrictions .... 479

Chapter 17: Rules Authoring .... 481

Designing Rules .... 481

Rule Types .... 482

Managing Rules .... 483
Creating or Editing Rules .... 483
Moving or Copying Rules .... 484
Enabling and Disabling Rules .... 485
Viewing Rules and Their Correlation Events .... 486
Deleting Rules .... 486

Specifying Rule Conditions .... 486
Creating Rule Conditions .... 487
Adding Filter Conditions .... 488
Adding Asset Conditions .... 489
Adding Vulnerability Conditions .... 489
Adding Active List (InActiveList) Conditions .... 490
Creating Matching or Join Conditions .... 492
Editing or Deleting Join Data Field Conditions .... 494
Negating Event Conditions .... 495
Optimizing the Evaluation of Event Conditions .... 497
Automating Condition Optimization .... 497
Disabling the Optimization Feature .... 498
Tracing the Optimization .... 498

Specifying Rule Thresholds and Aggregation .... 500
Setting or Changing Rule Thresholds .... 500
Examples of Grouping Unique or Identical Field Values .... 501
Examples of Grouping Unique or Identical Field Values .... 502
Aggregation Time Criteria .... 503
Deleting Aggregation from a Rule .... 505

Managing Rule Actions .... 505
Adding, Editing, or Removing a Rule Action .... 506
Activating or De-activating a Rule Trigger .... 507
Enabling or Disabling a Rule Action .... 508
Threshold Triggering Options .... 508
Rule Actions Best Practices .... 510
Rule Actions Reference .... 511
Applying Rule Actions on Cases .... 517
Using a Rule to Create a Case .... 517
Using a Rule to Add to an Existing Case .... 518

Converting Rule Types .... 520

Testing Rules .... 520

Verifying Rules with Events .... 522

Deploying Real-time Rules .... 524
Deploying a Rule .... 524
Removing or Un-deploying a Rule .... 525

Managing Rule Groups .... 525

Importing and Exporting Rules .... 527

Scheduling Rules .... 527
Scheduling a Rule Group .... 528
Scenarios for Using Scheduled Rules .... 529
Example of a Scheduled Rule (Badge Swipes and Logins) .... 530

Chapter 18: Identity Correlation .... 534

Understanding Session Correlation .... 534

Creating a Session List Rule .... 535

Using the Session List Output .... 537

Creating a Variable to Get Session List Data .... 537

Example: Using Session Lists to Correlate Session Data on User Logins .... 538
Step 1 - Create a Session List to Store Windows Sessions .... 539
Step 2 - Create Rules to Populate the Session List with Windows Logins .... 540
Rule 1: Triggers on Windows Session Logins .... 541
Attributes .... 541
Conditions .... 541
Aggregation .... 542
Actions .... 542
Rule 2: Triggers on Termination of Windows Sessions .... 544
Step 3 - Verify Rules .... 545
Step 4 - Use the Session List in a Report .... 547

Example: Using Active Lists to Correlate Users .... 549
Example Overview .... 550
Step 1 - Build and Populate the Active List with User IDs .... 550
Populating an Active List with User Data .... 551
Step 2 - Create a Rule that Uses Active List Values to Correlate User IDs .... 553
Attributes .... 553
Variable .... 553
Conditions .... 555
Aggregation .... 556

Actions .... 556
Step 2 - Create a Rule that Uses Active List Values to Correlate User IDs .... 557
Attributes .... 557
Variable .... 558
Conditions .... 559
Aggregation .... 561
Actions .... 561
Step 2 - Create a Rule that Uses Active List Values to Correlate User IDs .... 562
Attributes .... 562
Variable .... 563
Conditions .... 564
Aggregation .... 566
Actions .... 566
Chapter 19: Field Sets .... 568

Creating a Field Set .... 569
Field Set Editor: Attributes Tab .... 570
Field Set Editor: Fields Tab .... 570
Using the Fields & Global Variables Subtab .... 571
Using the Field Sets Subtab .... 571
Using the Local Variables Subtab .... 572
Field Set Editor: Local Variables Tab .... 572
Adding Custom Columns to the Field Set .... 573
Renaming a Column Using an Alias .... 574
Editing a Field Set .... 574
Sharing a Field Set .... 575
Deleting a Field Set .... 576

Resources That Use Field Sets .... 576

Chapter 20: Global Variables .... 577

Remote Variables Processing .... 577

Global Variable Dependencies .... 577

Navigating to Global Variables .... 578

Creating or Editing a Global Variable .... 578
Global Variable Editor: Attributes Tab .... 580
Global Variable Editor: Parameters Tab .... 580
Global Variable Editor: Local Variables Tab .... 581

Moving, Linking, or Deleting Global Variables .... 581

Promoting a Local Variable to a Global Variable .... 582

Adding a Global Variable to a Resource .... 584
Accessing a Global Variable Using the CCE .... 585
Adding Global Variables to an Active Channel .... 586
Adding a Global Variable to a Data Monitor .... 587
Adding a Global Variable to a Field Set .... 588

Chaining a Global Variable .... 589

Chapter 21: Case Management and Queries .... 591

Creating or Editing a Case .... 592
Locking and Unlocking Cases .... 594
Entering Case Attributes .... 594
Entering Case Descriptions .... 598
Entering the Case Security Classifications .... 598
Entering Follow Up Items for the Case .... 599
Entering Attack Mechanism Information .... 600
Entering Attack Agent Information .... 601
Entering Incident Information .... 601
Entering Vulnerability Information .... 602
Entering Miscellaneous Information .... 603

Using the Case's History Panel .... 603

Working with Events in Cases .... 606
Creating or Updating a Case from Displayed Events .... 606
Using the Case Events Panel .... 608
Viewing a Case's Events in a Channel .... 609
Including Base Events Through a Rule .... 609
Copying Event Details from Case to Case .... 609
Deleting Events from a Case .... 610

Attaching a File to a Case .... 610
Attaching a Data Monitor, Dashboard, or Query Viewer to a Case .... 612
Viewing a Case Attachment .... 613
Editing a Case Attachment .... 613
Best Practices on Attaching Files to a Case .... 614

Closing a Case .... 615

Deleting a Case .... 615

Granting Permission to Delete Cases .... 616

Moving or Copying a Case to a Group .... 617

Finding Cases .... 617

Viewing a Case’s Internal Audit Events .... 618

Managing Case Groups .... 619

Viewing Group Cases in a Grid View .... 620

Running Case Queries .... 621

Creating a Report from a Case .... 621
Running Case Reports and Setting Default Parameters .... 622
Customizing the Case Report .... 625
Customize Selected Case Query .... 625
Customize Selected Case Report .... 626
Add a Server Property for the New Report URI .... 627

Using External Case Management Systems .... 627
Exporting Cases to ServiceNow® IT Service Management (ITSM) .... 628

Chapter 22: Integration Commands .... 630

What are Integration Commands? .... 630
Supported Command Types .... 630
Local Scripts and Commands to Other Applications .... 631
How Integration Commands Work .... 632

Planning Checklist and Workflow .... 632

Navigating to Integration Command Resources .... 633

Defining Commands .... 634
Script Commands .... 636
URL Commands .... 637
Connector Commands .... 637

Adding and Editing Command Parameters .... 638

Removing a Command Parameter .... 640

Using Configurations to Group Commands .... 641
Configurations Attributes .... 642
Configurations Contexts .... 643
Configurations Commands .... 644
Configuration Targets .... 645
Adding a Target to a Configuration .... 645
Editing Targets in a Configuration .... 645
Removing Commands from a Configuration .... 646

Specifying Targets .... 646
Target Attribute .... 646

Target Integration Parameters .... 647

Authorization and Authentication Settings .... 647
Setting User Login Parameters .... 648
Setting Login Credentials .... 648
Setting Login Credentials on Target Servers .... 649
Setting Logins and Other Parameters to Prompt for Values at Runtime .... 649

Running Integration Commands .... 650

Entering/Saving Command Parameters at Runtime .... 650

Using the ArcSight Investigate Integration Commands .... 651

ArcSight Logger Search Commands .... 653
Logger Integration Commands .... 653
Enabling Integrated Logger Searches .... 654
1. Set Up Logger Command Targets .... 655
2. Set Up the Logger Command Configuration .... 655
3. Set Up Users for Logger Access .... 655
Example of Running a Logger Quick Search .... 656

Network Tools as Integration Commands .... 657

More Integration Examples .... 659

Chapter 23: Knowledge Base Authoring .... 662

Managing Knowledge Base Articles .... 662

Managing Knowledge Base Article Groups .... 665

Associating Knowledge Base Articles .... 666

Chapter 24: Finding Resources .... 667

How Fields are Indexed .... 667

Using Text Search Syntax .... 668

Using the Search Field on the Console Tool Bar .... 671

Using the Search Result Columns .... 673

Locating Resources on the Navigator Tree .... 673

Chapter 25: Managing Resources .... 674
Working with Resource Groups .... 674
Adding or Editing a Resource Group .... 674
Using the Categories Tab for Asset Groups .... 675

Moving, Copying, Linking, and Deleting Resources .... 675

Locking and Unlocking Resources .... 676

Selecting Resources .... 677

Visualizing Resources .... 677
Graphing Resources .... 677
Using Graphs .... 678
Configuring Resource Graphs .... 679
Viewing Resources in Grids .... 680

Validating Resources .... 680
About Valid and Invalid Resources .... 680
Fixing and Validating Resources .... 681
Troubleshooting Requirements for Valid Resources .... 683
Resource Validation During Upgrade or Package Import .... 685

Extending Audit Event Logging .... 685

Common Resource Attribute Fields .... 687
Common .... 687
Assign .... 688

Saving Copies of Read-Only Resources .... 688

Managing File Resources .... 688
Uploading Files and Creating a File Resource .... 689
Working with Files .... 689

Chapter 26: Managing Packages .... 692

Creating or Editing Packages .... 693
About Locked Packages .... 697

Adding Resources from the Resource Navigator .... 697

Supported Packages for Content Synchronization .... 697

Exporting Packages .... 698

Importing Packages .... 699
Best Practices for Importing Packages .... 700
Importing Packages Created by Other Users .... 701

Backing Up and Restoring with Packages .... 702
ID Checking During Import .... 702
Package Modifications .... 702
List Data .... 703
Backup and Restore Summary .... 703

Installing or Uninstalling Packages .... 704

Deleting Packages .... 705

Removing Resources from Packages .... 706

Resolving Package Conflicts .... 706

Chapter 27: Using Pattern Discovery .... 708
Pattern Discovery Overview .... 708
What Pattern Detection Provides .... 708
Pattern Components .... 709
How Pattern Discovery Works .... 710

Pattern Discovery Life Cycle .... 711

Creating or Editing a Profile .... 711
Specifying Actions .... 714
Creating Local Variables .... 716
Adding Notes .... 717
Deleting a Profile .... 718

Taking a Snapshot .... 718
Analyzing Snapshots .... 720
Exploring a Snapshot .... 720
Arranging Elements in Graphic View .... 722
Scheduling a Snapshot .... 723
Re-opening a Snapshot .... 724
Deleting a Snapshot .... 724

Investigating Patterns .... 725
Investigating Patterns in the Snapshots View .... 725
Investigating Patterns in the Patterns View .... 727
Viewing Patterns with Filter .... 728
Inspecting Patterns .... 728
Creating Rules from Patterns .... 730
Annotating Patterns .... 732
Deleting a Pattern .... 733

Pattern Discovery Usage Guidelines
Establishing a Baseline of Normal Patterns
Using Pattern Discovery in Routine Operations
Performance Considerations
Adjusting Pattern Discovery Memory

733
733
733
734
734

Chapter 28: Actors
HPE ESM 7.0

735
Page 24 of 1037

ArcSight Console User's Guide

Configuring Actors ... 735
Permissions Required to Use Actor-Related Data ... 737
Viewing Actors on the Console ... 738
Viewing an Actor in the Actor Editor ... 739
Viewing Actor Account Attributes ... 740
Viewing Actor Role Attributes ... 740
Viewing Actors in an Actor Channel ... 741
Sorting Fields in Actor Channels ... 742
Actor Channel Options ... 743
Filtering Actor Channels ... 743
Adding a Local Filter to the Actor Channel Resource ... 743
Creating an Inline Filter ... 745
Managing Actor Channels ... 745
Investigating Actors ... 746
Running Context Reports from an Actor Channel ... 746
Investigating an Actor from an Event Channel ... 748
Actor Context Reports in Standard Content ... 749
Creating and Editing Actors for Testing Purposes ... 750
Important Points to Consider About Making Manual Changes to Actors ... 750
Creating Actors for Testing Purposes ... 750
Editing Actors for Testing Purposes ... 752
Deleting Actors ... 753
Leveraging Actor Data Using Variables ... 753
Creating an Actor Global Variable ... 753
Creating an Actor-Based Variable in Another Resource ... 754
Creating and Using Category Models ... 755
Memory Recommendations for Using Category Models ... 755
Creating Category Models ... 756
Creating Actor-to-Actor Category Models ... 757
Creating Actor Attribute Category Models ... 759
Creating User-Defined Category Models ... 761
Managing Category Models ... 763
Viewing Category Models in Graphs ... 764
Leveraging Category Model Data Using Variables ... 766
Chapter 29: Reference Guide ... 768
Access Control Lists ... 768

Resource ACLs ... 768
Active Channels ... 770
Active Channel Views ... 770
Active Channel Headers ... 771
Comparisons ... 772
Active Channel Views for Assets and Cases ... 772
About Actors ... 772
How the Actors Feature Works ... 774
About the Actor Model Import Connector ... 775
Troubleshooting Errors with Actor Model Imports ... 777
Active Lists ... 777
Uses of Active Lists ... 778
Active Lists for Long-Term State Retention ... 778
Optimize Data with Hash-Based Active Lists ... 779
Active List Monitor Events ... 779
Active Lists with Values ... 780
Using Variables to Retrieve Data from Active Lists with Values ... 780
Example: Active List with Values to Store Directory Information ... 781
Create an Active List ... 781
Populate the Active List ... 781
Correlate Information Stored in UserRoles List ... 782
Administrator ... 784
Advanced Editor ... 785
Aggregation ... 786
ArcSight Console ... 786
Assets ... 787
Assets Tab ... 787
Zones Tab ... 788
Networks Tab ... 788
Categories Tab ... 788
Vulnerabilities Tab ... 789
Locations Tab ... 789
Attack ... 789
Audit Events ... 790
Audit Events Common to Most Resources ... 790
Active Channel ... 791
Active List ... 792
Actor ... 792

Archive ... 792
Authentication ... 793
Authorization ... 794
Connector Connection ... 794
Connector Exceptions ... 795
Connector Login ... 796
Connector Registration and Configuration ... 796
Content Management ... 797
Dashboard ... 798
Data Monitors ... 798
Distributed Correlation ... 799
Aggregator Audit Events ... 800
Correlator Audit Events ... 800
DCache (Distributed Cache) Audit Events ... 800
MBus (Message Bus) Audit Events ... 800
Persistor Audit Events ... 801
Event Broker ... 801
Global Variables ... 801
Group Management ... 802
License Audit ... 802
Logger Component ... 803
Alerts ... 804
Archives ... 807
Certificates ... 808
Peers ... 809
Saved Searches ... 810
Searches ... 811
Search Filters ... 812
Storage Groups ... 812
Storage Volume ... 813
Manager Activation ... 813
Manager External Event Flow Interruption ... 813
Status Monitor Events ... 813
Active Channel Statistics ... 814
Active List Statistics ... 814
Asset Statistics ... 815
Data Monitor Statistics ... 815
Event Broker Statistics ... 816
Filter Engine Statistics ... 816
Main Flow Statistics ... 816
Notification Statistics ... 817

Pattern Discovery Statistics ... 817
Report Statistics ... 817
Resource Framework Statistics ... 817
Rules Engine Statistics ... 818
Session List Statistics ... 819
Session Management Statistics ... 819
SmartConnector Flow Statistics ... 820
Notification ... 820
Notification Acknowledgement, Escalation, and Resolution ... 821
Notification Testing ... 821
Pattern Discovery ... 821
Query Viewers ... 822
Reports ... 822
Resource Quota ... 822
Rule Actions ... 823
Rule Activations ... 823
Rule Firings ... 824
Rule Warnings ... 824
Rules Scheduled ... 824
Scheduler Execution ... 824
Scheduler Scheduling Tasks ... 825
Scheduler Skip ... 825
Session Lists ... 825
Trends ... 826
Trend Partitions ... 827
User Login ... 827
User Management ... 827
Base Queries ... 828
Batching ... 828
Cases ... 828
Case Groups ... 829
Categories ... 829
Object Category ... 830
Behavior Category ... 832
Outcome Category ... 833
Device Group Category ... 834
Significance Category ... 834
Technique Category ... 835
Asset Categories ... 837

Event Categories ... 837
Collaboration ... 837
Common Conditions Editor (CCE) ... 838
Editor Features ... 839
Condition Tree Command Buttons ... 841
Condition Tree Context Menu Commands ... 843
Adding Conditions ... 846
Search Box to Find Fields in the List ... 848
Field Comparisons with Variable or Static Values ... 849
Using Field Sets ... 850
Adding or Removing Global Variables Using the CCE ... 851
Testing for Zone Relevance ... 853
Conditional Statements ... 853
Conditions ... 855
Parameterized Conditions ... 855
Content ... 856
Content Packages ... 856
Custom Content ... 857
SmartConnector Content ... 857
CORR-Engine ... 857
Correlation ... 857
Correlation Formula ... 858
Correlation Rule ... 859
Customers ... 859
Dashboards ... 860
Dashboard Context Menu Commands ... 860
Data Fields ... 861
Attacker Group ... 862
Connector Group ... 865
Category Group ... 868
Destination Group ... 869
Device Group ... 872
Device Custom Group ... 876
Event Group ... 879
Event Annotation Group ... 884
File Group ... 887
Final Device Group ... 887

Flex Group ... 890
Geographical Attributes ... 890
Manager Group ... 891
Old File Group ... 891
Original Connector Group ... 892
Request Group ... 895
Source Group ... 896
Target Group ... 899
Threat Group ... 902
Resource Attributes ... 903
Data Monitors ... 903
Asset Category Count Data Monitor ... 904
Event Correlation Data Monitor ... 905
Event Graph Data Monitor ... 908
Geographic Event Graph Data Monitor ... 909
Hierarchy Map Data Monitor ... 909
Hierarchy Map Features ... 910
Use Cases ... 910
Defining a Hierarchy Map Data Monitor ... 911
Adding Variables ... 912
Specifying the Source Node Identifiers ... 913
Hierarchy Levels and Group Delimiters ... 913
Specifying Group Attributes ... 914
Hierarchy Map Display and Visualization Controls ... 915
Map Display and An Example ... 915
Labels, Size, and Color Controls ... 916
Selecting Colors for the Blocks ... 918
Hourly Counts Data Monitor ... 919
Last N Events Data Monitor ... 920
Last State Data Monitor ... 921
Last State Data Monitor Parameters ... 921
Options for Table and Tile Views ... 922
Table View (Color Chooser and Remove Entry) ... 923
Tile View (Customize View) ... 923
Moving Average Data Monitor ... 925
Rules Partial Match Data Monitor ... 927
Statistics Data Monitor ... 928
System Monitor Data Monitor ... 930
System Monitor Attribute Data Monitor ... 931
Top Value Counts Data Monitor ... 932

Troubleshooting ... 934
Data Monitor Expressions ... 934
Supported Data Monitor Expression Operators ... 934
Supported Data Monitor Expression Functions ... 935
Device ... 935
Event Inspector ... 936
Events ... 936
Event Annotation Fields ... 938
Event Categorization ... 939
Event Handling Stages ... 939
Field Sets ... 940
Filters ... 940
Filtering Options ... 941
Global Variables ... 942
Grid View ... 943
IP Address Ranges ... 943
Inspect/Edit Panel ... 943
Job Scheduler ... 944
Viewing all scheduled jobs ... 945
Troubleshooting Tips ... 945
Knowledge Base ... 946
Logical Operators ... 946
Managed Security Service Providers (MSSPs) ... 949
Manager ... 950
Navigator Panel ... 950
Notifications ... 950
Notification Operation ... 950
Testing Notification Escalations ... 951
Notification Destinations ... 952
Notification Acknowledgements ... 952
Packages ... 952
Pattern Discovery ... 953
Pattern Concepts ... 953
Discovering Patterns ... 954

Pattern Analysis ... 954
Initial Phase ... 954
Routine Pattern Processing ... 955
Workflow Management ... 955
Pattern Analysis ... 955
Pattern Disposition ... 955
Pattern Discovery Expertise ... 956
Workflow ... 956
Visualization ... 956
Applications ... 957
Payload ... 957
Prioritization Fields ... 958
Priority Calculations and Ratings ... 958
Priority Elements ... 961
Priority Operators ... 962
Priority Rating ... 963
Queries ... 964
Queries and Trends ... 964
Building and Running Queries ... 964
Query Viewers ... 965
Reference Pages ... 966
Reports ... 967
Working with Report Templates, Queries, and Trends ... 967
Viewing and Managing Reports ... 968
Archived Reports ... 968
Report Groups ... 968
Delta Reports ... 969
Report Parameters ... 969
ArcSight-Provided Reports ... 970
Report Templates ... 970
Resources ... 971
Resource Attributes ... 971
Rules ... 973
Loading Rules ... 973
Automatically Disabled Rules ... 974
Rules Processing and Correlation ... 975
Rule Groups ... 977
Scheduled Rules ... 978

Rule-triggering Timing ... 978
Rule Chains ... 979
Variables ... 979
Rule Actions ... 979
Rule Conditions ... 979
Rules Editor ... 980
Saved Searches ... 981
Schema ... 981
Avoiding Field Naming Collisions ... 981
Event Fields ... 983
Precise Event Categorization ... 983
Search Filters ... 984
Send Logs ... 984
Guidelines for Using the Send Logs Utility ... 985
Options for Running Diagnostics and Sending Logs ... 985
Starting the Send Logs Wizard on the ArcSight Console ... 986
Session Correlation ... 986
Why Session Correlation Matters ... 986
Session Lists ... 987
SmartConnectors ... 988
Operational Status ... 988
Configuration ... 989
Zones ... 990
Upgrading ... 990
Filtering ... 990
SMTP ... 991
Sortable Field Sets ... 991
Sorting Columns in Grid Views ... 992
Threat ... 993
Threat Evaluation ... 993
Evaluation Process ... 993
Evaluation Definitions ... 993
Maintaining Model Confidence ... 994
Using Threat Evaluation Information ... 994
Limitations and Workarounds ... 995
Thresholds ... 995

Time Error Correction ... 996
Timestamps ... 996
Timestamps for Security Events ... 996
Timestamps for Resources ... 997
Timestamp Variables ... 997
Inclusive Timestamps ... 998
Time Zone Correction ... 998
Understanding Trends and Queries ... 998
User Groups ... 999
Users ... 1000
User Types ... 1000
Variables ... 1001
About Remote Variables ... 1001
About Functions ... 1002
Local and Global Variables ... 1002
Variable Definition Fields ... 1003
Alias Functions ... 1004
Arithmetic Functions ... 1004
Category Model Function ... 1007
Condition Functions ... 1009
Group Functions ... 1010
IP Address Functions ... 1011
List Functions ... 1012
String Functions ... 1013
Timestamp Functions ... 1014
Type Conversion Functions ... 1017
Value List Functions ... 1021
Using Functions: Examples with Lists ... 1022
Getting Login Session Data from a Session List ... 1022
Extracting a List Element from an Active List ... 1023
Variable Availability and Contexts ... 1023
Variable Functions for In-Memory Operations ... 1024
Velocity Templates ... 1024
Velocity Application Points ... 1025
Using Velocity Expressions to Retrieve Values from Event Fields or Variables ... 1026
Retrieving Values from Event Fields ... 1026
Using Variables in a Velocity Expression ... 1027
Using Velocity Expressions in Rule Actions ... 1027

Example of Rule Action that Uses Velocity Expressions to Retrieve Values ... 1027
Velocity References for Reports ... 1028
More Velocity Template Examples ... 1031
Velocity Template Usage Tips ... 1032
Views ... 1033
View Types ... 1033
Dashboards ... 1034
Other Views ... 1034
Vulnerabilities ... 1034
Vulnerability Groups ... 1035
Standardized Vulnerability Tracking ... 1035
Web Browsers ... 1035
Browser Preferences for HTML Displays ... 1036
Browser Preference Overrides for Specific Features ... 1036
Send Documentation Feedback ... 1037

Chapter 1: Getting Started
Welcome to ESM and the ArcSight Console.
ESM is a comprehensive software solution that combines traditional security event monitoring with
network intelligence, context correlation, anomaly detection, historical analysis tools, and automated
remediation. It consolidates and normalizes data from disparate devices across your enterprise network
in a centralized view.

Starting the ArcSight Console
Start the Console as you would any other application.

Start the Console:
Depending on the shortcuts chosen during installation, start the Console using any of these methods:
- Using the Console desktop icon
- Selecting from the system tray
- Selecting from the Start menu
Alternatively, open a command window in the Console's bin directory and type:
arcsight console

Log in:
The login mechanism varies according to the type of authentication you set up during Console installation.
- If you are using SSL authentication, set it up and import the certificate as described in the ESM Administrator's Guide's "SSL Authentication" section, in the topic "Setting Up SSL Client-Side Authentication on ArcSight Console." After the certificate is imported, you can start the Console without entering a user ID or password.
- If you are using password authentication, log in with your user ID and password. Certificates are imported automatically. See the ESM Administrator's Guide's "Configuration" section, in the topic "Managing Password Configuration," for more information.
- If you have selected "Password or SSL Authentication," you choose which way to log in each time.
- If you are using FIPS and using a browser, make sure that browser is configured for FIPS. See the ESM Administrator's Guide's topic on "Configure Your Browser for FIPS."


Quick Start Tools and Standard Content
The Console serves as the control point for administrators to:
- Configure ESM content and resources
- Manage, monitor, and respond to network security issues across the enterprise

A Network Model Wizard is provided to facilitate the process of describing network devices and assets
in ESM. For more about the Network Model wizard and instructions on how to use it, see "Populating
the Network Model Using the Wizard" on page 126.
A set of coordinated resources (filters, rules, dashboards, reports, and so on) is provided to address
common security and management tasks. The set of standard content is designed to give you
comprehensive correlation, monitoring, reporting, alerting, and case management out of the box, with
minimal configuration required on the Console.
For information about standard ArcSight administration or system content, refer to the ArcSight
Administration and ArcSight System Standard Content Guide. All ESM documentation is available on
Protect 724 (https://community.saas.hpe.com/t5/ArcSight/ct-p/arcsight).

Use Cases
Use cases are special groupings of related ArcSight content that address specific security issues and
business requirements.
Use cases provide an integrated, Console-based alternative to the standard one-resource-at-a-time
viewing method offered in the Resource tree of the Navigator panel for viewing and interacting with
resources. You can configure shared resources in a single operation, and export related resources in an
ArcSight Resource Bundle (arb) for use in other ArcSight instances.
HPE provides use cases for some of the standard content that is installed with ESM and for additional
content (Security Use Cases) provided through the Marketplace. Each Security Use Case comes with its
own documentation that provides information about how to install, configure, and use the use case.
Use case configuration requires having a network model in place. Model your network first as part of
the initial configuration of ESM. Follow instructions in "Modeling the Network" on page 114.


Chapter 2: Working in the Console
In addition to the capabilities built into the Console, the Console itself is a tool with its own
characteristics and specialized controls. The Help topics in this section describe the basics of using
Console tools and controls to make the most of its features.

Navigating
Use the Navigator panel on the Console to locate and manage security resources, and the Viewer and
Inspect/Edit panels to analyze resource data and view or adjust the attributes of the resources
producing the data.
The Navigator panel showing the Dashboards resource tree

The resources available in the Navigator panel can be affected by permissions set for your user type.
On the Navigator panel, you can:
- Choose a group or a specific resource from the resource tree.
- Expand (+) and collapse (-) resource groups to locate particular subgroups or individual resources. You can also use the keyboard right arrow key to expand and left arrow key to collapse the Navigator resource trees.
- Right-click groups or individual resources to choose from their context menus.
- See a list of the last 10 resources you have recently viewed and add resources to your favorites list.

Use the Viewer or Inspect/Edit panels to see or act on the results of the context menu commands.

Navigator Panel Resource Tree
Resource Tree on the Console's Navigator Panel

Active Channels: Create, modify, and delete security-event views that actively and continuously evaluate the events they display, on the basis of time and other filter conditions. This view also includes the Field Sets resource tree for managing named field sets. See "Monitoring Events" on page 213.

Actors: Map humans or agents to activity in applications and on the network, and identify actors behind events. See "Actors" on page 735.

Assets: Security-sensitive devices and device groups installed in your enterprise, and the known exposures to potential threats those devices may represent. Assets also includes the related network, zone, location, category, and vulnerability information you use to manage network devices. See "Modeling the Network" on page 114.

Cases: Track enterprise security incident cases, by status and priority. See "Case Management and Queries" on page 591.

Connectors: Manage the SmartConnectors installed at your enterprise. See "Managing SmartConnectors" on page 166.

Customers: Manage resources that represent the security concerns of particular MSSP (Managed Security Services Provider) clients. See "Managing Customers" on page 164.

Dashboards: Various event data monitors and their library of supporting resources. See "Using Dashboards" on page 239.

Field Sets: Define subsets of available data fields so you can quickly focus a grid view, an Event Inspector, or other field arrays on a particular context. See "Field Sets" on page 568.

Files: The Files resource tree, when populated, lists files saved as resources on the Manager. This makes them accessible to all users of the system who are authorized for such access. File resources include Case file attachments, templates, and general-purpose shared files. See "Managing File Resources" on page 688.

Filters: Event filtering definitions, organized in groups. See "Filtering Events" on page 290 and "Managing Filter Groups" on page 296.

Integration Commands: Application integration resources used to configure and launch commands, tools, and views in custom and third-party applications and other ArcSight products from within the Console. Provides the ability to configure custom scripts, URLs, and Connector commands, and integrate them into the Console UI in various contexts. Leverages Velocity expressions and the UI contexts for pulling the content of event data, for example, as command parameter values.

Knowledge Base: A database of articles and groups of articles that aid problem-solving, analysis, and operation. See "Getting Knowledge Base Articles" on page 289 and "Knowledge Base Authoring" on page 662.

Lists: Active Lists are lists of active source and target IP addresses of interest, as defined by enterprise rules. See "List Authoring" on page 461 for more information. Session Lists are similar to active lists, but are optimized for time-based queries and monitoring of rule-driven combinations of event attributes or custom fields. See "Identity Correlation" on page 534 for more information.

Notifications: Destinations and settings for the automatic messages that alert you to pre-defined situations or events. See "Acknowledging Notifications" on page 72 and "Managing Notifications" on page 206.

Pattern Discovery: Profiles to capture, and snapshots of, potentially threatening event patterns. See "Using Pattern Discovery" on page 708.

Query Viewers: A resource for defining and running SQL queries on other ESM resources (independent of reports), including trends, assets, cases, connectors, events, and so forth. Each query viewer contains an SQL query along with other logic for establishing and comparing baseline results, analyzing historical data to find patterns in network activity, and performing drill-down investigation on a particular aspect of the results. Query viewers can use the same queries as reports do, but can be run independently of them. See "Query Viewers" on page 321.

Reports: Definitions for, and archived output from, various activity reports. See "Building Reports" on page 368 and "Running and Managing Reports" on page 422.

Rules: Rules and groups of rules created for isolating, analyzing, and responding to events. See "Rules Authoring" on page 481.

Saved Searches: Saved Searches are created on the ArcSight Command Center. Refer to the ArcSight Command Center User's Guide for information on how to create and save searches. This resource is displayed on the ArcSight Console for packaging and content synchronization purposes. See "Managing Resources" on page 674 and "Managing Packages" on page 692.

Search Filters: Search Filters are created and used on the ArcSight Command Center. Refer to the ArcSight Command Center User's Guide for information on how to create searches, then save them as filters. This resource is displayed on the ArcSight Console for packaging and content synchronization purposes. See "Managing Resources" on page 674 and "Managing Packages" on page 692.

Stages: Workflow and annotation features for real-time analyst collaboration on security events.

Use Cases: Resource collections that address common security issues and business requirements. When use cases are installed, a Use Case tab is displayed in the Navigator panel. A wizard is available for configuration of the use case resources. Instructions for using the wizard are provided in the documentation provided with the specific Use Case.

Users: ArcSight users and user groups. See "Managing Users and Groups" on page 94 and "Managing Permissions" on page 102.

Batch Editing
You can make common edits to multiple case or SmartConnector resources by selecting a set of either
type in the Navigator panel and changing their common fields in the Case or Connector Editor.

Batch-Editing Cases or Connectors
Where:
- Navigator > Resources > Connectors, or
- Navigator > Resources > Cases

To batch-edit cases or connectors:
1. Ctrl+click or Shift+click to select a set of individual cases or SmartConnectors in their respective
resource trees.
2. Right-click the selected items and choose Edit.
3. Make changes to the appropriate common fields, such as Description or Owner.
4. Click Apply to record your changes and leave the editor open, or click OK to save and close. Saving
affects only the fields you have changed, in each of the selected resources.

Locking Case Groups
Use the Lock Case check box to lock and unlock cases in batches. See "Viewing Group Cases in a Grid
View" on page 620.
Note: If a rule action is configured to update a case, and the case is locked at the time the rule
triggers, then the case will not be updated. See "Applying Rule Actions on Cases" on page 517.

SmartConnector Reminders
Batch changes affect only default configurations, not alternates. However, you can add new alternate
configurations by batch editing.
Note that if you make changes under the Filters tab, the entire tab's contents are saved to the selected
SmartConnectors.
You can batch-edit connectors only of the same version.


Reconnecting to the Manager
If your Console loses its connection to the Manager, a dialog popup enables you to Retry the
connection, Relogin, or to Cancel the connection. Try these options in this order.
A connection to the Manager cannot be re-established if the Manager is restarted or if a network
problem prevents communication with the same Manager. In such cases, click Cancel and start the
Console again, using an appropriate Manager host name.

Changing the Console Display
You can change the look and feel of the Console to better display information, focus on particular
panels, or hide information not of interest. You can switch to a dark theme, resize the Console, float or
dock Console panels, apply translucency to a floating panel, and show or hide the menu bars, tool bars,
and various displays.
What do you want to do? / Here's how:

Switch from default to dark theme: From the View menu, select Themes. You have two options:
- Default is the daylight theme appropriate for a lighted room.
- Dark theme is appropriate for a dark room environment to reduce glare.
If you switch the theme, log off, then log back in.
Note: After you have used the dark theme for a while, you may notice that the labels on the tabs are no longer legible. If so, exit the Console and log back in.

Resize the Console:
- To expand to the whole screen, click the Maximize icon at the top-right corner of the window.
- To collapse the Console, click the Minimize button or drag the corners of the Console to resize it.
- To resize any panels, drag and drop any panel dividers.

Show or hide menu bars and tools: Right-click the Menu bar area of the Console and use the context menu to enable (check) or disable (clear) each component.

Show or hide the status bar: Click the Status Bar button on the toolbar, or on the Window menu, choose Status Bar.

Show or hide the Navigator panel: Click the Navigator button on the toolbar, or on the Window menu, choose Navigator Panel.

Show or hide the Viewer panel: Click the Viewer button on the toolbar, or on the Window menu, choose Viewer Panel.

Show or hide the Inspect/Edit panel: Click the Inspector button on the toolbar, or on the Window menu, choose Inspect/Edit Panel.

Float a Console panel: Click the Float/Dock button on the panel header, or right-click the panel header and choose Float Panel. You can apply translucency once a panel is floated.

Apply translucency to a floating Console panel: Float the panel first before applying translucency. Move the Translucency slider on the panel header.

Dock a Console panel: Click the Float/Dock button on the panel header, or right-click the panel header and choose Dock Panel.

Close a Console panel: Click the Close button on the panel header, or right-click the panel header and choose Close Panel.

Changing User Preferences
You can change several Console characteristics to suit your security needs, working style, or personal
preferences. You reach the Preferences dialog box through the Edit>Preferences menu command.

Changing Your Password
Administrators create users and assign passwords. After logging in with your administrator-created
password, you must change it for security reasons.
Note: You can change your password only if your ArcSight installation is configured to use built-in
password authentication. Contact your system administrator for instructions on how to change
passwords on ArcSight systems that use RADIUS SecurID or SSL authentication.
Where: Edit > Preferences > Password
1. Enter your old password, new password, and confirm the new password.
2. Click OK.
By default, passwords require a minimum of 6 characters, can contain a maximum of 20 characters, and
can contain numbers and/or letters. Ask your system administrator about any special requirements for
your site. For information on password restrictions, see the "Managing Password Configuration" topic
and its subtopics in the Administrator's Guide.


Note: If you are an administrator, you can change other ESM users' passwords. See "Resetting User
Passwords" on page 99.

Setting Default Editors and Viewers
You can set the default editors and viewers to use for text, HTML, and packet payloads. For example,
use the HTML editor when editing the Knowledge Base and the Web browser for reports.
Where: Edit > Preferences > Programs
Program Preferences

Preferred Text/HTML Editor: Enter the complete path to your preferred text or HTML editor, or click the Browse button to locate the editor.

Preferred Web Browser: Enter the complete path to the preferred Web browser or click Browse to locate the executable. Use your preferred Web browser to display HTML files such as custom view dashboards, reports, knowledge base articles, and so on. For an updated list of supported products, refer to the ArcSight ESM Support Matrix in Protect 724. This matrix includes the supported Web browsers for all currently-supported ESM versions.

Preferred Payload Viewer: Enter the complete path to your preferred packet-payload viewer or click the Browse button to locate one.

Text to PCAP Converter: Enter the complete path to your preferred packet-payload PCAP converter or click the Browse button to locate one.

Changing Global Options
You can make the Inspect/Edit panel open as a docked window inside, or as a floating window outside,
the Console. You can do the same with all child windows as a class.
Where: Edit > Preferences > Global Options

Refer to the following table for available settings:
Global Options for Console

Font: Set global preference for font face, size, and style used throughout the Console, except on windows or views where you can set fonts specific to those Console elements. (For example, you can set fonts specific to Grid views as detailed in the next topic.) Click into the Font field to get the drop-down menu arrow. Click the arrow to bring up the Fonts dialog. Set the Font, Size and Style.

Launch editors in a floating window: Open all editors in a floating window. If deselected, all editors appear in the Inspect/Edit panel. If you select this option, you can still float or dock the windows.

Allow multiple editors of the same type: Permit more than one resource editor to be opened simultaneously for a given resource type (for example, opening three instances of the Filter Editor at once). Enabling this option is very useful for analysts and persons implementing security solutions, but may be inappropriate for operators or other persons who should have less-extensive editing access.

Allow multiple event inspectors: Display details of multiple events in their respective Event Inspector tabs on the Inspect/Edit panel. If deselected (the default), you can view event details for only one event at a time. For more information about the Event Inspector, see "Inspecting and Editing" on page 63 and "Event Inspector" on page 936.

Allow Bulk Delete: Delete multiple resources without any dependency warnings. If deselected, you can still delete multiple resources but you see a warning if there are any resource dependencies.

Create independent floating windows: Independently float new windows that are children of another window such as the Viewer panel. This is the default. When enabled, you can choose a window's name from the list at the Window > Floating command, or toolbar button, to bring it forward.

Auto Relogin: Automatically log in again after logging out of the Console.

Use system defaults for dashboard background: When this option is selected, your system defaults are used for all Dashboard backgrounds. You can customize views for dashboards for display on the Web browser. See "Using Custom View Dashboards" on page 248.

Show print preview dialog: Display a preview of the printable page when you choose to print a resource definition, for example, a rule definition. This preference is selected by default. Print preview options include Print, view each printable page (as applicable), and zoom in or out of the previewed page. For more information about printing, see "Printing from the Console" on page 88.

Set Help dialog size (Width,Height): The Help display window defaults to a width of 910 by a height of 650 pixels. You can specify a different default Help window display size here. To do this, enter a new window size (for example: 750,900), then press the Enter key.
Note: Press Enter after setting the new display size, and then also click Apply or OK to save all preference settings. If you do not press Enter, the new window size setting cannot be saved even if you click Apply or OK.

Note: For descriptions of settings in the Dialog Options section, see "Setting Dialog Options" below.

Setting Dialog Options
Purpose: Part of Global Options, Dialog Options is where you define the behavior of dialog boxes for
system messages. System messages are classified into error and informational or warning messages.
Where: Edit > Preferences > Global Options


Tip: If necessary, expand the Preferences window to expose the subtabs under Dialog Options.
Refer to the following table for available settings. The information in the table applies to both error and informational or warning messages.

Dialog Options for Console

Show message in popup dialog: Display the message in a popup with an option to save the message to the clipboard. Selected by default. Clear the checkbox if you do not want system messages in a popup.
Note: ESM also maintains system logs containing some audit information and details of any issues that occur. Refer to the ArcSight Command Center User Guide's Administration and Configuration section and read the topic "Log Retrieval."

Dialog Type:
- Classic: Display the dialog in the front center of the ArcSight Console. The dialog remains in this position until you click OK to dismiss it.
- Animated: Animation defines the display duration, the dialog's direction of movement when it appears, and its direction of movement after the dialog times out.
  - Location: Position the dialog at one of the nine available locations on the screen and keep it displayed for the duration specified in Dialog Timeout.
  - Dialog Timeout: Display the message for this number of milliseconds. The default is 3,000.
  - For Entrance Animation:
    - Effect: For Fly, the dialog moves in from Direction and stops at Location. For Zoom, the dialog starts at a small size and resizes to its optimal size when it reaches Location. For Fade, the dialog gradually appears at Location (Direction is ignored).
    - Direction: Move the dialog from one of eight origination points on the edge of the screen to Location. Direction works only with the Fly and Zoom effects. Direction for Entrance Animation can differ from Exit Animation's.
  - For Exit Animation:
    - Effect: For Fly, the dialog moves from Location toward Direction. For Zoom, the dialog shrinks as it reaches the destination. For Fade, the dialog gradually disappears at the same location when Dialog Timeout is reached (Direction is ignored).
    - Direction: When Dialog Timeout is reached and Effect is not Fade, move the dialog from Location to one of eight points on the edge of the screen. Direction works only with the Fly and Zoom effects. Exit Animation and Entrance Animation can have different settings for Direction.

Setting Grid Options for the Viewer Panel
These options are for data displayed on the viewer panel's grid.
Where: Edit > Preferences > Grid View Options

Refer to the following table for available settings:

Grid View Options for Console

Font: Set the global preference for font face, size, and style used in Grid views. Click into the Font field to get the drop-down menu arrow, then click the arrow to bring up the Fonts dialog. Set the Font, Size and Style.

Color text by priority in grid: Apply distinguishing colors to the event rows in Viewer panel grid displays, based on their threat priority levels. Note that this option can be overridden by the Color text by filter in grid option if conflicts occur. When neither coloring option is selected, the text in grid rows defaults to black.

Color text by filter in grid: Apply distinguishing colors to the event rows in Viewer panel grid displays, based on the filters that selected them. You set these colors through the Configure button, described below. Note that this option, when selected, overrides the Color text by priority in grid option if conflicts occur. When neither coloring option is selected, the text in grid rows defaults to black.

Pause the current channel on event selection: By default, selecting an event pauses the event flow to avoid scrolling. Clear this checkbox to allow the flow to continue regardless of a selection.

Do not prompt on verifying rule channel's timestamp change: Toggles on or off the prompt the system generates when the timestamp changes on an active channel populated by correlation events.

Do not prompt on channel restart: Toggles on or off the prompt the system generates when an active channel is restarted.

Check available database partitions on Active Channel start: This option applies to Oracle-based ESM and does not apply to ESM with CORR-Engine. If selected, this option causes the ArcSight Manager to recheck the status of available Oracle database partitions before starting an active channel. This has a performance cost and is used only for certain historical analysis purposes.

Print Column Flip Limit: Determines the print format for Grid Views (channels, lists, and so forth). Grid views with the same number of columns as, or fewer columns than, the Column Flip Limit print as a table, the same as shown in the Console grid view. Grid views with more columns than the Column Flip Limit print details per row rather than as a table. The default Column Flip Limit is 10 columns (tables with more than 10 columns print details per row). See also "Printing from the Console" on page 88.

Filter Coloring Preferences: Click Configure to assign identifying colors to as many as five filters in the Configure Filter Colors dialog box.

Note: For instructions on customizing the grid's right-click option, InActiveList, see "Customizing
the Default Selections for Active Lists" below.

Customizing the Default Selections for Active Lists
If you are viewing events on an active channel, you have the ability to add selected events to existing
active lists. By default, the Console's viewer panel enables you to browse to the resource locator so you
can locate then select the desired list. These lists might be assigned to different list groups and might
also be nested in a hierarchy.
If adding events from the event grid to existing lists is a frequent task for you, you can configure the
grid's right-click option to display your top three frequently-used lists so that these lists are immediately
available for selection.
Where: Edit > Preferences > Grid View Options
1. On the Grid View ActiveList Options area, click Configure. The ActiveLists resource selector is
displayed.
2. Expand a group to locate your first preferred active list.
a. Select an active list and click Add.
b. Repeat to add up to a total of three lists.
c. Change a list's position by clicking the up or down arrow.
d. Remove lists from the selection as required.

Following is an example configuration for a selection of preferred active lists:

Following is the resulting default list selections when you open an event channel, right-click an event,
and select Active List > Add To:

Note: This feature does not apply to the Remove From option from the grid view. If you are using
the Remove From option, the Console displays an Active List selector dialog. You then navigate
through the resource tree for active lists to select the list.

Setting Date and Time Formats
Purpose: Use the Date/Time option to choose a formatting style for the date and time strings displayed
throughout the Console. You can also customize the details of any style you pick.
Where: Edit > Preferences > Date & Time
1. Click the Formats buttons and choose a date/time style from the lists for Date & Time Format
and Short Date & Time Format options.
2. Select Express all times as GMT to universally show time values in GMT rather than local times.
3. Click Apply to put your changes into effect and leave the Preferences dialog box open, or OK to
save your changes and close the dialog box.
If you want, you can customize the selected format string. Edit the Format string using the Java-style
date options described in the Format Help window.
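Because the Format string uses Java-style pattern letters, the quickest way to check what a candidate pattern will display, and what the Express all times as GMT option changes, is to render one known instant with it. The following Java program is an added example written for this guide, not code from the ArcSight Console. It assumes the pattern letters are those of java.text.SimpleDateFormat (the Console's Format Help window is authoritative); the sample instant, the two patterns, and the America/Los_Angeles zone standing in for an analyst's local zone are constructed for illustration.

```java
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.TimeZone;

public class ConsoleTimeFormat {
    // Constructed sample instant: 2018-04-20 14:05:09.250 UTC, as epoch milliseconds.
    static final long SAMPLE_MILLIS = 1524233109250L;

    // Hypothetical Console format strings, assumed to use java.text.SimpleDateFormat syntax.
    static final String DATE_TIME_FORMAT = "yyyy-MM-dd HH:mm:ss.SSS zzz";
    static final String SHORT_DATE_TIME_FORMAT = "MMM d HH:mm:ss";
    // 12-hour clock with no AM/PM letter: a pattern that looks fine but is ambiguous.
    static final String AMBIGUOUS_FORMAT = "yyyy-MM-dd hh:mm:ss";

    // Render one instant with a pattern in the given time zone.
    static String render(String pattern, long epochMillis, TimeZone zone) {
        SimpleDateFormat fmt = new SimpleDateFormat(pattern);
        fmt.setTimeZone(zone);
        return fmt.format(new Date(epochMillis));
    }

    public static void main(String[] args) {
        TimeZone gmt = TimeZone.getTimeZone("GMT");
        // Stand-in for the workstation's local zone (assumption for the example).
        TimeZone local = TimeZone.getTimeZone("America/Los_Angeles");

        System.out.println("Express all times as GMT selected:");
        System.out.println("  " + render(DATE_TIME_FORMAT, SAMPLE_MILLIS, gmt));
        System.out.println("  " + render(SHORT_DATE_TIME_FORMAT, SAMPLE_MILLIS, gmt));

        System.out.println("Express all times as GMT cleared (local zone):");
        System.out.println("  " + render(DATE_TIME_FORMAT, SAMPLE_MILLIS, local));
        System.out.println("  " + render(SHORT_DATE_TIME_FORMAT, SAMPLE_MILLIS, local));

        // Pattern-letter case matters: hh is a 12-hour clock, so without an "a" (AM/PM)
        // letter an event at 02:05:09 and one at 14:05:09 render identically.
        long twelveHoursEarlier = SAMPLE_MILLIS - 12L * 3600_000L;
        System.out.println("Ambiguous pattern: " + render(AMBIGUOUS_FORMAT, SAMPLE_MILLIS, gmt)
                + " vs " + render(AMBIGUOUS_FORMAT, twelveHoursEarlier, gmt));
    }
}
```

Rendered in GMT the sample instant reads 14:05:09; in the Los Angeles zone the same instant reads 07:05:09 PDT. A team whose analysts sit in different zones, or who compare Console timestamps with external evidence such as packet captures, should keep Express all times as GMT selected so that every screen shows the same value for the same event. The last line shows a trap in the pattern syntax: a custom Format string containing hh but no a letter loses the distinction between morning and afternoon; use HH for a 24-hour clock.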


Setting Latitude and Longitude Options
Purpose: To define formats for latitude and longitude expressions in the Asset > Locations resource.
Where: Edit > Preferences > Latitude & Longitude
Choose from one of the available formats to express longitude and latitude.
Following is an example configuration for latitude and longitude format preferences:

The options for latitude and longitude format vary from more exact to less so. Latitude and longitude
can be shown in degrees, minutes, and seconds; degrees and minutes; or decimal degrees only.
Additionally, an indicator of compass direction for the specified location can be shown or hidden in the
editor.
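How much precision a displayed coordinate keeps depends on the format you pick. The following Java program is an added example for this guide, not ArcSight code: it renders one constructed location in each of the three precisions, with and without the compass indicator. The exact separators the Location Editor prints are an assumption; what the example shows is the precision lost at each step and the carry that has to happen when rounded seconds or minutes reach 60.

```java
import java.util.Locale;

public class CoordinateFormat {
    // The three precisions the Latitude & Longitude preference offers.
    enum Style { DEGREES_MINUTES_SECONDS, DEGREES_MINUTES, DECIMAL_DEGREES }

    // Format one coordinate given in decimal degrees (negative = south or west).
    // isLatitude selects N/S rather than E/W for the optional compass indicator.
    static String format(double decimalDegrees, boolean isLatitude, Style style, boolean showCompass) {
        boolean negative = decimalDegrees < 0;
        double abs = Math.abs(decimalDegrees);
        String compass = isLatitude ? (negative ? "S" : "N") : (negative ? "W" : "E");
        String body;
        switch (style) {
            case DECIMAL_DEGREES:
                body = String.format(Locale.ROOT, "%.6f\u00B0", abs);
                break;
            case DEGREES_MINUTES: {
                // Work in thousandths of a minute so that 59.9996' carries into the
                // next degree instead of printing as 60.000'.
                long milliMinutes = Math.round(abs * 60.0 * 1000.0);
                long deg = milliMinutes / 60000;
                long rem = milliMinutes % 60000;
                body = String.format(Locale.ROOT, "%d\u00B0 %d.%03d'", deg, rem / 1000, rem % 1000);
                break;
            }
            default: {
                // Whole seconds; the same integer arithmetic avoids printing 60".
                long totalSeconds = Math.round(abs * 3600.0);
                long deg = totalSeconds / 3600;
                long min = (totalSeconds % 3600) / 60;
                long sec = totalSeconds % 60;
                body = String.format(Locale.ROOT, "%d\u00B0 %d' %d\"", deg, min, sec);
            }
        }
        // With the compass indicator hidden, the sign is the only hint of hemisphere.
        return showCompass ? body + " " + compass : (negative ? "-" : "") + body;
    }

    public static void main(String[] args) {
        // Constructed sample location (roughly Sydney, Australia: south and east).
        double lat = -33.8688, lon = 151.2093;
        for (Style style : Style.values()) {
            for (boolean compass : new boolean[] {true, false}) {
                System.out.printf(Locale.ROOT, "%-24s compass=%-5s  %s, %s%n", style, compass,
                        format(lat, true, style, compass), format(lon, false, style, compass));
            }
        }
        // Edge case: 10.99999 degrees rounds to 11 degrees 0' 0", not 10 degrees 59' 60".
        System.out.println(format(10.99999, true, Style.DEGREES_MINUTES_SECONDS, true));
    }
}
```

Whole seconds resolve to roughly 30 metres, so the degrees-minutes-seconds style is exact enough to place an asset on a site but not within a building; if you record more precise coordinates than the chosen style can show, the Location Editor display, not the stored value, is what loses the detail.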

To view the effects of your preference settings:
1. Choose Assets in the Navigator, then click Locations.
2. Create a new location or edit an existing one to open the Location Editor. (See "Managing
Locations" on page 163.)
Following is an example of how the Location Editor displays the preferred formats for Latitude and
Longitude attributes:


Configuring Event Graphs
Purpose: You can modify the way graphs plot events, choosing to keep the source-event-target visual
relationships compact; or to emphasize unique sources, targets; or both, in order to clarify the nature of
attacks or situations.
Where: Edit > Preferences > Event Graph
Click the Value fields of the graph attributes to choose appropriate options:

- Show Event Nodes: Choose a basis for visually expanding or aggregating event nodes, relative to their source and target node instances.
  - Once per common event: Graph only one instance of a given event node, regardless of the number of unique sources and targets that have it in common. For example, if sources 1 and 2 are directing the same event at targets 1, 2, and 3, there may be visual instances for each source and target, but only one of the event node.
  - Once per unique source: Graph one instance of a given event node per unique source, regardless of the commonality of associated targets. For example, if sources 1 and 2 are directing the same event at targets 1, 2, and 3, there are two visual instances of the event in support of the two distinct sources.
  - Once per unique target: Graph one instance of a given event node per unique target, regardless of the commonality of associated sources. For example, if sources 1 and 2 are directing the same event at targets 1, 2, and 3, there are three visual instances of the event in support of the three distinct targets.
  - Once per unique source or target: Graph one instance of a given event node per unique source-target pair, regardless of the commonality of the events involved. For example, if sources 1 and 2 are directing a given event at targets 1, 2, and 3; and as a chain, targets 1, 2, and 3 are sourcing the same events on to targets 4, 5, and 6; then there are six visual instances of the event in support of six distinct targets.

- Show Source/Target IP Addresses as: In cases where one source-event-target chains to another, you can choose to graph a source/target IP address as a single node, or to graph both the source and target instances of such an IP address.
  - Distinct nodes: Visually plot both the source and target instances of a chained IP address.
  - Simple nodes: Visually plot a single node for an IP address that represents both source and target.

- Source Node Identifier: Choose a different event attribute to use as the identifier for source nodes. The default attribute is Source Address. Note that while all attributes are available, not all are appropriate choices for this purpose.

- Event Node Identifier: Choose a different event attribute to use as the identifier for event nodes. The default attribute is ArcSight Category. Note that while all attributes are available, not all are appropriate choices for this purpose.

- Target Node Identifier: Choose a different event attribute to use as the identifier for target nodes. The default attribute is Target Address. Note that while all attributes are available, not all are appropriate choices for this purpose.

- Graph Layout: Set the layout for all event graphs.
  Note: You can override this default layout setting when you are actually viewing an event graph. For more details, refer to the topic "Event Graphs as an Investigation and Analysis Tool" in ESM 101.
  - Hierarchical Layout: Display the event graph in tree-like nodes to show a related, sequential flow.
  - Organic Layout: The default layout.
  - Circular Layout: Display the source node as the center, with the destination nodes arranged in a circle around the source.
  - Orthogonal Layout: Display the edges of the graph running horizontally or vertically, parallel to the layout's X and Y axes.

- Default Field Set: Choose from the ArcSight-provided field sets to supply the data points in the graph. The default field set is /All Field Sets/ArcSight System/Event Field Sets/Active Channels/Standard.
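The four Show Event Nodes choices are aggregation keys: the graph collapses events that share the key into one event node, and Show Source/Target IP Addresses as decides whether an address that is both a target and a source becomes one node or two. The following Java program is an added example, not ArcSight code. It reproduces the table's scenario (sources 1 and 2 sending the same event to targets 1, 2, and 3, plus one chained hop) with constructed addresses and a hypothetical category value, and counts the event and address nodes each choice would produce. How the Console keys nodes internally is not documented here and is an assumption; the keys below follow the table's descriptions.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class EventGraphNodes {
    enum ShowEventNodes {
        ONCE_PER_COMMON_EVENT, ONCE_PER_UNIQUE_SOURCE,
        ONCE_PER_UNIQUE_TARGET, ONCE_PER_UNIQUE_SOURCE_OR_TARGET
    }

    // Constructed event carrying only the three default node identifiers:
    // Source Address, Target Address and ArcSight Category.
    static final class Event {
        final String source, target, category;
        Event(String source, String target, String category) {
            this.source = source; this.target = target; this.category = category;
        }
    }

    // Key under which two events collapse into a single event node (assumed keying).
    static String eventNodeKey(Event e, ShowEventNodes mode) {
        switch (mode) {
            case ONCE_PER_COMMON_EVENT:  return e.category;
            case ONCE_PER_UNIQUE_SOURCE: return e.category + "|src=" + e.source;
            case ONCE_PER_UNIQUE_TARGET: return e.category + "|dst=" + e.target;
            default:                     return e.category + "|src=" + e.source + "|dst=" + e.target;
        }
    }

    // Event nodes for a setting, with the number of raw events each node absorbs.
    static Map<String, Integer> eventNodes(List<Event> events, ShowEventNodes mode) {
        Map<String, Integer> nodes = new LinkedHashMap<>();
        for (Event e : events) {
            nodes.merge(eventNodeKey(e, mode), 1, Integer::sum);
        }
        return nodes;
    }

    // Address nodes: Distinct keeps a source instance and a target instance of an address,
    // Simple folds both roles into one node.
    static Set<String> addressNodes(List<Event> events, boolean distinct) {
        Set<String> nodes = new LinkedHashSet<>();
        for (Event e : events) {
            nodes.add(distinct ? "src:" + e.source : e.source);
            nodes.add(distinct ? "dst:" + e.target : e.target);
        }
        return nodes;
    }

    public static void main(String[] args) {
        // Constructed sample: two scanners hit three hosts with the same event, then one
        // of the scanned hosts (10.0.1.1) sends the same event on to a fourth host.
        String category = "/Recon/Scan/Port";   // hypothetical category value
        List<Event> events = new ArrayList<>();
        for (String src : new String[] {"10.0.0.1", "10.0.0.2"}) {
            for (String dst : new String[] {"10.0.1.1", "10.0.1.2", "10.0.1.3"}) {
                events.add(new Event(src, dst, category));
            }
        }
        events.add(new Event("10.0.1.1", "10.0.1.4", category));

        for (ShowEventNodes mode : ShowEventNodes.values()) {
            Map<String, Integer> nodes = eventNodes(events, mode);
            System.out.println(mode + ": " + nodes.size() + " event node(s) " + nodes);
        }
        System.out.println("Simple address nodes:   " + addressNodes(events, false));
        System.out.println("Distinct address nodes: " + addressNodes(events, true));
    }
}
```

Simple nodes fold the chained address 10.0.1.1 (a target of the first hop and the source of the second) into a single node, while Distinct nodes keep a source instance and a target instance of it. When you are tracing lateral movement, Distinct makes a pivot host stand out as both victim and attacker; Simple keeps the graph compact when you only want to see which hosts are involved.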

Setting Notification Popups
Purpose: You can manage received notifications from within the Console. In the Preferences dialog
box, you can set a severity threshold for notification popups and optionally play a sound when
notifications arrive.
Where: Edit > Preferences > Notifications
For Severity threshold for notification popup, increase or decrease the integer value to the priority
level at which you want to be alerted.
Select Play a sound when a notification message is received to also emit a sound when the alert
threshold is met. Browse to the file of your preferred audio alert.

Managing Hot Keys
The Console provides schemas for configuring keyboard shortcuts to common actions. These schemas
come with the Console:

- $default
- Schemas for users

Tip: Keep these reminders in mind:
- Schemas for users other than administrators are listed only for users who have set up custom shortcuts on this Console under their own logins.
- Custom shortcuts are available only locally. See "Sharing Custom Shortcut Schemas" on page 61 for more information.

Note: If this Console does not use UTF-8 encoding, refer to the "Installing ArcSight Console" section of the ESM Installation and Configuration Guide, and read the topic "Character Set Encoding" under "Installing the Console."

Schemas for users are all based on the $default schema. That is, user schemas inherit all $default schema shortcuts. The $default schema.
Where: Edit > Preferences > Manage Hot Keys
Under Available shortcut schemas, the schema in use shows "(active)" next to its name.
You can define a keyboard shortcut for each listed command. Each command can have a different (or the same) keyboard shortcut depending on which schema you have selected.
Keyboard shortcuts are pre-defined for common commands. For example, the pre-defined keyboard shortcut for the Select All command (edit.selectAll) is Ctrl+A.
You cannot edit commands shown in red on the Preferences dialog: for example, edit.delete, edit.redo, edit.cut, edit.copy, edit.paste, and so forth. The flyover tooltips on these commands also indicate that they are not editable.
There are many commands listed for which no shortcut is provided (for example, file.new.Report, file.new.Rule, navigator.reports, navigator.queryViewers, and so forth).

Adding Shortcuts for Frequently-Used Resources
This first task is not initiated from the Edit > Preferences dialog, but from various resource contexts in the Console. The results of setting up shortcut keys on selected resources are then shown in the Edit > Preferences > Manage Hot Keys dialog, as described here.
Where: Navigator > 
For example, choose Active Channels in the Navigator, and select an active channel such as /All Active Channels/ArcSight Administration/System Events Last Hour.

To add a shortcut to a resource:
1. Navigate to and select the resource for which you want to add a shortcut.
2. Right-click and choose Manage Hot Keys from the context menu to open the shortcut setup dialog for this resource.
3. Select the action you want to take with regard to the resource. Each resource has its own set of actions, such as Edit and Show.
4. In the Press new shortcut field:
   - Optionally, click the button to display a drop-down menu where you can set the type of shortcut to add (mouse, tab, and so forth) and set limits on keystrokes. For example, if you want to set the shortcut on this channel to Ctrl+C+H, change the keystroke limit from the default of 1 to 2 keystrokes.
   - Type the keyboard sequence you want to associate with the command.
     If the keyboard sequence you typed is not in use, a light gray no conflicts message is shown in the Shortcuts currently used by field. For example, if you selected navigator.rules, placed the cursor in the Press new shortcut field, and typed Ctrl+Alt+X, you would get the no conflicts message.
     If you type a sequence that is already used by another shortcut, you get a message in the Shortcuts currently used by field stating which resource is currently using the shortcut. For example, the default shortcut for navigator.rules is Ctrl+Alt+L. If you typed Ctrl+Alt+R in the Press new shortcut field, the message states that this sequence is already in use for navigator.reports.
     If you continue with the assignment, you get a prompt asking whether you want to remove the shortcut from the other resource and add it to this new one.

5. Click Assign to associate the shortcut with the resource.


6. Click OK to save your changes and close the dialog.
7. Confirm your setting in the Edit > Preferences > Manage Hot Keys dialog.
8. On the list of commands, locate the resource for which you created the shortcut. Resources are
shown by their URIs.
9. Select the URI to display the associated shortcut, as in the following example:


Modifying a Custom Shortcut
Shortcuts are associated with schemas based on the user.
Where: Edit > Preferences > Manage Hot Keys

To modify a custom shortcut:
1. On the Edit > Preferences > Manage Hot Keys dialog, select the shortcut schema (the associated user) in which you want to modify shortcuts for commands.
   In this example, the schema for the user called admin is selected. Note, however, that the schema selected for modifying a hot key need not be the "active" schema, as it happens to be in this example.
2. Select the command for which you want to modify the hot key.
   You can filter for commands containing a given string (for example, navigator to find all navigator commands).
3. In the Press new shortcut field:
   - Optionally, click the button to display a drop-down menu where you can set the type of shortcut to add (mouse, tab, and so on) and limits on keystrokes. The default keystroke limit is 1. If you set it to 2 or 3, you have more combinations of keystrokes available to use for custom settings.
   - Enter the keyboard sequence you want to associate with the command.
     If the keyboard sequence you entered is not in use, a light gray no conflicts message is shown in the Shortcuts currently used by field. For example, if you select navigator.rules, place the cursor in the Press new shortcut field, and press Ctrl+Alt+X, you get the no conflicts message.
     If you enter a sequence that is already used by another shortcut, you get a message in the Shortcuts currently used by field telling you which resource is currently using the shortcut. For example, the default shortcut for navigator.rules is Ctrl+Alt+L. If you enter Ctrl+Alt+R in the Press new shortcut field, you get a message noting that this sequence is already in use for navigator.reports.
     If you continue with the assignment, you see a prompt asking whether you want to remove the shortcut from the other resource and add it to this new one.
4. Click Assign to apply the new shortcut to the command.
   Tip: An asterisk is displayed next to commands whose pre-defined shortcuts have been modified or overwritten. These customized commands are also displayed in blue text, rather than the usual black.
5. Click Apply or OK.

To modify a custom shortcut directly from the resource:
You can modify a custom shortcut for a resource in either of these ways:
- Directly from the right-click Manage Hot Keys dialog on that resource
- From the Edit > Preferences > Manage Hot Keys dialog as described above
1. Navigate to and select the resource whose shortcut you want to modify.
2. With the appropriate resource selected, right-click and choose Manage Hot Keys from the context menu to bring up the shortcut setup dialog for this resource.
3. Select the action (for example, Show or Edit) associated with the shortcut.
   The shortcut is shown in the Press new shortcut field.
4. Modify it as needed. See the previous procedure.
5. Click OK to save your changes and close the dialog.

Removing a Custom Shortcut
Where: Edit > Preferences > Manage Hot Keys

To remove a custom shortcut (key sequence) for any command:
1. Select the schema in which you want to modify the command.
2. Select the command whose hot key you want to remove.
3. Select one of the customized commands (customized commands are shown in blue text with an asterisk).
   The current key sequence associated with this command is shown in the Shortcuts for selected command field.
4. Click the Remove button next to the Shortcuts for selected command field.
   The custom shortcut (key sequence) is removed and replaced by the default key sequence (if there was one).
   Caution: As soon as you remove the shortcut by clicking Remove, the change is saved. Even if you click Cancel to close the Preferences dialog at this point, the removed shortcut is not restored.
   For example, if navigator.rules was modified to be associated with Ctrl+Alt+X, then after you remove this shortcut, navigator.rules is again associated with its default shortcut of Ctrl+Alt+L.
Tip: You can remove only custom shortcuts, not default shortcuts.

To remove a custom shortcut directly from the resource:
You can remove a custom shortcut for a resource in either of these ways:
- Directly from the right-click Manage Hot Keys dialog on that resource
- From the Edit > Preferences > Manage Hot Keys dialog as described above
1. Navigate to and select the resource from which you want to remove the shortcut.
2. With the appropriate resource selected, right-click and choose Manage Hot Keys from the context menu to bring up the shortcut setup dialog for this resource.
3. Select the action (for example, Show or Edit) associated with the shortcut.
   The shortcut, if any, is shown in the Press new shortcut field.
4. Click Remove.
5. Click OK or Cancel to close the dialog.
Caution: As soon as you remove the shortcut by clicking Remove, the change is saved. Even if you click Cancel to close the dialog at this point, the removed shortcut is not restored.

Activating a New Shortcut Schema
For more information on schemas, see the introduction to the shortcut key management at "Managing
Hot Keys" on page 53.
Where: Edit > Preferences > Manage Hot Keys

To activate a new schema:
1. Select the schema you want to activate.
2. Click Set Active.
Tip: To get an enabled Set Active button, select a schema that is not currently applied. If you
select a schema that is already active, the Set Active button is disabled.
3. Click Apply to apply the new schema, or click OK to apply the new schema and close the
Preferences dialog.


Sharing Custom Shortcut Schemas
Shortcut schemas are available only to the local Console. That is, if schemas for several different users
are configured on a Console running on a particular machine, those shortcut setups (schemas) are not
available for the same Console user logins on other machines.
This means that if you want the same shortcuts to exist in other Console installations, you must
manually set these up in those installations.

Viewing
This section provides information on using the Console Viewer Panel and choosing look-and-feel
options (skins) for the Console.

The Viewer Panel
You see the results of security-event analyses in the Viewer panel, which can display several different
types of views. (See also "Using Views" on page 220.)
Although there are some views that display information about resources, most views are active
channels, which are continuously evaluated collections of security-event data. (See also "Monitoring
Active Channels" on page 213.)
Tip: Here are some Viewer Panel features you can use.
- To show a resource (like a particular dashboard or active channel) in the viewer, right-click it in the Navigator tree and select Show.
- To close individual views quickly, Shift+click their name tabs. (You can also right-click a view's name tab and select Close from the popup menu.)
- To float the Viewer panel, click the Float icon at the top left of the Viewer.

The Viewer tabs in the Viewer panel have a live link at the top. You can click these links to open the contents in an external, fully functional browser window.
For security reasons, HTML that might include JavaScript, plug-ins, or other embedded objects is rendered in the default browser you specify through the Preferences dialog box rather than inside the Console. The default browser is also used to open PDF document files.


If your Console is not already displaying a default set of pre-defined views, or if you want to change the views displayed, you can use these options:
- Choose Window > Viewer Panel to open the panel if it isn't open.
- Choose the Active Channels, Dashboards, or Pattern Discovery resource trees in the Navigator panel to find analysis tools or results to view.
- Right-click a resource in a tree and choose Show to open it in the Viewer panel.
- When multiple tabbed views are open in the panel, click the tabs at the top of the panel to choose the active channel you want to see, and the tabs at the bottom of the panel to choose which view of that active channel should be foremost.

To close an individual view, Shift+click its name tab. (You can also right-click a view name tab and choose Close from the popup menu.)
Using active channels and the many types of views they offer is fully covered in the topics under these headings:
- "Monitoring Events" on page 213
- "Selecting and Investigating Events in Active Channels" on page 277
- "Using Dashboards" on page 239

Console Look-and-Feel
If you start the Console from the command line with the arcsight console command (in ARCSIGHT_
HOME/current/bin), use the -laf