ArcSight Console User's Guide (HPE Security ArcSight ESM 7.0)
Page Count: 1037
HPE Security ArcSight ESM
Software Version: 7.0

ArcSight Console User's Guide
April 20, 2018

Legal Notices

Warranty
The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

The network information used in the examples in this document (including IP addresses and hostnames) is for illustration purposes only.

HPE Security ArcSight products are highly flexible and function as you configure them. The accessibility, integrity, and confidentiality of your data is your responsibility. Implement a comprehensive security strategy and follow good security practices.

This document is confidential.

Restricted Rights Legend
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
Copyright Notice
© Copyright 2018 Hewlett Packard Enterprise Development, LP

Follow this link to see a complete statement of copyrights and acknowledgements: https://community.softwaregrp.com/t5/Discussions/Third-Party-Copyright-Notices-and-License-Terms/td-p/1589228

Support Contact Information
Phone: A list of phone numbers is available on the Technical Support Page: https://softwaresupport.softwaregrp.com/support-contact-information
Support Web Site: https://softwaresupport.softwaregrp.com/
ArcSight Product Documentation: https://community.softwaregrp.com/t5/ArcSight-Product-Documentation/ctp/productdocs

HPE ESM 7.0 Page 2 of 1037

Contents

Chapter 1: Getting Started 36
  Starting the ArcSight Console 36
  Quick Start Tools and Standard Content 37
  Use Cases 37

Chapter 2: Working in the Console 38
  Navigating
  Navigator Panel
  Resource Tree
  Batch Editing
  Batch-Editing Cases or Connectors
  Locking Case Groups
  SmartConnector Reminders
  Reconnecting to the Manager
  Changing the Console Display 42
  Changing User Preferences 43
  Changing Your Password 43
  Setting Default Editors and Viewers 44
  Changing Global Options 44
  Setting Dialog Options 46
  Setting Grid Options for the Viewer Panel 47
  Customizing the Default Selections for Active Lists 49
  Setting Date and Time Formats 50
  Setting Latitude and Longitude Options 51
  Configuring Event Graphs 52
  Setting Notification Popups 53
  Managing Hot Keys 53
  Adding Shortcuts for Frequently-Used Resources 54
  Modifying a Custom Shortcut 57
  Removing a Custom Shortcut 59
  Activating a New Shortcut Schema 60
  Sharing Custom Shortcut Schemas 61
  Viewing 61
  The Viewer Panel 61
  Console Look-and-Feel 63
  Inspecting and Editing 63
  Overview of Inspect/Edit Features and Utilities 64
  Searching for Fields in Event Inspector, Resource Editors, or CCE 65
  Getting More Help 66
  Controlling the Console 66
  Using the Network Tools 68
  Running a Tools Command 69
  Adding or Editing a Tool 70
  Staying Informed 72
  Acknowledging Notifications 72
  Checking the Status of the Distributed Correlation Cluster 73
  Defining Message Lag Thresholds 73
  Using Notes 74
  License Tracking 75
  License Tracking Notifications 75
  Standard Reports for License Status Tracking 76
  Using the File Menu 76
  Using the Edit Menu 77
  Using the View Menu 77
  Using the Window Menu 78
  Using the Tools Menu 79
  Using the System Menu 80
  Using the Help Menu 80
  Using Right-Click Context Menus 80
  Using the Advanced Selector While Editing Resources 83
  Keyboard Shortcuts (Hot Keys) 84
  Creating Shortcuts for Resources 86
  Showing Recently Viewed Resources 86
  Adding Resources to the Favorites List 87
  Printing from the Console 88
  Printing Navigation Tree Views of Resources 88
  Printing Resource Definitions 88
  Printing Grid Views 89
  Printing Conditions Tree Summary 90
  Using Column Flip Limit to Format Grid View Printouts 90
  Saving and Sending Settings 92
  Error and Warning Messages 93

Chapter 3: Managing Users and Groups 94
  Managing User Groups 94
  Managing Users 96
  Creating or Editing a User 97
  Resetting User Passwords 99
  Moving or Linking a User 99
  Deactivating and Reactivating a User 100
  Deleting a User 101

Chapter 4: Managing Permissions 102
  Editing Access Control Lists (ACLs) 102
  Granting or Removing Resource Permissions 103
  Granting or Removing Operations Permissions 104
  Granting or Removing User Group Permissions 105
  Adding or Removing Enforced Filters 107
  Permissions for Sortable Field Sets 110
  Sharing Resources 110
  Controlling Who Has Permissions to Deploy Data Monitors 111
  How Upgrades Affect Data Monitor Deploy Permissions 112
  Deployment Permissions on Imported Data Monitors 112

Chapter 5: Modeling the Network 114
  The Network Model 114
  Assets 115
  Automatically-Created Assets 115
  Asset Aging and Model Confidence 117
  Asset Ranges 118
  Zones 118
  Dynamic and Static Zones 119
  Networks 120
  Asset Model 121
  Locations 121
  Vulnerabilities 121
  Asset Categories 121
  Asset Categories Assigned to Assets, Asset Ranges, and Asset Groups 122
  Asset Categories Assigned to Zones 122
  Populating the Network Model with Assets 122
  ArcSight Console-Based Methods 123
  Manually, Using Network Modeling Resources 123
  In a Batch Using the Network Modeling Wizard 124
  SmartConnector Using the Asset Model Import FlexConnector 124
  Automatically From a Vulnerability Scanner Report 125
  ArcSight-Assisted Methods 125
  As an Archive File 125
  From an Existing Configuration Database 126
  Populating the Network Model Using the Wizard 126
  Specifying CSV Column Types 127
  Specify the Column Type Using a Header 127
  Specifying Multiple Categories in one Category Column 128
  Assign the Column Type in the Wizard 128
  Zones CSV File Format 129
  An Example of a Zones CSV File 131
  Zones CSV File Format 131
  An Example of a Zones CSV File 133
  Assets CSV File Format 133
  An Example of an Assets CSV File 135
  Static Addressing in a Dynamic Zone 135
  Asset Ranges CSV File Format 136
  An Example of an Asset Ranges CSV File 137
  Increasing the Number of Displayed Rows 137
  Summary of Data to Import 138
  Network Data Imported into ArcSight Manager 138
  Working with Assets, Locations, Zones, Networks, Vulnerabilities, and Categories 138
  Managing Assets 139
  Asset Auto-Creation 141
  Creating Assets from a Vulnerability Scan Report 142
  Creating Assets from a Vulnerability Scan Report for Static Zones 142
  Creating Assets from a Vulnerability Scan Report for Dynamic Zones 142
  Creating Assets for SmartConnectors 143
  Creating Assets for SmartConnectors in Static Zones 143
  Creating Assets for SmartConnectors in Dynamic Zones 144
  Creating Assets for Network Devices 145
  Creating Assets for Network Devices in Static Zones 146
  Creating Assets for Network Devices in Dynamic Zones 146
  Asset Auto-Creation from Scanners in Dynamic Zones 147
  Create Asset with IP Address or Host Name 147
  Preserve Previous Assets 148
  Asset Names 150
  Changing the Default Naming Scheme 151
  Selecting Assets in the Common Conditions Editor 151
  Auto-Zoning an Asset 152
  Auto-Zoning Imported Assets 153
  Managing Asset Groups 154
  Managing Vulnerabilities 155
  Selecting Vulnerabilities in the Common Conditions Editor 156
  Working with Vulnerable Assets 157
  Managing Vulnerability Groups 158
  Showing Affected Assets 159
  Reporting on Output from Vulnerability Scanners 160
  Reporting on Asset Vulnerabilities 160
  Managing Zones 160
  Managing Networks 162
  Managing Asset Categories 162
  Managing Locations 163
  Managing Customers 164

Chapter 6: Managing SmartConnectors 166
  Selecting and Setting SmartConnector Parameters 166
  Configuring the SmartConnector 166
  Connector Editor Tabs 167
  Connector Tab Configuration Fields 168
  Default Content Tab Configuration Fields 169
  SmartConnector Processing Categories 181
  SmartConnector Time Interval Options 182
  Managing SmartConnector Filter Conditions 183
  Adding SmartConnector Filter Conditions 183
  Deleting SmartConnector Filter Conditions 184
  Setting Special Severity Levels 184
  Sending Model Mappings to SmartConnectors 186
  Sending Control Commands to SmartConnectors 186
  Getting Connector Status 187
  Sending Standard Flow-Control Commands 187
  Tech Support Commands 189
  Mapping Commands for Additional Data Fields 191
  Managing SmartConnector Groups 194
  Importing and Exporting SmartConnector Configurations 196
  Importing a SmartConnector Configuration 196
  Exporting a SmartConnector Configuration 196
  SmartConnector Filters 197
  Using Additional Data Fields 197
  Upgrading SmartConnectors 200
  Overview of the Upgrade Process 201
  SmartConnector Upgrade Procedure 202
  Rolling back to a Previous Version 203
  Troubleshooting 203
  Getting Status and Versions on Installed SmartConnectors 203
  Consuming Events from Event Broker 204

Chapter 7: Managing Notifications 206
  Managing Received Notifications 206
  Managing Notification Groups 207
  Managing Notification Destinations 209
  Changing Notification and Acknowledgment Settings 210
  Testing Notification Groups and Destinations 212
  Managing Escalation Levels 212

Chapter 8: Monitoring Events 213
  Monitoring Active Channels 213
  Creating or Editing an Active Channel 213
  Viewing Active Channels 217
  Monitoring Events in the Active Channel 218
  Full Search and Event Search on ArcSight Command Center 218
  Using Views 220
  Investigating Views 221
  Viewing an Exploited Vulnerability 222
  Viewing a Targeted Asset 222
  Filtering an Active Channel 222
  Filtering Active Channels with Inline Filters 222
  Applying a Field Set to an Active Channel 224
  Using an Active Channel Header 225
  Sorting Events in the Active Channel 227
  Adding, Replacing, or Removing a Column 228
  Sizing, Showing, or Hiding Column Elements 229
  Using Active Channel Menu Commands 230
  Exporting Events to a File 231
  Defining Grid Fields Options 233
  Saving Copies of Active Channels and Filters 234
  Best Practices to Optimize Channel Performance 234
  Active Channels or Reports? 234
  Active Channels or Query Viewers? 234
  Active Channel Query Time Ranges 235
  Active Channel Filters 235
  Filtering on Indexed Fields 235
  Filtering on Join Fields 235
  Continuously Updating Time Parameters 235
  Sorting by End Time or Manager Receipt Time 235
  Sorting in Active Channels 236
  Use of the “Live” Channel from Standard Content 236
  Case Sensitive or Case-Insensitive Conditions? 237
  I/O Subsystem Performance 237
  Diagnostics: Start with Basic Channel Characteristics 237
  Customizing Columns 237
  Creating a Custom Column 238
  Showing a Custom Column 239
  Advanced Example: Creating a Custom Column with Velocity Template 239
  Using Dashboards 239
  Monitoring Dashboards 240
  Creating or Editing a Dashboard 242
  Adding a Data Monitor to a Dashboard 244
  Adding a Query Viewer to a Dashboard 245
  Dashboard Display Formats 246
  Managing Dashboard Groups 247
  Using Custom View Dashboards 248
  Displaying Custom View Dashboards 248
  Reverting to the Regular Dashboard View 249
  Working with Custom View Dashboards 250
  Arranging Custom View Dashboards 250
  Loading a Background Image 251
  Selecting a Previously Uploaded Background Image 251
  Verifying the Background Image 252
  Removing a Background Image 252
  Custom View Dashboard Context Menu Options 252
  Using Data Monitors 253
  Creating a Data Monitor 253
  Editing a Data Monitor 256
  Deleting a Data Monitor 257
  Managing Drilldowns from Data Monitors 257
  Adding a Drilldown 257
  Editing a Drilldown 262
  Changing the Default Drilldown 262
  Sorting or Changing the Order of Drilldowns 263
  Removing a Drilldown 264
  Moving or Copying a Data Monitor 264
  Enabling or Disabling a Data Monitor 264
  Overriding a Data Monitor's Last State 266
  Managing Data Monitor Groups 266
  Optimizing the Evaluation of Event Filters for Data Monitors 268
  Requirement 268
  Automating the Optimization of Filter Conditions 269
  Tracing the Optimization 269
  Disabling the Optimization Feature 271
  Using Charts 271
  Charting an Active Channel's Contents 271
  Charting a Data Monitor's Contents 272
  Exploring the Events Behind a Chart 273
  Using Query Viewers 274
  Graphing Attacks 274
  Creating Static Event Graphs 274
  Creating Live Event Graphs 275
  Event Graph Notes 276

Chapter 9: Selecting and Investigating Events in Active Channels 277
  Selecting Events in the Active Channel 277
  Showing Event Details and Rule Chains 277
  Running ArcSight Investigate Searches 279
  Investigating Session Events 280
  Collaborating on Events (Event Annotation) 281
  Annotating an Event 282
  Mark Similar Events Fields 283
  Annotation Preservation 284
  Viewing Annotations for an Event 285
  Creating or Editing Stages 285
  Working with Event Payloads 286
  Exporting Data Fields to a CSV File 288
  Getting Knowledge Base Articles 289

Chapter 10: Filtering Events 290
  Creating or Editing a Filter 290
  Creating and Editing an Inline Filter 291
  Applying Filters 292
  Moving or Copying Filters 293
  Deleting Filters 294
  Debugging Filters to Match Events 294
  Importing and Exporting Filters 296
  Managing Filter Groups 296
  Investigating Views 297
  Using an Event Attribute to Show a New Filtered View 298
  Refining a Filter with an Event Attribute 298
  Filtering Out ArcSight Events 299
  Adding an Event Attribute to a Filtering Condition 299
  Modifying Views 300

Chapter 11: Queries 302
  How Queries Work 302
  Using Queries and Trends Together for Reports 302
  Using Queries in Query Viewers 303
  Building a Query 303
  Query Settings 304
  General Query Attributes 304
  Query Fields 307
  SELECT Query Fields 308
  Query Structure (SELECT) 309
  Applying Functions to SELECT Columns 310
  GROUP BY Query Fields 311
  Query Structure (GROUP BY) 312
  Applying Time-Based Functions to GROUP BY Columns 313
  ORDER BY Query Fields 314
  Query Structure (ORDER BY) 315
  Applying a Column Function to Order By 315
  Sort Order 315
  Query Conditions 315
  Creating Conditions on a Field 316
  Creating a Group Condition 317
  Tips on Creating Conditions 317
  Query Variables 317
  Editing a Query 318
  Example: Creating Asset-Related Conditions for Queries on Lists 319

Chapter 12: Query Viewers 321
  Pre-Built and Custom Query Viewers 321
  Standard Content 321
  Custom Query Viewers 321
  Customizing Query Viewers as Needed 322
  inActiveList Conditions for Queries 322
  Managing Query Viewers 322
  Query Viewer Settings 324
  Query Viewer Attributes 324
  Query Viewer Fields 326
  Sort Options 328
  Baselines 328
  Query Viewer Variables 329
  Deleting a Query Viewer 330
  Defining and Using Baselines 330
  Why Baselines are Useful 331
  Planning for Baseline Comparisons 332
  Adding a Baseline 333
  Comparing Displayed Results to a Baseline 333
  Show or Hide Baseline Columns 334
  Sort Baseline Data 335
  Filter Baseline Data 335
  Removing a Baseline 336
  Managing Drilldowns from Query Viewers 337
  Adding a Drilldown 337
  Editing a Drilldown 341
  Changing the Default Drilldown 341
  Sorting or Changing the Order of Drilldowns 341
  Removing a Drilldown 342
  Viewing Query Viewer Results 343
  Filtering Query Viewer Results 346
  Viewing an Event or Resource Directly from the Query Viewer 348
  Working with Query Viewer Results 348
  Results in Table Format 349
  "Analyze in Channel" Options on the Table View 349
  Column Sort, Display, and Edit Options 350
  Results in Chart Formats 352
  Troubleshooting Query Viewers 353
  Adding Query Viewers to Dashboards 353
  Adding Query Viewers as Startup Views 354
  Generating Reports from Query Viewers 354
  Example Queries for Common Scenarios 356
  Basic Analysis 356
  High Level Summaries 356
  Analyst’s First View of Events 357
  How the Events Query Viewer is Built 359
  Analyst’s First View of Events 360
  How the Events Query Viewer is Built 362
  Drilldown Example 364
  How the Console Builds Drilldowns 365
  Non-Event Analysis Example 366
  Baseline Analysis for Data Comparison 366
  History Analysis Example 367

Chapter 13: Building Reports 368
  Understanding the Reporting Workflow 368
  Step 1 - Build a Query 369
  Step 2 - Build a Trend Based on a Query 370
  Step 3 - Build a Query Based on a Trend 370
  Step 4 - Select or Design a Report Template 370
  Step 5 - Create a Report 371
  Step 6 - Run a Report 371
  Step 7 - Archive and Maintain Reports 372
  Managing Dependencies for Reports Resources 372
  Creating or Editing a Report 372
  Defining Report Attributes 374
  Report Templates 375
  Report Template Selection 375
  Text Attributes 376
  Preview 378
  Binding Data to the Report 378
  Binding Data to Charts 378
  Selecting Data for the X-Axis on a Chart 379
  Selecting Data for the Y-Axis on a Chart 381
  Selecting Data for the Z-Axis on a Chart (Optional) 382
  Effect of Sorting on Bar Charts with Series Data 384
  Specifying Top/Bottom Filters 384
  Aggregation Filters for a Chart (Optional) 387
  Setting Display Options and Scale Formats for Charts 388
  Binding Data to Tables 389
  Specifying Fields for a Table 390
  Enabling the Aggregation Tab for a Table 393
  Setting Top/Bottom Counts in Table Aggregation Tab (Optional) 393
  Setting Default and Custom Report Parameters 394
  Adding Custom Parameters for Report Data 398
  Displaying a Custom Parameter Prompt at Report Runtime 399
  Adding or Removing a Prompt for Custom Parameters in the Report 399
  Defining the Prompt in the Query’s Condition Tab 401
  Generating Reports with Central European, Cyrillic, or Asian Fonts 403
  Creating Focused Reports 404
  Using Report Templates 404
  Applying a Standard Template to an Existing Report 405
  Creating a New Report Based on a Template 406
  Copying a Standard Template 407
  Managing Report Template Groups 407
  Editing a Template 407
  End-to-End Reporting Examples
  Example of Creating a Simple Report with the Wizard
  Advanced Reporting Example
  Overview
  Step 1 - Build the VPN Logins Outcome Query
  Query Name and Other General Attributes
  Fields to Include in Query Result
  Query Conditions 413
  Step 2 - Build the VPN Logins Outcome Hourly Trend 413
  Step 3 - Filter the Trend Data (Login Attempts, Successes, Failures) 415
  Step 4 - Create the VPN Logins Outcome Report on Trend Data 417
  Choose a Template and Bind it to Result Data 417
  Use Custom Parameters 418
  Step 5 - Run the Report 420

Chapter 14: Running and Managing Reports 422
  Running a Report 422
  Running a Delta Report 426
  Running Reports from a Grid View 427
  Running a Rule Context Report 427
  Running an Event Context Report 428
  Running a Channel Report 428
  Running a Query Viewer Report 429
  Running Large or Complex Reports 432
  Moving and Copying Reports 433
  Managing Report Groups 433
  Archiving and Scheduling Reports 435
  Archiving a Report 435
  Displaying an Archived Report 437
  Scheduling Report Tasks 437
  Scheduling Individual-Report Archiving 437
  Scheduling Report Archiving by Resource Group 439
  Standard Time Transitions 439
  Viewing an Archived Report 440
  Editing a Report Archiving Schedule 440
  Editing Report Archiving Parameters 441
  Deleting a Report Archiving Schedule 441

Chapter 15: Building Trends 442
  How Trends Work 442
  Snapshot Trend 443
  Interval Trend 443
  Query-Trend Relationships in Reporting 443
  Managing Trends 444
  Creating or Editing a Trend 445
  Defining Trend Settings 445
  Trend Attributes 446
  Trend Schedule 450
  Trend Parameters 451
  Trend Actions (Add to Active List) 452
  How Trend Actions are Useful (Summary Views and Rules) 452
  Plan and Define Active Lists with Fields Mapped to Trend 453
  Working with Trend Actions 453
  Example: Populating Active Lists with Trend Results 454
  Notes on Trend Action Behavior 457
  Testing a Trend 457
  Viewing Trend Data 458
  Refreshing Trend Data 459
  Disabling or Enabling a Trend 459
  Deleting a Trend 460

Chapter 16: List Authoring 461
  Required Settings for Large Lists 461
  Creating or Editing an Active List 461
  Viewing and Editing Active List Entries 466
  Using Rules to Populate an Active List 468
  Example Active List 468
  Example Rule to Populate the Active List 468
  Adding Events from a Channel to an Active List 470
  Moving or Copying an Active List 471
  Importing and Exporting an Active List 472
  Deleting an Active List 472
  Managing Active List Groups 473
  Managing Session Lists 474
  Creating or Editing a Session List 474
  Editing Session List Entries 477
  Moving, Copying, or Deleting a Session List 478
  Exporting a Session List 479
  Field Naming Restrictions 479

Chapter 17: Rules Authoring 481
  Designing Rules 481
  Rule Types 482
  Managing Rules 483
  Creating or Editing Rules 483
  Moving or Copying Rules 484
  Enabling and Disabling Rules 485
  Viewing Rules and Their Correlation Events 486
  Deleting Rules 486
  Specifying Rule Conditions 486
  Creating Rule Conditions 487
  Adding Filter Conditions 488
  Adding Asset Conditions 489
  Adding Vulnerability Conditions 489
  Adding Active List (InActiveList) Conditions 490
  Creating Matching or Join Conditions 492
  Editing or Deleting Join Data Field Conditions 494
  Negating Event Conditions 495
  Optimizing the Evaluation of Event Conditions 497
  Automating Condition Optimization 497
  Disabling the Optimization Feature 498
  Tracing the Optimization 498
  Specifying Rule Thresholds and Aggregation 500
  Setting or Changing Rule Thresholds 500
  Examples of Grouping Unique or Identical Field Values 501
  Examples of Grouping Unique or Identical Field Values 502
  Aggregation Time Criteria 503
  Deleting Aggregation from a Rule 505
  Managing Rule Actions 505
  Adding, Editing, or Removing a Rule Action 506
  Activating or De-activating a Rule Trigger 507
  Enabling or Disabling a Rule Action 508
  Threshold Triggering Options 508
  Rule Actions Best Practices 510
  Rule Actions Reference 511
  Applying Rule Actions on Cases 517
  Using a Rule to Create a Case 517
  Using a Rule to Add to an Existing Case 518
  Converting Rule Types 520
  Testing Rules 520
  Verifying Rules with Events 522
  Deploying Real-time Rules 524
  Deploying a Rule 524
  Removing or Un-deploying a Rule 525
  Managing Rule Groups 525
  Importing and Exporting Rules 527
  Scheduling Rules 527
  Scheduling a Rule Group 528
  Scenarios for Using Scheduled Rules 529
  Example of a Scheduled Rule (Badge Swipes and Logins) 530

Chapter 18: Identity Correlation 534
  Understanding Session Correlation 534
  Creating a Session List Rule 535
  Using the Session List Output 537
  Creating a Variable to Get Session List Data 537
  Example: Using Session Lists to Correlate Session Data on User Logins 538
  Step 1 - Create a Session List to Store Windows Sessions 539
  Step 2 - Create Rules to Populate the Session List with Windows Logins 540
  Rule 1: Triggers on Windows Session Logins 541
  Attributes 541
  Conditions 541
  Aggregation 542
  Actions 542
  Rule 2: Triggers on Termination of Windows Sessions 544
  Step 3 - Verify Rules 545
  Step 4 - Use the Session List in a Report 547
  Example: Using Active Lists to Correlate Users 549
  Example Overview 550
  Step 1 - Build and Populate the Active List with User IDs 550
  Populating an Active List with User Data 551
  Step 2 - Create a Rule that Uses Active List Values to Correlate User IDs 553
  Attributes 553
  Variable 553
  Conditions 555
  Aggregation 556
  Actions 556
  Step 2 - Create a Rule that Uses Active List Values to Correlate User IDs 557
  Attributes 557
  Variable 558
  Conditions 559
  Aggregation 561
  Actions 561
  Step 2 - Create a Rule that Uses Active List Values to Correlate User IDs 562
  Attributes 562
  Variable 563
  Conditions 564
  Aggregation 566
  Actions 566

Chapter 19: Field Sets 568
  Creating a Field Set 569
  Field Set Editor: Attributes Tab 570
  Field Set Editor: Fields Tab 570
  Using the Fields & Global Variables Subtab 571
  Using the Field Sets Subtab 571
  Using the Local Variables Subtab 572
  Field Set Editor: Local Variables Tab 572
  Adding Custom Columns to the Field Set 573
  Renaming a Column Using an Alias 574
  Editing a Field Set 574
  Sharing a Field Set 575
  Deleting a Field Set 576
  Resources That Use Field Sets 576

Chapter 20: Global Variables 577
  Remote Variables Processing 577
  Global Variable Dependencies 577
  Navigating to Global Variables 578
  Creating or Editing a Global Variable 578
  Global Variable Editor: Attributes Tab 580
  Global Variable Editor: Parameters Tab 580
  Global Variable Editor: Local Variables Tab 581
  Moving, Linking, or Deleting Global Variables 581
  Promoting a Local Variable to a Global Variable 582
  Adding a Global Variable to a Resource 584
  Accessing a Global Variable Using the CCE 585
  Adding Global Variables to an Active Channel 586
  Adding a Global Variable to a Data Monitor 587
  Adding a Global Variable to a Field Set 588
  Chaining a Global Variable 589

Chapter 21: Case Management and Queries 591
  Creating or Editing a Case 592
  Locking and Unlocking Cases 594
  Entering Case Attributes 594
  Entering Case Descriptions 598
  Entering the Case Security Classifications 598
  Entering Follow Up Items for the Case 599
  Entering Attack Mechanism Information 600
  Entering Attack Agent Information 601
  Entering Incident Information 601
  Entering Vulnerability Information 602
  Entering Miscellaneous Information 603
  Using the Case's History Panel 603
  Working with Events in Cases 606
  Creating or Updating a Case from Displayed Events 606
  Using the Case Events Panel 608
  Viewing a Case's Events in a Channel 609
  Including Base Events Through a Rule 609
  Copying Event Details from Case to Case 609
  Deleting Events from a Case 610
  Attaching a File to a Case 610
  Attaching a Data Monitor, Dashboard, or Query Viewer to a Case 612
  Viewing a Case Attachment 613
  Editing a Case Attachment 613
  Best Practices on Attaching Files to a Case 614
  Closing a Case 615
  Deleting a Case 615
  Granting Permission to Delete Cases 616
  Moving or Copying a Case to a Group 617
  Finding Cases 617
  Viewing a Case’s Internal Audit Events 618
  Managing Case Groups 619
  Viewing Group Cases in a Grid View 620
  Running Case Queries 621
  Creating a Report from a Case 621
  Running Case Reports and Setting Default Parameters 622
  Customizing the Case Report 625
  Customize Selected Case Query 625
  Customize Selected Case Report 626
  Add a Server Property for the New Report URI 627
  Using External Case Management Systems 627
  Exporting Cases to ServiceNow® IT Service Management (ITSM) 628

Chapter 22: Integration Commands 630
  What are Integration Commands? 630
  Supported Command Types 630
  Local Scripts and Commands to Other Applications 631
  How Integration Commands Work 632
  Planning Checklist and Workflow 632
  Navigating to Integration Command Resources 633
  Defining Commands 634
  Script Commands 636
  URL Commands 637
  Connector Commands 637
  Adding and Editing Command Parameters 638
  Removing a Command Parameter 640
  Using Configurations to Group Commands 641
  Configurations Attributes 642
  Configurations Contexts 643
  Configurations Commands 644
  Configuration Targets 645
  Adding a Target to a Configuration 645
  Editing Targets in a Configuration 645
  Removing Commands from a Configuration 646
  Specifying Targets 646
  Target Attribute 646
  Target Integration Parameters 647
  Authorization and Authentication Settings 647
  Setting User Login Parameters 648
  Setting Login Credentials 648
  Setting Login Credentials on Target Servers 649
  Setting Logins and Other Parameters to Prompt for Values at Runtime 649
  Running Integration Commands 650
  Entering/Saving Command Parameters at Runtime 650
  Using the ArcSight Investigate Integration Commands 651
  ArcSight Logger Search Commands 653
  Logger Integration Commands 653
  Enabling Integrated Logger Searches 654
  1. Set Up Logger Command Targets 655
  2. Set Up the Logger Command Configuration 655
  3. Set Up Users for Logger Access 655
  Example of Running a Logger Quick Search 656
  Network Tools as Integration Commands 657
  More Integration Examples 659

Chapter 23: Knowledge Base Authoring 662
  Managing Knowledge Base Articles 662
  Managing Knowledge Base Article Groups 665
  Associating Knowledge Base Articles 666

Chapter 24: Finding Resources 667
  How Fields are Indexed 667
  Using Text Search Syntax 668
  Using the Search Field on the Console Tool Bar 671
  Using the Search Result Columns 673
  Locating Resources on the Navigator Tree 673

Chapter 25: Managing Resources 674
  Working with Resource Groups 674
  Adding or Editing a Resource Group 674
  Using the Categories Tab for Asset Groups 675
  Moving, Copying, Linking, and Deleting Resources 675
  Locking and Unlocking Resources 676
  Selecting Resources 677
  Visualizing Resources 677
  Graphing Resources 677
  Using Graphs 678
  Configuring Resource Graphs 679
  Viewing Resources in Grids 680
  Validating Resources 680
  About Valid and Invalid Resources 680
  Fixing and Validating Resources 681
  Troubleshooting Requirements for Valid Resources 683
  Resource Validation During Upgrade or Package Import 685
  Extending Audit Event Logging 685
  Common Resource Attribute Fields 687
  Common 687
  Assign 688
  Saving Copies of Read-Only Resources 688
  Managing File Resources 688
  Uploading Files and Creating a File Resource 689
  Working with Files 689

Chapter 26: Managing Packages 692
  Creating or Editing Packages 693
  About Locked Packages 697
  Adding Resources from the Resource Navigator 697
  Supported Packages for Content Synchronization 697
  Exporting Packages 698
  Importing Packages 699
  Best Practices for Importing Packages 700
  Importing Packages Created by Other Users 701
  Backing Up and Restoring with Packages 702
  ID Checking During Import 702
  Package Modifications 702
  List Data Backup and Restore 703
  Summary 703
  Installing or Uninstalling Packages 704
  Deleting Packages 705
  Removing Resources from Packages 706
  Resolving Package Conflicts 706

Chapter 27: Using Pattern Discovery 708
  Pattern Discovery Overview 708
  What Pattern Detection Provides 708
  Pattern Components 709
  How Pattern Discovery Works 710
  Pattern Discovery Life Cycle 711
  Creating or Editing a Profile 711
  Specifying Actions 714
  Creating Local Variables 716
  Adding Notes 717
  Deleting a Profile 718
  Taking a Snapshot 718
  Analyzing Snapshots 720
  Exploring a Snapshot 720
  Arranging Elements in Graphic View 722
  Scheduling a Snapshot 723
  Re-opening a Snapshot 724
  Deleting a Snapshot 724
  Investigating Patterns 725
  Investigating Patterns in the Snapshots View 725
  Investigating Patterns in the Patterns View 727
  Viewing Patterns with Filter 728
  Inspecting Patterns 728
  Creating Rules from Patterns 730
  Annotating Patterns 732
  Deleting a Pattern 733
  Pattern Discovery Usage Guidelines 733
  Establishing a Baseline of Normal Patterns 733
  Using Pattern Discovery in Routine Operations 733
  Performance Considerations 734
  Adjusting Pattern Discovery Memory 734

Chapter 28: Actors 735
  Configuring Actors 735
  Permissions Required to Use Actor-Related Data 737
  Viewing Actors on the Console 738
  Viewing an Actor in the Actor Editor 739
  Viewing Actor Account Attributes 740
  Viewing Actor Role Attributes 740
  Viewing Actors in an Actor Channel 741
  Sorting Fields in Actor Channels 742
  Actor Channel Options 743
  Filtering Actor Channels 743
  Adding a Local Filter to the Actor Channel Resource 743
  Creating an Inline Filter 745
  Managing Actor Channels 745
  Investigating Actors 746
  Running Context Reports from an Actor Channel 746
  Investigating an Actor from an Event Channel 748
  Actor Context Reports in Standard Content 749
  Creating and Editing Actors for Testing Purposes 750
  Important Points to Consider About Making Manual Changes to Actors 750
  Creating Actors for Testing Purposes 750
  Editing Actors for Testing Purposes 752
  Deleting Actors 753
  Leveraging Actor Data Using Variables 753
  Creating an Actor Global Variable 753
  Creating an Actor-Based Variable in Another Resource 754
  Creating and Using Category Models 755
  Memory Recommendations for Using Category Models 755
  Creating Category Models 756
  Creating Actor-to-Actor Category Models 757
  Creating Actor Attribute Category Models 759
  Creating User-Defined Category Models 761
  Managing Category Models 763
  Viewing Category Models in Graphs 764
  Leveraging Category Model Data Using Variables 766

Chapter 29: Reference Guide 768
  Access Control Lists 768
  Resource ACLs 768
  Active Channels 770
  Active Channel Views 770
  Active Channel Headers 771
  Comparisons 772
  Active Channel Views for Assets and Cases 772
  About Actors 772
  How the Actors Feature Works 774
  About the Actor Model Import Connector 775
  Troubleshooting Errors with Actor Model Imports 777
  Active Lists 777
  Uses of Active Lists 778
  Active Lists for Long-Term State Retention 778
  Optimize Data with Hash-Based Active Lists 779
  Active List Monitor Events 779
  Active Lists with Values 780
  Using Variables to Retrieve Data from Active Lists with Values 780
  Example: Active List with Values to Store Directory Information 781
  Create an Active List 781
  Populate the Active List 781
  Correlate Information Stored in UserRoles List 782
  Administrator 784
  Advanced Editor 785
  Aggregation 786
  ArcSight Console 786
  Assets 787
  Assets Tab 787
  Zones Tab 788
  Networks Tab 788
  Categories Tab 788
  Vulnerabilities Tab 789
  Locations Tab 789
  Attack 789
  Audit Events 790
  Audit Events Common to Most Resources 790
  Active Channel 791
  Active List 792
  Actor 792
  Archive 792
  Authentication 793
  Authorization 794
  Connector Connection 794
  Connector Exceptions 795
  Connector Login 796
  Connector Registration and Configuration 796
  Content Management 797
  Dashboard 798
  Data Monitors 798
  Distributed Correlation 799
  Aggregator Audit Events 800
  Correlator Audit Events 800
  DCache (Distributed Cache) Audit Events 800
  MBus (Message Bus) Audit Events 800
  Persistor Audit Events 801
  Event Broker 801
  Global Variables 801
  Group Management 802
  License Audit 802
  Logger Component 803
  Alerts 804
  Archives 807
  Certificates 808
  Peers 809
  Saved Searches 810
  Searches 811
  Search Filters 812
  Storage Groups 812
  Storage Volume 813
  Manager Activation 813
  Manager External Event Flow Interruption 813
  Status Monitor Events 813
  Active Channel Statistics 814
  Active List Statistics 814
  Asset Statistics 815
  Data Monitor Statistics 815
  Event Broker Statistics 816
  Filter Engine Statistics 816
  Main Flow Statistics 816
  Notification Statistics 817
  Pattern Discovery Statistics 817
  Report Statistics 817
  Resource Framework Statistics 817
  Rules Engine Statistics 818
  Session List Statistics 819
  Session Management Statistics 819
  SmartConnector Flow Statistics 820
  Notification 820
  Notification Acknowledgement, Escalation, and Resolution 821
  Notification Testing 821
  Pattern Discovery 821
  Query Viewers 822
  Reports 822
  Resource Quota 822
  Rule Actions 823
  Rule Activations 823
  Rule Firings 824
  Rule Warnings 824
  Rules Scheduled 824
  Scheduler Execution 824
  Scheduler Scheduling Tasks 825
  Scheduler Skip 825
  Session Lists 825
  Trends 826
  Trend Partitions 827
  User Login 827
  User Management 827
  Base Queries 828
  Batching 828
  Cases 828
  Case Groups 829
  Categories 829
  Object Category 830
  Behavior Category 832
  Outcome Category 833
  Device Group Category 834
  Significance Category 834
  Technique Category 835
  Asset Categories 837
  Event Categories 837
  Collaboration 837
  Common Conditions Editor (CCE)
  Editor Features
  Condition Tree Command Buttons
  Condition Tree Context Menu Commands
  Adding Conditions
  Search Box to Find Fields in the List
  Field Comparisons with Variable or Static Values
  Using Field Sets
  Adding or
Removing Global Variables Using the CCE Testing for Zone Relevance 838 839 841 843 846 848 849 850 851 853 Conditional Statements 853 Conditions Parameterized Conditions 855 855 Content Content Packages Custom Content SmartConnector Content 856 856 857 857 CORR-Engine 857 Correlation 857 Correlation Formula 858 Correlation Rule 859 Customers 859 Dashboards 860 Dashboard Context Menu Commands 860 Data Fields Attacker Group Connector Group Category Group Destination Group Device Group Device Custom Group Event Group Event Annotation Group File Group Final Device Group 861 862 865 868 869 872 876 879 884 887 887 HPE ESM 7.0 Page 29 of 1037 ArcSight Console User's Guide Flex Group Geographical Attributes Manager Group Old File Group Original Connector Group Request Group Source Group Target Group Threat Group Resource Attributes Data Monitors Asset Category Count Data Monitor Event Correlation Data Monitor Event Graph Data Monitor Geographic Event Graph Data Monitor Hierarchy Map Data Monitor Hierarchy Map Features Use Cases Defining a Hierarchy Map Data Monitor Adding Variables Specifying the Source Node Identifiers Hierarchy Levels and Group Delimiters Specifying Group Attributes Hierarchy Map Display and Visualization Controls Map Display and An Example Labels, Size, and Color Controls Selecting Colors for the Blocks Hourly Counts Data Monitor Last N Events Data Monitor Last State Data Monitor Last State Data Monitor Parameters Options for Table and Tile Views Table View (Color Chooser and Remove Entry) Tile View (Customize View) Moving Average Data Monitor Rules Partial Match Data Monitor Statistics Data Monitor System Monitor Data Monitor System Monitor Attribute Data Monitor Top Value Counts Data Monitor HPE ESM 7.0 890 890 891 891 892 895 896 899 902 903 903 904 905 908 909 909 910 910 911 912 913 913 914 915 915 916 918 919 920 921 921 922 923 923 925 927 928 930 931 932 Page 30 of 1037 ArcSight Console User's Guide Troubleshooting Data Monitor Expressions 
Supported Data Monitor Expression Operators Supported Data Monitor Expression Functions 934 934 934 935 Device 935 Event Inspector 936 Events 936 Event Annotation Fields 938 Event Categorization 939 Event Handling Stages 939 Field Sets 940 Filters 940 Filtering Options 941 Global Variables 942 Grid View 943 IP Address Ranges 943 Inspect/Edit Panel 943 Job Scheduler Viewing all scheduled jobs Troubleshooting Tips 944 945 945 Knowledge Base 946 Logical Operators 946 Managed Security Service Providers (MSSPs) 949 Manager 950 Navigator Panel 950 Notifications Notification Operation Testing Notification Escalations Notification Destinations Notification Acknowledgements 950 950 951 952 952 Packages 952 Pattern Discovery Pattern Concepts Discovering Patterns 953 953 954 HPE ESM 7.0 Page 31 of 1037 ArcSight Console User's Guide Pattern Analysis Initial Phase Routine Pattern Processing Workflow Management Pattern Analysis Pattern Disposition Pattern Discovery Expertise Workflow Visualization Applications 954 954 955 955 955 955 956 956 956 957 Payload 957 Prioritization Fields 958 Priority Calculations and Ratings Priority Elements Priority Operators Priority Rating 958 961 962 963 Queries Queries and Trends Building and Running Queries 964 964 964 Query Viewers 965 Reference Pages 966 Reports Working with Report Templates, Queries, and Trends Viewing and Managing Reports Archived Reports Report Groups Delta Reports Report Parameters ArcSight-Provided Reports 967 967 968 968 968 969 969 970 Report Templates 970 Resources 971 Resource Attributes 971 Rules Loading Rules Automatically Disabled Rules Rules Processing and Correlation Rule Groups Scheduled Rules 973 973 974 975 977 978 HPE ESM 7.0 Page 32 of 1037 ArcSight Console User's Guide Rule-triggering Timing Rule Chains Variables 978 979 979 Rule Actions 979 Rule Conditions 979 Rules Editor 980 Saved Searches 981 Schema Avoiding Field Naming Collisions Event Fields Precise Event Categorization 981 981 983 983 Search 
Filters 984 Send Logs Guidelines for Using the Send Logs Utility Options for Running Diagnostics and Sending Logs Starting the Send Logs Wizard on the ArcSight Console 984 985 985 986 Session Correlation Why Session Correlation Matters 986 986 Session Lists 987 SmartConnectors Operational Status Configuration Zones Upgrading Filtering 988 988 989 990 990 990 SMTP 991 Sortable Field Sets Sorting Columns in Grid Views 991 992 Threat 993 Threat Evaluation Evaluation Process Evaluation Definitions Maintaining Model Confidence Using Threat Evaluation Information Limitations and Workarounds 993 993 993 994 994 995 Thresholds 995 HPE ESM 7.0 Page 33 of 1037 ArcSight Console User's Guide Time Error Correction 996 Timestamps Timestamps for Security Events Timestamps for Resources 996 996 997 Timestamp Variables Inclusive Timestamps 997 998 Time Zone Correction 998 Understanding Trends and Queries 998 User Groups 999 Users 1000 User Types 1000 Variables About Remote Variables About Functions Local and Global Variables Variable Definition Fields Alias Functions Arithmetic Functions Category Model Function Condition Functions Group Functions IP Address Functions List Functions String Functions Timestamp Functions Type Conversion Functions Value List Functions Using Functions: Examples with Lists Getting Login Session Data from a Session List Extracting a List Element from an Active List Variable Availability and Contexts Variable Functions for In-Memory Operations 1001 1001 1002 1002 1003 1004 1004 1007 1009 1010 1011 1012 1013 1014 1017 1021 1022 1022 1023 1023 1024 Velocity Templates Velocity Application Points Using Velocity Expressions to Retrieve Values from Event Fields or Variables Retrieving Values from Event Fields Using Variables in a Velocity Expression Using Velocity Expressions in Rule Actions 1024 1025 1026 1026 1027 1027 HPE ESM 7.0 Page 34 of 1037 ArcSight Console User's Guide Example of Rule Action that Uses Velocity Expressions to Retrieve Values Velocity 
References for Reports More Velocity Template Examples Velocity Template Usage Tips 1027 1028 1031 1032 Views View Types Dashboards Other Views 1033 1033 1034 1034 Vulnerabilities Vulnerability Groups Standardized Vulnerability Tracking 1034 1035 1035 Web Browsers Browser Preferences for HTML Displays Browser Preference Overrides for Specific Features 1035 1036 1036 Send Documentation Feedback HPE ESM 7.0 1037 Page 35 of 1037 Chapter 1: Getting Started Welcome to ESM and the ArcSight Console. ESM is a comprehensive software solution that combines traditional security event monitoring with network intelligence, context correlation, anomaly detection, historical analysis tools, and automated remediation. It consolidates and normalizes data from disparate devices across your enterprise network in a centralized view. Starting the ArcSight Console Start the Console as you would any other application. Start the Console: Depending on the chosen shortcuts during installation, start the Console using any of these methods: l Using the Console desktop icon l Selecting from the system tray l Selecting from the Start menu Alternatively, open a command window in the Console’s bin directory and type arcsight console Log in: The login mechanism varies according to the type of authentication you have set up during Console installation. l l l l If you are using SSL authentication, set it up and import the certificate as described in the ESM Administrator’s Guide’s “SSL Authentication” section, the topic "Setting Up SSL Client-Side Authentication on ArcSight Console." After the certificate is imported, you can start the Console without entering a user ID or password. If you are using password authentication, log in with your user ID and password. Certificates are imported automatically. See the ESM Administrator’s Guide’s “Configuration” section, in the topic “Managing Password Configuration” for more information. 
If you have selected “Password or SSL Authentication,” you choose which way to log in, each time. If you are using FIPS and using a browser, make sure that browser is configured for FIPS. See the ESM Administrator’s Guide’s topic on “Configure Your Browser for FIPS.” HPE ESM 7.0 Page 36 of 1037 ArcSight Console User's Guide Chapter 1: Getting Started Quick Start Tools and Standard Content The Console serves as the control point for administrators to: l Configure ESM content and resources l Manage, monitor, and respond to network security issues across the enterprise A Network Model Wizard is provided to facilitate the process of describing network devices and assets in ESM. For more about the Network Model wizard and instructions on how to use it, see "Populating the Network Model Using the Wizard" on page 126. A set of coordinated resources (filters, rules, dashboards, reports, and so on) is provided to address common security and management tasks. The set of standard content is designed to give you comprehensive correlation, monitoring, reporting, alerting, and case management out of the box, with minimal configuration required on the Console. For information about standard ArcSight administration or system content, refer to the ArcSight Administration and ArcSight System Standard Content Guide. All ESM documentation is available on Protect 724 at (https://community.saas.hpe.com/t5/ArcSight/ct-p/arcsight). Use Cases Use cases are special groupings of related ArcSight content that address specific security issues and business requirements. Use cases provide an integrated Console-based alternative for viewing and interacting with resources to the standard one-resource-at-a-time viewing method offered in the Resource tree of the Navigator panel. You can configure shared resources in a single operation, and export related resources in an ArcSight Resource Bundle (arb) for use in other ArcSight instances. 
HPE provides use cases for some of the standard content that is installed with ESM and for additional content (Security Use Cases) provided through the Marketplace. Each Security Use Case comes with its own documentation that describes how to install, configure, and use it.

Use case configuration requires having a network model in place. Model your network first as part of the initial configuration of ESM, following the instructions in "Modeling the Network" on page 114.

Chapter 2: Working in the Console

In addition to the capabilities built into the Console, the Console itself is a tool with its own characteristics and specialized controls. The Help topics in this section describe the basics of using Console tools and controls to make the most of its features.

Navigating

Use the Navigator panel on the Console to locate and manage security resources, and the Viewer and Inspect/Edit panels to analyze resource data and view or adjust the attributes of the resources producing the data.

Figure: The Navigator panel showing the Dashboards resource tree

The resources available in the Navigator panel can be affected by permissions set for your user type.

On the Navigator panel, you can:
• Choose a group or a specific resource from the resource tree.
• Expand (+) and collapse (-) resource groups to locate particular subgroups or individual resources. You can also use the keyboard right arrow key to expand and the left arrow key to collapse the Navigator resource trees.
• Right-click groups or individual resources to choose from their context menus.
• See a list of the last 10 resources you have recently viewed, and add resources to your favorites list.

Use the Viewer or Inspect/Edit panels to see or act on the results of the context menu commands.
Navigator Panel Resource Tree

Resource Tree on the Console's Navigator Panel (each resource appears with its own tree icon)

Active Channels
    Create, modify, and delete security-event views that actively and continuously evaluate the events they display, on the basis of time and other filter conditions. This view also includes the Field Sets resource tree for managing named field sets. See "Monitoring Events" on page 213.

Actors
    Map humans or agents to activity in applications and on the network, and identify actors behind events. See "Actors" on page 735.

Assets
    Security-sensitive devices and device groups installed in your enterprise, and the known exposures to potential threats those devices may represent. Assets also includes the related network, zone, location, category, and vulnerability information you use to manage network devices. See "Modeling the Network" on page 114.

Cases
    Track enterprise security incident cases, by status and priority. See "Case Management and Queries" on page 591.

Connectors
    Manage the SmartConnectors installed at your enterprise. See "Managing SmartConnectors" on page 166.

Customers
    Manage resources that represent the security concerns of particular MSSP (Managed Security Services Provider) clients. See "Managing Customers" on page 164.

Dashboards
    Various event data monitors and their library of supporting resources. See "Using Dashboards" on page 239.

Field Sets
    Define subsets of available data fields so you can quickly focus a grid view, an Event Inspector, or other field arrays on a particular context. See "Field Sets" on page 568.

Files
    The Files resource tree, when populated, lists files saved as resources on the Manager. This makes them accessible to all users of the system who are authorized for such access. File resources include Case file attachments, templates, and general-purpose shared files. See "Managing File Resources" on page 688.

Filters
    Event filtering definitions, organized in groups. See "Filtering Events" on page 290 and "Managing Filter Groups" on page 296.

Integration Commands
    Application integration resources used to configure and launch commands, tools, and views in custom and third-party applications and other ArcSight products from within the Console. Provides the ability to configure custom scripts, URLs, and Connector commands, and integrate them into the Console UI in various contexts. Leverages Velocity expressions and the UI contexts for pulling the content of event data, for example, as command parameter values.

Knowledge Base
    A database of articles and groups of articles that aid problem-solving, analysis, and operation. See "Getting Knowledge Base Articles" on page 289 and "Knowledge Base Authoring" on page 662.

Lists
    Active Lists are lists of active source and target IP addresses of interest, as defined by enterprise rules. See "List Authoring" on page 461 for more information.
    Session Lists are similar to active lists, but are optimized for time-based queries and monitoring of rule-driven combinations of event attributes or custom fields. See "Identity Correlation" on page 534 for more information.

Notifications
    Destinations and settings for the automatic messages that alert you to pre-defined situations or events. See "Acknowledging Notifications" on page 72 and "Managing Notifications" on page 206.

Pattern Discovery
    Profiles to capture, and snapshots of, potentially threatening event patterns. See "Using Pattern Discovery" on page 708.

Query Viewers
    A resource for defining and running SQL queries on other ESM resources (independent of reports), including trends, assets, cases, connectors, events, and so forth. Each query viewer contains an SQL query along with other logic for establishing and comparing baseline results, analyzing historical data to find patterns in network activity, and performing drill-down investigation on a particular aspect of the results. Query viewers can use the same queries as reports do, but can be run independently of them. See "Query Viewers" on page 321.

Reports
    Definitions for, and archived output from, various activity reports. See "Building Reports" on page 368 and "Running and Managing Reports" on page 422.

Rules
    Rules and groups of rules created for isolating, analyzing, and responding to events. See "Rules Authoring" on page 481.

Saved Searches
    Saved Searches are created on the ArcSight Command Center. Refer to the ArcSight Command Center User's Guide for information on how to create and save searches. This resource is displayed on the ArcSight Console for packaging and content synchronization purposes. See "Managing Resources" on page 674 and "Managing Packages" on page 692.

Search Filters
    Search Filters are created and used on the ArcSight Command Center. Refer to the ArcSight Command Center User's Guide for information on how to create searches, then save them as filters. This resource is displayed on the ArcSight Console for packaging and content synchronization purposes. See "Managing Resources" on page 674 and "Managing Packages" on page 692.

Stages
    Workflow and annotation features for real-time analyst collaboration on security events.

Use Cases
    Resource collections that address common security issues and business requirements. When use cases are installed, a Use Case tab is displayed in the Navigator panel. A wizard is available for configuration of the use case resources. Instructions for using the wizard are provided in the documentation that accompanies the specific Use Case.

Users
    ArcSight users and user groups. See "Managing Users and Groups" on page 94 and "Managing Permissions" on page 102.
Batch Editing

You can make common edits to multiple case or SmartConnector resources by selecting a set of either type in the Navigator panel and changing their common fields in the Case or Connector Editor.

Batch-Editing Cases or Connectors

Where:
• Navigator > Resources > Connectors, or
• Navigator > Resources > Cases

To batch-edit cases or connectors:
1. Ctrl+click or Shift+click to select a set of individual cases or SmartConnectors in their respective resource trees.
2. Right-click the selected items and choose Edit.
3. Make changes to the appropriate common fields, such as Description or Owner.
4. Click Apply to record your changes and leave the editor open, or click OK to save and close.

Saving affects only the fields you have changed, in each of the selected resources.

Locking Case Groups

Use the Lock Case check box to lock and unlock cases in batches. See "Viewing Group Cases in a Grid View" on page 620.

Note: If a rule action is configured to update a case, and the case is locked at the time the rule triggers, the case is not updated. See "Applying Rule Actions on Cases" on page 517.

SmartConnector Reminders

Batch changes affect only default configurations, not alternates. However, you can add new alternate configurations by batch editing.

Note that if you make changes under the Filters tab, the entire tab's contents are saved to the selected SmartConnectors.

You can batch-edit connectors only of the same version.

Reconnecting to the Manager

If your Console loses its connection to the Manager, a popup dialog offers three options: Retry the connection, Relogin, or Cancel the connection. Try these options in this order.

A connection to the Manager cannot be re-established if the Manager is restarted or if a network problem prevents communication with the same Manager. In such cases, click Cancel and start the Console again, using an appropriate Manager host name.

Changing the Console Display

You can change the look and feel of the Console to better display information, focus on particular panels, or hide information not of interest. You can switch to a dark theme, resize the Console, float or dock Console panels, apply translucency to a floating panel, and show or hide the menu bars, tool bars, and various displays.

What do you want to do? Here's how:

Switch from default to dark theme
    From the View menu, select Themes. You have two options:
    • Default is the daylight theme, appropriate for a lighted room.
    • Dark theme is appropriate for a dark room environment, to reduce glare.
    If you switch the theme, log off, then log back in.
    Note: After you have used the dark theme for a while, you may notice that the labels on the tabs are no longer legible. If so, exit the Console and log back in.

Resize the Console
    • To expand to the whole screen, click the Maximize icon at the top-right corner of the window.
    • To collapse the Console, click the Minimize button, or drag the corners of the Console to resize it.
    • To resize any panels, drag and drop the panel dividers.

Show or hide menu bars and tools
    Right-click the Menu bar area of the Console and use the context menu to enable (check) or disable (clear) each component.

Show or hide the status bar
    Click the Status Bar button on the toolbar, or on the Window menu, choose Status Bar.

Show or hide the Navigator panel
    Click the Navigator button on the toolbar, or on the Window menu, choose Navigator Panel.

Show or hide the Viewer panel
    Click the Viewer button on the toolbar, or on the Window menu, choose Viewer Panel.

Show or hide the Inspect/Edit panel
    Click the Inspector button on the toolbar, or on the Window menu, choose Inspect/Edit Panel.
Float a Console panel
    Click the Float/Dock button on the panel header, or right-click the panel header and choose Float Panel. You can apply translucency once a panel is floated.

Apply translucency to a floating Console panel
    Float the panel first, then move the Translucency slider on the panel header.

Dock a Console panel
    Click the Float/Dock button on the panel header, or right-click the panel header and choose Dock Panel.

Close a Console panel
    Click the Close button on the panel header, or right-click the panel header and choose Close Panel.

Changing User Preferences

You can change several Console characteristics to suit your security needs, working style, or personal preferences. You reach the Preferences dialog box through the Edit > Preferences menu command.

Changing Your Password

Administrators create users and assign passwords. After logging in with your administrator-created password, you must change it for security reasons.

Note: You can change your password only if your ArcSight installation is configured to use built-in password authentication. Contact your system administrator for instructions on how to change passwords on ArcSight systems that use RADIUS, SecurID, or SSL authentication.

Where: Edit > Preferences > Password

1. Enter your old password and new password, and confirm the new password.
2. Click OK.

By default, passwords require a minimum of 6 characters, can contain a maximum of 20 characters, and can contain numbers and/or letters. Ask your system administrator about any special requirements for your site. For information on password restrictions, see the "Managing Password Configuration" topic and its subtopics in the Administrator's Guide.

Note: If you are an administrator, you can change other ESM users' passwords. See "Resetting User Passwords" on page 99.
Setting Default Editors and Viewers You can set the default editors and viewers to use for text, HTML, and packet payloads. For example, use the HTML editor when editing the Knowledge Base and the Web browser for reports. Where: Edit > Preferences > Programs Program Preferences Program Preference Value Preferred Enter the complete path to your preferred text or HTML editor, or click the Browse button to locate the Text/HTML editor. Editor Preferred Web Browser Enter the complete path to the preferred Web browser or click Browse to locate the executable. Use your preferred Web browser to display HTML files such as custom view dashboards, reports, knowledge base articles, and so on. For an updated list of supported products, refer to the ArcSight ESM Support Matrix in Protect 724. This matrix includes the supported Web browsers for all currently-supported ESM versions. Preferred Payload Viewer Enter the complete path to your preferred packet-payload viewer or click the Browse button to locate one. Text to PCAP Converter Enter the complete path to your preferred packet-payload PCAP converter or click the Browse button to locate one. Changing Global Options You can make the Inspect/Edit panel open as a docked window inside, or as a floating window outside, the Console. You can do the same with all child windows as a class. Where: Edit > Preferences > Global Options HPE ESM 7.0 Page 44 of 1037 ArcSight Console User's Guide Chapter 2: Working in the Console Refer to the following table for available settings: Global Options for Console Global Option Description Font Set global preference for font face, size, and style used throughout the Console, except on windows or views where you can set fonts specific to those Console elements. (For example, you can set fonts specific to Grid views as detailed in the next topic.) Click into the Font field to get the drop-down menu arrow. Click the arrow to bring up the Fonts dialog. Set the Font, Size and Style. 
Launch editors Open all editors in a floating window. If deselected, all editors appear in the Inspect/Edit panel. If you in a floating select this option, you can still float or dock the windows. window Allow multiple editors of the same type Permit more than one resource editor to be opened simultaneously for a given resource type (for example, opening three instances of the Filter Editor at once). Enabling this option is very useful for analysts and persons implementing security solutions, but may inappropriate for operators or other persons who should have less-extensive editing access. Allow multiple event inspectors Display details of multiple events in their respective Event Inspector tabs on the Inspect/Edit panel. If de-selected (the default), you can only view event details one event at a time. Allow Bulk Delete Delete multiple resources without any dependency warnings. If de-selected, you can still delete multiple resources but you see a warning if there are any resource dependencies. Create independent floating windows Independently float new windows that are children of another window such as the Viewer panel. This is the default. When enabled, you can choose a window's name from the list at the Window>Floating command, or toolbar button to bring it forward: Auto Relogin Automatically log in again after logging out of the Console. HPE ESM 7.0 For more information about the Event Inspector, see "Inspecting and Editing" on page 63 and "Event Inspector" on page 936. Page 45 of 1037 ArcSight Console User's Guide Chapter 2: Working in the Console Global Options for Console, continued Global Option Description Use system defaults for dashboard background When this option is selected, your system defaults are used for all Dashboard backgrounds. Show print preview dialog Display a preview of the printable page when you choose to print a resource definition, for example, a rule definition. This preference is selected by default. 
You can customize views for dashboards for display on the Web browser. See "Using Custom View Dashboards" on page 248. Print preview options include Print, view each printable page (as applicable), and zoom in or out of the previewed page. For more information about printing, see "Printing from the Console" on page 88. Set Help The Help display window defaults to width of 910 x length of 650 pixels. dialog size (Width,Height) You can specify a different default Help window display size here. To do this, enter a new window size (for example: 750,900), then press the Enter key. Note: Press Enter after setting the new display size, and then also click Apply or OK to save all preference settings. If you do not press Enter, the new window size setting cannot be saved even if you click Apply or OK. Note: For descriptions of settings in the Dialog Options section, see "Setting Dialog Options" below. Setting Dialog Options Purpose: Part of Global Options, Dialog Options is where you define the behavior of dialog boxes for system messages. System messages are classified into error and informational or warning messages. Where: Edit > Preferences > Global Options HPE ESM 7.0 Page 46 of 1037 ArcSight Console User's Guide Chapter 2: Working in the Console Tip: If necessary, expand the Preferences window to expose the subtabs under Dialog Options. Refer to the following table for available settings. The information in the table applies to both error and informational or warning messages. Dialog Options for Console Dialog Option Description Show message in popup dialog Display message in a popup with an option to save the message to the clipboard. Selected by default. Clear the checkbox if if you don’t want system messages in a popup. Note: ESM also maintains system logs containing some audit information and details of any issues that occur. 
    Refer to the ArcSight Command Center User Guide's Administration and Configuration section and read the topic "Log Retrieval."

Dialog Type
    Classic: Display the dialog in the front center of the ArcSight Console. The dialog remains in this position until you click OK to dismiss it.
    Animated: Animation defines the display duration, the dialog's direction of movement when it appears, and its direction of movement after the dialog times out. The animated type has these settings:
        Location: Position the dialog at one of the nine available locations on the screen and keep it displayed for the duration specified in Dialog Timeout.
        Dialog Timeout: Display the message for this number of milliseconds. The default is 3,000.
        Entrance Animation:
            Effect: For Fly, move the dialog from Direction and stop at Location. For Zoom, start the dialog at a small size and resize it to its optimal size when it reaches Location. For Fade, make the dialog gradually appear at Location (Direction is ignored).
            Direction: Move the dialog from one of eight origination points on the edge of the screen to Location. Direction works only with the Fly and Zoom effects. The Direction for Entrance Animation can differ from that of Exit Animation.
        Exit Animation:
            Effect: For Fly, move the dialog from Location to Direction. For Zoom, shrink the dialog as it reaches the destination. For Fade, make the dialog gradually disappear at the same location when Dialog Timeout is reached (Direction is ignored).
            Direction: When Dialog Timeout is reached and Effect is not Fade, move the dialog from Location to one of eight destination points on the edge of the screen. Direction works only with the Fly and Zoom effects. Exit Animation and Entrance Animation can have different Direction settings.

Setting Grid Options for the Viewer Panel

These options apply to data displayed in the Viewer panel's grid.
Where: Edit > Preferences > Grid View Options

Refer to the following table for the available settings:

Grid View Options for Console

Font
    Set the global preference for the font face, size, and style used in Grid views. Click into the Font field to display the drop-down arrow, then click the arrow to open the Fonts dialog and set the Font, Size, and Style.

Color text by priority in grid
    Apply distinguishing colors to the event rows in Viewer panel grid displays, based on their threat priority levels. Note that this option can be overridden by the Color text by filter in grid option if conflicts occur. When neither option is selected, the text in grid rows defaults to black.

Color text by filter in grid
    Apply distinguishing colors to the event rows in Viewer panel grid displays, based on the filters that selected them. You set these colors through the Configure button, described below. Note that this option, when selected, overrides the Color text by priority in grid option if conflicts occur. When neither option is selected, the text in grid rows defaults to black.

Pause the current channel on event selection
    By default, selecting an event pauses the event flow to avoid scrolling. Clear this checkbox to allow the flow to continue regardless of a selection.

Do not prompt on verifying rule channel's timestamp change
    Toggles on or off the prompt the system generates when the timestamp changes on an active channel populated by correlation events.

Do not prompt on channel restart
    Toggles on or off the prompt the system generates when an active channel is restarted.

Check available database partitions on Active Channel start
    This option applies to Oracle-based ESM and does not apply to ESM with CORR-Engine.

Print Column Flip Limit
    Determines the print format for Grid Views (channels, lists, and so forth).
    Grid views with the same number of columns as the Column Flip Limit, or fewer, print as a table, the same as shown in the Console grid view. Grid views with more columns than the Column Flip Limit print details per row rather than as a table. The default Column Flip Limit is 10 columns, so tables with more than 10 columns print details per row. See also "Printing from the Console" on page 88.

    (Check available database partitions on Active Channel start, continued) If selected, this option causes the ArcSight Manager to recheck the status of the available Oracle database partitions before starting an active channel. This has a performance cost and is used only for certain historical analysis purposes.

Filter Coloring Preferences
    Click Configure to assign identifying colors to as many as five filters in the Configure Filter Colors dialog box.

Note: For instructions on customizing the grid's right-click option, InActiveList, see "Customizing the Default Selections for Active Lists" below.

Customizing the Default Selections for Active Lists

When you are viewing events on an active channel, you can add selected events to existing active lists. By default, the Console's Viewer panel lets you browse the resource locator to find and select the desired list. These lists might be assigned to different list groups and might also be nested in a hierarchy. If adding events from the event grid to existing lists is a frequent task for you, you can configure the grid's right-click option to display your three most frequently used lists so that they are immediately available for selection.

Where: Edit > Preferences > Grid View Options

1. In the Grid View ActiveList Options area, click Configure. The ActiveLists resource selector is displayed.
2. Expand a group to locate your first preferred active list.
   a. Select an active list and click Add.
   b.
      Repeat to add up to a total of three lists.
   c. Change a list's position by clicking the up or down arrow.
   d. Remove lists from the selection as required.

(Figure: an example configuration for a selection of preferred active lists.)

(Figure: the resulting default list selections when you open an event channel, right-click an event, and select Active List > Add To.)

Note: This feature does not apply to the Remove From option on the grid view. If you use the Remove From option, the Console displays an Active List selector dialog, and you navigate the active list resource tree to select the list.

Setting Date and Time Formats

Purpose: Use the Date/Time option to choose a formatting style for the date and time strings displayed throughout the Console. You can also customize the details of any style you pick.

Where: Edit > Preferences > Date & Time

1. Click the Formats buttons and choose a date/time style from the lists for the Date & Time Format and Short Date & Time Format options.
2. Select Express all times as GMT to show all time values in GMT rather than local time; this removes ambiguity when you correlate events from sources in different time zones.
3. Click Apply to put your changes into effect and leave the Preferences dialog box open, or OK to save your changes and close the dialog box.

If you want, you can customize the selected format string. Edit the Format string using the Java-style date options described in the Format Help window.

Setting Latitude and Longitude Options

Purpose: To define formats for latitude and longitude expressions in the Asset > Locations resource.

Where: Edit > Preferences > Latitude & Longitude

Choose one of the available formats to express latitude and longitude.
(Figure: an example configuration for latitude and longitude format preferences.)

The latitude and longitude format options range from more exact to less so. Latitude and longitude can be shown in degrees, minutes, and seconds; in degrees and minutes; or in decimal degrees only. Additionally, an indicator of compass direction for the specified location can be shown or hidden in the editor.

To view the effects of your preference settings:

1. In the Navigator, choose Assets and click Locations.
2. Create a new location or edit an existing one to open the Location Editor. (See "Managing Locations" on page 163.)

(Figure: an example of how the Location Editor displays the preferred formats for the Latitude and Longitude attributes.)

Configuring Event Graphs

Purpose: You can modify the way graphs plot events, choosing to keep the source-event-target visual relationships compact, or to emphasize unique sources, unique targets, or both, in order to clarify the nature of attacks or situations.

Where: Edit > Preferences > Event Graph

Click the Value fields of the graph attributes to choose the appropriate options:

Show Event Nodes: Choose a basis for visually expanding or aggregating event nodes, relative to their source and target node instances.

    Once per common event
        Graph only one instance of a given event node, regardless of the number of unique sources and targets that have it in common. For example, if sources 1 and 2 are directing the same event at targets 1, 2, and 3, there may be visual instances for each source and target, but only one of the event node.

    Once per unique source
        Graph one instance of a given event node per unique source, regardless of the commonality of the associated targets. For example, if sources 1 and 2 are directing the same event at targets 1, 2, and 3, there are two visual instances of the event, one for each of the two distinct sources.
    Once per unique target
        Graph one instance of a given event node per unique target, regardless of the commonality of the associated sources. For example, if sources 1 and 2 are directing the same event at targets 1, 2, and 3, there are three visual instances of the event, one for each of the three distinct targets.

    Once per unique source or target
        Graph one instance of a given event node per unique source-target pair, regardless of the commonality of the events involved. For example, if sources 1 and 2 are directing a given event at targets 1, 2, and 3, and, as a chain, targets 1, 2, and 3 are sending the same events on to targets 4, 5, and 6, then there are six visual instances of the event, one for each of the six distinct targets.

Show Source/Target IP Addresses as: In cases where one source-event-target relationship chains to another, you can choose to graph a source/target IP address as a single node, or to graph both the source and target instances of such an IP address.

    Distinct nodes
        Visually plot both the source and target instances of a chained IP address.

    Simple nodes
        Visually plot a single node for an IP address that represents both source and target.

Source Node Identifier: Choose a different event attribute to use as the identifier for source nodes. The default attribute is Source Address. Note that while all attributes are available, not all are appropriate choices for this purpose.

Event Node Identifier: Choose a different event attribute to use as the identifier for event nodes. The default attribute is ArcSight Category. Note that while all attributes are available, not all are appropriate choices for this purpose.

Target Node Identifier: Choose a different event attribute to use as the identifier for target nodes. The default attribute is Target Address. Note that while all attributes are available, not all are appropriate choices for this purpose.
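To make the effect of the Show Event Nodes and Show Source/Target IP Addresses choices concrete before the remaining graph attributes, here is an added Python example (not code from this guide or from ESM) that builds the node set an event graph would contain for a constructed list of source-event-target records, using Source Address, ArcSight Category and Target Address as the node identifiers, as the defaults above do. The addresses and the category string are hypothetical sample data. The fourth Show Event Nodes choice is modelled as one event node per source-target pair, the wording of its description, which is an assumption on our part.

```python
from collections import namedtuple

# One source-event-target relationship, keyed by the guide's default node
# identifiers: Source Address, ArcSight Category (the event), Target Address.
Edge = namedtuple("Edge", "source event target")

# Constructed sample mirroring the guide's example: sources 1 and 2 direct the
# same event at targets 1, 2 and 3. The addresses are hypothetical.
SAMPLE = [
    Edge(src, "/Recon/Scan/Port", tgt)
    for src in ("10.0.0.1", "10.0.0.2")
    for tgt in ("10.0.1.1", "10.0.1.2", "10.0.1.3")
]

# The chained case: targets 1, 2 and 3 send the same event on to targets 4, 5
# and 6, so 10.0.1.x appears both as a target and as a source.
CHAINED = SAMPLE + [
    Edge(src, "/Recon/Scan/Port", tgt)
    for src, tgt in zip(("10.0.1.1", "10.0.1.2", "10.0.1.3"),
                        ("10.0.2.1", "10.0.2.2", "10.0.2.3"))
]


def event_node_key(edge, show_event_nodes):
    """Map an edge to the event node that represents it under a Show Event Nodes choice."""
    if show_event_nodes == "once":            # Once per common event
        return (edge.event,)
    if show_event_nodes == "per_source":      # Once per unique source
        return (edge.event, "src", edge.source)
    if show_event_nodes == "per_target":      # Once per unique target
        return (edge.event, "tgt", edge.target)
    if show_event_nodes == "per_pair":        # Once per unique source or target,
        # modelled (assumption) as one node per source-target pair.
        return (edge.event, edge.source, edge.target)
    raise ValueError(f"unknown Show Event Nodes choice: {show_event_nodes!r}")


def build_event_graph(edges, show_event_nodes="once", ip_nodes="simple"):
    """Return (address_nodes, event_nodes, links) for a list of Edge records.

    ip_nodes="simple":   one node per IP address, whether source, target or both.
    ip_nodes="distinct": separate source and target instances of a chained address.
    """
    address_nodes, event_nodes, links = set(), set(), set()
    for edge in edges:
        if ip_nodes == "distinct":
            src_node, tgt_node = ("src", edge.source), ("tgt", edge.target)
        elif ip_nodes == "simple":
            src_node, tgt_node = ("ip", edge.source), ("ip", edge.target)
        else:
            raise ValueError(f"unknown Show Source/Target IP Addresses choice: {ip_nodes!r}")
        ev_node = event_node_key(edge, show_event_nodes)
        address_nodes.update((src_node, tgt_node))
        event_nodes.add(ev_node)
        # Every edge is drawn as source -> event -> target; shared nodes collapse.
        links.add((src_node, ev_node))
        links.add((ev_node, tgt_node))
    return address_nodes, event_nodes, links


def node_counts(edges, show_event_nodes="once", ip_nodes="simple"):
    """(number of address nodes, number of event nodes) for the chosen preferences."""
    address_nodes, event_nodes, _ = build_event_graph(edges, show_event_nodes, ip_nodes)
    return len(address_nodes), len(event_nodes)


if __name__ == "__main__":
    for choice in ("once", "per_source", "per_target", "per_pair"):
        print(f"SAMPLE, {choice:>10}: {node_counts(SAMPLE, choice)}")
    for ip_choice in ("simple", "distinct"):
        print(f"CHAINED, once, {ip_choice}: {node_counts(CHAINED, 'once', ip_choice)}")
```

Running the module reports one, two, three and six event nodes for the two-sources-three-targets sample under the four Show Event Nodes choices, and shows why the Simple/Distinct choice matters for a chained attack: the chained sample yields eight address nodes with Simple nodes but eleven with Distinct nodes, because 10.0.1.1 to 10.0.1.3 are plotted once as targets and again as sources. Changing the identifier attributes in the preferences above amounts to changing which event fields populate the Edge tuple.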
Graph Layout: Set the layout for all event graphs.
    Note: You can override this default layout setting while you are viewing an event graph. For more details, refer to the topic "Event Graphs as an Investigation and Analysis Tool" in ESM 101.

    Hierarchical Layout
        Display the event graph as tree-like nodes to show a related, sequential flow.
    Organic Layout
        The default layout.
    Circular Layout
        Display the source node at the center, with the destination nodes arranged in a circle around it.
    Orthogonal Layout
        Display the edges of the graph running horizontally or vertically, parallel to the layout's X and Y axes.

Default Field Set: Choose from the ArcSight-provided field sets to supply the data points in the graph. The default field set is /All Field Sets/ArcSight System/Event Field Sets/Active Channels/Standard.

Setting Notification Popups

Purpose: You can manage received notifications from within the Console. In the Preferences dialog box, you can set a severity threshold for notification popups and optionally play a sound when notifications arrive.

Where: Edit > Preferences > Notifications

For Severity threshold for notification popup, increase or decrease the integer value to the priority level at which you want to be alerted. Select Play a sound when a notification message is received to also emit a sound when the alert threshold is met, and browse to the file of your preferred audio alert.

Managing Hot Keys

The Console provides schemas for configuring keyboard shortcuts to common actions. These schemas come with the Console:

- $default
- Schemas for users

Tip: Keep these reminders in mind:

- Schemas for users other than administrators are listed only for users who have set up custom shortcuts on this Console under their own logins.
- Custom shortcuts are available only locally.
  See "Sharing Custom Shortcut Schemas" on page 61 for more information.

Note: If this Console does not use UTF-8 encoding, refer to the "Installing ArcSight Console" section of the ESM Installation and Configuration Guide, and read the topic "Character Set Encoding" under "Installing the Console."

Schemas for users are all based on the $default schema. That is, user schemas inherit all $default schema shortcuts. The $default schema.

Where: Edit > Preferences > Manage Hot Keys

Under Available shortcut schemas, the schema in use shows "(active)" next to its name. You can define a keyboard shortcut for each listed command. Each command can have a different (or the same) keyboard shortcut depending on which schema you have selected.

Keyboard shortcuts are pre-defined for common commands. For example, the pre-defined keyboard shortcut for the Select All command (edit.selectAll) is Ctrl+A. You cannot edit commands shown in red on the Preferences dialog, for example edit.delete, edit.redo, edit.cut, edit.copy, edit.paste, and so forth; the flyover tooltips on these commands also indicate that they are not editable. Many commands are listed for which no shortcut is provided (for example, file.new.Report, file.new.Rule, navigator.reports, navigator.queryViewers, and so forth).

Adding Shortcuts for Frequently-Used Resources

This task is not initiated from the Edit > Preferences dialog, but from the various resource contexts in the Console. The results of setting up shortcut keys on selected resources are, however, shown on the Edit > Preferences > Manage Hot Keys dialog, as described here.

Where: Navigator > (the resource). For example, choose Active Channels in the Navigator and select an active channel such as /All Active Channels/ArcSight Administration/System Events Last Hour.

To add a shortcut to a resource:

1. Navigate to and select the resource for which you want to add a shortcut.
2.
   Right-click and choose Manage Hot Keys from the context menu to open the shortcut setup dialog for this resource.
3. Select the action you want to take with regard to the resource. Each resource has its own set of actions, such as Edit and Show.
4. In the Press new shortcut field:
   - Optionally, click the drop-down button next to the field to display a menu where you can set the type of shortcut to add (mouse, tab, and so forth) and set a limit on keystrokes. For example, if you want to set the shortcut on this channel to Ctrl+C+H, change the keystroke limit from the default of 1 to 2 keystrokes.
   - Type the keyboard sequence you want to associate with the command. If the sequence is not in use, a light gray "no conflicts" message is shown in the Shortcuts currently used by field. For example, if you selected navigator.rules, placed the cursor in the Press new shortcut field, and typed Ctrl+Alt+X, you would get the "no conflicts" message. If you type a sequence that is already used by another shortcut, the Shortcuts currently used by field states which resource is currently using it. For example, the default shortcut for navigator.rules is Ctrl+Alt+L; if you typed Ctrl+Alt+R in the Press new shortcut field, the message would state that this sequence is already in use for navigator.reports. If you continue with the assignment, you are prompted to confirm that you want to remove the shortcut from the other resource and add it to this one.
5. Click Assign to associate the shortcut with the resource.
6. Click OK to save your changes and close the dialog.
7. Confirm your setting on the Edit > Preferences > Manage Hot Keys dialog.
8. In the list of commands, locate the resource for which you created the shortcut. Resources are shown by their URIs.
9.
   Select the URI to display the associated shortcut, as in the following example:

(Figure: a resource URI and its associated shortcut on the Manage Hot Keys dialog.)

Modifying a Custom Shortcut

Shortcuts are associated with schemas based on the user.

Where: Edit > Preferences > Manage Hot Keys

To modify a custom shortcut:

1. On the Edit > Preferences > Manage Hot Keys dialog, select the shortcut schema (the associated user) in which you want to modify shortcuts for commands. In this example, the schema for the user called admin is selected. Note that the schema selected for modifying a hot key need not be the "active" schema, although it happens to be in this example.
2. Select the command for which you want to modify the hot key. You can filter for commands containing a given string (for example, navigator to find all navigator commands).
3. In the Press new shortcut field:
   - Optionally, click the drop-down button next to the field to display a menu where you can set the type of shortcut to add (mouse, tab, and so on) and a limit on keystrokes. The default keystroke limit is 1. If you set it to 2 or 3, more keystroke combinations are available for custom settings.
   - Enter the keyboard sequence you want to associate with the command. If the sequence is not in use, a light gray "no conflicts" message is shown in the Shortcuts currently used by field. For example, if you select navigator.rules, place the cursor in the Press new shortcut field, and press Ctrl+Alt+X, you get the "no conflicts" message. If you enter a sequence that is already used by another shortcut, the Shortcuts currently used by field tells you which resource is currently using it. For example, the default shortcut for navigator.rules is Ctrl+Alt+L.
     If you enter Ctrl+Alt+R in the Press new shortcut field, you get a message noting that this sequence is already in use for navigator.reports. If you continue with the assignment, you are prompted to confirm that you want to remove the shortcut from the other resource and add it to this one.
4. Click Assign to apply the new shortcut to the command.
   Tip: An asterisk is displayed next to commands whose pre-defined shortcuts have been modified or overwritten. These customized commands are also displayed in blue text rather than the usual black.
5. Click Apply or OK.

To modify a custom shortcut directly from the resource:

You can modify a custom shortcut for a resource in either of these ways:
- Directly from the right-click Manage Hot Keys dialog on that resource
- From the Edit > Preferences > Manage Hot Keys dialog, as described above

1. Navigate to and select the resource whose shortcut you want to modify.
2. With the resource selected, right-click and choose Manage Hot Keys from the context menu to open the shortcut setup dialog for this resource.
3. Select the action (for example, Show or Edit) associated with the shortcut. The shortcut is shown in the Press new shortcut field.
4. Modify it as needed, following the previous procedure.
5. Click OK to save your changes and close the dialog.

Removing a Custom Shortcut

Where: Edit > Preferences > Manage Hot Keys

To remove a custom shortcut (key sequence) for any command:

1. Select the schema in which you want to modify the command.
2. Select the command whose custom hot key you want to remove.
3. Customized commands are shown in blue text with an asterisk. The current key sequence associated with the selected command is shown in the Shortcuts for selected command field.
4. Click the Remove button next to the Shortcuts for selected command field.
   The custom shortcut (key sequence) is removed and replaced by the default key sequence (if there was one).

Caution: As soon as you click Remove, the change is saved. Even if you then click Cancel to close the Preferences dialog, the removed custom shortcut is not restored. For example, if navigator.rules was modified to be associated with Ctrl+Alt+X, then after you remove this shortcut, navigator.rules is again associated with its default shortcut of Ctrl+Alt+L.

Tip: You can remove only custom shortcuts, not default shortcuts.

To remove a custom shortcut directly from the resource:

You can remove a custom shortcut for a resource in either of these ways:
- Directly from the right-click Manage Hot Keys dialog on that resource
- From the Edit > Preferences > Manage Hot Keys dialog, as described above

1. Navigate to and select the resource from which you want to remove the shortcut.
2. With the resource selected, right-click and choose Manage Hot Keys from the context menu to open the shortcut setup dialog for this resource.
3. Select the action (for example, Show or Edit) associated with the shortcut. The shortcut, if any, is shown in the Press new shortcut field.
4. Click Remove.
5. Click OK or Cancel to close the dialog.

Caution: As soon as you click Remove, the change is saved. Even if you then click Cancel to close the dialog, the removed custom shortcut is not restored.

Activating a New Shortcut Schema

For more information on schemas, see the introduction to shortcut key management at "Managing Hot Keys" on page 53.

Where: Edit > Preferences > Manage Hot Keys

To activate a new schema:

1. Select the schema you want to activate.
2. Click Set Active.
   Tip: To get an enabled Set Active button, select a schema that is not currently applied.
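The behaviour described across the preceding hot-key procedures (user schemas inheriting $default, the "no conflicts" check, taking a shortcut over from another command, the keystroke limit, the non-editable commands shown in red, and Remove reverting to the default) can be modelled in a few lines, which is a useful way to reason about what a schema will do before handing a Console to an operator. The following Python is an added example, not code from this guide or from the Console. The $default bindings it starts from are only the ones the guide mentions, the "(Show)" suffix used to name a resource action and the rule that modifier keys do not count toward the keystroke limit are assumptions.

```python
# Modifier keys are not counted as keystrokes (an assumption about the dialog's
# keystroke limit: Ctrl+Alt+X is one keystroke, Ctrl+C+H is two).
MODIFIERS = frozenset({"Ctrl", "Alt", "Shift", "Meta"})

# A constructed $default schema holding only the bindings the guide mentions.
DEFAULT_SCHEMA = {
    "edit.selectAll": "Ctrl+A",
    "edit.copy": "Ctrl+C",
    "navigator.rules": "Ctrl+Alt+L",
    "navigator.reports": "Ctrl+Alt+R",
}

# A resource action that can be given a shortcut from the Navigator (Show on the
# channel the guide uses as its example); the "(Show)" suffix is our own notation.
RESOURCE_SHOW = "/All Active Channels/ArcSight Administration/System Events Last Hour (Show)"


def keystrokes(keys):
    """Count keystrokes in a sequence such as 'Ctrl+Alt+X' (1) or 'Ctrl+C+H' (2)."""
    return sum(1 for key in keys.split("+") if key not in MODIFIERS)


class ShortcutSchema:
    """One user's schema: custom bindings layered over the inherited $default schema."""

    # Commands shown in red in the Preferences dialog cannot be re-bound.
    LOCKED = frozenset({"edit.delete", "edit.redo", "edit.cut", "edit.copy", "edit.paste"})

    def __init__(self, user, default_schema, keystroke_limit=1):
        self.user = user
        self.default_schema = dict(default_schema)
        self.custom = {}                      # command -> keys, or None if taken away
        self.keystroke_limit = keystroke_limit

    def binding(self, command):
        """Effective shortcut: the custom one if present, else the inherited default."""
        if command in self.custom:
            return self.custom[command]
        return self.default_schema.get(command)

    def conflicts(self, keys):
        """Commands already bound to `keys` (an empty list means 'no conflicts')."""
        commands = set(self.default_schema) | set(self.custom)
        return sorted(c for c in commands if self.binding(c) == keys)

    def is_customized(self, command):
        """True for commands the dialog shows in blue with an asterisk."""
        return command in self.custom

    def assign(self, command, keys, take_over=False):
        """Bind `keys` to `command`; returns the commands the shortcut was taken from."""
        if command in self.LOCKED:
            raise PermissionError(f"{command} is not editable")
        if keystrokes(keys) > self.keystroke_limit:
            raise ValueError(f"{keys} exceeds the keystroke limit of {self.keystroke_limit}")
        holders = [c for c in self.conflicts(keys) if c != command]
        if holders and not take_over:
            raise ValueError(f"{keys} is already in use for {', '.join(holders)}")
        for other in holders:                 # the dialog's "remove from the other resource"
            self.custom[other] = None
        self.custom[command] = keys
        return holders

    def remove(self, command):
        """Drop a custom shortcut; the inherited default (if any) applies again."""
        if command not in self.custom:
            raise KeyError(f"{command} has no custom shortcut; default shortcuts cannot be removed")
        del self.custom[command]
        return self.binding(command)


def try_assign(schema, command, keys, take_over=False):
    """Attempt an assignment and report the outcome the way the dialog would."""
    try:
        moved = schema.assign(command, keys, take_over)
    except (PermissionError, ValueError) as exc:
        return False, str(exc)
    message = "moved from " + ", ".join(moved) if moved else "no conflicts"
    return True, message


if __name__ == "__main__":
    admin = ShortcutSchema("admin", DEFAULT_SCHEMA)
    print(try_assign(admin, "navigator.rules", "Ctrl+Alt+X"))       # (True, 'no conflicts')
    print(try_assign(admin, "navigator.rules", "Ctrl+Alt+R"))       # conflict with navigator.reports
    print(try_assign(admin, "navigator.rules", "Ctrl+Alt+R", True)) # taken over
    print(admin.remove("navigator.rules"))                          # back to Ctrl+Alt+L
```

The model also makes the Caution above explicit: remove() mutates the schema immediately and returns the default that now applies, so a later Cancel has nothing to undo. Setting keystroke_limit to 2 is what lets the Ctrl+C+H example from the resource procedure go through.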
   Set Active is disabled when the selected schema is already the active one.
3. Click Apply to apply the new schema, or click OK to apply the new schema and close the Preferences dialog.

Sharing Custom Shortcut Schemas

Shortcut schemas are available only to the local Console. That is, if schemas for several different users are configured on a Console running on a particular machine, those shortcut setups (schemas) are not available to the same Console user logins on other machines. If you want the same shortcuts to exist in other Console installations, you must set them up manually in those installations.

Viewing

This section provides information on using the Console Viewer panel and choosing look-and-feel options (skins) for the Console.

The Viewer Panel

You see the results of security-event analyses in the Viewer panel, which can display several different types of views. (See also "Using Views" on page 220.) Although some views display information about resources, most views are active channels, which are continuously evaluated collections of security-event data. (See also "Monitoring Active Channels" on page 213.)

Tip: Here are some Viewer panel features you can use.
- To show a resource (such as a particular dashboard or active channel) in the Viewer, right-click it in the Navigator tree and select Show.
- To close individual views quickly, Shift+click their name tabs. (You can also right-click a view's name tab and select Close from the popup menu.)
- To float the Viewer panel, click the Float icon at the top left of the Viewer.

The view tabs in the Viewer panel have a live link at the top. You can click these links to open the contents in an external, fully functional browser window.
For security reasons, HTML that might include JavaScript, plug-ins, or other embedded objects is not rendered inside the Console; it is handed to the default browser you specify through the Preferences dialog box. The default browser is also used for PDF document files.

If your Console is not already displaying a default set of pre-defined views, or if you want to change the views displayed, you can use these options:
- Choose Window > Viewer Panel to open the panel if it is not open.
- Choose the Active Channels, Dashboards, or Pattern Discovery resource trees in the Navigator panel to find analysis tools or results to view. Right-click a resource in a tree and choose Show to open it in the Viewer panel.
- When multiple tabbed views are open in the panel, click the tabs at the top of the panel to choose the active channel you want to see, and the tabs at the bottom of the panel to choose which view of that active channel should be foremost.
- To close an individual view, Shift+click its name tab. (You can also right-click a view name tab and choose Close from the popup menu.)

Using active channels and the many types of views they offer is fully covered in the topics under these headings:
- "Monitoring Events" on page 213
- "Selecting and Investigating Events in Active Channels" on page 277
- "Using Dashboards" on page 239

Console Look-and-Feel

If you start the Console from the command line with the arcsight console command (in ARCSIGHT_HOME/current/bin), use the -laf