ArcSight Console
User’s Guide
for ArcSight ESM™ 6.0c
with CORR Engine
September 20, 2012
ArcSight Console User’s Guide for ESM 6.0c
Copyright © 2012 Hewlett-Packard Development Company, LP. All rights reserved.
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent
with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and
Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard
commercial license.
The information contained herein is subject to change without notice. The only warranties for HP products
and services are set forth in the express warranty statements accompanying such products and services.
Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for
technical or editorial errors or omissions contained herein.
Follow this link to see a complete statement of copyrights and acknowledgements:
http://www.hpenterprisesecurity.com/copyright
The network information used in the examples in this document (including IP addresses and hostnames) is
for illustration purposes only.
This document is confidential.
Revision History
Date       Product Version   Description
09/20/12   ESM 6.0c          ArcSight Console for ArcSight ESM with CORRE.
Contact Information
Phone
1-866-535-3285 (North America)
+44 203-564-1189 (EMEA)
+49 69380789455 (Germany)
Support Web Site
http://support.openview.hp.com
Protect 724 Community
https://protect724.arcsight.com
Contents
Chapter 1: What’s New ..................................................................................................... 39
CORR-Engine Storage and Archive Management .......................................................... 39
Management Console Interface ................................................................................. 39
Resource Migration .................................................................................................. 40
Chapter 2: Getting Started ................................................................................................ 41
Starting the ArcSight Console ......................................................................................... 41
Quick Start Tools and Content ......................................................................................... 41
Network Model Wizard ................................................................................................... 42
Configuring and Using Standard Content ........................................................................ 42
ArcSight Web ................................................................................................................ 42
Chapter 3: Working in the ArcSight Console ...................................................................... 43
Navigating .................................................................................................................... 44
Navigator Panel Resource Tree .................................................................................. 45
Using SmartFolders ................................................................................................. 46
Creating a Case-Search SmartFolder ................................................................... 47
Creating a Reports SmartFolder .......................................................................... 47
Editing Groups ........................................................................................................ 47
Editing a Group ................................................................................................ 47
Categories Tab ................................................................................................. 47
Viewing Group Cases in a Grid View ........................................................................... 48
Batch Editing .......................................................................................................... 48
Batch-Editing Cases or Connectors ...................................................................... 48
Cases Reminder ................................................................................................ 48
SmartConnector Reminders ................................................................................ 49
Reconnecting to the Manager .................................................................................... 49
Viewing ........................................................................................................................ 49
Viewer Panel .......................................................................................................... 49
ArcSight Console Look-and-Feel ................................................................................ 51
Inspecting and Editing ................................................................................................... 52
Overview of Inspect/Edit Features and Utilities ............................................................ 52
Searching for Fields in Event Inspector, Resource Editors or CCE ............................. 53
Controlling the ArcSight Console ..................................................................................... 54
Confidential
ArcSight Console User’s Guide 3
Error and Warning Messages .................................................................................... 55
Using the Network Tools ................................................................................................ 55
Running a Tools Command ....................................................................................... 56
Network Tool Default Options ................................................................................... 56
Adding a Tool ......................................................................................................... 57
Configure (Edit) a Tool ............................................................................................. 57
Deleting a Tool ....................................................................................................... 58
Staying Informed .......................................................................................................... 58
Acknowledging Notifications ..................................................................................... 59
Acknowledging a Page ....................................................................................... 59
Acknowledge a Cell Phone Message ..................................................................... 59
Acknowledge an E-mail Message ......................................................................... 59
Acknowledge Notifications at the ArcSight Console ................................................ 59
Using Notes ........................................................................................................... 59
Adding a Note .................................................................................................. 59
Viewing a Note ................................................................................................. 60
Deleting a Note ................................................................................................ 60
License Tracking ..................................................................................................... 60
License Tracking Notifications ............................................................................. 61
Standard Reports for License Status Tracking ....................................................... 61
Using the Menus ........................................................................................................... 62
File Menu ............................................................................................................... 62
Edit Menu .............................................................................................................. 62
View Menu ............................................................................................................. 63
Window Menu ......................................................................................................... 64
Tools Menu ............................................................................................................ 64
System Menu ......................................................................................................... 65
Help Menu ............................................................................................................. 65
Using Right-Click Context Menus ..................................................................................... 66
Right-Click Menu Options in the Navigator Panel .......................................................... 66
Keyboard Shortcuts (Hot Keys) ....................................................................................... 68
Moving, Copying, Linking, and Deleting Resources ............................................................. 69
Move, Copy, or Link a Resource ................................................................................ 69
Delete a Resource ................................................................................................... 69
Printing from the Console ............................................................................................... 69
Printing Navigation Tree Views of Resources ............................................................... 70
Printing Resource Definitions .................................................................................... 71
Saving as an HTML File ...................................................................................... 72
Printing Grid Views .................................................................................................. 72
Printing Conditions Tree Summary ............................................................................ 72
Using Column Flip Limit to Format Grid View Printouts ................................................. 74
Chapter 4: Monitoring Events ............................................................................................ 77
Monitoring Active Channels ............................................................................................. 77
Using Views ........................................................................................................... 77
Selecting a View ............................................................................................... 77
Changing View Layouts ...................................................................................... 78
Floating a View ................................................................................................. 78
Closing One or All Views .................................................................................... 78
Closing all Views Except the Current One ............................................................. 78
Viewing and Using Channels ..................................................................................... 78
Viewing an Active Channel ................................................................................. 78
Sorting Events in an Active Channel .................................................................... 79
Creating an Active Channel ................................................................................ 79
Applying a Field Set to an Active Channel ............................................................. 80
Adding a Column to the Channel ......................................................................... 81
Using an Active Channel Header .......................................................................... 82
Filtering an Active Channel ................................................................................. 82
Saving Copies of Active Channels and Filters ........................................................ 83
Editing an Active Channel ................................................................................... 83
Defining Grid Fields Options ............................................................................... 85
Discovering Patterns in an Active Channel ............................................................ 85
Deleting an Active Channel ................................................................................. 85
Adding a View Format ....................................................................................... 86
Changing View Layouts ...................................................................................... 86
Best Practices to Optimize Active Channel Performance .......................................... 86
Investigating Views ................................................................................................. 88
Using an Event Attribute to Show a New Filtered View ........................................... 89
Refining a Filter with an Event Attribute ............................................................... 89
Adding an Event Attribute to a Filtering Condition .................................................. 90
Permanently Modifying an Active Channel ............................................................ 90
Showing an Exploited Vulnerability ...................................................................... 91
Showing a Targeted Asset .................................................................................. 91
Using Charts .......................................................................................................... 91
Charting an Active Channel's Contents ................................................................. 91
Charting a Data Monitor's Contents ..................................................................... 91
Exploring the Events Behind a Chart .................................................................... 92
Using Active Channels ............................................................................................. 93
Monitoring Events in the Active Channel ............................................................... 93
Sorting Columns in the Active Channel ................................................................. 93
Adding, Replacing, or Removing a Column ............................................................ 93
Sizing a Column in the Active Channel ................................................................. 94
Showing or Hiding Column Text and Icons ............................................................ 95
Exporting Events to a File ................................................................................. 95
Choosing Active Channel Menu Commands ........................................................... 96
Filtering Active Channels with Inline Filters .......................................................... 98
Customizing Columns .............................................................................................100
Creating a Custom Column ................................................................................100
Showing a Custom Column ................................................................................101
Advanced Example: Creating a Custom Column with Velocity .................................101
Using Dashboards ........................................................................................................102
Monitoring Dashboards ...........................................................................................102
Loading Dashboards .........................................................................................102
Inspecting Events in Dashboards .......................................................................102
Drilling Down to Other Resources .......................................................................103
Displaying Dashboards .....................................................................................104
Displaying Dashboards in a Slide Show Rotation ...................................................104
Rearranging Elements in Dashboard Layouts .......................................................104
Using Dashboard Menu Options .........................................................................104
Zooming In or Out of Dashboards ......................................................................104
Fitting all Dashboard Elements ..........................................................................104
Saving Dashboard Layouts ................................................................................104
Closing a Dashboard ........................................................................................104
Editing Dashboard Elements ..............................................................................104
Changing a Dashboard's Layout .........................................................................104
Managing Dashboards ............................................................................................105
Creating a Dashboard .......................................................................................105
Adding a Data Monitor to a Dashboard ................................................................105
Adding a Query Viewer to a Dashboard ...............................................................105
Display Formats ...............................................................................................106
Editing a Dashboard .........................................................................................107
Deleting a Dashboard .......................................................................................107
Managing Dashboard Groups ...................................................................................107
Creating a Dashboard Group .............................................................................107
Renaming a Dashboard Group ...........................................................................107
Editing a Dashboard Group ...............................................................................107
Moving or Copying a Dashboard Group ...............................................................108
Deleting a Dashboard Group ..............................................................................108
Using Data Monitors .....................................................................................................108
Creating a Data Monitor ..........................................................................................108
Editing a Data Monitor ............................................................................................109
Adding a Drilldown .................................................................................................110
Moving or Copying a Data Monitor ............................................................................111
Deleting a Data Monitor ..........................................................................................111
Enabling or Disabling a Data Monitor ........................................................................111
Enabling or Disabling a Data Monitor from the Editor ............................................112
Enabling or Disabling a Data Monitor in the Navigator ...........................................112
Overriding a Data Monitor's Last State ......................................................................113
Data Monitor Types ................................................................................................113
Managing Data Monitor Groups ................................................................................115
Creating a Data Monitor Group ..........................................................................115
Renaming a Data Monitor Group ........................................................................115
Editing a Data Monitor Group .............................................................................115
Moving or Copying a Data Monitor Group ............................................................116
Deleting a Data Monitor Group ...........................................................................116
Enabling or Disabling Data Monitor Groups ..........................................................116
Using Query Viewers .....................................................................................................116
Using Custom View Dashboards .....................................................................................116
Browser Environments for Custom View Dashboards ...................................................117
Displaying Custom View Dashboards .........................................................................117
To Launch the Custom View Dashboard in a Separate Browser Window ...................118
To Refresh the Custom View Dashboard Layout ....................................................118
Custom View Dashboard Context Menu Options ...................................................118
To Revert to the Regular Dashboard View ...........................................................119
Working with Custom View Dashboards .....................................................................119
To Select View Mode ........................................................................................120
To Show Events in an Active Channel View ..........................................................120
Arranging Custom View Dashboards .........................................................................120
To Select Arrange Mode ....................................................................................120
To Load a Background Image ............................................................................120
To Select a Previously Uploaded Background Image ..............................................121
Using Resource Graphs to Verify that a Background Image is Attached ....................121
Removing a Background Image .........................................................................122
To Relocate, Resize, and Reshape Data Monitors ..................................................122
To Select Which Data Monitors to Display and How ...............................................122
Monitoring Active Lists ..................................................................................................123
Viewing Active List Contents ....................................................................................123
Refreshing Active List Views ....................................................................................123
Adding to or Subtracting from an Active List ..............................................................123
Filtering Active Lists ...............................................................................................123
Editing Active Lists .................................................................................................123
Clearing Active List Views ........................................................................................124
Customizing Active View Grid Columns ......................................................................124
Active List Grid Context Menu Commands ..................................................................124
Graphing Attacks .........................................................................................................124
Creating Static Event Graphs ...................................................................................124
Creating Live Event Graphs .....................................................................................125
Event Graph Notes .................................................................................................126
Chapter 5: Pattern Discovery .......................................................................................... 127
Pattern Discovery Overview ...........................................................................................127
What Pattern Detection Provides ..............................................................................127
Pattern Components ...............................................................................................128
How Pattern Discovery Works ..................................................................................129
Installing Pattern Discovery ...........................................................................................129
Pattern Discovery Life Cycle ...........................................................................................130
Creating or Editing a Profile ...........................................................................................130
Editing Profile Attributes .........................................................................................131
Specifying Actions ..................................................................................................134
Creating Local Variables ..........................................................................................136
Adding Notes .........................................................................................................137
Deleting a Profile ...................................................................................................137
Taking a Snapshot ........................................................................................................137
Exploring a Snapshot ..............................................................................................139
Arranging Elements in Graphic View .........................................................................140
Scheduling a Snapshot ...........................................................................................141
Re-opening a Snapshot ...........................................................................................142
Deleting a Snapshot ...............................................................................................142
Investigating Patterns ...................................................................................................142
Investigating Patterns in the Snapshots View .............................................................143
Investigating Patterns in the Patterns View ................................................................145
Viewing Patterns with Filter .....................................................................................145
Inspecting Patterns ................................................................................................146
Creating Rules from Patterns ...................................................................................147
Annotating Patterns ................................................................................................149
Deleting a Pattern ..................................................................................................150
Usage Guidelines .........................................................................................................150
Establishing a Baseline of Normal Patterns ................................................................150
Using Pattern Discovery in Routine Operations ...........................................................150
Performance Considerations ....................................................................................151
Adjusting Pattern Discovery Memory .........................................................................151
Chapter 6: Field Sets ....................................................................................................... 153
Field Sets ....................................................................................................................154
Navigating to Field Sets ................................................................................................154
Creating and Using Field Sets ........................................................................................154
Creating a Field Set ................................................................................................154
Field Set Editor: Attributes Tab ..........................................................................155
Field Set Editor: Fields Tab ................................................................................155
Field Set Editor: Local Variables Tab ...................................................................159
Editing a Field Set ..................................................................................................159
Sharing a Field Set .................................................................................................160
Deleting a Field Set ................................................................................................161
Where Field Sets can be Selected ...................................................................................161
About Global Variables ..................................................................................................161
Chapter 7: Selecting and Investigating Events ................................................................ 163
Investigating Events in Active Channels ...........................................................................163
Selecting Events to Investigate ................................................................................163
Inverting Event Selections .......................................................................................163
Selecting Events with Matching Cells .........................................................................163
Exporting Data Fields to a CSV File ...........................................................................163
Showing Event Details and Rule Chains ...........................................................................164
Displaying Event Details ..........................................................................................164
Displaying Simple Event Rule Chains ........................................................................164
Displaying Detailed Event Rule Chains .......................................................................165
Displaying Correlation-Event Rules ...........................................................................165
Executing or Clearing Rule Actions ............................................................................165
Launching Event Details in a Browser ........................................................................165
Hiding Empty Rows in the Event Inspector .................................................................165
Investigating Session Events .........................................................................................165
Investigating a Session Event ..................................................................................165
Collaborating on Events ................................................................................................166
Viewing Annotations for an Event .............................................................................166
Annotating an Event ...............................................................................................167
Event Annotation Fields ....................................................................................167
Comments Field ...............................................................................................167
Annotation Preservation ....................................................................................167
Mark Similar Events Fields ................................................................................167
Creating New Stages ..............................................................................................168
Stage Editor Fields ...........................................................................................168
Editing Stages .......................................................................................................169
Showing Event Payloads ................................................................................................169
Finding Payloads ....................................................................................................170
Retrieving Payloads ................................................................................................170
Preserving Payloads ...............................................................................................170
Discarding Payloads ...............................................................................................170
Saving Payloads to Files ..........................................................................................170
Viewing Payloads in Other Viewers ...........................................................................170
Getting Knowledge Base Articles ....................................................................................171
Displaying Articles from the Knowledge Base Window .................................................171
Displaying Articles from an Active Channel .................................................................171
Displaying Articles from the Event Inspector ..............................................................171
Chapter 8: Filtering Events .............................................................................................. 173
Creating Filters ............................................................................................................173
Creating a New Filter ..............................................................................................173
Confidential
ArcSight Console User’s Guide 9
Changing or Editing a Filter .....................................................................................174
Creating an Inline Filter ..........................................................................................175
Moving or Copying Filters ..............................................................................................176
Deleting Filters ............................................................................................................177
Debugging Filters to Match Events ..................................................................................177
Applying Filters ............................................................................................................181
Adding Filters to Resources .....................................................................................181
Applying Resources as Filters to Active Channels ........................................................181
Removing a Filter Condition or Resource ...................................................................181
Importing and Exporting Filters ......................................................................................182
Using Filter Groups .......................................................................................................182
Creating Filter Groups .............................................................................................182
Renaming Filter Groups ..........................................................................................182
Editing Filter Groups ...............................................................................................182
Moving or Copying Filter Groups ...............................................................................183
Deleting Filter Groups .............................................................................................183
Investigating Views ......................................................................................................183
Using an Event Attribute to Show a New Filtered View .................................................184
Refining a Filter with an Event Attribute ....................................................................184
Filtering Out ArcSight Events or Other Customizations ................................................185
Adding an Event Attribute to a Filtering Condition .......................................................185
Permanently Modifying an Active Channel ..................................................................186
Showing an Exploited Vulnerability ...........................................................................186
Showing a Targeted Asset .......................................................................................186
Modifying Views ...........................................................................................................186
Modifying a View Inline ...........................................................................................187
Undoing an Inline Filter ...........................................................................................187
Permanently Modifying a View .................................................................................187
Chapter 9: Actors ............................................................................................................ 189
About Actors ...............................................................................................................189
How the Actors Feature Works .................................................................................191
About the Actor Model Import Connectors .................................................................193
Troubleshooting Errors with Actor Model Imports ........................................................194
Navigating to Actors .....................................................................................................195
Viewing Actors in the ArcSight Console ............................................................................195
Viewing Actors in the Navigator Panel .......................................................................196
Viewing Actors in the Actor Editor ............................................................................197
Viewing Actor Base Attributes ............................................................................197
Viewing Actor Account Attributes .......................................................................199
Viewing Actor Role Attributes ............................................................................199
Viewing Actors in an Actor Channel ..........................................................................199
About the Actor Channel UI .....................................................................................201
Sorting Fields in Actor Channels ...............................................................................201
Actor Channel Options ............................................................................................201
Right-Click Options from the Grid View ...............................................................202
Filtering Actor Channels ..........................................................................................202
Adding a Local Filter to the Actor Channel Resource ..............................................202
Creating an Inline Filter ....................................................................................203
Saving Actor Channels ............................................................................................204
Editing Saved Actor Channels ..................................................................................204
Viewing Saved Actor Channels .................................................................................204
Investigating Actors ......................................................................................................204
Running Context Reports from an Actor Channel ........................................................204
Investigating an Actor from an Event Channel ............................................................206
Actor Context Reports in Standard Content ................................................................207
Creating and Editing Actors for Testing Purposes ..............................................................208
Creating Actors for Testing Purposes .........................................................................209
Editing Actors for Testing Purposes ...........................................................................210
Deleting Actors ......................................................................................................211
Leveraging Actor Data Using Variables ............................................................................211
Creating an Actor Global Variable .............................................................................211
Creating an Actor-Based Variable in Another Resource ................................................212
Creating and Using Category Models ...............................................................................212
Memory Recommendations for Using Category Models ................................................213
Creating Category Models .......................................................................................213
Creating Actor-to-Actor Category Models .............................................................214
Creating Actor Attribute Category Models ............................................................216
Creating User-Defined Category Models ..............................................................218
Editing a Category Model ........................................................................................220
Moving or Copying a Category Model ........................................................................220
Deleting a Category Model .......................................................................................221
Viewing Category Models in Graphs ..........................................................................221
Working with Category Model Graphs .................................................................221
Leveraging Category Model Data Using Variables ........................................................223
Actor-Related Resources Provided in Standard Content ......................................................224
Actor Resource Framework Global Variables ...............................................................224
Tracking Actor Configuration Changes Using Standard Content .....................................227
Actor Configuration Changes: Monitoring ............................................................227
Actor Configuration Changes: Query Viewers .......................................................228
Actor Configuration Changes: Reports ................................................................229
Actor Configuration Changes: Global Variables .....................................................230
Chapter 10: Query Viewers ............................................................................................. 233
What are Query Viewers? ..............................................................................................233
Navigating to Query Viewers ..........................................................................................235
Pre-Built and Custom Query Viewers ...............................................................................235
Standard Content ...................................................................................................235
Custom Query Viewers ...........................................................................................236
Customizing Query Viewers as Needed ......................................................................236
inActiveList Conditions for Queries .....................................................................236
Query Viewers Need Base Queries ............................................................................236
Running Queries and Viewing Results ..............................................................................237
Working with Query Viewer Results ..........................................................................241
Results in Table Format ....................................................................................241
Results in Chart Formats ...................................................................................245
Filtering Query Viewer Results .................................................................................246
Adding a Filter .................................................................................................246
Viewing an Event or Resource Directly from the Query Viewer ......................................247
Troubleshooting Query Viewers ................................................................................248
Adding Query Viewers to Dashboards ..............................................................................248
Making Query Viewer Results Available to ArcSight Web ....................................................248
Adding Query Viewers as Startup Views ..........................................................................248
Generating Reports from Query Viewers ..........................................................................249
Defining and Using Baselines .........................................................................................250
Why Baselines are Useful ........................................................................................251
Planning for Baseline Comparisons ...........................................................................252
Adding a Baseline ..................................................................................................252
Comparing Displayed Results to a Baseline ................................................................253
Show or Hide Baseline Columns .........................................................................255
Sort Baseline Data ...........................................................................................255
Filter Baseline Data ..........................................................................................256
Removing a Baseline ..............................................................................................256
Customizing Query Viewers ...........................................................................................257
Creating a New Query Viewer ..................................................................................257
Defining Query Viewer Settings ................................................................................258
Query Viewer Attributes ....................................................................................258
Query Viewer Fields .........................................................................................262
Query Viewer Variables .....................................................................................264
Query Viewer Drilldowns ...................................................................................265
Editing a Query Viewer .................................................................................................270
Deleting a Query Viewer ................................................................................................271
Example Queries for Common Scenarios .........................................................................271
Basic Analysis High Level Summaries ........................................................................271
Analyst’s First View of Events ............................................................................272
Drilldown Example .................................................................................................274
How the Drilldowns are Built .............................................................................276
Non-Event Analysis Example ...................................................................................276
Baseline Analysis for Data Comparison ......................................................................276
History Analysis Example ........................................................................................277
Chapter 11: Building Reports .......................................................................................... 279
Understanding Reporting Workflow .................................................................................279
Step 1 - Build a Query ............................................................................................280
Step 2 - Build a Trend (Based on a Query) ................................................................280
Step 3 - Build a Query (Based on a Trend) ................................................................281
Step 4 - Select or Design a Report Template ..............................................................281
Step 5 - Create a Report .........................................................................................281
Step 7 - Run a Report .............................................................................................282
Step 8 - Archive and Maintain Reports ......................................................................282
Managing Dependencies for Reports Resources ..........................................................283
Using Report Templates ................................................................................................283
Navigating to Templates .........................................................................................283
Using Standard Templates .......................................................................................284
Applying a Template to an Existing Report ...........................................................284
Creating a New Report Based on a Template .......................................................285
Copying a Template .........................................................................................285
Opening the Designer to Edit a Template ............................................................286
Designing Custom Templates ...................................................................................286
Opening the Template Designer to Edit Existing Templates ....................................286
Creating a New Template ..................................................................................286
Template Designer User Interface ......................................................................287
Setting Report Page Options ..............................................................................294
Designing Report Flow Layout ............................................................................295
Designing Report Tabular Layout ........................................................................296
Building Report Elements into a Template ...........................................................297
Building Queries ...........................................................................................................302
How Queries Work .................................................................................................303
Using Queries and Trends Together for Reports ..........................................................303
Using Queries in Query Viewers ...............................................................................303
Building a Query ....................................................................................................304
Creating a New Query ......................................................................................304
Defining Query Settings ..........................................................................................305
General Query Attributes ..................................................................................305
Query Fields ....................................................................................................307
SELECT Query Fields ........................................................................................309
GROUP BY Query Fields ....................................................................................311
ORDER BY Query Fields ....................................................................................313
Query Conditions .............................................................................................315
Creating Conditions on a Field ...........................................................................316
Creating Group Conditions ................................................................................316
Query Variables ...............................................................................................317
Editing a Query ......................................................................................................317
Building Trends ............................................................................................................318
How Trends Work ...................................................................................................318
Snapshot Trend .....................................................................................................318
Interval Trend .......................................................................................................319
Query-Trend Relationships in Reporting ....................................................................319
Building a Trend ....................................................................................................320
Navigating to Trends ........................................................................................320
Creating a New Trend .......................................................................................320
Defining Trend Settings ..........................................................................................321
Trend Attributes ..............................................................................................321
Trend Schedule ...............................................................................................325
Trend Parameters ............................................................................................326
Trend Actions (Add to Active List) ......................................................................326
Testing a Trend .....................................................................................................332
Viewing Trend Data ................................................................................................332
Refreshing Trend Data ............................................................................................333
Editing or Viewing a Trend Definition ........................................................................334
Using a Trend in a Query or Report ..........................................................................334
Creating Reports ..........................................................................................................335
How Reports Work .................................................................................................335
Building a Report ...................................................................................................336
Navigating to Reports .......................................................................................336
Creating a New Report .....................................................................................336
Defining Report Settings .........................................................................................337
Report Attributes .............................................................................................337
Report Templates ............................................................................................337
Report Data ....................................................................................................340
Report Parameters: Default and Custom .............................................................351
Displaying a Custom Parameter Prompt at Report Runtime ....................................355
Running Large or Complex Reports ....................................................................358
Setup to Generate Reports with Asian Fonts ........................................................360
Editing a Report .....................................................................................................360
End-to-End Reporting Examples .....................................................................................361
Example of Creating a Simple Report with the Wizard .................................................361
Advanced Reporting Example Overview .....................................................................364
Step 1 - Build the VPN Logins Outcome Query .....................................................365
Step 2 - Build the VPN Logins Outcome Hourly Trend ............................................367
Step 3 - Filter the Trend Data (Login Attempts, Successes, Failures) .......................369
Step 4 - Create the VPN Logins Outcome Report on Trend Data .............................370
Step 5 - Run the Report ....................................................................................374
Chapter 12: Running and Managing Reports ................................................................... 377
Running Reports ..........................................................................................................377
Running a New or Archived Report ...........................................................................377
Running a Defined Report .................................................................................378
Run-Report Options ..........................................................................................379
Report Parameters ...........................................................................................379
Displaying an Archived Report ...........................................................................379
Running a Delta Report ...........................................................................................379
Running Reports from a Grid View ............................................................................380
Running a Rule-Context Report from a Grid View .................................................380
Running an Event Context Report from a Grid View ..............................................380
Running a Channel Report from a Grid View ........................................................381
Managing Reports ........................................................................................................381
Editing a Report .....................................................................................................381
Creating Focused Reports ........................................................................................381
Importing and Exporting Reports .............................................................................382
Importing Reports ............................................................................................382
Exporting Reports ............................................................................................382
Moving or Copying a Report .....................................................................................382
Managing Report Groups .........................................................................................383
Creating a Report Group ...................................................................................383
Renaming a Report Group .................................................................................383
Editing a Report Group .....................................................................................383
Moving or Copying a Report Group .....................................................................383
Deleting a Report Group ...................................................................................384
Archiving and Scheduling Reports ...................................................................................384
Archiving a Report .................................................................................................384
Parameterized Report Entries ............................................................................386
Viewing an Archived Report .....................................................................................387
Scheduling Report Tasks .........................................................................................387
Scheduling Individual-Report Archiving ...............................................................387
Scheduling Report Archiving by Resource Group ...................................................389
Standard Time Transitions ................................................................................390
Editing a Report Archiving Schedule ..........................................................................390
Editing Report Archiving Parameters .........................................................................390
Deleting a Report Archiving Schedule ........................................................................391
Chapter 13: Rules Authoring ........................................................................................... 393
Designing Rules ...........................................................................................................393
Managing Rules ............................................................................................................394
Creating Rules .......................................................................................................394
Editing Rules .........................................................................................................395
Moving or Copying Rules .........................................................................................395
Converting Standard and Lightweight Rules ...............................................................395
Deleting Rules .......................................................................................................396
Managing Rule Groups ..................................................................................................396
Creating Rule Groups .............................................................................................396
Renaming Rule Groups ...........................................................................................396
Editing Rule Groups ................................................................................................397
Moving or Copying Rule Groups ...............................................................................397
Deleting Rule Groups ..............................................................................................397
Specifying Rule Conditions .............................................................................................397
Creating New Rule Conditions ..................................................................................397
Adding Filter Conditions ..........................................................................................398
Adding Asset Conditions ..........................................................................................399
Adding Vulnerability Conditions ................................................................................399
Adding Active List (InActiveList) Conditions ...............................................................400
Creating Matching or Join Conditions ........................................................................402
Editing or Deleting Join Data Field Conditions .............................................................404
Negating Event Conditions ......................................................................................404
Specifying Rule Thresholds and Aggregation ....................................................................405
Setting or Changing Rule Thresholds ........................................................................405
Aggregation Time Criteria .......................................................................................406
Deleting Aggregation from a Rule .............................................................................407
Creating Rule Actions ....................................................................................................408
Adding a Rule Action ..............................................................................................408
Editing a Rule Action ..............................................................................................409
Removing a Rule Action ..........................................................................................409
Activating or De-activating a Rule Trigger ..................................................................409
Enabling or Disabling a Rule Action ...........................................................................410
Threshold Triggering Options ...................................................................................410
Rule Actions Reference ...........................................................................................412
Applying Rule Actions ...................................................................................................418
More Rule Actions ..................................................................................................418
Enabling and Disabling Rules .........................................................................................419
Enabling Rules .......................................................................................................419
Disabling Rules ......................................................................................................420
Automatically and Manually Disabled Rules ................................................................420
Disabling Rule Components .....................................................................................421
Importing and Exporting Rules .......................................................................................421
Scheduling Rules ..........................................................................................................421
Scenarios for Using Scheduled Rules .........................................................................422
Scheduling a Rule Group .........................................................................................422
Example of a Scheduled Rule (Badge Swipes and Logins) ............................................424
Testing Rules ........................................................................................................426
Testing a Rule from the Rule Editor ....................................................................427
Showing Rule Errors .........................................................................................428
Verifying Rule(s) with Events .........................................................................................428
Verify Rule(s) from the Resource Tree .......................................................................429
Deploying Real-time Rules .............................................................................................431
Deploying a Rule ....................................................................................................432
Removing or Un-deploying a Rule .............................................................................432
Loading Rules ..............................................................................................................432
Automatic Disabling ................................................................................................433
Chapter 14: Global Variables ........................................................................................... 435
About Global Variables ..................................................................................................435
Creating a Global Variable .............................................................................................436
Global Variable Editor: Attributes Tab .......................................................................437
Global Variable Editor: Parameters Tab .....................................................................437
Global Variable Editor: Local Variables Tab ................................................................437
Promoting a Local Variable to a Global Variable ................................................................438
Editing a Global Variable ...............................................................................................441
Moving or Linking a Global Variable ..........................................................................441
Deleting a Global Variable .......................................................................................441
Navigating to Global Variables ........................................................................................442
Adding a Global Variable to a Resource ...........................................................................442
Accessing a Global Variable Using the CCE .................................................................443
Adding a Global Variable to a Data Monitor ................................................................443
Adding a Global Variable to a Field Set ......................................................................445
Adding Global Variables to an Active Channel .............................................................446
Chaining a Global Variable .............................................................................................446
Global Variables in Standard Content ..............................................................................447
Actors Global Variables ...........................................................................................447
Variables Library ....................................................................................................448
Device, Protocol, and Total Bytes Global Variables ................................................448
Asset Information Global Variables .....................................................................448
Host Information Global Variables ......................................................................448
Timestamp Formats Global Variables ..................................................................448
User Information Global Variables ......................................................................448
Remote Variables ...................................................................................................448
Chapter 15: Use Cases .................................................................................................... 449
About Use Cases ..........................................................................................................449
Navigating to Use Cases ................................................................................................451
Master Use Cases .........................................................................................................451
How Master Use Cases Work ....................................................................................452
Standard Use Cases ......................................................................................................452
Installing Use Cases .....................................................................................................453
Viewing and Using Use Cases .........................................................................................454
Accessing Resources from the Viewer Panel ...............................................................455
Configuring Use Cases ..................................................................................................455
Navigating the Use Case Configuration Wizard ...........................................................456
Step 1 - Model Your Network ...................................................................................456
Step 2 - Install Use Case Package Bundles ................................................................457
Step 3 - Launch the Use Case Wizard .......................................................................457
Step 4 - Introduction Panel .....................................................................................457
Step 5 - Prerequisites Panel .....................................................................................458
Step 6 - Confirm Event Sources Panel .......................................................................458
Step 7 - Configuration Panels ..................................................................................459
Step 8 - Summary of Settings to Apply Panel .............................................................460
Step 9 - Configuration Complete Panel ......................................................................462
Configuration Panels .....................................................................................................462
Categorize Assets/Zones Panels ...............................................................................463
Populate Active List ...............................................................................464
Specify the Notification E-mail Address Panel .............................................................466
Set the Inactivity Time Period Panel .........................................................................468
Set the Notification Rate Panel .................................................................................468
Schedule Daily Report Panels ...................................................................................469
Schedule Weekly Report Panels ...............................................................471
Schedule Monthly Report Panels ..............................................................473
Schedule Yearly Report Panels .................................................................................475
Enable Rules Panel .................................................................................................476
Enable Rule Actions Panel .......................................................................................477
Set Session List Entry Expiry Panel ...........................................................................478
Chapter 16: Identity Correlation ..................................................................................... 481
Understanding Session Correlation .................................................................................481
How Session Correlation Works ................................................................................481
Creating a Session List Rule ..............................................................................482
Creating a Variable ..........................................................................................484
Managing Session Lists .................................................................................................485
Creating a Session List ...........................................................................................485
Editing Session Lists ...............................................................................................487
Moving or Copying Session Lists ...............................................................................487
Exporting Session Lists ...........................................................................................488
Deleting Session Lists .............................................................................................488
Adding a Session List Entry .....................................................................................488
Adding a Session List Entry Based on an Existing Entry ...............................................488
Deleting a Session List Entry ...................................................................................488
Terminating a Session List Entry ..............................................................................489
Using Session Lists to Correlate Session Data on User Logins (Example) ..............................489
Example Overview .................................................................................................489
Step 1 - Create a Session List to Store Windows Sessions ............................................490
Step 2 - Create Rules to Populate the Session List with Windows Logins ........................491
Rule 1: Triggers on Windows Session Logins ........................................................492
Rule 2: Triggers on Termination of Windows Sessions ...........................................494
Step 3 - Verify Rules ..............................................................................................496
Step 4 - Use the Session List in a Report ...................................................................498
Using Active Lists to Correlate Users (Example) ................................................................499
Example Overview .................................................................................................500
Step 1 - Build and Populate the Active List with User IDs .............................................500
Populating an Active List with User Data .............................................................501
Step 2 - Create a Rule that Uses Active List Values to Correlate User IDs .......................503
Chapter 17: List Authoring .............................................................................................. 509
Managing Active Lists ...................................................................................................509
Creating an Active List ............................................................................................509
Case-Insensitive Lookup in Active Lists .....................................................................513
Using Rules to Populate an Active List .......................................................................514
Example .........................................................................................................514
Editing an Active List ..............................................................................................517
Editing Active List Entries ........................................................................................517
Move or Copy an Active List .....................................................................................517
Importing an Active List ..........................................................................................518
Exporting an Active List ..........................................................................................518
Deleting an Active List ............................................................................................518
Managing Active List Groups ..........................................................................................518
Navigating to Active Lists ........................................................................................519
Creating an Active List Group ...................................................................................519
Renaming Active List Groups ...................................................................................519
Editing Active List Groups ........................................................................................519
Moving or Copying Active List Groups .......................................................................519
Deleting Active List Groups ......................................................................................519
Managing Session Lists .................................................................................................520
Creating a Session List ............................................................................................520
Using Rules to Populate a Session List .......................................................................522
Editing a Session List ..............................................................................................522
Moving or Copying a Session List .............................................................................522
Exporting a Session List ..........................................................................................523
Deleting a Session List ............................................................................................523
Adding a Session List Entry .....................................................................................523
Adding a Session List Entry Based on an Existing Entry .........................................523
Adding a New Session List Entry ........................................................................523
Deleting a Session List Entry ...................................................................................524
Terminating a Session List Entry ..............................................................................524
Field Naming Restrictions ..............................................................................................524
Chapter 18: Case Management and Queries .................................................................... 527
Managing Cases ...........................................................................................................527
Create a New Case .................................................................................................528
Case Properties ...............................................................................................528
Creating a Case from Displayed Events .....................................................................529
Editing a Case .......................................................................................................529
Finding Cases ........................................................................................................530
Attaching a File to a Case ........................................................................................530
Viewing a Case Attachment ....................................................................................531
Adding Events to a Case .........................................................................................531
Showing Event Details for Cases in Channels .............................................................532
Deleting Events from a Case ....................................................................................532
Creating a Channel for a Case ..................................................................................532
Exporting a Case to an External System ....................................................................533
Moving or Copying a Case .......................................................................................533
Deleting a Case .....................................................................................................533
Managing Case Groups .................................................................................................533
Creating a Case Group ............................................................................................533
Renaming a Case Group ..........................................................................................534
Editing a Case Group ..............................................................................................534
Moving or Copying a Case Group ..............................................................................534
Deleting a Case Group ............................................................................................534
Running Case Queries ...................................................................................................534
Setting Up an Automatic Case Query Group ...............................................................534
Setting Up a Case Search Group ..............................................................................535
Chapter 19: Integration Commands ............................................................................... 537
What are Integration Commands? ..................................................................................537
Supported Command Types .....................................................................................538
Out-of-the-Box Commands for ArcSight Logger™ and ArcSight™ NSP (ArcSight™ TRM Component) ....................................................................................................................538
Local Scripts and Commands to Other Applications .....................................................539
How it Works .........................................................................................................539
Planning Checklist and Workflow ....................................................................................540
Navigating to Integration Command Resources ................................................................541
Quick Example .............................................................................................................541
Defining Commands .....................................................................................................544
Command Types and Attributes ...............................................................................545
Script Commands ............................................................................................545
URL Commands ...............................................................................................546
Connector Commands ......................................................................................547
Adding and Editing Command Parameters ...........................................................548
TRM Connector Command Example ....................................................................550
Using Configurations to Group Commands .......................................................................552
Configurations Attributes .........................................................................................554
Configurations Contexts ..........................................................................................555
How to Set Up Command Contexts .....................................................................555
Configurations Commands .......................................................................................556
Adding a Command to a Configuration ................................................................557
Editing Commands in a Configuration .................................................................557
Removing Commands from a Configuration .........................................................557
Configuration Targets .............................................................................................557
Adding a Target to a Configuration .....................................................................558
Editing Targets in a Configuration ......................................................................558
Removing Commands from a Configuration .........................................................558
Specifying Targets ........................................................................................................559
Target Attributes .............................................................................................559
Target Integration Parameters ...........................................................................560
Authorization and Authentication Settings ........................................................................560
Setting User Login Parameters .................................................................................561
Setting Login Credentials ..................................................................................561
Setting Login Credentials on Target Servers ........................................................561
Setting Logins and Other Parameters to Prompt for Values at Runtime ..........................562
Access Control Lists (ACLs) on Integration Commands ................................................563
Running Integration Commands .....................................................................................564
Entering/Saving Command Parameters at Runtime .....................................................564
Creating New Configurations On-the-Fly ....................................................................565
Ready-Made ArcSight Threat Response Manager (TRM) Commands .....................................565
Prerequisites .........................................................................................................565
Options for Up-Front or On-the-Fly Configuration .......................................................566
TRM Integration Commands ....................................................................................566
Enabling TRM Commands ........................................................................................567
Step 1 - Set up the Command Targets ................................................................567
Step 2 - Set up the Command Configuration ........................................................568
Step 3 - Set up Users for TRM Access .................................................................568
Understanding NSP Authentication ...........................................................................569
How to Get an NSP Authentication Token ............................................................569
Examples of Running TRM URL Commands ................................................................570
Attacker-Target Network Map ............................................................................571
Investigate Node .............................................................................................571
Going Further with TRM Command Results ..........................................................572
ArcSight Logger Search Commands ...............................................................................572
Logger Integration Commands .................................................................................573
Enabling Integrated Logger Searches ........................................................................573
1. Set up Logger Command Targets ...................................................................573
2. Set up the Logger Command Configuration ......................................................574
3. Set up Users for Logger Access ......................................................................574
Example of Running a Logger Quick Search ...............................................................575
Network Tools as Integration Commands .........................................................................576
Chapter 20: Knowledge Base Authoring .......................................................................... 579
Managing Knowledge Base Articles .................................................................................579
Creating Knowledge Base Articles .............................................................................579
Showing a Knowledge Base Article ...........................................................................580
Editing a Knowledge Base Article ..............................................................................581
Moving or Copying a Knowledge Base Article .............................................................581
Deleting a Knowledge Base Article ............................................................................581
Managing Knowledge Base Article Groups ........................................................................581
Creating a Knowledge Base Article Group ..................................................................581
Renaming a Knowledge Base Article Group ................................................................582
Editing a Knowledge Base Article Group ....................................................................582
Moving or Copying a Knowledge Base Article Group ....................................................582
Deleting a Knowledge Base Article Group ..................................................................582
Getting Knowledge Base Updates ...................................................................................582
Refreshing the Knowledge Base Tree ........................................................................582
Associating Knowledge Base Articles ...............................................................................582
Associating Resources with Knowledge Base Groups or Articles ....................................583
Associating Grid View Elements with Knowledge Base Articles ......................................583
Chapter 21: Managing Users and Permissions ................................................................. 585
Managing Users ...........................................................................................................585
Handling Users ......................................................................................................585
Creating a User ...............................................................................................585
Editing a User .................................................................................................587
Resetting User Passwords .................................................................................587
Moving or Linking a User ...................................................................................588
Deleting a User ................................................................................................588
About the System User ...........................................................................................589
Handling User Groups .............................................................................................590
Creating User Groups .......................................................................................590
Renaming User Groups .....................................................................................590
Editing User Groups .........................................................................................590
Moving or Linking User Groups ..........................................................................590
Deleting User Groups .......................................................................................591
Setting Startup Views .......................................................................................591
Managing Permissions and Resources .............................................................................591
Editing Access Control Lists (ACLs) ...........................................................................591
22
ArcSight Console User’s Guide
Confidential
Granting or Removing Resource Permissions .......................................................592
Granting or Removing Operations Permissions .....................................................594
Granting or Removing User Group Permissions ....................................................596
Granting or Removing Event Permissions ............................................................597
Granting or Removing Sortable Field Sets Permissions ..........................................599
Sharing Resources .................................................................................................601
Controlling Who Has Permissions to Deploy Data Monitors ...........................................601
How Upgrades Affect Data Monitor Deploy Permissions .........................................603
Deployment Permissions on Imported Data Monitors ............................................603
Managing Notifications ..................................................................................................603
Managing Received Notifications ..............................................................................603
Managing Notification Groups and Levels ...................................................................604
Creating Notification Groups ..............................................................................604
Renaming Notification Groups ............................................................................605
Editing Notification Groups ................................................................................605
Deleting Notification Groups ..............................................................................605
Adding Escalation Levels ...................................................................................605
Deleting Escalation Levels .................................................................................605
Managing Notification Destinations ...........................................................................605
Creating Destinations .......................................................................................605
Editing Destinations .........................................................................................606
Moving or Copying Destinations .........................................................................606
Deleting Destinations .......................................................................................606
Changing Notification and Acknowledgement Settings .................................................607
Changing E-mail Settings ..................................................................................607
Adding New Pager Service Providers ...................................................................608
Editing Pager Service Provider Settings ...............................................................608
Deleting Pager Service Providers ........................................................................608
Changing Wait Time Settings .............................................................................608
Testing Notification Groups and Destinations ..............................................................608
Testing Group Notifications ...............................................................................609
Testing Destination Notifications ........................................................................609
Chapter 22: Managing Resources .................................................................................... 611
Managing File Resources ...............................................................................................611
Uploading Files and Creating a File Resource ..............................................................612
Viewing Files .........................................................................................................614
Downloading Files Locally ........................................................................................614
Editing File Resource Attributes ................................................................................614
Replacing File Resource Contents .............................................................................614
Deleting File Resources ...........................................................................................614
Adding a File or Folder to a Package .........................................................................615
Finding Files ..........................................................................................................615
Locking and Unlocking Resources ...................................................................................615
System Core Content .............................................................................................615
User Created Content .............................................................................................616
Unlocking a User-locked Resource ......................................................................616
Selecting Resources ......................................................................................................616
Finding Resources ........................................................................................................617
Searching for System Resources ..............................................................................617
Search Field on Console Tool Bar .......................................................................617
Query Options .................................................................................................619
Result Columns ...............................................................................................620
Locating Specific Resources ...............................................................................620
Visualizing Resources ....................................................................................................620
Graphing Resources ...............................................................................................620
Using Graphs .........................................................................................................621
Configuring Resource Graphs ...................................................................................622
Viewing Resources in Grids ............................................................................................623
Validating Resources ....................................................................................................623
Valid and Invalid Resources .....................................................................................624
Fixing and Validating Resources ...............................................................................624
Troubleshooting (Requirements for Valid Resources) ...................................................626
Automatic and Manual Validation ..............................................................................628
Resource Validation During Upgrade .........................................................................629
Extending Audit Event Logging .......................................................................................629
Saving Copies of Read-Only Resources ............................................................................630
Common Resource Attribute Fields .................................................................................630
Common ...............................................................................................................631
Assign ..................................................................................................................631
Parent Groups .......................................................................................................632
Creation Information ..............................................................................................632
Last Update Information .........................................................................................632
Managing Packages ......................................................................................................633
Creating Packages ..................................................................................................633
Exporting Packages ................................................................................................636
Importing Packages ................................................................................................636
Backing Up and Restoring with Packages ...................................................................637
ID Checking During Import ...............................................................................637
Package Modifications .......................................................................................638
List Data .........................................................................................................638
Backup and Restore Summary ...........................................................................639
Installing Packages ................................................................................................639
Uninstalling Packages .............................................................................................640
Deleting Packages ..................................................................................................640
Editing Packages ....................................................................................................641
Adding Resources to Packages .................................................................................641
Removing Resources from Packages .........................................................................641
Resolving Package Conflicts .....................................................................................641
Chapter 23: Managing SmartConnectors ......................................................................... 643
Selecting and Setting SmartConnector Parameters ...........................................................643
Configuring the SmartConnector ..............................................................................643
Connector Editor Option Tabs ..................................................................................644
Connector Tab Configuration Fields ...........................................................................645
Default Content Tab Configuration Fields ...................................................................646
SmartConnector Processing Categories .....................................................................659
SmartConnector Time Interval Options ......................................................................659
Managing SmartConnector Filter Conditions .....................................................................660
Creating SmartConnector Filters ...............................................................................660
Adding SmartConnector Filter Conditions ...................................................................660
Deleting SmartConnector Filter Conditions .................................................................661
Setting Special Severity Levels .......................................................................................661
Configuring a Conditional or Custom Severity Level ....................................................661
Sending Model Mappings to SmartConnectors ..................................................................663
Sending Model Mappings to a Connector ...................................................................663
Sending Control Commands to SmartConnectors ..............................................................663
Getting Status Reports ............................................................................................663
Sending Flow-Control Commands .............................................................................663
Managing SmartConnector Groups ..................................................................................670
Creating SmartConnector Groups .............................................................................670
Renaming SmartConnector Groups ...........................................................................670
Editing SmartConnector Groups ...............................................................................671
Moving or Copying SmartConnector Groups ...............................................................671
Deleting SmartConnector Groups .............................................................................671
Managing SmartConnector Resources .............................................................................671
Moving or Copying a SmartConnector Group ..............................................................671
Deleting a SmartConnector Group ............................................................................672
Importing and Exporting SmartConnector Configurations ...................................................672
Importing a SmartConnector Configuration ................................................................672
Exporting a SmartConnector Configuration ................................................................673
SmartConnector Filters ...........................................................................................674
Using Additional Data Fields ...........................................................................................674
Upgrading SmartConnectors ..........................................................................................674
Overview of the Upgrade Process .............................................................................674
Upgrading SmartConnectors ....................................................................................676
Rolling back to a Previous Version ...........................................................................677
Troubleshooting .....................................................................................................677
Getting Status and Versions on Installed SmartConnectors ..........................................677
Getting Status on a SmartConnector ..................................................................677
SmartConnector Dashboards .............................................................................678
Chapter 24: Modeling the Network .................................................................................. 679
About the Network Model ..............................................................................................679
Network Model ......................................................................................................680
Assets ............................................................................................................681
Asset Ranges ..................................................................................................683
Zones ............................................................................................................684
Networks ........................................................................................................685
Asset Model ..........................................................................................................685
Locations ........................................................................................................685
Vulnerabilities .................................................................................................686
Asset Categories ..............................................................................................686
Populating the Network Model with Assets .......................................................................687
ArcSight Console-Based Methods .............................................................................687
Individually Using Network Modeling Resources ...................................................688
In a Batch Using the Network Modeling Wizard ....................................................688
SmartConnector-Based Methods ..............................................................................688
Using the Asset Model Import FlexConnector .......................................................689
Automatically From a Vulnerability Scanner Report ...............................................689
ArcSight-Assisted Methods ......................................................................................690
As an Archive File From an Existing Configuration Database ...................................690
Populating the Network Model Using the Wizard ...............................................................690
Specifying CSV Column Types ..................................................................................691
Specify the Column Type Using a Header ............................................................691
Specifying Multiple Categories in one Category Column .........................................692
Assign the Column Type in the Wizard ................................................................692
Zones CSV File Format ...........................................................................................694
An Example of a Zones CSV File .........................................................................695
Assets CSV File Format ...........................................................................................695
An Example of an Assets CSV File ......................................................................697
Static Addressing in a Dynamic Zone ..................................................................697
Asset Ranges CSV File Format .................................................................................697
An Example of an Asset Ranges CSV File .............................................................698
Increasing the Number of Rows Displayed .................................................................698
Summary of Data to Import ....................................................................................699
Network Data Imported into Manager .......................................................................699
Auto-Zoning of Imported Assets ........................................................................699
Working with Assets, Locations, Zones, Networks, Vulnerabilities, and Categories .................700
Managing Assets ..........................................................................................................700
Creating an Asset ...................................................................................................701
Editing an Asset .....................................................................................................701
Moving or Copying an Asset .....................................................................................702
Deleting an Asset ..................................................................................................702
Showing Assets in a Channel ...................................................................................702
Auto Zoning an Asset .............................................................................................702
Managing Asset Groups ...........................................................................................703
Creating an Asset Group ...................................................................................703
Renaming an Asset Group .................................................................................703
Editing an Asset Group .....................................................................................703
Moving or Copying an Asset Group .....................................................................703
Deleting an Asset Group ...................................................................................704
Asset Scalability .....................................................................................................704
Viewing Assets in Active Channels ......................................................................704
Finding Assets .................................................................................................704
Selecting Assets in the Common Conditions Editor .....................................................704
Managing Vulnerabilities ................................................................................................705
Vulnerability Editor .................................................................................................706
Creating a Vulnerability ...........................................................................................706
Editing a Vulnerability .............................................................................................706
Moving or Copying a Vulnerability .............................................................................707
Retrieving Vulnerable Assets ....................................................................................707
Adding an Asset to a Vulnerability ............................................................................707
Deleting an Asset From a Vulnerability ......................................................................707
Deleting a Vulnerability ...........................................................................................707
Managing Vulnerability Groups .................................................................................708
Creating a Vulnerability Group ...........................................................................708
Renaming a Vulnerability Group .........................................................................708
Editing a Vulnerability Group .............................................................................708
Moving or Copying a Vulnerability Group .............................................................708
Deleting a Vulnerability Group ...........................................................................708
Selecting Vulnerabilities in the Common Conditions Editor ...........................................708
Reporting on Output from Vulnerability Scanners ........................................................709
Reporting on Asset Vulnerabilities ............................................................................710
Managing Zones ...........................................................................................................710
Managing Networks ......................................................................................................711
Managing Asset Categories ............................................................................................711
Managing Locations ......................................................................................................712
Managing Customers ....................................................................................................713
Creating Customers ................................................................................................713
Editing Customers ..................................................................................................713
Deleting Customers ................................................................................................713
Chapter 25: Personalizing the ArcSight Console .............................................................. 715
Changing the Console Display ........................................................................................715
Resizing the Console ..............................................................................................715
Showing or Hiding Menu Bars and Tools ....................................................................715
Showing or Hiding the Status Bar .............................................................................715
Showing or Hiding the Navigator Panel ......................................................................715
Showing or Hiding the Viewer Panel ..........................................................................716
Showing or Hiding the Inspect/Edit Panel ..................................................................716
Floating a Console Panel .........................................................................................716
Applying Translucency to a Console Panel ..................................................................716
Docking a Console Panel .........................................................................................716
Closing a Console Panel ..........................................................................................716
Changing User Preferences ............................................................................................716
Changing Your Password .........................................................................................717
Changing Other Users' Passwords .............................................................................717
Setting Program Preferences ...................................................................................717
Changing Global Options Like Panel and Editor Characteristics .....................................718
Setting Grid View Options .......................................................................................719
Setting Date and Time Formats ................................................................................720
Configuring Event Graphs ........................................................................................721
Latitude and Longitude Options ................................................................................721
Event Graph Options ..............................................................................................722
Setting Notification Popups ......................................................................................723
Managing Hot Keys ................................................................................................723
Adding Shortcuts for Frequently Used Resources ..................................................723
Modifying a Custom Shortcut .............................................................................725
Removing a Custom Shortcut ............................................................................727
Activating a New Shortcut Schema .....................................................................728
Sharing Custom Shortcut Schemas .....................................................................729
Saving and Sending Settings .........................................................................................729
Saving a File .........................................................................................................729
Saving a File to the ArcSight Manager .......................................................................729
Loading a File From the ArcSight Manager .................................................................729
Sending a File by E-mail .........................................................................................730
Chapter 26: Reference Guide .......................................................................................... 731
Access Control Lists ......................................................................................................731
Resource ACLs .......................................................................................................731
Actions .......................................................................................................................732
Active Channels ...........................................................................................................733
Active Channel Views ..............................................................................................733
Active Channel Headers ..........................................................................................734
Comparisons .........................................................................................................734
Active Channel Views for Assets and Cases ................................................................734
Active Lists ..................................................................................................................735
Uses of Active Lists ................................................................................................735
Active Lists for Long-Term State Retention ................................................................736
Optimize Data with Hash-Based Active Lists ...............................................................736
Active List Audit Events ...........................................................................................736
Active List Monitor Events .......................................................................................737
Active Lists with Values ...........................................................................................737
Using Variables to Retrieve Data from Active Lists with Values ...............................738
Example: Active List with Values to Store Directory Information .............................738
Working with Active Lists ........................................................................................741
Administrator ..............................................................................................................741
Advanced Editor ...........................................................................................................741
Aggregation .................................................................................................................742
ArcSight Web ...............................................................................................................743
Assets ........................................................................................................................743
Assets Tab ............................................................................................................743
Zones Tab .............................................................................................................744
Networks Tab ........................................................................................................744
Categories Tab ......................................................................................................744
Vulnerabilities Tab ..................................................................................................745
Locations Tab ........................................................................................................745
Asset Auto-Creation ......................................................................................................745
Creating Assets from a Vulnerability Scan Report .......................................................746
Creating Assets from a Vulnerability Scan Report for Static Zones ..........................746
Creating Assets from a Vulnerability Scan Report for Dynamic Zones ......................746
Creating Assets for SmartConnectors ........................................................................747
Creating Assets for SmartConnectors in Static Zones ............................................748
Creating Assets for SmartConnectors in Dynamic Zones ........................................749
Creating Assets for Network Devices .........................................................................750
Creating Assets for Network Devices in Static Zones .............................................751
Creating Assets for Network Devices in Dynamic Zones .........................................751
Asset Names .........................................................................................................752
Naming Assets from Scanner Events ...................................................................752
Naming SmartConnector and Device Assets .........................................................752
Asset Auto-Creation Advanced Configuration Options ..................................................752
Asset Auto-Creation from Scanners in Dynamic Zones ..........................................753
Changing the Default Naming Scheme ................................................................755
Attack ........................................................................................................................756
Audit Events ................................................................................................................756
Resources (Configuration Events Common to Most Resources) .....................................756
Active Channel .......................................................................................................758
Active List .............................................................................................................758
Actor ....................................................................................................................758
Authentication .......................................................................................................758
Archive .................................................................................................................760
Authorization .........................................................................................................760
Connectors ...........................................................................................................760
Connector Connection ......................................................................................760
Connector Exceptions .......................................................................................761
Connector Login ..............................................................................................762
Connector Registration and Configuration ............................................................762
Dashboard ............................................................................................................763
Data Monitors ........................................................................................................763
Last State Data Monitors ...................................................................................763
Moving Average Data Monitor ............................................................................763
Reconciliation Data Monitor ...............................................................................764
Statistical Data Monitor ....................................................................................764
Top Value Counts Data Monitor ..........................................................................764
Global Variables .....................................................................................................764
Group Management ................................................................................................765
License Audit .........................................................................................................765
Manager Activation ................................................................................................766
Manager Database Error Conditions ..........................................................................766
Manager External Event Flow Interruption .................................................................766
Notifications ..........................................................................................................766
Notification .....................................................................................................766
Notification Acknowledgement, Escalation, and Resolution .....................................767
Notification Testing ..........................................................................................767
Pattern Discovery ...................................................................................................768
Query Viewers .......................................................................................................768
Reports ................................................................................................................768
Resource Quota .....................................................................................................768
Rules ....................................................................................................................769
Rule Actions ...................................................................................................769
Rule Activations ...............................................................................................769
Rules Scheduled ..............................................................................................769
Rule Firings .....................................................................................................770
Rule Warnings .................................................................................................770
Scheduler .............................................................................................................770
Scheduler Execution .........................................................................................770
Scheduler Scheduling Tasks ..............................................................................771
Scheduler Skip ................................................................................................771
Session Lists .........................................................................................................772
Stress ..................................................................................................................772
Trends ..................................................................................................................772
Trends ...........................................................................................................772
Trend Partitions ...............................................................................................773
User Login ............................................................................................................774
User Management ..................................................................................................774
Batching .....................................................................................................................774
Case Editor Tab Fields ...................................................................................................774
Case Editor Events Tab ...........................................................................................776
Case Editor Attachments Tab ...................................................................................776
Case Editor Final - Attack Agent Tab .........................................................................776
Case Editor Final - Attack Mechanism Tab ..................................................................776
Case Editor Final - Incident Information Tab ..............................................................777
Case Editor Final - Other Tab ...................................................................................777
Case Editor Final - Vulnerability Tab .........................................................................777
Case Editor Follow-Up Tab .......................................................................................778
Case Editor Initial - Attributes Tab ............................................................................778
Case Editor Initial - Description Tab ..........................................................................779
Case Editor Initial - Security Classification Tab ...........................................................779
Case Editor Notes Tab ............................................................................................780
Cases .........................................................................................................................780
Case Groups ..........................................................................................................781
Categories ...................................................................................................................781
Event Categories ....................................................................................................781
Asset Categories ....................................................................................................781
Collaboration ...............................................................................................................782
Common Conditions Editor (CCE) ...................................................................................782
Editor Features ......................................................................................................783
Condition Tree Command Buttons ............................................................................784
Condition Tree Context Menu Commands ..................................................................785
Adding Conditions ..................................................................................................789
Search Box to Find Fields in the List ...................................................................790
Field Comparisons with Variable or Static Values ..................................................792
Using Field Sets .....................................................................................................792
Adding or Removing Global Variables Using the CCE ...................................................793
Testing for Zone Relevance .....................................................................................795
How to Create a Matching or Join Rule ......................................................................795
Conditional Statements .................................................................................................796
ArcSight Variables ..................................................................................................797
Conditions ...................................................................................................................797
Parameterized Conditions ........................................................................................797
ArcSight Console ..........................................................................................................799
Content ......................................................................................................................799
Content Packages ..................................................................................................799
Custom Content .....................................................................................................800
SmartConnector Content .........................................................................................800
CORR Engine ...............................................................................................................800
Correlation ..................................................................................................................801
Correlation Rule ...........................................................................................................801
Customers ..................................................................................................................802
Dashboards .................................................................................................................802
Dashboard Context Menu Commands ........................................................................802
Data Fields ..................................................................................................................803
Connector Group ....................................................................................................804
Attacker Group ......................................................................................................807
Category Group .....................................................................................................810
Destination Group ..................................................................................................811
Device Group ........................................................................................................814
Device Custom Group ............................................................................................817
Event Group ..........................................................................................................819
Event Annotation Group ..........................................................................................823
File Group .............................................................................................................826
Final Device Group .................................................................................................827
Flex Group ............................................................................................................829
Manager Group ......................................................................................................830
Old File Group .......................................................................................................830
Original Connector Group ........................................................................................831
Request Group ......................................................................................................833
Source Group ........................................................................................................834
Target Group .........................................................................................................838
Threat Group .........................................................................................................841
Resource Attributes ................................................................................................841
Geographical Attributes ..........................................................................................842
Data Monitors ..............................................................................................................842
Asset Category Count Data Monitor ..........................................................................843
Event Correlation Data Monitor ................................................................................844
Event Graph Data Monitor .......................................................................................846
Event Reconciliation Data Monitor ............................................................................847
Correlation-Event-Generating Fields ...................................................................849
Geographic Event Graph Data Monitor ......................................................................850
Hierarchy Map Data Monitor ....................................................................................850
Feature Enhancements .....................................................................................851
Use Cases .......................................................................................................851
Defining a Hierarchy Map Data Monitor ...............................................................852
Adding Variables ..............................................................................................853
Specifying the Source Node Identifiers ................................................................853
Specifying Group Attributes ...............................................................................855
Hierarchy Map Display and Visualization Controls .................................................856
Hourly Counts Data Monitor .....................................................................................859
Last N Events Data Monitor .....................................................................................860
Last State Data Monitor ..........................................................................................861
Options for Table and Tile Views ........................................................................863
Moving Average Data Monitor ..................................................................................865
Rules Partial Match Data Monitor ..............................................................................867
Session Reconciliation Data Monitor ..........................................................................868
Statistics Data Monitor ............................................................................................870
System Monitor Data Monitor ...................................................................................872
System Monitor Attribute Data Monitor .....................................................................873
Top Value Counts Data Monitor ................................................................................874
Data Monitor Expressions ........................................................................................875
Supported Data Monitor Expression Operators .....................................................876
Supported Data Monitor Expression Functions ......................................................876
Device ........................................................................................................................876
Event Inspector ...........................................................................................................877
Field Sets ..............................................................................................................877
Events ........................................................................................................................877
Base Events ..........................................................................................................877
Event Categorization ..............................................................................................878
Field Sets ....................................................................................................................879
Filters .........................................................................................................................880
Filtering Options ....................................................................................................880
Global Variables ...........................................................................................................881
Grid View ....................................................................................................................882
iDefense .....................................................................................................................882
Inspect/Edit Panel ........................................................................................................883
Job Scheduler ..............................................................................................................883
Knowledge Base ...........................................................................................................884
Logical Operators .........................................................................................................884
Managed Security Service Providers (MSSPs) ...................................................................886
Manager .....................................................................................................................886
Navigator Panel ...........................................................................................................886
Notifications ................................................................................................................886
Notification Operation .............................................................................................887
Testing Notification Escalations ................................................................................888
Notification Destinations .........................................................................................888
Notification Acknowledgements ................................................................................888
Packages ....................................................................................................................889
Pattern Discovery .........................................................................................................889
Pattern Concepts ...................................................................................................890
Discovering Patterns ...............................................................................................890
Pattern Analysis .....................................................................................................890
Initial Phase ....................................................................................................891
Routine Pattern Processing ................................................................................891
Workflow Management .....................................................................................891
Pattern Analysis ...............................................................................................891
Pattern Disposition ...........................................................................................891
Pattern Expertise ...................................................................................................892
Workflow ........................................................................................................892
Visualization ....................................................................................................892
Applications ....................................................................................................893
Payload ......................................................................................................................893
Prioritization Fields .......................................................................................................893
Priority Calculations and Ratings ....................................................................................894
Priority Elements ...................................................................................................897
Priority Operators ..................................................................................................898
MaxValue Attribute ..........................................................................................898
Weight Attribute ..............................................................................................898
Priority Rating .......................................................................................................898
Queries .......................................................................................................................899
Queries and Trends ................................................................................................899
Building and Running Queries ..................................................................................899
Query Viewers .............................................................................................................900
Reference Pages ..........................................................................................................900
Regex (Regular Expressions) .........................................................................................900
Perl Constructs not Supported in Java .......................................................................901
Java Constructs not Supported in Perl .......................................................................901
Notable Differences from Perl ..................................................................................901
Character Matches .................................................................................................902
Reports .......................................................................................................................902
Working with Report Templates, Queries, and Trends ..................................................903
Viewing and Managing Reports ................................................................................903
Archived Reports .............................................................................................903
Report Groups .................................................................................................903
Delta Reports ..................................................................................................904
Report Parameters ...........................................................................................904
Running Reports ....................................................................................................905
ArcSight-Provided Reports .......................................................................................905
Report Templates .........................................................................................................906
Resources ...................................................................................................................906
Valid and Invalid Resources .....................................................................................906
Fixing and Validating Resources ...............................................................................907
Troubleshooting (Requirements for Valid Resources) ...................................................909
Automatic and Manual Validation ..............................................................................909
Resource Attributes ......................................................................................................909
Rule Actions ................................................................................................................911
Active List Rule Actions ...........................................................................................911
Execute Connector Command Rule Actions ................................................................912
Rule Conditions ............................................................................................................912
Rules ..........................................................................................................................913
Rules Processing and Correlation ..............................................................................913
Rule Groups ..........................................................................................................915
Scheduled Rules ....................................................................................................915
Rule-triggering Timing ............................................................................................916
Rule Chains ...........................................................................................................916
ArcSight Variables ..................................................................................................916
Rules Editor .................................................................................................................916
Scheduling Jobs ...........................................................................................................916
To schedule a job ...................................................................................................917
To view all scheduled jobs .......................................................................................918
Troubleshooting Tips ..............................................................................................919
Schema ......................................................................................................................919
Avoiding Field Naming Collisions ..............................................................................919
Event Fields ....................................................................................................920
Precise Event Categorization .............................................................................920
Send Logs ...................................................................................................................921
Guidelines for Using the Send Logs Utility ..................................................................921
Options for Running Diagnostics and Sending Logs .....................................................922
Starting the Send Logs Wizard on the ArcSight Console ...............................................922
Session Correlation .......................................................................................................923
Why Session Correlation Matters ..............................................................................923
Session Lists ................................................................................................................923
SmartConnectors .........................................................................................................924
Operational Status .................................................................................................924
Configuration ........................................................................................................925
Zones ...................................................................................................................925
Upgrading .............................................................................................................926
Filtering ................................................................................................................926
SMTP ..........................................................................................................................926
Sortable Field Sets .......................................................................................................927
Using Sortable Columns in Grid Views .......................................................................928
Status Monitor Events ...................................................................................................928
Active Channel Statistics .........................................................................................928
Active List Statistics ...............................................................................................929
Asset Statistics ......................................................................................................930
Data Monitor Statistics ............................................................................................931
Event Broker Statistics ............................................................................................931
Filter Engine Statistics ............................................................................................932
Main Flow Statistics ................................................................................................932
Notification Statistics ..............................................................................................932
Confidential
ArcSight Console User’s Guide 35
Pattern Discovery Statistics .....................................................................................933
Report Statistics ....................................................................................................933
Resource Framework Statistics ................................................................................933
Rules Engine Statistics ............................................................................................934
Session List Statistics .............................................................................................935
Session Management Statistics ................................................................................936
Side Table Statistics ...............................................................................................936
SmartConnector Flow Statistics ................................................................................938
Templates ...................................................................................................................939
Threat ........................................................................................................................939
Threat Evaluation .........................................................................................................939
Evaluation Process .................................................................................................939
Evaluation Definitions .............................................................................................940
Maintaining Model Confidence ..................................................................................940
Using Threat Evaluation Information .........................................................................941
Limitations and Workarounds ...................................................................................941
Thresholds ..................................................................................................................941
Time Error Correction ...................................................................................................942
Timestamps ................................................................................................................942
Security Events .....................................................................................................942
Resources .............................................................................................................942
General Information ...............................................................................................942
Timestamp Variables ....................................................................................................943
Inclusive Timestamps .............................................................................................943
Time Zone Correction ...................................................................................................944
Trends ........................................................................................................................944
Understanding Trends and Queries ...........................................................................944
Building Trends ......................................................................................................945
Upgrade SmartConnectors .............................................................................................945
User Groups ................................................................................................................945
Users .........................................................................................................................946
User Types ............................................................................................................946
Variables .....................................................................................................................947
Local and Global Variables .......................................................................................948
Variable Definition Fields .........................................................................................950
Variable Functions ..................................................................................................950
Alias Functions ................................................................................................951
Arithmetic Functions ........................................................................................951
Category Model Functions .................................................................................953
Condition Functions ..........................................................................................953
Group Functions ..............................................................................................954
IP Address Functions ........................................................................................955
List Functions ..................................................................................................955
String Functions ..............................................................................................956
Timestamp Functions .......................................................................................957
Type Conversion Functions ................................................................................959
Variable Availability and Contexts .............................................................................962
Velocity Templates .......................................................................................................962
Velocity Application Points .......................................................................................963
Using Velocity Expressions to Retrieve Values from Event Fields or Variables ..................964
Retrieving Values from Event Fields ....................................................................964
Using Variables in a Velocity Expression ..............................................................964
Using Velocity Expressions in Rule Actions .................................................................965
Example of Rule Action that Uses Velocity Expressions to Retrieve Values ................965
Examples ..............................................................................................................965
Usage Tips ............................................................................................................966
Velocity References for Reports ................................................................................966
Views .........................................................................................................................971
View Types ...........................................................................................................971
Other Views ..........................................................................................................972
Dashboards ...........................................................................................................972
Vulnerabilities ..............................................................................................................972
Vulnerability Groups ...............................................................................................972
Standardized Vulnerability Tracking ..........................................................................973
Web Browsers ..............................................................................................................973
Browser Preferences for HTML Displays .....................................................................973
Browser Preference Overrides for Specific Features .....................................................973
External Browser Display Requirements ....................................................................974
Internal Web Browser Support .................................................................................974
Advantages and Limitations ...............................................................................974
Flash Plug-in and Setup Requirements for Internal Browser ...................................975
Index .................................................................................................................................................... 977
Chapter 1
What’s New
ArcSight ESM™ consolidates and normalizes data from devices and applications across your
enterprise network in a centralized view. ESM provides a comprehensive view of the
security status of all relevant IT systems, and integrates security into your existing
management processes and work flows to provide “forensics on the fly.” ESM provides
solutions for compliance automation, identity monitoring, event collection and
management, multi-variable correlation and pattern-matching, historical reporting, alert
and frequency threshold notification, and more.
This topic describes the new features and enhancements added in this release.
CORR-Engine Storage and Archive Management
Management Console Interface
Resource Migration
CORR-Engine Storage and Archive Management
ESM 6.0c introduces the Correlation Optimized Retention and Retrieval
Engine (CORR-Engine), a proprietary data storage and retrieval framework
that replaces Oracle. CORR-Engine is optimized to run on systems with a
large number of cores and:
• Provides significant performance improvements over Oracle storage
• Reduces storage size significantly for online and archived data
• Receives and processes events at high rates, and performs high-speed searches
• Provides streamlined archive compression, storage, and management
Refer to the Management Console User’s Guide for details.
Management Console Interface
ESM 6.0c's new Management Console is a streamlined interface for:
• Monitoring and investigating events using dashboards and drill-downs
• Managing users, storage, and event data
• Updating licenses and setting up storage notifications
The Management Console is based on Web 2.0 technologies and uses an HTML5 charting
engine.
Refer to the Management Console User’s Guide for details.
Resource Migration
ESM 6.0c supports the migration of customer-created resources from Oracle
storage to the CORR-Engine with a simple engagement from ArcSight
Professional Services.
Chapter 2
Getting Started
ArcSight ESM is a comprehensive software solution that combines traditional security event
monitoring with network intelligence, context correlation, anomaly detection, historical
analysis tools, and automated remediation. It consolidates and normalizes data from
disparate devices across your enterprise network in a centralized view.
“Starting the ArcSight Console” on page 41
“Quick Start Tools and Content” on page 41
“Network Model Wizard” on page 42
“Configuration and Using Standard Content” on page 42
“ArcSight Web” on page 42
Starting the ArcSight Console
Start the ArcSight Console as you would any other application. The login mechanism varies
according to the type of authentication you have set up.
If you are using SSL authentication, set it up and import the certificate as described in the
Administrator’s Guide. See the “Configuration” chapter, in the section entitled
“Understanding SSL Authentication.” After the certificate is imported, you can start the
console without entering a user ID or password.
If you are using password authentication, see the Administrator’s Guide, “Configuration”
chapter, in the section entitled “Managing Password Configuration.” You specify your user
ID and password when you log in. Certificates are imported automatically.
If you have selected “Password or SSL Authentication,” you choose how to log in each
time.
If you are using FIPS and the external browser, make sure the browser is configured for
FIPS. See the Administrator’s Guide, “TLS Configuration to Support FIPS Mode” appendix.
Quick Start Tools and Content
The ArcSight Console serves as the control point for administrators to configure content
and resources, set up ArcSight Web access for Web users, and manage, monitor, and
respond to network security issues across the enterprise.
A Network Model Wizard is provided to facilitate the process of describing network devices
and assets.
Also, a set of coordinated resources (filters, rules, dashboards, reports, and so on) is
provided to address common security and management tasks. The set of standard content
is designed to give you comprehensive correlation, monitoring, reporting, alerting, and
case management out of the box, with minimal configuration required on the ArcSight
Console.
To get started, see “Configuration and Using Standard Content” on page 42.
Network Model Wizard
The Network Model wizard enables you to quickly populate the network model by loading
asset and zone information from Comma Separated Values (CSV) files. The following data
can be imported into a Manager from CSV files:
• Zones define functional parts of a network, such as a wireless LAN, an engineering
network, a VPN, or a DMZ.
• Assets represent individual nodes on the network, such as servers and routers.
• Asset ranges represent sets of network nodes addressable as a contiguous block of
IP addresses. Asset ranges are useful when you have many network nodes that would
be impractical to track individually, or that may come and go from the network, such
as laptops.
For more about the Network Model wizard and instructions on how to use it, see “Populating
the Network Model Using the Wizard” on page 690.
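The following Python script is an added example and is not part of this guide or of the ArcSight product. It shows the three concepts above in working code: zones and asset ranges as contiguous IP blocks, assets as single addresses, and a lookup that resolves an address to the zone, asset, and asset range covering it. The CSV column layouts (name,start_ip,end_ip and name,ip) and all addresses are constructed for illustration; the wizard's actual file format is described in “Populating the Network Model Using the Wizard” on page 690.

```python
"""Toy network model built from zone, asset, and asset-range CSV text.

Added example: the CSV layouts and addresses are assumptions for illustration,
not the ArcSight Network Model wizard's real file format.
"""
import csv
import ipaddress
from dataclasses import dataclass
from io import StringIO
from typing import List, Optional

# Constructed sample files (documentation address blocks, not real hosts).
ZONES_CSV = """name,start_ip,end_ip
Engineering LAN,10.10.0.0,10.10.255.255
DMZ,192.0.2.0,192.0.2.255
"""

ASSETS_CSV = """name,ip
build-server,10.10.5.20
public-web,192.0.2.10
stray-printer,172.16.3.7
"""

ASSET_RANGES_CSV = """name,start_ip,end_ip
engineering-laptops,10.10.100.0,10.10.100.255
"""


@dataclass(frozen=True)
class IpRange:
    """A contiguous block of addresses; used for both zones and asset ranges."""
    name: str
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address

    def contains(self, ip: ipaddress.IPv4Address) -> bool:
        return self.start <= ip <= self.end


@dataclass(frozen=True)
class Asset:
    """A single addressable node such as a server or router."""
    name: str
    ip: ipaddress.IPv4Address


def _rows(text: str) -> List[dict]:
    return list(csv.DictReader(StringIO(text)))


def load_ranges(text: str) -> List[IpRange]:
    """Parse name,start_ip,end_ip rows, rejecting inverted ranges.
    ipaddress raises ValueError for anything that is not an IPv4 literal."""
    ranges = []
    for row in _rows(text):
        start = ipaddress.IPv4Address(row["start_ip"])
        end = ipaddress.IPv4Address(row["end_ip"])
        if end < start:
            raise ValueError(f"{row['name']}: end_ip precedes start_ip")
        ranges.append(IpRange(row["name"], start, end))
    return ranges


def load_assets(text: str) -> List[Asset]:
    """Parse name,ip rows into Asset records."""
    return [Asset(r["name"], ipaddress.IPv4Address(r["ip"])) for r in _rows(text)]


class NetworkModel:
    def __init__(self, zones: List[IpRange], assets: List[Asset],
                 asset_ranges: List[IpRange]):
        self.zones = zones
        self.assets = assets
        self.asset_ranges = asset_ranges

    def zone_for(self, ip: ipaddress.IPv4Address) -> Optional[str]:
        """Name of the first zone whose block contains ip, or None."""
        return next((z.name for z in self.zones if z.contains(ip)), None)

    def lookup(self, ip_text: str) -> dict:
        """Resolve an event address to the zone, asset, and asset range names."""
        ip = ipaddress.IPv4Address(ip_text)
        asset = next((a.name for a in self.assets if a.ip == ip), None)
        rng = next((r.name for r in self.asset_ranges if r.contains(ip)), None)
        return {"zone": self.zone_for(ip), "asset": asset, "asset_range": rng}

    def unzoned(self) -> List[str]:
        """Assets and asset ranges not covered by any zone. Events from these
        addresses cannot be attributed to a zone, so report them before import."""
        missing = [a.name for a in self.assets if self.zone_for(a.ip) is None]
        missing += [r.name for r in self.asset_ranges
                    if self.zone_for(r.start) is None or self.zone_for(r.end) is None]
        return missing


def build_model() -> NetworkModel:
    """Assemble the model from the constructed CSV text above."""
    return NetworkModel(load_ranges(ZONES_CSV), load_assets(ASSETS_CSV),
                        load_ranges(ASSET_RANGES_CSV))


if __name__ == "__main__":
    model = build_model()
    for probe in ("10.10.100.42", "192.0.2.10", "203.0.113.5"):
        print(probe, model.lookup(probe))
    print("unzoned:", model.unzoned())
```

The unzoned() check is the part worth keeping when you prepare real import files: an asset or range that lies outside every zone produces events the model cannot place, so listing those gaps before loading the CSV files saves a second import round.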
Configuration and Using Standard Content
For information about standard System or Administration content, refer to the Standard
Content Guide — ArcSight System and ArcSight Administration. For information about an
optional ArcSight Foundation, refer to the Standard Content Guide for that Foundation.
ESM documentation is available on Protect 724 (https://protect724.arcsight.com).
ArcSight Web
ArcSight Web provides full event monitoring and drill-down capabilities in a streamlined
interface. The Web server is pre-installed on the appliance.
The ArcSight Web interface can also be branded with your company logo.
You can start the ArcSight Web user interface from the ArcSight Management Console.
Chapter 3
Working in the ArcSight Console
In addition to all the security analysis, forensic, response, and reporting capabilities built
into the ArcSight Console, the Console itself is a tool with its own characteristics and
specialized controls. The Help topics in this section describe the basics of using ArcSight
Console tools and controls to make the most of its features.
“Navigating” on page 44
“Viewing” on page 49
“Inspecting and Editing” on page 52
“Controlling the ArcSight Console” on page 54
“Using the Network Tools” on page 55
“Staying Informed” on page 58
“Using the Menus” on page 62
“Keyboard Shortcuts (Hot Keys)” on page 68
“Moving, Copying, Linking, and Deleting Resources” on page 69
“Printing from the Console” on page 69
For information on the Management Console, refer to the ArcSight Management Console
User’s Guide.
Navigating
The primary principle of navigating in the ArcSight Console is to use the Navigator panel to
locate and manage security resources, and the Viewer and Inspect/Edit panels to analyze
resource data and view or adjust the attributes of the resources producing the data.
Figure 3-1 The Navigator panel showing the Dashboards resource tree
Using the Navigator panel consists of:
• Choosing a resource tree from the drop-down list.
• Expanding (+) and collapsing (-) resource groups to locate particular subgroups or
individual resources. (You can also use the keyboard right arrow key to expand
and left arrow key to collapse the Navigator resource trees.)
• Right-clicking groups or individual resources to choose from their context menus.
• Using the Viewer or Inspect/Edit panels to see or act on the results of the context
menu commands.
The resources available to you in the Navigator panel can be affected by your user type.
Browsing the resource trees established for your enterprise is a good way to become
familiar with both your environment and the ArcSight Console's capabilities.
Navigator Panel Resource Tree
Each resource tree is identified in the Navigator panel by its icon and name.

Active Channels: Create, modify, and delete security-event views that actively and
continuously evaluate the events they display, on the basis of time and other filter
conditions. This view also includes the Field Sets resource tree for managing named field
sets. See Chapter 4, Monitoring Events, on page 77.

Assets: Security-sensitive devices and device groups installed in your enterprise, and
the known exposures to potential threats those devices may represent. Assets also
includes the related network, zone, location, category, and vulnerability information you
use to manage network devices. See “About the Network Model” on page 679.

Cases: Enterprise security incident cases, by status and priority. See Chapter 18, Case
Management and Queries, on page 527.

Connectors: The SmartConnectors currently installed at your enterprise. See Chapter 23,
Managing SmartConnectors, on page 643.

Customers: Manage resources that represent the security concerns of particular MSSP
(Managed Security Services Provider) clients. See “Managing Customers” on page 713.

Dashboards: Various event data monitors and their containing dashboards. See “Using
Dashboards” on page 102.

Files: The Files resource tree, when populated, lists files saved as resources on the
Manager. This makes them accessible to all users of the system who are authorized for
such access. File resources include Case file attachments, templates, and general-purpose
shared files. See “Managing File Resources” on page 611.

Filters: Event filtering definitions, organized in groups. See Chapter 8, Filtering
Events, on page 173 and “Using Filter Groups” on page 182.

Knowledge Base: A database of articles and groups of articles that aid problem-solving,
analysis, and operation. See “Getting Knowledge Base Articles” on page 171 and
Chapter 20, Knowledge Base Authoring, on page 579.

Integrations: Application integration resources used to configure and launch commands,
tools, and views in custom and third-party applications and other ArcSight products from
within the ArcSight Console. Provides the ability to configure custom scripts, URLs, and
Connector commands, and integrate them into the Console UI in various contexts.
Leverages Velocity expressions and the UI contexts for pulling the content of event data,
for example, as command parameter values. Provides support for ArcSight Network
Synergy Platform (NSP) and Threat Response Manager (TRM). See Chapter 19, Integration
Commands, on page 537.

Lists: Active Lists are lists of active source and target IP addresses of interest, as
defined by enterprise rules. See “Managing Active Lists” on page 509 for more
information. Session Lists are similar to active lists, but are optimized for time-based
queries and monitoring of rule-driven combinations of event attributes or custom fields.
See Chapter 16, Identity Correlation, on page 481 for more information.

Notifications: Destinations and settings for the automatic messages that alert you to
pre-defined situations or events. See “Acknowledging Notifications” on page 59 and
“Managing Notifications” on page 603.

Pattern Discovery: Profiles to capture, and snapshots of, potentially threatening event
patterns. See “Pattern Discovery” on page 127.

Query Viewers: A resource for defining and running SQL queries on other ESM resources
(independent of reports), including trends, assets, cases, connectors, events, and so
forth. Each query viewer contains an SQL query along with other logic for establishing
and comparing baseline results, analyzing historical data to find patterns in network
activity, and performing drill-down investigation on a particular aspect of the results.
Query viewers can use the same queries as reports do, but can be run independently of
them. See Chapter 10, Query Viewers, on page 233.

Reports: Definitions for, and archived output from, various activity reports. See
Chapter 12, Running and Managing Reports, on page 377 and Chapter 11, Building Reports,
on page 279.

Rules: Rules and groups of rules created for isolating, analyzing, and responding to
events. See Chapter 13, Rules Authoring, on page 393.

Stages: Workflow and annotation features for real-time analyst collaboration on security
events.

Use Cases: Resource collections that address common security issues and business
requirements. When use cases are installed, a Use Case tab is displayed in the Navigator
panel. A wizard is available for configuration of the use case resources. See “Use Cases”
on page 449.

Users: ArcSight users and user groups. See Chapter 21, Managing Users and Permissions,
on page 585.
Using SmartFolders
ArcSight has special, automatically maintained folders to track the results of your case
searches or to track your currently selected replay rules and currently running reports.
When you create them, these folders appear just below the root of each resource type in
the Navigator, prefixed with your ArcSight user name.
Creating a Case-Search SmartFolder
To create a case-search SmartFolder:
1. Right-click a folder in the Cases tree and choose New Search Group in the context
menu to open the Search Group Editor.
2. Use the Editor to define a search that updates dynamically each time a change occurs
to one of your cases.
A given group contains the result of this search when it is applied to those cases.
Creating a Reports SmartFolder
The Reports tree in the Navigator panel shows a folder for each user name and the suffix
“Reports.” These folders list the reports that user is applying, and the right-click context
menu offers the commands available for those reports. These folders are maintained
automatically and you cannot change them.
You can use this feature to control report runs. For example, if a report is running too long
and you would like to end it, right-click it and choose Stop Report.
Reports you run using the Run button in the Report Editor are initiated
outside the usual Console processes and do not appear in, and are not
controllable from, the Reports tree in the Navigator.
Editing Groups
You can group resource types in the Navigator panel to help you organize and manage
them. Groups can also be hierarchical, resulting in “trees” of resources. Apart from the
characteristics of the resources involved, such as assets or vulnerabilities, each group
identity has certain properties you can edit in the Group Editor.
Editing a Group
To edit a group:
1. In the Navigator panel, right-click a resource group and choose Edit Group.
2. In the Group Editor, click the Value fields for the group attributes you want to change.
3. Click Apply to put your changes into effect but leave the editor open. Click OK to
apply your changes and also close the editor.
Fields containing system information (like Creation Time) are not editable.
See “Reference Pages” on page 900 for more about using the Group Page and Member's
Page fields.
See “Scheduling Jobs” on page 916 for information about scheduling tasks or “jobs” for
reports (individually or by group), rules, or pattern discovery snapshots.
Categories Tab
The Group Editor for groups in the Assets tab of the Assets resource tree has an additional
Categories tab. This tab has two sub panels: Local Asset Categories and Inherited Asset
Categories. “Local” shows assets that are explicitly assigned to categories. “Inherited”
shows assets whose category connections are presumptions based on a parent's group or a
simple asset-range association.
Viewing Group Cases in a Grid View
When you right-click a case group in the Cases resource tree in the Navigator panel, and
choose View in Grid, you see that group's cases listed in a Case Details view in the Viewer
panel. Click any case in the grid to work with it individually. You can also:
• Right-click any column heading to get a menu of column configuration options.
• Right-click any individual case's fields to get a menu of case handling options,
described below.

New: Create a new case.
Edit: Open a case in the Inspect/Edit panel for editing.
Delete: Delete the selected case.
Export to external system: Export the case to an external tracking system.
Edit case by ID: Find a case by its Display ID value.
Select rows with matching cell: Select cases where all values in a particular column
have the same value or entry.
Invert selection: Reverse the selection and highlighting of a previously selected group
of cases.
Close: Clear the Case Details view.
Refresh: Refresh the Case Details view to reflect new or deleted cases and information
updated in existing cases.
Knowledge Base: Show Knowledge Base information associated with cases.
Batch Editing
You can make common edits to multiple case or SmartConnector resources by selecting a
set of either type in the Navigator panel and changing their common fields in the Case or
Connector Editor.
Batch-Editing Cases or Connectors
To batch-edit cases or connectors:
1. Ctrl+click or Shift+click to select a set of individual cases or SmartConnectors in
their respective resource trees in the Navigator panel.
2. Right-click the selected items and choose Edit.
3. Make changes to the appropriate common fields, such as Description or Owner.
4. Click Apply to record your changes and leave the editor open, or click OK to save and
close. Saving affects only the fields you have changed, in each of the selected
resources.
Cases Reminder
You can also lock and unlock cases in batches, using the Lock Case check box.
SmartConnector Reminders
Batch changes affect only default configurations, not alternates. However, you can add new
alternate configurations by batch editing.
Note that if you make changes under the Filters tab, the entire tab's contents are saved to
the selected SmartConnectors.
Only connectors of the same version can be batch-edited. Version is indicated by the color
of the connector icons in the resource tree: blue for pre-v2.5 and green for v2.5 or later.
Reconnecting to the Manager
If your ArcSight Console loses its connection to the Manager, a dialog box enables you to
Retry the connection, Relogin, or to Cancel the connection. Try these options in this
order.
A connection to the Manager can't be re-established when the Manager has to be restarted
or when a network problem prevents communication with the same Manager. In such
cases click Cancel and start the Console again, using an appropriate Manager host name.
Viewing
This section provides information on using the Console Viewer Panel and choosing
look-and-feel options (skins) for the ArcSight Console.
Viewer Panel
You see the products of security-event analyses in the Viewer panel, which can display
several different types of views. (See also, “Using Views” on page 77.)
Although there are some views that display information about resources, most views are
active channels, which are continuously evaluated collections of security-event data. (See
also, “Monitoring Active Channels” on page 77.)
Tips:
• To show a resource (like a particular dashboard or active channel) in the
viewer, right-click it in the Navigator tree and choose Show <resource>.
• To close individual views quickly, Shift+click their name tabs. (You can
also right-click a view name tab and choose Close from the popup menu.)
• To float the Viewer panel, click the Float icon at the top left of the Viewer.
The Viewer panel can also internally render basic HTML, meaning that it automatically
shows HTML-based reports, reference pages, results for the Web Search tool, and
notification acknowledgements. More complex HTML that might include JavaScript,
plug-ins, or other embedded objects is, for security reasons, still rendered in the
external browser you specify through the Preferences dialog box. The external browser is
also used to display PDF document files.
The Web Viewer tabs in the Viewer panel have a live link at the top. You can click these
links to open the contents in an external, fully functional browser window. You can also
right-click the contents of a Web Viewer and use the standard browser commands to do
basic functions such as going back or forward or reloading.
If your Console is not already displaying a default set of pre-defined views, or you want to
change the views displayed, you can use these options:
• Choose Window > Viewer Panel to open the panel if it isn't open.
• Choose the Active Channels, Dashboards, or Pattern Discovery resource trees in
the Navigator panel to find analysis tools or results to view.
• Right-click a resource in a tree and choose Show <resource> to open it in the
Viewer panel.
• When multiple tabbed views are open in the panel, click the tabs at the top of the
panel to choose the active channel you want to see, and the tabs at the bottom of
the panel to choose which view of that active channel should be foremost.
To close an individual view, Shift+click its name tab. (You can also right-click a view
name tab and choose Close from the popup menu.)
Using active channels and the many types of views they offer is fully covered in the topics
under these headings:
• Monitoring Events
• Selecting and Investigating Events
• Using Dashboards
ArcSight Console Look-and-Feel
If you start the ArcSight Console from the command line with the arcsight console
command (in ARCSIGHT_HOME/current/bin), use the -laf <style> flag to specify
a look-and-feel style. For example, the following command starts the Console with a
“metal” look-and-feel:
arcsight console -laf metal
These styles modify the Console display and associated online help. The figure below
shows what the ArcSight Console looks like when started with the default and metal styles.
The screen captures and illustrations used throughout the ArcSight Console online help
show various look-and-feel styles. For more information about arcsight console
command options, including -laf, see the “ArcSight Commands” appendix in the
Administrator's Guide.
Inspecting and Editing
ESM provides the Inspect/Edit panel to examine the details of events that appear in active
channels in the Viewer panel, or to modify the resource attributes in the Navigator panel.
You can examine security events through the Inspect/Edit panel's Event Inspector, and edit
resources using specialized editors, one for each specific resource type.
Press Enter to register edits made in editors and channel columns
To ensure that ESM registers a change you make to a field in editor and
channel columns, press the Enter key before clicking Apply or OK.
See also:
• “Hiding Empty Rows in the Event Inspector” on page 165
• “Displaying Articles from the Event Inspector” on page 171
• “Retrieving Payloads” on page 170
• “Event Inspector” on page 877
Overview of Inspect/Edit Features and Utilities
Each editor has its own controls and attributes, described in the Help for its resource.
The Inspect/Edit panel opens automatically when you double-click an event in a grid view
or choose to edit a resource in the Navigator panel. You can also right-click an event in a
grid view and choose Show Event Details. To explore the Inspect/Edit panel, you can:
• Choose Window > Inspect/Edit Panel to open or restore the panel, if it already has inspectors or editors in it. If no inspectors or editors are open, the panel isn't available.
• When no editors or inspectors are open, or to work with different ones, double-click an event in a grid view or right-click an item in a Navigator panel resource tree and choose Show <resource>.
• To clear an editor from the Inspect/Edit panel, right-click its tab and choose Close.
• Click the Hide Empty Rows button beside the Select a Field Set menu to see only populated fields.
• Click the New Field Set button to create a new field set.
• Click the icon toggle button to show/hide icons next to each field entry.
Searching for Fields in Event Inspector, Resource Editors or CCE
To find an item in a list of fields on the Event Inspector, any Resource Editor, or the
Common Conditions Editor (CCE), start typing the search string in the Search for field at
the bottom of the panel. The search is predictive in that it will navigate to and select
matching fields as you type. The Search utility works essentially the same way in the Event
Inspector and in resource editors that use field sets and filters (and, by association, the
CCE).
Start typing in the Search for field to highlight the first match.
If you start to type a term that is not in the field list, the search text turns red. If you
backspace and start deleting text, the text will change from red to black when a matching
field is found. Resume typing to find another matching term.
To exit the Search, press the Return key.
Getting More Help
The best way to learn more about the Event Inspector and each of the many resource
editors is to click the question mark button in the upper-right corner of the Inspect/Edit
panel or the Help button in the lower right of a resource editor.
Controlling the ArcSight Console
The ArcSight Console has certain common controls that you might use at any time to do
basic tasks like copying and pasting, and showing or hiding panels or the status bar.
The controls you use the most are the toolbar buttons. There are four toolbars under the
menus at the top of the Console. Each button has an identifying tool tip, but the full
descriptions are as follows.
To show or hide toolbar components, right-click the toolbar and select or deselect the
sections you want to change.
Standard application functions: The Save, Open, Cut, Copy, and Paste buttons operate as they do in any application. Saving and opening applies to ArcSight Console settings (.ast) files. Cutting, copying, and pasting applies to text and resources. (There is also a File > Save to Manager option available from the menus.)
Show or hide UI elements: Click the Show/Hide buttons to open/close the Navigator, Viewer, and Inspect/Edit panels and status or menu bars. Click the Floating button to bring floating windows forward.
Replay controls: The Replay buttons have essentially the same functions in certain views in the Viewer panel as their counterparts do on VCRs or CD players. From left to right, the buttons are: Rewind to Start, Rewind Incrementally, Pause, Play, Stop, Go Forward Incrementally, and Go Forward to End. You use the Replay buttons when working with channels configured for this mode.
Network tools: These buttons run standard IP-based network analysis tools as described in “Using the Network Tools” on page 55.
Notifications: The Acknowledge Notifications button in the toolbar line tells you when you have messages to acknowledge. Click the button to open the Notifications manager in the Viewer panel so you can acknowledge the notification and resolve the issue.
Status Bar: You can show or hide the status bar at the bottom of the Console window with this toolbar button, or use the Window > Status Bar menu command. When the status bar is showing, it displays Console operation messages. Normal status messages appear in blue and error messages are red.
To view details on a message, click the message in the status bar. The ArcSight Messages dialog is displayed with the current message highlighted. From this dialog, you can access console messages, system messages and user notifications.
To copy any message from the Messages dialog, highlight it and click Copy. The message is copied to the clipboard along with the associated date and time. You can then paste the message into any other window, mail program, or editor that accepts ASCII text.
Menu Bar: You use the menus in the menu bar as described in “Using the Menus” on page 62.
Error and Warning Messages
Certain error messages, warnings, and notifications appear in a small dialog. To capture
the error message and supporting data, click the Copy button or check Copy message to
system clipboard to copy the entire message to the Clipboard. You can then paste the
error message in text fields in the ArcSight Console, into the body of an e-mail message, or
other applications.
Using the Network Tools
The network tools are the right-most set of buttons on the toolbar and are also available
from the Tools menu. ArcSight provides Ping, Traceroute, Nslookup, PortInfo, Whois,
WebSearch, and Send Logs as default utilities. Most of these tools are utilities you use to
investigate events in grid views. In a grid view, you right-click an event to access these
tools from a context menu. A new wizard-based utility called Send Logs gathers logs and
diagnostic information for review or which you can email to customer support.
You can add, copy, edit, or delete network tools using the Tools menu in the menu bar. The
toolbar buttons and menu commands adjust automatically to such changes.
The Network Tools are also available as integration commands (see “Network
Tools as Integration Commands” on page 576 in Integration Commands).
These tools are available in both places on the Console UI, but in future
releases the legacy “network tools” feature described here will be phased out
in favor of the integration commands. The same customizable tools and
commands will be available (ping, whois, and so on), along with other new
commands and a full set of application integration features.
To configure these tools, choose menu option Tools > Local Commands >
Configure, as described in the following topics.
Running a Tools Command
To run a tools command:
1 In a grid view, select an IP address.
2 Right-click and select Tools, then one of the tool options described in “Network Tool Default Options” on page 56.
3 Based on the tool selected, a window appears with the information.
4 In the window, click Close.
Network Tool Default Options
Nslookup: Resolve an IP address to a host or domain name, or vice versa.
Ping: Determine whether a particular IP address is online, and/or test and debug a network by sending a packet and waiting for a response.
PortInfo: List standard usage (for example, WWW, FTP, and so on) for a specified port number.
Traceroute: Show the path from the ArcSight Console to the IP address selected in the grid view, reporting the IP addresses of all routers in between.
WebSearch: Search the Web through Google to find links to the keywords present in currently selected active channel grid view cells.
Whois: Look up who is behind a given domain name; information might include addresses and telephone numbers.
Send Logs: Start the Send Logs wizard to gather logs and diagnostic information. Logs and diagnostics can be collected for all or a selected set of ArcSight components. (See “Send Logs” on page 921.)
Adding a Tool
To add a tool:
1 Choose Tools > Local Commands > Configure.
2 In the Configure Tools window, click New.
3 In the Tool window, edit the Name, Program, Working Directory, Icon, and Program Parameters (command line parameters to be used for the program) text fields.
4 Click OK, then Done.
Configure (Edit) a Tool
To configure (edit) a tool:
1 Choose menu command Tools > Local Commands > Configure.
2 In the Configure Tools window, select an existing tool and click Edit.
3 In the Tool window, set these parameters and options:
Name: User-friendly name for this tool.
Program: Path to the executable file.
Working Directory: Default location assumed for arguments to the command. For example, to create a command (for example, delete <file>.ast) that acts on a file type that always resides in the same directory, specify the location here to save users from having to provide the full path to the file each time they use the command.
Icon: Path to the icon image file used to represent the tool.
Program Parameters: Provide any parameters needed for the command. You can type parameters in the field, or click the button beside it to get a pull-out menu where you can select Event Attributes to use as parameters, or add the selected cell or selected row as parameters to the command.
Show in toolbar: When Show in toolbar is on, the tool icon is shown in the Console toolbar. By default, this option is selected.
Use with data export: The purpose of this option is to separate tools that are run against events in channels from tools used as destinations for event export. By default this option is not selected (off). If this tool is to be used as a destination for event export, select Use with data export. If this tool contains a command that will run against events in a channel, leave Use with data export off.
4 Edit the Name, Program, Working Directory, Icon, and Program Parameters (command line parameters to be used for the program) text fields as needed. Also select whether you want the tool to show in the toolbar.
5 Click OK, then Done.
Deleting a Tool
To delete a tool:
1 Choose menu command Tools > Local Commands > Configure.
2 In the Configure Tools window, select an existing tool and click Delete.
3 In the dialog box, click Yes.
4 Click Done.
Staying Informed
This topic discusses ways by which the Console helps you stay informed about developing
situations involving events, and critical system status.
In addition to the security-event information ArcSight collects and analyzes, you can get,
record, and pass other types of working information. This additional information falls into
categories described in this topic.
Acknowledging Notifications
Notifications inform you when certain defined events or circumstances occur. You might
receive notifications by pager, e-mail, or similar means, but you can be sure to see an
indicator in the Notifications button in the toolbar line of the Console.
Notifications can be sent as a result of a rule action, or by another user monitoring events
in a grid. Clearing a notification requires that you acknowledge it. Whether or not you need
to take other action depends on the circumstances. Acknowledgements are described
briefly here, but for full detail, see “Managing Notifications” on page 603.
Acknowledging a Page
Acknowledge a page by replying to it through your pager. All pagers must be configured to
send replies. Your reply is sent to the pager service provider and then to ArcSight.
Acknowledge a Cell Phone Message
Acknowledge a call by replying to the e-mail sent through your cell phone. An e-mail
enabled cell phone is required for receiving notifications and replying to them.
Acknowledge an E-mail Message
Acknowledge an e-mail by replying to the message. Reply to the e-mail address from which
the notification was sent.
Acknowledge Notifications at the ArcSight Console
The ArcSight Console automatically alerts you of pending acknowledgements. The
Acknowledge Notifications button is automatically enabled when you have one or more
notification messages to be acknowledged. When you click the Acknowledge
Notifications button, the Notifications manager opens in the Viewer panel so you can
acknowledge and resolve the notification.
Using Notes
Each resource and resource group in the Navigator panel has an editor, and each editor has
a Notes tab. The Notes tab retains all the text that you and others add to the resource.
Notes tabs have Table and List sub-tabs to show you tabular or text layouts of the notes
accumulated for a resource. Notes are stored chronologically and you can sort them by
clicking the Date, Owner, and Text headers.
Adding a Note
To add a note:
1 Choose a resource tree in the Navigator panel.
2 Select a resource group or individual resource.
3 Right-click an item in the tree. If it is a group, choose Edit Group. If it is a resource, choose Edit <resource>.
4 In the Inspect/Edit panel, click the editor's Notes tab.
5 In the Notes space, type a note.
6 Click Save and then OK.
Viewing a Note
To view a note:
1 Choose a resource tree in the Navigator panel.
2 Select a resource group or individual resource.
3 Right-click an item in the tree. If it is a group, choose Edit Group. If it is a resource, choose Edit <resource>.
4 In the Inspect/Edit panel, click the editor's Notes tab.
5 Right-click a note and choose View.
Deleting a Note
To delete a note:
1 Choose a resource tree in the Navigator panel.
2 Select a resource group or individual resource.
3 Right-click an item in the tree. If it is a group, choose Edit Group. If it is a resource, choose Edit <resource>.
4 In the Inspect/Edit panel, click the editor's Notes tab.
5 Right-click a note and choose Delete.
License Tracking
The product tracks the status of licenses for features you use, including actors, ArcSight
Console user limits, ArcSight Web user limits, device number limit, actor and asset number
limit, and events-per-second limit.
Licenses for the features available to you are installed and configured at setup time. For
details about setting up licenses during the installation and configuration process, see the
ESM Installation and Configuration Guide.
License tracking includes disabled and deleted actors
The ESM license tracking feature includes actors that are still in the ESM actor
model with the status Disabled or Deleted in IDM. ESM’s identity
management feature preserves disabled and deleted actors in the actor
model to track any unauthorized activity related to disabled or deleted actors.
If you do not want the ESM license tracking feature to evaluate actors with
the status Disabled or Deleted in IDM, you can manually remove them
from the ESM actor model. Manually removing disabled or deleted actors also
removes the ability for ESM to track unauthorized activity related to these
accounts. For details, see “Deleting Actors” on page 211.
License Tracking Notifications
If your feature usage is close to or has exceeded the license agreements for your
organization, you see a notification dialog when starting up the ArcSight Console, for
example:
Your access to these features remains in place, even if the license limit has been exceeded.
Standard Reports for License Status Tracking
You can check on the status of your ESM feature licenses using the following reports and
focused reports (All Reports/ArcSight Administration/ESM/Licensing):
Report Type: Description
Licensing Report: This report shows the licensing history for one of the license types, and is the source report for the individual license focused reports. The chart shows the current count and the count limit. The licensing history is over the last 7 days, by default.
Licensing Report (All): This report shows the licensing history for all the license types. The 6 charts show the current count and the count limit for each of the license types. The licensing history is over the last 7 days, by default.
Actors Licensing Report: This focused report shows the licensing history for actors. The chart shows the current count and the count limit. The licensing history is over the last 7 days, by default.
Assets Licensing Report: This focused report shows the licensing history for assets. The chart shows the current count and the count limit. The licensing history is over the last 7 days, by default.
Console Users Licensing Report: This focused report shows the licensing history for console users. The chart shows the current count and the count limit. The licensing history is over the last 7 days, by default.
Devices Licensing Report: This focused report shows the licensing history for devices. The chart shows the current count and the count limit. The licensing history is over the last 7 days, by default.
EPS Licensing Report: This focused report shows the licensing history for EPS. The chart shows the current count and the count limit. The licensing history is over the last 7 days, by default.
Web Users Licensing Report: This focused report shows the licensing history for web users. The chart shows the current count and the count limit. The licensing history is over the last 7 days, by default.
For details about running reports, see “Running Reports” on page 377.
Using the Menus
This section briefly describes the Console's menus and sub-menus.
File Menu
Keyboard shortcut Alt+F opens the File menu. Keyboard shortcuts for File menu options
are included below. See also “Keyboard Shortcuts (Hot Keys)” on page 68.
Option (Shortcut): Description
New: Create a new resource from the available submenu.
Open (Ctrl-O): Open an existing Console settings file to use that configuration.
Save (Ctrl-S): Save your latest Console settings in the current configuration file.
Save As (no shortcut): Save your current Console settings in a different configuration file.
Save to Manager: Save your current Console settings at the ArcSight Manager rather than locally, so you can get these settings at a different Console.
Load From Manager: Load a preferred Console configuration file from the ArcSight Manager, so you can use it at this Console.
Send To: Send a local Console configuration (.ast) file to an e-mail address so another user can save and use it at their Console.
Log Out (no shortcut): Log out of the Console with your current user ID, without exiting, so someone else can log in.
Exit (Alt-F4): Log out of the Console and exit.
Edit Menu
Keyboard shortcut Alt+E opens the Edit menu. Keyboard shortcuts for Edit menu options
are included below. See also “Keyboard Shortcuts (Hot Keys)” on page 68.
Option (Shortcut): Description
Cut (Ctrl-X): Cut selected text.
Copy (Ctrl-C): Copy selected text or resources.
Paste (Ctrl-V): Paste text or resources from the clipboard.
Delete (Delete): Delete selected text or resources.
Select All (Ctrl-A): Select all text.
Preferences: Open the Preferences dialog box to make personal configuration changes.
Find Resource (Ctrl-F): Use the Find Resource query editor to search for resources and review their details.
View Menu
Keyboard shortcut Alt+V opens the View menu. Keyboard shortcuts for View menu
options are included below. See also “Keyboard Shortcuts (Hot Keys)” on page 68.
Option (Shortcut): Description
New Active Channel (Ctrl+Shift+D): Open the New Active Channel dialog box so you can set up and start a new active channel in the Viewer panel.
Show Active Channel (Ctrl+Shift+S): Open the Active Channel Selector dialog box so you can choose an active channel to display in the Viewer panel.
Recent Active Channels: Choose a recently opened active channel to display in the Viewer panel again, if available.
Resource Hotkeys: Shows currently programmed keyboard shortcuts for actions on the Console. These keyboard shortcuts are defined in the Console Preferences dialog (Edit > Preferences > Manage Hotkeys). For more information, see “Keyboard Shortcuts (Hot Keys)” on page 68.
New Dashboard (Ctrl+Shift+B): Create a new, untitled and empty dashboard to populate with data monitors.
Show Dashboard (Ctrl+Shift+W): Open the Load Dashboards dialog box so you can select dashboards to open in the Viewer panel.
Recent Dashboards: Choose a recently opened dashboard to display in the Viewer panel again, if available.
Notification Acknowledgement (Ctrl-N): Show all Notifications for the current user (pending, undeliverable, not acknowledged, acknowledged, and resolved).
Show Messages (Ctrl-M): Show all console messages, system messages, and user notifications in the ArcSight Messages dialog.
Next View (Ctrl+Shift+N): Take you to the next open view or tab in the Viewer.
Previous View (Ctrl+Shift+P): Take you to the previous open view in the Viewer.
Close All Views: Close all views that are open in the Viewer panel.
Slide Show (F11, toggle to start or stop): Show a continuous slide show of all open channels and dashboards.
Window Menu
Keyboard shortcut Alt+W opens the Window menu. Keyboard shortcuts for Window
menu options are included below. See also “Keyboard Shortcuts (Hot Keys)” on page 68.
Option (Shortcut): Description
Navigator Panel (Ctrl-1): Show or hide the Navigator panel.
Viewer Panel (Ctrl-2): Show or hide the Viewer panel.
Inspect/Edit Panel (Ctrl-3): Show or hide the Inspect/Edit panel.
Status Bar (Ctrl-4): Show or hide the status bar.
Floating: Bring to the front one of the listed floating (undocked) windows, if available.
Tools Menu
Keyboard shortcut Alt+T opens the Tools menu. Keyboard shortcuts for Tools menu
options are included below. See also “Keyboard Shortcuts (Hot Keys)” on page 68.
Option > Sub-menu (Shortcut): Description
Local Commands > Configure (Alt-C): Add, copy, edit, or delete Network Tools.
Local Commands > Results (Ctrl+Shift+R): Display the Tool Results dialog box.
Local Commands > Nslookup: Resolve an IP address to a host name.
Local Commands > Ping: Determine whether an IP address is online.
Local Commands > PortInfo: List the default protocol usage for a specified port number (e.g., WWW, FTP, SMTP).
Local Commands > Traceroute: Show the path to an IP address.
Local Commands > WebSearch: Use Google to search the web for event-related keywords.
Local Commands > Whois: Find the registered owner of a given domain name.
Network Model: Launch the Network Model wizard. See “Populating the Network Model Using the Wizard” on page 690.
Use Case: Launch the Use Case wizard. See “Configuring Use Cases” on page 455.
Send Logs: Launch the Send Logs wizard. See “Send Logs” on page 921.
System Menu
Keyboard shortcut Alt+S opens the System menu. See also “Keyboard Shortcuts (Hot
Keys)” on page 68.
Option: Description
Scheduled Jobs: Open the Job Scheduler. For more information, see “Scheduling Jobs” on page 916.
Categorize Event: Select a non-ArcSight event in the grid, then select the System > Categorize Event menu option to apply a category.
Help Menu
Keyboard shortcut Alt+H opens the Help menu. Keyboard shortcuts for Help menu
options are included below. See also “Keyboard Shortcuts (Hot Keys)” on page 68.
Option (Shortcut): Description
Help Contents (F1): Open the ArcSight Console Online Help. See FAQs about Online Help for details about using the Help, including navigating, printing, getting PDFs, and more.
What’s New: Open the ArcSight Console Online Help’s “What’s New” topic. See also Chapter 1‚ What’s New‚ on page 39.
Browse ArcSight Documentation: Open an index page that offers pointers and links to other PDF-formatted documents concerning subjects such as SmartConnectors or upgrading.
HP Software Support Online: Open a browser window that displays the HP SSO login page, so you can sign in and access the case manager, downloads, communities, and other features.
About: Show your ArcSight installation's legal notices and version information.
Using Right-Click Context Menus
Right-click context menus appear throughout the Console. This section describes common
options available from right-click menus in different contexts. Context menus in different
resources can offer other options specific to that resource. To understand all the options
available for a particular resource, see the topic related to that resource.
Right-Click Menu Options in the Navigator Panel
The Navigator panel presents individual resources and groups that help organize them.
Here are the common options available from the right-click context menus in the Navigator
panel. Not all options are available in all contexts; those that are not available will appear
in grey text. The details of many of these options, such as creating a new resource, are
described in the topics dedicated to that resource.
Option (Applies to): Description
New <resource> (Resources): Open the editor for the selected resource to allow you to create a new one.
Edit <resource> (Resources): Open the editor for the selected resource to allow you to edit an existing one.
Delete <resource> (Resources): Initiate a delete sequence for the selected resource. A confirmation step is required before the resource is permanently deleted.
Integration Commands (Resources and Channels): From Console, link to other ArcSight applications and tools. For more information, see “Integration Commands” on page 537.
Add to Package (Resources): Add the selected resource to an existing package. For more about packages, see “Managing Packages” on page 633.
Show <resource> (Resources): Display results gathered by the resource in the Viewer panel.
Graph View (Resources): Display a graphical view of the resource in relation to other associated resources. For more about resource graphs, see “Visualizing Resources” on page 620.
New Group (Groups and Resources): Add a new group. The group’s attributes are defined in the Inspect/Edit panel.
Edit Group (Groups and Resources): Edit an existing group through the Inspect/Edit panel. You can edit a variety of group attributes such as the name, description, owner, and so on. Available in all resources.
Delete Group (Groups and Resources): Delete a group.
Rename (Groups and Resources): Change a group’s name directly on the Navigator pane without going through the group’s Inspect/Edit panel.
Edit Access Control (Groups and Resources): Launch the Access Control Editor. For more about the Access Control Editor, see “Editing Access Control Lists (ACLs)” on page 591.
Show Invalid Reason (Groups and Resources): For a group or resource shown as invalid (improperly constructed), display the explanation for the invalidity.
Validate <group or resource> (Groups and Resources): Validate the group or resource that is shown to be invalid because the group or resource was not constructed properly. For more information, see “Validating Resources” on page 623.
Lock <group or resource> (Groups and Resources): Prevent a group or resource from being edited by users other than the creator of the information.
Unlock <group or resource> (Groups and Resources): Allow edits to the group or resource.
Set deprecated flag (Groups and Resources): Set the Deprecated check box on the group or resource’s Attributes tab as seen in the Inspect/Edit panel.
Remove deprecated flag (Groups and Resources): Remove the flag (clear the Deprecated check box) from a previously-deprecated group or resource.
Refresh (All): Updates the Console with the latest changes.
Knowledge Base (Groups and Resources):
• Show Article: Display the associated Knowledge Base article for the resource or group. The associated article is displayed in the Viewer panel.
• Associate With: Select a Knowledge Base article from the Knowledge Base Article Selector to be associated with the resource or group.
• Association Help: Display the Help window for associating a resource with a knowledge base article.
For more information about knowledge bases, see “Knowledge Base Authoring” on page 579.
Reference Pages (Groups and Resources; certain events): Display pointers to additional reference information, if such information is available for the group or resource. For more information, see “Reference Pages” on page 900.
Print <resource> Tree: Print a selected resource’s tree view. For more about using this printing feature, see “Printing Navigation Tree Views of Resources” on page 70.
Help (Groups and Resources): Launch the Console Help topic for the selected resource.
Keyboard Shortcuts (Hot Keys)
You can accomplish many actions in the ArcSight Console by using the default keyboard
shortcuts or hot keys, instead of menus and mouse navigation. The standard keyboard
shortcuts and their associated actions are listed in the table below. Keyboard shortcuts
associated with menu options are included here and also shown in “Using the Menus” on
page 62.
You can view the default keyboard shortcut schemas and set up custom
shortcuts on the Hot Key tab in the Console Preferences dialog (Console
menu option Edit > Preferences, click Manage Hot Keys). For information
on how to view or configure Console keyboard shortcuts, see “Managing Hot
Keys” on page 723 in Chapter 25‚ Personalizing the ArcSight Console‚ on page
715.
Task (Keyboard Shortcut): Description
Annotate events (Ctrl-T): Select one or more events in any grid view, and use the Ctrl-T keyboard command (as an alternative to the right-click Annotate Events menu option). See “Annotating an Event” on page 167.
Mark events reviewed (Ctrl-R): Select one or more events in any grid view, and use the Ctrl-R keyboard command (as an alternative to the right-click Mark as reviewed menu option). See “Collaborating on Events” on page 166.
Copy (Ctrl-C): See “Edit Menu” on page 62.
Cut (Ctrl-X): See “Edit Menu” on page 62.
Delete (Delete key): See “Edit Menu” on page 62.
Find (Ctrl-F): See “Edit Menu” on page 62.
Open the Edit menu (Alt-E): See “Edit Menu” on page 62.
Paste (Ctrl-V): See “Edit Menu” on page 62.
Redo (Ctrl-Y): Re-do any text edit operation.
Select All (Ctrl-A): See “Edit Menu” on page 62.
Undo (Ctrl-Z): Undo any text edit operation.
Exit/shut down the Console (Alt-F4): See “File Menu” on page 62.
Open the File menu (Alt-F): See “File Menu” on page 62.
Open the Edit menu (Alt-E): See “Edit Menu” on page 62.
Open the View menu (Alt-V): See “View Menu” on page 63.
Open the Window menu (Alt-W): See “Window Menu” on page 64.
Open the Tools menu (Alt-T): See “Tools Menu” on page 64.
Open the System menu (Alt-S): See “System Menu” on page 65.
Open the Help menu (Alt-H): See “Help Menu” on page 65.
Open the Help directly (F1): See “Help Menu” on page 65.
Moving, Copying, Linking, and Deleting Resources
You may need to move or duplicate a resource to better organize your work or to make
editable copies. You may also need to delete resource definitions you no longer need.
These tasks are described here. For more information, see all topics in Chapter 3‚ Working
in the ArcSight Console‚ on page 43.
Move, Copy, or Link a Resource
To move, copy, or link a resource:
1. Choose the resource type you want to work with in the Navigator (Active Channels, Filters, Rules, and so on).
2. Navigate to and select a resource instance in the tree, and drag and drop it into another group of the same resource type. The system displays a dialog that provides options to move, copy, or link the resource.
Select Move to move the resource, Copy to make a separate copy of it, or Link to create
a copy of the resource that is linked to the original.
If you select Copy, you create a separate copy of the resource definition that will not be
affected when the original is edited. If you select Link, you create a copy of the resource
definition that is linked to the original. Therefore, if you edit a linked resource definition,
whether it be the original or the copy, all links are edited as well. When deleting linked
resource definitions, you can either delete only the selected one or the selected one and all
linked copies.
Delete a Resource
To delete a resource:
1. Navigate to the resource type you want to work with.
2. Select a resource instance in the tree, right-click and choose Delete <Resource> from the context menu.
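The Copy, Link and Delete behaviour described above can be made concrete with a small model. The following is an added example, not ArcSight's code and not from this guide: the ResourceStore class, the group paths and the filter condition strings are constructed for illustration. A Copy is an independent definition, a Link shares one definition object, and deleting a linked resource may take only the selected one or every linked copy.

```python
# Added example (not ArcSight's code): a small model of the Move, Copy, Link
# and Delete semantics for resource definitions described in this section.
# The ResourceStore class, group paths and condition strings are hypothetical.
import copy


class ResourceStore:
    """Groups hold named resources; each resource points at a definition dict."""

    def __init__(self):
        self.groups = {}  # group path -> {resource name: definition}

    def create(self, group, name, definition):
        self.groups.setdefault(group, {})[name] = definition

    def move(self, src_group, name, dst_group):
        # Move: the definition simply changes group.
        self.groups.setdefault(dst_group, {})[name] = self.groups[src_group].pop(name)

    def copy(self, src_group, name, dst_group):
        # Copy: an independent definition; later edits to the original do not reach it.
        self.groups.setdefault(dst_group, {})[name] = copy.deepcopy(self.groups[src_group][name])

    def link(self, src_group, name, dst_group):
        # Link: the same definition object, so editing either one edits all links.
        self.groups.setdefault(dst_group, {})[name] = self.groups[src_group][name]

    def edit(self, group, name, **attrs):
        self.groups[group][name].update(attrs)

    def get(self, group, name):
        return self.groups[group][name]

    def linked_copies(self, group, name):
        """Every (group, name) that shares the selected resource's definition."""
        target = self.groups[group][name]
        return [(g, n) for g, res in self.groups.items()
                for n, d in res.items() if d is target]

    def delete(self, group, name, all_links=False):
        """Delete only the selected resource, or it together with every linked copy."""
        victims = self.linked_copies(group, name) if all_links else [(group, name)]
        for g, n in victims:
            del self.groups[g][n]
        return len(victims)


def demo():
    """Copy vs. link, then delete the original together with all linked copies."""
    store = ResourceStore()
    # Constructed sample filter definition (not from the guide).
    store.create("/All Filters/Shared", "Failed Logins",
                 {"condition": "categoryOutcome = /Failure"})
    store.copy("/All Filters/Shared", "Failed Logins", "/All Filters/Personal")
    store.link("/All Filters/Shared", "Failed Logins", "/All Filters/Team")

    # Editing the linked copy changes the original too; the plain copy is untouched.
    store.edit("/All Filters/Team", "Failed Logins",
               condition="categoryOutcome = /Failure AND priority >= 5")
    original = store.get("/All Filters/Shared", "Failed Logins")["condition"]
    plain_copy = store.get("/All Filters/Personal", "Failed Logins")["condition"]

    # Deleting with all linked copies removes Shared and Team, leaves Personal.
    removed = store.delete("/All Filters/Shared", "Failed Logins", all_links=True)
    remaining = sorted(g for g, res in store.groups.items() if "Failed Logins" in res)
    return original, plain_copy, removed, remaining


def delete_selected_only():
    """Deleting just the selected link leaves the other linked copy in place."""
    store = ResourceStore()
    store.create("/All Rules/Shared", "Brute Force", {"threshold": 5})  # constructed
    store.link("/All Rules/Shared", "Brute Force", "/All Rules/Team")
    removed = store.delete("/All Rules/Team", "Brute Force")
    return removed, store.get("/All Rules/Shared", "Brute Force")
```

Running demo() shows the original and its Team link carrying the edited condition while the Personal copy still holds the old one, and the all-links delete removing two entries.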
Printing from the Console
You can print Navigator trees for all resources. You can print resource definitions for rules,
filters, and cases, as well as conditions from the Common Conditions Editor (CCE) (for all
resources with filters). You can print from all grid or channel views.
As you would expect, you can also print any item for which the Console calls
a Web browser, such as graphs, charts, and reports. This topic deals
specifically with printing directly from the Console those resources or
elements of resources that are not displayed in a web browser by default.
Printing Navigation Tree Views of Resources
To print the Navigation tree for a resource:
1. In the Navigator, choose the resource you want to print.
2. Click items in the tree to expand or collapse folders in the tree depending on what you want to see in the printout.
   A printout of the Navigation tree for a resource will show the tree exactly as it is displayed on the Console. Folders that are expanded or collapsed on the Console will show the same way in the printout. To print the tree showing the items contained in a particular folder, expand the folder in the Navigation tree before selecting the Print option.
3. Right-click any element in the Navigation tree for that resource and choose Print <ResourceName> Tree. (For example, Print Rule Tree.) Regardless of which item you select to access the right-click menu, the whole tree prints.
4. The system displays a print preview such as the preview of a Rules tree, as shown.
5. Click Print to bring up a standard Print dialog, and set these properties (which printer, page layout, and so on).
6. Click OK to print.
Printing Resource Definitions
You can print resource definitions for rules, filters, and cases. You can print a resource
definition from the Navigator tree or from within the resource editor.
To print a resource definition:
1. In the Navigator, choose the type of resource you want to print.
2. Right-click an instance of that resource (a rule, filter, or case), and choose Print <ResourceName> Definition (for example, Print Rule Definition).
   Or
   Double-click a resource to open its editor in the Inspect/Edit panel, then right-click the topmost tab in the editor and choose Print <ResourceName> Definition.
   The system displays a print preview such as the preview of a Rules definition.
3. Click Print to bring up a standard Print dialog, and set these properties (which printer, page layout, and so on).
4. Click OK to print.
Saving as an HTML File
From the Print Preview dialog for a Resource Definition, you can save the definition as an
HTML file.
1. On the Print Preview dialog, click the Save tool button.
2. In the file browser, navigate to the location where you want to save the HTML file.
3. Enter a name for the file in the File Name field. The File Type is Web Page (*.html) by default.
4. Click Save.
Printing Grid Views
To print items from a grid view (such as an active channel or active list):
1. Select one or more items in the grid. To select multiple, adjacent items, use the Shift key and mouse click, or click and drag. To select non-adjacent items, use the Alt key in combination with mouse clicks.
2. Right-click and choose Print Selected Rows.
   The system displays a preview of the printout. (For examples, see “Using Column Flip Limit to Format Grid View Printouts” on page 74.)
3. Click Print to open the Print dialog, and set these properties (which printer, page layout, and so on).
4. Click OK to print.
The format of a grid view printout is determined by the number of columns in
the table and the configuration of the Column Flip Limit, which is set in the
Console Preferences dialog. For more information, see “Using Column Flip
Limit to Format Grid View Printouts” on page 74.
Printing Conditions Tree Summary
You can print Conditions for any resource with filters.
1. Open the resource in the Editor.
2. Click the Conditions tab.
3. Right-click anywhere on the Edit tab in the Common Conditions Editor (CCE).
4. Choose Print Conditions Tree and Summary from the context menu.
   The system displays a preview of the printout. For example, here is a Print Preview of the filter for a stock rule called Excessive Rule Recursion.
5. Click Print to bring up a standard Print dialog, and set these properties (which printer, page layout, and so on).
6. Click OK to print.
Using Column Flip Limit to Format Grid View Printouts
For printing tables from Grid Views (channels, lists, and so forth), you can configure the
Column Flip Limit in the Console Preferences.
Choose Edit > Preferences, and click Grid View Options. The default is 10 columns.
Grid views with the same or fewer columns than the Column Flip Limit print as a table, the same as that shown in the UI on the Console grid view.
Grid views with more columns than the Column Flip Limit print details per row rather than in a normal table like that shown on the Console grid view.
Instructions for setting the Column Flip Limit for grid views are also summarized in Setting Grid View Options in “Changing User Preferences” on page 716, along with information about how to set other Console preferences.
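The Column Flip Limit rule (table layout up to the limit, per-row details above it) is easy to mistake when a printout suddenly changes shape. The following added example is not ArcSight's code and does not reproduce the Console's actual print rendering; it applies the same rule to a constructed grid of twelve event fields so that the two layouts can be compared side by side. The column names and event rows are sample data made up for this example.

```python
# Added example (not ArcSight's code): reproduces the Column Flip Limit rule for
# grid-view printouts. A grid with the same number of columns as the limit or
# fewer prints as a table; a grid with more columns prints one details block per
# row. Column names and event rows below are constructed sample data.

DEFAULT_FLIP_LIMIT = 10  # the Console default stated in the guide


def prints_as_table(column_count, flip_limit=DEFAULT_FLIP_LIMIT):
    """True when the grid keeps its table layout in the printout."""
    return column_count <= flip_limit


def render_printout(headers, rows, flip_limit=DEFAULT_FLIP_LIMIT):
    """Return the text of the printout for the selected grid rows."""
    if prints_as_table(len(headers), flip_limit):
        return _render_table(headers, rows)
    return _render_per_row(headers, rows)


def _render_table(headers, rows):
    # Width of each column is the longest value in it, header included.
    widths = [max(len(str(v)) for v in [h] + [r[i] for r in rows])
              for i, h in enumerate(headers)]
    fmt = "  ".join("{:<%d}" % w for w in widths)
    lines = [fmt.format(*headers), fmt.format(*("-" * w for w in widths))]
    lines += [fmt.format(*(str(v) for v in r)) for r in rows]
    return "\n".join(lines)


def _render_per_row(headers, rows):
    # Too many columns for the page width: print each row as field/value pairs.
    blocks = []
    for n, r in enumerate(rows, 1):
        block = [f"Row {n}"] + [f"  {h}: {v}" for h, v in zip(headers, r)]
        blocks.append("\n".join(block))
    return "\n\n".join(blocks)


# Constructed sample: two events with twelve event fields each.
SAMPLE_HEADERS = ["End Time", "Name", "Priority", "Attacker Address", "Target Address",
                  "Target Port", "Device Vendor", "Device Product", "Category Outcome",
                  "Agent Name", "Customer", "Annotation Stage"]
SAMPLE_ROWS = [
    ["2012-09-20 10:00:01", "Login failed", 5, "10.0.0.5", "10.0.1.20", 22,
     "OpenSSH", "sshd", "/Failure", "syslog-01", "Example Corp", "Queued"],
    ["2012-09-20 10:00:07", "Port scan", 7, "10.0.0.9", "10.0.1.21", 443,
     "Snort", "IDS", "/Attempt", "snort-01", "Example Corp", "Queued"],
]


def layout_for_sample(flip_limit=DEFAULT_FLIP_LIMIT):
    """Which layout the constructed sample gets under the given limit."""
    return "table" if prints_as_table(len(SAMPLE_HEADERS), flip_limit) else "per-row"


if __name__ == "__main__":
    print(render_printout(SAMPLE_HEADERS, SAMPLE_ROWS))      # twelve columns > 10: per-row
    print(render_printout(SAMPLE_HEADERS, SAMPLE_ROWS, 12))  # limit raised to 12: table
```

With the default limit of 10 the twelve-column sample prints as per-row blocks; raising the limit to 12 in the call (the equivalent of changing the preference) switches the same rows back to a table.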
Chapter 4
Monitoring Events
This topic describes how to monitor events coming from SmartConnectors using tools that
are displayed in the Viewer panel.
“Monitoring Active Channels” on page 77
“Using Dashboards” on page 102
“Using Data Monitors” on page 108
“Using Query Viewers” on page 116
“Using Custom View Dashboards” on page 116
“Monitoring Active Lists” on page 123
“Graphing Attacks” on page 124
You can monitor events through a rich set of views, including active channel and grids,
dashboard graphics and tables, and active lists, as described in the following topics.
Monitoring Active Channels
Active channels provide a streaming view of events coming into your system that can be
viewed numerous ways using numerous types of filters and field sets.
Using Views
Views can vary in scope and scale, from broad to narrow, and from graphic to detailed,
depending on how your enterprise is organized and monitored.
Selecting a View
In the Viewer panel, click a tab at the top to choose an active channel by name. When
you've chosen a channel, you can select various instances of that channel (such as a grid
view and bar chart of the same data) by clicking its tile, or its tab at the bottom of the
panel.
Alternatively, to quickly advance through each of the tabs in the Viewer panel, press Ctrl+Shift+N (next) or Ctrl+Shift+P (previous) to jump forward or backward. This applies to any type of view in the Viewer panel.
Changing View Layouts
You change individual view layouts with the Layout menu available from the blue icon at
the lower-right corner of the Viewer panel. Click this icon to choose:
Layout Option: Result
Tab: Fill the active channel display with the current view and make other open views selectable by tabs at the lower border.
Tile Best Fit: Display all views in the active channel as variously shaped tiles, giving each a proportional amount of space.
Tile Horizontally: Display all views in the active channel horizontally, giving each a proportional amount of space.
Tile Vertically: Display all views in the active channel vertically, giving each a proportional amount of space.
Floating a View
In the active channel's name tab, right-click and choose Float.
Closing One or All Views
In the active channel's name tab, right-click and choose Close or Close All.
To close an individual view, Shift+click its name tab. You can also right-click a view name tab and choose Close from the popup menu.
Closing all Views Except the Current One
In the active channel's name tab, right-click and choose Close All But Current.
Viewing and Using Channels
Viewing and using active channels includes creating them, filtering them, customizing
contents, changing presentation formats or layouts, and deleting them.
Also, an action from a triggered rule can create a new active channel.
Press Enter to register edits made in editors and channel columns
To ensure that ESM registers a change you make to a field in editor and
channel columns, hit the Enter key before clicking Apply or OK.
Viewing an Active Channel
To view an active channel:
1. Choose Active Channels in the Navigator.
2. Right-click a channel and choose Show Active Channel. The selected channel is displayed in the Viewer.
If a channel is open when Daylight Saving Time goes into or out of effect, the live channel will not reflect the correct start and end times until it is stopped and re-started.
Sorting Events in an Active Channel
The names of sortable fields in column headers are indicated with a double-arrow icon. If a field is already sorted, an up or down arrow indicates the direction of the sort.
To sort events in an active channel:
• To sort the list by a column, right-click over the column and select Sort Column.
• To reverse the sort order, select Sort Column again on an already-sorted column. This makes the column the primary sort column.
• To remove a sort, right-click over a sorted column and select Remove Sort.
For more information, see “Applying a Field Set to an Active Channel” on page 80 and
“Using Sortable Columns in Grid Views” on page 928. For information about how to create
field sets that use sortable field sets, see “Creating and Using Field Sets” on page 154.
Primary and secondary sort columns
When you select Sort Column, it becomes the primary sort column and the number 1
appears next to the sort arrow. The previous column by which the report was sorted
becomes the secondary sort column and the number 2 appears next to the sort arrow.
This numbering applies to every column on which you sort: the newest sort is always 1, and the others change accordingly.
Sorting by primary and secondary time columns
When your primary and secondary sort columns are both time columns (such as
Create Time and Modification Time), milliseconds become a factor in sort order.
Milliseconds are not displayed. This can create a situation where a number of items
with the same primary time appear to show the secondary sort as in the wrong order.
In reality the primary times are off by milliseconds, so they are not the same, and
these milliseconds affect sort order before the secondary time is taken into account.
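Both points above, the primary/secondary numbering and the hidden-millisecond effect on time columns, are shown in the following added example. It is not ArcSight's code and the guide does not show the Console's implementation; the SortState class and the three sample events (whose Create Times differ only by milliseconds) are constructed for illustration.

```python
# Added example (not ArcSight's code): models the primary/secondary sort
# numbering and the hidden-millisecond effect described above. The SortState
# class and the sample events are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta
from operator import attrgetter


@dataclass
class Event:
    name: str
    create_time: datetime
    modification_time: datetime


def displayed(ts):
    """What the grid shows: seconds precision, milliseconds hidden."""
    return ts.strftime("%Y-%m-%d %H:%M:%S")


class SortState:
    """Ordered sort columns; index 0 is the primary (numbered 1 in the header)."""

    def __init__(self):
        self.columns = []  # [column name, descending?] with the newest sort first

    def sort_column(self, column):
        # Selecting an already-sorted column reverses it and makes it primary;
        # selecting a new column makes it primary in ascending order.
        for entry in self.columns:
            if entry[0] == column:
                self.columns.remove(entry)
                self.columns.insert(0, [column, not entry[1]])
                return
        self.columns.insert(0, [column, False])

    def remove_sort(self, column):
        self.columns = [e for e in self.columns if e[0] != column]

    def labels(self):
        """Column -> (sort number shown next to the arrow, direction)."""
        return {c: (i + 1, "desc" if d else "asc") for i, (c, d) in enumerate(self.columns)}

    def apply(self, events):
        # Sort by the least significant column first; Python's sort is stable,
        # so each later pass keeps the earlier order among equal keys.
        result = list(events)
        for column, descending in reversed(self.columns):
            result.sort(key=attrgetter(column), reverse=descending)
        return result


# Constructed sample: creation times differ only by milliseconds, which the grid hides.
_BASE = datetime(2012, 9, 20, 10, 0, 0)
SAMPLE_EVENTS = [
    Event("e1", _BASE + timedelta(milliseconds=300), _BASE + timedelta(seconds=5)),
    Event("e2", _BASE + timedelta(milliseconds=100), _BASE + timedelta(seconds=7)),
    Event("e3", _BASE + timedelta(milliseconds=200), _BASE + timedelta(seconds=6)),
]


def sort_by_create_then_modification():
    """Primary Create Time, secondary Modification Time, as a user would click them."""
    state = SortState()
    state.sort_column("modification_time")  # becomes 1 ...
    state.sort_column("create_time")        # ... then this becomes 1, the other 2
    ordered = state.apply(SAMPLE_EVENTS)
    rows = [(e.name, displayed(e.create_time), displayed(e.modification_time)) for e in ordered]
    return state.labels(), rows


def reverse_primary():
    """Selecting the primary column again reverses it and keeps it primary."""
    state = SortState()
    state.sort_column("create_time")
    state.sort_column("create_time")
    return state.labels()
```

In sort_by_create_then_modification() all three rows display the same Create Time, yet the Modification Times come out 10:00:07, 10:00:06, 10:00:05, which looks like a descending secondary sort. The order is in fact driven by the hidden milliseconds of the primary column, exactly the situation the note describes.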
Creating an Active Channel
To create an active channel:
1. Choose the File>New>Active Channel menu command to open the New Active Channel dialog box, or right-click a group in the Active Channel resource tree and choose New Active Channel.
2. In the dialog box, name the channel and choose from the options described in “To change an active channel's operating parameters, click the Attributes tab.” on page 83.
3. Click the Examples button to see how to specify commonly used channel values.
4. Click OK to save the new channel in your group in the Active Channels resource tree, and to open and run it in the Viewer panel.
Viewing Resources in Active Channels
You can view certain resources (in addition to events) in active channels,
including Assets, Vulnerabilities, Asset Categories, Scanner Reports,
Cases, and Stages. In the Navigator, right-click a resource or group, and
choose Show <ResourceName>. The resources are displayed in an
active channel view.
Using slightly different menu options, you can view the results of
triggered Rules in channels as well. (For information on creating active
channels for Rules, see “Verifying Rule(s) with Events” on page 428.)
You can also create active channels from filters. In the Filters resource
tree, right-click a filter and choose Create Channel with Filter. Many
resources that have filters also provide this option. For example, you can
right-click Connectors in the Navigator, and choose Create Channel
with Filter to create a channel with the filter used by that connector.
You can do the same with Assets (Vulnerabilities, Zones, Categories,
Assets), Cases, and Stages. (For Cases, choose Case Details Channel as
described in “Creating a Channel for a Case” on page 532. The case must
include some events.)
Applying a Field Set to an Active Channel
To apply a field set to an active channel:
1. Right-click over any field header and choose Field Set > Select a Field Set to open the Field Sets Selector dialog.
2. In the Field Sets Selector dialog, select a field set (or a domain field set you created) and click OK.
The active channel is displayed with the selected field set.
About ArcSight System Sortable Field Sets
The Sortable Field Sets under ArcSight System are not available for
selecting in active channels. The ArcSight System sortable field sets are
a special set marked for internal use to provide the sortable functionality
and maintain consistency between the Console user interface, field sets,
and database indexes.
For more information about sorting, see “Sorting Events in an Active
Channel” on page 79.
See “Variable Availability and Contexts” on page 962 for information about using variables
in active channels.
Adding a Column to the Channel
You can add another column to the channel display to show additional fields.
Using an Active Channel Header
Each active channel has a header section with several features you can use to understand
and manipulate what the channel displays.
Active Channel Header Features:
Feature: Usage
Name and Total: The top line of the header shows the channel's name and how many events it contains. You can also use the Plus (+) and Minus (-) buttons at the right end to open and close the header.
Note: The event count function on Active Channels only reports live events, not replay events. For a count of all events coming through during a particular period, you should create a query viewer or report. If you want a count of only replay events, the event count in a replay channel will provide an accurate count of all replay events within a specific time window.
Priority Indicators: On the right border of the header is a column of event-priority statistic indicators. The numbers beside the Priority categories are the number of events in those categories. Click these indicators to filter the channel to show only the selected priority.
Time Span: The Start Time and End Time show the chronological range of the channel.
Filter status: This describes the filter that limits what the channel shows. Click a filter status name, such as <No Filter>, to open the Active Channel Editor and its Filters tab, where you can add, edit, or delete contents as described in “Creating Filters” on page 173. You can also right-click the current filter status and choose to edit, save, or remove it.
Radar display button: Open and close the display with the Plus (+) and Minus (-) button at the right end of the Filter line.
Radar display operation: Click, Shift+click, Ctrl+click, or drag to select bars in the display. You can also drag a selection's borders left or right. The grid then shows just the events the selection represents.
The display shows “This channel is active but temporarily empty” at any time, no matter how briefly, if there are no qualifying events. This also might show when a channel first opens.
Filtering an Active Channel
You can filter active channels through the Filter tab of the Active Channel Editor or inline
using the blank fields in the top row of each grid view. Right-click the filter name in the
header and choose Edit Filter to open the editor and create a filter as described in
“Creating Filters” on page 173. To use inline filters, see “Using Active Channels” on
page 93.
Understanding how to use the Common Conditions Editor (CCE) is integral to creating and editing filters. Please see “Common Conditions Editor (CCE)” on page 782 for more information.
Saving Copies of Active Channels and Filters
You can save copies of active channels or their filters to modify them later. This is useful to
retain an original channel or filter as is, but use a copy of it for a new resource.
To save a copy of an active channel under a new name, right-click the filter name in the
header, and choose Save Active Channel As. This brings up the Active Channels Selector
dialog, which shows the Active Channels resource tree. Navigate to where you want to
save the channel, enter a new name for it, and click OK.
You can use a copy of the filter for an active channel independently, or as a basis for other
filters. Right-click the filter name in the header, and choose Save Filter. This opens the
Filter Selector dialog, which shows the Filters resource tree. Navigate to where you want to
save the filter, enter a new name for it, and click OK.
Editing an Active Channel
1. Right-click a channel in the Navigator panel's Active Channel resource tree and choose Edit Active Channel.
2. To change an active channel's operating parameters, click the Attributes tab.
Feature: Usage
Start Time: The relative or absolute time reference that begins the period to track events in the channel. Edit the time expression, choose a common expression from the drop-down menu, or click the Selector button to choose an absolute date and time value. See “Timestamp Variables” on page 943 for more options.
Note: If a channel is open when Daylight Saving Time starts or ends, it does not show the correct start time until you restart it.
You can change the default start time for new channels by editing the console.properties file in the <ArcSight_Console_HOME>/current/config directory. For example, add this line...
console.channel.newChannel.defaultSubtractTime="$Now - 2h"
... to change the start time to two hours ago. For a list of possible time values see the Start Time: field pull-down menu.
End Time: The relative or absolute time that ends the period to actively track the events in the channel. Edit the time expression, choose a common expression from the drop-down menu, or click the Selector button to choose an absolute date/time value. See “Timestamp Variables” on page 943 for more options.
Notes:
• If a channel is open when Daylight Saving Time starts/ends, the live channel does not show the correct start time until you restart it.
• If setting the End Time results in the message “Invalid end date for sliding channel,” the channel is set to Continuously evaluate instead of Evaluate once at attach time. Either re-set the End Time or change the Time Parameters option for the channel to Continuously evaluate.
• Avoid creating active channels that query over more than one day. For active channels that query for more than one day, use Evaluate time parameters once at attach time instead of Continuously evaluate. Better yet, use trends for these types of active channels. See also “Best Practices to Optimize Active Channel Performance” on page 86.
Use as Timestamp: Choose the event-timing phase that best supports your analysis. End Time represents the time the event ended, as reported by the device. Manager Receipt Time is the event's recorded arrival time at the ArcSight Manager.
Time Parameters: Choose whether the channel will Continuously evaluate to show events that are qualified by Start and End times which are re-evaluated constantly while the channel is running, or Evaluate once at attach time to show only the events that qualify when the channel is first run.
A channel set to Continuously evaluate is also known as a sliding channel, and typically has its End Time option set to $Now.
Default Field Set: Choose an existing event field set for the events processed through the channel. The default field set is for users who view a channel for the first time. If no default is specified, the ArcSight system default is used. When a user closes a channel, ArcSight saves the field set (and all other console settings) to the user’s .ast file.
After a user has opened a channel once, the console does not use the default field set for that user again. Changing the default only affects other users who have never opened the channel before.
Entering data in the Common and Assign sections is optional, depending on
how your environment is configured. For information about the Common and
Assign attributes sections, as well as the read-only attribute fields in Parent
Groups and Creation Information, see “Common Resource Attribute Fields”
on page 630.
3. Click the Filter tab to edit the channel's filter condition as described in “Creating Filters” on page 173.
4. Click the Sort Fields tab to explicitly set which fields to sort the channel on in grid views, the sort order for those fields, and whether sorting for each field is ascending (A to Z) or descending (Z to A).
5. Click the Local Variables tab to use ArcSight local variables with the channel's filters.
   You can create local variables, which are only available to the resource you are creating (in this case, an active channel), or use global variables. For information on creating global variables, see “Creating Filters” on page 173 and Chapter 14‚ Global Variables‚ on page 435.
6. Click Apply or OK to save the updated channel.
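The Time Parameters choice in the Attributes tab (Continuously evaluate, the sliding channel, versus Evaluate once at attach time) is easiest to see with a relative Start Time such as the "$Now - 2h" used in the console.properties example above. The following is an added example, not ArcSight's code: the Channel class, the sample events and the tiny expression parser are constructed for illustration. The parser is an assumption that covers only the forms shown on this page ("$Now", optionally followed by "- <n><unit>" with unit m, h or d); the Console's real timestamp-variable syntax is documented in “Timestamp Variables” on page 943 and is not reproduced here.

```python
# Added example (not ArcSight's code): shows how "Evaluate once at attach time"
# and "Continuously evaluate" (a sliding channel) differ when the Start Time is
# a relative expression such as "$Now - 2h". The expression grammar handled here
# is an assumption covering only the forms shown on this page: "$Now", optionally
# followed by "- <n><unit>" with unit m (minutes), h (hours) or d (days).
import re
from datetime import datetime, timedelta

_RELATIVE = re.compile(r"^\$Now(?:\s*-\s*(\d+)([mhd]))?$")
_UNITS = {"m": "minutes", "h": "hours", "d": "days"}


def is_supported(expr):
    """True if the (assumed) grammar above can resolve the expression."""
    return _RELATIVE.match(expr.strip()) is not None


def resolve(expr, now):
    """Resolve a relative time expression (assumed grammar) against 'now'."""
    match = _RELATIVE.match(expr.strip())
    if not match:
        raise ValueError(f"unsupported time expression: {expr!r}")
    if match.group(1) is None:
        return now
    return now - timedelta(**{_UNITS[match.group(2)]: int(match.group(1))})


class Channel:
    def __init__(self, start_expr, end_expr, continuous):
        self.start_expr = start_expr
        self.end_expr = end_expr
        self.continuous = continuous  # True = Continuously evaluate (sliding)
        self._attached = None         # window fixed at attach time, if not continuous

    def window(self, now):
        """The (start, end) window in force at 'now'."""
        if self.continuous:
            # Sliding channel: the expressions are re-evaluated on every look.
            return resolve(self.start_expr, now), resolve(self.end_expr, now)
        if self._attached is None:
            # Evaluate once at attach time: the first evaluation is kept.
            self._attached = (resolve(self.start_expr, now), resolve(self.end_expr, now))
        return self._attached

    def select(self, events, now):
        """Names of events whose End Time falls inside the current window."""
        start, end = self.window(now)
        return [name for name, end_time in events if start <= end_time <= end]


# Constructed sample events: (name, End Time) around the attach time T0.
_T0 = datetime(2012, 9, 20, 10, 0, 0)
SAMPLE_EVENTS = [
    ("early", _T0 - timedelta(hours=1, minutes=30)),
    ("recent", _T0 - timedelta(minutes=30)),
    ("later", _T0 + timedelta(minutes=30)),
    ("latest", _T0 + timedelta(hours=1, minutes=30)),
]


def compare(hours_after_attach=2):
    """Open both channel kinds at T0, then look at them again some hours later."""
    sliding = Channel("$Now - 2h", "$Now", continuous=True)
    fixed = Channel("$Now - 2h", "$Now", continuous=False)
    later = _T0 + timedelta(hours=hours_after_attach)
    return {
        "sliding_at_attach": sliding.select(SAMPLE_EVENTS, _T0),
        "sliding_later": sliding.select(SAMPLE_EVENTS, later),
        "fixed_at_attach": fixed.select(SAMPLE_EVENTS, _T0),
        "fixed_later": fixed.select(SAMPLE_EVENTS, later),
    }
```

Two hours after attaching, the sliding channel's window has moved on to the two newest events, while the attach-time channel still reports the two events it found at T0. This is also why the guide steers multi-day channels toward the attach-time option: a sliding window means the query time range is recomputed continuously.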
Defining Grid Fields Options
In the New Active Channel dialog box you can choose from the Select a Field Set menu,
or you can click the Define button to open the Define Grid Fields dialog box. See “Creating
and Using Field Sets” on page 154 for more information. To change these choices after
creating a channel, use the steps described in “Customizing Columns” on page 100.
Feature: Usage
Fields: A name for the set.
Available Fields: Select the event fields (also called data fields or attributes) that you want the channel to process. As you make selections, they appear in the Fields to Show list at the right. Remember that not all fields are readily sortable.
Fields to Show: This list shows the selections you have made in the Available Fields list. The order you give to the fields in this list becomes their default presentation order in grid views. Once populated, you can select one or more fields (Shift+click and Ctrl+click apply) to rearrange with the Move Up, Move Down, and Remove buttons.
Move Up, Move Down, Remove: These buttons move or remove the fields you select in the Fields to Show list. The order you set becomes the presentation order in grid views.
Sort First By: After selecting and ordering fields, you establish their sorting order (also called their group by order). Use Sort First By to set the ascending (A to Z) or descending (Z to A) order of the first or most-significant column.
Then By: Use the first Then By sort-order field to set the second sorting order. Use the second Then By sort-order field to set the third sorting order.
More, Less: Click More if you need an additional Then By field. Click Less to remove one.
Discovering Patterns in an Active Channel
Right-click the channel in the Navigator panel's Active Channels resource tree and choose
Discover Patterns. ArcSight takes a snapshot of the channel's current contents and
examines it for patterns. You see the snapshot in the Viewer panel and the profile that
generated the pattern appears in your personal folder in the Navigator panel's Pattern
Discovery resource tree. For more information on pattern discovery, see “Pattern
Discovery” on page 127.
Deleting an Active Channel
Right-click the channel in the Navigator panel's Active Channels resource tree and choose
Delete Active Channel.
Adding a View Format
To add another type of presentation (view) for the data in an active channel, click the View
Type icon in the lower-right corner of the Viewer panel. Choose among grids and the
various types of chart or graphic views.
Changing View Layouts
To change the visual arrangement of individual channels within a view container, such as
data monitors within a dashboard, click the Layout icon and choose to show or arrange
the views by Tab, or Tile Best Fit, Tile Horizontally, or Tile Vertically.
Best Practices to Optimize Active Channel Performance
The following topics compare active channels, reports, query viewers, and trends in terms
of goals and optimal resources for various use cases.
Active Channels or Reports?
Active channels are the better choice if you would rather see results streaming in as the
queries proceed, rather than wait for the results to appear in one view in a report.
However, if speed of results is your goal, you might want to run a report instead. The total
completion time of an equivalent report would be faster than the total time it takes for the
channel to load 100%. This is because the active channel runs multiple smaller queries
instead of one large query to display initial results quicker.
See also, “Building Queries” on page 302 “Building Trends” on page 318, and
“Understanding Reporting Workflow” on page 279 in this guide, and “Query and Trend
Performance Tuning” in the Administrator’s Guide.
Active Channels or Query Viewers?
Query Viewers behave more like reports (see “Active Channels or Reports?” on page 86) as
they issue a single query and return all results in one go instead of the streaming
progression of results from an active channel. Query viewers are most suitable if you have
to slice and dice these query results further, for example, by changing the sort columns,
changing types of charts/grid, and so on. These operations are performed on the client
side with the results of the already-executed query. If you were using active channels
instead, these types of changes would result in a re-run of the query.
See also “Query Viewers” on page 233.
Active Channel Query Time Ranges
Take note of the query time range in one of your active channels. The more hours you are querying, the slower the results are to load. An active channel shows results in minutes if you are querying a few hours of data. But the channel might start taking several hours to query larger time ranges that span more than 24 hours of data.
If you are querying over more than a day's worth of data, we recommend running a report
(using queries and trends) or a query viewer instead of using an active channel.
Active Channel Filters
The more filter conditions you define in an active channel, the more work the channel has
to do in the database to evaluate the conditions. A channel that does not have any filter
conditions loads data fastest. (This does not mean that the query will run on all events in
the database. Only a subset of events are queried, based upon the page you are looking at
in the channel.)
Filtering on Indexed Fields
Filtering on indexed fields is faster than filtering on non-indexed fields. You can find out
which fields are indexed, by viewing these field sets:
/All Field Sets/ArcSight System/Sortable Field Sets/Field Set Based On ARC_E_ET Index
/All Field Sets/ArcSight System/Sortable Field Sets/Field Set Based On ARC_E_MRT Index
Filtering on Join Fields
The ESM event schema consists of a main arc_event table and several side tables. These
side tables hold fields related to Annotation, Device fields, Agent fields, Resource
References, and so on. If your query has a filter condition on a join field, the resulting
channel would have to do more work to evaluate it.
Continuously-Updating Time Parameters
A channel that is “live” (querying against a moving time window and continuously updating
the query time ranges) has to do more work than a channel based against fixed time
windows. Performance will be better and faster on a channel with a fixed time window than
on a live channel. (See also “Use of the “Live” Channel from Standard Content” on
page 87.)
End Time or Manager Receipt Time
Using “End Time” as the time field in your active channel is faster than using Manager
Receipt Time.
Also, we recommend that you avoid creating channels that are based on one time field but
sort on a different time field. A common cause of poor channel performance is user-created
channels with this problem; that is, a channel based on End Time, but sorted on Manager
Receipt Time (or vice versa).
Sorting in Active Channels
By default, the channel has a sort order based upon the time field that was used for
creating the channel (End Time or Manager Receipt Time). You have the option to sort on
any other indexed columns defined in the two field sets referenced in “Filtering on Indexed
Fields” on page 87). Note that the sorting operation is done in the database query, so every
time you change sort by any column in your currently open active channel, effectively it has
to re-create the complete channel. (You can use a query viewer instead, that does sorting
on the client side with the data it has already queried.)
Also, the sorting operation can be very expensive, especially when millions of events match
your filter conditions. Avoid sorting if your filter conditions are not restrictive. For example,
the base channel with no filter conditions is normally fastest to load, but it would become
the slowest to load if you change its default time based sort order.
Use of the “Live” Channel from Standard Content
If you are using /All Active Channels/ArcSight System/Core/Live or any
similar channel, be aware that the performance of that channel is slower because it has
several complex joins (Joins with Annotations, Resource Reference, Device), uses unindexed fields, and performs additional bit-wise operations to evaluate its filter conditions.
Depending upon your specific use-case, you can simplify and create your own “Live”
channel that is more efficient.
Case Sensitive or Case-Insensitive Conditions?
Wherever possible, use case-sensitive conditions. That saves the extra computation needed
for the TOUPPER operation required for case-insensitive matches.
I/O Subsystem Performance
Channel query performance is typically limited by the performance of the I/O subsystem on
the database. The more events you are inserting, the more load is placed on the I/O
subsystem. SAN performance, RAID levels, I/O caches, and so on play a role in how much
performance you can obtain.
Database Parameters
Make sure that you are using the right-sized database template for your setup. You can
ask Customer Support for help on adjusting the database to make use of more available
RAM, and so on.
To diagnose channel performance issues, start with the most basic active channel to see
whether it meets your performance needs, and then keep refining/expanding until you can
tell which change is affecting performance. We recommend starting with the most basic
active channel that has the following characteristics:
• Based upon End Time
• No filter conditions (also, make sure to run as an administrator user so that there is no
access control filter)
• Query time is two hours ago to Now
• No continuous updates of time parameters
With the above basic active channel, you should see less than a minute wait in starting the
channel and doing random scrolls in the channel.
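The following is an added example, not code from this guide or from ESM. It builds a toy stand-in for the arc_event table in SQLite (the column names end_time, mrt and name and the index names are assumptions; the real ESM schema is not reproduced) and asks SQLite's query planner how it would run four channel-style queries. Two of the points above fall out of the plans: a channel based on End Time but sorted on Manager Receipt Time needs an extra sort step after the index range scan, and a case-insensitive condition written as upper(name) = ... cannot use the index on name at all, while the case-sensitive name = ... can.

```python
# Added example, not ArcSight code: a toy arc_event table in SQLite, used only
# to let a query planner show why the channel tuning advice above holds.
# Column names (end_time, mrt, name) and index names are assumptions; the
# real ESM schema is not reproduced here.
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory stand-in for arc_event with indexes on the two
    time fields and on the event name, then load constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE arc_event (
            event_id INTEGER PRIMARY KEY,
            end_time INTEGER NOT NULL,   -- End Time, ms since epoch (assumed)
            mrt      INTEGER NOT NULL,   -- Manager Receipt Time (assumed)
            name     TEXT    NOT NULL,
            priority INTEGER NOT NULL
        );
        CREATE INDEX arc_e_et   ON arc_event (end_time);
        CREATE INDEX arc_e_mrt  ON arc_event (mrt);
        CREATE INDEX arc_e_name ON arc_event (name);
        """
    )
    # Constructed sample data: 500 events whose receipt time lags End Time by
    # a few ms, so the two time orders are not identical.
    rows = [
        (1_000_000 + i, 1_000_000 + i + (i * 7) % 5,
         "Login Successful" if i % 3 else "Login Failed", i % 10)
        for i in range(500)
    ]
    con.executemany(
        "INSERT INTO arc_event (end_time, mrt, name, priority) VALUES (?, ?, ?, ?)",
        rows,
    )
    return con


def plan(con: sqlite3.Connection, sql: str, params=()) -> str:
    """Return SQLite's EXPLAIN QUERY PLAN for a statement as one string."""
    steps = con.execute("EXPLAIN QUERY PLAN " + sql, params).fetchall()
    return " | ".join(str(step[-1]) for step in steps)


def channel_plans(con: sqlite3.Connection) -> dict:
    """Plans for four channel-style queries: a fixed two-hour window on End
    Time sorted on End Time, the same window sorted on MRT, and a name
    condition written case-sensitively and case-insensitively."""
    window = (1_000_000, 1_000_000 + 2 * 60 * 60 * 1000)
    return {
        "sort_on_channel_time_field": plan(
            con,
            "SELECT * FROM arc_event WHERE end_time BETWEEN ? AND ? "
            "ORDER BY end_time DESC",
            window,
        ),
        "sort_on_other_time_field": plan(
            con,
            "SELECT * FROM arc_event WHERE end_time BETWEEN ? AND ? "
            "ORDER BY mrt DESC",
            window,
        ),
        "case_sensitive": plan(
            con, "SELECT * FROM arc_event WHERE name = ?", ("Login Failed",)
        ),
        "case_insensitive": plan(
            con, "SELECT * FROM arc_event WHERE upper(name) = ?", ("LOGIN FAILED",)
        ),
    }


def count_matches(con: sqlite3.Connection, sql: str, params=()) -> int:
    """Row count for a query, used to show that the case-sensitive form
    really is case-sensitive."""
    return con.execute("SELECT count(*) FROM (" + sql + ")", params).fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    for label, text in channel_plans(db).items():
        print(f"{label:28s} {text}")
```

Run it to print the plans: the sort mismatch shows up as USE TEMP B-TREE FOR ORDER BY after the index search, and the case-insensitive condition as a full table scan instead of an index search. The CORR-Engine is not SQLite and its plan text differs, but the reason behind the advice above is the same.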
Investigating Views
This topic explains how to use the Console's Investigate command to easily refine and
explore channels contextually, using attributes of the events already being displayed in grid
views. The Investigate command uses these attributes, and the values found in their
events, to automatically formulate simple filters or conditions. When you create or refine a
filter through Investigate, the Viewer panel automatically opens a new view of the channel
with the filter applied. You explore the filter's effect in this view. You then have the option
to keep the view by saving the channel under a new name, or discarding it by right-clicking
in the grid and choosing Close.
When you use Investigate to add a condition to a resource editor such as Rules or Filters,
the condition appears in the editor panel where you can modify it or click Apply to put it
into effect.
The new or modified views you generate with the Investigate command can be grids, or
you can choose to display them in applicable chart formats using the Viewer Selector
icon in the lower-right corner of the Viewer panel.
To learn more about the event attributes these options use, please see “Data Fields” on
page 803.
[Figure: a temporary view created with the Investigate command]
Using an Event Attribute to Show a New Filtered View
These options completely control the new view created, ignoring the filter in the original
view. You most often use them to test and explore.
In a grid view, right-click an attribute (column) in an event listing and choose
Investigate, followed by one of these options:
Create Filter [Attribute=Value]
    Show only those events in which the selected attribute matches the value in the
    selected event.
Create Filter [Attribute!=Value]
    Show only those events in which the selected attribute does not match the value in
    the selected event.
Create Filter [List of Related Attributes=Value, !=Value]
    When the selected attribute is of a type that has related attributes, choose to show
    only those events that do (or do not) match one of the related attributes on the
    additional menu. Generally, attributes are considered related if they share a common
    focus such as IP addresses.
Refining a Filter with an Event Attribute
These options open a new view that uses a version of the prior filter modified to include
the new filter component just selected. You usually apply these as part of a filter-refinement process.
In a grid view, right-click an attribute (column) in an event listing and choose
Investigate, followed by one of these options:
Add [Attribute=Value] to Filter
    Show only those events that match both the prior filter and the new filter element.
Add [Attribute!=Value] to Filter
    Show only those events that match the prior filter and do not match the new filter
    element (the new condition is ANDed onto the prior filter as a not-equal test).
Add to Filter [List of Related Attributes=Value, !=Value]
    When the selected attribute type has related attributes, choose to show only those
    events that do (or do not) match one of the related attributes on the additional
    menu. This filtering element is applied in addition to any other already present.
    Generally, attributes are considered related if they share a common focus such as IP
    addresses.
Adding an Event Attribute to a Filtering Condition
The Add condition to editor options apply to the editor in the Inspect/Edit panel that
currently has focus. If no editor is open, the default target is the Filters Editor.
In a grid view, right-click an attribute (column) in an event listing and choose
Investigate, followed by one of these options:
Add Condition [Attribute=Value] to Editor
    In the current editor, insert a new condition in which the selected attribute matches
    the value in the selected event.
Add Condition [Attribute!=Value] to Editor
    In the current editor, insert a new condition in which the selected attribute does not
    match the value in the selected event.
Add Condition to Editor [List of Related Attributes=Value, !=Value]
    When the selected attribute is of a type that has related attributes, add a condition
    to the current editor using the available list of attribute-value pairs that do (or do
    not) equate. Generally, attributes are considered related if they share a common
    focus such as IP addresses.
To remove a condition from the editor, right-click it and choose Delete.
When you are using these options to affect a view that is subject to the editor in use, click
Apply or OK in the editor to put the condition into effect.
Contextual filters (in contrast to conditions) are temporary unless you save the modified
view as a named active channel. Condition statements are saved with their relevant
editors.
Permanently Modifying an Active Channel
1. Use the Navigator panel's Active Channel resource tree to open the view's channel in
the Active Channel Editor.
2. Modify a view as described above.
3. In the editor, give the channel a new name and click OK.
Showing an Exploited Vulnerability
The Investigate options include the ability to look for potentially exploitable vulnerabilities
associated with an event.
1. Select an event in a grid view.
2. Right-click the event and choose Investigate > Show Exploited Vulnerabilities.
Available information appears in the Vulnerabilities tab of the relevant Asset Editor.
Showing a Targeted Asset
You can also find out more about an asset targeted by an event.
1. Select an event in a grid view.
2. Right-click the event and choose Investigate > Show Targeted Asset. Available
information appears in the Asset Editor.
Using Charts
The Console offers several chart view options for active channels and for data monitors.
You can add chart views of the data in many active channels or data monitors simply by
choosing a chart type from the Format pop-up menu in the view's lower-right corner.
ArcSight charts remain linked to the data they represent. You can immediately see a chart's
events in a grid view that presents the data as charted, or filtered further using the options
of the Investigate command. Charts use the same color for all values in a series. For
example, if you are plotting successful and failed logins in a chart, successful logins as a
series will have one color. Failed logins as another series will have a different color.
You can click and drag three-dimensional charts on their vertical or horizontal axes to tilt
them for better viewing.
Charting an Active Channel's Contents
1. In the Navigator panel's Active Channels resource tree, right-click a channel and
choose Show Active Channel.
2. In the Viewer panel, in the lower-right corner of the newly opened active channel, click
the Viewer Selector icon to open its menu.
3. In the menu's Chart branch, choose one of the chart types described below.
4. The data in the view opens in an additional chart presentation, in the chosen format,
within the active channel.
5. Click the Layout icon in the channel's lower-right corner to change the visual
arrangement (tabbed or tiled) of the views within the channel, if needed.
Charting a Data Monitor's Contents
1. In the Navigator panel's Dashboards resource tree, double-click a dashboard or
right-click it and choose Show Dashboard.
2. In the Viewer panel, in the lower-right corner of an applicable data monitor, click the
Viewer Selector icon to open its menu.
3. In the chart menu, choose one of the types described below.
4. The data in the monitor switches to a chart presentation.
For data monitors, the Chart Showing Priorities submenu offers many of these same
charting options, but with graphic elements such as pie wedges or bar segments that
distinguish their priority-level components.
Contents of charts are affected by the things that affect active channels or data monitors,
such as changing time parameters or filters. Not all charts are applicable to, or available for,
all views.
For more about the format tools available for dashboards, see “Monitoring
Dashboards” on page 102.
For more about custom view dashboards, see “Using Custom View Dashboards” on
page 116.
For more about working with dashboards, see “Using Dashboards” on page 102.
Area
    A horizontal chart in which bands occupy various amounts of the displayed area to
    indicate relevant values.
Area Radar
    A circular chart that shows proportional values as solid graphic extensions from a
    central zero point, outward to a higher-value border, and occupying relative numbers
    of degrees of the available circle.
Horizontal Bar
    A horizontal chart that shows changes in relative quantities, usually by time units
    seen as solid rectangles, over a span of time.
Line
    A horizontal chart that shows changes in relative quantities, usually by time units
    plotted on a line, over a span of time.
Pie
    A circular chart with proportional wedges for the relevant values.
Radar
    A circular chart that shows proportional values as a line plot from a central zero
    point, outward to a higher-value border, and occupying relative numbers of degrees
    of the available circle.
Scatter Plot
    A horizontal chart that shows changes in relative quantities, usually by time units
    plotted as separate points, over a span of time.
Stacking Area
    A horizontal chart in which stacked bands occupy various amounts of the displayed
    area to indicate relevant values.
Stacking Bar
    A horizontal chart that shows changes in relative quantities, usually by time units
    seen as stacked solid rectangles, over a span of time.
3D Bar
    A corner-anchored graph with height, width, and depth dimensions that can show
    three axes of categorical and quantitative information.
Exploring the Events Behind a Chart
To see a grid view of the events behind an active channel's chart, double-click the section
of the graphic that represents those events. To filter those events further, right-click the
relevant section of the chart and choose an Investigate command option. In charts that
show color keys, such as Events by Priority, you can also double-click a color chip to open a
grid view filtered by that key.
To see an active channel grid view of the events behind a data monitor's chart, double-click
the section of the graphic that represents those events, or right-click and choose Show
Details, or choose Show Detailed Channels to see a view for each of the chart's
components.
Using Active Channels
The tasks in this topic explain how to monitor events in active channels. To better
understand the details in grid views, please read more about event grid data fields.
Monitoring Events in the Active Channel
Click an active channel's tab at the top of the Viewer panel and select the Grid view of that
channel using the tab at the bottom. When new events occur, they are displayed at the top
of an active channel as a new row. Events can appear in ArcSight Severity or filter colors.
You can set the color-code for events by using the steps described in “Changing User
Preferences” on page 716.
Sorting Columns in the Active Channel
Right-click on the column header and select Sort Column. Columns that support sorting
have up/down triangles to the right of the column heading. If the column contains
numerals, it sorts from highest to lowest value (or vice versa). If the column contains
words or alphabetic characters, it sorts alphabetically from A to Z (or vice versa).
You can also perform an advanced sort on one or more columns in the active channel.
When selecting a secondary sort column, select the secondary column first, then the
primary column. For example, to sort by Event Name then by Detect Time, sort Detect
Time first, then Event Name.
After you sort a column it automatically pauses the current channel, stopping events from
appearing in the active channel. Click the Play button in the Replay Controls to restart the
channel and resume receiving events in the active channel.
When you sort on time and on priority, you might observe cases where
events with the same apparent time are not in priority order. Because events
are timestamped to milliseconds, they may in fact be in time order although
the milliseconds are not showing. In this case, you can show milliseconds to
validate time order. Choose Edit > Preferences, then in the Date and Time
panel change the Date & Time Format to also show milliseconds by adding
“SS” (or “SSS”, which always shows all three digits) to the seconds parameter,
e.g., d MMM yyyy HH:mm:ss:SS z.
Adding, Replacing, or Removing Columns
A quick way to add, replace or remove columns in an active channel (or a similar grid
view, such as a list) is to right-click on the appropriate column header and select one of
the following options:
• Columns > Add/Remove Column > <Select a field from the menu>
• Columns > Replace This Column > <Select a field from the menu>
• Columns > Remove This Column
These are context-dependent commands that apply to the column on which you launch the
right-click menu. (To add a column, right-click on the header of the column you want to
add the new column next to. Columns are added to the right of that header. To replace or
remove a column, right-click on the header of the column you want to replace or remove.)
Alternatively, you can use the Customize Columns dialog to define the columns shown in
the viewer as described here:
1
Right-click the column header and select Columns > Customize Columns to bring
up the associated dialog. (Note that fields shown in italics are derived fields.)
Looking for information about custom columns? If you want to add a
custom column, you need to create or define it first. After that, it shows up in
the Available Fields list under Custom Column, and you can include it in active
channels as with any other field. For information on creating custom columns,
see “Customizing Columns” on page 100.
• To add a column: Select data fields (column titles) to add from the Available
Fields list on the left. Check marks indicate selected columns. The selected
columns show up in the list on the right as you select them. Alternatively, when
you deselect or uncheck a data field on the left, the column is removed from the
right-hand list.
• To remove a column: Select a field from the right-hand list and click the Delete
button. Also, deselecting a data field from the Available Fields list on the left
removes it from the right-hand list. Removing a column from an active channel
does not delete the column information from the ArcSight Database.
You also can remove a column directly from the active channel without opening
the Add/Remove Columns dialog. To do this, right-click a column header and
select Remove Column.
• To re-order the columns: Select a data field (column title) in the right-hand list
and click the Up and Down buttons to move it. The top-to-bottom order shown in
the Show columns in this order list on the right translates to a left-to-right order
when applied in the active channel. A column title at the top of this list will show
as the first column in the channel on the far left in the grid display. A column title
at the bottom of this list will show as the last column on the far right of the grid.
2
Click OK to save changes you made on the Add/Remove Columns dialog. The active
channel reflects added, replaced, removed, or re-sorted fields.
Sizing a Column in the Active Channel
Right-click a column header and select Size Column To Fit.
Showing or Hiding Column Text and Icons
Right-click a column header and select one of the following options:
Text and Icon
    Display the column heading and its icon.
Text Only
    Display only the column heading.
Icon Only
    Display only the icon.
Exporting Events to a File
1. Right-click one or more events in the Viewer panel and choose Export > Events in
channel. This brings up the Export Events dialog.
2. Use the file browser to navigate to the location where you want to save the file. You
can use the buttons across the top right of the dialog to move up one directory level,
go to your desktop, create a new folder, show files as a list or a list with details. Also,
you can use the Files of Type drop-down menu to display only comma-separated
values (CSV) format files or all files while you are browsing the directories.
3. In the File Name field, enter a name for the file to which you want to export the
events.
4. Under Export Data Options:
• Select All in channel to export all the events in the channel. The system exports
all events in the channel to the specified file, regardless of which events you
originally selected in the active channel. (This option is selected by default.)
• Select Selected rows only to export only the events you selected in the active
channel.
• From the Columns drop-down menu, choose a field set to use for the exported
events. This limits the fields exposed in the exported events to the chosen field
set. The default for “Columns” is the Export field set. You can keep the default, or
select other field sets from a list of All Field Sets.
If you want to limit the exported columns (field sets) to only those showing in the
current channel, you have a few options for doing this. See the tips on How to
Limit Export to Fields Visible in Channel.
• Select a Destination for the file. Local CSV File is selected by default, and is
typically the only option.
5. Click OK to export the events to a file with the specified settings.
How to Limit Export to Fields Visible in Channel
The default “Export” field set includes a large number of columns. Unless
you have a pressing need to export all these fields for channel events,
you might want to modify the export. Exporting a large field set for a
large event set could be time- and resource-consuming.
If you want the exported file to include only the fields shown in the
current channel, do either of these:
•
If the channel is unmodified from its default (i.e., you have not
added or removed fields), you can select the channel’s default field
set on the file export option. To find the default field set name, edit
the channel and look at “Default Field Set” name or right-click any
column header in the channel and choose Field Set > Selected Field
Set. The default field set will be selected. (For example, for /All
Active Channels/ArcSight System/Core/Live active channel, the
default field set is Standard-MgrRcpt. Selecting this field set on the
export will give you that set of columns in the CSV file.)
•
If you have modified the channel from its default (i.e., added or
removed fields), you can save it as a custom field set and then
choose your custom field set on the export dialog. To save a custom
field set, right-click anywhere on the column headers in the active
channel and choose Field Sets > Save As. On the Field Sets Selector,
navigate to the group you want, name the new field set and click OK.
Now it will be available to choose from on the export dialog.
The Export field set itself is also customizable. If you are sure you
always want exported events to include a limited set of fields, you can
edit the Export field set. (See “Creating and Using Field Sets” on
page 154 and “Editing a Field Set” on page 159.)
Choosing Active Channel Menu Commands
Right-click an event or event field in the active channel to open a context menu. The
commands available are those that apply to the current combination of event type, view,
filter, and so forth.
Show Event Details
    Use the Event Inspector to examine all the attribute details associated with the
    event.
Rule Options
    • Simple chain: Show this event's base and correlated event tree in the Event
    Inspector.
    • Detailed chain: Show this event's base and correlated events in detail in a new
    active channel.
    • Show triggering resource: Show the rule that triggered this event in the Rule
    Editor.
    • Clear rule actions: Clears the list (if one is showing) of rule actions pending on
    the ArcSight Manager.
Investigate
    Create a temporary filter as required based on the field's highlighted event. The
    Investigate command uses the event's attribute type (its column heading), and the
    particular event's field value (for example, an exact IP address), to formulate simple
    filters based on these two factors. The filter's operators can include Create Filter [X
    = Y] and Add Condition [X = Y] to Editor. The Investigate submenu also offers the
    Show Exploited Vulnerabilities and Show Targeted Asset commands to open
    detailed views of assets or vulnerabilities, if present in the selected event.
Debug Event Priority
    Display information on how event priorities are determined for the selected event.
    The window lists which conditions match the event. Items under each heading (for
    example, Severity) show individual scores. The individual scores are added but if the
    sum exceeds the upper limit of 10, 10 is displayed. Lower limit is 0.
    Debug Event Priority is applicable to Threat Level Monitoring, described in “Threat
    Evaluation” on page 939 and also “Priority Calculations and Ratings” on page 894.
Active List
    Add the selected event to, or remove it from an active list. This is explained further
    in “Active Lists” on page 735 and “Managing Active Lists” on page 509.
Annotate Event
    Open this event in the Annotate Events dialog box, where you can click the Stage
    field to set a collaboration workflow sequence for this event. When you select a
    stage you automatically place the event in the corresponding group in the Stages
    resource tree in the Navigator panel, where you and other analysts can collaborate
    on its investigation and resolution.
Move Timeline to Current Event
    Reset the event timeline in the view to the time of the currently selected event.
Select Events with Matching Cell
    Select any other events in the view that have values matching that in the currently
    selected cell.
Invert Selection
    Select all events not currently selected, and deselect those that are currently
    selected.
Event Graph
    Graph any logical relationships (i.e., source/target IP address connections) that exist
    among the currently selected events.
Rule Chain Graph
    Graph the rule chains behind the currently selected triggered events.
Geographic View
    Geographically map the source and destination IP addresses of the selected events.
Tools
    Run your choice of the standard network lookup tools, using field values from the
    selected events.
Create Rule
    Use the Rule Editor to create an ArcSight rule to apply to the selected events.
Export
    Export the selected events to an external event-tracking system, such as
    comma-separated-value (CSV) data in a report or for a spreadsheet, or save it as an
    HTML or a JPEG file.
Add to Case
    Add the selected events to a new case for tracking.
Payload
    Keep or discard the payload associated with a selected event.
Show Context Report
    Output a report concerning rules and events within a specified time window.
Close
    Close the current individual view within the selected view type.
Knowledge Base
    Show the Knowledge Base pages associated with the selected events, or associate
    new pages.
Vendor Page
    If available, show vendor Web page of the event's sensing device.
Help
    Open the online Help to this topic.
Filtering Active Channels with Inline Filters
Active channels have an inline means for creating simple filters, called inline filters. These
filters are based on a value found in one column, or on AND conditions between values
found in two or more columns. Inline filtering is a very rapid way to constrain detailed
views. Note that while they are in effect, inline filters affect all views generated for the
channel.
You can create, change, save, hide, and remove inline filters from the active channel. Also,
you can create and manage multiple inline filters from this view.
• To create an inline filter, click the Inline Filter link in the event header or click the Edit
Inline Filter button at the top right of the active channel to display the inline
filtering fields. Type a value by which you want to filter for one or more fields relating
to a column in the grid. Click Apply to immediately apply the filter to the view. The
inline filter is displayed in the header under the standard filter.
• To change an inline filter, click the Edit Inline Filter button again, choose new
values, and apply. The Clear button clears the inline filter fields, and Cancel closes
the inline filtering window without saving current changes.
• To remove an inline filter, right-click the Inline Filter name in the header for the
selected event and choose Remove Inline Filter.
• To save an inline filter, right-click the Inline Filter name in the header for the
selected event and choose Save Inline Filter. This opens a Filters Selector dialog
that shows the Filters tree. Navigate to the folder where you want to save the current
filter, and click OK.
• To highlight the filtered events, click the Highlight check box (on is check marked)
and use the drop-down color selector to select a color from the palette.
• To create and manage multiple inline filters, click the + button next to the Highlight
options under the inline filters to add filter definition rows. (Click the - button to
remove filter rows.) The potential uses of multiple inline filters are extensive, but
essentially this provides a means of creating a filter with complex conditions, inline in
an active channel. For example, in the Name column for an event, you could specify
that the event name contains ActiveList on the first filter row and that the name
does not contain Successful. You could extend this filter by specifying what you are
looking for in some of the other fields or even add more qualifiers on the Name field.
All fields can be narrowed down in this way, using multiple filter definition rows.
Custom columns are not available as arguments for inline filtering.
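The following added example (not Console code) models the filters that the Investigate options under “Investigating Views” and the inline filter rows described here produce, and runs them over constructed sample events. The event attribute names mirror Console column names; the grouping of related address attributes, the way the related-attribute menu reuses the selected value, and the exact operators are assumptions for illustration. It shows the distinction that matters when refining a view: Create Filter starts from the selected cell alone and discards the view's prior filter, Add ... to Filter ANDs the new element onto it, and multiple inline filter rows are likewise ANDed, so a second row on the same field narrows rather than widens the result.

```python
# Added example, not Console code: a small model of the contextual filters
# that Investigate and inline filtering build, run over constructed events.
# Attribute names follow Console column names; the related-attribute grouping
# and the reuse of the selected value across related fields are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Sequence

Event = Dict[str, str]

# Constructed sample events (not real data).
EVENTS: List[Event] = [
    {"name": "ActiveList Entry Added: Successful Login", "sourceAddress": "10.0.0.5",
     "targetAddress": "10.0.1.20", "deviceAddress": "10.0.1.20", "priority": "3"},
    {"name": "ActiveList Entry Added: Failed Login", "sourceAddress": "10.0.0.5",
     "targetAddress": "10.0.1.21", "deviceAddress": "10.0.1.21", "priority": "7"},
    {"name": "Login Failed", "sourceAddress": "10.0.0.9",
     "targetAddress": "10.0.1.20", "deviceAddress": "10.0.1.20", "priority": "5"},
    {"name": "ActiveList Entry Expired", "sourceAddress": "10.0.0.9",
     "targetAddress": "10.0.0.5", "deviceAddress": "10.0.1.22", "priority": "2"},
]

# Attributes treated as related because they share a focus (assumed grouping).
ADDRESS_FIELDS = ("sourceAddress", "targetAddress", "deviceAddress")
RELATED = {a: ADDRESS_FIELDS for a in ADDRESS_FIELDS}


@dataclass(frozen=True)
class Condition:
    attribute: str
    op: str       # "=", "!=", "contains", "!contains"
    value: str

    def matches(self, event: Event) -> bool:
        actual = event.get(self.attribute, "")
        if self.op == "=":
            return actual == self.value
        if self.op == "!=":
            return actual != self.value
        if self.op == "contains":
            return self.value in actual
        if self.op == "!contains":
            return self.value not in actual
        raise ValueError(f"unknown operator {self.op!r}")


@dataclass(frozen=True)
class Filter:
    """Conditions are ANDed, as inline filter rows and Add ... to Filter are."""
    conditions: Sequence[Condition] = ()

    def apply(self, events: Sequence[Event]) -> List[Event]:
        return [e for e in events if all(c.matches(e) for c in self.conditions)]

    def extend(self, *more: Condition) -> "Filter":
        return Filter(tuple(self.conditions) + more)


def create_filter(event: Event, attribute: str, negate: bool = False) -> Filter:
    """Investigate > Create Filter [Attribute=Value]: a new filter built from
    the selected cell, ignoring whatever filter the view already had."""
    return Filter((Condition(attribute, "!=" if negate else "=", event[attribute]),))


def add_to_filter(prior: Filter, event: Event, attribute: str,
                  negate: bool = False) -> Filter:
    """Investigate > Add [Attribute=Value] to Filter: refine the prior filter."""
    return prior.extend(Condition(attribute, "!=" if negate else "=", event[attribute]))


def related_choices(event: Event, attribute: str) -> List[Condition]:
    """The additional menu for related attributes: one [Attribute=Value] per
    related field, each carrying the selected cell's value (assumed behaviour)."""
    return [Condition(a, "=", event[attribute]) for a in RELATED.get(attribute, (attribute,))]


def inline_filter_example() -> List[Event]:
    """The two-row inline filter from the text: Name contains "ActiveList"
    AND Name does not contain "Successful"."""
    rows = Filter((Condition("name", "contains", "ActiveList"),
                   Condition("name", "!contains", "Successful")))
    return rows.apply(EVENTS)


if __name__ == "__main__":
    base = create_filter(EVENTS[0], "sourceAddress")
    print("Create Filter:", [e["name"] for e in base.apply(EVENTS)])
    refined = add_to_filter(base, EVENTS[0], "targetAddress", negate=True)
    print("Add != to Filter:", [e["name"] for e in refined.apply(EVENTS)])
    print("Inline rows:", [e["name"] for e in inline_filter_example()])
```

Running it prints the three result sets; the refined filter keeps the source-address condition and drops only the event whose target matched, which is the behaviour the tables above describe for Add [Attribute!=Value] to Filter.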
Customizing Columns
You can create active channel columns with customized cell content and presentation
formats, tool tip contents, and right-click pop-up values.
You make these changes through the Custom Columns Editor. In the Editor you create new
named columns. For each column you select event data fields to display, and if you wish,
the HTML formatting to use in its cells. The tool tip option specifies the formatting and
content of the tool tips you see when you hover the pointer over cells in that column. The
right-click field option sets the event data field to use in columns where there are right-click
commands that use field names as arguments such as “Investigate....”
Creating a Custom Column
1. Right-click a column header in an active channel and choose Customize Columns >
Edit Custom Columns. This brings up the Custom Columns Editor.
2. Click Add to name a new column. If you want everyone to see the new column (not
just administrators), select the Share with all check box. (You can toggle this option
on or off later too from the Cell Format tab.) When you click OK on the Add Custom
Column dialog, the new column name is added to the Custom Columns list on the left
side of the editor.
3. Click Field Selector on the Cell Format tab to pick the event attributes you want to
display in this column and click OK.
4. In the Format text box apply Java-compatible HTML formatting around the field
strings, if appropriate. Remember to bracket such formatting with the HTML tag, such
as <HTML><B>$type</B></HTML>.
5. Click Preview to see how the contents of the Format box will look in the active
channel.
6. Click the ToolTip Format tab to define a tool tip.
7. Choose a target event attribute in the Right-Click Field menu to populate variable
right-click commands, when applicable.
8. Click Rename or Remove to change or take away selected items in the Custom
Columns list.
9. Click Apply to put your changes into effect and Close to close the Custom Columns
Editor.
You can edit custom columns after they are created, including toggling on/off the “Share
with all” settings for a column, renaming it, changing its Field Selector mappings, and so
forth.
• Custom columns are not available as arguments for inline filtering.
• The Java Swing based browser supports basic HTML according to the HTML 3.2 specification. Some more advanced tags may not be supported. For Technical Reports describing HTML 3.2, please refer to the World Wide Web Consortium (W3C) site at http://www.w3.org/. For information on HTML support in Java Swing, refer to the Sun Developer Network at http://java.sun.com/javase/reference/index.jsp.
Showing a Custom Column
Once a custom column is created, it is available for use in the Console. Right-click the
column header in an active channel and choose Customize Columns > Add Column to
add the new column to the active channel. Custom columns show up in the Available Fields
list under Custom Column. If a column is configured as Share with all, it is available
to all administrators. If not, it is available only to the user who created it. For more
information, see “Adding, Replacing, or Removing a Column” on page 93.
Advanced Example: Creating a Custom Column with Velocity
Custom columns can display different contents based on external conditions. Use the
Velocity template language to specify these conditions.
To create a custom column that displays a particular image when an event's target is in a
specific Zone, create the custom column as described previously, but specify Velocity
template-language script in place of the HTML format.
The code in the Format text box might look like this:
<HTML>
#if (($targetZoneUri.length()>0) && ($targetZoneUri.startsWith("/All Zones/System Zones/Public Address Space Zones/Ford Motor Company")))
<IMG src="file:///c:/fordlogo.gif" />
#end
</HTML>
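The following Format template is an added example, not code from the guide or from ArcSight, that extends the pattern above: it guards against an event with no resolved target zone before calling a String method on $targetZoneUri, classifies the zone with an #if/#elseif/#else chain instead of a single test, and falls back to the $type field when no zone is present. The zone URI prefixes below are constructed placeholders under the "/All Zones/System Zones/" path the guide uses; $targetZoneUri and $type are the field references the guide itself shows.

```velocity
<HTML>
## Added example (not from the guide). The zone URIs below are constructed
## placeholders; $targetZoneUri and $type are the field references the guide uses.
## Guard against a missing or empty zone URI before calling String methods on it.
#if ($targetZoneUri && $targetZoneUri.length() > 0)
  #if ($targetZoneUri.startsWith("/All Zones/System Zones/Private Address Space Zones/"))
    <B><FONT color="green">internal</FONT></B>
  #elseif ($targetZoneUri.startsWith("/All Zones/System Zones/Public Address Space Zones/"))
    <B><FONT color="red">external</FONT></B>
  #else
    <I>other zone</I>
  #end
#else
  ## No zone resolved for the target: fall back to the event type field.
  $type
#end
</HTML>
```

Only the HTML 3.2 subset that the Swing browser renders (B, I, FONT and similar) is used, for the reason given in the note above; the Velocity comment lines (##) are stripped before the HTML reaches the cell, so they do not affect the rendered column.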
Using Dashboards
Dashboards are a graphical display of data gathered from one or more Data Monitors and
Query Viewers. Dashboards can display data in a number of graphical formats, including
pie and bar charts, tables, and custom layouts.
Administrators can control visibility of, or access to, dashboards, query viewers, and data
monitors by changing access control lists (ACLs) as needed. For more information on
general use of ACLs on any resource, see “Managing Permissions and Resources” on
page 591.
With ACLs, administrators can also control which users are allowed to deploy (enable) or
un-deploy (disable) a data monitor.
Monitoring Dashboards
You can organize and present events displayed by data monitors and query viewers on the
dashboard. Basic tasks include loading and displaying dashboards; inspecting events; using
zoom, slide show, or manipulating the views in various ways; working with dashboard
layouts; saving dashboards, and so on.
Loading Dashboards
1. Choose Views > Show Dashboard to open the Load Dashboard dialog box.
2. Expand the dashboard groups to locate the dashboards you want to include in your display.
3. Select the checkboxes next to the dashboards you want to include.
4. When you've finished your selections, click OK.
Inspecting Events in Dashboards
You can investigate the events presented on the dashboard by selecting and right-clicking
those events and choosing Show Event Details for Last N Events data monitors or Show
details for other types of data monitors.
If you select events from a Last N Events data monitor, the details appear in the Event Inspector.
If you select events from any other data monitor or query viewer, a new view opens in the
Viewer panel for you to investigate.
You can drill down on grid, graph, or chart views.
By default on a data monitor, the displayed channel uses the same columns
as the default Standard Field Set (as defined in the
console.default.properties file in the ArcSight Console installation).
If a custom field set is defined for the data monitor Select Field Set
option, the drill-down channel will use that field set. (See “Data Monitors” on
page 842 for information on creating data monitors and defining settings for
them.)
You can add or remove columns in the active channel. To do so, right-click on
the active channel column headers to get the Customize Columns option.
For example, to investigate a data monitor pie chart display, either double-click the chart,
or right-click and select Investigate > Create Channel and choose a create channel
option (the menu option for a pie chart display of a query viewer may slightly vary with an
additional menu level).
An active channel is displayed showing more detail about the events or resources in the
original data monitor or query viewer display. If the channel came from a data monitor, the
channel uses the field set columns defined for use in the data monitor Select Field
Set option. (Or if no field set is defined, the data monitor uses standard field set columns.)
Drilling Down to Other Resources
If you have added one or more drilldowns to data monitors or query viewers, Console users
can select one by right-clicking on the data monitor or query viewer result and selecting
Drilldown > [drilldown name] from the context menu.
You can configure query viewers to drill down to one or a combination of the following resources:
• Active channels
• Dashboards
• Other query viewers
• Reports
The procedure for configuring drill downs from data monitors and query viewers is
essentially the same. The procedure for Query Viewers is in the topic “Adding a Drilldown”
on page 265. For data monitors, see “Adding a Drilldown” on page 110.
Displaying Dashboards
In the Navigator panel's Dashboards resource tree, right-click a dashboard and choose
Show Dashboard.
Displaying Dashboards in a Slide Show Rotation
To automatically display all the dashboards present in the Viewer panel in sequence, choose Views > Slideshow > Interval in the Console's menu. Use Interval to set the number of seconds to pause on each dashboard, then choose Views > Slideshow > Start, or use the corresponding toolbar button, to begin the slide show. Slide shows appear full-window. Tile Best Fit is the best display choice for slideshow dashboards, so that all data monitors are visible. Use Views > Slideshow > Stop, or the toolbar button, to end a slideshow and return to the previous view.
Rearranging Elements in Dashboard Layouts
You can change a dashboard's layout by dragging and dropping the elements on the
desired location in the dashboard. You can also click an element’s header and drag it to
another location.
Using Dashboard Menu Options
Right-click an element in a dashboard to use the Dashboard subcommands on its context
menu. The nature of the element determines which commands are applicable and enabled.
Zooming In or Out of Dashboards
Right-click an element and choose Dashboard > Zoom In or Dashboard > Zoom Out.
Fitting all Dashboard Elements
Right-click a dashboard element and choose Dashboard > Fit in Dashboard.
Saving Dashboard Layouts
In a dashboard, right-click and select Save Dashboard.
Closing a Dashboard
In a dashboard, right-click and select Close Dashboard.
Editing Dashboard Elements
Right-click in the element and choose <Dashboard element> > Edit.
See also:
• Editing a Data Monitor and Moving or Copying a Data Monitor
• “Editing a Query Viewer” on page 270
Changing a Dashboard's Layout
Click the Layout button at the lower-right corner of the dashboard in the Viewer panel and
choose a tab or tile option.
Managing Dashboards
This topic describes how to create dashboards and add elements to them. Elements include data monitors and query viewers.
Creating a Dashboard
When you create a dashboard, the ability to add data monitors is automatically available.
1. On the Dashboards tab, right-click a dashboard group and choose New Dashboard. Alternatively, drag an existing dashboard to a different group, choose Copy to copy the dashboard, and then rename it.
   If you chose New Dashboard, an untitled dashboard appears in the Viewer panel and the Data Monitors tab automatically comes forward so you can choose monitors to add.
2. If you want to add data monitors now:
   a. Select the Data Monitors tab and navigate through the groups of existing data monitors to find ones you want to add to the dashboard.
   b. Select a data monitor to add, right-click it and choose Add to Dashboard As, then choose an applicable display format (see Display Formats).
   c. Repeat the above step to add other data monitors, as needed. When you've finished, right-click the dashboard in the Viewer panel and choose Save Dashboard.
3. If you want to add query viewers, see “Adding a Query Viewer to a Dashboard” on page 105.
4. In the Save As dialog box, navigate to a group and type in the Name text field.
5. Click OK.
Adding a Data Monitor to a Dashboard
1. Right-click a dashboard and choose Show Dashboard.
2. On the Data Monitors tab, navigate through the groups of existing data monitors to find ones you want to add to the dashboard.
3. Right-click a data monitor and choose Add to Dashboard As, then choose an applicable display format (see Display Formats).
4. To save the dashboard, right-click it and choose Save Dashboard. If this is a new dashboard, navigate to the group where you want to save the dashboard, enter a name for the new dashboard, and click OK.
Adding a Query Viewer to a Dashboard
You can add a query viewer result to a dashboard as follows:
1. If you have identified an existing dashboard to which you want to add the query viewer, open the dashboard in the viewer and make sure it is the focus. If you want to add the query viewer to a new dashboard, continue to the next step.
2. Choose Query Viewers in the Navigator.
3. Select a query viewer, right-click and choose Add to Dashboard As >, then choose an applicable display format (see Display Formats).
   The query viewer result is displayed on the open dashboard. If a dashboard is not displayed, a new untitled dashboard is created for the query viewer result.
4. Save the existing dashboard. Or, if this is a new dashboard:
   a. Right-click the title bar of the dashboard and choose Save Dashboard As.
   b. In the popup dialog, navigate to the group where you want to save the dashboard, enter a name for the dashboard, and click OK.
   By default, this new dashboard is a regular dashboard. If you want to change it to a custom view dashboard, see “Using Custom View Dashboards” on page 116.
You can add multiple query viewer result sets along with other resources to a single dashboard.
Query viewer results on dashboards are accessible from ArcSight Web. For
more about ArcSight Web, see “ArcSight Web” on page 743.
Display Formats
The display options available depend on the nature of the dashboard element.
Display Format and Description
• Bar Chart: Shows data as a series of proportional bar elements and may include bar segmentation to subdivide the data. Applies to data monitors and query viewers.
• Bar Chart Table: A grid of proportional bar elements. Applies to data monitors.
• Horizontal Bar Chart: Shows data as a series of proportional bar elements and may include bar segmentation to subdivide the data. This format forces the bars to run left-to-right rather than up-and-down. Applies to data monitors and query viewers.
• Pie Chart: Shows data as a circle with proportional wedges for elements. Applies to data monitors and query viewers.
• Statistics Chart: Displays Moving Average data monitors, especially those that contain and need to arrange (overlay) multiple graphs in one monitor space. Compare Statistics Chart to Tile, which arranges individual-graph monitors into fixed arrays. Applies to data monitors.
• Table: Displays data as a grid. Applies to data monitors and query viewers.
• 3D Bar Chart: Shows data as a series of proportional bar elements and may include bar segmentation to subdivide the data. The graph also has a third axis (depth) to display more data and can be rotated by dragging. Applies to data monitors.
• Stacked Bar Chart: Shows data as a series of proportional bar elements and may include bar segmentation to subdivide the data. Applies to query viewers.
• Tile: Arranges individual Moving Average data graphs into separate, fixed positions on a data monitor, when multiple graphs are present. Compare Tile to Statistics Chart, which displays multiple graphs (overlaid) in the same monitor space. Applies to data monitors.
Editing a Dashboard
You edit dashboards by editing the data monitors within them as described in “Using
Custom View Dashboards” on page 116.
Deleting a Dashboard
1. In the Dashboards tab of the Dashboards resource tree, right-click the dashboard's name and choose Delete Dashboard.
2. In the dialog box, click Yes.
Managing Dashboard Groups
The groups in the Dashboard tab of the Navigator panel's Dashboard resource tree store
individual dashboards or other dashboard groups. You use groups within groups to help
organize larger numbers of resources.
You can manage groups by drag-and-drop. You can move or copy dashboards or groups
within the Dashboards resource tree. And deleting a group also deletes the resources it
contained.
To copy multiple resources at once, use Copy and Paste. You can drag and
drop only one resource at a time.
Creating a Dashboard Group
1. In the Dashboards tab of the Navigator panel's Dashboards resource tree, right-click a group and choose New Group.
2. Type a name in the group's text field.
3. Press Enter.
Renaming a Dashboard Group
1. In the Dashboards tab of the Navigator panel's Dashboards resource tree, right-click a group and choose Rename.
2. Type a name in the group's text field.
3. Press Enter.
Editing a Dashboard Group
1. In the Dashboards tab of the Navigator panel's Dashboards resource tree, right-click a group and choose Edit Group.
2. In the Group Editor, edit the Name and Description text fields.
3. Click OK.
Moving or Copying a Dashboard Group
1. In the Dashboards tab of the Navigator panel's Dashboards resource tree, navigate to a group and drag it into another group.
2. Choose Move to move the group, Copy to make a separate copy of the group, or Link to create a copy of the group that is linked to the original group.
If you select Copy, you create a separate copy of the group that will not be affected when
the original group is edited. If you select Link, you create a copy of the group that is linked
to the original group. Therefore, if you edit a linked group, whether it be the original or the
copy, all links are edited as well. When deleting linked groups, you can either delete the
selected group or all linked groups.
Deleting a Dashboard Group
1. In the Dashboards tab of the Navigator panel's Dashboards resource tree, right-click a group and choose Delete Group.
2. In the dialog box, click Yes.
Using Data Monitors
You populate dashboards with data monitors, which you most often select from the Data
Monitors resource tree in the Navigator panel (under Dashboards). However, when you
need to use data monitors that aren't pre-defined, you need to be able to create, edit, and
delete them.
Administrators can limit visibility of, or control access to, data monitors by changing access
control lists (ACLs) as needed. For more information on general use of ACLs on any
resource, see “Managing Permissions and Resources” on page 591.
With ACLs, administrators can also control which users are allowed to deploy (enable) or
un-deploy (disable) a data monitor.
Creating a Data Monitor
1. In the Data Monitors tab of the Navigator panel's Dashboards resource tree, right-click a data monitor group and choose New Data Monitor.
2. In the Data Monitor Editor, select a Data Monitor Type from the drop-down menu. See “Data Monitor Types” on page 113 for descriptions of each type. (See also “Data Monitors” on page 842 in the reference section of this guide.)
3. Based on the Data Monitor Type you've selected, specify values and options in the applicable fields to define the data monitor's data collection. Details on fields and appropriate values are given in the information about each data monitor type.
   Depending on the permissions associated with the user group to which you belong, you may or may not have an option to Enable (deploy) or disable (un-deploy) the data monitor. For more information, see “Enabling or Disabling a Data Monitor” on page 111.
4. If the data monitor uses data fields for evaluation, you can use the Variables tab to create a new specialized field if necessary.
   The following data monitors support variables:
   • Event graph
   • Hierarchy Map
   • Last N Events
   • Last State
   • Moving Average
   • Statistics
   • Top Value Counts (bucketized)
   If you select a data monitor that does not support variables, the Variables tab is disabled.
   You can also add a global variable anywhere fields can be added. For instructions about how to add a global variable to a data monitor, see “Adding a Global Variable to a Data Monitor” on page 443.
5. If the Data Monitor type supports drill downs, you can use the Drilldown tab to configure it. The following types of Data Monitors support drilldowns: Event Graph, Hierarchy Map, Last N Events, Last State, Moving Average, Statistics, and Top Value Counts (Bucketized).
   In the ArcSight Console you can create drill downs to Dashboards, Active Channels, Reports, and Query Viewers.
   In a Custom View Dashboard and the Management Console, only drill downs to dashboards are supported.
6. Click OK.
To add the new monitor to the current dashboard, right-click it and choose Add to Dashboard As.
Editing a Data Monitor
1. Do either of the following to bring up the Data Monitor editor:
   • In the Data Monitors tab of the Navigator panel's Dashboards resource tree, right-click a data monitor and choose Edit Data Monitor.
   • If a Dashboard containing a given Data Monitor is already displayed, hover the cursor over that Data Monitor in the Viewer panel, right-click, and choose Data Monitor > Edit.
2. In the Data Monitor Editor, edit the applicable fields.
3. Click OK to save your changes and close the Data Monitor Editor. Or click Apply to save the changes and leave the editor open.
See “Data Monitor Types” on page 113 and “Data Monitors” on page 842 for field details on
all data monitors.
For customized view options on Last State data monitors, see Table View (Color Chooser and Remove Entry) and “Tile View (Customize View)” on page 863 in the Last State Data Monitor topic.
Adding a Drilldown
You can configure data monitors to drill down to one or a combination of the following resources:
• Active channels
• Dashboards
• Query Viewers
• Reports
Each drilldown has its own options. After you have added one or more drilldowns, Console users can select one by right-clicking on the data monitor result and selecting Drilldown > [drilldown name] from the context menu.
The procedure for setting this up is identical to the procedure for adding drilldowns to Query Viewers and is covered in detail in “Query Viewer Drilldowns” on page 265.
Creating a drilldown definition to a resource is not supported on all types of data monitors. You can create drilldowns from these types of data monitors:
• Event graph
• Hierarchy map
• Last N Events
• Last State
• Moving Average
• Statistics
• Top Value Counts
You cannot drill down to resources from the following data monitors:
• Asset Category Count
• Event reconciliation
• Event Correlation
• Geographic Event Graph
• Hourly Counts
• Rules Partial Match
• Session Reconciliation
• System Monitor
• System Monitor Attribute
Moving or Copying a Data Monitor
You can move or copy a data monitor as you would any other resource (as described in
“Moving Copying, Linking, and Deleting Resources” on page 69).
• Users who do not have data monitor deployment permissions can still copy enabled data monitors, but the copies are disabled. Users need both write and deploy permissions to enable or disable a data monitor.
• Users who do not have data monitor deployment permissions can still move data monitors from one group to another if they have write permissions on the data monitors they want to move and the destination group for the move operation.
For more about data monitor deployment permissions, see “Controlling Who
Has Permissions to Deploy Data Monitors” on page 601.
Deleting a Data Monitor
1. In the Data Monitors tab of the Navigator panel's Dashboards resource tree, right-click a data monitor and choose Delete Data Monitor.
2. In the dialog box, click Yes.
Enabling or Disabling a Data Monitor
When a data monitor is enabled (deployed) it is actively processing events and updating its
display.
When you disable (un-deploy) a data monitor, it stops processing events and updating its
display. You might choose to disable a data monitor because it is not needed or should not
be considered under certain circumstances.
Data monitors can be enabled at time of creation (see “Creating a Data Monitor” on
page 108) or edited later to enable deployment.
Data monitor deployment is controlled through User Access Control Lists
(ACLs). Administrators can allow or block users for data monitor deployment
permissions.
Depending on the permissions associated with the user group to which you
belong, you may or may not have an option to Enable (deploy) or disable
(un-deploy) the data monitor.
• Administrators (all users belonging to the admin group) have permissions to deploy/un-deploy data monitors.
• To deploy a data monitor, a user needs both general data monitor deployment permissions and write permissions to the specific data monitor he or she wants to deploy. Users with permissions to deploy data monitors can deploy only those data monitors for which they have write permissions.
• Administrators can grant permissions to deploy or restrict data monitors to other non-Administrator users through the Access Control Lists (ACLs) editor. For more information, see “Controlling Who Has Permissions to Deploy Data Monitors” on page 601 and “Granting or Removing Resource Permissions” on page 592.
Enabling or Disabling a Data Monitor from the Editor
You can set operations permissions on data monitor deployment by
editing Access Control Lists (ACLs) on user groups. Administrators can
allow or block user groups for data monitor deployment permissions.
(This is different than controlling permissions on who has access to the
data monitors resource.)
To set permissions for deploying data monitors, click the Operations
tab, then click the Add button to get the Permissions Selector dialog for
operations, select Deploy and click OK. For more information, see
“Controlling Who Has Permissions to Deploy Data Monitors” on page 601.
By default, only Administrators have permissions to enable and disable data monitors.
Administrators can grant permissions to enable and disable data monitors to other non-Administrator users through the Access Control Lists (ACLs) editor. For more information,
see “Controlling Who Has Permissions to Deploy Data Monitors” on page 601.
If you have appropriate permissions, you can enable and disable data monitors in the Data
Monitor Editor. (See “Editing a Data Monitor” on page 109 for information on displaying the
editor.)
In the Data Monitor Editor, click the check box for Enable to toggle the data monitor on or
off. (Be sure to click Apply or OK on the editor to save your changes.)
• A checkmark indicates the data monitor is enabled/deployed.
• If the box is unchecked, the data monitor is disabled/un-deployed.
Enabling or Disabling a Data Monitor in the Navigator
You can also enable and disable data monitors in the Navigator by right-clicking data
monitors or a data monitor group.
1. In the Data Monitors tab of the Dashboards resource tree, right-click a data monitor or a data monitor group.
2. Choose Enable Data Monitor to deploy or activate the monitors (if disabled) or Disable Data Monitor to un-deploy or deactivate them (if enabled).
For information about granting permissions to user groups to enable or disable data
monitors, see “Controlling Who Has Permissions to Deploy Data Monitors” on page 601.
Overriding a Data Monitor's Last State
Last State data monitors can sometimes display a status that has served its purpose as
soon as you have seen it. Once seen, you may want to directly reset or change the status
so you can watch for a new status change, without waiting for an automatic system
update.
When you see a status in a Last State data monitor that you want to reset, de-escalate, or
otherwise override, right-click a cell in the monitor and choose Override Status. In the
Select dialog box, select the new status and click OK.
Data Monitor Types
The ArcSight Console offers these predefined types to choose from when creating a new
data monitor. Data monitor types are listed here with a quick-glance description for each.
For full detail on each type of data monitor, follow the links or cross-references to the
associated topic in “Data Monitors” on page 842 in the reference section of this guide.
Data Monitor Type and Description
• “Asset Category Count Data Monitor” on page 843: Enumerate the number of real-time hits (events) that occur per asset category, by priority, within a time interval.
• “Event Correlation Data Monitor” on page 844: Provide flow-volume level correlation between two different event streams (based on two different specified filters).
• “Event Graph Data Monitor” on page 846: Draw real-time diagrams of selected event activity. Automates the graphing of attacks in real time. The manual operations are described in “Graphing Attacks” on page 124.
• “Event Reconciliation Data Monitor” on page 847: Correlate events arriving from one sensor with events arriving from another sensor. When qualifying events occur on either or both sensors, this data monitor issues a new event to signal it. Useful in helping to determine the effectiveness of a firewall or IDS deployed in your environment.
• “Geographic Event Graph Data Monitor” on page 850: Draw a real-time geographic map of selected events. In effect, it does automatically and in real time what you can do manually, as described in “Graphing Attacks” on page 124.
• “Hierarchy Map Data Monitor” on page 850: Draw an image made up of proportionally sized panels where each panel represents a group of events selected by the group fields selected in the source node identifier. A source-node criterion could be a combination of fields. The Hierarchy Map data monitor includes several enhancements, as described in “Feature Enhancements” on page 851 in Hierarchy Map Data Monitor.
• “Hourly Counts Data Monitor” on page 859: Display the total count of events on an hourly basis along with their Priority.
• “Last N Events Data Monitor” on page 860: Order events based on a specified configuration. In the Table Viewer, the monitor displays the most recent events by Priority, Event Name, Protocol, and Category. With the BarChartTable configuration, the order is by Priority and Event Name. The PieChart configuration is ordered by Priority.
• “Last State Data Monitor” on page 861: Provide an extra level of abstraction that you can use to simplify the information presented to operators. Sometimes called indicator lights or heads-up displays, these monitors show graphics that translate more complex values into simple, rapidly observable results such as green/amber/red signal lights or checkmark/asterisk/exclamation point symbols. Last State data monitors could also be called most recently known state monitors.
• “Moving Average Data Monitor” on page 865: Display the moving average of events by a selected data field. The display provides a running count of events within a specified time frame and generates an event when the moving average changes significantly.
• “Rules Partial Match Data Monitor” on page 867: Display rules that have partial matches and the total number of partial match events within a specified time frame. For more information on partial matches, see “Creating Rule Actions” on page 408.
• “Session Reconciliation Data Monitor” on page 868: Correlate events on the basis of their occurrence within a relevant time period, as established by a session event.
• “Statistics Data Monitor” on page 870: Provide a broader generalization of Moving Average data monitor functionality that allows selection of other statistical methods in addition to Moving Average. Statistical methods include Average, Moving Average, Standard Deviation, Skew, and Kurtosis. These added capabilities can be used to detect anomalous behavior that could not be detected using moving average alone.
• “System Monitor Data Monitor” on page 872: Provide measurements based on ArcSight Manager internal monitoring system Java classes and attributes. A number of system monitors that might be particularly useful to ArcSight administrators are provided as predefined System Data Monitors that you can include in your dashboard displays to monitor system performance.
• “System Monitor Attribute Data Monitor” on page 873: Similar to System Monitor, except that, rather than providing measurements for all attributes of a specified Java class, it focuses on a single specific attribute of a given ArcSight Java class. Used primarily for measurements on attributes that provide complex data structures.
• “Top Value Counts Data Monitor” on page 874: Display top events by selected data field, the total number of events, and the event Severity within the total number of events with the Table and BarChartTable viewer configurations.
Managing Data Monitor Groups
Data monitor groups store similar data monitors in a single location. You can create groups
within groups to meet enterprise needs.
You can manage groups by drag-and-drop. You can move or copy dashboards or groups
within the Dashboards resource tree. Deleting a group deletes the resources it contained.
To copy multiple resources at once, use Copy and Paste. You can drag and
drop only one resource at a time.
Creating a Data Monitor Group
1. In the Data Monitors tab of the Navigator panel's Dashboards resource tree, right-click a group and choose New Group.
2. Type a name in the text field.
3. Press Enter.
Renaming a Data Monitor Group
1. In the Data Monitors tab of the Navigator panel's Dashboards resource tree, right-click a group and select Rename.
2. Type a new name in the group's text field.
3. Press Enter.
Editing a Data Monitor Group
1. In the Data Monitors tab of the Navigator panel's Dashboards resource tree, right-click a group and choose Edit Group.
2. In the Group Editor, edit the Name and Description text fields.
3. Click OK.
Moving or Copying a Data Monitor Group
1. In the Data Monitors tab of the Navigator panel's Dashboards resource tree, navigate to a group and drag it into another group.
2. Choose Move to move the group, Copy to make a separate copy of the group, or Link to create a copy of the group that is linked to the original group.
If you choose Copy, you create a separate copy of the group that will not be affected
when the original group is edited. If you choose Link, you create a copy that is linked
to the original group. Therefore, if you edit a linked group, whether the original or the
copy, all links are edited as well. When deleting linked groups, you can either delete
the selected group or all linked groups.
Deleting a Data Monitor Group
1. In the Data Monitors tab of the Navigator panel's Dashboards resource tree, right-click a group and choose Delete Group.
2. In the dialog box, click Yes.
Enabling or Disabling Data Monitor Groups
Data monitors are enabled by default. When you disable data monitors they stop
processing events and updating their displays. You might choose to disable a data monitor
group because it is not needed or should not be considered under certain circumstances.
You can also enable and disable data monitors individually in the Data Monitor resource
tree or Data Monitor Editor.
1 In the Data Monitors tab of the Dashboards resource tree, right-click a data monitor
group.
2 Choose Enable Data Monitor to activate all the monitors in the group (if they are
disabled) or Disable Data Monitor to deactivate them (if they are enabled).
Using Query Viewers
Query viewers are a type of resource used for defining and running SQL queries. Query
viewers can be added to the dashboard. For more information about defining query
viewers and adding them to the dashboard, see “Query Viewers” on page 233.
Using Custom View Dashboards
You can create custom layouts of dashboard data. Also known as image dashboards,
custom view dashboards enable you to create custom views of dashboard data from query
viewers and from data monitors over an imported image, such as a geographical map.
• Viewing custom view dashboards requires the Adobe Flash 10 plug-in available with
the 32-bit Firefox 3 browser.
• Viewing custom view dashboards using the internal browser is only supported on 32-bit
Windows 7 and Vista. You can also use custom view dashboards on Linux, Mac OS,
and Windows operating systems using an external browser.
• Additional configurations may be required to display content using Adobe Flash
depending on the operating system you are running.
For details about what platforms support custom view dashboards, see “Browser
Environments for Custom View Dashboards” on page 117.
For details about supported browsers and operating systems and the configurations
required to display features that use the internal browser, see “Web Browsers” on
page 973.
In custom view dashboards, only drill-downs to dashboards are supported.
Custom view dashboards refresh event data at the same rate as regular dashboards.
Browser Environments for Custom View Dashboards
By default, custom view dashboards on 32-bit Windows use the internal browser for
display. On other operating systems or if your operating environment or settings make it so
the custom view dashboard cannot be launched in the internal browser, it opens using the
default external browser, if available. (As an option, you can open all features that use the
internal browser using the specified external browser. See “Setting Program Preferences”
on page 717.)
Follow the guidelines and configuration instructions provided in the section “Web Browsers”
on page 973. The table below describes additional details about the operating
environments that support the display of custom view dashboards in both the internal and
external browsers.
Viewing custom view dashboards using the internal browser
  Operating system: 32-bit Windows
  Browser: 32-bit Firefox 3 with the Adobe Flash 10 plug-in
  Note: The internal browser requires this particular version of Firefox with the Adobe
  Flash 10 plug-in to be installed in the Console operating environment.
Viewing custom view dashboards using the external browser
  Operating system: 32- or 64-bit Linux, Windows, Mac OS
  Browser: Any 32-bit browser with the Adobe Flash 10 plug-in.
Displaying Custom View Dashboards
There are several ways to switch from the regular dashboard view to the custom view
dashboard view. Each of these methods loads the custom view dashboard editor in the
Viewer Panel in the custom view dashboard’s View mode with the last configuration you
saved.
• From the regular dashboard view in the Viewer panel. Open the dashboard in
the viewer panel: in the Navigator panel, go to Dashboards; double-click the
dashboard you want to open, or right-click it and select Show Dashboard.
  • Click the Layout Selector button at the bottom of the display and select
  Custom Layout.
  • Right-click the dashboard tab and select Custom Layout.
  • Right-click any data monitor in the dashboard and select Dashboard > Custom
  Layout.
• From the dashboard editor in the Inspect/Edit panel. Open the dashboard for
edit in the Inspect/Edit panel: in the Navigator panel, go to Dashboards; right-click the
dashboard you want to edit and select Edit Dashboard.
  • In the Layout field drop-down menu, select Custom Layout.
  • Click Apply to apply the changes and leave the editor open; click OK to apply the
  changes and close the editor.
•
A new or edited dashboard must be saved before the custom
view dashboard is accessible.
If you are creating a new dashboard or have edited an existing one
to use the Custom Layout, you must first save the dashboard to
establish the custom layout for this dashboard on the Manager.
•
Custom view dashboards are displayed with the default chart
and color settings.
User customizations to chart settings and color selections applied to
dashboards in the regular viewer are not applied to the custom view
dashboard view.
•
Custom view dashboard backgrounds scale to fit the available
Viewer panel space.
The background image scales to fit the available space in the Viewer
panel. You may need to adjust the shape of your viewer panel or
browser window to preserve the proportions of the background
image.
For more about selecting and working with background images for
custom view dashboards, see “To Load a Background Image” on
page 120.
To see a change made from another Console, refresh the dashboard manually. Custom
view dashboards provide two modes: View mode for monitoring and investigating events,
and Arrange mode, for customizing the layout and background elements.
Access context menus using Ctrl, Alt, or Shift + left click.
The custom view dashboard’s internal browser uses Adobe Flash Player.
Instead of accessing context menus using right-click, access them using
Alt + left click from anywhere on the dashboard.
To Launch the Custom View Dashboard in a Separate Browser Window
Click Launch Browser in the custom view dashboard top menu bar. The custom view
dashboard is accessible from any external browser that supports Flash and JavaScript at
the following URL:
https://<hostname>:<port>/www/managerui/com.arcsight.product.manager.kahuna.dashboard.DashboardLauncher/index.html?resourceid=<resourceid>&auth=<auth>
To Refresh the Custom View Dashboard Layout
Click the Layout Selector button at the bottom of the display ( ) and select Custom
Layout, or use any of the other methods described in “Displaying Custom View
Dashboards” on page 117.
Custom View Dashboard Context Menu Options
Both the View and Arrange modes offer the following context menu options (Ctrl, Alt, or
Shift + left click):
Option                        Description
Save Dashboard                Save the current dashboard layout. This option becomes
                              available when you have selected a different layout using
                              the View As context menu option.
Close Dashboard               Close the dashboard in the Viewer panel.
Data Monitor: Edit            Open the data monitor editor in the Inspect/Edit panel.
Data Monitor:                 Enable or disable the data monitor. For more about
Enable/Disable Data Monitor   enabling and disabling data monitors, see “Enabling or
                              Disabling a Data Monitor” on page 111.
Data Monitor: Minimize        Hide the data monitor from view.
                              To restore a minimized data monitor in a custom layout
                              view, switch to Arrange mode (“Arranging Custom View
                              Dashboards” on page 120), then select and check the
                              data monitor from the Data Monitors drop-down menu.
Data Monitor: Close           Remove the selected data monitor from the dashboard.
View As                       Change the data monitor view to a graphical format
                              supported for the data monitor type. For more about
                              data monitor views, see “Display Formats” on page 106.
Show Events                   Show the events displayed in the data monitor in an
                              active channel in a separate Viewer panel tab. This
                              enables you to see the event details and perform all
                              the tasks described in “Monitoring Active Channels” on
                              page 77.
Export                        Export the events shown in the data monitor or
                              dashboard as a JPG, CSV, or HTML file, or export the
                              dashboard or data monitor as a report archive in JPG
                              or CSV format.
To Revert to the Regular Dashboard View
1 Close the custom view version of the dashboard in the Viewer panel (right-click
the dashboard’s tab in the Viewer panel and select Close).
2 Re-open the dashboard from the Navigator panel (double-click the dashboard in the
Navigator panel, or right-click it and select Show Dashboard).
Working with Custom View Dashboards
Custom view dashboards open in the View mode. In View mode, you can interact with the
dashboard elements much the same way you do in the normal dashboard mode, such as
drill down on the events displayed in a dashboard element such as data monitor or query
viewer, and take context-menu actions.
The first time you switch to custom view dashboard mode, if there is no background
associated with a dashboard from when it was created using the Dashboard editor, the
dashboard will be displayed with a white background; otherwise you will see the last
background that was added. The dashboard elements will be rendered in evenly distributed
rows.
To Select View Mode
In the custom view dashboard top menu bar, select View from the Mode drop-down menu.
To Show Events in an Active Channel View
As with regular dashboards, you can view the events displayed in many types of event-based
data monitors or query viewers in an active channel, which enables you to see the
event details and perform all the tasks described in “Monitoring Active Channels” on
page 77. There are two ways to view eligible elements displayed in a custom view
dashboard in an active channel:
• Double-click the dashboard where the pointing hand cursor is activated.
• Activate the context menu (Ctrl, Alt, or Shift + left click) and select Show Events.
Arranging Custom View Dashboards
In Arrange mode, you can customize the dashboard layout, toggle data monitors on and
off, and upload a background image.
When you switch to Arrange mode, chart-type data monitors appear with a yellow
background. You can relocate, resize, and reshape all types of data monitors anywhere in
the custom view dashboard view.
Changes saved to a custom view dashboard refresh the dashboard
on all ArcSight Consoles attached to the Manager.
If the ESM Manager supports more than one ArcSight Console, any custom
view dashboard changes saved on one Console will refresh that dashboard on
the other Consoles attached to the Manager.
To Select Arrange Mode
In the custom view dashboard top menu bar, select Arrange from the Mode drop-down menu.
To Load a Background Image
You can upload a background image to the custom view dashboard. The image you select
will be stretched to fit the available display space in the Viewer panel, so for best results,
select an image with adequate size and proportion to fill the space.
1 Launch the file upload process. There are several ways to load a background image in
a custom view dashboard:
• Using the File resource. In the Navigator panel, go to File.
  a In the Navigator panel, first open the dashboard to which you want to add
  the background image. It can either be in the regular dashboard view or
  already in the custom view dashboard view.
  b In the Navigator panel, go to Dashboards. Double-click the dashboard you
  want to open in the Viewer panel, or right-click it and select Show
  Dashboard.
  c In the Navigator panel, go to Files. Create a new file (right-click your
  personal folder, for example, Admin’s Files, and select New File). In the File
  editor in the Inspect/Edit panel, give the file a name, and click Upload.
  d Right-click the file you uploaded and select Set as Background.
• From the image viewer Background menu. In the image viewer Arrange
mode, click the Background drop-down menu and select Set Background.
• From the regular dashboard viewer in the Viewer panel. You can add a
background from the dashboard’s Viewer tab context menu (right-click the
dashboard’s tab in the Viewer panel and select Set Background), or from a data
monitor (right-click the data monitor and go to Dashboard > Set Background).
• In the regular dashboard editor in the Inspect/Edit panel. Open the
dashboard for edit in the Inspect/Edit panel: in the Navigator panel, go to
Dashboards; right-click the dashboard you want to edit and select Edit
Dashboard. In the Background field, select Set Background.
2 In the Upload File Content dialog, navigate to the location on your system where the
background image is stored and click OK. This loads the image file as a File resource.
If the background image does not display right away, refresh the
custom view dashboard.
To refresh the Custom Layout view, click the Layout Selector button at
the bottom of the display and select Custom Layout.
3 To enable others to see the custom view dashboard with the image you uploaded,
copy the image from your personal Files folder into one of the Shared folders, such as
Public.
To Select a Previously Uploaded Background Image
If you want to load a previously uploaded image as the custom view dashboard
background, use the Files resource.
Open the destination dashboard in the Viewer panel first
The File resource Set as Background option is only available if the
destination dashboard is open in the Viewer panel.
1 In the Navigator panel, first open the dashboard to which you want to add the
background image. It can either be in the regular dashboard view or already in the
custom view dashboard view.
  a In the Navigator panel, go to Dashboards.
  b Double-click the dashboard you want to open in the Viewer panel, or right-click it
  and select Show Dashboard.
2 In the Navigator panel, go to Files. Right-click the image file you want to add as the
background and select Set as Background.
Other ways to load previously loaded background images
The File menu is the easiest way to see the available images you have
already uploaded, but you can use the methods described in “To Load a
Background Image” on page 120 to load a previously uploaded image.
Just go through the process to upload the image from your file system.
ESM will notify you that a file of that name already exists and ask if you
want to overwrite, use the old file, or cancel to stop.
Using Resource Graphs to Verify that a Background Image is Attached
You can verify that a background image has been attached to a custom view dashboard by
viewing a resource graph from Files or Dashboards in the Navigator panel.
1 In the Navigator panel, right-click the File or Dashboard resource and select Graph
View.
2 In the Viewer panel, verify that the image file is associated with the dashboard.
Removing a Background Image
To remove a background image from a custom view dashboard using the File
resource:
1 In the Navigator panel, open the dashboard from which to remove the background
image. It can be in the regular dashboard or custom view.
  a In the Navigator panel, go to Dashboards.
  b Double-click the dashboard you want to open in the Viewer panel, or right-click it
  and select Show Dashboard.
2 In the Navigator panel, go to Files. Right-click the image file you want to remove as
the background image on the dashboard and select Remove as Background.
To remove a background image from a custom view dashboard using the Dashboard
editor:
1 In the Navigator panel, go to Dashboards. Open the dashboard from which you want
to remove the background image for edit in the Inspect/Edit panel (right-click the
dashboard and select Edit Dashboard).
2 In the Dashboard editor in the Inspect/Edit panel, click the Background field and select
Remove Background.
To Relocate, Resize, and Reshape Data Monitors
Relocate a data monitor by dragging and dropping it in the desired location. Use the sizing
handles at the sides and corners to stretch it to the size and shape you want.
To save the layout, use Ctrl, Alt, or Shift + left click and select Save Dashboard.
To Select Which Data Monitors to Display and How
There are two ways to select which data monitors you want to display in this dashboard
using what display format. The data monitors available to this dashboard must be set in
the regular dashboard view in the Console.
• In a single operation from the custom view dashboard Data Monitors menu.
The custom view dashboard Data Monitors menu lists all data monitors available for
this dashboard.
  • To add or remove the data monitor from the dashboard, check or uncheck its
  check box.
  • To change the data monitor display format, select a display format from the
  available formats for this data monitor. For more about display formats, see
  “Display Formats” on page 106.
• For each individual data monitor from the custom view dashboard context
menu. Use Ctrl, Alt, or Shift + left click to access the context menu.
  • To add or remove the data monitor from the dashboard, use Ctrl, Alt, or Shift +
  left click and select Data Monitor > Minimize.
  • To change the data monitor display format, use Ctrl, Alt, or Shift + left click and
  select View As. For more about display formats, see “Display Formats” on
  page 106.
You also have the same context menu options described in “Working with Custom View
Dashboards” on page 119.
Monitoring Active Lists
You can directly examine and modify the active lists available in the Navigator panel's
Active Lists resource tree.
Viewing Active List Contents
1 Choose the Active List resource tree in the Navigator panel.
2 Right-click an active list and choose Show Entries.
Refreshing Active List Views
Active lists show results as of the time they opened for viewing, or the last time they were
refreshed.
Click the Refresh button in the view header to update the contents.
Adding to or Subtracting from an Active List
You can conveniently add or remove event-attribute-based active list entries using selected
events in active channel grid views. This feature automatically offers the name of the active
list that is appropriate for the selected event.
1 In an active channel grid view, select an event that is relevant to an active list of
interest.
2 Right-click the event and choose Active List > Add to > [active list] or Active List
> Remove from > [active list].
If an active list uses the Old File Size event attribute, the value required
when adding an entry is in bytes, not kilobytes or megabytes.
Filtering Active Lists
In addition to the constraints of an active list itself, you can place a temporary filter on an
active list view to aid your analysis. Such filters are not saved with the active list.
1 Open an active list in the Viewer panel as described above.
2 Click the Filter status description in the view header to open the Common Condition
Editor. For example, the status No Filter Defined.
3 Use the Common Condition Editor as described in “Creating Filters” on page 173.
Editing Active Lists
You can change an active list's definition or simply add a new entry to its parameters.
• Right-click an active list in the Navigator panel and choose Edit Active List to open it
in the Active List Editor. See “Managing Active Lists” on page 509 to use the editor.
• Click the Add Entry (+) button in the active list view header to open the Add Entry
editor.
Clearing Active List Views
While monitoring a particular active list grid view, you may want to see only traffic that
happens after a certain point in time. You can accomplish this by clearing the view.
1 In the Navigator panel's Active List resource tree, select the active list to clear.
2 Right-click and choose Clear Entries.
Customizing Active View Grid Columns
You can modify active list grid views just like other grid views, as described in “Customizing
Columns” on page 100.
Active List Grid Context Menu Commands
You can also use a set of right-click context commands available in active list grid views.
Menu Command    Description
New             Add an entry to the active list using the Active List Entry Editor.
Edit            Edit the selected entry using the Active List Entry Editor.
Delete          Remove the selected entry from the active list.
Graphing Attacks
You use graphic analytics to quickly identify high-volume attackers or targets at a glance.
You can immediately locate and typify cascading attacks (e.g., worms and viruses), and
rapidly isolate and analyze events involving interactions between two or more devices (e.g.,
threat discovery).
The event data you visualize can be static (a snapshot of the selected events) or live
(continuously updated with specified real-time event data). You create static graphs by
selecting certain event data out of a source and casting it as a graphic. You create live
graphs using a graphic data monitor type.
See “Changing User Preferences” on page 716 to set or change your event graph
preferences.
Creating Static Event Graphs
1 Select an array of events in a grid, data monitor, or event inspector.
2 Right-click the selected set and choose Event Graph or Geographic View.
The Viewer panel displays the selected events in a new view, using the graphic or
geographic styles described below.
Creating Live Event Graphs
• Select an Event Graph or Geographic Event Graph data monitor in the Dashboards tab
of the Navigator panel's Dashboards resource tree. Right-click it and choose Add to
Dashboard As > Geographic Graph or Graph.
• Alternatively, right-click your personal Data Monitors folder in the Navigator and
choose New Data Monitor. In the Data Monitor Editor, in the Data Monitor Type
drop-down list, choose Event Graph or Geographic Event Graph. Define the
graphic data monitor in the usual way.
The Data Monitor Editor has certain attributes for these types:
Attribute                     Usage
Max Event Count               The number of most-recent events to show. Events older
                              than this are discarded.
Event Node Identifier         The fields that are available to use to uniquely identify
                              the event type in a transaction.
Availability Interval         The number of seconds for the interval between updates
                              to the graphic.
Show Source/Target Nodes as   See “Changing User Preferences” on page 716.
Source Node Identifier        See “Changing User Preferences” on page 716.
Target Node Identifier        See “Changing User Preferences” on page 716.
Show Event Nodes              See “Changing User Preferences” on page 716.
Geographic Event Graph Attributes:
Attribute                     Usage
Max Event Count               The number of most-recent events to show. Events older
                              than this are discarded.
Availability Interval         The number of seconds for the interval between updates
                              to the graphic.
Event Graph Notes
Link-analysis visualizations are chart-like or logically oriented. Geo-spatial visualizations are
map-based or physically oriented. Node size indicates increasing event volume.
Each event is composed of the event node itself (a turquoise circle) and its connected
source node (red square) and target node (white square) device assets. The source and
the target may be the same asset.
Blue squares indicate a combined source and target node (a “point event”). Pink nodes
indicate IP addresses that are worm or virus infection sources for other nodes.
Point events occur on a single host; for example, a syslog entry for a running process. They
graph as IP address nodes that loop to an event node and back.
In geo-spatial displays, source and target location plotting is based on the physical
addresses registered for IP addresses. ArcSight includes standard plotting information for
this purpose. The addresses are plotted against a world map that you can zoom in or out.
All the specific location data that supports this feature also appears as attributes in the
Event Inspector.
You can modify the way graphs plot events, choosing to keep the source-event-target
visual relationships compact, or to emphasize unique sources, targets, or both in order to
more easily clarify the nature of attacks or situations.
Chapter 5
Pattern Discovery
ArcSight Pattern Discovery™ is a separately-licensed product that enables you to discover
previously unknown patterns, which might pose a threat, and view them for analysis.
This chapter contains the following sections:
Pattern Discovery Overview
“Installing Pattern Discovery” on page 129
“Pattern Discovery Life Cycle” on page 130
“Creating or Editing a Profile” on page 130
“Taking a Snapshot” on page 137
“Investigating Patterns” on page 142
“Usage Guidelines” on page 150
Pattern Discovery Overview
When finding threats by matching events against rules, you have to know the threat
characteristics and create a rule that matches them. ArcSight Pattern Discovery enables
you to search for threat patterns with known characteristics as well, but you can also find
unknown patterns, where the only characteristic you specify is that the transactions are
related and repeat.
The purpose of ArcSight Pattern Discovery is to:
• Effectively search streams of potentially millions of events for patterns, which are
simply repeating sequences of related events.
• Establish a baseline of patterns that represent normal event traffic and filter them out.
• Analyze what remains for threats.
In this way you can discover and investigate patterns that might represent new threats or
threats whose characteristics are not known to you.
What Pattern Detection Provides
ArcSight Pattern Discovery can automatically detect subtle, specialized, or long-term
patterns that might otherwise go undiscovered in the flow of events. You can use Pattern
Discovery to:
• Detect day-zero attacks: Pattern Discovery profiles are general enough that they
can discover patterns that have never been seen before.
• Detect low-and-slow attacks: Low-and-slow attacks involve fewer events over a
longer period. Profiles with longer time periods can capture these patterns.
• Automatically create rules: You can transform patterns into a rule set that is
unique to your environment and more accurate than generic predefined rules.
• Discover normal patterns: New patterns discovered from current network traffic
are like signatures for a particular subset of network traffic. You can specify which
patterns are normal so that matching patterns can be eliminated as a threat.
• Save a history of threat patterns: ArcSight Pattern Discovery can use event
patterns that originate from or target an asset to categorize those assets. For example,
a pattern of events from a machine that has an unauthorized program initiating a
connection to an attacker (a back door) can be shown as a cluster. If you see this
pattern originating from a new asset, it is a strong indication that the new asset also
has a back door installed.
Use Pattern Discovery for preventive maintenance and early detection in your security
management operations. Using periodic, scheduled analysis, you can continuously scan for
new patterns over varying time intervals to stay ahead of new exploits.
Pattern Components
Events in a pattern share one or more common field values. For example, they could share
the same source and target IP addresses, ports, host names, or other data.
The Pattern Discovery algorithm examines event components and identifies groups of
related components as transactions. Discovered patterns list the components involved and
the transactions containing common components. This data is output as a pattern
resource. Components can relate to one another in several ways:
• Related by session: Session refers to a unique pair of source and target addresses.
The events for which this pair are the same are in the same session.
• Together in a sub-stream: The event stream can be divided into sub-streams using
a “group by” operation on a subset of event fields. This step can also take time of
occurrence into account.
• Together in time: All the components occur together in a small time window.
Event components with some kind of relationship are grouped together as transactions,
which then become potential candidates for patterns. The Pattern Discovery algorithm
processes all the transactions it finds and produces patterns, depending on whether they
satisfy one or more conditions that make them discernible as patterns.
Event components are subdivided into transactions in two major ways: time-based division,
and event field-based division. These two methods can be combined.
Time-based division is based on timing constraints, and is very similar to the constraints
used in defining rules. For example, the system creates a transaction at every division of an
event stream. The event stream can be divided depending on the rate of occurrence of
events and changes in those rates. This works well for dividing event streams that display
events in bursts of activity.
Event field-based division is very similar to doing a “group by” operation on event
fields. Every related group of events is a sub-stream of the original stream of events. For
example:
• Based on source, target address, and port: Suppose there are three distinct
source addresses in the event stream. After doing a “group by,” three sub-streams are
generated, each one originating from and corresponding to a unique source address.
• Based on source and target address: In this case, all the events that have the
same source and target address belong to the same sub-stream.
How Pattern Discovery Works
Once the event stream is divided into transactions, Pattern Discovery identifies and groups
events that occur together in multiple transactions. These events are sub-grouped by
support level, which is the number of times that event occurred with its related events. A
higher support number means that a pattern has occurred more frequently than others.
For example, consider the separate grocery purchase transactions, below. Several patterns
emerge: Bread, butter, and jam were purchased together, as were milk and cereal. An
analyst can draw conclusions from those patterns: these shoppers intend to make toast, or
have cereal. Bread and strawberry jam also appear in two patterns and are a sub-pattern.
You can mask patterns you consider normal traffic so the system recognizes them and does
not reevaluate them. For potential threat patterns that you want to watch for, you can build
a rule based on the pattern characteristics. When the pattern occurs, the rule triggers an
action, such as notifying a group of users or running a command script.
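The transaction-and-support idea described above, as an added illustration (not ArcSight's own Pattern Discovery implementation, which the guide does not publish): a constructed event stream is divided into transactions by source/target session plus a time gap, recurring combinations of event names are counted across transactions to get their support, sub-patterns are flagged, and a pattern considered normal baseline traffic is masked. The event names, addresses and the 60-second window are constructed values.

```python
"""Simplified illustration of the Pattern Discovery transaction/support idea.
This is an added example, not ArcSight code: a real profile has many more
options, and ArcSight's actual algorithm is not described in the guide."""
from collections import Counter, defaultdict
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Sequence, Tuple

Event = Tuple[int, str, str, str]   # (timestamp in seconds, source, target, event name)
Pattern = FrozenSet[str]

# Constructed sample event stream (every value here is invented for the example).
SAMPLE_EVENTS: List[Event] = [
    (0,   "10.0.0.5", "10.0.0.20", "Port scan"),
    (5,   "10.0.0.5", "10.0.0.20", "SSH brute force"),
    (9,   "10.0.0.5", "10.0.0.20", "Outbound connection"),
    (100, "10.0.0.7", "10.0.0.21", "Port scan"),
    (104, "10.0.0.7", "10.0.0.21", "SSH brute force"),
    (110, "10.0.0.7", "10.0.0.21", "Outbound connection"),
    (200, "10.0.0.9", "10.0.0.22", "DNS query"),
    (203, "10.0.0.9", "10.0.0.22", "HTTP GET"),
    (400, "10.0.0.9", "10.0.0.22", "DNS query"),      # gap > window: new transaction
    (402, "10.0.0.9", "10.0.0.22", "HTTP GET"),
    (500, "10.0.0.5", "10.0.0.23", "Port scan"),
    (503, "10.0.0.5", "10.0.0.23", "SSH brute force"),
]


def divide_into_transactions(events: Iterable[Event], window: int) -> List[Pattern]:
    """Field-based division ("group by" source and target address, i.e. the
    session) combined with time-based division: inside a session, a gap of
    more than `window` seconds between consecutive events starts a new
    transaction. Each transaction is the set of event names it contains."""
    sessions: Dict[Tuple[str, str], List[Event]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        sessions[(ev[1], ev[2])].append(ev)
    transactions: List[Pattern] = []
    for evs in sessions.values():
        current: set = set()
        last_ts = None
        for ts, _src, _dst, name in evs:
            if last_ts is not None and ts - last_ts > window and current:
                transactions.append(frozenset(current))
                current = set()
            current.add(name)
            last_ts = ts
        if current:
            transactions.append(frozenset(current))
    return transactions


def count_support(transactions: Sequence[Pattern], max_size: int = 3) -> Counter:
    """Support = number of transactions in which a combination of event
    components occurs together. Combinations of 2..max_size names are counted."""
    support: Counter = Counter()
    for tx in transactions:
        items = sorted(tx)
        for k in range(2, min(max_size, len(items)) + 1):
            for combo in combinations(items, k):
                support[frozenset(combo)] += 1
    return support


def discover_patterns(events: Iterable[Event], window: int = 60,
                      min_support: int = 2, baseline: Iterable = ()):
    """Return (pattern, support, is_sub_pattern) tuples, highest support first.
    Patterns masked as normal baseline traffic, and their sub-patterns, are
    filtered out, mirroring the "mask patterns you consider normal" step."""
    transactions = divide_into_transactions(events, window)
    support = count_support(transactions)
    masked = [frozenset(p) for p in baseline]
    frequent = {p: s for p, s in support.items()
                if s >= min_support and not any(p <= m for m in masked)}
    results = []
    for p, s in frequent.items():
        is_sub = any(p < q for q in frequent)   # contained in a larger frequent pattern
        results.append((p, s, is_sub))
    results.sort(key=lambda r: (-r[1], -len(r[0]), sorted(r[0])))
    return results


if __name__ == "__main__":
    for pattern, sup, is_sub in discover_patterns(SAMPLE_EVENTS):
        kind = "sub-pattern" if is_sub else "pattern"
        print(f"support={sup} {kind}: {sorted(pattern)}")
```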
Installing Pattern Discovery
ArcSight Pattern Discovery is a separate feature, installed with ESM, but is enabled by a
separate product license. Contact your ArcSight representative to obtain a license key.
The license file is in a ZIP file. Follow the steps below:
1 Go to the Management Console’s Administration tab and find the License
Information section, under Configuration Management.
2 In the License File field specify or browse to the lic or zip file containing the
license you want to upload.
3 Click Upload to upload a new license.
4 After uploading, the Management Console asks you if you want to Restart, which
restarts certain ArcSight server processes.
You can choose to restart later. If so, when you are ready, select Server
Management in the accordion panel under Configuration Management, and click
Restart, at the bottom. You will have to log in again.
Pattern Discovery Life Cycle
The creation and use of Pattern Discovery consists of three phases:
• Create a profile (see “Creating or Editing a Profile” on page 130)
• Generate snapshots (see “Taking a Snapshot” on page 137)
• Investigate patterns (see “Investigating Patterns” on page 142)
Use these options to analyze and respond to the patterns you discover in snapshots.
Create Rule: Use the Rules Editor to create a rule from a detected pattern of events or a selected event-level in the pattern hierarchy.
Show Related Events: Open a new channel filtered with a matchesPattern operator that uses the whole pattern, or event-levels, as its argument.
Show Event Graph: Graph the complete pattern or a selected event-level in the pattern hierarchy, to analyze using the ArcSight Console's visualization tools.
Inspect Pattern: The Pattern Inspector shows details, and you can click the Actions button to apply the options described in this table.
Investigate: You can create an active channel, or add a filter to the editor, using (or not using) the name of the selected event item in the pattern.
Tools: Choose one of the network tools ArcSight provides to explore the origin of the selected event item.
Annotate Pattern: You can mark the pattern with a workflow collaboration Stage and assign it to a user for filtering by Stages and Users resources.
Creating or Editing a Profile
A profile is a set of filters that define which fields to include in your pattern search, and the scope and properties of a pattern. It also specifies the time period to search. Profiles can be general or specific. Typically you would use several different profiles to define the parameters of snapshots, which collect all the events in the specified time frame and evaluate them according to the filters set in the profile.
Pattern Discovery comes with two profiles in the Shared | All Profiles | ArcSight System folder:
• Daily Pattern Discovery - Searches for patterns over the previous 24 hours from the time of the snapshot. This profile is not scheduled; you can run it on demand.
• Quarter Hourly Pattern Discovery - Searches for patterns over the 15 minutes prior to the snapshot. This profile is not scheduled; you can run it on demand.
Use the following procedure to create a new profile:
1. In the Navigator panel, go to Pattern Discovery and click the Profiles tab.
2. Expand the Profiles resource tree. Right-click a group in the resource tree and select New Profile.
3. In the Inspect/Edit panel on the Profile Editor Attributes tab, you can modify most of the values.
You cannot rename or delete profiles in the ArcSight System Profiles group. You can edit them, but ArcSight recommends that you edit a copy you have pasted into another profiles folder. To use one of these profiles as is, see “Taking a Snapshot” on page 137.
You cannot delete or modify a profile if it has patterns and snapshots derived from it. This safeguards the relationships with snapshots that share the same profile. To modify or delete a profile, first delete the associated snapshots or patterns.
To copy and paste a profile to another folder, select the profile to copy. Go to Edit | Copy (Paste) or use Ctrl + C (V).
Editing Profile Attributes
Use the following procedure to edit a profile:
1. In the Navigator panel, go to Pattern Discovery and click the Profiles tab.
2. Expand the Profiles resource tree and navigate to the profile you want to modify.
3. In the Inspect/Edit panel on the Attributes tab, you can change most values and click Apply. Some values, such as version ID, are set by ArcSight and are not editable.
Summary: A profile summary appears below the Attributes tab. The underlined items are values entered in the fields below.
Profile section:
Name: Enter a descriptive name for your profile.
Minimum Pattern Length: Type or use the up/down arrows to select the minimum number of unique associated events necessary to qualify the events as a pattern. The default value is 2 events.
Minimum Pattern Occurrences: Type or use the up/down arrows to select the minimum number of times an event association of the specified length must recur in order to qualify as a pattern. The default value is 2 occurrences.
Start Time: Select a time stamp expression for the snapshot start time. Expressions are described below.
• $Now The current time in the format hh:mm:ss.
• $Now – 1h The current time minus 60 minutes.
• $Now – 1d The current time minus 24 hours.
• $Now – 1w The current time minus 7 days.
• $Today The start of the current day (12:00:00).
• $Today – 1d The start of the current day at midnight (12:00:00) minus 24 hours. In other words, the start of yesterday.
• $CurrentWeek The start of the current week (Sunday 12:00:00).
• $CurrentMonth The start of the current month (the 1st, 12:00:00).
The format of start time is $Now-<time>. The time is in increments of hours, days, weeks, or months.
End Time: Use the $Now drop-down menu to select a timestamp expression for the snapshot end time. The formats are the same as for Start Time, above.
Events section:
Event Fields, Source, Target: You can select one or more of these (event field, source, and target) for the pattern portion of the snapshot to display. Click in the data entry area and then click the drop-down menu to see the field chooser. In the Available Fields area, click the tab from which you want to choose. You can select one or more of:
• Field Sets.
• Local variables you created for this profile (see “Creating Local Variables” on page 136).
• Fields and global variables that are relevant to a pattern discovery profile.
In the Selected Fields section:
• Use the up and down arrows to specify the order in which they appear.
• Use the green alias icon to create an alias version.
• Use the red X icon to remove one from the list.
• You cannot specify date/time fields.
• If you are going to add fields to a list, those fields must appear in this section (except the End Time field, which does not have to be here).
Restrict by Filter: Click the All Events drop-down menu to choose a filter from the Filters resource tree. The filter restricts the pool of events from which the snapshot is constructed.
Advanced: The check boxes in this section instruct the snapshot to capture elements pertaining to time, which can lend vital insight to a pattern.
Record Time Order: This includes the time sequence of the events contained in patterns. For example, for a three-event pattern, it could record that A-B-C occurred 40 percent of the time, B-A-C 35 percent, and A-C-B 25 percent. Because event sequences can reveal intent, you can detect and act upon certain kinds of activity even sooner.
Split on Inactivity: This detects potentially meaningful decreases in activity between duplicate source/target pairs. It creates a break if there is a pause or significant drop in the number of times a particular pattern occurs, and treats occurrences of the pattern on either side of the break as separate instances. On analysis, a split on occurrences of the same source/target pairs means that there was a slow-down or break in occurrences. This enables you to discover patterns that happen repeatedly for one source/target pair.
Discovery Results section:
Snapshot Retention Time: Click the drop-down menu to select how long you want the system to save a snapshot and its series of events. Snapshots retain all the needed components of the events and make them available during analysis. For example, when you drill down in an event and select “Show related events,” the events saved within the time frame set here will be searched for matches. The default retention time is 7 days.
Snapshot Group: Choose a group in the Snapshot resource tree in which to store the resulting snapshots. By default, the system adds the snapshot to the same folder you right-clicked to add the profile.
Pattern Group: Choose a group in the Patterns resource tree in which to store the resulting patterns. By default, the system adds the pattern to the same folder you right-clicked to add the profile.
Common section:
External ID: An identification string suitable for, and which can be referenced by, systems outside ArcSight. Common applications of External IDs include appropriate naming for Case and Asset resources that are tracked in common with defect reporting or vulnerability-management systems. Your ArcSight administrator can advise you on the correct values for this field, if applicable.
Alias: An identification string suitable for referencing resources within ArcSight. A given alias appears in place of the resource's name everywhere it may be seen. Your ArcSight administrator can advise you on the correct values for this field, if applicable.
Version ID: If this profile came in a package or if you have exported it to a package, this is the package’s version ID.
Description: A text description of the profile.
Assign section:
Owner: The user with responsibility for the profile.
Notification Groups: The user groups to notify concerning changes to a profile.
4. Click OK to apply the changes and close the editor.
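The Start Time and End Time expressions listed in the table above, evaluated in code. This is an added example, not ArcSight's own parser: it accepts only the forms the table shows ($Now, $Today, $CurrentWeek, $CurrentMonth, optionally minus a whole number of hours, days, weeks or months) and resolves them against a supplied reference time. The month suffix letter M, the SAMPLE_NOW constant and the function names are assumptions of the example; the guide only states that the time part may be in hours, days, weeks, or months, and that the week starts on Sunday.

```python
import calendar
import re
from datetime import datetime, timedelta

# Constructed reference time used by the examples and tests: Thursday 20 Sep 2012, 14:30:45.
SAMPLE_NOW = datetime(2012, 9, 20, 14, 30, 45)

# Accepts "$Now - 1h", "$Today – 1d", "$CurrentWeek", "$CurrentMonth", "$Now-2M" and so on.
# The hyphen and the en dash (as printed in the guide) are both accepted as the minus sign.
# The "M" month suffix is an assumption of this example.
_EXPRESSION = re.compile(
    r"^\$(?P<base>Now|Today|CurrentWeek|CurrentMonth)"
    r"(?:\s*[-–]\s*(?P<amount>\d+)\s*(?P<unit>[hdwM]))?$"
)


def _midnight(t):
    return t.replace(hour=0, minute=0, second=0, microsecond=0)


def _minus_months(t, months):
    """Step back whole calendar months, clamping the day to the target month's length."""
    index = t.year * 12 + (t.month - 1) - months
    year, month0 = divmod(index, 12)
    month = month0 + 1
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def resolve_time_expression(expression, now):
    """Turn an expression such as "$Now - 1d" into an absolute datetime relative to now."""
    match = _EXPRESSION.match(expression.strip())
    if not match:
        raise ValueError(f"unsupported time expression: {expression!r}")
    base, amount, unit = match.group("base", "amount", "unit")
    if base == "Now":
        anchor = now
    elif base == "Today":
        anchor = _midnight(now)
    elif base == "CurrentWeek":
        # The guide defines the week as starting on Sunday; weekday() has Monday == 0.
        days_since_sunday = (now.weekday() + 1) % 7
        anchor = _midnight(now) - timedelta(days=days_since_sunday)
    else:  # CurrentMonth
        anchor = _midnight(now).replace(day=1)
    if amount is None:
        return anchor
    n = int(amount)
    if unit == "h":
        return anchor - timedelta(hours=n)
    if unit == "d":
        return anchor - timedelta(days=n)
    if unit == "w":
        return anchor - timedelta(weeks=n)
    return _minus_months(anchor, n)


def snapshot_window(start_expression, end_expression, now=None):
    """Resolve a profile's Start Time and End Time into a (start, end) pair and reject
    an empty or inverted window, which would yield a snapshot with no events."""
    now = now or datetime.now()
    start = resolve_time_expression(start_expression, now)
    end = resolve_time_expression(end_expression, now)
    if start >= end:
        raise ValueError(f"start {start} is not before end {end}")
    return start, end


if __name__ == "__main__":
    for expr in ("$Now", "$Now - 1h", "$Today - 1d", "$CurrentWeek", "$CurrentMonth"):
        print(f"{expr:16} -> {resolve_time_expression(expr, SAMPLE_NOW)}")
    print("daily window:", snapshot_window("$Now - 1d", "$Now", SAMPLE_NOW))
```

The window check at the end is the useful part for profile authoring: an empty snapshot is indistinguishable in the Viewer from one whose filter excluded everything, so it pays to validate the start/end pair before the job is scheduled.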
Specifying Actions
The Actions tab enables you to select a trigger, then specify the action to take when that
trigger occurs.
To specify an action:
1. Open the profile in the profile editor (double-click the profile in the Navigator panel).
2. In the Inspect/Edit panel, click the Actions tab.
3. Before you add an action, specify when to take the action (the trigger). Select one of the following trigger options:
On Pattern Discovered: This specifies that the action be taken the first time a new pattern appears. Choose this option for assigning new patterns to an analyst to investigate.
On Pattern Re-discovered: This specifies that the action will be taken if a new pattern is repeated. Choose this option for ongoing operations.
4. Click Add and select one of the following options:
Annotate Pattern: In the dialog box, enter the following values and click OK:
• Select a Stage from the drop-down menu.
• Assign a user from the drop-down menu.
Set Event Field: In the dialog box, enter the following values and click OK:
• Select a Field Set (or domain field set you created) from the drop-down menu.
• In the event fields grid, set values for the event fields you are interested in.
Send Notification: Specify a notification group in the Notification Group drop-down menu.
• Click Ack Required if those notified should acknowledge that they received notification.
• Write the message to send in the Message field.
Execute Command: In the dialog box, enter the following values and click OK:
• Select an operating system platform from the drop-down menu.
• Enter the command string. Use correct syntax; the system does not validate command strings.
• Enter required parameters. For example, the archive tool needs the manager name, admin name, and password. Specifying them lets the system execute the command without user intervention.
• In the Action Type drop-down menu, select one of the following:
Automatically run on manager: Initiates the command with no user intervention.
Run on Manager with Console confirmation: Displays a confirmation dialog box in the ArcSight Console for the designated user before the command is initiated.
Run on connector(s): Sends the command to the connectors that report the events.
Execute Connector Command: Specify a command to be executed at the SmartConnector reporting the events, such as pause or stop/start event flow. Enter the following values and click OK:
• In the Connector drop-down menu, select the SmartConnector to execute the command. When you select a connector, the command field is populated with the commands available for that connector.
• In the Command field, select the command for the connector to execute. The command may contain required parameters.
Export to External System: You can export the pattern to an external tracking system, such as BMC Remedy, if you configured it to operate with ESM. Click OK.
Active List: You can add a pattern to (or remove it from) an active list, where its event details are available to other correlation tools for reference.
• To add a pattern to an active list, select Add to Active List. In the dialog box, select an active list from the drop-down menu and click OK.
• To remove a pattern from an active list, select Remove from Active List. In the dialog box, select an active list from the drop-down menu and click OK.
• You cannot add fields to an Active List if they are not present in the Events section of the Profile.
• You cannot add any date/time-based fields to an Active List, since date/time fields cannot be included in the Events section of the profile.
Session List: You can add a pattern to a session list, or terminate a session list based on a pattern, where its event details are available to other correlation tools for reference.
• To add a pattern to a session list, select Add to Session List. In the dialog box, select a session list from the drop-down menu and click OK.
• To terminate a session list, select Terminate Session List. In the dialog box, select a session list from the drop-down menu and click OK.
• You cannot add fields to a Session List if they are not present in the Events section of the Profile.
• You cannot add any date/time-based fields to a Session List (except EndTime), since date/time fields cannot be included in the Events section of the profile. The End time displayed in the Add to Session List action is the time the entries are added to the session list.
5. The action summary is displayed in the Actions tab. To remove lines that are not used, click Hide Empty Triggers.
Creating Local Variables
Click the Local Variables tab to manage local variables for this profile. These are available to select from the drop-down menu on the Attributes tab for the Event Fields, Source, and Target attributes associated with the pattern.
From this tab you can:
• Add a new variable, which enables you to:
  • Name the variable
  • Specify a function (expression).
  • Specify the arguments. Available arguments depend on the function.
• Edit an existing variable
• Remove a selected variable
• Make a variable global, which means it is available to resources outside this profile. If you make a local variable global, it moves from the Local Variables tab to the Fields and Global Variables tab in the chooser for Event Fields, Sources and Targets, on the Attributes tab.
For more information on using local and global variables, see “Variables” on page 947.
Pattern Discovery supports the following variable return data types:
• Byte
• Long
• Double
• Resource ID
• Enumeration
• String
• Integer
• Address
Therefore, function variables that return an unsupported data type are not supported. For example, the following functions or function categories are not supported:
• Non-SQL-mode variables.
• Variables that return a list, such as ActorByAccountID.AccountID, and variables that operate on multi-mapped active lists or overlapping session lists.
• Variables that return a boolean value, such as the Category Model function hasRelationship.
Adding Notes
You can keep track of changes made to a profile using the Notes feature. To add a note:
1. In the Profile Editor, click the Notes tab.
2. In the Notes field, enter a note and click Save to log it in the Table/List tabs.
3. You can view notes as a table or as a list by toggling between the Table and List tabs. You can re-order the table view by clicking the column header.
Deleting a Profile
1. In the Navigator panel, go to Pattern Discovery and click the Profiles tab.
2. Right-click a profile in the resource tree and choose Delete Profile.
You cannot delete a profile that has patterns and snapshots derived from it. This safeguards the relationships among snapshots sharing the same profile. To delete a profile, delete all snapshots or patterns associated with it.
3. Click Delete in the confirmation dialog box.
Taking a Snapshot
A snapshot is a record of qualifying events that occurred over a specified period of time and were evaluated according to the snapshot profile. When the Pattern Discovery algorithm runs on the specified data set, it displays the result as a graphic, which you can use for investigation and analysis.
You can generate snapshots manually, or run them on a schedule. You are likely to generate snapshots more frequently during the early stage of implementation, when you are establishing a baseline of normal patterns. Each snapshot is stored in the Navigator panel in Pattern Discovery on the Snapshots tab.
You can also discover patterns directly from active channels. Right-click a channel in the Navigator panel and choose Discover Patterns.
To take snapshots:
1. In the Navigator panel, go to Pattern Discovery and click the Profiles tab.
2. Right-click a profile in the resource tree and select Take Snapshot.
3. In the Viewer panel, the system processes the snapshot request and shows each process as the Pattern Discovery engine runs.
4. When the process finishes, the system displays the snapshot in the Viewer panel. The views are linked; click a node in the snapshot view to see its details in the patterns view.
If the pattern is empty, no events passed the profile’s filter restrictions during the specified period. Adjust these profile specifications and generate the snapshot again.
Exploring a Snapshot
The upper part of the Viewer panel presents the snapshot view, which shows a hierarchy of related event nodes.
The lower part of the Viewer panel is the patterns view, which shows blocks of events from the hierarchy that are most closely related. Each block of events represents one specific path through the pattern hierarchy.
The figure (4 on page 138) shows two patterns and a demarcation point (between support = 45 and support = 18). The top two events are the SQL worm. The last event is generated by the system. Pattern Discovery classified 18 of 45 sources as suspicious. There are 27 sources that ran the slammer worm in the network, but they were not added to the suspicious list. This discovery enables you to investigate why all 27 systems were not caught by the other surveillance mechanisms in place on your network. Determining that will help you to tighten your network security.
The “support” value for each node is the number of times that event occurred with its related events. The higher the number, the higher the item appears in the hierarchy.
For example, in the snapshot below, there are two points at which there are sharp differences in support from one item to the next. This shift in support level is called a demarcation point, and indicates a sub-pattern in a longer sequence.
The demarcation points indicate attack stages, and sometimes variations of the same type of attack on different network systems. For example, the SQL worm propagation attempt makes up 1000 of the 1122 hostile attempts. The demarcation point in the center of the graphic shows that there are two variations: attack from suspicious source, and UDP packet tcpdump. This can indicate how different systems process the same type of SQL worm attack. Demarcation points are circled, below:
Arranging Elements in Graphic View
The buttons across the top let you zoom in, zoom out, and arrange the elements in different formations to give you better visibility of the overall pattern.
Fit Content: Sizes the graphic to the available display space.
Zoom In/Zoom Out: Increases or decreases the size of the displayed graphic.
Zoom Selected: Zooms in on a selected portion of a graphic.
Hierarchic Layout: Presents nodes in a vertically descending cascade, similar to a family tree. Hierarchic layouts are appropriate when viewing relationships with a common root.
Organic Layout: Arranges nodes based on minimum edge length, which tends to cluster items with a common relation. Clusters with items in common also tend to group together.
Circular Layout: Hub-and-spoke arrangements with each node radiating edges to, or receiving edges from, the items with which it interacts. Circular layouts are most useful when multiple roots are present or there are a number of source-target relationships to clarify. If an organic layout is difficult to read because the edges are too dense, try a circular layout.
Orthogonal Layout: Arranges items on the basis of logical connections, using electrical schematic-style right-angle layouts. These layouts are useful for clearly tracing connections and identifying node clusters.
Overview: Opens a reduced rendering of the entire graph. You can drag the highlighted section in the reduction to move the displayed area in the main view.
In addition to the control buttons, you can drag items around in the Viewer panel while maintaining the connections. This can make the view clearer for overlapped items.
Scheduling a Snapshot
You can schedule a snapshot to be taken at intervals. The schedule frequency can be part
of your daily analysis and operations. For example, as a best practice, you can run Pattern
Discovery once a day to capture event patterns that happened over the last 24 hours. You
can specify a longer period to find patterns with a longer term. To fully automate daily
Pattern Discovery, add actions to a schedule, such as sending notifications, opening cases,
or adding systems to an active list, if certain conditions are met.
1. In the Navigator panel, go to Pattern Discovery and click the Profiles tab.
2. Right-click a profile in the resource tree and select Schedule Snapshots.
Profiles in the System Profiles group are locked; you cannot add to or modify the schedules for profiles in the System Profiles folder. To use one of the System Profiles as a template, copy it to another folder.
3. On the Jobs tab, click Add.
4. In the Summary field at the bottom, select Click here to set up schedule frequency. This activates the Job Frequency dialog.
5. Click OK when you have set the frequency and time range.
6. Repeat Step 3 to add more schedules for the same snapshot.
7. When you have added all the schedules for this snapshot, click OK at the bottom of the Jobs tab.
8. To add an action to be taken every time the profile is run, specify an action in the Actions tab of the profile editor, as described in “Specifying Actions” on page 134.
Re-opening a Snapshot
If you have closed a snapshot in the Viewer panel, you can re-open it.
1. In the Navigator panel, go to Pattern Discovery and click the Snapshots tab.
2. Navigate to the snapshot graph. Right-click the snapshot and select Show Snapshot.
When the snapshot's graphic has formed in the Viewer panel, you can click the icons at the top of the view to change its layout as described in “Visualizing Resources” on page 620.
Deleting a Snapshot
1. In the Navigator panel, go to Pattern Discovery and click the Snapshots tab.
2. Right-click a snapshot in the resource tree and choose Delete Snapshot.
3. Click Yes to confirm the deletion.
Investigating Patterns
When you take a snapshot, the Pattern view shown in the snapshot is also saved in the
Patterns tab of the Pattern Discovery resource tree. You can use the Patterns tab to access
more event investigation tools.
Investigating Patterns in the Snapshots View
Pattern Discovery gives you access to investigative tools from a series of buttons. These same tools are available from the right-click menu. The snapshot view and the patterns view offer most of the same investigative tools, with a few specific differences. Right-click any item in the graphical Snapshots view to open a new window within the snapshot view that contains details about the related events:
Show related events: Opens a new active channel in the Snapshots tab, filtered with a matchesPattern operator. This channel uses the pattern, or selected event-level in the pattern hierarchy, as its argument. To toggle back to the graphic view, click the Snapshot tab at the bottom of the snapshot Viewer panel.
Investigate: Creates a channel in a grid view that contains the associated events sorted according to Attacker Address, Name, and Target Address.
Tools: Configure… includes the following options, and can be accessed directly through the larger Tools menu:
• Nslookup - Resolves an IP address to a host name (domain name) and vice versa.
• Ping - Determines whether a particular IP address is online, and/or tests and debugs a network by sending a packet and waiting for a response.
• PortInfo - Lists standard usage such as WWW or FTP for a specified port number.
• Traceroute - Shows the path from the ArcSight Console to the IP address selected in the grid view, reporting the IP addresses of all routers in between.
• WebSearch - Searches the Web through Google to find links to the keywords present in the currently selected active channel grid view cells.
• Whois - Looks up who is behind a given domain name; information might include addresses and telephone numbers.
• Results… - Provides the results of running a network tool using the attributes of the selected pattern block.
For more information about network tools, see the online Help.
Create Rule…: Launches a Rules Editor in the Inspect/Edit panel. The rule you create here is stored in the Rules resource tree under the personal rules of the user who created it. For instructions about how to construct a rule, see “Creating Rules from Patterns” on page 147.
Show Event Graph: Displays the pattern as an event graph, which shows pattern components and their relationships in graphic form. For more information about ESM event graphs, see the online Help.
Show: Allows you to reset the graphic view with the following options:
• Show all nodes - Displays the entire snapshot graphic. This is helpful if you have drilled down and wish to redisplay the original snapshot.
• Show all nodes containing selected items - Displays only the event hierarchy that contains the selected item.
• Hide all nodes containing selected items - Displays all the event hierarchies that do not contain the selected item.
The example below shows our sample pattern displayed as an event graph. To save space, the event graph consolidates items that have many members. In this case, the sample on the left shows the source address nodes consolidated into a single cluster with a single line representing the connections to each of the event name nodes.
To see the details and number of these connections, as shown on the right, uncluster the node by right-clicking the node and selecting Uncluster selected nodes.
Toggle between multiple views in the Snapshot window using tabs. Unclustering the source address nodes allows you to see the details of those nodes.
When you use the right-click menu to open a new view, it displays in a new tab within the snapshot pane. Use the tabs at the bottom of the pane to toggle between the views.
To close tabs in the snapshot view, right-click the tab at the bottom and select Close.
To rearrange open tabs in snapshot view:
1. Use the down arrow button to tile the open tabs horizontally, vertically, or to fit.
2. To select different views on an event graph, use the corresponding toolbar button. For details about viewing event graphs, see the online Help.
Investigating Patterns in the Patterns View
You can re-open just the patterns view part of the snapshot in the Viewer panel.
1. In the Navigator panel, go to Pattern Discovery and click the Patterns tab.
2. Select one or more patterns in the resource tree, right-click the selections and choose View Pattern. This opens the Pattern pane in the Viewer panel.
3. You can take the same actions on the Pattern view as described in “Investigating Patterns in the Patterns View” on page 145.
In the Patterns view, you can click the Actions button or right-click a pattern, where you have the following options:
Inspect Pattern: Opens the Pattern Inspector in the Inspect/Edit panel. For more about how to inspect patterns, see “Investigating Patterns” on page 142.
Create rule from Pattern: Launches a Rules Editor in the Inspect/Edit panel. The rule you create here is stored in the Rules resource tree under the personal rules of the creating user. For instructions about how to construct a rule, see “Creating Rules from Patterns” on page 147.
Annotate Pattern: Click this to open the Annotations dialog box. This allows you to escalate a pattern to another user for further investigation. For more information about how to annotate a pattern, see “Annotating Patterns” on page 149.
Event Graph: Displays the events as an event graph, which shows interactions between two or more devices. For more information about how to use ESM event graphs, see the online Help.
Related Events: Click this to open a grid view of the events contained in the Pattern Discovery snapshot.
Create Channel: Creates a channel based on the selected pattern block.
Add Condition to Editor: Enables you to edit the condition statements associated with this pattern block.
Viewing Patterns with Filter
You can view patterns assigned to a particular user or stage using Annotations.
1. In the Navigator panel in Pattern Discovery, click the Patterns tab.
2. Navigate to the pattern.
3. Right-click that pattern and select View Patterns with Filter.
4. To filter for patterns assigned to a user, use the Select a User drop-down menu.
5. To filter for patterns assigned to a workflow stage, use the Select a Stage drop-down menu.
6. You can use one or both parameters for your search.
Inspecting Patterns
The Pattern Inspector provides you one more level of investigative control. If you decide
that a pattern requires more investigation, you can use the Pattern Inspector to edit its
details to be more descriptive for other users.
For example, you can rename the pattern from the default date and time of the snapshot
to something more specific, such as “Potential worm attack.” Then you can add a
description of the pattern so that another user can verify your findings.
To launch the Pattern Inspector:
1
In the Navigator panel, go to Pattern Discovery and click the Patterns tab.
2
Right-click a pattern in the resource tree and choose Inspect Pattern….
Details of the pattern are displayed in the Inspect/Edit panel. Use the following sections as
described below to tailor the pattern for further investigation:
Section: Description
Summary: Use this section to modify the name of the pattern from the default date-and-time name to a more descriptive name. You can also add a description of the pattern to aid other analysts. The Profile field is not editable.
Items: Use the Investigate drop-down button or right-click an item name to display the associated event details in a channel in the Viewer panel.
Snapshot: Use this drop-down menu to open patterns generated from the same profile definition so you can compare them.
Transactions: This table shows the source and destination data defined in the profile (address, port, host name, and so on) for the events involved in the pattern.
Time Spread: This table is only present if you selected Record Time Order in the profile. It shows the details about the time spans involved between pattern occurrences.
  • Average - the average time between events in this pattern
  • Deviation - the difference in time spread between multiple occurrences of this pattern
  • Min - the minimum time between events in this pattern
  • Max - the maximum time between events in this pattern
The Pattern Inspector (below) shows item details and source/target transactions. You can rename a pattern to something more specific than the default date and time, and you can include a description.
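To make the Time Spread values concrete, here is an added Python example; it is not part of this guide and not ArcSight code. It computes Average, Min and Max over the gaps between consecutive events within each occurrence of a pattern, using constructed timestamps, and takes Deviation as the population standard deviation of each occurrence's average gap. Those formulas are assumptions: the guide names the four values but does not define how Pattern Discovery computes them.

```python
"""Time Spread statistics for a pattern's occurrences.

Added example, not ArcSight code. The formulas are assumptions: the guide
names Average, Deviation, Min and Max but does not define how they are
computed. Here Average, Min and Max are taken over the gaps between
consecutive events within each occurrence, and Deviation is the population
standard deviation of each occurrence's average gap.
"""
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: four occurrences of one pattern, each a list of event
# timestamps as recorded with Record Time Order enabled in the profile.
SAMPLE_OCCURRENCES = [
    ["2012-09-20 10:00:00", "2012-09-20 10:00:30", "2012-09-20 10:01:20"],  # gaps 30, 50
    ["2012-09-20 11:00:00", "2012-09-20 11:00:20", "2012-09-20 11:01:20"],  # gaps 20, 60
    ["2012-09-20 12:00:00", "2012-09-20 12:00:10", "2012-09-20 12:00:40"],  # gaps 10, 30
    ["2012-09-20 13:00:00", "2012-09-20 13:00:20", "2012-09-20 13:00:40"],  # gaps 20, 20
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def gaps_seconds(occurrence):
    """Seconds between consecutive events of one occurrence, in time order."""
    times = sorted(_ts(t) for t in occurrence)
    return [(later - earlier).total_seconds()
            for earlier, later in zip(times, times[1:])]


def time_spread(occurrences):
    """Return the Time Spread table values for a list of pattern occurrences."""
    per_occurrence = [gaps_seconds(o) for o in occurrences]
    per_occurrence = [g for g in per_occurrence if g]  # skip single-event occurrences
    if not per_occurrence:
        raise ValueError("need at least one occurrence with two or more events")
    all_gaps = [g for gaps in per_occurrence for g in gaps]
    return {
        "average": mean(all_gaps),                              # mean gap overall
        "deviation": pstdev([mean(g) for g in per_occurrence]),  # spread between occurrences
        "min": min(all_gaps),
        "max": max(all_gaps),
    }


if __name__ == "__main__":
    for key, value in time_spread(SAMPLE_OCCURRENCES).items():
        print(f"{key:>9}: {value:.1f} s")
```

With the constructed sample, the per-occurrence average gaps are 40, 40, 20 and 20 seconds, so the Deviation value reflects how consistently the pattern repeats, while Min and Max show the extremes of any single gap.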
Creating Rules from Patterns
You can create rules based on discovered patterns. Going back to our example, if Pattern
Discovery finds a pattern between an MS-SQL worm propagation attempt reported by
Snort, an MS SQL version overflow attempt, and an attack from a suspicious source, this
indicates dangerous worm activity, and you can create a rule to notify users or quarantine a
server whenever the system detects traffic that matches this pattern. For additional
information on creating and managing rules, see “Creating Rule Actions” on page 408.
You can create rules from patterns in the Snapshot view in the Viewer panel, or in the
Pattern Inspector in the Inspect/Edit panel.
• To access the Rules Editor from the Snapshot view: Right-click any item in the hierarchy graphic and select Create Rule….
• To access the Rules Editor from the Snapshot Patterns view: Right-click any item in the pattern block and select Create Rule…. You can also click the create rule button in the button menu.
• To access the Rules Editor from the Pattern Inspector: In the button menu, click the create rule button.
The Rules Editor opens in the Inspect/Edit panel showing the Attributes tab. Once the
Rules Editor is open, do the following:
1. Enter a name for the rule. You can also assign an external ID, alias, description, Version ID, owner, notification groups for the filter, and mark a resource as deprecated. Click Apply.
2. In the Rules Editor on the Conditions tab, the pattern's elements already appear in the common conditions editor. Modify the logic to express additional conditions for the rule to evaluate. For information, see “Specifying Rule Conditions” on page 397.
   The OR conditions are intentional. OR is a more memory-efficient way to process rules than AND because it also applies a threshold value (the number of items involved) and distinct item names to track the components of the rule, rather than a blanket (join) approach.
3. At the Aggregation tab, set the number of matches and time frame for the rule.
4. At the Actions tab, set the actions for the rule to trigger when the thresholds are met.
   a. Click Hide Empty Triggers in the top row. This reduces the list of available thresholds to those that are active (applicable to the conditions set in the rule).
   b. Select a threshold from the list and click Add. Choose an action from the list that appears. See “Rule Actions Reference” on page 412.
5. At the Variables tab, enter variables. Variables break down compound data fields into smaller parts so they can be sorted and acted upon. For example, you can break the 7-part timestamp field or a multi-value URI into component parts, which can be reassembled in a more human-readable order, or sorted by component. For more about dependent variables, see the online Help and search for Dependent Variables.
6. You can keep track of changes made to a profile using the Notes feature:
   a. In the Inspect/Edit panel, click the Notes tab.
   b. In the Notes field, enter a note and click Save. The entry is logged in the Table/List tabs.
   c. You can view notes as a table or as a list by toggling between the Table and List tabs. You can re-order the table view by clicking the column header.
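The following Python example, added here and not part of the guide or of the ESM rule engine, models what the Conditions and Aggregation steps above describe: the pattern's item names form an OR condition, and the aggregation fires only when a threshold of distinct item names has been seen for the same target within the time frame, so a flood of one item does not count as a match. The item names (the third is a stand-in for "an attack from a suspicious source"), the grouping by target address, the two-minute window, the reset-after-firing behaviour and the event stream are all constructed assumptions.

```python
"""Sliding-window correlation over pattern items.

Added example, not ArcSight code: a small model of a rule whose conditions
are the OR of a pattern's item names and whose aggregation fires when a
threshold of distinct item names is seen for one target inside a time frame.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Item names from the worm example in the text; the third name is an assumed
# stand-in for "an attack from a suspicious source".
PATTERN_ITEMS = frozenset({
    "MS-SQL worm propagation attempt",
    "MS SQL version overflow attempt",
    "Attack from suspicious source",
})


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


class PatternRule:
    """OR over item names, aggregated per group key over a sliding time window."""

    def __init__(self, items, distinct_required, time_frame, group_by="target"):
        self.items = frozenset(items)
        self.distinct_required = distinct_required
        self.time_frame = time_frame
        self.group_by = group_by
        self._windows = defaultdict(deque)  # group key -> deque of (time, event)

    def feed(self, event):
        """Consume one event; return a correlation event when the rule fires, else None."""
        if event["name"] not in self.items:  # OR condition: any pattern item matches
            return None
        now = _ts(event["time"])
        window = self._windows[event[self.group_by]]
        window.append((now, event))
        # Drop base events that fell out of the aggregation time frame.
        while window and now - window[0][0] > self.time_frame:
            window.popleft()
        distinct = {e["name"] for _, e in window}  # threshold counts distinct item names
        if len(distinct) < self.distinct_required:
            return None
        base_events = [e for _, e in window]
        window.clear()  # assumption: the window resets once the rule has fired
        return {
            "time": event["time"],
            "name": "Correlation: pattern items matched",
            self.group_by: event[self.group_by],
            "items": frozenset(distinct),
            "base_events": base_events,
        }


def _ev(time, name, source, target):
    return {"time": time, "name": name, "source": source, "target": target}


# Constructed event stream (not real sensor output), already in time order.
SAMPLE_EVENTS = [
    _ev("2012-09-20 09:00:00", "MS-SQL worm propagation attempt", "192.0.2.10", "10.0.0.5"),
    _ev("2012-09-20 09:00:05", "ICMP echo request", "192.0.2.20", "10.0.0.5"),  # not a pattern item
    _ev("2012-09-20 09:00:10", "MS-SQL worm propagation attempt", "192.0.2.11", "10.0.0.9"),
    _ev("2012-09-20 09:00:20", "MS-SQL worm propagation attempt", "192.0.2.11", "10.0.0.9"),
    _ev("2012-09-20 09:00:30", "MS-SQL worm propagation attempt", "192.0.2.11", "10.0.0.9"),
    _ev("2012-09-20 09:00:40", "MS SQL version overflow attempt", "192.0.2.10", "10.0.0.5"),
    _ev("2012-09-20 09:01:10", "Attack from suspicious source", "192.0.2.10", "10.0.0.5"),
    _ev("2012-09-20 09:05:00", "MS-SQL worm propagation attempt", "192.0.2.12", "10.0.0.7"),
    _ev("2012-09-20 09:05:30", "MS SQL version overflow attempt", "192.0.2.12", "10.0.0.7"),
    _ev("2012-09-20 09:20:00", "Attack from suspicious source", "192.0.2.12", "10.0.0.7"),
]


def run_rule(events, rule=None):
    """Feed every event through the rule and collect the correlation events."""
    rule = rule or PatternRule(PATTERN_ITEMS, 3, timedelta(minutes=2))
    return [c for c in (rule.feed(e) for e in events) if c is not None]


if __name__ == "__main__":
    for c in run_rule(SAMPLE_EVENTS):
        print(c["time"], c["target"], sorted(c["items"]))
```

Only target 10.0.0.5 produces a correlation event: 10.0.0.9 sees the same item three times (one distinct name), and 10.0.0.7 sees all three items but the third arrives after the first two have left the two-minute window.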
Annotating Patterns
Annotation is a light-weight way to escalate a pattern to other users through your workflow
system for analysis or investigation. You can use annotations instead of cases to escalate
only one pattern. Use cases to escalate multiple patterns or if you use a third-party incident
management system.
You can annotate patterns from the snapshot and Pattern views in the Viewer panel, or
within the Pattern Inspector in the Inspect/Edit panel.
To access the Annotation Editor from the Snapshot Patterns view:
1. In the Navigator panel, go to Pattern Discovery and click the Snapshots tab.
2. Double-click the snapshot to display it in the Viewer panel.
3. Expand the pane so you can see the Patterns view at the bottom.
4. Right-click any item in the pattern block and select Annotate Pattern…. You can also click the Annotate Pattern button in the button menu.
To access the Annotation Editor from the Pattern Inspector:
1. In the Navigator panel, go to Pattern Discovery and click the Patterns tab.
2. Navigate to the pattern and double-click it.
3. In the Inspect/Edit pane on the Pattern Inspector tab button menu, click the Annotate Pattern button.
Once the Annotation Editor is open, enter the following values and click OK.
Field: Value
Stage: Select a stage from the drop-down menu. The default is Queued.
Assign to: Select a user from the drop-down menu.
Comments: Enter any comments to communicate to other ESM users.
Deleting a Pattern
1. In the Navigator panel, go to Pattern Discovery and click the Patterns tab.
2. Select one or more patterns.
3. Right-click the selected patterns in the resource tree and choose Delete Pattern.
4. Click Yes to confirm the deletion.
Usage Guidelines
Establishing a Baseline of Normal Patterns
Use broader profiles and more frequent snapshots in order to capture an example of all the
patterns that occur as part of normal business practices. Identifying normal patterns takes
time and investigation, and requires that you be familiar with traffic in your enterprise.
Once you have identified normal patterns, use annotation for moving them out of the
analysis workflow. You can also use filters, but it is more reliable to move patterns by
annotating them to a stage, such as Closed, because it assures that the pattern has been
inspected and classified. For instructions about how to use event annotation to manage
Pattern Discovery workflow, see “Annotating Patterns” on page 149.
Using Pattern Discovery in Routine Operations
Once normal patterns are identified and annotated so they are removed from the routine
traffic flow, you can focus on the new patterns that are not yet classified. Routine
operations consist of the following tasks:
• Workflow. As Pattern Discovery turns up new or unclassified patterns, a designated user needs to review them and start them through the workflow using the ESM annotations feature. You can also schedule Pattern Discovery to run at intervals.
• Investigation and analysis. Once assigned to an analyst, the analyst can use the full array of ESM’s investigation and analysis tools, including snapshot and pattern graphics, event graphs, filters, and rules, to determine the level of threat represented by the pattern.
  During this investigation, it may be useful to drill down to the native device information to help identify the significance of a pattern. For example, if an event in a pattern was generated by Snort, you can retrieve the Snort rule number and look for its detailed explanation to obtain important event details.
• Take action. When a threat level is determined, the analyst can take a number of actions, such as use the ESM rule builder to take a prescribed action on this pattern and others that match it that may occur in the future; assign it to another user for follow-up; or close the pattern if it is deemed benign.
Performance Considerations
Pattern Discovery jobs can be resource intensive. Under high EPS (for example, greater
than 15K), Pattern Discovery jobs can cause a degradation in performance, and may fail to
return a matching result set. ArcSight recommends that you reduce the scope and/or
frequency of Pattern Discovery jobs when running a system with high EPS.
Adjusting Pattern Discovery Memory
By default, Pattern Discovery limits its memory usage to about 4 GB of memory. However,
if the search for patterns involves too many transactions and events, the task can run out
of memory and abort. If the pattern discovery task aborts, a message to that effect
appears in the ArcSight Console. Run the pattern discovery task again after increasing the
pattern discovery memory usage limit. You can control the memory usage limit indirectly by
changing the maximum number of transactions and events that can be held in memory.
For information, see “Adjusting Pattern Discovery Memory” in the “Configuration” chapter
of the Administrator’s Guide.
Chapter 6
Field Sets
The field sets panel provides access to resources that are used to group and extend the
fields of the event and resource schema. The Field Sets tree presents tools for the following
tasks:

Creating Field Sets
  Who: SOC operators, authors, and analysts concerned with traditional security-related use cases.
  License, Permissions, or Configuration Required? No
  What: A named subset of available data fields in the standard schema and the user-defined dynamic schema.
  Why: To narrow the fields available in the standard 400+ field event schema and the user-defined dynamic schema to make it easier to select and view fields.
  When: Any time
  Where: Active channels, CCE
  How: See “Field Sets” on page 154.

Creating Global Variables
  Who: SOC operators, authors, and analysts concerned with any type of use case.
  License, Permissions, or Configuration Required? No
  What: A way to derive a unique value from existing values in a data field, and the derived value itself, stored in a global variable field.
  Why: To make correlation, monitoring, and investigation more precise.
  When: Any time
  Where: Active channels, CCE, regular field sets, other global variables
  How: See “Global Variables” on page 435.
Field Sets
“Navigating to Field Sets” on page 154
“Creating and Using Field Sets” on page 154
“Where Field Sets can be Selected” on page 161
“About Global Variables” on page 161
Navigating to Field Sets
In the Navigator panel, select Field Sets from the drop-down menu.
Creating and Using Field Sets
Field sets are named subsets of available data fields. Field sets can help you quickly focus a
grid view, Event Inspector, or other field array on a particular context, such as customer
accounts or vulnerability.
Field sets are a shareable resource that you can manage and apply through the Field Sets
resource tree in the Field Sets section of the Navigator panel. (In the Navigator, choose
Field Sets, and click the Field Sets tab.) Field sets also support local and global variable
data fields.
In addition to field sets based on the Security Event schema, you can create field sets
based on certain resources. ArcSight supports the following types of field sets:
• Actor field set. An actor field set contains fields that make up the Actors resource. Actor fields are attributes to identify users and track their activity. ArcSight provides a base set of Actors fields from which you can make user-defined subsets.
• Asset field set. An asset field set contains fields that make up the Assets resource. Asset fields are attributes used to identify monitored assets. ArcSight provides a base set of Asset fields from which you can make user-defined subsets.
• Case field set. A case field set contains fields that make up the Cases resource. Case fields are attributes used to track events that have been added to cases. ArcSight provides a base set of Case fields from which you can make user-defined subsets.
• Event field set. An event field set is a named subset of available data fields from the ESM security event schema.
A base or root field set is provided for each schema type (Event, Actor, Asset, and so on)
from which you can create user-defined subsets. A derived field set may inherit all or a
subset of its parent's base fields, and additionally may include local or global variables not
present in the parent. All field sets have a parent (field sets created in previous
versions of ESM use the Event base field set as their parent by default).
Creating a Field Set
To create a field set:
1. Choose File>New on the Console's menu, or the New Resource button, and the Field Set command. You can also right-click a folder in the Field Sets resource tree and choose New Field Set.
2. In the Field Set Editor in the Inspect/Edit panel, enter attributes for the field set and assign it one or more existing fields.
3. Click Apply to save the field set in the resource tree and continue editing. Click OK to save the set in the resource tree and close the editor.
For details about what to enter in each field of the Field Set Editor, see “Field Set Editor: Attributes Tab” on page 155.
Field Set Editor: Attributes Tab
The attributes tab is where you name the field set and specify what type of field set it is.
Field: Description
Name: Enter a name for the field set that identifies what it represents.
Type: From the drop-down menu, select what type of field set it is:
  • Actor Field Set. Select this if the field set will contain only actor fields for use cases relating to tracking actors.
  • Asset Field Set. Select this if the field set will contain only asset fields for use cases relating to tracking assets.
  • Case Field Set. Select this if the field set will contain only case fields for use cases relating to tracking cases.
  • Event Field Set. Select this if the field set will contain fields from the ESM security event schema for event-based use cases.
For a description of what to enter in the Common fields, see “Common Resource Attribute
Fields” on page 630.
Field Set Editor: Fields Tab
The Fields tab is where you add the data fields to the field set.
Creating a domain field set?
If you are creating a domain field set, see “Creating Domain Field Sets” on
page 452.
The Field Set editor provides several ways to add different types of fields:
• Fields & Global Variables tab. Use this tab to add existing user-defined domain fields and global variables.
• Field Sets tab. Use this tab to add standard event and resource schema fields. This field selector is similar to those available in the CCE and active channel editors.
• Local Variables tab. Use this tab to add one or more local variables defined on this field set’s top level Local Variables tab.
Once fields are added to the field set, you can re-order and delete them, and create aliases for event-based fields. For instructions, see “Editing a Field Set” on page 159.
Derived fields shown in italics
Fields shown in italics are derived from data in other fields. Derived fields
appear in various places on the Console UI including on the Field Set editor,
and the Common Conditions Editor (CCE) aggregation tabs (for example,
Rules, Filters, and so forth). See also “Using Field Sets” on page 792 in the
“Common Conditions Editor (CCE)” on page 782 reference topic.
Looking for information about custom columns?
If you want to add a custom column, you need to create or define it first. For
information about creating custom columns, see “Customizing Columns” on
page 100. For information about working with grid views, see “Using Active
Channels” on page 93.
Once a custom column is created, you can add it to your field set using the
Add Custom Columns button at the bottom of the Fields tab editor. For
details, see “Adding Custom Columns” on page 159.
Adding Fields from the Fields & Global Variables Tab
The Fields & Global Variables tab enables you to select fields from a resource tree like the
one presented in the Fields & Global Variables Navigator panel. Use this tab to add user-defined fields and global variables to your regular field set.
Fields & Global Variables tab also presents regular event fields
The Fields & Global Variables selector also provides a tree-level view of the
standard event and resource schema fields. You can use this view to add
event fields, or add them from the Field Sets tab described in “Adding Fields
from the Field Sets Tab” on page 157.
In the Fields and Global Variables tab, select any existing fields or global variables you want
to add to the field set. The selected field will appear in the Selected Fields panel.
For more about global variables, see “Global Variables” on page 435.
Adding Fields from the Field Sets Tab
The Field Sets tab enables you to select regular event fields that are part of a domain field
set using a functionally organized field selector similar to that in the CCE and active
channel editor. You can also use field sets in the Field Sets tab to narrow the list of fields
down to those you are interested in.
You can navigate the entire event and resource schema for the fields you are interested in,
or select a field set from which you want to select fields in the Choose fields from dropdown menu.
Adding Local Variables from the Local Variables Tab
In the Available Fields for <type of> Field Set section at the Local Variables tab, select a
local variable that you define in “Field Set Editor: Local Variables Tab” on page 159.
Create a local variable in the Local Variable tab first
If you want to add a local variable to this field set, but the local variables tab
in the Field tab contains no items to select, first define the local variable in
“Field Set Editor: Local Variables Tab” on page 159.
In the Available Fields for <Type of> Field Set panel in the Local Variables tab, select the
check box for the local variable you want to add to the field set.
• To re-order the local variables in the list, select a field and use the up/down arrows to place it in the desired order. The variables will be evaluated in the order shown here.
• To remove the local variable from the list, select the field and click the delete button.
• For instructions about how to construct a local variable using the Field Set editor’s Local Variables editor, see “Field Set Editor: Local Variables Tab” on page 159.
Adding Custom Columns
The bottom of the Fields tab provides a button that enables you to add an existing custom
column to the field set. To add a custom column:
1. Click Add Custom Columns.
2. In the Add Custom Columns dialog, select an existing custom column and click OK.
For more about custom columns and how to create them, see “Customizing Columns” on
page 100.
Field Set Editor: Local Variables Tab
Use this top-level local variables tab to define one or more local variables that you can then
add to this field set in the Local Variables tab of the Fields tab. You can create multiple
chained variables and add one or more of them to the field set itself.
1. In the Local Variables tab, click add to launch the Add Local Variable editor.
2. In the Name field, give the local variable a name. In the Function drop-down, select a function category, then select a function and click OK.
3. In the Arguments section, enter appropriate arguments for the function you selected in the previous step.
4. In the Preview section, select or enter parameters and click Calculate to test the results of the function.
5. When you are finished editing the field set, click OK to close the editor.
For complete instructions about constructing a variable, see “Variables” on page 947.
Editing a Field Set
1. In the Field Sets tab of the Active Channels resource tree, right-click a field set and select Edit Field Set.
2. In the Field Set Editor, use the Attributes tab to change the field set's name.
3. Click the Fields tab and use its Available Fields list to select fields to add to the list.
   • To Reorder Fields: To re-order the fields in the list, select a field and use the up/down arrows to place it in the desired order. Fields and variables will be displayed and evaluated in the order specified in this list.
   • To Create an Alias for Event-Based Fields: To create an alias for a field, select the field, then click the alias button. In the Create Alias dialog box, enter an alternate name for the field. This alias will be used to identify this field in this field set anywhere this field set is used to select or display fields, such as an active channel column heading or a CCE field selector.
     You can create an alias for event-based fields only
     You cannot create an alias for resource-based fields, such as assets or cases. You also cannot create an alias for a field set or a global variable.
   • To Delete a Field from the Field Set: To remove the field from the list, select the field and click the delete button.
4. Use the Local Variables tab to define variables you can add to the field set using the Local Variables tab in the Fields tab. See “Adding Local Variables from the Local Variables Tab” on page 158.
5. Rearrange or remove fields in the Fields to Show list.
6. Click Apply to save the set in the resource tree and continue editing. Click OK to save the set in the resource tree and close the editor.
Sharing a Field Set
When you create a field set in the Shared folder in the Field Sets resource tree, it is
available to other users who have permission for those folders. If you create one in your
own folder, it is not available to other users unless you move, copy, or link it into a Shared
folder.
1. Click the field set in your folder and drag it to the appropriate Shared folder.
2. In the Drag and Drop dialog box, choose to Move, Copy, or Link the resource in its new location.
   • Moving relocates the resource, leaving a single instance of it in the tree.
   • Copying makes a duplicate, leaving two independent instances of the resource.
   • Linking leaves the original in place, and creates a connected copy in the new location that will change whenever the master instance changes.
You create sortable field sets in the same way, but without the option to add variables to
the sets.
You control access to field set folders like any other resource.
See also “Applying a Field Set to an Active Channel” on page 80 and Sorting Events in a
Channel.
Deleting a Field Set
1. In the Navigator panel at the Field Sets tab, right-click the field set you want to delete and select Delete Field Set.
2. In the confirmation dialog box, click Delete to delete the field set.
Where Field Sets can be Selected
Field sets can be applied in the following resources:
• To sort active channels. For more about how to use field sets in active channels, see “Applying a Field Set to an Active Channel” on page 80.
• To narrow the list of fields available for selecting in the CCE. For more about how to use field sets when authoring resources in the CCE, see “Common Conditions Editor (CCE)” on page 782.
About Global Variables
Global variables are created from the Fields & Global Variables tab in the Field Sets
Navigator panel.
For more information about global variables, see “Global Variables” on page 435.
Chapter 7
Selecting and Investigating Events
This chapter describes how you use ArcSight to monitor enterprise security.
“Investigating Events in Active Channels” on page 163
“Showing Event Details and Rule Chains” on page 164
“Investigating Session Events” on page 165
“Collaborating on Events” on page 166
“Showing Event Payloads” on page 169
“Getting Knowledge Base Articles” on page 171
Investigating Events in Active Channels
An active channel is a grid view in which there is a row for each event. In an active channel
you can select which events you want to investigate. After selecting one or more events in
the channel, you can perform several analysis and authoring tasks.
Selecting Events to Investigate
To select an event in the channel, click an event or Ctrl+click a set of events. To select a
range of events, click one event and Shift+click the event at the end of the range.
Inverting Event Selections
Select one or more events in the channel, right-click and choose Invert selection.
Selecting Events with Matching Cells
Select a cell in an event, right-click and choose Select events with matching cell to see
if other events in the channel have matching cell values.
Exporting Data Fields to a CSV File
You can export a set of channel events into a comma separated values (CSV) file. The
procedure for doing this is described here and also in “Exporting Events to a File” on
page 95.
1. In the channel, select one or more events.
2. Right-click and choose Export > Events in Channel.
3. On the Export Events file browser, navigate to the location where you want to save the CSV file, then enter or select options for these fields:
   File Name: Type a file name for the CSV file. (Note: No need to include the file name extension; the csv extension is added automatically when the file is created.)
   Files of Type: Select Comma separated values (*.csv).
   Export Data Options: For “Rows”, you have two options:
     • If you choose “All in channel”, all events in the channel will be exported to the CSV file.
     • If you choose “Selected rows only”, only those rows highlighted for the right-click operation will be exported to the CSV file.
   The default for “Columns” is the Export field set. You can keep the default, or select other field sets from a list of All Field Sets.
   The exported CSV file will include the fields in the selected field set. If you want to limit the exported columns (field sets) to only those showing in the current channel, see “How to Limit Export to Fields Visible in Channel” on page 96. (For more information on creating, editing, and applying field sets, see “Creating and Using Field Sets” on page 154.)
   For “Destination”, choose “Local CSV File”.
4. Click OK to save the file.
Showing Event Details and Rule Chains
Displaying Event Details
In an active channel, select an event. Right-click and choose Show event details. The
event's details appear in the Event Inspector.
If you encounter an “unable to retrieve event” message while viewing events
in the Events tab of the Case Editor, be advised that those events are
unavailable because they are archived.
Load Time Expected When Applying an Actor Field Set in the Event
Inspector
When you apply an actor field set to an event being displayed in the event
inspector, you may experience an extended load time.
Displaying Simple Event Rule Chains
In an active channel, select a correlation event. Right-click and choose Rule options, then
Simple chain.
Displaying Detailed Event Rule Chains
Rule-based Correlation events are those generated by a triggered ArcSight rule as a
reaction to an original sensor-generated event. In other words, an event concerning an
event. You recognize correlation events in active channels by their red Flash icon. To
mask active channels so they show only correlation events, select the check box at the top
of the channel's left-most column.
In an active channel, select a correlation event. Right-click and choose Rule options, then
Detailed chain.
The events leading up to the correlation event appear in the Description panel at the top of
the Inspector. Click any event in the chain to see its details below.
Displaying Correlation-Event Rules
In an active channel, select a correlation event. Right-click and choose Rule options, then
Show triggering resource.
The rule or resource that triggered the correlation event is selected in the Navigator panel's
Rules resource tree and that rule appears in the Rules Editor.
Executing or Clearing Rule Actions
In an active channel, select a correlation event. Right-click and choose Rule options, then
Clear Rule Actions to clear all actions associated with this rule. For more information, see
“Creating Rule Actions” on page 408.
Launching Event Details in a Browser
1. In an active channel, right-click an event and choose Show event details.
2. In the condition table of the Event Inspector, right-click and choose Launch Event Details in Browser.
A Web browser opens with the selected event's details.
Hiding Empty Rows in the Event Inspector
1. In an active channel, right-click an event and choose Show event details.
2. In the condition table of the Event Inspector, right-click and choose Hide Empty Rows.
Investigating Session Events
This topic explains how to use the ArcSight Console's Investigate > Session Events
command to easily refine and explore channels contextually, using attributes of the events
already being displayed in active channels.
Session List entries can be investigated two ways: you can filter the set of entries based on
the attributes of a particular entry, or you can create an Investigation Channel that contains
only the entries that match one or more attributes of the initial Session List entry.
Investigating a Session Event
1. Right-click a Session List in the Navigator and choose Show Entries.
2. In the Viewer panel, select an entry that bears investigation by clicking it.
3. Right-click the selected entry. The menu includes commands to Create Channel and Add Condition to Channel Editor. The details of each command will vary based on which column you right-click.
   For example, if you right-click a Source IP column containing the value 192.168.10.0, the choices will be:
   • Create Channel (Source IP = 192.168.10.0)
   • Create Channel (Source IP != 192.168.10.0)
   • Create Channel >
   • Add Condition to Channel Editor (Source IP = 192.168.10.0)
   • Add Condition to Channel Editor (Source IP != 192.168.10.0)
   • Add Condition to Channel Editor >
   The sub-menus (indicated by the >) will offer similar choices for all the other columns of the Session List entry.
If you Create Channel, it is added to the Viewer panel. If you Add Condition to Channel
Editor, a channel editor will open in the Inspect/Edit panel.
For more information about creating and using views for investigation, see “Investigating
Views” on page 88.
Collaborating on Events
You can use workflow-style annotation to collaborate with other users in analyzing or
reviewing selected events. (See also “Case Management and Queries” on page 527.)
When you are annotating, you can make collaboration-stage changes to just the event you
originally selected, or have that change also affect a larger set of similar events that should
also be carried forward in the review process.
The central tasks in annotating events for collaborative analysis are assigning them to
yourself or another user, then assigning them to one of the available sequential workflow
stages (dispositions). While ArcSight comes with a default set of stages, your enterprise
will very likely have edited these stages and created new ones.
Compare collaborative annotation to cases, which are a more formal way to track sets of
events that are under investigation.
Viewing Annotations for an Event
Annotations on an event are displayed in the Annotations tab of the Event Inspector
when that event is selected.
To view the annotations for an event:
1. Right-click an event in an active channel (such as an active channel or active list) and choose Show Event Details to bring up the Event Inspector.
2. In the Event Inspector, click the Annotations tab.
166 ArcSight Console User’s Guide
Confidential
7 Selecting and Investigating Events
Annotating an Event
1. Select one or more events in any active channel. If not already annotated, you can start a collaboration cycle.
2. Right-click the events and choose Annotate Events (or press Ctrl+T).
3. In the Annotate Events dialog box, set or change the events' Annotations fields, as described below.
4. To have this change also affect related events, use the Mark Similar Events fields, as described below.
5. Click OK to update the event.
Event Annotation Fields
Stage: Click this field to choose a different disposition state for the events' collaboration cycle. The default stages run from Initial to Closed; other stages may be available.
Assign to: Click this field to choose an ArcSight user to take the next step.
Is Reviewed: This read-only field tells you whether this event has been reviewed.
In Case: This read-only field tells you whether these events are already part of an ArcSight case. If they are, you have more ways to track their disposition.
Correlated: This read-only field tells you whether these events are part of a correlated event chain. If so, you can learn more through the rules authored to control that chain of correlation.
Hidden: This read-only field tells you whether these events are hidden from all but the assigned users of this stage.
Closed: This read-only field tells you whether the investigation of these events has been marked as closed. Closed events may no longer be visible to interested parties through active channels, etc.
Comments Field
The Comments field is for text comments you can add as needed to clarify the
collaborative process.
Annotation Preservation
With the CORR Engine, when the day’s events are archived at the end of the day, the
archive is immutable. If, while the archive is still online, you make changes or additions to
event annotations, they are preserved as a supplemental archive when the archive goes offline at the end of the retention period. If you reactivate an offline archive and make more
annotation changes, they are only preserved until you deactivate the archive, at which time
these annotation changes are deleted.
Mark Similar Events Fields
Event “similarity,” for collaboration purposes, is defined as a combination of time constraints and having certain key event attributes in common. For example, you could apply a collaboration change to additional events received in the future on the basis of those events having the same Attacker value and having occurred within the last two days.
Time Constraints: Choose a bracketing combination of Start Time and End Time or Duration.
Start Time: Date and time values to set the beginning of a time-constraint window. Choose from the drop-down menu of expressions or click the ellipsis button to set exact times.
End Time: Date and time values to set the end of a time-constraint window. Choose from the drop-down menu of expressions or click the ellipsis button to set exact times.
Duration: The length of the time window, relative to a Start Time or End Time, when using Duration as a time constraint.
Criteria: A menu of key event-attribute characteristics you can use to define similarity. The text box below specifies the criteria being set.
Creating New Stages
1. Choose the Stages resource tree in the Navigator panel.
2. Right-click the All Stages group and choose New Stage.
3. In the Stage Editor, enter a name for the stage.
4. Make other appropriate choices, as described in the following table showing Stage Editor Fields.
5. Click Apply to save your changes and keep the editor open, or click OK to save and close.
Please keep stages provided as standard content in the given folders and do
not move them into another folder. Standard content stages are Closed, Final,
Flagged as Similar, Follow-up, Initial, Monitoring, Queued, and Rule Created.
Stage Editor Fields
Subsequent stages: Select one or more stages to set as follow-on stages to this one. Events in this stage will show these other stages as options in the Stage field of the Annotate Fields dialog box.
User required: Select whether you want to prompt for a user assignment when assigning this stage. If you don't prompt for a different user, or no change is made, the current user remains in effect.
Comment required: Select whether you want to require users to add a comment when assigning this stage.
Can be skipped: Select whether this stage can be bypassed when assigning from one stage to the next.
Mark similar required: Choose whether you want events that are similar to the selected events to be automatically assigned to this stage. Similarity is scoped at assignment time through the Mark Similar Events fields of the Annotate Events dialog box you see when you choose Annotate in an active channel. Note that similarity marking applies only to subsequent events received in the future. Events already processed are not affected.
Mark similar stage: Select whether you want to use this stage as a routing mechanism for other stages in a workflow. When selected, assigning one or more events to this stage causes all following (subsequent) similar events to be automatically redirected to the chosen stage. Events already processed are not affected. Similarity is scoped at assignment time through the Mark Similar Events fields of the Annotate Events dialog box you see when you choose Annotate in an active channel.
Hidden: Select whether you want events assigned to this stage to be hidden from all but the assigned users (True), left visible to everyone (False), or to leave the current visibility unchanged (Ignore).
Closed: Select whether you want events assigned to this stage to be marked as closed to investigation (True), not marked as closed (False), or left in their previous state (Ignore).
With the assistance of HP ArcSight Professional Services, you can customize
the similarity criteria selector for Mark Similar events. In this way you can
have conditions that are different from the defaults. This is done with the
Velocity scripting language, by modifying certain Velocity templates present
on the ArcSight Console, in the config/similarity directory. Ask your
ArcSight administrator for more information or make a request of HP ArcSight
Professional Services.
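The stage settings and similarity marking described in the tables above can be modelled in a few lines. The following Python is an added example, not ArcSight code: the Stage, Event and SimilarityRule classes, the stage settings and the sample events are assumptions (only the stage names are standard content).

```python
# Added example (not ArcSight code): a model of the collaboration workflow described
# above: Stage Editor settings (Subsequent stages, User required, Comment required, Can
# be skipped, Hidden, Closed), the Annotate Events dialog, and Mark Similar Events routing
# of later events. Only the standard stage names come from the page; all else is constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Stage:
    name: str
    subsequent: Tuple[str, ...] = ()
    user_required: bool = False
    comment_required: bool = False
    can_be_skipped: bool = False
    hidden: Optional[bool] = None    # True / False / None = Ignore (leave unchanged)
    closed: Optional[bool] = None

@dataclass
class Event:
    end_time: datetime
    fields: Dict[str, str]
    stage: str = "Initial"           # the remaining fields are the event's annotation
    assigned_to: str = ""
    comments: List[str] = field(default_factory=list)
    hidden: bool = False
    closed: bool = False

@dataclass(frozen=True)
class SimilarityRule:
    criteria: Tuple[Tuple[str, str], ...]   # key attributes a later event must share
    start: datetime
    end: datetime
    stage: str
    assigned_to: str

# Constructed stage settings; only the stage names are standard content.
STAGES: Dict[str, Stage] = {s.name: s for s in (
    Stage("Initial", subsequent=("Queued", "Closed")),
    Stage("Queued", subsequent=("Follow-up",), user_required=True, can_be_skipped=True),
    Stage("Follow-up", subsequent=("Final",), comment_required=True),
    Stage("Final", subsequent=("Closed",), comment_required=True),
    Stage("Closed", closed=True, hidden=False),
)}

def allowed_next(current: str) -> Set[str]:
    """Stages offered in the Stage field: direct subsequent stages, plus whatever
    lies behind a subsequent stage flagged 'Can be skipped'."""
    offered: Set[str] = set()
    pending = list(STAGES[current].subsequent)
    while pending:
        name = pending.pop()
        if name not in offered:
            offered.add(name)
            if STAGES[name].can_be_skipped:
                pending.extend(STAGES[name].subsequent)
    return offered

def annotate(event: Event, stage: str, user: str = "", comment: str = "") -> None:
    """Apply one Annotate Events change, enforcing the target stage's requirements."""
    if stage not in allowed_next(event.stage):
        raise ValueError(f"{stage!r} is not a subsequent stage of {event.stage!r}")
    target = STAGES[stage]
    if target.user_required and not user:
        raise ValueError(f"stage {stage!r} requires a user assignment")
    if target.comment_required and not comment:
        raise ValueError(f"stage {stage!r} requires a comment")
    event.stage = stage
    event.assigned_to = user or event.assigned_to   # no new user: current one stays
    if comment:
        event.comments.append(comment)
    for flag in ("hidden", "closed"):               # None (Ignore) keeps the old state
        if getattr(target, flag) is not None:
            setattr(event, flag, getattr(target, flag))

def mark_similar(reference: Event, criteria: Tuple[str, ...], start: datetime,
                 duration: timedelta) -> SimilarityRule:
    """Mark Similar Events using Start Time plus Duration as the time constraint."""
    pairs = tuple((f, reference.fields[f]) for f in criteria)
    return SimilarityRule(pairs, start, start + duration, reference.stage, reference.assigned_to)

def route_incoming(event: Event, rules: List[SimilarityRule]) -> bool:
    # Auto-assign a newly received event through the first similarity rule it matches.
    for rule in rules:
        if rule.start <= event.end_time <= rule.end and \
                all(event.fields.get(f) == v for f, v in rule.criteria):
            event.stage, event.assigned_to = rule.stage, rule.assigned_to
            return True
    return False

def demo() -> Dict[str, object]:
    """Constructed walk-through: annotate one event, mark similar, route later events."""
    t0 = datetime(2012, 9, 20, 10, 0)
    ref = Event(t0, {"Attacker Address": "192.168.10.5", "Name": "Login failure"})
    annotate(ref, "Follow-up", user="analyst1", comment="Queued skipped")  # Queued is skippable
    rule = mark_similar(ref, ("Attacker Address",), t0, timedelta(days=2))
    later = Event(t0 + timedelta(hours=6), {"Attacker Address": "192.168.10.5", "Name": "Other"})
    other = Event(t0 + timedelta(hours=6), {"Attacker Address": "10.0.0.9", "Name": "Other"})
    return {"ref": ref, "later": later, "other": other,
            "later_routed": route_incoming(later, [rule]), "other_routed": route_incoming(other, [rule])}
```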
Editing Stages
1. Choose the Stages resource tree in the Navigator panel.
2. Right-click a stage under the All Stages group and choose Edit Stage.
3. In the Stage Editor, make any necessary changes to the fields as previously described in Stage Editor Fields.
4. Click Apply to save your changes and keep the editor open, or click OK to save and close.
Please keep stages provided as standard content in the given folders and do
not move them into another folder. Standard content stages are Closed, Final,
Flagged as Similar, Follow-up, Initial, Monitoring, Queued, and Rule Created.
Showing Event Payloads
An event “payload” is the information carried in the body of the event's network packet, as
distinct from the packet's header data. From the ArcSight Console, you can search,
retrieve, view, save to a file, or discard event payloads.
Finding Payloads
The first step in handling event payloads is to be able to locate payload-bearing events
among the general flow of events in an active channel.
1. In an active channel, right-click a column header and choose Add Column>Device>Payload ID.
2. Look for events showing a Payload ID in that column.
Retrieving Payloads
1. In an active channel, double-click an event with an associated payload.
2. In the Event Inspector, click the Payload tab.
3. Click Retrieve Payload.
Preserving Payloads
You can select to preserve the payload for an event in either of two ways:
• In an active channel, right-click an event with an associated payload, choose Payload, then Preserve.
• In the Event Inspector, click the Payload tab, then Preserve Payload.
Discarding Payloads
In an active channel, right-click an event with an associated payload and choose Payload,
then Discard Preserved.
You can also use the Event Inspector.
1. In an active channel, double-click an event with an associated payload.
2. In the Event Inspector, click the Payload tab.
3. Click Discard Preserved Payload.
Saving Payloads to Files
1. In an active channel, double-click an event with an associated payload.
2. In the Event Inspector, click the Payload tab.
3. Click Save Payload.
4. In the Save dialog box, navigate to a directory and enter a name in the File name text field.
5. Click Save.
Viewing Payloads in Other Viewers
1. In an active channel, double-click an event with an associated payload.
2. In the Event Inspector, click the Payload tab.
3. Click Launch External Payload Viewer.
4. View the payload using the Preferred Payload Viewer and Text to PCAP Converter, specified in the ArcSight Console's Edit>Preferences>Programs panel.
Getting Knowledge Base Articles
Knowledge Base articles can be associated with events, rules, or any resource. Knowledge
Base articles can have links or notes to help you respond to events.
Displaying Articles from the Knowledge Base Window
In the Navigator panel drop-down menu, select Knowledge Base. Navigate to and right-click an article, and choose Show Article.
You can also choose Knowledge Base from the Help menu.
Displaying Articles from an Active Channel
In an active channel, right-click an event and choose Knowledge Base, then Show.
Choose KB entry for cell, KB entry for row, or KB entry for column, then the article
name.
The Knowledge Base article opens in an ArcSight Web client. For more information about
active channels, see “Using Active Channels” on page 93.
Displaying Articles from the Event Inspector
In the Event Inspector, right-click an event and choose Knowledge Base, then Show
Article.
The Knowledge Base article opens in an ArcSight Web client.
Chapter 8
Filtering Events
The Filters resource tree in the Navigator panel is pre-populated with some typical event
filters you can use directly, or as templates for more specific purposes. You can create and
edit your own filters and inline filters for use in active channels.
“Creating Filters” on page 173
“Moving or Copying Filters” on page 176
“Deleting Filters” on page 177
“Debugging Filters to Match Events” on page 177
“Applying Filters” on page 181
“Importing and Exporting filters” on page 182
“Using Filter Groups” on page 182
“Investigating Views” on page 183
“Modifying Views” on page 186
Creating Filters
This topic discusses creating and editing filter resources through the Filter Editor. As a
matter of efficient authoring and enterprise-wide analysis consistency you should always
seek to use the established filter resources you find in the Navigator panel's Filters resource
tree. These filters should have been designed and tested to appropriately accomplish your
organization's analytical goals.
As of v4.0, inline filters offer you a user-friendly visual representation of the Boolean logic typically found in the Common Conditions Editor (CCE). The inline filters feature lets you preview matching events through highlighting, thereby verifying the accuracy of your filter prior to applying it, and lets you create AND/OR conditions effortlessly.
Creating a New Filter
1. In the Navigator panel, choose Filters.
2. In the Filters resource tree, right-click a group and choose New Filter.
3. In the Filters Editor, type a name in the Name text field.
4. In the table, scroll to a relevant event field and choose a logical operator (Op), enter a conditional statement (Condition), select case-sensitivity (Aa), and select inequality or negate (Not), if appropriate.
5. Customize the filter, if appropriate, using the features described in “Common Conditions Editor (CCE)” on page 782.
6. Repeat the above step for each condition you want to add to the filter.
7. Click Apply below the Inspect/Edit panel to update the filter or click OK to add the filter to the resource tree.
Filter definitions (meaning the total text used in a filter's condition statements)
cannot exceed 10,000 characters. If your filter uses more than 10,000
characters, create a second filter by splitting the definition, and use the
matchesFilter operator to combine the two.
Because you can reference filters in other filters you can create hierarchies
similar to style sheets. It is wise to plan your filtering needs in advance so
you can create filters, filter groups, and filter hierarchies that will promote the
most efficient and consistent analysis results.
Changing or Editing a Filter
1. In the Navigator panel, choose Filters.
2. In the Filters resource tree, right-click a filter and choose Edit Filter.
3. In the Filters Editor, you can edit the filter name, if needed.
4. You can make changes to the filter conditions as described in “Common Conditions Editor (CCE)” on page 782. You can edit logical operators and condition statements in the filter using the CCE as follows:
   • To edit a logical operator, right-click the logical operator and choose Edit, then choose a logical operator and click OK. (For more information, see “Logical Operators” on page 884.)
   • To edit a condition statement, right-click the condition statement and choose an operator, condition editor, or selection operation. For more information, see “Creating Filters” on page 173 and “Common Conditions Editor (CCE)” on page 782. (Search fields and undo/redo features are now available, as described in “Editor Features” on page 783 in the CCE topic.)
   • To delete a logical operator, right-click the operator and choose Delete. In the confirmation dialog box, click Yes. The logical operator and all its condition statements are removed.
   • To delete a condition statement, right-click it and choose Delete. In the confirmation dialog box, click Yes.
   • To edit or delete a filter, right-click the filter and choose Edit or Delete.
5. Click Apply in the Inspect/Edit panel to put the modified filter into effect or OK to save the filter as a resource.
• Be cautious when making changes to filters used in hierarchies.
• Understanding how to use the Common Conditions Editor (CCE) is integral to creating and editing filters. Please refer to “Common Conditions Editor (CCE)” on page 782, “Conditional Statements” on page 796, and “Conditions” on page 797 for more information.
Creating an Inline Filter
Steps to create an inline filter are summarized here. For more details and
examples, see also “Filtering Active Channels with Inline Filters” on page 98.
In any active channel grid view, you can use the fields in the grid's top line to select filtering event-attribute values for certain columns; these values are combined with implied AND operators to impose an ad hoc filter. The fields in the grid's bottom line select event-attribute values that are combined with OR operators.
These filters are not retained with the prior active channel, but you can give the revised
channel a name and save it through the Active Channel Editor.
You cannot select a grayed-out column to include in your filter. Grayed-out columns either contain variables or are custom columns.
1. In the Navigator panel, choose Active Channels.
2. In the Active Channels resource tree, select the channel to which you want to add an inline filter.
3. In the Viewer panel, go to Inline Filter and click No Filter. This opens the inline filter pane.
4. Select the parameters for your inline filter: Manager Receipt, Name, Attacker, Target Address, Target Port, Priority, Device Vendor, and Device Product. Click Apply.
5. To highlight all matching events for your filter, select the Highlight check box. Highlighting allows you to preview the events that match your filter prior to saving the filter. Click Apply to activate the inline filter.
   You can specify the highlight color by clicking the drop-down picker and selecting your color.
6. To add or delete rows in the inline filter table, click + (plus) or - (minus).
   To create and manage multiple inline filters, click the + button next to the Highlight options under the inline filters to add filter definition rows. (Click the - button to remove filter rows.) The potential uses of multiple inline filters are extensive, but essentially this provides a means of creating a filter with complex conditions, inline in an active channel. For example, in the Name column for an event, you could specify that the event name contains “ActiveList” on the first filter row and that the name does not contain “Successful”. You could extend this filter by specifying what you are looking for in some of the other fields or even add more qualifiers on the Name field. All fields can be narrowed down in this way, using multiple filter definition rows.
Moving or Copying Filters
1. In the Filters resource tree, navigate to a filter and drag and drop it into another group.
2. Choose Move to move the filter, Copy to make a separate copy of the filter, or Link to create a copy of the filter that is linked to the original filter.
If you choose Copy, you create a separate copy of the filter that will not be affected
when the original filter is edited. If you choose Link, you create a copy of the filter
that is linked to the original filter. Therefore, if you edit a linked filter, whether it be the
original or the copy, all links are edited as well. When deleting linked filters, you can
either delete the selected filter or all linked filter copies.
Deleting Filters
To delete a filter resource:
1. In the Filters resource tree, right-click a filter and choose Delete filter.
2. In the dialog box, click Yes.
For information on how to delete inline filters, see “Creating an Inline Filter” on page 175.
Debugging Filters to Match Events
Starting with ESM v4.5, you can use a filter debugger to test whether a selected filter
matches a certain type of event and, if there are mis-matches, to determine which filter
conditions are not matching the event details.
On an Active Channel, select the kind of event you want to capture and test (debug) your
filter against it.
The new debug filter utility is available as a right-click option on an event in an active
channel. The filter debugger compares the conditions in a selected filter with the metadata
that describes the selected event to determine whether the filter would capture such
events. The filter definition is displayed to show the results of this comparison.
• If the selected filter matches the event, the filter definition shows no errors or mismatches.
• If the filter does not match the event, the filter definition highlights the mismatches between the filter conditions and the selected event with red-highlighted X’s.
The display of red highlighted X’s in a filter as a result of filter debugging on an event does not necessarily indicate that the filter is invalid. Red highlights are shown only to mark where the selected filter does not match the selected event.
To debug a filter against an event:
1. Select an event in the viewer in an active channel against which you want to test a filter.
2. Right-click and choose Debug Filter from the context menu.
3. In the filter selector dialog, navigate to and select the filter you want to test. The filter definition is displayed in its editor.
   • If the selected filter matches the event, the Debug Filter dialog shows no errors or mismatches in the definition.
   • If the filter does not match the event, the Debug Filter dialog highlights the mismatches between the filter conditions and the selected event with red X’s.
   The display of red highlighted X’s in a filter as a result of filter debugging on an event does not necessarily indicate that the filter is invalid. Red highlighted X’s are shown only to mark where the selected filter does not match the selected event.
4. If you find mismatches between filter conditions and an event type that you want to capture with the given filter, use the debug highlights in the filter definition along with the Event Inspector to adjust the filter to match the event.
In the example shown above, we are comparing a Hostile Attempt event to two
different filters; a filter called “Hostile Attempt” and another filter called “Hostile
Reconnaissance”.
Here is a snapshot of the Event Inspector for this event. (To get this view, right-click the event and choose Show Event Details.)
• The first filter (our “Hostile Attempt” filter) matches the selected event because both conditions on the filter match field values present in the event:
  Category Behavior = /Modify/Configuration
  and
  Category Object = /Host/Application
  Our “Hostile Attempt” filter would capture these types of events.
• The second filter (our “Hostile Reconnaissance” filter) has a condition that does not match field values present in the event. The filter is looking for an event where Category Object = /Host, but ESM categorizes this event as Category Object = /Host/Application. To capture this type of event with our “Hostile Reconnaissance” filter, we would have to modify the filter.
The filter editor provides a common conditions editor (CCE) you can use to define, edit,
and debug filters. For more information on using the CCE, see “Common Conditions Editor
(CCE)” on page 782.
For more information about using the Event Inspector to investigate events, see
“Inspecting and Editing” on page 52 and “Event Inspector” on page 877.
See also “Creating Filters” on page 173 and “Applying Filters” on page 181.
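The following Python is an added example, not ArcSight code, that models how a filter definition is evaluated against one event and how the debugger's red X's fall on the non-matching conditions, using the “Hostile Attempt” and “Hostile Reconnaissance” filters from the example above; it also shows two filters combined through the matchesFilter operator, as the 10,000-character note under Creating Filters suggests. The condition classes, the filter paths other than the ArcSight Internal Events one, the first condition of the “Hostile Reconnaissance” filter and the sample events are assumptions.

```python
# Added example (not ArcSight code): a small model of ESM filter conditions and
# of the filter debugger described above. The field names, values and the filter
# names "Hostile Attempt" / "Hostile Reconnaissance" come from the page; the
# classes, debug_filter(), the other filter paths and the sample events are this
# example's own constructions.
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

@dataclass(frozen=True)
class Cond:
    """Leaf condition <field> <op> <value>; negate models the Filter Editor's Not column."""
    field: str
    op: str                 # '=' or 'StartsWith'
    value: str
    negate: bool = False

@dataclass(frozen=True)
class MatchesFilter:
    """Reference to another filter resource by path (the matchesFilter operator)."""
    path: str
    negate: bool = False

@dataclass(frozen=True)
class Group:
    """Logical operator node: 'AND' or 'OR' over child nodes."""
    op: str
    children: Tuple["Node", ...]

Node = Union[Cond, MatchesFilter, Group]
Event = Dict[str, str]
# The Filters resource tree, keyed by path as shown in the Navigator panel.
FILTERS: Dict[str, Node] = {}

def debug(node: Node, event: Event, depth: int = 0) -> Tuple[bool, List[str]]:
    """Evaluate node against event; return (matched, annotated definition lines).
    Non-matching nodes are marked [X], like the red X's in the Debug Filter dialog."""
    pad = "  " * depth
    if isinstance(node, Cond):
        actual = event.get(node.field, "")
        if node.op == "=":
            hit = actual == node.value
        elif node.op == "StartsWith":
            hit = actual.startswith(node.value)
        else:
            raise ValueError("unsupported operator: " + node.op)
        hit = (not hit) if node.negate else hit
        text = f"{'NOT ' if node.negate else ''}{node.field} {node.op} {node.value}"
        return hit, [f"{pad}[{' ' if hit else 'X'}] {text}   (event: {actual!r})"]
    if isinstance(node, MatchesFilter):
        if node.path not in FILTERS:
            raise KeyError("unknown filter resource: " + node.path)
        inner, sub = debug(FILTERS[node.path], event, depth + 1)
        hit = (not inner) if node.negate else inner
        text = f"{'NOT ' if node.negate else ''}MatchesFilter({node.path})"
        return hit, [f"{pad}[{' ' if hit else 'X'}] {text}"] + sub
    if node.op not in ("AND", "OR"):
        raise ValueError("unsupported logical operator: " + node.op)
    results = [debug(child, event, depth + 1) for child in node.children]
    hit = (all if node.op == "AND" else any)(r[0] for r in results)
    lines = [f"{pad}[{' ' if hit else 'X'}] {node.op}"]
    for _, sub in results:
        lines.extend(sub)
    return hit, lines

def debug_filter(path: str, event: Event) -> Tuple[bool, List[str]]:
    """Debug Filter: test the filter resource at `path` against one selected event."""
    return debug(FILTERS[path], event)

# The two filters from the page's debugging example (the Hostile Reconnaissance
# filter's first condition is assumed; the page only names its mismatching one).
FILTERS["/All Filters/Example/Hostile Attempt"] = Group("AND", (
    Cond("Category Behavior", "=", "/Modify/Configuration"),
    Cond("Category Object", "=", "/Host/Application"),
))
FILTERS["/All Filters/Example/Hostile Reconnaissance"] = Group("AND", (
    Cond("Category Behavior", "=", "/Modify/Configuration"),
    Cond("Category Object", "=", "/Host"),
))
# Constructed stand-in for the standard internal-events filter named on the page.
FILTERS["/All Filters/ArcSight System/Event Types/ArcSight Internal Events"] = \
    Cond("Device Vendor", "=", "ArcSight")
# A hypothetical hierarchy: two filters combined with matchesFilter (the approach
# the 10,000-character note suggests) plus a negated reference dropping internal events.
FILTERS["/All Filters/Example/Hostile Activity"] = Group("AND", (
    Group("OR", (MatchesFilter("/All Filters/Example/Hostile Attempt"),
                 MatchesFilter("/All Filters/Example/Hostile Reconnaissance"))),
    MatchesFilter("/All Filters/ArcSight System/Event Types/ArcSight Internal Events",
                  negate=True),
))

# Constructed events: the page's Hostile Attempt event, and an ArcSight-internal one.
HOSTILE_EVENT: Event = {"Category Behavior": "/Modify/Configuration",
                        "Category Object": "/Host/Application",
                        "Device Vendor": "ExampleVendor"}
INTERNAL_EVENT: Event = {**HOSTILE_EVENT, "Device Vendor": "ArcSight"}

if __name__ == "__main__":
    for path in FILTERS:
        print(path, *debug_filter(path, HOSTILE_EVENT)[1], sep="\n")
```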
Applying Filters
This topic discusses how to apply the filtering resources in the Navigator panel to other
filterable analysis resources: active channels, SmartConnectors, filters, reports, and rules.
Adding Filters to Resources
You apply existing filters to other resources by referencing them in those resource editors.
1. Right-click a resource in the Navigator panel such as a filter or rule and choose Edit <resource>.
2. Click the editor's Conditions tab if it isn't already at the front.
3. In the Inspect/Edit panel, click the Filters button and select a filter in the Filter Selector dialog box. The selected filter becomes a new condition line in this resource's filter.
4. Click OK or Apply to save the resource's definition including its new filter reference.
You can use hierarchies of filter references (including filters within filters) to
better manage them, similar to style sheets.
Applying Resources as Filters to Active Channels
You can quickly apply or test the effects of using particular SmartConnectors, assets,
categories, zones, vulnerabilities, customers, stages, or filter resources as conditions to
filter active channels. These filters make the referenced resource a condition for the
channel in use. You can choose to make the condition exclusive or additive.
1. Open the channel to filter in the Viewer panel or select it to bring it forward.
2. In an applicable resource tree in the Navigator panel, right-click an item and choose Set as current filter or Add to current filter. The filter change takes effect automatically and the channel's header immediately shows the new filter condition exclusively (set as) or as an addition (add to).
3. You can click the filter description in the channel's header to open the filter in the Active Channel Editor.
Removing a Filter Condition or Resource
You use the Filters tab of a resource's editor to change or remove any filters that affect it.
1. In the Navigator panel, right-click the filtered resource and choose Edit <resource>.
2. In the Inspect/Edit panel, click the Filter tab of the resource's editor.
3. In the Conditions editor, right-click the statement that imposes the condition you want to remove and choose Delete.
4. Confirm the deletion and click Apply to restart the channel.
Importing and Exporting filters
To import and export filters, use the packages feature. Packages supersede the import/export facility provided in previous releases and offer enhanced functionality, including version support, dependency management, and import/export capabilities. Portable ArcSight packages can automatically manage dependencies across resources and other packages. For more information on packages, see “Managing Packages” on page 633.
For information on how to import and export filters on SmartConnectors, see “Importing
and Exporting SmartConnector Configurations” on page 672 (especially the topics on
“Creating SmartConnector Filters” on page 660 and “Adding SmartConnector Filter
Conditions” on page 660).
Using Filter Groups
Filter groups are created to store similar groups or filters in a single location. Groups can be
created within groups to meet enterprise needs. When a group is created within a group,
the new group inherits the existing group's access control list (ACL).
Groups and filters can be managed with drag and drop functionality. You can move or copy
groups and filters into other groups. If a group is deleted, the filters within that group are
also deleted.
To copy multiple resources at once, use Copy and Paste. You can drag and
drop only one resource at a time.
Creating Filter Groups
1. In the Navigator panel, choose Filters.
2. In the Filters resource tree, right-click a group and choose New Group.
3. In the Name text field, type in a name.
4. Press Enter.
Renaming Filter Groups
1. In the Filters resource tree, right-click a group and choose Edit Group.
2. In the Name text field, rename the group.
3. Press Enter and click OK.
Editing Filter Groups
1. In the Filters resource tree, right-click a group and choose Edit Group.
2. In the Group Editor, edit the Name and Description text fields, and press Enter after each.
3. Click OK.
Moving or Copying Filter Groups
1. In the Filters resource tree, navigate to a group and drag and drop it into another group.
2. Select Move to move the group, Copy to make a separate copy of the group, or Link to create a copy of the group that is linked to the original group.
If you select Copy, you create a separate copy of the group that will not be affected
when the original group is edited. If you select Link, you create a copy of the group
that is linked to the original group. Therefore, if you edit a linked group, whether it be
the original or the copy, all links are edited as well. When deleting linked groups, you
can either delete the selected group or all linked groups.
Deleting Filter Groups
1. In the Filters resource tree, right-click a group and choose Delete Group.
2. In the dialog box, click Yes.
Investigating Views
This topic explains how to use the Console's Investigate command to refine and explore
channels contextually, using attributes of the events already being displayed in grid views.
The Investigate command uses these attributes, and the values found in their events, to
automatically formulate simple filters or conditions.
When you create or refine a filter through Investigate, the Viewer panel automatically
opens a new view of the channel with the filter applied. You explore the filter's effect in this
view. You can keep the view by saving the channel under a new name, or discarding it by
right-clicking in the grid and choosing Close.
Below is a temporary view created with the Investigate command.
When you use Investigate to add a condition to a resource editor such as Rules or Filters,
the condition appears in the editor panel where you can modify it or click Apply to put it
into effect.
The new or modified views you generate with the Investigate command can be grids, or
you can choose to display them in applicable chart formats using the Viewer Selector
icon in the lower-right corner of the Viewer panel.
To learn more about the event attributes these options use, please see “Data Fields” on
page 803.
Using an Event Attribute to Show a New Filtered View
These options completely control the new view created, ignoring the filter in the original
view. You most often use them to test and explore.
In a grid view, right-click an attribute (column) in an event listing and choose
Investigate, followed by one of these options:
Create Filter [Attribute=Value]: Show only those events in which the selected attribute matches the value in the selected event.
Create Filter [Attribute!=Value]: Show only those events in which the selected attribute does not match the value in the selected event.
Create Filter [List of Related Attributes=Value, !=Value]: When the selected attribute is of a type that has related attributes, choose to show only those events that do (or do not) match one of the related attributes on the additional menu. Generally, attributes are considered related if they share a common focus such as IP addresses.
Refining a Filter with an Event Attribute
These options open a new view that uses a version of the prior filter modified to include the new filter component just selected. You usually apply these as part of a filter-refinement process.
In a grid view, right-click an attribute (column) in an event listing and choose
Investigate, followed by one of these options:
Add [Attribute=Value] to Filter: Show only those events that match both the prior and new filter elements.
Add [Attribute!=Value] to Filter: Show only those events that do not match both the prior and new filter elements.
Add to Filter [List of Related Attributes=Value, !=Value]: When the selected attribute is of a type that has related attributes, choose to show only those events that do (or do not) match one of the related attributes on the additional menu. This filtering element is applied in addition to any other already present. Generally, attributes are considered related if they share a common focus such as IP addresses.
Filtering Out ArcSight Events or Other Customizations
You can modify existing filters to refine your view to show only the events you want to see.
Suppose you have an active channel that includes both system events and non-system
events, but you want to see only the non-system events. You can modify the filter on the
channel (or copy it and modify the copy) as follows:
1. Double-click the filter in the channel header to get the channel editor.
2. Click the Filter tab in the channel editor.
3. Add this condition to the filter (with an AND):
   !=NOT MatchesFilter("/All Filters/ArcSight System/Event Types/ArcSight Internal Events")
To create or customize active channels in other ways, follow this same approach. Find a
filter that does what you want and add condition statements to filters for a channel. Or, as
in the example above, find a filter that does the opposite of what you want, add it to a
channel, and negate the condition statement as shown above. Since we wanted to limit the
channel to show only non-ArcSight events, we found the ArcSight Events filter, added the
ArcSight Events condition to a channel, and negated it to get the effect of filtering out all
ArcSight events.
Adding an Event Attribute to a Filtering Condition
The Add condition to editor options apply to the editor in the Inspect/Edit panel that
currently has focus. If no editor is open, the default target is the Filters Editor.
In a grid view, right-click an attribute (column) in an event listing and choose
Investigate, followed by one of these options:
Add Condition [Attribute=Value] to Editor: In the current editor, insert a new condition in
which the selected attribute matches the value in the selected event.
Add Condition [Attribute!=Value] to Editor: In the current editor, insert a new condition in
which the selected attribute does not match the value in the selected event.
Add Condition to Editor [List of Related Attributes=Value, !=Value]: When the selected
attribute is of a type that has related attributes, add a condition to the current editor
using the available list of attribute-value pairs that do (or do not) equate. Generally,
attributes are considered related if they share a common focus such as IP addresses.
To remove a condition from the editor, right-click it and choose Delete.
When you are using these options to affect a view that is subject to the editor in use, click
Apply or OK in the editor to put the condition into effect.
Contextual filters (in contrast to conditions) are temporary unless you save the modified
view as a named active channel. Condition statements are saved with their relevant
editors.
Permanently Modifying an Active Channel
1. Use the Navigator panel's Active Channel resource tree to open the view's channel in
   the Active Channel Editor.
2. Modify a view as described above.
3. In the editor, give the channel a new name and click OK.
Showing an Exploited Vulnerability
The Investigate options include the ability to look for potentially exploitable vulnerabilities
associated with an event.
1. Select an event in a grid view.
2. Right-click the event and choose Investigate>Show Exploited Vulnerabilities.
   Available information appears in the Vulnerabilities tab of the relevant Asset Editor.
Showing a Targeted Asset
You can also find out more about an asset targeted by an event.
1. Select an event in a grid view.
2. Right-click the event and choose Investigate>Show Targeted Asset. Available
   information appears in the Asset Editor.
Modifying Views
This topic covers the use of “inline” (in the grid itself) grid view filtering options. The inline
filter is the row of blank event values you see at the top of any grid in the Viewer panel.
Inline filtering directly affects the current view. Changes you make to a grid view by inline
filtering also apply to any other versions of the view you open such as its applicable chart
types.
Modifying a View Inline
Use inline filters by clicking the inline fields at the top of view columns and choosing an
event-attribute value to use as a constraint. When you choose multiple fields they
automatically form AND conditions. Click the Checkmark icon to apply your filter
selections.
Inline filters are temporary unless you save the modified view as part of a named active
channel.
Undoing an Inline Filter
1. Click any of the filter fields in the top line of the grid view to show the inline filter
   control buttons.
2. Click the X (clear) button to remove the current filter elements and restart the view.
For details on working with filters and inline filters, see “Creating Filters” on page 173 and
“Filtering Active Channels with Inline Filters” on page 98.
Permanently Modifying a View
1. Use the Navigator panel's Active Channel resource tree to open the view's channel in
   the Active Channel Editor.
2. Modify a view as described above.
3. In the editor, give the channel a new name and click OK.
Chapter 9: Actors
The actors feature creates a real-time user model that maps humans or agents to activity
in applications and on the network, making it possible to identify the actors behind events.
Once the actor model is in place, you can construct category models to visualize
relationships among actors and use those relationships for correlation. Actors is a
separately licensed feature that is available with an ArcSight Identity View license.
Information on configuring actors is in the “Configuration” chapter of the Administrator’s
Guide.
This topic describes how to use the actors resources to model users and associate them
with events. It also describes how to construct category models to depict relationships
among actors.
“About Actors” on page 189
“Navigating to Actors” on page 195
“Viewing Actors in the ArcSight Console” on page 195
“Investigating Actors” on page 204
“Creating and Editing Actors for Testing Purposes” on page 208
“Creating and Using Category Models” on page 212
“Actor-Related Resources Provided in Standard Content” on page 224
About Actors
A critical factor in having situational awareness is knowing who is doing what with
resources on your network, when they’re doing it, and how. This awareness is critical for
maintaining network security and demonstrating compliance with the increasing
requirements of regulatory standards.
Identity management systems (IDMs) enable IT security professionals to protect their
assets while granting different levels of access to a range of users, such as full-time
employees, part-time employees, employees with certain security clearances, partners,
contractors and customers.
However, following exactly what a specific person is doing across all the resources on your
network can be difficult, because each user will have different account IDs and roles on
different systems and applications. Examples of different information used to identify a
given user include badge IDs (physical access devices), MAC addresses (for devices
assigned to a specific person), email addresses, user names, Distinguished Names
(particularly for Active Directory-related events), and so on.
The Actors feature maps humans and their activity to events from applications and network
assets by leveraging user attributes defined within identity management systems and
correlating them with user account information from the user authentication systems on
your network. Correlating user identifiers from the event traffic that reflects their activity
throughout the day makes it possible to ensure that users are doing role-appropriate
activity across the assets in your organization, and to detect and track inappropriate access
and suspicious activity.
The actors feature works in conjunction with ArcSight’s new Actor Model Import
connectors, which regularly poll your Identity Management System (such as the
SmartConnector for Active Directory Actor Model Import). This system automatically
maintains an up-to-date actor model you can use to correlate users and their roles with
their activity on the network.
ArcSight Supports Actor Models with up to 50,000 Actors
ArcSight supports actor models with up to 50,000 members. Supporting a
large actor model can require special configuration. For details, see “Tuning
Guide for Supporting Large Actor Models” in the “Configuration” chapter of
the Administrator’s Guide.
Also, see the searchindex command in the “ArcSight Commands” chapter of the ArcSight
ESM Administrator’s Guide. The searchindex command is a utility that creates or updates
the search index for resources in the ArcSight database.
Once the actor model is in place, use the modeling and visualization tools (category
models) to show direct and indirect relationships among actors in the Actor model. You can
use this model to group and visualize users in your organization in numerous ways, such as
reporting structures, organizational units, or role-based functions, then use these
relationships as parameters in user-defined monitoring, analysis, and correlation.
For testing purposes, you can also manually add actors. You can also import or redefine
views of user groups and relationships with category models.
Actor Channels and Navigating Thousands of Actors
Actor channels present all the actors in your actor model in a single, scrollable view. Like
active channels, apply local filters to actor channels to find actors with certain attributes.
Actor channels are the only way to see actor models that contain 1,000 or more members
because display space in the Navigator panel is limited. You can also use actor channels for
viewing actor models with fewer than 1,000 members.
For more about viewing actors in actor channels, see “Viewing Actors in an Actor Channel”
on page 199.
Viewing Relationships Among Actors Using Category Models
Once you have actor information created, you can make logical groupings to represent
relationships among actors and actor attributes using category models.
Category models can reflect direct actor relationships, such as reporting hierarchies, or
relationships between actors who share common attributes, such as actors in a particular
location. Category models can also reflect relationships between actors using custom
attributes defined by the user.
You can use category models to visualize these relationships, then leverage the data
gathered in them using the HasRelationship function in local and global variables.
For more about category models, see “Creating and Using Category Models” on page 212.
For more about how to view actors using resource graphs, see “Viewing Category Models in
Graphs” on page 221.
For more about using category model relationship data in monitoring, investigation, and
correlation, see “Leveraging Category Model Data Using Variables” on page 223.
Using Actor Global Variables to Identify Actors from Events
The actor data stored in the Actor Resource Framework coupled with actor global variables
make it possible to identify an actor from any given event, then correlate that activity with
other activity or attributes of that actor. The ability to identify an actor from a given event
and correlate that activity with other events involving that actor and attributes of that actor,
such as location and role, make it possible to verify that an actor’s activity across the
network is appropriate.
Standard content provides a series of actor global variables that are part of the Actor
Resource Framework, which identifies and stores actor-related data from events in the
look-up tables of the Actor Resource Framework. You can also use these global variables in
your own correlation content. For more about using the Actor Resource Framework global
variables, see “Actor Resource Framework Global Variables” on page 224.
You can construct your own actor global variables. For an outline of this process, see
“Leveraging Actor Data Using Variables” on page 211.
Using Standard Content to Track Actor Configuration Changes
Standard content also provides a set of coordinated resources that track actor
configuration changes, such as when actors are created, updated, and deleted.
For more about this standard content, see “Tracking Actor Configuration Changes Using
Standard Content” on page 227.
How the Actors Feature Works
ArcSight SmartConnectors normalize event data from hundreds of different devices on a
network into a common data schema. The Actors feature normalizes user identity
information stored in different formats in different authentication data stores to create a
complete profile of data used to identify each user on your network in various contexts.
As shown in the following example, a model import connector imports data from an identity
management system, such as Microsoft Active Directory. For a complete list of supported
identity management systems, contact Customer Support.
In the following example, the actor data comes in from the Microsoft Active Directory
system using a model import connector. Events arrive from applications that all use
different data stores to authenticate user activity, which all use different account IDs to
identify the user John Zed. The activity is identified as belonging to the same actor. That
actor is represented as JOHN.
The actors feature works in conjunction with an Actor Model Import connector to import
user data from an identity management system and to normalize user data in event traffic.
The actors feature is supported internally using the Actor Resource Framework, a series of
internal look-up tables maintained by regular updates from the Actor Model Import
connector.
As part of setting up the actors feature, you also configure an applications and
authenticators active list to identify the mapping between the applications in your network
environment and the data stores they use to authenticate users. In the example shown
above, Windows Server Active Directory is the authentication data source for Microsoft
Exchange and SAP Real-Time Security.
The diagram below shows a detailed look at how the Actors feature works. When events
arrive at the Manager, resources that use conditions or select fields invoke one or more of
the actor global variables provided in standard content. These global variables and the
actor data maintained in the Actor Resource Framework provide several ways to identify
actors using whatever user identity attributes are available in events arriving from different
applications from across the network.
The global variables first look up the authenticator using the device-specific data, such as
vendor and product information in the event, then look up the relevant user information
from the Actor Resource Framework tables to positively identify the actor. For details about
the Actor Global Variables in standard content, see “Actor Resource Framework Global
Variables” on page 224.
Resources leverage system-provided actor global variables to look up actor identity
attributes maintained in the Account Authenticators table and the Actor Resource
Framework.
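The two-step lookup just described (device vendor and product to authenticator, then authenticator and account ID to actor) is easy to misread as a single user-name match. The following Python model is an added example and not ArcSight code: the applications-and-authenticators list, the actor table, the events and the account-ID normalization rule are all constructed here to illustrate the mechanism, using ESM's event field names (deviceVendor, deviceProduct, destinationUserName) for the event side.

```python
"""Model of the actor lookup performed by the actor global variables.

Added example, not ArcSight code. All tables and events are constructed.
"""
import re

# Applications-and-authenticators active list (constructed): maps the vendor and
# product seen in an event to the data store that authenticated the user. As in
# the page's example, Active Directory authenticates both Exchange and SAP
# Real-Time Security; the badge reader is a constructed physical-access source.
APPLICATIONS_AND_AUTHENTICATORS = {
    ("Microsoft", "Exchange"): "Active Directory",
    ("SAP", "Real-Time Security"): "Active Directory",
    ("Acme", "Badge Reader"): "Badge System",
}

# Actor Resource Framework account table (constructed): each actor carries one
# account ID per authenticator, which is why the same person appears under
# different IDs in events from different applications.
ACTORS = {
    "uuid-0001": {
        "full_name": "John Zed",
        "accounts": [("Active Directory", "jzed"), ("Badge System", "B-1138")],
        "roles": ["Sales", "Domain Users"],
    },
    "uuid-0002": {
        "full_name": "Jane Roe",
        "accounts": [("Active Directory", "jroe")],
        "roles": ["Domain Users"],
    },
}


def normalize_account_id(account_id):
    """Strip a DOMAIN\\ prefix and case-fold, so 'CORP\\JZed' equals 'jzed'.

    Assumption for this example: the authenticator treats these as one account.
    """
    return re.sub(r"^[^\\]+\\", "", account_id).casefold()


def build_account_index(actors):
    """(authenticator, normalized account id) -> actor UUID."""
    index = {}
    for uuid, actor in actors.items():
        for authenticator, account_id in actor["accounts"]:
            index[(authenticator, normalize_account_id(account_id))] = uuid
    return index


ACCOUNT_INDEX = build_account_index(ACTORS)


def lookup_authenticator(event):
    """Step 1: device vendor/product -> authenticator, or None if unmapped."""
    return APPLICATIONS_AND_AUTHENTICATORS.get(
        (event["deviceVendor"], event["deviceProduct"])
    )


def resolve_actor(event, index=ACCOUNT_INDEX):
    """Step 2: (authenticator, account id) -> actor UUID, or None."""
    authenticator = lookup_authenticator(event)
    user = event.get("destinationUserName")
    if authenticator is None or not user:
        return None  # unknown application or no user identifier in the event
    return index.get((authenticator, normalize_account_id(user)))


# Constructed events: three spellings of the same person from three
# applications, one event from an unmapped application, one unknown account.
EVENTS = [
    {"deviceVendor": "Microsoft", "deviceProduct": "Exchange",
     "destinationUserName": "CORP\\jzed"},
    {"deviceVendor": "SAP", "deviceProduct": "Real-Time Security",
     "destinationUserName": "JZED"},
    {"deviceVendor": "Acme", "deviceProduct": "Badge Reader",
     "destinationUserName": "B-1138"},
    {"deviceVendor": "Unknown", "deviceProduct": "App",
     "destinationUserName": "jzed"},
    {"deviceVendor": "Microsoft", "deviceProduct": "Exchange",
     "destinationUserName": "ghost"},
]


def actors_per_event(events):
    """Resolve every event; None marks an event no actor could be tied to."""
    return [resolve_actor(e) for e in events]


if __name__ == "__main__":
    for event, uuid in zip(EVENTS, actors_per_event(EVENTS)):
        name = ACTORS[uuid]["full_name"] if uuid else "(unresolved)"
        print(f'{event["deviceProduct"]:20} {event["destinationUserName"]:12} -> {name}')
```

The two None results are the cases worth monitoring in practice: an application missing from the applications-and-authenticators list, and an account ID present in event traffic but absent from the imported actor model.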
About the Actor Model Import Connectors
The ArcSight Actor Model Import connectors support bulk import of user accounts from
multiple identity management systems, such as Microsoft Active Directory. (For a complete
list of supported identity management systems, see the ArcSight connector
documentation.)
The Actor Model Import connector supports the Identity View solution. The Actor Model
Import connector imports the user data into the actors resource, where it is leveraged by
the infrastructure that identifies and tracks user activity. Correlated and normalized data
about user activity is then available for monitoring and investigation, further correlation,
and reporting.
The actor model used to describe users is automatically populated with the attributes
configured for it by the Actor Model Import connector when the Manager connects to the
connector.
The Actor Model Import connector should be configured with all attributes
you are interested in tracking before the initial connection.
During Actor Model Import connector configuration, make sure that all the
attributes you are interested in tracking are configured. Once actor information
is imported, the list of attributes the Actor Model Import connector sends for
existing actors is not updated.
If you add or remove attributes to be sent from the Actor Model Import
connector after an actor model has already been imported, you must first
delete the actor group, then re-import the actor data.
For details about how to delete an existing actor group, see “Deleting Actors”
on page 211.
The following table lists the attributes that the actor model supports. The Actor Model
Import connector administrator configures the Actor Model Import connector with the
attributes from this list that it will send to populate the actor model. Not all IDM systems
support all these attributes. An actor resource is only populated with the attributes
configured by the Actor Model Import connector administrator.
Single-value attributes: UUID, First Name, Middle Initial, Last Name, Full Name,
IDM Identifier, DN, Employee Type, Status, Title, Company, Organization, Department,
Manager, Assistant, Email Address, Location, Office, Business Phone, Mobile Phone, Fax,
Pager, Address, City, State, Zip Code, Country Or Region
Multi-value attributes:
Account
• Account ID
• Authenticator
Role
• Role Name
• Resource Name
• Role Type
In addition to the basic single-value attributes, each actor will likely have multi-value
attributes, specifically multiple account IDs, and multiple roles, which are tracked using
your IDM system. These multi-value attributes can appear differently in events coming
from different devices. In some cases, such as a non-IT-related role, the information is not
included in event data at all, but is still valuable information to help identify users and
correlate their activity to help ensure appropriate behavior and access to resources hosted
on the network.
Troubleshooting Errors with Actor Model Imports
It is possible that during the actor import process from the Actor Model Import connector,
one or more actor import files containing data for multiple actors may not have imported
successfully into the Manager. This might happen because of network connection
problems, an out-of-memory error, or some other problem that caused the import of that
file to fail.
In such cases, there is an archive file in $ARCSIGHT_HOME/archive/webservices for
each actor import file that failed to import successfully. Each such archive file is created
with the file extension .bad.
If an actor file did not import as expected, or during routine maintenance, check the
$ARCSIGHT_HOME/archive/webservices directory for actor files that failed to import.
The .bad archive file contains all the missing actor information, and you can use the
ArcSight Archive utility to import that file individually from a command line on the Manager
system. For instructions about how to run the ArcSight Archive utility to import an archive
file, see the topic “The Archive Command Tool” in the Administrator’s Guide.
Tips for using the ArcSight Archive utility:
• To see a list of commands available with the ArcSight Archive utility,
  include -h (for “help”) in the archive utility command script.
• If the archive file name starts with a dash (-), rename the file before
  running the ArcSight Archive utility to ensure that the command works.
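The routine check described above (look in $ARCSIGHT_HOME/archive/webservices for .bad files, and rename any whose name begins with a dash before handing it to the archive utility) can be scripted. The following Python is an added example, not part of the ArcSight distribution: the default ARCSIGHT_HOME fallback, the renamed_ prefix and the sample file names are assumptions made for this example, and the demo directory it builds is constructed data.

```python
"""Find failed actor imports (.bad files) and make their names safe for the
ArcSight Archive utility. Added example, not ArcSight code."""
import os
import tempfile

ARCHIVE_SUBDIR = os.path.join("archive", "webservices")
SAFE_PREFIX = "renamed_"  # assumption: any prefix that does not start with '-'


def archive_dir(arcsight_home=None):
    """Resolve $ARCSIGHT_HOME/archive/webservices; the fallback is a placeholder."""
    home = arcsight_home or os.environ.get("ARCSIGHT_HOME", "/opt/arcsight/manager")
    return os.path.join(home, ARCHIVE_SUBDIR)


def find_failed_imports(directory):
    """Return the sorted names of *.bad files (one per failed actor import file)."""
    return sorted(n for n in os.listdir(directory) if n.endswith(".bad"))


def safe_name(name):
    """A file name beginning with '-' would be read as an option; prefix it."""
    return SAFE_PREFIX + name if name.startswith("-") else name


def rename_dash_prefixed(directory, dry_run=False):
    """Rename dash-prefixed .bad files in place; return [(old, new), ...]."""
    renamed = []
    for name in find_failed_imports(directory):
        new_name = safe_name(name)
        if new_name == name:
            continue
        if not dry_run:
            os.rename(os.path.join(directory, name), os.path.join(directory, new_name))
        renamed.append((name, new_name))
    return renamed


def make_demo_archive_dir():
    """Constructed sample: a temp directory with two failed imports, one of which
    has a dash-prefixed name, plus an unrelated file that must be ignored."""
    directory = tempfile.mkdtemp(prefix="arcsight_demo_")
    for name in ("actors_2012-09-20.bad", "-batch7.bad", "actors_2012-09-19.xml"):
        with open(os.path.join(directory, name), "w") as fh:
            fh.write("<constructed sample actor import data/>\n")
    return directory


if __name__ == "__main__":
    demo = make_demo_archive_dir()  # stand-in for archive_dir() on a Manager
    print("failed imports:", find_failed_imports(demo))
    for old, new in rename_dash_prefixed(demo):
        print(f"renamed {old!r} -> {new!r}")
    print("ready to import:", find_failed_imports(demo))
```

Run it with dry_run=True first on a live Manager to see which names would change; the rename itself only touches .bad files, so archived imports that succeeded are never affected.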
For details about the Actor Model Import connector and how to configure it, see the Actor
Model Import connector documentation for your IDM system, for example, the
SmartConnector™ Configuration Guide for Microsoft Active Directory Actor Model.
Navigating to Actors
In the Navigator panel, select Actors. Here you will find the actors resource and the
category models you can use to organize and visualize them.
Viewing Actors in the ArcSight Console
In a typical workflow, actors are created automatically by installing the ArcSight Actor
Model Import connector and configuring it to your IDM system. New actors added to the
IDM are automatically created and existing ones updated with changes made on the IDM
with every connection made between the Manager and the Actor Model Import connector
as described in “About the Actor Model Import Connectors” on page 193.
For testing purposes, you can also create an actor individually using ArcSight Console
resources, or edit an existing one. For more about creating actors individually for testing
purposes, see “Creating and Editing Actors for Testing Purposes” on page 208.
ArcSight Console-created actors or those edited individually using
ArcSight Console resources do not update the user information
stored in the IDM.
Communication from your IDM to the Manager is one way. Any actors that
you add from scratch or existing ones that you update using ArcSight Console
tools are not added to the IDM system. Any changes you want to persist to
the IDM should be made at the IDM, and the new actor information will be
automatically imported into the actor model at the next Actor Model Import
connector connection.
Viewing Actors in the Navigator Panel
Actor models with fewer than 1,000 members can be viewed from the Navigator panel.
Upon connection, the Actor Model Import connector creates the destination group in which
the actors are placed based on the value set at the Actor Model Import connector. The
example below shows three actors in a group called World-Wide Operations.
Viewing Actors in the Actor Editor
To view the details of a particular actor in the Actor editor, double-click the actor, or
right-click the actor and select Edit. Use the scroll bar to see all the actor attributes.
Viewing Actor Base Attributes
The attributes in the Actor section of the Actor editor are also referred to as the Actor Base
attributes. These are the basic standard attributes that describe an actor. These base
attributes are part of the Actor Base field set. (For more about actor field sets and usage,
see “Creating and Using Field Sets” on page 154.)
UUID: The Universally Unique Identifier for the actor
Full Name: The actor’s full name
First Name: The actor’s first name
Last Name: The actor’s last name
Middle Initial: The actor’s middle initial
IDM Identifier: The friendly name for the IDM selected by the Actor Model Import
connector administrator at Actor Model Import connector setup time.
DN: The distinguished name for the actor, for example,
CN=JohnDoe,OU=Sales,DC=companyname,DC=com
Employee Type: The type of employee this actor is in your company, for example,
full-time, exempt, or contractor.
Status: The employment status of the actor’s account, for example, Active, Deleted in
IDM, or Disabled.
Notes:
• When an actor is deleted from the IDM, the actor will remain in the actor model with
  the status Deleted in IDM.
• The license tracking feature includes actors that are still in the actor model with the
  status Disabled or Deleted in IDM. The identity management feature preserves
  disabled and deleted actors in the actor model to track any unauthorized activity
  related to disabled or deleted actors. If you do not want the license tracking feature
  to evaluate actors with the status Disabled or Deleted in IDM, you can manually
  remove them from the ESM actor model. Manually removing disabled or deleted actors
  also removes the ability to track unauthorized activity related to these accounts.
  For more about the license tracking feature, see “License Tracking” on page 60.
Title: The actor’s job title
Company: The company by whom the actor is employed.
Org: The organization within your company of which the actor is a member
Department: The department within your company of which the actor is a member
Manager: The distinguished name of the actor's manager
Assistant: The name of the actor’s assistant as it appears in the IDM
Email Address: The actor’s company email address
Location: The actor’s location name
Office: The actor’s office name
Business Phone: The actor’s business phone
Mobile Phone: The actor’s mobile phone
Fax: The actor’s fax number
Pager: The actor’s pager number
Address: The actor’s business address
City: The city of the actor’s business address
State: The state of the actor’s business address
Zip Code: The zip code of the actor’s business address
Country Or Region: The country of the actor’s business address
Viewing Actor Account Attributes
The Account_Attributes table displays the unique account IDs attributed to this user by the
various user authentication data stores relevant to this user. Like the base actor attributes,
the values in this table are populated by values from the Actor Model Import connector for
your IDM system.
Authenticator: The friendly name for the user authentication data store containing the
actor’s account ID
Account ID: The account ID for the actor
Viewing Actor Role Attributes
The Role_Attributes table displays role name, resource type, and role type for each role
represented by the actor. The values in this table are also populated by values from the
Actor Model Import connector for your IDM system.
Role Name: The name of the role or group, such as Administrators or Software Developer
Resource Name: The name of the resource in which the role is assigned, such as the
active directory domain, identity management system, or application
Role Type: The role's category, such as Global Security Group, Business Role, or IT Role
Because an actor can have multiple roles, a query viewer will display each
role in separate entries. For example, if an actor has 4 accounts and 10 roles,
running a query on this actor’s accounts and roles will result in the Cartesian
product of the accounts and roles: 40 entries.
For information about queries, see “Building Queries” on page 302. For
information about query viewers, see “Query Viewers” on page 233.
Viewing Actors in an Actor Channel
For actor models that contain thousands of members, actor channels present all the actors
in your actor model in a single, scrollable view. You can apply local filters to actor channels
to find actors with certain attributes.
If a group in your actor model contains more than 1,000 members, the actor tree in the
Navigator panel displays the message:
“This group has more items than can be displayed. Double click to open a channel.”
You can also view actor models with fewer than 1,000 members in an actors channel.
To view an actor model in an actors channel:
1. In the Actors navigation panel, right-click an actors group and select Show Actors. If
   your actor model contains more than 1,000 members, you can also double-click the
   message “This group has more items than can be displayed. Double click to
   open a channel.”
   ‘Show Actors’ on a Group Shows Actors Only for that Group
   When you select Show Actors on a group of actors, the actor channel
   will only display the members of that immediate group. If the group has
   a sub-group, the actors in that sub-group will not be displayed in the
   actor channel.
   To view the actors in a sub-group, right-click that group and select Show
   Actors.
2. In the Viewer panel, navigate to the actor channel.
The following sections describe the attributes of an actor channel, and how to interact
with them.
About the Actor Channel UI
The actor channel is an active channel with a simplified header that displays the actor
resources in your actor model.
Sorting Fields in Actor Channels
The fields shown are from the Actor Information Field Set (/All Field
Sets/ArcSight System/Actor Field Sets/Actor Information).
Sort fields in actor channels the same way you sort fields for event-based channels.
Multi-value columns cannot be sorted.
Columns that contain multi-value attributes, such as Account ID, cannot be
sorted.
The names of sortable fields in column headers are indicated with a double-arrow icon.
If a field is already sorted, an up or down arrow indicates the direction of the sort.
• To sort the list by a column, right-click over the column and select Sort Column.
• To reverse the sort order, select Sort Column again on an already-sorted column.
• To remove a sort, right-click over a sorted column and select Remove Sort.
For more about sorting columns in channels, see “Sorting Events in an Active Channel” on
page 79.
Actor Channel Options
There are several options available to take on actors from the tree view in the Navigator
panel and from the grid view in the Viewer panel.
Right-Click Options from the Grid View
Export: Save the actor data in this actor channel as a CSV list.
Edit Actor: Open the selected actor to view its details in the event inspector.
Delete Actor: Delete the selected actor from the actor model.
Caution: Make sure the actor is also deleted from the source IDM. Subsequent updates
from the IDM that still contains this actor data can result in an unstable actor data set
for this actor.
Add Actors to Category Model: Add the selected actors to an existing category model.
Add to Package: Add the selected actors to a new or existing package.
Report: Run a custom actor context report, or one using default values. For more about
actor context reports, see
Find Actor in Navigator: Expand the containing group and highlight the selected actor in
the Navigator panel.
Graph View: Display the actor in a resource graph in the Viewer panel.
Lock Actor: Locking is a common feature for all resources.
Filtering Actor Channels
There are two ways to filter the contents of an actor channel: adding a local filter to the
resource itself, or applying an inline filter to one or more columns.
Adding a Local Filter to the Actor Channel Resource
You can add a local filter to the actor channel using the Active Channel: Actor Channel
editor. This enables you to use the CCE to apply a filter locally to the selected actor
channel. You cannot save a local filter added to an actor channel.
To add a local filter to the resource:
1. Click the Filter link in the channel header. This opens the Active Channel: Actor
   Channel editor in the Inspect/Edit panel.
2. In the Attributes tab, set the name and select the Actor field set you want to use.
   a. Name. Replace the default name Actor Channel with a name that describes the
      channel, and maybe the filter you want to apply to it, such as Managers in
      World-Wide Operations.
   b. Default Field Set. By default, no field set is used. You can select a field set if
      you want to select a specific actor field in a particular field set. If you choose to
      specify a field set, only the actor field sets are displayed, such as the Actor Base
      field set (Field Sets/Shared/All Field Sets/ArcSight
      System/Actor Field Sets/Actor Base). You can select this field set, or
      another actor field set created in your environment.
   c. Common Attributes. Set any other common attributes you want for the actor
      channel. For a description of the data that goes in the Common section, see
      “Common Resource Attribute Fields” on page 630.
3. In the Filter tab, construct the filter you want to apply. You can select any existing
   Actor field set, or apply a global variable.
   For instructions about constructing a condition using the Common Conditions Editor
   (CCE), see “Common Conditions Editor (CCE)” on page 782.
4. In the Sort Fields tab, select the columns by which you want the actor channel to sort.
   Fields that contain lists and multi-values cannot be sorted. For instructions about using
   the Sort Fields tab, see Step 4 on page 84.
5. On the Local Variables tab, define any local variables you want to use to extract a
   particular value from a particular field. For instructions about how to use the Local
   Variables editor, see “Variables” on page 947.
6. Click Apply to apply changes to the actor channel displayed in the Viewer panel. Click
   OK to save the filtered actor channel.
Where to Find Saved Actor Channels
Once you have modified and saved an actor channel, you can find it in
the Active Channel area of the Navigator panel. Actor channels are
saved with the suffix [Actor] behind the active channel name, for
example, Managers in World-Wide Operations [Actor].
Creating an Inline Filter
As with event-based active channels, you can create an inline filter that operates on one or more columns to find actors with particular attributes in common. For instructions about how to construct inline filters, see "Filtering Active Channels with Inline Filters" on page 98.
In an actor channel, if you apply an inline filter to a specific column, the inline filter automatically becomes part of the actor channel's filter condition, as if you had manually edited the actor channel and entered settings on the Filter tab. You can save the actor channel with the new filter, or close the channel without saving the filter.
To save the filtered version of the channel, see "Saving Actor Channels" on page 204.
Confidential
ArcSight Console User’s Guide 203
9 Actors
Saving Actor Channels
To save an actor channel from the Viewer panel:
1. Right-click the active channel header and select Save Active Channel As.
2. In the Active Channels Selector, navigate to the location in the Active Channels branch where you want to save the actor channel and click OK.
You can also save an actor channel by opening the actor channel editor in the Inspect/Edit panel, as described in "Filtering Actor Channels" on page 202.
Editing Saved Actor Channels
You can find saved actor channels in the Active Channel area of the Navigator panel. Actor channels are saved with the suffix [Actor] behind the active channel name.
To edit a saved actor channel:
1. In the Navigator panel, go to Active Channels.
2. Right-click the actor channel you want to edit and select Edit Active Channel.
3. Make your changes to the actor channel in the Active Channel: Actor Channel editor in the Inspect/Edit panel and click OK. For details about what to enter in the active channel editor, see "Filtering Actor Channels" on page 202.
Viewing Saved Actor Channels
To view a saved actor channel:
1. In the Navigator panel, go to Active Channels.
2. Double-click the actor channel you want to view, or right-click it and select View Active Channel.
For details about viewing actors and navigating actor channels, see "Viewing Actors in the ArcSight Console" on page 195.
Investigating Actors
You can investigate events to identify the actor behind the activity represented in an event by running a context report from an event channel or an actor channel. An actor context report determines which actor is bound to the event you are investigating, then runs a report that shows activity for that actor.
Running Context Reports from an Actor Channel
From an actor channel, you can run the report based on one of the following actor global variables:
• ActorByAccountID
• ActorByAttackerUsername
• ActorByCustomFields
• ActorByTargetUsername
The report is populated only if the actor global variable finds values for the attributes it supports, for example, account ID, custom field, or attacker user name. When the report is launched, it uses the actor global variable specified in the channel's field set. If the field set contains more than one actor global variable, the report defaults to ActorByAccountID.
Actor context reports do not show data if you look up actors using the ActorByUUID or ActorByDN global variable. These global variables are used for internal actor lookups.
From an actor channel, you can run an actor context report in either of two ways:
• With default parameters:
  • Default time range: last hour
  • Default filter: correlation events only
• With custom parameters that you set explicitly:
  • Start time
  • End time
  • Filter by
The following example shows the available options for running actor context reports from an actor channel.
To run an actor context report from an actor channel:
1. Display an actor channel and right-click an actor.
2. Select Report and then select one of the displayed report types.
If you have the ArcSight IdentityView solution, you can also run context
reports on global variables that come with the IdentityView. Refer to the
ArcSight Solution Guide IdentityView for a list of actor global variables
provided by the solution.
If you choose a report type whose name ends in with defaults, for example, Actor Context Report by Attacker Username with defaults, the report is displayed with the following parameters:
• Default time range: last hour
• Default filter: correlation events only
If you choose a report type whose name does not end in with defaults, for example, Actor Context Report by Attacker Username, a parameters screen appears:
3. Set your custom parameters, for example, StartTime, EndTime, and FilterBy. Keep the ActorResourceID parameter value; this is the value used to identify the actor of interest.
4. Click OK.
Investigating an Actor from an Event Channel
You can investigate an actor from an event channel in one of the following ways:
• By using the Show Actor option on an event that is related to an actor. This option is enabled only if the channel contains ActorResourceID values, for example, ActorByAccountID.ID. The actor data is displayed in the Inspect/Edit panel.
• By running an actor context report on any active channel that has ActorResourceID values, for example, ActorByAccountID.ID. Running an actor context report provides additional options:
  • Report with default parameters (see related information on page 205)
  • Report with custom parameters, which you set explicitly (see related information on page 205)
To show an actor related to an event:
1. Display an event channel.
2. Right-click an event and select Show Actor. If the channel does not use a field set containing an actor global variable, the Show Actor option is disabled.
The edit panel displays details about the actor. See "Viewing Actors in the Actor Editor" on page 197 for an example of an actor edit panel.
To run an actor context report from an event channel:
1. Display an event channel.
2. Right-click an event and select Report.
3. Select the report with defaults, or the report that lets you set the report parameters.
The report is displayed in the ArcSight Console's Viewer panel.
Actor Context Reports in Standard Content
If needed, you can modify the resources upon which these context reports are based.
Reports
/All Reports/ArcSight System/Core/
Actor Context Report by Account ID
    Used by the system to show activity related to an actor based on the ActorByAccountID global variable.
Actor Context Report by Attacker Username
    Used by the system to show activity related to an actor based on the ActorByAttackerUserName global variable.
Actor Context Report by Custom Fields
    Used by the system to show activity related to an actor based on the ActorByCustomFields global variable.
Actor Context Report by Target Username
    Used by the system to show activity related to an actor based on the ActorByTargetUserName global variable.
For details about modifying reports, see "Defining Report Settings" on page 337.
Queries
/All Queries/ArcSight System/Core/Actor Context Report/
Actor Event Count by Account ID
    Shows activity related to an actor based on the ActorByAccountID global variable.
Actor Event Count by Attacker Username
    Shows activity related to an actor based on the ActorByAttackerUserName global variable.
Actor Event Count by Custom Fields
    Shows activity related to an actor based on the ActorByCustomFields global variable.
Actor Event Count by Target Username
    Shows activity related to an actor based on the ActorByTargetUserName global variable.
Actor Events by Account ID
    Shows activity related to an actor based on the ActorByAccountID global variable.
Actor Events by Attacker Username
    Shows activity related to an actor based on the ActorByAttackerUserName global variable.
Actor Events by Custom Fields
    Shows activity related to an actor based on the ActorByCustomFields global variable.
Actor Events by Target Username
    Shows activity related to an actor based on the ActorByTargetUsername global variable.
Actor Information
    Shows activity related to an actor.
For details about working with queries, see "Defining Query Settings" on page 305.
Report Template
/All Report Templates/ArcSight System/
Actor Context Report
    Report template used by the Actor Context Report reports listed above.
For details about working with report templates, see "Designing Custom Templates" on page 286.
Creating and Editing Actors for Testing Purposes
For testing purposes, you can create an actor from scratch using ArcSight Console resources, or edit an existing one. If you create actors manually, enter data in the fields you are interested in tracking.
In production, the Actor Model Import connector automatically populates the actor attributes it has been configured to send, based on values set at the source IDM. The IDM may not use or store data for every field. To learn which values the Actor Model Import connector can be configured to send, see the Actor Model Import connector documentation for your IDM system, for example, the SmartConnector™ Configuration Guide for Microsoft Active Directory Actor Model.
Important points to consider about making manual changes to actors
Before you create, edit, or delete an actor that the IDM sent through the Actor Model Import connector, consider the following points:
• Actors you create using the ArcSight Console are not sent back to the IDM. The flow of data is one way, from the IDM through the connector.
• Any changes you want to persist to the IDM should be made at the IDM. New actor information is imported automatically at the next scheduled Actor Model Import connector connection.
• Manual changes made in the ArcSight Console to actors imported from the IDM are overwritten the next time the Actor Model Import connector sends updated data for the same actors.
• If you manually delete an actor attribute, that attribute is not restored by a subsequent update from the Actor Model Import connector unless the connector's update includes a new value for that very attribute.
• Be careful about using the ArcSight Console to delete actors sent by the IDM, especially if the actors still exist in the IDM, because the actor might not be updated during a subsequent import.
Creating Actors for Testing Purposes
Before proceeding, review the information in "Important points to consider about making manual changes to actors" on page 208.
To test the process of creating an actor using ArcSight Console tools:
1. In the Navigator panel, go to Actors. Right-click the All Actors group (or any group under All Actors) and select New Actor to launch the Actor editor.
You can also launch the Actor editor by going to File > New > Actor, or by clicking the New Resource icon and selecting Actor. If you used the File > New > Actor menu option, the actor appears in the Unassigned folder. Later, you can move the unassigned actor to an existing group.
2. In the Actor Editor in the Inspect/Edit panel, enter the following values and click OK to save the actor and close the editor (click Apply to save the actor and keep the editor open).
a. In the Actor section of the Attributes tab, enter values for the required fields, UUID and Full Name. Enter any other relevant attributes. All attributes are treated as data type string. Use the scroll bar to see all the Actor attributes.
b. In the Account_Attributes table, add all the unique account IDs attributed to this user by the various user authentication data stores relevant to this user.
Completing the Account_Attributes Table
• In a production environment where the IDM sends data through an Actor Model Import connector, this table is populated automatically with the user account ID and authenticator values the Actor Model Import connector is configured to send.
• For tips about tools to use to find user account IDs and authenticator information, see "Configuring Actors" in the "Configuration" chapter of the Administrator's Guide.
• In a test situation, or any situation where an actor has been added manually using ArcSight Console tools, you must populate the account attributes you are interested in tracking.
Click the Add icon to make the fields editable.
In the Authenticator column, enter an identifier for the user authentication data store, for example, Active Directory: mycompany.com. This is a friendly name that helps admins and other users identify which data store is the authentication source.
In the Account ID column, enter the user's account ID in that authentication data store, for example, john_doe, jdoe, or john.d.
With each entry, the next set of fields becomes editable. Add as many data store authenticators and account IDs as are relevant. For example, an entry for an Active Directory authenticator could be Active Directory: companyname.com. Following is an example of a completed Account_Attributes table:

To remove an entry, click anywhere on the row you want to delete and click the Delete icon.
c. In the Role_Attributes table, add all the unique roles attributed to this user and their type.
Completing the Role_Attributes Table
• In a production environment where the IDM sends data through an Actor Model Import connector, this table is populated automatically with the user role values the Actor Model Import connector is configured to send.
• In a test situation, or any situation where an actor has been added manually using ArcSight Console tools, you must populate the role attributes you are interested in tracking.
Click the Add icon to make the fields editable.
In the Role Name column, enter a role name, such as Administrator, User, Approver, or Manager.
In the Resource Name column, enter the application to which this role applies, for example, SAP or Microsoft Exchange.
In the Role Type column, enter the type of role, for example, an IT role or a business role.
With each entry, the next set of fields becomes editable. Add as many user roles as are relevant. Following is an example of a completed Role_Attributes table:

To remove an entry, click anywhere on the row you want to delete and click the Delete icon.
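The following Python script is an added example, not part of this guide or of ESM: it models the Actor, Account_Attributes and Role_Attributes records described above as plain data and shows why the Authenticator column matters when an event's account ID is resolved to an actor. The records, the class names and the lookup logic are this example's own assumptions; in particular, the case-insensitive account ID match and the duplicate-binding check are design choices made here, not a description of how the ActorByAccountID global variable behaves.

```python
"""Toy actor model: Actor, Account_Attributes and Role_Attributes as data.

Added example, not ArcSight code. All records are constructed. The lookup
mirrors the idea of ActorByAccountID (resolve an event's account ID to an
actor) but its details are assumptions made here, not ESM behaviour.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    authenticator: str  # friendly name of the user store, e.g. "Active Directory: mycompany.com"
    account_id: str     # the user's ID in that store, e.g. "jdoe"


@dataclass(frozen=True)
class Role:
    role_name: str      # e.g. "Administrator"
    resource_name: str  # application the role applies to, e.g. "SAP"
    role_type: str      # e.g. "IT" or "Business"


@dataclass
class Actor:
    uuid: str           # required
    full_name: str      # required
    accounts: List[Account] = field(default_factory=list)
    roles: List[Role] = field(default_factory=list)


class ActorModel:
    """Actors indexed by UUID and by (authenticator, account ID)."""

    def __init__(self, actors: List[Actor]) -> None:
        self.by_uuid: Dict[str, Actor] = {}
        self._by_account: Dict[Tuple[str, str], str] = {}
        for actor in actors:
            self.add(actor)

    def add(self, actor: Actor) -> None:
        if not actor.uuid or not actor.full_name:
            raise ValueError("UUID and Full Name are required")
        self.by_uuid[actor.uuid] = actor
        for acct in actor.accounts:
            # Account IDs are compared case-insensitively: a choice made here,
            # since most directories treat them that way (assumption).
            key = (acct.authenticator, acct.account_id.lower())
            owner = self._by_account.get(key)
            if owner is not None and owner != actor.uuid:
                raise ValueError(f"{key} is already bound to actor {owner}")
            self._by_account[key] = actor.uuid

    def actor_by_account_id(self, authenticator: str, account_id: str) -> Optional[Actor]:
        """Exact resolution: authenticator plus account ID."""
        uuid = self._by_account.get((authenticator, account_id.lower()))
        return self.by_uuid.get(uuid) if uuid else None

    def actors_by_bare_id(self, account_id: str) -> List[Actor]:
        """Resolution that ignores the authenticator: may return several actors."""
        hits = {uuid for (_, aid), uuid in self._by_account.items() if aid == account_id.lower()}
        return [self.by_uuid[u] for u in sorted(hits)]

    def roles_for(self, uuid: str, resource_name: str) -> List[str]:
        """Role names the actor holds on one application (from Role_Attributes)."""
        return sorted(r.role_name for r in self.by_uuid[uuid].roles if r.resource_name == resource_name)


# Constructed actors: two different people who both use the account ID "jdoe",
# in two different authentication data stores.
SAMPLE_ACTORS = [
    Actor("1001", "John Doe",
          accounts=[Account("Active Directory: mycompany.com", "jdoe"),
                    Account("SAP: prod", "john_doe")],
          roles=[Role("Approver", "SAP", "Business"), Role("User", "SAP", "IT")]),
    Actor("1002", "Jane Dorsey",
          accounts=[Account("Unix: lab.mycompany.com", "jdoe")],
          roles=[Role("Administrator", "Unix", "IT")]),
]

# Constructed event (not an ESM event): only the attacker user name and the
# store that authenticated it are needed for the lookup.
SAMPLE_EVENT = {"attackerUserName": "jdoe", "authenticator": "Unix: lab.mycompany.com"}


def resolve_event(model: ActorModel, event: Dict[str, str]) -> Optional[Actor]:
    """Resolve the actor behind an event the way an account-ID lookup would."""
    return model.actor_by_account_id(event["authenticator"], event["attackerUserName"])


if __name__ == "__main__":
    model = ActorModel(SAMPLE_ACTORS)
    print("bare 'jdoe' matches:", [a.full_name for a in model.actors_by_bare_id("jdoe")])
    print("resolved with authenticator:", resolve_event(model, SAMPLE_EVENT).full_name)
    print("SAP roles of 1001:", model.roles_for("1001", "SAP"))
```

The point of the bare-ID lookup is the failure mode: without the Authenticator value, "jdoe" matches two people, and an investigation would attribute one person's activity to the other. The duplicate-binding check in add() is the kind of consistency test worth running over a manually populated actor set before it is used for correlation.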
Editing Actors for Testing Purposes
This section explains how to edit the actors you created manually for testing purposes. In a production environment, actor changes should be managed automatically through the Actor Model Import connector.
1. In the Navigator panel, go to Actors.
2. Double-click an actor (or right-click an actor and select Edit Actor) to open the Actor Editor in the Inspect/Edit panel.
How to find an actor among thousands of actors
If a group in your actor model contains more than 1,000 members, view the actors using an actor channel. In the Actors navigation panel, right-click the group and select Show Actors. For more about creating and viewing actors in an actor channel, see "Viewing Actors in an Actor Channel" on page 199.
3. Refer to the topic "Viewing Actors in the Actor Editor" on page 197 for details about what to enter in the editor's fields.
Deleting Actors
The actors feature is designed to reflect the latest state of your IDM data as sent through regular updates from the Actor Model Import connector. Changes to actor data in your environment should therefore be made first at the IDM and then sent through an update from the Actor Model Import connector.
If you delete a user at the IDM, the actor remains in the actor model and its status is updated to "Deleted in IDM."
• To delete an actor from the actor model permanently, right-click the actor and select Delete.
• To delete a group of actors permanently, right-click the actor group and select Delete.
Leveraging Actor Data Using Variables
You can create a local or global variable that focuses just on actor base and list fields. This enables you to make a specific value derived from actor data available for use in actor-related resources: actor field sets, actor queries (used in reports, query viewers, and trends), and actor channels.
ESM v5.0 does not support velocity expressions for actor fields
ESM v5.0 does not support using velocity expressions for actor fields in local or global variables.
Creating an Actor Global Variable
Variables derive particular values from existing data fields. The global variables feature enables you to define a variable once and then re-use it wherever conditions can be expressed. Global variables work with the actors feature so that you can build user correlations.
To create an actor global variable:
1. Launch the global variable editor: in the Navigator panel, go to Field Sets. On the Fields & Global Variables tab, right-click a group and select New Global Variable.
2. In the Attributes tab, give the global variable a name, and specify Actor Global Variable as the variable type. For details about the fields in the Global Variable Editor Attributes tab, see "Global Variable Editor: Attributes Tab" on page 437.
3. In the Parameters tab, specify the parameters you want to set for the actor global variable.
a. In the Function field, select a category, then a function appropriate for the data you want to extract from the actor fields.
b. In the Arguments section, select the fields or resources to which you want to apply the function. Enter the other relevant arguments for that function.
c. To test the result returned by the parameters you selected, enter test values and click Calculate.
4. In the Local Variables tab, you can optionally add a local variable to the actor global variable, which extracts a value from a field that you want to use in the overall actor global variable.
For details about how to create a global variable using the global variable editor, see "Creating a Global Variable" on page 436.
For details about the functions available to local and global variables, see "Variables" on page 947.
Creating an Actor-Based Variable in Another Resource
Actor-based variables are only applicable to actor-based resources. You can add a local variable based on an actor field to the following resources:
• Active channels
• Field sets
• Global variables
• Queries (available to reports, trends, and query viewers)
To create an actor-based local variable:
1. In the resource editor's Local Variables tab, click Add.
2. In the Add Local Variable dialog:
a. Enter a name for the local variable.
b. Select a function that is compatible with the actor field whose values you want to use in the variable.
c. In the Arguments section, select fields and add values relevant to the actor data you want to use.
d. In the Preview section, enter test values and click Calculate to test the result of the local variable.
e. Click OK.
Creating and Using Category Models
Once you have actor information created, you can make logical groupings to represent
relationships among actors and actor attributes using category models.
Category models can reflect direct actor relationships, such as reporting hierarchies, or
relationships between actors who share common attributes, such as actors in a particular
location. For reporting hierarchies, your model can consist of a top-to-bottom structure (by Manager), or its reverse (by Assistant). Category models can also reflect relationships between actors using custom attributes defined by the user.
You can use category models to visualize these relationships, then leverage the data
gathered in them using the HasRelationship function in local and global variables.
Memory Recommendations for Using Category Models
Category models can be resource intensive on run-time processing memory, depending on the size of your actor model and the nature of the relationships you are modeling. For best results, adjust the Java heap memory size in the ArcSight Console startup script to at least 1 GB. The workstation running the Console must have that much memory available to the Console process, and the initial heap size (-Xms) must never be larger than the maximum (-Xmx), or the JVM refuses to start.
To adjust the Java heap memory size on the ArcSight Console:
1. If it is running, close the ArcSight Console.
2. In the directory <ARCSIGHT_HOME>/bin/scripts/, make a backup of the ArcSight Console startup script file:
• Windows: console.bat
• Unix: console.sh
3. Open the Console startup file (console.bat or console.sh) in a text editor and change the default maximum heap size value from -Xmx512m to -Xmx1024m. Leave the -Xms value (the initial heap size) as it is. For example:
Windows: Change the line
    set ARCSIGHT_JVM_OPTIONS=-Xms64m -Xmx512m -XX:MaxPermSize=84m -
to
    set ARCSIGHT_JVM_OPTIONS=-Xms64m -Xmx1024m -XX:MaxPermSize=84m -
Unix: Change the line
    ARCSIGHT_JVM_OPTIONS="-Xms32m -Xmx512m -XX:MaxPermSize=84m "
to
    ARCSIGHT_JVM_OPTIONS="-Xms32m -Xmx1024m -XX:MaxPermSize=84m "
4. Save the updated Console startup file.
5. Restart the ArcSight Console.
Creating Category Models
You can create three types of category models, depending on the type of relationships you want to represent:
• Actor-to-actor. Actor-to-actor category models establish direct or indirect relationships between actors themselves, such as reporting hierarchies. This category model is also called a dual-field category model.
• Model by actor attributes. Actor attribute category models group actors who share one base actor attribute in common, such as location, department, or country. This category model is also called a single-field category model.
• Model by user-defined attributes. User-defined category models group actors who share one or more attributes that are outside of the schema, for example, users who come in on Saturdays, users who play racquetball, or users who take public transportation. This category model is also called a manually-created category model.
Manually-created category models are not included in an export of the actor resource. For more information about exporting resources, see "Creating Packages" on page 633.
To create a category model:
1. In the Navigator panel, go to Actors and click the Category Models tab.
2. Right-click an existing group, such as Public, and select New Category Model.
3. In the Category Model Editor in the Inspect/Edit panel, name the category model, select its type, and select the fields by which you want it to model. For details about which fields to populate for each type of category model, see the following topics:
• "Creating Actor-to-Actor Category Models" on page 214
• "Creating Actor Attribute Category Models" on page 216
• "Creating User-Defined Category Models" on page 218
4. Depending on the type of category model you create, use the Data tab to view the members of the category model, or use the Attributes tab to define the attributes by which you want to model users.
5. Click OK to save the category model and close the editor, or click Apply to save the category model and leave the editor open.
Creating Actor-to-Actor Category Models
Actor-to-actor category models establish direct or indirect relationships between actors themselves, such as reporting hierarchies. The categorization is based on which data you want to track, set in the Parent Field, and on how the actors that populate the model are looked up, set in the Child Field.
When creating actor-to-actor category models, enter the following values in the Attributes tab of the Category Model editor:
Name
    Enter a name for the category model. This name appears in pick lists and wherever category models can be referenced in conditions. Spaces, underscores, and hyphens are allowed.
Create From
    Use the Create From field to select the type of category model. For an actor-to-actor category model, select Actor Fields. After the category model is saved, this field becomes read-only.
Field Set
    By default, the system uses the Actor Base field set, because only actor-based fields are relevant for category models. You can also select a user-defined actor field set.
    The field set selected here defines the fields available for the parent and child field choices and defines the columns available for the table below the graph view (for more about the graph view, see "Viewing Category Models in Graphs" on page 221). After the category model is saved, this field becomes read-only.
Relationship Name
    Use this optional field to describe the relationship you want the category model to show. For example, if you want the category model to show managers and their direct reports, you could enter Direct Report to identify the relationship between the manager and the direct report.
    The value you enter here appears as a mouse-over tool tip on the relationship lines that connect the parent and child fields in the category model graph view.
Parent Field
    This field establishes which actor data field to use to build the hierarchy of relationships. From the drop-down menu, select Manager or Assistant as the parent field.
    For example, if you are building an actor-to-actor category model that shows top-down reporting relationships, select Manager to produce a category model of every manager identified in your IDM data. The resulting model displays managers at the top. A Parent Field of Assistant displays an inverted hierarchy, with lower-level actors appearing at the top.
    Note: Only the Manager and Assistant fields are supported for the Parent Field when building actor-to-actor category models.
Child Field
    In Child Field, the UUID (or DN, if used) is the unique identifier the system uses to look up the actors and populate the members that are related to the Parent Field. From the drop-down menu, select UUID or DN as the unique identifier so that the members of a particular structure are determined correctly. (DN is specific to the Active Directory IDM.)
    Note: Only the UUID and DN fields are supported in the Child Field when building actor-to-actor category models.
    For example, if you selected Manager in the Parent Field and the actors' Manager field is populated with a UUID value, select UUID as the Child Field. Likewise, if the actors' Manager field is populated with a DN value, select DN. If the identifier type selected here does not match what the Manager field actually contains, the lookups find no actors. The following scenario explains how the category model is created from the Parent Field and Child Field values.
    Example scenario: suppose you are building an organizational chart with managers at the top node.
    • Actor A has UUID = 1234. Actor A is the manager of Actor B and Actor C.
    • Actor B's and Actor C's values for Manager = 1234, which corresponds to Actor A's UUID.
    • To build this category model, use Parent Field = Manager and Child Field = UUID. The model looks up Actor B's and Actor C's Manager field, which holds Actor A's UUID, and places Actor B and Actor C under Actor A in the resulting category model.
Delimiter
    The Delimiter field does not apply to the actor-to-actor category model.
For a description of the data that goes in the Common section, see "Common Resource Attribute Fields" on page 630.
Use the Data tab to view the members of the group in tree form.
You can also view the group hierarchy in a resource graph. Right-click the category model and select View Category Model. For details, see "Viewing Category Models in Graphs" on page 221.
Creating Actor Attribute Category Models
Actor attribute category models are a way to group actors who share one base actor
attribute in common, such as location, country, or any actor attribute that can possibly
have a hierarchical groupings.
When creating actor attribute category models, enter the following values in the Attributes
tab of the Category Model editor:
Attribute Field
Description
Name
Enter a name for the category model. This name appears in pick
lists and wherever category models can be referenced in
conditions. Spaces, underscores, and hyphens are allowed.
Create From
Use the Create From field to select the type of category model.
For an actor attribute category model, select Single Actor
Field. After the category model is saved, this field becomes
read-only.
Field Set
By default, the system uses the Actor Base field set, since only
actor-based fields are relevant for category models. You can
also select a user-defined actor field set.
The field set selected here defines the fields available for the
parent and child field choices, and also defines the columns
available for the table below the graph view (for more about the
graph view, see “Viewing Category Models in Graphs” on
page 221). After the category model is saved, this field
becomes read-only.
216 ArcSight Console User’s Guide
Confidential
9 Actors
Attribute Field
Description
Relationship Name
Use this optional field to describe the relationship you want the
category model to show.
For example, if you want the category model to show employees
by location, you could enter Location to identify the
relationship between the actor and the group he is associated
with.
The value you enter here appears as a mouse-over tool tip on
the relationship lines that connect the actor and the attribute
they’re being modeled by in the category model graph view.
Parent Field
From the drop-down menu, select the attribute that you want to
model the users by.
For example, if you are building an actor attribute category
model that categorizes all the actors by their location, select
Location.
Child Field
The child field does not apply to single-actor field category
models.
Delimiter
Enter the delimiter you used in the actors’ Delimiter attribute.
The default is the forward slash (/).
The Delimiter is used to denote the hierarchy of values, from
top to bottom, in the attribute you are tracking in Parent Field.
Example scenario:
•
Actor A has Location = /USA
•
Actor B has Location = /USA/California/Mountain View
•
Actor C has Location = /USA/California/Mountain View
The delimiter used to denote a hierarchy is /, therefore, in the
category model editor, set Delimiter = /.
The resulting resource graph produced by these values has
three levels: USA, California, and Mountain View.
A combination of delimiters builds a hierarchy if one is found
If the attribute from which you are creating the category model contains
multiple values with more than one type of delimiter, for example, a URL,
such as
http://www.arcsight.com,
include all the delimiter characters in the Delimiter field. For example:
://.
This indicates that the dot (.) is the delimiter used to separate all the
elements of the URL into the following hierarchy:
http
www
arcsight
com
For a description of the data that goes in the Common section, see “Common Resource
Attribute Fields” on page 630.
Confidential
ArcSight Console User’s Guide 217
9 Actors
Use the Data tab to view the members of the group in tree form.
In the example above, the value for the two actors’ Location field are entered as
/US/CA/MountainView.
You can also view the group hierarchy in a resource graph. Right-click the category model
and select View Category Model. For details, see “Viewing Category Models in Graphs”
on page 221.
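As an added example (not code from the ArcSight Console or its documentation), the following Python script reproduces how a single-actor-field category model turns an attribute value into a hierarchy: it splits each actor's value on every character listed in the Delimiter field, drops empty segments (so a leading / or the // in http:// does not create an empty level), and omits actors whose field is empty. The Location values and the URL are the ones used in the text; the actor names and the "Home Page" field are constructed for the illustration.

```python
# Added example, not ArcSight code: how a single-actor-field category model
# turns an attribute value into a hierarchy by splitting on the characters
# listed in the model's Delimiter field.
import re
from typing import Dict, List

# Constructed sample actors. The Location values and the URL are the ones used
# in the text; the actor names and the "Home Page" field are assumptions.
ACTORS = [
    {"name": "Actor A", "Location": "/USA",
     "Home Page": "http://www.arcsight.com"},
    {"name": "Actor B", "Location": "/USA/California/Mountain View",
     "Home Page": ""},
    {"name": "Actor C", "Location": "/USA/California/Mountain View",
     "Home Page": None},
    {"name": "Actor D", "Location": None,
     "Home Page": "http://protect724.arcsight.com"},
]


def split_path(value: str, delimiters: str) -> List[str]:
    """Split value on any character in delimiters, dropping empty segments.

    Dropping empties is what makes a leading "/" harmless ("/USA" is one
    level) and lets "://." reduce "http://www.arcsight.com" to
    ["http", "www", "arcsight", "com"] despite the double slash.
    """
    pattern = "[" + re.escape(delimiters) + "]+"
    return [segment for segment in re.split(pattern, value) if segment]


def build_category_model(actors: List[dict], field: str,
                         delimiters: str = "/") -> Dict:
    """Nested dict of levels; each node's "_members" lists the actors whose
    value ends exactly at that node.

    Actors whose field is missing or empty are skipped, matching the
    documented behaviour that such actors do not appear in the model.
    """
    root: Dict = {}
    for actor in actors:
        value = actor.get(field)
        if not value:
            continue
        node = root
        for segment in split_path(value, delimiters):
            node = node.setdefault(segment, {})
        node.setdefault("_members", []).append(actor["name"])
    return root


def levels(tree: Dict, prefix: str = "") -> List[str]:
    """Flatten the hierarchy into "USA/California/..." paths, in tree order."""
    paths: List[str] = []
    for key, sub in tree.items():
        if key == "_members":
            continue
        path = f"{prefix}{key}"
        paths.append(path)
        paths.extend(levels(sub, path + "/"))
    return paths


if __name__ == "__main__":
    by_location = build_category_model(ACTORS, "Location", "/")
    print(levels(by_location))
    # ['USA', 'USA/California', 'USA/California/Mountain View']
    by_url = build_category_model(ACTORS, "Home Page", "://.")
    print(levels(by_url))
```

Actor A ends up as a member of the USA node while Actors B and C sit under USA/California/Mountain View, which is the three-level graph the text describes; Actor D, with no Location, is absent from the Location model but present in the URL model.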
Creating User-Defined Category Models
User-defined (or manually-created) category models are a way to group actors who share
one or more attributes that are outside of the actor schema, for example, users who come
in on Saturdays, users who play racquetball, or users who take public transportation.
The user-defined groupings can be created in hierarchical fashion. For example, users who
take public transportation can be further classified into those who take the train, those
who take the bus, and those who take a ferry. For user-defined category models, the
hierarchy evaluation is based on the actor’s UUID value.
1
When creating category models based on user-defined attributes, enter the following
values in the Attributes tab of the Category Model editor:
Attribute Field
Description
Name
Enter a name for the category model. This name will
appear in pick lists and wherever category models can be
referenced in conditions. Spaces, underscores, and
hyphens are OK.
Create From
Use the Create From field to select the type of category
model.
For a user-defined attribute category model, select
Manually. After the category model is saved, this field
becomes read-only.
Field Set
By default, the system uses the Actor Base field set, since
only actor-based fields are relevant for category models.
You can also select a user-defined actor field set.
The field set selected here defines the columns available for
the table below the graph view (for more about the graph
view, see “Viewing Category Models in Graphs” on
page 221). After the category model is saved, this field
becomes read-only.
Attribute Field
Description
Relationship Name
Use this optional field to describe the relationship you want
the category model to show.
For example, if you want the category model to show actors
who take different types of public transportation, you could
enter Commutes By to identify the relationship between the
actor and the group he is associated with.
The value you enter here appears as a mouse-over tool tip
on the relationship lines that connect the actor and the
attribute they’re being modeled by in the category model
graph view.
Parent Field, Child Field, and Delimiter don’t apply to this category model.
For a description of what to enter in the Common fields, see “Common Resource Attribute
Fields” on page 630.
2
Use the Data tab to define the attributes by which you want to group users, and to
add actors to the category model.
For example, if you want to create a hierarchy of users that take different types of
public transportation, do the following:
a
In the Category Model editor at the Data tab, click New Group.
The name of the new group is automatically highlighted so you can give it a
relevant name, for example, Public Transportation Commuters. Press the
Enter key to save the new name.
To rename a group at any time, right-click the group and select Rename; or click
the Rename button. After entering the new name, press Enter.
b
Add actors to the category model group. You can add actors from the Navigator
panel and from an actors channel in the Viewer panel.
From the Navigator panel: Drag and drop actors from the navigator panel into
the category model group. You can drag and drop multiple actors at a time.
From an Actors channel in the Viewer panel: You can view any group of
actors in an actors channel in the Viewer panel. An actors channel is the only way
to view groups with 1,000 or more members. Select the actors you want to add to
the category model group, right-click, and select Add to Category Model.
• To select multiple actors in a row, use Shift+click.
• To select multiple actors out of sequence, use Ctrl+click.
c
To create a sub-group of the first group, such as Train Commuters and Bus
Commuters, click New Group again. You can also right-click the existing group
(or right-click anywhere in the editor panel) and select New Group.
• By default, the new group is made a child of the first group.
• You can make the new group a parent group by dragging and dropping it to
the desired location, or click Move Out (or right-click the group and select
Move Out).
• You can make a parent group the child of another by dragging and dropping
the group to the desired location, or click Move In (or right-click the group
and select Move In).
• There is no limit to the number of parent nodes you can have, nor a limit on
the number of child nodes.
3
View the category model in a resource graph. Right-click the category model and
select View Category Model. For more about viewing category models as graphs,
see “Viewing Category Models in Graphs” on page 221.
Editing a Category Model
To edit an existing category model:
1
In the Navigator panel, double-click the category model to open the Category Model
editor. Or right-click the category model and select Edit Category Model.
2
Make edits to the category model attributes, click OK to save, and close the editor.
Click Apply to save the category model and leave the editor open.
For details about the category model fields for the different types of category models,
see “Creating and Using Category Models” on page 212.
Moving or Copying a Category Model
You can move or copy a category model the same way you move or copy any resource.
To move or copy a category model:
1
In the category model resource tree, navigate to a category model and drag and drop it
into another group.
2
Choose Move to move the category model, Copy to make a separate copy of the
category model, or Link to create a copy of the category model that is linked to the
original category model.
If you choose Copy, you create a separate copy of the category model that will not be
affected when the original category model is edited. If you choose Link, you create a
copy of the category model that is linked to the original category model. Therefore, if
you edit a linked category model, whether the original or the copy, all links are edited
as well. When deleting linked category models, you can either delete the selected
category model or all linked category model copies.
Deleting a Category Model
To delete a category model:
1
In the Navigator panel, right-click the category model and select Delete Category
Model.
2
At the confirmation dialog box, click Delete.
Viewing Category Models in Graphs
To fully visualize a category model, view it as a graph. Category model graphs are very
similar to resource graphs, only instead of modeling relationships among all resources,
category model graphs render relationships among attributes of actor resources.
To view category model graph:
In the Navigator panel, right-click a category model and select View Category
Model.
The Viewer panel displays the graph. By default, all top-level nodes are displayed in
collapsed form.
Working with Category Model Graphs
The category model graphs are displayed on the Viewer panel. As with all resource graphs,
there is a set of command buttons at the top of the view and a parallel set of commands
available by right-clicking the graph itself.
The table below lists the category model toolbar buttons and the equivalent
right-click commands.
Command
Description
Fit Content
Size the model to the available display space.
Zoom In / Zoom Out
Increase or decrease the size of the displayed model.
The system is optimized to show the entire category model graph in the
available space of the viewer panel. If a category model has many nodes and
members, its elements can appear very small. To zoom in, click the zoom in
icon (+ magnifying glass). To zoom out, click the zoom out icon (- magnifying
glass).
Zoom Selected
Zoom in on a selected portion of the model.
Hierarchic Layout
Present nodes in a vertically descending cascade, similar to a family tree.
Hierarchic layouts are appropriate when viewing event relationships that have
a common root.
Organic Layout
Display nodes in an arrangement based on minimum edge length, which tends to
cluster nodes that relate to a common node. Likewise, node clusters with nodes
in common will also tend to group together.
Circular Layout
Position nodes in hub-and-spoke arrangements with each node radiating edges
to, or receiving edges from, the nodes with which it interacts. Circular
layouts are most useful when multiple roots are present or there are a number
of source-target relationships to clarify. If an organic layout is difficult
to read because the edges are too dense, try a circular layout instead.
Orthogonal Layout
Arrange nodes on the basis of logical connections, using electrical
schematic-style right-angle layouts. These layouts are very useful for clearly
tracing connections and identifying node clusters.
Overview
Open a reduced rendering of the entire graph. You can drag the highlighted
section in the reduction to move the displayed area in the main view.
Hierarchy Tree
Open a complete list of the nodes as seen on the category model editor’s Data
tab. Click a node in the list to scroll to that node in the main view.
Print
Print the displayed model.
Export to JPEG
Create and save a JPEG-format copy of the current image.
Add Graph View to Case
Add the current graph view to a case you select. Choosing this option opens
the Case Selector dialog, where you can browse cases. Select a case to which
to add the current graph view and click OK on the Case Selector dialog. The
graph view is added to the selected case as an attachment, accessible on the
Attachments tab in the case editor for that case.
Help
Display the relevant ArcSight Console online Help topic.
Expand One Level / Collapse One Level
Expand all collapsed nodes to display the nodes one level below; collapse one
level of all expanded nodes. This feature works only if no node has been
manually expanded or collapsed beforehand.
Plus (+) / Minus (-)
Expand or collapse a single node on the graph.
Increase / Decrease Node to Node Distance
Increase or decrease the distances between nodes by small increments. This
feature works on expanded nodes.
Single-person icon
Denotes an individual actor.
Two-person icon
Denotes a group of actors.
Every time a node is expanded or collapsed, the entire category model graph re-sizes to fit
into the available space of the viewer panel.
Actors with no value for the field used to define the category model do not appear in the
model. For example, if you build the category model on the Office attribute, and an actor
does not have a value in the Office field, that actor is not represented in the category
model view.
For more about resource graphs, see “Visualizing Resources” on page 620.
Leveraging Category Model Data Using Variables
You can use the HasRelationship function in local and global variables to leverage data
represented in a category model.
Local and global variables are available in resources that use conditions: active channels,
filters, rules, data monitors, and queries. Local variables are available for use only in the
resource for which the variables are defined; global variables can be re-used in multiple
condition-based resources.
To leverage data represented by a category model in a variable:
1
Launch the variable editor.
• Local variable: From the channel, filter, rule, query, or data monitor editor, click
the Local Variable tab. Click Add to launch the Add Local Variable dialog box.
• Global variable: In the Navigator panel, go to Field Sets. On the Fields & Global
Variables tab, right-click a group and select New Global Variable.
In the Attributes tab, specify Event as the variable type.
For details about the fields in the Global Variable Editor Attributes tab, see “Global
Variable Editor: Attributes Tab” on page 437.
2
Select the function category Category Model and the HasRelationship function.
In the Arguments section, select the category model whose data you want to leverage
and specify the parent and child field or group.
Field
Description
Name
When creating a local variable based on category model data,
provide a friendly name for the variable. This name is used
anywhere the variable is applied (in the Common Conditions
Editor and in resource field selectors).
Function
From the Function drop-down menu:
1
Select the category Category Model.
2
Select the function HasRelationship.
3
Click OK.
Category Model
Browse to and select the category model from which you
want to leverage data.
Parent Field or
Group
Navigate to the field or single-value variable you want to
use as the parent. Use the Field/Group drop-down to
indicate whether the parent is a field (single attribute) or a
group.
Child Field or
Group
Navigate to the field or single-value variable you want to
use as the child.
Inherit All Related
Actors
Select true for the variable to consider all the actors in a
related hierarchy. For example, VP > Director > Manager
> direct report.
Select false for the variable to consider only direct
relationships between actors. For example, Manager >
direct report.
For details about working with the Global Variable editor, see “Creating a Global Variable”
on page 436.
For details about local variables and the functions available to both local and global
variables, see “Variables” on page 947.
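The Parent, Child and Inherit All Related Actors arguments above are easiest to understand against a concrete hierarchy. The Python below is an added example, not ArcSight code or the HasRelationship implementation: it holds a constructed reporting chain (VP > Director > Manager > direct report) as a category-model-style tree keyed by made-up actor identifiers, and evaluates the parent/child check once with Inherit All Related Actors = false (direct relationship only) and once with true (any descendant). The identifiers, the event field names and the rule-style filter at the end are assumptions.

```python
# Added example, not ArcSight code: HasRelationship-style evaluation over a
# category-model hierarchy, with and without "Inherit All Related Actors".
from collections import deque
from typing import Dict, Iterable, List, Set

# Constructed category model: each key is a parent node, each value lists
# its direct children. Identifiers stand in for actor UUIDs (assumptions).
REPORTING_CHAIN: Dict[str, List[str]] = {
    "vp-1": ["dir-1", "dir-2"],
    "dir-1": ["mgr-1"],
    "dir-2": ["mgr-2"],
    "mgr-1": ["emp-1", "emp-2"],
    "mgr-2": ["emp-3"],
}


def direct_children(model: Dict[str, List[str]], parent: str) -> Set[str]:
    """Nodes one level below parent (Inherit All Related Actors = false)."""
    return set(model.get(parent, ()))


def all_descendants(model: Dict[str, List[str]], parent: str) -> Set[str]:
    """Every node anywhere below parent (Inherit All Related Actors = true).

    Breadth-first with a visited set, so an accidental cycle in the model
    (two actors listed as each other's manager) cannot loop forever.
    """
    seen: Set[str] = set()
    queue = deque(model.get(parent, ()))
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(model.get(node, ()))
    return seen


def has_relationship(model: Dict[str, List[str]], parent: str, child: str,
                     inherit_all_related_actors: bool) -> bool:
    """True if child sits under parent in the model.

    With inherit_all_related_actors=False only a direct Manager > report link
    counts; with True the whole VP > Director > Manager > report chain does.
    """
    if inherit_all_related_actors:
        related = all_descendants(model, parent)
    else:
        related = direct_children(model, parent)
    return child in related


def events_outside_chain(events: Iterable[dict], model: Dict[str, List[str]],
                         inherit: bool) -> List[str]:
    """Rule-style filter (assumption): IDs of events in which the attacker
    actor is NOT above the target actor, i.e. the access to the target's
    account is not explained by a reporting relationship."""
    return [ev["id"] for ev in events
            if not has_relationship(model, ev["attackerActor"],
                                    ev["targetActor"], inherit)]


# Constructed sample events; the field names are assumptions, not ESM schema.
SAMPLE_EVENTS = [
    {"id": "e1", "attackerActor": "mgr-1", "targetActor": "emp-1"},  # direct report
    {"id": "e2", "attackerActor": "vp-1", "targetActor": "emp-1"},   # skip-level
    {"id": "e3", "attackerActor": "emp-3", "targetActor": "vp-1"},   # upward, never related
]

if __name__ == "__main__":
    print(events_outside_chain(SAMPLE_EVENTS, REPORTING_CHAIN, inherit=False))
    print(events_outside_chain(SAMPLE_EVENTS, REPORTING_CHAIN, inherit=True))
```

With inherit=False the skip-level event e2 is flagged alongside e3, because the VP is not the direct parent of the employee; with inherit=True only e3 remains, since an upward relationship is never a parent/child match in either mode.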
Actor-Related Resources Provided in Standard
Content
Standard content includes basic resources that provide infrastructure support for the Actor
Resource Framework, global variables for extracting specific data from actor fields, and
basic resources that track statistics when actors are added, updated, and deleted.
For an overview of the infrastructure that supports the actors feature, see “How the Actors
Feature Works” on page 191.
For a list of the audit events generated by actor change events, see the “Actor” section,
under “Audit Events” on page 756.
Actor Resource Framework Global Variables
The Actor Resource Framework provides a series of actor global variables and uses the
following variables to identify an actor from data contained in the base actor fields and in
elements of the Actor Resource Framework. These global variables are located in Field
Sets > Fields & Global Variables All Fields/ArcSight System/Actor
Variables.
Actor Variable
Description
ActorByAccountID
This variable maps the account information in an event
with an actor. The account information consists of the
device vendor and product, and information derived
from the attacker or target user name, with preference
to the attacker user name.
ActorByAttackerUserName
This variable maps the account information in an event
with an actor. The account information consists of the
device vendor and product, and information derived
from the attacker user name.
ActorByCustomFields
This variable attempts to retrieve actor information
from events where the authenticator information is
maintained in device custom strings. It works similarly
to the ActorByAccountID variable, but maps Device
Custom String 1 to the vendor field, Device Custom
String 2 to the product field, and Device Custom String
3 should hold the Account ID.
ActorByDN
This Actor global variable looks for a DN (Distinguished
Name) in Device Custom String1, and retrieves the
Actor with that DN.
ActorByTargetUserName
This variable maps the account information in an event
with an actor. The account information consists of the
device vendor and product, and information derived
from the target user name.
ActorByUUID
This Actor global variable looks for a UUID in Device
Custom String1, and retrieves the Actor with that
UUID.
When expanded in the Navigator panel, the global variable lists all the fields produced as a
result of the global variable conditions.
Although these global variables are leveraged by the Actor Resource Framework, you can
also select any of these global variables wherever global variables can be selected: active
channels, filters, report queries, rules, field sets, and data monitors.
The Actor Resource Framework uses these variables to identify actors, and you can also
use these global variables in a condition, or as a field selection. For example, a query could
use one of the Actor Resource Framework global variables to get the full name of an actor
related to the selected events, or the actor field Full Name could be used as a display
field in a data monitor.
The Actor Resource Framework global variables rely on the actor’s account and identity
information available in the actor resource and in the look-up tables provided by the
Actor Resource Framework. To establish an actor’s identity, the Actor Resource Framework
global variables perform the following steps:
1
Selects a field from an event that contains information that can be tied to a specific
actor.
2
Determines the Authenticator using the event’s agent address and zone, and device
vendor and product information.
3
Combines the Authenticator with the data from the event field (from step 1) to look up
the actor data:
a
Uses the Authenticator and event field data as keys to get the value representing
the actor from the Actor Resource Framework.
b
Returns the information as the returned value of the global variable based on
information stored in the Actor Resource Framework.
As a user, you can use an Actor Resource Framework global variable in a condition (for
example, ActorByAccountID.Manager = John Doe), or as a display value in a
query, data monitor, or to set an event field action in a rule (for example, select
getActorByEmail.fullName, targetAssetZoneName, targetAssetName, name,
count).
For instructions about how to add global variables to a resource, see “Adding a Global
Variable to a Resource” on page 442, and “Adding or Removing Global Variables Using the
CCE” on page 793 in the reference topic “Common Conditions Editor (CCE)” on page 782.
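The three steps above, worked through in Python as an added example (not ArcSight code and not the Actor Resource Framework's real look-up tables): the authenticator is resolved from constructed agent zone/address and device vendor/product entries, combined with the account ID taken from the event to find the actor, and the result is used in a condition of the form ActorByAccountID.Manager = John Doe. The table contents, event field names and sample values are constructed; the preference order (attacker user name before target user name) and the Device Custom String mapping follow the variable descriptions in the table above.

```python
# Added example, not ArcSight code: the lookup sequence the Actor Resource
# Framework global variables perform, over constructed look-up tables.
from typing import Dict, Optional, Tuple

# Step 2 input (constructed): authenticator determined from the event's agent
# zone and address plus the device vendor and product.
AUTHENTICATORS: Dict[Tuple[str, str, str, str], str] = {
    ("Corp Zone", "10.0.0.5", "Microsoft", "Active Directory"): "CORP-AD",
    ("Corp Zone", "10.0.0.9", "Cisco", "Secure ACS"): "CORP-ACS",
}

# Step 3a input (constructed): (authenticator, account ID) -> actor UUID.
ACCOUNTS: Dict[Tuple[str, str], str] = {
    ("CORP-AD", "jdoe"): "uuid-1001",
    ("CORP-ACS", "jdoe"): "uuid-1001",   # same person, second authenticator
    ("CORP-AD", "asmith"): "uuid-1002",
}

# Step 3b input (constructed): actor resources keyed by UUID.
ACTORS: Dict[str, Dict[str, str]] = {
    "uuid-1001": {"fullName": "Jane Doe", "manager": "John Doe", "status": "Active"},
    "uuid-1002": {"fullName": "Al Smith", "manager": "John Doe", "status": "Terminated"},
}


def authenticator_for(event: dict, vendor_field: str = "deviceVendor",
                      product_field: str = "deviceProduct") -> Optional[str]:
    """Step 2: resolve the authenticator from agent zone/address and vendor/product."""
    key = (event.get("agentZone"), event.get("agentAddress"),
           event.get(vendor_field), event.get(product_field))
    return AUTHENTICATORS.get(key)


def lookup_actor(authenticator: Optional[str],
                 account_id: Optional[str]) -> Optional[dict]:
    """Step 3: combine authenticator and account ID into the look-up key and
    return the actor record, or None when any part is missing or unknown."""
    if not authenticator or not account_id:
        return None
    uuid = ACCOUNTS.get((authenticator, account_id))
    return ACTORS.get(uuid) if uuid else None


def actor_by_attacker_user_name(event: dict) -> Optional[dict]:
    return lookup_actor(authenticator_for(event), event.get("attackerUserName"))


def actor_by_target_user_name(event: dict) -> Optional[dict]:
    return lookup_actor(authenticator_for(event), event.get("targetUserName"))


def actor_by_account_id(event: dict) -> Optional[dict]:
    """Step 1 for ActorByAccountID: the attacker user name is preferred; the
    target user name is used only when the attacker user name is empty."""
    account = event.get("attackerUserName") or event.get("targetUserName")
    return lookup_actor(authenticator_for(event), account)


def actor_by_custom_fields(event: dict) -> Optional[dict]:
    """ActorByCustomFields: Device Custom String 1 = vendor, 2 = product,
    3 = account ID, instead of the device vendor/product/user name fields."""
    auth = authenticator_for(event, "deviceCustomString1", "deviceCustomString2")
    return lookup_actor(auth, event.get("deviceCustomString3"))


def manager_is(event: dict, manager: str) -> bool:
    """Condition of the form ActorByAccountID.Manager = <name>; an event whose
    actor cannot be resolved evaluates to false rather than raising."""
    actor = actor_by_account_id(event)
    return actor is not None and actor["manager"] == manager


# Constructed sample events (CEF-style field names; values are made up).
EVENTS = {
    "logon": {"agentZone": "Corp Zone", "agentAddress": "10.0.0.5",
              "deviceVendor": "Microsoft", "deviceProduct": "Active Directory",
              "attackerUserName": "jdoe", "targetUserName": "asmith"},
    "target_only": {"agentZone": "Corp Zone", "agentAddress": "10.0.0.5",
                    "deviceVendor": "Microsoft", "deviceProduct": "Active Directory",
                    "attackerUserName": "", "targetUserName": "asmith"},
    "unknown_device": {"agentZone": "Corp Zone", "agentAddress": "10.0.0.7",
                       "deviceVendor": "Acme", "deviceProduct": "Widget",
                       "attackerUserName": "jdoe"},
    "custom": {"agentZone": "Corp Zone", "agentAddress": "10.0.0.9",
               "deviceCustomString1": "Cisco", "deviceCustomString2": "Secure ACS",
               "deviceCustomString3": "jdoe"},
}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        actor = actor_by_account_id(ev) or actor_by_custom_fields(ev)
        print(name, "->", actor["fullName"] if actor else None)
```

The "unknown_device" event shows the failure mode worth remembering when you build conditions on these variables: an event from a device with no authenticator entry resolves to no actor, so a condition such as ActorByAccountID.Manager = John Doe silently evaluates to false for it rather than matching.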
Tracking Actor Configuration Changes Using Standard
Content
The actor configuration changes resources show different configuration changes made to
the actor resources using an active channel, dashboards and data monitors, query viewers,
and reports. The changes can be initiated either by edits made directly to an actor
resource, or updates received from an Actor Model Import connector.
Actor Configuration Changes: Monitoring
You can use these resources to monitor actor configuration changes.
Resource
Name
Description, Location
Active Channel
Actor Audit Events
This active channel displays events
related to changes to data in the actor
resources.
All Active Channels/ArcSight
Administration/ESM/Configuration
Changes/Actors
Dashboard
Actor Administration
This dashboard shows the “Actor
Authenticators” query viewer.
All Dashboards/ArcSight
Administration/ ESM/Configuration
Changes/Actors
Dashboard
Actor Change Log
This dashboard shows an overview of
Actor resource changes based on the
Actor Change Overview and Actor Change
Log query viewers.
All Dashboards/ ArcSight
Administration/ ESM/ Configuration
Changes/Actors
Resource
Name
Description, Location
Data monitor
Actor Change Log
This data monitor displays the most
recent events related to changes in
actors. These changes include creation,
deletion, and modification of single-valued and multi-valued parameters of
actor resources.
Note: This Data Monitor will not populate
all values when running in Turbo Mode
Fastest!
All Data Monitors/ArcSight
Administration/ESM/Configuration
Changes/Actors/Actor Change Log
Data monitor
Actor Change Overview
This data monitor shows an overview of
the ArcSight Actor resource changes. The
data monitor shows the total number of
changes by type for the last hour.
All Data Monitors/ArcSight
Administration/ESM/Configuration
Changes/Actors/Actor Change
Overview
Actor Configuration Changes: Query Viewers
You can use these query viewers directly to monitor actor configuration changes, and they
are also used by the actor configuration dashboards and reports. These query viewers are
all located in All Query Viewers/ArcSight Administration/ESM
/Configuration Changes/Actors.
The queries upon which these query viewers are based can be found in Reports >
Queries All Queries/ArcSight Administration/ESM/Configuration
Changes/Actors.
Query Viewer Name
Description, Location
Actor Authenticators
This query viewer shows the list of all the authenticators for
actors.
Actor Configuration
Changes
This query viewer displays all audit events resulting from
changes to Actor resources.
Note: This will not populate all values when running in
Turbo Mode Fastest!
Actor Full Name and
Email Changes
This query viewer shows information from Actor audit
events resulting from changes to an actor's Full Name or
Email attribute, showing the old and new information.
Actor Manager and
Department Changes
This query viewer shows information from Actor audit
events resulting from changes to an actor's Department or
Manager attribute, showing the old and new information.
Actor Title and Status
Changes
This query viewer shows information from Actor audit
events resulting from changes to an actor's Title or Status
attribute, showing the old and new information.
Query Viewer Name
Description, Location
Actors Created
This query viewer displays all the audit events for actors
that have been created.
Note: This will not populate all values when running in
Turbo Mode Fastest!
Actors Deleted
This query viewer displays audit events for actors that have
been deleted.
Note: This will not populate all values when running in
Turbo Mode Fastest!
Actor Updated
This query viewer displays audit events for actors that have
been updated.
Note: This Report will not populate all values when running
in Turbo Mode Fastest!
IDM Deletions of Actors
This query viewer shows a list of actors that have been
deleted by the IDM. The query will not show actors that you
deleted.
Actor Configuration Changes: Reports
These reports leverage queries to report about specific types of changes made to actor
resources, and by whom the changes were made. These reports are all located in All
Reports/ArcSight Administration/ESM/Configuration Changes/Actors.
The queries upon which these reports are based can be found in Reports >
Queries, under All Queries/ArcSight Administration/ESM/Configuration
Changes/Actors.
Name
Description, Location
Actor Full Name and
Email Changes
This report shows information from Actor audit events
resulting from changes to an actor's Full Name or Email
attribute, showing the old and new information.
Actor Manager and
Department Changes
This report shows information from Actor audit events
resulting from changes to an actor's Department or
Manager attribute, showing the old and new information.
Actor Title and Status
Changes
This report shows information from Actor audit events
resulting from changes to an actor's Title or Status
attribute, showing the old and new information.
Configuration Changes
by Type
This report shows recent ArcSight Actor configuration
changes in a table. The table lists all the changes, grouped
by type and user, and sorts them chronologically.
Configuration Changes
by User
This report shows recent ArcSight Actor configuration
changes in a table. The table lists all the changes, grouped
by user and type, and sorts them chronologically.
Created
This report shows the list of all the actors created on the
previous day.
Note: This Report will not populate all values when running
in Turbo Mode Fastest!
Name
Description, Location
Deleted
This report displays audit event information for actors that
have been deleted.
Note: This does not populate all values when running in
Turbo Mode Fastest!
IDM Deletions of Actors
This report shows a list of actors that have been deleted by
the IDM. The report does not show actors that you deleted.
Updated
This report shows the list of all the actors updated on the
previous day.
Note: This Report does not populate all values when
running in Turbo Mode Fastest!
Actor Configuration Changes: Global Variables
The actor configuration changes content leverages a series of global variables that extract
particular values from the fields of actor audit events, so that each resource can focus on
the specific actor change it monitors. These global variables are located in Field Sets >
Fields & Global Variables, under All Fields/ArcSight Administration/ESM/Actor.
Name
Description, Location
Department New Value
This global variable extracts the new value for the
Department in actor update audit events (single-value
parameters).
Department Old Value
This global variable extracts the old value for the
Department in actor update audit events (single-value
parameters).
DN New Value
This global variable extracts the new value for the DN
(Distinguished Name) in actor update audit events (single-value parameters).
DN Old Value
This global variable extracts the old value for the DN
(Distinguished Name) in actor update audit events (single-value parameters).
Email Address New
Value
This global variable extracts the new value for the Email
Address in actor update audit events (single-value
parameters).
Email Address Old
Value
This global variable extracts the old value for the Email
Address in actor update audit events (single-value
parameters).
Employee Type New
Value
This global variable extracts the new value for the
Employee Type in actor update audit events (single-value
parameters).
Employee Type Old
Value
This global variable extracts the old value for the Employee
Type in actor update audit events (single-value
parameters).
Full Name New Value
This global variable extracts the new value for the Full
Name in actor update audit events (single-value
parameters).
Full Name Old Value
This global variable extracts the old value for the Full Name
in actor update audit events (single-value parameters).
Name
Description, Location
Location New Value
This global variable extracts the new value for the Location
in actor update audit events (single-value parameters).
Location Old Value
This global variable extracts the old value for the Location
in actor update audit events (single-value parameters).
Manager New Value
This global variable extracts the new value for the Manager
in actor update audit events (single-value parameters).
Manager Old Value
This global variable extracts the old value for the Manager
in actor update audit events (single-value parameters).
Org New Value
This global variable extracts the new value for the Org in
actor update audit events (single-value parameters).
Org Old Value
This global variable extracts the old value for the Org in
actor update audit events (single-value parameters).
Status New Value
This global variable extracts the new value for the Status in
actor update audit events (single-value parameters).
Status Old Value
This global variable extracts the old value for the Status in
actor update audit events (single-value parameters).
Title New Value
This global variable extracts the new value for the Title in
actor update audit events (single-value parameters).
Title Old Value
This global variable extracts the old value for the Title in
actor update audit events (single-value parameters).
Chapter 10
Query Viewers
This topic describes how to define and use query viewers to get high-level summaries
about trends, events, other resources, and system health along with drill-down capability in
a dynamic viewer.
“What are Query Viewers?” on page 233
“Navigating to Query Viewers” on page 235
“Pre-Built and Custom Query Viewers” on page 235
“Running Queries and Viewing Results” on page 237
“Adding Query Viewers to Dashboards” on page 248
“Making Query Viewer Results Available to ArcSight Web” on page 248
“Adding Query Viewers as Startup Views” on page 248
“Generating Reports from Query Viewers” on page 249
“Defining and Using Baselines” on page 250
“Customizing Query Viewers” on page 257
“Editing a Query Viewer” on page 270
“Deleting a Query Viewer” on page 271
“Example Queries for Common Scenarios” on page 271
What are Query Viewers?
Query viewers are a type of resource for defining and running SQL queries on other
resources, including trends, assets, cases, connectors, events, and so forth. Each query
viewer contains an SQL query along with other logic for establishing and comparing
baseline results, analyzing historical data to find patterns in network activity, and
performing drill-down investigation on a particular aspect of the results. The query viewer
you create displays all the fields specified in the query you select (or create) for the query
viewer.
You can use query viewers to run the same SQL queries used for reports, and get results
quickly. Then, if desired, you can generate a simple report directly from the query viewer
results. Full-featured reporting (with queries, trends, and templates) is still offered for
more robust reporting requirements (see “Building Reports” on page 279), but query
viewers provide a shortcut to running those same SQL queries apart from reporting. (See
also, “Active Channels or Query Viewers?” on page 86.)
Query viewers provide high-level summaries to monitor system health, reveal trends, and
allow for drill-down investigation of all types of resources. Query viewers can work with
trend tables rather than event tables, and so can return results much faster than Active
Channels.
The SQL-based summary views and trend analysis in query viewers use aggregation to
provide a higher-level perspective than data gleaned from exclusively event-focused active
channels and snapshot, limited-range data monitors.
Query viewers offer a way to run queries outside of a full reporting paradigm (where
queries and trends are always tied to a particular report). They offer a quick way to run
SQL queries on the data sources available to report queries.
Also, you can generate simple reports directly from query viewer results.
Query Viewers leverage an existing report query to run SQL queries on data sources, such
as trends, active lists, session lists, assets, cases, events, and notifications. Each query
viewer contains a base SQL query along with other logic for establishing and comparing
baseline results, analyzing historical data to find trends, and performing drill-down
investigation on a particular aspect of the result. The results are displayed in interactive
charts and tables, which can be added to dashboards and published as reports.
Query viewers provide:
• A quick way to run SQL queries and trends apart from full-scale reporting. If
you want to run a pre-built SQL query and view results quickly, or build and test
several iterations of a custom query, query viewers are an easy way to do it. (You can
also generate a simple report directly from a query viewer.)
• High-level summaries. For example, using the aggregation provided by queries and
trends allows summaries of “interesting things” over the last month, day, or hour.
• Non-event-based summaries. Queries can be used to analyze resources other than
events (such as assets and cases).
• Event-based summaries. Queries can be used to analyze events, and eventually
lead to active channels (with drill-down investigation).
• Baselines. Analysts can apply a baseline to the information resulting from a particular
run of a query viewer. A baseline acts as a reference point against which to compare
results of other runs of the same query and highlights the deltas (differences) to help
identify areas that vary significantly from normal.
• Drilldown. Query viewers can provide drilldown investigation into the same or
another query viewer for good performance on the next level of results as well.
Ultimately, the drilldown can lead to an event channel, where the performance costs
are the trade-off for the power of event-based analysis in an active channel. The query
viewer author defines the appropriate drilldown paths and levels.
• Performance. Query viewers can use trend tables which are typically much smaller
than event tables, and can be pre-built with summary views in mind. So, in most cases
query viewers can return and display results faster than Active Channels.
• History. When based on trends, query viewer result data can be kept for as long as
desired and be independent of the event archival process.
• Flexibility. ArcSight provides both pre-built query viewers and a resource editor for
adding custom query viewers to suit the needs and environment of your organization.
• Presentation Options. Query viewer results can be displayed as tables (with
baselines, if desired), pie charts, and bar charts, and added to Dashboards for quick
display and monitoring.
Navigating to Query Viewers
In the Navigator panel, select the Query Viewers resource from the drop-down menu.
Pre-Built and Custom Query Viewers
The Manager to which your Console is connected has pre-built query viewers available for
use. At a minimum, you have access to standard content query viewers that ship with
ArcSight. You might also have access to custom query viewers provided by content
developers for your organization.
Standard Content
ArcSight comes with a set of pre-built query viewers that address common network
monitoring and trend analysis scenarios. To access the standard content query viewers, in
the Navigator panel select Query Viewers, then click to expand the list to Query
Viewers/Shared/All Query Viewers.
Folders for ArcSight Foundation and ArcSight Administration include the standard content
query viewers.
If you have purchased ArcSight Solutions packages, query viewers for those are displayed
under ArcSight Solutions.
For information on how to run and use any pre-built query viewer, see “Running Queries
and Viewing Results” on page 237, “Generating Reports from Query Viewers” on page 249,
and “Defining and Using Baselines” on page 250.
Custom Query Viewers
When administrators or content developers at your organization create custom query viewers, they have the option of sharing these with other administrators and users. So, depending on your role and user permissions, you might have access to:
• query viewers that ship with ArcSight
• custom-built query viewers that other administrators have shared
• your own custom-built query viewers
For information on how to create your own custom query viewers, see “Customizing Query
Viewers” on page 257.
Customizing Query Viewers as Needed
You can modify the provided query viewers as needed to get the data you want.
Customizing an existing query viewer can range from hiding or showing data fields,
changing the sort order inherited from the base query, to adding variables and modifying
key fields. These kinds of changes do not affect the base query, only the query viewer.
Once a query viewer is defined to reference a particular base query, that query viewer cannot be changed. If you want to reference a different base query, you need to create a new query viewer. This raises an important point: where do you get the base queries you need? See “Query Viewers Need Base Queries” on page 236 to find out.
inActiveList Conditions for Queries
In a query, you can define an inActiveList condition and map multi-valued attributes to single-valued active list fields. For example, suppose you have an active list that keeps track of roles, where the role value can be Normal, Restricted, or Privileged. You can test whether an actor has one of these roles through the inActiveList condition. In this scenario, your list has a field called RoleName. You map the actor's role name attribute to this field. Keep in mind that an actor's RoleName attribute is multi-valued because an actor can have multiple roles. Through the inActiveList condition, your query checks whether one of the actor's roles is, for example, Privileged.
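The following Python model is an added example, not ArcSight code and not the Console's own SQL. It shows the semantics described above: a multi-valued actor attribute (roles) is tested against the single-valued RoleName field of an active list, and the condition holds when any one of the actor's roles appears in the list. The Actor class, the in_active_list and actors_in_list functions, and the sample actors and list entries are constructed for illustration.

```python
# Added example, not ArcSight code: models an inActiveList condition that maps
# a multi-valued actor attribute (roles) to the single-valued RoleName field of
# an active list. The condition holds when ANY one of the actor's roles appears
# as a RoleName entry, which is what the text describes for Privileged.
from dataclasses import dataclass, field


@dataclass
class Actor:
    name: str
    roles: list[str] = field(default_factory=list)  # multi-valued attribute


# Constructed sample active list: one single-valued RoleName per entry.
PRIVILEGED_ROLES = [{"RoleName": "Privileged"}]


def in_active_list(actor, active_list, list_field="RoleName"):
    """True if at least one of the actor's roles matches a list entry's field.

    An actor with no roles can never match; an actor whose roles include
    Privileged matches even when the other roles are Normal or Restricted.
    """
    list_values = {entry[list_field] for entry in active_list}
    return any(role in list_values for role in actor.roles)


def actors_in_list(actors, active_list=PRIVILEGED_ROLES):
    """Names of the actors that satisfy the inActiveList condition, in order."""
    return [a.name for a in actors if in_active_list(a, active_list)]


# Constructed sample actors; only bob and erin hold the Privileged role.
SAMPLE_ACTORS = [
    Actor("alice", ["Normal"]),
    Actor("bob", ["Normal", "Privileged"]),
    Actor("carol", ["Restricted"]),
    Actor("dave", []),
    Actor("erin", ["Privileged"]),
]

if __name__ == "__main__":
    print(actors_in_list(SAMPLE_ACTORS))
```

Swapping PRIVILEGED_ROLES for a list with several RoleName entries tests membership in any of them, which is the general form of the condition.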
Query Viewers Need Base Queries
A primary attribute of any query viewer is the SQL query it references and uses. This is the
core of the query viewer. If you create the query viewer yourself, you define this as part of
the initial query viewer attributes by browsing to and choosing a query from the
Reports/Queries tree. If you are using a pre-defined query viewer, it already references
a base query.
Reports, trends, and query viewers are all consumers of SQL queries, which still must be
created first in the Reports resource Queries tab. So, if you don’t find a query viewer or
query that gives the data view you want, you first need to create a new query in Reports
> Queries. Then go to the Query Viewers resource to create a new query viewer that
references the base query you just created. (For information on creating queries, see
“Building Queries” on page 302.)
Running Queries and Viewing Results
To run a query defined in a query viewer, do either of the following:
• Select a query viewer and choose View Data as... > <Display Format>
• Double-click a query viewer.
   Double-clicking provides the default view, as defined in the query viewer. For information on how to set the default view, see related information on page 259 in “Query Viewer Attributes” on page 258.
The query runs, and returns results in the Viewer on the current state of the network and
event flow.
Alternatively, you can add the result of a query viewer directly to a dashboard. For
information on this, see “Adding Query Viewers to Dashboards” on page 248.
To run queries and view results:
1 In the Navigator panel, choose the Query Viewers resource.
2 Navigate the tree, and select the query viewer you want to run.
3 Right-click the selected query viewer, select View Data as > <Display Format>, and choose one of these options:
   Bar Chart: Display query results as a bar chart.
   Horizontal Bar Chart: Display query results as a horizontal bar chart.
   Pie Chart: Display query results as a pie chart.
   Table: Display query results in table format. Note: Baselines can only be applied to or viewed for query results shown in table format. (For more about establishing and using baselines, see “Defining and Using Baselines” on page 250.)
   Note: Chart-style views (pie and bar charts) are limited to showing a maximum of 99 rows. This is a hard limit for charts to guarantee readability; it is not user-configurable. Therefore, results in chart views and table views for the same query viewer might not match, since table views can accommodate up to 10,000 rows of data in a query result.
Details on how to read and manipulate query results for each of these formats are provided in the topics that follow.

• If you choose a Table display format, the results are displayed instantly.
• If you choose a bar chart or pie chart, you are asked to configure the chart display in the Configure Chart dialog. Select fields for Values and Point Labels:
   Values: The Values drop-down menu lists fields in the query result that contain numeric data types. The value you choose is used as the numbers by which to plot the vertical y axis points on a bar chart or the slice sizes on a pie chart. Values typically represent an unknown set of values, like a count. A common example of numeric data appropriate for values is a time like HourOfDay or a count like Count(Event ID).
   Point Labels: The Point Labels drop-down menu provides fields in the query result that contain non-numeric data types. The point labels are used to plot the horizontal x axis labels on a bar chart or the slice labels on a pie chart. Examples of non-numeric data types appropriate for point labels are timestamps, strings such as those used for event names, and different types of addresses such as IP or MAC addresses. Point labels are typically a known set of limited values (like hours in a day denoted by timestamps).
Example View Settings
For example, for the Event Counts by Hour of Day query viewer, selecting Count(Event ID) for Values (the y axis) and Hour of Day (or Timestamp) for Point Labels (the x axis) results in a display showing the event count for each hour of the day. The event count is depicted on the vertical y axis, with higher bars representing a higher event count for that hour. The hour of day (time) is represented on the horizontal x axis. The event count is shown for the last 24 hours starting at 11 am.
Understanding the Results View
The results are displayed in the Viewer. The following example shows the “Event Counts By Hour of Day” query result as a table, a bar chart, and a pie chart.
Notice that the time range for the base query is shown on the lower left of the query viewer results. Hover the cursor over the time range to see an annotated view of start and end times (data collection start time and data last received). This time range comes from the base query. (Another way to see the query time range is to open the query viewer in the editor and double-click *Query in the Attributes display to drill down to the base query editor, which shows query start and end times.)
Figure: Time Range of Base Query
Working with Query Viewer Results
Various options are available to you with the different query result display formats (Bar
Chart, Horizontal Bar Chart, Pie Chart, or Table).
Viewing query results in table format gives you the ability to establish baselines and make comparisons, as well as manipulate the table data.
Note: Query viewers and channels display results from variable calculations differently. For example, a value may be displayed as -0.1 in a query viewer, and -0.099999999999… in a channel. Such variations are due to differences in the way floating point operations are carried out.
Bar charts and pie charts provide at-a-glance, graphical overviews of the results but with
fewer options for manipulating the data after the fact.
Other options, such as filtering query viewer results or running reports, are available on all result views.
Details of working with each view format are provided in the following topics.
Results in Table Format
To get results in Table format, right-click a query viewer and choose View Data as >
Table. You can sort, re-order, and create/compare baselines for data in a table view.
Investigate View Options
The following right-click Investigate options are available on query viewer results in table
format (obtained by choosing View Data as > Table):
• Baselines. Right-click anywhere on the table of results in the Viewer to add a baseline or compare the current results to an existing baseline.
• Drilldowns. Right-click a row in the table result to launch a given drilldown on that row item (if drilldowns are provided in the query viewer).
• Channels. Right-click a cell in the table result to create an active channel with a filter based on the value of the selected table cell.
• Conditions. Right-click a cell in the table result to add a filter condition based on the value of the cell.
Note: The Investigate options are not available if your base query is not on events (for example, if the query is on a session list).
The Investigate options for results are described in detail in the following table.
Add as baseline
   Add the current results as a baseline for the query viewer.
   Right-click anywhere on the table result in the Viewer to add a baseline to the query viewer or compare the current results to an existing baseline.
   (See “Defining and Using Baselines” on page 250 and “Adding a Baseline” on page 252.)
Compare with: <Baseline>
   Compare the current results with the selected baseline.
   Right-click anywhere on the table result in the Viewer to compare the current results to an existing baseline.
   This menu option is available if there are one or more baselines established for the query viewer. All baselines associated with the query viewer are available from this menu for comparison.
   (See “Comparing Displayed Results to a Baseline” on page 253.)
Drilldowns
   Query viewers enable you to drill down to Active Channels, dashboards, query viewers, and reports. If the query includes an event ID or resource ID, you can also drill down to that resource. See “Viewing an Event or Resource Directly from the Query Viewer” on page 247 for details.
   If there are drilldowns associated with the query viewer, these are listed after the baseline options on the right-click Investigate menu for a selected row in the query viewer result.
   Right-click a row in the table result, and choose Investigate > <Drilldown Option>.
   For example, an Events query viewer could provide drilldowns to view all source addresses for a selected event. Assuming each row in the result table represents an event, choosing this drilldown from the Investigate menu would lead to a table showing source addresses for the selected event.
   (See “Query Viewer Drilldowns” on page 265 and “Drilldown Example” on page 274.)
Create Channel
   Creates an active channel with a filter based on the selected cell in the table result.
   For example, right-clicking a table cell with an event name and choosing Investigate > Create Channel [EventName] creates an active channel that monitors and filters for occurrences of that event name. The filter is always set to the value of the cell (which in this example would be the event name).
   For more information about using active channels, see “Viewing and Using Channels” on page 78.
Add Condition
   Brings up the Conditions Editor for the selected item, where you can add or modify conditions (filters) on the selected item.
   Right-click a cell in the query viewer table result to add a filter condition based on the value of the cell.
   For more information on working with Conditions, see “Common Conditions Editor (CCE)” on page 782.
Column Sort, Display, and Edit Options
Right-click a column header in a query viewer table result to get various options on that
column.
Sort Column
   Sort items in the column in ascending or descending order.
   Columns that have been sorted after the query viewer run show an up or down arrow next to them to indicate the direction of the sort.
   You can also sort the column by left-clicking the column header. Clicking multiple times toggles the sort between:
   • ascending order (indicated by an up arrow next to the header)
   • descending order (indicated by a down arrow next to the header)
   Notes:
   • Sorting on the contents of a column after a query viewer displays its results changes the view of the data provided by the original query. A query sorts during a query run, and then displays the data based on the sorting it did. If you click columns to re-sort, you are changing the sort order the query gave you. In the cases where the original query used a “single-column” sort, you can “get back” to it in the viewer, but you can’t get back to a multi-column sort because this is offered only in the query sort options, not on the Console UI.
   • Keep in mind that this option sorts on the data result returned by the query. This in combination with query row limits (applied when the query is run) can sometimes yield unexpected results. Example: If the query is defined to run on 2 days’ worth of data but hits the 10,000 row limit after processing only 1 day of data, then only 1 day’s worth of data is returned in the result. An “after-query” sort, in this example, is a sort on only 1 day’s worth of data.
   • Sorting at the query viewer level sorts only the data returned by the query to the Viewer. Initial sorting is done by the base query, which is responsible for running against the database. If the query level sort is yielding unexpected results, keep in mind that the original base query sort determines how much you can modify the view of the result.
   See also “Sort Baseline Data” on page 255.
Remove Sort
   Remove a sort on the selected column. You can remove sorting imposed when the query viewer was run or when a UI column-click sort was done on the displayed result.
Show Column
   Right-click anywhere on any column header in a table to get a context menu of columns included in the display result.
   Select columns to hide or show in the result. Columns with no checkmark beside them are hidden.
   This is the equivalent of hiding or showing a column before the query viewer runs. (However, only columns configured to be included in the original query are available to hide/show after the query is run.)
   To show a column in the results view that is currently hidden (whether before or after the query ran), right-click again and choose it (checkmark it).
   See also “Show or Hide Baseline Columns” on page 255.
Size to Fit
   Expand the column, if needed, to accommodate the full width for text in each row of the selected column.
Drag-and-Drop options
   Left-click-and-drag on a column header to reposition it in a different horizontal order in the table. For example, if the original query viewer result shows columns in a given order, you can click-and-drag the Timestamp column header to the right so that the columns display in a different order.
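To make the row-limit interaction in the Sort Column notes concrete, here is an added Python example (not ArcSight code; the base query and the Console's column sort are modelled, not called). It uses a constructed two-day event set and a toy row limit of 6 rows in place of the real 10,000, and contrasts a sort performed by the base query before the limit is applied with a column-header sort performed on the returned rows afterwards. All function names and the sample data are assumptions for illustration.

```python
# Added example, not ArcSight code: models why an after-query (Console) sort
# can differ from a sort done in the base query when the query row limit
# truncates the result. The base query stops at its row limit while scanning,
# so if the limit is reached after one day of a two-day window, only that day's
# rows reach the Viewer; re-sorting those rows cannot recover the rest.
from datetime import datetime, timedelta

ROW_LIMIT = 6  # toy stand-in for the 10,000 row query limit


def constructed_events(start, days=2, per_day=6):
    """Constructed sample: one row every 4 hours; day 2 has the higher counts."""
    rows = []
    for i in range(days * per_day):
        day = i // per_day
        rows.append({
            "Timestamp": start + timedelta(hours=i * (24 // per_day)),
            "EventCount": 10 * (day + 1) + (i % per_day),
        })
    return rows


def run_base_query(rows, row_limit=ROW_LIMIT, order_by=None):
    """Model of the base query: an optional ORDER BY (descending) is applied
    before the row limit; otherwise rows are taken in timestamp order."""
    if order_by is not None:
        rows = sorted(rows, key=lambda r: r[order_by], reverse=True)
    return rows[:row_limit]


def console_sort(result, column):
    """Model of a column-header sort in the Console: only returned rows move."""
    return sorted(result, key=lambda r: r[column], reverse=True)


def top_counts(result, n=3):
    """The first n EventCount values of a result, in display order."""
    return [r["EventCount"] for r in result[:n]]


def days_covered(result):
    """Distinct calendar days (ISO strings) present in a result set."""
    return sorted({r["Timestamp"].date().isoformat() for r in result})


def compare_sorts():
    """Run both approaches on the constructed sample and report the outcome."""
    rows = constructed_events(datetime(2012, 9, 19))
    after = console_sort(run_base_query(rows), "EventCount")      # limit, then sort
    within = run_base_query(rows, order_by="EventCount")          # sort, then limit
    return {
        "after_query_days": days_covered(after),
        "after_query_top": top_counts(after),
        "in_query_days": days_covered(within),
        "in_query_top": top_counts(within),
    }


if __name__ == "__main__":
    for name, value in compare_sorts().items():
        print(f"{name}: {value}")
```

With the limit applied first, the after-query sort only ever sees the first day's rows and reports that day's highest counts; the sort inside the base query sees the whole window and returns the genuinely highest counts, all of which fall on the second day.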
Results in Chart Formats
To get results in Chart format, right-click a query viewer and choose either:
• View Data as > Bar Chart or Horizontal Bar Chart
• View Data as > Pie Chart.
Drilldowns
   Query viewers can provide drilldowns to Active Channels. If the query includes an event ID or resource ID, you can also drill down to that resource. See “Viewing an Event or Resource Directly from the Query Viewer” on page 247 for details.
   If there are drilldowns associated with the query viewer, select an item in the first or key column, then right-click to get drilldown options in the Investigate menu.
   For example, an Events query viewer could provide drill-downs to view all source addresses for a selected event. Choosing this drilldown from the Investigate menu on a query result would lead to a table showing source addresses for the selected event.
   (See “Query Viewer Drilldowns” on page 265 and “Drilldown Example” on page 274.)
Create Channel
   Creates a channel on the selected item. (For example, right-clicking an event and choosing Investigate > Create Channel [EventName] creates an active channel that monitors and filters for occurrences of that event.)
   For more information about using active channels, see “Viewing and Using Channels” on page 78.
Add Condition
   Brings up the Conditions Editor for the selected item, where you can add or modify conditions (filters) on the selected item.
   For more information on working with Conditions, see “Common Conditions Editor (CCE)” on page 782.
Filtering Query Viewer Results
You can filter query viewer results shown in table and chart formats.
Adding a Filter
To filter query viewer results:
1 Click “Filter: No Filter” in the header of a query result view. (You can also right-click the filter name and choose Edit Filter from the context menu.) The Common Conditions Editor (CCE) dialog opens.
2 Use the CCE dialog to add a filter. (For details on how to use the CCE dialog to create filters, see the topic on the “Common Conditions Editor (CCE)” on page 782.)
3 Click OK to save the filter, and filter the current result view.
Note: Filters on query viewer results are locally saved and available only while the current result set is displayed. These filters are not saved as a part of the query viewer. When you close the query viewer result, the filter is no longer available; recreate it on a new result set.
Filters can also be applied to baseline delta columns. (See “Defining and Using Baselines” on page 250.)
Removing a Filter
To remove a filter from a displayed query viewer result, right-click the filter name in the
header of the result view and select Remove Filter from the context menu.
Viewing an Event or Resource Directly from the Query Viewer
If your query viewer is for events or resources and the query viewer results include an
event ID or resource ID field, you can go directly to a specific event or resource from the
query viewer.
Right-click the event or resource and select View > [Event Name] Details or View > [Resource Name] Details. For example, drill down to:
• An event if the query includes the event ID field
• An actor if the query includes the actor ID field
• An asset if the query includes the asset ID field
• A case if the query includes the case ID field
Troubleshooting Query Viewers
If queries time out, especially in environments that monitor high event rates (in the thousands per second), try reducing the number of rows to the range of 100 to 1000 and see if there is an improvement. If that does not improve execution time, refer to the “Troubleshooting” appendix of the ESM Administrator’s Guide and look for the topic Query and Trend Performance Tuning.
Adding Query Viewers to Dashboards
You can add a query viewer result to a dashboard. Refer to “Adding a Query Viewer to a
Dashboard” on page 105.
For more information about working with dashboards, see “Using Dashboards” on
page 102.
Making Query Viewer Results Available to ArcSight Web
Query viewer results on dashboards are accessible from ArcSight Web. For more about
ArcSight Web, see “ArcSight Web” on page 743.
For more information about working with dashboards, see “Using Dashboards” on
page 102.
Adding Query Viewers as Startup Views
Query Viewers can be set as the startup view for a group as follows:
1 Select Users in the Navigator.
2 Right-click a group and choose Edit Groups from the context menu.
3 In the editor for the selected group, click the Startup Views tab, then click the Query Viewers subtab.
4 Click Add to bring up the Query Viewer Selector.
5 In the Query Viewer Selector dialog, navigate to and select (checkmark) the query viewer you want as the startup query viewer for this group and click OK. The full path to the query viewer you selected is shown on the Query Viewers tab in Startup Views.
6 Click Apply to save your changes and leave the group editor open, or click OK to save and close the group editor.
For more information on editing groups and startup views, see “Editing User Groups” on
page 590 and “Setting Startup Views” on page 591.
Note: Regardless of startup view settings for groups, the Query Viewers you have showing when you close the Console are reloaded when you restart the Console.
Generating Reports from Query Viewers
After you run a query viewer, you can generate a simple report containing the results.
Note: The report display format is based on the query viewer result display. For example, if you chose to view query data as a pie chart, the generated report shows the same pie chart view. To generate a report showing results for the same query as a bar chart or table, you would need to re-run the query viewer (<Query Viewer> > View Data as) in one of those formats, and then generate the report from that view.
The report contents might not include as much data as the query viewer result shown in the Console for these reasons:
• Reports on pie charts and bar charts have a default row limit of 25. This is user-configurable. You can set a higher or lower row limit on the Report Parameters dialog you get when you run the report. (See Step 2 on page 250.)
• Reports on tables have no hard limit on number of rows in the table.
• Data viewed in chart format has a hard limit of no more than 99 rows, therefore reports on charts have the same hard limit of no more than 99 rows displayed on the Console and Web user interface.
To generate a report on a query viewer:
1 Right-click the query viewer results table or chart (anywhere in the Viewer panel) and click Report.
2 Specify the options on the Report Parameters dialog or take the defaults and click OK.
   • For more about Report row limits, see these Tips and related information on page 249.
   • If you click Save Output on the Report Parameters dialog, you get additional options for setting archived report “Save Output Parameters”.
   For more help on setting report parameters, see “Report Parameters” on page 379.
3 When the report is ready, a dialog gives you the option of opening it to view it now or saving it to a location you specify through a file browser. Choose Open to view the report or Save to save it in a specified location.
Reports initiated from query viewers are provided for convenience as a quick
way to share the result data. Query viewer reports are limited to displaying
data from the single query covered by the query viewer and retain the format
of the chart or table in which the query viewer results are displayed. For
information on creating and publishing richer, highly formatted reports on multiple data sources, see Chapter 11, Building Reports, on page 279 and Chapter 12, Running and Managing Reports, on page 377.
Defining and Using Baselines
You can establish a particular set of query results as a baseline snapshot against which to
compare the results of other runs of the same query. Comparing the results of the same
query run at different times and in different contexts highlights the deltas (differences) and
helps identify areas that vary significantly from normal.
You can define baselines and run comparisons with any query viewer that:
• Lends itself well to a table format display
• Includes one or more key fields by which to locate matching entries between the baseline and currently displayed information.
For example, suppose you have a query that returns the top 10 event counts by name and you want to compare it against some baseline. A reasonable comparison would be between similarly named events in both sets of data. In this case, the event name would be used as the key field.
Notes:
• Baselines are applicable only to table views of result data. Baselines do not apply to graphical views such as pie charts, bar charts, and so on. You always have the option to view query data from any query viewer as a graphical chart or a table, but the baseline data is only accessible from the table view of the data.
• Baselines require one or more key fields by which to locate matches between the baseline and the displayed data. The key fields must be built into the query viewer to which you want to add a baseline.
• Values for Key fields must be unique. When adding baselines, make sure key fields in the query viewer have unique values. (See the Fields tab in the query viewer editor.) Also, check the query viewer start and end times (on the Attributes tab in the query viewer editor) to make sure the time frame over which the query runs makes sense.
You can add one or more baselines to a single query viewer, and delete them as needed.
Why Baselines are Useful
In addition to providing a way to compare result data from different query runs, baselines
provide an efficient way to save, annotate, and retrieve data that might otherwise be too
difficult to access in any meaningful way.
Once a baseline is defined, it is preserved as a File resource that is associated with the
query viewer. In the Navigator, choose Files and expand the Attachments folder to view
the new baseline files you created.
Note: The query viewer baseline files in the Files\Attachments folder appear along with other files in alphabetical order. For your convenience, in the Files resource, you may add a folder (add a group) to contain only your baselines. You can name it <yourname> Baselines and drag your own baseline files from Attachments to your own folder. The baseline files always remain in Attachments but a link is established from files in Attachments to the files in your own folder.
With Query Viewer baselines, you can:
• Retrieve the snapshot baseline data by running comparisons against it.
• Compare current result data against one or multiple baselines.
• Get meta-information about the baseline (such as when it was saved, by whom, and comments).
• Sort, show, or hide the baseline comparison columns.
• Maintain the baseline data as a Files resource baseline even if the original data is lost or is too performance-intensive to re-generate (for example, an aggregation query). (All baselines are automatically added as Files resources when they are created.)
• Add and remove baselines as needed, and edit some meta-information on baselines (for example, description comments).
• Use filters on the baseline (delta) columns. For example, you could filter on a baseline column to find where the current results differ from the baseline by more than some specified value.
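The comparison that the key-field requirement, the uniqueness note and the delta-column filter above describe can be modelled in a few lines. The following is an added Python example, not ArcSight code and not how the Console stores baselines: rows are matched on a key field, a Delta column holds current minus baseline for the numeric column, and the Delta column is then filtered by a threshold. The column names (Event Name, Count), the function names and the two constructed result sets are assumptions for illustration; the uniqueness check reflects the note that key field values must be unique.

```python
# Added example, not ArcSight code: models comparing a query viewer's current
# table result against a stored baseline. Rows are matched on a key field
# (Event Name), a Delta column holds current minus baseline for the numeric
# column (Count), and the Delta column can then be filtered. Key values must be
# unique in each result set, otherwise a key could match more than one row.

KEY = "Event Name"
VALUE = "Count"

# Constructed sample: a "normal" hour captured as the baseline ...
BASELINE = [
    {"Event Name": "Login success", "Count": 1200},
    {"Event Name": "Login failure", "Count": 40},
    {"Event Name": "Port scan", "Count": 15},
]
# ... and a later run of the same query with a spike in login failures and a
# row (New service) that has no counterpart in the baseline.
CURRENT_RUN = [
    {"Event Name": "Login success", "Count": 1250},
    {"Event Name": "Login failure", "Count": 400},
    {"Event Name": "New service", "Count": 7},
]


def keys_are_unique(rows, key=KEY):
    """True if no key value occurs more than once in the result set."""
    values = [r[key] for r in rows]
    return len(values) == len(set(values))


def compare_to_baseline(current, baseline, key=KEY, value=VALUE):
    """Return the current rows with Baseline and Delta columns appended.

    Rows with no matching baseline entry get Baseline and Delta of None.
    Raises ValueError if either result set has duplicate key values, since
    matching would then be ambiguous.
    """
    for name, rows in (("current", current), ("baseline", baseline)):
        if not keys_are_unique(rows, key):
            raise ValueError(f"key field {key!r} is not unique in {name} result")
    base_by_key = {r[key]: r[value] for r in baseline}
    compared = []
    for r in current:
        base_val = base_by_key.get(r[key])
        compared.append({
            key: r[key],
            value: r[value],
            "Baseline": base_val,
            "Delta": None if base_val is None else r[value] - base_val,
        })
    return compared


def filter_delta(compared, min_abs_delta):
    """Keep rows whose Delta magnitude meets the threshold; unmatched rows drop out."""
    return [r for r in compared
            if r["Delta"] is not None and abs(r["Delta"]) >= min_abs_delta]


if __name__ == "__main__":
    result = compare_to_baseline(CURRENT_RUN, BASELINE)
    for row in result:
        print(row)
    print("Moved by 100 or more:", [r[KEY] for r in filter_delta(result, 100)])
```

Filtering on the Delta column isolates the login-failure spike while the small drift in login successes and the unmatched new row are left out, which is the kind of threshold filter the last bullet describes.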
Planning for Baseline Comparisons
Query viewer baselines might prove most useful if you take a little time to identify some
goals for their use or questions you want answered, and then plan how to implement the
baselines for those purposes. Here are some suggestions to start off with.
1 Establish questions or goals for baseline comparison monitoring and identify the type of data you want to evaluate.
   For example, you might want to determine what type of event traffic is at its highest at different times of day or when network attacks tend to increase. Or, you might notice a spike in certain query viewer results (such as more logins from a particular user) and decide to compare the behavior against a sampling of results from subsequent or previous query runs.
2 Identify the query viewer (and associated query) appropriate to use. If the query viewer you need is not provided, you can develop it. See “Customizing Query Viewers” on page 257 for more information on this.
   For example, if you want to monitor what type of event traffic is at its highest, you could establish a baseline for a query viewer that returns “Top Event Counts by Hour of Day.” You could also use a query viewer baseline to take snapshots of event counts throughout the day, either for record-keeping or to explore and compare later.
3 Monitor results for your chosen query (by running the query viewer) to identify a “typical” or “normal” result set to use as a baseline.
4 Add (capture) the baseline from the typical/normal result set.
5 Monitor subsequent results for variation (spikes, dips) or time periods against which you want to compare with the baseline, and run baseline comparisons on these.
Adding a Baseline
A baseline is a snapshot of the current results that can be used later as a reference point to
compare other query result views. Baselines are often added to capture “normal” network
behavior, so that when spikes, dips, or other anomalies surface, these can be compared
against the baseline.
Baselines can only be defined on numeric data (because they are designed to show deltas,
the difference or change between two values).
To add a baseline to a query viewer:
1. In the Navigator panel, choose the Query Viewers resource.
2. Select and run the query viewer (containing the query) for which you want to define a baseline.
To do this, right-click the query viewer and choose View Data As > Table. Baselines are applicable only to table views of result data.
The query viewer result is displayed in the Viewer.
3. Right-click anywhere in the results table in the Viewer, and select Investigate > Add as baseline... to get the Add a baseline... dialog.
4. Enter a name for the baseline, optional description, and click OK to add it.
This saves the current query result data as a named baseline for the selected query viewer, and makes it available for use (through Investigate > Compare with... against results from other runs of the same query viewer).
The baseline is shown on the Fields tab of the query viewer to which you added it. If the query viewer editor is not currently displayed, double-click the same query viewer in the Navigator panel to open it in the editor. Click the query viewer editor Fields tab.
Comparing Displayed Results to a Baseline
Once you establish a baseline for a query, you can compare subsequent results for the
same query against the baseline.
•
Baseline comparisons, like baselines, can only be derived from table views
of the query viewer results. (Select a query and choose View Data as >
Table. See “Results in Table Format” on page 241.)
•
The query viewer you select for baseline comparison needs to have at
least one baseline already added to it. Baselines are shown on the Fields
tab of the Query Viewer editor.
To run a comparison:
1. If you do not already have a table view of the data you want to compare, right-click the query viewer you want to evaluate against a baseline, and choose View Data as > Table from the Navigator menu.
2. In the Viewer, right-click anywhere on the table view results and select Investigate > Compare with: <SomeBaseline>.
The comparison data is collected and added as a new column. You have the option of hiding or showing it in the table as needed.
3. Make your selections on the Select columns table and click OK.
If you selected the comparison column, it is displayed on the table next to the original results for that column.
Note that differences between the current values and the baseline can be positive or negative, as shown in the example comparison above. A positive value in the baseline comparison indicates more events in your current sample, compared to the baseline. A negative value in the baseline comparison indicates fewer events in your current sample, compared to the baseline. If the baseline field for a row is null, this indicates that no baseline value was available for that key.
• By the time the Select Columns dialog is displayed, the baseline comparison is already available. If you select columns, those are displayed in the viewer on the Table result.
• After running a baseline comparison, the right-click over Table Investigate > Compare with <Baseline> option for the baseline you just ran is grayed out (even if you chose not to immediately select any columns or clicked Cancel on the Select Columns dialog). This is because the baseline is already added.
• To show or hide more columns (including baseline columns), right-click the column header, choose Show Column, and check (enable) or un-check (disable) columns. See also “Show or Hide Baseline Columns” on page 255.
Show or Hide Baseline Columns
You can always show or hide columns, including baseline columns. To do this, right-click anywhere in the table header (on any of the column titles), choose Show Column > <SomeField>.
See also “Column Sort, Display, and Edit Options” on page 243.
Sort Baseline Data
You can perform an after-query sort on baseline comparison data by clicking the column
headers. A pre-query sort for baseline data is not available. (That is, there is no option to
add a sort as a part of the baseline in the query viewer definition.)
See also “Column Sort, Display, and Edit Options” on page 243.
Filter Baseline Data
You can filter on the baseline comparison column the same way you would filter on any
other column. Click the Filter in the query viewer header to bring up the Query Data Filter
dialog. Enter your filter conditions and click OK. After the filter is applied, the query viewer
automatically updates.
The Query Data Filter is based on the Common Conditions Editor (CCE). For information
about using the CCE to define filters, see “Common Conditions Editor (CCE)” on page 782.
Removing a Baseline
Baselines, like the queries themselves, are associated with and contained in query viewers.
To remove a baseline, you remove it from the list of baselines in the query viewer editor.
Removing a baseline from a query viewer is different from hiding or showing
a baseline column in a query result. If all you want to do is temporarily hide a
baseline column in a results table, use the right-click “Show Column” option
in the Viewer on the results table as described in “Column Sort, Display, and
Edit Options” on page 243 in “Results in Table Format” on page 241.
To remove a baseline from a query viewer:
1. In the Navigator panel, right-click the query viewer containing the baseline you want to remove and select Edit Query Viewer.
This opens the editor for the query viewer in the Inspect/Edit panel.
2. In the editor, click the Fields tab.
3. Under Baselines, select the baseline you want to remove and click Remove.
4. Click Apply to save your changes to the query viewer, or click OK to save changes and close the editor.
Note that there is no confirmation dialog for this Remove baseline action, but if you do not want to save your changes, click Cancel and the baseline is not removed.
Customizing Query Viewers
Query viewers provide a shortcut alternative to running SQL queries as a part of reporting.
Keep in mind that query viewers use base queries, so a first step in creating a query viewer
is deciding what SQL query you want to use. If you can’t find one that does what you want,
you’ll need to create one first, before defining your query viewer.
Creating a New Query Viewer
The high-level steps for creating a query viewer are as follows:
1. Identify your questions and what information you are looking for. (For example, “What types of actions represent the highest volume of events on my network during various times of day?”)
2. Based on the question you want answered, decide what kind of query you need and determine whether it is available or you have to create it.
If you do not find a suitable query when you browse the choices under Reports/Queries (or on the Query Viewer “Query” field “Select a Query” drop-down menu), you can create one. To get started creating a new query, navigate to Reports, and click the Queries tab. For more information see “Building Queries” on page 302.
When you know which query you want to use and have either found a pre-built one or created a new one, you are ready to create a query viewer that uses that query.
3. Select Query Viewers in the Navigator.
4. Right-click a group (folder) and select New Query Viewer. This launches the Query Viewer Editor in the Inspect/Edit panel.
As a general rule, it is best to create new content in the user's own folder.
5. Define general attributes for the query viewer as described in “Query Viewer Attributes” on page 258. At a minimum, fill in the required values (red asterisks) on the Attributes tab (query viewer name and “base query” to use).
6. Choose the Fields to display for the query viewer as described in “Query Viewer Fields” on page 262. (Fields are inherited from those available in the base query.)
7. Define Variables for use in the query viewer as described in “Query Viewer Variables” on page 264 (optional).
8. Specify any Drilldowns you want to make available as described in “Query Viewer Drilldowns” on page 265 (optional).
9. Click Apply or OK to create the new query viewer.
Be sure to click Apply or OK frequently to save settings periodically as you work through the above steps. Clicking Apply saves settings and leaves the Editor open. Clicking OK saves settings and closes the Editor for this query viewer. If you do not apply or accept settings using these buttons, your settings are not saved.
The following sections provide details on defining attributes, fields, variables, and
drilldowns for a query viewer.
Defining Query Viewer Settings
Use the Query Viewer Editor to build a new query viewer or edit an existing one. Query
viewer settings are defined on multiple sub-tabs.
•
To access the editor for a query viewer, follow the first steps in either “Creating a New Query Viewer” on page 257 or “Editing a Query Viewer” on page 270.
•
If you want to edit more than one query viewer at a time, choose Edit >
Preferences from the Console menu, then click Global Options. On the
Global Options panel, check Allow multiple editors of the same type,
then click OK to save the change and close the Preferences dialog. For
more on setting Console preferences, see “Changing User Preferences” on
page 716, especially the subtopic “Changing Global Options Like Panel
and Editor Characteristics” on page 718.
Query Viewer Attributes
The following fields in the Query Viewer section are attributes to specify when creating a
new query viewer.
Query Fields
Description

Name
Name for the query viewer. Spaces and special characters are okay. This is a required attribute.

Query
Specifies the base query used in this query viewer. This is a required attribute.
If you are creating a new query viewer:
1. Click this field to get a drop-down menu showing all available queries on this Manager. You can choose from queries created for reports, for other query viewers, or a new query you created specifically for this query viewer.
If you want to create a new query, you need to do this first before creating the query viewer. (See also “Building Queries” on page 302.)
2. From the drop-down menu, select the query you want to use.
Note: If you are editing an existing query viewer, the Query field is not editable since the base query is set at the time the query viewer is created. If you want to use a different query, create a new query viewer.

Refresh Data After
Sets an amount of time (in minutes or hours) after which the query viewer automatically runs again and shows new data based on that most recent run. The query viewer is regularly refreshed based on the specified refresh time period.
The default for this setting is after every 15 minutes. To change this default:
1. Click the field to activate the settings.
2. In the left-hand field, enter a numeral, and in the right-hand drop-down menu, select minutes or hours.

Query Time Out
Defines a time out limit within which the query must return results. If the query does not complete and send results within the specified time out period, the Manager stops the query run.
By default, a time-out of 300 seconds (5 minutes) is configured on the Manager in server.defaults.properties. If you do not specify a Query Time Out in the Attributes tab, this time-out of 5 minutes applies (even if the Query Time Out field shows “None”). If you specify a time out here, then that one is used instead of the default.
Setting a time out limit is good practice, especially if the event rate (events per second or EPS) is unusually high, the start/end time range is large, or the query is complex. Time outs can help guard against infinite or long running queries that impact system performance. Although this is less of an issue with query viewers, since they are designed to minimize impact on system performance, it can still be an issue in some scenarios.
Setting time outs can be a useful troubleshooting technique for new queries, or existing queries in new scenarios, for example where event counts spike higher.

Default View
The Default View attribute determines how the result data are displayed when you double-click the query viewer to open the results in the Viewer panel.
Define the default (double-click) view format for this query viewer. The choices are to show data as:
• Table (this is the default)
• Pie chart
• Bar chart
Double-clicking a query viewer in the Navigator displays result data in the format set here.
If you choose Pie Chart or Bar Chart as the default view format, choose fields to use for the Values Column (to plot the y axis points on a bar chart or slice sizes on a pie chart) and Points Labels column (to plot the x axis labels on a bar chart or slice labels on a pie chart). The Values Column and Points Labels are also described in “Select fields for Values and Point Labels” on page 238.

Values Column
The Values field applies to bar charts and pie charts. This setting provides fields in the query result that contain numeric data types. The value chosen is used as the numbers by which to plot the vertical y axis points on a bar chart or the slice sizes on a pie chart.
Values typically represent an unknown set of values, like a count. A common example of numeric data appropriate for values is a time like HourOfDay or a count like Count(Event ID).

Point Labels Column
The Point Labels field applies to bar charts and pie charts. This setting provides fields in the query result that contain non-numeric data types. The point labels are used to plot the horizontal x axis labels on a bar chart or the slice labels on a pie chart.
Examples of non-numeric data types appropriate for point labels are timestamps, strings such as are used for event names, and different types of addresses such as IP or MAC addresses. Point labels are typically a known set of limited values (like hours in a day denoted by timestamps).

Setting the following attributes (start time, end time, or row limit) in the Query Viewer overrides these settings in the base query. (See related information on page 259 about defining the base query in the Query attribute.)

Start Time
Specifies the starting point for the data gathering.
A drop-down menu provides values to select based on Velocity Templates (such as $Now, $Now - 1d, and so on). You can also provide a timestamp such as: 27 Jul 2008 16:00:00 PDT.
For more on timestamps and timestamp variables, see “Timestamps” on page 942, “Timestamp Variables” on page 943, and “Variables” on page 947.

End Time
Specifies an end point for the data gathering.
A drop-down menu provides values to select based on Velocity Templates (such as $Now, $Now - 1d, and so on). You can also provide a timestamp such as: 28 Jul 2008 16:00:00 PDT.
For more on timestamps and velocity references, see “Timestamps” on page 942, “Timestamp Variables” on page 943, and “Variables” on page 947.

Row Limit
Set the row limit for the data table.
The default for all new base queries is the maximum allowable, which is 10,000 rows.
If the default is not changed in the base query, and no limit is specified here in the query viewer, the result shows up to 10,000 rows of data.
Entering data in the Common and Assign sections is optional, depending on how your environment is configured. For information about the Common and Assign attributes sections, as well as the read-only attribute fields in Parent Groups and Creation Information, see “Common Resource Attribute Fields” on page 630.
Query Viewer Fields
To define the data display, click the query viewer Fields tab.
Data Fields
The data fields shown on this tab are inherited from the base query. When a query viewer
is first created, the data fields are shown here with the same settings they inherited from
the base query for Use and Key fields. So, initially all fields are enabled for Use and fields
that are grouped by columns in the base query show as Key fields here.
You have the option of overriding the base query settings for Use and Key settings on
inherited data fields in the query viewer. (Settings here do not affect the base query.) You
can override these settings when you first create the query viewer, or when you edit it later.
Select (check) Use for fields to display in the query viewer results. Fields not selected to
Use do not show up in the query results.
Optionally, you can select one or more fields to use as Key fields. Key fields are columns that can be used to uniquely identify a row in the query. Only the fields selected as keys are used when doing baseline comparisons.
The query viewer displays results from these columns, showing them from left to right in the order specified. The above settings would result in a query viewer that shows Timestamp as the left-most column, followed by Name, and so forth. You can re-order the columns by selecting a row and clicking the up or down arrow to move it.
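The comparison semantics described in “Comparing Displayed Results to a Baseline” (a positive delta means more events in the current sample, a negative delta fewer, and null means the baseline had no value for that key) depend on the Key fields chosen here: only the key columns are used to match a current row to a baseline row. The following is an added Python example that models that matching; it is not code from this guide or from ArcSight ESM, and the result rows, the baseline name and the name of the derived comparison column are constructed for the example (the Console's own column naming may differ).

```python
from typing import Any, Dict, List, Optional, Sequence

Row = Dict[str, Any]

# Constructed sample data for a query viewer returning event counts by hour of
# day. BASELINE is the snapshot captured earlier with Investigate > Add as
# baseline...; CURRENT is a later run of the same query viewer. HourOfDay is the
# Key field, Count(Event ID) is the numeric column being compared, Name is a
# non-key column that plays no part in the matching.
BASELINE: List[Row] = [
    {"HourOfDay": 8,  "Count(Event ID)": 120, "Name": "Login"},
    {"HourOfDay": 9,  "Count(Event ID)": 150, "Name": "Login"},
    {"HourOfDay": 10, "Count(Event ID)": 140, "Name": "Login"},
]
CURRENT: List[Row] = [
    {"HourOfDay": 8,  "Count(Event ID)": 110, "Name": "Login"},  # dip
    {"HourOfDay": 9,  "Count(Event ID)": 340, "Name": "Login"},  # spike
    {"HourOfDay": 11, "Count(Event ID)": 90,  "Name": "Login"},  # hour absent from baseline
]


def baseline_column_name(baseline_name: str, value_field: str) -> str:
    """Constructed name for the comparison column added next to the original one."""
    return f"{baseline_name}: {value_field}"


def compare_with_baseline(current: Sequence[Row], baseline: Sequence[Row],
                          key_fields: Sequence[str], value_field: str,
                          baseline_name: str = "Baseline") -> List[Row]:
    """Return a copy of `current` with one extra column holding
    current - baseline for `value_field`, matched on the Key fields only.

    Positive: more events in the current sample than in the baseline.
    Negative: fewer events.  None (null): the baseline has no row with that
    key, so no baseline value was available.
    """
    # Baselines are only defined on numeric data, because they show deltas.
    for row in list(baseline) + list(current):
        value = row[value_field]
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            raise TypeError(f"{value_field} is not numeric; baselines need numeric data")

    # Index the baseline by its key tuple; non-key columns are ignored.
    index = {tuple(r[k] for k in key_fields): r[value_field] for r in baseline}
    column = baseline_column_name(baseline_name, value_field)

    result = []
    for row in current:
        key = tuple(row[k] for k in key_fields)
        base_value = index.get(key)
        compared = dict(row)
        compared[column] = None if base_value is None else row[value_field] - base_value
        result.append(compared)
    return result


def deltas(current: Sequence[Row], baseline: Sequence[Row],
           key_fields: Sequence[str], value_field: str) -> List[Optional[float]]:
    """Just the comparison column, in row order (convenience accessor)."""
    column = baseline_column_name("Baseline", value_field)
    return [r[column] for r in compare_with_baseline(current, baseline, key_fields, value_field)]


if __name__ == "__main__":
    for row in compare_with_baseline(CURRENT, BASELINE, ["HourOfDay"], "Count(Event ID)"):
        print(row)
```

Running the block prints the three current rows with the added column holding -10, 190 and None. Note that if you were to include Name among the Key fields, a baseline captured while an event was named differently would also yield null for that row, which is one reason to keep the key set minimal.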
Sort Options
The query viewer inherits the sort options from the base query, but you can override those
sort options here, without affecting the base query.
You can add data fields from the base query to sort the query results in the query viewer
display.
Click Add to get the list of available fields and select those you want to sort on.
In the example above, the Timestamp is sorted from newest to oldest. Data with the
newest Timestamp is at the top of the list. Data with the oldest Timestamp is at the bottom
of the list. (This is indicated by the Z-A sort order and up arrow.) In a case where multiple
rows have the same Timestamp, these are sorted by the Count(Event ID) from smallest to
largest (as indicated by the A-Z sort order and down arrow).
You can change the priority of a column by selecting a column and clicking the up or down
arrow to move it.
Note: It is possible to sort on fields that you choose not to display in the query result.
Suppose you decide to hide the timestamp and count (event ID) columns. In the query
viewer Sort Options, you can still sort by Count (Event ID) and Timestamp.
The list of event names and results for this query viewer display in this multi-column sort
order by timestamp and count (event ID), but those columns do not show up in the display.
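The multi-column sort described above (Timestamp newest to oldest, then Count(Event ID) smallest to largest, with the sorted columns optionally hidden from the display) can be reproduced outside the Console to check what a given Sort Options list yields. The following is an added Python example, not code from this guide or from ArcSight; the rows are constructed, and the sort is modelled as a stable sort applied from the lowest-priority key up to the highest.

```python
from datetime import datetime
from typing import Any, Dict, List, Sequence, Tuple

Row = Dict[str, Any]
SortOption = Tuple[str, bool]   # (field name, descending?)  True = Z-A, False = A-Z

# Constructed result rows for a query viewer whose base query groups events by
# name, with the count per group and the latest end time in the group.
ROWS: List[Row] = [
    {"Timestamp": datetime(2012, 9, 20, 14, 0), "Name": "Login",   "Count(Event ID)": 40},
    {"Timestamp": datetime(2012, 9, 20, 16, 0), "Name": "Logout",  "Count(Event ID)": 25},
    {"Timestamp": datetime(2012, 9, 20, 16, 0), "Name": "Failed",  "Count(Event ID)": 7},
    {"Timestamp": datetime(2012, 9, 20, 15, 0), "Name": "Connect", "Count(Event ID)": 60},
]

# The Sort Options list as it appears in the editor, top = highest priority:
# Timestamp newest first (Z-A), then Count(Event ID) smallest first (A-Z).
SORT_OPTIONS: List[SortOption] = [("Timestamp", True), ("Count(Event ID)", False)]


def sort_rows(rows: Sequence[Row], sort_options: Sequence[SortOption]) -> List[Row]:
    """Multi-column sort in editor priority order.

    Python's sort is stable, so sorting by the lowest-priority key first and
    the highest-priority key last leaves ties in the higher key ordered by the
    lower one, which is the top-down priority the Sort Options tab shows.
    """
    result = list(rows)
    for field, descending in reversed(sort_options):
        result.sort(key=lambda r: r[field], reverse=descending)
    return result


def display(rows: Sequence[Row], use_fields: Sequence[str]) -> List[Row]:
    """Project rows onto the fields marked Use. Sorting already happened on the
    full rows, so hidden columns (e.g. Timestamp) still decide the order."""
    return [{f: r[f] for f in use_fields} for r in rows]


def displayed_names(rows: Sequence[Row], sort_options: Sequence[SortOption],
                    use_fields: Sequence[str]) -> List[str]:
    """Event names in the order the query viewer would show them."""
    return [r["Name"] for r in display(sort_rows(rows, sort_options), use_fields)]


if __name__ == "__main__":
    # Only Name is marked Use; the two 16:00 rows are tie-broken by count.
    for row in display(sort_rows(ROWS, SORT_OPTIONS), ["Name"]):
        print(row)
```

With only Name enabled for Use, the block prints Failed, Logout, Connect, Login: the two 16:00 rows come first and are ordered by count ascending, even though neither Timestamp nor the count is displayed.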
Baselines
If any baselines have been set on results returned on this query viewer, those are listed in the Baselines area of the Fields tab.
Baselines are created on query results tables using the right-click popup option Investigate > Add as baseline... after a query runs. (See “Defining and Using Baselines” on page 250.)
When a query has one or more baselines available, you can compare the current results of a table view with the baseline.
To remove baselines from the query viewer, click the Fields tab, select the baseline name, and click Remove. Be sure to click OK or Apply on the Query Viewer Editor to save your changes.
If you remove the baselines from the query viewer definition, they are not available on the next run of the query viewer.
Query Viewer Variables
To add a local variable, click the Variables tab.
• Provide a name for the local variable.
• Choose a function from the drop-down Function menu.
• Fill in other details as needed and click OK to add the variable to the query viewer.
The variable you add here shows up in the following views:
• As a field in the Fields tab in the query viewer editor definition (including the options to Use and use as a Key field)
• As a column in the query viewer result (If the query viewer result is displayed in the viewer when you add the variable, the variable shows up immediately as a column in the result.)
For example, you can add a Timestamp Function (such as GetHour, GetDayOfWeek, GetDayOfMonth, and so forth).
A query viewer local variable cannot be promoted to a global variable
Local variables defined for data from events, actors, cases, and assets can be
promoted to a global variable.
Local variables defined for a query viewer cannot be promoted to a global
variable. Query viewers operate on queries, which have their own distinct
schema for each instance. A local variable defined for a query viewer is likely
only applicable to the specific query viewer it applies to.
For more on using variables in resources, see “Variables” on page 947.
For more information on global variables (which can be used in queries), see “Global
Variables” on page 435.
Query Viewer Drilldowns
Adding drilldown capability to a query viewer provides the user the option of getting more
focused views (by means of additional query viewers) on particular aspects of a single item
(asset, case, event, and so on) in the query result.
Create Query Viewers for Drilldowns
As a first step in adding drilldown capability to a query viewer, decide what kind of
information you want the user to be able to focus on and then create query viewers that
get that information.
For example, suppose you have a query viewer that returns the top 10 most frequent
events by name. The query viewer might also show timestamps for the events and other
information, depending on the base query it leverages and what fields are hidden or shown
in the query viewer.
Adding a Drilldown
You can configure query viewers and data monitors to drill down to one or a combination of the following resources:
• Active channels
• Dashboards
• Query viewers
• Reports
Each drilldown has its own options. After you have added one or more drilldowns, Console
users can select one by right-clicking on the result and selecting Drilldown > [drilldown
name] from the context menu.
To add a drilldown:
1. Click the Drilldowns tab.
There are two ways to get to the Drilldowns tab:
a. Right-click on the query viewer/data monitor results in a dashboard and select Drilldowns/Edit Drilldowns, which opens the editor to the Drilldowns tab.
b. Right-click on a query viewer or data monitor in the Navigator panel and select the Edit option, then select the Drilldowns tab.
2. Click Add to open the Add Drilldown panel.
3. Enter the following settings for the drilldown’s destination:
• A resource type, for example, Dashboards
• The corresponding specific resource, for example, My_Dashboard
• A menu label (defaults to the specific resource’s name) to represent this drilldown on the Viewer panel’s right-click Drilldowns menu
• An optional description
4. If your destination is a dashboard, click Finish to complete the process and add the dashboard to the list of drilldowns. For other destinations, click Next.
5. Set the remaining options for the destination resource:
If resource type is ...
Follow these steps ...

Active Channels
For an active channel destination, the settings in the Channel Display Options tab are not required; you may click Finish. If you want to set display options:
1. Select a field set from the drop-down list and click OK.
2. Change the Sort By field from the drop-down list and the sort order.
3. Click Finish.

Dashboards
After you select the specific dashboard resource and click Finish, you are done.

Query Viewers
For a query viewer destination, field mapping is required:
1. On the Field Mapping tab, click Add to display a drop-down list of source fields. You must define at least one field map.
The source fields are from the source query viewer (the one you are drilling down from). The mapping condition is always set to =.
2. Under the Destination Field column, select a field from the destination query viewer (the one you are drilling down to).
For example:
The Drilldown definition shown in the example maps the source query viewer/data monitor “Name” column to the target query viewer/data monitor “Name” column. This constructs the following drilldown filter:
<target>.Name = <source>.Name
where <source>.Name is replaced by the actual value from the source query viewer/data monitor row.
If there are no eligible field mappings, you cannot complete the drilldown definition; the Finish button is disabled. You can add or remove field mappings, but your choices are limited to the columns already provided in the query viewer.
3. On the Display tab, you can choose to show (check) or hide (uncheck) the data fields in the drilldown result.
4. On the Sort tab, you can click Add to select the columns to specify the sort order of the resulting values. For each added column, change the sort order to ascending (the default) or descending.
5. Click Finish.

Reports
For a report destination, the settings in the Report Display Options tab are not required. To use the parameters set for the report, click Finish. If you want to change the drilldown’s display options:
1. Click Add to display a list of the destination report’s custom parameters, then select a parameter.
2. Under the Value column, select the field whose value will be used for the parameter.
3. Click Finish.
Repeat the process to add multiple drilldowns as required. Following is an example of
a Drilldowns tab with a variety of drilldowns:
Figure 10-1 Example of Drilldowns Added to a Query Viewer. The drilldowns are initially
displayed in the order they were created. The first drilldown is automatically the default.
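The field-mapping rules for a query viewer destination (at least one mapping, the condition is always =, the selected source row's value is substituted into <target>.Field = <source>.Field, and several mappings narrow the result together) are easy to get wrong when designing drilldowns. The following added Python example, which is not ArcSight code and uses constructed source and target result rows with constructed column names, builds the drilldown filter for a selected source row, checks the same conditions the editor enforces, and applies the filter to the destination query viewer's rows.

```python
from typing import Any, Dict, List, Sequence, Tuple

Row = Dict[str, Any]
Mapping = Tuple[str, str]   # (source field, destination field); the condition is always "="

# Constructed results. SOURCE_ROWS is the query viewer you drill down from
# (top events by name); TARGET_ROWS is the destination query viewer, which
# returns per-address detail for those events.
SOURCE_ROWS: List[Row] = [
    {"Name": "Login",        "Count(Event ID)": 40, "Attacker Address": "10.0.0.5"},
    {"Name": "Failed Login", "Count(Event ID)": 12, "Attacker Address": "10.0.0.7"},
]
TARGET_ROWS: List[Row] = [
    {"Name": "Login",        "Attacker Address": "10.0.0.5", "Target Address": "10.0.1.9"},
    {"Name": "Login",        "Attacker Address": "10.0.0.6", "Target Address": "10.0.1.9"},
    {"Name": "Failed Login", "Attacker Address": "10.0.0.7", "Target Address": "10.0.1.9"},
    {"Name": "Port Scan",    "Attacker Address": "10.0.0.9", "Target Address": "10.0.1.11"},
]


def validate_mappings(mappings: Sequence[Mapping], source_fields: Sequence[str],
                      target_fields: Sequence[str]) -> List[str]:
    """Mirror the editor's rules and return a list of problems (empty = OK):
    at least one mapping (otherwise Finish is disabled), and every mapped
    column must exist in the respective query viewer."""
    problems = []
    if not mappings:
        problems.append("no field mappings: the drilldown cannot be completed")
    for src, dst in mappings:
        if src not in source_fields:
            problems.append(f"source column {src!r} is not provided by the source query viewer")
        if dst not in target_fields:
            problems.append(f"destination column {dst!r} is not provided by the target query viewer")
    return problems


def build_drilldown_filter(mappings: Sequence[Mapping], source_row: Row) -> List[Tuple[str, Any]]:
    """Substitute the selected source row's values into <target>.dst = <source>.src."""
    return [(dst, source_row[src]) for src, dst in mappings]


def render_filter(conditions: Sequence[Tuple[str, Any]]) -> str:
    """Human-readable form of the constructed filter (constructed notation)."""
    return " AND ".join(f"<target>.{field} = {value!r}" for field, value in conditions)


def run_drilldown(mappings: Sequence[Mapping], source_row: Row,
                  target_rows: Sequence[Row]) -> List[Row]:
    """Apply the drilldown filter built from `source_row` to the target rows.
    All mapped conditions must hold for a target row to be returned."""
    target_fields = sorted({f for r in target_rows for f in r})
    problems = validate_mappings(mappings, list(source_row), target_fields)
    if problems:
        raise ValueError("; ".join(problems))
    conditions = build_drilldown_filter(mappings, source_row)
    return [r for r in target_rows if all(r.get(f) == v for f, v in conditions)]


if __name__ == "__main__":
    # Single mapping Name -> Name, drilling down from the "Login" row.
    print(render_filter(build_drilldown_filter([("Name", "Name")], SOURCE_ROWS[0])))
    for row in run_drilldown([("Name", "Name")], SOURCE_ROWS[0], TARGET_ROWS):
        print(row)
```

Mapping Name alone returns both Login rows; adding a second mapping on Attacker Address narrows the drilldown to the one row that matches both values, which is the behaviour to expect when you map several columns.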
Tips on Drilldown Definitions
• If the query viewer/data monitor has only one drilldown, this is the default drilldown for the query viewer. If the query viewer has multiple drilldowns, the first drilldown is the default, and you can change it.
• When you run the query viewer results, right-click, and select Drilldown, the selection list displays the list of drilldowns defined for this query viewer. The default drilldown is at the top of the list, and the remaining drilldowns are displayed in the sequence as they appear on the Drilldowns tab.
• Drilldowns can be defined for multiple fields of different data types. For example, you could define a drilldown to return a combination of event name and IP address. The first step would be to define a base query viewer to return these fields in a result (see “Create Query Viewers for Drilldowns” on page 265), and then, as a next step, add a drilldown and select that query viewer to use as the “Drill down to” query viewer.
• Drilldowns cannot be defined to go to fields that are SQL functions.
Changing the Default Drilldown
The first drilldown added to a query viewer/data monitor is always the default drilldown. If
you have multiple drilldowns, the default is always displayed at the top of the selection list
of drilldowns from the query viewer/data monitor result’s right-click, Drilldowns menu.
This default position is not affected by any sorting of drilldowns (see “Changing the Order
of Drilldowns” on page 269 for related information).
To change the default drilldown:
On the Drilldowns tab under the Default column, click the button corresponding to the
drilldown you want as the default.
Editing a Drilldown
To edit a drilldown:
1. If you have not done so already, open the editor for the query viewer/data monitor you want to edit. (See “Editing a Query Viewer” on page 270.)
2. Click the Drilldowns tab.
3. Select the drilldown you want to edit and click Edit.
The drilldown dialog for this drilldown is displayed. Make changes to the fields and options as described in “Adding a Drilldown” on page 265.
You can also edit the drill down from the query viewer/data monitor
results. Right-click and select Drilldown > Edit Drilldowns. Selecting
this command opens the editor for the query viewer at the Drilldowns
tab.
Changing the Order of Drilldowns
When you create multiple drilldowns to different resource types, the query viewer’s
Drilldowns tab displays the drilldowns in the sequence they were created. This initial sort
order affects the selection list when you right-click the query viewer results on the Viewer
panel and select Drilldowns.
You can re-order the drilldowns in two ways:
• Sorting the drilldowns
• Moving specific drilldowns up or down the list
To change the sort order:
1. If you have not done so already, open the editor for the query viewer you want to edit. (See “Editing a Query Viewer” on page 270.)
2. Click the Drilldowns tab and, on the toolbar, click Sort.
Multiple drilldowns on the query viewer’s Drilldowns tab are sorted in two ways, as follows:
• First, the drilldowns are sorted alphabetically according to resource type: active channels, dashboards, query viewers, and reports.
• Next, within the resource type, drilldowns are again sorted alphabetically by their menu labels.
Once you have clicked the Sort button, clicking it again will not change the sort order.
The following example is the result of clicking Sort based on Figure 10-1 on page 268:
Even if the default drilldown moves after sorting, it will still be at the top of the selection list when you right-click on the query viewer results and select Drilldowns. See “Changing the Default Drilldown” on page 269 for related information.
To move a drilldown’s position on the list:
1. If you have not done so already, open the editor for the query viewer you want to edit. (See “Editing a Query Viewer” on page 270.)
2. On the Drilldowns tab, select a drilldown (don’t click under the Default column if you don’t want to change the default drilldown).
3. On the toolbar, click the up or down arrow buttons to move the drilldown up or down the list.
Removing a Drilldown
You can remove any drilldown, including the default drilldown. If you delete the default and
you have multiple drilldowns, the first one on the list becomes the default.
To remove a drilldown from a query viewer:
1. If you have not done so already, open the editor for the query viewer you want to edit. (See “Editing a Query Viewer” on page 270.)
2. Click the Drilldowns tab.
3. Select the drilldown you want to remove and click Remove.
Editing a Query Viewer
1. Navigate to Query Viewers in the Navigator panel and select the query viewer you want to modify.
2. Right-click the query viewer and select Edit Query Viewer from the context menu. This launches the Query Viewer Editor in the Inspect/Edit panel, and shows the definition for the selected query viewer.
3. Edit the query viewer definition as needed. (See “Customizing Query Viewers” on page 257 for details.)
4. Click Apply or OK to save your changes. (Click Cancel to exit the Query Viewer editor without saving changes.)
To edit a query viewer for which results are currently displayed in the Viewer, click the Edit Query Viewer button on the lower right of the Viewer. The results display for the query viewer you want to edit must have focus (that is, be on top) in the Viewer.
Deleting a Query Viewer
1. Navigate to Query Viewers in the Navigator panel, right-click the query viewer you want to delete, and select Delete Query Viewer.
A confirmation dialog is displayed.
2. Click Delete to confirm your choice and delete the query viewer. (Or click Cancel if you decide you do not want to delete it.)
Example Queries for Common Scenarios
Query viewers can be used to monitor daily network traffic and get high level summaries of
typical activity. Query viewers can also be used to drill down on anomalies or other
interesting events.
Following is a brief, conceptual scenario of how an analyst might use query viewers to
monitor and investigate certain types of activity.
Also included here is a description of how the query content developer might build and
configure the base query and query viewers that the analyst uses.
In practice, ArcSight ships with pre-built queries and query viewers as
standard content. It is likely that the types of resources described here are
provided with ArcSight.
Even so, the configuration of the base query and query viewers is described
to illustrate and support this example, and show how a content developer
might fine tune these resources to gather the information needed.
Basic Analysis High Level Summaries
A security analyst wants to check if anything unusual is happening on their system. The
analyst brings up a query viewer called “Events” that shows all events by event name for
the last 2 hours. The columns include:
• Event name
• Total count of all events
• Count by unique source address
• Count by unique destination address
Analyst’s First View of Events
The analyst can easily glance at the data and see if anything looks out of the ordinary.
Columns can be sorted and filters can be changed to refine the details. The data should
come up almost immediately.
How the Events Query Viewer is Built
The Events query viewer described in this example leverages the Events query.
Attributes
Bringing up the query viewer editor for the Events query viewer shows that the Events
query is used as the base query. Bringing up the Events query (base query) in the query
editor shows that the base query searches on events for the last 2 hours. (Queries are
under Reports > Queries in the Navigator.)
Fields
The fields selection, order by, and group by logic are all defined in the Fields tab for the
base query. The Events query viewer inherits the fields from the base query. These show
up on the query viewer Fields tab.
Events Base Query Conditions Tab
The condition logic to search on Events is defined in the Conditions tab for the base query.
If the event value in your query is the @ symbol by itself, enclose it in double
quotes. For example:
Name Contains “@”
You are not required to use the double quotes if the @ symbol is used with
other text, for example, Name Contains @mycompany.
Drilldown Example
Continuing with the previous example, the security analyst notes that one of the counts
seems troublesome. For example, “Attack from Suspicious Source” is high and showing a
lot of unique destination addresses. The analyst would right-click this row and choose
Show Source Addresses.
The resulting query viewer would show, for this event and time range, the source
addresses, as well as other columns of interest (for example, destination address). Then by
sorting by source address, the analyst could decide if a single source address (probably
with the highest count) was the initiator of most of the attacks. This information could also
be provided from an appropriate back end trend table (the same one or a different one),
and, as a result, the display should come up almost immediately.
The analyst could also show destination addresses for the same event row, if that
drilldown is defined as a part of the query viewer.
How the Drilldowns are Built
The source and destination drilldowns are added to the Events query viewer on the
Drilldowns tab at content development time.
Here is the Drilldowns > Field Mapping tab for the Events query viewer example. The
drilldown requires that at least one field is mapped. In this example, this is the Name field.
Here is the Drilldowns > Display tab for the Events query viewer example.
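The Events query viewer and its Show Source Addresses drilldown, written out as an added example (this is not code from the ArcSight product or from this guide): the base query aggregates the last 2 hours of events by event name into the four columns listed above, and the drilldown reuses the mapped Name field of the clicked row as its condition while keeping the same time range. The example assumes an event table with the columns name, source_address, destination_address and end_time, stands in for the event store with an in-memory SQLite database, and uses constructed sample events with illustrative addresses.

```python
import sqlite3
from datetime import datetime, timedelta

# Fixed "now" so the 2-hour window is reproducible. All data below is constructed
# for this example; the addresses and event names are illustrative only.
NOW = datetime(2012, 9, 20, 12, 0, 0)
TS_FMT = "%Y-%m-%d %H:%M:%S"  # lexicographic order equals chronological order


def _minutes_ago(minutes):
    return (NOW - timedelta(minutes=minutes)).strftime(TS_FMT)


# (event name, source address, destination address, end time)
SAMPLE_EVENTS = [
    ("Attack from Suspicious Source", "10.0.0.5", "192.168.1.10", _minutes_ago(5)),
    ("Attack from Suspicious Source", "10.0.0.5", "192.168.1.11", _minutes_ago(12)),
    ("Attack from Suspicious Source", "10.0.0.5", "192.168.1.12", _minutes_ago(30)),
    ("Attack from Suspicious Source", "10.0.0.9", "192.168.1.13", _minutes_ago(45)),
    ("Login Success", "10.0.1.2", "192.168.2.1", _minutes_ago(20)),
    ("Login Success", "10.0.1.3", "192.168.2.1", _minutes_ago(50)),
    ("Login Success", "10.0.1.2", "192.168.2.1", _minutes_ago(70)),
    # Older than 2 hours: the base query's time condition must exclude it.
    ("Attack from Suspicious Source", "10.0.0.5", "192.168.1.14", _minutes_ago(200)),
]


def load_events(rows=SAMPLE_EVENTS):
    """Stand-in for the event store: an in-memory SQLite table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (name TEXT, source_address TEXT, "
        "destination_address TEXT, end_time TEXT)"
    )
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", rows)
    return conn


def _window_start(now, hours):
    return (now - timedelta(hours=hours)).strftime(TS_FMT)


def events_summary(conn, now=NOW, hours=2):
    """The 'Events' base query: all events in the last N hours, grouped by name.

    Columns mirror the query viewer: name, total count, unique sources,
    unique destinations. Ordered by total count so the busiest names come first.
    """
    sql = """
        SELECT name,
               COUNT(*)                            AS total_count,
               COUNT(DISTINCT source_address)      AS unique_sources,
               COUNT(DISTINCT destination_address) AS unique_destinations
        FROM events
        WHERE end_time >= ?
        GROUP BY name
        ORDER BY total_count DESC, name
    """
    return conn.execute(sql, (_window_start(now, hours),)).fetchall()


def show_source_addresses(conn, name, now=NOW, hours=2):
    """The 'Show Source Addresses' drilldown for one row of the summary.

    The Name field of the clicked row is the mapped field: it becomes the
    condition of the drilldown query, which keeps the summary's time range.
    """
    sql = """
        SELECT source_address, destination_address, COUNT(*) AS event_count
        FROM events
        WHERE end_time >= ? AND name = ?
        GROUP BY source_address, destination_address
        ORDER BY source_address, destination_address
    """
    return conn.execute(sql, (_window_start(now, hours), name)).fetchall()


def sources_by_count(conn, name, now=NOW, hours=2):
    """Sort the drilldown by per-source event count, as the analyst would,
    to see whether a single source address initiated most of the events."""
    totals = {}
    for source, _dest, count in show_source_addresses(conn, name, now, hours):
        totals[source] = totals.get(source, 0) + count
    return sorted(totals.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    db = load_events()
    for row in events_summary(db):
        print(row)
    print(sources_by_count(db, "Attack from Suspicious Source"))
```

Both queries carry the same time condition, so the drilldown cannot silently widen the window the analyst was looking at; the only thing that changes between the summary and the drilldown is the extra equality condition on the mapped Name field.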
Non-Event Analysis Example
A security analyst wants to examine “Asset Counts by Vulnerability.” The analyst selects this
viewer and gets the most recent result (from a trend run) and can examine a table
containing columns: Vulnerability and Asset Count. Right-clicking a particular vulnerability
row would allow drilldown into the assets with that vulnerability.
Baseline Analysis for Data Comparison
Continuing with the previous example, the security analyst notes that one of the counts
seems significantly higher than last recalled. The analyst right-clicks the query viewer and
selects “Compare with Baseline”, from which there are zero or more baselines to choose.
This makes additional columns available to the currently displayed viewer that can be
added by the user. For example, a new column could be added next to the current “Count”
column showing “Count - <Selected Baseline>”. This is a comparison number showing the
difference between the current value of the count and the baseline value for the count.
This is positive, negative, or empty (if a baseline doesn't exist for this vulnerability). The analyst can right-click the new column to sort this column in ascending or descending order.
Other options available to the analyst would be:
• Add as Baseline... to save the current values in the display as the new named baseline.
• Compare with… to compare to any other set of data available in the trend table.
History Analysis Example
As hinted in the previous example, any previous trend runs can be used for baseline
comparison. Similarly, the analyst can change the query viewer to go back into the past to
look at previous data. The analyst could use the default baseline and go back in history to
see when some count began to significantly differ from the baseline.
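The Compare with Baseline and history analysis steps above, as an added example (not the product's own code): a baseline is a named snapshot of the Asset Count column, the comparison column is the current count minus the baseline value and is left empty where the baseline has no row for that vulnerability, sorting on that column puts the empty cells last, and the history check walks earlier trend runs to find the first run whose count moved away from the baseline. The trend runs, vulnerability names, counts and the divergence threshold are all constructed for this example.

```python
# Constructed trend runs, oldest first: each run is one snapshot of the
# "Asset Counts by Vulnerability" trend. Names and counts are illustrative.
TREND_RUNS = [
    ("2012-09-17", {"Weak SSH Ciphers": 10, "Missing OS Patch": 41, "Default Credentials": 2}),
    ("2012-09-18", {"Weak SSH Ciphers": 11, "Missing OS Patch": 44, "Default Credentials": 2}),
    ("2012-09-19", {"Weak SSH Ciphers": 12, "Missing OS Patch": 58, "Default Credentials": 3}),
    ("2012-09-20", {"Weak SSH Ciphers": 9,  "Missing OS Patch": 75, "Default Credentials": 3}),
]

# Named baselines, as saved with "Add as Baseline...". This one deliberately
# has no entry for "Default Credentials" to show the empty-cell case.
BASELINES = {
    "Weekly Baseline": {"Weak SSH Ciphers": 10, "Missing OS Patch": 40},
}


def compare_with_baseline(current, baseline):
    """Build the rows of a "Count - <Selected Baseline>" column.

    Returns (vulnerability, count, difference); difference is None when the
    baseline has no value for that vulnerability (displayed as an empty cell).
    """
    rows = []
    for vuln, count in current.items():
        base = baseline.get(vuln)
        diff = None if base is None else count - base
        rows.append((vuln, count, diff))
    return rows


def sort_by_difference(rows, descending=True):
    """Sort on the comparison column; empty cells always sort last."""
    with_value = [r for r in rows if r[2] is not None]
    empty = [r for r in rows if r[2] is None]
    with_value.sort(key=lambda r: r[2], reverse=descending)
    return with_value + empty


def add_as_baseline(baselines, name, current):
    """'Add as Baseline...': store a copy of the displayed values under a name."""
    baselines[name] = dict(current)
    return baselines[name]


def first_divergence(runs, baseline, vuln, threshold):
    """History analysis: walk the trend runs oldest first and return the date of
    the first run whose count differs from the baseline by at least `threshold`,
    or None if the baseline has no value or no run diverges that much."""
    base = baseline.get(vuln)
    if base is None:
        return None
    for run_date, counts in runs:
        if vuln in counts and abs(counts[vuln] - base) >= threshold:
            return run_date
    return None


if __name__ == "__main__":
    latest = TREND_RUNS[-1][1]
    for row in sort_by_difference(compare_with_baseline(latest, BASELINES["Weekly Baseline"])):
        print(row)
    print(first_divergence(TREND_RUNS, BASELINES["Weekly Baseline"], "Missing OS Patch", 10))
```

Keeping the missing-baseline case as None rather than zero matters: a zero would sort as "no change" and hide the fact that the vulnerability did not exist when the baseline was taken, which is exactly the kind of new finding the analyst wants to notice.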
Chapter 11
Building Reports
These topics describe how you use ArcSight to monitor enterprise security.
“Understanding Reporting Workflow” on page 279
“Using Report Templates” on page 283
“Building Queries” on page 302
“Building Trends” on page 318
“Creating Reports” on page 335
“End-to-End Reporting Examples” on page 361
Reports are captured views or summaries of data that can be viewed in the ArcSight
Console or exported for sharing in a variety of file formats. Reporting is an essential tool for
communicating the state of your enterprise security to internal and external stakeholders.
Reporting is a broad subject in ArcSight. Because it can use all the scheduling, conditional
logic, resource- and rules-based filtering capabilities of the system, the possibilities can
take some time to explore. Creating a report is a multi-step process that can involve steps
using several different resources.
See also Chapter 12, Running and Managing Reports, on page 377 and “Archiving and Scheduling Reports” on page 384.
For other options for filtering the database, see “Query Viewers” on page 233, “Viewing
and Using Channels” on page 78, and “Active Channels or Reports?” on page 86 under
“Best Practices to Optimize Active Channel Performance” on page 86.
Understanding Reporting Workflow
Building Reports is a multi-step process that involves use of a few different data gathering
and reporting tools. ArcSight can gather report data using standard queries or trends.
Reports can be relatively simple (you can create a report with the Report
Wizard based on the results of a single query) or complex (you can create a
report based on the results of layers of queries and trends that feed data
results up the chain as the basis for new queries). See “End-to-End Reporting
Examples” on page 361 for examples of both basic and complex reports.
Following is a quick overview of reporting workflow tasks and tools, along with a reminder
about dependencies among reporting resources.
For a more in-depth description of how these elements build on each other to create
various views of the data, see also “Query-Trend Relationships in Reporting” on page 319.
Step 1 - Build a Query
A query is an ArcSight resource that defines the parameters of data to gather from an
ArcSight data source. The results of the query then become the basis for one or more
ArcSight reports or trends. As a data source, queries can use the ArcSight database of
events, assets, cases, notifications, active lists, session lists, or data gathered from a trend.
Queries are described in “Building Queries” on page 302.
If all you want to do is build a report based on a single query, at this point
you can skip to step 4 and select a template. (See “Step 4 - Select or Design
a Report Template” on page 281.)
Queries built for reports can be used in query viewers also.
And if you want to run quick SQL queries for monitoring and analysis outside of the reporting resource, you can use query viewers. You can add query viewers to dashboards and generate simple reports on query viewer results. For information on query viewers, see Chapter 10, Query Viewers, on page 233.
Step 2 - Build a Trend (Based on a Query)
A trend is an ArcSight resource that defines how and over what time period data is
evaluated for trends. A trend is always based on a query. The trend results are stored in a
trend table in the ArcSight database, and are themselves queryable. Trends can also be
used as the primary data source for a report.
Trends are described in “Building Trends” on page 318.
If you want a report based on a single trend-query, at this point you can skip
to step 4 and select a template. (See “Step 4 - Select or Design a Report
Template” on page 281.)
Step 3 - Build a Query (Based on a Trend)
At this point you have the option of using a simple query or trend in a report, or you can
further refine query results by using a trend in another query.
See the “Building Queries” on page 302 and “Building Trends” on page 318 for more
information on how to do this.
Step 4 - Select or Design a Report Template
Use an existing report template layout or create your own using the new Report Designer
tool. For information on working with templates, see “Using Report Templates” on
page 283.
Step 5 - Create a Report
A report is an ArcSight resource that binds data from a query or trend to an existing report
template. Once run, the results of a report can be viewed in the ArcSight Console Viewer
panel, saved (archived), and/or exported in a variety of formats. Reports can be scheduled
to run at regular intervals, and also can be run on demand as needed.
Reports are described in “Creating Reports” on page 335, and an overview of the whole
topic is provided in “Understanding Reporting Workflow” on page 279.
Focused reports enable you to run the same report definition on different subdivisions of
the data without having to copy and modify the master report every time. For example,
you can run an individual Top 10 Infected Systems report for each of your business
divisions.
The job scheduler enables you to schedule reports and focused reports to run
automatically at specific time intervals. (The job scheduler is also used as a part of building
trends which, by nature, involve scheduling.)
Queries and trends are intended to capture data. Reports are used to display
the data from queries and trends. For example, if you wanted to run monthly
or quarterly reports on VPN login statistics, you would first create one or
more queries to capture the data, then create trends (based on the queries)
to define a schedule for running the queries and storing the results, and
finally create and run reports on the trends. For a full walk-through of this
process, see “End-to-End Reporting Examples” on page 361.
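The VPN login workflow just described, worked through as an added example (this is not ArcSight code): a base query counts logins per user for one day, a trend runs that query on a schedule and stores each result as rows in a trend table, a second query reads the trend table rather than the raw events to roll up a month, and a report binds the result to a template. The raw events, the daily schedule and the plain-text template are constructed for the example; ArcSight's real trend tables and report templates carry far more than this model shows.

```python
from collections import defaultdict

# Constructed raw VPN login events: (date, user, outcome). Illustrative only.
RAW_EVENTS = [
    ("2012-08-30", "alice", "success"),
    ("2012-09-01", "alice", "success"),
    ("2012-09-01", "alice", "failure"),
    ("2012-09-01", "bob", "success"),
    ("2012-09-02", "alice", "success"),
    ("2012-09-02", "bob", "failure"),
    ("2012-09-02", "bob", "failure"),
]


def vpn_login_query(events, day):
    """Step 1, the base query: successes and failures per user for one day."""
    per_user = defaultdict(lambda: [0, 0])
    for event_day, user, outcome in events:
        if event_day != day:
            continue
        per_user[user][0 if outcome == "success" else 1] += 1
    return {user: tuple(counts) for user, counts in per_user.items()}


def run_trend(events, schedule, trend_table):
    """Step 2, the trend: run the base query on each scheduled day and append
    the results to the trend table as (run_day, user, successes, failures).
    The trend table is what later queries and reports read."""
    for day in schedule:
        for user, (succ, fail) in sorted(vpn_login_query(events, day).items()):
            trend_table.append((day, user, succ, fail))
    return trend_table


def monthly_login_query(trend_table, month):
    """Step 3, a query on the trend: per-user totals for one month (YYYY-MM),
    computed from the stored trend rows, not from the raw events."""
    totals = defaultdict(lambda: [0, 0])
    for run_day, user, succ, fail in trend_table:
        if run_day.startswith(month):
            totals[user][0] += succ
            totals[user][1] += fail
    # Report ordering: most failed logins first, then by user name.
    return sorted(((u, s, f) for u, (s, f) in totals.items()),
                  key=lambda row: (-row[2], row[0]))


def render_report(title, rows):
    """Step 5, the report: bind the query result to a minimal text template."""
    lines = [title, "User       Success  Failure"]
    for user, succ, fail in rows:
        lines.append(f"{user:<10} {succ:>7}  {fail:>7}")
    return "\n".join(lines)


if __name__ == "__main__":
    trend = run_trend(RAW_EVENTS, ["2012-08-30", "2012-09-01", "2012-09-02"], [])
    print(render_report("VPN logins, September 2012",
                        monthly_login_query(trend, "2012-09")))
```

The point of the intermediate trend table is visible in monthly_login_query: it never touches the raw events, so the monthly report costs one pass over a few summary rows per day instead of a pass over a month of login events, and the same stored rows can feed other queries and baselines later.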
Step 7 - Run a Report
ArcSight ships with a set of ready-made reports available under the Reports resource. (For
example, on the Navigator panel under the Reports resource look in /Reports/Shared/All
Reports/ ArcSight Solutions/. Open the sub-groups (folders) to see provided reports.)
For information on how to run an existing report, see “Running Reports” on page 377 and “Running a New or Archived Report.”
Step 8 - Archive and Maintain Reports
After running a report, you can elect to save (archive) the report results. This enables you
to retrieve a particular report for immediate viewing without having to regenerate the
report. Reports that are run on demand are saved on the Archives tab just like scheduled
reports. If the Save Output option is chosen for an on-demand report, the archived report
has an expiration date of 6 months from the time it was run (by default). If the Save
Output option is not chosen for an on-demand report, the report is maintained in the
archive for one day only.
Archived reports can also be sent to a notification group after the scheduled report is run.
For information on how to archive and maintain reports, see “Archiving and Scheduling
Reports” on page 384 and “Managing Reports” on page 381.
Managing Dependencies for Reports Resources
As you work with these resources, keep in mind that queries, trends, and reports generally
have multiple dependencies upon each other. Modifying some elements within one
resource can affect another. If modifications to a resource impact another to the extent
that the dependent resource is rendered unusable, errors are reflected in the ArcSight
Console. ArcSight manages and updates most of these resources and dependencies
automatically, but not all.
For example, a trend built on a query relies on a set of fields (columns) contained in the
base query. If you modify fields in the base query that are used in the trend, the trend is
disabled. (The proper approach for modifying a query used in a trend is to create a new
trend.) Similarly removing a resource (like a query) that another resource (like a report)
depends on generates error messages on the ArcSight Console.
Using Report Templates
To provide more flexibility in reporting, ArcSight now offers powerful report template tools
including a rich offering of ready-made templates and a template design wizard for more
customized reports. Template definitions determine how query and trend data are
displayed in a report. You can create and adjust templates to specify which data is
displayed, what visual elements are used (variations on tables, charts, graphs, and so on),
the layout of those elements, the report output file format, and much more. A template
consists of report design elements, such as headers, footers, title bars, charts, and tables,
arranged on a page according to a layout specification.
Templates can accommodate input from multiple queries and show multiple visual
elements, such as three charts and a table each pulling from a different data source, in a
single report.
You can use the templates provided or create custom templates with the report template
designer.
Navigating to Templates
In the Navigator panel, select Reports resource from the drop-down menu and click the
Templates tab.
Report templates are a component of ArcSight Reporting resource tools. Be sure to see
“Building Reports” on page 279 for an overview of all reporting tasks and tools.
Using Standard Templates
To get you started, ArcSight provides a rich set of templates you can use as-is or copy to
use as a starting point for your own template layouts. There are two ways to use standard
templates for reports. You can apply a template to an existing report, or you can create a
new report based on a template.
Applying a Template to an Existing Report
1 With the Reports resource selected in the Navigator panel, click the Reports tab.
2 If Reports groups (folders) are collapsed, click + to expand user and Shared folders and view reports.
3 Double-click the report to which you want to apply a template. (Alternatively, you can select the report, right-click and select Edit Report from the context menu.) This brings up the Report editor in the Inspect/Edit panel.
4 In the Report editor, click the Templates tab for the selected report.
5 In the Report Template field drop-down menu, select a template.
6 Click OK to apply the template and close the file browser.
7 Click Apply or OK to verify and save the template choice for the selected report.
Creating a New Report Based on a Template
1 With the Reports resource selected in the Navigator panel, click the Templates tab.
2 Right-click your user folder (group) and select New Report from Template. This launches the Reports Editor in the Inspect/Edit panel with the chosen template.
3 See “Creating Reports” on page 335 for details on how to define data for your report and fine-tune the template by means of the Template tab in the Report editor for this report.
Copying a Template
An easy way to get started customizing a template is to copy an existing template and
modify it to suit your needs. To copy a template:
1 Select the Reports resource in the Navigator.
2 Click the Templates tab.
3 Open the All Report Templates folder, navigate to a template you want to copy, and select it.
4 Left-click, and drag and drop the selected template into your user folder.
5 Select Copy from the Drag & Drop Options dialog. A copy of the template is dropped into your user folder.
Alternatively, you can select the template you want to copy in the Navigator and choose
Edit > Copy from the menus. Then select your user folder and click paste to drop the
template into the folder.
Opening the Designer to Edit a Template
1 Select the Reports resource in the Navigator.
2 Click the Templates tab.
3 Right-click a template and choose Open in Designer, or choose Edit Template and click the Open in Designer button on the Attributes tab for the template editor.
For more about using the template Designer, see “Designing Custom Templates” on
page 286.
The Report Designer is powered by InetSoft, who provide the Report
Designer’s online help.
• There are additional InetSoft documents available online for the report designer. They are attached to a Knowledge Centered Support (KCS) article entitled “InetSoft’s Online Help Guides,” available from the HP SSO support site.
• For support, contact HP Customer Support. Do not use the InetSoft support information mentioned in their documentation.
Designing Custom Templates
You can use the report template designer to create report templates specific to the needs of your organization. This can be useful, for example, if you need to customize reports per corporate branding, policy requirements, or standards compliance. (You can also copy the stock templates and use the Designer to modify these templates to suit your needs.)
Opening the Template Designer to Edit Existing Templates
1 Select the Reports resource in the Navigator.
2 Click the Templates tab.
3 Right-click a template and choose Open in Designer, or choose Edit Template and click the Open in Designer button on the Attributes tab for the template editor.
Creating a New Template
To design a custom template, you need to first create a new template then launch the
report designer wizard:
1 With the Reports resource selected in the Navigator panel, click the Templates tab.
2 Select the template group (folder) where you want to store your new template. (We suggest that you create new content in your user folder. The name of this folder depends on the user name with which you logged into the ArcSight Console.)
3 Right-click and select New Template from the context menu. This brings up the Template editor in the Inspect/Edit panel.
4 Provide a Name for the new template in the Template Editor and click OK. (Your new template is now displayed in the group you selected in the Navigator.)
5 In the Navigator panel, select the template you just created, right-click, and select Launch Designer from the context menu. This starts the Report Designer, as shown below. Use the Report Designer to create custom templates.
From the Report Designer menus, you can launch wizards for building common report
elements such as Section > Section Wizard and Query > Table Wizard.
Template Designer User Interface
The Report Template Designer provides options for creating fully customized report
templates. These topics introduce the Designer features and functions, and provide a quick
tour of the user interface (UI).
Tour of Designer UI
The Report Template Designer user interface (UI) consists of the following panels and
tools. See also “Menus” on page 289 and “Toolbars” on page 292 for detailed descriptions
of those options.
Overview Diagram
Element Map
The element map displays a hierarchical tree view of all elements in the current report. The
element map appears in a frame between the report element toolbar and the document
window, and looks like this:
Selecting an element on the element map causes that element to be selected in the report.
To display the element map, click Element Map on the View menu.
Document Window
The document window is the largest window on the Report Designer screen and contains all the currently opened report templates. Reports can be minimized, maximized, resized and moved within the document window.
• To arrange open report templates, click Cascade on the Window menu.
• To change the active report template, click the template's file name on the Window menu.
Status Bar
The status bar appears at the very bottom of the Report Designer application window and
looks like this:
The information displayed on the status bar, from left to right, is as follows:
• Current page number
• The number of elements in the current page
• The ID of the currently selected report element
• Information about the currently selected report element: ID and element type
Change the Report View
• Normal View: on the View menu, check the check box to the left of Layout View; or click the Layout toolbar button when the report is in page layout view.
• Page Layout View: on the View menu, uncheck the check box to the left of Layout View; or click the Layout toolbar button when the report is in normal view.
Change the Editing Mode
• To switch to Element Selection Mode, click the Selection Mode (Pick Tool) toolbar button.
• To switch to Text Mode, click the Text Mode (Text Tool) toolbar button.
Change the Report Magnification
To increase or decrease the display size of the report (zoom in or zoom out), select the magnification percentage from the drop-down list on the toolbar.
Menus
The Report Template Designer menus are described in the following tables.
File Menu
New: Creates a new Style Report template.
Save: Saves the current report template.
Export: Exports the current report in one of the following formats: PDF, HTML, Excel, RTF, SVG, CSV, or text.
Preview: Displays a preview of the generated report in a new window.
Print: Prints the current report.
Page Setup: Sets the current report's page format properties.
Most recently used file list: These menu items display the most recently opened reports. Clicking one of these items opens the corresponding report template in a new window.
Exit: Exits the Report Designer.
Edit Menu
Undo: Reverses, one at a time, a series of editor actions.
Copy: Copies the current selection to the clipboard.
Cut: Deletes the selection from the report and copies it to the clipboard.
Paste >> Into Page: Inserts the contents of the clipboard into the current document.
Paste >> Into Section: Inserts the contents of the clipboard into the selected Section element.
View Menu
Layout View: Sets the report view to either Normal view or Layout view.
Element Map: Displays a tree mapping all report elements on the page in a frame to the left.
Ruler: Sets the visibility of the ruler.
Grid: Sets the visibility of the grid.
Snap To Grid: Sets whether inserted report elements should be placed at the nearest grid vertex or not.
Properties: Displays the properties dialog for the selected report element.
Console: Displays the error console.
Insert Menu
Header: Elements are inserted into the page header.
Body: Elements are inserted into the page body.
Footer: Elements are inserted into the page footer.
Basic Element >> Table: Inserts a table.
Basic Element >> Text: Inserts a text element.
Basic Element >> Textbox: Inserts a text box.
Basic Element >> Image: Inserts an image.
Basic Element >> Chart: Inserts a chart.
Basic Element >> Tab: Moves the insertion point to the next tab stop.
Basic Element >> Bullet: Inserts a bulleted item.
Basic Element >> Separator: Inserts a horizontal line across the page.
Spacing Element >> Newline: Inserts a newline.
Spacing Element >> Break: Inserts a line break.
Spacing Element >> Space: Inserts a non-breaking space.
Spacing Element >> Page Break: Inserts a page break.
Spacing Element >> Conditional Page Break: Inserts a page break that only occurs when one or more specified conditions are met.
Spacing Element >> Area Break: Inserts an area break.
Special Field >> Table of Contents: Inserts a table of contents.
Special Field >> Page Number: Inserts a text element displaying the current page number into the header or footer.
Special Field >> Page Count: Inserts a text element displaying the page count into the header or footer.
Special Field >> Date: Inserts a text element displaying the current date into the header or footer.
Format Menu
Preference: Displays the formatting preferences dialog.
Draw Area: Inserts a new page area into the report template.
Order Area: Changes the flow order of the page areas in the report template.
Window Menu
Cascade: Places all document windows in a cascading arrangement.
Close All: Closes all document windows.
Window list: This list contains a menu item for each open document window. Clicking one of these items brings the corresponding window to the foreground.
Toolbars
The Report Template Designer toolbars are described in the following tables.
Standard Toolbar
Save: Saves the current report template.
Preview Report: Displays a preview of the generated report in a new window.
Print: Displays the print dialog, allowing the user to print the active document.
Selection Mode (Pick Tool): Switches to element selection mode.
Text Mode (Text Tool): Switches to text editing mode.
Cut: Copies the current selection to the clipboard and deletes the selection from the report.
Copy: Copies the current selection to the clipboard.
Paste: Inserts the contents of the clipboard into the current document.
What's This: Clicking this item and then a menu item, toolbar button or window region displays help information on what was clicked.
Layout Toolbar
Header: Elements are inserted into the page header.
Body: Elements are inserted into the page body.
Footer: Elements are inserted into the page footer.
Element Map: Sets the report view to Normal Layout view, with a tree mapping all report elements on the page in a frame to the left (in Report Designer).
Layout View: Switches between Normal and Layout views, and displays the page layout properties dialog.
Draw Area: Inserts a new page area into the report template.
Order Area: Changes the flow order of the page areas in the report template.
Columns: Places two page areas side-by-side on the page to split the report into columns. The areas flow from left to right.
Format Toolbar
Font: Sets the current font. To use Japanese characters in reports, install the Arial Unicode MS True Type font (ARIALUNI.TTF) or an equivalent Unicode font in your system font directory. Use that font for any component (such as a textbox or a table) for which you want Japanese/Unicode characters.
Font Size: Sets the current font size.
Zoom: Zooms in and out according to the percentage selected.
Bold: Makes text boldface.
Italic: Renders the current text in italics.
Underline: Underlines the current text.
Left Justify: Changes the alignment to left justification.
Center: Changes the alignment to center justification.
Right Justify: Changes the alignment to right justification.
Fill: Changes the alignment to fill justification.
Decrease Indent: Decreases the current indentation.
Increase Indent: Increases the current indentation.
Report Element Toolbar
Table: Inserts a table.
Text: Inserts a text element.
Text Box: Inserts a text box.
Chart: Inserts a chart.
Image: Inserts an image.
Separator: Draws a horizontal line across the page.
Table of Contents: Inserts a table of contents.
Tab: Moves the insertion point to the next tab stop.
Newline: Inserts a newline.
Space: Inserts a non-breaking space.
Setting Report Page Options
As a part of your report template designs, you can set page options such as page size,
orientation, margins, and so forth. The page settings you define at template design time
are built into the “deployed” template as defaults.
Setting the Page Size
1 Select File > Page Setup from the menus.
2 Select a page size from the drop-down list, or enter the size and units of measurement for non-standard page sizes.
3 Click the OK button.
Setting the Page Orientation
1 Select File > Page Setup from the menus.
2 Select either Portrait or Landscape.
3 Click the OK button.
Setting the Page Margins
1 Select File > Page Setup from the menus.
2 Set the distance, in inches, from the edge of the page for the Left, Top, Right, and Bottom fields.
3 Set the distance, in inches, from the edge of the page to the top of the page header and footer in the Header and Footer fields.
4 Click the OK button.
Setting the Page Background
Select File > Page Setup from the menus, and click the Background tab.
Setting a Background Color
1 Select the Color option.
2 Select a color from the drop-down list.
3 Click the OK button.
Setting a Background Image
1 Select the Image option.
2 Enter the path to the image.
3 Select the loading method.
4 To embed the image in the template file, check the Embed option.
5 Select either the Tile or Center positioning option.
6 Enter the preferred size of the image, or leave it unspecified to use the actual image size.
7 Click the OK button.
Editing the Page Header
1 Click the Header toolbar button or select the Header item from the Insert menu.
2 Insert and edit report elements as you would normally.
Editing the Page Footer
1 Click the Footer toolbar button or select the Footer item from the Insert menu.
2 Insert and edit report elements as you would normally.
Designing Report Flow Layout
With the Report Template Designer, you can design the flow layout for a report template
that specifies layout of the report content on the page.
Drawing a Page Area
1 Change the report view to Layout.
2 Click the Draw Area toolbar button.
3 Click and hold the left mouse button where you want the upper-left corner of the page area to be placed.
4 Continue holding the left mouse button and drag the cursor to the location you want for the lower-right-hand corner of the page area.
5 Release the mouse button.
Changing the Order of Page Areas
1. Set the report view to Page Layout.
2. Click the Order Areas toolbar button.
3. Move the mouse over the area you want to receive the flow first. The cursor should turn into a hand.
4. Click the left mouse button. The number in the corner of the page area should now be “1”.
5. Repeat steps 3 and 4 for each page area, in the order you want the content to flow.
Inserting an Area Break
1. Click the cursor on the location where you want the break.
2. Select the Area Break item from the Insert>>Spacing Element menu.
Creating a Non-flow Area
1. Set the report view to Page Layout.
2. Click the Draw Area toolbar button.
3. Click and hold the left mouse button where you want the upper-left corner of the page area to be placed.
4. Continue holding the left mouse button and drag the cursor to the location you want for the lower-right corner of the page area.
5. Release the mouse button.
6. Right-click the page area you just created.
7. Click Properties on the popup menu.
8. Disable (uncheck) the Flow Area property.
9. Click the OK button.
Creating a Fixed Position Element
1. Set the report view to Page Layout.
2. Click a non-flow area.
3. Set the report view to Normal.
4. Insert the element into the non-flow area as you would into a normal page area.
Creating an Element Associated Area
1. Set the report view to Page Layout.
2. Click the small arrow in the corner of the Layout toolbar button.
3. Click the Edit item on the drop-down menu.
4. From the drop-down list on the dialog, select the report element you want to associate with the page layout.
5. Click the New button.
6. Click the OK button.
Creating Parallel Report Flows
1. Set the report view to Page Layout.
2. Create a non-flow area to one side of the report.
3. Create normal report areas in the remaining page area however you want.
4. Right-click the non-flow area.
5. Click the Properties item on the popup menu.
6. Deselect (uncheck) the Repeat Contents property.
7. Set the report view to Normal.
8. Place report elements in the non-flow area for one part of the parallel report flow.
9. Place report elements in the other page areas for the other part of the parallel report flow.
Designing Report Tabular Layout
Using the Report Template Designer, you can define the default layout for tables in a report template.
Inserting a Row
1. Set the report view to Page Layout.
2. Click the row before which you want to insert the new row.
3. Right-click the row.
4. Click Insert Row on the popup menu.
Inserting a Column
1. Set the report view to Page Layout.
2. Click the column before which you want to insert the new column.
3. Right-click the column.
4. Click Insert Column on the popup menu.
Deleting a Row
1. Set the report view to Page Layout.
2. Click the row you want to delete.
3. Right-click the row.
4. Click the Delete Row item on the popup menu.
Deleting a Column
1. Set the report view to Page Layout.
2. Click the column you want to delete.
3. Right-click the column.
4. Click the Delete Column item on the popup menu.
Splitting a Cell
1. Set the report view to Page Layout.
2. Click the cell you want to split.
3. Right-click the cell.
4. Select the Split Cell item on the popup menu.
5. To split the cell horizontally select Rows; to split the cell vertically select Columns.
6. Enter the number of cells to split the current cell into.
7. Click the OK button.
Resizing a Cell
1. Set the report view to Page Layout.
2. Move your mouse over the cell's edge until the cursor changes to the resize cursor.
3. Press and hold the left mouse button.
4. Drag the mouse until the cell is the desired size.
5. Release the mouse button.
Building Report Elements into a Template
The following topics describe how to use the Report Template Designer to include different types of report elements in a template.
Inline Elements
Inline elements include options for inserting text, text formatting, working with tabs, and spaces.
Inserting Text
1. Click the report at the location you want to insert the text.
2. Click the Text toolbar button or select the Text item from the Insert>>Basic Element menu.
3. Type the text to display.
Formatting Text
1. Right-click the text or textbox element.
2. Select the format to apply from the Format submenu on the popup menu.
These formats are available in the Report Designer:
• Date format - Specifies conversion for date/time values.
• Decimal format - Specifies conversion for numeric values.
• Currency format - Specifies formatting of numbers as currency (with a currency symbol).
• Percent format - Specifies formatting of numbers as percentages.
Inserting a Tab
To insert a tab, press the Tab key or click the Tab toolbar button.
Setting the Tab Stops
Select the Format > Preferences item from the menus, and click the Tab Stops tab.
Adding a Tab Stop
1. Enter the distance, in inches, from the left margin at which to position the tab stop in the text field.
2. Click the Set button.
Removing a Tab Stop
1. Select the tab stop from the list.
2. Click the Clear button.
To apply the changes, click the OK button.
Inserting a Space
To insert a space, press the Space key or click the Space toolbar button.
Setting a Space's Width
1. Click the space element to format.
2. Right-click the element.
3. Select the Properties item from the popup menu.
4. Enter the width, in points, of the space in the Number of Points field.
5. Click the OK button.
Float Elements
Float elements include options for setting anchors, working with text wrap, setting margins, working with charts and text boxes, and inserting images.
Setting the Anchor
1. Move the mouse over the float element.
2. Click and hold the left mouse button.
3. Drag the element to the desired position.
4. Release the mouse button.
If a float element's anchor is not set, it is laid out as an inline element.
Setting the Text Wrapping
When one or more anchored elements exist on a line, other flow elements can wrap around the anchored elements. To set the wrapping:
1. Click the element to edit.
2. Right-click the element.
3. Select the Properties item from the popup menu.
4. Click the Layout tab.
5. Select the wrapping style to apply to this element.
The Report Designer offers these wrapping styles:
• No wrapping; the flow overlaps the float element.
• Wraps around the left side of the float element.
• Wraps around the right side of the float element.
• Wraps around both sides of the float element.
• No contents allowed on either side of the float element.
Setting the Margins
1. Click the element to edit.
2. Right-click the element.
3. Select the Properties item from the popup menu.
4. Click the Layout tab.
5. Enter the size, in points, in the Left, Top, Right, and Bottom fields.
6. Click the OK button.
Inserting a Chart
1. Click the report at the location you want to insert the chart.
2. Click the Chart toolbar button or select the Chart item from the Insert>>Basic Element menu.
3. Select the chart type from the drop-down list that appears.
Inserting a Text Box
1. Click the report at the location to insert the element.
2. Click the Text Box toolbar button or select the Text Box item from the Insert>>Basic Element menu.
3. Type the text to display.
4. Right-click the text box and select the Properties item from the popup menu to apply formatting.
Inserting an Image
1. Click the report at the location you want to insert the image.
2. Click the Image toolbar button or select the Image item from the Insert>>Basic Element menu.
3. Enter the path to the image in the text field.
4. Check the Embed option if you want to embed the image data in the report template.
5. Select the loading option (see below) to use.
6. Click the OK button.
The loading options supported by the report designer are:
• Resource - Loads the image as a resource. The path to the image must be relative to the class path.
• URL - Loads the image from the specified URL.
• Relative path - The path to the image is relative to the location of the report template in the local file system.
• Full path - The path to the image is the full path on the local file system.
Block Elements
Inserting a Table
1. Click the report at the location you want to insert the table.
2. Click the Table toolbar button.
3. Select the number of rows and columns for the table.
Or
1. Click the report at the location you want to insert the table.
2. Select the Table item from the Insert>>Basic Element menu.
3. Edit the number of rows and columns for the table by selecting the table element.
4. Right-click and select Properties.
5. Select the Headers and Data tab, modify the rows and columns fields, and click OK.
Inserting a Bullet
1. Click the report at the location you want to insert the bullet.
2. Click the Bullet toolbar button or select the Bullet item from the Insert>>Basic Element menu.
3. Type the text to appear next to the bullet. The bullet and the text are separate elements.
Inserting a Separator
1. Click the report at the location you want to insert the separator.
2. Click the Separator toolbar button or select the Separator item from the Insert>>Basic Element menu.
Inserting a Newline
1. Click the report at the location to insert the newline.
2. Click the Newline toolbar button or press the Enter key.
Changing a Newline's Height
1. Click the newline element to edit.
2. Right-click the element and select the Properties item from the popup menu.
3. Enter the number of lines in the Number of Newlines field.
4. Enter the height, in points, of each newline in the Newline Size field.
5. Click the OK button.
Inserting a Page Break
1. Click the report at the location to insert the page break.
2. Select the Page Break item from the Insert>>Spacing Element menu.
Inserting an Area Break
1. Click the location in a page area to insert the break.
2. Select the Area Break item from the Insert>>Spacing Element menu.
Drawing a Freehand Shape
1. Set the report view to Page Layout.
2. Click one of the shape buttons on the report element toolbar.
3. Press and hold the left mouse button at the location of the upper-left corner of the shape.
4. To constrain a rectangle to a square, or an oval to a circle, hold down the Shift key.
5. Drag the mouse to the location of the lower-right corner of the shape.
6. Release the mouse button.
You can draw these freehand shapes:
• A rectangle or square
• An oval or circle
• A line
Inserting a Numbered Heading
1. Click the report at the location to insert the heading.
2. Click the Heading toolbar button.
3. Select the heading level from the drop-down list.
4. Type the text for the heading.
Inserting a Table of Contents
1. Click the report at the location to insert the table of contents.
2. Click the Table of Contents toolbar button or select the Table of Contents item from the Insert>>Special Field menu.
3. Select the style for the table of contents from the drop-down list.
4. Click the OK button.
The table of contents is generated automatically, based on the numbered headings in the report.
Changing an Element's Font
1. Click the element whose font you want to modify.
2. Select the font's name from the drop-down list on the toolbar.
3. Select the font size from the drop-down list on the toolbar.
4. To make the font bold, click the Bold toolbar button.
5. For an italic font, click the Italic toolbar button.
6. To underline the font, click the Underline toolbar button.
Building Queries
A query is an ArcSight resource that defines the parameters of the data you want to report on, derived from an ArcSight data source. The result of the query then becomes the basis for one or more ArcSight reports and trends. The Query Editor is a component of the ArcSight Reporting resource tools.
Queries built for reports can also be used in query viewers.
If you want to run quick SQL queries for monitoring and analysis outside of the reporting resource, you can use query viewers. You can add query viewers to dashboards and generate simple reports on query viewer results. For information on query viewers, see Chapter 10, Query Viewers, on page 233.
How Queries Work
As a data source, queries can use the ArcSight database of events, actors, modeled
network objects (assets), cases, notifications, session lists, or active lists, or data gathered
from a trend.
In a query, you select the data fields you want to report on, specify any additional functions
you want run on them (such as sum, average, and so on), and any sort or group-by
conditions you want to add, such as grouping results by source address, zone, or priority.
Using Queries and Trends Together for Reports
A query can be used as the primary data source for a report. Or, a trend (based on one
query) can be used as the data source to another query that further refines the initial query
result. A collection of trend queries (queries that use trends as their data source) can
provide focused views of a data set which can then be fed into a single report or multiple
reports.
For a more detailed description of the relationships you can build between queries and
trends for reporting, see the “Query-Trend Relationships in Reporting” on page 319.
Using Queries in Query Viewers
You can use queries built for reports in query viewers, outside of the reporting paradigm.
Query viewers provide a “channel-style” view of SQL query results but are not limited to
events in terms of scope. They provide high-level summaries to monitor system health,
reveal trends, and allow for drill-down and investigation of all types of resources across
time. Query viewers are performance-tuned to work with trend tables rather than event
tables, and so can return results much faster than active channels.
Query viewers include their own simple reporting option by which you can initiate a report
on the query results from the query viewer.
For more about using query viewers, see Chapter 10‚ Query Viewers‚ on page 233.
Building a Query
Navigating to Queries
In the Navigator panel, select the Reports resource from the drop-down menu and click the Queries tab.
Creating a New Query
The high-level steps for creating a query are as follows:
1. Right-click a group (folder) and select New Query. This launches the Query Editor in the Inspect/Edit panel.
As a general rule, it is best to create new content in the user's own folder.
2. Define General Query Attributes. At a minimum, fill in the required values (red asterisks) on the General tab.
3. Define a schema for Query Fields.
4. Create Query Conditions.
5. Define Query Variables (optional).
6. Click Apply or OK to create the new query.
Be sure to click Apply or OK frequently to save settings as you work through the above steps. Clicking Apply saves settings and leaves the Editor open. Clicking OK saves settings and closes the Editor for this query. If you do not apply or accept settings using these buttons, your settings are not saved.
The following sections provide details on how to use the Query Editor to define query attributes, fields, conditions, and variables.
Defining Query Settings
Use the Query Editor to build a new query or edit an existing one. Query settings are defined on multiple sub-tabs.
General Query Attributes
The following fields in the Query section are required attributes that must be specified when creating a new query.

Name
Name for the query. Spaces and special characters are OK. This is an alias for the query that appears in pick lists in other editors.

Query on
From the drop-down menu, select one of the following data sources:
• Event - Select Event if you want to create a report or view trends on event activity.
• Active List - Select Active List to query or view trends on list entries. Additionally select a Query Type. (For more about active lists, see “Managing Active Lists” on page 509.)
• Actor - Select Actor to query or view trends on actor information. (For more information on actors, see “Actors” on page 189.)
• Asset - Select Asset if you want to report or view trends on statistics about the assets on your network, such as a list or count of assets categorized in a particular asset category, or the zone a particular asset is in at a particular time. (For more about assets, see “Modeling the Network” on page 679.)
• Case - Select Case if you want to report or view trends on the status of cases, such as the number of cases opened and resolved. (For more about cases, see “Case Management and Queries” on page 527.)
• Notification - Select Notification if you want to report or view trends on the status of events sent out in the notification workflow, such as the number of events in the Investigate stage. (For more about notifications, see “Managing Notifications” on page 603.)
• Session List - Select Session List to query or view trends on session activity. (For more about session lists, see “Managing Session Lists” on page 520.)
• Trend - Select Trend if you want to report or maintain trend information on the data gathered in another trend. For instructions about how to build a trend, see “Building Trends” on page 318.

Query On Resource
Available for queries on active lists. Select an active list from the drop-down panel.

Query Type
Available for queries on active lists. Select one:
• Snapshot - Select Snapshot if you want the query to return values from the active list with no historical baseline.
• Interval - Select Interval if you want to view values within a specified period.

Start Time
This field only appears if you are querying on an interval active list, event, or trend. Enter values depending on the data source you selected:
• Active List, Interval type - Specify the starting point for the data gathering from the specified active list.
• Event - Specify the starting point for the data gathering from the events database. Event data is generally kept unarchived for 30 days by default, so specify a start time within that time frame.
• Trend - Specify the starting point for the data gathering from the trends database. Be sure to specify a period within the lifecycle of the trend (otherwise, the query returns an empty result set).
Tip: If the query is used as a base query in a trend, the trend start time overrides the start time set here. See “Trend Parameters” on page 326.

End Time
This field only appears if you are querying on an interval active list, event, or trend. Enter an end time depending on the type of source data you selected:
• Active List, Interval type - Specify the ending point for the data gathering from the specified active list.
• Event - Specify the ending point for the data gathering, some time after the starting point. Keep in mind that large time spans can mean large amounts of data, which can affect system performance.
• Trend - Specify the end point for the data gathering, some time after the starting point.
Tip: If the query is used as a base query in a trend, the trend end time overrides the end time set here. See “Trend Parameters” on page 326.

Use as Timestamp
This field only appears if you are querying on an interval active list, event, or trend. It indicates which value to use as the timestamp for the report itself. This value helps with sorting and scheduling.
The following options are available for queries on events and trends:
• End Time - Select End Time if you want to use the event or trend end time you specified in the End Time field. The timestamp reflects the event end time. If you are querying on a trend, select this option.
• Manager Receipt Time - Select Manager Receipt Time to use the time the event was received at the Manager. (If you are querying on a trend, this is probably not an appropriate option to choose, because in that case Manager Receipt Time would indicate when the trend was run rather than when events were received by the Manager.)
The following options are available for interval queries on active lists:
• Date-based field on the active list - This is the default, if such a field exists in the active list.
• Creation Time - When the list was first populated (created).
• Last Modified Time - When the list was last updated.

Row Limit
Set the row limit for the data table. The default is 10000 rows.
Tip: The row limit you set here determines the row limit for reports using this query. If the query is used as a base query in a trend, the trend row limit overrides the row limit set here. See “Trend Parameters” on page 326.
The example below shows a query definition for VPN Logins Outcome - Hourly that returns
VPN login attempts over a one day period each time it is run (Start Time is $Now - 1d and
End Time is $Now).
Entering data in the Common and Assign sections is optional, depending
on how your environment is configured. For information about the
Common and Assign attributes sections, as well as the read-only
attribute fields in Parent Groups and Creation Information, see “Common
Resource Attribute Fields” on page 630.
Query Fields
The Query Fields tab contains the following main options with which to define query data and structure:
• SELECT Query Fields
• GROUP BY Query Fields
• ORDER BY Query Fields
Drag-and-drop is available on Query Structure panels. You can drag-and-drop items between options (for example, to group by Category Outcome, drag it from SELECT to GROUP BY. It stays in SELECT but is also used to GROUP BY).
Search Shortcuts
• Type part of the field name to find (for example, Name) in the Search box.
• Use the up/down arrow keys to jump to each instance of “Name” in the available fields.
• When you find the field name you want, press Return to add it to the condition statement under the selected section (SELECT, GROUP BY, or ORDER BY).
• Ctrl+F brings the Search box back into view if it is hidden.
Common Conditions Editor (CCE). The Query Editor, like other resource
editors, uses the CCE for building conditional statements (query structure).
For more tips on using the CCE, see “Common Conditions Editor (CCE)” on
page 782.
SELECT Query Fields
Click Add SELECT columns to select the data for the query. Data selected enters one big bucket, and any functions set for any of the data fields are performed on the entire bucket of data.
Fields shown in italics on the Data Options panel are derived, referenced, or side table fields (rather than “hard event data” in the main database tables). See also “Data Fields” on page 803 and “Variables” on page 947.
Query Structure (SELECT)
The Query Structure section at the top provides a summary of the fields selected in the SELECT section at the bottom. If you add GROUP BY or ORDER BY settings, these show up here also.
You can select from Fields and Global Variables, Field Sets, or Local Variables as data to build the query. Choosing a field set limits the fields shown to the selected field set.
• Click a field or variable (checkmark it) to select it.
• Click again (remove the checkmark) to deselect it.
• To edit a field or variable that you already have set as a query condition (showing under SELECT), double-click it, or select it (click once) and click the Edit button in the toolbar. (For example, you might want to edit the query by adding a function to it, as described in “Applying Functions to SELECT Columns” on page 310.)
• To duplicate a field or variable that you already have under SELECT, select it (click once), then click the Duplicate Column button in the toolbar.
• To move a column up or down, select it and click the up or down arrow in the toolbar.
You can also select a condition item and right-click to get the various Edit options (Edit, Copy, Delete, Duplicate, etc.).
Applying Functions to SELECT Columns
Optionally, you can specify an aggregate function on a particular column of data, such as a line item count, or in the case of numeric data, a sum or average.
If the query is not grouped by one or more columns, then aggregate functions added here are applied to the whole result set.
If the query is grouped by one or more columns, then the aggregate function is performed on each group individually.
Adding a function adds a data field to the query schema that provides the results of the function, which can later be displayed in a report.
To specify a function for column data, double-click a field or variable in the top pane under “SELECT” and select a Function (from the drop-down menu) to apply to the column data.
The available functions are:
• COUNT - Count the number of line items returned in this column.
• SUM - Add all numerical data in a column, such as aggregated event count.
• AVERAGE - Calculate the average of all numerical data in a column, such as aggregated event count.
• MAX - Return the highest value among the items returned in this column.
• MIN - Return the lowest value among the items returned in this column.
• Standard Deviation (STDDV) - Calculate the variation from the “average” (mean) for this column (the square root of the variance).
• VARIANCE - Calculate the amount of variation within the values returned for this column.
Select Unique to apply the function only to unique values in the column. (For example, the target address column may have 50 items in it, but only three are unique. To get a count of unique target addresses, check the Unique box.)
Click the green checkmark button to add the function.
To remove a function from a field, select the field, change the function selection to None, and click the green checkmark button again.
To cancel a modification to a function, click the cancel button or simply click elsewhere on the UI (off of the Function menu).
GROUP BY Query Fields
Click Add GROUP BY to divide query results into separate buckets. For example, you could do a “group by” if you are interested in sorting items by timestamp, such as logins between 3 and 5 p.m. Functions on GROUP BY data apply to timestamp-based fields only.
Fields shown in italics on the Data Options panel are derived, referenced, or side table fields (rather than “hard event data” in the main database tables). See also “Data Fields” on page 803 and “Variables” on page 947.
Query Structure (GROUP BY)
The Query Structure section at the top provides a summary of the fields selected in the GROUP BY section at the bottom. SELECT and ORDER BY settings show up here also.
Adding and editing fields and variables to group by works similarly to adding them for SELECT. See “Query Structure (SELECT)” on page 309.
Applying Time-Based Functions to GROUP BY Columns
You can specify a time-based function on the group by column of data. Time-based
functions apply only to time-based fields, such as event end time.
To specify a function for GROUP BY column data, double-click a field or variable in the top
pane under “GROUP BY” and select one of the available time-based functions (from the
drop-down menu) to apply to the column data.
Functions on items under GROUP BY create a separate bucket of data for each time
function specified.
To specify a function for column data, select a data field in the Query Columns section, then select a Function (from the drop-down menu) to apply to the column data:
• Second - Creates a new bucket for all events that occur in the same second.
• Minute - Creates a new bucket for all events that occur in the same 60-second period.
• Hour - Creates a new bucket for all events that occur in the same 60-minute period.
• Day - Creates a new bucket for all events that occur in the same 24-hour period.
• DayofWeek - Creates a new bucket for all events that occur on the different days of the week, such as Monday, Tuesday, and Wednesday.
• DayofMonth - Creates a new bucket for all events that occur on various days of the month, such as the first, second, and third.
• Week - Creates a new bucket for all events that occur in a week.
• Month - Creates a new bucket for all events that occur in a month.
• Year - Creates a new bucket for all events that occur in a year.
• Quarter - Creates a new bucket for all events that occur in a quarter.
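As an added illustration of how these time functions partition events (this is example code written for this page, not part of the Console or of ArcSight ESM), the Python below computes the bucket key each function would assign to an event's end time and counts events per bucket over a handful of constructed events. Note that Second, Minute and Hour keys keep the date, so 14:00 on two different days are two buckets, whereas DayofWeek and DayofMonth deliberately discard it, so every Thursday lands in one bucket. ISO week numbering, calendar quarters (January to March = Q1) and UTC as the bucketing time zone are assumptions; the exact boundaries ESM uses are not stated on this page.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample (not real data): five VPN login events with UTC end times.
SAMPLE_EVENTS = [
    {"name": "VPN Login", "end_time": datetime(2012, 9, 20, 14, 5, 10, tzinfo=timezone.utc)},
    {"name": "VPN Login", "end_time": datetime(2012, 9, 20, 14, 59, 59, tzinfo=timezone.utc)},
    {"name": "VPN Login", "end_time": datetime(2012, 9, 20, 15, 0, 0, tzinfo=timezone.utc)},
    {"name": "VPN Login", "end_time": datetime(2012, 9, 21, 9, 30, 0, tzinfo=timezone.utc)},
    {"name": "VPN Login", "end_time": datetime(2012, 10, 1, 0, 0, 0, tzinfo=timezone.utc)},
]

TIME_FUNCTIONS = ("Second", "Minute", "Hour", "Day", "DayofWeek", "DayofMonth",
                  "Week", "Month", "Year", "Quarter")


def bucket_key(ts, fn):
    """Return the GROUP BY bucket key for timestamp ts under time function fn.

    Two events land in the same bucket exactly when their keys compare equal.
    Assumption: buckets are computed in UTC; naive datetimes are treated as UTC.
    """
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    ts = ts.astimezone(timezone.utc)
    if fn == "Second":
        return ts.replace(microsecond=0)
    if fn == "Minute":
        return ts.replace(second=0, microsecond=0)
    if fn == "Hour":
        return ts.replace(minute=0, second=0, microsecond=0)
    if fn == "Day":
        return ts.date()
    if fn == "DayofWeek":
        return ts.strftime("%A")                    # Monday, Tuesday, ...
    if fn == "DayofMonth":
        return ts.day                               # 1 .. 31
    if fn == "Week":
        year, week, _ = ts.isocalendar()            # assumption: ISO week numbering
        return (year, week)
    if fn == "Month":
        return (ts.year, ts.month)
    if fn == "Year":
        return ts.year
    if fn == "Quarter":
        return (ts.year, (ts.month - 1) // 3 + 1)   # assumption: calendar quarters
    raise ValueError(f"unknown time function: {fn}")


def group_by_time(events, fn):
    """COUNT over GROUP BY fn(end_time): number of events per bucket, as a Counter."""
    return Counter(bucket_key(e["end_time"], fn) for e in events)


def bucket_counts(events, fn):
    """Same result as group_by_time, keyed by printable strings and sorted by key."""
    return sorted((str(k), n) for k, n in group_by_time(events, fn).items())


if __name__ == "__main__":
    for fn in TIME_FUNCTIONS:
        print(f"{fn:11s}", bucket_counts(SAMPLE_EVENTS, fn))
```

Running the block prints one line per time function; the Hour line shows four buckets for the five sample events (14:05 and 14:59 on 20 September share a bucket, 15:00 does not), and the DayofWeek line shows that the three 20 September events collapse into a single Thursday bucket.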
ORDER BY Query Fields
Click Add ORDER BY columns to specify the order in which you want the data in your buckets sorted. For example, you might “order by” if you were interested in the numeric value of the items in your bucket, such as the top 10 logins.
Fields shown in italics on the Data Options panel are derived, referenced, or side table fields (rather than “hard event data” in the main database tables). See also “Data Fields” on page 803 and “Variables” on page 947.
Query Structure (ORDER BY)
The ORDER BY columns can be different than the ones you chose for the query data under
SELECT. Also, you can apply functions to these columns.
Adding and editing fields and variables to order by works similarly to adding them for
SELECT. See “Query Structure (SELECT)” on page 309.
Applying a Column Function to Order By
Optionally, you can specify an aggregate function on a particular column of data to order by, such as a line item count, or in the case of numeric data, a sum or average.
You apply a function to ORDER BY columns the same way as you do to a SELECT column, and the same functions are available depending on the fields or variables chosen. See “Applying Functions to SELECT Columns” on page 310.
To specify a function for column data, double-click a field or variable in the top pane under “ORDER BY” and select a Function (from the drop-down menu) to apply to the column data.
Sort Order
Under ORDER BY you can also set the sort order on the fields/columns. By default, the sort
order is ascending (ASC). You can change it to descending (DESC).
Query Conditions
Optionally, you can create conditions on individual fields or on groups as part of the query.
You can add filters, and conditions based on assets, vulnerabilities, and active lists.
Use the Common Conditions Editor (CCE) within the query editor to create query conditions
as described in this section.
The Common Conditions Editor is used throughout the ArcSight Console for
various resources. In addition to the topics that follow on defining conditions
for a report query, see also “Common Conditions Editor (CCE)” on page 782,
“Conditional Statements” on page 796, “Conditions” on page 797, and
“Logical Operators” on page 884.
Creating Conditions on a Field
For information on how to create conditional statements, see “Common Conditions Editor (CCE)” on page 782, “Conditional Statements” on page 796, “Conditions” on page 797, and “Logical Operators” on page 884.
1. Click the Conditions tab and select data fields from the fields list below to build a condition statement in the display area at the top of the Edit sub-tab.
The data field table displays a Name, Operator, and Condition column. These three columns are combined to create <data field> <logic operator> <data field value> condition statements. For example, if monitoring a Cisco Router, you could define a condition statement to specify Device Product = Cisco Router: Device Product as the data field, equals (=) as the logic operator, and Cisco Router as the data field value.
2. In the Op column, double-click the cell and select a logic operator from the drop-down menu.
3. In the Condition column, type a data field value or double-click the cell and select a value from the drop-down menu. Press Enter to add the condition to the statement above.
4. Repeat this process to add more statements to the condition.
5. Click Apply or OK to save your changes and create the condition.
Tips on creating conditions
• Drop-down menus appear if the selected data field has a set of value options.
• For example, if the Category Behavior data field is selected, a drop-down menu appears with the value options of /Access, /Access/Start, /Access/Stop, and so on. One of the choices in this menu is /Authentication/Verify, which is the condition we selected for Category Behavior in our example condition.
• For date and time data fields, such as Detect Time, you can type an actual date value, such as 10/12/2002 8:54:00 AM, or you can use special Time variables.
• The condition statement appears as a branch under the logical operator.
• To add a condition to an event field, click in its condition box and click the ellipses icon.
• To activate all operands on the top, select an item in the editor view, as shown above.
Creating Group Conditions
Creating a group condition is similar to creating a normal condition, except you pick an aggregate function to perform on the group.
You would use it, for example, when you group by event name and want only the events with more than 100 occurrences in the query. In this case, you would add a Count() aggregate function to the eventId field, for example count(eventId) > 100, to eliminate the events that have occurred fewer than 100 times.
Query Variables
Variables are run-time information derived from the source data (event, asset, case,
notification, or trend, depending on the schema) that can be used in the query wherever
normal fields can be used.
You can create local variables which are available only to the resource you are
creating (in this case, a query), or use global variables. The following steps
describe how to set a local variable. For information on creating global
variables, see Chapter 14, Global Variables, on page 435.
To set a local variable:
1. Click the Variables tab.
2. Click Add to launch the Variables dialog.
3. The Variables dialog displays different values depending on the function you choose. In the Variables dialog, enter the following values and click OK.
Options and their descriptions:
Name: Enter a name for the variable. This is the alias that appears in the Conditions editor where you can use the variable. Spaces and special characters are OK.
Function: From the drop-down menu, select a function. For a description of each function, click Help in the lower right corner.
Arguments: The arguments section contains a series of fields where you set the parameters for the variable. The available fields vary with the function you select.
Preview: The preview area provides an interface where you can enter values for the key variable fields so you can verify that the parameters you specified return the expected results. Enter test values and click Calculate.
Editing a Query
1. Navigate to Reports in the Navigator panel, select the Queries tab, and select the query you want to modify.
2. Double-click the query, or right-click and select Edit Query from the context menu. This launches the Query Editor in the Inspect/Edit panel, and shows the definition for the selected query.
3. Edit the query definition as needed and click Apply or OK to save your changes. (Click Cancel to exit the Query editor without saving changes.)
If the query is used in a trend, the query and associated schema referenced in
the trend are set at the time the trend was created. After the trend is created,
you can add columns to the base query, but columns added to the query after
the trend is created are not used by the trend. You can remove columns from
the base query that are not used by the trend. However, if you want to add or
remove columns (data fields) in the query that are used in the trend, create a
new trend and select that modified query.
Building Trends
A trend is an ArcSight resource that defines how and over what time period data are
aggregated and evaluated for trends. A trend executes a specified query on a defined
schedule and time duration.
The ArcSight trends engine evaluates source data for trends based on event conditions
(such as number of worm outbreaks, incident time-to-close, or number of cases closed) or
common network elements (such as operating system, business role, or regulatory
compliance relevance).
Trends can be used as the primary data source for a report, or used as the data source
input to another query which is then used in a report (perhaps along with other queries or
trends).
Building trends is a component of ArcSight Reporting resource tools. Be sure to start with Chapter 11, Building Reports, on page 279 for an overview of all reporting tasks and tools, and “Understanding Reporting Workflow” on page 279 to see how trends fit into the process of creating a report.
How Trends Work
A trend references a query, specifies a schedule on which the query automatically triggers,
and provides mechanisms for efficiently storing, viewing, and leveraging the trend results
for reporting. The trend results are stored in a trend table in the ArcSight database and can
therefore be queried.
Trends can be set to run indefinitely or to end at a specified date and time. A trend can be configured to start retrieving historical data from logs, start with current events, or start at some specified time in the future. (You can also specify advanced options on how and when to build tables and store data.)
Once trend data is collected, you can view the results in the Data Viewer table and generate a trend report that displays the results in tables and graphs.
Depending on the data gathered by the base query, the trend is either a snapshot trend or an interval trend.
Snapshot Trend
A snapshot trend uses a query that operates on a fixed moment in time, for example, to
gather information about assets on your network. Snapshot trends are built from queries
based on assets, cases, or notifications. For example, snapshot queries and the trends built
from them would be used to determine metrics such as current number of assets, number
of systems with a particular operating system, or number of systems with particular
vulnerabilities. A snapshot trend operates on data in the current moment in time, and only collects data going forward. Thus, a snapshot trend cannot be used to answer the question, “how many assets were there in this zone a month ago?” You can use trends to collect data from this point forward, however, and a month from now you have a month's worth of data telling you how many assets were in this zone at regular intervals over the last month.
Interval Trend
An interval trend uses a query that operates on events that happen over a specified time window, for example, to gather information about how many events of a particular description occurred daily over a 6-month period. Interval trends are typically event-based. For example, an interval trend using a base query with a time window could gather information to determine the number of login attempts in the past hour. You can refresh an interval trend manually as needed by selecting the trend in the Navigator and clicking Refresh on the right-click context menu.
Query-Trend Relationships in Reporting
A base trend is made of one query. Trends can be used as the primary data source for a
report. Or, a trend (based on one query) can be used as the data source to another query
that further refines the initial query result. A collection of trend queries (queries that use
trends as their data source) can provide focused views of a data set, which can then be fed
into a single report or multiple reports.
For example, you could create a trend called “VPN Logins Outcome - Hourly” that
references a query that returns all VPN login attempts, successful logins, and failed
attempts. You could schedule the trend to run hourly. You can use this base trend directly
in a report.
A more powerful approach would be to further refine the data results by creating three new
trend queries, each of which takes the base trend as its data source, but then sets further
conditions on the query data to return one specialized slice of the results. One query could
return only login attempts, another only successful attempts, and another only failed
attempts. You could then draw on four queries in a single or multiple reports to show
different views of the data. (The base query would show all types of login events, and the
other three would show the focused views.)
Multiple reports can be generated from a single query or trend, and a single report can
capture data from multiple queries and trends.
The ability to automate and refine queries by feeding them into trends and vice versa, along with the flexibility in populating reports, solves many typical enterprise security reporting challenges. You can build a trend that gets a daily event count, feed the trend into a query that sums up the daily counts to get a monthly event count, and even feed that monthly count query into another trend, and so forth. Managed Security Service Providers (MSSPs) can tier query-trend approaches to create focused reports for multiple customers built from what are initially broad-range queries.
Building a Trend
Before you begin building a trend, make sure that you have a query defined that captures
the data on which to build a trend. (See “Building Queries” on page 302 if you need more
information.)
For a query used in a trend, the query and associated schema referenced in
the trend are set at the time the trend was created. After the trend is
created, you can modify some elements of the query if they do not affect the
trend. For example, you can add or remove columns in the query if the
related trend does not depend on them. Such modifications made to a
referenced query are not reflected in the trend. If you modify aspects of the
query that a trend depends on, the trend is disabled.
Navigating to Trends
In the Navigator panel, select the Reports resource from the drop-down menu and click
the Trends tab.
Creating a New Trend
The high-level steps for creating a trend are as follows:
1. Right-click a trend group (folder) and select New Trend. This launches the Trend Editor in the Inspect/Edit panel. As a general rule, it is best to create new content in your own folder.
2. Define trend attributes. At a minimum, fill in the required values (red asterisks) on the Attributes tab as described in the Trend Attributes topic.
3. Verify the trend schema represented by the selected Data Fields is appropriate.
4. Test the trend schema to make sure it is returning the expected data as described in Testing a Trend.
5. Define a trend schedule as described in Trend Schedule.
6. Click Apply or OK to create the new trend.
Do not click Apply or OK until you have defined the required values in the
Trend section (trend name and query to use) and the trend schema in the
Data Fields section of the Attributes tab. When you commit changes to the
trend, the query and the schema are set and cannot be edited. If you decide to
use a different base query or need to make a change to the schema, delete the
trend and start with a new trend.
A trend uses a “snapshot” version of the query as its data source. After you
have used a query in a trend, you can modify some elements of the query if
they do not affect the trend. For example, you can add or remove columns in
the query if the related trend does not depend on them. Such modifications
made to a referenced query are not reflected in the trend. If you modify
aspects of the query that a trend depends on, the trend is disabled.
Defining Trend Settings
Use the Trend Editor to build a new trend or edit an existing one.
Trend Attributes
The following fields in the Trend section are required attributes to specify when creating a new trend.
Trend fields and their descriptions:
Name: Name for the trend. Spaces and special characters are OK. The name you enter here is the alias that appears in data source pick lists in other editors.
Query: Specifies the query that this trend uses. If you are creating a new trend, use the Query drop-down menu to select a query as the source data for your trend.
Caution: Once the trend is created, you can add columns to the base query, but columns added to the query after the trend is created are not used by the trend. You can remove columns from the base query that are not used by the trend. However, if you want to remove columns (data fields) in the query that are used in the trend, create a new trend and select that modified query.
Enabled: By default, the Enabled check box is checked. This activates the trend to begin working on live data as soon as the trend is created. Uncheck this box if you want to experiment with the trend before pushing it live.
The example below shows a trend that uses the “VPN Login Outcome - Hourly” query as its
basis.
The Data Collection section provides default values for row limit and query duration. You
can keep the defaults or modify as needed.
Data Collection fields and their descriptions:
Trend Interval: Time span over which the trend operates. The default is one hour. For example, if the query counts the number of logins, this setting counts the number of logins every hour.
Row Limit: Maximum number of rows of data the trend captures. The default number is 1000.
The Advanced section provides optional settings to offset trend data collection and
refresh trend data at a specified point in the future. By default, the offset and refresh
values are set to None. You can keep the defaults or modify as needed.
Advanced fields and their descriptions:
Offset Collection By: Delays trend data collection by the time period specified. Offsetting trend data collection time enables you to compensate for events that arrive at the Manager late, either from a time zone lag or other data collection lag. Trend data collection starts after the time delay entered here. Enter a time delay and select Hours or Minutes from the drop-down menu. The default offset is None.
Refresh Data After: Triggers the system to automatically re-evaluate the query data at a later time to capture any additional events that may have come in late. Enter a refresh interval and select Hours or Minutes from the drop-down menu. The default refresh is None.
Note: The Manager supports late arrival of events. For example, a SmartConnector can send a batch of events later if it is falling behind. You need to explicitly schedule a refresh of trend data only if SmartConnectors frequently lag behind in sending events to the Manager. If SmartConnectors rarely go down and are generally on time delivering events, there is no need to set this option.
Partition Size: Specifies the time range of partitions for this trend data, which in effect determines the partition size. The default “time slice” for trend tables is WEEKLY. That is, if the default setting is used, each partition would contain a week's worth of data. Partition size can be set to weekly or monthly. You can always modify the Partition Size as needed by editing the trend definition.
If you import a package from an ESM system using Oracle into a system using the CORR Engine, and it contains trends with daily partitions, they are converted to weekly partitions.
Database partitioning is for space and archive management purposes (keeping trend data organized for long term storage). It can also help to improve query performance. The Partition Size works in concert with the Partition Retention Period, described below.
Partition Retention Period (in days): Specifies the number of days to retain the partitions from this trend as active in the ArcSight database. The default is 180 days. (You can always modify the Partition Retention Period as needed by editing the trend definition.)
Note: The Partition Retention Period works in combination with the Partition Size. The system makes sure you always have as much data, if not more, than you specified in the configuration of these two settings. Similarly, for factors such as time zones and daylight savings time, more data (never less) is retained. For example, if the Partition Size is set to MONTHLY and the Partition Retention Period is 45 days, the system stores two months' worth of data: two partitions. If the Partition Retention Period is set to 0 days, the data collected from one run of the trend is retained until the next partition is started. For example, if the Partition Size is MONTHLY and the Partition Retention Period is 0 days, then you keep one month's worth of data. Make sure that the trend start date is appropriate; a trend with a MONTHLY partition size, 0 days retention, and a start date near the end of the month would not maintain data for very long.
Query Overlap Time: The query overlap time is the amount of time by which the next query should overlap with the previous query (overlapping the tail end of the previous query). The default overlap is 0 (“None”), which corresponds to the normal non-overlapping trend query case.
By setting a query overlap time, you can configure a trend to support calculations like moving averages. The query overlap time extends the trend to include overlapping query ranges.
For example, to collect moving average data over a 10 day period, you could run the query each day over the previous 10 days. A query overlap time set to 0 (the default) would result in non-overlapping runs, such that the query would run every 10th day over the previous 10 days.
On the other hand, to get an overlapping trend run, you could specify a 9 day overlap. With this setting, the query would run every day (10 day query - 9 day overlap) over the previous 10 days. The trend would gather data every day for days 1-10, 2-11, 3-12, etc.
Notes:
• Queries should not normally be run on the event table for anything longer than a day. Queries longer than a day should normally only run on other trend tables to allow the query to finish in a reasonable amount of time.
• This option is enabled for snapshot trends.
Imported Trend Start Time: If the trend is exported without schedule start and end times, the trend start time specified here is used when the trend is imported. If the trend is exported without Schedule start and end times and no value is specified for Imported Trend Start Time, then when the trend is imported it defaults to using $CurrentDate as the start time. (With this setting, the trend captures data starting from 12:00:00 AM of the current day.)
Note: The imported trend start time takes effect only if the trend is exported without Schedule start time. To exclude the Schedule start time from a trend upon export, you must set the package “Format” option to “export”. For information on this, see the description of the package “Format” options in “Creating Packages” on page 633.
Imported Trend End Time: If the trend is exported without schedule start and end times, the trend end time specified here is used when the trend is imported. If the trend is exported without Schedule end time and no value is specified for Imported Trend End Time, then when the trend is imported it defaults to using no end time. (With this setting, the trend runs indefinitely until it is manually disabled or edited to include an end time.)
Note: The imported trend end time takes effect only if the trend is exported without Schedule end time. To exclude the Schedule end time from a trend upon export, you must set the package “Format” option to “export”. For information on this, see the description of the package “Format” options in “Creating Packages” on page 633.
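The run-window arithmetic described under Query Overlap Time, as an added Python example that is not ArcSight code and not part of this guide; run_windows, moving_average and the daily counts are constructed for illustration and assume a query measured in whole days:

```python
def run_windows(query_days, overlap_days, total_days):
    """Return the (first_day, last_day) windows, 1-based and inclusive, that successive
    trend runs would query.  Each run covers query_days days and the next run starts
    query_days - overlap_days days after the previous one, which is what the Query
    Overlap Time setting controls.  Only windows that fit inside total_days are returned.
    (Added illustration, not ArcSight's scheduler.)"""
    if query_days < 1:
        raise ValueError("query length must be at least one day")
    if not 0 <= overlap_days < query_days:
        # An overlap equal to or longer than the query would never advance the window.
        raise ValueError("overlap must be shorter than the query window")
    step = query_days - overlap_days
    windows = []
    first = 1
    while first + query_days - 1 <= total_days:
        windows.append((first, first + query_days - 1))
        first += step
    return windows


def moving_average(daily_counts, query_days, overlap_days):
    """Simulate a trend whose query averages a daily count over query_days days.
    daily_counts[0] is day 1.  Returns one ((first_day, last_day), average) per run."""
    results = []
    for first, last in run_windows(query_days, overlap_days, len(daily_counts)):
        window = daily_counts[first - 1:last]
        results.append(((first, last), sum(window) / len(window)))
    return results


# Constructed sample: twelve days of daily failed-login counts (not real data).
SAMPLE_DAILY_COUNTS = [40, 42, 38, 45, 41, 39, 44, 40, 43, 120, 41, 42]

if __name__ == "__main__":
    # Default overlap of 0: the query runs every 10th day over the previous 10 days.
    print(run_windows(10, 0, 30))   # [(1, 10), (11, 20), (21, 30)]
    # 9-day overlap: the query runs every day over the previous 10 days.
    print(run_windows(10, 9, 12))   # [(1, 10), (2, 11), (3, 12)]
    # The spike on day 10 lifts every window that contains it.
    for window, avg in moving_average(SAMPLE_DAILY_COUNTS, 10, 9):
        print(window, round(avg, 1))
```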
Entering data in the Common and Assign sections is optional, depending on
how your environment is configured. For information about the Common and
Assign attributes sections, as well as the read-only attribute fields in Parent
Groups and Creation Information, see “Common Resource Attribute Fields” on
page 630.
The Data Fields section is where you build the trend schema. This is populated
automatically when you first select the query to use in this trend. The list shows the data
fields collected by the query you chose. By default, all the query fields are selected for use
in the trend. If you do not want to use a particular data field, uncheck the Use box for that
item. You can also select which fields to index. Indexing is done mostly for query efficiency. It is helpful if the query you are using returns a large amount of data, and you want to run sub-queries on the data.
The Summary box at the bottom displays a summary of the query interval and the
schedule on which it runs.
Trend Schedule
Click the Trend Schedule tab to review or modify settings for the following parameters:
• Schedule Frequency - Specifies how often the query runs and gathers data. The default is to run once every hour on the hour.
• Schedule Range - Specifies start and end date/time for the period during which the trend collects data at the scheduled collection times. By default, the date and time the trend was created is used as the trend schedule start time. The default end is indefinite; that is, No End date.
With the default settings, this trend would collect data once every hour on the hour until it
is disabled manually.
A Summary of the configured schedule is shown at the bottom of the tab.
Trend Parameters
The Parameters tab lets you further refine the query results in terms of row limits, time
zone restraints, filters, and start and end times. If you set parameters in the base query
used by this trend, those parameters show up on the Trend Parameters tab. In the Trend,
you can specify default parameters.
Then at Report building time, you can opt to run the report with the default parameters or
“all parameters.” You can also further refine parameter details for a specific run of a report.
For more information on specifying parameters in reports, see “Report Parameters: Default
and Custom” on page 351 in Creating Reports.
Trend start/end times and row limits are used for gathering the data, and
overwrite the start/end times and row limits set in the base query. If you do
not customize the Trend Parameters, the defaults on this tab are used (not
the start/end times and row limit on the Query General Attributes tab).
For reporting on the data (once it is collected), you can set new start/end times and row limit in the Report Parameters tab. The report parameters prescribe only the “outbound” or publishing data derived from the data already collected, not how the data is gathered. (See “Report Parameters: Default and Custom” on page 351 in Creating Reports and “Running Reports” on page 377 for more information.)
Trend Actions (Add to Active List)
Trend actions give you the option to send specified columns (fields) in trend results to Active Lists (see “Managing Active Lists” on page 509). You do this by defining an Add to Active List trend action. On the Actions tab for a trend, you can select to send data from one or more columns in the trend results to a specified active list.
Trend actions for active lists are similar to the add to active list rule action
described in “Rule Actions Reference” on page 412 and “More Rule Actions”
on page 418. Unlike rules, however, add to active list is the only action
available for trends, and the settings are not as fine-grained as for rules; for
example, thresholds, number of events, time units, and so on do not apply to
trend actions.
How Trend Actions are Useful (Summary Views and Rules)
The Add to Active List trend action provides another mechanism to get information from
trends outside of (and in addition to) reports, and supports summary views of information
from multiple trends.
For example, you can build a single active list that gets updates from multiple trends (each
trend updating different columns in the active list). Also, a single active list can receive
updates and show information from trends as well as from other sources (for example,
rules). Alternatively, you can build multiple active lists that get updates from a single trend.
Perhaps most importantly, the ability to populate active lists with trend data makes trend
results readily available for use in rules, filters, active channels, and so forth. In previous
releases, trends could not be easily leveraged in rules and other such resources.
Example Use Case
Consider the following example use cases for leveraging trend results in active lists:
• Taking Action on Event-Based Trends. Suppose an analyst wants to monitor the logins per hour by users based on their typical hourly login patterns and flag anything that is above a certain absolute threshold or more than n times a user’s previous average.
The analyst can set up a trend to update the information in a trend table based on aggregation of per-user login events. The trend would have an action that updates an active list with the most recent results. Then, the analyst can configure a rule to update another active list when a user logs on and another rule to compare the current login count against what is normal for that user. Any gross discrepancy could be used to trigger an alarm about a possible threat.
• Taking Action on Asset-Based Trends. Suppose an analyst wants to monitor assets by how vulnerable they are, and watch for “unusual activity” on especially vulnerable assets.
The analyst can set up a trend to check vulnerability counts on assets and log the top n most vulnerable assets on a daily basis. The trend would have an action to update an active list. Incoming events on assets would trigger rules that would check this active list against the particular device and, if present, trigger extra processing.
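The comparison in the first use case, worked as an added Python example that is not part of this guide or of ArcSight; the trend row layout (User Name, Hour, Logins), the function names, the threshold values and the sample counts are assumptions:

```python
from collections import defaultdict


def hourly_login_baselines(trend_rows):
    """Average logins per hour per user, computed from earlier trend rows.
    Each row is {"User Name": ..., "Hour": ..., "Logins": ...} (assumed layout)."""
    totals = defaultdict(lambda: [0, 0])          # user -> [sum of logins, hours seen]
    for row in trend_rows:
        totals[row["User Name"]][0] += row["Logins"]
        totals[row["User Name"]][1] += 1
    return {user: logins / hours for user, (logins, hours) in totals.items()}


def flag_unusual_logins(current_counts, baselines, absolute_threshold, multiplier):
    """Return {user: reason} for users whose current-hour login count is above the
    absolute threshold or more than `multiplier` times their own hourly average.
    A user with no baseline (or an all-zero one) is judged on the absolute threshold
    only: comparing against multiplier * 0 would flag every first login."""
    flagged = {}
    for user, count in current_counts.items():
        avg = baselines.get(user, 0.0)
        if count > absolute_threshold:
            flagged[user] = f"{count} logins exceeds absolute threshold {absolute_threshold}"
        elif avg > 0 and count > multiplier * avg:
            flagged[user] = f"{count} logins is more than {multiplier}x the hourly average of {avg:.1f}"
    return flagged


# Constructed sample trend rows: per-user logins for three earlier hours (not real data).
BASELINE_ROWS = [
    {"User Name": "alice", "Hour": "2012-09-20 09:00", "Logins": 2},
    {"User Name": "alice", "Hour": "2012-09-20 10:00", "Logins": 3},
    {"User Name": "alice", "Hour": "2012-09-20 11:00", "Logins": 1},
    {"User Name": "bob", "Hour": "2012-09-20 09:00", "Logins": 10},
    {"User Name": "bob", "Hour": "2012-09-20 10:00", "Logins": 12},
    {"User Name": "bob", "Hour": "2012-09-20 11:00", "Logins": 8},
    {"User Name": "svc-backup", "Hour": "2012-09-20 09:00", "Logins": 0},
]
# Constructed counts for the hour being evaluated (what the latest trend run would add).
CURRENT_HOUR = {"alice": 9, "bob": 12, "carol": 4, "dave": 60, "svc-backup": 1}
ABSOLUTE_THRESHOLD = 50   # assumed value for "a certain absolute threshold"
MULTIPLIER = 3            # assumed value for "n times a user's previous average"


def evaluate_current_hour():
    """Run the comparison the analyst's rule would perform against the active list."""
    baselines = hourly_login_baselines(BASELINE_ROWS)
    return flag_unusual_logins(CURRENT_HOUR, baselines, ABSOLUTE_THRESHOLD, MULTIPLIER)


if __name__ == "__main__":
    for user, reason in evaluate_current_hour().items():
        print(f"{user}: {reason}")
```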
Plan and Define Active Lists with Fields Mapped to Trend
As a first step in setting up trend actions, determine which active lists the trend should
populate and with what data. You might have existing active lists to add trend data to, or
you could create new lists specifically for some trend results. (See “Example: Populating
Active Lists with Trend Results” on page 329 for an example of designing an active list
based on the trend fields you want to monitor.)
Define a Trend Action
Use the trend Actions tab to configure actions on a new or existing trend.
To define a trend action on an existing trend:
1. Select a trend in the Navigator, right-click and choose Edit Trend.
2. In the Trend Editor, click the Actions tab.
3. Select the action On Trend Run, right-click and choose Add to Active List.
Only a fields-based active list can be used in a trend action (not event-based lists). For more information on types of active lists, see “Managing Active Lists” on page 509, especially the description of how to define data for the list (“Data: Event-based, Fields-based” on page 511).
4. Select an active list from the dialog. The active list you select here is updated by this trend.
5. On the Add to Active List dialog, select fields from the trend (on the right side) to map to active list fields (on the left).
What you are doing in this step is mapping trend column names to active list column names. All the “key” columns required by the active list must have trend columns mapped to them so that the active list entry (row) is correctly updated by the trend. However, not all of the active list value columns need to have trend columns mapped. Not specifying all the key columns is an error.
6. Click OK to add the action. The action shows on the Actions tab.
Note that you could add more actions here (by selecting On Trend Run and clicking Add), edit this action, or remove it. You can add multiple actions to a single trend (i.e., configure a single trend to update particular columns in multiple active lists with trend results).
7. Click Apply or OK in the Trend Editor to save your changes.
Example: Populating Active Lists with Trend Results
Suppose you want to monitor top failed user logins daily and send that data to an active
list. (You could then configure rules to interact with the active list and trigger an alarm
based on some threshold; for example, a single user with a certain number of failed logins
per day.) To do this, you could create an active list with fields that map to a trend that
monitors “top users with failed logins”. To see the fields in this trend:
• In the Navigator, choose Reports, click the Trends tab, then navigate to //Trends/Shared/All Trends/ArcSight Foundation/Intrusion Monitoring/SANS Top5 Reports/Top Users with Failed Logins per Day.
• Select the trend, right-click and select Data Viewer from the context menu to display the trend results in the Viewer. Note the columns included by default in this trend table (TimeStamp, Day, User Name, and Number of Failed Logins).
You would need to have one or more of these fields in your active list to capture relevant data in the list, as we’ll show in the next section where we define the trend.
To continue with our example, we could create a fields-based active list with fields that
map to the trend “Top Users with Failed Logins per Day” as follows.
Name | Type | Key Field
User Name | String | This is the key field.
Day and Time | Date |
Number of Failed Logins | Long |
When the trend runs, it populates the active list with data on top users with failed logins by user name, and lists the count of failed logins for each user along with date/time information. This active list could be used as the basis for rules, filters, active channels, etc.
Notes on Trend Action Behavior
• When it is mentioned that a trend “updates” the active list entry (row), what is meant
is that the row is inserted if it is not currently present, or updated if it is. Note that the
update only populates or overrides the columns specified by the trend column mapping.
Any other active list columns that do not have trend column mappings preserve their
existing values. This means that a single active list can be updated by multiple trends,
each updating different columns. The active list is locked during the read-modify-write
cycle to avoid data corruption.
• A trend can be executed under a variety of circumstances, including refresh and
backfill. However, for purposes of updating the active list, only the most recent data
are entered into the active list. For example, no backfill data are added to the active
list. A trend refresh run does not normally cause the active list to update; the only
exception is when the most recent data are being refreshed.
• This trend action never removes entries from the active list. If you want to have
entries removed, use the active list's TTL (time-to-live) to have them expire. (For
information on the TTL setting, see related information on page 510 under Creating an
Active List.)
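The following Python model, added here as an illustration and not code from the ArcSight Console or this guide, walks through the three notes above with constructed trend rows: the ActiveList class, the second trend (with its Number of Successful Logins column), the seven-day TTL and the sample user names are all assumptions made for the example.

```python
"""Model of a trend action updating a fields-based active list (added example)."""
import threading
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Key field of the example active list described in the guide.
KEY_FIELD = "User Name"


class ActiveList:
    """Fields-based active list keyed on one field, with an optional TTL."""

    def __init__(self, key_field: str, ttl: Optional[timedelta] = None) -> None:
        self.key_field = key_field
        self.ttl = ttl
        self._rows: Dict[str, dict] = {}         # key value -> row columns
        self._touched: Dict[str, datetime] = {}  # key value -> last write time
        self._lock = threading.Lock()            # read-modify-write is serialised

    def upsert(self, trend_row: dict, mapping: Dict[str, str], now: datetime) -> str:
        """Insert the row if its key is absent, otherwise update only the mapped columns.

        `mapping` is the trend column mapping: trend column -> active list column.
        Active list columns without a mapping keep their existing values, so several
        trends can maintain different columns of the same list.
        """
        mapped = {list_col: trend_row[trend_col] for trend_col, list_col in mapping.items()}
        key = mapped[self.key_field]
        with self._lock:
            if key in self._rows:
                self._rows[key].update(mapped)
                action = "updated"
            else:
                self._rows[key] = dict(mapped)
                action = "inserted"
            self._touched[key] = now
        return action

    def expire(self, now: datetime) -> int:
        """Remove entries whose TTL has elapsed; the trend action itself never removes rows."""
        if self.ttl is None:
            return 0
        with self._lock:
            stale = [k for k, t in self._touched.items() if now - t >= self.ttl]
            for k in stale:
                del self._rows[k]
                del self._touched[k]
        return len(stale)

    def get(self, key: str) -> Optional[dict]:
        row = self._rows.get(key)
        return dict(row) if row is not None else None

    def __len__(self) -> int:
        return len(self._rows)


def apply_trend_run(alist: ActiveList, run_rows: List[dict], mapping: Dict[str, str],
                    is_most_recent: bool, now: datetime) -> int:
    """Feed one trend run into the list. Only the most recent interval reaches the
    list; backfill runs and refreshes of older intervals are skipped."""
    if not is_most_recent:
        return 0
    for row in run_rows:
        alist.upsert(row, mapping, now)
    return len(run_rows)


def demo() -> dict:
    """Constructed scenario (sample users, counts and TTL are assumptions)."""
    t0 = datetime(2012, 9, 20)
    alist = ActiveList(KEY_FIELD, ttl=timedelta(days=7))

    # Column mapping of the "Top Users with Failed Logins per Day" trend action.
    failed_map = {"User Name": "User Name", "Day": "Day and Time",
                  "Number of Failed Logins": "Number of Failed Logins"}
    # A backfill run for an earlier day: ignored, so carol is never inserted.
    backfilled = apply_trend_run(
        alist, [{"User Name": "carol", "Day": t0 - timedelta(days=3), "Number of Failed Logins": 99}],
        failed_map, is_most_recent=False, now=t0)
    inserted = apply_trend_run(
        alist, [{"User Name": "alice", "Day": t0, "Number of Failed Logins": 12},
                {"User Name": "bob", "Day": t0, "Number of Failed Logins": 7}],
        failed_map, is_most_recent=True, now=t0)

    # A second, hypothetical trend maintains its own column in the same list.
    ok_map = {"User Name": "User Name", "Successful Logins": "Number of Successful Logins"}
    apply_trend_run(alist, [{"User Name": "alice", "Successful Logins": 40}],
                    ok_map, is_most_recent=True, now=t0 + timedelta(days=1))
    # Next day's failed-logins run overrides only its mapped columns for alice.
    apply_trend_run(alist, [{"User Name": "alice", "Day": t0 + timedelta(days=1),
                             "Number of Failed Logins": 3}],
                    failed_map, is_most_recent=True, now=t0 + timedelta(days=1))

    # Seven days later bob (last written at t0) expires through the TTL; alice stays.
    expired = alist.expire(t0 + timedelta(days=7))
    return {"backfill_rows": backfilled, "inserted_rows": inserted,
            "alice": alist.get("alice"), "bob_present": alist.get("bob") is not None,
            "expired": expired, "size": len(alist)}
```

Running demo() shows the three behaviours together: the backfill run contributes nothing, alice keeps her successful-login count when the failed-login trend rewrites her row, and only the TTL removes bob.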
Editing a Trend Action
1 Navigate to the trend you want to edit.
2 Click the trend Actions tab.
3 Select the action you want to edit and click Edit.
4 On the Add to Active List dialog, make changes to the field mappings as needed and
click OK.
5 Click Apply or OK in the Trend Editor to save your changes.
Removing a Trend Action
1 Navigate to the trend you want to edit.
2 Click the Trend Actions tab.
3 Select the action you want to remove and click Remove.
4 Click Apply or OK in the Trend Editor to save your changes.
Testing a Trend
When you are creating a new trend or modifying an existing one, you might want to test it
first to determine if you have defined the trend properly to return the data you want. To
test the results of the schema you selected, make sure you are on the Schedule tab for the
trend you want to test and click Test. Here are navigation instructions in case you are not
already on that tab:
1 Navigate to Reports > Trends in the Navigator panel, and select the trend you want
to test.
2 Do one of the following:
• Right-click and choose Test from the context menu
Or
• Click Edit Trend to bring up the Trend editor in the Inspect/Edit panel. Within the
editor for the selected trend, click the Test button at the bottom of any of the
editor tabs (Attributes, Schedule, Parameters, and so forth).
This procedure evaluates the current event stream for matching events and populates the
Test Trend pop-up dialog. The message “Success: x rows” at the bottom of the dialog tells
you how many rows your trend returned.
The Test Trend sample shows a maximum of 25 rows. For interval queries, the sample also
shows data from, at most, the last hour. If there is no match for the data, the trend returns
no rows. This may mean that your current event query data contains no matching events
or resources, or it may mean that your query needs to be refined.
Viewing Trend Data
1 Navigate to Reports > Trends in the Navigator panel, and select the trend for which
you want to view the data.
2 Right-click and select Data Viewer from the context menu. This launches the Trend
Data Viewer in the Viewer panel and shows the query results. As with other ArcSight
event viewers, you can select an event or group of events, right-click, and access
various tools from the context menu to use for further investigation.
• If you are viewing a trend that was created in a previous ESM release, you may get
an error message about inconsistencies with data types concerning the Timestamp
and Char data types. This error message is seen if your base query is getting data
from a multi-mapped active list or session list with Timestamp fields. If you are
getting this error, in ESM 5.2 or later, re-create the trend using the same base
query. You should then be able to view the trend’s data without errors.
• If you recently migrated resources, be aware that resource imports and exports do
not include trend data. Be sure to run the trend to get new data before attempting
to view it, query it, or run reports on it.
Refreshing Trend Data
In addition to relying on the scheduled execution of a query according to its interval trend
schedule, you can manually refresh the trend data at any time by using the trend refresh
feature.
To manually refresh a trend table:
1 Do either of the following:
• Click the Refresh Trend Runs button on the trend’s Attributes tab for the
selected trend.
• In the Navigator, select a trend you want to refresh, right-click and select
Refresh trend runs... from the context menu.
This opens the Refresh Trends dialog, which displays the trend query start times of
the selected trend.
2 Select a period consisting of a start and end time stamp under Show Trends From,
select one or more of the trend runs under Choose Trend Runs, and click OK to
refresh the selected trend runs.
This executes the base query and refreshes the trend table for the selected runs. Trend
refresh allows you to manually re-run a trend to compensate for events that arrive at
the Manager late, either from a time zone lag or other data collection lag.
Also, you can configure data collection to be offset by some time period to compensate
for late arrival of events. For more information, see Advanced settings for trends in this
Help topic.
Editing or Viewing a Trend Definition
1 Navigate to Reports in the Navigator panel, select the Trends tab, and select the
trend you want to modify.
2 Double-click the trend, or right-click and select Edit Trend from the context menu.
This launches the Trend Editor in the Inspect/Edit panel, and shows the definition for
the selected trend.
3 Edit the schedule, advanced settings, and so forth as needed and click Apply or OK to
save your changes. (Click Cancel to exit the Trend Editor without saving changes.)
The query used for a trend and the schema are set at the time the trend was
created, and cannot be edited later. If you decide to use a different base
query or need to make a change to the schema, delete the trend and start
fresh. You can edit the base query by adding columns to it, but columns
added to the query after the trend is created are not used by the trend. You
can remove columns from the base query that are not used by the trend.
However, if you want to add or remove columns (data fields) in the query that
are used in the trend, create a new trend and select that modified query.
Using a Trend in a Query or Report
Trends can be used as the primary data source for a report. Or, a trend (based on one
query) can be used as the data source to another query that further refines the initial query
result.
For more information on next steps, see Building Queries and “Creating Reports” on
page 335.
Creating Reports
Reports are captured views or summaries of data that can be viewed in the ArcSight
Console or exported for sharing in a variety of file formats. You can create reports by
pulling together the result sets from one or more queries or trends.
For information on how to run an existing report, see “Running Reports” on page 377.
Creating Reports is a component of ArcSight Reporting resource tools. See also Chapter 11‚
Building Reports‚ on page 279 for an overview of all reporting tasks and tools, including
how to build queries or trends and how to use a provided or custom template.
How Reports Work
When you have source data defined in queries and/or trends, you can design reports to
present the data in charts and tables. You can use one of the templates provided with
ArcSight or design your own template using the Template Designer. This topic explains how
to create a report that binds result data from queries and trends to a template, once you
have one. (For information on accessing stock report templates or designing custom
templates, see “Using Report Templates” on page 283.)
The reports resource defines how query data is bound to a report template. Depending on
the report template you use, the reports editor exposes different parameters, variables,
and conditions that enable you to choose which elements of the query data you want to
show in the report. You can also apply additional functions to run on the data, and set
numerous formatting options.
Building a Report
Navigating to Reports
In the Navigator panel, select Reports resource from the drop-down menu and click the
Reports tab.
Creating a New Report
The high-level steps for creating a report are as follows:
1 Right-click a reports group (folder) and select New Report (or New Report from
Template to start with a base template that you can refine later). This launches the
Reports Editor in the Inspect/Edit panel.
As a general rule, it is best to create new content in the user's own folder.
2 Define Report Attributes such as report name, and optional aliases and
owner/notification details.
3 Select the Report Template you want to use.
4 Choose Report Data by specifying what parts of the query data you want to use for
each report element. Optionally, apply legends and top/bottom functions.
5 Specify Report Parameters output details, such as file format, paper size, and routing
instructions. You can also set limits on the query return, such as row limits and time
zone restraints, apply filters, and specify report start and end times.
6 Click Apply or OK to save settings and create the new report.
Be sure to click Apply or OK frequently to save settings intermittently as you work
through the above steps. Clicking Apply saves settings and leaves the Editor open.
Clicking OK saves settings and closes the Editor for this query. If you do not apply or
accept settings using these buttons, your settings are not saved.
7 Run the report to test it as described in Running a New or Archived Report.
The following sections provide details on how to use the Report editor to define report
attributes, apply a template, choose report data, and specify report parameters.
Defining Report Settings
Report Attributes
The Report Attributes tab is where you define a report name, set alias report name and
notification options, and view tracking details such as when the report was created and last
updated.
The following fields in the Report section are required attributes that must be specified
when creating a new query.
Report Field: Description
Name: Name for the report. Spaces and special characters are OK.
Entering data in the Common and Assign sections is optional, depending on
how your environment is configured. For information about the Common and
Assign attributes sections, as well as the read-only attribute fields in Parent
Groups and Creation Information, see “Common Resource Attribute Fields” on
page 630.
The following example shows the Report Attributes for our VPN Logins Outcome report.
Report Templates
The Templates tab is where you specify the template for the report. You can specify
fonts, colors, page headers and footers, and the chart and table combinations and layout
you want to use.
Report Template Selection
To populate the editor, select a template from the Report Template drop-down menu.
ArcSight comes with six stock templates in the System templates folder, or you can
navigate to your own template.
The example below shows the system template Three Charts Description Landscape.
Text Components
The Text Components areas for the Header, Footer, and Text sections provide fields to
specify values for each of those sections of the report page.
Attribute: Description
Header
Text: Type in the text you want to use as the header of the pages in your report, such as
the name of your department, or the series of reports to which it belongs.
Note: You can use Velocity template references for fields that accept text, as described
in “Velocity References for Reports” on page 966.
Horizontal Alignment: From the drop-down menu, select where you want the header to
appear in the header area: left, right or center.
Vertical Alignment: From the drop-down menu, select where you want the header to
appear in the header area: top, center, or bottom.
Font: From the drop-down dialog, select a font from the list of fonts available on your
local system, font size, and style (bold, italic). The preview window indicates how the
font will look.
Foreground Color: From the drop-down dialog, select a foreground color. This is the
color of the lettering.
Background Color: From the drop-down dialog, select a background color. This color
fills the header box.
Footer
Text: Type in the text you want to use as the footer of the pages in your report, such as
the name of your company, a confidentiality statement, or the date. You can use the
variables provided (such as $currrentpagenumber and $totalpagenumber for page
numbers). These are evaluated when you run the report to populate report output with
appropriate numbering.
Note: You can use Velocity template references for fields that accept text, as described
in “Velocity References for Reports” on page 966.
Horizontal Alignment: From the drop-down menu, select where you want the footer to
appear in the footer area: left, right or center.
Vertical Alignment: From the drop-down menu, select where you want the footer to
appear in the footer area: top, center, or bottom.
Font: From the drop-down dialog, select a font from the list of fonts available on your
local system, font size, and style (bold, italic). The preview window indicates how the
font will look.
Foreground Color: From the drop-down dialog, select a foreground color. This is the
color of the lettering.
Background Color: From the drop-down dialog, select a background color. This color
fills the footer box.
Text
Text: Type in the text you want to use as the title of your report, such as Top 10 Attacks
per Zone.
Horizontal Alignment: From the drop-down menu, select where you want the title to
appear in the title area: left, right or center.
Vertical Alignment: From the drop-down menu, select where you want the title to
appear in the title area: top, center, or bottom.
Font: From the drop-down dialog, select a font from the list of fonts available on your
local system, font size, and style (bold, italic). The preview window indicates how the
font will look.
Foreground Color: From the drop-down dialog, select a foreground color. This is the
color of the lettering.
Background Color: From the drop-down dialog, select a background color. This color
fills the title box.
Preview Area
The Preview Area shows the layout of the report, and does not show the formatting
updates as you go along. If you have designed other text boxes for your template, the
attributes for those text boxes are displayed here using the same format as those shown
above.
Report Data
Once the template is chosen and formatted, you are ready to populate the elements of the
report with data.
The Data tab is where you choose which parts of the query or filter result data you want to
use for each report element, apply legends and, optionally, top/bottom functions.
Use these options to select the data source (query or trend), chart and table type to use for
the report, columns to include, and details on how the chart presents data.
Binding Data to Charts in Reports
Chart Data: Description
Data Source: From the drop-down menu, select an existing data source you want to use
for the chart in your report.
The data source drop-down menu provides a list of existing resources based on the
resource type you selected in the accompanying drop-down. You can report on queries,
trends, active lists, or session lists.
When the data source is selected, the remaining elements of the Data tab populate with
the data available in the selected resource.
Chart Type: From the drop-down menu, select the type of chart you want to use for the
chart part of the report. Depending on the template you use, there may be several types
of bar charts available as well as line charts, pie charts, speedometer, and so forth. The
data source and chart type you choose apply to both the X and Y axes.
Selecting Data for the X-Axis on a Chart
If the report template you selected contains a Chart, bind your result data to the chart as
described below.
X-Axis Data Attribute: Description
Columns and Label
Available Columns: Select the data fields from the query you want to show in the X-axis
and use the right-hand arrow to move them to the Selected Columns area. The data you
select here should be the items you want to count.
For example, to build a trend report showing the number of events over time, use a trend
that captures the number of events per day. Add the end time to the X-axis to represent
the day and add the count gathered for that day to the Y-axis. In this case, the X-axis is
the data label, and the Y-axis is the count.
Selected Columns: The Selected Columns area shows which data fields you have selected
for the X-axis, and provides the opportunity to change the sort order of the data. To
change the sort order, select an item to activate the Sort check box. Select A-Z to sort
data in ascending order; select Z-A to sort data in descending order.
X-Axis Title: Specify a title for the X-axis.
Label Rotation: Select a rotation angle for the labels by entering a digit between 0 and
360. Labels refer to the individual X-axis data points, which are automatically derived
from the data. The Label Rotation controls the angle of these labels.
Display Options, Scale and Format
Font: From the drop-down menu, select a font for the X- and Y-axis text.
Show Legend: Select this box to show a legend of the data elements. Keep in mind the
number of different data elements your query may return. If the data you selected
contains many elements, the legend may be large, which reduces the available space for
the chart itself. If you choose to display the legend, you can move its location from
choices in the Placement drop-down menu.
Show Axis Grid: This setting displays the chart results in a table format alongside the
chart.
Selecting Data for the Y-Axis on a Chart
Y-axis data should be numeric. If the data you select is a non-numeric data type, such as a
string, apply a numeric summary function to it, such as Count or Count distinct.
Y-Axis Data Attribute: Description
Available Columns: Select the data fields from the query you want to show in the Y-axis
and use the right-hand arrow to move them to the Selected Columns area. The data you
select here should be the item you want to count by. For example, to show how many
addresses each of your attacker zones has, you would select the attacker address.
Summary Function: You can assign a summary function to one or more columns of data.
(In the “Function” row for a column, click in the column to get a drop-down menu of
functions.)
• Count - Provides a count of all line-items returned by the query.
Note: The Count function is a simple count of all events. It takes into consideration the
aggregated event count and counts each event in an aggregated event individually. For
example, if an event has an aggregated event count of 5, the Count function counts this
event as equivalent to 5 events (with an aggregated event count of 1 each). Take this
into account when comparing the number of rows in a report with the “grand total”
count based on the Count function.
• Count Distinct - Provides a count of how many items are unique. For example, if there
are 100 IP addresses but only 5 of them are unique, the system counts 5.
• Average - Adds the results of numeric data and divides by the number of line items.
• Sum - Adds the results of numeric data.
• Max - For numeric data, Max calculates the line item with the highest value.
• Min - For numeric data, Min calculates the line item with the lowest value.
• Median - For numeric data, Median calculates the line item with the value closest to
the middle between high and low.
• Standard Deviation - For numeric data, measures the dispersion of the values in the
data set (how spread out they are). If the data points are all close to the mean, then
the standard deviation is close to zero. If many of the data points are far from the
mean, then the standard deviation is further from zero. If all the data values are
equal, then the standard deviation is zero. The Standard Deviation is the square root
of the variance.
• Variance - For numeric data, measures how spread out the distribution of data is. The
variance is computed as the average squared deviation of each number from its mean.
The variance and the standard deviation are closely related measures of dispersion
and variability.
Selecting one of these functions activates the Aggregation tab, where you can set further
parameters on these functions. To set a function, select a column, and choose a function
from the Summary Function drop-down menu.
Y-Axis Title: Type in a title for the Y-axis. Select a rotation angle by entering a digit
between 0 and 360.
Label Rotation: Select a rotation angle for the labels by entering a digit between 0 and
360. Labels refer to the individual Y-axis data points, which are automatically derived
from the data. The Label Rotation controls the angle of these labels.
Sort by: Optionally, choose a sorting order for the data on the Y axis. You can display data
alphabetically (the default), reverse alphabetical, or sort by count.
Specifying Top/Bottom Aggregation Filters for a Chart (Optional)
You can also set Top/Bottom Counts for a chart. This tab only becomes active when a
summary function is applied to data in the Y axis. Settings in the Aggregation tab set
top/bottom counts to data with summary functions applied. This is an optional step.
On the Chart Aggregation tab, set the top or bottom filter for the chart. If there are more
charts in your report, repeat these processes until data is bound to all the charts and laid
out in your report template.
Aggregation Top/Bottom Filter: Description
None (Show all): By default, no top/bottom filter is set.
Top: Select Top if you want to show a certain number of entries with the highest values.
Enter a digit in the text box, and from the drop-down list, select an appropriate Y-axis
data column with a function applied.
Bottom: Select Bottom if you want to show a certain number of entries with the lowest
values. Enter a digit in the text box, and from the drop-down list, select an appropriate
Y-axis data column with a function applied.
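The Y-axis summary functions and the Top/Bottom filter described above, as an added Python example that is not ArcSight code: each function is implemented the way the Summary Function table defines it (Count expanding the aggregated event count, Variance as the average squared deviation from the mean), then run over a constructed event set grouped on an X-axis column. The event field names, zones and addresses are assumptions for the example, and Median on an even-sized set averages the two middle values (an assumption; the guide only says “closest to the middle”).

```python
"""Summary functions and Top/Bottom filtering for a chart (added example)."""
import math
import statistics
from collections import defaultdict
from typing import Callable, Dict, List, Sequence

Row = dict

# Constructed sample events (assumed field names, not from the guide).
# aggregatedEventCount is the per-event count that Count expands.
EVENTS: List[Row] = [
    {"attackerZone": "DMZ",      "attackerAddress": "10.0.1.5",     "aggregatedEventCount": 5,  "bytesIn": 100},
    {"attackerZone": "DMZ",      "attackerAddress": "10.0.1.5",     "aggregatedEventCount": 1,  "bytesIn": 300},
    {"attackerZone": "DMZ",      "attackerAddress": "10.0.1.9",     "aggregatedEventCount": 1,  "bytesIn": 200},
    {"attackerZone": "Internal", "attackerAddress": "192.168.1.20", "aggregatedEventCount": 2,  "bytesIn": 50},
    {"attackerZone": "Internal", "attackerAddress": "192.168.1.21", "aggregatedEventCount": 1,  "bytesIn": 150},
    {"attackerZone": "Partner",  "attackerAddress": "172.16.5.3",   "aggregatedEventCount": 10, "bytesIn": 1000},
]


def _values(rows: Sequence[Row], field: str) -> List[float]:
    return [r[field] for r in rows]


def count(rows: Sequence[Row], field: str) -> int:
    # Count expands each aggregated event into its aggregated event count,
    # so the grand total can exceed the number of report rows.
    return sum(r["aggregatedEventCount"] for r in rows)


def count_distinct(rows: Sequence[Row], field: str) -> int:
    return len({r[field] for r in rows})


def average(rows, field): return sum(_values(rows, field)) / len(rows)
def total(rows, field): return sum(_values(rows, field))
def maximum(rows, field): return max(_values(rows, field))
def minimum(rows, field): return min(_values(rows, field))
def median(rows, field): return statistics.median(_values(rows, field))  # even n: mean of middle pair (assumption)


def variance(rows: Sequence[Row], field: str) -> float:
    # Average squared deviation from the mean, as the guide defines it.
    vals = _values(rows, field)
    mean = sum(vals) / len(vals)
    return sum((v - mean) ** 2 for v in vals) / len(vals)


def std_dev(rows, field): return math.sqrt(variance(rows, field))


SUMMARY_FUNCTIONS: Dict[str, Callable] = {
    "Count": count, "Count Distinct": count_distinct, "Average": average, "Sum": total,
    "Max": maximum, "Min": minimum, "Median": median,
    "Standard Deviation": std_dev, "Variance": variance,
}


def bind_chart(events: Sequence[Row], x_axis: str, y_axis: str, function: str) -> Dict[str, float]:
    """Group events on the X-axis column and apply the Y-axis summary function."""
    groups: Dict[str, List[Row]] = defaultdict(list)
    for e in events:
        groups[e[x_axis]].append(e)
    fn = SUMMARY_FUNCTIONS[function]
    return {label: fn(rows, y_axis) for label, rows in groups.items()}


def top_bottom(series: Dict[str, float], mode: str, n: int) -> Dict[str, float]:
    """Aggregation tab filter: None (show all), Top n or Bottom n by the Y value."""
    if mode == "None":
        return dict(series)
    ranked = sorted(series.items(), key=lambda kv: kv[1], reverse=(mode == "Top"))
    return dict(ranked[:n])


def grand_total(series: Dict[str, float]) -> float:
    return sum(series.values())
```

With attackerZone on the X-axis and Count of attackerAddress on the Y-axis, the six sample events produce a grand total of 20 while Count Distinct reports at most two addresses per zone; this is the rows-versus-grand-total difference the Count note warns about.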
Binding Data to Tables in Reports
If the template you selected contains a table, use the Table Fields tab to build a visual
representation of a table in which to display the query result. You can choose the type of
data source (trend, query, active list or session list) and the particular data source (which
query, trend, etc.) to report on. Then you can select which fields from the data result you
want to show up in your report (with the “Use” check box). Use Groups to combine fields
into a single column in your Report table (drag and drop or menu commands).
Table Data: Description
Data Source: From the drop-down menu, select an existing data source you want to use
for the table part of your report.
The data source drop-down menu provides a list of existing resources based on the
resource type you selected in the accompanying drop-down. You can report on queries,
trends, active lists, or session lists.
When the data source is selected, the remaining elements of the Data tab populate with
the data available in the selected resource.
Specifying Fields for a Table
In the Available Columns area, you can select the fields you want to display in the table,
group multiple fields into a single column as needed, assign Alias names for column
headings, specify a data sort order, and set column size and alignment options.
Attribute: Description
Groups: Optionally, you can sort data results from queries by grouping two or more fields
into a single column.
To create a group: Right-click in the Groups row for a column and choose Make Group.
This brings up a dialog where you can name a new group and add the selected field.
To add fields to a group: Drag fields from the Fields row to the Groups row. Alternatively,
right-click a field and choose Add to Group. This brings up a dialog where you can name
the group to which you want to add the selected field.
Fields: This displays fields as columns for your report. The field name is displayed as it is
referred to in the ArcSight database. This field is not editable.
Use: By default, all data entries are selected for use in the table. If you do not want to
use all the available columns, uncheck the corresponding check box.
Caution: If you de-select a data entry to indicate you do not want to use that column in
the report, the column is automatically pushed to the far right (the end of the table) to
move it out of the way so that you can focus on the columns you are using. If you then
select “Use” again for that same data entry, its column is inserted back into its original
position along with the other columns you have selected to use.
Function: To set a function on a field, click in the Function row for that field's column.
Select the function you want to apply to the column from the Function drop-down menu.
Fields set with functions can be filtered in the Aggregation tab.
Alias: Enter a display name alias for the data column. For example, if the column is
referred to as Source Translated Zone Name in the ArcSight database, this name can be
shortened to Zone Name or Src Zone for display in the report table. In our example, we
provide the aliases Time instead of Timestamp and Number of Logins for Category
Outcome (Count).
Width: Set column Width to either of the following options:
• Auto - Automatically divides column width evenly among the selected columns
• User Specified Layout - This option requires that you enter numbers to specify
percentage widths for individual columns.
Sort: Indicate the sort order for the data in each column.
H Align: Right-click in the H Align row to get a drop-down menu for specifying horizontal
alignment of text in a given column. You can select left-aligned, centered, or
right-aligned text in the corresponding column.
V Align: Right-click in the V Align row to get a drop-down menu for specifying vertical
alignment of text in a given column. You can select top, bottom, middle, or baseline text
in the corresponding column.
Page Break: Right-click in the Page Break row in a column to get options for specifying a
page break before or after that column.
With the Custom Layout options, you can specify custom column widths for the data in
the table. By default, the Custom Layout drop-down menu shows User Specified
Layout, which enables you to enter a numeral to specify a percentage for individual
columns. Select one of the following:
• Fit content - Adjusts the column width to accommodate its content without wrapping.
If the content is wider than the table, the table is extended to multiple pages.
• Fit content one table area per page - Adjusts the column width to accommodate its
content without wrapping, and breaks each column onto its own page.
• Fit content to page - Adjusts the column width to accommodate its content without
wrapping, and stretches the last column to fill the page.
• Equal width columns - Each column receives the same width to fit across a single page.
• User specified layout - Enables you to enter a numeral that represents a percentage of
the overall page width. You can set a percentage for each column that totals 100%, or
enter a percentage for one column, and the others selected receive an even percentage
of the space remaining.
The Display Options area provides format options for each individual data column. This
enables you to set different font style, size, and color and column background colors for
each data column. To activate the display options, select one or more data columns:
• To select one column: click the column by its Field name.
• To select one or more contiguous columns: click a field, hold down the Shift key, and
select the remaining fields.
• To select one or more non-contiguous columns: click a field, hold down the Ctrl key
and select the remaining fields.
Attribute: Description
Font: From the drop-down menu, choose a font for the selected columns.
Foreground Color: Foreground color for text, any visible lines that describe rows/columns,
and other elements in the foreground. The example above shows all columns using black
(RGB 0,0,0).
Background Color: Background (field) color for the data column. The example above
shows the Count line with a pale yellow background (RGB 255, 255, 153).
In the Global Options area, you can set formatting options that apply to the whole table
(not just one column).
Attribute: Description
Merge cells: Indicates whether to merge cells for grouped columns. When this option is
enabled, identical values in grouped columns show only once. When this option is
disabled, identical values show as many times as they occur (regardless of whether they
are grouped).
Show group header: Indicates whether to show a group header row.
Show group columns: Enable this option to populate the grouped columns with data. (If
this option is disabled, grouped columns are empty.)
Grand total: If you want to provide a grand total of all the sections, check the Show grand
total box.
Label: If you selected a grand total, you can apply a label for the grand total. For example,
use Total VPN Login Attempts.
This is a group label for when you have a summary function that adds one or more rows at
the end of the section. If this option is enabled, the table includes an extra column with a
header derived from the content by which the section is grouped.
Click the Preview button to preview the report table with the current configuration.
Enabling the Aggregation Tab for a Table
If your report is using the Table template, the Aggregation tab is disabled by default until
the following requirements are met on the report’s Data > Fields tab:
• At least one of the columns is assigned to a group.
• At least one of the columns is set with a function.
The following scenario describes the process to enable the Aggregation tab.
1 Define the query. For example, you want to look at event names by priority. In the
query’s Fields tab, select the columns you need (Name and Priority in this case). After
selecting the columns, add these same columns to the GROUP BY list. In the
Conditions tab, define the conditions for the query (for example, you are interested in
Priority greater than 3).
2 Create a report. On the Template tab, use one of the table templates (for example,
Simple Table Portrait). In the Data tab, specify the query described in Step 1 above as
your data source. The Fields tab is automatically populated by the columns from the
query, in this case, Name and Priority.
3 On the Fields tab, create a group for one of the columns (for example, for Priority),
then select a function for another column (for example, for Name) from the drop-down
list. Columns with functions can be filtered through the Aggregation tab. For
instructions on how to add columns to groups and how to apply functions to columns,
see related information on page 347. The Aggregation tab is enabled after you click
Apply.
Set Top/Bottom Counts in Table Aggregation Tab (Optional)
If the Aggregation tab is enabled, you can set optional top/bottom counts on data with functions applied to individual fields; such fields are listed in the form Function(Field). This is an optional step.
On the Aggregation tab, set the top or bottom filter for the table. If there are more tables
in your report, repeat these processes until data is bound to all the tables and laid out in
your report template.
Aggregation Top/Bottom Filter: Description
None (Show all): By default, no top/bottom filter is set.
Top: Select Top if you want to show a certain number of entries with the highest values. Enter a digit in the text box, and from the drop-down list, select an appropriate Y-axis data column with a function applied.
Bottom: Select Bottom if you want to show a certain number of entries with the lowest values. Enter a digit in the text box, and from the drop-down list, select an appropriate Y-axis data column with a function applied.
Report Parameters: Default and Custom
The Parameters tab is where you set report output details such as file format, paper size,
and routing instructions. From here you can also set limits on the query return such as row
limits and time zone restraints, apply filters, and specify report start and end times.
[Figure: the Parameters tab. Report Parameters: set report output details. Custom Parameters: add and edit custom parameters. Query Parameters: set override parameters for query data selected for each element of the report.]
In the Report Parameters area, enter the following values. The Use Default checkboxes do not apply to these items; the default values are used until you uncheck the boxes and use a new value. Note that users can reset most of these parameters at report runtime.
Common Parameters: Description
Report Format: From the drop-down menu, select one of the following report output formats:
• pdf - Outputs the report as an Adobe PDF file.
• xls - Generates a Microsoft Excel file for tables and charts.
Note: XLS reports you run with Microsoft Excel 2002 might have page break format problems (misalignments, column spillover) due to default page size settings in Excel. To correct this problem, open the resulting XLS report in Excel, choose File > Page Setup from the menus, change the paper size to Letter (instead of Legal), and click OK to save your changes. The report then has the appropriate page break formatting. This problem does not occur in newer versions of Microsoft Excel.
Note: XLS report formats display speedometer charts as pie charts. This is a known limitation in Microsoft Excel.
• rtf - Produces a rich-text format document.
• csv - Creates tabular data as a list of comma-separated values.
Note: Reports generated in CSV format are not the full equivalent of exports to other formats like PDF or HTML. CSV format is useful for loading report data into a spreadsheet for further manipulation. Since CSV is meant to contain tabular data, only the table data of a report is normally useful. Therefore, ArcSight exports only the table data portion of a report to CSV format, ignoring any other report information such as charts or text, including report titles.
• html - Generates the report in a Web page displayed by the default web browser.
Your selection affects your choice for e-mail formats. See related information on page 353.
Page Size: From the drop-down menu, select a paper size.
Run as User: Run the report as a particular user. From the drop-down menu, select the user name by which you would like to run the report. For example, this option would allow an administrator for a Managed Security Service Provider (MSSP) to run a report for a customer. The administrator would need write permissions to the user.
Email to: You can have the report sent as e-mail to one or more ArcSight Console users. From the drop-down menu, select the Console users to whom the report should be e-mailed. The selection list is read from the Users resource (see “Managing Users” on page 585). The recipient will only see his or her user name in the To field even if there are multiple recipients for this report.
Note: By default, an e-mail is sent even if the report is empty. See related information on page 353 for details on how to turn off this setting.
Email addresses: Send the report to one or more comma-separated or semicolon-separated e-mail addresses. This option does not require the recipient to be an ArcSight Console user.
Note: The recipient will only see his or her e-mail address in the To field even if there are multiple recipients for this report.
Email Format: Specify how the report is to be accessed by the recipient.
• If the report is large and is saved (archived) to a network-accessible location, you may want to select Send URL to point users to the report. You can provide URLs for all report formats: PDF, XLS, RTF, CSV, and HTML.
• If you want to send the report directly to the user's e-mail box, select Attach Report. You can only attach PDF, XLS, RTF, and CSV report formats.
• If you want to display the report in the e-mail message body so that the recipient immediately sees the report upon opening the e-mail, select Embed Report. You can only embed CSV and HTML report formats.
Note: If you select an email format for an unsupported report format, the notification automatically uses the URL.
Email Subject: Specify the subject on the notification. Defaults to the report’s Name attribute (denoted by $ReportName). If you want to use a customized subject, type the text either in addition to the default or to replace the default entirely.
If you have set reports to be mailed to recipients, empty reports will also be
sent. This is determined by the server default property,
report.scheduler.notify_empty_reports, which is set to true. If you
don’t want empty reports to be sent, change the setting to false. The
property is stored in the server.defaults.properties file. Follow the
instructions in the ESM Administrator’s Guide on how to use this file as a
starting point for your customized properties. The details are in the guide’s
Configuration chapter, topic on Managing and Changing Properties File
Settings.
Adding Custom Parameters for Report Data
To add a custom parameter that applies to the Report data:
1 Click the Add button. Parameters added here override those set in the query. For example, if you want all the report elements to report on events for the past 2 hours, you can create a start time parameter of $Now-2h, which sets both table and chart start times to $Now-2h. Custom parameters are saved locally to the report definition, and are not persisted back in the query.
2 Give the parameter a name and map it to a query parameter.
3 Click OK to apply them to the report definition.
4 Back in the Parameters tab in the Custom Parameters section, enter an override parameter for the fields you selected from the Add Custom Parameters dialog.
5 In the Query Parameters area, enter any override values for the parameters in your query data. The Use Default checkboxes are only activated for items where default parameters exist and override values can be entered.
Enter these override parameters as needed for each chart and table.
Query Parameters: Description
Time Zone: By default, the Manager Time Zone is used. Choose the Console time zone, or another of the time zones from the drop-down list.
Filter By: Set a filter to operate on the query conditions.
Row Limit: The report gets its row limits from the settings in the query being used. By default, row limit for a table is 10000 and row limit for a chart is 25. You can change the default to manage row size.
Start Time: To set a start time that overrides the one set in the query, disable Use Default for this field and specify a start time here. For example, if you want all the report elements to report on events for the past 2 hours, you can create a start-time parameter of $Now-2h, which sets both table and chart start times to $Now-2h. This setting is saved locally as part of the report definition, not as part of the original query upon which the report is based.
End Time: To set an end time that overrides the one set in the query, disable Use Default for this field and specify an end time here. This setting is saved locally as part of the report definition, not as part of the original query or trend upon which the report is based.
6 Click Apply to save settings or OK to save settings and close the Inspect/Edit details for this report.
Displaying a Custom Parameter Prompt at Report Runtime
You can configure your report to prompt for a value at report runtime. If so, the user is
prompted by the Parameters dialog to enter a value before the report is created. This
prompt will be based on one of the report’s custom parameters. For example, you have a
report which is based on a query on assets, and you want the user to enter the first few
characters of the host name when the report is run, so that the report contains data only
about those hosts. The configuration is a two-step process:
• Defining the Prompt in the Query’s Condition Tab
• Adding the Prompt as a Custom Parameter in the Report
Defining the Prompt in the Query’s Condition Tab
In the following procedure, you will create a query condition to display the prompt. The
example is based on a query on assets.
1 On the Reports resource, select the Queries tab.
2 Locate the query being used by the report, right-click, and choose Edit Query.
3 Go to the query’s Conditions tab.
4 On the Field Set or CCE panel at the bottom of the tab, locate the field for which you want to display a prompt. Host Name is used in this example.
5 To prompt for a value for the Host Name field:
a Select a logical operator. This example uses StartsWith.
b Click the Browse icon.
c In the Advanced Editor dialog, click the Parameter check box to display the Prompt and Default Value fields.
d In the Prompt field, provide a meaningful name for this prompt. For example, your prompt can say HostName Starts with to match your logical operator. Notice that spaces are automatically replaced by underscores.
e Enter a default value (case sensitive) which can be changed at report runtime. The following example uses VA for host names starting with that string.
When specifying default values for the prompt, remember that string values are case sensitive.
f Click OK. Click on the field again on the Field Set or CCE panel to save your condition.
The Console automatically inserts the @ symbol in front of your prompt name, replaces spaces with underscores, and also adds this condition statement as shown:
[Figure: the resulting condition statement. The @ symbol is automatically inserted and spaces are replaced by underscores.]
6 Save your query. The condition you just added will be displayed on the report’s query parameters list. The next step is to add this prompt as a custom parameter in the report.
Adding the Prompt as a Custom Parameter in the Report
In the following procedure, you will add a custom parameter in your report using the field
for which we created a prompt in the query.
1 On the Reports resource, select the Reports tab.
2 Locate the report, right-click, and choose Edit Report.
3 Go to the Parameters tab and verify that the field configured in the base query is listed in the Query Parameters list.
4 Click the Add button to display the Add Custom Parameter dialog.
5 Under Map to Parameters, check the parameter corresponding to the prompt name, then enter a meaningful name in the Name field.
The name used here will be displayed to the person running the report, so make sure the name you use clearly states what the report is expected to display (host names starting with a specified text string).
In the query condition, spaces are resolved with underscores but not here, so make sure you insert the underscores as required.
Click OK.
The custom parameter is added to the Report Parameters section. Notice that the default value for the custom parameter in the Query Parameters section is not picked up in the Report Parameters section. If you want the default value to be displayed by the prompt, enter the value in the Report Parameters section.
6 Click Apply or OK to save the report.
The next time you run the report, the custom parameter will be displayed in a dialog as in
the following example:
Based on the example, you can then enter the starting character strings (case-sensitive) of
host names to be included in the report. If a default value is displayed, choose to run the
report with the default or replace the value before running. See “Running and Managing
Reports” on page 377 for more details on how to run a report.
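The following Python snippet is an added example, not code from this guide or from the ArcSight product, that models what the two-step prompt configuration above produces at report runtime: the prompt text becomes a parameter named with an @ prefix and underscores, the default value from the query condition is used unless the person running the report supplies another, and the StartsWith condition is applied case-sensitively. The asset rows, the helper names (prompt_parameter_name, resolve_prompt_value, run_prompted_report) and the assumption that the runtime value is keyed by the @ parameter name are all constructed for this illustration.

```python
# Hypothetical model of the runtime prompt; names and data are constructed, not ArcSight's.
PROMPT_TEXT = "HostName Starts with"   # text typed in the Advanced Editor Prompt field
DEFAULT_PREFIX = "VA"                  # default value entered in the Advanced Editor

# Constructed asset rows (not from the guide); only Host Name matters here.
SAMPLE_ASSETS = [
    {"hostName": "VA-vpn-01", "address": "10.1.0.5"},
    {"hostName": "NY-db-01", "address": "10.2.0.7"},
    {"hostName": "va-test-03", "address": "10.1.0.9"},   # lower case: not matched by "VA"
    {"hostName": "VA-web-02", "address": "10.1.0.12"},
]


def prompt_parameter_name(prompt_text):
    """Name the Console gives the prompt: '@' prefix, spaces replaced by underscores."""
    return "@" + prompt_text.replace(" ", "_")


def resolve_prompt_value(runtime_values, prompt_text=PROMPT_TEXT, default=DEFAULT_PREFIX):
    """Value used for this run: the entry made in the Parameters dialog when the
    custom parameter was supplied, otherwise the default from the query condition.
    (Keying runtime entries by the @ name is an assumption of this model.)"""
    return runtime_values.get(prompt_parameter_name(prompt_text), default)


def host_name_starts_with(assets, prefix):
    """The condition 'Host Name StartsWith <prefix>', matched case-sensitively,
    which is why a lower-case host name is not returned for the default 'VA'."""
    return [a["hostName"] for a in assets if a["hostName"].startswith(prefix)]


def run_prompted_report(assets, runtime_values):
    """Resolve the prompt, then apply the condition: the host names the report lists."""
    return host_name_starts_with(assets, resolve_prompt_value(runtime_values))


if __name__ == "__main__":
    print(prompt_parameter_name(PROMPT_TEXT))
    print(run_prompted_report(SAMPLE_ASSETS, {}))                                 # default "VA"
    print(run_prompted_report(SAMPLE_ASSETS, {"@HostName_Starts_with": "NY"}))   # runtime override
```

Running the block with an empty runtime dictionary shows the default in effect; passing "va" instead of "VA" returns only the lower-case host, which is the case-sensitivity caveat the guide repeats twice.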
To remove the prompt:
If the report no longer requires a prompt, undo your configurations in this sequence:
1 Remove the custom parameter from your report by selecting it on the report’s Parameters tab and clicking Remove.
2 Remove the condition for the prompt from your query by right-clicking it on the query’s Conditions tab and selecting Delete.
Running Large or Complex Reports
A very large report (for example, a 500 MB PDF report) might require so much virtual
machine (VM) memory that it can cause the ArcSight Manager to crash and re-start. To
prevent this scenario, you can set up the Manager to expose a special report parameter for
generating the report in a separate process. The separate process has its own VM and
heap, so the report is more likely to finish. Even if the memory allocated is still not enough,
the report failure will not crash the Manager. This option must be set up on the Manager to
expose it in the ArcSight Console report parameters list.
The default server property is report.canarchivereportinseparateprocess=false. You need to change this to true.
The steps are as follows:
1 Refer to the ESM Administrator’s Guide. In the Configuration chapter, follow the instructions in the topic on Managing and Changing Properties File Settings, Editing Properties. Make sure to restart the Manager after making changes. After setting the property to true, you will now have the ability to set the report parameter on the ArcSight Console.
2 On the ArcSight Console, open the report that you want to run in a separate process in the Report Editor, and click the Parameters tab. Set the parameter Generate Report In Separate Process to true.
3 Run the report. The report should run like a normal report, but it does not consume the resources of the Manager VM. See notes below for more information.
Tips:
• If a report is saved with the parameter set to true, the report is archived as a separate process even if the property report.canarchivereportinseparateprocess in server.properties is set back to false later on.
• This property indicates whether reports are allowed to be archived in a separate process. When this property is set to true, the option to run and archive the report in a separate process is available in the common properties in the Report Editor. Setting the value to true causes the report to be archived in a separate process. The benefit of archiving a report in a separate process is to avoid consuming Manager resources and potentially crashing the Manager.
• Use this parameter only in special circumstances as needed. For example, if archiving a report is causing the Manager to crash then you might apply this solution. Generally, if a report contains tables that have more than 500,000 rows with 4 or 5 columns per row it is likely that the report is large enough to over-tax the Manager VM memory. However, the tipping point may vary depending on the Manager heap size and the details and data in the tables, so it is best to only resort to this solution if you encounter problems archiving a particular report.
Reports that query over a large time range with complex joins run much faster if the query
contains a full scan database hint. This option must be set up on the Manager to expose it
in the ArcSight Console report parameters list.
The default server property is report.canquerywithfullscanhint=false. You need to change this to true.
The steps are as follows:
1 Refer to the ESM Administrator’s Guide. In the Configuration chapter, follow the instructions in the topic on Managing and Changing Properties File Settings, Editing Properties. Make sure to restart the Manager after making changes. After setting the property to true, you will now have the ability to set the report parameter on the ArcSight Console.
2 On the ArcSight Console, open the report that you want to contain the full scan hint in the Report Editor, and click the Parameters tab. Set the parameter Query with Full Scan Hint to true.
3 Run the report.
If a report is saved with the parameter true, the full database optimization
hint is applied even if the property report.canquerywithfullscanhint in
server.properties is set back to false later on.
When the property is set to true, the report uses the FULL_SCAN hint in the
SQL queries it generates to query the database. The content of the report
does not change, but the queries logged in server.report.log contain the
hint. FULL_SCAN hint can significantly reduce the runtime for SQL queries
that query events within a large time range and contain complex joins.
Use this parameter only in special circumstances if your organization has
determined with the help of customer support or professional services that it
is appropriate.
Setup to Generate Reports with Asian Fonts
To generate reports that properly display Asian character sets, use the following procedure:
1 Configure the operating system and the ArcSight Manager to support the language you are using.
2 Make sure you have Adobe Acrobat Reader 9 or later to view the PDF report.
If the Manager is running on Linux, do the following:
1 Download the ARIALUNI.TTF font from the Linux support site.
2 Go to the /usr/share/fonts/ directory and create a subdirectory called /arial.
3 Copy ARIALUNI.TTF to /usr/share/fonts/arial.
4 Make a backup of the $ARCSIGHT_HOME/reports/sree.properties file.
5 Add this property to sree.properties: font.truetype.path=/usr/share/fonts/arial
To generate a report in PDF format to display Chinese, Japanese, Korean (CJK), or Romanian characters:
1 Log in to the ArcSight Console and open the report.
2 Find the template used by the report.
3 Edit the template and select Open in Designer.
4 Edit the fields that need to display these characters.
5 Set the fonts to Arial Unicode for the fields that display these characters.
6 Save the template and click Apply.
7 Run the report with PDF format.
8 Open the generated report (using Adobe Acrobat Reader 9 or later for PDF) to see these characters.
To generate a report in RTF format to display Chinese, Japanese, Korean (CJK), or Romanian characters:
1 Log in to the ArcSight Console.
2 Select Edit > Preferences > Global Options.
3 Set the font to Arial Unicode MS.
Editing a Report
1 Navigate to Reports in the Navigator panel, select the Report tab, and select the report you want to modify.
2 Double-click the report, or right-click and select Edit Report from the context menu. This launches the Report Editor in the Inspect/Edit panel, and shows the definition for the selected report.
3 Edit the report definition as needed and click Apply or OK to save your changes. (Click Cancel to exit the Report Editor without saving changes.)
End-to-End Reporting Examples
This topic includes two examples:
Quick-start example with Report Wizard - An introductory example of how to create a simple report on the results of a single, stock query with the Report Wizard.
Advanced example - A more in-depth example reporting on the results of several trend queries and using a heavily modified three-charts template. This example walks you through creating the following resources for example queries, trend, and report:
• A base query that captures data about the number of VPN login attempts per hour.
• A trend that takes the base query as input, executes it, and stores captured data per a schedule you define.
• Queries that build on the trend to filter on various VPN login outcomes.
• A report that uses the complex queries as data sources and provides visual representations of query results in charts and tables based on an ArcSight provided template.
Even if you do not anticipate immediately having to create these elements from scratch
(ArcSight provides a starter set of stock reporting content), we suggest working through
both the simple example and the more complex one to gain an understanding of how
queries, trends, and templates work together in the context of reporting.
Refer also to other topics in Chapter 11‚ Building Reports‚ on page 279 for an overview of
all reporting tasks and tools.
Example of Creating a Simple Report with the Wizard
1 Navigate to the Reports resource in the Navigator panel and click the Reports tab. Right-click your user folder and choose Start Report Wizard. Click Next.
2 On the Report Name page, enter a name for your report. Click Next.
3 On the Data Sources page, select the Queries tab (if not already selected), and navigate the Queries tree to choose an existing query. For this example, we select the Top 10 Events query, which you can find in Queries/Shared/All Queries/ArcSight Administration/ESM/System Health/Events/Top N Activity Reports/. Click Next.
4 On the Template page, select a template. For this example, select the Simple Table Portrait template under /Report Templates Shared/All Report Templates/ArcSight System/. Click Next.
5 On the Bind page, select a template. For this example, select the Simple Table Portrait template under /Report Templates Shared/All Report Templates/ArcSight System/. Click Next.
6 Review the report configuration summary.
7 When you are satisfied with the report configuration, click Finish on the last page of the Report Wizard. The Report Editor is automatically displayed on the Attributes tab.
8 Click Apply or OK on the Report editor to apply the report name and create the report.
9 The new report is added to your Reports folder shown in the Navigator.
10 On the Navigator panel Reports tree, open your Reports folder, right-click the new report and select Run > Report with defaults.
Advanced Reporting Example Overview
We build an example query that shows the number of login attempts on a virtual private
network (VPN). Then, we use the query in a trend to collect data on VPN login attempts on
an hourly basis. Next, we build several more focused queries on top of the trend to get
views into particular slices of the data (all login attempts, successful logins, and failed
logins).
Finally, we use the data results from the queries and trends to create a report. To format
the report, we use one of the ArcSight provided templates.
Start by navigating to the Reports resource in the Navigator panel, then follow these steps
to build the example report:
You need a set of canned VPN login events to properly verify the query and
trend resources created for this example.
Step 1 - Build the VPN Logins Outcome Query
Start by building a base query that captures VPN Login Data to return a count of hourly
VPN login attempts. Following is a summary of configuration details you can use to create
this query. (If you need more general help on creating queries, refer to Building Queries.)
Query Name and Other General Attributes
Create a new query, name it, and set the required attributes for it on the Query General
tab as shown.
Query Attributes: Value
Name: VPN Logins Outcome - Hourly
Query on: Event
Start Time: $Now - 1d
End Time: $Now
Use as Timestamp: End Time
Row Limit: 10000 (this is the default)
Fields to Include in Query Result
On the Query Fields tab, select fields and apply functions as shown to populate columns in
the table of result data.
Selected Fields: Description
Category Outcome: Add the Category Outcome field to the Query Structure list by clicking the Add SELECT columns link. This enables the Query Structure’s toolbar icons and also opens the SELECT panel. From the Field Sets panel at the bottom, select Category\Category Outcome to add it to the list. This column contains the outcome of each login attempt (success or failure).
Category Outcome (COUNT): Add a second Category Outcome column to the Query Structure list to which you will apply the Count function. To get this, click the Category Outcome column you just added, then click the Duplicate Column icon on the toolbar. While this duplicate is still selected, click on it to display the column’s edit panel. Select COUNT from the Function drop-down menu (the first field), then click the checkmark icon to apply your changes. Move this column to the top of the list using the arrow on the toolbar.
Hour: Add the variable called Hour which returns the hour value based on the end time of the event. To get this variable, on the SELECT panel click the Fields & Global Variables tab. Expand All Fields\ArcSight Foundation\Variables Library\Timestamp Formats and select Hour. This column contains the date and time of the login attempt.
After you click Apply, the Group By list is automatically populated with Category Outcome
and Hour.
Query Conditions
On the Query Conditions tab, define some logical conditions for the login data that
narrow the query result to return only the data you are interested in. Filter on VPN Logins
by specifying that each login attempt must be categorized in a specific event category and
device group:
Category Behavior = /Authentication/Verify
Category Device Group = /VPN
Also, each login attempt must have a target user name value:
Target User Name Is NOT NULL
Here is how the Field Conditions on this query should look in the display:
Click Apply or OK in the Query Editor to save the new query.
Step 2 - Build the VPN Logins Outcome Hourly Trend
Next, create a new trend, name it, and set general attributes for it on the trend Attributes
tab as shown. This trend uses the data results from the VPN Logins Outcome Query you
just created. Keep the defaults for trend interval (1 hour to collect data on an hourly basis)
and row limit at 1,000 (it stops collecting data when the table is filled at that limit).
Trend Attributes: Value
Name: VPN Logins Outcome - Hourly
Query: VPN Logins Outcome - Hourly
Enabled: On
Trend Interval: 1 hour (default)
Row Limit: 1000 (default)
Under Data Fields, you can see the fields the trend is getting from the query initially
reflected with the original field names: TimeStamp, Count(Category Outcome), Category
Outcome, and Hour. For readability, change the first two fields to the aliases Time and
Number of Logins as shown below (double-click on the actual field name and type over the
existing name).
From here, you can test the trend to ensure you are getting correct data. To do this, click
the Test button on the trend Attributes tab. The Test Trend dialog returns an example
result set. For each row, the Trend should return Timestamp, count of login attempts,
Category Outcome (Attempt or Failure), Hour (from the Hour variable).
Trends also have schedules. On the Trend Schedule tab, define a schedule that specifies
how often you want to run the trend. For the example, define this one to run every hour on
the hour (Hourly, every 1 hour at “0 minutes after”).
A trend's range defines when to start and terminate the data collection. The trend starts as you specified and keeps going until it is manually terminated.
Here is the data collected from a trend that ran hourly for a few days. You can view result
data from your trend in the grid view by selecting the trend in the Navigator and clicking
the Data Viewer for it in the right-click menu.
When you are satisfied that the trend is set up correctly, click Apply or OK in the trend
Editor to save the trend.
Step 3 - Filter the Trend Data (Login Attempts, Successes,
Failures)
You can further refine the VPN login query data by creating separate queries based on the trend, each of which captures information about a particular aspect of VPN login events. Developing several trend-based queries like this (to show different data slices of common scenarios) gives you a rich set of data views from which to run reports later.
Create three more queries, all of which use the original trend as their data source, and then further filter the data to show only attempts, failures, or successes, respectively. Use each of these queries, Attempt, Failure, and Success, to further filter the login data captured in the trend:
• Login Outcome Trend Query - Attempt
• Login Outcome Trend Query - Failure
• Login Outcome Trend Query - Success
As an example of how this is done, here are the details for creating one of these; the
Failure Query definition.
Create a new query and name it Login Outcome Trend Query - Failure.
As the query's data source type, choose Trend and select the “VPN Logins Outcome - Hourly” trend.
In the Query Fields tab, choose the same fields as in the original query to populate
columns.
On the Conditions tab, specify Category Outcome = /Failure. The query only returns
the login attempts that failed.
Save your changes. You have now built a query that reports on failed VPN login trends.
Create the other two queries (Login Outcome Trend Query - Attempt and Login Outcome
Trend Query - Success) the same way specifying the appropriate Category Outcome
condition for each.
Now you are ready to report on the trend data.
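To make the query, trend and trend-query relationship of Steps 1 to 3 concrete, here is an added Python example (not code from this guide or from ArcSight ESM) that reproduces the same pipeline over an in-memory SQLite store. The base query is written as the SQL its Field Conditions and GROUP BY amount to; run_trend models one scheduled hourly execution that persists the query result into a trend table with the Time and Number of Logins aliases and honours the trend Row Limit; trend_query is the Step 3 filter, Category Outcome = /Failure and the like, with the trend as its data source. The event rows, table names, the ISO text representation of End Time and every function name are constructed for this illustration; the column values follow the ArcSight category fields the guide names.

```python
import sqlite3
from datetime import datetime, timedelta

TREND_ROW_LIMIT = 1000   # the trend's Row Limit default named in Step 2

# Constructed sample VPN events (not from the guide). The columns mirror the
# ArcSight event fields the base query uses; End Time is stored as ISO text so
# SQLite's strftime() can derive the Hour variable from it.
T0 = datetime(2012, 9, 20, 8, 0, 0)
SAMPLE_EVENTS = [
    # (categoryBehavior, categoryDeviceGroup, categoryOutcome, targetUserName, endTime)
    ("/Authentication/Verify", "/VPN", "/Success", "alice", T0 + timedelta(minutes=5)),
    ("/Authentication/Verify", "/VPN", "/Failure", "bob", T0 + timedelta(minutes=12)),
    ("/Authentication/Verify", "/VPN", "/Failure", "bob", T0 + timedelta(minutes=13)),
    ("/Authentication/Verify", "/VPN", "/Attempt", "carol", T0 + timedelta(minutes=40)),
    ("/Authentication/Verify", "/VPN", "/Success", "dave", T0 + timedelta(hours=1, minutes=3)),
    # Excluded by the Field Conditions: no Target User Name / not a VPN device group.
    ("/Authentication/Verify", "/VPN", "/Failure", None, T0 + timedelta(hours=1, minutes=9)),
    ("/Authentication/Verify", "/Firewall", "/Failure", "eve", T0 + timedelta(hours=1, minutes=20)),
    ("/Authentication/Verify", "/VPN", "/Failure", "frank", T0 + timedelta(hours=2, minutes=1)),
]

# Step 1 as SQL: COUNT(Category Outcome), Category Outcome and Hour, grouped by
# Category Outcome and Hour, restricted by the three Field Conditions.
BASE_QUERY_SQL = """
SELECT COUNT(categoryOutcome) AS number_of_logins,
       categoryOutcome,
       CAST(strftime('%H', endTime) AS INTEGER) AS hour
FROM events
WHERE categoryBehavior = '/Authentication/Verify'
  AND categoryDeviceGroup = '/VPN'
  AND targetUserName IS NOT NULL
  AND endTime >= ? AND endTime < ?
GROUP BY categoryOutcome, strftime('%H', endTime)
ORDER BY hour, categoryOutcome
"""


def fmt(ts):
    """Format a datetime the way the sample store keeps End Time."""
    return ts.isoformat(sep=" ")


def open_db():
    """In-memory store with the sample events and an empty trend table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE events (
        categoryBehavior TEXT, categoryDeviceGroup TEXT, categoryOutcome TEXT,
        targetUserName TEXT, endTime TEXT)""")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?)",
                     [(b, g, o, u, fmt(t)) for b, g, o, u, t in SAMPLE_EVENTS])
    # Trend Data Fields, the first two under the aliases Time and Number of Logins.
    conn.execute("""CREATE TABLE trend_vpn_logins_outcome_hourly (
        time TEXT, number_of_logins INTEGER, categoryOutcome TEXT, hour INTEGER)""")
    return conn


def run_base_query(conn, start, end):
    """'VPN Logins Outcome - Hourly' query over the half-open window [start, end)."""
    return conn.execute(BASE_QUERY_SQL, (fmt(start), fmt(end))).fetchall()


def run_trend(conn, run_time, row_limit=TREND_ROW_LIMIT):
    """One scheduled trend run (hourly, at 0 minutes after): execute the base
    query over the preceding 1-hour interval and store the rows, stopping once
    the trend table holds row_limit rows. Returns the number of rows stored."""
    rows = run_base_query(conn, run_time - timedelta(hours=1), run_time)
    held = conn.execute("SELECT COUNT(*) FROM trend_vpn_logins_outcome_hourly").fetchone()[0]
    room = max(0, row_limit - held)
    to_store = [(fmt(run_time), n, outcome, hour) for n, outcome, hour in rows[:room]]
    conn.executemany("INSERT INTO trend_vpn_logins_outcome_hourly VALUES (?, ?, ?, ?)", to_store)
    conn.commit()
    return len(to_store)


def trend_query(conn, outcome=None):
    """'Login Outcome Trend Query - <Outcome>' of Step 3: the trend as data source,
    filtered on Category Outcome = outcome (None returns every stored row)."""
    sql = "SELECT time, number_of_logins, categoryOutcome, hour FROM trend_vpn_logins_outcome_hourly"
    params = ()
    if outcome is not None:
        sql += " WHERE categoryOutcome = ?"
        params = (outcome,)
    return conn.execute(sql + " ORDER BY time, hour, categoryOutcome", params).fetchall()


def collect_sample_trend(runs=3, row_limit=TREND_ROW_LIMIT):
    """Simulate the first `runs` hourly trend executions after T0 and return the
    connection so the filtered trend queries can be run against it."""
    conn = open_db()
    for h in range(1, runs + 1):
        run_trend(conn, T0 + timedelta(hours=h), row_limit)
    return conn


if __name__ == "__main__":
    conn = collect_sample_trend()
    for outcome in ("/Attempt", "/Failure", "/Success"):
        print(outcome, trend_query(conn, outcome))
```

Running the block shows why the trend is the right place to filter: the base query is executed once per interval and its grouped counts are stored with the run time, so the three Step 3 queries are cheap selections over that stored table rather than fresh scans of the event store. Passing a small row_limit to collect_sample_trend demonstrates the guide's note that the trend stops collecting once its table is full.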
Step 4 - Create the VPN Logins Outcome Report on Trend Data
You can leverage multiple data sources in your report. For this example, you can use all
three of the VPN Login trend-based queries you just built to create a report.
On the Reports tab, create a new report in your user folder and name it VPN Login
Outcome Trend.
Choose a Template and Bind it to Result Data
A Template defines the visual constructs of a report such as layout, portrait or landscape,
number of tables, number and types of charts, placeholders for text areas, and so on. You
can find the ArcSight provided templates under Report Templates/Shared/All Report
Templates/Arcsight System/.
In the Editor (Inspect/Edit panel) for your new report, click the Template tab and select
the Three Charts Description Landscape to use as the Report Template. (Look in the
drop-down tree under 3 charts/Without Table/ to find this template). In the preview panel
you can see what the report template looks like. Double-click the template preview to open
it in the viewer. Here you can see what the report looks like before adding the data.
On the Reports Data tab, you can bind each of the three charts in the template to each of
the VPN login “trend” queries. (The data source type for each of these charts is a query,
but remember that each of the queries uses a trend as its data source, which, in turn, was
built on our original query.)
Chart 1: On the Report Data Chart 1 tab, select Login Outcome Trend Query - Attempt as
the Data Source for the first chart. This query returns the number of login attempts per
hour. On the X-Axis (horizontal) tab, add the Hour value to the Selected Columns; the Hour
value is shown on the X axis of the chart. On the Y-Axis (vertical) tab, place the Number of
Logins (Category Outcome with “Count” applied to it) in Selected Columns; this is shown on
the Y axis of the chart. For Chart Type, select a line chart.
Chart 2: On the Report Data Chart 2 tab, select Login Outcome Trend Query - Failure as
the data source for the second chart. This query returns the number of failed logins per
hour. Configure this chart also to show the Hour value on the X (horizontal) axis, and the
number of failed logins on the Y (vertical) axis.
Chart 3: On the Report Data Chart 3 tab, select Login Outcome Trend Query - Success as
the data source for the third chart. This query returns the number of successful logins per
hour. Specify the same X and Y axis assignments as for the other charts.
At this point, since you have selected some data for the report, you can click Apply to
create the new report and then continue working. It is a good idea to save frequently.
Using Custom Parameters
On the Report Parameters tab, you can view all the common parameters for the report
(in Report parameters area), and all the parameters required for each chart (in Query
Parameters area).
You can also provide Custom parameters. You can use Custom parameters to tie together
similar parameters from multiple queries for one consistent value. For example, we could
do this with Start Time and End Time.
Create a new Custom parameter called “start_time”.
Click the Add button on the Parameters tab, and create a new parameter called
start_time to prompt for Start Time field values. Map it to “Start Time” for all three charts
(Chart 1, Chart 2, and Chart 3).
The custom parameter is added to the list of report parameters under Custom Parameters.
Similarly, add an End Time by adding a new parameter called “end_time” and map it to End
Time for all three charts.
On the Parameters tab under Custom Parameters, use the drop-down menus to choose the
following values for your new parameters:
• Set start_time to $Now-1d
• Set end_time to $Now
Click Apply or OK in the Report Editor to save the new report.
Step 5 - Run the Report
To run the report, select the VPN Login Outcome Trend report in the Navigator panel and
choose Run > Report with defaults from the right-click menu to run and view the
report.
In the Web Viewer we now have a report with three charts, each showing a different slice of
the data:
• Number of login attempts
• Number of failed logins
• Number of successful logins
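The three trend queries and the charts bound to them amount to one aggregation: count VPN login events per hour and per Category Outcome, then slice the result by outcome. The following Python example, added here as an illustration and not code from the ArcSight product or from this guide, performs that aggregation offline on a constructed set of events so you can check what the three charts should show for a given start_time/end_time window. It also goes one step beyond the page by flagging hours in which failed logins reach a threshold, which is how the failure chart is usually read. The event field names (endTime, categoryOutcome, sourceUserName) are assumed to match the ArcSight schema; the events themselves are made up.

```python
from collections import Counter
from datetime import datetime

# Constructed sample of normalized VPN login events (not real data). Field names
# follow the ArcSight schema as used in the text: categoryOutcome carries
# /Attempt, /Failure or /Success, and endTime is the event timestamp.
SAMPLE_EVENTS = [
    {"endTime": ts, "categoryOutcome": outcome, "sourceUserName": user}
    for ts, outcome, user in [
        ("2012-09-19T08:05:10", "/Success", "alice"),
        ("2012-09-19T08:40:02", "/Failure", "bob"),
        ("2012-09-19T08:41:30", "/Attempt", "dave"),
        ("2012-09-19T09:01:00", "/Failure", "mallory"),
        ("2012-09-19T09:01:05", "/Failure", "mallory"),
        ("2012-09-19T09:01:09", "/Failure", "mallory"),
        ("2012-09-19T09:01:14", "/Failure", "mallory"),
        ("2012-09-19T09:30:00", "/Success", "carol"),
        ("2012-09-19T09:45:12", "/Attempt", "eve"),
        ("2012-09-20T09:15:00", "/Success", "alice"),  # outside the window used below
    ]
]


def hour_bucket(ts):
    """Truncate an ISO-8601 timestamp to the start of its hour: the trend's Hour column."""
    return datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0).isoformat()


def build_trend(events, start, end):
    """Equivalent of the hourly trend: count events per (Hour, Category Outcome) for
    events whose endTime lies in [start, end). start/end are ISO-8601 strings, the
    resolved values of the report's start_time and end_time parameters."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    trend = Counter()
    for event in events:
        when = datetime.fromisoformat(event["endTime"])
        if lo <= when < hi:
            trend[(hour_bucket(event["endTime"]), event["categoryOutcome"])] += 1
    return trend


def trend_query(trend, outcome):
    """Equivalent of 'Login Outcome Trend Query - <outcome>' (Category Outcome = outcome):
    the trend rows for that outcome as (Hour, Number of Logins) pairs, ready to chart."""
    return sorted((hour, n) for (hour, o), n in trend.items() if o == outcome)


def failure_spikes(trend, threshold):
    """Beyond the text: hours in which failed logins reached the threshold, which are the
    hours an analyst reads first on the failure chart (possible password guessing)."""
    return [hour for hour, n in trend_query(trend, "/Failure") if n >= threshold]


if __name__ == "__main__":
    trend = build_trend(SAMPLE_EVENTS, "2012-09-19T00:00:00", "2012-09-20T00:00:00")
    for outcome in ("/Attempt", "/Failure", "/Success"):
        print(outcome, trend_query(trend, outcome))
    print("failure spikes:", failure_spikes(trend, 3))
```

With the constructed events and a one-day window, the failure view shows one failed login in the 08:00 hour and four in the 09:00 hour, and only the 09:00 hour crosses a threshold of three; the event on 2012-09-20 is excluded by the window, which is exactly what the start_time/end_time parameters do for the real report.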
Chapter 12
Running and Managing Reports
This topic describes how to run and manage various types of reports. Information is included
on working with ad hoc reports, archived reports, focused reports, delta reports, and
scheduled reports. The topic on Running Reports includes detail on setting report
parameters at run time. Also included is information on how to import and export reports,
and how to work with report groups.
“Running Reports” on page 377
“Managing Reports” on page 381
“Archiving and Scheduling Reports” on page 384
Running Reports
Defined reports are usually run on a schedule and their output archived automatically. But
there are also many occasions when you need to run the basic report types directly.
See also Chapter 11‚ Building Reports‚ on page 279 for an overview of all reporting tasks
and tools, including how to develop new reports, queries, or trends using a provided or
custom template.
Tips:
• No more than 5 reports can be run at the same time. The number of reports allowed to
run simultaneously is a configurable parameter on the Manager in
ARCSIGHT_HOME/config/server.properties.
• If you are having problems running a large or complex report, refer to the topic
“Running Large or Complex Reports” on page 358.
• If you are having problems running PDF reports with Asian fonts, see the topic “Setup
to Generate Reports with Asian Fonts” on page 360.
• If a report does not show up as expected, try restarting the Console and running the
report again.
Running a New or Archived Report
When you run reports, you most often use an existing report definition, or a copy of a
report already defined, run, and archived for later use. Defining new reports is a separate
topic described in Creating a Report. Please see also “Archiving a Report” on page 384 and
“Scheduling Report Tasks” on page 387.
If you are having problems running a large or complex report, refer to the
topic “Running Large or Complex Reports” on page 358.
If you are having problems running PDF reports with Asian fonts, see the
topic “Setup to Generate Reports with Asian Fonts” on page 360.
Running a Defined Report
1 In the Navigator panel, choose the Reports resource tree.
2 Click the Reports tab.
3 Navigate the Reports tree, and select the report you want to run.
4 Right-click the selected report to bring up the Context menu, and select Run with one
of the report-type options described in Run-Report Options below.
5 Select Save Output if you want to save a copy of the report to disk.
If this option is selected, additional archive parameters are displayed. You can override
any of these defaults also. You can select a group in which to archive the report,
provide a report name, and specify an expiration time at which to discard the report
from the archive. By default, the report is saved in the archive for 6 months from the
time it was run.
You can use Velocity template references for fields that accept text, such
as Archive Report Name and Archive Report Expiration Time. See
“Velocity References for Reports” on page 966 for details.
6 In the Report Parameters dialog box, enter new parameters if available and
appropriate.
7 Click OK.
8 In the options dialog box click Open to open the report, Save to choose a location
and format for the output file, or Cancel to quit. The Save option applies to all but
HTML files.
Run-Report Options
To run a report, right-click a report in the Navigator panel, select Run from the Context
menu, and choose one of these report-type options.
Report: Run the report, but with the opportunity to edit its current parameters (if
present). If you choose this option, the Report Parameters dialog is displayed before the
report is run. You can override the default report parameters for just this run of the
report.
Report with defaults: Run the report directly, using its defined parameters, if present.
For focused reports, this is the only option.
Report with selected event: Run the report using as parameters the fields of an event
selected in a Viewer panel grid view.
Delta report: For reports based on bar charts, run the report after selecting another
report as the comparison for the delta.
Report Parameters
You can override the existing report parameters at the time you run a report. Other
parameters are set when the report was created as described in “Creating Reports” on
page 335. For a list of report parameters that you can change, see “Report Parameters:
Default and Custom” on page 351.
Displaying an Archived Report
1 In the Navigator panel, choose the Reports resource tree.
2 On the Archives tab, right-click a report and choose Show Archive Report.
Running a Delta Report
Delta reports show the difference between two sets of parameters, within a single
comparative report. Defining new reports is a separate topic described in Creating a
Report. In order to run a delta report, you must have an existing report first. You can also
set up a delta report to run and archive on a schedule. Please see also “Archiving and
Scheduling Reports” on page 384 and “Scheduling Report Tasks” on page 387 for more
information.
1 From the Navigator panel drop-down menu, select the Reports resource.
2 On the Reports tab, right-click a report and choose Run, then Delta Report.
The Run > Delta Report option is available only for reports with a bar, 3D bar, or
inverted bar chart. The report must contain one chart only (no tables). The X and Y
axes must have at least one column each, and there must be no Z axis. The chart must
not have any summary function or top N filter applied. For more information about
creating reports with these characteristics, see the “Report Data” on page 340 section
(under “Creating Reports” on page 335).
3 Select the parameters for the first report, select a report format from the drop-down
menu, and click OK.
4 Select the parameters for the second report and click OK.
5 Select Save Output if you want to save a copy of the report to disk.
If this option is selected, additional archive parameters are displayed. You can override
any of these defaults also. You can select a group in which to archive the report,
provide a report name, and specify an expiration time at which to discard the report
from the archive. By default, the report is saved in the archive for 6 months from the
time it was run.
You can use Velocity template references for fields that accept text, such
as Archive Report Name and Archive Report Expiration Time. See
“Velocity References for Reports” on page 966 for details.
The Report Viewer appears and displays the delta report. The report shows the difference
between two sets of parameters used on a single report. The report also shows the data
for each of the parameter sets.
When a delta report is run or archived, an internal event is sent to the ArcSight Manager.
This event contains the following data field and value:
Event Name: Delta Report Generated (Report: <ReportName>), where <ReportName> is the
name of the report.
Rules can be created using the delta report data fields.
Running Reports from a Grid View
You can define reports on-the-fly based on specific events in grid views in the Viewer
panel.
Running a Rule-Context Report from a Grid View
1 In a grid view, select a correlation event. A correlation event is marked with a Flash
icon in the grid view.
2 Right-click it and choose Report > Rule Context Report.
3 In the Report Parameters dialog box, enter the time, in minutes, before and after
this event's occurrence and click OK.
4 You can choose to Open or Save the report file.
A report showing the correlation event and the events that triggered the rule appears.
Running an Event Context Report from a Grid View
1 In a grid view, select an event.
2 Right-click and choose Report > Event Context Report.
3 In the Report Parameters dialog box, enter the time, in minutes, before and after
this event's occurrence and click OK.
4 You can choose to Open or Save the report file.
The report shows the events that occurred within the specified time before and after the
selected event.
Running a Channel Report from a Grid View
1 In a grid view, select an event.
2 Right-click and choose Report > Channel Report.
3 The Report Parameters dialog is displayed, and its fields are automatically populated
with the event data fields. You can enter new parameters to limit or extend the report.
4 Choose a Report File Format from the drop-down menu.
5 Click OK.
6 You can choose to Open or Save the report file.
The channel report exports all of the events in the channel into a report. A
channel report refers to the whole channel, not the selected event. However,
you do need to select an event in the grid view in order to “select” the
channel and get the Report > Channel Report menu option.
Managing Reports
Managing reports includes editing existing reports, importing/exporting, and organizing
reports into groups.
Editing a Report
Over time, reports often need to be adjusted to keep them appropriate and useful. For
more information, see “Creating Reports” on page 335.
1 Navigate to Reports in the Navigator panel, select the Reports tab, and select the
report you want to modify.
2 Double-click the report, or right-click and select Edit Report from the context menu.
This launches the Report Editor in the Inspect/Edit panel, and shows the definition for
the selected report.
3 Edit the report definition as needed and click Apply or OK to save your changes.
(Click Cancel to exit the Report Editor without saving changes.)
Creating Focused Reports
In addition to using the reports already available in the Navigator panel's Reports resource
tree, you can easily make and save refinements to these definitions. These more narrowly
defined or focused reports are also stored in the resource tree, so other people can also
use them.
Focused reports are identical to other reports. They differ only in being useful variations on
already defined reports. You create focused reports when you want to make a special
variation available to other ArcSight users through the Reports resource tree.
Creating a Focused Report
1 In the Navigator panel, choose the Reports resource tree.
2 On the Reports tab, right-click a report and choose New Focused Report.
3 In the Focused Report Editor, select the Attributes tab and name the report. Name
focused reports in a fashion that properly distinguishes them from their originals.
4 Click the Parameters tab and change any of the values as appropriate. These values
are the same ones you set when Running a New or Archived Report.
You can use Velocity template references for parameter fields that accept
text, as described in “Velocity References for Reports” on page 966.
5 Click Apply to make changes and keep the editor open. Click OK to store the
definition in the resource tree in the same folder as the original report and close the
editor.
A focused report reflects changes made to the report on which it is based.
Importing and Exporting Reports
To import and export reports, use the packages feature. Since the reporting
capabilities involve using queries, trends, and templates as a part of building
reports, the import/export tool must track and manage dependencies across
resources. Packages give you this capability. Packages supersede the
import/export facility provided in previous releases and offer enhanced
functionality, including version support, dependency management, and
import/export capabilities. Portable ArcSight packages can automatically
manage dependencies across resources and other packages. Please see the
information on packages in “Managing Packages” on page 633.
You can import or export reports by following these procedures.
Importing Reports
1 In the Reports resource tree, select the Reports tab.
2 On the Reports tab, right-click the report group where you want the imported report
to be placed and select Import Report.
3 In the window, select a file to import to the report group.
4 Click Open.
Exporting Reports
1 In the Reports resource tree, select the Reports tab.
2 On the Reports tab, right-click a report and select Export Report.
3 In the window, select the directory in which to save the report.
4 Click Save.
Moving or Copying a Report
You may need to move or duplicate report definitions to better organize your work, to
publish your definitions, or to make editable copies of enterprise reports.
1 In the Reports resource tree, navigate to a report and drag and drop it into another
group.
2 Select Move to move the report, Copy to make a separate copy of the report, or Link
to create a copy of the report that is linked to the original report.
If you select Copy, you create a separate copy of the report that is not affected when the
original report is edited. If you select Link, you create a copy of the report that is linked to
the original report. Therefore, if you edit a linked report, whether it be the original or the
copy, all links are edited as well. When deleting linked reports, you can either delete the
selected report or all linked report copies.
Managing Report Groups
Report groups store similar reports, and control access to reports, using access control lists
(ACLs). When editing access control permissions, permissions given to a report group are
also given to all groups and reports within that group.
Groups and reports can be managed with drag and drop functionality. You can move or
copy groups and reports into other groups from the Reports resource tree. If a group is
deleted, the reports within that group are also deleted.
To copy multiple resources at once, use Copy and Paste. You can drag and
drop only one resource at a time.
Creating a Report Group
1 On the Navigator panel drop-down menu, select Reports.
2 In the Reports resource tree, right-click a group and select New Group.
3 Enter a report group name in the “name” text field.
4 Press Enter.
Renaming a Report Group
1 In the Reports resource tree, right-click a group and choose Rename.
2 In the “name” text field, rename the group.
3 Press Enter.
Editing a Report Group
1 In the Reports resource tree, right-click a group and select Edit Group.
2 In the Report Editor, edit the Name and Description text fields.
3 Click OK.
Moving or Copying a Report Group
1 In the Reports resource tree, navigate to a group and drag and drop it into another
group.
2 Select Move to move the group, Copy to make a separate copy of the group, or Link
to create a copy of the group that is linked to the original group.
If you select Copy, you create a separate copy of the group that is not affected when the
original group is edited. If you select Link, you create a copy of the group that is linked to
the original group. Therefore, if you edit a linked group, whether it be the original or the
copy, all links are edited as well. When deleting linked groups, you can either delete the
selected group or all linked groups.
Deleting a Report Group
1 In the Reports resource tree, right-click a group and select Delete Group.
2 Click Yes in the dialog box.
Archiving and Scheduling Reports
You can schedule reports to archive automatically with the scheduler. The scheduler
accepts multiple schedules by year, month, week, day, or hour. For example, a report can
be archived automatically on the first of January at both 5 AM and 6 PM. The scheduler
also sends e-mail notifications informing users when a scheduled report has been archived.
Report Archiving is a component of ArcSight Reporting resource tools. Be sure to see
Chapter 11‚ Building Reports‚ on page 279 for an overview of all reporting tasks and tools.
Archiving a Report
To archive a report:
1 In the Reports resource tree, select the Reports tab.
2 On the Reports tab, right-click a report and select Schedule for Archiving >
Report. (This opens the report definition in the Editor with the Jobs tab showing.)
3 Click Add on the Jobs tab, and choose either Schedule Report or Schedule Delta
Report.
The option to schedule a Delta Report job is available only for certain
types of event-based reports, and only when a previously-run report is
available in the archives. Otherwise, clicking Add on the Jobs tab takes
you directly to the job scheduler to schedule a standard report. For more
information about delta reports, see “Running a Delta Report” on
page 379.
4 Enter a name and description for the job.
5 In the Jobs scheduler, click the link labeled Click here to set up schedule
frequency to get the Job Frequency dialog, and configure the schedule.
In the Job Parameters section, select or enter values for the parameter fields as
necessary. For date parameters, enter values in the text fields, click the drop-down
arrows or click the time buttons to select a time range. For time data, you can enter a
specific value, such as 8:54:00 AM, or you can use special timestamp variables.
Click OK to save changes to the Job schedule.
To view all scheduled jobs, click the Open scheduled jobs list tool button. The
scheduled tasks are listed in the Viewer panel under “Current Jobs.”
For more information on setting up and viewing scheduled jobs, see “Scheduling Jobs”
on page 916.
6 Back in the report editor Jobs tab, under the Job Parameters section, enter values
for the report parameters by clicking off the “Use Default” check marks, or change
nothing here to keep the defaults. You can set the report format, e-mail options,
output parameters, start and end times, and so on. These are the same parameters
described in “Report Parameters” on page 379.
7 Click Apply or OK on the report Editor to save your changes for this report.
There is a property in server.defaults.properties:
report.scheduler.archive_empty_reports=
By default, this property is true, and the scheduler archives reports even if they
are empty. If you set it to false, do so in server.properties, not in
server.defaults.properties. A value of false means the scheduler does not archive
empty reports.
Parameterized Report Entries
The top portion of the dialog may or may not exist, depending on whether you chose any
parameterized conditions while creating the report. A typical example of a parameterized
condition is: detect time between $CurrentDate-1d and $CurrentDate. If such
parameters exist, they are used for both immediate as well as scheduled generation of
reports. While scheduling reports for archiving, these parameters are displayed in the Edit
Parameters dialog. It is possible to independently modify the dates specified in the
parameter text fields. In addition to relative dates, absolute dates can be specified as
parameter values. Examples of valid absolute dates are: 01/01/2001 and 01/01/2000
11:00:00 AM.
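Both the custom start_time/end_time parameters described under Building Reports (set to $Now-1d and $Now) and the parameterized conditions above rely on the same timestamp variables and absolute date values. The following Python example, added here and not part of this guide or of ESM, resolves such a parameter pair into a concrete window and rejects an empty or reversed one before a run is scheduled. The grammar it accepts (a base variable $Now or $CurrentDate followed by an optional +/- offset in m, h or d) and the reading of $CurrentDate as midnight at the start of the current day are assumptions, as is the constructed "current time" used in the demonstration; the two absolute formats are the ones the text lists.

```python
import re
from datetime import datetime, timedelta

# Assumed grammar for the timestamp variables the text shows ($Now-1d,
# $CurrentDate-1d): a base variable, optionally followed by a signed offset in
# minutes (m), hours (h) or days (d). Reading $CurrentDate as midnight at the
# start of the current day is an assumption, not something the text states.
_RELATIVE = re.compile(r"^\$(Now|CurrentDate)(?:([+-])(\d+)([mhd]))?$")
_UNITS = {"m": "minutes", "h": "hours", "d": "days"}
# The two absolute forms the text lists: 01/01/2001 and 01/01/2000 11:00:00 AM.
_ABSOLUTE_FORMATS = ("%m/%d/%Y %I:%M:%S %p", "%m/%d/%Y")


def _as_datetime(now):
    """Accept the reference time either as a datetime or as an ISO-8601 string."""
    return datetime.fromisoformat(now) if isinstance(now, str) else now


def resolve_param(value, now):
    """Turn one report parameter value (relative variable or absolute date) into a datetime."""
    now = _as_datetime(now)
    text = value.strip()
    match = _RELATIVE.match(text)
    if match:
        base, sign, amount, unit = match.groups()
        anchor = now if base == "Now" else now.replace(hour=0, minute=0, second=0, microsecond=0)
        if sign:
            delta = timedelta(**{_UNITS[unit]: int(amount)})
            anchor = anchor + delta if sign == "+" else anchor - delta
        return anchor
    for fmt in _ABSOLUTE_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognized report parameter value: {value!r}")


def resolve_window(start_value, end_value, now):
    """Resolve the start_time/end_time pair once, so every chart bound to the custom
    parameters sees the same window, and reject an empty or reversed window."""
    start = resolve_param(start_value, now)
    end = resolve_param(end_value, now)
    if end <= start:
        raise ValueError(f"end_time {end.isoformat()} is not after start_time {start.isoformat()}")
    return start, end


if __name__ == "__main__":
    NOW = "2012-09-20T14:30:00"  # constructed reference time for the demonstration
    print(resolve_window("$Now-1d", "$Now", NOW))
    print(resolve_window("$CurrentDate-1d", "$CurrentDate", NOW))
    print(resolve_param("01/01/2000 11:00:00 AM", NOW))
```

Resolving the pair once, rather than letting each of the three chart queries interpret its own copy of the variable, is the point of the custom parameter: with $Now-1d and $Now every chart covers exactly the same 24 hours. The reversed-window check catches the common editing mistake of swapping the two values in the Edit Parameters dialog, which would otherwise produce an empty report that the scheduler archives anyway unless report.scheduler.archive_empty_reports is set to false.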
Viewing an Archived Report
To view an archived report, select the Reports resource in the Navigator (if it is not
already selected) and click the Archives tab. Navigate the Archived Reports tree to find
the archived report you want, then right-click the report and choose Show Archive
Report. The report is displayed in the Viewer.
If you do not find the report you are looking for, you might want to check to see if it has
run yet. To view all scheduled jobs, click the Open scheduled jobs list tool button. The
scheduled tasks are listed in the Viewer panel under “Current Jobs.”
Scheduling Report Tasks
You can schedule some tasks to occur automatically. Specifically, this feature is available for
archiving reports individually or by group, for taking pattern discovery snapshots, and for
scheduling rules. This topic discusses the scheduler as it relates to scheduling reports. (For
more information on the job scheduler in general, see also “Scheduling Jobs” on page 916.)
Scheduling Individual-Report Archiving
1 Choose the Reports resource tree in the Navigator panel, select the Reports tab, and
right-click the report you want to schedule.
2 Choose Schedule for archiving, then Report or Delta Report for delta reports.
(This opens the report with the Jobs tab showing.)
3 Click Add on the Jobs tab.
4 Enter a name and description for the job.
5 In the Job Parameters section, select or enter values for the parameter fields as
necessary.
6 In the Summary section, click the link labeled Click here to set up schedule
frequency.
7 In the Job Scheduler dialog, select the desired frequency and enter the associated
settings.
The following table shows the scheduling options.
Schedule Frequency: Choose a timing for the schedule. The typical choices are
self-explanatory: Hourly, Daily, Weekly, Monthly, and Yearly. For each timing, enter
additional settings such as occurrence (Every) and time. For Monthly, also specify the day
of the month. For Yearly, specify the month and date.
Caution: If you are scheduling a yearly report on a leap year and you choose February 29
as the month and date, the Console will not save your setting. To ensure that yearly
reports are covered on leap years, choose a different date; or choose either February 28
or March 1 if you want your schedule to be as close as possible to February 29.
Schedule Range: Select the start and end date for the report run.
8 Repeat Step 3 to add another schedule for the same report.
9 Click OK.
Reports can be archived in PDF, HTML, Excel, Comma Separated Value (csv), or Rich
Text Format (rtf). The default PDF format should be used when archiving reports.
Compared to PDF reports, other reports may lose formatting information and appear
differently. In addition, Excel format is more memory-intensive than PDF.
10 Select the e-mail scheduled reports to check box and a user from the drop-down
menu to automatically send an e-mail notification when the report is archived.
The user receives an e-mail notification stating that the report has been successfully
archived. The e-mail also contains a URL to the report so that the user can view the
report from the URL. The e-mail notification is sent to the e-mail address listed in the
user's profile. The user must have an e-mail address in their user profile.
11 For the Archive Folder text field, click the archive report group button to select
where to list the archived report.
12 In the Archive Report Selector, select a report archive group and click OK.
13 In the Report Parameters window, click Update.
14 For delta reports, in the Schedule Summary, right-click Default under the Param Set
2 column and select Edit Parameters to change the second parameter set, if any.
Click Update.
15 In the Schedule Summary, click Close.
You can use Velocity template references for fields that accept text, such as
Archive Folder and Archive Report Selector. See “Velocity References for
Reports” on page 966 for details.
Scheduling Report Archiving by Resource Group
1 In the Reports resource tree, navigate to a particular group.
2 Right-click the group and choose Schedule for archiving > Report group. (This
opens the editor with the Jobs tab showing.)
3 Click Add on the Jobs tab.
4 Enter a name and description for the job.
5 In the Job Parameters section, select or enter values for the parameter fields as
necessary.
6 In the Jobs scheduler, click the link labeled Click here to set up schedule
frequency.
7 In the Job Scheduler dialog, select the desired frequency and enter the associated
details. Refer to the scheduling options on page 388 for guidance.
8 Click OK.
9 Repeat Step 3 to add another schedule for the same group.
Standard Time Transitions
If the trigger time for a particular scheduled task run happens to fall during the transition
from daylight saving time (DST) to standard time (ST) or vice versa, the interval for that
particular run will not be the expected interval.
Time zones that honor DST have a period of time that occurs twice during the transition
from DST to ST. For example, in the US when changing from DST to ST, the transition
occurs at 2 am, so 1:00:00 am - 1:59:59 am occurs twice (1:00:00 am PDT - 1:59:59 am
PDT and 1:00:00 am PST - 1:59:59 am PST), where 1:00 am PST is 60 minutes after
1:00 am PDT. In this example, if the scheduled task is due to trigger any time between
1:00:00 am and 1:59:59 am, the interval for that particular run of the scheduled task will
not be as expected.
Similarly, when the time changes from ST to DST, the 2:00:00 am - 2:59:59 am hour does
not occur at all: the local time changes directly from 1:59:59 am to 3:00:00 am. So, if your
scheduled task was due to trigger between 2:00:00 am and 2:59:59 am, the interval for
that particular run will be off by an hour.
The interval calculation for subsequent scheduled runs is not affected.
Currently, there are four time zones that are not supported in ESM:
• Kwajalein
• Pacific/Kwajalein
• Pacific/Enderbury
• Pacific/Kiribati
These time zones fall in two countries, the Marshall Islands and Kiribati.
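The following Python example, added here and not taken from ESM or from this guide, makes the transition behavior concrete for the US Pacific zone used in the example above. It classifies a local trigger time as normal, ambiguous (the wall-clock time occurs twice) or nonexistent (it is skipped), lists the dates in a year on which a daily trigger time hits a transition window, and measures the real interval between consecutive daily runs across both transitions. The year 2025 (transitions on March 9 and November 2) is a constructed choice for the demonstration; the zone rules come from Python's zoneinfo module.

```python
from datetime import date, datetime, timedelta, timezone
from zoneinfo import ZoneInfo

PACIFIC = ZoneInfo("America/Los_Angeles")  # the PDT/PST zone of the text's example


def classify_wall_time(year, month, day, hour, minute, tz=PACIFIC):
    """Classify a local trigger time as 'normal', 'ambiguous' (the wall-clock time
    occurs twice, DST to ST) or 'nonexistent' (it is skipped, ST to DST)."""
    first = datetime(year, month, day, hour, minute, tzinfo=tz, fold=0)
    second = datetime(year, month, day, hour, minute, tzinfo=tz, fold=1)
    if first.utcoffset() == second.utcoffset():
        return "normal"
    # In a gap the fold=0 reading is resolved with the pre-transition offset, so
    # converting it to UTC and back lands on a different wall-clock time; in an
    # overlap the same round trip returns the wall-clock time unchanged.
    round_trip = first.astimezone(timezone.utc).astimezone(tz)
    if round_trip.strftime("%H:%M") != first.strftime("%H:%M"):
        return "nonexistent"
    return "ambiguous"


def transition_hits(year, hour, minute, tz=PACIFIC):
    """Dates in a year on which a daily trigger at hour:minute local time falls in a
    transition window, i.e. the runs whose interval will not be the expected one."""
    hits = []
    day = date(year, 1, 1)
    while day.year == year:
        kind = classify_wall_time(day.year, day.month, day.day, hour, minute, tz)
        if kind != "normal":
            hits.append((day.isoformat(), kind))
        day += timedelta(days=1)
    return hits


def run_intervals_hours(days, hour, minute, tz=PACIFIC):
    """Real elapsed time, in hours, between successive daily runs at the same local
    wall-clock time. Instants are reduced to POSIX timestamps because subtracting two
    datetimes that share a tzinfo ignores the UTC offset and would always say 24."""
    instants = [datetime(y, m, d, hour, minute, tzinfo=tz).timestamp() for y, m, d in days]
    return [(later - earlier) / 3600 for earlier, later in zip(instants, instants[1:])]


if __name__ == "__main__":
    print(transition_hits(2025, 1, 30))  # constructed year: US transitions on Mar 9 and Nov 2
    print(run_intervals_hours([(2025, 11, 1), (2025, 11, 2), (2025, 11, 3)], 1, 30))
    print(run_intervals_hours([(2025, 3, 8), (2025, 3, 9), (2025, 3, 10)], 2, 30))
```

A daily 01:30 trigger hits the ambiguous hour on the November fall-back date and the measured gaps are 24 and then 25 hours; a daily 02:30 trigger hits the skipped hour on the March spring-forward date and the gaps are 24 and then 23 hours. A trigger time outside those two windows, such as 03:30, reports no hits for the year, which is the check to make before choosing a schedule time for a report whose window must cover exactly one day.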
Editing a Report Archiving Schedule
You can change the archiving schedule for report definitions in your Reports resource
folders.
1 In the Reports resource tree, select the Reports tab.
2 On the Reports tab, right-click a report and select Schedule for archiving, then
Report or Delta Report for delta reports.
3 In the Schedule Summary, right-click in the braces { } column and select the
Parameters option to change the report parameters set for the specific scheduled report.
To delete a current scheduled archive report, right-click in the braces { } column of an
existing schedule and click Delete.
4 To change the interval scheduling of a report, click the report interval button, choose
Yearly, Monthly, Weekly, Daily, or Hourly, and then click the date and time buttons.
5 If editing within the same time frame, click the Month, Date, Day, Hour, Min, and
AM/PM buttons to specify changes to the report schedule.
6 When you've finished editing the schedule, click OK.
Editing Report Archiving Parameters
You can change the archiving parameters of the report definitions in your Reports resource
folders.
1 In the Reports resource tree, select the Reports tab.
2 On the Reports tab, right-click a report and select Schedule for archiving,
then Report or Delta Report.
3 Right-click in the braces { } column for a scheduled report and select the
Parameters option.
4 In the Report Parameters window, type in the report parameter text fields, if any.
For date and time data fields, such as Detect Time, you can type an actual date value,
such as 10/12/2002 8:54:00 AM, or you can use special timestamp variables.
5 Select the E-mail scheduled reports to check box, and a user from the drop-down
menu, to automatically send an e-mail notification when the report is generated.
The user receives an e-mail notification stating that the report has been successfully
archived. The e-mail also contains a URL to the report so that the user can view the
report from the URL.
The e-mail notification is sent to the e-mail address listed in the user's profile. The
recipient must have an e-mail address in their user profile.
6 For the Archive Folder text field, click the archive report group button to select where
to list the archived report.
7 In the Archive Report Selector, select a report archive group and click OK.
8 In the Report Parameters window, click Update.
9 For delta reports, in the Schedule Summary, right-click Default under the Param Set
2 column and select Edit Parameters to change the second parameter set, if any.
Click Update.
10 In the Schedule Summary, click Close.
Deleting a Report Archiving Schedule
You can remove individual archiving schedules for reports in the Scheduled Tasks list.
1 In the Reports resource tree, select the Reports tab.
2 On the Report Definitions tab, right-click a scheduled report (showing a calendar icon) and choose Schedule for archiving, then Report or Delta Report.
3 On the line for the schedule to remove, right-click in the braces { } column and choose Delete.
4 In the confirmation dialog box, click Delete to remove it or Cancel to let it remain.
Chapter 13
Rules Authoring
This section explains how to use rules to correlate events in your environment.
“Designing Rules” on page 393
“Managing Rules” on page 394
“Managing Rule Groups” on page 396
“Specifying Rule Conditions” on page 397
“Specifying Rule Thresholds and Aggregation” on page 405
“Creating Rule Actions” on page 408
“Applying Rule Actions” on page 418
“Enabling and Disabling Rules” on page 419
“Importing and Exporting Rules” on page 421
“Scheduling Rules” on page 421
“Verifying Rule(s) with Events” on page 428
“Deploying Real-time Rules” on page 431
“Loading Rules” on page 432
Designing Rules
Creating rules involves defining the events the rule evaluates, thresholds, and
actions you want the rule to trigger. Conditions define which events trigger the
rule, thresholds determine when a condition is met and a correlation event is
generated, and actions state what responses are taken when a correlation event
is generated. To define rule events and conditions, thresholds, and actions, begin by
determining:
• Which event occurrences do I want to be aware of? This determines the rule's events and conditions.
• How many times do I want the event or events to occur, and within what time frame? This determines the rule's threshold.
• What actions should automatically occur when an event is generated? When should those actions occur? This determines the rule's actions.
Before you create rules, determine which events you want to monitor. Be specific and as clear as possible. For example, monitoring all events from a Cisco Router would not be as useful as monitoring all denied events from that Cisco Router. In addition, the more conditions you add to a rule, the more specific the rule becomes. Use the ArcSight data fields to guide you in selecting and specifying conditions. For more information, see “Data Fields” on page 803.
Managing Rules
As with other resources, rule-management tasks include creating, changing, deleting, and placing rules.
Creating Rules
Before creating rules, determine which events you want to monitor. Be as specific and as
clear as possible. For example, monitoring all events from a Cisco Router would not be as
useful as monitoring all denied events from that Cisco Router. In addition, the more
conditions you add to a rule, the more specific the rule becomes.
Use the ArcSight data fields to guide you in selecting and specifying conditions.
Requirements for lightweight rules
You have the option to create a lightweight rule to simplify rule processing. A
lightweight rule:
• Has one event condition (no joins).
• Has a fixed aggregation threshold of 1. The Aggregation tab is disabled; data fields are not aggregated.
• Only allows active list and session list actions.
• Triggers actions only on every event that matches the condition.
• Does not generate correlation or audit events (although failures are logged).
• Is processed earlier in the flow than normal rules.
To create a rule:
1 From the Navigator Panel drop-down menu, select Rules.
2 Right-click a group and select New Rule.
3 On the General tab, type a name in the Rule Name text field.
The Rule Name text field is required and restricted to 25 characters. The Rule Name should be as descriptive as possible. It is stored in the Event Name data field, and if the rule has a Send to Console action, the Rule Name appears in the Event Name column of the grid view.
4 Select a Rule Type:
• Standard Rule: Enables all features for rule creation such as multiple event conditions, field aggregation, and rule actions based on different triggers.
• Lightweight Rule: Enables a small set of features for rule creation for faster and simpler rule processing. See “Requirements for lightweight rules” on page 394.
Entering data in the Common and Assign sections is optional, depending on how your environment is configured. For information about the Common and Assign attributes sections, as well as the read-only attribute fields in Parent Groups and Creation Information, see “Common Resource Attribute Fields” on page 630.
5 Define conditions on the Conditions tab, following the instructions in “Specifying Rule Conditions” on page 397.
6 For normal rules, add correlating events, specify thresholds and time windows to qualify events, and aggregate incoming event data based on matching fields on the Aggregation tab. This step is not available for lightweight rules. See “Common Conditions Editor (CCE)” on page 782 and “Specifying Rule Thresholds and Aggregation” on page 405 for more information.
7 Click OK to save and close the rule. You can also click Apply to save changes but keep the rule open.
Editing Rules
1 In the Rules resource tree, right-click a rule and choose Edit Rule.
2 In the Rules Editor, select the Attributes tab to edit the rule name and other attributes. To change the Rule Type, see “Converting Standard and Lightweight Rules” on page 395 for specific details.
3 Select the Conditions tab to edit events, logical operators, and condition statements as described in Common Condition Editor.
4 Select the Aggregation tab to edit thresholds and aggregation. See “Specifying Rule Thresholds and Aggregation” on page 405 for details.
5 After editing the conditions and other elements of the rule, click OK to save and close the rule. You can also click Apply to save changes but keep the rule open.
Moving or Copying Rules
1 In the Rules view, navigate to a rule and drag and drop it into another group.
2 Select Move to move the rule, Copy to make a separate copy of the rule, or Link to create a copy of the rule that is linked to the original rule.
If you select Copy, you create a separate copy of the rule that is not affected when the
original rule is edited. If you select Link, you create a copy of the rule that is linked to the
original rule. Therefore, if you edit a linked rule, whether it be the original or the copy, all
links are edited as well. When deleting linked rules, you can either delete the selected rule
or all linked rule copies.
Converting Standard and Lightweight Rules
Converting a lightweight rule to standard is straightforward: change the rule type on the
rule editor’s Attributes tab, then add join conditions, perform aggregation, and define
actions on various types of triggers as required.
Converting a standard rule to lightweight requires that the rule must meet the lightweight
rule’s requirements; otherwise, the rule you are converting will not be saved.
To convert a standard rule to lightweight:
1 Make sure your standard rule already complies with all the requirements for lightweight rules. Refer to “Requirements for lightweight rules” on page 394.
2 In the Rules resource tree, right-click the standard rule you want to convert and choose Edit Rule.
3 In the Rules Editor, select the Attributes tab and change the Rule Type to Lightweight Rule.
4 In the Conditions tab, make sure that only one condition exists. Joins are not supported in lightweight rules.
The Aggregation tab is automatically disabled.
5 In the Actions tab:
a Make sure that On Every Event is active and the other triggers are inactive.
b Make sure that the action is on an active or session list. Disable other actions.
De-activated triggers and disabled actions will be available once the lightweight rule is converted back to standard.
Deleting Rules
1 In the Rules resource tree of the Navigator panel, right-click a rule and choose Delete Rule.
2 Click Yes in the confirmation dialog box.
Managing Rule Groups
Rule groups store related rules, or groups of rules, in a single location. Groups can be created within groups to meet enterprise needs.
Groups and rules can be managed with drag and drop functionality. You can move or copy
groups and rules into other groups from the Navigator panel's Rules resource tree. If a
group is deleted, the rules within that group are also deleted.
To copy multiple resources at once, use Copy and Paste. You can drag and
drop only one resource at a time.
Creating Rule Groups
1 In the Navigator panel's drop-down menu, choose Rules.
2 In the Rules resource tree, right-click a group and choose New Group.
A New Group text field appears under the group you selected.
3 Type the new group’s name in the text field.
4 Press Enter.
5 Refer to “Scheduling Rules” on page 421 to add entries in the group’s Jobs tab.
Renaming Rule Groups
1 In the Rules resource tree, right-click a group and choose Rename.
2 In the text field, enter the group’s new name.
3 Press Enter.
Editing Rule Groups
1 In the Rules resource tree, right-click a group and choose Edit Group.
2 In the Group Editor, edit the Name and Description text fields.
3 Optionally, you can designate owners of a rule, and specify user groups that are notified of rule changes.
4 Click OK.
5 Refer to “Scheduling Rules” on page 421 to add or edit entries in the group’s Jobs tab.
Moving or Copying Rule Groups
1 In the Rules resource tree, navigate to a group and drag and drop it into another group.
2 Choose Move to move the group, Copy to make a separate copy of the group, or Link to create a copy of the group that is linked to the original group.
If you select Copy, you create a separate copy of the group that is not affected when the
original group is edited. If you select Link, you create a copy of the group that is linked to
the original group. Therefore, if you edit a linked group, whether it be the original or the
copy, all links are edited as well. When deleting linked groups, you can either delete the
selected group or all linked groups.
Deleting Rule Groups
1 In the Rules resource tree, right-click a group and choose Delete Group.
2 In the dialog box, click Yes.
Specifying Rule Conditions
After creating a new rule or opening an existing rule for editing, you can specify conditions
on which a rule triggers, based on specific event, filter, asset, or vulnerability criteria. Like
other ArcSight analysis components, rules editing uses the Common Conditions Editor
(CCE). See also Condition Tree Command Buttons, Condition Tree Context Menu
Commands, and Adding Conditions under “Common Conditions Editor (CCE)” on page 782.
Creating New Rule Conditions
The Conditions tab provides a default event alias, event1, which you edit and to which you
add condition statements for evaluation. Standard rules support multiple event conditions
while lightweight rules support only one event condition.
To specify rule conditions:
1 In the Rules Editor, select the Conditions tab.
2 To edit the event alias (give it a name), right-click event1 and select Edit. Type a new name for the alias in the text field and click OK.
Since rules can have numerous events, aliases should be unique and descriptive. For example, if monitoring Cisco Router denied events, Cisco Router denied could be the alias name. The name appears as a branch under the Event conditions tree.
3 Add a condition statement to the event alias using the Common Conditions Editor table (usage rules and features of this editor are described in “Common Conditions Editor (CCE)” on page 782):
a Locate the event field you want to use in the condition statement.
b Choose the logical operator (for example, =) to be used for comparing values. If you need help, see “Logical Operators” on page 884 for descriptions.
c Choose the value from the drop-down list under the Condition column to use as the basis for comparison.
If you want to use a global variable for the condition statement, you can attach one by clicking the +/- Global Variables button and then choosing the global variable from the selector dialog. The selected global variable is added to the Common Conditions Editor table at the bottom. See “Global Variables” on page 881 for more information.
4 For standard rules only: To add more event aliases, select Event conditions and click the New Event Definition button; or right-click Event conditions and choose New Event Definition. Type an event name in the Alias text field and click OK.
If you have more than one event alias, a Matching Event branch appears. This enables you to define a join relationship on the multiple event aliases. For more information on joining two events, see “Creating Matching or Join Conditions” on page 402. Other important references are Logical Operators and Conditional Expressions.
If you are working on a lightweight rule, you will not be able to save the rule if you have more than one event condition.
5 On the Conditions tab, click Apply.
The rule with the default threshold and action is created and listed in the Rules resource tree.
For standard rules only, see “Specifying Rule Thresholds and Aggregation” on page 405 for
aggregation time-frame options.
Adding Filter Conditions
You add filters to rules as new conditions. It is usually more desirable to use an existing
filter resource, if possible.
If there are other conditions in the rule, you choose whether to tie them to the filter
condition with AND, OR, or NOT logical operators. For more information on filters, see
Chapter 8, Filtering Events, on page 173.
To add a filter condition to a rule:
1 In the Rules resource tree, right-click a rule and choose Edit Rule.
2 In the Rules Editor, select the Conditions tab and select the event alias to which you want to add a filter condition.
3 Click the And, Or, or Not button; or right-click a logical operator and choose New Logical Operator, then And, Or, or Not.
4 Right-click the logical operator and select New Matches Filter Condition.
5 In the Filter Selector, select a filter and click OK.
6 On the Conditions tab, click OK.
The Common Condition Editor's buttons and commands are discussed further in “Creating
Filters” on page 173.
See also Condition Tree Command Buttons, Condition Tree Context Menu Commands, and
Adding Conditions under “Common Conditions Editor (CCE)” on page 782.
Adding Asset Conditions
Asset conditions state whether your enterprise assets are targets or sources of events. An
asset condition states “if an event occurs and the selected asset is the source or target,
generate a correlation event.” For more information on assets, see Chapter 24, Modeling
the Network, on page 679.
To add an asset condition to a rule:
1 In the Rules resource tree, right-click a rule and choose Edit Rule.
2 In the Rules Editor, select the Conditions tab.
3 Click the And, Or, or Not button, or right-click a logical operator and choose New Logical Operator, then And, Or, or Not.
If there are existing conditions, you can tie them to the asset condition with the AND, OR, or NOT logic operator. If AND is used, all the existing conditions and the asset condition must occur in the event. If OR is used, either the existing conditions or the asset condition must occur. If NOT is used, all but the asset condition must occur.
4 Select the logical operator and click the Assets button, or right-click the logical operator and select New Assets Condition.
5 In the Assets panel below, select Source Asset ID to monitor if an asset is the source of an event, or Target Asset ID to monitor if an asset is the target.
6 Select an asset or group and click Apply.
The asset condition appears in the Correlate section and is tied to any existing condition statements with the logic operator selected.
7 On the Conditions tab, click OK.
See also Condition Tree Command Buttons, Condition Tree Context Menu Commands, and
Adding Conditions under “Common Conditions Editor (CCE)” on page 782.
Adding Vulnerability Conditions
You can use an existing enterprise vulnerability to create a rule condition. A vulnerability
condition states “if an event occurs with the vulnerability selected, generate a correlation
event.” For more information on vulnerabilities, see Chapter 24, Modeling the Network, on
page 679.
To add a vulnerability condition to a rule:
1 In the Rules resource tree, right-click a rule and choose Edit Rule.
2 In the Rules Editor, select the Conditions tab.
3 Click the And, Or, or Not button, or right-click a logical operator and choose New Logical Operator, then And, Or, or Not.
If there are existing conditions, you can tie them to the vulnerability condition with the AND, OR, or NOT logic operator. If AND is used, all the existing conditions and the vulnerability condition must occur in the event. If OR is used, either the existing conditions or the vulnerability condition must occur. If NOT is used, all but the vulnerability condition must occur.
4 Choose the logical operator and click the Has Vulnerability button, or right-click the logical operator and choose New Has Vulnerability.
5 In the Vulnerability Selector, select a vulnerability and click OK.
The vulnerability appears on the Conditions tab and is tied to any existing condition statements with the logic operator selected.
6 On the Conditions tab, click OK.
See also Condition Tree Command Buttons, Condition Tree Context Menu Commands, and
Adding Conditions under “Common Conditions Editor (CCE)” on page 782.
Adding Active List (InActiveList) Conditions
Use the Active List selector to identify a particular active list that contains the
argument for a condition. This condition evaluates whether an item or list of items is in an
active list. You can use this to map a field or a global variable in the event schema to a
corresponding field in an active list. It does not evaluate items in other non-event schemas
(such as cases or assets).
When the InActiveList condition is used to compare values in two lists, an additional option is shown where you can specify whether All values in list field must match.
• If All values in list field must match is checked (selected), the Active List condition evaluates to true only if all values in both lists match (that is, all values must be in both lists for the condition to be true).
• If “All values in list field must match” is not checked (de-selected), then if any field matches (is in both lists), the condition statement evaluates to true. (This is the default behavior for queries.)
For example, suppose you have a fields-based multi-mapped active list that has User Name as a key field and accepts entries with multiple roles for the same user in the Role Name field.
Then suppose you set up an Active List (InActiveList) rule condition to compare the value of Role Name to a list type string field, like ActorByAccountID.FullName. If you then get list entries in your active list (for example, user “Samantha Stevens” with roles as both “Administrator” and “Development Lead”), then your rule results in a comparison of two lists:
• The list of Samantha Stevens’ roles
• The ActorByAccountID.FullName list
This product ships with several global variables that deal with actor-based lists. (See
“Actor Resource Framework Global Variables” on page 224.)
• The InActiveList operator option evaluates single-value attributes and multi-value attributes. The field you map could return multiple values (for example, a user could have multiple roles). In the case of multi-value attributes, if any one value matches, the condition evaluates to true.
• A condition that tests for whether all or any values in a list match is only available to specify on in-memory operations (for example, in rules, filters, data monitors).
See also Condition Tree Command Buttons, Condition Tree Context Menu Commands, and
Adding Conditions under “Common Conditions Editor (CCE)” on page 782.
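The any-match versus all-match behaviour of the InActiveList condition described above, as an added example that is not ArcSight code. The multi-mapped active list, its entries and the event values are constructed for the illustration.

```python
"""Added example (not ArcSight code): how an InActiveList condition compares a
multi-valued event field against the values held for a matching active-list key,
with and without "All values in list field must match" checked."""

# Constructed multi-mapped active list keyed on User Name; each key maps to the
# set of Role Name values that have been added for that user.
ACTIVE_LIST = {
    "Samantha Stevens": {"Administrator", "Development Lead"},
    "Darrin Stevens": {"Developer"},
}


def in_active_list(key, event_values, all_must_match=False):
    """Evaluate the condition for one event.

    key            -- value of the event field mapped to the list's key field
    event_values   -- values of the (possibly multi-valued) event field that is
                      compared with the list's Role Name field
    all_must_match -- True when "All values in list field must match" is checked
    """
    list_values = ACTIVE_LIST.get(key)
    if list_values is None:
        return False                       # no entry for this key at all
    event_set = set(event_values)
    if all_must_match:
        # Every value must be present in both lists: the two sets are equal.
        return event_set == list_values
    # Default behaviour: true as soon as any value is in both lists.
    return bool(event_set & list_values)


if __name__ == "__main__":
    cases = [
        ("Samantha Stevens", ["Administrator"]),
        ("Samantha Stevens", ["Administrator", "Development Lead"]),
        ("Samantha Stevens", ["Administrator", "Auditor"]),
        ("Unknown User", ["Administrator"]),
    ]
    for key, values in cases:
        print(key, values,
              "any:", in_active_list(key, values),
              "all:", in_active_list(key, values, all_must_match=True))
```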
Creating Matching or Join Conditions
This topic applies to standard rules. A matching or join condition is a condition statement
that joins two data fields with the Matching or Join condition logic operator on the
Conditions tab. Creating matching or join conditions using data fields provides the flexibility
of creating conditions without knowing the specific data field's values. The following join
data field conditions can be created:
• Same data field for two events: EventOne <data field A> <logic operator> EventTwo <data field A>. For example, EventOne Source Address = EventTwo Source Address. In this example, both event data fields must have the same value. This rule is useful when monitoring activity from an unknown Source Address that is generating numerous events.
• Different data fields for two events: EventOne <data field A> <logic operator> EventTwo <data field B>. For example, EventOne Source Address = EventTwo Target Address. In this example, the Source Address of the first event must equal the Target Address of the second event.
• Different data fields for the same event: EventOne <data field A> <logic operator> EventOne <data field B>. For example, EventOne Source Address = EventOne Target Address. In this example, the Source Address must equal the Target Address of the same event.
There is a relatively high memory cost for join rules with low-selectivity
join conditions (such as same source IP or same target IP). Just like
queries in SQL, the more selective the conditions (the conditions on the
individual events as well as the join conditions), the less expensive it is
to execute, because fewer conditions match.
You can dramatically reduce the memory consumption of the correlation engine, by as much as 50% in some cases, through some techniques. When authoring a rule, order the conditions on the events to be correlated (or joined) by placing the most restrictive conditions first; for example, adding join conditions like event1's Source Address = event2's Source Address or event2's Detect Time = event1's Detect Time.
If you have more than one event alias, you can set any or all of them with the Consume After Match flag. This means that if a matching event is found and the rule is triggered, the event is not correlated further by that rule. Without the Consume After Match flag, the event is kept in working memory even after a matching event is found and the rule has been triggered. The event alias continues to be combined with events matching other aliases until the event itself expires.
If enabled, the Consume flag appears next to the event alias on the Conditions tab:
<EventName> (Consume after match)
The following procedure can only be used with rules that involve two or more events.
1 In the Rules resource tree, right-click a rule and choose Edit Rule.
2 In the Rules Editor, select the Conditions tab.
3 Select the Matching Event branch and select New Logical Operator, then And, Or, or Not.
When adding join conditions, you need to decide how the new condition ties to the existing events in the rule. If And is used, the new join condition must occur, in addition to the existing events, to trigger the rule. If Or is used, the new join condition or the existing events must occur. If Not is used, all but the new join condition must occur. The logical operator appears as a branch under Joins.
4 Click the Join Condition button or right-click the logical operator and select New Join Condition.
A condition statement appears displaying event, data field, and logic operator text fields. These fields are combined to create <event> <data field> <logic operator> <event> <data field> condition statements. For example, if monitoring for the same Source Address data field in EventOne and EventTwo, the condition statement would be EventOne Source Address = EventTwo Source Address.
5 Select one of the following join data field conditions to use in the following steps:
• When monitoring for the same data fields for two events, use EventOne <data field A> <logic operator> EventTwo <data field A>.
• When monitoring for different data fields for two events, use EventOne <data field A> <logic operator> EventTwo <data field B>.
6 In the text fields, choose an event and data field from the drop-down menus.
Select data fields that you want to monitor but for which you don't have values. For more information, see “Data Fields” on page 803.
7 Choose a logic operator from the drop-down menu.
8 Choose an event and data field from the drop-down menus.
9 Optionally, right-click and select Consume After Match on one, some, or all of the event aliases.
Doing so reduces the number of rule firings by using the matching event in only one join.
10 Click OK.
The join data field condition appears as a branch under the Matching Event logical
operator.
11 On the Conditions tab, click OK.
See also Condition Tree Command Buttons, Condition Tree Context Menu Commands, and
Adding Conditions under “Common Conditions Editor (CCE)” on page 782.
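The working-memory behaviour of a two-alias join with and without Consume After Match, as an added example that is not ArcSight code. The aliases event1 (failed login) and event2 (successful login), the Source Address values, and the alias expiration are constructed assumptions.

```python
"""Added example (not ArcSight code): a two-alias join on Source Address showing
how the Consume After Match flag changes the number of rule firings.
event1 = failed login, event2 = successful login (constructed aliases and data)."""
from collections import deque

# Constructed events: (time in seconds, alias, Source Address), in arrival order.
EVENTS = [
    (0, "event1", "10.0.0.5"),
    (10, "event1", "10.0.0.5"),
    (20, "event1", "10.0.0.5"),
    (30, "event2", "10.0.0.5"),
    (40, "event2", "10.0.0.5"),
    (50, "event1", "10.0.0.9"),
    (700, "event2", "10.0.0.9"),   # its partner expired: 700 - 50 > 600
]


def correlate(events, alias_expiration_s, consume):
    """Return the (event1, event2) pairs that trigger the rule.

    alias_expiration_s -- how long an event stays in working memory
    consume            -- set of aliases carrying the Consume After Match flag
    """
    memory = {"event1": deque(), "event2": deque()}   # working memory per alias
    firings = []
    for t, alias, src in events:
        # Expire stored events whose alias expiration has elapsed.
        for q in memory.values():
            while q and t - q[0][0] > alias_expiration_s:
                q.popleft()
        other = "event2" if alias == "event1" else "event1"
        # Join condition: event1 Source Address = event2 Source Address.
        partners = [e for e in memory[other] if e[1] == src]
        if alias in consume:
            partners = partners[:1]       # a consumed event joins at most once
        for e in partners:
            new = (t, src)
            firings.append((e, new) if other == "event1" else (new, e))
            if other in consume:
                memory[other].remove(e)   # stored partner is used only once
        if partners and alias in consume:
            continue                      # consumed: not kept for later joins
        memory[alias].append((t, src))
    return firings


if __name__ == "__main__":
    for flags in (set(), {"event1"}, {"event1", "event2"}):
        print(sorted(flags) or "no consume", "->",
              len(correlate(EVENTS, 600, flags)), "firings")
```

Without the flag the two successful logins each re-join all three stored failed logins (six firings); consuming event1 drops that to three, and consuming both aliases to two.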
Editing or Deleting Join Data Field Conditions
1 In the Rules resource tree, right-click a rule and select Edit Rule.
2 In the Rules Editor, select the Conditions tab and do the following:
• To edit the logical operator, right-click the logical operator and select Edit, or select the logical operator and press Enter. In the text field, select a logical operator and click OK.
• To edit the condition statement, right-click the condition statement and select Edit, or select the condition statement and press Enter. In the text field, make edits and click OK. For more information, see “Creating Rules” on page 394.
• To delete the Matching Event event, right-click Matching Event and select Delete. In the dialog box, click Yes. The event, its logical operators, and condition statements are deleted.
• To delete the logical operator, right-click the logical operator and select Delete. In the dialog box, click Yes. The logical operator and all its condition statements are deleted.
• To delete the condition statement, right-click the condition statement and select Delete. In the dialog box, click Yes.
3 Click OK.
Negating Event Conditions
In addition to monitoring event conditions that occur, you can monitor event conditions that do not occur by negating these conditions. For example, if you want to monitor badge scans (for which you defined an event alias called BadgeScan) before an application is accessed (for which you defined an event alias called Login), you negate the BadgeScan event and set the rule to trigger if BadgeScan does not happen before the Login event is reported. For such a rule, the events must have happened (they are past events) before the rule is triggered.
You can also negate a future event condition. For example, consider this sequence of events you want to monitor:
1 A server reboots (ServerReboot event).
2 The server successfully comes up and is available again (ServerUp event).
3 If the server does not come up, you want to be notified.
In this case, you negate the ServerUp event condition so that the rule is triggered if that event is not received (the server does not come up from a reboot) on the same device.
A time out property is used in conjunction with negating an event condition. If the negated event is not received within the specified time out, the rule is triggered. For purposes of discussion, we use the term “positive events” for events that are not negated.
To negate event conditions:
Prior to using the following procedure, make sure the rule has multiple event conditions so you can negate at least one. To create event conditions, see “Creating Rules” on page 394.
1 In the Rules resource tree, right-click a rule and choose Edit Rule.
2 In the Rules Editor, select the Conditions tab.
3 Right-click an event alias and select Negated.
4 In the dialog, enter a Time Out value and specify the time unit in Seconds, Minutes, or Hours. Then click OK.
Time Out is the amount of time to wait between the occurrence of the positive event and the non-occurrence of the negated event, after which the rule is triggered.
• For the rule to fire, the Alias Expiration time for all positive event conditions must be greater than the negated event condition’s time out value.
• Once you have saved the time out value, you cannot change it unless you right-click the negated event, uncheck Negated, right-click the same event, and select Negated again.
• If multiple negated events have time out values, the time out values are cumulative; that is, the rule waits for the sum of the event time outs before firing. Consider specifying a time out value for only one negated event.
On the Conditions tab, the negated event is preceded by an exclamation point (!) and the time out period appears next to the event. The following example shows a five-minute time out period. (In the example, Consume After Match is manually set.)
!<EventName> (Consume after match) (Time Out: 5m)
5 To remove the Negated flag, right-click the negated event and select Negated again.
See also Condition Tree Command Buttons, Condition Tree Context Menu Commands, and
Adding Conditions under “Common Conditions Editor (CCE)” on page 782.
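The ServerReboot/ServerUp example above, with the Time Out and the alias-expiration constraint, as an added example that is not ArcSight code. The device field used to pair the two events, the event stream, and the clock values are constructed assumptions.

```python
"""Added example (not ArcSight code): a negated future event condition. The rule
has a positive ServerReboot alias and a negated ServerUp alias matched on the
same device; it fires when ServerUp is not received within the Time Out.
Event data and the 'device' join field are constructed."""


def negated_rule(events, timeout_s, alias_expiration_s, now_s):
    """Return sorted (device, reboot_time) pairs for which the rule fired.

    events             -- (time_s, alias, device) tuples in Manager receipt order
    timeout_s          -- Time Out set on the negated ServerUp alias
    alias_expiration_s -- Alias Expiration of the positive ServerReboot alias
    now_s              -- clock value up to which pending timers are evaluated
    """
    if alias_expiration_s <= timeout_s:
        # Manual's constraint: the positive alias must outlive the time out,
        # otherwise the reboot leaves working memory before the timer fires.
        raise ValueError("Alias Expiration must be greater than Time Out")
    pending = {}      # device -> time of ServerReboot still awaiting ServerUp
    firings = []

    def run_timers(now):
        # Every pending reboot whose time out has elapsed triggers the rule.
        for device, t0 in list(pending.items()):
            if now - t0 > timeout_s:
                firings.append((device, t0))
                del pending[device]

    for t, alias, device in events:
        run_timers(t)
        if alias == "ServerReboot":
            pending[device] = t
        elif alias == "ServerUp":
            # ServerUp in time completes the positive sequence: no firing.
            # A late ServerUp (after the timer already fired) changes nothing.
            pending.pop(device, None)
    run_timers(now_s)
    return sorted(firings)


# Constructed event stream: db01 never reports ServerUp.
EVENTS = [
    (0, "ServerReboot", "web01"),
    (0, "ServerReboot", "db01"),
    (120, "ServerUp", "web01"),
    (900, "ServerReboot", "web02"),
    (1000, "ServerUp", "web02"),
]

if __name__ == "__main__":
    print(negated_rule(EVENTS, timeout_s=300, alias_expiration_s=3600, now_s=1500))
```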
Specifying Rule Thresholds and Aggregation
Thresholds are defined as an aggregate number of occurrences within a time span. When a
threshold is met, the rule triggers.
In a lightweight rule, the Aggregation tab is not available.
Setting or Changing Rule Thresholds
1 In the Rules Editor, select the Aggregation tab.
2 In the Number of Matches field, enter a number if you want more than one matching event.
3 In the Time Frame field, enter an appropriate value and choose a time unit.
4 If you want to aggregate on the basis of certain fields' content being distinct, click Add under the Aggregate only if these fields are unique pane to select the fields to use. Select fields from global variables, field sets, and local variables.
Fields are unique only when the combined value of all fields is unique. For example, suppose you wanted to aggregate on three fields: Event Name, Event Message, and Category Outcome, with a threshold of two matches. If you got two events both with values of Failed Login, Attempt, and Failure for these fields, respectively, these events would be aggregated.
However, if you got only one event like this, and another with values of Failed Login, Attempt, and Success, these two events would not be aggregated because the combined value is not the same for the given threshold number of events.
5 If you want to aggregate on the basis of certain fields' content being identical, click Add under the Aggregate only if these fields are identical pane to select the fields to use. Select fields from global variables, field sets, and local variables.
6 Click OK.
The choices you make are expressed as a conditional statement in the Summary panel.
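Threshold aggregation over a Time Frame, keyed on the combined value of the selected fields as in the Failed Login example above, as an added example that is not ArcSight code. Field names, the event stream, and the handling of events after a firing are constructed assumptions.

```python
"""Added example (not ArcSight code): threshold aggregation over a sliding Time
Frame, keyed on the combined value of the selected fields, following the manual's
Failed Login example (Event Name, Event Message, Category Outcome; two matches).
Event data and field names are constructed."""
from collections import defaultdict, deque

AGG_FIELDS = ("event_name", "event_message", "category_outcome")

# Constructed events in arrival order; 'time' is seconds since start.
EVENTS = [
    {"time": 0, "event_name": "Failed Login", "event_message": "Attempt",
     "category_outcome": "Failure"},
    {"time": 30, "event_name": "Failed Login", "event_message": "Attempt",
     "category_outcome": "Failure"},
    {"time": 60, "event_name": "Failed Login", "event_message": "Attempt",
     "category_outcome": "Success"},
    {"time": 90, "event_name": "Failed Login", "event_message": "Attempt",
     "category_outcome": "Failure"},
    {"time": 800, "event_name": "Failed Login", "event_message": "Attempt",
     "category_outcome": "Failure"},
]


def aggregate(events, number_of_matches, time_frame_s, fields=AGG_FIELDS):
    """Return one correlation event each time the threshold is met.

    Events aggregate only when the combined value of all `fields` is the same,
    and only events still inside the Time Frame are counted. Events that
    contributed to a correlation event are not counted again (assumption).
    """
    buckets = defaultdict(deque)      # combined field value -> event times
    correlation_events = []
    for ev in events:
        key = tuple(ev[f] for f in fields)
        q = buckets[key]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > time_frame_s:
            q.popleft()               # fell out of the time frame
        if len(q) >= number_of_matches:
            correlation_events.append({
                "time": ev["time"],
                "fields": dict(zip(fields, key)),
                "count": len(q),
            })
            q.clear()
    return correlation_events


if __name__ == "__main__":
    # Two Failure events within 600 s aggregate; the Success event does not
    # share their combined value, and the event at 800 s is outside the frame.
    for ce in aggregate(EVENTS, number_of_matches=2, time_frame_s=600):
        print(ce)
```

Dropping Category Outcome from the aggregated fields makes the Success event count toward the threshold, which is why the block also accepts a different field tuple.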
Aggregation Time Criteria
The ArcSight Console provides time-evaluation criteria that can affect event-occurrence
aggregation and rule-triggering. You apply these to rules through the Aggregation tab and
the statement panel of the Conditions tab.
If you set a rule to aggregate over fields of a multi-mapped active list or
overlapping session list, the rule might fire multiple times, once for each
field value in the corresponding list entries. The Console displays a warning to
this effect when such a list field is selected in the Aggregation tab.
We recommend that you do not set rules to aggregate over multi-mapped
active list or overlapping session list fields, and also add entries to the same
list in a rule action (“Adding a Rule Action” on page 408). Setting both
aggregation and rule actions to add entries to the same multi-mapped or
overlapped list can cause the number of rules triggered to increase to an
unmanageable level.
See also “Allow multi-mappings” on page 510 in Active List topics and
“Overlapping Entries” on page 520 in Session List topics.
The criteria and where each applies:

Time Frame
Set on the Aggregation tab, Time Frame establishes the time span for occurrence aggregation. Event-occurrence aggregation is always controlled by Time Frame. Secondarily, Time Frame becomes the default for global and alias expiration time, if these are not set separately.
Note: The Rule Action trigger On Time Unit can be set in conjunction with the Aggregation Time Frame to limit the number of times a rule is triggered. (See related information on page 411.)

Global Expiration
Set on the Conditions tab, a global expiration applies to an entire rule. This is the amount of time that qualifying events for all aliases are retained in memory for evaluation, based on Manager receipt time. Setting an alias expiration overrides a global expiration, if present. To set Global Expiration, right-click the rule's root node (Correlate) in the Conditions tab and choose Set Global Expiration Time.

Alias Expiration
Set on the Conditions tab, an alias expiration applies to a single event alias within a rule. This is the amount of time that a qualifying event for this alias (only) is retained in memory for evaluation, based on Manager receipt time. Setting an alias expiration overrides a global expiration, if present. To set Alias Expiration, right-click an event alias in the Conditions tab and choose Set Alias Expiration Time.
An event alias with an expiration time is displayed with an indicator, for example:
event1 (Wait time: 5m)
To remove the alias expiration time, right-click the event alias and change the time to 0.

Matching Time
Set on the Conditions tab, a matching time creates a time-proximity comparison for multiple-alias rules, based on the events' actual creation times. When two or more rule-condition aliases are present, a Matching Event node appears. You can right-click this node and choose Set Matching Time to require the events' original timestamps (specifically, each event's original end time) to fall within a range. Note that this time-proximity test is independent of, and different from, the memory-retention parameter set by global or alias expiration.

Timeout
Set on the Conditions tab. When you set an event alias to Negated, you are prompted to set a timeout value in seconds, minutes, or hours. The timeout begins after receipt of all positive events. If the negated event is not received within this timeout period, the rule is triggered.
Note: If you have multiple negated events with different timeout settings, the longest timeout period takes precedence.
Deleting Aggregation from a Rule
1 In the Rules resource tree, right-click a rule and choose Edit Rule.
2 In the Rules Editor, select the Aggregation tab.
3 In the Aggregate only if these fields are unique or Aggregate only if these fields are identical lists, select the fields to delete and click Remove.
4 Click OK.
Creating Rule Actions
The Actions tab of the Rules Editor offers a consistent interface for defining actions to take based on the thresholds of the events that trigger them.
In the Actions tab, you click the buttons in the top row to Add, Edit, or Remove event-action sets for rules. Click Hide Empty Triggers to hide or show triggers not currently used.
Rules, rule triggers, and rule actions can be enabled or disabled at various
levels. The rule itself can be enabled or disabled, the trigger on a particular
rule can be activated or deactivated, and a rule action associated with a
particular trigger can be enabled or disabled. Details on rule triggers and rule
actions are described in this topic. For more information and a summary, see
also “Enabling and Disabling Rules” on page 419.
Adding a Rule Action
You add rule actions by choosing an event threshold trigger, clicking Add, choosing an
action, then setting the action's parameters.
To add a rule action:
1 Create a new rule (“Creating Rules” on page 394) or edit a rule (“Editing Rules” on page 395).
2 In the Rules Editor, click the Actions tab. By default, the first trigger, On First Event, is active.
3 Select an applicable threshold trigger that is active. If it is not active, right-click it and select Activate Trigger. If you are creating a lightweight rule, de-activate On First Event and activate On Every Event.
For lightweight rules, only the On Every Event trigger is available for activation.
4 Click Add, then choose an action from the menu. For lightweight rules, choose either Active List or Session List.
5 In the Add “Action Name” Action dialog box, set the action's parameters, if present. See “Rule Actions Reference” on page 412 for information about rule actions.
6 Click OK to add the new action to the rule's threshold trigger.
Editing a Rule Action
You edit rule actions by choosing an event threshold trigger, clicking Edit, then changing
the action's parameters.
To edit a rule action:
1 In the Navigator panel, right-click a rule and choose Edit Rule.
2 In the Rules Editor, click the Actions tab.
3 Select an action below a threshold trigger.
4 Click Edit to open that action's Add Action dialog box.
5 Change the action's parameters as appropriate.
You can use references to Velocity Templates as parameters for rule actions to derive values from event fields and variables. (See “Velocity Templates” on page 962.)
6 Optionally, right-click the trigger and choose De-activate Trigger to stop generating a descriptive event each time this rule action occurs.
7 Click OK to record the changes.
Removing a Rule Action
To remove a rule action, select an action below a trigger in the Actions tab and click
Remove.
Activating or De-activating a Rule Trigger
When a trigger is activated, all enabled rule actions it contains are triggered when conditions are met.
• To activate a rule trigger, select the trigger in the Actions tab and click Activate Trigger.
• To de-activate a rule trigger, select the trigger in the Actions tab and click De-activate Trigger.
Enabling or Disabling a Rule Action
For finer-grained control over which rules are triggered when, you can enable or disable a rule action associated with any of the triggers.
• To disable an action, select an action below a trigger in the Actions tab and click Disable.
• To enable an action, select an action below a trigger in the Actions tab and click Enable.
Threshold Triggering Options
Consider the following points when you are determining your triggering options:
• The minimum threshold value you can set is 1.
• Triggering actions on every or subsequent occurrence can quickly use up resources. Use these options conservatively.
• For threshold-based triggers, only a single correlation event is generated on receipt of any single incoming event, even if that event has an aggregated event count high enough to trigger multiple firings. This is by design, to prevent excessive firings. For example, if a rule has a threshold of 10, an event with an aggregated event count of 200 triggers only one rule firing (not 20).
The triggers and the threshold each responds to:

On First Event
The first time rule conditions are met, overriding aggregation threshold settings.

On Subsequent Events
The second and subsequent times rule conditions are met (not the first), overriding aggregation threshold settings.

On Every Event
Every time rule conditions are met, overriding aggregation threshold settings.
Note: For lightweight rules, this is the only available triggering option. The other triggers are disabled.

On First Threshold
For a number of matches greater than 1, the first time rule conditions and threshold settings are met.

On Subsequent Thresholds
For a number of matches greater than 1, the second and subsequent times rule conditions and threshold settings are met (not the first).

On Every Threshold
Every time rule conditions and threshold settings are met.

On Time Unit
Defines an action to take if the given threshold is met within the specified number of minutes (When: On Time Unit: Every <NumberOfMinutes>).
Note: With On Time Unit, the minimum threshold value you must set is 2.
This setting can be configured to work in conjunction with aggregation to limit the number of times a rule is triggered. For example, suppose aggregation is set to 2 matches in 1 minute and 50 matching events arrive in 1 minute; depending on which threshold triggers you have set, the rule could fire many times in that minute. If you instead set the rule to trigger On Time Unit every 1 minute, the rule triggers only once per minute when the aggregation threshold is met, even though there were 50 matches in that minute.
Notes:
• The list of correlated events attached to the On Time Unit trigger excludes the events composing the first threshold. For example, if the threshold is 2 and 5 matching events are found, the first 2 events are excluded and only the remaining 3 are included in the list of correlated events.
If you want the first two events included in a threshold rule firing, additionally use On First Threshold or On Every Threshold in conjunction with On Time Unit. In this case, you will not see the first two events as part of On Time Unit; instead, they are part of On First Threshold or On Every Threshold.
• Activating On Time Unit does not imply that a rule is triggered on the first event, on subsequent events, or on every event that meets conditions. It specifically sets the rule to trigger once for every given time unit in which the aggregation threshold is met.
• Be sure to set On Time Unit to less than or the same value as the Aggregation “Time Frame” (related information on page 406) to prevent getting an extra correlation event for the rule itself.

On Time Window Expiration
When the threshold settings have expired.
Note: When the On Time Window Expiration (TWE) trigger is activated, it includes an option to display a cumulative rule chain (a summary of triggered rules) at the end of the triggered rules list. By default, the cumulative rule chain option on an activated TWE trigger is off. To toggle the option on or off:
1 Click the Rule Editor Actions tab for a selected rule.
2 Make sure the On Time Window Expiration trigger is active. (See “Activating or De-activating a Rule Trigger” on page 409 for information on activating triggers.)
3 Right-click the active TWE trigger and select On or Off on the cumulative rule chain option as needed.
When a TWE trigger activates a rule, a Correlation Event is generated. If the cumulative rule chain option is on, the correlation event contains all the base events from the first threshold to the TWE. If the cumulative rule chain option is off, the generated correlation event contains the events from the last threshold to the TWE.
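To make the trigger semantics concrete, the following Python replay, added here as an illustration and not ArcSight code, feeds a stream of condition-matching events through the threshold triggers and records which trigger fires and which base events it carries. It assumes a plain match count with no unique or identical fields, that one incoming event's aggregated event count completes at most one threshold (as the note under Threshold Triggering Options states), and that On Time Unit attaches the events received after the first threshold within the current time unit. Event ids and timings are constructed; the class and method names are the example's own.

```python
# Added example (not ArcSight code): replays the threshold triggers over a
# stream of events that already match the rule conditions.
# Assumptions: plain match count; one incoming event completes at most one
# threshold regardless of its aggregated event count; the On Time Unit clock
# starts at the first event, and each unit's correlated events are those
# received after the first threshold met within that unit.
from collections import Counter
from dataclasses import dataclass


@dataclass
class Firing:
    trigger: str
    time: float
    events: list        # base-event ids attached to the correlation event


class TriggerDispatcher:
    def __init__(self, matches, time_unit=None):
        self.matches = matches        # Number of Matches
        self.time_unit = time_unit    # On Time Unit period in seconds; None = inactive
        self.events_seen = 0
        self.thresholds_met = 0
        self.running = 0              # matches accumulated toward the next threshold
        self.pending = []             # events counted toward the next threshold
        self.unit_start = None
        self.unit_thresholds = 0      # thresholds met in the current time unit
        self.unit_events = []         # events after the first threshold in this unit
        self.firings = []

    def _fire(self, trigger, t, events):
        self.firings.append(Firing(trigger, t, list(events)))

    def _roll_time_unit(self, t):
        """Close every time unit that ended at or before t."""
        if self.unit_start is None:
            self.unit_start = t
            return
        while t - self.unit_start >= self.time_unit:
            unit_end = self.unit_start + self.time_unit
            if self.unit_thresholds:      # once per unit, only if a threshold was met
                self._fire("On Time Unit", unit_end, self.unit_events)
            self.unit_thresholds = 0
            self.unit_events = []
            self.unit_start = unit_end

    def offer(self, ev_id, t, aggregated_count=1):
        if self.time_unit is not None:
            self._roll_time_unit(t)
        self.events_seen += 1
        self._fire("On Every Event", t, [ev_id])
        self._fire("On First Event" if self.events_seen == 1
                   else "On Subsequent Events", t, [ev_id])
        self.pending.append(ev_id)
        if self.unit_thresholds:          # first threshold of the unit already passed
            self.unit_events.append(ev_id)
        self.running += aggregated_count
        if self.running >= self.matches:  # fires once, even if running >> matches
            self.thresholds_met += 1
            self.unit_thresholds += 1
            self._fire("On Every Threshold", t, self.pending)
            self._fire("On First Threshold" if self.thresholds_met == 1
                       else "On Subsequent Thresholds", t, self.pending)
            self.running = 0
            self.pending = []

    def close(self, t):
        """Flush time units up to t; call at the end of the replay."""
        if self.time_unit is not None:
            self._roll_time_unit(t)

    def counts(self):
        return Counter(f.trigger for f in self.firings)

    def events_for(self, trigger):
        return [f.events for f in self.firings if f.trigger == trigger]


def demo_five_events():
    """Threshold 2, On Time Unit of 60 s, five matching events in one minute."""
    d = TriggerDispatcher(matches=2, time_unit=60)
    for i, t in enumerate([0, 10, 20, 30, 40], start=1):
        d.offer(f"e{i}", t)               # constructed event ids
    d.close(60)
    return d


def demo_aggregated_event():
    """Threshold 10; one event with aggregated event count 200 fires only once."""
    d = TriggerDispatcher(matches=10)
    d.offer("agg1", 0, aggregated_count=200)
    return d


if __name__ == "__main__":
    for f in demo_five_events().firings:
        print(f"{f.time:>5} {f.trigger:24} {f.events}")
    print(demo_aggregated_event().counts())
```

With five events and a threshold of 2, On First Threshold carries e1 and e2, On Subsequent Thresholds carries e3 and e4, and On Time Unit fires once at the end of the minute with e3, e4, and e5, which is the split the first note above describes. The second replay shows that an event with an aggregated count of 200 against a threshold of 10 produces one threshold firing, not twenty.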
Rule Actions Reference
Consider the following points:
Action sequence
Always add actions in the order in which you want them to be executed. For example, to
set a static value in an active list with values, first add the action to Set Event Field, then
add the action to Add to Active List.
Note that the Editor display does not always match the internal representation of the
specified order of rule actions. However, if you add rule actions in the proper order, that
order is maintained internally.
Actions added to a rule show up the first time in the order you add them. You can continue
to modify these and they show up in this order. After you click Apply, the display reorders
the actions so that Add to Active List shows up first even though the internal
representation has not been modified. Even so, rule actions continue to work as expected
unless you change the order. For example, if you delete the Set Event Field action then add
it back in after Add to Active List action is already configured, the rule actions are misordered and do not trigger as expected.
Use of velocity expressions in rule actions involving lists
You can use references to Velocity Templates as parameters for rule actions to derive
values from event fields and variables. (For additional details, see “Velocity Templates” on
page 962.)
If you are using velocity expressions to derive values from variables and your rule is acting on an active or session list, perform these extra steps in conjunction with your action:
1 Aggregate over the fields of interest on the rule's Aggregation tab.
2 Use the Set Event Field action to set unused fields to the fields from step 1. Start with the $ symbol followed by the exact name of the variable, with dots removed and spaces replaced by the underscore character. For example, if the variable is ActorByAccountID.Last Name, you may use something like:
$ActorByAccountIDLast_Name
3 Continue by specifying the list to be acted on by the rule.
The following table contains the rule actions that are available if you right-click a trigger on a rule's Actions tab and select Add.
If you are creating or editing a lightweight rule, you can only add actions on active and session lists.
Table 13-1 Rule Actions

Set Event Field
Fill in a data field value for correlation events generated by the rule. You specify the data field and the value to place in the field. If the correlation event already has a value for the selected data field, that value is overridden by this rule action.

Send to OpenView Operations
Send the triggered rule's associated events to a special ArcSight SmartConnector within the Manager. The connector forwards the information to an HP OpenView Operations installation. This applies only where you have specifically integrated OpenView with ArcSight. Request the ArcSight Tech Note concerning HP OpenView Operations for more information.

Send Notification
Send e-mail, pager, or cell phone messages to the ArcSight users in the notification group when rules are triggered. Specify a notification group in the Destination Group drop-down menu, then enter the notification text in the Message box.
• Click Ack Required if you want to begin an escalation chain. In this case those notified must acknowledge that they received the notification.
• If you do not select Ack Required, the message is for information purposes only.
• For more information, see “Managing Notifications” on page 603.

Execute Command
Execute a command when the rule triggers. Select an operating system platform from the drop-down menu.
• Enter the command string in the Command field.
• Enter any required parameters in the Parameters field. Otherwise the command cannot execute without user intervention.
Caution: Using Date/Time parameters with Execute Command requires that the variable name be enclosed in double quotes. For example, to use $endTime as a parameter to a command executed by a rule action, enter the parameter as “$endTime”.
• Select the Action Type:
Automatically run on manager: Execute the command at the ArcSight Manager without further intervention.
Run on Manager with Console confirmation: Require an operator at a Console to approve the command before it executes.
Run on connector(s): Send the command to the connectors that report the events.

Execute Connector Command
Execute a SmartConnector command applicable to the device reporting the events. Select the SmartConnector to execute the command. After you select a connector, the command field is populated with the commands available for that connector. Only certain SmartConnectors can process commands beyond the basic set that all SmartConnectors support (start, stop, pause, continue, and terminate). This is similar to “Sending Control Commands to SmartConnectors” on page 663.

Export to External System
Send the rule and the triggering events to an external system that is integrated with ArcSight. The export is in the form of XML in the ArcSight Manager's archive/exports directory.

Case

Create New Case
Create a new case when the rule is triggered. Specify a case name, optional description, case group, consequence severity, and owner.
The maximum number of rule-associated events a case can hold is 1000. If this limit is reached, the Console sends a warning message and disables the action until the number of events in the case drops below the maximum. To decrease the number of events, manually remove them from the case.
You can create a case in conjunction with an existing field value from an event. For example, suppose you want your action to create a new case called Suspicious Login Attempts based on a value in the event field Attacker Address. For this scenario, the case name takes the form Suspicious Login Attempts $attackerAddress. In this example, case creation is attached to the On First Event trigger for the rule.
You have the option to include the base events (non-correlation events) in the case or not.
Tip: A suggested approach for updating cases based on triggered rules is to:
1 Configure an action to create a case on first event or some threshold, and then
2 Add to that same case when subsequent events or thresholds are triggered for that same rule. (For more on this, see the following information on the rule action to “Add to Existing Case” on page 416.)

Add to Existing Case
Adds the associated events to an already-defined case.
The maximum number of rule-associated events a case can hold is 1000. If this limit is reached, the Console sends a warning message and disables the action until the number of events in the case drops below the maximum. To decrease the number of events, manually remove them from the case.
You can choose one of two main options:
• Select an existing case. Use the Case drop-down menu to navigate the Cases resource tree and select a case.
• Select Calculate case name dynamically to specify a case defined in another rule action. This setting inherently depends on another rule action to first create the case; the referenced case is not available until the rule action set to create it has been triggered.
To specify Case Group, browse to the group you defined as the case location in the other rule action that creates the case.
For Case Name, specify the dynamic name based on the same case name you provided in the other rule action that creates the case. An example of a dynamic case name is one that includes a variable. In the example, GetMonth is a variable name, and so the entry is Suspicious Login Attempts $GetMonth. If your variable name has spaces, replace the spaces with the underscore character. For example, if your variable is Get Month instead of GetMonth, then your case name is Suspicious Login Attempts $Get_Month. To calculate the case name, the rule action evaluates this dynamic case name and picks the existing case with the matching name. (See also the information on the rule action to “Create New Case” on page 415.) You also have the option to include base events (non-correlation events) in the case or not.

Active List

Add to Active List
Add the associated events to an existing active list that you select.
When you are specifying fields to be added to the active list, you have the option to select local variables from the Fields tab or global variables from the Global Variables tab.

Remove from Active List
Remove the associated events from an existing active list that you select.
When you are specifying fields to be removed from the active list, you have the option to select local variables from the Fields tab or global variables from the Global Variables tab.

Session List

Add to Session List
Add the associated events to an existing session list that you select.
When you are specifying fields to be added to the session list, you have the option to select local variables from the Fields tab or global variables from the Global Variables tab.

Terminate Session List
• Add the events to the session list when a session terminates. When you are specifying events to be terminated, you have the option to select local variables from the Fields tab or global variables from the Global Variables tab.
• Terminate the oldest session. If checked, the oldest session is added to the “terminate” session list. Oldest time is based on the session's Start Time.

Notes on the Active List and Session List actions:
• For lightweight rules, only the Active List and Session List actions are enabled.
• See related information on page 406 about aggregation settings combined with rule actions that add entries to multi-mapped active lists and overlapping session lists.
• See related information on page 412 about using velocity expressions in rules that act on lists.

Asset

Add Asset Category To Asset
Add the asset category to the associated asset.
This supports the automated discovery and categorization of assets (web servers, mail servers, firewalls, and so on) based on the type of events each asset is sending. Rules can be constructed to listen for certain types of events, and then categorize the associated asset appropriately. (You can also set up a condition on which to Remove Asset Category From Asset.)

Remove Asset Category From Asset
Remove the asset category from the associated asset.
This supports automated categorization (or de-categorization) of assets along with the Add Asset Category To Asset rule action.
Applying Rule Actions
Rule actions are automatic procedures that occur when all rule conditions and threshold settings have been met. You can choose to be notified of a triggered rule at the ArcSight Console or through the Notifier, have information about the events that triggered the rule sent to a case or an active list, or automatically execute a command-line function. You can also assign more than one rule action to any rule.
More Rule Actions
Lightweight rules can only act on active and session lists, and the action is triggered by On Every Event.
Defining a New Rule Action
To define a new rule action, select the Actions tab of the rule you're creating or editing. Select an active trigger or activate an inactive one. Then right-click in the activated trigger and choose Add. The Console now displays a list of options for each of the action types you may want to add, for example, Set Event Field, Send Notification, Execute Command, Add to Active List or to Session List, Create New Case, and so on.
Some additional actions you can specify for a rule include the following.
• Add To Active List, Add to Session List: When triggered, adds the qualifying item to the specified active or session list.
• Remove From Active List: When triggered, clears the qualifying item from the active list.
Add To Active List and Remove From Active List either take no arguments (if acting on an event-bound active list) or a list of event fields (if not dealing with an event-bound active list). The values from the specified fields (those specified either by an event-bound active list or by the argument list) form an item that is added to, or removed from, the active list. Removing an item that is not present does not cause an exception. Adding an item that is already present simply increments that item's counter. You can see this counter in the Active Lists Editor. (See “Active Lists” on page 735 and “Managing Active Lists” on page 509 for more information.)
• Add to Existing Case: Adds to a case all the events that have triggered the rule. When the rule is triggered, all events associated with the rule are sent to a case for further investigation. The maximum number of rule-associated events a case can hold is 1000 (as controlled by the rules.max_events_in_case server property). When this limit is reached, a warning message goes to the ArcSight Console. The Add to Case action deactivates and further events are not sent to the case. When the number of events in the case reduces, the Add to Case action re-activates and resumes sending events to the case.
• Create New Case: Creates a new case and adds all events that have triggered the rule to the case. When the rule triggers, all events associated with the rule are sent to a case for further investigation. The maximum number of rule-associated events a case can hold is 1000. Once this limit is reached, a warning message is sent to the ArcSight Console, the Create New Case action deactivates, and further events are not sent to the case. When the number of events in the case reduces, the Create New Case action reactivates and resumes sending events to the case.
• Execute Command: Executes a command-line function when the rule triggers. The command-line function can be executed immediately or sent to the ArcSight Console for confirmation prior to execution. For example, you could specify an action to perform the bin/ping command on a specific IP address. In the ArcSight Console, you can decide whether to execute or clear the rule action during real-time monitoring.
• Export to External System: Sends the rule and the triggering events to an external system that is integrated with ArcSight. The export is in the form of XML, in the ArcSight Manager's archive/exports directory.
• Send to Console: Sends a correlation event to the ArcSight Console when the rule triggers. A correlation event is generated by a rule when its conditions and threshold settings are met. The Send to Console rule action should always be used. Setting this action displays the “flash” triggered-rule event on the Console.
• Send Notification: Sends e-mail, pager, or cell phone messages to ArcSight users when rules are triggered. The Send Notification rule action can send an informative message or can begin an escalation chain that requires an acknowledgment from a user. Informative notifications are sent to all destinations in a notification group to relay a message. They do not need to be acknowledged. If the Ack Required check box is selected, the notification must be acknowledged. For more information, see “Managing Notifications” on page 603.
A correlation event is generated when the rule triggers. You can specify a Set Event Field rule action to fill in a data field value for the correlation events generated by the rule. You specify the data field and the value to place in that field. If the correlation event already has a value for the selected data field, that value is overridden by this rule action.
See “Creating Rule Actions” on page 408 for more information on defining rule actions and associated triggers.
Enabling and Disabling Rules
You can enable (set to on) or disable (set to off) rules. Rules can also be automatically disabled by ArcSight.
Keep in mind that only rules deployed in Real-time Rules show up in a live channel when they are triggered. Therefore, once you have created and verified rules and are ready to deploy them on real-time events, move or copy the rules to your user folder under Real-time Rules as described in Deploying Real-time Rules.
Enabling Rules
In the Navigator panel's Rules resource tree, right-click the rule and choose Enable Rule. The rule is displayed as enabled (on) in the Navigator.
Disabling Rules
In the Rules resource tree, right-click a rule and choose Disable Rule. The rule is displayed as disabled (off) in the Navigator.
Automatically and Manually Disabled Rules
If a rule is disabled (off), the rule is grayed out on the Navigator panel in the Rules resource tree.
A rule can be manually disabled by an administrator or automatically disabled by the ArcSight system. A rule is disabled by the ArcSight system for any of the following reasons. When a rule is automatically disabled, it generates an audit event indicating that this happened so that administrators can follow up as needed.

Rule is invalid
An invalid rule is automatically disabled and displayed as broken in the Navigator. If an administrator configures a rule or related resource in a way that “breaks” the rule and leaves it in an invalid state, the system automatically disables the rule.
If a rule is disabled automatically due to an invalid configuration, an “Invalid Reason” is displayed in the Rule Editor on the Inspect/Edit panel. When the rule is reconfigured to a valid state and enabled, the “Invalid Reason” field is no longer displayed. The “Invalid Reason” field is not displayed for rules that are manually disabled.

Rule is recursive
Rules that trigger themselves in a recursive loop are automatically disabled temporarily. A rule that is automatically disabled due to recursion is re-activated after a time frame that matches the aggregation time frame for the rule. (The default aggregation time frame is 2 minutes.)
An auto-disabled rule is displayed with a special icon in the Navigator: the “broken” symbol, overlaid by an ArcSight logo to indicate that the system disabled it.
A rule can be inherently recursive due to a flaw in its design, or temporarily recursive because of the particular events involved. In the latter case, temporarily disabling the rule often clears out the problem and allows the rule to run normally when it is re-activated. If the rule is inherently recursive, it is continuously re-enabled and auto-disabled. The solution in this case is to redefine the rule logic and redeploy it, since it is effectively a “broken” rule.

Number of rule triggers exceeds configured limits
A rule that exceeds the configured limits shows as disabled in the Navigator and offers a right-click option for the user to manually disable it permanently.
The system disables a rule if the rule exceeds the configured limits on the number of rules triggered per minute or the ratio of base events to triggered rules, as defined in the file ARCSIGHT_HOME/config/server.defaults.properties on the Manager.
A rule in this state continues to attempt to run until the user disables it permanently by right-clicking it in the Navigator and choosing Disable.

For rules that are disabled automatically by ArcSight, right-clicking the disabled rule in the Navigator provides a manual Disable option so that users can permanently disable the rule until it is fixed. If these rules are not manually disabled, they make continued attempts to run and get intermittently enabled/disabled by the system. This can impact system performance.
Disabling Rule Components
You can also disable certain components of a rule, such as particular rule triggers or
rule actions associated with particular triggers. For information on this, see “Activating
or Deactivating a Rule Trigger” on page 409 and “Enabling or Disabling a Rule Action” on
page 410 (in “Creating Rule Actions” on page 408).
Importing and Exporting Rules
Rules are created in a readable XML format. You can export a rule or rule group to an
external file to modify it. After modification, you can import it back into the ArcSight
Manager.
To import and export rules, use the packages feature. The packages feature supersedes
the import/export facility provided in previous releases and offers enhanced
functionality, including version support, dependency management, and
import/export capabilities. Portable ArcSight packages can automatically
manage dependencies across resources and other packages. Please see the
information on packages in “Managing Packages” on page 633.
Scheduling Rules
You can schedule rules to run at a specified time interval (such as hourly, daily, or
monthly).
Scheduled Rules are a useful alternative to real-time rules in situations where you want to
deploy rules that take into account historical data along with live data, or when you simply
want to control when the rules are run. The scheduled rules engine can process historical
data, take real actions, and generate correlated events which are the same as those
generated by the real-time rules engine.
Scenarios for Using Scheduled Rules
• Batched Events. In many environments, certain types of events are not immediately
available to the Manager, but instead are sent in batches infrequently; sometimes once
a day, or once a week. Such events have different Manager receipt times and end
times. Manager receipt times are current (when the batches are submitted), but the
event end times are in the past, since the events actually happened in the past. Common
examples of events that are sent in batches are those involving physical security
devices and represent individuals gaining entry to buildings or offices by means of
badge readers and card keys.
Since these events (like an employee entering an office) arrive late to the Manager,
they cannot be effectively correlated with other events (like a user login) by typically
deployed rules that use the real-time rules engine. When the real-time rules engine
receives login events, it waits for 1 minute (or whatever the time window for this rule
is) and then throws out the login event, since the other event did not arrive within the
rule's time window. Suppose you have a rule that looks for a badge swipe event and a
login event within 1 minute of each other (aggregates on 1 minute). The login events
are received by the Manager in real time as they occur. But the badge swipe events are
collected and submitted only once a day at 10 p.m.
A real-time rule would not correlate the two events because it would throw out the
login event before it ever gets the batched event. But if you scheduled your rule to run
at midnight with the scheduled rules engine, it could correlate the actual end times of
batched events and login events that occur within 1 minute of each other. Scheduled
rules can correlate these types of events because (a) rules can be scheduled to run
when both the login and batched events are available within the database and (b)
although the Manager receipt times for these events would be different, their end
times are close together within the aggregation window. Correlations are based on
end times of events.
• Historical Data. You may want to capture and correlate other kinds of historical data
(other than batched events). For example, you may have observed a pattern of events
over the last several weeks and decide to write rules that take actions on some of those
events and correlate not only future occurrences of them but also the past events.
This is possible by scheduling rules to run on events with end times in the past.
• Optimized Rule Schedules. Another scenario in which you might want to use
scheduled rules is for rules that are more appropriate to run after business hours (for
example, in the middle of the night). The job scheduler on rule groups lets you specify
the appropriate schedule, and the rules are deployed as correlated events but are
executed on off-hours.
In all such cases, scheduled rules generate correlation events and take real actions when
triggered, just like deployed real-time rules.
Although scheduled rules that correlate batched events work in part with
historical data, these are deployed rules (not tests) that take actions as
appropriate and do affect the live system.
Scheduling a Rule Group
1. Click the Rules resources on the Navigator.
2. Identify the rules you want to schedule. (For information on how to create new rules,
see “Managing Rules” on page 394.)
3. If these rules are not already in a rule group, create a new rule group and link or move
rules into it. (For information on how to create and work with rule groups, see
“Managing Rule Groups” on page 396.)
4. Select a rule group, right-click, and choose Edit Rule Group from the context menu.
5. Click Jobs in the Rule Group editor.
6. Add a job, name and describe it, and specify a schedule on which to run the rule
group.
7. Specify a filter for these rules. (By default the filter is set to All Events. Click Filter
Results by to refine the filter to display only events relevant to the rule. Narrowing
the filter optimizes performance when the rule is run.)
8. Click Apply or OK to deploy.
The rules are deployed according to the schedule specified in the Rule Group editor on the
Jobs tab, and are triggered if the rule conditions are met.
You cannot schedule a single rule outside of a group, but you can schedule it
as a “group of one” contained in a folder. To schedule one or more rules, place
them in a folder. Multiple rules in the same folder run together per the
schedule as part of the rule group.
Example of a Scheduled Rule (Badge Swipes and Logins)
As an example, here are the condition statements for a rule that correlates badge
swipe events, which are sent to the Manager in a batch file once per day, with login events,
which are sent to the Manager frequently in real time. The example rule looks for an event
with “swipe” in the name and an event with “login” in the name.
Figure 13-1 Example Scheduled Rule: Condition Statements
This rule sets an aggregation time window to correlate these events at 2 minutes. This
means that a login event (end time) must occur within 2 minutes of a badge swipe event
(end time) in order for the rule to be triggered.
Figure 13-2 Example Scheduled Rule: Aggregation
Note that if you deploy this rule in real-time rules, the rule is not triggered to capture the
events you want to correlate. Although the badge swipe events are actually occurring
within 2 minutes of login events (according to event end times), the ArcSight Manager
Receipt Time for badge swipe events is always hours later (whenever they are submitted as
batched events). In this kind of scenario, the real-time rules engine would never correlate
these events because the badge swipe events (with late Manager Receipt time) would be
read in so much later.
If, however, you deploy this as a scheduled rule to run on a nightly basis, the rule is
triggered and captures the correlated events. This is because the scheduled rules engine is
designed to correlate historical data with live data.
To configure this as a scheduled rule, you would create a new folder (group) for it under
Rules resources in the Navigator, link or move the rule into the folder, then edit the rule
group to add a scheduled job (on Jobs tab). The job schedule defines when the rule runs.
Once the job schedule is applied to the rule group, the rule is deployed as a scheduled rule.
To create and test the example rule:
1. Create a rule called “Badge Entry and Logins.”
2. On the Conditions tab for this rule, set a condition to look for two events joined by
AND; an event with “swipe” in the event name and an event with “login” in the event
name.
3. Save the new rule.
4. Create a new rule group folder called “Badge Entry and Logins” and link or move the
rule into that folder.
5. Edit the “Badge Entry and Logins” rule group to add a scheduled job for the rule of the
same name.
6. Save the new rule group.
After you save the rule group with the scheduled job, the rule is deployed.
For testing purposes, schedule the job to start in 5 minutes from the current time and then
use the ArcSight Test Alert connector to test sending events to the Manager with end times
within two minutes of each other and different Manager receipt times. (For example, to
model a real-world scenario: set Manager receipt time for badge swipes to several hours
later than for logins.)
Make sure that the start time of your scheduled job is earlier than the event end times on
your test events (so that the scheduled job is running to capture the events). You should
see the scheduled rule triggered on correlated events.
Figure 13-3 Start Time on Example Scheduled Rule is Set Earlier than End Times of Events
As a comparison, deploy the same rule in a real-time rules folder and send the test events
again. Note that the same rule is not triggered by the real-time rules engine because it is
not designed to correlate historical data.
In every scheduled run of a rule, only events arriving between that run and the earlier run
are considered for input.
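The badge swipe and login scenario above, as an added example that is not part of the ArcSight documentation or product code: two small Python models, one of the real-time engine (a partial match is thrown out once the aggregation window has passed on the wall clock, that is, in Manager receipt time) and one of the scheduled engine (one run over everything received since the previous run, joined only on event end times). The event names, times and engine internals are constructed assumptions; ESM's actual implementation is not shown here.

```python
"""Why the badge swipe / login rule fires only under the scheduled rules engine.

Added example, not ArcSight code: simplified models of the two engines as the
text describes them. All event data are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

WINDOW = timedelta(minutes=2)  # aggregation window of the example rule


@dataclass
class Event:
    name: str
    end_time: datetime              # when the event actually happened
    manager_receipt_time: datetime  # when the Manager received it


def _alias(ev: Event) -> str:
    """Map an event onto one of the rule's two aliases ('' = matches neither)."""
    low = ev.name.lower()
    if "swipe" in low:
        return "swipe"
    if "login" in low:
        return "login"
    return ""


def realtime_correlate(events: List[Event]) -> List[Tuple[Event, Event]]:
    """Model of the real-time engine: events are processed in receipt order and a
    partial match is discarded once WINDOW of wall-clock (receipt) time has passed."""
    pending: List[Event] = []
    matches: List[Tuple[Event, Event]] = []
    for ev in sorted(events, key=lambda e: e.manager_receipt_time):
        now = ev.manager_receipt_time
        # expire partial matches whose window elapsed on the wall clock
        pending = [p for p in pending if now - p.manager_receipt_time <= WINDOW]
        alias = _alias(ev)
        if not alias:
            continue
        for p in pending:
            if _alias(p) != alias and abs(p.end_time - ev.end_time) <= WINDOW:
                matches.append((p, ev))
        pending.append(ev)
    return matches


def scheduled_correlate(events: List[Event], run_time: datetime,
                        previous_run: datetime) -> List[Tuple[Event, Event]]:
    """Model of the scheduled engine: one batch over everything received since the
    previous run, joined purely on event end times (receipt time is irrelevant)."""
    batch = [e for e in events
             if previous_run < e.manager_receipt_time <= run_time and _alias(e)]
    swipes = [e for e in batch if _alias(e) == "swipe"]
    logins = [e for e in batch if _alias(e) == "login"]
    return [(s, l) for s in swipes for l in logins
            if abs(s.end_time - l.end_time) <= WINDOW]


def sample_events(swipe_batched: bool = True) -> List[Event]:
    """Constructed day: a login at 08:59 received at once, and a badge swipe at
    08:58 that is either batched in at 22:00 or (for comparison) received promptly."""
    day = datetime(2012, 9, 20)
    swipe_end = day + timedelta(hours=8, minutes=58)
    swipe_rcpt = (day + timedelta(hours=22) if swipe_batched
                  else swipe_end + timedelta(seconds=2))
    return [
        Event("User login", day + timedelta(hours=8, minutes=59),
              day + timedelta(hours=8, minutes=59, seconds=5)),
        Event("Badge swipe", swipe_end, swipe_rcpt),
        # evening swipe-out with no login nearby (constructed noise)
        Event("Badge swipe", day + timedelta(hours=17, minutes=30),
              day + timedelta(hours=22)),
        Event("File access", day + timedelta(hours=9),
              day + timedelta(hours=9, seconds=1)),
    ]


def demo() -> Tuple[int, int, int]:
    """Return (real-time matches on batched data, scheduled matches on batched data,
    real-time matches when the swipe is NOT batched)."""
    day = datetime(2012, 9, 20)
    batched = sample_events(True)
    rt = len(realtime_correlate(batched))
    sched = len(scheduled_correlate(batched, run_time=day + timedelta(hours=24),
                                    previous_run=day))
    rt_prompt = len(realtime_correlate(sample_events(False)))
    return rt, sched, rt_prompt


if __name__ == "__main__":
    print("real-time/batched, scheduled/batched, real-time/prompt:", demo())
```

The third value shows the same rule does fire in real time when the swipe is not batched, which is why the text attributes the miss to Manager receipt time rather than to the rule's conditions.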
Testing Rules
You can test rules against copies of active channels for valid conditions logic, verify that
rules are triggered by the events they are supposed to capture, and that they generate
correlated events as expected.
The ArcSight Console provides two different ways of getting to tools for testing and
verifying rules against events before deploying the rules in real time:
• Test a single rule from within the rule editor by clicking the Test button
• Test rules and rule groups from the navigation tree with the Verify Rules with Events
option
These options are somewhat similar. They differ in the navigation paths to select or set up
the channels, and more importantly in that from the rule editor you can test only the
selected rule but from the navigation tree you can test several selected rules or rule
groups. This Help topic explains how to test a single rule from the rule editor. See also
“Verifying Rule(s) with Events” on page 428.
Keep in mind that only rules deployed in Real-time Rules act on live events
and show up in a live channel when they are triggered. For more information,
see “Deploying Real-time Rules” on page 431.
Testing a Rule from the Rule Editor
1. Choose the Rules resource in the Navigator, and select the rule you want to test.
2. Right-click and choose Edit Rule to bring up the Rule editor for that rule in the
Inspect/Edit panel.
3. In the editor for the selected rule, click Test.
This brings up the Test Rule dialog where you can choose an existing active channel or
create a new channel in which to verify the rule.
4. Select either New Active Channel or Select an Active Channel depending on
whether you want to test the rule in a new or existing channel.
You can set override channel filters on either a new or existing active channel.
If you choose Select an Active Channel (which means you are opting to use an
existing channel rather than create a new one), an in-line browser is displayed where
you can navigate to and choose an existing channel.
5. Once you have set up the channel, click OK. (If you need more help on setting up
channels, see “Viewing and Using Channels” on page 78.)
The channel is displayed in the Viewer panel.
Showing Rule Errors
If rules have errors, the rule icon changes to indicate it.
In the Rules resource tree, right-click the rule-error icon and choose Show Error. The
error appears in a dialog box.
Verifying Rule(s) with Events
The ArcSight Console provides two different ways to test or verify rules before deploying
them. These options are somewhat similar. They differ in the navigation paths to select or
set up the channels, and more importantly in that from the rule editor you can test only the
selected rule but from the navigation tree you can test several selected rules or rule
groups.
This topic explains how to test multiple rules or rule groups from the navigation tree using
"Verify Rule(s) with Events". See also “Testing Rules” on page 426.
"Verify rule(s) with events" is an enhanced version that replaces "replay with rules" in
previous versions. You can test rules by running them against a set of captured events for
forensic analysis. Now you can replay events to verify rules in existing active channels or,
as before, create new channels for this purpose. Also, you can select a single rule, multiple
rules, or a rule group to verify. (In earlier releases, only the last of these options was
available.)
To verify rules with events, select an existing active channel or create a new one, and then
scan the list of events in the channel to verify that the rule is triggered and that it
generated correlated events as expected.
Existing active channels have a sliding time window for events (based on the channel
filters).
New active channels created as “replay with rules” channels have a fixed time window for
qualifying events, and the events are those that qualify under the rules in the selected
group. These active channels incorporate the conditions, aggregation characteristics, and
actions defined for the rules in the selected group.
Rules tested against pre-existing active channels are actually executed on
copies of active channels the system automatically generates for this
purpose. Rules run in verify mode do not generate real rule actions correlated
with live or historical system events and, therefore, when they are triggered
no real rule actions are impacting the system state. Only real-time rules or
scheduled rules (set up to capture batched and other types of historical data)
trigger real rule actions.
Once you have created and verified rules and are ready to deploy them on
real-time events, move or copy the rules to your user folder under Real-time
Rules. For more information, see “Deploying Real-time Rules” on page 431
and “Scheduling Rules” on page 421.
Verify Rule(s) from the Resource Tree
1. In the Rules resources tree, right-click an appropriate group and choose Verify
Rule(s) with Events.
2. From the sub-menu, choose Most Recent Opened Active Channels, More, or
New Active Channel.
• Most Recent Opened Active Channels. Choose from the list of recently
opened channels. The selected channel is displayed in the Viewer panel.
• More... This brings up the Active Channel Selector dialog. Use this dialog to
navigate to the channel you want.
If you want to redefine or further narrow the stream of events in the selected
channel, click the Override Channel Filter tab to add filters to it. The Override
Channel Filter tab shows the conditions on the currently selected channel. You can
add, remove, or modify the filters here.
Click OK to choose the selected channel with filter modifications (if any).
The selected channel is displayed in the Viewer panel.
• New Active Channel... Selecting this option brings up a dialog where you can set
up the parameters for the active channel that displays the rules in action. Provide a
name for the new channel and set the other channel options as described in “Viewing
and Using Channels” on page 78.
Click OK to create the new channel with your chosen settings. The new channel is
displayed in the Viewer panel.
About Test Channels: A lightning bolt on a channel indicates it is a
test channel created as a result of choosing Verify Rules with Events on a
rule. Test channels cannot be re-used, even for the same rule. Remove test
channels from the Active Channels folder in the Navigator.
Alternatives to Test Channels: If you would like to re-use a channel to test
various rules, create a standard active channel e.g., “My Rules Test Channel”
(see “Creating an Active Channel” on page 79), then send rules test results to
that channel. You can re-use a standard channel as many times as you want
to test rules (i.e., verify rules with events).
Filters shown on rule verification channels are not designed for copying and
re-use outside of these special rule testing channels. Rule verification
channels show rule-triggered events and other non-correlation events in the
channel, but the complete filtering logic that accomplishes this is not
exposed.
Filter conditions on these channels display the original filter (if one is applied)
and “Session ID > 0". The session ID statement is a simplified representation
of the back-end filtering taking place in the special rule verification channel to
limit this particular channel to show only new rule-triggered events.
Deploying Real-time Rules
Once you have created and verified rules and are ready to deploy them on real-time
events, move or copy the rules to your user folder under Real-time Rules.
Rules run in verify or test rule mode do not generate real rule actions correlated with live or
historical system events and, therefore, when they are triggered no real rule actions are
impacting the system state.
Only real-time rules show up in a live channel, generate correlation events, and trigger real
rule actions.
A special category of rules called scheduled rules can capture batched and
other types of historical data, generate correlation events, and trigger real
rule actions. These act similar to real-time rules, but are deployed differently.
They are evaluated according to a schedule, and trigger off of historical/past
events. See “Scheduling Rules” on page 421 for more information.
Deploying a Rule
In the Navigator panel's Rules resource tree, right-click a rule or a rule group (folder)
and choose Deploy Realtime Rule(s).
The rules you deploy are linked into the Real-time Rules folder (Shared/All Rules/Real-time
Rules). This means that if you change something in the working copy of a rule (in your user
folder), those changes also take effect in the deployed rule and vice versa.
You can also manually copy, link, or move rules from your working user folder to a user
folder in Real-time Rules. To do this, click and drag a rule or rule group to the Real-time
Rules folder, then choose an option in the dialog (Copy, Link, or Move). Using this method
of deploying real-time rules is useful if you want to copy or move the rules rather than link
them.
If a rule is already enabled, it is deployed as enabled. If a rule has been disabled
during the testing phase, it is deployed into real-time rules but remains disabled until you
enable it. Rules must be both enabled and deployed in real-time rules to take effect in the
live system. (If you enable or disable a deployed, linked rule in the original location it is
also enabled or disabled in real-time rules and vice versa.) For more information, see
“Enabling and Disabling Rules” on page 419.
Removing or Un-deploying a Rule
You can remove rules from the Real-time Rules folder, thereby “un-deploying” them from
the live system.
To un-deploy a rule (beyond disabling it), select the rule in the Real-time Rules folder,
right-click, and choose Delete Rule from the context menu.
Depending on whether the rule was linked, moved, or copied into the Real-time Rules
folder, you get different options at this point.
• If the rule has been moved or copied into your working folder, you get an option to
remove it or to cancel the operation.
• If the rule is a link to the original rule in your working folder, you get options to remove
it from this group only, delete it entirely from all locations, or cancel the operation. (A
linked file is treated as a single entity, so edit actions taken on the file in any location
affect all instances of it.)
Loading Rules
Creating custom rules does have an effect on the load placed upon the ArcSight Manager.
This load is a function of how many partial and full matches are generated by those rules.
Since partial matches occur when any condition of a rule is met and full matches occur
once all conditions of a rule have been met, poorly written rules can generate many partial
matches without generating any full matches.
Also, poorly written rules can generate, in a worst case scenario, one additional event for
every incoming event. However, well-written rules have conditions that are restrictive
enough to limit partial matches to those events that are likely to participate in a full match.
Such rules are also likely to generate very meaningful derived events and they also impose
a smaller load on the ArcSight Manager. Therefore it is very important that you carefully
plan, write, and test all your custom rules.
Automatic Disabling
ArcSight automatically disables improperly written rules that would produce excessive or
meaningless events. The conditions that cause rules to be disabled are described below.
The factors that control rule disabling are shown in the table below.
Rule Disabling
Alias Matches: If an alias is defined in the rule, this is the number of events
matching that alias, independent of other defined aliases.
Partial Matches: If more than one alias is defined in the rule, this is the number
of events matching the aliases defined before the current one,
and for the current one, and for their join condition (if present).
Generated Events Counts: The number of correlation events generated.
Base Event Counts: The number of base events used by the rule to generate
correlation events.
Time Unit Counts: The number of time units (minutes) that passed since the
current rule activated.
Therefore, the conditions that can result in rule disabling are:
• The number of matching aliases would exceed the default limit of 100000.
• The number of partial matches for any of the aliases would exceed the default limit of
100000.
• The rule generates more than five correlation events for each base event it processes.
• The rule generates more than 1000 correlation events in one time unit.
The above values are defaults that may be adjusted differently for your enterprise.
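To make the load factors and the disabling conditions above concrete, here is an added Python model (not ArcSight code) that accumulates the five counters for a rule over a constructed one-minute event stream and reports which default limit a loosely written rule trips while a restrictively written rule stays within limits. How ESM itself increments these counters is internal to the product; the counting below, the alias predicates and the event names are assumptions made for the illustration.

```python
"""Model of the automatic-disabling checks, using the default limits in the text.

Added example, not ArcSight code. Counter semantics are simplified assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Default limits quoted in the text (the live values are configured in
# ARCSIGHT_HOME/config/server.defaults.properties on the Manager).
MAX_ALIAS_MATCHES = 100000
MAX_PARTIAL_MATCHES = 100000
MAX_CORRELATION_PER_BASE_EVENT = 5
MAX_CORRELATION_PER_TIME_UNIT = 1000


@dataclass
class RuleLoad:
    """Per-rule counters corresponding to the factors in the table above."""
    alias_matches: Dict[str, int] = field(default_factory=dict)
    partial_matches: Dict[str, int] = field(default_factory=dict)
    generated_events: int = 0
    base_events: int = 0
    time_units: int = 1  # minutes since the rule activated (at least one)

    def disable_reason(self) -> Optional[str]:
        """Return the condition that would auto-disable the rule, or None."""
        for alias, n in self.alias_matches.items():
            if n > MAX_ALIAS_MATCHES:
                return f"alias {alias!r} matched {n} events"
        for alias, n in self.partial_matches.items():
            if n > MAX_PARTIAL_MATCHES:
                return f"partial matches for {alias!r} reached {n}"
        if self.generated_events > MAX_CORRELATION_PER_BASE_EVENT * self.base_events:
            return "more than 5 correlation events per base event"
        if self.generated_events / self.time_units > MAX_CORRELATION_PER_TIME_UNIT:
            return "more than 1000 correlation events per time unit"
        return None


def simulate(events: List[str], aliases: Dict[str, Callable[[str], bool]],
             minutes: int) -> RuleLoad:
    """Feed constructed base events through a rule whose aliases are predicates on
    the event name. Simplification: an event counts as a partial match for an alias
    once every earlier alias has matched at least once, and completing the last
    alias generates one correlation event."""
    load = RuleLoad(time_units=max(minutes, 1))
    names = list(aliases)
    for ev in events:
        load.base_events += 1
        for i, name in enumerate(names):
            if not aliases[name](ev):
                continue
            load.alias_matches[name] = load.alias_matches.get(name, 0) + 1
            if all(load.alias_matches.get(n, 0) for n in names[:i]):
                load.partial_matches[name] = load.partial_matches.get(name, 0) + 1
                if i == len(names) - 1:
                    load.generated_events += 1
    return load


def demo() -> Dict[str, Optional[str]]:
    """Compare a loose rule (both aliases match anything) with a strict one on the
    same constructed stream: 3000 events in one minute, almost all of them noise."""
    stream = ["web request"] * 2990 + ["failed login"] * 8 + ["successful login"] * 2
    loose = {"any_event": lambda e: True, "any_other_event": lambda e: True}
    strict = {"failed": lambda e: e == "failed login",
              "success": lambda e: e == "successful login"}
    return {"loose": simulate(stream, loose, 1).disable_reason(),
            "strict": simulate(stream, strict, 1).disable_reason()}


if __name__ == "__main__":
    for rule, reason in demo().items():
        print(f"{rule}: {reason or 'within limits'}")
```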
Chapter 14
Global Variables
This topic describes global variables, which enable you to create a variable that derives
data from fields in the resource and event schema and can be used and re-used in
monitoring and authoring contexts throughout the Console.
“About Global Variables” on page 435
“Creating a Global Variable” on page 436
“Promoting a Local Variable to a Global Variable” on page 438
“Editing a Global Variable” on page 441
“Navigating to Global Variables” on page 442
“Adding a Global Variable to a Resource” on page 442
“Chaining a Global Variable” on page 446
“Global Variables in Standard Content” on page 447
About Global Variables
ArcSight™ lets you create local variables in the resource you are working on that derive
values from existing data fields, to make monitoring and correlation more specific to
particular scenarios.
In addition to these local variables, there is a global variable resource that makes it
possible to define a variable once, then re-use it in multiple places wherever conditions can
be expressed (active channels, rules, filters, data monitors, and queries), and wherever
fields can be selected (CCE, field sets).
Global variables are centralized and reusable, which makes them an essential building
block for user correlation in the Actors feature and other advanced correlation scenarios.
Once created, global variables can be selected in the Common Conditions Editor (CCE) as
additional fields on the Filters or Conditions tabs, as Group By arguments for data
monitors and queries, and in rule conditions and actions. You can add variables to field sets
in the Field Set Editor to extend the event and resource schema with values derived from
other data fields.
The global variables feature also makes it easy to promote local variables defined for a
particular resource into global variables, which can then be re-used in other condition
statements.
Global variable dependencies
Global variables depend on a pre-defined schema, so ad hoc data gathered during run-time
in active channels, active lists, session lists, query viewers, queries, domain fields, and
trends cannot be used to define a global variable.
Ad-hoc (in-memory) global variables can be displayed as columns in active channels, but
not used as part of a condition or filter (for example, to derive a list or query result).
This topic describes how to use Console tools to create global variables, and how to
leverage them in other resources. For details about the supported variable types and
functions, see “Variables” on page 947.
Creating a Global Variable
Here are the high-level steps for creating a global variable:
1. In the Navigator panel, go to Field Sets and click the Fields & Global Variables
tab.
2. In the Fields tree, right-click the group to which you want to add the global variable,
such as <user’s> Fields, and select New Global Variable.
3. In the Global Variable Editor in the Inspect/Edit panel, define the global variable.
a. In the Attributes tab, name the global variable, specify its type, and specify the
group in which to place it to help others find it in pick lists. For details, see “Global
Variable Editor: Attributes Tab” on page 437.
b. In the Parameters tab, define the parameters the variable uses and the functions it
performs. For details, see “Global Variable Editor: Parameters Tab” on page 437.
c. In the Local Variables tab, you can optionally add a local variable, which extracts
data from a field that can be used for the overall global variable. For details, see
“Global Variable Editor: Local Variables Tab” on page 437.
4. Click Apply to apply the changes and keep the editor open; click OK to save changes
and close the editor.
Global Variable Editor: Attributes Tab
Name
Enter the variable name (which must be unique in the containing
group). Global variable names cannot be SQL keywords.
NOTE: The value you enter here cannot be changed once the global
variable is saved. If you want to change the name of the global
variable after it is saved, make note of the variable attributes and
re-create the variable with the desired name.
Type
From the drop-down selector, select the type of global variable you
want to create. The type you choose here determines the type of
fields available to this variable, and which resources can use the
data derived from it.
• Event Global Variable. Select this default option if you want
the global variable to operate on event fields.
• Asset Global Variable. Select this option if you want the global
variable to operate on fields associated with assets in the
network model.
• Case Global Variable. Select this option if you want the global
variable to operate on fields associated with cases.
• Actor Global Variable. Select this option if you want the global
variable to operate on fields associated with actors.
Group
From the drop-down menu, select the group in which to place your
global variable. This is the group where you find the global variable
in field pick lists in the CCE and Field Sets editor. The Variables
group is selected by default, which means if you want to select this
global variable in the pick lists, you scroll down to the Variables
group. If you want to position this variable at the top group of the
pick list, you select root.
For a description of what to enter in the Common fields, see “Common Resource Attribute
Fields” on page 630.
Global Variable Editor: Parameters Tab
1. On the Parameters tab in the Function field, select the function that the variable
evaluates.
2. In the Arguments fields, specify the arguments (number and type parameters
depending on the function), each of which may be a constant value, a field from the
parent field set, or another global variable (see “Chaining a Global Variable” on
page 446).
3. For relevant functions, you can verify that the arguments you entered in the Function
and Arguments fields return the values you want by entering sample parameters in the
Preview fields.
For details about how to fill out the Function and Arguments fields, see “Variable Definition
Fields” on page 950.
Global Variable Editor: Local Variables Tab
Use the Local Variables tab to extract a value from a field that you want to use in the
overall Global Variable.
1. Click Add. This launches the Add Local Variable editor.
2. In the Add Local Variable editor, enter a name for the local variable, specify a function,
and add arguments (number and type parameters depending on the function).
3. Verify that the arguments you entered in the Function and Arguments fields return the
values you want by entering sample parameters in the Preview fields.
For details about what to enter in the Function and Arguments fields, see “Variable
Definition Fields” on page 950.
Promoting a Local Variable to a Global Variable
If you have an existing resource (such as a field set or rule) that contains one or more local
variables that you want to re-use in other resources, it is easy to convert that variable to a
global variable.
This feature is available in the following resource editors: active channels, data monitors,
field sets, filters, rules, and queries.
Promoting local variables for resources
Local variables defined for data from events, actors, cases, and assets can be
promoted to global variables.
Local variables defined for query viewers cannot be promoted to global
variables. Query viewers operate on queries, which have their own distinct
schema for each instance. A local variable defined for a query viewer is likely
only applicable to the specific query viewer it applies to.
To promote a local variable:
1
At the Local Variables tab in the resource editor, select the local variable you want to
promote. This activates the Make Global button in the local variable toolbar.
438 ArcSight Console User’s Guide
Confidential
14
Confidential
Global Variables
2 Click the Make Global button. This launches the Fields Selector, where you can choose the group to which you want to save the global variable.
3 The system prompts you to decide whether to use the global variable you just promoted in the resource.
• Click Yes to promote the local variable to a global variable. This removes the variable from the local variables list and makes it available to the resource as a global variable.
• Click No to keep the variable local in the host resource.
If you opted to replace the local variable with the global version, you can see it by viewing the condition or selected fields tab, depending on the type of resource you are working in.
4 You can find the new global variable you just promoted in the global variables tree. Go to Field Sets > Fields & Global Variables and navigate to the group in which you saved the global variable.
The new global variable appears in the Variables hierarchy and is available for use in other resources.
A global variable may also chain (use as parameters) other variables that are local to a
resource. A common use case is to create a complex chain of variables, and expose only
the variable representing the final result as a global variable, keeping the chained
intermediate variables local to their host resource.
Editing a Global Variable
To edit an existing global variable:
1 In the Navigator panel, go to Field Sets > Fields & Global Variables. Right-click the global variable you want to edit and select Edit Field.
2 In the Global Variable editor, you can edit only the group in which the global variable is stored and the function parameters, because changes to the variable name and type could affect other resources that link to the variable.
3 Click Apply to save the global variable and leave the editor open, or click OK to save and close the editor.
Moving or Linking a Global Variable
A global variable can be moved or linked in the Navigator the same way other resources
can be moved or linked. Global variables cannot be copied. For details, see “Move, Copy, or
Link a Resource” on page 69.
Deleting a Global Variable
To delete a global variable:
1 In the Navigator panel, right-click the global variable and select Delete Field.
2 At the confirmation dialog box, click Delete.
If any resources depend on this variable, a warning is displayed containing the URI of the
impacted resources. You can override the warning and force-delete the variable. In such
cases, the dependent resources are marked invalid; you can then edit those resources and
remove any orphaned references.
Navigating to Global Variables
The console Navigator contains a new resource tab called Field Sets with a tab called Fields & Global Variables. This tab displays:
• Global variable resources defined by users and in standard content
• Standard event schema fields
To view fields in the standard schema, including device custom fields, go to Fields & Global
Variables > All Fields/ArcSight System/Event Fields.
Adding a Global Variable to a Resource
You can add a global variable to any resource that uses the Common Conditions Editor (CCE) to express a condition, as well as to data monitors and field sets. Global variables are made available to query viewers through the queries the query viewer is based upon.
Accessing a Global Variable Using the CCE
Resources that use the CCE provide a button that enables you to access and add a global
variable to a condition statement.
To add a global variable using the CCE:
1 In the CCE for a given resource, click the +/- Global Variable button.
2 On the Global Variable Selector dialog, select one or more variables you want to add and click OK.
Only variables whose schema type matches the given resource are displayed. For example, an actor-based global variable can be added to an actor-based query, but not to an event-based or other resource-based query.
3 The added variables appear in the field list under the group selected for them in the Global Variables editor (such as the Variables group). You can use these variables in condition statements for this resource.
For details, see “Adding or Removing Global Variables Using the CCE” on page 793 in the
reference topic on the Common Conditions Editor (CCE).
If the resource you are working in uses a field set that contains global variables, any global
variable fields included in the selected field set are also available for selection in the CCE.
Adding a Global Variable to a Data Monitor
You can add a global variable to any fields-based data monitor on the Attributes tab where fields are selected. Field-based data monitors include:
• Event graph
• Hierarchy Map
• Last N Events
• Last State
• Moving Average
• Statistics
• Top Value Counts (bucketized)
To add a global variable to a data monitor:
1 Go to Dashboards > Data Monitors. Either create a new data monitor (right-click > New Data Monitor) or edit an existing data monitor (right-click > Edit Data Monitor).
2 In the Data Monitor editor where you can select fields, click the value field to launch the field selector. The available fields vary depending on the type of data monitor you selected.
3 In the field selector, click the Fields & Global Variables tab and select an available global variable. Click OK.
For details about how to use the data monitor editor, see “Using Custom View Dashboards”
on page 116.
Adding a Global Variable to a Field Set
You can also add a global variable to a field set. Once you add a global variable to a field
set, whenever you apply that field set in a resource, you can select the global variable
directly without having to add it first.
There are five different types of field sets:
• Actor field set. An actor field set contains only actor-related fields. Only a global variable created using actor fields can be added to an actor field set.
• Asset field set. An asset field set contains only asset-related fields. Only a global variable created using asset fields can be added to an asset field set.
• Case field set. A case field set contains only case-related fields. Only a global variable created using case fields can be added to a case field set.
• Event field set. An event field set is a named subset of available data fields from the security event schema.
• Domain field set. You cannot create a global variable using domain fields, and you cannot add a global variable to a domain field set.
To add a global variable to a field set:
1 Go to Field Sets > Field Sets. Either create a new field set (right-click > New Field Set) or edit an existing field set (right-click > Edit Field Set).
2 In the Field Set editor Fields tab where you can select fields, click the Fields & Global Variables tab and select an available global variable. Click OK.
For details about creating a field set, see “Creating a Field Set” on page 154.
Adding Global Variables to an Active Channel
When you initially create an active channel, you can only apply fields that are defined as a field set, either an existing one or an ad hoc one you define when setting up the active channel.
Global variables can only be added to an active channel from an existing field set that
contains them. If an existing field set contains one or more global variables, those global
variable fields become part of your active channel.
However, if you are defining the fields ad hoc from the New Active Channel dialog, the
Define Grid Fields selector does not present global variable fields.
Viewing global variables in the Event Inspector
When you view events in an active channel and open an event that contains a
global variable field in the Event Inspector, you may need to refresh the Event
Inspector view to see the global variable fields, because the Manager
processes global variable data differently from regular event data.
• If the Hide Empty Rows icon is on (so empty rows are not displayed), you may not see the global variable fields in the Event Inspector.
• To refresh the view, de-select, then re-select the Hide Empty Rows icon.
Chaining a Global Variable
You can “chain” variables, that is, use one variable as a function parameter for another. The
parent (outer) variable doing the chaining can be either a local or global variable.
A variable (local or global) may be chained inside another variable only if the child (inner)
variable’s return type is compatible with the outer variable's parameter type. For example,
an ADD function variable can be chained inside a variable that takes a numeric parameter.
Create the inner variable first, and verify that its data type is
compatible with the outer variable
Before making one variable a function parameter of another variable, create
the inner variable first, and make sure that its data type is compatible with
the function you want the outer variable to perform.
These steps assume you are chaining two global variables. You can also chain a global
variable in the parameters of a local variable defined in the Local Variable tab of the Global
Variable editor.
1 In the Global Variable Editor: Parameters tab, select a function whose parameter data type matches the return type of the global variable you want to chain. For example, if you want to perform an arithmetic function, the child (inner) variable should return a NUMBER.
2 In the Arguments section, select the inner global variable from the Global tab.
3 Verify that the arguments you entered in the Function and Arguments fields return the values you want by entering sample parameters in the Preview fields.
In the case of global variables that perform lookups from Active or Session Lists, the nested sub-fields (representing the list columns) are also available for selection, provided the sub-fields are of the required data type.
Global Variables in Standard Content
There is a library of global variables already defined that support actors and that cover
basic event throughput scenarios.
Actors Global Variables
Standard content provides global variables for the actors feature in All
Fields/ArcSight System/Actor Variables. These variables support the actors
infrastructure, and are described in more detail in “Actor Resource Framework Global
Variables” on page 224.
Variables Library
There is a library of variables that deal with basic event throughput in All
Fields/ArcSight Foundation/Variables Library.
Device, Protocol, and Total Bytes Global Variables
The Device, Protocol and TotalBytes variables operate on commonly used root event fields,
and are used in v5.0 and later standard content resources to reduce the number of
columns processed while still returning all the relevant event data.
Asset Information Global Variables
Asset Information global variables present information related to a given asset (for
example, zone, address, host/asset name, and so on).
Host Information Global Variables
Host Information global variables provide asset details for devices that are either not
modeled in the network model as individual assets, or are represented in an asset range,
and whose traffic is processed by devices that report to the Manager through Connectors.
Timestamp Formats Global Variables
Timestamp Formats global variables provide a consistent way of displaying various timestamp data, since different installations may use different formats (even from Console to Console in the same installation).
User Information Global Variables
User Information global variables are similar to the Asset and Host Information global
variables, but are focused on the user, rather than a system. Since user information can be
mapped to user name, user ID or both, it is useful to have the information combined for
display and processing, so that you don't have reports with a lot of blank fields.
Remote Variables
Variables using Group, List, and Category Model functions are evaluated on the Manager, not directly on the Console, and are referred to as “remote” variables.
A remote variable is evaluated only once for any given event or resource displayed on the Console. Therefore, the value shown on the Console does not change even if the underlying data (for example, the contents of a list) is later modified in a way that would give the variable a different value. New events (in event channels) and resources (in resource channels) evaluate the variable again, and you see the updated value.
Because not all variables can be calculated on the Console, there may be a delay in returning values from variables calculated “remotely” on the Manager.
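The following Python model makes the rules in this chapter concrete: the chaining rule (an inner variable's return type must fit the outer function's parameter type), the dependency warning and force-delete behavior when a global variable is deleted, promotion of a local variable with Make Global, and the once-per-event evaluation of remote variables. It is an added illustration, not ArcSight code; the events, the watchlist that stands in for an active list, the resource URIs, and the function names are all constructed for the example.

```python
"""Model of the variable semantics in this chapter (local/global scope, chaining
type checks, dependency-aware delete, once-per-event remote evaluation). Added
illustration, not ArcSight code; events, URIs and names are constructed."""
from dataclasses import dataclass

@dataclass
class Variable:
    name: str
    func: object            # callable implementing the function (ADD, lookup, ...)
    return_type: type
    param_types: tuple      # declared parameter types of func
    args: tuple             # event field names (str) or chained Variables
    remote: bool = False    # list/group/category lookups are evaluated on the Manager
    uri: str = ""           # set once the variable is global

class TypeMismatch(Exception): pass   # inner return type does not fit outer parameter
class InUse(Exception): pass          # delete refused: other resources reference it

class Registry:
    def __init__(self):
        self.globals, self.locals = {}, {}      # name -> var; host URI -> {name: var}
        self.invalid, self._cache = set(), {}   # orphaned resources; remote results

    def _validate(self, var):
        # Chaining rule: the inner variable's return type must fit the parameter type.
        for ptype, arg in zip(var.param_types, var.args):
            if isinstance(arg, Variable) and not issubclass(arg.return_type, ptype):
                raise TypeMismatch(f"{arg.name} -> {var.name}: need {ptype.__name__}")

    def add_local(self, host, var):
        self._validate(var)
        self.locals.setdefault(host, {})[var.name] = var
        return var

    def add_global(self, group, var):
        self._validate(var)
        var.uri = f"{group}/{var.name}"
        self.globals[var.name] = var
        return var

    def promote(self, host, name, group):  # "Make Global" on a local variable
        return self.add_global(group, self.locals[host].pop(name))

    def dependents(self, name):
        # URIs of resources whose variables chain the named global as a parameter.
        holders = [(h, vs.values()) for h, vs in self.locals.items()]
        holders += [(g.uri, [g]) for g in self.globals.values()]
        return sorted({uri for uri, vs in holders for v in vs
                       for a in v.args if isinstance(a, Variable) and a.name == name})

    def delete_global(self, name, force=False):
        deps = self.dependents(name)
        if deps and not force:
            raise InUse(f"{name} is referenced by: {', '.join(deps)}")
        del self.globals[name]
        self.invalid.update(deps)   # force-delete leaves dependents marked invalid
        return deps

    def evaluate(self, var, event):
        key = (var.uri or var.name, event["eventId"])
        if var.remote and key in self._cache:
            return self._cache[key]   # same event: a remote variable is not re-evaluated
        vals = [self.evaluate(a, event) if isinstance(a, Variable) else event[a]
                for a in var.args]
        result = var.func(*vals)
        if var.remote:
            self._cache[key] = result
        return result

def demo():
    """Promote, chain, cache a remote lookup, then delete a global that is in use."""
    events = [  # constructed sample events
        {"eventId": 1, "bytesIn": 1200, "bytesOut": 300, "sourceAddress": "10.0.0.5"},
        {"eventId": 2, "bytesIn": 50, "bytesOut": 4000, "sourceAddress": "10.0.0.9"}]
    watchlist = {"10.0.0.5"}  # stands in for an active list kept on the Manager
    reg, rule = Registry(), "/All Rules/Large Transfer"
    total = reg.add_local(rule, Variable("TotalBytes", lambda a, b: a + b, int,
                                         (int, int), ("bytesIn", "bytesOut")))
    reg.promote(rule, "TotalBytes", "/All Fields/Variables")
    total_kb = reg.add_local(rule, Variable("TotalKB", lambda n: n // 1024, int,
                                            (int,), (total,)))
    kb = [reg.evaluate(total_kb, e) for e in events]
    src = Variable("SrcUpper", str.upper, str, (str,), ("sourceAddress",))
    try:  # a STRING-returning variable cannot feed a numeric parameter
        reg.add_local(rule, Variable("Bad", lambda n: n * 2, int, (int,), (src,)))
        bad_chain = False
    except TypeMismatch:
        bad_chain = True
    listed = reg.add_global("/All Fields/Variables", Variable("InWatchlist",
        lambda ip: ip in watchlist, bool, (str,), ("sourceAddress",), remote=True))
    first = reg.evaluate(listed, events[0])
    watchlist.discard("10.0.0.5")             # list changes after first evaluation
    cached = reg.evaluate(listed, events[0])  # same event: old value is kept
    fresh = reg.evaluate(listed, events[1])   # new event: evaluated afresh
    blocked = reg.dependents("TotalBytes")    # the delete warning lists these URIs
    forced = reg.delete_global("TotalBytes", force=True)
    return {"kb": kb, "bad_chain": bad_chain, "first": first, "cached": cached,
            "fresh": fresh, "blocked": blocked, "forced": forced, "invalid": sorted(reg.invalid)}
```

Running demo() shows TotalKB computed through the promoted TotalBytes, the rejected STRING-to-NUMBER chain, the watchlist lookup still reporting True for event 1 after the list changed (while event 2 is evaluated afresh), and the rule URI that a force-delete of TotalBytes leaves marked invalid.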
Chapter 15
Use Cases
Use cases are a way to view, configure, and transport specially developed sets of related
resources that address specific security issues and business requirements.
“About Use Cases” on page 449
“Navigating to Use Cases” on page 451
“Master Use Cases” on page 451
“Standard Use Cases” on page 452
“Installing Use Cases” on page 453
“Viewing and Using Use Cases” on page 454
“Configuring Use Cases” on page 455
“Configuration Panels” on page 462
About Use Cases
Use cases are special ArcSight content groupings that provide an integrated, Console-based alternative for viewing and interacting with resources to the standard one-resource-at-a-time viewing method offered in the Resource tree of the Navigator panel. Use cases also make it easy to configure shared resources in a single operation, and to export related resources in an ArcSight Resource Bundle for use in other ArcSight instances. Use cases are currently available only for ArcSight-provided content.
The example below shows all the resources that make up a comprehensive use case for
monitoring inactive users. The resources are organized into the function they serve:
monitoring resources, a library of correlation resources that drive the use case, and a
toolbox of supporting tools, including event sources.
From this centralized home page, you can monitor the dashboards and channels, edit the
filters, field sets, and data monitors, view the associated event sources and notification
destinations, and perform other relevant workflow tasks related to the use case.
ArcSight provides use cases delivered in ArcSight Resource Bundles (.arb) ready to be
installed from the ARCSIGHT_HOME/current/jumpstart directory. The Jumpstart
directory delivers ArcSight start-up content designed to streamline the process of getting
your environment customized and online analyzing events quickly. Learn more about use
cases and those provided in the jumpstart directory in “Standard Use Cases” on page 452.
For resources that require configuration with values specific to your operating environment,
the Use Cases feature provides a Use Case configuration wizard to configure them in a
simple, centralized operation as described in “Configuring Use Cases” on page 455.
Users with Admin privileges should use Configuration wizard
Because many different types of resources are included in a given use case
from many different locations in the individual resource trees, ArcSight
recommends that only users with Admin privileges run the use case
configuration wizard. This ensures that the user performing the configuration
has adequate permissions to access the configurable resources.
Navigating to Use Cases
Like packages, use cases span resources, so they are presented in their own tab in the
Navigator panel parallel with resources and packages. The example below shows the
standard use case resources installed automatically in the ArcSight Foundation tree, and
the Perimeter Monitoring use case available for installation as a Jumpstart package.
When a use case resource is installed, the resources that make up a use case are
distributed in different locations throughout the individual resource trees in the Resources
tab. When a use case home page is opened in the Viewer panel, the use case home page
provides a right-click option that enables you to locate a given resource in the individual
resource navigator.
Master Use Cases
For scenarios that call for multiple related use cases, any common resources shared by a
group of related use cases can be managed by a master use case. A master use case is
simply another use case that contains resources shared by other related use cases. Master
use cases help centralize any configuration required to tailor the use case to your operating
environment.
How Master Use Cases Work
A use case may contain several related use cases. Common resources that serve all the use
cases are contained in a master use case. Running the use case configuration wizard on
any use case configures that single use case as well as the master use case resources, if
they are not already configured. The diagram below illustrates the use cases that make up
the ArcSight Jumpstart for Perimeter Monitoring family of use cases.
When a master use case is present, the Use Case configuration wizard for the master use
case is automatically launched when the ARB containing the group of related use cases is
installed. The individual use cases that are part of that group all reference the
configurations set in the master use case.
Standard Use Cases
The use cases provided with the product are designed to get ESM customized to your environment and analyzing events quickly.
ArcSight provides use cases delivered in ArcSight Resource Bundles (.arb) ready to be
installed from the ARCSIGHT_HOME/current/jumpstart directory. The Jumpstart
directory delivers ArcSight start-up content designed to streamline the process of getting
your environment customized and online analyzing events for perimeter monitoring and
user monitoring, and addressing regulatory requirements for PCI and SOX. See “Installing
Use Cases” on page 453 for details on installing Jumpstart use cases.
Use Case Bundle: ArcSight-JumpStart-forPCI.1.0.5787.arb
Description: Resources that can help determine when user accounts become inactive on PCI-regulated systems, part of a larger program for complying with Payment Card Industry regulations.
Use Case Bundle: ArcSight-JumpStart-forPerimeterMonitoring.1.0.5788.arb
Description: Resources that address activity coming into and going out of the network, such as VPN logins, outbound protocols, top firewall activity, blocked addresses, and P2P tracking.
Use Case Bundle: ArcSight-JumpStart-forSOX.1.0.5789.arb
Description: Resources that address example accounting oversight use cases, part of a larger program for complying with the Sarbanes-Oxley Act.
Use Case Bundle: ArcSight-JumpStart-forUserMonitoring.1.0.5790.arb
Description: Resources that address general use cases relating to user activity on the network.
Once installed, the Jumpstart use cases appear in the Jumpstart group in the Navigator panel.
Once installed, the jumpstart use cases appear in the Jumpstart group in the Navigator
panel.
Installing Use Cases
This topic describes how to install a use case from an ARB file in the
ARCSIGHT_HOME/current/jumpstart directory.
1 Log into the ArcSight ESM Console as the ArcSight ESM Administrator.
Only Admin users should use the Configuration wizard
Because many different types of resources are included in a given use case from many different locations in the individual resource trees, ArcSight recommends that only users with Admin privileges run the use case configuration wizard. This ensures that the user performing the configuration has adequate permissions to access the configurable resources.
2 In the Packages tab in the Navigator panel, click Import.
3 Browse to the ARCSIGHT_HOME/current/jumpstart directory, select a use case ARB file to import, and click Open.
When the import is complete, the Results tab of the Importing Packages dialog is displayed, as well as the Packages for Installation dialog.
4 In the Packages for Installation dialog box, verify that the package Install checkbox is selected and click Next.
The progress of the install is displayed in the Progress tab of the Installing Packages dialog. When the install is complete, the Results tab of the Installing Packages dialog displays the Summary Report.
5 In the Installing Packages dialog, click OK.
6 In the Importing Packages dialog, click OK.
If a master use case is associated with a use case group in the ARB file, the Use Case wizard launches and starts configuring the master use case associated with the use case group. The master use case is provided so you can configure the common resources used by the use cases in the group in a single pass through the configuration wizard. For more information, see “Master Use Cases” on page 451. For instructions on using the Use Case wizard, see “Configuring Use Cases” on page 455.
For more information, see “Importing Packages” on page 636 and “Installing Packages” on
page 639.
Viewing and Using Use Cases
To open a use case in the Viewer panel, double-click the use case in the Use Cases tab of
the Navigator panel, or right-click the use case and select Open Use Case. The Use Case
opens in the Viewer panel.
The use case viewer is organized into the following sections:
Configure button: Launches the Use Case configuration wizard.
Information: Contains a description of the use case.
Monitor: Contains monitoring-related resources: active channels, dashboards, reports, focused reports, and query viewers.
Library: Contains a section for every type of correlation resource that drives the use case: active lists, session lists, field sets, filters, queries, rules, trends, actors, fields, and data monitors.
Toolbox: Contains event sources and supporting resources, such as notification destinations, groups, and other use cases.
Supporting Tools: Contains any other resource types included by the content author.
View the use case and its associated resources in a resource graph
You can view a resource graph of the use case and its associated resources by
selecting the Graph View tab at the bottom of the Viewer panel.
Accessing Resources from the Viewer Panel
When a use case is open in the List View tab of the Viewer panel, you can view, edit,
navigate, or graph a use case resource by right-clicking the resource and selecting from
one of the following options:
• View—Open the resource in the Viewer panel to view the contents of the resource. This option is not available for all resources.
• Edit—Open the resource for editing in the Inspect/Edit panel. For more information, see “Inspecting and Editing” on page 52.
• Find in Navigator—Open the resource in the Navigator panel. For more information, see “Navigating” on page 44.
• Graph View—View the associations between this resource and other resources in a graphical viewer. For more information, see “Visualizing Resources” on page 620.
• Rule—Enable or disable the rule. This option is available only for a rule resource.
• Trend—Schedule the trend. This option is available only for a trend resource.
Configuring Use Cases
ArcSight provides a Use Case configuration wizard to assist you in configuring all the
resources in the use case to reflect your operating environment in a single operation.
You can still configure resources individually
If you need to change the configuration for a single resource in the use case,
you can always use the individual resource editor.
Only Admin users should use the Configuration wizard
Because many different types of resources are included in a given use case
from many different locations in the individual resource trees, ArcSight
recommends that only users with Admin privileges run the Use Case
configuration wizard. This ensures that the user performing the configuration
has adequate permissions to access the configurable resources.
Navigating the Use Case Configuration Wizard
To configure a use case with the Use Case wizard, work through the following steps:
“Step 1 - Model Your Network” on page 456
“Step 2 - Install Use Case Package Bundles” on page 457
“Step 3 - Launch the Use Case Wizard” on page 457
“Step 4 - Introduction Panel” on page 457
“Step 5 - Prerequisites Panel” on page 458
“Step 6 - Confirm Event Sources Panel” on page 458
“Step 7 - Configuration Panels” on page 459
“Step 8 - Summary of Settings to Apply Panel” on page 460
“Step 9 - Configuration Complete Panel” on page 462
Step 1 - Model Your Network
Model your network first as a part of the initial configuration of ArcSight ESM. Use case
configuration requires having a network model in place. So, model your network before
running the Use Case wizard.
To assist in modeling your network, a Network Model wizard is provided on the ArcSight
ESM Console (menu option Tools > Network Model). For more information, see “About
the Network Model” on page 679.
Step 2 - Install Use Case Package Bundles
Do this step only if you plan to use one of the use cases supplied in the ArcSight jumpstart
directory.
Import and install the use case package bundle that contains the use case (if it is not
already installed). For more information, see “Installing Use Cases” on page 453.
Step 3 - Launch the Use Case Wizard
Launch the Use Case wizard using one of the following methods:
• Browse from the Navigator panel—In the Navigator panel, select the Use Cases tab, right-click a use case and select Configure Use Case.
• From the ArcSight ESM Console menus—Choose Tools > Use Case from the menus. Select a use case from the tree in the wizard and click Next.
• From the Viewer panel—In the Navigator panel, select the Use Cases tab, right-click a use case, and select Open Use Case. In the Viewer panel, click Configure Use Case.
The Introduction panel of the Use Case wizard displays.
Step 4 - Introduction Panel
The Introduction panel describes the purpose of the use case. If you are configuring a
master use case, the introduction specifies if there are essential common resources that
can only be configured using the master use case. For more information, see “Master Use
Cases” on page 451.
Click Next.
The Prerequisites panel is displayed as shown in Step 5 - Prerequisites Panel.
Step 5 - Prerequisites Panel
The Prerequisites panel describes required actions or information needed before continuing with the Use Case wizard:
• Any actions that should be completed before running the Use Case wizard. For example, your network should be modeled before using the Use Case wizard to configure the use case. A Network Model wizard is provided from the ArcSight ESM Console (menu option Tools > Network Model). For more information, see “About the Network Model” on page 679. Complete these actions before continuing with the Use Case wizard.
• The information that needs to be provided when running the Use Case wizard to configure the use case. For example, the number of days before a user is required to change their password, or the network devices on your network that are subject to the PCI regulation. Gather this information before continuing with the Use Case wizard.
Click Next.
The Confirm Event Sources panel is displayed as shown in Step 6 - Confirm Event Sources
Panel.
Step 6 - Confirm Event Sources Panel
The Confirm Event Sources panel lists the event sources that send events to the Manager
through a SmartConnector for the use case. SmartConnectors collect log data from event sources (such as firewalls and operating systems) and generate events that are sent to ArcSight ESM as shown in the following diagram:
The resources in the use case are driven by these events; without the event sources, the use case does not generate output. For more information, see Devices and Connectors in a Network in the ESM 101 Guide and Chapter 23, Managing SmartConnectors, on page 643.
For your environment, confirm the event sources that are configured with a SmartConnector and supplying events to ArcSight ESM for this use case. For most use cases, you are asked to confirm that at least one of the listed event sources is configured with a SmartConnector and sending events to ArcSight ESM.
Confirm the event sources and click Next.
After the Confirm Event Sources panel, a series of configuration panels are displayed.
Step 7 - Configuration Panels
The series of configuration panels displayed depends on the resources that make up the
use case and are different for each use case.
In these configuration panels, you are prompted to supply values that reflect your
environment. The values you provide are used to populate the settings in the resources
that make up the use case. After the series of configuration panels, the Summary of
Settings to Apply panel appears. The settings are not actually saved to the resources until
the Next button is clicked in the Summary of Settings to Apply panel. If you click Cancel in
any of the configuration panels or in the Summary of Settings to Apply panel, none of the
configuration settings specified in any of the configuration panels are saved.
The Use Case wizard displays the following types of configuration panels:
“Categorize Assets/Zones Panels” on page 463
“Populate Active List” on page 464
“Specify the Notification E-mail Address Panel” on page 466
“Set the Inactivity Time Period Panel” on page 468
“Set the Notification Rate Panel” on page 468
“Schedule Daily Report Panels” on page 469
“Schedule Weekly Report Panels” on page 471
“Schedule Monthly Report Panels” on page 473
“Schedule Yearly Report Panels” on page 475
For each configuration panel, follow the instructions in the appropriate configuration panel
and Help topic and click Next. Repeat until the Summary of Settings to Apply panel
appears as shown in “Step 8 - Summary of Settings to Apply Panel” on page 460.
Step 8 - Summary of Settings to Apply Panel
The Summary of Settings to Apply panel displays a summary of the settings you specified
in the previous configuration panels.
Choose one of the following options:
• To apply the settings specified in the previous configuration panels to the use case resources, click Next.
• To cancel without applying settings, click Cancel.
• To go back to the previous panel, click Previous.
After you click Next, the settings are applied to the resources in the use case. If the use
case contains data monitors, the data monitors are enabled.
A Commit Changes dialog briefly displays as the settings are applied to the use case
resources. After the settings have been applied, a Configuration Complete panel displays as
shown in the next step: Step 9 - Configuration Complete Panel.
Step 9 - Configuration Complete Panel
The Configuration Complete panel displays a message indicating that you have completed
configuration of the use case.
Leave the Open use case in Viewer panel checkbox selected and click Finish.
The Console displays the use case in the Viewer panel, and use case configuration is
complete. If the event sources for this use case are configured with a SmartConnector and
are sending events to ArcSight ESM, the following actions occur:
• The “library” resources in this use case, such as rules, data monitors, and queries,
  start processing events.
• If the conditions in the use case are met, data is provided to the output resources of
  the use case such as reports, active channels, dashboards, and cases.
In the future, you can reconfigure the use case resources, using either of the following
methods:
• Run the Use Case wizard again—For more information, see “Step 3 - Launch the Use
  Case Wizard” on page 457.
• Edit the resource directly in the Navigator panel—For more information, see
  “Navigating” on page 44.
Configuration Panels
After the Confirm Event Sources panel, the configuration wizard presents a series of
configuration panels. The set of configuration panels displayed depends on the content of
the use case and is different for each use case.
“Categorize Assets/Zones Panels” on page 463
“Populate Active List” on page 464
“Specify the Notification E-mail Address Panel” on page 466
“Set the Inactivity Time Period Panel” on page 468
“Set the Notification Rate Panel” on page 468
“Schedule Daily Report Panels” on page 469
“Schedule Weekly Report Panels” on page 471
“Schedule Monthly Report Panels” on page 473
“Schedule Yearly Report Panels” on page 475
“Enable Rules Panel” on page 476
“Enable Rule Actions Panel” on page 477
“Set Session List Entry Expiry Panel” on page 478
After going through the series of configuration panels, the Summary of Settings to Apply
panel is displayed. Return to “Step 8 - Summary of Settings to Apply Panel” on page 460.
Categorize Assets/Zones Panels
In the Categorize Assets or Zones panels, you are asked to classify assets or zones into an
ArcSight ESM category. A logical category (such as PCI or SOX) can be applied to assets,
asset ranges, asset groups, zones, or zone groups. These categories provide a
cross-referencing capability that makes it possible to track and filter network activity based
on business relevance. Using these categories, the events processed by the use case
resources can be restricted.
For example, classifying assets into the PCI group can limit the set of events processed by
the use case resources to only those events that originate from PCI assets. For example, a
rule in a PCI use case may be configured to only process events originating from assets
categorized as PCI as shown in the following diagram:
In the Categorized PCI Assets panel, you are prompted to supply the network devices
(assets) that should be regulated by the Payment Card Industry (PCI) standard and
therefore categorized as a PCI asset, as shown in the following example. The assets and
asset groups you select in this panel are classified as a PCI asset in ArcSight ESM.
For more information, see “Network Model” on page 680, “Categories” on page 781, and
“Asset Model” in the ESM 101 Guide. If any assets/zones have already been categorized, a
check mark displays next to the asset/zone name. If your assets/zones are already
categorized and no revisions need to be made, click Next to skip this step. For example, if
you already categorized your assets/zones in the master use case, you do not need to
categorize your assets/zones again. You can however, revise your asset/zone
categorization while configuring the individual use case.
Select the assets that should be categorized and click Next.
The new categorization is not applied until Next is clicked in the Summary of
Settings to Apply panel as described in “Step 8 - Summary of Settings to
Apply Panel” on page 460.
The categorization of assets, assets groups, zones, or zone groups is global in ArcSight
ESM and not specific to a use case. Any categorization changes made in this panel (while
configuring either an individual use case or the master use case) affect any resources that
reference this category in any use case. The last set of categorization changes, applied by
clicking Next in the Summary of Settings to Apply panel, overrides any previous settings.
Return to the list of configuration panels in “Step 7 - Configuration Panels” on page 459.
Populate Active List
If your use case includes one or more field-based (static) active lists for looking up
non-event-related data, the use case configuration wizard includes the Populate Active List
panels.
In the Populate Active List panels, you are prompted for sets of data that are used to
populate Fields-based active lists. Active lists store data over a period of time. Resources
such as rules and data monitors can reference the data stored in active lists. For example,
an active list could store the port numbers that are allowed access to the PCI Card Holder
Data Environment (CDE). For more information, see How Active Lists Work in the ESM 101
Guide.
You may be prompted for a single column of data or multi-column sets of data. For
example, you might be prompted to supply a set of trusted port numbers (one column of
data) or a set of default User Accounts and associated Vendor Names (two columns of
data). The data you provide in the panels is added to the data that may already exist in the
active list.
To define the input data:
1  If you plan to import the data using a CSV file, create the CSV file to import. The data
   types of the columns and the number of columns in the CSV file must match the
   columns in the active list. For example, in the Define Default User Accounts panel, you
   are prompted to provide a set of default User Accounts and associated Vendor Names.
   The Default User Account-Vendor List active list is a two-column active list that expects
   default User Accounts in the first column and associated Vendor Names in the second
   column.
2  Select a method for populating the active list. In the first Define Data Sets panel,
   select one of the following options:
   • Import CSV file—Provide the data by importing a Comma-Separated Value
     (CSV) file
   • Manual data entry—Provide the data by typing the values directly into a table
3  If the Import CSV file option is selected, click ... and browse for a CSV file to import.
   Select the file and click OK.
4  Click Next.
The second Define Data Sets panel displays as shown. If you imported data using a CSV
file, the data is displayed in the panel.
5  Enter values.
6  Add additional rows as needed:
   a  Click Add.
   b  Enter the data into the new row.
7  Click Next.
When Next is clicked in the Summary of Settings to Apply panel as described in “Step 8 - Summary of Settings to Apply Panel” on page 460, the new values are added to the
existing values already present in the active list. If you specify a value that already exists in
the active list, an additional entry is added and the Count for that entry is increased by
one.
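The column-count and type check in step 1 and the Count behaviour just described are easy to get wrong when preparing import files by hand. The following Python example, added here and not code from ArcSight or this guide, models both: it validates a CSV against a constructed two-column schema standing in for the Default User Account-Vendor List (User Account, Vendor Name), rejects rows with the wrong number or type of columns, and merges the rows into an existing list so that a value already present has its Count raised instead of becoming a second row. The schema representation, the sample CSV rows and the function names are the example's own assumptions.

```python
"""Added example: validate a CSV against an active list's column schema and merge
its rows into the list, incrementing Count for values that are already present.
Not ArcSight code; schema, list contents and CSV rows are constructed."""
import csv
import io

# Constructed schema standing in for the Default User Account-Vendor List:
# two string columns, user account first, vendor name second.
USER_VENDOR_SCHEMA = [("User Account", str), ("Vendor Name", str)]

# Constructed CSV input; "admin,Cisco" appears twice on purpose.
CSV_TEXT = """admin,Cisco
root,Juniper
admin,Cisco
sa,Microsoft
"""


def parse_csv_rows(text, schema):
    """Parse CSV text into tuples, rejecting rows whose column count or column
    types do not match the schema (the check the wizard performs on import)."""
    rows = []
    for lineno, raw in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not raw:  # blank line
            continue
        if len(raw) != len(schema):
            raise ValueError(
                f"line {lineno}: expected {len(schema)} columns, got {len(raw)}")
        row = []
        for (name, ctype), value in zip(schema, raw):
            try:
                row.append(ctype(value.strip()))
            except ValueError:
                raise ValueError(
                    f"line {lineno}: column {name!r} is not {ctype.__name__}: {value!r}")
        rows.append(tuple(row))
    return rows


def merge_into_active_list(existing, new_rows):
    """Return the list after the wizard applies the new rows: existing entries are
    kept, new values are added, and a value that already exists has its Count
    raised by one rather than becoming a second row."""
    merged = dict(existing)  # key tuple -> Count
    for row in new_rows:
        merged[row] = merged.get(row, 0) + 1
    return merged


if __name__ == "__main__":
    before = {("admin", "Cisco"): 1}  # constructed pre-existing entry
    after = merge_into_active_list(before, parse_csv_rows(CSV_TEXT, USER_VENDOR_SCHEMA))
    for (account, vendor), count in after.items():
        print(f"{account:<8} {vendor:<10} Count={count}")
```

Running the block shows admin/Cisco ending with Count=3 (one existing entry plus two imported rows), while root/Juniper and sa/Microsoft are added with Count=1; a file with three columns, or a non-numeric value in a port-number list, is rejected before anything is merged.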
Return to the list of configuration panels in “Step 7 - Configuration Panels” on page 459.
Specify the Notification E-mail Address Panel
In the Specify the Notification E-mail Address panel, you are prompted to supply an e-mail
address or an e-mail alias (distribution list). If an e-mail address is specified, a notification
(alert) is sent to the specified e-mail address when the conditions described in the panel
are satisfied. For example, the use case could contain a rule that tests when default system
accounts are used. Once the rule is triggered, an e-mail notification is sent to the specified
e-mail address or distribution list.
The e-mail address does not have to be an ArcSight ESM user.
In order for notifications to be sent to specified e-mail address, notifications must be
configured. For more information, see “Managing Notifications” on page 603 and
“Acknowledging Notifications” on page 59.
Return to the list of configuration panels in “Step 7 - Configuration Panels” on page 459.
Set the Inactivity Time Period Panel
In the Inactivity Time Period panel, you are prompted to supply an expiration time period
as shown. In this example, an account expires if no logins have occurred within the
specified time period.
The numeric value you specify sets the expiration time period in days. This expiration time
period is the Time To Live (TTL) in days for an active list. Entries in the active list expire
when the Time To Live (TTL) has been reached. This expiration causes an event to be
generated. This event can be used by other ArcSight ESM resources such as filters and
rules. For more information, see “Managing Active Lists” on page 509.
For example, in the PCI 8.5 - Identify Inactive User Accounts use case, you are prompted
to supply the Inactivity Time Period. If you answer 45 days, the Time To Live (TTL) for the
Users Who Accessed Cardholder Data active list is set to 45 days which means once an
account has been on the active list (indicating no activity) for more than 45 days, it expires.
This expiration generates an event which triggers the Inactive User Account Detected rule.
The value specified in this panel is saved as Time To Live (TTL) in days for the
active list. If other resources reference this active list, the change to the TTL
value can affect the behavior of other resources listed in different use cases.
Return to the list of configuration panels in “Step 7 - Configuration Panels” on page 459.
Set the Notification Rate Panel
In the Set the Notification Rate panel, you are prompted to specify how often a notification
e-mail should be sent—the notification rate. This rate is used to throttle the number of alert
notifications sent. The rate specified in this panel sets the Time To Live (TTL) in days for
the Rate Controlled Notifications active list.
If the notification rate is set to 0, only one e-mail is sent for every issue until the entry is
manually removed from the Rate Controlled Notifications active list.
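Both the Inactivity Time Period panel and the Set the Notification Rate panel work by setting a Time To Live on an active list, so one added Python model covers both. It is illustrative code written for this page, not ESM internals: it shows an entry expiring after its TTL and producing an expiration event that a constructed rule condition (standing in for Inactive User Account Detected) matches, and a throttle list in which a live entry suppresses repeat e-mails for the same issue, with a rate of 0 meaning the entry leaves the list only when removed manually. The list names follow the text; the issue keys, timestamps and event field names are assumptions.

```python
"""Added example: a minimal model of an active list with a Time To Live in days,
showing (1) entry expiry generating an event that a rule can match, as in the
Inactivity Time Period panel, and (2) the Rate Controlled Notifications throttle,
where 0 means an entry never expires on its own. Not ESM internals; the list names
follow the text, while issue keys, timestamps and event field names are assumed."""
from datetime import datetime, timedelta

T0 = datetime(2012, 9, 20, 9, 0)  # constructed reference time


class ActiveList:
    def __init__(self, name, ttl_days):
        self.name = name
        # TTL of 0 means entries stay until removed manually.
        self.ttl = timedelta(days=ttl_days) if ttl_days > 0 else None
        self.entries = {}  # key -> time the entry was added or last refreshed

    def add(self, key, now):
        """Add an entry, or refresh it so its TTL starts again."""
        self.entries[key] = now

    def contains(self, key):
        return key in self.entries

    def remove(self, key):
        """Manual removal, e.g. an analyst clearing the throttle entry."""
        self.entries.pop(key, None)

    def expire(self, now):
        """Drop entries whose TTL has elapsed; return one expiration event per entry."""
        if self.ttl is None:
            return []
        expired = [k for k, added in self.entries.items() if now - added > self.ttl]
        events = []
        for key in expired:
            del self.entries[key]
            events.append({"name": "ActiveList Entry Expired", "list": self.name,
                           "key": key, "time": now})
        return events


def inactive_user_account_detected(event):
    """Constructed rule condition: match expiration events from the CHD access list."""
    return (event["name"] == "ActiveList Entry Expired"
            and event["list"] == "Users Who Accessed Cardholder Data")


def simulate_inactivity(inactivity_days):
    """PCI 8.5 scenario: a user touches cardholder data once, then goes quiet.
    Returns (rule hits one day before the TTL, rule hits one day after it)."""
    chd = ActiveList("Users Who Accessed Cardholder Data", inactivity_days)
    chd.add("jdoe", T0)
    early = chd.expire(T0 + timedelta(days=inactivity_days - 1))
    late = chd.expire(T0 + timedelta(days=inactivity_days + 1))
    return (sum(map(inactive_user_account_detected, early)),
            sum(map(inactive_user_account_detected, late)))


class RateControlledNotifier:
    """Send at most one e-mail per issue while its throttle entry is alive."""

    def __init__(self, rate_days):
        self.throttle = ActiveList("Rate Controlled Notifications", rate_days)

    def notify(self, issue, now):
        self.throttle.expire(now)
        if self.throttle.contains(issue):
            return False  # suppressed: already notified within the rate window
        self.throttle.add(issue, now)
        return True  # e-mail would be sent here


def simulate_notification_rate(rate_days, hour_offsets, remove_before=None):
    """Raise the same issue at each hour offset from T0; return which attempts
    produced an e-mail. remove_before=i clears the entry just before attempt i."""
    issue = "default-account-used:admin"  # constructed issue key
    notifier = RateControlledNotifier(rate_days)
    sent = []
    for i, hours in enumerate(hour_offsets):
        if remove_before == i:
            notifier.throttle.remove(issue)
        sent.append(notifier.notify(issue, T0 + timedelta(hours=hours)))
    return sent


if __name__ == "__main__":
    print("inactive account rule hits (day 44, day 46):", simulate_inactivity(45))
    print("rate 1 day, attempts at 0h/12h/48h:", simulate_notification_rate(1, [0, 12, 48]))
    print("rate 0, attempts at 0h and 400 days:", simulate_notification_rate(0, [0, 24 * 400]))
```

The point the model makes explicit is the one the note above warns about: the TTL is a property of the list, so a 45-day inactivity period entered for one use case changes when every rule that watches that list fires, and a notification rate of 0 silences an issue indefinitely until someone removes the entry by hand.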
Return to the list of configuration panels in “Step 7 - Configuration Panels” on page 459.
Schedule Daily Report Panels
In the Schedule Daily Report panel, you are prompted to schedule a daily report, as shown
below.
If you answer Yes, another panel displays as shown below.
In the Run and send at field, select a time during the day when the report should run.
When a report runs, the output of the report is stored on the ArcSight ESM Manager. You
can elect to send the report to the e-mail address associated with the ArcSight ESM user.
For best performance, schedule reports to run at different times during the
day.
In the Send report to field, browse for an ArcSight ESM user.
In order for the report to be sent, an e-mail address must be specified for the
selected ArcSight ESM user. For more information about creating an ArcSight
ESM user or specifying an e-mail account for an ArcSight ESM user, see
“Managing Users” on page 585. If no e-mail address is specified, the report
is archived on the ArcSight ESM Manager.
When the Next button is clicked in the Summary of Settings to Apply panel, the Use Case
wizard creates a job for the report called Use Case Scheduled Job that is scheduled to
run daily. If you edit or remove the Use Case Scheduled Job, this can cause
inconsistencies between the report and the wizard.
For more information, see Chapter 12‚ Running and Managing Reports‚ on page 377.
Return to the list of configuration panels in “Step 7 - Configuration Panels” on page 459.
Schedule Weekly Report Panels
In the Schedule Weekly Report panel, you are prompted to schedule a weekly report,
as shown below.
If you answer Yes, another panel displays as shown below.
In the Run and send on field, select the day of the week when the report should run.
In the At field, select a time during the day when the report should run.
For best performance, schedule reports to run at different times during the
day.
When a report runs, the output of the report is stored on the ArcSight ESM Manager. You
can elect to send the report to the e-mail address associated with the ArcSight ESM user.
In the Send report to field, browse for an ArcSight ESM user.
In order for the report to be sent, an e-mail address must be specified for the
selected ArcSight ESM user. For more information about creating an ArcSight
ESM user or specifying an e-mail account for an ArcSight ESM user, see
“Managing Users” on page 585. If no e-mail address is specified, the report is
archived on the ArcSight ESM Manager.
When the Next button is clicked in the Summary of Settings to Apply panel, the Use Case
wizard creates a job for the report called Use Case Scheduled Job that is scheduled to
run weekly. If you edit or remove the Use Case Scheduled Job, this can cause
inconsistencies between the report and the wizard.
Weekly reports do not display results immediately. It can take up to twenty-four
hours for the report to display results, and results are only displayed if the
conditions in the query invoked by the report are satisfied.
For more information, see Chapter 12‚ Running and Managing Reports‚ on page 377.
Return to the list of configuration panels in “Step 7 - Configuration Panels” on page 459.
Schedule Monthly Report Panels
In the Schedule Monthly Report panel, you are prompted to schedule a monthly report,
as shown below.
If you answer Yes, another panel displays as shown below.
In the Run and send on __ day of each month field, specify the day of the month
when the report should run. When a report runs, the output of the report is stored on the
ArcSight ESM Manager. You can elect to send the report to the e-mail address associated
with the ArcSight ESM user.
In the At field, specify a time during the day when the report should run.
For best performance, schedule reports to run at different times during the
day.
In the Send report to field, browse for an ArcSight ESM user.
In order for the report to be sent, an e-mail address must be specified for the
selected ArcSight ESM user. For more information about creating an ArcSight
ESM user or specifying an e-mail account for an ArcSight ESM user, see
“Managing Users” on page 585. If no e-mail address is specified, the report
is archived on the ArcSight ESM Manager.
When the Next button is clicked in the Summary of Settings to Apply panel, the Use Case
wizard creates a job for the report called Use Case Scheduled Job that is scheduled to
run monthly. If you edit or remove the Use Case Scheduled Job, this can cause
inconsistencies between the report and the wizard.
Monthly reports do not display results immediately. It can take up to twenty-four
hours for the report to display results, and results are only displayed if the
conditions in the query invoked by the report are satisfied.
For more information, see Chapter 12‚ Running and Managing Reports‚ on page 377.
Return to the list of configuration panels in “Step 7 - Configuration Panels” on page 459.
Schedule Yearly Report Panels
In the Schedule Yearly Report panel, you are prompted to schedule a yearly report, as
shown below.
If you select Yes, another panel displays as shown below.
In the Run and send on field, select the month in which the report should run. When a
report runs, the output of the report is stored on the ArcSight ESM Manager. You can
elect to send the report to the e-mail address associated with the ArcSight ESM user.
In the On the _ day field, specify the day of the month when the report should run.
In the At field, specify a time during the day when the report should run.
For best performance, schedule reports to run at different times during the
day.
In the Send report to field, browse for an ArcSight ESM user.
In order for the report to be sent, an e-mail address must be specified for the
selected ArcSight ESM user. For more information about creating an ArcSight
ESM user or specifying an e-mail account for an ArcSight ESM user, see
“Managing Users” on page 585. If no e-mail address is specified, the report is
archived on the ArcSight ESM Manager.
When the Next button is clicked in the Summary of Settings to Apply panel, the Use Case
wizard creates a job for the report called Use Case Scheduled Job that is scheduled to
run yearly. If you edit or remove the Use Case Scheduled Job, this can cause
inconsistencies between the report and the wizard.
Yearly reports do not display results immediately. It can take up to twenty-four
hours for the report to display results, and results are only displayed if the
conditions in the query invoked by the report are satisfied.
For more information, see Chapter 12‚ Running and Managing Reports‚ on page 377.
Return to the list of configuration panels in “Step 7 - Configuration Panels” on page 459.
Enable Rules Panel
The Enable Rules panel provides the opportunity to enable (or disable) the rules associated
with this use case in a single operation.
The Enable Rules panel of the use case configuration wizard presents a list of all the rules
included in the use case. Some rules may be enabled by default, as shown in the example.
In this panel, you can:
• Enable them all: Selecting this option enables all the rules in the use case.
• Disable them all: Disables all the rules in the use case, including those that are
  enabled by default.

• Leave them as they are: Keeps the rules as they are shown.
Changes appear after the configuration wizard is completed
Changes you make in this panel won’t be visible in the list of rules until after
the configuration wizard is completed.
You can also enable and disable rules individually outside of the use case configuration
wizard. You can access the rule editor by right-clicking the rule list from the use case home
page (right-click > Edit Rule) or from the Resources tree in the Navigator panel
(Resources > Rules > right-click > Edit Rule). For instructions, see “Enabling and
Disabling Rules” on page 419.
For more about rules, see Chapter 13‚ Rules Authoring‚ on page 393.
Return to the list of configuration panels in “Step 7 - Configuration Panels” on page 459.
Enable Rule Actions Panel
The Enable Rule Actions panel provides the opportunity to enable (or disable) certain rule
actions that require configuration for your environment for rules associated with this use
case. This panel appears after the Enable Rules Panel panel.
Changes appear after the configuration wizard is completed
The changes you make in this panel and the Rule Action panel won’t be
visible in the list of rules until after the configuration wizard is completed.
The Enable Rule Actions panel of the use case configuration wizard presents a list of the
rules in the use case that have actions that require local configuration, such as
Notifications, as shown in this example. In this panel, you can:

• Enable them all: Selecting this option enables the action for all the rules that have
  configurable actions associated with them.
• Disable them all: Disables the Notification action for all the rules that have
  configurable actions associated with them.
• Leave them as they are: Keeps the rule actions as they are shown.
You can also enable and disable rule actions individually outside of the use case
configuration wizard. You can access the rule editor by right-clicking the rule list from the
use case dashboard (right-click > Edit Rule) or from the Resources tree in the Navigator
panel (Resources > Rules > right-click > Edit Rule). For instructions, see “Enabling or
Disabling a Rule Action” on page 410.
For more about rules, see Chapter 13‚ Rules Authoring‚ on page 393.
Return to the list of configuration panels in “Step 7 - Configuration Panels” on page 459.
Set Session List Entry Expiry Panel
The Set Session List Entry Expiry panel provides the opportunity to set the expiration time
on session lists that do not already have a specific end time defined. The default
expiration is 5 days. You can further refine this by adjusting the days, hours, minutes, and
seconds.
The example shown in this topic comes from the Identity Management use case included
with the ArcSight™ Express use cases (Use Cases > All Use Cases/ArcSight
Foundation/ArcSight Express).
In this panel, you can use the up/down arrows to set the end-time parameters (days,
hours, minutes, and seconds) for all the session lists in the use case.
Expiration time is calculated from the time the entry was made. For example, if an entry is
made on Tuesday at 3 p.m. and the default is not changed, the entry would expire on
Sunday at 3 p.m.
You can also set the session list entry expiration time individually outside the use case
configuration wizard. You can access the session list editor by right-clicking the session list
from the use case dashboard (right-click > Edit Session List) or from the Resources tree
in the Navigator panel (Resources > Lists > Session Lists > right-click > Edit Session
List). For details, see “Terminating a Session List Entry” on page 489.
For more about session lists, see Chapter 16‚ Identity Correlation‚ on page 481.
Return to the list of configuration panels in “Step 7 - Configuration Panels” on page 459.
Chapter 16
Identity Correlation
Identity correlation provides the ability to model users and associate them with events.
Identity correlation can be accomplished using session lists for some scenarios (session
correlation) and active lists for others (user or device correlation).
You can capture and record session-related data in a user-defined session list where it can
be used for a number of purposes in identifying and tracking users in relation to MAC
addresses, IP addresses, machines, network logons, and so forth.
Also, you can use a pre-populated active list to find a value and then use the value (as a
variable) in a rule. You can use this strategy to identify entities or objects in a variety of
scenarios such as correlating various user IDs (logins, e-mail addresses, badge IDs) to
unique IDs; mapping unique user IDs to user roles; and even finding the status of a
machine by its host name.
The following topics describe scenarios for using both resources, and include step-by-step
examples of using sessions lists and active lists with rules and variables for identity
correlation.
“Understanding Session Correlation” on page 481
“Managing Session Lists” on page 485
“Using Session Lists to Correlate Session Data on User Logins (Example)” on page 489
“Using Active Lists to Correlate Users (Example)” on page 499
Understanding Session Correlation
You can leverage ArcSight™-provided resources (pre-defined Session Lists and Rules) or
develop customized session lists to use for identity correlation, as described here.
How Session Correlation Works
Session correlation captures and records session-related data in a user-defined list, where
it can be used by ArcSight's Correlation Engine to:

• Resolve event endpoints against DHCP sessions to identify which device was located at
  the reported IP address at the time of the event
• Utilize existing maps that link MAC addresses and/or host names to users, if available
• Attribute actions originating from a specific device to its owner
• Extract and resolve user information from VPN logins, including the VPN user name
  and session characteristics

• Track who accesses a given network node at a given time to trace events that
  originate from this device to users that were logged in at the time
Session correlation is a three-step process that involves three or more ArcSight resources.
The user defines a session list, then creates a rule to populate it. The results written to the
session list can be used anywhere variables are used, such as to trigger other rules, or to
populate active channels, dashboards, and reports.
The high-level steps are:
1  Create a session list (as described in “Creating a Session List” on page 485).
2  Create a rule to populate the session list (as described in “Creating a Session List Rule”
   on page 482).
3  Use the session list output wherever needed (as described in “Using the Session List
   Output” on page 484).
See also “Using Session Lists to Correlate Session Data on User Logins (Example)” on
page 489 for a walkthrough of creating and populating a session list with Windows session
information.
Creating a Session List Rule
To create a rule that writes new sessions into your session list or that re-sends session start
times to your session list:
1  In the Navigator panel's drop-down menu, choose Rules.
2  In the Rules resource tree, right-click a group and select New Rule. The Rules Editor
   displays in the Inspect/Edit panel.
3  At the General tab, enter the following values:
   In this field...              ...enter this
   Name                          Enter a name in the Rule Name text field. The Rule Name should
                                 be as descriptive as possible. It is stored in the Event Name
                                 data field and, if the rule has a Send to Console action, the Rule
                                 Name appears in the Event Name column of the grid view. The
                                 Rule Name text field is required and restricted to 25 characters.
   Common: External ID, Alias    If this rule is referenced by an external system, such as Remedy
                                 or a vulnerability scanner, enter the pertinent external ID
                                 information here. If not, leave these fields blank.
   Description                   Enter a description in the Description text field. The description
                                 should be meaningful and detailed. For example: This rule
                                 creates an entry to the DHCP session list when a new DHCP
                                 session starts.
   Assign: Owner,                If you wish to specify an owner for this resource and to
   Notification Groups           automatically notify other users when this rule is changed,
                                 select existing users and notification groups from the
                                 drop-down menu. This step is optional.
4  At the Conditions tab, enter the conditions that indicate a session start and click
   Apply.
5  At the Aggregation tab, specify the event fields from the session list that you want to
   have displayed in the event grid when the rule is triggered by the session conditions
   specified in the Conditions tab. You should aggregate all items you specified in your
   session list so that those values get populated when the event occurs.
6  At the Actions tab, set the trigger and the action you wish the rule to take when the
   conditions are met.
   a  Select the trigger you want to apply to this rule. On First Event is the default
      trigger. This determines which occurrence of the session start conditions triggers
      the action to write the event to the session list as the session start.
      Trigger                     Description
      On First Event              Triggers the action the first time rule conditions are met.
      On Subsequent Events        Triggers the action the second and subsequent times rule
                                  conditions are met (not the first).
      On Every Event              Triggers the action every time rule conditions are met. This
                                  overrides threshold settings.
      On Time Unit                Triggers the action based on the time increment specified in
                                  the Every… text field in the Add Action dialog box.
      On Time Window Expiration   Triggers the action when the threshold settings have
                                  expired.
      On First Threshold          Triggers the action the first time rule conditions and
                                  threshold settings are met.
      On Subsequent Thresholds    Triggers the action the second and subsequent times rule
                                  conditions and threshold settings are met, not the first.
      On Every Threshold          Triggers the action every time rule conditions and threshold
                                  settings are met.
You can use references to Velocity Templates as parameters for rule
actions to derive values from event fields and variables. (See
“Velocity Templates” on page 962.)
   b  After you have selected a trigger, click Add to add an action. Select Session List
      | Add to Session List.
   c  In the Add Action dialog box at the Session List drop-down menu, navigate to the
      session list you created earlier. The parameters you set for the session list are
      displayed in the Session Field Mapping area.
   d  In the Session Field Mapping area at the Start Time field, select which event time
      stamp you wish to use to record as the official start time.
      Start Time              Description
      End Time                The time the event ended.
      Manager Receipt Time    The time the event arrived at the Manager.
   e  For the remaining fields you specified in your session list that have multiple
      choices, select which value you wish to use for your session list and click OK. For
      a description of the data fields, see “Data Fields” on page 803.
7  When all parameters are entered, click OK. The relevant events matching this rule
   now populate the session list.
Using the Session List Output
Once the session list has been populated by events that trigger the session list rule, the
session data can be accessed anywhere variables can be used:

• Active channels
• Data monitors
• Dashboards
• Filters
• Reports
• Rules
Creating a Variable
From the editor of one of the resources (active channel, data monitors, dashboards, filters,
reports, rules), you can create a variable. This variable is derived from the session timestamp data stored in the session list.
To create a variable:
1  In the Navigator panel's drop-down menu, choose the resource that you wish to
   consume the session list data. These steps use Filters as an example. Right-click a
   filter group and select New Filter.
2  At the Attributes tab, enter a name for the filter, and optionally, external ID and alias
   information, and/or owner and notification group information.
3  At the Variables tab, click Add, then choose either Local Variable or Global Variable
   (depending on whether you want this variable shared across all resources). In the
   "Add Variable" dialog, enter the following values and click OK:
   In this field...    ...enter this
   Name                Enter a name for the variable. This name appears in the <Lists>
                       menu available from the Common Conditions Editor (CCE).
                       Spaces and special characters are OK.
   Function            In the Function pull-down menu, select List Functions >
                       GetSessionData.
   Arguments           In the <field name> pull-down menu, select the session list you
                       created previously.
   Preview             To preview the results, select an asset from the list of assets
                       reporting events to ArcSight and click Calculate.
4  Perform any necessary Session Field Mapping.
5  In the Filters tab conditions editor, scroll down to the bottom of the Fields list until you
   see Variables. Here you see the name of the variable you created in Step 3. In the
   Operator field, select an operator appropriate for the GetSessionData variable you
   created in Step 3. In the Condition field, enter an appropriate value. Session lists that
   allow overlapping sessions would take a list of values separated by commas. Session
   lists that do not allow session overlapping would take a single value. This instructs the
   filter to derive its values from your session list.
6  When you have finished setting all the conditions, click Apply to save changes and
   keep the editor open; click OK to save the filter and exit the editor.
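As an added Python illustration (not ArcSight code) of the DHCP resolution described under “How Session Correlation Works” and of the GetSessionData lookup in the procedure above, the following model keeps sessions keyed by IP address with the device as value, resolves which device held an address at the time of an event, returns several values for a list that allows overlapping entries and a single value otherwise, and applies the Set Session List Entry Expiry default of 5 days from entry time to sessions without a recorded end, so an entry made on Tuesday at 3 p.m. stops matching on Sunday at 3 p.m. The IP and MAC addresses, user names and timestamps are constructed; the class and function names are the example's own.

```python
"""Added example: a small model of a session list and the GetSessionData lookup.
Sessions are keyed by IP address with the device (MAC) as value; entries without a
recorded end time expire the configured interval (default 5 days) after they were
entered, as the Set Session List Entry Expiry panel describes. Not ArcSight code;
addresses, user names and timestamps are constructed."""
from datetime import datetime, timedelta


class SessionList:
    def __init__(self, name, overlapping=False, entry_expiry=timedelta(days=5)):
        self.name = name
        self.overlapping = overlapping  # the Overlapping Entries checkbox
        self.entry_expiry = entry_expiry  # Set Session List Entry Expiry value
        self.sessions = []  # dicts with key, value, start, end (None = open), entered

    def open_sessions(self, key):
        return [s for s in self.sessions if s["key"] == key and s["end"] is None]

    def add_session(self, key, value, start, end=None, entered=None):
        """The 'Add to Session List' rule action. Without overlapping entries, a new
        session for a key closes that key's previous open session at the new start."""
        if not self.overlapping:
            for s in self.open_sessions(key):
                s["end"] = start
        self.sessions.append({"key": key, "value": value, "start": start,
                              "end": end, "entered": entered or start})

    def effective_end(self, s):
        """Recorded end time, or entry time plus the configured expiry if none."""
        return s["end"] if s["end"] is not None else s["entered"] + self.entry_expiry

    def get_session_data(self, key, at):
        """GetSessionData: values of the sessions for key that were active at 'at'.
        One value for a non-overlapping list; possibly several for an overlapping one."""
        return [s["value"] for s in self.sessions
                if s["key"] == key and s["start"] <= at < self.effective_end(s)]


def resolve_device(session_list, ip, event_time):
    """Which device held ip when the event happened (None if no session covers it)."""
    hits = session_list.get_session_data(ip, event_time)
    return hits[0] if hits else None


def dhcp_scenario():
    """Constructed lease history: two devices hold 10.0.0.5 in turn. The second lease
    has no recorded end, so it expires 5 days after entry: Tuesday 3 p.m. -> Sunday 3 p.m."""
    dhcp = SessionList("DHCP", overlapping=False)
    tue_3pm = datetime(2012, 9, 18, 15, 0)  # Tuesday
    dhcp.add_session("10.0.0.5", "00:11:22:33:44:55", tue_3pm - timedelta(days=2))
    dhcp.add_session("10.0.0.5", "66:77:88:99:aa:bb", tue_3pm)  # closes the first lease
    return {
        "before_switch": resolve_device(dhcp, "10.0.0.5", tue_3pm - timedelta(hours=1)),
        "after_switch": resolve_device(dhcp, "10.0.0.5", tue_3pm + timedelta(hours=1)),
        "saturday": resolve_device(dhcp, "10.0.0.5", datetime(2012, 9, 22, 15, 0)),
        "sunday_3pm": resolve_device(dhcp, "10.0.0.5", datetime(2012, 9, 23, 15, 0)),
        "first_lease_end": dhcp.sessions[0]["end"],
    }


def overlap_scenario():
    """A shared host with Overlapping Entries on: a lookup during the overlap returns both users."""
    logins = SessionList("Shared Host Logins", overlapping=True)
    t = datetime(2012, 9, 18, 9, 0)
    logins.add_session("host-a", "alice", t)
    logins.add_session("host-a", "bob", t + timedelta(hours=1))
    return sorted(logins.get_session_data("host-a", t + timedelta(hours=2)))


if __name__ == "__main__":
    for name, value in dhcp_scenario().items():
        print(f"{name:<16} {value}")
    print("overlap lookup:", overlap_scenario())
```

The practical consequence for identity correlation is visible in the scenario: an event at 10.0.0.5 on Saturday is still attributed to the second device, but the same lookup on Sunday at 3 p.m. returns nothing, because the lease never recorded an end and the 5-day entry expiry has elapsed. A lease log that does not reliably report releases therefore needs the expiry tuned to the real lease time, or events after that point will go unattributed.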
Populating a Session List Manually
Session lists are designed to be populated automatically by rule actions; however, there
may be times when you need to populate the list manually. For example, you may wish to
enter known values into your session list for testing purposes, or to get session
correlation started with known values while you are waiting for the event stream to
populate the list with more session-related values.
To manually add data to the session list you just created, see “Adding a Session List Entry”
on page 488.
Managing Session Lists
While you can manually update session lists, their real value comes when you author
automatic, rule-driven lists with dynamic content.
See also “Understanding Session Correlation” on page 481 and “Using Session Lists to
Correlate Session Data on User Logins (Example)” on page 489.
As described in “Creating a Session List” on page 485, filters improve session
list performance by restricting the number of events that must be evaluated.
Filters, such as DHCP IP address ranges, are installation-specific. Therefore,
consider adding a filter to pre-defined session lists, such as /All Session
Lists/ArcSight Foundation/Network Monitoring/DHCP, to improve
performance.
Creating a Session List
Note that session lists are usually defined in conjunction with rules specifically tailored to
interact with those lists dynamically. Lists not driven by rules are empty or contain only
manually added entries that have not timed out.
1 Choose the Lists resource tree in the Navigator panel.
2 Click the Session Lists tab.
3 Right-click a session list group and choose New Session List.
4 In the Session List Editor, in the Inspect/Edit panel, define the following values.
Name: Enter a name for the session list. This name identifies the session list in ArcSight
pick lists. Spaces and special characters are OK.
Overlapping Entries: Check this box to alert the system to allow multiple instances of
key pairings, which keeps the previous session with the same key field open. For
example, you might check this box if the list tracks activity for an asset that supports
multiple-user logins.
In Memory Capacity (x1000): This setting indicates the maximum number of session
entries the system keeps in memory. 10,000 is the default value. For most cases, 10,000
is appropriate; however, you may wish to adjust this setting if the devices you are
monitoring for this session list contain a lot of data, to ensure you have adequate
memory cache available.
Entry Expiration Time: Enter an expiration time for session list entries. This indicates
the time after which entries are marked as terminated (if no explicit termination event
is received before this). The default is 0 seconds, which means the entry never expires.
An entry with no expiry date/time can only be terminated explicitly (through user action
on the Console, rule actions, or archives).
5 Set the Common and Assign fields as appropriate.
6 Define columns for session list entries by clicking the row of the lower panel labeled
"<Enter Name>." Columns for Start Time, End Time, and Creation Time are predefined.
Name: Enter a name for each session parameter you wish to track; for example, IP
address, zone, or MAC address. The name you enter here appears as a label in the
session list, and in the Variable pick list. Names can contain spaces, such as "User
name."
Type: Type indicates the data type of the entry. Data types can be:
• Address (IP address or MAC address)
• Date
• Double
• Integer
• Long
• Resource Reference (with appropriate subtype)
• String
Subtype: There are only two data types that require subtypes: Address and Resource
reference.
• Address – Choose IP address or MAC address.
• Resource reference – A Resource reference can refer to any resource, such as Asset,
Knowledge Base Article, or Zone.
Key Field: Select one or more fields that must be unique to indicate a session start. In
most cases, you would select at least two fields to make a key-value pair. For example,
in the case of a DHCP login event, when a new IP and zone combination is written to
the list, this indicates that a new session has started.
Columns can only be defined when the session list is created. Column definitions
cannot be added, removed, or changed once the new session list is saved.
7 Click the Filter tab in the Session List Editor and define a filter that limits the number
of events considered for the new session list. Session lists without filters must evaluate
every event, which can negatively affect performance. The Filter tab presents the
familiar Common Conditions Editor (CCE). Although the filter editor is similar, session
list filters are not the same as Filter resources. Session list filters use different fields
than Filter resources, for one thing.
Session lists are often concerned with logins to specific machines. In this case, you would
write a filter that would limit evaluation to IP address ranges of interest. By filtering out all
events except those targeting IP addresses in the DHCP server's subnet, for example, you
are effectively limiting session list evaluation to inside traffic, reducing the overhead of
session list evaluation. Other uses of session lists suggest other installation-specific
knowledge that can be used to create session list filters that restrict the number of events
matched against the session list.
Click Apply to save and continue editing or OK to save and close.
You can use the Add Entry button in the Session List Editor to manually create more
entries for the current session list.
Editing Session Lists
1 In the Session Lists resource tree, right-click a session list and choose Edit Session
List.
2 Make appropriate changes to the properties of the session list.
3 Click Apply to save and continue editing or OK to save and close.
Moving or Copying Session Lists
1 In the Session Lists resource tree, navigate to a session list and drag and drop it into
another group.
2 Choose Move to move the session list, Copy to make a separate copy of the session
list, or Link to create a copy of the session list that is linked to the original session list.
If you choose Copy, you create a separate copy of the session list that is not affected when
the original session list is edited. If you choose Link, you create a copy of the session list
that is linked to the original session list. Therefore, if you edit a linked session list, whether
the original or the copy, all links are edited as well. When deleting linked session lists, you
can either delete the selected session list or all linked session list copies.
Exporting Session Lists
In the session list viewer, you can export selected entries from a session list to a CSV file.
This is useful if you want to manage session list data external to the Console.
1 In the Session Lists resource tree, select a session list, and choose Show Entries.
The data in the session list is displayed in the Viewer panel as session list details.
2 On the session list detail in the Viewer panel, select one or more entries (typically,
rows of events).
3 Right-click and choose either Export CSV - Visible Columns or Export CSV - All
Columns. This brings up a file browser.
4 Browse to the location where you want to save the exported data, enter a file name in
the File Name field, and click Save. The entries you selected for export are saved as a
CSV file in the chosen location.
Deleting Session Lists
1 Right-click a session list and choose Delete Session List.
2 In the dialog box, click Delete.
Adding a Session List Entry
1 Right-click an item in the Session List resource tree and choose Show Entries.
2 In the session list grid view, right-click an entry that is similar to the entry you would
like to add. Choose Edit. The Session List Entry editor appears in the Inspect/Edit
window.
3 Click a row's Value column to make changes. The column type may limit the kind of
data that can be entered.
4 Click Add to post the changed entry as a new one.
Adding a Session List Entry Based on an Existing Entry
1 Right-click an item in the Session List resource tree and choose Edit Session List.
The Session List Entry editor appears in the Inspect/Edit window.
2 Click the Add Entry button.
3 Click a row's Value column to make changes. The column type may limit the kind of
data that can be entered.
4 Click Add to save the new entry. The Reset button clears all values.
Deleting a Session List Entry
1 Right-click an item in the Session List resource tree and choose Show Entries.
2 In the session list grid view, right-click the entry that you would like to delete. Choose
Edit. The Session List Entry editor appears in the Inspect/Edit window.
3 Click the entry's Value to make changes. The column type may limit the kind of data
that can be entered.
4 Click Add to post the changed entry as a new one.
Terminating a Session List Entry
1 In the Session Lists resource tree, right-click a session list and choose Show Entries.
2 In the session list grid view, right-click the entry that you would like to terminate.
Choose Terminate Session Entry.
3 Enter the date and time for the session end time. Click the button for a context
menu containing relative times such as Now, 1 hour ago, 1 day from now, and so on.
Click OK.
Using Session Lists to Correlate Session Data on User
Logins (Example)
Using session lists for identity correlation is a three-step process that involves three or
more ArcSight resources. The high-level workflow for creating and using session lists for
identity correlation is:
1 Create a session list.
2 Create a rule to populate it.
3 Use the session list output.
The results written to the session list can be used anywhere variables are used, such as to
trigger other rules, or to populate active channels, dashboards, and reports.
This Help topic steps through an example of building and populating a session list to track
Windows user login sessions.
(For a full explanation of working with session correlation, see the overview list of topics in
Chapter 16‚ Identity Correlation‚ on page 481.)
Example Overview
This example shows you, first, how to create a session list (essentially, a container) with a
schema appropriate for storing information about Windows logins and logoffs.
Next, we create two rules to populate the session list:
• A rule that is triggered at the start of a successful Windows login and populates the
session list with the successful login event data
• A rule that is triggered when a user logs off and populates the session list with the
session termination event data
Then, we verify the rules using the Verify Rules with Events tool to make sure that the rules
are triggered and that your session list is populated appropriately with session logins and
start/end times.
Finally, we create a new report using the session list you just created as the data source,
and run the report.
You need a set of canned or live Windows session events (user logins/logoffs)
to properly verify the resources you create for this example.
Step 1 - Create a Session List to Store Windows Sessions
Start by creating a session list that serves as a container for Windows login sessions.
Choose the Lists resource in the Navigator, and click the Session List tab. Right-click a
user folder and choose New Session List. (For more detailed help on creating session lists,
see “Creating a Session List” on page 485.)
In the Session List editor, name the session list, and add the fields as shown.
Session List Attributes and Values:
Name: Windows Login Sessions
Overlapping Entries: Disabled (leave unchecked). This example assumes that the Windows
server we are monitoring does not support multiple-user logins, which is why we leave
Overlapping Entries unchecked.
In Memory Capacity (x1000): 10
Entering data in the Common and Assign sections is optional, depending on
how your environment is configured. For information about the Common and
Assign attributes sections, as well as the read-only attribute fields in Parent
Groups and Creation Information, see “Common Resource Attribute Fields” on
page 630.
Add the following three fields with names and types as shown. Set "Username" as the key field.
Field Names for Session Lists (Name / Type / Key Field):
Username: String, Key Field enabled
NT Domain: String
Device: String
Step 2 - Create Rules to Populate the Session List with
Windows Logins
Create two rules with which to populate the session list:
• A rule that triggers on Windows session logins
• A rule that triggers when a Windows session terminates
To create a new rule, choose the Rules resource from the Navigator drop-down menu,
right-click a user group, and select New Rule from the context menu. (If you need more
help on creating rules, see “Managing Rules” on page 394. For a general introduction to
working with rules, see Chapter 13‚ Rules Authoring‚ on page 393.)
For this example, first create rules in a user folder under Rules for testing
purposes. Once you have created and verified rules and are ready to deploy
them on real-time events, move or copy the rules to your user folder under
Real-time Rules. Only rules deployed in Real-time Rules filter on live events
and show up in a live channel when they are triggered. See “Deploying Real-time Rules” on page 431 for more information.
Rule 1: Triggers on Windows Session Logins
Create a rule to populate the session list. Use the following attributes, conditions,
aggregation, and actions as shown below.
Attributes
On the Attributes tab, enter the name of the session login rule as follows.
• Name: Successful Windows Login
Conditions
Click the Conditions tab for the login rule, and enter the following conditions.
• Target User Name Is NOT NULL
• Target Nt Domain Is NOT NULL
• Device Host Name Is NOT NULL
Setting these conditions causes the rule to be triggered on any event that includes a device
host name and a user name where the target is a Windows NT domain. (For more
information on using the Common Conditions Editor or “CCE”, see “Common Conditions
Editor (CCE)” on page 782 and “Conditional Statements” on page 796.)
Aggregation
Click the Aggregation tab for the login rule. Under Aggregate only if these fields are
identical, click Add... to bring up the Add Fields dialog. Select the following fields on
which to aggregate and click OK to add them to the rule.
• Target User Name
• Target Nt Domain
• Device Host Name
Aggregation can be used to combine multiple events (as specified in the number of
matches) into a single entry for the session list. But in this case (where we are aggregating
events with identical fields on only a single match), we are specifying fields in the
Aggregation tab for the purpose of making those same fields available in the Actions tab.
Actions
Click the Actions tab for the login rule.
Select On Every Event, and click Add | Session List | Add to Session List.
In the Session List drop-down menu on the Add dialog, select the Windows Login Sessions
session list you created in the first step.
Map the fields as follows.
• Start Time: End Time
• Username: Target User Name
• NT Domain: Target Nt Domain
• Device: Device Host Name
This prompts the rule to add a login event to the Windows Login Sessions list every time a
matching login event occurs.
Click OK on the Add to Session List dialog to add the actions to the rule. When the actions
are properly configured, they are displayed under the “On Every Event” action as shown.
Windows session logins are added to the session list on every event.
Click OK to save the session login rule.
Rule 2: Triggers on Termination of Windows Sessions
Create a rule to populate the session list with Windows session termination information.
Define this "terminate session list" rule with the same settings as the "add to session list"
rule you just created, with the following differences specific to terminating the session:
• On the Attributes tab, Rule Name is Windows User Logoff (instead of Login).
• On the Conditions tab, define the same Conditions as in the previous rule.
• On the Aggregation tab, aggregate on the same fields as in the previous rule.
• On the Actions tab, define the same actions as in the previous rule but add the actions
to Terminate Session List instead of Add to Session List. (The menu path for adding
the logoff rule is Add | Session List | Terminate Session List.)
The Actions tab for the logoff rule is shown below. Notice that for Windows logoffs, the
rule triggers the action to add an entry to the terminate session list on every logoff event.
Here is an example of the Attributes tab for the logoff rule when it is completely
configured.
Step 3 - Verify Rules
For each rule, we want to answer some key questions to verify the rules are working as
expected.
Rule: Verify Questions
Add to Session List: Is the rule triggered when a Windows logon occurs?
Terminate Session List: Is the rule triggered when a Windows logoff occurs? Are the values
inserted into the Session List? Is the End Time in the Session List changing according to
the rule (that is, is it terminating the session for this user)?
To test the rules before deploying in real time, we can use an active channel created from
the Verify Rules with Events option, and also view entries in the Windows Login session list
we created in the first step of this example.
1 Select the Rules folder that contains them, right-click, and choose Verify Rule(s)
with Events in the context menu. You can create a New Active Channel to test the
rules.
The following example shows the login rule triggered for several events.
2 Choose the Lists resource in the Navigator, and click the Session Lists tab. Select
your Windows Login Sessions list, right-click, and choose Show Entries from the
context menu.
For more information on testing rules, see “Verifying Rule(s) with Events” on page 428
(formerly Replay-with-Rules).
Once you have created and verified rules and are ready to deploy them
on real-time events, move or copy the rules to your user folder under
Real-time Rules. Only rules deployed in Real-time Rules filter on live
events and show up in a live channel when they are triggered. For more
information, see “Deploying Real-time Rules” on page 431.
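The session list behaviour described under “Creating a Session List” (key fields, Overlapping Entries, Entry Expiration Time, the GetSessionData lookup) and the login/logoff rules of Steps 1 to 3 above, modeled in Python as an added example; this is not ArcSight code. The Event Name value that separates logons from logoffs, the epoch-second timestamps and the sample events are constructed assumptions, since the page gives both rules identical conditions.

```python
from dataclasses import dataclass

@dataclass
class SessionEntry:
    values: dict             # the user-defined columns (Username, NT Domain, Device)
    start_time: int          # Start Time column, epoch seconds
    end_time: int = None     # End Time column; None means the session is still open

class SessionList:
    """Minimal model of an ESM session list: fixed columns, key fields, overlap policy, expiry."""
    def __init__(self, columns, key_fields, overlapping_entries=False, expiration_seconds=0):
        self.columns = tuple(columns)          # column set is fixed once the list is created
        self.key_fields = tuple(key_fields)    # unique combination that marks a session start
        self.overlapping_entries = overlapping_entries
        self.expiration_seconds = expiration_seconds   # 0 means entries never expire
        self.entries = []

    def _key(self, values):
        return tuple(values[k] for k in self.key_fields)

    def open_entries(self, key):
        return [e for e in self.entries if e.end_time is None and self._key(e.values) == key]

    def add(self, values, start_time):
        """Add to Session List: new row; closes the previous open row unless overlap is allowed."""
        if not self.overlapping_entries:
            for e in self.open_entries(self._key(values)):
                e.end_time = start_time
        self.entries.append(SessionEntry(dict(values), start_time))

    def terminate(self, key_values, end_time):
        """Terminate Session List: set End Time on every open row with this key."""
        closed = self.open_entries(self._key(key_values))
        for e in closed:
            e.end_time = end_time
        return len(closed)

    def expire(self, now):
        """Entry Expiration Time: mark open rows terminated once older than the limit."""
        if self.expiration_seconds == 0:
            return 0
        aged = [e for e in self.entries
                if e.end_time is None and now - e.start_time >= self.expiration_seconds]
        for e in aged:
            e.end_time = e.start_time + self.expiration_seconds
        return len(aged)

    def get_session_data(self, key_values, at_time):
        """GetSessionData: rows with this key whose session covered the given instant."""
        key = self._key(key_values)
        return [e for e in self.entries if self._key(e.values) == key
                and e.start_time <= at_time and (e.end_time is None or at_time < e.end_time)]

REQUIRED = ("Target User Name", "Target Nt Domain", "Device Host Name")  # the NOT NULL conditions
def run_windows_rules(events, session_list):
    """Replay events through Rule 1 (login, add) and Rule 2 (logoff, terminate); return what fired."""
    fired = []
    for ev in events:
        if any(ev.get(f) is None for f in REQUIRED):
            continue                                   # conditions not met, nothing triggers
        row = {"Username": ev["Target User Name"], "NT Domain": ev["Target Nt Domain"],
               "Device": ev["Device Host Name"]}       # the Actions tab field mapping
        # Assumption: a constructed Event Name tells logons from logoffs (the page does not show it).
        if ev["Event Name"] == "Logon":
            session_list.add(row, ev["End Time"])      # Start Time <- event End Time, as mapped
            fired.append("Successful Windows Login")
        elif ev["Event Name"] == "Logoff":
            session_list.terminate(row, ev["End Time"])
            fired.append("Windows User Logoff")
    return fired

def _ev(name, t, user, domain="CORP", host="srv01"):
    return {"Event Name": name, "End Time": t, "Target User Name": user,
            "Target Nt Domain": domain, "Device Host Name": host}

WINDOWS_EVENTS = [                      # constructed sample events, not from a real system
    _ev("Logon", 1000, "samstevens"),
    _ev("Logon", 1100, "samstevens"),   # second logon, same key: closes the first session
    _ev("Logon", 1200, None),           # no user name: fails the NOT NULL condition
    _ev("Logoff", 1500, "samstevens"),
]
def verify():
    """Step 3 questions: did each rule fire, were rows inserted, did End Time change?"""
    sl = SessionList(("Username", "NT Domain", "Device"), ("Username",))   # Step 1 definition
    fired = run_windows_rules(WINDOWS_EVENTS, sl)
    return {"login_rule_fired": fired.count("Successful Windows Login"),
            "logoff_rule_fired": fired.count("Windows User Logoff"),
            "end_times": [e.end_time for e in sl.entries],
            "active_at_1050": len(sl.get_session_data({"Username": "samstevens"}, 1050))}
```

With Overlapping Entries disabled, the second logon closes the first row at 1100 before the logoff rule closes the second at 1500, which is the End Time change Step 3 asks you to look for.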
Step 4 - Use the Session List in a Report
You can leverage session lists in a variety of resources including reports, active lists, active
channels, data monitors, and as input to other rules. (For example, you could use a rule to
correlate multiple failed VPN logins over a short timeframe with a particular user entry in
the session list. You might specify that if both conditions are met, add the user to an active
list such as /Active Lists/Shared/All Active Lists/ArcSight
System/Threat Tracking/Suspicious List.)
For this example, use the session list in a simple report.
Create a new report on the session list for this example. The steps are:
• Create a report
• Choose a report template
• Choose the session list as the data source for the report
• Run the report
Here are step-by-step instructions for creating a report showing the Windows logins.
1 In the Navigator, choose the Reports resource and click the Templates tab.
2 Expand the folder /Report Templates/Shared/All Report Templates/
ArcSight System/, right-click Simple Table Portrait and choose New Report
from Template.
3 Provide a name for the report (for example, Windows Login Sessions).
4 Click the Data tab and select Session Lists for the Data Source type and the Windows
Login Sessions list for the data source.
5 Click Apply or OK to save the report.
6 Still under the Reports resource in the Navigator, click the Reports tab. The report
you created is displayed under your user folder.
7 Select the new report, right-click and choose Run Report or Run Report with
Defaults from the context menu.
Following is an example of an HTML version of the Windows Login Sessions report.
For more information on creating and using reports, see “Creating Reports” on page 335
and “Running Reports” on page 377.
Using Active Lists to Correlate Users (Example)
You can use active lists to find a value and then use that value (as a variable) in a rule. You
can use this strategy to identify entities or objects in a variety of scenarios; for example:
• Given that logins from the same attacker are showing up under multiple IP addresses,
find out whether the attacks are coming from the same machine with different IP
addresses.
• Correlate user logins (e.g., onto server machines) with physical building or room entry.
A user’s login ID is not the same as badge ID. You use an active list to map various
user identifiers (login, e-mail, badge) to a unique user ID (UUID) for each user.
• Map UUIDs to user roles.
• Find the current status (e.g., up, down) of a given machine host name.
• Find the current status (e.g., up, down) of a given SmartConnector.
(The last two can be handled using data monitors also.)
This example shows how to build a rule that leverages unique user ID information from a
pre-populated active list to correlate user logins on critical servers with badge swipe entries
to the server room. The rule is triggered when a server user login does not have a
matching badge swipe ID.
The example highlights how an active list with values can be leveraged for identity
correlation. In this case, the active list collects target user IDs for the same user from
different sources (e.g., user login, badge ID, e-mail address, phone number) and maps
those different IDs to a unique user ID. The rule then uses the unique user ID to correlate
badge swipe IDs with user login IDs.
(For a full explanation of working with identity correlation, see the overview list of topics in
Chapter 16‚ Identity Correlation‚ on page 481. For more about active lists, see also
“Managing Active Lists” on page 509, “Case-Insensitive Lookup in Active Lists” on
page 513, and “Using Rules to Populate an Active List” on page 514.)
Example Overview
For this example, consider a scenario where server machines with critical data reside in a
secure area. Only users in a specialized group are allowed physical access to the server
room (with badge swipe on a card reader) and user login permissions to the servers. This
example assumes a policy against remote logins to the server room machines.
We want to monitor and correlate user access to the server room (badge swipes) and user
logins on the server machines, and take action (e-mail notification) if our access policies
are violated. Some examples of policy violations that we want to catch are:
• Cases where someone logged into a server but no badge swipe is registered. This
could indicate policy violations such as remote logins or unauthorized server room
entry (e.g., server room door was left open).
• There is no matching badge swipe ID for a server console login (e.g., a user stole
someone’s badge to get into the server room, then logged in to the server with a
different user ID).
This example assumes a pre-populated active list whose schema is appropriate for storing
information about user IDs. The active list keys off of user identifiers from various sources
(e.g., user login, e-mail address, phone number) and maps these variants to the same
unique user ID (UUID).
The UUID can then be used as a variable in a rule for correlating user login IDs with badge
IDs. We’ll show how to create this rule, which leverages the user information collected in
the active list.
Step 1 - Build and Populate the Active List with User IDs
This example assumes that you have a pre-populated active list that maps user identifiers
from various sources (badge ID, user login, e-mail, phone number) to unique user IDs
(UUIDs). For the purposes of the example, we are interested in correlating badge IDs and
user logins for users who log into critical servers. The active list (populated with our list of
users) provides the “User Map” we need to derive each user’s unique ID.
The active list definition includes the following two fields with names and types as shown.
"User Identifier" is set as the key field. This information is available in incoming events
(badge swipes and user logins). Each user identifier is mapped to a UUID. Assume, for this
example, that we got this mapping from IT or Human Resources departments. The UUID
value is the information we’ll want to extract from this list via a variable.
Field Names for the Active List (Name / Type / Key Field):
User Identifier: String, Key Field enabled
UUID: String
Populating an Active List with User Data
There are various ways to populate an active list with this kind of user information:
• Human Resources (HR) or IT database
• Identity management system
• Import from a CSV file (in the Navigator, right-click the active list and choose Import
CSV File. See “Importing an Active List” on page 518)
• Manually add names to the list
Note that this is a different type of task than populating an active list based
on data gleaned from events (e.g., “Using Rules to Populate an Active List” on
page 514).
In this example, we already have the “map” and the values we need (the
unique user IDs) provided in the active list, and we are going to feed them
into a rule as a variable.
In the other example (using rules to populate the active list), we are using a
rule to add items to an active list and to discover and use values as items are
added to the list.
Here is an example of an active list pre-populated with user information.
If you want to follow along with the example but don’t have a database or spreadsheet of
user information handy, you can manually add example data:
1 Build and save the User Map active list definition as described in “Step 1 - Build and
Populate the Active List with User IDs” on page 500.
2 In the Navigator, right-click the User Map active list and choose Show Entries.
The list is shown in the Viewer panel.
3 Click the Add Entry button at the top right of the list to get the Active List Entry
Editor.
4 Use the Active List Entry Editor to manually add user identifiers and unique user IDs.
Click Add on the editor to add each line of data. To support the example, add at least
two lines for each user. Keep the UUID the same, but the user identifiers different to
illustrate the mapping.
User Identifier   UUID
badge0123         SamanthaStevens
samstevens        SamanthaStevens
badgeID5245       RobertJackson
rjackson          RobertJackson
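The correlation the Step 2 rule performs, flagging a server console login that has no matching badge swipe for the same UUID, written out in Python as an added example; it is not ArcSight's rule engine or its GetActiveListValue function. The User Map rows are the ones shown above; the event layout, the time window and the sample events are constructed assumptions.

```python
from collections import defaultdict

# Constructed "User Map" active list: User Identifier (the key field) -> UUID, using the
# sample rows from the example above; a real list would come from HR, IT or a CSV import.
USER_MAP = {
    "badge0123": "SamanthaStevens",
    "samstevens": "SamanthaStevens",
    "badgeID5245": "RobertJackson",
    "rjackson": "RobertJackson",
}

def get_active_list_value(active_list, identifier):
    """Stand-in for the GetActiveListValue variable: UUID for a user identifier, or None."""
    return active_list.get(identifier)

def server_room_console_login_policy(events, active_list, window_seconds=3600):
    """Flag server console logins with no badge swipe by the same UUID shortly before them.

    window_seconds is a constructed assumption: a swipe only counts if it happened at most
    this many seconds before the login (the page does not state a window)."""
    swipes = defaultdict(list)          # uuid -> times of badge swipes into the server room
    violations = []
    for ev in sorted(events, key=lambda e: e["time"]):
        uuid = get_active_list_value(active_list, ev["user_identifier"])
        if ev["type"] == "badge_swipe":
            if uuid is not None:
                swipes[uuid].append(ev["time"])
            continue
        if ev["type"] != "console_login":
            continue
        recent = [t for t in swipes.get(uuid, []) if 0 <= ev["time"] - t <= window_seconds]
        if uuid is None:
            reason = "identifier not in User Map"
        elif not recent:
            reason = "no matching badge swipe"   # remote login, door left open, or a stolen badge
        else:
            continue                             # login and swipe resolve to the same person
        violations.append({"time": ev["time"], "login": ev["user_identifier"],
                           "uuid": uuid, "device": ev["device"], "reason": reason})
    return violations

def _ev(kind, t, ident, device=None):
    return {"type": kind, "time": t, "user_identifier": ident, "device": device}

ACCESS_EVENTS = [                       # constructed sample events, not from a real system
    _ev("badge_swipe", 100, "badge0123"),
    _ev("console_login", 200, "samstevens", "srv01"),    # swipe and login share a UUID: allowed
    _ev("console_login", 300, "rjackson", "srv02"),      # no swipe at all for RobertJackson
    _ev("badge_swipe", 400, "badge0123"),
    _ev("console_login", 450, "rjackson", "srv01"),      # someone else's badge, different UUID
    _ev("console_login", 500, "mallory", "srv01"),       # identifier unknown to the User Map
]
```

In the Console the same decision is made by the rule's conditions, with the UUID supplied by the UserMap variable defined in Step 2.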
Step 2 - Create a Rule that Uses Active List Values to
Correlate User IDs
Now that we have an active list that maps various user IDs to unique user IDs (UUIDs), we
can create a rule that makes use of the active list to correlate events coming from the same
user with different user IDs (such as a badge swipe ID and a server login ID).
The following sections show how to define this example rule.
Attributes
On the Attributes tab, provide a name for the rule.
• Name: Server Room Console Login Policy
Variable
Next, we’ll define a variable we can use to find unique user IDs (UUIDs) in the active list
we created in the previous step (“Step 1 - Build and Populate the Active List with User IDs”
on page 500).
Create a variable called UserMap. (Click the Variables tab for your rule and click Add to
begin.) Provide these values for the variable definition.
Option: Specify this Value
Name: UserMap
Function: GetActiveListValue
Use the drop-down m