Search supports the following types of search queries:
Searches across all columns using a ‘contains’ operation to determine if the value is found.
|
Syntax |
Example |
|---|---|
|
<value> |
ssh |
Searches based on the field and operator designation to determine if the value is found in the specified field.
Your search can reference fields with the Unified Schema to either retrieve the field in results, apply a filter criteria or create a user defined expression. The Unified Schema defines a consistent event model that can be used across all of ArcSight family of products.
|
Syntax |
Example |
|---|---|
|
sourceAddress = 10.0.111.5 |
The Search feature includes several predefined queries out-of-the-box. In the query field, enter a hashtag then select the criteria that you want to use. In addition to these predefined searches, you can use the session searches and save searches in the input field using a hashtag prefix.
|
This predefined query... |
Uses this search criteria... |
|---|---|
|
#Configuration Changes |
categoryBehavior = /Modify/Configuration AND categoryOutcome = /Success |
|
#DGA Events |
deviceCustomNumber1 >= 1 AND deviceCustomNumber1Label contains DNS |
|
#DNS Events |
deviceEventCategory = PACKET |
|
#Failed Logins |
Category Behavior = /Authentication/Verify AND categoryOutcome != /Success |
|
#Failed Logins for User $Username |
Category Behavior = /Authentication/Verify AND categoryOutcome != /Success for user <username> |
|
#Firewall Drop |
categoryDeviceGroup = /Firewall AND categoryObject starts with /Host/Application/Service AND (categoryBehavior starts with /Access OR categoryBehavior = /Communicate/Query) AND categoryOutcome = /Failure |
|
#Firewall Drop for $Ip |
categoryDeviceGroup = /Firewall AND categoryObject starts with /Host/Application/Service AND (categoryBehavior starts with /Access OR categoryBehavior = /Communicate/Query) AND categoryOutcome = /Failure for <IP_address> |
|
#Firewall Events |
categoryDeviceGroup = /Firewall |
|
#Malicious Code Activity |
categoryObject STARTS WITH /Vector, /Host/Infection, /Host/Application/Malware OR categoryObject = /Host/Application/DoS Client, /Host/Application/Backdoor OR categoryTechnique STARTS WITH /Code |
|
#SSH Authentication |
categoryBehavior = /Authentication/Verify AND destinationUserName != Null and contains ssh |
|
#VPN Connections |
categoryDeviceGroup = /VPN AND Category Behavior = /Authentication/Verify AND categoryOutcome = /Success AND destinationUserName != Null |
|
#Windows Account Creation |
deviceVendor = Microsoft AND deviceEventClassId = Microsoft-Windows-Security-Auditing:4720, Security:624 |