Search supports the following types of search queries:
Searches across all columns using a ‘contains’ operation to determine if the value is found.
|
Syntax |
Example |
|---|---|
|
<value> |
ssh |
Searches based on the field and operator designation to determine if the value is found in the specified field.
Your search can reference fields with the Unified Schema to either retrieve the field in results, apply a filter criteria or create a user defined expression. The Unified Schema defines a consistent event model that can be used across all of ArcSight family of products.
|
Syntax |
Example |
|---|---|
|
sourceAddress = 10.0.111.5 |
The Search feature includes several predefined queries out-of-the-box. In the query field, enter a hashtag, and then select the criteria to use. In addition to these predefined searches, you can use the session searches and save searches in the input field using a hashtag prefix.
|
This predefined query... |
Uses this search criteria... |
|---|---|
|
#Configuration Changes |
categoryBehavior = /Modify/Configuration AND categoryOutcome = /Success |
|
#DGA Events |
deviceCustomNumber1 >= 1 AND deviceCustomNumber1Label contains DNS |
|
#DNS Events |
deviceEventCategory = PACKET |
|
#DoS Events |
#Category Technique =/DoS |
|
#ESM Correlation Events |
Type=Correlation |
|
#Failed Logins |
Category Behavior = /Authentication/Verify AND categoryOutcome != /Success |
|
#Failed Logins For User $Username |
Category Behavior = /Authentication/Verify AND categoryOutcome != /Success for user <username> |
|
#Firewall Events |
categoryDeviceGroup = /Firewall |
|
#Firewall Drop |
categoryDeviceGroup = /Firewall AND categoryObject starts with /Host/Application/Service AND (categoryBehavior starts with /Access OR categoryBehavior = /Communicate/Query) AND categoryOutcome = /Failure |
|
#Firewall Drop For $Ip |
categoryDeviceGroup = /Firewall AND categoryObject starts with /Host/Application/Service AND (categoryBehavior starts with /Access OR categoryBehavior = /Communicate/Query) AND categoryOutcome = /Failure for <IP_address> |
|
#Malicious Code Activity |
categoryObject STARTS WITH /Vector, /Host/Infection, /Host/Application/Malware OR categoryObject = /Host/Application/DoS Client, /Host/Application/Backdoor OR categoryTechnique STARTS WITH /Code |
|
#MITRE ATT&CK Events |
Device Custom String1 Label ='MITRE ID' |
|
#Proxy Events |
Category Technique=/Proxy |
|
#SSH Authentication |
categoryBehavior = /Authentication/Verify AND destinationUserName != Null and contains ssh |
|
#VPN Connections |
categoryDeviceGroup = /VPN AND Category Behavior = /Authentication/Verify AND categoryOutcome = /Success AND destinationUserName != Null |
|
#Vulnerabilities Events |
Category Technique= /scanner/device/vulnerability |
|
#Windows Account Creation |
deviceVendor = Microsoft AND deviceEventClassId = Microsoft-Windows-Security-Auditing:4720, Security:624 |
|
#Windows New Service Created |
(deviceEventClassId='Microsoft-Windows-Security-Auditing:4697' or deviceEventClassId=' Service Control Manager:7045' ) and deviceProduct='Microsoft Windows' |