ArcSight Recon 1.2 User Guide
- Welcome to ArcSight Recon
- Investigating Events
- Searching for Events
- Understanding the Search Feature
- Creating and Saving Searches
- Searching Data Stored by ArcSight Logger
- Initiating a Search from Enterprise Security Manager
- Understanding the Search Progress Indicators
- Managing Your Searches
- Viewing Search Results
- Modifying the Search Settings
- Exporting the Search Results
- Scheduling Regular Runs of a Search
- Managing Completed Runs of a Scheduled Search
- Understanding the Search Parameters
- Understand the Types of Search Queries
- Using GlobalEventID in a Query
- Understand the Query Syntax, Operators, and Functions
- Specify a Group of Fields
- Specify an Alias for a Field
- Specify IP Addresses and Subnets
- Include a Storage Group’s Filter in the Search Query
- Extend the Search with a Lookup List
- Use Specific Sets of Fields for Search Results
- Configure the Time Range
- Configure Preferred Settings for Searches
- Hunting for Undetected Threats
- Viewing Dashboards and Reports
- View a Dashboard
- View a Report
- Choose Default Dashboards for the Reports Portal
- Understanding the MITRE ATT&CK Dashboards and Reports
- MITRE ATT&CK Dashboards
- MITRE ATT&CK Reports
- Understanding the Cloud Security Dashboards and Reports
- Abuse and Nefarious Use of Cloud Services – Dashboards
- Account Hijacking – Dashboards and Reports
- Advanced Persistent Threats – Dashboard
- Data Breaches – Dashboards
- Data Loss – Dashboard and Reports
- Denial of Service – Dashboard
- Insecure Interfaces and APIs – Report
- Insufficient Due Diligence – Reports
- Insufficient Identity Credential and Access Management – Reports
- Malicious Insiders – Report
- System Vulnerabilities – Dashboard and Reports
- Vulnerabilities on Shared Technologies
- Understanding the Foundation Dashboards and Reports
- Entity Monitoring – Dashboards and Reports
- Events Overview – Dashboards
- Hosts Monitoring – Reports
- Malware Monitoring – Dashboard and Reports
- Network Monitoring – Dashboards and Report
- Perimeter Monitoring – Dashboards and Reports
- Vulnerability Monitoring – Dashboard and Reports
- Understanding the OWASP Security Dashboards and Reports
- Broken Access Control
- Broken Authentication
- Cross-site Scripting
- Injections
- Insecure Deserialization – Dashboards and Reports
- Insufficient Logging and Monitoring – Dashboards and Reports
- Security Misconfiguration
- Sensitive Data Exposure
- Using Components with Known Vulnerabilities – Dashboards and Reports
- XML External Entities
- Analyzing Anomalous Data with Outlier Analytics
- Generating Models to View Anomalous Data
- Considerations for Generating Models
- Defining and Building a Model
- Scoring a Model
- Deleting a Model
- Viewing Anomalous Data in a Model
- Understand the Provided Analytics Charts
- Further Investigate Anomalies
- View a Scored Model
- Managing the Quality of Your Data
- Understanding the Data Quality Insights
- Understanding How Data Quality is Calculated
- Analyzing Data Quality
- Ensuring Data Compliance
- Ensuring Compliance with GDPR Standards
- Access Activity
- Admin Activity
- Attack Surface Analysis
- Corporate Governance
- Regulatory Exposure
- Threat Analysis
- Ensuring Compliance with ISO-27002
- 12 – Operations Security
- Ensuring Compliance with PCI DSS
- Firewall Configuration – Requirement 1
- Default Security Parameters – Requirement 2
- Encryption Transmission – Requirement 4
- Track and Monitor Data Access – Requirement 10
- Using Visuals and Reports to Analyze Data
- Accessing Reports and Dashboards
- Scheduling Report Generation
- Designing Dashboards for Data Analysis
- Designing Reports for Data Analysis
- Adding and Removing Report Content
- Import and Export Content
- Supported Data Sources
- Best Practices for the Report Designer and Dashboard Designer
- Using Search Results to Create a Dashboard or Report
- Using Data Models to Build a Worksheet
- Using Data Worksheets to Build a Dashboard or Report
- Creating a Simple Dashboard
- Creating a Simple Scheduled Report
- Creating a Simple Report
- Managing Your Stored Data
- Organizing Your Data
- Use Storage Groups to Organize and Retain Data
- Activate and Deactivate Storage Groups
- Change the Settings of a Storage Group
- Set Retention Policies for the Data
- Use Storage Group Queries in a Search
- Managing User Access and Preferences
- Assigning Permissions for Recon
- Default Roles for Recon
- Configuring User Preferences
- Configure Search Preferences
- Appendices
- Mapping Database Names to their Appropriate Search Fields
- Agent Fields
- Category Fields
- Correlation Fields
- Destination Fields
- Device Fields
- Device Custom Fields
- Event Fields
- Extension Fields
- File Fields
- Flex Fields
- OldField Fields
- Old File Fields
- Request Fields
- Source Fields
- Copyright Notice