ArcSight Recon 1.2 User Guide

    Welcome to ArcSight Recon
    Investigating Events
      Searching for Events
        Understanding the Search Feature
        Creating and Saving Searches
        Searching Data Stored by ArcSight Logger
        Initiating a Search from Enterprise Security Manager
        Understanding the Search Progress Indicators
      Managing Your Searches
        Viewing Search Results
        Modifying the Search Settings
        Exporting the Search Results
        Scheduling Regular Runs of a Search
        Managing Completed Runs of a Scheduled Search
      Understanding the Search Parameters
        Understand the Types of Search Queries
        Using GlobalEventID in a Query
        Understand the Query Syntax, Operators, and Functions
        Specify a Group of Fields
        Specify an Alias for a Field
        Specify IP Addresses and Subnets
        Include a Storage Group’s Filter in the Search Query
        Extend the Search with a Lookup List
        Use Specific Sets of Fields for Search Results
        Configure the Time Range
        Configure Preferred Settings for Searches
    Hunting for Undetected Threats
      Viewing Dashboards and Reports
        View a Dashboard
        View a Report
        Choose Default Dashboards for the Reports Portal
      Understanding the MITRE ATT&CK Dashboards and Reports
        MITRE ATT&CK Dashboards
        MITRE ATT&CK Reports
      Understanding the Cloud Security Dashboards and Reports
        Abuse and Nefarious Use of Cloud Services – Dashboards
        Account Hijacking – Dashboards and Reports
        Advanced Persistent Threats – Dashboard
        Data Breaches – Dashboards
        Data Loss – Dashboard and Reports
        Denial of Service – Dashboard
        Insecure Interfaces and APIs – Report
        Insufficient Due Diligence – Reports
        Insufficient Identity Credential and Access Management – Reports
        Malicious Insiders – Report
        System Vulnerabilities – Dashboard and Reports
        Vulnerabilities on Shared Technologies
      Understanding the Foundation Dashboards and Reports
        Entity Monitoring – Dashboards and Reports
        Events Overview – Dashboards
        Hosts Monitoring – Reports
        Malware Monitoring – Dashboard and Reports
        Network Monitoring – Dashboards and Report
        Perimeter Monitoring – Dashboards and Reports
        Vulnerability Monitoring – Dashboard and Reports
      Understanding the OWASP Security Dashboards and Reports
        Broken Access Control
        Broken Authentication
        Cross-site Scripting
        Injections
        Insecure Deserialization – Dashboards and Reports
        Insufficient Logging and Monitoring – Dashboards and Reports
        Security Misconfiguration
        Sensitive Data Exposure
        Using Components with Known Vulnerabilities – Dashboards and Reports
        XML External Entities
    Analyzing Anomalous Data with Outlier Analytics
      Generating Models to View Anomalous Data
        Considerations for Generating Models
        Defining and Building a Model
        Scoring a Model
        Deleting a Model
      Viewing Anomalous Data in a Model
        Understand the Provided Analytics Charts
        Further Investigate Anomalies
        View a Scored Model
    Managing the Quality of Your Data
      Understanding the Data Quality Insights
      Understanding How Data Quality is Calculated
      Analyzing Data Quality
    Ensuring Data Compliance
      Ensuring Compliance with GDPR Standards
        Access Activity
        Admin Activity
        Attack Surface Analysis
        Corporate Governance
        Regulatory Exposure
        Threat Analysis
      Ensuring Compliance with ISO-27002
        12 – Operations Security
      Ensuring Compliance with PCI DSS
        Firewall Configuration – Requirement 1
        Default Security Parameters – Requirement 2
        Encryption Transmission – Requirement 4
        Track and Monitor Data Access – Requirement 10
    Using Visuals and Reports to Analyze Data
      Accessing Reports and Dashboards
      Scheduling Report Generation
      Designing Dashboards for Data Analysis
      Designing Reports for Data Analysis
      Adding and Removing Report Content
        Import and Export Content
        Supported Data Sources
      Best Practices for the Report Designer and Dashboard Designer
        Using Search Results to Create a Dashboard or Report
        Using Data Models to Build a Worksheet
        Using Data Worksheets to Build a Dashboard or Report
        Creating a Simple Dashboard
        Creating a Simple Scheduled Report
        Creating a Simple Report
    Managing Your Stored Data
      Organizing Your Data
        Use Storage Groups to Organize and Retain Data
        Activate and Deactivate Storage Groups
        Change the Settings of a Storage Group
        Set Retention Policies for the Data
        Use Storage Group Queries in a Search
    Managing User Access and Preferences
      Assigning Permissions for Recon
      Default Roles for Recon
      Configuring User Preferences
        Configure Search Preferences
    Appendices
      Mapping Database Names to their Appropriate Search Fields
        Agent Fields
        Category Fields
        Correlation Fields
        Destination Fields
        Device Fields
        Device Custom Fields
        Event Fields
        Extension Fields
        File Fields
        Flex Fields
        OldField Fields
        Old File Fields
        Request Fields
        Source Fields
    Copyright Notice