Esm5.5 scg configuration

Configuration Monitoring
for ArcSight ESM 5.5
March 1, 2013
Standard Content Guide

Standard Content Guide - Configuration Monitoring
Copyright © 2013 Hewlett-Packard Development Company, L.P.
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent
with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and
Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard
commercial license.
The information contained herein is subject to change without notice. The only warranties for HP products
and services are set forth in the express warranty statements accompanying such products and services.
Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for
technical or editorial errors or omissions contained herein.
Follow this link to see a complete statement of copyrights and acknowledgements:
http://www.arcsight.com/copyrightnotice
The network information used in the examples in this document (including IP addresses and hostnames) is
for illustration purposes only.
This document is confidential.
Revision History
Document template version: 2.1
Contact Information
Date Product Version Description
03/01/2013 Configuration Monitoring 5.5 Final revision for release.
Phone 1-866-535-3285 (North America)
+44 (0)870 141 7487 (EMEA)
Support Web Site http://support.openview.hp.com
Protect 724 Community https://protect724.arcsight.com

Confidential Standard Content Guide 3
Contents
Chapter 1: Configuration Monitoring Overview ................................................................... 5
What is Standard Content? ............................................................................................... 5
Standard Content Packages .............................................................................................. 6
Configuration Monitoring Content ...................................................................................... 7
Chapter 2: Installation and Configuration ........................................................................... 9
Installing the Configuration Monitoring Package ................................................................... 9
Configuring the Configuration Monitoring Content .............................................................. 10
Modeling the Network .............................................................................................. 10
Categorizing Assets ................................................................................................. 11
Configuring Active Lists ............................................................................................ 11
Ensuring Filters Capture Relevant Data ...................................................................... 12
Enabling Rules ........................................................................................................ 12
Configuring Notification Destinations .......................................................................... 13
Configuring Notifications and Cases ........................................................................... 13
Scheduling Reports ................................................................................................. 13
Configuring Trends .................................................................................................. 13
Chapter 3: Configuration Monitoring Content .................................................................... 15
Assets ......................................................................................................................... 16
Resources .............................................................................................................. 16
Configuration Changes Overview .................................................................................... 20
Configuration ......................................................................................................... 20
Resources .............................................................................................................. 20
Device Configuration Changes ......................................................................................... 23
Resources .............................................................................................................. 23
Hosts and Applications Overview .................................................................................... 32
Configuration ......................................................................................................... 32
Resources .............................................................................................................. 32
Security Application and Device Configuration Changes ...................................................... 40
Devices ................................................................................................................. 40
Resources .............................................................................................................. 40
User Configuration Changes ............................................................................................ 49
Resources .............................................................................................................. 49

4 Standard Content Guide Confidential
Vulnerabilities .............................................................................................................. 61
Devices ................................................................................................................. 61
Resources .............................................................................................................. 61
Appendix A: Upgrading Standard Content ......................................................................... 69
Preparing Existing Content for Upgrade ............................................................................ 69
Configurations Preserved During Upgrade ................................................................... 69
Configurations that Require Restoration After Upgrade ................................................. 69
Backing Up Existing Resources Before Upgrade ........................................................... 70
Performing the Upgrade ................................................................................................. 70
Checking and Restoring Content After Upgrade ................................................................. 70
Verifying and Reapplying Configurations ..................................................................... 71
Verifying Customized Content ................................................................................... 71
Fixing Invalid Resources .......................................................................................... 71
Index ...................................................................................................................................................... 73

Chapter 1
Configuration Monitoring Overview
This chapter discusses the following topics.
What is Standard Content?
Standard content is a series of coordinated resources (filters, rules, dashboards, reports,
and so on) that address common security and management tasks. Standard content is
designed to give you comprehensive correlation, monitoring, reporting, alerting, and case
management out of the box with minimal configuration. The content provides a full
spectrum of security, network, and configuration monitoring tasks, as well as a
comprehensive set of tasks that monitor the health of the system.
The standard content is installed using a series of packages, some of which are installed
automatically with the Manager to provide essential system health and status operations.
The remaining packages are presented as install-time options organized by category.
Standard content consists of the following:
 ArcSight System content is installed automatically with the Manager and consists of
resources required for basic security processing functions, such as threat escalation
and priority calculations, as well as basic throughput channels required for
out-of-the-box functionality.
 ArcSight Administration content is installed automatically with the Manager, and
provides statistics about the health and performance of ArcSight products. ArcSight
Administration is essential for managing and tuning the performance of content and
components.
 ArcSight Foundations content (such as Configuration Monitoring, Intrusion
Monitoring, Network Monitoring, NetFlow Monitoring, and Workflow) are presented as
install-time options and provide a coordinated system of resources with real-time
monitoring capabilities for a specific area of focus, as well as after-the-fact analysis in
the form of reports and trends. You can extend these foundations with additional
resources specific to your needs or you can use them as a template for building your
own resources and tasks.
 Shared Libraries - ArcSight Administration and several of the ArcSight Foundations
rely on a series of common resources that provide core functionality for common
“What is Standard Content?” on page 5
“Standard Content Packages” on page 6
“Configuration Monitoring Content” on page 7

1 Configuration Monitoring Overview
security scenarios. Dependencies between these resources and the packages they
support are managed by the Package resource.
 Anti-Virus content is a set of filters, reports, and report queries used by ArcSight
Foundations, such as Configuration Monitoring and Intrusion Monitoring.
 Conditional Variable Filters are a library of filters used by variables in standard
content report queries, filters, and rule definitions. The Conditional Variable Filters
are used by ArcSight Administration and certain ArcSight Foundations, such as
Configuration Monitoring, Intrusion Monitoring, Network Monitoring, and
Workflow.
 Global Variables are a set of variables used to create other resources and to
provide event-based fields that cover common event information, asset, host, and
user information, and commonly used timestamp formats. The Global Variables
are used by ArcSight Administration and certain ArcSight Foundations.
 Network filters are a set of filters required by ArcSight Administration and certain
ArcSight Foundations, such as Intrusion Monitoring and Network Monitoring.
Standard Content Packages
Standard content comes in packages (.arb files) that are either installed automatically or
presented as an install-time option. The following graphic outlines the packages.
Figure 1-1 The ArcSight System and ArcSight Administration packages at the base provide
content required for basic ArcSight functionality. The common packages in the center contain
shared resources that support ArcSight Administration and the ArcSight Foundation packages.
The packages shown on top are ArcSight Foundations that address common network security
and management scenarios.
Depending on the options you install, you will see the ArcSight System resources, the
ArcSight Administration resources, and some or all of the other package content.
The ArcSight Express package is present in ESM installations, but is not
installed by default. The package offers an alternate view of the Foundation
resources. You can install or uninstall the ArcSight Express package without
impact to the system.

Configuration Monitoring Content
The Configuration Monitoring content identifies, analyzes, and remediates undesired
modifications to systems, devices, and applications. These modifications include installing
new applications, adding new systems to the network, anti-virus/network scanner/IDS
engine and signature updates, and asset vulnerability postures. This content helps IT and
security staff pinpoint and resolve problems quickly, and provides essential visibility into the
network configuration so you understand the systems you have, where they are, what they
host, and what vulnerabilities they expose.
Windows systems provide ample user and host account modification information. In most
cases, if an adequate auditing level is enabled, you can see modifications to applications,
changes to user privilege levels, system configuration changes, even file access.
Unix-based systems provide less visibility into internal system activity. Because there is little
consistency to what is reported from system to system, it is often not possible to easily
identify actions, such as software installations. In some cases, auditing can be enabled on
Unix-based systems, although the output might be too granular to be useful during
analysis.
Other network devices, such as routers and firewalls, can be configured to report software
or operating system updates and provide basic log information that is useful to the
Configuration Monitoring content.
This guide describes the Configuration Monitoring content. For information about ArcSight
System or ArcSight Administration content, refer to the Standard Content Guide - ArcSight
System and ArcSight Administration. For information about an optional ArcSight
Foundation, refer to the Standard Content Guide for that Foundation. ESM documentation
is available on Protect 724 (https://protect724.arcsight.com).
When creating your own packages, you can explicitly include or exclude system
resources in the package. Exercise caution if you delete packages that might
have system resources; for example, zones. Make sure the system resources
either belong to a locked group or are themselves locked. For more information
about packages, refer to the ArcSight Console User’s Guide.

Chapter 2
Installation and Configuration
This chapter discusses the following topics.
For information about upgrading standard content, see Appendix A‚ Upgrading Standard
Content‚ on page 69.
Installing the Configuration Monitoring Package
The Configuration Monitoring Foundation is one of the standard content packages that are
presented as install-time options. If you selected all the standard content packages to be
installed at installation time, the packages and their resources will be installed in the
ArcSight database and available in the Navigator panel resource tree. The package icon in
the Navigator panel package view will appear blue.
If you opted to exclude any packages at installation time, the package is imported into the
ESM package view in the Navigator panel, but is not available in the resource view. The
package icon in the package view will appear grey.
If you do not want the package to be available in any form, you can delete the package.
To install a package that is imported, but not installed:
1 In the Navigator panel Package view, navigate to the package you want to install.
2 Right-click the package and select Install Package.
3 In the Install Package dialog, click OK.
4 When the installation is complete, review the summary report and click OK.
The package resources are fully installed to the ArcSight database, the resources are
fully enabled and operational, and available in the Navigator panel resource tree.
To uninstall a package that is installed:
1 In the Navigator Panel Package view, navigate to the package you want to uninstall.
2 Right-click the package and select Uninstall Package.
3 In the Uninstall Package dialog, click OK.
The progress of the uninstall displays in the Progress tab of the Uninstalling Packages
dialog. If a message displays indicating that there is a conflict, select an option in the
Resolution Options area and click OK.
“Installing the Configuration Monitoring Package” on page 9
“Configuring the Configuration Monitoring Content” on page 10

2 Installation and Configuration
4 When uninstall is complete, review the summary and click OK.
The package is removed from the ArcSight database and the Navigator panel resource
tree, but remains available in the Navigator panel package view, and can be re-
installed at another time.
To delete a package and remove it from the Console and the database:
1 In the Navigator Panel Package view, navigate to the package you want to delete.
2 Right-click the package and select Delete Package.
3 When prompted for confirmation of the delete, click Delete.
The package is removed from the Navigator panel package view.
Configuring the Configuration Monitoring Content
Some Configuration Monitoring resources require configuration to be functional, and some
rely on universal configurations. Most require no additional configuration.
The list below shows the general tasks you need to complete to configure Configuration
Monitoring content with values specific to your environment.
 “Modeling the Network” on page 10
 “Categorizing Assets” on page 11
 “Configuring Active Lists” on page 11
 “Enabling Rules” on page 12
 “Ensuring Filters Capture Relevant Data” on page 12
 “Configuring Notification Destinations” on page 13
 “Configuring Notifications and Cases” on page 13
 “Scheduling Reports” on page 13
 “Configuring Trends” on page 13
Modeling the Network
A network model keeps track of the network nodes participating in the event traffic.
Modeling your network and categorizing critical assets using the standard asset categories
is what activates some of the standard content and makes it effective.
There are several ways to model your network. For information about populating the
network model, refer to the ArcSight Console User’s Guide or the ESM online Help. To learn
more about the architecture of the ESM network modeling tools, refer to the ESM 101
guide.

Categorizing Assets
After you have populated your network model with assets, apply the standard asset
categories to activate standard content that uses these categories.
 Categorize all assets (or the zones to which the assets belong) that are internal to the
network with the /All Asset Categories/Site Asset Categories/
Address Spaces/Protected category.
Internal Assets are assets inside the company network. Assets that are not categorized
as internal to the network are considered to be external. Make sure that you also
categorize assets that have public addresses but are controlled by the organization
(such as web servers) as Protected.
 Categorize all assets that are considered critical to protect (including assets that host
proprietary content, financial data, cardholder data, top secret data, or perform
functions critical to basic operations) with the /All Asset Categories/System
Asset Categories/Criticality/High or Very High category.
The asset categories most essential to basic event processing are those used by the
Priority Formula to calculate the criticality of an event. Asset criticality is one of the
four factors used by the Priority Formula to generate an overall event priority rating.
Asset categories can be assigned to assets, zones, asset groups, or zone groups. If
assigned to a group, all resources under that group inherit the categories.
You can assign asset categories individually using the Asset editor or in a batch using the
Network Modeling wizard. For information about how to assign asset categories using the
Console tools, refer to the ArcSight Console User’s Guide or the ESM online Help.
For more about the Priority Formula and how it leverages these asset categories to help
assign priorities to events, refer to the ArcSight Console User’s Guide or the ESM 101 guide.
Configuring Active Lists
The standard content includes active lists. Certain active lists are populated automatically
during run-time by rules. You do not have to add entries to these active lists manually
before you use them. Other active lists are designed to be populated manually with data
specific to your environment. After the lists are populated with values, they are cross-
referenced by active channels, filters, rules, reports, and data monitors to give ESM more
information about the assets in your environment.
You must configure the All Active Lists/ArcSight
Foundation/Configuration Monitoring/Local User Allowed Systems active
list with the IP address, zone, and customer (if applicable) of systems that allow local users
to be created. These are typically systems operated by IT or network development groups.
The entries in this static active list are used by the Local Windows User Creation -
Disallowed Host and the Local Windows User Creation - Allowed Host rules. If this active
list is not configured, or is not relevant to your operating environment, the rules will not
yield appropriate results. This does not affect overall content functionality.
Assets with a private IP address (such as 192.168.0.0) are considered
Protected by the system, even if they are not categorized as such.

You can add entries manually to active lists using the following methods. Both methods are
described in the ArcSight Console User’s Guide.
 One by one using the Active List editor in the ArcSight Console.
 In a batch by importing values from a CSV file.
Ensuring Filters Capture Relevant Data
Standard content relies on specific event field values to identify events of interest. Although
this method applies to most of the events and devices, be sure to test key filters to verify
that they actually capture the required events.
To ensure that a filter captures the relevant events:
1 Generate or identify the required events and verify that they are being processed by
viewing them in an active channel or query viewer.
2 Navigate to the appropriate filter, right-click the filter and choose Create Channel
with Filter. If you see the events of interest in the newly created channel, the filter is
functioning properly.
If you do not see the events of interest:
a Verify that the configuration of the active channel is suitable for the events in
question. For example, ensure that the event time is within the start and end time
of the channel.
b Modify the filter condition to capture the events of interest. After applying the
change, repeat Step 2 to verify that the modified filter captures the required
events.
For a list of the Configuration Monitoring filters you need to configure, refer to the
configuration information for each use case presented in Chapter 3‚ Configuration
Monitoring Content‚ on page 15.
Enabling Rules
ESM rules trigger only if they are deployed in the Real-Time Rules group and are
enabled. All Configuration Monitoring rules are deployed by default in the Real-Time
Rules group and are enabled.
To disable a rule:
1 In the Navigator panel, go to Rules and navigate to the Real-time Rules group.
2 Navigate to the rule you want to disable.
3 Right-click the rule and select Disable Rule.

Configuring Notification Destinations
Configure notification destinations if you want to be notified when some of the standard
content rules are triggered. By default, notifications are disabled in the standard content
rules, so the admin user needs to configure the destinations and enable the notification in
the rules. For details about enabling the notifications in rules, see Configuring Notifications
and Cases, below.
Some Configuration Monitoring rules reference two notification groups: CERT Team and
SOC Operators. Add new destinations for notification levels 1, 2, and 3 as appropriate to
the personnel in your security operations center. Refer to the ArcSight Console User’s Guide
or the ESM online Help for information on how to configure notification destinations.
Configuring Notifications and Cases
Standard content depends on rules to send notifications and open cases when conditions
are met. Notifications and cases are how users can track and resolve the security issues
that the content is designed to find.
By default, the notifications and create case actions are disabled in the standard content
rules that send notifications about security-related events to the Cert Team notification
group.
To enable rules to send notifications and open cases, first configure notification
destinations as described in Configuring Notification Destinations above, then enable the
notification and case actions in the rules.
For more information about working with rule actions in the Rules Editor, refer to the
ArcSight Console User’s Guide or the ESM online Help.
Scheduling Reports
You can run reports on demand, automatically on a regular schedule, or both. By default,
reports are not scheduled to run automatically.
Evaluate the reports that come with Configuration Monitoring, and schedule the reports
that are of interest to your organization and business objectives. For instructions about
how to schedule reports, refer to the ArcSight Console User’s Guide or the ESM online Help.
Configuring Trends
Trends are a type of resource that can gather data over longer periods of time, which can
be leveraged for reports. Trends streamline data gathering to the specific pieces of data
you want to track over a long range, and breaks the data gathering up into periodic
updates. For long-range queries, such as end-of-month summaries, trends greatly reduce
the burden on system resources. Trends can also provide a snapshot of which devices
report on the network over a series of days.
Configuration Monitoring content includes several trends, some of which are enabled by
default. These enabled trends are scheduled to run on an alternating schedule between the
hours of midnight and 7:00 a.m., when network traffic is usually less busy than during peak
daytime business hours. These schedules can be customized to suit your needs using the
Trend scheduler in the Console.

To disable or enable a trend, go to the Navigator panel, right-click the trend and select
Disable Trend or Enable Trend.
For more information about trends, refer to the the ArcSight Console User’s Guide or the
ESM online Help.
To enable a disabled trend, you must first change the default start date in
the Trend editor.
If the start date is not changed, the trend takes the default start date
(derived from when the trend was first installed), and backfills the data from
that time. For example, if you enable the trend six months after the first
install, these trends try to get all the data for the last six months, which
might cause performance problems, overwhelm system resources, or cause
the trend to fail if that event data is not available.

Chapter 3
Configuration Monitoring Content
In this section, the Configuration Monitoring resources are grouped together based on the
functionality they provide. The Configuration Monitoring groups are listed in the table
below.
Resource Group Purpose
“Assets” on page 16 The Assets resources provide information about systems that have been
started, shutdown, or restarted.
“Configuration
Changes Overview” on
page 20
The Configuration Changes Overview resources provide an overview of
the current system configuration, system configuration changes, and
systems with a criticality rating by zone.
“Device Configuration
Changes” on page 23
The Device Configuration Changes resources provide information about
configuration changes to hosts and applications.
“Hosts and
Applications Overview”
on page 32
The Hosts and Applications Overview resources provide an overview of
the configuration of systems with common applications, such as email
servers and databases.
“Security Application
and Device
Configuration
The Security Application and Device Configuration Changes resources
provide information about configuration changes to security applications.
“User Configuration
The User Configuration Changes resources provide information about user
configuration by identifying and monitoring user accounts and the
hosts/addresses associated with them. This ties a user to certain IP
addresses, MAC addresses, host-names, zones, and so on. The reports
cover user account additions, modifications to those accounts, and
account removal.
“Vulnerabilities” on
page 61
The Vulnerabilities resources provide an overview about current
vulnerabilities on systems.

3 Configuration Monitoring Content
Assets
The Assets resources provide information about systems that have been started,
shutdown, or restarted.
Resources
The following table lists all the resources in the Assets resource group and any dependant
resources.
Table 3-1 Resources that Support the Assets Group
Resource Description Type URI
Monitor Resources
User Login
Failures Trend
- Past Week
This report provides aggregate
information about the user
accounts that experience failed
logins most often during the past
7 days.
Report ArcSight
Foundation/Configuration
Monitoring/Operational
Summaries/Access Tracking/
Top User
Logins - Last
Week
This report provides an overview
of the top users attempting logins
during the past week.
Report ArcSight
Critical Asset
Startup and
Shutdown
Event Log -
Last Day
This report provides a listing of
the critical system startup and
shutdown events seen during the
past day.
Report ArcSight
Summaries/Asset Restarts/
Critical Asset
Startup and
Shutdown
Trend
This report displays summary
data from a trend table to
provide a count of how often your
critical systems startup or shut
down. Note: The Critical System
Startup and Shutdown Events -
Daily Trend is not enabled by
default.
Report ArcSight
Asset Startup
and Shutdown
Log - Last
Week
This report queries a trend table
to retrieve a listing of all system
startup and shutdown events
seen during the past week.
Report ArcSight
Assets
Restarting
Twice or More
- Last Week
This report displays a list of
assets that appear to be
restarting twice or more per
week. Depending on the function
of these assets, these events
might indicate a problem and
need to be investigated.
Report ArcSight
Asset Startup
and Shutdown
Event Log -
Last Day
the system startup and shutdown
events seen during the past day.
Report ArcSight

Top User
Logins -
Yesterday
This report displays a summary
of the top N user logins that
occurred yesterday and lists the
login counts by user.
Report ArcSight
Library - Correlation Resources
Critical Host
Shutdown
Detected
This rule detects when a host
with high or very high criticality is
shut down. This rule is a part of
the Configuration Monitoring
content.
Rule ArcSight
Monitoring/
Library Resources
Criticality This is a system asset category. Asset
Category
System Asset Categories
High This is a system asset category. Asset
Category
System Asset
Categories/Criticality
Very High This is a system asset category. Asset
Category
System Asset
User Account
Login
Attempts
This filter uses ArcSight
categories to choose events that
indicate user login attempts.
These might be successful or
failures.
Filter ArcSight
Monitoring/Detail/Configur
ation Changes/User/Access
Tracking/
System
Startup Events
This filter identifies events that
indicate a system has started up.
This is often indicative of a
reboot.
Filter ArcSight
Failed User
Account Login
Attempts
This filter uses the ArcSight event
categories to identify failed user
account login attempts.
Filter ArcSight
Tracking/
System
Shutdown
Events
This filter identifies events that
indicate a system has shutdown.
This is often indicative of a
reboot.
Filter ArcSight
Successful
User Account
Login
Attempts
categories to identify successful
user account login attempts.
Filter ArcSight
Tracking/
All Events Filter that matches all events. Filter ArcSight System/Core
Most Common
Account
Logins by
Target User
(Yesterday)
This query selects events passed
by the Successful User Account
Login Attempts filter.
Query ArcSight
Monitoring/Details/Configu
ration Changes/User/Access
Tracking/

Systems
Restarted
Twice or More
- Last Week
This query checks the system
startup and shutdown trend
table, and retrieves a list of the
systems that have restarted
more than once in the past week.
The query shows the restart
history for each system each day.
Query ArcSight
Most Common
Account Login
Attempts -
Last Day
by the User Account Login
Attempts filter.
Query ArcSight
Tracking/
Critical
System
Startup and
Shutdown
Events - By
Zone and
Asset
This query collects summary data
from a trend table to provide a
count of how often your critical
systems startup or shut down.
Note: The Critical System Startup
and Shutdown Events - Daily
Trend is not enabled by default.
Query ArcSight
Most Common
Account Login
Attempts
Trend - Last
Week
This query retrieves a listing of
the count of target user account
logins by zone for the last seven
days.
Query ArcSight
Tracking/
System
Startups and
Shutdowns
This query collects information
about system startup and
shutdown events that occurred
yesterday. The startup events
typically indicate a system
restart, but may not be reliably
matched with shutdown events.
Query ArcSight
Critical
System
Startups and
Shutdowns -
Trend Query
about critical system startup and
shutdown events that occurred
yesterday. The startup events
typically indicate a system
Query ArcSight
Failed User
Account Login
Attempts
(Yesterday)
by the Failed User Account Login
Attempts filter.
Query ArcSight
Tracking/
User Account
Login Failures
- Weekly Trend
This query retrieves aggregated
information about failed logins
over the past week from a trend
table.
Query ArcSight
Tracking/
Restart Log by
Zone - Last
Week
This query retrieves a list of all
asset startup and shutdown
events over the past week.
Query ArcSight

Most Common
Account Login
Attempts -
Daily Trend
This trend collects daily statistics
about User Account Login
Attempts to track the most
frequent user logins.
Trend ArcSight
Monitoring/User Access
Tracking/
Asset Startup
and Shutdown
Events - Daily
Trend
on shutdown and startup events
from your different assets. The
trend query includes information
on the device product and vendor
so that you can query the trend
for statistics by operating
system.
Trend ArcSight
Monitoring/Asset Restarts/
Critical
System
Startup and
Shutdown
Events - Daily
Trend
about critical system startup and
shutdown events. The startup
events typically indicate a system
This trend is a more focused view
(assets modeled with criticality
categorization) of the Asset
Startup and Shutdown Events -
Daily Trend. Note: This trend is
not enabled by default.
Trend ArcSight
Monitoring/Asset Restarts/
User Account
Login Failures
This trend collects aggregate
information about failed user
account login attempts. It also
collects other information
including the target zone as well
as the target device vendor and
product.
Trend ArcSight
Monitoring/User Access
Tracking/

Configuration Changes Overview
The Configuration Changes Overview resources provide an overview of the current system
configuration, system configuration changes, and systems with a criticality rating by zone.
Configuration
The Configuration Changes Overview resource group requires the following configuration
for your environment:
 Adjust the value of the TTL Days field in the Assets with Recent Configuration
Modifications active list, if needed.
The Assets with Recent Configuration Modifications active list tracks devices and hosts
that have had some sort of configuration modification within the time period specified.
The default value is set to a seven day period.
Resources
The following table lists all the resources in the Configuration Changes Overview resource
group and any dependant resources.
Table 3-2 Resources that Support the Configuration Changes Overview Group
Monitor Resources
Configuration
Changes
Overview
This dashboard shows an
overview of the successful
configuration changes for
databases, firewalls, VPNs, and
network devices.
Dashboard ArcSight
Summaries/
Successful
Configuration
Change
This rule detects events with
successful configuration changes.
This rule only requires one such
event within two minutes. After
this rule has triggered, the target
asset and user information is
added to the Assets with Recent
Configuration Modifications active
list.
Rule ArcSight
Monitoring/
Library Resources
Assets with
Recent
Configuration
Modifications
This active list tracks devices and
hosts that have had some sort of
configuration modification in the
past seven days.
Active List ArcSight
Monitoring/
Last 10
Database
Configuration
Changes
This data monitor shows the last
ten successful database
configuration changes.
Data
Monitor
ArcSight
Summaries/Configuration
Changes Overview/

Last 10
Firewall
Configuration
Changes
ten successful firewall
configuration changes.
Data
Monitor
ArcSight
Changes Overview/
Last 10 VPN
Configuration
Changes
ten successful VPN configuration
changes.
Data
Monitor
ArcSight
Changes Overview/
Last 10
Network
Configuration
Changes
ten successful configuration
changes on network devices.
Data
Monitor
ArcSight
Changes Overview/
Network
Events
This filter identifies events with
the category object starts with
Network or the category device
group starts with Network
Equipment.
Filter ArcSight
Foundation/Common/Device
Class Filters/
VPN Events This filter identifies events with
the category device group of
VPN.
Filter ArcSight
Class Filters/
Configuration
Modifications
This filter identifies configuration
modifications on any system or
device. This resource is a part of
content.
Filter ArcSight
Monitoring/
Network
Configuration
Changes
This filter identifies successful
configuration change events that
match the Network Events filter.
Filter ArcSight
ation
Changes/Device/Network/
VPN
Configuration
Changes
match the VPN Events filter.
Filter ArcSight
ation Changes/Device/VPN/
Firewall
Configuration
Changes
match the Firewall Events filter.
Filter ArcSight
ation
Changes/Device/Firewall/
Successful
Configuration
Changes
the category behavior of
/Modify/Configuration and
category outcome of Success.
Filter ArcSight
ation Changes/
Database
Configuration
Changes
match the Database Events filter.
Filter ArcSight
ation
Changes/Device/Database/

Firewall
Events
This filter retrieves events with
the Firewall category device
group.
Filter ArcSight
Class Filters/
Database
Events
the category object
/Host/Application/Database.
Filter ArcSight
ation
ArcSight
Events
This resource has no description. Filter ArcSight System/Event
Types
Non-ArcSight
Events
Types
Security
Application
and Device
Configuration
Changes
This use case provides
information about configuration
changes on security applications.
Use Case ArcSight
Monitoring/Configuration
Changes/
User
Configuration
Changes
information about user
management.
Use Case ArcSight
Changes/
Device
Configuration
Changes
information about the
configuration changes on hosts
and applications.
Use Case ArcSight
Changes/

Device Configuration Changes
The Device Configuration Changes resources provide information about configuration
changes to hosts and applications.
Resources
The following table lists all the resources in the Device Configuration Changes resource
Table 3-3 Resources that Support the Device Configuration Changes Group
Monitor Resources
Host
Configuration
Modifications
This dashboard shows three data
monitors focusing on host
configuration change events. The
two Top Value Counts
(Bucketized) data monitors show
charts of the event counts by
zone or the most common
events. The Last N Events data
monitor shows the last 20
events.
Dashboard ArcSight
Summaries/
Host
Configuration
Modifications -
Today
This query viewer displays host
related configuration modification
events since midnight of the
current day.
Query
Viewer
ArcSight
ation Changes/
Host
Configuration
Modifications -
Yesterday
This query viewer displays host
related configuration modification
events since midnight of the
previous day.
Query
Viewer
ArcSight
ation Changes/
Zones by
Configuration
Change Count
Past Week
This report provides a summary
chart and table to show the zones
with the most configuration
changes within the past week.
Report ArcSight
ration Changes/Device/
Misconfigurati
ons
This resource has no description. Report ArcSight
ration
Changes/Device/Router/
Misconfigurati
ons
ration
Host
Configuration
Modifications
Summary
of the host configuration
modification activity seen over
the preceding week. Use the
Zone parameter to focus the
report on a certain zone, and
provide a manageable and useful
data set. This report is part of the
Report ArcSight
Summaries/

Misconfigurati
ons
ration
Assets with
Configuration
Changes - Last
Day
the assets that have been
modified within the last day and
the users that made the
modifications. The listing is
sorted first by zone, then by
asset name.
Report ArcSight
Configuration
Changes by
User
This report shows recent
configuration changes in a table.
The table lists all the changes,
grouped by user and type, and
sorts them chronologically. Use
this report to find all the
configuration changes made by a
specific user.
Report ArcSight
ration
Changes/Device/Common/
Database
Errors and
Warnings
database errors and warnings in
a chart and a table. The chart
shows the top 10 errors and
warnings. The table lists all the
errors and warnings
chronologically.
Report ArcSight
ration
Host
Configuration
Modifications
by Customer
This report shows the host
configuration modifications by
customer.
Report ArcSight
Summaries/
Systems With
Criticality
Ratings by
Zone
This report displays a table with
the address, device zone name,
and names of assets that are
modeled under the Criticality
asset category.
Report ArcSight
ration Changes/Critical
Systems/
Assets with
Configuration
Changes - Past
Week
assets that have been modified
within the last week and the user
that made the modifications. The
listing is sorted first by zone,
then by asset name.
Report ArcSight
Host
Configuration
Modifications
by OS
This report shows the host
configuration modifications by
operating system.
Report ArcSight
Summaries/
Configuration
Changes by
Type
grouped by type and user, and
configuration changes of a
certain type.
Report ArcSight
ration

VPN
Configuration
Changes
ration Changes/Device/VPN/
Router
Configuration
Changes
ration
Switch
Configuration
Changes
ration
Changes/Device/Switch/
Current Asset
Configurations
the assets modeled in and
monitored by the ArcSight
system, and the current
configuration information
available to the system regarding
those assets. This report provides
information on the operating
system and the services running
on the selected set of hosts. For
information about vulnerabilities,
see the reports in the
Detail/Vulnerabilities section.
This report is part of the host-
specific Configuration Monitoring
content. Note: This report
contains data on the number of
assets defined by the Row Limit
(10,000 by default). Running this
report might affect performance,
especially if your system contains
several hundred thousand assets.
Report ArcSight
Monitoring/Details/
Cisco - IOS
Configuration
Changed
This rule detects an IOS
configuration change. This rule
looks for events with a Device
Event Class ID of SYS:CONFIG
for Cisco Routers. This rule only
requires one such event within
one minute. After this rule is
triggered, the agentSeverity
event field is set to medium. This
rule is triggered by events
generated by CISCO routers.
Rule ArcSight
Monitoring/Detail/Devices/
Routers/Cisco/
Library Resources
Assets with
Recent
Configuration
Modifications
This active list tracks devices and
hosts that have had some sort of
configuration modification in the
past seven days.
Monitoring/

Category
Scanned This is a site asset category. Asset
Category
Site Asset Categories
Open Port This is a site asset category. Asset
Category
Application This is a site asset category. Asset
Category
Operating
System
This is a site asset category. Asset
Category
Most Common
Host
Configuration
Change Events
This data monitor displays the
top ten most common host
configuration changes. By
default, the data monitor displays
a pie chart. This data monitor is a
part of the Configuration
Monitoring content.
Data
Monitor
ArcSight
Summaries/Host
Configuration
Modifications/
Host
Configuration
Change Event
Counts by
Zone
top ten zones with configuration
changes. By default, the data
monitor displays a pie chart. This
data monitor is a part of the
Data
Monitor
ArcSight
Summaries/Host
Configuration
Modifications/
Last 20 Host
Configuration
Modification
Events
last 20 host configuration events
seen by the system. Events are
noted by customer, system, and
reporting device in addition to the
change type information.
Data
Monitor
ArcSight
Summaries/Host
Configuration
Modifications/
TargetHost This variable returns available
target information from an event.
The format of the information is
targetZoneName. |
<targetHostName> |
<targetAddress>:<targetPort>
Information that is not in the
event will not show a place-
holder. Examples: RFC1918:
192.168.0.0-192.168.255.255 |
Itwiki.sv.arcsight.com |
192.168.10.20:80 RFC1918:
192.168.0.0-192.168.255.255 |
192.168.10.30:53 RFC1918:
192.168.0.0-
192.168.255.255:53
192.168.10.30:53 unknown
Global
Variable
ArcSight
Foundation/Variables
Library/Host Information/

DeviceInfo This variable returns the device
information, including the device
vendor, the device product, and
the device version, if available
within the event. The format is
deviceVendor. | <deviceProduct>
or <deviceVendor> |
<deviceProduct> v.
<deviceVersion>
Global
Variable
ArcSight
Library/
VPN.
Filter ArcSight
Class Filters/
Configuration
Modifications
content.
Filter ArcSight
Monitoring/
Target Address
is NULL
This filter is designed for
conditional expression variables.
The filter identifies events where
the target address is NULL.
Filter ArcSight
Foundation/Common/Conditio
nal Variable Filters/Host/
Target Zone
AND Host are
NULL but
Address is
NOT NULL
This filter identifies events in
which either the target zone or
target address field is NULL, but
not both.
Filter ArcSight
Virtual Private
Network
This resource has no description. Filter ArcSight
Target Host
Name is NULL
the Target Host Name is NULL.
Filter ArcSight
Target
Information is
NULL
which the target zone, target
host name, and target address
fields are NULL.
Filter ArcSight
ArcSight
Events
Types
Target Port is
NULL
which the target port field is
NULL.
Filter ArcSight
Device Version
is NULL
which the device product field is
NULL.
Filter ArcSight
nal Variable
Filters/Device/

All Device
Information is
NULL
which there is no device
information, meaning that the
device vendor, device product,
and device version fields are all
NULL.
Filter ArcSight
nal Variable
Filters/Device/
Device Vendor
OR Product is
NULL
which the device vendor or
device product field is NULL, but
not both.
Filter ArcSight
nal Variable
Filters/Device/
Router This resource has no description. Filter ArcSight
ation
Switch This resource has no description. Filter ArcSight
ation
Host
Configuration
Modifications
This filter provides a more
focused subset of configuration
modification events for use when
monitoring or reporting on host-
specific configuration changes.
This filter is a part of the host-
content.
Filter ArcSight
ation Changes/
Target Zone
OR Host is
NULL
target host name field is NULL.
Filter ArcSight
Device Vendor
AND Product
are NULL
which the device vendor and
device product fields are NULL.
Filter ArcSight
nal Variable
Filters/Device/
Target Zone
AND Host are
NULL
which the target zone and target
host name fields are NULL.
Filter ArcSight
Target Zone is
NULL
the Target Zone is NULL.
Filter ArcSight
Non-ArcSight
Events
Types
Configuration
Changes by
User
This report displays anti-virus
configuration change events
reported the previous day. Use
specific user.
Focused
Report
ArcSight
Foundation/Common/Anti-
Virus/

Configuration
Changes by
Type
This report displays the
configuration change name, the
user making the change, device
information, and the time of the
change for anti-virus
certain type.
Focused
Report
ArcSight
Virus/
Host
Configuration
Modifications
This query retrieves host related
configuration modification events
since midnight of the current day.
Query ArcSight
ration Changes/
Misconfigurati
ons
This resource has no description. Query ArcSight
ration
Host
Configuration
Modifications
by OS
This query retrieves host
configuration modification data
(restricted by the Host
Configuration Modifications
filter).
Query ArcSight
Summaries/
Assets with
Configuration
Modifications-
Last Day
This query retrieves a list of
assets that have had
configuration changes in the last
day. The data is retrieved from
the Assets with Recent
Configuration Modifications active
list.
Query ArcSight
Monitoring/Details/
Router
Configuration
Changes
ration
Systems With
Criticality
Ratings by
Zone
This query returns the address,
device zone name, and names of
assets that are modeled under
the Criticality asset category.
Query ArcSight
Monitoring/Details/Critica
l Systems/
Configuration
Changes by
Zone Last
Week Trend
Query
This query retrieves information
about the total number of
configuration changes that
occurred in your zones over the
past seven days. The events are
counted and grouped by day and
month for ease of use in a chart
or summary table.
Query ArcSight
Monitoring/Details/

Host
Configuration
Modifications
on Trend
This query retrieves data from
the Host Configuration
Modifications trend to provide a
summary of the host
configuration modification
activity. This query is a part of
content.
Query ArcSight
Summaries/
VPN
Configuration
Changes
ration Changes/Device/VPN/
Database
Errors and
Warnings
(Chart)
This query returns the count of
database errors and warnings by
event name.
Query ArcSight
ration
Changes/Device/Database
Errors and Warnings/
Switch
Configuration
Changes
ration
Assets with
Configuration
Modifications-
Last 7 Days
This query retrieves a list of
assets have had configuration
changes within the last 7 days.
This query checks the Assets with
Recent Configuration
Modifications active list.
Query ArcSight
Monitoring/Details/
Misconfigurati
ons
ration
Assets with
Recent
Configuration
Modifications
by Vendor and
Product
about a day's worth of
configuration changes to your
various assets. The data
retrieved includes information
about the asset affected, the
asset causing the change (if
any), and the vendor and product
information about the asset that
was changed.
Query ArcSight
Monitoring/Details/
Configuration
Changes
This query returns all the
successful configuration changes
made to devices. The query
returns the name, the user, the
device, and the time the change
was made.
Query ArcSight
ration Changes/

Host
Configuration
Modifications
Summary
This query retrieves data
providing a summary of the host
activity for the Host Configuration
Modifications trend. This query is
a part of the Configuration
Monitoring content.
Query ArcSight
Summaries/
Misconfigurati
ons
ration
Current Asset
Configurations
This query provides a listing of
the assets modeled in and
monitored by the ArcSight
system and the current
configuration information
available to the system regarding
those assets. It provides
information on the operating
system and services running on
the selected set of hosts. Note:
This query returns data up to the
Row Limit (10,000 by default)
assets. Running this query night
affect performance.
Query ArcSight
Monitoring/Details/
Host
Configuration
Modifications
by Customer
This query returns host
configuration modification data
(restricted by the Host
Configuration Modifications
filter).
Query ArcSight
Summaries/
Database
Errors and
Warnings
This query retrieves all the
database error and warning
events. The query returns the
time, event name, result, user
name, and category significance.
Query ArcSight
ration
Host
Configuration
Modifications
This trend provides a summary of
the host configuration
modification activity.
Trend ArcSight
Monitoring/Asset
Configuration Change
Tracking/
Assets with
Recent
Configuration
Modifications
(Daily)
This trend retrieves changes to
assets within the last day and
stores information about the
change itself as well as who
made the change.
Trend ArcSight
Monitoring/Asset
Tracking/

Hosts and Applications Overview
The Hosts and Applications Overview resources provide an overview of the configuration of
systems with common applications, such as email servers and databases.
Configuration
The Hosts and Applications Overview resource group requires the following configuration
for your environment:
 Categorize the the assets in your environment in the following groups (unless the
assets were categorized automatically by vulnerability scanners):
 Site Asset Categories/Business Impact Analysis/Business Role
 System Asset Categories/Criticality
 Site Asset Categories/Business Impact Analysis/Data Role
 Site Asset Categories/Operating System
 Site Asset Categories/Application/Type/Email
 Site Asset Categories/Application/Type/Web Server
Resources
The following table lists all the resources in the Hosts and Applications Overview resource
Table 3-4 Resources that Support the Hosts and Applications Overview Group
Monitor Resources
Database
Errors
This dashboard shows the most
recent and the top errors
affecting database applications
on the network.
Dashboard ArcSight
Summaries/
Host Problems
Overview
This dashboard shows several
data monitors that focus on host
problem events. The two Top
Value Counts (Bucketized) data
monitors show charts of the
event counts by zone or the most
common events. The Last N
Events data monitor shows the
last 20 events.
Dashboard ArcSight
Summaries/
Configuration
Changes by
User
specific user.
Report ArcSight
ration

Database
Errors and
Warnings
database errors and warnings in
a chart and a table. The chart
shows the top 10 errors and
warnings. The table lists all the
errors and warnings
chronologically.
Report ArcSight
ration
All Revenue
Generating
Assets
Monitoring/Details/Invento
ry/Roles/
Mail Servers This resource has no description. Report ArcSight
ry/Roles/
Web Servers This resource has no description. Report ArcSight
ry/Roles/
Configuration
Changes by
Type
certain type.
Report ArcSight
ration
Host Summary
by Business
Role
pie chart showing the breakdown
of assets by business role. This
chart and others are combined to
produce an overview of the asset
configurations. This report is a
Monitoring content.
Report ArcSight
Monitoring/Executive
Summaries/Overall Host
Configuration/
Host
Configuration
Events By
Zone
of host configuration events by
zone. This chart and others are
combined to produce an overview
of the asset configurations. This
report is a part of the
Report ArcSight
Configuration/
Host Summary
by Criticality
of assets by criticality. This chart
and others are combined to
Monitoring content.
Report ArcSight
Configuration/

Host Summary
by Operating
System
of assets by operating system.
This chart and others are
combined to produce an overview
of the asset configurations. This
report is a part of the
Report ArcSight
Configuration/
Assets with
Applications
all assets that have been scanned
for applications or that have been
categorized manually with
applications. This report is a part
of the Configuration Monitoring
content.
Report ArcSight
ry/
Host Summary
by Data Role
of assets by data role. This chart
and others are combined to
Monitoring content.
Report ArcSight
Configuration/
Library Resources
Email This is a site asset category. Asset
Category
Site Asset
Categories/Application/Typ
e
Data Role This is a site asset category. Asset
Category
Site Asset
Categories/Business Impact
Analysis
Category
Business Role This is a site asset category. Asset
Category
Site Asset
Analysis
Application This is a site asset category. Asset
Category
Web Server This is a site asset category. Asset
Category
Site Asset
e
Operating
System
Category
Revenue
Generation
Category
Site Asset
Analysis/Business Role
Last 10
Database
Errors
most recent database error
events.
Data
Monitor
ArcSight
Summaries/Database Errors/

Last 20 Host
Problems
20 host issues noted by ArcSight.
This data monitor is used in the
Host Problems Overview data
monitor and these resources are
Monitoring content.
Data
Monitor
ArcSight
Summaries/Host Problems
Overview/
Top 10
Database
Errors
This data monitor shows the top
ten systems with events
matching the AV - Found Infected
filter (the Category Device Group
starts with /IDS/Host/Antivirus,
the Category Outcome is /Failure,
and the Category Behavior is
/Found/Vulnerable).
Data
Monitor
ArcSight
Summaries/Database Errors/
Host Problem
Event Counts
by Zone
This data monitor shows host-
specific problems noted by
ArcSight, by Zone. By default this
data monitor displays a pie chart
of the top ten zones by problem
event volume. This data monitor
is a part of the Configuration
Monitoring content.
Data
Monitor
ArcSight
Overview/
Most Common
Host Problem
Events
This data monitor shows the top
ten most common problems seen
on your monitored hosts. This
data monitor is a part of the Host
Problems Overview dashboard
and is a part of the Configuration
Monitoring content.
Data
Monitor
ArcSight
Overview/
TargetHost This variable returns available
target information from an event.
The format of the information is
targetZoneName. |
<targetHostName> |
<targetAddress>:<targetPort>
Information that is not in the
event will not show a place-
holder. Examples: RFC1918:
192.168.0.0-192.168.255.255 |
Itwiki.sv.arcsight.com |
192.168.10.20:80 RFC1918:
192.168.0.0-192.168.255.255 |
192.168.10.30:53 RFC1918:
192.168.0.0-
192.168.255.255:53
192.168.10.30:53 unknown
Global
Variable
ArcSight
Library/Host Information/
DeviceInfo This variable returns the device
information, including the device
vendor, the device product, and
the device version, if available
within the event. The format is
deviceVendor. | <deviceProduct>
or <deviceVendor> |
<deviceProduct> v.
<deviceVersion>
Global
Variable
ArcSight
Library/

Configuration
Modifications
content.
Filter ArcSight
Monitoring/
Host Problems This filter identifies host-related
problems and errors. This filter is
Monitoring content.
Filter ArcSight
Summaries/
Target Address
is NULL
the target address is NULL.
Filter ArcSight
Target Zone
AND Host are
NULL but
Address is
NOT NULL
target address field is NULL, but
not both.
Filter ArcSight
Target Host
Name is NULL
the Target Host Name is NULL.
Filter ArcSight
Target
Information is
NULL
which the target zone, target
host name, and target address
fields are NULL.
Filter ArcSight
Database
Errors
Application, category object of
/Host/Application/Database, and
a category significance of
/Informational/Warning or
/Informational/Error.
Filter ArcSight
ation
Database
Events
the category object
Filter ArcSight
ation
ArcSight
Events
Types
Target Port is
NULL
which the target port field is
NULL.
Filter ArcSight
Device Version
is NULL
which the device product field is
NULL.
Filter ArcSight
nal Variable
Filters/Device/

All Device
Information is
NULL
which there is no device
information, meaning that the
and device version fields are all
NULL.
Filter ArcSight
nal Variable
Filters/Device/
Device Vendor
OR Product is
NULL
which the device vendor or
device product field is NULL, but
not both.
Filter ArcSight
nal Variable
Filters/Device/
Host
Configuration
Modifications
This filter provides a more
focused subset of configuration
modification events for use when
monitoring or reporting on host-
specific configuration changes.
This filter is a part of the host-
content.
Filter ArcSight
ation Changes/
Target Zone
OR Host is
NULL
target host name field is NULL.
Filter ArcSight
Device Vendor
AND Product
are NULL
which the device vendor and
device product fields are NULL.
Filter ArcSight
nal Variable
Filters/Device/
Target Zone
AND Host are
NULL
which the target zone and target
host name fields are NULL.
Filter ArcSight
Target Zone is
NULL
the Target Zone is NULL.
Filter ArcSight
Non-ArcSight
Events
Types
Configuration
Changes by
User
specific user.
Focused
Report
ArcSight
Virus/
Configuration
Changes by
Type
certain type.
Focused
Report
ArcSight
Virus/

Host Summary
by Business
Role
This query returns a breakdown
of assets by Business Role. This
query is a part of the
Query ArcSight
Configuration/
Host Summary
by Data Role
of assets by Data Role. This
query is part of the Configuration
Monitoring content.
Query ArcSight
Configuration/
All Revenue
Generating
Assets
ry/Roles/
Web Servers This resource has no description. Query ArcSight
ry/Roles/
Database
Errors and
Warnings
(Chart)
database errors and warnings by
event name.
Query ArcSight
ration
Host Summary
by Criticality
of assets by Criticality. This query
is part of the Configuration
Monitoring content.
Query ArcSight
Configuration/
Assets with
Applications
This report shows all Assets that
have been scanned for
applications or that have been
manually categorized with
Applications. This report is part of
content.
Query ArcSight
ry/
Host Summary
by Operating
System
of assets by operating system.
This query is part of the
Query ArcSight
Configuration/
Configuration
Changes
was made.
Query ArcSight
ration Changes/
Host
Configuration
Modifications
Summary
This query retrieves data
providing a summary of the host
activity for the Host Configuration
Modifications trend. This query is
Monitoring content.
Query ArcSight
Summaries/

Mail Servers This resource has no description. Query ArcSight
ry/Roles/
Database
Errors and
Warnings
This query retrieves all the
database error and warning
events. The query returns the
time, event name, result, user
name, and category significance.
Query ArcSight
ration
Host
Configuration
Events By
Zone
of host configuration events by
zone from the Host Configuration
Modifications trend.
Query ArcSight
Configuration/
Host
Configuration
Modifications
This trend provides a summary of
the host configuration
modification activity.
Trend ArcSight
Monitoring/Asset
Tracking/

Security Application and Device Configuration
Changes
The Security Application and Device Configuration Changes resources provide information
about configuration changes to security applications.
Devices
The following device types can supply events that apply to the Security Application and
Device Configuration Changes resource group:
 Anti-Virus
 Firewalls
 Intrusion Detection Systems
Resources
The following table lists all the resources in the Security Application and Device
Configuration Changes resource group and any dependant resources.
Table 3-5 Resources that Support the Security Application and Device Configuration Changes Group
Monitor Resources
Firewall
Configuration
Changes
ration
Update
Summary -
Regulated
Systems
This report displays the target
zone name, target host name,
target address, device vendor,
device product, category
outcome, and the sum of the
aggregated event count from
yesterday's events on assets
categorized as having a
regulation requirement.
Report ArcSight
Virus/
Update
Overview
(MSSP)
This report displays the customer,
time, target zone name, target
host name, target address,
category outcome, and the sum
of the aggregated event count of
all events related to virus update
information files for yesterday.
Report ArcSight
Virus/
Failed Anti-
Virus Updates
This report displays a table with
the anti-virus vendor and product
name as well as the hostname,
zone and IP address of the host
on which the update failed. The
time (EndTime) at which the
update failed is also displayed.
This report runs against events
that occurred yesterday.
Report ArcSight
Virus/

Failed Anti-
Virus Updates
(MSSP)
host name, target address, and
device product of all events in the
past 24 hours that have failed to
update virus information files.
Report ArcSight
Virus/
Firewall
Misconfigurati
ons
ration
Failed Anti-
Virus Updates
- Regulated
Systems
This report displays the device
vendor, device product, target
target address, and
minute(EndTime) from events
that match the AV - Failed
Updates filter and target assets
that are categorized in one of the
regulated asset categories for
yesterday.
Report ArcSight
Virus/
Failed Anti-
Virus Updates
- Regulated
Systems
(MSSP)
device vendor, device product
target zone name, target host
name, target address, and
regulated asset categories for
yesterday.
Report ArcSight
Virus/
Update
Summary
This report displays a summary
of the results of anti-virus update
activity by zones since yesterday.
Report ArcSight
Virus/
Errors
Detected in
Anti-Virus
Deployment
This report displays the hosts
reporting the most anti-virus
errors for the previous day and
includes the anti-virus product,
host details, error information,
and the number of errors.
Report ArcSight
Virus/
HIDS
Misconfigurati
ons
ration Changes/Device/IDS/
Configuration
Changes by
User
specific user.
Report ArcSight
ration

Update
Overview -
Regulated
Systems
(MSSP)
name, target address, device
vendor, device product, category
yesterday's events on assets
categorized as having a
regulation requirement.
Report ArcSight
Virus/
Top Infected
Systems
This report displays summaries of
the systems reporting the most
infections in the previous day.
Report ArcSight
Virus/
Configuration
Changes by
Type
certain type.
Report ArcSight
ration
NIDS
Misconfigurati
ons
Library Resources
Compliance
Requirement
Category
Network
Events
the category object starts with
Network or the category device
group starts with Network
Equipment.
Filter ArcSight
Class Filters/
Configuration
Modifications
content.
Filter ArcSight
Monitoring/
Update Events This filter identifies events
related to anti-virus product data
file updates.
Filter ArcSight
Virus/
Host IDS This resource has no description. Filter ArcSight
ation Changes/Device/IDS/
ArcSight
Events
Types
Anti-Virus
Events
/IDS/Host/Antivirus.
Filter ArcSight
Virus/

Network IDS This resource has no description. Filter ArcSight
ation Changes/Device/IDS/
Firewall This resource has no description. Filter ArcSight
ation
Identity
Management
Events
which the Category Device Group
starts with Identity Management.
Filter ArcSight
Class Filters/
AV - Found
Infected
This filter identifies all events
where the Category Device Group
the Category Outcome is Failure
/Found/Vulnerable.
Filter ArcSight
Virus/
Firewall
Events
This filter retrieves events with
the Firewall category device
group.
Filter ArcSight
Class Filters/
AV - Failed
Updates
This filter identifies all anti-virus
update events (based on the
Update Events filter), where the
Category Outcome is Failure.
Filter ArcSight
Virus/
Non-ArcSight
Events
Types
Configuration
Changes by
User
specific user.
Focused
Report
ArcSight
Virus/
Configuration
Changes by
Type
certain type.
Focused
Report
ArcSight
Virus/
Configuration
Changes by
User
specific user.
Focused
Report
ArcSight
Virus/

Configuration
Changes by
Type
certain type.
Focused
Report
ArcSight
Virus/
Configuration
Changes by
Type
certain type.
Focused
Report
ArcSight
Virus/
Configuration
Changes by
Type
certain type.
Focused
Report
ArcSight
Virus/
Configuration
Changes by
User
specific user.
Focused
Report
ArcSight
Virus/
Configuration
Changes by
User
specific user.
Focused
Report
ArcSight
Virus/
Failed Anti-
Virus Updates
This query identifies the device
vendor, device product target
and target address and time
(EndTime) from events that
match the AV - Failed Updates
filter.
Query ArcSight
Virus/
Update
Overview
(MSSP)
This query returns the customer,
host name, target address,
of the aggregated event count of
all events related to virus update
information files.
Query ArcSight
Virus/

Failed Anti-
Virus Updates
Chart -
Regulated
Systems
This query returns the target
zone name and the sum of the
events that match the AV - Failed
Updates filter.
Query ArcSight
Virus/
NIDS
Misconfigurati
ons
Failed Anti-
Virus Updates
- Regulated
Systems
This query returns the device
vendor, device product target
target address, and
regulated asset categories.
Query ArcSight
Virus/
Top Zones
with Anti-Virus
Errors
This query identifies data from
events where the Category
Device Group is
/IDS/Host/Antivirus, the
Category Object starts with
/Host/Application, the Category
Outcome is not Success and the
Category Significance starts with
Informational. The query returns
the zone and the number of
times the error occurred.
Query ArcSight
Virus/Errors/
Update
Summary -
Regulated
Systems
events that have the category
behavior of /Modify/Content, the
category object of
/Host/Application, the category
device group of
/IDS/Host/Antivirus, and target
assets that are categorized in one
of the regulated asset categories.
Query ArcSight
Virus/
Firewall
Configuration
Changes
ration
Failed Anti-
Virus Updates
- Regulated
Systems
(MSSP)
host name, target address, and
device product for all events in
the past 24 hours that have failed
to update virus information files
for any asset categorized with a
regulation compliance
requirement.
Query ArcSight
Virus/

Configuration
Changes
was made.
Query ArcSight
ration Changes/
Update
Summary
This query identifies the target
events that match the Update
Events filter.
Query ArcSight
Virus/
Top Infected
Systems
This query identifies data
matching the AV - Found Infected
filter (the Category Device Group
the Category Outcome is Failure
/Found/Vulnerable), and returns
the host zone and a count of the
infections per zone.
Query ArcSight
Virus/Top Infected
Systems/
Firewall
Misconfigurati
ons
ration
Infected
Systems
This query identifies data
matching the filter the AV - Found
Infected filter (the Category
Device Group starts with
Category Outcome is Failure and
the Category Behavior is
/Found/Vulnerable), and returns
the host information and a count
of the infections per host.
Query ArcSight
Virus/Top Infected
Systems/
Failed Anti-
Virus Updates
(MSSP)
host Name, target address, and
device product for all events in
the past 24 hours that have failed
to update virus information files.
Query ArcSight
Virus/
Update
Overview
Chart (MSSP)
This query returns the customer
name, target zone name,
of the aggregated event count
from events that match the
Update Events filter.
Query ArcSight
Virus/

Anti-Virus
Errors
Device Group is
Outcome is not Success and the
the priority, vendor information,
host information, error name,
and the number of times the
error occurred.
Query ArcSight
Virus/Errors/
Failed Anti-
Virus Updates
Chart (MSSP)
name and the sum of the
Updates filter.
Query ArcSight
Virus/
HIDS
Misconfigurati
ons
Update
Summary
Chart -
Regulated
Systems
zone name, category outcome,
and the sum of the aggregated
event count from events that
match the Update Events filter.
Query ArcSight
Virus/
Failed Anti-
Virus Updates
Chart -
Regulated
Systems
(MSSP)
name and the sum of the
Updates filter.
Query ArcSight
Virus/
Update
Overview
Chart -
Regulated
Systems
(MSSP)
name, target zone name,
of the aggregated event count
from events that match the
Update Events filter.
Query ArcSight
Virus/
Failed Anti-
Virus Updates
Chart
zone name and the sum of the
Updates filter.
Query ArcSight
Virus/

Update
Overview -
Regulated
Systems
(MSSP)
name, target address, device
vendor, device product, category
events that have the category
behavior of /Modify/Content, the
category object of
/Host/Application, the category
device group of
/IDS/Host/Antivirus, and target
assets that are categorized in one
of the regulated asset categories.
Query ArcSight
Virus/
Update
Summary
Chart
zone name, category outcome,
and the sum of the aggregated
event count from events that
match the Update Events filter.
Query ArcSight
Virus/
Top Anti-Virus
Errors
Device Group is
Outcome is not Success, and the
the error name and the number
of times the error occurred.
Query ArcSight
Virus/Errors/

User Configuration Changes
The User Configuration Changes resources provide information about user configuration by
identifying and monitoring user accounts and the hosts/addresses associated with them.
This ties a user to certain IP addresses, MAC addresses, host-names, zones, and so on. The
reports cover user account additions, modifications to those accounts, and account
removal.
Monitoring user account activity can show changes to user privileges and roles, as well as
user account creations or deletions. User account privileges should be associated with
adding or removing access to network resources that the user no longer requires, and
should be done by an administrator with the authority to change those privileges. Random
account modifications by unexpected sources are indications of a security concern.
Random creation or deletions of accounts are also suspect.
Resources
The following table lists all the resources in the User Configuration Changes resource group
and any dependant resources.
Table 3-6 Resources that Support the User Configuration Changes Group
Monitor Resources
User
Configuration
Modifications -
Today
This query viewer shows
related to users for the current
day.
Query
Viewer
ArcSight
ation Changes/
User
Configuration
Modifications -
Yesterday
This query viewer shows
related to users for the previous
day.
Query
Viewer
ArcSight
ation Changes/
Password
Changes by
Zone
the password changes for the
past 30 days.
Report ArcSight
ration
Changes/User/Modification/
Password/
Configuration
Changes per
User by Zone
Last Week
This report provides a view of
users that have made
configuration changes over the
past week (sorted by zone) and
the number of changes each user
made.
Report ArcSight
ration Changes/User/
Accounts
Deleted by
Host
user deletions over the previous
30 days, ordered by customer,
zone, and system. This report is a
Monitoring content.
Report ArcSight
ration
Changes/User/Deletion/

Password
Changes
This report shows password
changes for the previous day and
groups the password changes by
user sorted chronologically.
Report ArcSight
ration
Password/
User Removals
- Last 30 Days
of the user removals over the last
30 days. Focus this report on a
certain zone (use the FilterBy
parameter) to provide a
manageable and useful data set.
Report ArcSight
Summaries/
Most Common
Account Login
Failures by
Attacker User
(Yesterday)
This report displays the category
object, attacker address, attacker
asset name, attacker NT domain,
attacker user ID, attacker user
name, attacker zone name, and
the sum of the aggregated event
count.
Report ArcSight
ration Changes/User/Asset
Tracking/
By User
Account -
Accounts
Deleted
ration
By User
Account -
Accounts
Created
This report generates a table of
all user accounts created in the
last day.
Report ArcSight
ration
Changes/User/Creation/
VPN User
Account
Creation
This report shows all VPN user
account creations for the past 30
days. The fields Target Zone
Name, Target User ID, and
Attacker User Name are renamed
Zone, New Account, and Creator
in the report.
Report ArcSight
ration
Local Windows
User Creation
- Disallowed
Systems
attacker user name, target zone
name, target address, target
asset name, target user ID,
target user name, the day and
count for local Windows user
creations on disallowed systems
from the Local Windows User
Creation - Disallowed Systems
trend. Note: The Local Windows
User Creation - Disallowed
Systems trend is not enabled by
default.
Report ArcSight
ration
Configuration
Changes per
User Last
Week
This report provides a view of
users that have made
configuration changes over the
past week, sorted by the number
of changes each user made.
Report ArcSight

User Account
Modifications
This report shows an overview of
the user account modifications
for the past 30 days.
Report ArcSight
ration
AAA User
Account
Creation
This report shows all AAA user
account creation for the past 30
days.
Report ArcSight
ration
User Account
Creation
ration
AAA User
Account
Deletions -
Last 30 Days
This report displays a table of the
AAA user accounts that have
been deleted over the past 30
days, based on data collected in
the AAA User Account Deletions
trend. Note: The AAA User
Account Deletions Trend is not
enabled by default.
Report ArcSight
ration
User
Administration
This report shows a summary of
user and user group creation,
modification, and deletion.
Report ArcSight
Account
Creation by
Host - Last
Week
the account creation events seen
over the past week on your
monitored assets. Note: This
report detects host-local user
account creations, not
authentication service account
creations; therefore, the report
does not pick up user additions in
the Active Directory. The Account
Creation by Host trend is not
enabled by default. This report is
Monitoring content.
Report ArcSight
ration
Password
Changes by
System
past 30 days.
Report ArcSight
ration
Password/
Password
Changes by
User
past 30 days.
Report ArcSight
ration
Password/

Local Windows
User Creation
- Allowed Host
This rule detects the creation of a
local user on a Windows system.
If this rule triggers, the system
on which the user has been
created is present in the Local
User Allowed Systems active list.
Treat this alert as normal activity.
This rule is a part of the
Rule ArcSight
Monitoring/Detail/
Local Windows
User Creation
- Disallowed
Host
This rule detects the creation of a
local user on a Windows system.
If this rule triggers, the system
on which the user has been
created is not present in the
Local User Allowed Systems
active list. Treat this as
suspicious or hostile activity to be
investigated immediately. This
rule is a part of the Configuration
Monitoring content.
Rule ArcSight
Monitoring/Detail/
Library Resources
Local User
Allowed
Systems
This active list is used to specify
systems on which local user
creation activity is allowed. This
active list is part of the
Monitoring/
Business Role This is a site asset category. Asset
Category
Site Asset
Analysis
Microsoft This is a site asset category. Asset
Category
Site Asset
Categories/Operating
System
VPN.
Filter ArcSight
Class Filters/
User Account
Modifications
This filter identifies user account
modification events. The filter is
Monitoring content.
Filter ArcSight
ation Changes/User/
Configuration
Modifications
content.
Filter ArcSight
Monitoring/
User Account
Login
Attempts
This filter uses ArcSight
categories to choose events that
indicate user login attempts.
These might be successful or
failures.
Filter ArcSight
Tracking/

Failed User
Account Login
Attempts
categories to identify failed user
account login attempts.
Filter ArcSight
Tracking/
Successful
Password
Changes
This resource has no description. Filter ArcSight
ation Changes/User/
AAA User
Account
Creations
creation activity on AAA systems.
This filter is part of the
Filter ArcSight
ation Changes/Device/AAA/
User Account
Creations
addition events. The filter is a
Monitoring content.
Filter ArcSight
ation Changes/User/
Database
Events
the category object
Filter ArcSight
ation
ArcSight
Events
Types
VPN User
Account
Creations
This filter identifies events
showing VPN user account
creation information. The filter
uses the VPN User Configuration
Activity filter and looks for the
/Authentication/Add category
behavior.
Filter ArcSight
Identity
Management
Events
which the Category Device Group
starts with Identity Management.
Filter ArcSight
Class Filters/
Operating
System Events
Operating System.
Filter ArcSight
Class Filters/
AAA User
Configuration
Activity
This filter identifies user
configuration activity on AAA
systems. The filter is a part of the
Filter ArcSight
VPN User
Configuration
Activity
This filter identifies user
configuration activity on VPN
systems. This filter is a part of
content.
Filter ArcSight
AAA User
Account
Deletions
deletion activity on AAA systems.
This filter is part of the
Filter ArcSight

Non-ArcSight
Events
Types
User Account
Deletions
deletion events. This filter is a
Monitoring content.
Filter ArcSight
ation Changes/User/
User Account
Modifications -
Last 30 Days
This resource has no description. Focused
Report
ArcSight
Monitoring/SANS Top 5
Reports/3 - Unauthorized
Changes to Users, Groups
and Services/
Password
Changes
This report shows database
password changes for the
previous day and groups the
password changes by user, sorted
chronologically.
Focused
Report
ArcSight
ration
Password
Changes
chronologically.
Focused
Report
ArcSight
ration
Password
Changes - Last
30 Days
Report
ArcSight
and Services/
Password
Changes
chronologically.
Focused
Report
ArcSight
ration
User Account
Deletions -
Last 30 Days
Report
ArcSight
and Services/
User Account
Creations -
Last 30 Days
Report
ArcSight
and Services/
Password
Changes
chronologically.
Focused
Report
ArcSight
ration

Local Windows
User Creation
- Disallowed
Systems - on
Trend
attacker user name, target zone
name, target address, target
asset name, target user ID,
target user name, the day and
count for local Windows user
creations on disallowed systems
from the Local Windows User
Creation - Disallowed Systems
trend. Note: The Local Windows
User Creation - Disallowed
Systems trend is not enabled by
default.
Query ArcSight
ration
VPN User
Account
Creation Trend
This query on events restricted
by the VPN User Account
Creations filter retrieves the
customer, attacker user name,
attacker zone, target address,
target asset name, target host
name, target Nt domain, target
user ID, target user name, and
target zone for the VPN User
Account Creation trend.
Query ArcSight
ration
AAA User
Account
Deletions
Trend
attacker user name, attacker
zone, target address, target
asset name, target host name,
target Nt domain, target user ID,
and target user name for events
matching the AAA User Account
Deletions filter.
Query ArcSight
ration
Trend on AAA
User Account
Creation
This query on the AAA User
Account Creation trend retrieves
the customer name, attacker
user name, attacker zone name,
target address, target asset
name, target host name, target
Nt domain, target user ID, target
user name, and target zone
name for the AAA User Account
Creation report.
Query ArcSight
ration
User Removals This query retrieves user account
deletion data (restricted by the
User Account Deletions filter).
Query ArcSight
Summaries/
AAA User
Account
Creation Trend
This query retrieves events
passed by the AAA User Account
Creations filter, returning the
target zone for the AAA User
Account Creation trend.
Query ArcSight
ration

User Removals
on Trend
This query retrieves the user
account deletion data (restricted
by the User Account Deletions
filter), grouped by customer.
Query ArcSight
Summaries/
Trend on
Password
Modifications
This query returns data from the
Password Modifications trend for
use in the Password Changes by
<System/User/Zone> reports.
Query ArcSight
ration
Password/
Password
Changes
ration
Password/
Account
Creation by
Host on Trend
This query on the Account
Creation by Host trend provides a
listing of the account creation
events seen within the past week
on your monitored assets. Note:
The Account Creation by Host
trend is not enabled by default.
This query is a part of the
Query ArcSight
ration
User Account
Creation Trend
by the User Account Creations
filter returns the customer,
zone, target address, target
asset name, target host name,
target Nt domain, target user ID,
target user name, and target
zone for the User Account
Creation trend.
Query ArcSight
ration
Account
Creation by
Host
This query provides a listing of
the account creation events seen
within the past day on your
monitored assets. Note: This
query retrieves host-local user
account creations, instead of
creations so that it does not
retrieve user additions in the
Active Directory. This query is a
Monitoring content.
Query ArcSight
ration
User
Configuration
Modifications
This query returns the previous
day of configuration modification
events related to users.
Query ArcSight
ration Changes/
By User
Account -
Accounts
Deleted
ration

Assets with
Recent
Configuration
Modifications
by Vendor and
Product
about a day's worth of
configuration changes to your
various assets. The data
retrieved includes information
about the asset affected, the
asset causing the change (if
any), and the vendor and product
information about the asset that
was changed.
Query ArcSight
Monitoring/Details/
Password
Modifications
Trend
by the Successful Password
Changes filter returns the
attacker user ID, attacker user
name, attacker zone, target
address, target asset ID, target
asset name, target Nt domain,
target user ID, target user name,
target zone, and sums the
aggregated event count for use in
the Password Modifications trend.
Query ArcSight
ration
Password/
Most Common
Account Login
Failures by
Attacker User
(Yesterday)
This query returns the category
object, attacker Address,
attacker asset name, attacker Nt
domain, attacker user ID,
zone name, and the sum of the
aggregated event count for
events matching the Failed User
Account Login Attempts filter.
Query ArcSight
Tracking/
Accounts
Deleted by
Host Trend
by the User Account Deletions
filter provides a listing of the
users deleted over the time
interval by System & Zone for the
Accounts Deleted by Host trend.
Query ArcSight
ration
User Account
Modifications
Trend
The query on events restricted by
the User Account Modifications
filter retrieves the customer,
target zone, target address,
target asset ID, target asset
name, name, target user ID,
target user name, aggregated
event count and end time for the
User Account Modifications trend.
Query ArcSight
ration
Trend on User
Account
Modifications
This query on the User Account
Modifications trend returns data
for use in the User Account
Modifications report.
Query ArcSight
ration

Trend on VPN
User Account
Creation
This query on the VPN User
Account Creation trend retrieves
the customer, target zone name,
target user ID, and attacker user
name for the VPN User Account
Creation report. The fields Target
Zone Name, Target User ID, and
Attacker User Name are renamed
Zone, New Account, and Creator
in the report.
Query ArcSight
ration
Trend on User
Account
Creation
This query on the User Account
Creation trend returns the
target zone for the User Account
Creation report.
Query ArcSight
ration
By User
Account -
Accounts
Created
This query retrieves events
meeting the conditions Category
Behavior = /Authentication/Add
and Category Outcome =
/Success, selecting End Time,
Target User Name, Attacker User
Name, Name, Target Zone Name
and Target Host Name for the By
User Account - Accounts Created
report.
Query ArcSight
ration
User
Administration
(Chart)
user (and user group) creations,
modifications, and deletions.
Query ArcSight
ration
Changes/Device/Operating
System/
Local Windows
User Creation
- Disallowed
Systems
attacker user name, target zone,
name, target user ID, target user
name, the day and the sum of
the aggregated event count for
successful local Windows user
creations on disallowed systems.
Query ArcSight
ration
Users That
Performed
Configuration
Modifications
Past Week
This query retrieves a list of the
users that performed
configuration modifications to
assets in the past week.
Query ArcSight
User
Administration
This query returns the user (and
user group), creation,
modification, and deletion
events.
Query ArcSight
ration
Changes/Device/Operating
System/

AAA User
Account
Deletions on
Trend
This query retrieves the
user ID, and target user name
from AAA User Account Deletions
trend. Note: The AAA User
Account Deletions trend is not
enabled by default.
Query ArcSight
ration
Local Windows
User Creation
- Disallowed
Systems
This trend collects the customer,
attacker user name, target zone,
name, target user ID, target user
name, the day and the sum of
the aggregated event count for
successful local Windows user
creations on disallowed systems.
Note: This trend is not enabled
by default.
Trend ArcSight
Monitoring/User Account
Modifications/
User Removals This trend collects user account
deletion data, restricted by the
User Account Deletions filter.
Trend ArcSight
Modifications/
AAA User
Account
Deletions
This trend collects information
about AAA User Accounts that
have been deleted. Note: This
trend is not enabled by default.
Trend ArcSight
Modifications/
Account
Creation by
Host
This trend collects a listing of the
account creation events seen
over the past day on your
monitored assets. Note: The
query retrieves host-local user
account creations instead of
creations so that the trend does
not collect user additions in the
Active Directory. Note: The trend
data fields are renamed for
clarity when creating reports.
This trend is not enabled by
default.
Trend ArcSight
Modifications/
Password
Modifications
This trend collects data for
monitoring password changes,
including the ID for which the
password was changed and the
ID of the user making the
change. Note: This trend is not
enabled by default.
Trend ArcSight
Modifications/
VPN User
Account
Creation
This trend collects information
about the creation of VPN user
accounts. Note: This trend is not
enabled by default.
Trend ArcSight
Modifications/

User Account
Creation
This trend collects data for the
User Account Creation report.
Trend ArcSight
Modifications/
User Account
Modifications
This trend collects data relevant
to tracking modifications to user
accounts, specifically for the User
Account Modifications report.
Trend ArcSight
Modifications/
Assets with
Recent
Configuration
Modifications
(Daily)
This trend retrieves changes to
assets within the last day and
stores information about the
change itself as well as who
made the change.
Trend ArcSight
Monitoring/Asset
Tracking/
AAA User
Account
Creation
This trend collects data for the
AAA User Account Creation
report. Note: This trend is not
enabled by default.
Trend ArcSight
Modifications/

Vulnerabilities
The Vulnerabilities resources provide an overview about current vulnerabilities on systems.
Devices
The following device type can supply events that apply to the Vulnerabilities resource
group:
 Vulnerability scanners
Resources
The following table lists all the resources in the Vulnerabilities resource group and any
dependant resources.
Table 3-7 Resources that Support the Vulnerabilities Group
Monitor Resources
High-Priority
Scan Events
Directed
Toward High-
Criticality
Assets - Today
This query viewer displays
today's scan results for a view
into high-priority vulnerabilities
detected on highly-critical assets.
Query
Viewer
ArcSight
Summaries/Asset
Vulnerability Scans/
High-Priority
Scan Events
Directed
Toward High-
Criticality
Assets -
Yesterday
This query viewer displays
yesterday's scan results for a
view into high-priority
vulnerabilities detected on
highly-critical assets.
Query
Viewer
ArcSight
Summaries/Asset
10 Most
Vulnerable
Assets in
Confidential
Data Group
Monitoring/Details/Vulnera
bilities/
Exposed
Vulnerabilities
by Zone Trend
- Last 90 Days
This report provides a chart view
of the exposed vulnerabilities
across your top vulnerable zones
over the course of a week. If you
patch on a monthly or longer
basis, use the reports with longer
periods.
Report ArcSight
bilities/Critical Assets/
High-Priority
Vulnerabilities
Detected on
Critical Assets
- Yesterday
This report displays scan events
from yesterday where the priority
of the scan event is greater than
5 (fairly severe) and the target
asset has been categorized with a
high or very-high criticality.
Report ArcSight
bilities/
Exposed
Vulnerabilities
by Asset
This report shows a table of
exposed vulnerabilities by asset.
Report ArcSight
bilities/

Top 10 Assets
by Exposed
Vulnerability
Counts
bilities/
Vulnerability
Exposure by
Asset
Criticality -
Current Month
This report provides a weekly
view into the vulnerability
exposure trend of your critical
assets for the current month.
Note: If you run this report
before the first trend run of the
month, there will be no data.
Report ArcSight
Exposed
Vulnerability
Count by
Asset
This report lists the count of
vulnerabilities per asset and the
ten assets with the most exposed
vulnerabilities.
Report ArcSight
bilities/
All
Vulnerabilities
in Email and
Web Server
Assets
bilities/
Exposed
Vulnerabilities
by Zone Trend
- Last Month
over the course of a month. If
you patch on a monthly or longer
basis, use the reports with longer
periods.
Report ArcSight
Exposed
Vulnerabilities
by Zone Trend
- Last Week
over the course of a week. If you
patch on a monthly or longer
basis use the reports with longer
periods.
Report ArcSight
Top 10
Exposed
Vulnerabilities
by Asset
Counts
bilities/
Blaster
Vulnerable
Hosts
bilities/
All Exposed
Vulnerabilities
bilities/

Top
Vulnerability
Exposure of
Critical Assets
This report displays the top 1000
assets by vulnerability count for
the past seven days from the Top
Vulnerability Exposure of Critical
Assets trend. Note: If you have
fewer than 1000 assets, there
might be more than seven days
worth of data selected.
Report ArcSight
Vulnerabilities
of Assets in
North America
bilities/
Warning -
Vulnerable
Software
This rule detects vulnerable
software. The rule triggers
whenever a vulnerable
application or operating system is
found. The vulnerability should
not be a scan vulnerability. On
the first event, a notification is
sent to SOC operators.
Rule ArcSight
Monitoring/Detail/Vulnerab
ilities/
Warning -
Insecure
Configuration
This rule detects insecure object
configuration. The rule triggers
whenever an insecure object is
found or a security check fails.
On the first event, a notification
is sent to SOC operators.
Rule ArcSight
ilities/
Library Resources
Address
Spaces
Category
Protected This is a site asset category. Asset
Category
Site Asset
Categories/Address Spaces
Port 135 This is a site asset category. Asset
Category
Site Asset Categories/Open
Port/TCP
Web Server This is a site asset category. Asset
Category
Site Asset
e
Category
Port/TCP
Email This is a site asset category. Asset
Category
Site Asset
e
Category
Port/TCP
Category
Confidential
Data
Category
Site Asset
Analysis/Data Role

High This is a system asset category. Asset
Category
System Asset
North America This is a site asset category. Asset
Category
Site Asset
Categories/Location
Very High This is a system asset category. Asset
Category
System Asset
High-Priority
Scan Event for
Critical Asset
This filter identifies vulnerability
scan events that indicate that a
high-priority vulnerability was
detected on a system you have
marked with high or very-high
criticality.
Filter ArcSight
ilities/
Vulnerability
Exposure by
Asset
Criticality -
Last 3 Months
assets for the previous 3 months.
This report is based on the
Vulnerability Exposure by Asset
Criticality - Current Month report.
Focused
Report
ArcSight
Exposed
Vulnerability
Count by
Critical Asset
This report shows a table of
exposed vulnerabilities on assets
categorized as high criticality.
Focused
Report
ArcSight
Vulnerability
Exposure by
Asset
Criticality -
Last 6 Months
assets for the previous 6 months.
The report is based on the
Criticality - Current Month report,
Focused
Report
ArcSight
Vulnerability
Exposure by
Asset
Criticality -
Trend Query -
Snapshot
This query on assets that have
been categorized under /All Asset
Categories/System Asset
Categories/Criticality, returns the
address, device zone ID, device
zone name, name, a count of
vulnerability, and the
GetCriticality variable for the
Criticality trend. Note: This query
returns up to 10,000 (the default
Row Limit) assets with the
highest number of vulnerabilities
(ORDER BY COUNT(Vulnerability)
DESC. If you are using this query
to populate a trend (as in the
Criticality trend that is part of the
Configuration Monitoring
Standard Content), this Row
Limit will be overridden by the
Row Limit of the trend when it
runs.
Query ArcSight

10 Most
Vulnerable
Assets in
Confidential
Data Group
bilities/
Top 10 Assets
by Exposed
Vulnerability
Counts
bilities/
High-Priority
Scan Events
Directed
Toward High-
Criticality
Assets
This query returns yesterday's
scan results for a view into high-
priority vulnerabilities detected
on highly-critical assets.
Query ArcSight
Summaries/Asset
Vulnerability
Exposure of
Critical Assets
on Trend
This query retrieves the top 1000
assets by vulnerability count from
the Vulnerability Exposure of
Critical Assets trend, to be used
in the Top Vulnerability Exposure
of Critical Assets trend.
Query ArcSight
Exposed
Vulnerabilities
by Zone Trend
- Last Week
This query on the Vulnerability
Exposure of High and Very-High
Criticality Assets by Zone - Trend
Query returns the count of
vulnerability, device zone name,
and timeStamp for the Exposed
Vulnerabilities by Zone Trend -
<various time periods> reports.
Query ArcSight
All Exposed
Vulnerabilities
bilities/
Top 10
Exposed
Vulnerabilities
by Asset
Counts
bilities/
Vulnerabilities
of Assets in
North America
bilities/
Exposed
Vulnerabilities
- High and
Very High
Criticality
Assets by
Zone - Trend
Query
This query tracks how many
vulnerabilities highly and very-
highly critical systems have over
time, by zone. The query is most
often used directly by a trend to
store a daily snapshot of the
information. To reduce storage
requirements, this query only
retrieves a count of the number
of vulnerabilities in these zones,
not the full list of vulnerabilities.
Query ArcSight

Exposed
Vulnerability
Count by
Asset
bilities/
All
Vulnerabilities
in Email and
Web Server
Assets
bilities/
Top
Vulnerability
Exposure of
Critical Assets
on Trend
This query returns the top 1000
assets by vulnerability count for
the past seven days from the Top
Assets trend for the Top
Assets report.
Query ArcSight
Blaster
Vulnerable
Hosts
bilities/
Vulnerability
Exposure by
Asset
Criticality
This query retrieves a set of
snapshot points providing
vulnerability counts for critical
assets.
Query ArcSight
Exposed
Vulnerabilities
by Asset
bilities/
High-Priority
Vulnerabilities
Detected on
Critical Assets
- Yesterday
This query retrieves scan events
from yesterday where the priority
of the scan event is greater than
five (fairly severe) and the target
asset has been categorized as
high or very-high criticality.
Query ArcSight
bilities/
Exposed
Vulnerabilities
- High and
Very High
Criticality
Assets - Trend
Query
This query tracks how many
vulnerabilities highly and very-
highly critical systems have over
time. The query is most often
used directly by a trend to store a
daily snapshots of the
information. To reduce the
storage requirements, this query
only retrieves a count of the
number of vulnerabilities on
these assets, not the full list of
vulnerabilities.
Query ArcSight

Vulnerability
Exposure by
Asset
Criticality
This trend provides a weekly
snapshot of the vulnerability
counts of assets marked as
having criticality. The default
snapshot size (Row Limit) for this
trend is 50,000. If you have
significantly more assets than
this, increase this number to
match your environment. Note:
You do not need to adjust the
Row Limit for the query that
feeds this trend (Vulnerability
Exposure by Asset Criticality -
Trend Query - Snapshot), the
trend overrides the query's Row
Limit parameter when it runs.
Trend ArcSight
Monitoring/Vulnerability
Tracking/
Vulnerability
Exposure of
High and Very-
High Criticality
Assets by
Zone - Daily
Trend
This trend collects a weekly
snapshot of the assets used to
track how many vulnerabilities
highly and very-highly critical
systems have over time, by zone.
To reduce storage requirements,
this trend only collects a count of
the number of vulnerabilities in
these zones, not the full list of
vulnerabilities. Note: This trend is
not enabled by default.
Trend ArcSight
Tracking/
Vulnerability
Exposure of
Critical Assets
on the vulnerability exposure of
your assets that have been
categorized as highly or very-
highly critical. The trend includes
information about the asset and a
count of the number of
vulnerabilities it currently
exposes.
Trend ArcSight
Tracking/
Top
Vulnerability
Exposure of
Critical Assets
This trend collects the top 1000
assets by vulnerability count from
the Vulnerability Exposure of
Critical Assets trend, to be used
in the Top Vulnerability Exposure
of Critical Assets report.
Trend ArcSight
Tracking/
CVE - CAN-
2003-0605
This resource has no description. Vulnerabilit
y
CVE/

Appendix A
Upgrading Standard Content
This appendix discusses the following topics.
Preparing Existing Content for Upgrade
The majority of standard content does not need configuration and does not require special
preparation for upgrade. Upgrade preparation is recommended only for content that has
been configured and for which configuration is not preserved after the upgrade.
Configurations Preserved During Upgrade
The following resource configurations are preserved during the upgrade process. No
restoration is required for these resources after the upgrade.
 Asset modeling for network assets, including:
 Assets, and asset groups and their settings
 Asset categories applied to assets and asset groups
 Vulnerabilities applied to assets
 Custom zones
 SmartConnectors
 Users and user groups
 Report schedules
 Notification destinations and priority settings
 Cases
Configurations that Require Restoration After Upgrade
The following resource configurations require restoration after upgrade.
 Any standard content resource that you have modified, including active lists
 Any custom content or special modifications not already described in this document
(including customizations performed by ArcSight Professional Services)
“Preparing Existing Content for Upgrade” on page 69
“Performing the Upgrade” on page 70
“Checking and Restoring Content After Upgrade” on page 70

A Upgrading Standard Content
Backing Up Existing Resources Before Upgrade
To help the process of reconfiguring resources that require restoration after upgrade, back
up the resources you identify in “Configurations that Require Restoration After Upgrade” on
page 69 and export them in a package. After upgrade, you can re-import the package and
use the existing resources as a reference for restoring the configurations to the upgraded
environment.
To create a backup of the resources that require restoration after upgrade:
1 For each resource type (filter, rule, active list), create a new group under your personal
group. Provide a name that identifies the contents.
 Right-click your group name and select New Group.
2 Copy the resources into the new group. Repeat this process for every resource type
you want to back up.
 Select the resources you want to back up and drag them into the backup folder
you created in Step 1. In the Drag & Drop Options dialog box, select Copy.
3 Export the backup groups in a package.
 In the Navigator panel Packages tab, right-click your group name and select New
Package. In the Packages editor in the Inspect/Edit panel, name the package to
identify the contents.
Performing the Upgrade
After exporting a copy of the configured resources in a backup package, you are ready to
perform the upgrade the process. Refer to the ESM upgrade documentation for upgrade
procedures.
Checking and Restoring Content After Upgrade
After the upgrade is complete, perform the following checks to verify that all your content
has been transferred to the new environment successfully.
Before you back up existing resources, run the resource validator
(resvalidate.bat) located on the ESM Manager in
<ARCSIGHT_HOME>binscripts to check that the resources are working
correctly before the upgrade. This prevents you from attributing broken
resources with the upgrade.
During the upgrade process, the content is run through a resource validator
automatically (see “Fixing Invalid Resources” on page 71).
Copy and paste configurations from the old resources to the new
Instead of overwriting the new resources with backup copies of the old ones,
copy and paste configurations from the old resources one by one into the new
ones. This procedure ensures that you preserve your configurations without
overwriting any improvements provided in the upgrade.

Verifying and Reapplying Configurations
Verify and restore standard content after upgrade.
1 Verify that your configured resources listed in the section “Configurations Preserved
During Upgrade” on page 69 retained their configurations as expected.
2 Reconfigure the resources that require restoration.
a Re-import the package you created in “Backing Up Existing Resources Before
Upgrade” on page 70.
b One resource at a time, copy and paste the configurations preserved in the
package of copied resources into the new resources installed with the upgrade.
Copying your configurations one resource at a time instead of overwriting the new
resources with the old ensures that you retain your configurations without
overwriting any improvements provided with the upgraded content.
Verifying Customized Content
It is possible during upgrade that updates to the standard content cause resources you
created to work in a way that is not intended. For example, a rule might trigger too often
or not at all if it uses a filter in which conditions have been changed.
To verify that the resources you rely upon work as expected, check the following:
 Trigger events. Send events that you know trigger the content through the system
using the Replay with Rules feature. For more about this feature, refer to the ArcSight
Console User’s Guide or the ESM online Help.
 Check Live Events. Check the Live or All Events active channel to verify if the
correlation event is triggered. Check that the data monitors you created are returning
the expected output based on the test events you send through.
 Verify notification destinations. Verify that notifications are sent to the recipients
in your notification destinations as expected.
 Verify active lists. Check that any active lists you have created to support your
content are gathering the replay with rules data as expected.
 Repair any invalid resources. During the upgrade process, the resource validator
identifies any resources that are rendered invalid (conditions that no longer work)
during the upgrade. Find invalid resources and fix their conditions as appropriate. For
more about invalid resources, see Fixing Invalid Resources, below.
Fixing Invalid Resources
During the upgrade process, the content is run through a resource validator, which
verifies that the values expressed in the resource condition statement still apply to
the resource in its new format, and that any resources upon which it depends are
still present and also valid. The resource validator runs on any resource that contains a
condition statement or populates the asset model, such as:
 Active channels
 Filters
 Data Monitors
 Rules
 Report queries and schedules
 Assets and Asset ranges

 Zones
It is possible that during upgrade, the condition statement for a resource you created or
modified becomes invalid. For example, if the schema of an ArcSight-supplied active list
changes from one release to another and a resource you created reads entries from this
list, the condition statement in the created resource no longer matches the schema of the
active list, and the logic is invalid.
When the installer performs the resource validation check and finds an invalid resource, it
identifies why the resource is invalid in the report it generates at the end of the upgrade.
The upgrade installer also lets you choose to save the reason the resource is invalid in the
database (Persist conflicts to the database=TRUE). If you choose this option, the
upgrade installer:
 Saves the reason the resource is found to be invalid in the database so you can
generate a list of invalid resources that you can use later to repair the problems
manually.
 Disables the resource so it does not try to evaluate live events in its invalid state.
If you choose not to save the reasons the resource is invalid in the database (Persist
conflicts to the database=FALSE), the resources remain enabled, which means they try
to evaluate the event stream in their invalid state.
If you choose not to persist conflicts to the database and disable invalid
resources, the Manager might throw exceptions when the invalid resources
try to evaluate live events.

Index
Numerics
10 Most Vulnerable Assets in Confidential Data Group
query 65
10 Most Vulnerable Assets in Confidential Data Group re-
port 61
A
AAA User Account Creation report 51
AAA User Account Creation trend 60
AAA User Account Creation Trend query 55
AAA User Account Creations filter 53
AAA User Account Deletions - Last 30 Days report 51
AAA User Account Deletions filter 53
AAA User Account Deletions on Trend query 59
AAA User Account Deletions trend 59
AAA User Account Deletions Trend query 55
AAA User Configuration Activity filter 53
Account Creation by Host - Last Week report 51
Account Creation by Host on Trend query 56
Account Creation by Host query 56
Account Creation by Host trend 59
Accounts Deleted by Host report 49
Accounts Deleted by Host Trend query 57
active lists
Assets with Recent Configuration Modifications 20,
25
general configuration 11, 13
Local User Allowed Systems 52
Address Spaces asset category 63
All Device Information is NULL filter 28, 37
All Events filter 17, 27, 36, 42, 53, 64
All Exposed Vulnerabilities query 65
All Exposed Vulnerabilities report 62
All Revenue Generating Assets query 38
All Revenue Generating Assets report 33
All Vulnerabilities in Email and Web Server Assets query
66
All Vulnerabilities in Email and Web Server Assets report
62
Anti-Virus Errors query 47
Anti-Virus Events filter 42
Application asset category 26, 34
ArcSight Administration
overview 5
ArcSight Events filter 22, 27, 36, 42, 53
ArcSight Foundations overview 5
ArcSight System
overview 5
asset categories
Address Spaces 63
Application 26, 34
Business Role 34, 52
Compliance Requirement 42
Confidential Data 63
Criticality 17, 26, 34, 63
Data Role 34
Email 34, 63
High 17, 64
Microsoft 52
North America 64
Open Port 26
Operating System 26, 34
Port 135 63
Port 139 63
Port 445 63
Protected 63
Revenue Generation 34
Scanned 26
Very High 17, 64
Web Server 34, 63
Asset Startup and Shutdown Event Log - Last Day report
16
Asset Startup and Shutdown Events - Daily Trend trend
19
Asset Startup and Shutdown Log - Last Week report 16
Assets resource group 16
Assets Restarting Twice or More - Last Week report 16
Assets with Applications query 38
Assets with Applications report 34
Assets with Configuration Changes - Last Day report 24
Assets with Configuration Changes - Past Week report 24
Assets with Configuration Modifications- Last 7 Days
query 30
Assets with Configuration Modifications- Last Day query
29
Assets with Recent Configuration Modifications (Daily)
trend 31, 60
Assets with Recent Configuration Modifications active list
20, 25
Assets with Recent Configuration Modifications by Ven-
dor and Product query 30, 57
AV - Failed Updates filter 43
AV - Found Infected filter 43
B
Blaster Vulnerable Hosts query 66
Blaster Vulnerable Hosts report 62
Business Role asset category 34, 52
By User Account - Accounts Created query 58
By User Account - Accounts Created report 50
By User Account - Accounts Deleted query 56

Index
By User Account - Accounts Deleted report 50
C
Cisco - IOS Configuration Changed rule 25
Compliance Requirement asset category 42
Confidential Data asset category 63
Configuration
Configuration Monitoring Foundation 10
configuration
active lists 11, 13
Configuration Changes by Type focused report 29, 37,
43, 44
Configuration Changes by Type report 24, 33, 42
Configuration Changes by User focused report 28, 37,
43, 44
Configuration Changes by User report 24, 32, 41
Configuration Changes by Zone Last Week Trend Query
query 29
Configuration Changes Overview dashboard 20
Configuration Changes Overview resource group 20
Configuration Changes per User by Zone Last Week re-
port 49
Configuration Changes per User Last Week report 50
Configuration Changes query 30, 38, 46
Configuration Modifications filter 21, 27, 36, 42, 52
Configuration Monitoring Foundation
Configuration 10
content packages 6
Critical Asset Startup and Shutdown Event Log - Last Day
report 16
Critical Asset Startup and Shutdown Trend report 16
Critical Host Shutdown Detected rule 17
Critical System Startup and Shutdown Events - By Zone
and Asset query 18
Critical System Startup and Shutdown Events - Daily
Trend trend 19
Critical System Startups and Shutdowns - Trend Query
query 18
Criticality asset category 17, 26, 34, 63
Current Asset Configurations query 31
Current Asset Configurations report 25
CVE - CAN-2003-0605 vulnerability 67
D
dashboards
Configuration Changes Overview 20
Database Errors 32
Host Configuration Modifications 23
Host Problems Overview 32
data monitors
Host Configuration Change Event Counts by Zone
26
Host Problem Event Counts by Zone 35
Last 10 Database Configuration Changes 20
Last 10 Database Errors 34
Last 10 Firewall Configuration Changes 21
Last 10 Network Configuration Changes 21
Last 10 VPN Configuration Changes 21
Last 20 Host Configuration Modification Events 26
Last 20 Host Problems 35
Most Common Host Configuration Change Events
26
Most Common Host Problem Events 35
Top 10 Database Errors 35
Data Role asset category 34
Database Configuration Changes filter 21
Database Errors and Warnings (Chart) query 30, 38
Database Errors and Warnings query 31, 39
Database Errors and Warnings report 24, 33
Database Errors dashboard 32
Database Errors filter 36
Database Events filter 22, 36, 53
Device Configuration Changes resource group 23
Device Configuration Changes use case 22
Device Vendor AND Product are NULL filter 28, 37
Device Vendor OR Product is NULL filter 28, 37
Device Version is NULL filter 27, 36
DeviceInfo global variable 27, 35
E
Email asset category 34, 63
Errors Detected in Anti-Virus Deployment report 41
Exposed Vulnerabilities - High and Very High Criticality
Assets - Trend Query query 66
Exposed Vulnerabilities - High and Very High Criticality
Assets by Zone - Trend Query query 65
Exposed Vulnerabilities by Asset query 66
Exposed Vulnerabilities by Asset report 61
Exposed Vulnerabilities by Zone Trend - Last 90 Days re-
port 61
Exposed Vulnerabilities by Zone Trend - Last Month re-
port 62
Exposed Vulnerabilities by Zone Trend - Last Week query
65
Exposed Vulnerabilities by Zone Trend - Last Week re-
port 62
Exposed Vulnerability Count by Asset query 66
Exposed Vulnerability Count by Asset report 62
Exposed Vulnerability Count by Critical Asset focused re-
port 64
F
Failed Anti-Virus Updates - Regulated Systems (MSSP)
query 45
Failed Anti-Virus Updates - Regulated Systems (MSSP)
report 41
Failed Anti-Virus Updates - Regulated Systems query 45
Failed Anti-Virus Updates - Regulated Systems report 41
Failed Anti-Virus Updates (MSSP) query 46
Failed Anti-Virus Updates (MSSP) report 41
Failed Anti-Virus Updates Chart - Regulated Systems
(MSSP) query 47
Failed Anti-Virus Updates Chart - Regulated Systems
query 45
Failed Anti-Virus Updates Chart (MSSP) query 47
Failed Anti-Virus Updates Chart query 47
Failed Anti-Virus Updates query 44
Failed Anti-Virus Updates report 40
Failed User Account Login Attempts (Yesterday) query
18
Failed User Account Login Attempts filter 17, 53
filters
AAA User Account Creations 53
AAA User Account Deletions 53
AAA User Configuration Activity 53
All Device Information is NULL 28, 37

Index
All Events 17, 27, 36, 42, 53, 64
Anti-Virus Events 42
ArcSight Events 22, 27, 36, 42, 53
AV - Failed Updates 43
AV - Found Infected 43
Configuration Modifications 21, 27, 36, 42, 52
Database Configuration Changes 21
Database Errors 36
Database Events 22, 36, 53
Device Vendor AND Product are NULL 28, 37
Device Vendor OR Product is NULL 28, 37
Device Version is NULL 27, 36
Failed User Account Login Attempts 17, 53
Firewall 43
Firewall Configuration Changes 21
Firewall Events 22, 43
High-Priority Scan Event for Critical Asset 64
Host Configuration Modifications 28, 37
Host IDS 42
Host Problems 36
Identity Management Events 43, 53
Network Configuration Changes 21
Network Events 21, 42
Network IDS 43
Non-ArcSight Events 22, 28, 37, 43, 54
Operating System Events 53
Router 28
Successful Configuration Changes 21
Successful Password Changes 53
Successful User Account Login Attempts 17
Switch 28
System Shutdown Events 17
System Startup Events 17
Target Address is NULL 27, 36
Target Host Name is NULL 27, 36
Target Information is NULL 27, 36
Target Port is NULL 27, 36
Target Zone AND Host are NULL 28, 37
Target Zone AND Host are NULL but Address is NOT
NULL 27, 36
Target Zone is NULL 28, 37
Target Zone OR Host is NULL 28, 37
Update Events 42
User Account Creations 53
User Account Deletions 54
User Account Login Attempts 17, 52
User Account Modifications 52
Virtual Private Network 27
VPN Configuration Changes 21
VPN Events 21, 27, 52
VPN User Account Creations 53
VPN User Configuration Activity 53
Firewall Configuration Changes filter 21
Firewall Configuration Changes query 45
Firewall Configuration Changes report 40
Firewall Events filter 22, 43
Firewall filter 43
Firewall Misconfigurations query 46
Firewall Misconfigurations report 41
focused reports
Configuration Changes by Type 29, 37, 43, 44
Configuration Changes by User 28, 37, 43, 44
Exposed Vulnerability Count by Critical Asset 64
Password Changes 54
Password Changes - Last 30 Days 54
User Account Creations - Last 30 Days 54
User Account Deletions - Last 30 Days 54
User Account Modifications - Last 30 Days 54
Vulnerability Exposure by Asset Criticality - Last 3
Months 64
Vulnerability Exposure by Asset Criticality - Last 6
Months 64
G
global variables
DeviceInfo 27, 35
TargetHost 26, 35
H
HIDS Misconfigurations query 47
HIDS Misconfigurations report 41
High asset category 17, 64
High-Priority Scan Event for Critical Asset filter 64
High-Priority Scan Events Directed Toward High-Critical-
ity Assets - Today query viewer 61
ity Assets - Yesterday query viewer 61
ity Assets query 65
High-Priority Vulnerabilities Detected on Critical Assets -
Yesterday query 66
High-Priority Vulnerabilities Detected on Critical Assets -
Yesterday report 61
Host Configuration Change Event Counts by Zone data
monitor 26
Host Configuration Events By Zone query 39
Host Configuration Events By Zone report 33
Host Configuration Modifications - Today query viewer
23
Host Configuration Modifications - Yesterday query view-
er 23
Host Configuration Modifications by Customer query 31
Host Configuration Modifications by Customer report 24
Host Configuration Modifications by OS query 29
Host Configuration Modifications by OS report 24
Host Configuration Modifications dashboard 23
Host Configuration Modifications filter 28, 37
Host Configuration Modifications on Trend query 30
Host Configuration Modifications query 29
Host Configuration Modifications Summary query 31, 38
Host Configuration Modifications Summary report 23
Host Configuration Modifications trend 31, 39
Host IDS filter 42
Host Problem Event Counts by Zone data monitor 35
Host Problems filter 36
Host Problems Overview dashboard 32
Host Summary by Business Role query 38
Host Summary by Business Role report 33
Host Summary by Criticality query 38
Host Summary by Criticality report 33
Host Summary by Data Role query 38
Host Summary by Data Role report 34
Host Summary by Operating System query 38
Host Summary by Operating System report 34
Hosts and Applications Overview resource group 32

Index
I
Identity Management Events filter 43, 53
Infected Systems query 46
invalid resources 71
L
Last 10 Database Configuration Changes data monitor
20
Last 10 Database Errors data monitor 34
Last 10 Firewall Configuration Changes data monitor 21
Last 10 Network Configuration Changes data monitor 21
Last 10 VPN Configuration Changes data monitor 21
Last 20 Host Configuration Modification Events data
monitor 26
Last 20 Host Problems data monitor 35
Local User Allowed Systems active list 52
Local Windows User Creation - Allowed Host rule 52
Local Windows User Creation - Disallowed Host rule 52
Local Windows User Creation - Disallowed Systems - on
Trend query 55
Local Windows User Creation - Disallowed Systems query
58
Local Windows User Creation - Disallowed Systems re-
port 50
Local Windows User Creation - Disallowed Systems trend
59
M
Mail Servers query 39
Mail Servers report 33
Microsoft asset category 52
Misconfigurations query 29, 30, 31
Misconfigurations report 23, 24
Most Common Account Login Attempts - Daily Trend
trend 19
Most Common Account Login Attempts - Last Day query
18
Most Common Account Login Attempts Trend - Last
Week query 18
Most Common Account Login Failures by Attacker User
(Yesterday) query 57
Most Common Account Login Failures by Attacker User
(Yesterday) report 50
Most Common Account Logins by Target User (Yester-
day) query 17
Most Common Host Configuration Change Events data
monitor 26
Most Common Host Problem Events data monitor 35
N
Network Configuration Changes filter 21
Network Events filter 21, 42
Network IDS filter 43
NIDS Misconfigurations query 45
NIDS Misconfigurations report 42
Non-ArcSight Events filter 22, 28, 37, 43, 54
North America asset category 64
O
Open Port asset category 26
Operating System asset category 26, 34
Operating System Events filter 53
P
packages
deleting 10
installing 9
uninstalling 9
Password Changes - Last 30 Days focused report 54
Password Changes by System report 51
Password Changes by User report 51
Password Changes by Zone report 49
Password Changes focused report 54
Password Changes query 56
Password Changes report 50
Password Modifications trend 59
Password Modifications Trend query 57
Port 135 asset category 63
Protected asset category 63
Q
queries
10 Most Vulnerable Assets in Confidential Data
Group 65
AAA User Account Creation Trend 55
AAA User Account Deletions on Trend 59
AAA User Account Deletions Trend 55
Account Creation by Host 56
Account Creation by Host on Trend 56
Accounts Deleted by Host Trend 57
All Exposed Vulnerabilities 65
All Revenue Generating Assets 38
All Vulnerabilities in Email and Web Server Assets
66
Anti-Virus Errors 47
Assets with Applications 38
Assets with Configuration Modifications- Last 7
Days 30
Assets with Configuration Modifications- Last Day
29
Assets with Recent Configuration Modifications by
Vendor and Product 30, 57
Blaster Vulnerable Hosts 66
By User Account - Accounts Created 58
By User Account - Accounts Deleted 56
Configuration Changes 30, 38, 46
Configuration Changes by Zone Last Week Trend
Query 29
Critical System Startup and Shutdown Events - By
Zone and Asset 18
Critical System Startups and Shutdowns - Trend
Query 18
Current Asset Configurations 31
Database Errors and Warnings 31, 39
Database Errors and Warnings (Chart) 30, 38
Exposed Vulnerabilities - High and Very High Criti-
cality Assets - Trend Query 66
Exposed Vulnerabilities - High and Very High Criti-
cality Assets by Zone - Trend Query 65
Exposed Vulnerabilities by Asset 66
Exposed Vulnerabilities by Zone Trend - Last Week
65

Index
Exposed Vulnerability Count by Asset 66
Failed Anti-Virus Updates 44
Failed Anti-Virus Updates - Regulated Systems 45
Failed Anti-Virus Updates - Regulated Systems (MS-
SP) 45
Failed Anti-Virus Updates (MSSP) 46
Failed Anti-Virus Updates Chart 47
Failed Anti-Virus Updates Chart - Regulated Sys-
tems 45
Failed Anti-Virus Updates Chart - Regulated Sys-
tems (MSSP) 47
Failed Anti-Virus Updates Chart (MSSP) 47
Failed User Account Login Attempts (Yesterday) 18
Firewall Misconfigurations 46
HIDS Misconfigurations 47
High-Priority Scan Events Directed Toward High-
Criticality Assets 65
High-Priority Vulnerabilities Detected on Critical As-
sets - Yesterday 66
Host Configuration Events By Zone 39
Host Configuration Modifications 29
Host Configuration Modifications by Customer 31
Host Configuration Modifications by OS 29
Host Configuration Modifications on Trend 30
Host Configuration Modifications Summary 31, 38
Host Summary by Business Role 38
Host Summary by Criticality 38
Host Summary by Data Role 38
Host Summary by Operating System 38
Infected Systems 46
Local Windows User Creation - Disallowed Systems
58
- on Trend 55
Mail Servers 39
Misconfigurations 29, 30, 31
Most Common Account Login Attempts - Last Day
18
Most Common Account Login Attempts Trend - Last
Week 18
Most Common Account Login Failures by Attacker
User (Yesterday) 57
Most Common Account Logins by Target User (Yes-
terday) 17
NIDS Misconfigurations 45
Password Changes 56
Password Modifications Trend 57
Restart Log by Zone - Last Week 18
Router Configuration Changes 29
Switch Configuration Changes 30
System Startups and Shutdowns 18
Systems Restarted Twice or More - Last Week 18
Systems With Criticality Ratings by Zone 29
Top 10 Assets by Exposed Vulnerability Counts 65
Top 10 Exposed Vulnerabilities by Asset Counts 65
Top Anti-Virus Errors 48
Top Infected Systems 46
Top Vulnerability Exposure of Critical Assets on
Trend 66
Top Zones with Anti-Virus Errors 45
Trend on AAA User Account Creation 55
Trend on Password Modifications 56
Trend on User Account Creation 58
Trend on User Account Modifications 57
Trend on VPN User Account Creation 58
Update Overview - Regulated Systems (MSSP) 48
Update Overview (MSSP) 44
Update Overview Chart - Regulated Systems (MS-
SP) 47
Update Overview Chart (MSSP) 46
Update Summary 46
Update Summary - Regulated Systems 45
Update Summary Chart 48
Update Summary Chart - Regulated Systems 47
User Account Creation Trend 56
User Account Login Failures - Weekly Trend 18
User Account Modifications Trend 57
User Administration 58
User Administration (Chart) 58
User Configuration Modifications 56
User Removals 55
User Removals on Trend 56
Users That Performed Configuration Modifications
Past Week 58
VPN User Account Creation Trend 55
Vulnerabilities of Assets in North America 65
Vulnerability Exposure by Asset Criticality 66
Vulnerability Exposure by Asset Criticality - Trend
Query - Snapshot 64
Vulnerability Exposure of Critical Assets on Trend
65
Web Servers 38
query viewers
Criticality Assets - Today 61
Criticality Assets - Yesterday 61
Host Configuration Modifications - Today 23
Host Configuration Modifications - Yesterday 23
User Configuration Modifications - Today 49
User Configuration Modifications - Yesterday 49
R
reports
10 Most Vulnerable Assets in Confidential Data
Group 61
AAA User Account Creation 51
AAA User Account Deletions - Last 30 Days 51
Account Creation by Host - Last Week 51
Accounts Deleted by Host 49
All Exposed Vulnerabilities 62
All Revenue Generating Assets 33
All Vulnerabilities in Email and Web Server Assets
62
Asset Startup and Shutdown Event Log - Last Day
16
Asset Startup and Shutdown Log - Last Week 16
Assets Restarting Twice or More - Last Week 16
Assets with Applications 34
Assets with Configuration Changes - Last Day 24
Assets with Configuration Changes - Past Week 24
Blaster Vulnerable Hosts 62
By User Account - Accounts Created 50
By User Account - Accounts Deleted 50
Configuration Changes by Type 24, 33, 42
Configuration Changes by User 24, 32, 41
Configuration Changes per User by Zone Last Week

Index
49
Configuration Changes per User Last Week 50
Critical Asset Startup and Shutdown Event Log -
Last Day 16
Critical Asset Startup and Shutdown Trend 16
Current Asset Configurations 25
Database Errors and Warnings 24, 33
Errors Detected in Anti-Virus Deployment 41
Exposed Vulnerabilities by Asset 61
Exposed Vulnerabilities by Zone Trend - Last 90
Days 61
Exposed Vulnerabilities by Zone Trend - Last Month
62
Exposed Vulnerabilities by Zone Trend - Last Week
62
Exposed Vulnerability Count by Asset 62
Failed Anti-Virus Updates 40
Failed Anti-Virus Updates - Regulated Systems 41
Failed Anti-Virus Updates - Regulated Systems (MS-
SP) 41
Failed Anti-Virus Updates (MSSP) 41
Firewall Misconfigurations 41
HIDS Misconfigurations 41
High-Priority Vulnerabilities Detected on Critical As-
sets - Yesterday 61
Host Configuration Events By Zone 33
Host Configuration Modifications by Customer 24
Host Configuration Modifications by OS 24
Host Configuration Modifications Summary 23
Host Summary by Business Role 33
Host Summary by Criticality 33
Host Summary by Data Role 34
Host Summary by Operating System 34
50
Mail Servers 33
Misconfigurations 23, 24
Most Common Account Login Failures by Attacker
User (Yesterday) 50
NIDS Misconfigurations 42
Password Changes 50
Password Changes by System 51
Password Changes by User 51
Password Changes by Zone 49
Router Configuration Changes 25
Switch Configuration Changes 25
Systems With Criticality Ratings by Zone 24
Top 10 Assets by Exposed Vulnerability Counts 62
Top 10 Exposed Vulnerabilities by Asset Counts 62
Top Infected Systems 42
Top User Logins - Last Week 16
Top User Logins - Yesterday 17
Top Vulnerability Exposure of Critical Assets 63
Update Overview - Regulated Systems (MSSP) 42
Update Overview (MSSP) 40
Update Summary 41
Update Summary - Regulated Systems 40
User Account Creation 51
User Administration 51
User Login Failures Trend - Past Week 16
User Removals - Last 30 Days 50
VPN User Account Creation 50
Vulnerabilities of Assets in North America 63
Vulnerability Exposure by Asset Criticality - Current
Month 62
Web Servers 33
Zones by Configuration Change Count Past Week
23
resource groups
Assets 16
Configuration Changes Overview 20
Device Configuration Changes 23
Hosts and Applications Overview 32
Changes 40
User Configuration Changes 49
Vulnerabilities 61
Restart Log by Zone - Last Week query 18
Revenue Generation asset category 34
Router Configuration Changes query 29
Router Configuration Changes report 25
Router filter 28
rules
Cisco - IOS Configuration Changed 25
Critical Host Shutdown Detected 17
Local Windows User Creation - Allowed Host 52
Local Windows User Creation - Disallowed Host 52
Successful Configuration Change 20
Warning - Insecure Configuration 63
Warning - Vulnerable Software 63
S
Scanned asset category 26
Security Application and Device Configuration Changes
resource group 40
Security Application and Device Configuration Changes
use case 22
shared libraries 5
Successful Configuration Change rule 20
Successful Configuration Changes filter 21
Successful Password Changes filter 53
Successful User Account Login Attempts filter 17
Switch Configuration Changes query 30
Switch Configuration Changes report 25
Switch filter 28
System Shutdown Events filter 17
System Startup Events filter 17
System Startups and Shutdowns query 18
Systems Restarted Twice or More - Last Week query 18
Systems With Criticality Ratings by Zone query 29
Systems With Criticality Ratings by Zone report 24
T
Target Address is NULL filter 27, 36
Target Host Name is NULL filter 27, 36
Target Information is NULL filter 27, 36
Target Port is NULL filter 27, 36
Target Zone AND Host are NULL but Address is NOT
NULL filter 27, 36
Target Zone AND Host are NULL filter 28, 37
Target Zone is NULL filter 28, 37
Target Zone OR Host is NULL filter 28, 37
TargetHost global variable 26, 35
Top 10 Assets by Exposed Vulnerability Counts query 65
Top 10 Assets by Exposed Vulnerability Counts report 62

Index
Top 10 Database Errors data monitor 35
Top 10 Exposed Vulnerabilities by Asset Counts query 65
Top 10 Exposed Vulnerabilities by Asset Counts report 62
Top Anti-Virus Errors query 48
Top Infected Systems query 46
Top Infected Systems report 42
Top User Logins - Last Week report 16
Top User Logins - Yesterday report 17
Top Vulnerability Exposure of Critical Assets on Trend
query 66
Top Vulnerability Exposure of Critical Assets report 63
Top Vulnerability Exposure of Critical Assets trend 67
Top Zones with Anti-Virus Errors query 45
Trend on AAA User Account Creation query 55
Trend on Password Modifications query 56
Trend on User Account Creation query 58
Trend on User Account Modifications query 57
Trend on VPN User Account Creation query 58
trends
AAA User Account Creation 60
AAA User Account Deletions 59
Account Creation by Host 59
Asset Startup and Shutdown Events - Daily Trend
19
Assets with Recent Configuration Modifications
(Daily) 31, 60
Critical System Startup and Shutdown Events - Dai-
ly Trend 19
Host Configuration Modifications 31, 39
59
Most Common Account Login Attempts - Daily
Trend 19
Password Modifications 59
Top Vulnerability Exposure of Critical Assets 67
User Account Creation 60
User Account Login Failures 19
User Removals 59
VPN User Account Creation 59
Vulnerability Exposure by Asset Criticality 67
Vulnerability Exposure of Critical Assets 67
Vulnerability Exposure of High and Very-High Criti-
cality Assets by Zone - Daily Trend 67
U
Update Events filter 42
Update Overview - Regulated Systems (MSSP) query 48
Update Overview - Regulated Systems (MSSP) report 42
Update Overview (MSSP) query 44
Update Overview (MSSP) report 40
Update Overview Chart - Regulated Systems (MSSP)
query 47
Update Overview Chart (MSSP) query 46
Update Summary - Regulated Systems query 45
Update Summary - Regulated Systems report 40
Update Summary Chart - Regulated Systems query 47
Update Summary Chart query 48
Update Summary query 46
Update Summary report 41
upgrade
invalid resources 71
preparing for upgrade 69
restoring content 70
verify customer content 71
use cases
Device Configuration Changes 22
Changes 22
User Configuration Changes 22
User Account Creation report 51
User Account Creation trend 60
User Account Creation Trend query 56
User Account Creations - Last 30 Days focused report 54
User Account Creations filter 53
User Account Deletions - Last 30 Days focused report 54
User Account Deletions filter 54
User Account Login Attempts filter 17, 52
User Account Login Failures - Weekly Trend query 18
User Account Login Failures trend 19
User Account Modifications - Last 30 Days focused report
54
User Account Modifications filter 52
User Account Modifications report 51
User Account Modifications trend 60
User Account Modifications Trend query 57
User Administration (Chart) query 58
User Administration query 58
User Administration report 51
User Configuration Changes resource group 49
User Configuration Changes use case 22
User Configuration Modifications - Today query viewer
49
User Configuration Modifications - Yesterday query view-
er 49
User Configuration Modifications query 56
User Login Failures Trend - Past Week report 16
User Removals - Last 30 Days report 50
User Removals on Trend query 56
User Removals query 55
User Removals trend 59
Users That Performed Configuration Modifications Past
Week query 58
V
Very High asset category 17, 64
Virtual Private Network filter 27
VPN Configuration Changes filter 21
VPN Configuration Changes query 30
VPN Configuration Changes report 25
VPN Events filter 21, 27, 52
VPN User Account Creation report 50
VPN User Account Creation trend 59
VPN User Account Creation Trend query 55
VPN User Account Creations filter 53
VPN User Configuration Activity filter 53
Vulnerabilities of Assets in North America query 65
Vulnerabilities of Assets in North America report 63
Vulnerabilities resource group 61
Vulnerability Exposure by Asset Criticality - Current
Month report 62
Vulnerability Exposure by Asset Criticality - Last 3 Months
focused report 64
Vulnerability Exposure by Asset Criticality - Last 6 Months
focused report 64
Vulnerability Exposure by Asset Criticality - Trend Query
- Snapshot query 64
Vulnerability Exposure by Asset Criticality query 66

Index
Vulnerability Exposure by Asset Criticality trend 67
Vulnerability Exposure of Critical Assets on Trend query
65
Vulnerability Exposure of Critical Assets trend 67
Vulnerability Exposure of High and Very-High Criticality
Assets by Zone - Daily Trend trend 67
vulnerabilitys
CVE - CAN-2003-0605 67
W
Warning - Insecure Configuration rule 63
Warning - Vulnerable Software rule 63
Web Server asset category 34, 63
Web Servers query 38
Web Servers report 33
Z
Zones by Configuration Change Count Past Week report
23

Esm5.5 scg configuration

More Related Content

What's hot (15)

Similar to Esm5.5 scg configuration (20)

More from Protect724v2 (20)

Recently uploaded (20)

Esm5.5 scg configuration