Client Restricted

Next Generation Visualizations with ArcSight


Contents

1. Introduction 4
1.1. Purpose and Scope 4
1.2. Background 4
1.3. Version Control 4
2. Let’s build VISUALIZATION 5
2.1. Pre-requisites 5
   1. Knowledge on ArcSight ESM 5
   2. ArcSight ESM running with Valid License 5
   3. ArcSight Java Based Console 5
   4. 3rd Party SQL Clients 5
   5. 3rd Party Visualization Software 6
2.2. Logging in to your ESM Database 6
2.3. ESM Resources 8
2.4. Using 3rd Party SQL Client to establish connection with ESM 10
2.5. Validating the resources within ESM Console 17
2.6. Validating the resources from the SQL Client 19
2.7. Using 3rd Party Visualization software to build dashboards 20
2.8. Sample Dashboards 23
3. Annexure A -- ArcSight Enterprise Security Management (ESM) 28
4. Annexure B -- Accessing ArcSight ESM 29
4.1. Console 29
4.2. ArcSight Command Center 29
4.3. ESM Service Layer [API] 29
4.4. ESM MySQL DB 30
5. Annexure C -- ESM CORRe 31
5.1. CORRe Overview 31
5.2. MySQL 32
5.3. Event storage in CORRe 32
6. Annexure D -- ESM Resources 34
7. FEEDBACK 36

Table of Figures

Figure 1: MySQL Location in ESM (p. 6)
Figure 2: Logging in to MYSQL (p. 7)
Figure 3: Executing Sample SQL Statement 1 (p. 7)
Figure 4: Executing Sample SQL Statement 2 (p. 7)
Figure 5: DBEAVER Console 1 (p. 10)
Figure 6: DBEAVER Console 2 (p. 10)
Figure 7: DBEAVER MYSQL Connection 1 (p. 11)
Figure 8: DBEAVER MYSQL Connection 2 (p. 12)
Figure 9: DBEAVER MYSQL Connection 3 (p. 12)
Figure 10: DBEAVER MYSQL Connection 4 (p. 13)
Figure 11: DBEAVER MYSQL Connection 5 (p. 13)
Figure 12: DBEAVER MYSQL Connection 6 (p. 13)
Figure 13: DBEAVER Listing Tables 1 (p. 14)
Figure 14: DBEAVER Listing Tables 2 (p. 15)
Figure 15: DBEAVER Listing Tables 3 (p. 15)
Figure 16: DBEAVER Listing Tables 4 (p. 16)
Figure 17: DBEAVER Table Properties 1 (p. 16)
Figure 18: DBEAVER SQL Statement 1 (p. 16)
Figure 19: DBEAVER SQL Statement 2 (p. 17)
Figure 20: DBEAVER Table Properties 2 (p. 17)
Figure 21: ESM Console 1 (p. 18)
Figure 22: ESM Console 2 (p. 18)
Figure 23: ESM Console 3 (p. 18)
Figure 24: ESM Console 4 (p. 19)
Figure 25: ESM Console 5 (p. 19)
Figure 26: DBEAVER resource verification 1 (p. 20)
Figure 27: DBEAVER resource verification 2 (p. 20)
Figure 28: DBEAVER Export Data (p. 20)
Figure 29: iDashboards Version (p. 21)
Figure 30: Dashboard Templates (p. 22)
Figure 31: iDashboards Sample 1 (p. 22)
Figure 32: iDashboards Sample 2 (p. 23)
Figure 33: iDashboards Sample 3 (p. 24)
Figure 34: iDashboards Sample 4 (p. 24)
Figure 35: iDashboards Sample 5 (p. 25)
Figure 36: iDashboards Sample 6 (p. 25)
Figure 37: iDashboards Sample 7 (p. 26)
Figure 38: iDashboards Sample 8 (p. 26)
Figure 39: iDashboards Sample 9 (p. 27)
Figure 40: Event Flow in ESM (p. 28)
Figure 41: Events & Resources Flow (p. 31)

1. Introduction

1.1. Purpose and Scope

The purpose of this document is to provide details on how to access the ArcSight ESM database; this in turn helps in accessing the different resources within the database and in building dashboards/representations using external visualization software.

1.2. Background

This document and its content were created by Pavan Raja, ArcSight Specialist for MEA. Contact details are as follows:

Pavan Raja, ArcSight Specialist & Pre-Sales, MEA, +971 565381117, [email protected]

1.3. Version Control

Version Author Change

0.1 Pavan Raja Initial

2. Let’s build VISUALIZATION

2.1. Pre-requisites

1. Knowledge on ArcSight ESM
   a. Sound working knowledge of ArcSight ESM.
   b. Please refer to Annexure A for general information on ArcSight ESM.

2. ArcSight ESM running with a valid license
   a. Make sure you have ESM with all the services running in a healthy condition.
   b. You have the ESM OS credentials.
   c. You have the ESM database credentials.
   d. You have the details of the SQL schema name.
   e. You have the ESM database port used to connect to the database.

3. ArcSight Java-based Console
   a. Make sure you have connectivity from the Console desktop machine to the ESM Manager server.
   b. You have a valid console account to log in to the console.
   c. You have the Console credentials.
   d. To know more about the different ways of connecting to ESM, please refer to Annexure B.

4. 3rd Party SQL Clients
   a. There are many SQL clients available on the Internet.
   b. Freeware [limited features and functionality].
   c. Enterprise versions [paid; support scripting, scheduling, etc.].
   d. If the environment has a Microsoft SQL deployment, then you can use SQL Server Management Studio (SSMS) to create a connection to the ESM database.
   e. Some examples of SQL clients are Squirrel, HeidiSQL, DBeaver, RazorSQL, etc.
   f. The SQL clients support different platforms such as Windows, Mac and Linux.

   g. Make sure you have the necessary libraries accessible. These libraries are required to access the database; examples are the JAR files for JDBC connections, the MySQL JAR file, etc.
   h. Make sure you have access to one such SQL client software.

5. 3rd Party Visualization Software
   a. There is a lot of visualization software available in the market which can be used for creating stunning dashboards, reports, and consuming data in different formats.
   b. Make sure you have access to one such visualization software.
   c. Some examples of such software are SiSense, Looker, Zoho Analytics, Tableau, Domo, Microsoft Power BI, etc.

2.2. Logging in to your ESM Database

To make sure we have access to the database, we first log in to MySQL from within the ESM server, from the location “/opt/arcsight/logger/current/arcsight/bin”, as shown below:

Figure 1: MySQL Location in ESM

To connect to MySQL we use the mysql command:

• shell> mysql db_name

Or:

• shell> mysql --user=<user_name> --password=<your password> db_name

Figure 2 : Logging in to MYSQL

Once the correct credentials are entered, you should see the “mysql>” prompt. This means you now have access to the MySQL database. Let’s execute some SQL statements:

show variables;

Figure 3: Executing Sample SQL Statement 1

show variables where Variable_name = '<ENTER_VARIABLE_NAME>';

Figure 4: Executing Sample SQL Statement 2

To know more about how CORRe, MySQL and InnoDB work together within ESM, please refer to Annexure C.

2.3. ESM Resources

ESM manages the logic used to process events using objects called resources. A resource defines the properties, values, and relationships used to configure the functions ESM performs. Resources can also be the output of a configuration that has been executed on events (such as archived reports, or Pattern Discovery snapshots and patterns). Resources are used for displaying and analyzing events and contribute to generating additional events that are used internally by ESM for correlation or administration. ESM resources are accessed in the Navigator panel of the ArcSight Console. Resources appear as objects in the navigation panel of the ArcSight Console and are stored in the database. The most commonly used resources, which are the ones to focus on when building visualizations, are listed below:

Resource Name / Description

ARC_ACTIVE_LIST

Active Lists are used to record correlation state over a long period of time. For instance, the system tracks all IP addresses that have scanned or attacked the protected network over the last month.

ARC_ARCSIGHT_QUERY

This table stores query resources.

ARC_CUSTOMER

A Customer resource describes a distinct organization, usually a customer of a managed security software provider (MSSP). Using the ARC_RELATIONSHIP table, user resources can have Is employee of and Is account manager of relationships with customer resources.

ARC_DATAMONITOR

A data monitor is a visual component of a dashboard, used for monitoring and reviewing events.

ARC_DEVICE

An Asset resource describes a specific network device. Using the ARC_RELATIONSHIP table, Asset resources can have Has vulnerability, In zone, Is asset of, and In category relationships with vulnerability, zone, connector, and asset category group resources, respectively. An asset resource can also be the target of an Is scanner report of relationship with a scanner report.

ARC_DYNA_CHANNEL

This table stores active channel resources.

ARC_EVENT

Security event records are the core of the ArcSight database schema. The implementation consists of large records in the master ARC_EVENT table, which includes references to several side tables such as ARC_EVENT_CATEGORY (ARC_EVENT_CATEGORY_MAP ?). Other, ancillary tables, such as ARC_EVENT_ANNOTATION , relate to the ARC_EVENT table using the EVENT_ID. The master ARC_EVENT table and the ancillary tables are partitioned based on END_TIME. This table, the ARC_EVENT table, stores events.

ARC_QUERY_VIEWER

This table stores query viewer resources.

ARC_REPORT_ARCHIVE

Archived reports represent the document that results from running a report.

ARC_RULES

Description of all correlation rules, whether supplied by ArcSight or defined by users.

ARC_DASHBOARD

Dashboards are collections of viewers with associated layout information. These are the graphical panels that the Console uses to display data monitor statistics. Elements of a dashboard are aligned to a grid. Using the ARC_RELATIONSHIP table, User resources can have Has start view relationships with dashboard resources.

ARC_REPORT

Report resources are templates that describe the information that should be included in a report and how it should be formatted.

ARC_RESOURCE

ArcSight resources, such as user and asset, are modeled by a base resource table, common to all resources, and a type-specific table, such as ARC_USER . As in object-oriented programming, a specific resource type, such as User, “inherits” the attributes of the resource table along with its own. Some resources are used internally, but many are reflected in the user interface. User interface terminology is given precedence in this document, because the actual database table names are not always clear. The mapping between table name (such as ARC_SENSOR ) and user interface name (such as Connector) is described where necessary. This table contains the set of common attributes shared by all resources. All other resource tables have a foreign key that points to the ID column of this table.

ARC_SESSION_LIST

This table stores the session-list resource attributes.

ARC_TREND

This is the table for all the ESM trends and contains information about all the things that can be set or changed from the UI editor. It is NOT the data gathered by the trend.

ARC_VULNERABILITY

A vulnerability resource represents a vulnerability that relates a known issue with a set of vulnerable assets. Using the ARC_RELATIONSHIP table, asset and asset range resources can have Has vulnerability relationships with vulnerability resources.

ARC_USER

All users who can access ESM. Using the ARC_RELATIONSHIP table, User resources have Can read, can write, and Can execute relationships with other resources. Users can have relationships with filter resources (Has enforced filter, has hotlist filter), rule groups (Uses group of rules for replay), customers (Is employee of, Is account manager of ), and active channels or dashboards (Has start view). Other resources have relationships with user (Created by, Last modified by, owned by, Locked by)

ARC_ZONE

Filters are used to specify events going into data monitors, as part of rule and report conditions, to limit the events that a user can review, and to specify events to include in an active channel, among other uses. Using the ARC_RELATIONSHIP table, user resources can have has enforced filter and has hotlist filter relationships with filter resources.

ARC_NETWORK

A zone resource represents a logical subset of a network, such as a location, an organizational unit, or a specific network. Using the ARC_RELATIONSHIP table, asset, asset range, asset group, or asset range group resources can have in zone relationships with zone resources.

For more information on the complete list of resources available in ESM, please refer to Annexure D.

2.4. Using 3rd Party SQL Client to establish connection with ESM

In this exercise I am using DBeaver version 6.11, Windows 64-bit, as the SQL client. This is a freely available SQL client and provides a lot of inbuilt features and functionality. You can access the installer from the link below: https://dbeaver.io/download/ Once it is downloaded, go ahead and run the installer. The first time you run the DBeaver SQL client, you will see the screens below.

Figure 5: DBEAVER Console 1

The screenshots below show the main software page and the different options that the SQL client offers.

Figure 6: DBEAVER Console 2

From the menu click on “FILE” and select “NEW”. This will start the database connection wizard.

Figure 7: DBEAVER MYSQL Connection 1

From the wizard screen, select “Database Connection”. In the next screen, the wizard shows the different databases with which it can establish connections. In our case we are establishing a connection with a MySQL database, so select “MySQL” under Popular connections.

Figure 8 : DBEAVER MYSQL Connection 2

In the next screen, you need to enter the details for establishing the connection. As mentioned previously, you need to know the details of the ESM server, the database name and the respective credentials.

Figure 9: DBEAVER MYSQL Connection 3

In the Network section of the Connection Settings, you need to enter the details of the server where the database is installed. In our case we are logging in to “172.16.100.109” using the “root” user and its credentials.

Figure 10: DBEAVER MYSQL Connection 4

The SQL client will log in to the server using the network settings. This can be tested using “TEST TUNNEL CONFIGURATION”. You will see the screen below if the test connection is successful.

Figure 11: DBEAVER MYSQL Connection 5

In the Connection settings, we provided the server host IP as the localhost or loopback address. That is because the network setting takes effect first, and only then does the SQL client use the Connection settings to log in to the database.

Figure 12: DBEAVER MYSQL Connection 6

Once the connection setting details are provided, you can test the connection as well. You will see the screen above if the test is successful.

NOTE: If you are not sure of the MySQL database name or port configured on your ESM server, you can validate or cross-verify them by looking at the “server.properties” file within “/opt/arcsight/manager/config”. If you open the server.properties file, look for the following configuration line item:

dbconmanager.provider.logger.url=jdbc:mysql://127.0.0.1:3306/arcsight?useCursorFetch=true&useTimezone=true&useLegacyDatetimeCode=false&serverTimezone=UTC

The part mysql://127.0.0.1:3306/arcsight tells us the MySQL database name and the IP and port configured to access it.

Once the connection is successfully tested and saved, you have access to all the databases of ArcSight ESM. As shown below, ArcSight ESM has different databases configured, like “arcsight”, “arcsight_report_repository” and “test”.

Figure 13: DBEAVER Listing Tables 1
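To pull the host, port and database name out of server.properties without reading the line by eye, here is a small Python helper. This is an added example, not part of the original document or of ArcSight’s own tooling: the sample properties text is constructed around the one line quoted above, and client_connection_plan mirrors the DBeaver walkthrough, where the Network (tunnel) setting reaches the ESM host and the Connection setting then dials the loopback address.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the one server.properties line the document quotes, surrounded
# by filler so the parser actually has to find it (not a real file).
SAMPLE_SERVER_PROPERTIES = """\
# server.properties (constructed excerpt)
some.other.key=value
dbconmanager.provider.logger.url=jdbc:mysql://127.0.0.1:3306/arcsight?useCursorFetch=true&useTimezone=true&useLegacyDatetimeCode=false&serverTimezone=UTC
"""

DB_URL_KEY = "dbconmanager.provider.logger.url"


def read_property(text, key):
    """Return the value for `key` in Java .properties text, or None if absent.

    Handles the plain 'key=value' form; comment lines start with '#' or '!'.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            return value.strip()
    return None


def parse_jdbc_mysql_url(url):
    """Split jdbc:mysql://host:port/db?k=v into host, port, database and options."""
    if not url.startswith("jdbc:mysql://"):
        raise ValueError("not a jdbc:mysql URL: %r" % url)
    parts = urlsplit(url[len("jdbc:"):])  # drop 'jdbc:' so urlsplit sees mysql://...
    host = parts.hostname
    return {
        "host": host,
        "port": parts.port or 3306,  # MySQL default port when the URL omits it
        "database": parts.path.lstrip("/"),
        "options": {k: v[0] for k, v in parse_qs(parts.query).items()},
        # A loopback address means MySQL is not reachable directly over the network:
        # a remote SQL client has to tunnel to the ESM host first, then dial this
        # host/port through the tunnel (what the DBeaver Network tab does above).
        "loopback_only": host in ("127.0.0.1", "localhost", "::1"),
    }


def esm_db_settings(properties_text):
    """Extract and parse the ESM database URL from server.properties content."""
    url = read_property(properties_text, DB_URL_KEY)
    if url is None:
        raise KeyError("%s not present in server.properties" % DB_URL_KEY)
    return parse_jdbc_mysql_url(url)


def client_connection_plan(settings, esm_host):
    """What to enter in the SQL client: tunnel to `esm_host` when MySQL only
    listens on loopback, otherwise connect to the configured host directly."""
    return {
        "tunnel_host": esm_host if settings["loopback_only"] else None,
        "db_host": settings["host"],
        "db_port": settings["port"],
        "database": settings["database"],
    }


if __name__ == "__main__":
    settings = esm_db_settings(SAMPLE_SERVER_PROPERTIES)
    print(settings)
    print(client_connection_plan(settings, "172.16.100.109"))
```

The same values are what the mysql command in section 2.2 needs; on the ESM host itself, `mysql --user=<user_name> -p db_name` prompts for the password instead of leaving it visible in the process list and shell history.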

The database holding all the tables we need is the “arcsight” database. As shown below, the “arcsight” database lists all the Tables, Views, Events, etc.

Figure 14: DBEAVER Listing Tables 2

Further expanding the Tables will show the Active Lists, Reports, Trends and all other resources.

Figure 15: DBEAVER Listing Tables 3

As shown below, there are many resources, and each resource type has its own naming convention.

Figure 16: DBEAVER Listing Tables 4

For example, all active lists are named arc_ald_XXXXXX and all trends are named arc_trend_XXXXXX. Just by expanding any table, you will be able to see the properties of the table itself. For example, here we can see the different columns used in building this ACTIVE LIST.

Figure 17: DBEAVER Table Properties 1

Now, with this information, we can write simple queries to see the data within those tables:

SELECT user__name, creation_time, last_modified_time, count, hash_code FROM arcsight.arc_ald_153p33;

Figure 18: DBEAVER SQL Statement 1

Output of the SELECT statement:

Figure 19: DBEAVER SQL Statement 2

2.5. Validating the resources within ESM Console.

Observe that each table has a unique identifier: the last 6 alphanumeric characters of its name. In this example we have selected the arc_ald_153p33 Active List, and “153p33” is its alphanumeric identifier.

Figure 20: DBEAVER Table Properties 2

Since so many resources are created from the ESM Console, it is very difficult to identify from the SQL client which Active List we are working on. As shown below, there are many Active Lists, and it is difficult to tell which Active List arc_ald_153p33 corresponds to.

Figure 21: ESM Console 1

You can use these 6 alphanumeric characters to search for the resource within the ArcSight Console.

Figure 22: ESM Console 2

So I am using “153p33”, which is the alphanumeric identifier for the Active List “arc_ald_153p33”.

Figure 23: ESM Console 3

The system, however, holds the cross-reference between the alphanumeric identifier “153p33” and the Resource ID “HqWatJhABABDKatmAmqrZ4Q==”.

Figure 24: ESM Console 4

Figure 25: ESM Console 5
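The table naming convention from section 2.4 and the identifier lookup above can be handled in a few lines of Python. This is an added example, not from the document or from ArcSight: parse_resource_table splits a table name into its resource type and 6-character identifier, console_search_term returns the token to search for in the Console, and active_list_select rebuilds the SELECT from section 2.4 only after validating the identifier, since a table name cannot be bound as a query parameter. The prefix map covers only the two prefixes the document names (ald, trend); arc_trend_ab12cd below is a constructed name.

```python
import re

# Per-resource table prefixes that the document names explicitly. Other arc_*
# prefixes exist in the schema but are deliberately not guessed here.
RESOURCE_TABLE_PREFIXES = {
    "ald": "Active List",
    "trend": "Trend",
}

# Per-resource tables end in a 6-character alphanumeric identifier, e.g. arc_ald_153p33.
RESOURCE_TABLE_RE = re.compile(
    r"^arc_(?P<prefix>[a-z]+)_(?P<ident>[a-z0-9]{6})$", re.IGNORECASE
)

# Columns the document selects from an active list table.
ACTIVE_LIST_COLUMNS = (
    "user__name", "creation_time", "last_modified_time", "count", "hash_code",
)


def parse_resource_table(table_name):
    """Return (resource type, identifier) for a per-resource table name, or None
    when the name does not follow the arc_<prefix>_<6 chars> convention."""
    match = RESOURCE_TABLE_RE.match(table_name)
    if match is None:
        return None
    prefix = match.group("prefix").lower()
    kind = RESOURCE_TABLE_PREFIXES.get(prefix, "unmapped prefix '%s'" % prefix)
    return kind, match.group("ident")


def console_search_term(table_name):
    """The 6-character identifier to paste into the ArcSight Console search box."""
    parsed = parse_resource_table(table_name)
    if parsed is None:
        raise ValueError("not a per-resource table name: %r" % table_name)
    return parsed[1]


def active_list_select(identifier, schema="arcsight"):
    """Build the SELECT the document runs against one active list table.

    The identifier ends up inside a table name, so it cannot be passed as a bound
    query parameter; the safe option is to validate it strictly before
    interpolating, and to backtick-quote the schema and table names.
    """
    if re.fullmatch(r"[A-Za-z0-9]{6}", identifier) is None:
        raise ValueError("identifier must be exactly 6 alphanumeric characters")
    if re.fullmatch(r"[A-Za-z0-9_]+", schema) is None:
        raise ValueError("schema name may only contain letters, digits and '_'")
    return "SELECT %s FROM `%s`.`arc_ald_%s`;" % (
        ", ".join(ACTIVE_LIST_COLUMNS), schema, identifier
    )


if __name__ == "__main__":
    for name in ("arc_ald_153p33", "arc_trend_ab12cd", "arc_resource"):
        print(name, "->", parse_resource_table(name))
    print(active_list_select(console_search_term("arc_ald_153p33")))
```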

2.6. Validating the resources from the SQL Client.

As an alternative to the above example, you can run SQL commands that combine details from multiple tables to show the resource, its Resource ID and the location where the resource is stored within the Console; this removes a lot of manual work. Below is an example showing all the TRENDS and their respective information:

-- CONCAT() is used instead of '||': in MySQL, '||' means logical OR unless sql_mode includes PIPES_AS_CONCAT.
SELECT CONCAT('ARC_TREND_', T.TABLE_ID) AS Trend_Name,
       R.ID AS ResourceID,
       CONCAT(F.URI, '/', R.name) AS FULL_URI
FROM ARC_TREND T, ARC_RESOURCE R, ARC_RESOURCE_REF F;

Figure 26: DBEAVER resource verification 1

The above query will render full information about the resource, resourceID and the location.

Figure 27: DBEAVER resource verification 2

2.7. Using 3rd Party Visualization software to build dashboards

The data from the SQL client can be exported to an external system in many ways; DBeaver also provides many export options, as shown below:

Figure 28: DBEAVER Export Data

So, in this exercise the data is exported from an Active Channel to an external system in XML and CSV format. For building visualizations, the iDashboards version 1.4.4 Windows desktop client (evaluation version) has been used. Details are shown below:

Figure 29: iDashboards Version

iDashboards supports building different types of dashboards, and data manipulation or management is simple. Below are the dashboards that can be built out of the box.

Figure 30: Dashboard Templates

The data from the Active List, which has been exported to a CSV file, is used to create a sample dashboard as shown below:

Figure 31: iDashboards Sample 1

Similarly, you can access the data within the resources through the SQL client and build many dashboards. A few sample dashboards are shown in the next section.

2.8. Sample Dashboards

Some of the dashboards which can be created are shown below:

Geo View DASHBOARD

Figure 32: iDashboards Sample 2

Figure 33: iDashboards Sample 3

Top Exploit Types Dashboard

Figure 34: iDashboards Sample 4

IT MANAGEMENT DASHBOARD

Figure 35: iDashboards Sample 5

TICKET ANALYSIS DASHBOARD

Figure 36: iDashboards Sample 6

NETWORK RESOURCES MONITORING DASHBOARD

Figure 37 : iDashboards Sample 7

ENERGY SECTOR – ENERGY SAVINGS DASHBOARD

Figure 38: iDashboards Sample 8

BOT TRACKING DASHBOARD

Figure 39: iDashboards Sample 9

3. Annexure A -- ArcSight Enterprise Security Management (ESM)

ArcSight Enterprise Security Management (ESM) is a comprehensive software solution that combines traditional security event monitoring with network intelligence, context correlation, anomaly detection, historical analysis tools, and automated remediation. ESM is a multi-level solution that provides tools for network security analysts, system administrators, and business users. ESM delivers comprehensive enterprise security management, advanced analysis and investigation, and options for remediation and expanded solutions, that are ready to configure and use right out of the box. ESM normalizes and aggregates data from devices across your enterprise network, provides tools for advanced analysis and investigation, and offers options for automatic and workflow-managed remediation. ESM gives you a holistic view of the security status of all relevant IT systems and integrates security into your existing management processes and workflows. ESM includes the Correlation Optimized Retention and Retrieval (CORR) Engine, a data storage and retrieval framework that receives and processes events at high rates and performs high-speed searches. ESM organizes events by date and stores them in the CORR-Engine (Correlation Optimized Retention and Retrieval Engine) for rapid evaluation by the ESM correlation engine and for archiving.

Figure 40 : Event Flow in ESM

Events are stored in the CORR-Engine’s event retention period, where correlation operations take place, then copied daily into archives for long-term storage.

4. Annexure B -- Accessing ArcSight ESM

ESM can be accessed using multiple methods, such as the consoles, the API and the ESM database. The most commonly used methods are the out-of-the-box consoles. There are two types of consoles:

➢ Java Console [Thick Client]
➢ ArcSight Command Center

4.1. Console

The Console serves as the control point for administrators to:

➢ Configure ESM content and resources
➢ Manage, monitor, and respond to network security issues across the enterprise

A Network Model Wizard is provided to facilitate the process of describing network devices and assets in ESM. A set of coordinated resources (filters, rules, dashboards, reports, and so on) is provided to address common security and management tasks. The set of standard content is designed to give you comprehensive correlation, monitoring, reporting, alerting, and case management out of the box, with minimal configuration required on the Console.

4.2. ArcSight Command Center

The ArcSight Command Center is a web-based user interface that enables you to perform many of the functions found in the ArcSight Console. ArcSight Command Center provides dashboards, several kinds of searches, reports, case management, notifications, and administrative functions for managing active channels, content, connectors, storage, archives, search filters, saved searches, peer configuration, and system logs.

4.3. ESM Service Layer [API]

The ESM Service Layer APIs expose ESM functionalities as web services. By consuming the exposed web services, you can integrate ESM functionality in your own applications. The Service Layer APIs use a service-oriented architecture (SOA) that supports multiple web service clients written in different languages. Specifically, you will have the ability to:
➢ Run an ESM report and feed it back to your third-party home-grown system
➢ Create and update cases
➢ Manage resource groups

The SOA approach enables ESM Service Layer APIs to support multiple options, for example:

• Developers applying Representational State Transfer (REST) principles can achieve their goals by writing scripts that send HTTP requests, and then parse the responses.

• Java developers can take advantage of the Service Layer APIs SDK to create REST clients.

You can use any client-side technology, for example Java's URLConnection, Apache HttpClient, or URL tunneling through any web browser. Regardless of the client technology you choose, make sure to identify the proper methods, their arguments, and the accepted Content-Type format for your HTTP requests. Both REST and SOAP APIs are available to expose the Service Layer and access ESM resources.

4.4. ESM MySQL DB

The database entry point for CORRe is MySQL, even though not everything is stored there. All resources are stored in MySQL directly, in an InnoDB database. Events, however, are stored in flat files, but they are reached via a custom plugin engine for MySQL called ARC_LOGGER. The key feature of MySQL that benefits CORRe is that it is not just a database package, but a database framework. MySQL lets you create your own type of database storage and have it accessible through the SQL language in MySQL.

Page 31: Next Generation Visualizations with ArcSight€¦ · Client Restricted Page 5 2. Let’s build VISUALIZATION 2.1. Pre-requisites 1. Knowledge on ArcSight ESM a. Sound working knowledge

Client Restricted Page 31

5. Annexure C -- ESM CORRe

5.1. CORRe Overview

Here are the key facts about how CORRe works:
➢ All resources are stored in an InnoDB database in MySQL.
➢ All events are stored in flat files, with the contents indexed by PostgreSQL.
➢ All queries, whether related to resources or events, are initially processed by MySQL.
➢ All fields are indexed.
➢ Event storage is arranged by columns rather than rows. This means that the contents of all the name fields are stored together, the same with messages, end times, etc. This improves performance and compression.
➢ Daily partitions are arranged by the Manager Receipt Time rather than the End Time.
➢ Partitions are archived the day after they are created.
➢ Archives include their indexes.

The diagram below shows the architecture from the database perspective.

Figure 41 : Events & Resources Flow


5.2. MySQL

The database entry point for CORRe is MySQL, even though not everything is stored there. All resources are stored in MySQL directly, in an InnoDB database. Events, however, are stored in flat files, but they are reached via a custom plugin engine for MySQL called ARC_LOGGER. The key feature of MySQL that benefits CORRe is that it is not just a database package, but a database framework: MySQL lets you create your own type of database storage and have it accessible through the SQL language in MySQL. ArcSight created the ARC_LOGGER engine plugin for MySQL to achieve this. Therefore, at a high level, everything in ESM looks like MySQL.

5.3. Event storage in CORRe

With CORRe, events are stored in flat files rather than in the database. The location of the data in the files, though, is stored in a Postgres database so the data can be quickly accessed. One question would be why Postgres is used for the underlying database rather than MySQL, but I do not know the answer to that one. The data files are stored in /opt/arcsight/logger/data/logger. While they are flat files, they are not easily read apart from CORRe, as they are compressed.

One thing that is new in the storage mechanism is that data is stored in columns rather than in rows. So instead of writing an event all together, the fields are split up and each one is added to a chunk for just that column: all the Names are in one chunk, Messages in another, etc. This arrangement is called Read Optimized Storage. It works well in ESM because the schema has lots of fields but most of the time only a small subset of them is needed. By reading just the required columns, the database does not need to read the other fields. Events are only written once and never updated, but they can be read multiple times, so optimizing for reads makes the most sense.

Another benefit of column-based storage is compression efficiency. Compression typically works by finding the most common byte sequences and encoding them with bit-strings shorter than a byte. For example, the event type field in ESM has only 4 possible values: Base, Aggregated, Action, and Correlation. This information can be compressed down to a conceptual 2 bits. Since many database columns have a limited set of values like this example, compression can be much more efficient than it would be across rows, where the entropy is higher. Therefore 10:1 compression is possible, even though it sounds like an optimistic number.
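The column-versus-row compression argument above, as an added example that is not from the ArcSight documentation: it builds constructed events with a handful of low-cardinality fields, writes them out once row by row and once as per-field chunks (the Read Optimized Storage idea), and compresses each layout with zlib. The field vocabularies, the field count and the event count are assumptions; only the four event type values come from the text.

```python
import random
import zlib

# Constructed vocabularies for a few low-cardinality ESM-style fields.  The four
# event types are the ones the text names; every other value is made up here.
FIELD_VALUES = {
    "type": ["Base", "Aggregated", "Action", "Correlation"],
    "name": ["Login Success", "Login Failure", "Port Scan", "Policy Violation"],
    "message": ["user authenticated", "bad password", "SYN sweep", "rule fired"],
    "deviceVendor": ["Cisco", "Microsoft", "Palo Alto Networks"],
    "categoryOutcome": ["/Success", "/Failure", "/Attempt"],
    "sourceZone": ["DMZ", "Corporate LAN", "VPN Pool", "Guest WiFi"],
    "agentSeverity": ["Low", "Medium", "High", "Very-High"],
}


def make_events(n, seed=7):
    """Build n constructed events: low-cardinality fields plus a unique endTime (ms)."""
    rng = random.Random(seed)
    events = []
    for i in range(n):
        e = {f: rng.choice(vals) for f, vals in FIELD_VALUES.items()}
        e["endTime"] = str(1_600_000_000_000 + i * 1000 + rng.randint(0, 999))
        events.append(e)
    return events


def row_store(events):
    """Row-oriented layout: each event written whole, values comma-separated."""
    return "\n".join(",".join(e.values()) for e in events).encode()


def column_store(events):
    """Column-oriented layout: one chunk per field holding that field for all events."""
    return {f: "\n".join(e[f] for e in events).encode() for f in events[0]}


def compare_compression(events):
    """Compressed size (bytes) of each layout, plus per-field bytes per event."""
    col_sizes = {f: len(zlib.compress(c, 9)) for f, c in column_store(events).items()}
    return {
        "raw": len(row_store(events)),
        "row": len(zlib.compress(row_store(events), 9)),
        "column": sum(col_sizes.values()),
        "per_field": {f: s / len(events) for f, s in col_sizes.items()},
    }


if __name__ == "__main__":
    r = compare_compression(make_events(5000))
    print(f"raw={r['raw']} row={r['row']} ({r['raw'] / r['row']:.1f}:1) "
          f"column={r['column']} ({r['raw'] / r['column']:.1f}:1)")
    for f, b in r["per_field"].items():  # low-cardinality fields cost well under a byte
        print(f"  {f:16s} {b:.2f} bytes/event")
```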


Another feature of CORRe is that all fields that are not LOBs are indexed. This is a major improvement over Oracle, where only a small set of the fields were indexed, and often not the ones you needed. This makes queries much faster. This architecture leads to the following considerations:

➢ The more conditions you include in your query, the faster the execution, as the query optimizer has more choices for building the most efficient execution plan.

➢ Because each field is stored separately, the more fields you select in your query, the longer the query will take. This is not a reason to be stingy about including fields, but do not include them just because you can.

➢ Because all fields are indexed, the benefit of using trends as event storage is reduced. For example, in the past if one wanted to report on VPN events over a week, they might create a trend that contains a subset of fields for each VPN event and then create a report against the trend. With all fields indexed, a query that takes advantage of this indexing may be fast enough, and trends can then be used more for metrics rather than event collections.


6. Annexure D -- ESM Resources

Resources (tables) that can be viewed in the CORRe database:

ARC_ACTIVE_LIST ARC_ACTOR ARC_ARCSIGHT_QUERY

ARC_CATEGORY_MODEL ARC_CATEGORY_MODEL_ELEMENTS ARC_CATEGORY_MODEL_ELEMENTS_TC

ARC_CONFIGURATION_ITEM ARC_COUNTRYCODES ARC_CUSTOMER

ARC_DATAMONITOR ARC_DB_TABLE_SCHEMA ARC_DBFILE

ARC_DEVICE ARC_DEVICE_RANGE ARC_DRILLDOWN

ARC_DYNA_CHANNEL ARC_EVENT ARC_EVENT_ANNOTATION

ARC_EVENT_CATEGORY_MAP ARC_EVENT_PATH_INFO ARC_EVENT_PAYLOAD

ARC_EXTENDED_CASE ARC_FILE ARC_FILE_CONTENT

ARC_INTEGRATION_COMMAND ARC_INTEGRATION_CONFIGURATION ARC_INTEGRATION_TARGET

ARC_KBARTICLE_OBJECT_MAP ARC_LOCATION ARC_LUCENE_BUFFER

ARC_MGR_VERSION ARC_NAMED_COLUMN ARC_NAMED_COLUMN_LIST

ARC_NETWORK_CATEGORY_VIEW ARC_NETWORK_SET ARC_NODE_SUPPORT

ARC_NOTIFICATION_EMAIL_SETUP ARC_NOTIFICATION_HISTORY ARC_NOTIFICATION_PAGE_CONFIRM

ARC_NOTIFICATION_REGISTRY ARC_NOTIFICATION_VIEW ARC_NOTIFICATION_WAITTIME

ARC_PACKAGE_CONTENT ARC_PACKAGE_CONTENT_REF ARC_PACKAGE_REQUIREMENT

ARC_PARTITION_CMP_STATUS ARC_PARTITION_CONFIG ARC_PARTITION_SHADOW

ARC_PATTERN ARC_PATTERN_HASH ARC_PATTERN_NODES

ARC_PDE ARC_PDE_CORDER ARC_PDE_PERM

ARC_PERMISSION ARC_PORTLET ARC_PROPERTY_TABLE

ARC_QUERY_VIEWER ARC_RELATIONSHIP ARC_RELN_PROPS

ARC_REPORT_ARCHIVE ARC_REPORT_TEMPLATE ARC_REPORT_UNION_HR

ARC_RESOURCE_ANNOTATION ARC_RESOURCE_REF ARC_RULES

ARC_SCANNED_REPORT ARC_SCHEDULED_TASK ARC_SEARCH

ARC_SESSION_LIST ARC_SLD_RES56B_ACCTS ARC_SLD_RES56B_DN

ARC_SLD_RES56D_ACCTS ARC_SLD_RES56D_BASE ARC_SLD_RES56D_ROLES

ARC_STAGE ARC_TABLESPACE ARC_TC

ARC_TC_SUSPECT ARC_TC_TRUSTY ARC_TC_TRUSTY_L

ARC_TREND ARC_USER ARC_USE_CASE

ARC_VULNERABILITY ARC_ZONE USER_SEQUENCES

ARC_CASE_EVENT_MAP ARC_NETWORK ARC_RESOURCE

ARC_CMNT_HISTORY ARC_NOTES ARC_SAVED_SEARCH

ARC_DASHBOARD ARC_NOTIFICATION_PAGING_SETUP ARC_SENSOR

ARC_DESTINATION ARC_PACKAGE ARC_SLD_RES56B_UUID

ARC_DRILLDOWN_LIST ARC_PARTITION ARC_SRP_REPORT

ARC_EVENT_ANNOTATION_P ARC_PARTITION_VIEWS ARC_TC_NEW

ARC_EVENT_PAYLOAD_P ARC_PD_RUN ARC_TC_TRUSTY_R

ARC_GROUP ARC_PDERUN_NODES ARC_VIEWCONF

ARC_KBARTICLE ARC_QUERY_GROUP

ARC_LUCENE_FILE ARC_REPORT


All the resources or resource groups listed above can be accessed from the database, and each resource provides its respective data, which can be used for different purposes.


7. FEEDBACK

If you have comments about this document, you can contact the author by email. Please send your email with the subject “Feedback on Access to ESM Database for External Visualization”.

Feedback to be sent to [email protected]

Your feedback will help make this document more beneficial to everyone!

Pavan Raja
C|EH, CCSK