HP ArcSight Logger In 2 Hours

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 23 min read

Summary:

The text is focused on various methods of querying and analyzing network traffic and log data using ArcSight Logger. The main functions involve extracting specific fields from events for more detailed analysis, performing quick overviews, and generating charts based on different criteria. These functionalities can be categorized as follows:

1. **Event Queries and Analysis**:

  • **NetFlow Traffic Analysis**: Users perform queries to extract specific fields such as destination ports or byte counts for network traffic data, which are then used to create charts or graphs for better visualization and analysis of the traffic patterns.

  • **Firewall Traffic Analysis**: The tool allows users to query source addresses for firewall traffic, summing up bytes attributed to these addresses and displaying them in a chart. This aids in understanding network usage by specific devices or IPs.

  • **Blue Coat Events**: Users can perform searches related to Blue Coat events and extract search terms from those events, which are particularly useful for understanding user queries via network traffic data.

2. **Quick Overviews**:

  • **Device Vendor and Product Identification**: The tool provides quick overviews that list top device vendors and products using simple commands, helping in identifying the hardware and software infrastructure involved in the network setup.

  • **Connector Versions**: It also lists versions of connectors (data collection interfaces) to ensure compatibility and update status across various devices or systems feeding data into the logging tool.

3. **Data Aggregation and Visualization**:

  • **Chart Commands for NetFlow Traffic**: Users can generate charts based on the count of events by destination port, sorting them if needed, which aids in understanding where most traffic is directed.

  • **Byte Count Charts**: Average byte counts (in and out) are plotted every 30 seconds, providing a real-time or near-real-time view of network bandwidth usage.

  • **Source Address Summaries**: Total bytes attributed to source addresses are summed up and displayed in charts, useful for auditing purposes and understanding the data flow from different origins.

4. **Specific Searches and Extractions**:

  • **Blue Coat Events on Google Search Query**: Extracts search terms from Blue Coat events related to Google searches, which is valuable for interpreting user behavior through network traffic without directly monitoring browser activity.

Summary of Commands and Queries:

The text outlines various commands and queries used within the ArcSight Logger tool to analyze NetFlow traffic, firewall logs, and authentication details. These include:

  • **TippingPoint Events per Hour**: Sums up events from TippingPoint devices over an hourly span based on "deviceVersion".

  • **Failed Logins by User**: Filters for failed login attempts where the authentication category outcome is failure and the destination user name is not null.

  • **Top NetFlow Destination Ports**: Identifies the top 20 destination ports in NetFlow data from Cisco devices, filtered by positive destination port numbers.

  • **Products with Recent Changes**: Finds products modified recently under the "/Modify/Configuration" behavior category.

  • **Events Count by Source**: Aggregates events from different sources per product or device, excluding ArcSight, and sorts them based on the count of baseEventCount.

  • **Blue Coat Bytes In/Out**: Extracts data for Blue Coat devices including bytes in and out, filtering out entries with "windowsupdate" destination hosts and sorting results by these metrics.

These commands are designed to help users efficiently extract meaningful insights from network traffic logs, providing detailed overviews of system behavior, security events, and user activities through the network.

Details:

"HP ArcSight Logger in 2 Hours" is a guide that introduces the basics of conducting forensic investigations using HP ArcSight, a software tool designed for security information and event management (SIEM). The book covers how to use ArcSight Logger, which helps simplify complex security infrastructures by reducing costs and risks. The document provides a table of contents with sections on deployment scenarios, logger appliance configuration, introduction to the interface, connecting to the user interface, preparing the system for specific use cases like failed logons, configuring connectors, and conducting searches and analyses. The guide is authored by Brian Wolff, who holds credentials as CISSP (Certified Information Systems Security Professional) and MBA (Master of Business Administration). Overall, "HP ArcSight Logger in 2 Hours" serves as a quick reference for users to get started with HP ArcSight's main component for forensic investigations.

ArcSight Logger is free, downloadable software designed for log management and security purposes. It allows users to collect up to 750 MB of log data per day and store up to 500 GB of uncompressed logs with an average compression ratio of 10:1. The software provides access to enterprise-class features for a full 12 months, after which users can upgrade to the enterprise version if needed. It collects information from any system generating log data and processes it according to user preference.

The document provides an overview of ArcSight Logger, a high-performance log data repository designed to facilitate faster forensic analysis and compliance with multiple regulations. Unlike traditional log management tools that are limited by the type of sources they can analyze or capture, or that have restricted search/reporting capabilities, ArcSight Logger is capable of capturing and analyzing all enterprise log data across various infrastructures, making it a versatile solution for different teams within an organization.

The document also highlights the differences between traditional log analysis tools and ArcSight Logger, explaining that these legacy systems were asset-centric and often required multiple products for specific functions such as security, compliance reporting, IT operations search, and application development. In contrast, ArcSight Logger is a universal log management solution capable of expanding to cover an entire enterprise when needed, providing comprehensive analytics across all logs without being limited by the type of data sources. Additionally, the document discusses the historical releases and updates for ArcSight Logger, as well as the current models available: software or appliance versions, which can be accessed via a provided link for further specifications. Lastly, it mentions that the product is currently offered as a no-cost, limited-period demo to allow users to explore its capabilities before purchasing.

The provided text is a documentation snippet from the ArcSight Logger product, detailing its deployment scenarios and configuration tasks. It outlines that the Logger should be securely deployed within the network perimeter for optimal data collection, emphasizing that it does not require other ArcSight products to function. The Logger collects events from various hardware and software via syslog and log file formats, can interoperate with ArcSight ESM for enhanced security management, and has versatile use cases such as selective forwarding to ESM or long-term storage of raw event data for compliance reasons. The configuration section further details the setup process for a Logger Appliance, including setting up network settings through a graphical user interface accessed by connecting a KVM or similar device with keyboard, monitor, and mouse. The default credentials are provided (username: admin, password: password), along with instructions to display help content and set IP addresses.

In summary, the text is about configuring an ArcSight Logger for data collection within network environments, detailing security measures, interoperability, and setup procedures using a pre-defined appliance interface.

The summarized text provides a step-by-step guide on how to configure and set up an ArcSight Logger appliance, including network configuration, license deployment, date and time settings, and DNS configuration. Here are the key points from the provided information:

1. **IP Configuration**:

  • Set the IP address (netmask 255.255.255.0) for the eth0 interface.

  • Verify IP setting with "show ip".

  • Set default gateway using "set defaultgw" to 10.0.187.1 for eth0.

  • Verify the default gateway with "show defaultgw".

  • Connect to the Logger via URL https://10.0.187.38 and check connectivity from a workstation.

2. **License Deployment**:

  • Connect to the appliance's user interface at https://10.0.187.38 using default credentials (admin/password).

  • Accept legal agreement if necessary.

  • Navigate to System Admin > License & Update, browse and upload the license file.

3. **Date and Time Configuration**:

  • Set up date and time zone:

  • Go to System Admin > Network and set the correct time zone manually or configure an NTP server for automatic updates.

  • Adjust settings on the Time/NTP tab, save changes.

4. **DNS Configuration**:

  • Navigate to System Admin > Network in the user interface.

  • Update DNS settings in the System DNS tab with primary and secondary IP addresses.

This summary captures the essential steps required for basic setup and configuration of the ArcSight Logger appliance, ensuring it is ready for deployment and use.

This passage provides a guide to setting up DNS servers and hosts file entries for configuring connectors in the ArcSight Logger system. It explains that configuring these settings is crucial when using Connectors with an ESM or Express destination, as they often rely on hostnames in their certificates. The steps include accessing System Admin from the top-level menu bar, navigating to Network, entering IP addresses and hostnames in the Hosts tab, and saving the entries. Additionally, it introduces ArcSight Logger as a log management solution designed for high event throughput and rapid data analysis. It comes in two forms: an appliance and software. The passage also mentions that Logger stores time-stamped text messages called events, which are compressed but retrievable unmodified on demand.

The text discusses the capabilities of an ArcSight Logger system designed to handle both structured and unstructured event data using the ArcSight SmartConnector framework. It explains that the Logger can receive normalized Common Event Format (CEF) events from SmartConnectors or raw, unparsed events. Multiple Loggers can collaborate in a peer network to manage high volumes of events efficiently. The system supports Syslog as a standard for event messages but is agnostic to the type of message it processes. CEF is highlighted as an industry-standard format for interoperability between devices generating log or event data, and raw events consist of details like receipt time, event time, source (host name or IP address), and unparsed message content. The Logger displays events in a tabular form and supports various methods to search and analyze these events. Users can perform full-text searches using plain English keywords, query predefined fields, or utilize regular expressions for more complex queries.
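To make the two event shapes described above concrete, here is an added example (my code, not from the guide, from HP, or from any SmartConnector) that turns a syslog-wrapped CEF line into the header fields named above plus its extension key/value pairs, and keeps anything that is not CEF as a raw event with receipt time, source host and unparsed message. The sample lines, host names and addresses are constructed; the CEF escaping rules it undoes (`\|` in the header, `\=` and `\\` in extension values) are the ones the CEF specification defines.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample lines (not from the guide): a CEF event as a SmartConnector would send
# it over syslog, and a raw line from a host that has no connector at all.
SAMPLE_CEF_LINE = (
    "Jan 18 11:07:53 dc01 CEF:0|Microsoft|Microsoft Windows|2008R2|Security:529|"
    "Logon Failure: Unknown user name or bad password|5|"
    "duser=jimmyj dhost=dc01 src=10.1.1.5 msg=Reason\\: bad password cs1Label=Logon Type cs1=3"
)
SAMPLE_RAW_LINE = "Jan 18 11:08:01 fw01 kernel: DROP IN=eth0 SRC=192.0.2.9 DST=10.0.187.38"

HEADER_FIELDS = ("deviceVendor", "deviceProduct", "deviceVersion",
                 "deviceEventClassId", "name", "severity")
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$")
# An extension key is a run of [A-Za-z0-9_.] directly followed by '=' at the start of the
# extension or after whitespace; an escaped '\=' inside a value never qualifies.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _unescape(value: str) -> str:
    """Undo CEF escaping: '\\|' -> '|', '\\=' -> '=', '\\\\' -> '\\', '\\n' -> newline; any
    other escaped character simply loses its backslash."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _split_header(cef: str) -> Tuple[List[str], str]:
    """Split the seven '|'-delimited header fields ('\\|' is a literal pipe) and return
    them together with the remainder of the line, which is the extension."""
    parts, cur, i = [], [], 0
    while i < len(cef) and len(parts) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):   # keep the escape pair for _unescape
            cur.append(cef[i:i + 2])
            i += 2
        elif ch == "|":
            parts.append("".join(cur))
            cur, i = [], i + 1
        else:
            cur.append(ch)
            i += 1
    if len(parts) != 7:
        raise ValueError("CEF header must contain seven '|'-separated fields")
    return [_unescape(p) for p in parts], cef[i:]


def _parse_extension(ext: str) -> Dict[str, str]:
    """Parse 'key=value key=value ...' where values may contain spaces and escaped '='."""
    fields: Dict[str, str] = {}
    keys = list(KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip())
    # Custom fields carry their meaning in a sibling label: cs1Label=Logon Type cs1=3
    for key, label in list(fields.items()):
        if key.endswith("Label") and key[:-5] in fields:
            fields[label] = fields[key[:-5]]
    return fields


def parse_event(line: str) -> Dict[str, str]:
    """Flatten one syslog line into a field dict: CEF lines are normalized into header
    and extension fields; anything else is kept as a raw event (receipt time, source host,
    unparsed message)."""
    event = {"raw": line}
    m = SYSLOG_RE.match(line)
    body = m.group("rest") if m else line
    if m:
        event["deviceReceiptTime"], event["sourceHost"] = m.group("ts"), m.group("host")
    if not body.startswith("CEF:"):
        event["message"] = body
        return event
    header, ext = _split_header(body)
    event["cefVersion"] = header[0].split(":", 1)[1]
    event.update(zip(HEADER_FIELDS, header[1:]))
    event.update(_parse_extension(ext))
    return event
```

Calling `parse_event(SAMPLE_CEF_LINE)` yields `deviceEventClassId` of `Security:529`, `duser` of `jimmyj` and, via the label, a `Logon Type` field of `3`; the firewall line comes back with only `sourceHost`, `deviceReceiptTime` and `message`, which is exactly the difference between a normalized and a raw event in the text above.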
The system also offers a flow-based search language that allows the chaining of multiple search commands into a pipeline format. Configuration options include querying only the primary data store by default or distributing queries across peer Loggers as needed. Results from searches can be saved either as filters for future use or as scheduled tasks to export selected events or save results to files. Logger 5.2 introduces a feature that allows saved searches to create customizable dashboards tailored to each user's preferences, enhancing personalization and usability.

The interface of Logger is designed to work with modern browsers such as Firefox and Internet Explorer. Key requirements include enabling JavaScript and cookies; for Internet Explorer users, an Adobe Flash Player plug-in is necessary. If the plug-in isn't installed, some features may be unavailable. Accessing the user interface requires a secure connection (HTTPS) using the URL format https://<hostname or IP address>:<port>. The initial login credentials for the Logger Limited Use Fee Version are 'admin' and 'password', which should be changed after first use for security purposes. The navigation across the top of each page in the interface provides essential statistics such as throughput and CPU usage, and displays the current user's name. Additional options allow users to adjust gauge ranges and collapse the gauge and logo bar to maximize screen space for search results and reports.

This text is about a software tool called "v4HP ArcSight Logger" and its user interface features. Here's a summary based on the provided text: The v4HP ArcSight Logger has several functionalities such as expanding or collapsing a bar, full-screen mode in browsers (with the F11 shortcut), and displaying relevant context-sensitive help for users. The upper right menu provides options to access more information including Help, Options, Logout, and other features like search history, operator examples, and a list of fields with operators.
The "Options" feature allows users to customize the Logger settings, such as setting the range for the EPS (Events Per Second) In and Out gauges, or selecting default start pages after login based on user preferences. The Logout option is highlighted as a security practice to prevent unauthorized access when not in use. Furthermore, the text mentions that there's a "Summary" page which serves as a global dashboard providing an overview of incoming event activity and indexing status across all Logger features. This dashboard helps users quickly assess the overall performance and health of their Logger system at a glance. Overall, this software provides a comprehensive interface with customizable settings for enhanced usability and security practices.

This text is about using Logger for searching and analyzing events, with a focus on its user interface and features. The Logger system allows users to create custom dashboards where they can see various components' status at a glance. These dashboards consist of panels such as Search Results and Monitor. The Search Results panel shows events that match specific queries; these queries can be simple or complex, involving keywords and indexed fields with Boolean expressions and regular expressions. Users input their search criteria (queries) into the Logger interface, which then searches through stored events to find matches based on user-defined parameters. Once a query is entered, Logger displays the results right on the same page where the query was typed in. The queries can be as simple or detailed as needed, and they may include constraints for specific device groups or storage groups. In summary, the system supports an intuitive search interface with advanced querying capabilities, enabling users to visualize events of interest through customizable dashboards that provide real-time status updates on Logger components like receivers, forwarders, storage, CPU, and disk.
The article provides an overview of how to build and utilize search queries within the Logger software. It outlines three methods for creating a query: typing directly into the Search text box, using the Logger's Search Builder tool, or referencing a previously saved query (filter or saved search). The article also explains that auto-suggest facilities provide suggestions based on fields in the Logger schema and metadata terms, which can help quickly construct query expressions. It then details the elements required for building a query:

  • Query Expression - specifies conditions used to select or reject events.

  • Time range - defines the time period during which events should be searched.

  • Field Set - includes specific event fields that are displayed when matches are found, such as deviceAddress and deviceReceiptTime.

Furthermore, the article explains how to save queries for future use in two ways:

  • Saved filter - saves the query expression without time range or field set information.

  • Saved search - includes both the query expression and the time range.

Lastly, it mentions that Logger offers tools like the Search Builder to assist with complex queries, providing a graphical interface for Boolean-logic condition editing.

The article describes a tool called "Search Helper" which is designed to assist users in creating effective search queries for a logging system. This tool offers several features to streamline the query creation process, including:

1. A visual representation of the conditions included in a query, allowing users to specify keywords, field-based conditions, and regular expressions easily. Additionally, it enables constraints such as device groups and storage groups to be specified within the query.

2. The tool is accessible by clicking "Advanced Search" below the search text box on the Logger interface. Users can refer to the Logger Administrator's Guide for detailed instructions on how to use this tool.

3. Another feature of the Search Helper is the Regex Helper tool, which helps users create regular expressions that can be used with the rex pipeline operator to extract specific fields from an event. This tool simplifies the process and minimizes errors by providing a user-friendly interface. Detailed information about this tool can also be found in the Logger Administrator's Guide.

4. The Search Helper provides several functionalities:

  • It allows users to view their recently run queries, enabling them to reuse these queries without typing them again.

  • It displays previously used fields with the search operator currently typed into the search text box.

  • It offers examples relevant to the latest query operator typed by the user.

  • It suggests possible next operators that often follow the current query based on common usage patterns.

  • It provides context-sensitive help for the last-listed operator in the query, providing guidance specific to the operator currently being used.

5. Finally, a list of fields and operators is provided depending on the current query, which can be filtered by typing field names or showing available operators related to the latest typed query. This feature helps users refine their search queries more accurately by providing relevant suggestions based on the context of the ongoing query.

This text is a guide for configuring a logger to accept events from a Windows Unified Connector. The steps provided are as follows:

1. **Accessing the Logger Configuration**: From the main Logger menu, hover over "Configuration" and select "Settings" from the dropdown. In the left-hand menu, go to "Event Input/Output" and then click on the "Receivers" tab. Click the "Add" button to proceed.

2. **Adding a New Receiver**:

  • Name your receiver as "Windows".

  • Select "SmartMessage Receiver" as the type.

  • Choose "Next" and then select the default encoding, followed by clicking "SAVE".

3. **Enabling the Connector**: Note that after configuration, the receiver is not enabled initially. Click on the toggle button to enable it. The status should change from "No" to a checkmark indicating that it is now enabled and ready to receive events.

4. **Configuring the Windows Unified Connector for Event Collection**: If your logger supports onboard connectors:

  • Go to "Configuration > Manage Connectors" to reveal the connector menus.

  • Click the "add Connector" icon to begin adding a new connector.

  • Proceed by clicking "Next".

The text provides instructions and screenshots for configuring both the receiver on the logger side and the connector settings on the Windows Unified Connector side, ensuring that events are collected and sent from the source to the Logger as intended.

This document provides a guide on how to set up the HP ArcSight Logger within two hours, specifically focusing on configuring the Microsoft Windows Event Log – Unified connector. Here's a summary of the steps and details mentioned in the provided text:

1. **Choose Connector Type:** Select "Microsoft Windows Event Log - Unified" as the type of connector to configure.

2. **Run Through Connector Setup:** Proceed with the setup wizard for this connector.

3. **Skip or Proceed:** If you will be entering devices manually, skip the Windows Host Browser step and click Next.

4. **Enter Devices Manually:** Choose this option by selecting "Enter Devices Manually."

5. **Add Rows for Hosts:** For each host you want to collect events from, click "Add Row" and fill in the following parameters:

  • **Domain Name:** This should be filled if using a domain user account; leave blank for local user accounts or workgroup hosts.

  • **Host Name:** The hostname or IP address of the target Windows host.

  • **User Name:** The username with appropriate privileges to collect events, without the domain name.

  • **Password:** Provide the password corresponding to the specified User Name.

6. **Configure Event Types:**

  • **Security Logs:** Select this checkbox to collect security events; deselect if not required.

  • **System Logs:** Select this checkbox to collect system events; leave unchecked if not needed.

This document is intended for users looking to quickly set up the HP ArcSight Logger for Windows event collection, detailing the necessary steps and information required for each host being monitored.

The provided text outlines a process for setting up and configuring the ArcSight Logger SmartMessage on a Windows host, focusing specifically on collecting events related to failed logon attempts in Microsoft Windows environments. Here's a summary of the steps and details mentioned:

1. **Event Collection Settings**:

  • Decide whether to collect application events; if not desired, uncheck the box. The default setting is unchecked.

  • Select the Microsoft Operating System version (e.g., Windows 2008R2).

  • Enter the locale code: possible values include 'en_US' (default), 'ja_JP', 'zh_CN', 'zh_TW', and 'fr_CA'.

2. **Installation Completion**: Click "Next" to proceed with the installation.

3. **Destination Type Selection**: Choose "ArcSight Logger SmartMessage" as the destination type for logging data.

4. **Logger Configuration**:

  • Enter the hostname or IP address of the ArcSight Logger and the receiver name, which should already be created on the logger (e.g., "Windows").

5. **Event Code Definition**: Understand the event codes related to failed logon attempts:

  • Failed logon attempts are classified by specific numbers including 529 through 540 for various reasons like unknown username/bad password, account disabled, expired password, and others.

  • Successful network logons are indicated by code 540.

  • Pre-authentication failures are noted under code 675.

  • Logon success is recorded with code 4624, while failed attempts are captured by code 4625.

  • Events for user logoff and other related activities also have defined codes (4634).

By following these steps, the system will be configured to monitor and record specific events associated with failed logon attempts in a Microsoft Windows environment using the ArcSight Logger SmartMessage solution.

This text discusses using ArcSight for log analysis, particularly focusing on security events. It explains how to perform a simple text search for specific event codes like "Security:529" or Windows 2008's "Microsoft-Windows-Security-Auditing:4625". The system is designed to be user-friendly, not requiring expertise in each product's security codes; instead, it uses categorization to simplify the process. The text provides step-by-step instructions on how to use ArcSight for searching and analyzing events. It instructs the user to mouse over "Analyze" and select "Search", then enter the event codes into the search area. The results are displayed after meeting the query criteria, ready for further review or analysis. It also explains how to change the presentation of the search results by choosing a display set in the fields section. To do this, click on the drop-down box next to "Fields:" and select the "Categories" field set. The text mentions that categorization is used to help understand the nature of the information sought after; for example, Security:529 is categorized under various categories including Behaviour/Authentication/Verify, DeviceGroup/Operating System, Object/Host/Operating System, Outcome/Failure, and Significance/Information/Warning. For Windows 2008's specific event (Microsoft-Windows-Security-Auditing:4625), it follows a similar categorization process. The text highlights the usefulness of categorization in simplifying complex log analysis without needing to understand each vendor's individual coding of events, making it more accessible for users.

The text provides a guide for using a search feature within a software tool, specifically designed for security event management (SEM). Here's a summary of the key steps and actions described in the text:

1. **Search Setup**:

  • Navigate to a specific section related to authentication failures.

  • Replace default placeholder text "Security:529" with "/Authentication/Verify and /Failure".

  • Click "Go" to execute the search.

2. **Expanding Search Criteria**:

  • The search results now include events from all vendors, not just Microsoft. This includes entries from UNIX and Tipping Point.

  • When hovering over an entry (e.g., "Unix"), matching events are highlighted across the interface.

  • Clicking on a specific device or product under the column can modify the search to focus on that particular item (e.g., changing to "Microsoft").

3. **Structured Search**:

  • Add a structured search element by typing in the normalized column name after setting up the free-form text search.

  • Alternatively, use ALT-Click to add a NOT condition if needed.

  • This narrows down the results to only those events containing specific device or product names (e.g., "deviceProduct CONTAINS 'Microsoft'").

4. **Saving Searches**:

  • Save the modified search query with a meaningful name like "Microsoft Authentication Failures".

  • Personalize saved queries by adding initials in the description for easy identification.

5. **Field Summary**:

  • The field summary provides a quick overview of returned events without manual counting.

  • Expand this window to view detailed information about these events.
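The pieces of this section (the category fields that Security:529 and 4625 are mapped to, a free-text search such as `/Authentication/Verify and /Failure` that therefore matches UNIX and Microsoft failures alike, the structured `deviceProduct CONTAINS "Microsoft"` condition, the ALT-Click NOT condition, and the field summary counts) can be modelled together. The following is an added Python example, my own code and not the guide's or Logger's implementation: it attaches the category values listed above to a handful of constructed, already-normalized events and evaluates queries over them. The category rows for Security:533, Security:540 and the UNIX sshd event (including its class id `sshd:failed-password`) and every sample event are my assumptions, not values from the page.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

Event = Dict[str, str]

# Constructed categorization table. The page lists these category values for Security:529
# and says 4625 is categorized the same way; the rows for Security:533, Security:540 and the
# UNIX sshd failure are my assumptions of how a SmartConnector would categorize them.
AUTH_FAILURE = {"categoryBehavior": "/Authentication/Verify",
                "categoryDeviceGroup": "/Operating System",
                "categoryObject": "/Host/Operating System",
                "categoryOutcome": "/Failure",
                "categorySignificance": "/Informational/Warning"}
AUTH_SUCCESS = {**AUTH_FAILURE, "categoryOutcome": "/Success",
                "categorySignificance": "/Informational"}
CATEGORY_TABLE = {
    ("Microsoft", "Security:529"): AUTH_FAILURE,
    ("Microsoft", "Security:533"): AUTH_FAILURE,
    ("Microsoft", "Microsoft-Windows-Security-Auditing:4625"): AUTH_FAILURE,
    ("Microsoft", "Security:540"): AUTH_SUCCESS,
    ("Unix", "sshd:failed-password"): AUTH_FAILURE,   # constructed class id
}

# Constructed events as a connector would deliver them, before categorization.
SAMPLE_EVENTS: List[Event] = [
    {"deviceVendor": "Microsoft", "deviceProduct": "Microsoft Windows",
     "deviceEventClassId": "Security:529", "destinationUserName": "jimmyj", "deviceAddress": "10.1.1.5"},
    {"deviceVendor": "Microsoft", "deviceProduct": "Microsoft Windows",
     "deviceEventClassId": "Security:533", "destinationUserName": "bob", "deviceAddress": "10.1.1.5"},
    {"deviceVendor": "Microsoft", "deviceProduct": "Microsoft Windows",
     "deviceEventClassId": "Microsoft-Windows-Security-Auditing:4625",
     "destinationUserName": "jimmyj", "deviceAddress": "10.1.1.9"},
    {"deviceVendor": "Microsoft", "deviceProduct": "Microsoft Windows",
     "deviceEventClassId": "Security:540", "destinationUserName": "alice", "deviceAddress": "10.1.1.9"},
    {"deviceVendor": "Unix", "deviceProduct": "Unix",
     "deviceEventClassId": "sshd:failed-password", "destinationUserName": "root", "deviceAddress": "10.1.1.20"},
    {"deviceVendor": "Cisco", "deviceProduct": "NetFlow",
     "deviceEventClassId": "flow", "destinationPort": "443", "deviceAddress": "10.1.1.1"},
]


def categorize(event: Event) -> Event:
    """Attach vendor-neutral category fields so a search need not know each vendor's codes."""
    cats = CATEGORY_TABLE.get((event.get("deviceVendor"), event.get("deviceEventClassId")), {})
    return {**event, **cats}


@dataclass
class Condition:          # structured term, e.g. deviceProduct CONTAINS "Microsoft"
    name: str
    value: str
    negate: bool = False  # the ALT-Click NOT condition


@dataclass
class Query:
    keywords: List[str] = field(default_factory=list)        # free-text terms, all must match
    conditions: List[Condition] = field(default_factory=list)


def matches(event: Event, query: Query) -> bool:
    """Keywords match case-insensitively anywhere in the event; conditions use CONTAINS."""
    blob = " ".join(event.values()).lower()
    if not all(kw.lower() in blob for kw in query.keywords):
        return False
    for cond in query.conditions:
        hit = cond.value.lower() in event.get(cond.name, "").lower()
        if hit == cond.negate:      # a hit on a NOT condition, or a miss on a plain one
            return False
    return True


def search(events: List[Event], query: Query) -> List[Event]:
    return [ev for ev in events if matches(ev, query)]


def field_summary(events: List[Event], name: str) -> Dict[str, int]:
    """Counts per distinct value, as the Field Summary panel shows them."""
    return dict(Counter(ev[name] for ev in events if name in ev))
```

With the events categorized, `Query(keywords=["/Authentication/Verify", "/Failure"])` returns the three Microsoft failures and the UNIX one (the successful 540 logon and the NetFlow record drop out), `field_summary(..., "deviceVendor")` gives Microsoft 3 and Unix 1, adding `Condition("deviceProduct", "Microsoft")` narrows to three, and a negated `Condition("deviceEventClassId", "533", negate=True)` removes the Security:533 event.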

This guide helps users efficiently set up and customize searches within the software, making it easier to manage and analyze security-related events from various sources.

The provided text describes a process for using an ArcSight Logger to analyze security events, focusing on specific criteria such as Security:533 and user activities like "jimmyj". Here's a summary of the steps outlined in the text:

1. **Filtering by Event Type**: Initially, the analysis is based on different values under deviceEventClassId, with one particular interest being "Security:533". The query automatically adjusts to include only events related to authentication and failures along with devices containing "Microsoft".

2. **Chart Creation**: By selecting "Security:533" in the event type filter, a chart is generated by time based on this specific criterion. To enhance interpretation, switch the chart style from the default to "Line" for better visualization.

3. **Restoring Original Query**: The original query can be restored and further explored by toggling between different fields and settings using the interface provided.

4. **Focusing on a Specific User**: To focus on activities related to a particular user, such as "jimmyj", add this username to the search criteria within the destinationUserName field after clearing other filters. This adjusts the query to show all events involving "jimmyj".

5. **Adjusting Display and Timeframe**: Modify the display fields to include all available fields and adjust the start time to cover the last hour for relevant data.

6. **Switching Focus to IP Address**: If interested, switch the analysis from user-based activities to those associated with a specific IP address by entering the IP in the deviceAddress field. This allows tracking of events related to that particular IP across different feeds and devices.

7. **Final Query**: The final query is set up to track all network activity originating from the specified IP address "10.1.1.5", showing comprehensive data for this specific criterion.

The text provides a practical guide on how to use ArcSight Logger effectively, adjusting search criteria and visualizing results based on different parameters such as user actions, event types, and device details.

The passage provides a guide for using the Live Event Viewer and creating a Data Monitor within the ArcSight Logger tool, as well as saving visualizations for future reference. Here's a summary of the key points:

1. **Live Event Viewer**: Users can view events in real time, similar to the UNIX `tail -f` command, by choosing Analyze > Live Event Viewer. They need to enter specific search terms such as "Security:529" to filter relevant events.

2. **Dashboards and Data Monitors**: The passage explains how to create a dashboard for monitoring Windows logon failures, specifically the last 10 logon failures where Microsoft products are involved. This is achieved by setting up a Data Monitor with specific conditions in the behavior category like "/Authentication/Verify" leading to failure ("/Failure"), excluding null destination usernames, and optionally filtering by `deviceProduct CONTAINS "Microsoft"`.

3. **Charting**: Users can choose between displaying data as "Values by Time" or "Top Values", which automatically generates a chart based on the search criteria entered: `/Authentication/Verify AND /Failure AND deviceProduct CONTAINS Microsoft`. The Field Summary option is available for "Top values" but not for time-based charts.

4. **Saving Visualizations**: Users can save any created visualizations, like the logon failure chart, to use in future dashboards or reports. This is done by clicking on the appropriate icon after setting up the Data Monitor or Live Event Viewer as needed.
The passage assumes familiarity with ArcSight Logger and focuses on enhancing real-time monitoring and reporting capabilities through these tools.

To summarize, you need to follow these steps for creating a new dashboard in the v4HP ArcSight Logger system:

1. **Access the Dashboard Panel**: Click on "Dashboard" to access the panel where you can manage your dashboards.

2. **Select Saved Search**: Choose "Microsoft Authentication Failures" by reusing the query, or create a new one if needed.

3. **Create New Dashboard**:

  • Enter "Microsoft Related Events" as the dashboard name.

  • Checkmark to add both types of events.

4. **Change Chart Type**: Set the chart type to "Pie."

5. **Save the Dashboard**: Click on "Save," and confirm the message popup by choosing "OK."

6. **View on Search Page**: Click on "View on Search Page" to open the Analyze tab where you can adjust your query:

  • Modify the query to: `(/Authentication/Verify and /Failure AND deviceProduct CONTAINS "Microsoft") | top destinationUserName`.

7. **Change Chart Type Again**: Set the chart type back to a Pie Chart.

8. **Save the Changes**: Click on "SAVE" again.

9. **Adjust Display Format**: Go to the Tools section, select "Change Layout," and then choose "Save."

10. **Switch Back to Dashboards**: In the Dashboard tab, change the dropdown to "Microsoft Related Events."

By following these steps, you will have successfully created a new dashboard tailored for Microsoft-related events in your v4HP ArcSight Logger system.

This text is a guide for customizing a report using ArcSight Logger software. The process involves selecting and modifying an existing report to fit specific needs, such as changing event queries or names. Here's a summary of the steps:

1. **Run the Default Report**: Click on "Quick Run with default options" and choose "Run Now". You can save this report in various formats like .csv, .pdf, etc., or email/publish it.

2. **Customize the Report**:

  • Go to Reports from the Menu, then click on Report Explorer under Navigation.

  • Choose "Operating System" and select "OS-Login Errors by User". Click on "Customize Report".

  • Save this report under a new name, for example "OS-Login Failure by User", making sure it is saved in the Default Reports group to avoid conflicts with supplied updates.

3. **Modify the Query**:

  • Go to the Query Editor and save the current query under a new name (e.g., OS-Login Failures by User).

  • Change the "Query Object" from Operating System to OS-Login Failures by User, then adjust the where clause:

  • Uncheck "Load in New Window", click edit, and update the WHERE clause to filter events related to warnings (from /Informational/Error to /Informational/Warning).

  • Add three more conditions for category device group, behavior, significance, outcome, and device vendor.

  • Click OK after making changes; since you saved the prior query under a new name, simply click "SAVE" again.

This part of the text is a guide to using pipeline operators in HP ArcSight Logger (v4 guide). Its purpose appears to be to explain how to configure and run reports and how to use the various pipeline operators. Here is the summary:

1. **Default Reports Query Group**: Place the new query in the "Default Reports" query group in the software interface, then close the window.

2. **AdHoc Report**: The report should reappear; change its query from the current one to the new query titled "OS-Login Failures by User".

3. **Selecting All Fields**: Click on the fields to select all of them for the report.

4. **Save and Run the Report**: Save the changes, click OK, preview the report, and then run it by clicking "Run Now".

5. **Choosing and Running a Specific Report**: Navigate to "Reports" > "Report Explorer" and select "Operating System" in the reports column. From there, choose "OS-Login Failure by User" under the "Operating System" column and run it with default settings using "Run Now".

6. **Pipeline Operators**: The guide explains that pipeline operators refine searches for specific information within logs or events. These operators include keys, extract, fields, regex, rename, replace, rex, and transaction. Each serves a different purpose in processing raw data from security events:

  • Keys: Identifies and extracts specific parts of the data based on delimiters.

  • Extract: Pulls out key-value pairs from the event data.

  • Fields: Includes or excludes certain fields as needed for the search.

  • Regex: Selects events that match a defined regular expression pattern.

  • Rename: Renames CEF fields or rex-extracted fields to more readable names.

  • Replace: Substitutes specified strings within selected fields with new ones.

  • Rex: Extracts values based on predefined regex patterns.

  • Transaction: Groups events that share similar values in specific fields, useful for tracking related sequences of events (like login attempts).
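As an added example (not code from the page or from ArcSight), the Python script below mimics a few of these operators over constructed CEF events: `extract` pulls the key=value pairs out of the CEF extension (honouring the `\=` and `\|` escapes), `rex` adds a field from a regex named group (here the `q=` search term of a Blue Coat request URL, as in the page's Blue Coat example), and `chart_sum` totals bytes per source address as in the firewall example. The function names and the sample events are my own.

```python
import re
from collections import defaultdict
# Constructed sample CEF events (not taken from the page). After the seventh
# unescaped "|" comes the extension: key=value pairs, with "=" and "\" escaped.
SAMPLE_EVENTS = [
    "CEF:0|Blue Coat|ProxySG|6.5|TCP_HIT|Web access|3|src=10.1.1.5 dhost=www.google.com "
    "request=http://www.google.com/search?q\\=arcsight+logger&hl\\=en",
    "CEF:0|Blue Coat|ProxySG|6.5|TCP_MISS|Web access|3|src=10.1.1.7 dhost=www.google.com "
    "request=http://www.google.com/search?q\\=cef+format",
    "CEF:0|Cisco|NetFlow|9|flow|Flow record|1|src=10.1.1.5 dst=192.0.2.10 dpt=443 in=1200 out=300",
    "CEF:0|Cisco|NetFlow|9|flow|Flow record|1|src=10.1.1.7 dst=192.0.2.10 dpt=443 in=800",
    "CEF:0|Cisco|NetFlow|9|flow|Flow record|1|src=10.1.1.5 dst=192.0.2.11 dpt=53 in=100",
]
HEADER = ("cefVersion", "deviceVendor", "deviceProduct", "deviceVersion",
          "signatureId", "name", "severity")
PIPE = re.compile(r"(?<!\\)\|")  # a "|" that is not escaped
# key=value, where the value runs until the next " key=" or the end of the line;
# "\x" pairs are consumed together, so an escaped "\=" inside a value never starts a key.
KV_PAIR = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|$)")

def extract(raw):
    """Like Logger's 'extract': header fields plus the extension's key=value pairs."""
    parts = PIPE.split(raw, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF event: %r" % raw[:40])
    event = {k: v.replace("\\|", "|") for k, v in zip(HEADER, parts[:7])}
    for key, value in KV_PAIR.findall(parts[7]):
        event[key] = re.sub(r"\\(.)", r"\1", value)  # undo \= and \\ escaping
    return event

def rex(events, field, pattern):
    """Like 'rex': add each named group of the regex as a new field when it matches."""
    rx = re.compile(pattern)
    out = []
    for ev in events:
        m = rx.search(ev.get(field, ""))
        out.append({**ev, **m.groupdict()} if m else dict(ev))
    return out

def chart_sum(events, value_field, by):
    """Like 'chart sum(value) by key': per-group totals of a numeric field, largest first."""
    totals = defaultdict(int)
    for ev in events:
        if value_field in ev and by in ev:
            totals[ev[by]] += int(ev[value_field])
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

EVENTS = [extract(line) for line in SAMPLE_EVENTS]
# the page's Blue Coat example: pull the Google search term out of the request URL
SEARCHES = rex(EVENTS, "request", r"[?&]q=(?P<searchTerm>[^&\s]*)")
```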

This guide provides a step-by-step breakdown of how to set up and run reports and of the pipeline operators, emphasizing their importance in refining search results by various criteria.

The summarized content then gives an overview and examples of search expressions in HP ArcSight Logger (v4 guide). Here is a breakdown:

  • **Event Counts**: This feature displays the number of events in transactions, allowing users to track metrics like destination ports in Netflow traffic or source addresses responsible for firewall traffic.

  • **Field-based Operators**: These allow users to perform operations on raw event data using pipeline operators such as rex (regular expression) and extract. This enables more detailed analysis by extracting specific fields from events.

  • **Example Searches**:

      • **Destination Ports in Netflow Traffic**: Users can chart the count of events by destination port, sorting them if necessary.

      • **Byte Counts for Netflow Traffic**: Average byte counts (in and out) are plotted every 30 seconds.

      • **Source Addresses for Firewall Traffic**: Total bytes attributed to source addresses are summed and displayed in a chart.

  • **Specific Searches**:

      • **Blue Coat Events on Google Search Query**: Extracts the search term from Blue Coat events related to Google searches, useful for understanding user queries through network traffic data.

  • **Quick Overviews**:

      • **Device Vendors and Products**: Displays the top device vendors and products using simple commands.

      • **Connector Versions**: Lists versions of the connectors reporting into the Logger.

These examples demonstrate how to leverage field-based operators, perform specific searches, and generate quick overviews in ArcSight Logger for effective network traffic analysis.

The next part of the text summarizes various queries and commands used within Logger for network security and logging. Here is a breakdown of what is discussed:

1. **TippingPoint Events per Hour**:

  • A query to sum up the number of events from TippingPoint devices over an hourly span, represented by "deviceVersion" in the text.

2. **Failed Logins by User**:

  • A command that retrieves data related to failed login attempts, specifically those where the authentication category outcome is failure and the destination user name is not null. This is done using a specific filter applied to the logs.

3. **Top NetFlow Destination Ports**:

  • Another query focuses on identifying the top 20 destination ports used in NetFlow data from Cisco NetFlow devices, filtered by those having a positive destination port number.

4. **Products with Recent Changes**:

  • A command to find out which products have undergone modifications recently, specifically within the "/Modify/Configuration" category of behavior. This is done using a regex-based filter applied to the logs.

5. **Top 20 Products by Event Count (Aggregation)**:

  • The text provides two methods for finding the top 20 products by event count:

      • A straightforward count query that lists all products except ArcSight, but does not account for aggregation of events.

      • A more detailed method using a chart command to aggregate and sort these products by their event counts across devices.

6. **Events Count by Source**:

  • This involves aggregating the number of events from different sources per product or device, excluding ArcSight, and sorting them in descending order based on the count of baseEventCount.

7. **Blue Coat Bytes In/Out**:

  • A query that specifically targets data related to Blue Coat devices for network traffic statistics such as bytes in and out (TTLBytesIn and TTLBytesOut), excluding entries with "windowsupdate" in their destination host names, and sorting the results by these metrics.

These commands and queries are crucial for analyzing large volumes of log data efficiently, providing insight into system behavior, security incidents, and network traffic patterns.

The final part of the text outlines the criteria and operations of a query over authentication transactions. Here is a summary:

1. **Criteria**: The query selects events whose behavior is "/Authentication/Verify" and whose outcome indicates success ("/Success"); in addition, "destinationUserName" must be non-null.

2. **Data Handling**:

  • The query involves both "transaction" (presumably the transaction operator, which groups related events) and "deviceProduct".

  • Duplicates are then removed based on the combination of "deviceProduct" and "destinationUserName".

  • After deduplication, the results are sorted primarily by "deviceProduct" and secondarily by "destinationUserName".

3. **Time Frame**: The grouping applies within a time span of up to 2 hours (maxspan=2h).

4. **Copyright Information**: The text is attributed to Brian Wolff and dated April 10, 2014, with version number v4.

This summary captures the core logic and operations encoded in the criteria for handling transaction data related to authentication success.
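As an added example (my own Python, not the page's query or ArcSight code), the script below runs the criteria above over constructed logon events: it keeps successful /Authentication/Verify events with a non-null destinationUserName, groups them into transactions keyed on deviceProduct and destinationUserName with a 2-hour maxspan, deduplicates on the same two fields and sorts. How a maxspan boundary closes a transaction and which duplicate dedup keeps are my reading of the operators, not verified against Logger.

```python
from datetime import datetime, timedelta

def ev(t, product, user, outcome="/Success"):
    """Build a constructed event carrying the fields the page's query uses."""
    return {"t": datetime.strptime(t, "%Y-%m-%d %H:%M"), "deviceProduct": product,
            "destinationUserName": user, "categoryBehavior": "/Authentication/Verify",
            "categoryOutcome": outcome}

# Constructed sample events (not from the page); alice's 10:30 logon falls more than
# 2 hours after her first one, so it must start a second transaction.
SAMPLE_EVENTS = [
    ev("2014-04-10 08:00", "Microsoft Windows", "alice"),
    ev("2014-04-10 08:45", "Microsoft Windows", "alice"),
    ev("2014-04-10 09:10", "Microsoft Windows", "bob", outcome="/Failure"),  # filtered out
    ev("2014-04-10 10:30", "Microsoft Windows", "alice"),
    ev("2014-04-10 07:30", "Cisco ASA", "bob"),
    ev("2014-04-10 07:40", "Cisco ASA", None),  # null user, filtered out
]
KEYS = ("deviceProduct", "destinationUserName")

def matches(e):
    """The page's criteria: /Authentication/Verify, /Success, non-null destinationUserName."""
    return (e["categoryBehavior"] == "/Authentication/Verify"
            and e["categoryOutcome"] == "/Success" and e["destinationUserName"] is not None)

def transactions(events, maxspan_hours=2):
    """Group matching events sharing KEYS in time order; an event more than maxspan after
    the group's first event closes the group and opens a new one (my reading of maxspan)."""
    maxspan, open_tx, result = timedelta(hours=maxspan_hours), {}, []
    for e in sorted(filter(matches, events), key=lambda x: x["t"]):
        k = tuple(e[f] for f in KEYS)
        tx = open_tx.get(k)
        if tx is None or e["t"] - tx["start"] > maxspan:
            tx = dict(zip(KEYS, k), start=e["t"], end=e["t"], eventcount=0)
            open_tx[k] = tx
            result.append(tx)
        tx["end"], tx["eventcount"] = e["t"], tx["eventcount"] + 1
    return result

def dedup(rows, keys):
    """Like 'dedup': keep the first row seen per key combination (Logger's choice may differ)."""
    seen, out = set(), []
    for r in rows:
        k = tuple(r[f] for f in keys)
        if k not in seen:
            seen.add(k)
            out.append(r)
    return out

def pipeline(events, maxspan_hours=2):
    """transaction ... maxspan=2h | dedup deviceProduct destinationUserName | sort (same fields)"""
    rows = dedup(transactions(events, maxspan_hours), KEYS)
    return sorted(rows, key=lambda r: (r["deviceProduct"], r["destinationUserName"]))
```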

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
