
ArcSight

ArcSight
. ArcSight
6.4.5.77.5.5 . 3504
. CentOS 7.3
3504 .


ArcSight

Attack Count by Severity
Attacks by Attacker
Attacks for a Day
Attacks for a Target
Top 10 Attack Signatures
Top 10 Attacked Hosts
Top 10 Intruders

Trend Report for a Specific Event
Destination IP Address Report
Event Name Report
Events for an IP (Source or Target)
Notification Log
Severity Trend by Day

Event Severity Trend Reports:1

Event Type/Category Trend Reports:3

Alerts Trend Reports:4

Rolling Year Summary


Report modification and authoring

Bots, Worms, and Virus Reporting
Hacker Detection

Bandwidth Hogs and Policy Violation Reporting

Unauthorized Application and System Access Detection


VPN Sneak Attack Detection


System and User Impact

Compliance Audit Support




ArcSight5.3

Device Monitoring

AntiVirus
o Errors Detected in Anti-Virus Deployments
o Failed Anti-Virus Updates
o Top Infected Systems
o Update Summary
o Virus Activity by Hour

CrossDevice
o Bandwidth Usage by Hour
o Bandwidth Usage by Protocol
o By User Account Accounts Created
o Configuration Changes by Type
o Configuration Changes by User
o Failed Login Attempts
o Failed Logins by Destination Address
o Failed Logins by Source Address
o Failed Logins by User
o Login Event Audit
o Password Changes
o Successful Logins by Destination Address
o Successful Logins by Source Address
o Successful Logins by User
o Top Bandwidth Hosts
o Top Hosts by Number of Connections

Database
o Database Errors and Warnings

Firewall
o Denied Connections by Address
o Denied Connections by Port
o Denied Connections per Hour

IDS-IPS
o Alert Counts by Device
o Alert Counts by Port
o Alert Counts by Severity
o Alert Counts by Type
o Alert Counts per Hour
o Top Alert Destinations
o Top Alert Sources
o Top Alerts from IDS and IPS
o Worm Infected Systems

Identity Management
o Connection Counts by User

Network
o Device Critical Events
o Device Errors
o Device Events
o Device Interface Down Notifications
o Device Interface Status Messages
o Device SNMP Authentication Failures

Operating System
o Login Errors by User
o User Administration

VPN
o Authentication Errors
o Connection Counts by User
o Connections Accepted by Address
o Connections Denied by Address
o Connections Denied by Hour

Foundation

Configuration Monitoring
o Accounts Created by User
o Accounts Deleted by User
o Accounts Deleted by Host
o Anti-Virus Updates-All-Failed
o Anti-Virus Updates-All-Summary
o Asset Startup and Shutdown Event Log
o Device Configuration Changes
o Device Configuration Events
o Device Misconfiguration Events
o Device Misconfigurations
o Password Changes
o Vulnerability Scanner Logs by Host
o Vulnerability Scanner Logs by Vulnerability

Intrusion Monitoring
o Device Interface Down Notification
o Firewall Traffic by Service
o Least Common Events
o Most Common Events
o Most Common Events by Severity
o Probes on Blocked Ports by Source
o Security DashBoardReport
o SecurityDBReport
o Top IDS Attack Events
o Top IDS Events
o Top Machines Traversing Firewall
o Top Web Traffic
o Windows Events
o Worm Infected Systems
Attackers
o Bottom Sources
o Source Counts by Destination
o Source Counts by Destination Port
o Source Counts by Device
o Source Counts by Device Severity
o Source Counts by Source Port
o Source Port Counts
o Top 10 Talkers
o Top Attack Sources
o Top Attacker Detail
o Top Attacker Details
o Top Attacker Ports
o Top Attackers
o Top Sources Detected by Snort
o Top Sources Traversing Firewalls
Resource Access
o Access Events by Resources
o Least Common Accessed Ports
o Resource Access by Users Failure
o Resource Access by Users Successes-Attempts
o Top Machines Accessing the Web
Targets
o Attacks Events by Destination
o Bottom Destinations
o Bottom Targets
o Destination Counts by Device Severity
o Destination Counts by Event Name
o Target Counts by Severity
o Target Counts by Source
o Target Counts by Source Port
o Target Counts by Target port
o Target Port Counts
o Top Destination Ports
o Top Destination Across Firewalls
o Top Destination in IDS Events
o Top Targets
User Tracking
o Common Account Login Failures by Source
o Number of Failed Logins
o Top User Logins
o Top Users with Failed Logins
o User Activity

Netflow Monitoring
o Daily Bandwidth Usage
o Hourly Bandwidth Usage
o Top Bandwidth Usage by Destination
o Top Bandwidth Usage by Destination Port
o Top Bandwidth Usage by Source

Network Monitoring
o Top VPN Accesses by User
o Top VPN Event Destinations
o Top VPN Event Sources
o Top VPN Events
o Traffic Statistics
o VPN Connection Attempts
o VPN Connection Failures


SANS Top 5

Attempts to Gain Access through Existing Accounts
o Number of Failed Logins
o Top Users with Failed Logins

Failed File or Resource Access Attempts
o Failed Resource Access by User
o Failed Resource Access Events

Unauthorized Changes to Users Groups and Services
o Account Modification
o Password Changes
o User Account Creations
o User Account Deletions
o User Account Modifications

Systems Most Vulnerable to Attack
o Vulnerability Scanner Logs by Host
o Vulnerability Scanner Logs by Vulnerability

Suspicious or Unauthorized Network Traffic Patterns
o Alerts from IDS
o IDS Signature Destinations
o IDS Signature Sources
o Top 10 Talkers
o Top 10 Types of Traffic
o Top Alerts from IDS
o Top Destination IPs
o Top IDS Signature Destinations
o Top IDS Signature Sources
o Top Target IPs
