The primary principle of navigating in the ArcSight Console is to use the Navigator panel to locate and manage security resources, and the Viewer and Inspect/Edit panels to analyze resource data and view or adjust the attributes of the resources producing the data.
Figure : The Navigator panel showing the Dashboards resource tree
Using the Navigator panel consists of:
Choosing a resource tree from the drop-down list.
Expanding (+) and collapsing (-) resource groups to locate particular subgroups or individual resources. (You can also use the keyboard right arrow key to expand and left arrow key to collapse the Navigator resource trees.)
Right-clicking groups or individual resources to choose from their context menus.
Using the Viewer or Inspect/Edit panels to see or act on the results of the context menu commands.
The resources available to you in the Navigator panel can be affected by your user type. Browsing the resource trees established for your enterprise is a good way to become familiar with both your environment and the ArcSight Console's capabilities.
Navigator Panel Resource Tree
Using SmartFolders
ArcSight has special, automatically maintained folders to track the results of your case searches or to track your currently selected replay rules and currently running reports. When you create them, these folders appear just below the root of each resource type in the Navigator, prefixed with your ArcSight user name.
Creating a Case-Search SmartFolder
To create a case-search SmartFolder:
1 Right-click a folder in the Cases tree and choose New Search Group in the context menu to open the Search Group Editor.
2 Use the Editor to define a search that updates dynamically each time a change occurs to one of your cases. A given group contains the result of this search when it is applied to those cases.
Creating a Reports SmartFolder
The Reports tree in the Navigator panel shows a folder for each user name and the suffix "Reports." These folders list the reports that user is applying, and the right-click context menu offers the commands available for those reports. These folders are maintained automatically and you cannot change them. You can use this feature to control report runs. For example, if a report is running too long and you would like to end it, right-click it and choose Stop Report.
Editing Groups
You can group resource types in the Navigator panel to help you organize and manage them. Groups can also be hierarchical, resulting in "trees" of resources. Apart from the characteristics of the resources involved, such as assets or vulnerabilities, each group identity has certain properties you can edit in the Group Editor.
Editing a Group
To edit a group:
1 In the Navigator panel, right-click a resource group and choose Edit Group.
2 In the Group Editor, click the Value fields for the group attributes you want to change.
3 Click Apply to put your changes into effect but leave the editor open. Click OK to apply your changes and also close the editor.
Fields containing system information (like Creation Time) are not editable.
See “Reference Pages” on page 973 for more about using the Group Page and Member's Page fields. See “Scheduling Jobs” on page 989 for information about scheduling tasks or "jobs" for reports (individually or by group), rules, or pattern discovery snapshots.
Categories Tab
The Group Editor for groups in the Assets tab of the Assets resource tree has an additional Categories tab. This tab has two sub panels: Local Asset Categories and Inherited Asset Categories. "Local" shows assets that are explicitly assigned to categories. "Inherited" shows assets whose category connections are presumptions based on a parent's group or a simple asset-range association.
Batch Editing
You can make common edits to multiple case or SmartConnector resources by selecting a set of either type in the Navigator panel and changing their common fields in the Case or Connector Editor.
Batch-Editing Cases or Connectors
To batch-edit cases or connectors:
1 Ctrl+click or Shift+click to select a set of individual cases or SmartConnectors in their respective resource trees in the Navigator panel.
2 Right-click the selected items and choose Edit.
3 Make changes to the appropriate common fields, such as Description or Owner.
4 Click Apply to record your changes and leave the editor open, or click OK to save and close. Saving affects only the fields you have changed, in each of the selected resources.
Cases Reminder
You can also lock and unlock cases in batches, using the Lock Case checkbox.
SmartConnector Reminders
Batch changes affect only default configurations, not alternates. However, you can add new alternate configurations by batch editing. Note that if you make changes under the Filters tab, the entire tab's contents are saved to the selected SmartConnectors. Only connectors of the same version can be batch-edited. Version is indicated by the color of the connector icons in the resource tree: blue for pre-v2.5 and green for v2.5 or later.
Reconnecting to the Manager
If your ArcSight Console loses its connection to the Manager, a dialog box enables you to Retry the connection, Relogin, or to Cancel the connection. Try these options in this order. A connection to the Manager can't be re-established when the Manager has to be restarted or when a network problem prevents communication with the same Manager. In such cases click Cancel and start the Console again, using an appropriate Manager host name.