Understanding Search

The application ingests log data that has been routed through Transformation Hub, including data migrated from ArcSight Logger and data from SmartConnectors, as well as events from ArcSight Enterprise Security Manager. Each entry in a log is referred to as an event. The application accepts events from Transformation Hub and organizes them to maximize search and storage efficiency.

The Search feature enables you to look for and investigate events that meet specified criteria so you can detect anomalies that point to security threats. You enter a search query, the criteria over which to search (such as a time window), and the fields from the Unified Event Schema that the query uses. The database stores three timestamps for each event, and you can base your time window on any one of them.

Search displays results in an Events timeline, a histogram chart that shows the number of events returned, bucketed by the time at which the events occurred. The Events table lists the events that the search returned. Each column of the table is a field representing a particular category of data, such as an IP address or the port where the event originated. When you select an event, you can view its list of field-value pairs in the Event Inspector panel. For ongoing or regular searches, you can save queries, queries together with specific criteria, and search results. You can also schedule searches to run on a regular basis.

For the query's time range, you can choose a fixed start and end date, a predefined relative range, or a dynamic date. A fixed start and end date always covers the same interval, so re-executing the search cannot pick up new data. A predefined range such as Last 30 minutes is re-evaluated relative to the time of execution, so each time you re-execute the search you receive the events from the most recent 30 minutes. A dynamic date, such as Midnight on the first day of the current month, is likewise resolved at execution time.
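The following is an added example, not code from the product or its documentation, that models how the three kinds of time range resolve at execution time and why the choice of event timestamp changes the result set. The field names (event_time, device_receipt_time, db_receipt_time), the time-range spec format and the sample events are assumptions constructed for the illustration, not the Unified Event Schema.

```python
"""Added example (not ArcSight code): resolving a search time window and
applying it to events by one of three per-event timestamps.
Field names, the spec format and the sample events are assumptions."""
from collections import Counter
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def ts(*args):
    """Build a UTC timestamp: ts(2024, 5, 1, 0, 20)."""
    return datetime(*args, tzinfo=UTC)


# Constructed sample events. Each carries three timestamps (assumed names):
# when it occurred at the source, when the connector received it, and when
# the database stored it. E3 reached the connector 25 minutes after it
# occurred; E4 occurred in April but was stored in May.
SAMPLE_EVENTS = [
    {"id": "E1", "name": "ssh login failed", "src_ip": "10.0.0.5",
     "event_time": ts(2024, 5, 1, 0, 20), "device_receipt_time": ts(2024, 5, 1, 0, 21),
     "db_receipt_time": ts(2024, 5, 1, 0, 22)},
    {"id": "E2", "name": "ssh login failed", "src_ip": "10.0.0.5",
     "event_time": ts(2024, 5, 1, 0, 40), "device_receipt_time": ts(2024, 5, 1, 0, 41),
     "db_receipt_time": ts(2024, 5, 1, 0, 42)},
    {"id": "E3", "name": "ssh login ok", "src_ip": "10.0.0.9",
     "event_time": ts(2024, 5, 1, 0, 25), "device_receipt_time": ts(2024, 5, 1, 0, 50),
     "db_receipt_time": ts(2024, 5, 1, 0, 52)},
    {"id": "E4", "name": "ssh login failed", "src_ip": "10.0.0.7",
     "event_time": ts(2024, 4, 30, 23, 55), "device_receipt_time": ts(2024, 4, 30, 23, 56),
     "db_receipt_time": ts(2024, 5, 1, 0, 5)},
]


def resolve_window(spec, now):
    """Turn a time-range spec into a concrete half-open [start, end) window.

    A 'fixed' window never changes, so re-running the search cannot pick
    up new data. 'last' and 'month_to_date' are evaluated against `now`,
    so every re-execution sees a fresh window.
    """
    kind = spec["kind"]
    if kind == "fixed":
        return spec["start"], spec["end"]
    if kind == "last":
        return now - timedelta(minutes=spec["minutes"]), now
    if kind == "month_to_date":
        # Dynamic date: midnight on the first day of the current month.
        start = now.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
        return start, now
    raise ValueError(f"unknown time-range kind: {kind}")


def search(events, spec, now, ts_field="event_time", where=None):
    """Return the events whose chosen timestamp falls inside the window
    and which match every field/value pair in `where`."""
    start, end = resolve_window(spec, now)
    where = where or {}
    return [
        e for e in events
        if start <= e[ts_field] < end
        and all(e.get(field) == value for field, value in where.items())
    ]


def histogram(events, ts_field="event_time", bucket_minutes=10):
    """Count events per time bucket, as the Events timeline chart does.
    bucket_minutes is assumed to divide 60 evenly."""
    counts = Counter()
    for e in events:
        t = e[ts_field]
        floored = t - timedelta(minutes=t.minute % bucket_minutes,
                                seconds=t.second, microseconds=t.microsecond)
        counts[floored] += 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    now = ts(2024, 5, 1, 1, 0)
    last30 = {"kind": "last", "minutes": 30}
    # Same query, different timestamp basis, different results: E3 occurred
    # outside the window but was received inside it.
    print([e["id"] for e in search(SAMPLE_EVENTS, last30, now)])
    print([e["id"] for e in search(SAMPLE_EVENTS, last30, now, ts_field="device_receipt_time")])
    # Re-executing 30 minutes later slides the window and finds nothing new.
    print([e["id"] for e in search(SAMPLE_EVENTS, last30, ts(2024, 5, 1, 1, 30))])
```

The point a practitioner should take from running this is that a relative or dynamic range returns different events on each execution, while a fixed range is a snapshot, and that an event delayed between source and connector can fall inside the window by one timestamp and outside it by another, so the timestamp you pick for the window should match the question you are asking (when did it happen, versus when did we learn about it).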

After initiating a search, you can pause, resume, and cancel the process as needed. A progress bar shows you the percent of retrieved data.

Because search results consume space, the system maintains a threshold for the total number of executed searches it can store. Stored content includes saved search results, completed runs of session searches, and completed runs of scheduled searches. The system displays a notification when the threshold is exceeded. Until some previously executed searches have been deleted, you cannot run a new search and scheduled searches do not run.