Checking the Integrity of Event Data
You must have the Perform Event Integrity Check permission to run a check.
Select > .
When investigating a security incident or hunting for threats, users expect search results to provide valid and accurate data. However, the data that analysts rely on could be compromised by users who want to hide their activities or who maliciously change content. Data is also vulnerable to human errors, transfer errors, and loss or corruption caused by hardware or software issues. To reduce the chance of data tampering, the ArcSight Database ensures that data written to the database is immutable. You can also run an Event Integrity Check to validate that the event information in your database matches the content sent from the SmartConnectors.
When you run the check, the system searches the database for verification events received within the specified date range, then runs a series of checks to compare content in the database with information supplied by the verification events. The results of an Event Integrity Check help you identify whether event data might be compromised or incomplete. An Event Integrity Check can involve two types of verification events: those generated for raw events from SmartConnectors and those generated for parsed fields from Transformation Hub. Both types of verification events can be used in the same environment for increased visibility into the integrity of the events in the database.
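
A conceptual sketch of the comparison described above, added here as an illustration and not ArcSight code. The verification-record fields (`batch`, `received`, `count`, `sha256`), the digest scheme and the sample events are assumptions, because this page does not specify the verification event format.

```python
import hashlib
from datetime import datetime, timedelta

def digest(raw_events):
    # SHA-256 over length-prefixed events so event boundaries cannot be shifted.
    h = hashlib.sha256()
    for raw in raw_events:
        data = raw.encode("utf-8")
        h.update(len(data).to_bytes(4, "big") + data)
    return h.hexdigest()

def integrity_check(verifications, stored, start, end):
    """Return {batch: "ok" | "incomplete" | "mismatch"} for verification
    records received within [start, end]. Record format is hypothetical."""
    results = {}
    for v in verifications:
        if not (start <= v["received"] <= end):
            continue
        events = stored.get(v["batch"], [])
        if len(events) < v["count"]:
            results[v["batch"]] = "incomplete"   # events lost or deleted
        elif len(events) > v["count"] or digest(events) != v["sha256"]:
            results[v["batch"]] = "mismatch"     # content differs from what was sent
        else:
            results[v["batch"]] = "ok"
    return results

# Constructed sample data: what the sender emitted, per batch.
SENT = {
    "b1": ["login user=alice src=10.0.0.5", "logout user=alice"],
    "b2": ["sudo user=bob cmd=/bin/sh", "delete user=bob path=/var/log/auth.log"],
    "b3": ["login user=carol src=10.0.0.9", "login failed user=carol"],
    "b4": ["logout user=carol"],
}
START = datetime(2024, 1, 1)
END = START + timedelta(hours=2)
VERIFICATIONS = [
    {"batch": b, "received": START + timedelta(hours=i),
     "count": len(ev), "sha256": digest(ev)}
    for i, (b, ev) in enumerate(SENT.items())
]
# What the database returns: b2 has an altered event, b3 is missing one.
STORED = dict(SENT, b2=[SENT["b2"][0], "read user=bob path=/tmp/notes.txt"],
              b3=SENT["b3"][:1])

if __name__ == "__main__":
    for batch, status in integrity_check(VERIFICATIONS, STORED, START, END).items():
        print(batch, status)
```

Batch `b4` is not reported because its verification record falls outside the selected date range, which mirrors how the check only considers verification events received within the range you specify.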