Checking the Integrity of Event Data

You must have the Perform Event Integrity Check permission to run a check.

Select Admin > Event Integrity.

The ArcSight Database stores all collected events to support the event search and analysis capabilities of the ArcSight Platform. When you investigate a security incident or hunt for threats, you expect search results to return valid and accurate data. However, the data you rely on could be altered by individuals who want to hide their activities or who maliciously change content. Data is also vulnerable to human error, transfer errors, and loss or corruption caused by hardware or software faults. To reduce the chance of tampering, the database enforces the immutability of events once they are stored, so that not even the most privileged database administrator can modify or delete an event. You can also run an Event Integrity Check to validate that the event data in your database matches the content the SmartConnectors sent. Immutability protects events after they are stored; the integrity check detects whether what is stored still matches what was sent. Together they provide an end-to-end, long-term safeguard that events remain exactly as they were reported by the device on which the activity was observed.

When you run the check, the system searches the database for verification events received within the specified date range, then runs a series of checks that compare the content in the database with the information the verification events supply. The results help you identify whether event data might be compromised or incomplete. The check can use two different types of verification events: those that SmartConnectors generate for raw events, and those that Transformation Hub generates for parsed fields. You can use both types in the same environment for greater visibility into the integrity of the events in the database. Because each verification event describes what the connector sent, the check can only detect changes made after that point; an event that was altered before the SmartConnector received it is reported as intact.

NOTE: At this time, the Event Integrity Check covers only events ingested from SmartConnectors into the ArcSight Database; it does not include events migrated from Logger.
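The following is an added illustration of the kind of comparison the check performs, written for this page; it is not ArcSight code, and the batch grouping, field names and digest scheme are assumptions made for the example rather than the format SmartConnectors or Transformation Hub actually use. A connector-side routine emits a verification event (count plus a SHA-256 digest) for each batch of raw events, and a store-side routine later recomputes the digest over what the database holds for every verification event in a date range. The constructed sample data includes one batch with a rewritten event and one with a deleted event, so the output shows how "modified" and "incomplete" results differ from "ok".

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample data for this illustration only. The batch identifiers,
# timestamps, field names and digest scheme are assumptions for the example;
# they are not ArcSight's event or verification-event format.
CONNECTOR_BATCHES = {
    "A": ("2024-05-01T10:00:00Z", [
        "<134>May  1 10:00:01 fw1 kernel: ACCEPT SRC=10.0.0.5 DST=10.0.0.9 DPT=443",
        "<134>May  1 10:00:02 fw1 kernel: DROP SRC=203.0.113.7 DST=10.0.0.9 DPT=22",
        "<86>May  1 10:00:03 bastion sshd[412]: Accepted publickey for ops from 10.0.0.5",
    ]),
    "B": ("2024-05-01T10:05:00Z", [
        "<86>May  1 10:05:01 bastion sudo: ops : COMMAND=/usr/bin/cat /etc/shadow",
        "<86>May  1 10:05:02 bastion sshd[412]: session closed for user ops",
    ]),
    "C": ("2024-05-01T10:10:00Z", [
        "<134>May  1 10:10:01 fw1 kernel: DROP SRC=198.51.100.3 DST=10.0.0.9 DPT=3389",
        "<134>May  1 10:10:02 fw1 kernel: DROP SRC=198.51.100.3 DST=10.0.0.9 DPT=5900",
    ]),
    # Batch D lies outside the date range used below, so the check ignores it.
    "D": ("2024-05-02T09:00:00Z", [
        "<86>May  2 09:00:01 bastion sshd[900]: Failed password for root from 198.51.100.3",
    ]),
}


def _digest(raw_lines):
    """SHA-256 over the raw event strings in arrival order. Each line is
    length-prefixed so that two different sequences cannot concatenate to
    the same byte string."""
    h = hashlib.sha256()
    for line in raw_lines:
        data = line.encode("utf-8")
        h.update(len(data).to_bytes(4, "big"))
        h.update(data)
    return h.hexdigest()


def make_verification_event(batch_id, ts, raw_lines):
    """Connector side (assumed shape): the record emitted alongside a batch."""
    return {"type": "verification", "batch_id": batch_id, "ts": ts,
            "count": len(raw_lines), "digest": _digest(raw_lines)}


def check_integrity(stored_events, verification_events, start, end):
    """Store side: for every verification event whose timestamp falls in
    [start, end], recompute count and digest over the stored raw events of
    that batch and classify the result."""
    results = {}
    for v in verification_events:
        ts = datetime.fromisoformat(v["ts"].replace("Z", "+00:00"))
        if not (start <= ts <= end):
            continue
        batch = sorted((e for e in stored_events if e["batch_id"] == v["batch_id"]),
                       key=lambda e: e["seq"])
        raw_lines = [e["raw"] for e in batch]
        if len(raw_lines) < v["count"]:
            status = "incomplete"      # events missing from the store
        elif len(raw_lines) > v["count"]:
            status = "extra"           # events present that were never sent
        elif _digest(raw_lines) != v["digest"]:
            status = "modified"        # same count, different content
        else:
            status = "ok"
        results[v["batch_id"]] = status
    return results


def build_stored_and_verification():
    """Simulate ingestion: every batch yields stored rows plus one verification event."""
    stored, verifs = [], []
    for batch_id, (ts, lines) in CONNECTOR_BATCHES.items():
        verifs.append(make_verification_event(batch_id, ts, lines))
        for seq, line in enumerate(lines):
            stored.append({"batch_id": batch_id, "seq": seq, "ts": ts, "raw": line})
    return stored, verifs


def tamper(stored):
    """Constructed tampering: rewrite one event in batch B, delete one from batch C."""
    out = []
    for e in stored:
        if e["batch_id"] == "B" and e["seq"] == 0:
            e = dict(e, raw=e["raw"].replace("/usr/bin/cat /etc/shadow", "/usr/bin/ls /tmp"))
        if e["batch_id"] == "C" and e["seq"] == 1:
            continue
        out.append(e)
    return out


def run_example(tampered=True):
    """Run the check over 2024-05-01 against the tampered (or intact) store."""
    stored, verifs = build_stored_and_verification()
    start = datetime(2024, 5, 1, tzinfo=timezone.utc)
    end = datetime(2024, 5, 1, 23, 59, 59, tzinfo=timezone.utc)
    return check_integrity(tamper(stored) if tampered else stored, verifs, start, end)


if __name__ == "__main__":
    for batch_id, status in run_example().items():
        print(f"batch {batch_id}: {status}")
```

Note that the check reports batch B as "modified" only because the verification event captured the digest before the sudo line was rewritten in the store; an event altered before it reached the connector would carry a matching digest and be reported as "ok", which is the same limitation the real check has.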