Understand the System Searches

Search includes the following out-of-the-box system searches, each consisting of a query plus specific criteria. All of these system searches are set in Normalized Event Time. For more information about how to use these queries and criteria, see Load a Saved Search.

Note: You can also run a system search by typing # followed by the query name, for example #Configuration changes or #DGA Events. Criteria searches can be run as queries in the same way. There is also a list of reserved words that must be enclosed in quotes (" ") so that the system parses the query correctly.
| Category | Name | Use as | Description |
|---|---|---|---|
| Application Monitoring | Windows New Service Created | Query | Lists events indicating that new Windows services were created, from the following event sources: Microsoft-Windows-Security-Auditing:4697; Service Control Manager:7045. |
| Configuration Monitoring | Configuration changes | Query | Lists configuration changes based on ArcSight categorization. |
| Entity Monitoring | Failed logins | Query | Lists events indicating failed login activity based on ArcSight categorization. |
| Entity Monitoring | Failed Login Events | Criteria | Lists failed login activity events based on ArcSight categorization for the last 30 minutes by default. |
| Entity Monitoring | Failed logins for $username | Query | Lists events indicating failed login activity based on ArcSight categorization for a specific user. The user should be specified before running the search. |
| Entity Monitoring | Windows account creation | Query | Lists events indicating that new Windows accounts were created, based on the following event sources: Microsoft-Windows-Security-Auditing:4720; Security:624. |
| Event Monitoring | ESM Correlation Events | Query | Lists ESM correlation events. |
| Malware Monitoring | Malicious code activity | Query | Lists events indicating malicious code activity based on ArcSight categorization. |
| MITRE Monitoring | MITRE ATT&CK Events | Criteria | Lists correlation events reported from the ArcSight ESM content package: https://marketplace.microfocus.com/cyberres/content/esm-default-content. These events are forwarded to the ArcSight Database by the ArcSight Forwarding Connector, or by any other FlexConnector that reports this information, using the mapping deviceCustomString6Label='MITRE ID', where deviceCustomString6 contains the actual MITRE ATT&CK technique. |
| Network Monitoring | DGA Events | Criteria | Lists DGA-related events based on Microsoft Trace Log. |
| Network Monitoring | DNS Events | Query | Lists DNS-related events. |
| Network Monitoring | DoS Events | Criteria | Lists events indicating denial of service based on ArcSight categorization. |
| Network Monitoring | Firewall drop | Query | Lists Drop Firewall events based on ArcSight categorization. |
| Network Monitoring | Firewall drop for $ip | | Lists Drop Firewall events based on ArcSight categorization for a specific IP address. The IP address should be provided at runtime. |
| Network Monitoring | Firewall Events | Criteria | Lists Firewall events based on ArcSight categorization. |
| Network Monitoring | Proxy Events | Criteria | Lists Proxy events based on ArcSight categorization. |
| Network Monitoring | SSH authentication | Query | Lists SSH authentication events based on ArcSight categorization. |
| Network Monitoring | VPN connections | Query | Lists events indicating VPN connections based on ArcSight categorization. |
| Vulnerability Monitoring | Vulnerabilities Events | Criteria | Lists events indicating vulnerabilities based on ArcSight categorization and Vulnerability Scanner events. |
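As an added illustration of the MITRE ATT&CK Events mapping described above (example code, not part of the original documentation or the ArcSight product), the following Python snippet filters events the way that criteria search does: it keeps only events whose deviceCustomString6Label is 'MITRE ID' and reads the technique from deviceCustomString6. It assumes the forwarded events are available as CEF lines, where those two fields travel as the cs6 and cs6Label extension keys; the sample events and their names are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events (not from the documentation). In CEF the
# deviceCustomString6 / deviceCustomString6Label fields are carried as the
# cs6 / cs6Label extension keys.
SAMPLE_EVENTS = [
    "CEF:0|ArcSight|ArcSight|7.0|rule:101|Suspicious PowerShell|7|"
    "cs6Label=MITRE ID cs6=T1059.001 suser=alice dhost=ws01",
    "CEF:0|ArcSight|ArcSight|7.0|rule:102|Credential Dumping|9|"
    "cs6Label=MITRE ID cs6=T1003 dhost=dc01",
    # Same field, different label: cs6 must not be read as a technique here.
    "CEF:0|ArcSight|ArcSight|7.0|rule:103|Ticket Note|2|"
    "cs6Label=Ticket cs6=INC-42 dhost=ws02",
    # Event without the mapping at all.
    "CEF:0|Vendor|FW|1.0|deny|Firewall drop|3|src=10.0.0.5 dst=10.0.0.9",
]

# key=value pairs; a value runs until the next " key=" or end of line.
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_cef(line: str) -> Dict[str, str]:
    """Split a CEF line into its header name/severity plus extension pairs."""
    header = line.split("|", 7)
    if len(header) != 8 or not header[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields = {"name": header[5], "severity": header[6]}
    fields.update(_EXT_RE.findall(header[7]))
    return fields


def mitre_events(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (event name, ATT&CK technique) for events carrying the mapping.

    Mirrors the MITRE ATT&CK Events criteria: the label must be exactly
    'MITRE ID' before deviceCustomString6 is trusted as a technique ID.
    """
    hits = []
    for line in lines:
        ev = parse_cef(line)
        if ev.get("cs6Label") == "MITRE ID" and ev.get("cs6"):
            hits.append((ev["name"], ev["cs6"]))
    return hits


if __name__ == "__main__":
    for name, technique in mitre_events(SAMPLE_EVENTS):
        print(f"{technique}\t{name}")
```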