Understand the Types of Search Queries
Search supports the following types of search queries:
Full Text Search
Searches across all fields using a ‘contains’ operation to determine if the value is found.
| Syntax | Example |
|---|---|
| <value> | ssh
|
Field-based Search
Searches based on the field and operator designation to determine if the value is found in the specified field.
Your search can reference fields with the Unified Schema to either retrieve the field in results, apply a filter criteria or create a user defined expression. The Unified Schema defines a consistent event model that can be used across all of ArcSight family of products.
| Syntax | Example |
|---|---|
| <key> <operator> <value> | sourceAddress = 10.0.111.5 |
Hashtag (predefined searches)
The Search feature includes several predefined queries out-of-the-box. In the query field, enter a hashtag, and then select the criteria to use. In addition to these predefined searches, you can use the session searches and save searches in the input field using a hashtag prefix.
To ensure the system correctly parses your query, if your search entity name includes one of the reserved words listed before, you should surround the query name with quotes (" ") in order to avoid ambiguity in the query statement.
| This predefined query... | Description |
|---|---|
| #Configuration Changes | Lists configuration changes based on ArcSight categorization. |
| #DGA Events | Lists DGA-related events based on Microsoft Trace Log. |
| #DNS Events | Lists DNS-related events. |
| #DoS Events | Lists events indicating denial of service based on ArcSight categorization. |
| #ESM Correlation Events | Lists ESM correlation events. |
| #Failed Logins | Lists events indicating failed login activity based on ArcSight categorization. |
| #Failed Logins For User $Username | Lists events indicating failed login activity based on ArcSight categorization for a specific user. The user should be specified before running the search. |
| #Firewall Drop | Lists Drop Firewall events based on Arcsight categorization for a specific IP address. The IP address should be provided at runtime. |
| #Firewall Drop For $Ip | Lists Drop Firewall events based on Arcsight categorization. |
| #Firewall Events | Lists Firewall events based on ArcSight categorization. |
| #Malicious Code Activity | Lists events indicating malicious code activity based on ArcSight categorization. |
| #MITRE ATT&CK Events |
Lists correlation events reported from Arcsight ESM content package: https://marketplace.microfocus.com/cyberres/content/esm-default-content. These events are forwarded to the ArcSight Database using ArcSight Forwarding connector, or any other flex connector which reports this information, using the following mapping: deviceCustomString6Label=’MITRE ID’ Where deviceCustomString6 contains the actual MITRE ATT&CK technique. |
| #Proxy Events | Lists Proxy events based on ArcSight categorization. |
| #SSH Authentication | Lists events indicating SSH Authentication events based on ArcSight categorization. |
| #VPN Connections | Lists events indicating VPN connections based on ArcSight Categorization. |
| #Vulnerabilities Events | Lists events indicating vulnerabilities based on ArcSight categorization and Vulnerability Scanner events. |
| #Windows Account Creation |
Lists events indicating new windows accounts created based on the following event sources:
|
| #Windows New Service Created |
Lists events indicating new windows services were created from the following event sources:
|