
Discover new search feature within ArcSight Investigate

charles.clawson Respected Contributor.

While ArcSight ESM and its powerful correlation engine remain the flagship ArcSight product, there is a newer kid on the block called ArcSight Investigate. To understand what this product is and what need it fills, we first need to look at some of the biggest pain points of the modern SecOps team.

Investigation Efficiency

Efficiently staffing a SOC is becoming more challenging, which means security teams have to do more with less. Training for those on the team is also limited, either for budgetary reasons or simply because the team can't operate one person down for an extended length of time. So how do you defend with fewer people who are also less qualified? One step in the right direction is to make the tools easier to use. Any new analyst comes to the table already knowing how to do basic web searches and filtering, for example. With Investigate, we've made searching through machine data and security events as intuitive as a Google search. Analysts no longer need to know the name of every field or every available Boolean operator. Contextual pop-ups continually guide analysts by showing them recommendations that can be selected with a click. Type the word "steve" and you'll see the fields that might contain that string or username. Click the equals sign to see alternatives such as "not equal" or "does not contain." Investigate is also case-insensitive. Type an integer like "22" and you'll be shown a short list of fields to choose from, such as Destination Port, Source Port or "any port." In short, even a newly hired analyst can start exploring the data with almost no ramp-up.

Investigation Speed

Any time an analyst spends waiting for a search to return results is time that could have been spent on other incidents. Because ArcSight Investigate is built on top of Vertica, a proprietary columnar big data technology that uses massively parallel processing and multi-threaded queries, it returns results faster than any product we've ever released and beats many of the leading security search tools by nearly 10 times. It can also scale into the hundreds-of-petabytes range, so this is not your grandmother's database.

There are many other features, not covered here, that make Investigate a great hunting and investigation tool, but to see the search feature in action, check out the video below. With the gained speed and increased ease of use, Investigate is worth considering as an add-on to your existing toolset.

ArcSight Investigate Searching
