User's guide
Technical white paper 
Next we’ll create a Query Viewer to execute our Failed Logon Query. We’ve named this Query Viewer “Failed Logons” and selected our Failed Logon Query in the Query field.
Figure 40. ESM Query Viewer Failed Logon – Attributes 
By default, the Query Viewer refreshes its query data every 15 minutes.
When we run the Failed Logon Query through the Failed Logons Query Viewer, every event that meets the query criteria is displayed. The columns shown are the fields selected in the Failed Logon Query:
•  Category Outcome 
•  Category Behavior 
•  Target Address 
•  Target Host Name 
•  Attacker User Name 
To meet the query criteria and appear in the Query Viewer table, an event’s Category Outcome must equal “Failure” and its Category Behavior must equal “Authentication / Verify”. Both conditions must hold, so successful authentications and failures of other kinds (for example a denied file access) are excluded.
Figure 41. HP ArcSight ESM Query Viewer Results – Failed Logon 
In Figure 41 we can see that failed logon attempts have been recorded against the following servers:
•  oo.fog.cloud.internal – Operations Orchestration and Cloud Service Automation host
•  arcmgr.fog.cloud.internal – HP ArcSight ESM Manager and Console
•  ucm.fog.cloud.internal – Universal Configuration Management server
•  ORA.fog.cloud.internal – Oracle Database server for UCMDB
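The following is an added example, not code from the white paper or from HP ArcSight, that reproduces the Failed Logon Query viewer logic offline: it filters a constructed set of normalized events on the two category criteria, projects the selected fields, and summarizes failures per target host as in Figure 41. The IP addresses (RFC 5737 test space), user names and the non-matching category values “/Success” and “/Access/Start” are assumptions; ESM stores category values with a leading slash (e.g. “/Authentication/Verify”), so normalize_category() makes that spelling and the page’s “Authentication / Verify” compare equal.

```python
"""Offline replica of the Failed Logon query viewer (added example, not ArcSight code)."""
from typing import Dict, Iterable, List

# Query criteria exactly as stated on the page.
REQUIRED_OUTCOME = "Failure"
REQUIRED_BEHAVIOR = "Authentication / Verify"

# Fields selected in the Failed Logon query, in the order the page lists them.
SELECTED_FIELDS = [
    "Category Outcome",
    "Category Behavior",
    "Target Address",
    "Target Host Name",
    "Attacker User Name",
]

# Constructed sample events (not real data). Host names are the ones named on the
# page; addresses (RFC 5737 test space), user names and the non-matching category
# values are assumptions for illustration.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Category Outcome": "/Failure", "Category Behavior": "/Authentication/Verify",
     "Target Address": "192.0.2.10", "Target Host Name": "oo.fog.cloud.internal",
     "Attacker User Name": "admin"},
    {"Category Outcome": "/Failure", "Category Behavior": "/Authentication/Verify",
     "Target Address": "192.0.2.10", "Target Host Name": "oo.fog.cloud.internal",
     "Attacker User Name": "root"},
    {"Category Outcome": "/Failure", "Category Behavior": "/Authentication/Verify",
     "Target Address": "192.0.2.20", "Target Host Name": "arcmgr.fog.cloud.internal",
     "Attacker User Name": "arcsight"},
    # Successful logon: behavior matches but outcome differs -> excluded.
    {"Category Outcome": "/Success", "Category Behavior": "/Authentication/Verify",
     "Target Address": "192.0.2.30", "Target Host Name": "ucm.fog.cloud.internal",
     "Attacker User Name": "admin"},
    # Failed file access: outcome matches but behavior differs -> excluded.
    {"Category Outcome": "/Failure", "Category Behavior": "/Access/Start",
     "Target Address": "192.0.2.40", "Target Host Name": "ORA.fog.cloud.internal",
     "Attacker User Name": "oracle"},
]


def normalize_category(value: str) -> str:
    """Canonical form of an ESM category value: no leading slash, no whitespace
    around path separators, case-insensitive. Makes "/Authentication/Verify"
    and "Authentication / Verify" compare equal."""
    parts = [p.strip() for p in value.strip().lstrip("/").split("/")]
    return "/".join(parts).lower()


def matches_failed_logon(event: Dict[str, str]) -> bool:
    """Both query conditions must hold (logical AND), as on the page."""
    outcome_ok = normalize_category(event.get("Category Outcome", "")) == \
        normalize_category(REQUIRED_OUTCOME)
    behavior_ok = normalize_category(event.get("Category Behavior", "")) == \
        normalize_category(REQUIRED_BEHAVIOR)
    return outcome_ok and behavior_ok


def run_failed_logon_query(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one row per matching event, projected to the selected fields,
    which is what the Query Viewer table displays."""
    return [{f: e.get(f, "") for f in SELECTED_FIELDS}
            for e in events if matches_failed_logon(e)]


def failures_per_target(rows: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Summarize the viewer rows by Target Host Name (the servers listed for Figure 41)."""
    counts: Dict[str, int] = {}
    for row in rows:
        host = row["Target Host Name"]
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    rows = run_failed_logon_query(SAMPLE_EVENTS)
    for row in rows:
        print("  ".join(row[f] for f in SELECTED_FIELDS))
    print(failures_per_target(rows))
```

The per-target summary is the step an analyst takes after reading the viewer table; in ESM itself that grouping would be done in the query definition rather than in code.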