D4 - T3 - Reports

Reports*
HP ArcSight Proof of Concept Boot Camp Training

TECHNICAL DAY-3
Philippe Jouvellier - HP ESP | Global Partner Enablement
philippe.jouvellier@hpe.com
* Lab during this session

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Session Objectives
Upon successful completion on this Lab, you will be able to:

• List the components in the Report Workflow
• List the different types of Reports
• Build a custom report
• Set up a scheduled Report Job
2 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Reports
Reports are captured views or summaries of data that can be printed or
viewed in the ArcSight Console or ArcSight Command Center viewer in a
variety of formats.
A report binds one or more queries with a report template.
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Reports
• Use content available “out of the box”
! • PoC environment requires minimum level of effort
• Can be viewed with:
• ESM Console or Arcsight Command Center
• 3rd party utilities: PDF, Excel, RTF and CSV
• Report overall workflow:
1. Gather Report data (Active Lists, Session Lists, Notifications, Cases, Assets, Events, Trends)
2. Develop Report in Reports templates
3. Run as Scheduled Report or On Demand
• Data can be collected by :
• Running Queries on the ESM Database
• Using Trends
Creating Reports - Templates
• Basic report templates are provided as standard
• For testing and basic reporting they are effective !
• Custom report templates can be created
• Very flexible
• Meet most report design requirements
• Requires extended knowledge of template editor
• Custom report TEMPLATE creation not necessary/realistic for POC environment

! • Modifying existing report template for POC is recommended
• Adding a Customer logo improves reporting look and feel
Creating Reports
• Minimum 2 Steps Required

• Recommend 3 Steps
1. Minor edit of template to apply customer logo
2. Create Query that will supply data to the report engine
 Resourced based SQL logic intended to gather information from data sources
3. Associate the Query with a Report
THE FOLLOWING EXAMPLE WILL ILLUSTRATE HOW TO BUILD A REPORT SHOWING TOP 10 FIREWALL EVENTS
Creating Reports
• Use the Navigator panel to Open the REPORTS resource
• Reports resource has 5 tabs

• Let us customize the template
• Select “Templates tab”
• Browse the resources tree

• Select “ArcSight System”
• - “1 Chart”
• - “With Table”
• - “Chart and Table Portrait”
• Left Click and Drag to Admin’s report templates
Creating Reports –Templates
• Select to “Copy”
• Copy to “Admin’s Templates”

• Right Click, select “Edit Template”
• Select “Open in Designer” from “Inspect/Edit”

panel
• Report Designer opens as a separate (embedded) application
• Select the “ArcSight” Logo

• Right Click
• Select Properties
• In the dialogue box

• Uncheck “None”
• Allows to select another Logo
• Select “Browse”
• Select an appropriate logo

• PNG format is recommended
• Smaller images work best
• Use the customer website to grab

their logo
• Check the “Embed” option

• Click OK
• Exit the Report Designer
You will be prompted to save the edit!
• Select “Yes” to save the template

• When back in the Console Inspect/Edit panel select “Apply”
Changes are not saved until you Apply the changes
Creating Reports - Queries
• STOP!
• Before building reports
!
• Know what you want to report on!
• It may sound obvious but think about the data you are
going to report on
• How much will there be
• 1000 page reports do not look sexy
• Consider Fields you will use
• What (if any) aggregation will you use
• We’ve a template, now let us build the Query

to be run on the ESM Data base
• Under “Reports” in the Navigator Panel
• Select the “Queries” Tab
• Right Click and select “New Query”
• Provide a query Name

• Select Query on Events
• Select Start and End Time
• Select the Fields tab
• Queries are based on SQL logic:
• Select
• Group by
• Order by
• Functions available for grouping and sorting:
• Count
• Max
• Min
• Average
• Sum
• Time (grouping by time frame)
• Left Click on “Add ‘SELECT’ columns”
• Select from the Fields that you want included in

the report
• This can (and should) be multiple selections
Use as many fields as required but not too many.

4 or 5 fields will look best in A4 Portrait
• Event ID will be used for aggregation

• Double Click it
• Select the drop down

• Select “Count”
• Click the Green  icon
• Left click on “Add ‘ORDER BY columns”

• Choose the field to order the report by
• Event ID in the example
• Apply the same aggregation as for the Select

component
• Select for the report to Ascend (ASC) or Descend
(DESC)
• Now we need a filter to select

the event data to report on
• Select the “Conditions” Tab
• We could add a new condition

• It’s better here to use (or reuse) a Filter
• Select from Admin’s Filters
• Firewall Events
• Click OK
• Apply the changes
Creating Reports
• We now have:
• a template customized
• a Query
• Now we need to associate our template and our Query
• This will actually create the report
• In the Navigator Panel under Reports
• Select “Reports”
Creating Reports
• Right Click and Select “New Report”
Creating Reports
• Provide a Name for the report
This will appear in the report title
Creating Reports
• Select the “Template” tab

• Select the Template that you created earlier
Creating Reports
• Select the “Data” tab

• Select the Query that you created
Creating Reports
• Select the “Chart” tab

• Select the Query that you created
The same in this example but can be different
Creating Reports
• Select a “Chart Type” from the drop down box
Creating Reports
• Move the appropriate field(s) for the X-Axis
Creating Reports
• Move the appropriate field(s) for the Y-Axis
Creating Reports
• Select the “Parameters” tab
Creating Reports
• Unselect the “Use Default” option for “Row

Limit” for both Table and Chart
• Edit the “Row Limit” to show “10”
Creating Reports
• “Apply” the changes to the report

• Select “Preview”
Creating Reports
• Change the “Start Time” to “$Now – 1h”

• Make sure that data matching the report is in this time window!
• Try to keep the time window short so you are not kept waiting for the result
Creating Reports
• Confirm the report present the data

you expected in the format you
wanted
• Make appropriate changes and
retest
Lab: Create a report showing Top 10 IDS Events
• Include a Chart and Table

• Run the report for all data today
• Why not for yesterday?
• Time permitting
• Group the data by Destination Address or Hostname
• Schedule the report to run every day
• What time should reports run at?
• What factors need to be considered?
Thank You
Questions ?
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HP Restricted. For HP and Partner Internal Use

D4 - T3 - Reports

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

D4 - T3 - Reports

Uploaded by

Copyright:

Available Formats

Reports*

HP ArcSight Proof of Concept Boot Camp Training

* Lab during this session

Upon successful completion on this Lab, you will be able to:

A report binds one or more queries with a report template.

• Custom report TEMPLATE creation not necessary/realistic for POC environment

• Minimum 2 Steps Required

• Use the Navigator panel to Open the REPORTS resource

• Reports resource has 5 tabs

• Browse the resources tree

• Copy to “Admin’s Templates”

• Select “Open in Designer” from “Inspect/Edit”

• Report Designer opens as a separate (embedded) application

• Select the “ArcSight” Logo

• In the dialogue box

• Select an appropriate logo

• Use the customer website to grab

• Check the “Embed” option

• Exit the Report Designer

You will be prompted to save the edit!

• Select “Yes” to save the template

Changes are not saved until you Apply the changes

• We’ve a template, now let us build the Query

• Provide a query Name

• Left Click on “Add ‘SELECT’ columns”

• Select from the Fields that you want included in

Use as many fields as required but not too many.

• Event ID will be used for aggregation

• Select the drop down

• Left click on “Add ‘ORDER BY columns”

• Apply the same aggregation as for the Select

• Now we need a filter to select

• We could add a new condition

• Apply the changes

• Right Click and Select “New Report”

• Provide a Name for the report

This will appear in the report title

• Select the “Template” tab

• Select the “Data” tab

• Select the “Chart” tab

• Select a “Chart Type” from the drop down box

• Move the appropriate field(s) for the X-Axis

• Move the appropriate field(s) for the Y-Axis

• Select the “Parameters” tab

• Unselect the “Use Default” option for “Row

• “Apply” the changes to the report

• Change the “Start Time” to “$Now – 1h”

• Confirm the report present the data

• Include a Chart and Table

You might also like