User's guide
Technical white paper
Next we’ll create a query viewer that will be used to execute our Failed Logon Query. We’ve named this Query Viewer “Failed
Logons” and selected our Failed Logon Query in the Query field.
Figure 40. ESM Query Viewer Failed Logon – Attributes
By default the Query data will be refreshed every 15 minutes.
When we execute our Failed Logon Query using the Failed Logons Query Viewer, all events that meet our query criteria are
displayed. Below are the fields that were selected in the Failed Logon Query:
• Category Outcome
• Category Behavior
• Target Address
• Target Host Name
• Attacker User Name
The Category Outcome must equal “Failure” and the Category Behavior must equal “Authentication / Verify” for an event to meet the
criteria of the query and be returned in the Query Viewer table.
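As an added example (not code from the white paper), the following Python reproduces the Failed Logon Query's two conditions and its field selection over a constructed event set, then counts matches per target host the way the Query Viewer results are read. The slash-prefixed category values and camel-case field names follow ArcSight's conventions; the addresses and user names are made up.

```python
from collections import Counter

# ESM categorization values carry a leading slash; the white paper's condition
# editor shows them as "Failure" and "Authentication / Verify".
FAILURE = "/Failure"
AUTH_VERIFY = "/Authentication/Verify"

# Fields the paper's Query Viewer selects, in the order it lists them.
SELECTED_FIELDS = ("categoryOutcome", "categoryBehavior", "targetAddress",
                   "targetHostName", "attackerUserName")

def event(outcome, behavior, addr, host, user):
    """Build a constructed event using ArcSight field names."""
    return {"categoryOutcome": outcome, "categoryBehavior": behavior,
            "targetAddress": addr, "targetHostName": host,
            "attackerUserName": user}

# Constructed sample events (hostnames follow the paper; addresses and user
# names are made up). Only the first three satisfy the query.
SAMPLE_EVENTS = [
    event(FAILURE, AUTH_VERIFY, "10.0.0.10", "oo.fog.cloud.internal", "admin"),
    event(FAILURE, AUTH_VERIFY, "10.0.0.10", "oo.fog.cloud.internal", "root"),
    event(FAILURE, AUTH_VERIFY, "10.0.0.30", "ucm.fog.cloud.internal", "admin"),
    # successful logon: outcome does not match
    event("/Success", AUTH_VERIFY, "10.0.0.20", "arcmgr.fog.cloud.internal", "analyst"),
    # failed file access: behavior is not an authentication check
    event(FAILURE, "/Access/Start", "10.0.0.40", "ORA.fog.cloud.internal", "oracle"),
]

def failed_logon_query(events):
    """Apply the Failed Logon Query conditions and project the selected fields."""
    return [
        {field: ev.get(field) for field in SELECTED_FIELDS}
        for ev in events
        if ev.get("categoryOutcome") == FAILURE
        and ev.get("categoryBehavior") == AUTH_VERIFY
    ]

def failed_logons_per_host(events):
    """Count matching events per target host, the way Figure 41 is read."""
    return Counter(row["targetHostName"] for row in failed_logon_query(events))

if __name__ == "__main__":
    for host, count in failed_logons_per_host(SAMPLE_EVENTS).most_common():
        print(f"{host}: {count} failed logon(s)")
```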
Figure 41. HP ArcSight ESM Query Viewer Results – Failed Logon
In Figure 41 we can see that we have recorded failed logon attempts against the following servers:
• oo.fog.cloud.internal – Operations Orchestration and Cloud Service Automation host
• arcmgr.fog.cloud.internal – HP ArcSight ESM Manager and Console
• ucm.fog.cloud.internal – Universal Configuration Management Server
• ORA.fog.cloud.internal – Oracle Database server for UCMDB