Customizing the case report lets you add and remove case fields.
The basic case report, Selected Case Report, and its underlying query, Selected Case Query, are part of the ArcSight standard content under /All Reports/ArcSight System/Core/Selected Case Report and /All Queries/ArcSight System/Core/Selected Case Report/Selected Case Query.
This case report, at a minimum, has a name and a query on a case ID. You can copy this report as a template and change the copy by adding or removing fields in the report.
By default, Selected Case Query includes the following fields for Selected Case Report:
Name
Alias
Create Time
Creator
Description
Modification Time
Owner
Consequence Severity
Operational Impact
Security Classification
Stage
Ticket Type
Reporting Level
Frequency
Detection Time
Estimated Restore Time
Estimated Start Time
Incident Source 1
Incident Source 2
Incident Source Address
Affected Elements
Affected Services
Affected Sites
Estimated Impact
Action
Associated Impact
Attack Agent
Attack Mechanism
Security Classification Code
Sensitivity
Vulnerability
Actions Taken
Followup Contact
Planned Actions
Recommended Actions
If you want to change fields in the case report, copy both Selected Case Report and Selected Case Query into a resource group of your choice (as shown in the procedures), then modify the copies.
Follow all procedures in this topic in the order given: