Example Queries for Common Scenarios

Query viewers can be used to monitor daily network traffic and obtain high-level summaries of typical activity. They can also be used to drill down on anomalies or other events of interest.

The following is a brief, conceptual scenario of how an analyst might use query viewers to monitor and investigate certain types of activity.

Also included here is a description of how the query content developer might build and configure the base query and query viewers that the analyst uses.

Tip: In practice, ArcSight ships with pre-built queries and query viewers as standard content. It is likely that the types of resources described here are provided with ArcSight.

Even so, the configuration of the base query and query viewers is described here to illustrate and support this example, and to show how a content developer might fine-tune these resources to gather the information needed.