Running Recon Searches

You can conduct event searches from ESM using Recon. Refer to the Recon User's Guide for details.

Integration with Recon requires specific browser versions. See the ESM Support Matrix for details.

Tip: Events that are not within the latest half hour time range are not displayed in Recon as search results. Events must be within the time range shown in the ArcSight Console in order to be displayed.

Prerequisite:

ESM must be integrated with a deployment of Recon and ArcSight Transformation Hub. If the required setups are done correctly, the following integration commands are enabled on an active channel and from the event details on the Inspect/Edit panel:

Note:  

  • Not all ESM fields are supported in Recon searches. These unsupported fields will appear disabled for selection.

To search a single field:

  1. Open an event viewer such as an active channel, or view an event's details in the Inspect/Edit panel.

  2. Right-click a row and select Recon.

Recon displays the search results in your preferred browser.

To search multiple fields:

  1. Open an event viewer such as an active channel, or view an event's details in the Inspect/Edit panel.

  2. Right-click a row and select Recon (Multiple Fields).

    The Recon panel opens, displaying a list of fields supported for the search. The list is based on the columns that are available on the channel.

    Tip: If you know the field name and prefer not to scroll through the list to locate it, enter the name in Search Fields. Enter the first few characters until the matching field is selected.

  3. Click Add to add the field to the Selected Fields pane. Select up to five fields.
  4. Click OK to begin the search in Recon.

Recon displays the search results in your preferred browser.

See also: