How Your License Affects Available Features
When a user logs in to the ArcSight Platform or attempts to access a function that requires a special license, the system checks the licenses associated with the deployed products.
The common features such as the Reports Portal and SOAR are enabled if at least one license to enable them is valid. For example, the Transformation Hub license on its own does not enable the Reports Portal, but does if the Recon license is also deployed. Both the Recon and Intelligence licenses enable the Reports Portal. Therefore if your Intelligence license were to expire but the Recon license remains valid, the Reports Portal remains enabled on account of the valid Recon license.
The following table shows the functionality available per product license:
| ESM | Intelligence | MSSP | Recon | |
|---|---|---|---|---|
| Data Quality Dashboard |
|
|
||
| Event Integrity Check |
|
|
||
| Outlier Analytics |
|
|
||
| Reports Portal |
|
|
|
|
| ArcMC |
|
|
|
|
| Transformation Hub |
|
|
|
|
| Search |
|
|
|
|
| Storage Groups |
|
|
|
-
Data Quality Dashboard
-
The Data Quality Dashboard provides detailed information about the gap between Device Receipt Time from the raw event itself versus the Normalized Event Time and Database Receipt Time. The dashboard identifies the sources that have a gap. Based on the information analyzed through the dashboard, you can accurately mitigate the problem. This feature also provides history of your data over time. For more information about using this feature, see the Help for > .
-
Event Integrity Check
-
The Event Integrity Check enables you to validate that the event information in your database matches the content sent from SmartConnectors, helping you check whether event data might be compromised. In addition to reviewing the raw event data received from SmartConnectors, you can enable Transformation Hub to generate verification events for more than 20 parsed fields to include in the check. By expanding the number of fields within an event that the check examines, you reduce the opportunities for malicious users to hide their activity. For more information about using this feature, see the Help for > .
-
Outlier Analytics
-
To help you identify anomalous behavior, the Outlier Analytics feature allows you to compare incoming EventCount, BytesIn, and BytesOut values to typical values for your environment. The
EventCount,BytesInandBytesOutvalues are aggregations over certain time periods for each host/IP address. Outlier Analytics can create and persist a baseline of host behavior. To derive outliers, you compare this baseline with aggregations over new time periods. Basically, the lower the anomaly score, the more likely the event is anomalous. For more information about using this feature, see the Help for > . - Reports Portal
-
To help you hunt for undetected threats and vulnerabilities, the Reports Portal includes a set of built-in dashboards and reports associated with industry security standards such as the Cloud Security Alliance and OWASP. Additional reports and dashboards focus on fundamental security issues, such as monitoring firewalls and malware. For more information about using this feature, see the Help for .
-
Search
-
The Search feature enables you to look for and investigate events that meet specified criteria so you can detect anomalies that point to security threats. Each search consists of specifying query input, search result fields, and the time period for which you want to search events. Commonly available Search features include fieldsets, lookup lists, and scheduled searches. Users can save their search results, search queries, or queries plus search criteria. For more information about using this feature, see the Help for .
-
SOAR
-
ArcSight SOAR provides a secure orchestration, automation, and response solution where customers can automate a lot of their incident management activities so analysts can perform more in-depth threat hunting and case response. When a user acceses SOAR features, the system checks for an active ESM, Recon, or Intelligence license. SOAR also supports manual/legacy ESM license types. For example, customers using ESM 6.11 and later can also use the SOAR capability. For more information about using this feature, see the ArcSight SOAR User Guide.
-
Storage Groups
-
You can divide data into storage groups, which allows you to partition the incoming events data and provide different retention periods, based on the query filter. Because you can set data retention policies per storage group, you can retain certain high volume events for a short time period and other important events for longer time period. For more information about using this feature, see the Help for > .
Depending on your license, storage retention might be limited. -