ArcSight Recon 1.2 (Recon) includes new features, improves usability, and resolves several previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input.
We hope you continue to help us ensure that our products meet all your needs. We want to hear your comments and suggestions about the documentation available with this product. If you have suggestions for documentation improvements, click comment on this topic at the bottom of any page in the HTML version of the documentation posted at the Recon Documentation page.
Recon provides a modern log search and hunt solution powered by a high-performance column-oriented, clustered database.
Recon deploys within the ArcSight Platform. For more information about the other products available within the suite, see the Release Notes for ArcSight Platform 21.1.
This release includes the following features, enhancements, and software fixes:
This release enhances the Search function to further help you investigate security issues by viewing search results and identifying outlier events.
As part of enhancing Recon’s capabilities, we are incorporating functionality that previously was available only with ArcSight Logger. In this release, you can view Logger event data in Recon. When you run a Search, you can choose to include Logger-based events, and you can use the same Recon query parameters against Logger data, including older events.
To make Logger data available in the database, your database admin must migrate the information from Logger into the database using the LRM tool. You can select only the data that you want to see in Recon.
You can now schedule a search to run at a regular interval using the Scheduled Search function. A scheduled search can run hourly, daily, weekly, or monthly. You can also set an expiration time for the search results. Search results can be viewed in the UI or exported. Each time a scheduled search runs, Recon adds the results to the list of Completed Searches.
You can now specify a fieldset that determines which search result fields the system displays in the Events table. Multiple searches can share a fieldset, and new searches display a default fieldset that contains the most common event fields. Use the Fieldsets window to view the system fieldsets and to add custom fieldsets, including lookup lists. You can also create and edit fieldsets by dragging and dropping fields or by typing a comma-separated list of fields.
The Search function now has the capability to retrieve unique values for certain fields from the Events table.
This release provides three Compliance Packs to help you comply with a broad set of legal and governmental regulations that require your enterprise to organize and manage sensitive data and institute a strong IT governance program. These packs support the following standards:
Designed around best practices, these packages provide a comprehensive method for assessing and monitoring internal controls, such as access control changes, administrative activity, log-in monitoring, and change and risk management. The packages automatically map these technical checks to the relevant standard using policy and risk-relevant operational context so you can focus on key services and business processes and address critical audit points.
You must purchase, then import each Compliance Pack to the Reports repository. For more information about the packs, see the Recon documentation site. For more information about the reports included in the packs, see “Ensuring Data Compliance” in the Help or the User Guide for ArcSight Recon.
This release provides cloud-native deployment in Amazon Web Services (AWS) and Microsoft Azure.
To help you identify an event that might be seen by multiple ArcSight components, the connectors assign the event a unique 64-bit ID. To include this globally unique event ID (GEID) in your search query, enter globalEventID. You can view the GEID of the event in the Event Details.
For example, an analyst investigating events in ArcSight Intelligence might want to create a search query based on a specific event. The analyst can use the GEID because it represents the same event whether it appears in Intelligence or in Recon, or any other ArcSight product.
The following known issues have been resolved in this release.
This release resolves an issue where Recon added an hour to the start and end time of an outlier model if you specified a custom time range.
This release resolves an issue where Recon allowed you to enter invalid data in the query filter, such as 12345, for a storage group. Recon now checks the filters to reduce the opportunity for saving invalid queries.
This release resolves an issue where when you added a CSV containing IP or MAC address fields, the size of those fields might increase when imported as a Lookup List. As a result, the CSV file might have exceeded the file size limit or the maximum number of records allowed for loading a Lookup List.
This release resolves an issue where Recon, while reindexing, displayed an incorrect completed message even though the process was still running and Recon was not ready for use.
This release resolves an issue where Recon continued to display a deleted saved search after it was deleted.
Micro Focus strives to ensure that our products provide quality solutions for your enterprise software needs. If you need assistance with any issue, visit Micro Focus Support, and then select the appropriate product category.
This release includes functionality designed to support checking the integrity of events for a future release. Some artifacts for that future functionality are exposed in the interface, such as the Perform Event Integrity Check permission listed in the Searches section of the Roles page. Although you can add this permission to a role, currently there are no rights associated with the permission.
Issue: While ingestion is running, pushing storage group changes to the system sometimes fails because Recon cannot acquire a lock on the events table. (OCTCR33I180085)
Workaround: Stop ingestion (the scheduler), apply the changes to the system, and then start ingestion again.
The following issues affect your use of the Search feature:
Issue: When you run a Scheduled Search where the start and end dates are in a mixed mode (Dynamic + non-Dynamic), Search fails to display the validation message. However, the search will run. (OCTCR33I174139)
Workaround: None required. The search runs and the results display correctly.
Issue: After you modify the date and time format in preferences, the CSV export function fails for saved searches that ran before the preference change. (OCTCR33I113040)
Workaround: Run the scheduled search again, then save it. Select the CSV icon to download the file.
Issue: If you change the fieldset after running a search, then leave the Search page or move out of the Search section, Search fails to reset the fieldset to the original setting. For example, you choose the Base Event Fields field set and run the search, then change the fieldset to All Fields. Next you navigate to the Saved Searches page. When you return to the Search page, the fieldset is still All Fields rather than reverting to Base Event Fields as it should. (HERC-9865)
Workaround: To revert the fieldset to its original setting, press F5 while viewing the Search.
Issue: From the Completed tab, when you update the date from All Time > Last Week > All Time, the Start Time is empty visually. However, Search uses the Start Date of 12/31/1969. (OCTCR33I181058)
Workaround: You can ignore the empty date because Search will use a Start Date of 12/31/1969 for the All Time setting.
Issue: In User Preferences, if your preferred Default Time Setting is Static, you cannot use the date picker to quickly change the time range for the search. (OCTCR33I174128)
Workaround: Manually enter the date and time values. Alternatively, change your preferred Default Time Setting to Dynamic or Preset. For more information about configuring your user preferences, see the User's Guide for Fusion.
Issue: When you create a scheduled search and select Every 2 hours in the Pattern section, the search runs every two hours at every even hour (0, 2, 4, 6, and so on), using only the minutes portion of the Starting From value. The system ignores the hour portion of the Starting From value. (OCTCR33I179782)
For example, you might select Every 2 hours and choose Starting From at 01:15 am. Search will run every 2 hours at 2:15 am, 4:15 am, 6:15 am, and so on.
Workaround: Use the Specific Hour setting to run the Search at a selected hour and minutes specified in the Starting From field.
Issue: Normally, when you create a search query, Search warns you if the specified fieldset does not contain any of the fields in the query. However, Scheduled Search does not warn you. (OCTCR33I174141)
Workaround: When you create a Scheduled Search, ensure that the specified fieldset includes all fields that are used in the query.
Issue: If you run a Search with a custom fieldset that has since been deleted, the Create Scheduled Searches popup does not display the No Fieldset option. (OCTCR33I174132)
Workaround: Navigate to the Search page, locate the search, and click Search again. Recon updates the field to the default value Base Event Fields.
Issue: On occasion, when you export a completed run of a scheduled search, the CSV file fails to display any data. (OCTCR33I174130)
Workaround: If this issue occurs, view the results of the run. Then, from the Events table, export the data to a CSV file.
Issue: Search displays an error and fails to apply a join if an associated lookup list includes the word “user” for a data value. (HERC-8283)
Workaround: Contact support for help with this issue.
The following issues affect your use of the Reports Portal:
Issue: If you stop or interrupt a scheduled task, the user still receives the email with the report/dashboard. (OCTCR33I171077)
Workaround: Contact support for help with this issue.
Issue: After you create an asset, such as a report or dashboard, an error displays when you try to save it to the Custom Content folder. (OCTCR33I188143)
Workaround: Contact support for help with this issue.
Issue: When you edit an asset using the Edit Wizard, the preview is unavailable. (OCTCR33I134098)
Workaround: Select the metadata option from the Edit Wizard to use the preview option.
Issue: When importing and exporting reporting content, the My Reports folder is unavailable for exporting. (OCTCR33I186200)
Workaround: Contact support for help with this issue.
Issue: When you run the After Hours Access Activity on GDPR Systems Summary report with a longer time frame, the report fails to run. (OCTCR33I186011)
Workaround: Remove the Day of the Week variable by right-clicking on the report and selecting Edit Table. Then, right-click on the dayOfWeek variable and select Remove.
Issue: When you use the Export Asset feature, the exported reports might have formatting issues such as dark backgrounds, dark fonts, and dark table cells. (OCTCR33I186007)
Workaround: Change the formatting manually for the exported report.
Issue: The following reports are not currently included in the PCI Compliance Packs: (OCTCR33I186008)
Standard Content/PCI/PCI Reports/Requirement 1: Firewall Configuration/Cardholder Data Within the DMZ Replet
Standard Content/PCI/PCI Reports/Requirement 1: Firewall Configuration/Inbound Traffic to the Cardholder Data Environment Replet
Standard Content/PCI/PCI Reports/Requirement 1: Firewall Configuration/Outbound Traffic From Card Holder Data Environment to Internet Replet
Standard Content/PCI/PCI Reports/Requirement 1: Firewall Configuration/Outbound Traffic from the Cardholder Data Environment Replet
Standard Content/PCI/PCI Reports/Requirement 1: Firewall Configuration/Unauthorized Outbound Traffic From Cardholder Data Environment Replet
Workaround: None. These reports will be included in a future release.
Issue: When you schedule a task, like reports and dashboards, there are two options, Burst and User Defined, that display; however, these two options are not available at this time. (OCTCR33I142914)
Workaround: Do not use these two options.
Issue: When you change a time setting for charts in the Data Quality dashboard, the charts automatically update as soon as you pick the new value. However, if you change the Start Time or End Time to a dynamic value, the charts fail to update automatically. (HERC-9913)
Workaround: To refresh the charts, click outside the time selection that you just changed. For example, if you changed the End Time to a dynamic value, click either on a chart or on the Start Time.
Issue: In the chart editor, when you remove an X or Y field, Reports displays an error message. This issue occurs intermittently. (OCTCR33I162021)
Workaround: When this issue occurs, try again or avoid removing fields from the Axis.
Issue: When you create a dashboard using the Dashboard Wizard and the chart fails to load, some data cannot be selected at the same time. This issue occurs intermittently. (OCTCR33I161014)
Workaround: When this issue occurs, try again or avoid removing fields from the Axis.
Issue: If you select the Multiple Styles checkbox, the whole area of chart selection displays white with text in the middle that cannot be read. (OCTCR33I141023)
Workaround: To read the text, highlight the text inside the white space.
The following issues affect your use of the fieldsets function:
Issue: After upgrading, the Public Default Fieldset defaults to Base Event Fields. (OCTCR33I178795)
Workaround: In User Preferences, specify the fieldset that you want and set it as default again.
Issue: Search fails to run when the fieldset includes lookup list fields but the query does not include an in list condition. (OCTCR33I174057)
Workaround: Remove the lookup field from the fieldset and run the search again.
Issue: When you create a fieldset, Search displays the database names for the fields instead of the human-readable names that you see when creating a search query. For example, in a query you can enter or select Agent Address. However, in the fieldsets selection, this same field appears as agentAddressBin.
This issue also occurs when you’re adding queries to a report. (OCTCR33I181059)
Workaround: Refer to “Mapping Database Names to their Appropriate Search Fields” in the Help or the User Guide for ArcSight Recon.
The following issues affect your use of the outlier model function:
Issue: When you apply a timestamp format to an outlier model, and then change the timestamp format, the model fails to appear in Available Models.
For example, you create a model in Configuration > Outlier with the Device Receipt Time of 12/31/19. You then change the timestamp format in My Profile > Preferences > Date/Time Format to YYYY/MM/DD hh:mm:ss:ms. When you access Configuration > Outlier, Recon no longer displays the model with the modified timestamp. (OCTCR33I113036)
Workaround: In My Profile > User Preferences > Date/Time Format, select the original timestamp format for the model. Recon displays the model in Available Models.
Issue: When you apply a timestamp format to an outlier model, and then change the timestamp format, the scoring goes more quickly. (OCTCR33I115030)
Workaround: After setting a different timestamp, restart your analytics pod.
Issue: When you copy a search query to create the filter for an outlier model and the query includes a timestamp, Recon erroneously highlights the specified date as if the date or its format were invalid.
For example, you copy a search query that includes the phrase Normalized Event Time = 29/05/20 16:20:39:288. In Configuration > Outlier, you paste the copied query in the filter field for a new model. The query field underlines the timestamp in red, which is the usual indication that the value is invalid. (OCTCR33I112031)
Workaround: Ignore the highlight that indicates that the copied timestamp value is invalid.
The following issues affect your settings in User Preferences:
Issue: In User Preferences, when you set the Time Zone to Database time zone or Custom Time zone, and then Select Range to Yesterday, Week to Date, Month to Date, and so on, the start time is 6:00 instead of 0:00. Recon also displays the end time incorrectly. (OCTCR33I115040)
Workaround: In User Preferences, set the Time Zone to Browser time zone.
Issue: In User Preferences, when you set the Time Zone to Database time zone, your ability to search might not work properly. (OCTCR33I115046)
Workaround: In User Preferences, set the Time Zone to Browser time zone, then perform the search again.
The following issues affect Lookup Lists:
Issue: When you add a Lookup List field to a fieldset without also adding the field to the query, Search fails to load. This issue occurs because Search expects the Lookup List field to be part of a join in the search query. (HERC-8220)
Workaround: Remove the lookup field(s) from the fieldset or use the Lookup List in the search query.
Issue: If the CSV file for your Lookup List contains invalid data, Recon will successfully create the lookup table. However, because Recon ignores the invalid data, the new lookup table will not have any data. Also, you will not receive a notification about the empty Lookup List. (HERC-7129)
Workaround: Contact support for help with this issue.
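Because Recon 1.2 creates the lookup table even when the CSV contains invalid data, silently drops the invalid rows, and never warns that the resulting list is empty, it is worth validating the file before you import it. The following is an added example, not Recon code or Micro Focus tooling. It assumes (this is not stated in the release notes) that the first row is a header, that columns whose names end in MacAddress hold MAC addresses, and that any other column whose name ends in Address holds IPv4 or IPv6 addresses; adjust column_rule() to match your own column naming. The sample CSV is constructed for the example.

```python
"""Pre-import validator for a Recon Lookup List CSV (added example, not Recon code).

Recon 1.2 creates the lookup table even when the CSV holds invalid data,
silently drops the bad rows, and does not report that the list is empty.
Checking the file locally first turns that silent failure into a visible one.

Assumed conventions (not from the release notes): header row present;
columns ending in "MacAddress" hold MACs; other columns ending in "Address"
hold IPv4/IPv6 addresses.  Adjust column_rule() for your own CSV layout.
"""
import csv
import io
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple

# Six hex octets separated by ':' or '-', e.g. 00:1A:2B:3C:4D:5E
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def is_ip(value: str) -> bool:
    """True for a syntactically valid IPv4 or IPv6 address (no CIDR, no port)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_mac(value: str) -> bool:
    return MAC_RE.match(value) is not None


def column_rule(name: str) -> Optional[Callable[[str], bool]]:
    """Pick the validator for a column from its header name (assumed convention)."""
    if name.endswith("MacAddress"):
        return is_mac
    if name.endswith("Address"):
        return is_ip
    return None  # free-text column: nothing to check


def validate_lookup_csv(text: str) -> Tuple[List[Dict[str, str]], List[Tuple[int, List[str]]]]:
    """Split the CSV into (valid_rows, errors).

    errors is a list of (line_number, ["column='value'", ...]) so the operator
    can fix the source file instead of discovering an empty list after import.
    """
    reader = csv.DictReader(io.StringIO(text))
    valid: List[Dict[str, str]] = []
    errors: List[Tuple[int, List[str]]] = []
    for line_no, row in enumerate(reader, start=2):  # header is line 1
        bad: List[str] = []
        for name, value in row.items():
            if name is None:  # extra cells beyond the header columns
                bad.append(f"<extra cell>={value!r}")
                continue
            cell = (value or "").strip()  # missing cells arrive as None
            rule = column_rule(name)
            if rule is not None and not rule(cell):
                bad.append(f"{name}={cell!r}")
        if bad:
            errors.append((line_no, bad))
        else:
            valid.append(row)
    return valid, errors


def cleaned_csv(text: str) -> str:
    """Return a CSV containing the header and only the rows that passed validation."""
    valid, _ = validate_lookup_csv(text)
    header = next(csv.reader(io.StringIO(text)))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=header, lineterminator="\n")
    writer.writeheader()
    writer.writerows(valid)
    return out.getvalue()


# Constructed sample input for the example; not a real lookup list.
SAMPLE_CSV = """sourceAddress,sourceMacAddress,owner
10.0.0.5,00:1A:2B:3C:4D:5E,finance
192.168.1.300,00:1A:2B:3C:4D:5F,hr
2001:db8::1,001A2B3C4D60,lab
"""

if __name__ == "__main__":
    ok, problems = validate_lookup_csv(SAMPLE_CSV)
    print(f"{len(ok)} valid row(s), {len(problems)} rejected")
    for line_no, fields in problems:
        print(f"  line {line_no}: {', '.join(fields)}")
```

Run it against the real CSV before uploading; import only the output of cleaned_csv() once the error list is empty, so that a list that looks loaded in Recon actually contains the rows you expect it to match.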
Issue: When you attempt to import users from ArcSight Enterprise Security Manager, you receive an HTTP 406 error if either of the following is true: you import the users by using the IP address of the ESM server, or you enter the FQDN (fully qualified domain name) for the ESM server but the port or admin credentials are incorrect. (HERC-9941)
Workaround: For the ESM server, specify a valid FQDN, as well as the correct port and admin credentials.
For more information about the software and hardware requirements for your deployment, and for performance tuning, see the Technical Requirements for ArcSight Platform 21.1.
Before you begin installing Recon, you must download the necessary product installation packages. Each installation package also includes a signature file for validating that the downloaded software is authentic and has not been tampered with by a third party. Verify the signature before you install.
To review the list of the files and versions to download for this release, see the Release Notes for ArcSight Platform.
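One way to make that verification a hard gate rather than an optional step, as an added example that is not Micro Focus tooling: refuse to install unless the package's signature verifies against a key you pinned in advance. This example assumes (the release notes do not say) that the signature is an OpenPGP detached signature stored beside the package as <package>.sig, that the vendor's public signing key has been imported into a dedicated keyring file, and that EXPECTED_FINGERPRINT holds the published fingerprint of that key (the value below is a placeholder).

```python
"""Verify a downloaded ArcSight installation package before installing it.

Added example, not Micro Focus tooling.  Assumptions (not in the release
notes): OpenPGP detached signature at <package>.sig, vendor public key in a
dedicated keyring file, and EXPECTED_FINGERPRINT set to the fingerprint the
vendor publishes for that key (placeholder value here).
"""
import os
import shutil
import subprocess
from typing import Optional

EXPECTED_FINGERPRINT = "0" * 40  # placeholder: replace with the published fingerprint


class VerificationError(Exception):
    """The package must not be installed."""


def parse_validsig(status_output: str) -> Optional[str]:
    """Extract the signing-key fingerprint from gpg --status-fd output.

    gpg emits '[GNUPG:] VALIDSIG <fingerprint> <date> ...' only for a good
    signature.  Reading this line rather than trusting the exit code alone
    lets us pin *which* key signed the file, not just "some key in the keyring".
    """
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            return parts[2].upper()
    return None


def verify_package(package: str, keyring: str,
                   expected_fpr: str = EXPECTED_FINGERPRINT) -> str:
    """Return the signing fingerprint if the package verifies; raise otherwise."""
    sig = package + ".sig"
    if not os.path.isfile(package):
        raise VerificationError(f"package not found: {package}")
    if not os.path.isfile(sig):
        # A missing signature is a failure, never a reason to skip the check.
        raise VerificationError(f"signature file missing: {sig}; refusing unsigned package")
    if shutil.which("gpg") is None:
        raise VerificationError("gpg is not installed; cannot verify")
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", sig, package],
        capture_output=True, text=True, check=False)
    fpr = parse_validsig(proc.stdout)
    if proc.returncode != 0 or fpr is None:
        raise VerificationError(f"BAD or unverifiable signature on {package}")
    if fpr != expected_fpr.upper():
        raise VerificationError(f"signed by unexpected key {fpr}, expected {expected_fpr}")
    return fpr


if __name__ == "__main__":
    import sys
    try:
        print("OK, signed by", verify_package(sys.argv[1], sys.argv[2]))
    except VerificationError as exc:
        sys.exit(f"REFUSING TO INSTALL: {exc}")
```

Using a dedicated keyring (--no-default-keyring --keyring) keeps the check independent of whatever keys happen to be in the operator's personal keyring, and pinning the fingerprint means a valid signature from an unexpected key is still rejected.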
Micro Focus provides several options for deploying your Recon environment. For more information, see the Administrator’s Guide for ArcSight Platform provided at the Recon Documentation site.
Before installing, please review the following considerations:
When you deploy Recon, the default roles common in the ArcSight Platform all receive the permissions to conduct searches. However, these roles do not receive any of the Report-based permissions. Only the Report User role, specific to Recon, has permission to perform all the reporting actions, including the reporting admin actions.
To ensure that Recon users can access both the Search and Report features, either add one or more of the Report permissions to the default roles or create new roles with the permissions. Ensure that any user assigned a reporting permission also has a Search or Admin permission. For more information about assigning roles and permissions, see the Help in the product.
NOTE: Reports do not function appropriately if a user’s role has only Report-based permissions. For example, the default Report user role must have at least one Search- or Admin-based permission. (HERC-10003)
Before upgrading Recon, be aware of the following issue.
Issue: Some storage groups have queries written in strict Vertica SQL syntax, such as events.sourceHostName ~~* 'n15-214-%', which the new syntax does not accept. (OCTCR33I180762)
Workaround: To update such a storage group successfully, open its edit modal and rewrite the query in the new syntax before saving.
For information about activating a new license, see the Administrator’s Guide for ArcSight Platform provided at the Recon Documentation site.
For specific product issues, contact Micro Focus Support at https://www.microfocus.com/support-and-services/.
Additional technical information or advice is available from several sources:
Product documentation, Knowledge Base articles, and videos: https://www.microfocus.com/support-and-services/
The Micro Focus Community pages: https://www.microfocus.com/communities/
© Copyright 2021 Micro Focus or one of its affiliates.
Confidential computer software. Valid license from Micro Focus required for possession, use or copying. The information contained herein is subject to change without notice.
The only warranties for Micro Focus products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein.
No portion of this product's documentation may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's internal use, without the express written permission of Micro Focus.
Notwithstanding anything to the contrary in your license agreement for Micro Focus ArcSight software, you may reverse engineer and modify certain open source components of the software in accordance with the license terms for those particular components. See below for the applicable terms.
U.S. Governmental Rights. For purposes of your license to Micro Focus ArcSight software, “commercial computer software” is defined at FAR 2.101. If acquired by or on behalf of a civilian agency, the U.S. Government acquires this commercial computer software and/or commercial computer software documentation and other technical data subject to the terms of the Agreement as specified in 48 C.F.R. 12.212 (Computer Software) and 12.211 (Technical Data) of the Federal Acquisition Regulation (“FAR”) and its successors. If acquired by or on behalf of any agency within the Department of Defense (“DOD”), the U.S. Government acquires this commercial computer software and/or commercial computer software documentation subject to the terms of the Agreement as specified in 48 C.F.R. 227.7202-3 of the DOD FAR Supplement (“DFARS”) and its successors. This U.S. Government Rights Section 18.11 is in lieu of, and supersedes, any other FAR, DFARS, or other clause or provision that addresses government rights in computer software or technical data.
For additional information, such as certification-related notices and trademarks, see https://www.microfocus.com/about/legal/.