SIEM Analysis Section

Security Information and Event Management (SIEM) analysis allows you to import data from SIEM providers (for example, Splunk) to evaluate events that may warrant re-scanning the affected hosts.

Note: SIEM analysis features are only available for RH/CentOS 7 and RH/CentOS 8. Additionally, discovery mode must be turned off to view SIEM analysis features (see Tenable Nessus Network Monitor Settings Section for more information).
Note: You must deploy Tenable Nessus Network Monitor using the RPM appropriate to your site to activate the SIEM analysis feature.

Note: Tenable recommends that you only use trusted self signed certs for Splunk instances that are used with Tenable Nessus Network Monitor.

The SIEM Analysis section of the Monitoring page shows four charts that help you track and understand SIEM-related events occurring in your system:

  • Top 10 Asset Discovery Subnets

  • SIEM Category Distribution

  • Trending by Asset Discovery

  • Trending by Risk Altering Event

Note: The data collection that creates these charts can be configured in the SIEM Processing Options and SIEM Servers settings. See Tenable Nessus Network Monitor Settings Section for more information.

The SIEM Category Distribution and Trending by Risk Altering Events show data based on the risk-altering events discovered in your system. There are Closedfour risk-altering event types:

Event Type Description
Assets Discovery Instances where assets are discovered using DHCP events.
User Account Activity

Instances where a user account on an asset is modified in one of the following ways:

  • Account is created or deleted

  • Account is added or removed to/from a group

  • Account password modified

  • Policy that affects user accounts is modified (i.e. password policy, lockout policy)
Software Detection

Instances where software is added or removed by a user or the software management system. For example:

  • RPM installations

  • Software added via YUM

  • Installations on Windows using standard install tools

Note: This type does not include instances where binaries are copied on the system and run without execution.
Service Modification

Instances where the software service is modified in one of the following ways:

  • Service starts or stops

  • Service fails to start

  • Service reboots

  • Service is installed or uninstalled