Log Correlation Engine

Tenable’s Log Correlation Engine (LCE) product offers many types of event correlation to detect abuse, anomalies, compromise, and compliance violations. The LCE normalizes events into a variety of types. For reference, each type and a description for it are listed here.

LCE Event Types and Plugin Families

The LCE plugins are located in the /opt/lce/daemons/plugins directory. To optimize plugin performance, it is suggested that the script be used. The script is located in the /opt/lce/tools directory. When run, it will report on the number of installed plugin libraries that have never been used, and prompt you to disable the associated files. You may choose not to do so if you wish to review a full report prior to making any changes. In this case, the script will list the unused files.

The following table summarizes the LCE event types:

| Event Type | Description |
| --- | --- |
| access-denied | Flags attempts to retrieve objects, files, network shares, and other resources that are denied. These events are distinct from authentication failures, blocked firewall connections, and attempts to access web pages that do not exist, which are respectively normalized to the login-failure, firewall, and web-error event types. |
| application | Denotes logs from any application such as Nessus, Symantec Anti-Virus, SecurityCenter, the WU-FTP server, Sendmail, etc. that are noteworthy but not indicative of an error, a login failure, a connection, a restart of the application, an operating system event, or a major function of the device. |
| compliance | Denotes logs that indicate a compliance violation event has occurred. |
| connection | Notes any type of audited network connection that is not directly logged via the Tenable NetFlow Monitor (TFM) or the Tenable Network Monitor (TNM). Event sources include allowed connections through firewalls, established VPN sessions, and connections by some types of applications. |
| continuous | The LCE can identify hosts that are generating specific event types for periods of 20 minutes or longer. |
| data-leak | Flags logs from the NNM or other Data Leak Prevention products that indicate the presence of sensitive data such as a credit card or Social Security number. |
| database | Denotes logs generated by the NNM from observed SQL queries. |
| detected-change | The LCE automatically recognizes many types of system events that indicate change and creates secondary higher level events. |
| dhcp | Logs from DHCP servers that indicate new leases are given the DHCP event type. |
| dns | Denotes any type of log from a DNS server or from real-time network monitoring by the NNM that indicates a DNS query or a DNS query lookup failure. LCE summary information as well as Fast Flux detection is also logged here. |
| dos | Denotes logs that indicate a denial of service event has occurred. These typically occur from network IDS detection engines such as Snort. |
| error | Denotes any type of system, application, router, or switch log that indicates some sort of error. Logs that indicate crashes and hung processes are sent to the process event type. |
| file-access | Denotes any type of sniffed NNM network session or log that indicates that a file was accessed, modified, or likely retrieved. |
| firewall | Denotes any type of log from a firewall, an intrusion prevention device, a router, or a firewall or application configured at the local host to specifically deny connections. |
| honeypot | Indicates logs that are normalized from applications designed to simulate networks, hosts, and applications for the purpose of detecting intruders. |
| Indicator | The "indicator" event type is used by LCE to track correlations associated with scanning, compromises, anomalies, and other behaviors that indicate the presence of determined attackers, advanced malware, and other forms of potentially malicious activities. |
| intrusion | Denotes logs from network IDS, firewall, application, and operating systems that indicate some sort of network attack. Port scans, denial of service, and logs that indicate virus probes are normalized to their own LCE event types. |
| lce | The LCE includes this distinct event type to assist in tracking information about LCE clients such as the LCE Windows client, LCE Linux client, LCE NetFlow Monitor (TFM), and the LCE Network Monitor (TNM). |
| login | Indicates any type of login event to an application, operating system, VPN, firewall, or other type of device. |
| login-failure | Denotes any type of authentication log that indicates credentials were presented and were incorrect. |
| logout | The LCE normalizes events for applications, operating systems, and devices that detect when a user’s session is finished to the logout event type. |
| nbs | The LCE tracks all normalized events that have occurred for each host. As new normalized events are logged for the host, the LCE will generate secondary events based on the event type. |
| network | Logs from the Tenable NetFlow Monitor (TFM) and the Tenable Network Monitor (TNM) are logged to this LCE event type. |
| process | Logs from Unix process accounting and Windows event logs that indicate process starts and stops, as well as executable crashes, restarts, hung states, and segmentation faults are logged to this LCE event type. |
| restart | The LCE will normalize logs from when applications, services, routers, switches, devices, and operating systems reboot, restart, and are shut down to the restart event type. |
| scanning | Network IDS, firewall, antivirus, and other log sources that detect port scans, port sweeps, and probes are logged to the LCE scanning event type. |
| social networks | Denotes any type of log indicating that social network activity, such as Facebook, Twitter, Flickr, or LinkedIn, was observed. |
| spam | Logs from email servers, antivirus email tools, SPAM appliances, firewalls, and other sources that indicate spam activity are normalized to the LCE spam event type. |
| stats | For every unique type of event, the LCE will profile the frequency of events and alert when there is a statistical deviation for any event. |
| system | The LCE will normalize operating system, router, switch, or device logs of significance to the event type of system. Login failures, errors, and application events are logged to other event types. |
| threatlist | The LCE maintains a list of hostile IPv4 addresses and domains that are known to be participating in botnets. |
| usb | The LCE Windows client can detect USB and CD-ROM insertions and removals. The logs generated by these events are normalized to the USB event type. |
| virus | Logs that indicate the presence of a virus in email, a virus found on a system by an anti-virus agent, and virus logs found by network IDS events and firewalls are normalized to the LCE event type of virus. |
| vulnerability | As security issues and new information about systems and networks are reported as part of the vulnerability monitoring process, the LCE normalizes these event types to the vulnerability category. |
| web-access | Any type of log that indicates a successful connection to a web resource is normalized as a web-access LCE event type. |
| web-error | Denotes any type of web access event that is denied because the file does not exist, the server responded with an error, or a firewall or web application firewall blocked the access. |

The Event Vulnerability plugin families below work along with the other Tenable plugin families. These plugin families use Nessus scan results, NNM results, and LCE host analysis to correlate data together that can then be viewed in SecurityCenter CV.

| Plugin Family | Description |
| --- | --- |
| Cloud Services | Plugins that detect the use of cloud services such as Salesforce, Dropbox, and Amazon Cloud. |
| Database | Passive detection of database software and associated vulnerabilities. |
| DNS Servers | Denotes any type of log from a DNS server or from real-time network monitoring by NNM that indicates a DNS query or a DNS query lookup failure. LCE summary information as well as Fast Flux detection is also logged here. |
| FTP Servers | Plugins that detect FTP servers and vulnerabilities associated with them. |
| Generic | This family contains plugins that do not fit in the other families. |
| IMAP Servers | Detection of Internet Message Access Protocol (IMAP) servers and associated vulnerabilities. |
| IRC Clients | A set of plugins to detect traffic and vulnerabilities in IRC client software. |
| Mobile Devices | Checks that look for any traffic or vulnerabilities related to mobile devices such as smart phones and tablets. |
| Operating System Detection | Plugins that monitor traffic to detect the operating system of hosts on the network. |
| Policy | Detects traffic that may violate corporate policy such as pornography, questionable software, or the use of third-party services that may be of concern. |
| RPC | Plugins that detect Remote Procedure Call traffic and associated vulnerabilities. |
| Samba | Checks that look for Samba traffic, for file and print sharing. |
| SMTP Clients | A set of plugins to detect traffic and vulnerabilities in Simple Mail Transfer Protocol (SMTP) client software. |
| SMTP Servers | A set of plugins to detect traffic and vulnerabilities in Simple Mail Transfer Protocol (SMTP) servers. |
| SNMP | Checks related to the Simple Network Management Protocol (SNMP) for a wide variety of vendors and common configuration errors. |
| SSH | Plugins that detect Secure Shell (SSH) traffic. |
| Web Clients | A set of plugins to detect traffic and vulnerabilities in HTTP and HTTPS clients such as web browsers. |
| Web Servers | A set of plugins to detect traffic and vulnerabilities in web servers. |

Note: Historically, LCE has used additional families for plugin organization that were deprecated at some point. Their plugins have been integrated into current families.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.  Tenable,, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc.  All other products or services are trademarks of their respective owners.