
Event Analysis

The Events display screen contains an aggregation of security events from Tenable’s Log Correlation Engine. Events can be viewed in a list format with options similar to the “Vulnerability” interface. Clicking through Analysis and Events displays a high-level view screen similar to the following:

Raw Syslog Events

SecurityCenter’s event filters include a “Syslog Test” field to narrow the scope of a set of events, and support keyword searches for active filters. In the example above, a mix of collapsed and expanded events is shown. Selecting Collapse All or Expand All from the Options menu at the top right performs that action for all of the results at once. Clicking the “+” or “-” icon on the right side of a particular event expands or collapses that one event.

Active vs. Archived

In the Options menu the view can be switched between the Active and Archived data. This selection determines whether the displayed events are pulled from the active or an archived event database. The “Active” view is the default that displays all currently active events. The “Archived” view prompts for the selection of the LCE and an “Archive Silo” from which the event data will be displayed. In the screen capture below, the LCE and Silo date range are displayed to help the user choose the correct archive data for analysis.

Analysis Tools

A wide variety of analysis tools are available for comprehensive event analysis. Clicking on the drop-down menu indicating the current view (“Type Summary” by default) displays a list of analysis tools to choose from:

When viewing analysis tool results, clicking on a result generally takes you to the next level of detail for the analysis. For instance, from the Type Summary page, clicking on a type displays the Normalized Event Summary. Clicking on an event in that list displays the List of Events page for that event. At each step a new drop-down menu appears, allowing you either to pivot to another analysis tool based on the current view or to return to the previous view.

Additionally, most results have a gear icon next to them. This icon provides summaries around that item’s result, normally based on time restrictions, or a view of the vulnerability summary for the affected host.

The table below contains detailed descriptions of all available analysis tools:

Event Analysis Tools

Tool Description

Asset Summary

This tool can be used to see how certain types of activity, remote attackers, or non-compliant events have occurred across different asset groups.

Clicking on the “Total” count for the listed asset displays a “Type Summary” analysis tool.

Connection Summary

This tool lists connections made between two different hosts by source and destination IP address and the counts of connections between them.

Clicking on a host will display the Type Summary analysis tool.

Date Summary

When analyzing large amounts of data, it is often useful to get a quick summary of how the data set manifests itself across several dates.

For example, when analyzing a suspected attacker’s IP address, creating a filter for that IP and looking at the type of events is simple enough. However, displaying that same data over the last few days or weeks can paint a much more interesting picture of a potential attacker’s activity.

Selecting a date will display the Type Summary analysis tool.

Destination IP Summary

This tool displays events listed by the destination IP recorded. The table lists the LCE it was discovered on, the IP address, and the count. Clicking on the information icon next to the IP displays the system information pertaining to the host IP address.

Clicking on one of the hosts displays the Type Summary analysis tool.

Detailed Event Summary

The “Detailed Event Summary” tool displays a summary of the various events based on their full event name and count. Clicking on an event displays the List of Events analysis tool.

Event Trend

This analysis tool displays an event trend area graph with total events over the last 24 hours. Modify the filters for this graph to display the desired event trend view.

IP Summary

Class A Summary

Class B Summary

Class C Summary

SecurityCenter provides the ability to quickly summarize matching IP addresses by single IP, Class A, Class B, and Class C addresses.

The IP Summary tool displays the associated LCE server along with the IP address of the reporting system and the event count for that system.

Clicking on an IP address displays a Host Detail window for that IP address. Clicking the information icon next to the IP address displays information about the NetBIOS Name (if known), DNS Name (if known), MAC address (if known), OS (if known), Score, Repository, Last Scan, Passive Data, Compliance Data, and Vulnerability severity counts. The Assets box displays which asset lists the IP address belongs to. The Useful Links box contains a list of resources that can be queried by IP address. Clicking on one of the Resource links causes the resource to be queried with the current IP address. For example, if the current IP address was a publicly registered address, clicking on the “ARIN” link causes the ARIN database to be queried for the registration information for that address. If custom resources have been added by the administrative user (via the “Manage IP Address Information Links” selection under the “Customization” tab), they will be displayed here.

The Class A, B, and C Summary tools display matching addresses summarized by network class. Clicking on the number displayed in the Total column displays the Type Summary for that IP range.

List of Events

This tool displays a line of data for each matching event. The line includes many pieces of information, such as time, event name, number of correlated vulnerabilities, involved IP addresses, and sensor.

Normalized Event Summary

This tool summarizes all normalized events and their counts for the chosen time period. Normalized events are “lower-level” events that have been assigned a Tenable name based on the LCE scripts’ parsing of the log records (e.g., Snort-HTTP_Inspect).

Clicking on the event name displays the List of Events analysis tool.

Port Summary

This tool produces a table of the most used ports, combining the counts for source and destination ports into one overall count.

Clicking on the port will display a “Type Summary” of events filtered for that port.

Note: Port 0 events are host-based events that are not specific to any particular TCP/UDP port.

Protocol Summary

This tool summarizes counts of events based on IP protocols.

Clicking on the event total displays a “Type Summary” view of events filtered by the selected protocol.

Raw Syslog Events

Users can choose to view the original log message or IDS event for full forensic analysis.

It is recommended that users attempt some sort of filtering match first before attempting to find their desired event. Users will typically sort their results and drill into the list until they find what they are looking for before attempting to view the raw data.

Sensor Summary

The “Sensor Summary” displays the unique event counts for any query from unique sensor types.

When a sensor is clicked on, the Type Summary analysis tool is displayed for events from the selected sensor.

Source IP Summary

This tool displays events listed by the source IP recorded. The table lists the LCE it was discovered on, the IP address, and the count. Clicking on the information icon next to the IP displays the system information pertaining to the host IP address.

Clicking on one of the hosts displays the Type Summary analysis tool.

Type Summary

The “Type Summary” tool displays the matching unique event types and the number of corresponding events for each.

The unique event types are based on normalized logs or events such as firewall, system, correlated, network and IDS. These types are “high-level” types used to describe event types (e.g., login or lce).

Clicking on any of the event counts displays the Normalized Event Summary for the type.

User Summary

This tool displays the matching unique event types and the number of corresponding events for each user when user tracking is enabled in LCE.

The unique event types are based on normalized logs such as firewall, system, correlated, network, and IDS.

Clicking on any of the event counts under the “Total” column will display the “Type Summary” analysis tool.
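The drill-down chain described above (Type Summary to Normalized Event Summary to List of Events) and the Port, Class, Connection and Date summaries, as an added example that is not SecurityCenter’s own code: it runs the same aggregations over a constructed set of normalized events. The event names other than Snort-HTTP_Inspect, and the choice to key the Class summaries on the source address, are assumptions.

```python
from collections import Counter

# Constructed sample of normalized events (not real LCE data); event names other than
# Snort-HTTP_Inspect are made up for illustration.
EVENTS = [
    {"date": "2017-05-01", "type": "intrusion", "event": "Snort-HTTP_Inspect", "sensor": "snort",
     "src": "203.0.113.7", "dst": "192.168.10.5", "sport": 44123, "dport": 80},
    {"date": "2017-05-01", "type": "intrusion", "event": "Snort-HTTP_Inspect", "sensor": "snort",
     "src": "203.0.113.7", "dst": "192.168.10.20", "sport": 44124, "dport": 80},
    {"date": "2017-05-02", "type": "login", "event": "SSH-Login", "sensor": "sshd",
     "src": "192.168.10.5", "dst": "192.168.10.20", "sport": 51000, "dport": 22},
    {"date": "2017-05-02", "type": "lce", "event": "LCE-Client_Heartbeat", "sensor": "lce",
     "src": "192.168.10.20", "dst": "192.168.10.20", "sport": 0, "dport": 0},
]

def type_summary(events):
    """Type Summary (default view): events per high-level type."""
    return Counter(e["type"] for e in events)

def normalized_event_summary(events, type_name):
    """Drill-down from a type: events per normalized event name within that type."""
    return Counter(e["event"] for e in events if e["type"] == type_name)

def list_of_events(events, event_name):
    """Drill-down from a normalized event: the matching records themselves."""
    return [e for e in events if e["event"] == event_name]

def port_summary(events):
    """Port Summary: source and destination ports folded into one count; port 0 is host-based."""
    counts = Counter()
    for e in events:
        counts[e["sport"]] += 1
        counts[e["dport"]] += 1
    return counts

def class_summary(events, cls):
    """Class A/B/C Summary, keyed on the source address (an assumption about which IP is summed)."""
    keep = {"A": 1, "B": 2, "C": 3}[cls]
    counts = Counter()
    for e in events:
        prefix = e["src"].split(".")[:keep]
        counts[".".join(prefix + ["0"] * (4 - keep))] += 1
    return counts

def connection_summary(events):
    """Connection Summary: events per (source, destination) pair."""
    return Counter((e["src"], e["dst"]) for e in events)

def date_summary(events):
    """Date Summary: events per day, for spotting an address's activity over time."""
    return Counter(e["date"] for e in events)
```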

Load Query

The “Load Query” option enables users to load a predefined query and display the current dataset against that query. Click on “Load Query” in the filters list to display a box with all available queries. The query names are displayed in alphabetical order. After clicking on an individual query, the vulnerability view is changed to match the query view for the current dataset.

Event Filters

Filters limit the event data displayed and can be added, modified, or reset as desired. The filter selection is accessed by the double arrow link in the top left of the Event Analysis screen. Additional filters may be added using the Select Filters link. Filters may be loaded from previously saved queries or customized based on a current need. All filter constraints may be reset using the Clear Filters option, or individually using the X button next to the filter.

The screen capture below shows a default search where the only preconfigured filter is for the Timeframe and is set to the last 24 hours based on the time and date of the page load.

The filters may also be applied from the LCE filter bar. While on the Event Analysis page, the filter bar may be displayed or hidden by selecting the option from the Options drop-down menu.

When applying filters either by the sidebar or clicking events to narrow searches, the filter bar is populated with the options in use automatically. These options may be changed by adjusting the terms used in the search bar itself.

Filter options may be entered in the bar either by typing the name of the option (autocomplete suggestions appear as you type) or by pressing the down arrow on the keyboard and selecting the option from the list with the Enter key or a mouse click. Once the filter is selected, the operator is entered in the same way: type it, or select it from the list using the down arrow. This is followed by the value to be filtered on. Free text may be typed directly; predefined options may be selected by autocompleting the entered text or by choosing from the list of available options.

Note: The Filter Bar does not display or adjust the time frame filter.

The results are displayed with the filter options collapsed. The number under the double arrows indicates the number of filters currently in use. Selecting the arrows to expand the filter screen will show the filters in use and provide the ability to redefine them as desired.

See the table below for detailed descriptions of these options:

Event Filter Options

Filter Description

Address

Specifies an IP address, range, or CIDR block to limit the displayed events. For example, entering 192.168.10.0/24 limits any of the web tools to only show event data from that network. Addresses can be entered on separate lines or comma separated.

Asset

Filter the events by asset list. After clicking in the text field, select an asset list from those available, or the NOT operator to exclude asset lists. After each list is added, the AND and OR operators are available to customize how the asset lists are combined.

Destination Address

Specifies an IP address or CIDR block to limit the displayed events based on destination. For example, entering 192.168.10.0/24 limits any of the analysis tools to only show event data with destination IPs in that block. Addresses can be comma separated.

Destination Asset

Filter the destination address of the event data by asset list. After clicking in the text field, select an asset list from those available, or the NOT operator to exclude asset lists. After each list is added, the AND and OR operators are available to customize how the asset lists are combined.

Destination Port

This filter is in two parts. First, the type of filter can be specified to match events with the same ports (=) or different ports (≠). The port filter may then specify a single port, a comma-separated list of ports, or a range of ports (e.g., 8000-8080).

Detailed Event

This is the detailed event name given by the IDS vendor. For example, an event received from a Snort sensor can have a detailed event name of “DOUBLE DECODING ATTACK”, which means that HTTP_INSPECT 119:2:1 fired and was sent to the LCE.

Direction

Filter by event direction of All by default or select Inbound, Outbound, or Internal.

LCEs

Specify the LCE(s) to obtain events from by checking the box next to the choice(s).

Normalized Event

The “Normalized Event” is the name given to the event by the LCE after the LCE runs its PRM and TASL scripts against it.

Port

This filter is in two parts. First, the type of filter can be specified to match vulnerabilities with the specified ports (=), excluding ports (≠), ports greater than or equal to (≥), or ports less than or equal to (≤). The specified and excluding port filters may specify a single port, a comma-separated list of ports, or a range of ports (e.g., 8000-8080).

Note: All host-based vulnerability checks are reported with a port of 0 (zero).

Protocol

Specify the protocol of the event: TCP, UDP, or ICMP.

Repositories

Specify the Repositories to obtain events from. The repositories may be searched using the search filter at the top. Multiple repositories may be selected from the list.

Sensor

Filter the events by sensor using the equal (=) or not equal (!=) operators.

Source Address

Specifies an IP address or CIDR block to limit the displayed events based on source. For example, entering 192.168.10.0/24 limits any of the analysis tools to only show event data with source IPs in that block. Addresses can be comma separated.

Source Asset

Filter the source address of the event data by asset list. After clicking in the text field, select an asset list from those available, or the NOT operator to exclude asset lists. After each list is added, the AND and OR operators are available to customize how the asset lists are combined.

Source Port

This filter is in two parts. First, the type of filter can be specified to match events with the same ports (=) or different ports (≠). The port filter may then specify a single port, a comma-separated list of ports, or a range of ports (e.g., 8000-8080).

Syslog Test

(Raw Syslog Events Analysis Tool) String to search for within the filtered event.

Targeted IDS Events

This filter checkbox selects IDS events that have targeted systems and ports with vulnerabilities likely to be exploited by the detected attack. This is determined by comparing the host’s vulnerabilities (CVE, etc.) against those tied to the actual IDS event.

Timeframe

Tip: This filter is always used. By default, it is set for the last 24 hours, based on the time of the page load.

An explicit timeframe covering the last 24 hours is displayed by default. Specify either an explicit or a relative timeframe for the event filter. Choosing explicit allows the start and end dates and times to be selected from a calendar and time sliders. Relative timeframes, available from the drop-down menu, range from the last 15 minutes to the last 12 months, plus All.

Type

Select the event type (e.g., error, lce, login, intrusion, etc.) to be filtered on.

User

Specify only events tied to a particular username.

Clicking on “Clear Filters” causes the filters to return to the default settings.
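The address and port filter syntax described in the table (single IP, range or CIDR block; single port, comma-separated list or range such as 8000-8080; the =, ≠, ≥ and ≤ port operators; port 0 for host-based events) and the Targeted IDS Events check, as an added example that is not SecurityCenter’s own code. It assumes that a filter matches when either the source or the destination side of an event satisfies it, and uses constructed events with a placeholder CVE id.

```python
import ipaddress

# Constructed sample events (not real LCE data); "cves" are the CVEs tied to the IDS signature.
EVENTS = [
    {"src": "203.0.113.7", "dst": "192.168.10.5", "sport": 44123, "dport": 80, "cves": ["CVE-0000-0001"]},
    {"src": "10.0.0.9", "dst": "192.168.10.20", "sport": 51000, "dport": 8080, "cves": []},
    {"src": "192.168.10.5", "dst": "192.168.10.20", "sport": 0, "dport": 0, "cves": []},  # host-based
]
# Constructed host vulnerability data with a placeholder CVE id (not a real advisory).
HOST_VULNS = {"192.168.10.5": {"CVE-0000-0001"}, "192.168.10.20": set()}

def _items(text):
    """Split a filter value on commas or newlines, dropping blanks."""
    return [p.strip() for p in text.replace("\n", ",").split(",") if p.strip()]

def parse_addresses(text):
    """Address filter: single IPs, CIDR blocks or start-end ranges, comma or newline separated."""
    nets = []
    for item in _items(text):
        if "-" in item:  # explicit range such as 203.0.113.0-203.0.113.255
            lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets

def parse_ports(text):
    """Port filter value: a single port, a comma-separated list, or a range such as 8000-8080."""
    ports = set()
    for item in _items(text):
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def ports_match(event, op, text):
    """Port filter: = / != take a port list; >= and <= take one port. Either side matching counts (assumption)."""
    sport, dport = event["sport"], event["dport"]
    if op in ("=", "!="):
        hit = bool({sport, dport} & parse_ports(text))
        return hit if op == "=" else not hit
    bound = int(text)
    return max(sport, dport) >= bound if op == ">=" else min(sport, dport) <= bound

def is_targeted(event, host_vulns):
    """Targeted IDS Events: the signature's CVEs overlap the destination host's known vulnerabilities."""
    return bool(set(event["cves"]) & host_vulns.get(event["dst"], set()))

def apply_filters(events, address=None, port=None, targeted=False):
    """Combine filters the way the filter bar does: every active filter must match the event."""
    nets = parse_addresses(address) if address else None
    kept = []
    for e in events:
        src, dst = ipaddress.ip_address(e["src"]), ipaddress.ip_address(e["dst"])
        if nets and not any(src in n or dst in n for n in nets):
            continue
        if port and not ports_match(e, *port):
            continue
        if targeted and not is_targeted(e, HOST_VULNS):
            continue
        kept.append(e)
    return kept
```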

Options Menu

The following options are available under the Options drop-down menu in the upper right-hand corner of the event analysis screen:

Save Query

This option saves the current event view as a query for reuse. If this link is clicked, a dialog similar to the one below is displayed:

The table below describes the available query options:

Query Options

Option Description

Name

Query name

Description

This option enables users to provide a description of the query.

Save Asset

Event results can be saved to an asset list for later use by clicking on the “Save Asset” link in the upper right-hand side of the screen.

The table below describes the available asset options:

Asset Options

Option Description

Name

Asset name

Description

Asset description

Save Watchlist

A watchlist is an asset list that is used to maintain lists of IPs not in the user’s managed range of IP addresses. IPs from a watchlist can be filtered on regardless of your IP range configuration. This proves to be beneficial when analyzing event activity originating outside of the user’s managed range. For example, if a block of IP addresses is a known source of malicious activity, it could be added to a watchlist called “malicious IPs” and added to a custom query.

Selecting this option will save a Watchlist based on the current filters in use by the Event Analysis tool.

Option Description

Name

Watchlist name

Description

Asset description

Exclude Managed Hosts

When selected, managed hosts will not be saved to the asset list with the unmanaged hosts.

Open Ticket

Tickets are used within SecurityCenter to assist with the assessment and remediation of vulnerabilities and security events. Use this option to open a ticket based on the current event view.

Click on the “Open Ticket” link and complete the relevant fields as described below:

Ticket Options

Option Description

Name

Ticket name

Description

Ticket description

Notes

Notes to be used within the ticket and read by the ticket assignee.

Assignee

User who is assigned the ticket.

Classification

Information, Configuration, Patch, Disable, Firewall, Schedule, IDS, Accept Risk, Recast Risk, Re-scan Request, False Positive, System Probe, External Probe, Investigation Needed, Compromised System, Virus Incident, Bad Credentials, Unauthorized Software, Unauthorized System, Unauthorized User, or Other.

View Settings

When available, this setting controls the columns that are displayed for the selected analysis tool.

Switch to Archived / Switch to Active

The final item on the Options menu shows as either Switch to Archived or Switch to Active and Switch Archive, depending on the current view of event data.

The Switch to Archived item is displayed when viewing active event data and when selected will present a dialog to select the archived event data to display by LCE and date range.

The Switch Archive menu item is displayed when viewing archived event data. Selecting this option displays the same menu and selections as above to select a different archive silo for viewing.

The Switch to Active menu item is displayed when viewing archived data and when selected, changes the view to active event data for analysis.

Export as CSV

Event results can be exported to a comma-separated file for detailed analysis outside of SecurityCenter by clicking on the Options menu and then the “Export as CSV” option. When selected, a window opens with an option to choose the columns to be included in the CSV file.

If the record count (rows displayed) of any CSV export is greater than 1,000 records, a note is displayed that prompts for the name of the CSV report to be generated. When complete, the report can be downloaded from the “Report Results” screen. For CSV exports of under 1,000 records, the browser’s standard “Save As” dialog window is displayed.

Once the appropriate selections are made, click the Submit button to create the CSV file or Cancel to abort the process.

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.