
Event Analysis

The Events display page contains an aggregation of security events from Tenable’s Log Correlation Engine. Events can be viewed in a list format with options similar to the Vulnerability interface. Clicking through Analysis and Events displays a high-level view similar to the following:

Raw Syslog Events

SecurityCenter’s event filters include a Syslog Text option to narrow down the scope of a set of events, and support the use of keyword searches for active filters. In the example above, a mix of collapsed and expanded events is shown. Selecting the Collapse All or Expand All option from the top right Options drop-down menu performs that action for all of the results en masse. Selecting a particular event and clicking the + or - icon on the right side of the event expands or collapses that one event.

Active vs. Archived

In the Options drop-down menu the view can be switched between the Active and Archived data. This selection determines whether the displayed events are pulled from the active or an archived event database. The Active view is the default that displays all currently active events. The Archived view prompts for the selection of the LCE and an Archive Silo from which the event data will be displayed. In the example below, the LCE and Silo date range are displayed to help the user choose the correct archive data for analysis.

Analysis Tools

A wide variety of analysis tools are available for comprehensive event analysis. Clicking on the drop-down menu indicating the current view (Type Summary by default) displays a list of analysis tools to choose from:

When viewing the analysis tool results, clicking on a result will generally take you to the next level of detail for the analysis. For instance, from the Type Summary page, clicking on a type displays the Normalized Event Summary. Clicking on an event in that list displays the List of Events page featuring that event. Along each progression a new drop-down menu appears, allowing you either to pivot to another analysis tool based on the current view or to return to the previous view.

Additionally, most results have a gear icon next to them. This icon provides summaries around that item’s result, normally based on time restrictions, or a view of the vulnerability summary for the affected host.

The table below contains detailed descriptions of all available analysis tools:

Event Analysis Tools

For more information, see Event Analysis Tools.

Load Query

The Load Query option enables users to load a predefined query and display the current dataset against that query. Click on Load Query in the filters list to display a box with all available queries. The query names are displayed in alphabetical order. After clicking on an individual query, the vulnerability view is changed to match the query view for the current dataset.

Event Analysis Filters

For more information, see Event Analysis Filter Components.

Options Drop-Down Menu

The following options are available under the Options drop-down menu in the top right corner of the event analysis page:

Save Query

This option saves the current event view as a query for reuse. If this link is clicked, a dialog similar to the one below is displayed:

The table below describes the available query options:

Query Options

Option        Description
Name          Query name
Description   This option enables users to provide a description of the query.

Save Asset

Event results can be saved to an asset list for later use by clicking on the Save Asset link in the top right side of the page.

The table below describes the available asset options:

Asset Options

Option        Description
Name          Asset name
Description   Asset description

Save Watchlist

A watchlist is an asset list that is used to maintain lists of IPs not in the user’s managed range of IP addresses. IPs from a watchlist can be filtered on regardless of your IP range configuration. This proves to be beneficial when analyzing event activity originating outside of the user’s managed range. For example, if a block of IP addresses is a known source of malicious activity, it could be added to a watchlist called Malicious IPs and added to a custom query.

Selecting this option will save a Watchlist based on the current filters in use by the Event Analysis tool.

Option                  Description
Name                    Watchlist name
Description             Asset description
Exclude Managed Hosts   When selected, managed hosts will not be saved to the asset list with the unmanaged hosts.

Open Ticket

Tickets are used within SecurityCenter to assist with the assessment and remediation of vulnerabilities and security events. For more information, see Open a Ticket.

View Settings

When available, this setting controls the columns that are displayed for the selected analysis tool.

Switch to Archived / Switch to Active

The final item on the Options drop-down menu appears as Switch to Archived, Switch to Active or Switch Archive, depending on the current view of event data.

The Switch to Archived item is displayed when viewing active event data and when selected will present a dialog to choose the archived event data to display by LCE and date range.

The Switch Archive menu item is displayed when viewing archived event data. Selecting this option displays the same menu and selections as above to select a different archive silo for viewing.

The Switch to Active menu item is displayed when viewing archived data and when selected, changes the view to active event data for analysis.

Export as CSV

Event results can be exported to a comma-separated file for detailed analysis outside of SecurityCenter by clicking on the Options drop-down menu and then the Export as CSV option. When selected, a window opens with an option to choose the columns to be included in the CSV file.

If the record count (rows displayed) of any CSV export is greater than 1,000 records, a note is displayed that prompts for the name of the CSV report to be generated. When complete, the report can be downloaded from the Report Results page. For CSV exports of under 1,000 records, the browser’s standard Save As dialog window is displayed.

Once the appropriate selections are made, click the Submit button to create the CSV file or Cancel to abort the process.
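The following Python script is an added example (not part of the SecurityCenter documentation or product) that shows the kind of analysis the Save Watchlist and Export as CSV sections describe, performed outside SecurityCenter on an exported event file: parsing the CSV, rolling events up by type as the Type Summary view does, running a keyword search over the syslog text, and building a watchlist of source IPs with managed hosts excluded. The CSV column names, the managed IP range and the watchlist contents are constructed assumptions for this example, not SecurityCenter’s actual export format.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample export. The header row is an assumed column layout for
# this example; SecurityCenter's real CSV columns depend on the chosen View Settings.
SAMPLE_EXPORT = """Type,Event,Source IP,Destination IP,Syslog Text
login,SSH-Login_Failed,203.0.113.10,10.0.0.5,"sshd[1201]: Failed password for root from 203.0.113.10 port 50122 ssh2"
login,SSH-Login_Failed,203.0.113.11,10.0.0.5,"sshd[1203]: Failed password for admin from 203.0.113.11 port 50130 ssh2"
login,SSH-Login,10.0.0.7,10.0.0.5,"sshd[1210]: Accepted publickey for ops from 10.0.0.7 port 41002 ssh2"
firewall,Firewall-Deny,198.51.100.4,10.0.0.20,"kernel: DROP IN=eth0 SRC=198.51.100.4 DST=10.0.0.20 PROTO=TCP DPT=445"
web,Web-Error-404,10.0.0.8,10.0.0.30,"nginx: GET /admin HTTP/1.1 404"
"""

# Assumed managed range (the addresses SecurityCenter treats as managed hosts).
MANAGED_RANGE = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed watchlist, as in the "Malicious IPs" example in the text.
WATCHLISTS = {
    "Malicious IPs": [ipaddress.ip_network("203.0.113.0/24")],
}


def parse_export(text):
    """Parse a CSV export into a list of row dictionaries keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def type_summary(events):
    """Count events per Type, the same roll-up the Type Summary view presents."""
    return Counter(e["Type"] for e in events)


def _in_networks(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def keyword_filter(events, keyword):
    """Case-insensitive keyword search over the raw syslog text of each event."""
    k = keyword.lower()
    return [e for e in events if k in e["Syslog Text"].lower()]


def build_watchlist(events, exclude_managed=True):
    """Collect source IPs from the current result set, as Save Watchlist does.

    With exclude_managed set, hosts inside MANAGED_RANGE are left out, mirroring
    the Exclude Managed Hosts option.
    """
    ips = set()
    for e in events:
        src = e["Source IP"]
        if exclude_managed and _in_networks(src, MANAGED_RANGE):
            continue
        ips.add(src)
    return sorted(ips, key=ipaddress.ip_address)


def watchlist_filter(events, watchlist_name):
    """Keep only events whose source IP falls inside the named watchlist."""
    nets = WATCHLISTS[watchlist_name]
    return [e for e in events if _in_networks(e["Source IP"], nets)]


if __name__ == "__main__":
    events = parse_export(SAMPLE_EXPORT)
    print("Type summary:", dict(type_summary(events)))
    failed = keyword_filter(events, "failed password")
    print("Watchlist from failed logins:", build_watchlist(failed))
    print("Events from Malicious IPs:", [e["Event"] for e in watchlist_filter(events, "Malicious IPs")])
```

The workflow mirrors the UI: narrow the result set with a keyword filter, save the remaining unmanaged source addresses as a watchlist, and later pivot on that watchlist in a query. Because the watchlist is built from addresses outside the managed range, it stays usable regardless of the IP range configuration, which is the point the Save Watchlist section makes.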

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.