Event Analysis Filter Components

Filters limit the results of the event data displayed and can be added, modified, or reset as desired. For more information, see Filters.

The Event Analysis page also supports using a filter bar for filtering. To display the filter bar, click the Options button (gear icon) and select Show Filter Bar.

To use the filter bar, type the name of a filter component. Then, select an operator from the drop-down that appears (e.g., = or !=). Then, type or select specific filter component criteria and click the checkmark button.

Note: The Filter Bar does not display or adjust the time frame filter.

Filter Component Description

Address

Specifies an IP address, range, or CIDR block to limit the displayed events. For example, entering 192.168.10.0/24 limits any of the web tools to only show event data from that network. Addresses can be entered on separate lines or comma separated.

Asset

Filters events by asset list. Select an asset list from those available, or use the NOT operator to exclude asset lists. After each list is added, the AND and OR operators are available to customize how the asset lists are combined.

Destination Address

Specifies an IP address or CIDR block to limit the displayed events based on destination. For example, entering 192.168.10.0/24 limits any of the analysis tools to only show event data with destination IPs in that block. Addresses can be comma separated.

Destination Asset

Filters the destination address of the event data by asset list. Select an asset list from those available, or use the NOT operator to exclude asset lists. After each list is added, the AND and OR operators are available to customize how the asset lists are combined.

Destination Port

This filter is in two parts. First, the type of filter is specified: match events with the same ports (=) or with different ports (≠). The port filter may then specify a single port, a comma-separated list of ports, or a range of ports (e.g., 8000-8080).

Detailed Event

This is the detailed event name given by the IDS vendor. For example, an event received from a Snort sensor can have a detailed event name of DOUBLE DECODING ATTACK, which means that HTTP_INSPECT 119:2:1 fired and was sent to the LCE.

Direction

Filters by event direction. The default is All; select Inbound, Outbound, or Internal to narrow the results.

LCEs

Specify the LCE(s) to obtain events from by checking the box next to the choice(s).

Normalized Event

The name given to the event by the LCE after the LCE runs its PRM and TASL scripts against it.

Port

This filter is in two parts. First, the type of filter is specified: match events with the specified ports (=), exclude the specified ports (≠), match ports greater than or equal to a value (≥), or match ports less than or equal to a value (≤). The = and ≠ filters may specify a single port, a comma-separated list of ports, or a range of ports (e.g., 8000-8080).

Note: All host-based vulnerability checks are reported with a port of 0 (zero).
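The Address and Port components above accept small expression languages (single IPs, ranges, CIDR blocks, comma- or newline-separated lists; single ports, comma-separated lists, port ranges, and the =, ≠, ≥ and ≤ operators). The following is an added example, not SecurityCenter code, that parses those forms and applies them to a handful of constructed events so the matching semantics can be checked offline. The event field names (src, dst, dport, proto), the sample addresses, and the decision to apply the Port filter to the destination port are assumptions made for the example.

```python
import ipaddress

# Constructed sample events (not from the page); fields mirror the filter components.
EVENTS = [
    {"src": "192.168.10.5",  "dst": "10.0.0.8",      "dport": 443,  "proto": "TCP"},
    {"src": "192.168.11.9",  "dst": "10.0.0.8",      "dport": 8080, "proto": "TCP"},
    {"src": "172.16.0.3",    "dst": "192.168.10.20", "dport": 22,   "proto": "TCP"},
    {"src": "192.168.10.77", "dst": "8.8.8.8",       "dport": 53,   "proto": "UDP"},
]

# The page writes the operators both as ASCII (filter bar) and as symbols (table).
OPERATORS = {"=": "=", "!=": "!=", "\u2260": "!=", ">=": ">=", "\u2265": ">=", "<=": "<=", "\u2264": "<="}


def parse_addresses(spec):
    """Parse an Address-style filter: single IPs, CIDR blocks, or 'lo-hi' ranges,
    separated by commas or newlines. Returns a predicate over an IP string."""
    nets, ranges = [], []
    for token in spec.replace("\n", ",").split(","):
        token = token.strip()
        if not token:
            continue
        if "-" in token:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in token.split("-", 1))
            if lo > hi:
                raise ValueError("reversed range: %s" % token)
            ranges.append((lo, hi))
        else:
            # strict=False lets a host address with a prefix (192.168.10.5/24) through
            nets.append(ipaddress.ip_network(token, strict=False))

    def match(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in nets) or any(lo <= addr <= hi for lo, hi in ranges)
    return match


def parse_ports(op, spec):
    """Parse a Port-style filter. '=' and '!=' take a single port, a comma-separated
    list, or a range such as 8000-8080; '>=' and '<=' take a single port.
    Returns a predicate over an integer port."""
    op = OPERATORS[op]  # KeyError for anything the page does not list

    def expand(token):
        if "-" in token:
            lo, hi = (int(p) for p in token.split("-", 1))
            return range(lo, hi + 1)
        return [int(token)]

    if op in ("=", "!="):
        wanted = set()
        for token in spec.split(","):
            if token.strip():
                wanted.update(expand(token.strip()))
        if not wanted or any(p < 0 or p > 65535 for p in wanted):
            raise ValueError("bad port spec: %r" % spec)
        return (lambda p: p in wanted) if op == "=" else (lambda p: p not in wanted)

    bound = int(spec.strip())
    return (lambda p: p >= bound) if op == ">=" else (lambda p: p <= bound)


def apply_filters(events, address=None, src=None, dst=None, port=None):
    """Return the events matching every supplied filter (filters are ANDed).
    `address` matches either endpoint, `src`/`dst` one endpoint, and `port` is an
    (operator, spec) pair applied to the destination port."""
    checks = []
    if address:
        m = parse_addresses(address)
        checks.append(lambda e, m=m: m(e["src"]) or m(e["dst"]))
    if src:
        checks.append(lambda e, m=parse_addresses(src): m(e["src"]))
    if dst:
        checks.append(lambda e, m=parse_addresses(dst): m(e["dst"]))
    if port:
        checks.append(lambda e, m=parse_ports(*port): m(e["dport"]))
    return [e for e in events if all(c(e) for c in checks)]
```

Because `address` matches either endpoint, a filter such as 192.168.10.0/24 returns events where that network is the source or the destination; use Source Address or Destination Address when only one side matters. A reversed range (hi before lo) is rejected rather than silently matching nothing.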

Protocol

Specify the protocol of the event: TCP, UDP, or ICMP.

Repositories

Specify the Repositories to obtain events from. The repositories may be searched using the search filter at the top. Multiple repositories may be selected from the list.

Sensor

Filter the events by sensor using the equal (=) or not equal (!=) operators.

Source Address

Specifies an IP address or CIDR block to limit the displayed events based on source. For example, entering 192.168.10.0/24 limits any of the analysis tools to only show event data with source IPs in that block. Addresses can be comma separated.

Source Asset

Filters the source address of the event data by asset list. Select an asset list from those available, or use the NOT operator to exclude asset lists. After each list is added, the AND and OR operators are available to customize how the asset lists are combined.

Source Port

This filter is in two parts. First, the type of filter is specified: match events with the same ports (=) or with different ports (≠). The port filter may then specify a single port, a comma-separated list of ports, or a range of ports (e.g., 8000-8080).

Syslog Text

Available only in the Raw Syslog Events analysis tool. A string to search for within the filtered events.

Targeted IDS Events

This filter box selects IDS events that have targeted systems and ports with vulnerabilities likely to be exploited by the detected attack. This is determined by comparing the host’s vulnerabilities (CVE, etc.) against those tied to the actual IDS event.
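The description above is a correlation: an IDS event counts as targeted when the CVEs tied to its signature overlap the CVEs found on the destination host at the destination port. The following is an added example of that join, written here and not taken from SecurityCenter; the data structures, field names and CVE strings are constructed placeholders (not real vulnerability identifiers), and the handling of port 0 is an assumption drawn from the Port note on this page, which reports host-based checks with a port of 0, so such findings are treated as applying to every port on the host.

```python
# Constructed sample data (not from the page). The CVE strings are placeholders,
# not real identifiers. Host vulnerabilities are keyed by IP, then by port.
HOST_VULNS = {
    "10.0.0.8":      {443: {"CVE-0000-0001"}, 0: {"CVE-0000-0009"}},  # port 0 = host-based check
    "192.168.10.20": {22:  {"CVE-0000-0002"}},
}

# Constructed IDS events; "cves" is the set of CVEs the vendor ties to the signature.
IDS_EVENTS = [
    {"dst": "10.0.0.8",      "dport": 443,  "name": "web exploit A",     "cves": {"CVE-0000-0001"}},
    {"dst": "10.0.0.8",      "dport": 80,   "name": "web exploit B",     "cves": {"CVE-0000-0003"}},
    {"dst": "10.0.0.8",      "dport": 8080, "name": "host-level exploit", "cves": {"CVE-0000-0009"}},
    {"dst": "192.168.10.20", "dport": 22,   "name": "ssh probe",         "cves": set()},
    {"dst": "172.16.0.3",    "dport": 22,   "name": "ssh exploit",       "cves": {"CVE-0000-0002"}},
]


def host_cves(vulns, ip, port):
    """CVEs known on `ip` that are reachable through `port`: the port's own findings
    plus any host-based findings recorded under port 0 (assumption, see lead-in)."""
    per_host = vulns.get(ip, {})
    return per_host.get(port, set()) | per_host.get(0, set())


def targeted_events(events, vulns):
    """Return the IDS events whose signature CVEs overlap the destination host's
    vulnerabilities at the destination port, annotated with the overlapping CVEs.
    Events with no CVE mapping, or aimed at hosts/ports with no matching finding,
    are dropped: this filter narrows to likely-successful attacks, not all attacks."""
    hits = []
    for event in events:
        overlap = event["cves"] & host_cves(vulns, event["dst"], event["dport"])
        if overlap:
            hits.append(dict(event, matched=sorted(overlap)))
    return hits
```

Of the five constructed events, only two survive: the web exploit aimed at 10.0.0.8:443, whose CVE is present on that port, and the host-level exploit on port 8080, which matches through the port-0 finding. The exploit against 172.16.0.3 has a CVE mapping but the host has no recorded vulnerability, so it is excluded even though the attack was detected; this is the distinction the filter draws between detected and likely-effective attacks.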

Timeframe

Tip: This filter is always used. By default, it is set for the last 24 hours, based on the time of the page load.

An explicit timeframe covering the last 24 hours is displayed by default. Specify either an explicit or a relative timeframe for the event filter. Choosing explicit allows the start and end to be selected with a calendar and time sliders. Relative timeframes, available from the drop-down box, range from the last 15 minutes to the last 12 months, plus All.

Type

The event type to filter on (e.g., error, lce, login, intrusion).

User

Specify only events tied to a particular username.

Clicking Clear Filters returns the filters to their default settings.

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.