Event Analysis

Raw Syslog Events

Tenable Security Center’s event filters includes a Syslog Text option to narrow down the scope of a set of events, and supports the use of keyword searches for active filters.

Active vs. Archived

In the upper-right corner, click Active or Archived to switch between the active and archived data. This selection determines whether the displayed events are pulled from the active or an archived event database. The Active view is the default that displays all currently active events. The Archived view prompts for the selection of the Log Correlation Engine and an Archive Silo from which the event data is displayed. In the example below, the Log Correlation Engine and Silo date range are displayed to help the user choose the correct archive data for analysis.

Analysis Tools

When viewing the analysis tool results, clicking on result will generally take you to the next level of detail for the analysis. For instance, from the Type summary page clicking on a type will display the Normalized Event Summary. Clicking on an even in that list will display the List of Events page featuring that event. Along each progression a new drop-down menu will appear allowing for easy access to either pivot to another analysis tool based on the current view or to return to the previous view.

Additionally most results will have a gear icon next to them. This icon will provide summaries, normally based on time restrictions or a view of the vulnerability summary for the affected host, around that item’s result.

For more information, see Event Analysis Tools.

Load Query

The Load Query option enables users to load a predefined query and display the current dataset against that query. Click on Load Query in the filters list to display a box with all available queries. The query names are displayed in alphabetical order. After clicking on an individual query, the vulnerability view is changed to match the query view for the current dataset.

Event Analysis Filters

For more information, see Event Analysis Filter Components.

Event Analysis Actions

Save Query

Save Asset

Save Watchlist

Open Ticket

View Settings

Switch to Archived / Switch Archive / Switch to Active

The Switch Archive menu item is displayed when viewing archived event data. Selecting this option displays the same menu and selections as above to select a different archive silo for viewing.

The Switch to Active menu item is displayed when viewing archived data and when selected, changes the view to active event data for analysis.

Export as CSV

Event results can be exported to a comma-separated file for detailed analysis outside of Tenable Security Center by clicking on the Options drop-down menu and then the Export as CSV option. When selected, a window opens with an option to choose the columns to be included in the CSV file.

If the record count (rows displayed) of any CSV export is greater than 1,000 records, a note is displayed that prompts for the name of the CSV report to be generated. When complete, the report can be downloaded from the Report Results page. For CSV exports of under 1,000 records, the browser’s standard Save As dialog window is displayed.