Event Analysis Filter Components
Filters limit the results of the event data displayed and can be added, modified, or reset as desired. For more information, see Filters.
The Events page also supports using a filter bar for filtering.
Note: The filter bar does not display or adjust the timeframe filter.
| Filter Component | Description |
|---|---|
|
Address |
Specifies an IP address, range, or CIDR block to limit the displayed events. For example, entering 198.51.100.64/24 limits any of the web tools to show only the event data from that network. You can enter addresses on separate lines or comma separated. |
|
Asset |
Filter the event by the specified asset list. Tip: Use NOT, OR, and AND operators to exclude unwanted assets from the view. |
|
Destination Address |
Specifies an IP address or CIDR block to limit the displayed events based on destination. For example, entering 198.51.100.64/24 limits any of the analysis tools to show only the event data with destination IPs in that block. Addresses can be comma-separated. |
|
Destination Asset |
Filter the destination address of the event data by the specified asset list. Tip: Use NOT, OR, and AND operators to exclude unwanted assets from the view. |
|
Destination Port |
This filter is in two parts. Specify the type of filter to allow matching events with the same ports (=) or different ports (≠). The port filter may specify a single, comma separated list of ports or range of ports (for example, 8000-8080). |
|
Detailed Event |
This is the detailed event name given by the IDS vendor. For example, an event received from a Snort sensor can have a detailed event name of DOUBLE DECODING ATTACK, which means that HTTP_INSPECT 119:2:1 fired and was sent to the Log Correlation Engine. |
|
Direction |
Filter by event direction of All by default or select Inbound, Outbound, or Internal. |
|
Log Correlation Engines |
Specify one or more Log Correlation Engines to obtain events from by checking the box next to the choices. |
|
Normalized Event |
The name given to the event by the Log Correlation Engine after the Log Correlation Engine runs its PRM and TASL scripts against it. |
|
Port |
This filter is in two parts. Specify the type of filter to allow matching vulnerabilities with the specified ports (=), excluding ports (≠), ports greater than or equal to (≥), or ports less than or equal to (≤). The specified and excluding port filter may specify a single port, comma-separated list of ports, or range of ports (for example, 8000-8080). Note: Tenable Security Center reports all host-based vulnerability checks with a port of 0 (zero). |
|
Protocol |
Specify the protocol of the event TCP, UDP, or ICMP. |
|
Repositories |
Specify the Repositories to obtain events from. You can search the repositories using the search filter at the top. You can select multiple repositories from the list. |
|
Sensor |
Filter the events by sensor using the equal (=) or not equal (!=) operators. |
|
Source Address |
Specifies an IP address or CIDR block to limit the displayed events based on source. For example, entering 198.51.100.64/24 limits any of the analysis tools to show only the event data with source IPs in that block. Addresses can be comma separated. |
|
Source Asset |
Filter the source address of the event data by asset list and select an asset list from those available or the NOT operator to exclude asset lists. After you add each list, the AND or OR operators are available to customize the combining of asset lists. |
|
Source Port |
This filter is in two parts. Specify the type of filter to allow matching events with the same ports (=) or different ports (≠). The port filter may specify a single port, comma-separated list of ports, or range of ports (for example, 8000-8080). |
|
Syslog Text |
(Raw Syslog Events Analysis Tool) String to search for within the filtered event. |
|
Targeted IDS Events |
This filter box selects IDS events that have targeted systems and ports with vulnerabilities likely to be exploited by the detected attack. This is determined by comparing the host’s vulnerabilities (CVE, etc.) against those tied to the actual IDS event. |
|
Timeframe |
Tip: Tenable Security Center always uses this filter. By default, it is set for the last 24 hours, based on the time of the page load. By default, Tenable Security Center displays an explicit timeframe using the last 24 hours. Specify either an explicit or relative timeframe for the event filter. Choosing explicit allows for selecting dates and times from a calendar and time sliders for the start and end time. Relative timeframes, available from the drop-down box, range using various time periods from the last 15 minutes to the last 12 months and All. |
|
Type |
Use this to filter by the event type (for example, error, lce, login, or intrusion). |
|
User |
Specify only events tied to a particular username. |