Event Analysis Filter Components

Filters limit the results of the event data displayed and can be added, modified, or reset as desired. For more information, see Filters.

The Event Analysis page also supports a filter bar. To display it, click the Options button (gear icon) and select Show Filter Bar.

Note: The filter bar does not display or adjust the time frame filter.

Filter Component / Description

Address

Specifies an IP address, address range, or CIDR block to limit the displayed events. For example, entering 198.51.100.64/24 limits any of the analysis tools to show only event data from that /24 network (198.51.100.0 through 198.51.100.255). You can enter multiple addresses on separate lines or comma-separated.

Asset

Filters events by the specified asset list.

Tip: Use NOT, OR, and AND operators to exclude unwanted assets from the view.

Destination Address

Specifies an IP address or CIDR block to limit the displayed events based on destination. For example, entering 198.51.100.64/24 limits any of the analysis tools to show only the event data with destination IPs in that block. Addresses can be comma-separated.

Destination Asset

Filters the destination address of the event data by the specified asset list.

Tip: Use NOT, OR, and AND operators to exclude unwanted assets from the view.

Destination Port

This filter is in two parts. Specify the type of filter to match events with the listed ports (=) or with any other ports (≠). The port filter may specify a single port, a comma-separated list of ports, or a range of ports (for example, 8000-8080).

Detailed Event

This is the detailed event name given by the IDS vendor. For example, an event received from a Snort sensor can have a detailed event name of DOUBLE DECODING ATTACK, which means that HTTP_INSPECT 119:2:1 fired and was sent to the LCE.

Direction

Filters by event direction. The default is All; you can instead select Inbound, Outbound, or Internal.

LCEs

Specify the LCE(s) to obtain events from by checking the box next to the choices.

Normalized Event

The name given to the event by the LCE after the LCE runs its PRM and TASL scripts against it.

Port

This filter is in two parts. Specify the type of filter to match events with the specified ports (=), excluding the specified ports (≠), ports greater than or equal to a value (≥), or ports less than or equal to a value (≤). The specified and excluding port filters may take a single port, a comma-separated list of ports, or a range of ports (for example, 8000-8080); the ≥ and ≤ filters take a single port.

Note: Tenable.sc reports all host-based vulnerability checks with a port of 0 (zero).

Protocol

Specify the protocol of the event: TCP, UDP, or ICMP.

Repositories

Specify the Repositories to obtain events from. You can search the repositories using the search filter at the top. You can select multiple repositories from the list.

Sensor

Filter the events by sensor using the equal (=) or not equal (!=) operators.

Source Address

Specifies an IP address or CIDR block to limit the displayed events based on source. For example, entering 198.51.100.64/24 limits any of the analysis tools to show only the event data with source IPs in that block. Addresses can be comma separated.

Source Asset

Filters the source address of the event data by asset list. Select an asset list from those available, or use the NOT operator to exclude an asset list. After you add each list, the AND and OR operators are available to control how the asset lists are combined.

Source Port

This filter is in two parts. Specify the type of filter to allow matching events with the same ports (=) or different ports (≠). The port filter may specify a single port, comma-separated list of ports, or range of ports (for example, 8000-8080).
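The Address, Source Address, Destination Address, Port, Source Port, and Destination Port entries above all accept the same small input grammars (single values, comma- or newline-separated lists, dashed ranges, CIDR blocks, and the =, ≠, ≥, ≤ operators). The following Python is an added example of how such filter text can be parsed and applied to events; it is not Tenable.sc code and does not reproduce Tenable.sc's internal implementation. The event records, field names (src, dst, dport), and the widening of a host address with a prefix (198.51.100.64/24) to its enclosing /24 are assumptions made for the example; the ≠ operator is spelled "!=" because the code takes plain ASCII.

```python
import ipaddress
import re

# Constructed sample events, not real LCE output. Field names are assumed
# for this example and mirror the Source Address / Destination Address /
# Destination Port filters.
SAMPLE_EVENTS = [
    {"id": 1, "src": "198.51.100.77", "dst": "192.0.2.10", "dport": 8080},
    {"id": 2, "src": "203.0.113.5", "dst": "192.0.2.10", "dport": 22},
    {"id": 3, "src": "198.51.100.200", "dst": "192.0.2.11", "dport": 443},
    {"id": 4, "src": "2001:db8::7", "dst": "2001:db8::1", "dport": 8000},
]


def parse_address_filter(text):
    """Parse address filter text into (ip_version, low, high) integer bounds.

    Entries are separated by commas or newlines. Each entry may be a single
    address, a dashed range (a-b) or a CIDR block. A host address with a
    prefix, such as 198.51.100.64/24, is widened to its enclosing network
    (strict=False), so the filter covers 198.51.100.0 through 198.51.100.255.
    The IP version is kept so an IPv4 and an IPv6 address with the same
    integer value (0.0.0.1 and ::1) cannot match each other.
    """
    bounds = []
    for entry in re.split(r"[,\n]", text):
        entry = entry.strip()
        if not entry:
            continue
        if "/" in entry:
            net = ipaddress.ip_network(entry, strict=False)
            bounds.append((net.version, int(net.network_address), int(net.broadcast_address)))
        elif "-" in entry:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if lo.version != hi.version or int(lo) > int(hi):
                raise ValueError(f"invalid address range: {entry!r}")
            bounds.append((lo.version, int(lo), int(hi)))
        else:
            ip = ipaddress.ip_address(entry)
            bounds.append((ip.version, int(ip), int(ip)))
    return bounds


def address_matches(bounds, ip_text):
    """True if ip_text falls inside any parsed bound of the same IP version."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip.version == v and lo <= int(ip) <= hi for v, lo, hi in bounds)


def parse_port_list(text):
    """Parse '8000-8080, 22' (single ports, lists, ranges) into a set of ports."""
    ports = set()
    for entry in text.split(","):
        entry = entry.strip()
        if not entry:
            continue
        lo, _, hi = entry.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port entry: {entry!r}")
        ports.update(range(lo, hi + 1))
    return ports


def port_matches(op, spec, port):
    """Apply the two-part port filter: op is '=', '!=', '>=' or '<='."""
    if op == "=":
        return port in parse_port_list(spec)
    if op == "!=":
        return port not in parse_port_list(spec)
    if op == ">=":
        return port >= int(spec)  # >= and <= take a single port
    if op == "<=":
        return port <= int(spec)
    raise ValueError(f"unknown port operator: {op!r}")


def apply_filters(events, src=None, dst=None, dport=None):
    """Return the events passing every supplied filter (None means unfiltered).

    dport is an (operator, spec) pair, for example ("=", "8000-8080").
    """
    src_bounds = parse_address_filter(src) if src else None
    dst_bounds = parse_address_filter(dst) if dst else None
    kept = []
    for ev in events:
        if src_bounds is not None and not address_matches(src_bounds, ev["src"]):
            continue
        if dst_bounds is not None and not address_matches(dst_bounds, ev["dst"]):
            continue
        if dport is not None and not port_matches(dport[0], dport[1], ev["dport"]):
            continue
        kept.append(ev)
    return kept


if __name__ == "__main__":
    hits = apply_filters(SAMPLE_EVENTS, src="198.51.100.64/24", dport=("=", "8000-8080"))
    print([ev["id"] for ev in hits])
```

Two details worth carrying over to any real filter: an address range such as 192.0.2.10-192.0.2.20 must be checked in integer space, not by string comparison, and a port range is expanded once at parse time rather than re-parsed for every event.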

Syslog Text

(Raw Syslog Events Analysis Tool) String to search for within the filtered event.

Targeted IDS Events

This filter selects IDS events that targeted systems and ports with vulnerabilities likely to be exploited by the detected attack. Tenable.sc determines this by comparing the targeted host's known vulnerabilities (by CVE and similar identifiers) against those tied to the IDS event.
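The correlation described above can be illustrated with a small Python example. This is added example code, not Tenable.sc's implementation: the vulnerability findings and IDS events are constructed, the field names are assumed, and the treatment of host-based findings (reported with port 0, per the note under Port) as matching whatever port the attack hit is an assumption made for this example. The CVE identifiers are real, but their assignment to the sample hosts is made up.

```python
from collections import defaultdict

# Constructed vulnerability findings as (host, port, cve). Port 0 marks a
# host-based check, following the note that Tenable.sc reports such checks
# with a port of 0. Host and port assignments are made up for this example.
SAMPLE_VULNS = [
    ("192.0.2.10", 8080, "CVE-2021-44228"),
    ("192.0.2.10", 0, "CVE-2021-4034"),
    ("192.0.2.11", 443, "CVE-2014-0160"),
]

# Constructed IDS events; "cves" holds the identifiers tied to the signature.
SAMPLE_IDS_EVENTS = [
    {"id": "A", "dst": "192.0.2.10", "dport": 8080, "cves": ["CVE-2021-44228"]},
    {"id": "B", "dst": "192.0.2.11", "dport": 8080, "cves": ["CVE-2021-44228"]},
    {"id": "C", "dst": "192.0.2.10", "dport": 22, "cves": ["CVE-2021-4034"]},
    {"id": "D", "dst": "192.0.2.11", "dport": 443, "cves": ["CVE-2014-0160", "CVE-2014-0224"]},
    {"id": "E", "dst": "192.0.2.10", "dport": 8080, "cves": []},
]


def index_vulns(vulns):
    """Index CVEs by (host, port) so each event needs only two lookups."""
    idx = defaultdict(set)
    for host, port, cve in vulns:
        idx[(host, port)].add(cve)
    return idx


def is_targeted(event, idx):
    """True if a CVE tied to the signature is present on the targeted host.

    Port-scoped findings must sit on the targeted port; host-based findings
    (port 0) apply regardless of the port hit (assumption for this example).
    A signature with no CVE references cannot be correlated and is skipped.
    """
    signature_cves = set(event["cves"])
    if not signature_cves:
        return False
    host = event["dst"]
    host_cves = idx.get((host, event["dport"]), set()) | idx.get((host, 0), set())
    return bool(signature_cves & host_cves)


def targeted_events(events, vulns):
    """Return only the IDS events whose target is vulnerable to the attack."""
    idx = index_vulns(vulns)
    return [ev for ev in events if is_targeted(ev, idx)]


if __name__ == "__main__":
    print([ev["id"] for ev in targeted_events(SAMPLE_IDS_EVENTS, SAMPLE_VULNS)])
```

Event B is dropped because the same signature hit a host that does not carry the referenced CVE, and event C is kept through the port-0 (host-based) finding even though the attack arrived on a different port.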

Timeframe

Tip: Tenable.sc always uses this filter. By default, it is set for the last 24 hours, based on the time of the page load.

By default, Tenable.sc applies an explicit timeframe covering the last 24 hours. Specify either an explicit or a relative timeframe for the event filter. Choosing explicit lets you select start and end dates from a calendar and times with sliders. Relative timeframes, available from the drop-down box, range from the last 15 minutes to the last 12 months, plus All.

Type

Use this to filter by event type, for example error, lce, login, or intrusion.

User

Shows only events tied to the specified username.

Note: Clicking Clear Filters returns the filters to their default settings.