Event Analysis Tools

A wide variety of analysis tools are available for comprehensive event analysis. Clicking on the drop-down menu indicating the current view (Type Summary by default) displays a list of analysis tools to choose from.

When viewing the analysis tool results, clicking on result will generally take you to the next level of detail for the analysis. For instance, from the Type summary page clicking on a type will display the Normalized Event Summary. Clicking on an even in that list will display the List of Events page featuring that event. Along each progression a new drop-down menu will appear allowing for easy access to either pivot to another analysis tool based on the current view or to return to the previous view.

Additionally most results will have a gear icon next to them. This icon will provide summaries, normally based on time restrictions or a view of the vulnerability summary for the affected host, around that item’s result.

Tool Description

Asset Summary

This tool can be used to see how certain types of activity, remote attackers, or non-compliant events have occurred across different asset groups.

Clicking on the Total count for the listed asset displays a Type Summary analysis tool.

Connection Summary

This tool lists connections made between two different hosts by source and destination IP address and the counts of connections between them.

Clicking on a host will display the Type Summary analysis tool.

Date Summary

When analyzing large amounts of data, it is often useful to get a quick summary of how the data set manifests itself across several dates.

For example, when analyzing a suspected attacker’s IP address, creating a filter for that IP address and looking at the type of events is simple enough. However, displaying that same data over the last few days or weeks can paint a much more interesting picture of a potential attacker’s activity.

Selecting a date will display the Type Summary analysis tool.

Destination IP Summary

This tool displays events listed by the destination IP address recorded. The table lists the LCE it was discovered on, the IP address, and the count. Clicking on the information icon next to the IP address displays the system information pertaining to the host IP address.

Clicking on one of the hosts displays the Type Summary analysis tool.

Detailed Event Summary

This tool displays a summary of the various events based on their full event name and count. Clicking on an event displays the List of Events analysis tool.

Event Trend

This analysis tool displays an event trend area graph with total events over the last 24 hours. Modify the filters for this graph to display the desired event trend view.

IP Summary

Class A Summary

Class B Summary

Class C Summary

Tenable.sc provides the ability to quickly summarize matching IP addresses by single IP address, Class A, Class B, and Class C addresses.

The IP Summary tool displays the associated LCE server along with the IP address of the reporting system and about the event count for that system.

Clicking on an IP address displays a Host Detail window for that IP address. Clicking the information icon next to the IP address displays information about the NetBIOS Name (if known), DNS Name (if known), MAC address (if known), OS (if known), Score, Repository, Last Scan, Passive Data, Compliance Data, and Vulnerability severity counts. The Assets box displays which asset lists the IP address belongs to. The Useful Links box contains a list of resources that can be queried by IP address. Clicking on one of the Resource links causes the resource to be queried with the current IP address. For example, if the current IP address was a publicly registered address, clicking on the ARIN link causes the ARIN database to be queried for the registration information for that address. If custom resources have been added by an administrative user (via the Manage IP Address Information Links selection under the Customization tab), they will be displayed here.

The Sum by Class A, B, and C tools work by displaying matching addresses. Clicking on the number displayed in the Total column will display the Type Summary for that IP address range.

List of Events

This tool displays a line of data for each matching event. The line includes many pieces of information such as time, event name, number of correlated vulnerabilities involved IP addresses, and sensor.

Normalized Event Summary

This tool summarizes a listing of all normalized events and their count for the chosen time period. Normalized events are lower-level events that have been assigned a Tenable name based on LCE scripts parsing of the log records (e.g., Snort-HTTP_Inspect).

Clicking on the event name displays the List of Events analysis tool.

Port Summary

A port summary can be invoked. This tool produces a table of the top used ports and combines counts for source and destination ports into one overall count.

Clicking on the port will display a Type Summary of events filtered for that port.

Note: Port 0 events are host-based events that are not specific to any particular TCP/UDP port.

Protocol Summary

This tool summarizes counts of events based on IP protocols.

Clicking on the event total displays a Type Summary view of events filtered by the selected protocol.

Raw Syslog Events

Users can choose to view the original log message or IDS event for full forensic analysis.

It is recommended that users attempt some sort of filtering match first before attempting to find their desired event. Users will typically sort their results and drill into the list until they find what they are looking for before attempting to view the raw data.

Sensor Summary

This tool displays the unique event counts for any query from unique sensor types.

When a sensor is clicked on, the Type Summary analysis tool is displayed for events from the selected sensor.

Source IP Summary

This tool displays events listed by the source IP address recorded. The table lists the LCE it was discovered on, the IP address, and the count. Clicking on the information icon next to the IP address displays the system information pertaining to the host IP address.

Clicking on one of the hosts displays the Type Summary analysis tool.

Type Summary

This tool displays the matching unique event types and the number of corresponding events for each.

The unique event types are based on normalized logs or events such as firewall, system, correlated, network and IDS. These types are high-level types used to describe event types (e.g., login or lce).

Clicking on any of the event counts displays the Normalized Event Summary for the type.

User Summary

This tool displays the matching unique event types and the number of corresponding events for each user when user tracking is enabled in LCE.

The unique event types are based on normalized logs such as firewall, system, correlated, network, and IDS.

Clicking on any of the event counts under the Total column will display the Type Summary analysis tool.