The Events display page contains an aggregation of security events from Log Correlation Engine. Events can be viewed in a list format with options similar to the Vulnerability interface.
Raw Syslog Events
Tenable.sc’s event filters include a Syslog Test option to narrow down the scope of a set of events, and support the use of keyword searches for active filters. In the example above, a mix of collapsed and expanded events is shown. Selecting the Collapse All or Expand All option from the top right Options drop-down menu performs that action for all of the results en masse. Clicking the + or - icon on the right side of a particular event expands or collapses that one event.
Active vs. Archived
In the Options drop-down menu the view can be switched between the Active and Archived data. This selection determines whether the displayed events are pulled from the active or an archived event database. The Active view is the default that displays all currently active events. The Archived view prompts for the selection of the LCE and an Archive Silo from which the event data will be displayed. In the example below, the LCE and Silo date range are displayed to help the user choose the correct archive data for analysis.
A wide variety of analysis tools are available for comprehensive event analysis.
When viewing the analysis tool results, clicking on a result will generally take you to the next level of detail for the analysis. For instance, from the Type summary page, clicking on a type displays the Normalized Event Summary. Clicking on an event in that list displays the List of Events page featuring that event. At each step a new drop-down menu appears, allowing you either to pivot to another analysis tool based on the current view or to return to the previous view.
Additionally, most results have a gear icon next to them. This icon provides summaries of that item’s result, normally based on time restrictions, or a view of the vulnerability summary for the affected host.
For more information, see Event Analysis Tools.
The Load Query option enables users to load a predefined query and display the current dataset against that query. Click on Load Query in the filters list to display a box with all available queries. The query names are displayed in alphabetical order. After clicking on an individual query, the vulnerability view is changed to match the query view for the current dataset.
Event Analysis Filters
For more information, see Event Analysis Filter Components.
Event Analysis Actions
You can use the Options drop-down menu to perform the following event analysis actions.
You can save the current view as a query for reuse. For more information about queries, see Queries.
Event results can be saved to an asset list for later use. For more information, see Assets.
Event results can be saved to a watchlist asset list for later use. For more information, see Assets.
Tickets are used within Tenable.sc to assist with the assessment and remediation of vulnerabilities and security events. For more information, see Open a Ticket.
When available, this setting controls the columns displayed in your view.
Switch to Archived / Switch Archive / Switch to Active
The Switch to Archived menu item is displayed when viewing active event data. When selected, it presents a dialog to choose the archived event data to display by LCE and date range.
The Switch Archive menu item is displayed when viewing archived event data. Selecting this option displays the same menu and selections as above to select a different archive silo for viewing.
The Switch to Active menu item is displayed when viewing archived data. When selected, it changes the view to active event data for analysis.
Export as CSV
Event results can be exported to a comma-separated file for detailed analysis outside of Tenable.sc by clicking on the Options drop-down menu and then the Export as CSV option. When selected, a window opens with an option to choose the columns to be included in the CSV file.
If the record count (rows displayed) of any CSV export is greater than 1,000 records, a note is displayed that prompts for the name of the CSV report to be generated. When complete, the report can be downloaded from the Report Results page. For CSV exports of under 1,000 records, the browser’s standard Save As dialog window is displayed.
Once the appropriate selections are made, click the Submit button to create the CSV file or Cancel to abort the process.