Daily Host Alerts

by Andrew Freeborn
November 18, 2015

A new host on the network should be neither an unexpected nor an unplanned event. This dashboard provides information such as new hosts on the network to help administrators and analysts with situational awareness. The detailed information it provides on new hosts and related alerts helps keep analysts aware of host-based events in the environment.

Hosts constantly generate events for a variety of reasons, such as normal system events, users logging into a host, or an application writing an event to a log. Administrators and analysts can quickly drill down into the details of hosts and their events using this dashboard. With this detailed information, administrators can, for example, troubleshoot issues faster by reviewing logs independently of the host, and analysts can review alerts by user to narrow down the information relevant to an investigation. This dashboard provides many ways to aid investigations or troubleshooting, as well as awareness of new hosts on the network through passive network analysis.

This dashboard gives analysts an easy way to see data that was collected actively, passively and through log correlation. Actively collected data is shown, for instance, as the new alerts generated on a host. Passively collected data is shown, for instance, as the new hosts found on the network. Even though these data sources operate in different ways, the dashboard combines them into a single easy-to-view display. This combination is accomplished through log correlation to give administrators and analysts precise and accurate information.

Users typically work a repeatable set of hours in a work week and generate alerts during those hours. Alerts observed outside a user’s typical working hours should be investigated to confirm they reflect expected activity. Analysts can quickly see this data in the dashboard in an easy-to-read format to help them perform this job. New user activity on a host should also be investigated as soon as possible to validate that the activity is appropriate. Such activity can be expected for routine administrator and analyst work, but it should still be broadly known for situational awareness. Administrators and analysts have access to up-to-date information in the dashboard, which helps them perform their tasks more effectively.

The dashboard and its components are available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The dashboard can be easily located in the SecurityCenter Feed under the category Discovery & Detection. The dashboard requirements are:

  • SecurityCenter 4.8.2
  • PVS 4.4.0
  • LCE 4.6.0

Tenable provides continuous network monitoring to identify vulnerabilities, reduce risk and ensure compliance. Our family of products includes SecurityCenter Continuous View (CV), Passive Vulnerability Scanner (PVS) and Log Correlation Engine (LCE). SecurityCenter CV performs log normalization from hundreds of unique data sources. Regardless of whether logs in a SIEM or log data store are sent to SecurityCenter CV or directly from applications and systems, they will be recognized and mined for vulnerabilities, user identification and asset discovery. PVS provides deep packet inspection to continuously discover and track users, applications, cloud infrastructures, trust relationships, and vulnerabilities. LCE performs automatic discovery of users, infrastructure, and vulnerabilities across more technologies than any other vendor including operating systems, network devices, hypervisors, databases, tablets, phones, web servers and critical infrastructure.

This dashboard contains the following components:

  • Daily Host Alerts Trend (Last 5 Days): The “Daily Host Alerts Trend” line component displays a count of new alerts generated on hosts and when they were first seen on the network
  • Daily Host Alerts (Last 5 Days): The “Daily Host Alerts” table component displays the new host alerts for the last 5 days
  • Daily Host Alerts by User (Last 5 Days): The “Daily Host Alerts by User” table component displays alerts of user activity for the last five days
  • New Hosts (Last 5 Days): The “New Hosts” table component lists newly discovered hosts seen in the last five days
  • New Users (Last 5 Days): The “New Users” table component shows new user activity in the last five days
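The checks behind these components (first-seen hosts and users within a five-day window, alerts outside working hours, and a per-day alert count for the trend line) can be sketched in code. This is an added example written for this page, not Tenable's own SecurityCenter, PVS or LCE code; the event records, the "current time" and the 08:00-17:59 Monday-to-Friday working hours are constructed assumptions, and in a real deployment the working-hours baseline would come from each user's observed history.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (not real data): (host, user, ISO-8601 timestamp).
EVENTS = [
    ("web01", "alice", "2015-11-10T09:15:00"),  # baseline activity, before the window
    ("web01", "alice", "2015-11-16T10:30:00"),
    ("web01", "alice", "2015-11-17T23:45:00"),  # outside the assumed working hours
    ("db02",  "bob",   "2015-11-17T08:05:00"),  # db02 first seen inside the window
    ("web01", "carol", "2015-11-18T14:00:00"),  # carol is a new user on web01
]
NOW = datetime(2015, 11, 18, 23, 59)  # constructed "current time" for the example
WINDOW_DAYS = 5                        # matches the dashboard's five-day components
WORK_HOURS = (8, 18)                   # assumed typical hours: 08:00-17:59, Mon-Fri

def parse(events):
    return [(h, u, datetime.fromisoformat(t)) for h, u, t in events]

def _first_seen(events, key):
    """Earliest timestamp per key, where key(host, user) picks the entity tracked."""
    first = {}
    for h, u, ts in events:
        k = key(h, u)
        first[k] = min(ts, first.get(k, ts))
    return first

def new_hosts(events, now=NOW, days=WINDOW_DAYS):
    """Hosts whose first-ever event falls inside the last `days` days."""
    cutoff = now - timedelta(days=days)
    return sorted(h for h, ts in _first_seen(events, lambda h, u: h).items() if ts >= cutoff)

def new_users(events, now=NOW, days=WINDOW_DAYS):
    """(host, user) pairs first observed inside the window."""
    cutoff = now - timedelta(days=days)
    return sorted(k for k, ts in _first_seen(events, lambda h, u: (h, u)).items() if ts >= cutoff)

def off_hours_alerts(events, now=NOW, days=WINDOW_DAYS, hours=WORK_HOURS):
    """Window events that fall on a weekend or outside the assumed working hours."""
    cutoff = now - timedelta(days=days)
    start, end = hours
    return [(h, u, ts.isoformat()) for h, u, ts in events
            if ts >= cutoff and (ts.weekday() >= 5 or not start <= ts.hour < end)]

def daily_counts(events, now=NOW, days=WINDOW_DAYS):
    """Per-day alert counts inside the window, as the trend component would plot them."""
    cutoff = now - timedelta(days=days)
    return dict(Counter(ts.date().isoformat() for _, _, ts in events if ts >= cutoff))

if __name__ == "__main__":
    ev = parse(EVENTS)
    print(new_hosts(ev), new_users(ev), off_hours_alerts(ev), daily_counts(ev))
```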