Detect Suspicious Activity

by David Schwalenberg
August 6, 2014

SecurityCenter Continuous View, the Passive Vulnerability Scanner (PVS), and the Log Correlation Engine (LCE) work together to collect and correlate log data from many sources, providing a centralized view of network activity. This dashboard collects a number of components that highlight potentially unauthorized, suspicious, or malicious activity, including activity spikes, data leakage, questionable content, and more.

Note that this dashboard relies on PVS detections being forwarded to the LCE. Make sure that the PVS is configured to send its realtime detections to the LCE as syslog messages: in Configuration > PVS Settings > Syslog, add the LCE host (with port 514) to the Realtime Syslog Server List. The LCE listens for syslog messages on port 514 by default, so no change is needed on the LCE side unless that port has been altered.
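A quick way to confirm that the syslog path from the PVS sensor to the LCE is open is to send a test message to the LCE host on port 514 and then look for it in the LCE's raw syslog view. The script below is an added example, not Tenable code and not the format the PVS itself emits; it builds a standard RFC 3164 syslog packet (priority, timestamp, hostname, tag, message) and sends it over UDP. The host name `lce.example.com`, the sensor name `pvs01` and the message text are placeholders, and UDP on port 514 is assumed because that is the port named in the configuration step above.

```python
import socket
import sys
import time

LCE_PORT = 514          # syslog port given in the PVS syslog settings above
MAX_PACKET = 1024       # RFC 3164 upper bound on a syslog packet
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")


def build_syslog_message(msg, facility=1, severity=6, hostname="pvs01",
                         tag="pvs", ts=None, utc=False):
    """Return an RFC 3164 style packet: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG.

    facility 0-23 and severity 0-7 are combined into PRI = facility*8 + severity.
    ts is epoch seconds (default: now); utc selects gmtime instead of localtime
    so the timestamp is reproducible in tests.
    """
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    if "\n" in msg or "\r" in msg:
        raise ValueError("syslog messages must be a single line")
    pri = facility * 8 + severity
    t = (time.gmtime if utc else time.localtime)(time.time() if ts is None else ts)
    # RFC 3164 pads the day of month with a space, not a zero ("Jan  1").
    stamp = "%s %2d %02d:%02d:%02d" % (MONTHS[t.tm_mon - 1], t.tm_mday,
                                        t.tm_hour, t.tm_min, t.tm_sec)
    packet = "<%d>%s %s %s: %s" % (pri, stamp, hostname, tag, msg)
    # Receivers may silently truncate anything longer; clip here so the
    # sender knows what actually went on the wire.
    return packet[:MAX_PACKET]


def send_syslog(host, packet, port=LCE_PORT):
    """Send one syslog packet to host:port over UDP; return bytes sent."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        return sock.sendto(packet.encode("utf-8"), (host, port))
    finally:
        sock.close()


if __name__ == "__main__":
    # Placeholder host; replace with the real LCE address, then search the
    # LCE raw syslog for the text "PVS to LCE syslog path test".
    lce_host = sys.argv[1] if len(sys.argv) > 1 else "lce.example.com"
    pkt = build_syslog_message("PVS to LCE syslog path test", hostname="pvs01")
    print("sending:", pkt)
    print("bytes sent:", send_syslog(lce_host, pkt))
```

Run it from the PVS host (or any host on the same path) so that the test also exercises any firewall rules between the sensor and the LCE; if the message never appears in the LCE, the problem is the network or the LCE listener rather than the dashboard.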

The dashboard and its components are available in the SecurityCenter Feed, an app store of dashboards, reports, and assets. The dashboard can be easily located in the SecurityCenter Feed by selecting category Threat Detection & Vulnerability Assessments, and then selecting tag anomalies. The dashboard requirements are:

  • SecurityCenter 4.8
  • LCE 4.2.2
  • PVS 4.0.1
  • LCE Client - Tenable Network Monitor
  • LCE Client - Tenable NetFlow Monitor

Listed below are the included components:

  • Potential Suspicious Activity - This matrix displays indicators of network activity over the last 72 hours that departs from its baseline or is otherwise suspicious. Spikes in event rates can indicate new applications, new types of network usage, and in some cases, abuse. A green indicator signifies that the activity has occurred; further investigation may be warranted to determine whether the activity is authorized.
  • Detect Suspicious Activity - Warnings in Last 72 Hours - This matrix presents warning indicators for potentially suspicious network activity detected in the last 72 hours. Each indicator is based on one or more LCE events, and is highlighted red if the event occurred in the last 72 hours. Any warning should be investigated. Details of the underlying events (such as time and IP address) can be obtained by clicking on the specific indicator and viewing the raw syslog.
  • Web Activity - Suspicious Activity Detected in Last 72 Hours - This matrix presents detections of potentially suspicious web activity that have occurred in the last 72 hours.
  • Detect Suspicious Activity - Inappropriate, Sensitive, Questionable Content - This component presents warning indicators for suspicious web and email content/activity. Each indicator is based on one or more LCE normalized events; if the event is detected, the indicator will change color to purple.
  • Passive Network Forensics - Suspicious Activity Over Last 72 Hours - This matrix presents indicators of suspicious events that have occurred in the last 72 hours, including intrusions, potential data leaks, potentially unwanted long-term activity, threatlist activity (interaction with known botnets), crowd surges, suspicious proxy activity, suspicious server activity, and other suspicious host activity.