Event Analysis

by Josef Weiss
June 24, 2014

This dashboard contains a series of components, in a variety of formats, that provide an overview of collected events. This gives the analyst many different methods to quickly locate actionable context in the data. Indicators automatically alert on abnormal activity, such as increased event types, connections, or changes in client behavior, from any device whose logs are aggregated by the Tenable Log Correlation Engine (LCE).

This is important, as near-instant visibility can assist in pinpointing threats rapidly.

In this collection, event data is presented to the analyst in the following formats:

  • Pie Chart - This event summary component displays the numerical proportion of the top 10 type summary events in descending order.
  • Trend Data - This event summary component displays a graphical representation of the top 10 events by type summary in a trend. These events are over the past 24 hours and sorted in a descending order by total count.
  • Line Chart - This line chart component displays information on event trends over time. Displayed is a line chart comparison over the last 24 hours of total normalized events versus unnormalized events. This provides the analyst with a quick overview of any current event spike activity.
  • Table - This event summary component displays information on the top event generators by IP address. The table lists the top 10 results over the last 24 hours, sorted by count in descending order, showing the IP address of the host generating the event, the LCE receiving the event, and the total event count.
  • Bar Graph - This bar chart component displays information on event type summary top 10 details over the last 7 days. The chart provides visual details of event trends, sorted by count, in descending order.
  • Matrix - This matrix component provides an indicator for each event type and is refreshed every 6 hours. Each indicator gives a 6-hour view of its event type, allowing the security administrator to view current events. The color of the indicator reflects the severity: Informational is green, Low is yellow, Medium is orange, High is red, and Critical is purple.
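The pie chart, table, and line chart above are all aggregations over a time window of collected events. The following Python example, added here and not part of the original dashboard or of any Tenable product code, shows those three aggregations run over a small set of constructed events: top event types by count, top (source IP, receiving LCE) generators, and per-hour normalized versus unnormalized counts. The event field names (`ts`, `type`, `src`, `lce`, `normalized`) and the sample records are assumptions made for the example; they are not LCE's actual record format.

```python
"""Aggregations behind the event dashboard components (constructed example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Reference time for the example; a real dashboard would use the current time.
NOW = datetime(2014, 6, 24, 12, 0, 0)

# Constructed sample events: (minutes ago, event type, source IP, receiving LCE, normalized?).
# Field names and values are assumptions for this example, not real LCE output.
SAMPLE_EVENTS = [
    (5,    "login-failure", "10.0.0.5", "lce-1", True),
    (9,    "login-failure", "10.0.0.5", "lce-1", True),
    (15,   "login-failure", "10.0.0.5", "lce-1", True),
    (30,   "firewall",      "10.0.0.9", "lce-1", True),
    (70,   "firewall",      "10.0.0.9", "lce-2", True),
    (80,   "web-error",     "10.0.0.7", "lce-1", True),
    (90,   None,            "10.0.0.7", "lce-1", False),   # unnormalized log line
    (200,  None,            "10.0.0.9", "lce-2", False),   # unnormalized log line
    (1500, "firewall",      "10.0.0.9", "lce-1", True),    # 25h ago: outside a 24h window
]


def build_events(now=NOW, sample=SAMPLE_EVENTS):
    """Turn the constructed tuples into event dicts with absolute timestamps."""
    return [
        {"ts": now - timedelta(minutes=m), "type": t, "src": ip, "lce": lce, "normalized": norm}
        for m, t, ip, lce, norm in sample
    ]


def in_window(events, now, hours):
    """Keep only events that fall inside the last `hours` hours."""
    cutoff = now - timedelta(hours=hours)
    return [e for e in events if cutoff <= e["ts"] <= now]


def top_event_types(events, now=NOW, hours=24, n=10):
    """Pie chart / trend: top-N normalized event types by count, descending."""
    counts = Counter(e["type"] for e in in_window(events, now, hours) if e["normalized"])
    return counts.most_common(n)


def top_generators(events, now=NOW, hours=24, n=10):
    """Table: top-N (source IP, receiving LCE) pairs by event count, descending."""
    counts = Counter((e["src"], e["lce"]) for e in in_window(events, now, hours))
    return [(ip, lce, count) for (ip, lce), count in counts.most_common(n)]


def hourly_normalized_vs_unnormalized(events, now=NOW, hours=24):
    """Line chart: per hour-bucket (0 = most recent hour) counts of
    (normalized, unnormalized) events, for spotting spikes in either series."""
    buckets = defaultdict(lambda: [0, 0])
    for e in in_window(events, now, hours):
        hours_ago = int((now - e["ts"]).total_seconds() // 3600)
        buckets[hours_ago][0 if e["normalized"] else 1] += 1
    return {h: tuple(v) for h, v in buckets.items()}


if __name__ == "__main__":
    evs = build_events()
    print("Top event types:", top_event_types(evs))
    print("Top generators:", top_generators(evs))
    print("Hourly normalized/unnormalized:", hourly_normalized_vs_unnormalized(evs))
```

Note that the 25-hour-old event is dropped by the 24-hour window, and that ties in `most_common` keep first-seen order, so a production dashboard would need an explicit secondary sort key (such as IP address) for stable table output.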

The dashboard and its components are available in the SecurityCenter Feed, an app store of dashboards, reports, and assets. The dashboard can be easily located in the SecurityCenter Feed by selecting the category 'monitoring' and then the tag 'events'.

The dashboard requirements are:

  • SecurityCenter 4.8.0
  • LCE 4.2.2