Event Indicator Alert Report

by Cody Dumont
August 1, 2013

This report provides the event summaries of each system that has been identified to have more than one "indicator" event type.  The indicator event is a correlation of specific events associated with scanning, compromises, anomalies and other behaviors indicative of determined attackers, advanced malware and other forms of activities worth investigating.

This report requires:

  • SecurityCenter 4.6.2.2 and higher
  • Log Correlation Engine 4.2 and higher

The corresponding dashboard can be found here:

Event Indicator Alert Dashboard

Chapter Description

The report is broken down into three chapters, one for each directional flow.  The directional flow can be set to four flows:

  • Any - All directions (Default)
  • Inbound - Traffic from IP addresses considered external to your network, going to addresses that are internal to your network
  • Outbound - Traffic from IP addresses considered internal to your network, going to addresses that are external to your network
  • Internal - Traffic between IP addresses that are considered internal

The complexity of traffic flow can spark many conversations.  However, the Tenable LCE team has simplified the overall understanding to ensure easy management and clearer understanding for our customers.

As part of the LCE configuration, there are two options called "include-networks" and "exclude-networks".  The ranges specified in "include-networks" are the networks that are part of your organization's network.  The ranges specified in "exclude-networks" are the exceptions: addresses carved out of "include-networks" that should not be treated as internal.

For example, if the internal network range were 192.168.1.0 - 192.168.10.255, the entry on the "include-networks" would be:

  • 192.168.0.0/21
  • 192.168.8.0/23
  • 192.168.10.0/24

As you can see, the IP address range of 192.168.0.0 - 192.168.0.255 should be excluded, which is the purpose of "exclude-networks".  In this case, "exclude-networks" would be:

  • 192.168.0.0/24

Internal traffic is defined as when an IP address from "include-networks" is communicating with IP addresses also within "include-networks".  This occurs when the source IP address and destination IP address are both found in "include-networks".

Now that we have an understanding of internal traffic, we can better define traffic that is considered inbound and outbound.  Inbound is traffic coming from an IP address that is not part of the "include-networks" range or that is part of the "exclude-networks" range, while the destination IP address of the packet is within the organization's "include-networks" range.

Outbound traffic is the opposite; the source IP address would be a part of the "include-networks" range, while the destination would have an IP address that is not part of the "include-networks" range or that is part of the "exclude-networks" range.
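The following Python script is an added example and is not part of the original report or of the LCE product code.  It applies the direction rules above to the page's own worked example (include-networks of 192.168.0.0/21, 192.168.8.0/23 and 192.168.10.0/24, with 192.168.0.0/24 excluded) and to constructed sample addresses.  The function names, the sample addresses and the "external" label for traffic where neither endpoint is internal (a case the report does not name) are my own assumptions.

```python
import ipaddress
from typing import Iterable, List, Set

# Constructed sample configuration, copied from the page's worked example:
# the internal range 192.168.1.0 - 192.168.10.255 written as three
# include-networks blocks with the unwanted 192.168.0.0/24 excluded.
INCLUDE_NETWORKS = ["192.168.0.0/21", "192.168.8.0/23", "192.168.10.0/24"]
EXCLUDE_NETWORKS = ["192.168.0.0/24"]


def _parse(cidrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_internal(ip: str, include=INCLUDE_NETWORKS, exclude=EXCLUDE_NETWORKS) -> bool:
    """An address is internal when it is inside include-networks and
    not inside exclude-networks (the exclusion wins)."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in _parse(exclude)):
        return False
    return any(addr in net for net in _parse(include))


def classify_flow(src: str, dst: str, include=INCLUDE_NETWORKS, exclude=EXCLUDE_NETWORKS) -> str:
    """Map a (source, destination) pair to the report's directional flow.
    'external' (assumed label) is returned when neither side is internal;
    such a flow only appears under the 'Any' direction."""
    src_internal = is_internal(src, include, exclude)
    dst_internal = is_internal(dst, include, exclude)
    if src_internal and dst_internal:
        return "internal"
    if dst_internal:
        return "inbound"
    if src_internal:
        return "outbound"
    return "external"


def effective_addresses(include=INCLUDE_NETWORKS, exclude=EXCLUDE_NETWORKS) -> Set[ipaddress.IPv4Address]:
    """Every address that the configuration treats as internal."""
    exc = _parse(exclude)
    return {
        addr
        for net in _parse(include)
        for addr in net
        if not any(addr in e for e in exc)
    }


def address_range(first: str, last: str) -> Set[ipaddress.IPv4Address]:
    """All addresses from first to last inclusive, for checking a configuration
    against the range the operator intended."""
    lo = int(ipaddress.ip_address(first))
    hi = int(ipaddress.ip_address(last))
    return {ipaddress.ip_address(i) for i in range(lo, hi + 1)}


def covers_intended_range(first: str = "192.168.1.0", last: str = "192.168.10.255") -> bool:
    """True when include minus exclude is exactly the intended internal range."""
    return effective_addresses() == address_range(first, last)


def events_for_chapter(direction: str, events: List[dict]) -> List[dict]:
    """Select the constructed event records that belong in one chapter."""
    return [e for e in events if classify_flow(e["src"], e["dst"]) == direction]


if __name__ == "__main__":
    # Constructed sample events (not real log data).
    sample_events = [
        {"src": "203.0.113.7", "dst": "192.168.1.10", "name": "Port Scan"},
        {"src": "192.168.9.20", "dst": "198.51.100.5", "name": "Outbound Beacon"},
        {"src": "192.168.1.10", "dst": "192.168.10.3", "name": "Lateral Login"},
        {"src": "192.168.0.5", "dst": "192.168.1.10", "name": "Excluded Source"},
    ]
    print("configuration covers intended range:", covers_intended_range())
    for e in sample_events:
        print(classify_flow(e["src"], e["dst"]), e)
```

The `covers_intended_range` check is the part worth keeping in an operator's toolbox: it catches a misconfigured "include-networks" block that silently widens or narrows what the report treats as internal, which in turn moves events between chapters.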

Chapter 1 - Inbound Event Indicator

This chapter covers all traffic destined for the organization’s network, but sourced from a network that is not found in the "include-networks" range or that is part of the "exclude-networks" range.  The iterator report returns a list of IP addresses, and for each address an event summary and raw syslogs are provided.

Chapter 2 - Outbound Event Indicator

This chapter covers all traffic leaving the organization’s network: traffic sourced from an IP address that is found in the "include-networks" range but is not part of the "exclude-networks" range, destined for an address outside that range.  The iterator report returns a list of IP addresses, and for each address an event summary and raw syslogs are provided.

Chapter 3 - Internal Event Indicator

This chapter covers all traffic between two IP addresses within the organization’s network.  The source and destination addresses are found in the "include-networks" range, but are not part of the "exclude-networks" range.  The iterator report returns a list of IP addresses, and for each address an event summary and raw syslogs are provided.