icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons

Event Indicator Alert Report

by Andrew Freeborn
February 9, 2016

Analysts have more information to manage and threats to consider as organizations continue to grow. Organizations deploy new software, upgrade existing software, build out new networks and add hardware. As those activities in the network continue to change, analysts need to continually think of the security ramifications. LCE monitors events generated from all of those activities within an organization. LCE intelligently collects the information from network devices and hosts across the network, and understands events generated from software logs.

This report focuses on the indicator events found within LCE to provide analysts an overview of LCE indicator events in the organization. The "indicator" event type is used by LCE to track correlations associated with scanning, compromises, anomalies, and other behaviors that indicate the presence of determined attackers, advanced malware, and other forms of potentially malicious activities.

The tracking occurs for any IP address that has had at least two unique events occurring in a short period of time. The alert level is increased for each new type of event added into the tracking of the IP address. Each time an alert level is increased, a new log is produced summarizing the sequence of events.

LCE tracks various different normalized event types that are shown in the “Indicator” type, including large or medium anomalies. Also included is the threatlist (botnet) inbound, and outbound activity that indicates file transfers or proxy traffic. The “Indicator” type also tracks IDS events, continuous events, changes (network, account), downloads, and other behaviors of interest.

Threats to an organization can come from multiple directions which analysts need to consider. The report has three major sections for analysts to evaluate different threats to the organization. Analysts can configure LCE to identify which networks they want to be included for LCE event monitoring.

As analysts set up network segmentation within repositories, SecurityCenter and LCE will then know what to consider for internal, inbound and outbound network traffic. With the correct configuration, LCE can better tell when traffic from the Internet is coming into the network and vice versa. Identifying various internal networks is an important step for LCE to better assist analysts with complete information. A logout event found in the internal network space has less importance than one found in the inbound network space. Analysts can use the different event families within each network context to make better threat response decisions.

As analysts use this report, they can determine whether or not the flow of events detected with LCE are within an expected norm of activity. A few of the event families, such as virus and threatlist, should be at a minimal number. This report can help analysts stay aware of those events in the organization.

Every IP address monitored by LCE which has indicator events found within each network space is listed in this report. With each IP address, the breakdown of each LCE event family is provided along with a count of the total events. Analysts are provided a count of the events found for each event family within the last 24 hours. The newest ten raw system logs relating to indicator events are also provided. The logs are provided to help the analyst get a quick view of the type of indicator events detected with LCE.

This report is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. This report can be easily located in the SecurityCenter Feed under the category Threat Detection & Vulnerability Assessments. The report requirements are:

  • SecurityCenter 4.8.2
  • LCE 4.6.1

Tenable provides continuous network monitoring to identify vulnerabilities, reduce risk and ensure compliance. Our family of products includes SecurityCenter Continuous View (CV), Nessus, Passive Vulnerability Scanner (PVS) and Log Correlation Engine (LCE). SecurityCenter CV provides the most comprehensive and integrated view of network health. LCE performs automatic discovery of users, infrastructure, and vulnerabilities across more technologies than any other vendor. These technologies include operating systems, network devices, hypervisors, databases, tablets, phones, web servers and critical infrastructure.

This report contains the following chapters:

  • Executive Summary: This chapter provides an overview of LCE indicator events detected within the organization
  • Inbound LCE indicator events: This chapter covers all traffic destined for the organization’s network, but sourced from a network that is not found in the "include-networks" range or that is part of the "exclude-networks" range
  • Outbound LCE indicator events: This chapter covers all traffic leaving the organization’s network and is sourced from a network that is found in the "include-networks" range, but is not part of the "exclude-networks" range
  • Internal LCE indicator events: This chapter covers all traffic between two IP addresses within the organization’s network