Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Daily Host Alerts Report

by Josef Weiss
October 22, 2015

Monitoring, profiling, and analyzing host alerts within the network can assist in determining if problems exist, policies should be updated, or abnormal activity is present. Systems and users identified by the Daily_Host_Alert LCE event are presented to the analyst to provide information on what devices and users are logging in and when. This report can assist organizations to understand when connections to the network are most likely to occur, making it easier to spot and track anomalies for devices or user accounts.

The LCE event Daily_Host_Alert generates, once per day, an alert the first time an event from a local host is seen, such as a DNS lookup or LCE client connect. For systems that are always on, such as servers, a spike around midnight will be detected. Other computers may start out their day at various times.

Passively detected new hosts that have been identified by the PVS New_Host_Alert and LCE New_MAC event are also reported. The New_MAC event records the first time a new MAC address is ever seen on the network. The New_Host_Alert event records the first time a new IP address is ever passively detected. These events are generated for any new host seen on the network, whereas the Daily_Host_Alert event is only generated for hosts in the “include-network” range. The benefit is being able to report on newly detected MAC addresses, anywhere, even if the host is outside the organization’s defined range.

This report can be used to look for anomalies such as unknown systems or users popping up, or unexpected activity blackouts from known systems.

Note that this report might be very long (hundreds of pages), depending on the number of systems and users on the network. Consider modifying the report definition and filtering on an asset to produce a more specific and more manageable report.

The report is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The report can be easily located in the SecurityCenter Feed under the category Discovery & Detection.

The report requirements are:

  • SecurityCenter 4.8.2
  • LCE 4.4.1
  • PVS 4.4.0

SecurityCenter Continuous View (CV) provides continuous network monitoring, vulnerability identification, risk reduction, and compliance monitoring. PVS provides deep packet inspection to continuously discover vulnerabilities and Indicators of Compromise (IOC) traveling the wire. LCE correlates real-time events, such as DNS queries, and then performs analysis to discover vulnerabilities and IOC. LCE also has the capability to discover users, operating systems, network devices, hypervisors, databases, tablets, phones, web servers, and other critical infrastructure. SecurityCenter CV allows for the most comprehensive and integrated view of network health.

The report contains the following chapters:

  • Executive Summary - This chapter presents a line graph of Daily_Host_Alert events by time for the last 5 days and a bar chart displaying host alerts by network. Monitoring daily host alerts by network assists in establishing baselines. Anomalies can be analyzed and escalated to the proper administrators.
  • Daily Host Alerts: Hosts (Last 5 Days) - This chapter presents a table of all hosts associated with at least one Daily_Host_Alert event in the last 5 days. Verify that all hosts in this list are authorized to access the network.
  • Daily Host Alerts: Users (Last 5 Days) - This chapter presents a table of all users associated with at least one Daily_Host_Alert event in the last 5 days. Verify that all users in this list are authorized to access the network. Profiling and analyzing these alerts can assist in determining if problems exist or policies should be updated.
  • New Hosts and Users Passively Discovered (Last 5 Days) - This appendix presents tables of new hosts and new users discovered in the last 5 days. These tables can be used to correlate discovered hosts and users with Daily_Host_Alert events.
Try for Free Buy Now

Try Tenable.io

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets
Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 60 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs
Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 60 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security