by Michael Willison
March 12, 2015
Often an analyst would like to know what types of Sophos events are occurring on the network. SecurityCenter can query the Log Correlation Engine (LCE) to discover which Sophos events were detected. By running these queries, an analyst can determine what kind of activity the Sophos services on the network are seeing.
The charts in the Sophos Event Detection report help an analyst understand what Sophos events were generated over the last 7 days. Using this report, an analyst can determine whether Sophos is operating properly and what threats are being detected. There are many reasons why Sophos events may be generated: users may cancel Sophos scans because they slow down their systems, Sophos endpoints may be unable to receive updates, or malware may be attempting to load onto a system. A sudden drop to zero events from a host that normally reports is worth checking too, since it can mean the endpoint stopped logging rather than that it is clean.
The report is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. It can be found in the SecurityCenter Feed under the category Discovery & Detection. The report requirements are:
- SecurityCenter 4.8.1
- LCE 4.4.0
Establish true threat intelligence with Tenable’s SecurityCenter Continuous View (CV) and the Log Correlation Engine (LCE). SecurityCenter CV is the market leader in providing a unique combination of vulnerability detection, compliance auditing, and reporting. LCE collects, normalizes and correlates log data from across the enterprise to continuously discover and track users, applications, cloud infrastructure, trust relationships, and vulnerabilities.
Description of Chapters:
- Executive Summary: There are two charts in the Executive Summary chapter: Sophos Event Type Indicators and Trending of Sophos Events over the Last 7 Days. Together they give an analyst a good overview of the different types of Sophos activity on the network.
- Sophos Top 10 Users and Systems: The Sophos Top 10 Users and Systems chapter has four charts that show Sophos event activity by user, system and network subnet: Top 10 Users with Sophos Events, Summary of Sophos User Events, Top 10 Systems with Sophos Events, and Top 10 Class C Networks with Sophos Events.
- Sophos Event Summary: The Sophos Event Summary chapter displays two charts: Sophos Event by Category Types and Normalized Sophos Events. The first shows only the category types that were detected over the last 7 days; the second lists the top 100 normalized Sophos events over the same period.
- Sophos Event Details: The Sophos Event Details chapter displays one table. The Sophos Event Detail table shows the time of each event, the event type, the LCE sensor that collected it, and the raw syslog message, for the most recent 100 Sophos events from the last 7 days. The raw syslog text is what an analyst pivots on when a normalized event name alone does not explain what happened on the endpoint.
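The aggregations behind the chapters above (event types, 7-day trend, top users, systems and Class C networks, and the event-detail table) are easy to reproduce outside SecurityCenter, which is useful for sanity-checking what the report shows against the raw feed. The following Python is an added example and is not Tenable's or Sophos's code. The `key=value` log layout, the sample lines, `REPORT_END`, and the event type names are all constructed for illustration; real Sophos syslog output and LCE's normalized event names differ. "Class C" is taken to mean the /24 containing the host address.

```python
"""Summarise Sophos-style syslog lines the way the report's charts do.

Added example, not Tenable's or Sophos's code. The log layout below is a
constructed key=value shape for illustration; real Sophos syslog output
and the LCE normalized event names differ.
"""
import re
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample events (not real Sophos output). One line predates the
# 7-day window and one is a non-Sophos line that must not match.
SAMPLE_LOGS = """\
2015-03-04T09:00:00Z sophos host=ws-001 ip=10.1.1.5 user=bob type=update_failed msg="Could not contact update server"
2015-03-06T10:15:00Z sophos host=ws-101 ip=10.1.2.15 user=alice type=scan_cancelled msg="User cancelled on-demand scan"
2015-03-08T11:20:00Z sophos host=ws-101 ip=10.1.2.15 user=alice type=update_failed msg="Could not contact update server"
2015-03-09T12:00:00Z sophos host=srv-db1 ip=10.1.3.7 user=svc_backup type=malware_detected msg="Threat quarantined"
2015-03-10T13:30:00Z sophos host=ws-102 ip=10.1.2.16 user=carol type=scan_cancelled msg="User cancelled on-demand scan"
2015-03-11T14:45:00Z sophos host=ws-101 ip=10.1.2.15 user=alice type=malware_detected msg="Threat quarantined"
2015-03-11T15:00:00Z kernel: eth0 link up
2015-03-11T16:00:00Z sophos host=ws-103 ip=10.1.2.40 user=dave type=update_failed msg="Could not contact update server"
"""

REPORT_END = datetime(2015, 3, 12)  # assumed end of the 7-day reporting window

LINE_RE = re.compile(
    r'^(?P<ts>\S+) sophos host=(?P<host>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) '
    r'type=(?P<type>\S+) msg="(?P<msg>[^"]*)"$'
)


def parse_events(text):
    """Return (events, unparsed_count). Lines that do not normalize are
    counted rather than silently dropped: a rising unparsed count usually
    means the log format changed, not that Sophos went quiet."""
    events, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["raw"] = line  # kept for the Event Details table
        events.append(e)
    return events, unparsed


def in_window(events, end, days=7):
    """Keep only events inside the reporting window [end - days, end]."""
    start = end - timedelta(days=days)
    return [e for e in events if start <= e["ts"] <= end]


def class_c(ip):
    """Collapse a host address to its /24, as the Class C chart does."""
    return str(ip_network(f"{ip}/24", strict=False))


def daily_trend(events, end, days=7):
    """Events per calendar day touched by the window, zero-filled so quiet
    days are visible (a flat zero line is itself a sign that Sophos stopped
    reporting)."""
    counts = Counter(e["ts"].date() for e in in_window(events, end, days))
    day = (end - timedelta(days=days)).date()
    trend = []
    while day <= end.date():
        trend.append((day.isoformat(), counts.get(day, 0)))
        day += timedelta(days=1)
    return trend


def build_report(text, end=REPORT_END, days=7, top=10):
    """Compute the aggregates behind each chapter of the report."""
    events, unparsed = parse_events(text)
    recent = in_window(events, end, days)
    newest_first = sorted(recent, key=lambda e: e["ts"], reverse=True)
    return {
        "unparsed_lines": unparsed,
        "event_types": dict(Counter(e["type"] for e in recent)),
        "trend": daily_trend(events, end, days),
        "top_users": Counter(e["user"] for e in recent).most_common(top),
        "top_systems": Counter(e["host"] for e in recent).most_common(top),
        "top_class_c": Counter(class_c(e["ip"]) for e in recent).most_common(top),
        # Event Details table: time, type, raw syslog; last 100, newest first
        "details": [(e["ts"].isoformat(), e["type"], e["raw"]) for e in newest_first[:100]],
    }


if __name__ == "__main__":
    for section, value in build_report(SAMPLE_LOGS).items():
        print(section, value)
```

Run as a script it prints one line per report section for the constructed sample. Two details matter when doing this against a real feed: the unparsed-line count should be watched alongside the event counts, because a format change on the Sophos side looks exactly like "no events" if unmatched lines are dropped silently, and the trend should be zero-filled so that a day with no events shows up as a gap rather than disappearing from the chart.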