To review, email, or print the properties of an Event in an Event Database:

1. In the side bar, select Events > Event-Database Viewer.
2. In the side bar of the Event-Database Viewer, select Events or an Event-field value under Events. For field descriptions, click here.
3. In the workspace table, complete one of the following steps:
   - Click the Event. TLC presents the Event's properties in the Event Details pane at the bottom of the Event-Database Viewer (see Table 109).
   - Double-click the Event. TLC opens a new tab (the Event Details tab) to present the Event's properties (see Table 110).
| Tip |
|---|
| You can sort, group, and filter the contents of tables. For more information, see Working with Tables. |

| Tip |
|---|
| For more information about List Event options, see Working with the Event-Database Viewer. |
Table 109: Tabs in the Event Details pane

| Tab | Description |
|---|---|
| Overview | Presents an overview of the selected Event. For field descriptions, click here. Event. The description of the Event. Time. The time when the Event was saved in the Event Database. Legacy Classification. A category for the Event. Type. The type of system on which the Event occurred. Count. The total number of events that comprise the Event, as determined by the Event's Correlation Rule; for example, if the rule creates an Event when 5 failed logins occur, this field has the value 5. Sensor. The Log Source's Monitored Asset. Priority. The severity of the Event: High, Medium, Low, or Info. Threat. The Priority specified by the Correlation Rule that created the Event. IDS Details. If the Event was originally stored in an IDS Database, retrieves all of the Event's information from that database. Event Details. Opens the Event Details tab (see Table 110). |
| Details | Presents the values of fields in the Event. For field descriptions, click here. Event ID. A unique ID for the Event. Normalization Rule ID. The ID of the Normalization Rule that normalized the Event. To open the rule's properties dialog, click Rule ID (see Working with Normalization Rules). Correlation Rule ID. The ID of the Correlation Rule that correlated the Event (if applicable). To open the rule's properties dialog, click Rule ID (see Working with Correlation Rules). Global ID. A unique ID for the Event that applies to both the Audit Logger and the Event-Database Viewer. Action. The Event action, such as permit, drop, or log. User and Process. The user and process identified by the Normalized Message from which TLC created the Event. Reference and Value. The associated event reference and value (if applicable). For more information about event references, see Table 107. |
| Classification | Presents any Classification Tags associated with the Event. |
| Source Address | If the communication Event originated from an IP address in the Src IP field and that IP address is in the Hosts group in the Event-Database Viewer (see Working with the Event-Database Viewer), this tab presents the following fields; otherwise, the Source Address tab is disabled. IP Address. The IP address in the Src IP field (the system that initiated the communication). Country. The country in which the system with the IP address is located. Port. The Source Port from which the initiating system sent the communication. Hostname. The system's host name. OS. The system's operating system. [button] Resolves the values in the IP Address and/or Hostname fields; if resolution succeeds, TLC updates these fields with the new value(s), otherwise TLC enters N/A. [button] Adds a new host to the Event Database based on the information in this tab (if the database already contains the host, this button is disabled). [button] If the Event Database contains the host, click this button to populate this tab with further details from the database; otherwise, this button is disabled. |
| Destination Address | If the communication Event was received by an IP address in the Dst IP field and that IP address is in the Hosts group in the Event-Database Viewer (see Working with the Event-Database Viewer), this tab presents the following fields; otherwise, the Destination Address tab is disabled. IP Address. The IP address in the Dst IP field (the system that received the communication). Country. The country in which the system with the IP address is located. Port. The Destination Port on which the system received the communication. Hostname. The system's host name. OS. The system's operating system. [button] Resolves the values in the IP Address and/or Hostname fields; if resolution succeeds, TLC updates these fields with the new value(s), otherwise TLC enters N/A. [button] Adds a new host to the Event Database based on the information in this tab (if the database already contains the host, this button is disabled). [button] If the Event Database contains the host, click this button to populate this tab with details of the host; otherwise, this button is disabled. |
| Event Tickets | Presents any Event Tickets associated with the Event. For more information, see: |
Table 110: Tabs in the Event Details tab

| Tab | Description |
|---|---|
| Overview | Presents the values of fields in the Event. For field descriptions, click here. Event ID. A unique ID for the Event. Global ID. A unique ID for the Event that applies to both the Audit Logger and the Event-Database Viewer. Normalization Rule ID. The ID of the Normalization Rule that normalized the Event. To open the rule's properties dialog, click Rule ID (see Working with Normalization Rules). Correlation Rule ID. The ID of the Correlation Rule that correlated the Event (if applicable). To open the rule's properties dialog, click Rule ID (see Working with Correlation Rules). Src IP and Port. If the Event involves a communication between two systems, the IP address and port of the system that initiated the communication; otherwise, the IP address of the system on which the Event occurred. Dst IP and Port. If the Event involves a communication between two systems, the IP address and port of the system that received the communication. Tip: To open the IP address in the Src IP or Dst IP field in the TLC Internet Tools dialog, click the adjacent button (see Working with Internet Tools). Src DNS and Dst DNS. The DNS names of the systems cited in the Src IP and Dst IP fields. Time. The time when the Event was saved in the Event Database. Protocol. The protocol used, if the Event involves a communication between two systems. Sensor. The Log Source's Monitored Asset. Legacy Classification. A category for the Event. Type. The type of system on which the Event occurred. Priority. The severity of the Event: High, Medium, Low, or Info. Threat. The Priority specified by the Correlation Rule that created the Event. Action. The Event action, such as permit, drop, or log. User and Process. The user and process identified by the Normalized Message from which TLC created the Event. Count. The total number of events that comprise the Event, as determined by the Event's Correlation Rule; for example, if the rule creates an Event when 5 failed logins occur, this field has the value 5. Email. Sends the Event to specified recipients via email. Search. Opens the Search feature in the Task Manager; TLC auto-populates the Filter Wizard tab with conditions for the Event's properties. For further details, see Working with the Task Manager. IDS Details. If the Event was originally stored in an IDS Database, retrieves all of the Event's information from that database. Copy Details. Copies the properties of the Event to your clipboard. Print Details. Generates an Event Detail Report. For more information, see Working with Report Output. |
| Classification | Presents any Classification Tags associated with the Event. |
| Destination Address | If the Event has an IP address in the Dst IP field and that IP address is in the Hosts group in the Event-Database Viewer (see Working with the Event-Database Viewer), this tab presents the following sub-tabs; otherwise, the Destination Address tab is disabled. Overview tab. General information about the Host with the IP address. Applications tab. Applications installed on the Host with the IP address. Vulnerabilities tab. Related Scanner Events (see What are Scanner Events?). Event Tickets tab. Lists any Event Tickets with which the Host is currently associated. |
| Source Address | If the Event has an IP address in the Src IP field and that IP address is in the Hosts group in the Event-Database Viewer (see Working with the Event-Database Viewer), this tab presents the following sub-tabs; otherwise, the Source Address tab is disabled. Overview tab. General information about the Host with the IP address. Applications tab. Applications installed on the Host with the IP address. Vulnerabilities tab. Related Scanner Events (see What are Scanner Events?). Event Tickets tab. Lists any Event Tickets with which the Host is currently associated. |
| Event References | Opens a built-in browser in which you can query more information about the Event Reference associated with the Event (if applicable). For more information about event references, see Table 107. |