Working with an Event

To review, email, or print the properties of an Event in an Event Database:

1. In the side bar, select Events > Event-Database Viewer.
2. In the side bar of the Event-Database Viewer, select Events or an Event-field value under Events.
3. In the workspace table, do one of the following:

Click the Event. TLC presents the Event's properties in the Event Details pane at the bottom of the Event-Database Viewer (see Table 111).

Double-click the Event. TLC opens a new tab (i.e., the Event Details tab) to present the Event's properties (see Table 112).

Tip

You can sort, group, and filter the contents of tables. For more information, see Working with Tables.

Tip

For more information about List Event options, see Working with the Event-Database Viewer.

Table 111. Tabs in the Event Details pane

Tab

Description

Overview

Presents an overview of the selected Event.

Event. The description of the Event.

Time. The time when the Event was saved in the Event Database.

Legacy Classification. A category for the Event.

Type. The type of system on which the Event occurred.

Count. The total number of events that comprise the Event, as determined by the Event's Correlation Rule. For example, if the rule creates an Event when 5 failed logins occur, this field will have a value of 5.

Sensor. The Log Source's Monitored Asset.

Priority. The severity of the Event: High, Medium, Low, or Info.

Threat. The Priority specified by the Correlation Rule that created the Event.

IDS Details. If the Event was originally stored in an IDS Database, pulls all of the Event's information from that database.

Event Details. Opens the Event Details tab (see Table 112).

Details

Presents the values of fields in the Event.

Event ID. A unique ID for the Event.

Normalization Rule ID. The ID of the Normalization Rule that normalized the Event. To open the rule's properties dialog, click Rule ID (see Working with Normalization Rules).

Correlation Rule ID. The ID of the Correlation Rule that correlated the Event (if applicable). To open the rule's properties dialog, click Rule ID (see Working with Correlation Rules).

Global ID. A unique ID for the Event that applies to both the Audit Logger and the Event-Database Viewer.

Action. The Event action, such as permit, drop or log.

User and Process. The user and process identified by the Normalized Message from which TLC created the Event.

Reference and Value. The associated event reference and value (if applicable). For more information about event references, see Table 109.

Classification

Presents any Classification Tags associated with the Event.

Source Address

If the Event is a communication Event, its Src IP field contains an IP address, and that IP address is in the Hosts group in the Event-Database Viewer (see Working with the Event-Database Viewer), this tab presents the following fields. (Otherwise, the Source Address tab is disabled.)

IP Address. The IP address in the Src IP field (i.e., the system that initiated the communication).

Country. The country in which the system with the IP address is located.

Port. The Source Port from which the initiating system sent the communication.

Hostname. The system's host name.

OS. The system's operating system.

Resolve. Resolves the values in the IP Address and/or Hostname fields. If resolution is successful, TLC updates these fields with the new value(s). Otherwise, TLC enters N/A.

Add Host. Adds a new host to the Event Database based on the information in this tab. (If the database already contains the host, this button is disabled.)

Host Details. If the Event Database contains the host, click this button to populate this tab with further details from the database. Otherwise, this button is disabled.

Destination Address

If the Event is a communication Event, its Dst IP field contains an IP address, and that IP address is in the Hosts group in the Event-Database Viewer (see Working with the Event-Database Viewer), this tab presents the following fields. (Otherwise, the Destination Address tab is disabled.)

IP Address. The IP address in the Dst IP field (i.e., the system that received the communication).

Country. The country in which the system with the IP address is located.

Port. The Destination Port on which the system received the communication.

Hostname. The system's host name.

OS. The system's operating system.

Resolve. Resolves the values in the IP Address and/or Hostname fields. If resolution is successful, TLC updates these fields with the new value(s). Otherwise, TLC enters N/A.

Add Host. Adds a new host to the Event Database based on the information in this tab. (If the database already contains the host, this button is disabled.)

Host Details. If the Event Database contains the host, click this button to populate this tab with further details from the database. Otherwise, this button is disabled.

Event Tickets

Presents any Event Tickets associated with the Event. For more information, see: 

Working with Event Tickets in the Event-Database Viewer

Acknowledging Event Tickets

Table 112. Tabs in the Event Details tab

Tab

Description

Overview

Presents the values of fields in the Event.

Event ID. A unique ID for the Event.

Global ID. A unique ID for the Event that applies to both the Audit Logger and the Event-Database Viewer.

Normalization Rule ID. The ID of the Normalization Rule that normalized the Event. To open the rule's properties dialog, click Rule ID (see Working with Normalization Rules).

Correlation Rule ID. The ID of the Correlation Rule that correlated the Event (if applicable). To open the rule's properties dialog, click Rule ID (see Working with Correlation Rules).

Src IP and Port. If an Event involves a communication between two systems, the IP address and port of the system that initiated the communication. Otherwise, the IP address of the system on which the Event occurred.

Dst IP and Port. If an Event involves a communication between two systems, the IP address and port of the system that received the communication.

Tip: To open the IP address in the Src IP field or Dst IP field in the TLC Internet Tools dialog, click Internet Tools (see Working with Internet Tools).

Src DNS and Dst DNS. The DNS names for the systems cited in the Src IP and Dst IP fields.

Time. The time when the Event was saved in the Event Database.

Protocol. The protocol used if an Event involves a communication between two systems.

Sensor. The Log Source's Monitored Asset.

Legacy Classification. A category for the Event.

Type. The type of system on which the Event occurred.

Priority. The severity of the Event: High, Medium, Low, or Info.

Threat. The Priority specified by the Correlation Rule that created the Event.

Action. The Event action, such as permit, drop or log.

User and Process. The user and process identified by the Normalized Message from which TLC created the Event.

Count. The total number of events that comprise the Event, as determined by the Event's Correlation Rule. For example, if the rule creates an Event when 5 failed logins occur, this field will have a value of 5.

Email. Sends the Event to specified recipients via email.

Search. Opens the Search feature in the Task Manager. TLC auto-populates the Filter Wizard tab with conditions for the Event's properties. For further details, see Working with the Task Manager.

IDS Details. If the Event was originally stored in an IDS Database, pulls all of the Event's information from that database.

Copy Details. Copies the properties of the Event to your clipboard.

Print Details. Generates an Event Detail Report. For more information, see Working with Report Output.

Classification

Presents any Classification Tags associated with the Event.

Destination Address

If the Event has an IP address in the Dst IP field and the IP address is in the Hosts group in the Event-Database Viewer (see Working with the Event-Database Viewer), this tab presents the following sub-tabs. (Otherwise, the Destination Address tab is disabled.)

Overview tab. General information about the Host with the IP address.

Applications tab. Applications installed on the Host with the IP address.

Vulnerabilities tab. Related Scanner Events (see What are Scanner Events?).

Event Tickets tab. Lists any Event Tickets with which the Host is currently associated.

Source Address

If the Event has an IP address in the Src IP field and the IP address is in the Hosts group in the Event-Database Viewer (see Working with the Event-Database Viewer), this tab presents the following sub-tabs. (Otherwise, the Source Address tab is disabled.)

Overview tab. General information about the Host with the IP address.

Applications tab. Applications installed on the Host with the IP address.

Vulnerabilities tab. Related Scanner Events (see What are Scanner Events?).

Event Tickets tab. Lists any Event Tickets with which the Host is currently associated.

Event References

Opens a built-in browser in which you can query more information about the Event Reference associated with the Event (if applicable). For more information about event references, see Table 109.
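The Count, Correlation Rule ID, Priority and Threat fields in Tables 111 and 112 come from a Correlation Rule counting normalized events. The following is an added example, not TLC's own code, of how such a threshold correlation produces one Event with Count = 5 from the "5 failed logins" case used in the Count description. It runs a hypothetical Normalization Rule over constructed sshd log lines, then a hypothetical Correlation Rule (ID CR-0001, 5 failed logins from one source within 60 seconds, priority High). The rule ID and settings, the sensor address 192.0.2.10 used as Dst IP, and the log lines are all assumptions made for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample input (not from the page): sshd lines as a Log Source might ship them.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sshd[4101]: Failed password for alice from 203.0.113.7 port 51234 ssh2
2024-05-01T10:00:03Z sshd[4102]: Failed password for alice from 203.0.113.7 port 51235 ssh2
2024-05-01T10:00:04Z sshd[4103]: Failed password for bob from 198.51.100.9 port 40001 ssh2
2024-05-01T10:00:05Z sshd[4104]: Failed password for alice from 203.0.113.7 port 51236 ssh2
2024-05-01T10:00:06Z sshd[4105]: Accepted password for bob from 198.51.100.9 port 40002 ssh2
2024-05-01T10:00:07Z sshd[4106]: Failed password for alice from 203.0.113.7 port 51237 ssh2
2024-05-01T10:00:09Z sshd[4107]: Failed password for alice from 203.0.113.7 port 51238 ssh2
2024-05-01T10:00:11Z sshd[4108]: Failed password for alice from 203.0.113.7 port 51239 ssh2
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
                     r"(?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)")

@dataclass(frozen=True)
class NormalizedEvent:           # field names follow the Event Details tabs
    time: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    user: str
    action: str                  # "failed-login" or "login"

def normalize(line, sensor_ip):
    """Hypothetical Normalization Rule: one sshd line -> NormalizedEvent, or None if no match.
    sshd lines carry no destination address, so the Sensor's address stands in as Dst IP (assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return NormalizedEvent(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["src_ip"],
                           int(m["src_port"]), sensor_ip, m["user"],
                           "failed-login" if m["result"] == "Failed" else "login")

@dataclass(frozen=True)
class CorrelationRule:
    rule_id: str                 # shown as Correlation Rule ID
    action: str                  # the normalized action this rule counts
    threshold: int               # fire once this many matches fall inside the window
    window: timedelta
    priority: str                # becomes the Event's Threat (and here also its Priority)

@dataclass
class CorrelatedEvent:
    event_id: int
    correlation_rule_id: str
    time: datetime
    src_ip: str
    dst_ip: str
    user: str
    count: int                   # the Count field
    priority: str
    threat: str
    event: str                   # the description shown in the Event field

# Hypothetical rule: 5 failed logins from one source within 60 s, as in the Count description.
RULE = CorrelationRule("CR-0001", "failed-login", 5, timedelta(seconds=60), "High")

class Correlator:
    """Sliding-window threshold correlation keyed on (Src IP, Dst IP)."""
    def __init__(self, rule):
        self.rule = rule
        self._pending = defaultdict(list)   # (src_ip, dst_ip) -> matches still inside the window
        self._next_id = 1
        self.events = []

    def feed(self, ev):
        if ev is None or ev.action != self.rule.action:
            return None
        bucket = self._pending[(ev.src_ip, ev.dst_ip)]
        bucket.append(ev)
        cutoff = ev.time - self.rule.window   # evict matches older than the window, so a
        bucket[:] = [e for e in bucket if e.time >= cutoff]   # slow trickle never adds up to a hit
        if len(bucket) < self.rule.threshold:
            return None
        out = CorrelatedEvent(
            self._next_id, self.rule.rule_id, ev.time, ev.src_ip, ev.dst_ip, ev.user,
            len(bucket), self.rule.priority, self.rule.priority,
            f"{len(bucket)} failed logins for {ev.user} from {ev.src_ip} "
            f"within {int(self.rule.window.total_seconds())} s")
        self._next_id += 1
        self.events.append(out)
        bucket.clear()   # each source event counts toward one correlated Event only
        return out

def run(log_text=SAMPLE_LOG, sensor_ip="192.0.2.10", rule=RULE):
    """Normalize then correlate every line; returns the correlated Events in order."""
    corr = Correlator(rule)
    for line in log_text.splitlines():
        corr.feed(normalize(line, sensor_ip))
    return corr.events

if __name__ == "__main__":
    for e in run():
        print(e)
```

Running the file prints a single correlated Event for 203.0.113.7 with Count 5 and Time equal to the fifth failed login; the sixth failed login starts a new pending count because the bucket is cleared when the rule fires, the Accepted line is ignored because its action does not match the rule, and bob's lone failure never reaches the threshold. The window eviction is the part worth keeping when adapting this: without it, a source that fails once an hour would eventually be reported as a burst.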