Tenable Solutions

Log Normalization

As logs are sent to the Tenable Log Correlation Engine, they are normalized into a high-level event type and a more specific, unique event name. For example, two logs indicating login failures to a Windows domain controller and to a Windows database server would both be labeled with the "login-failure" event type, but they would also carry more specific event names such as Windows-Account_Expired and MSSQLSVR-Login_Failed.

As the Tenable Log Correlation Engine parses logs containing user authentication information, it dynamically learns user names and their source IP addresses. As new logs from firewalls, NetFlow and other types of sources arrive at the Log Correlation Engine, they are cross-referenced against the list of learned users as part of the normalization process. This allows each normalized log to be associated with a user ID, even if the user is using multiple IP addresses or has changed IP addresses during a certain time period.
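The two steps described above, as an added illustration that is not Tenable's code and does not reflect the Log Correlation Engine's internal implementation: each log line is matched against a rule that yields an event type and a specific event name, authentication logs teach the normalizer a user-to-IP mapping, and later IP-only logs (here, constructed firewall records) are attributed to the user most recently seen at that IP. The regexes, field names, sample logs and the four-hour attribution window are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not from the page): two authentication failures,
# firewall records that carry only IP addresses, and a user changing IP.
SAMPLE_LOGS = [
    "2024-05-01T09:00:00 DC01 EventID=532 Account expired user=alice src=10.0.0.5",
    "2024-05-01T09:05:00 SQL01 MSSQLSERVER Login failed for user 'bob' [CLIENT: 10.0.0.9]",
    "2024-05-01T09:10:00 FW01 ALLOW src=10.0.0.5 dst=192.0.2.10 dport=443",
    "2024-05-01T13:00:00 DC01 EventID=532 Account expired user=alice src=10.0.0.22",
    "2024-05-01T13:30:00 FW01 DENY src=10.0.0.22 dst=192.0.2.11 dport=22",
    "2024-05-01T13:40:00 FW01 DENY src=10.0.0.99 dst=192.0.2.11 dport=22",
]

# Hypothetical normalization rules: regex -> (high-level event type, event name template).
RULES = [
    (re.compile(r"EventID=532 .*user=(?P<user>\S+) src=(?P<ip>\S+)"),
     "login-failure", "Windows-Account_Expired"),
    (re.compile(r"Login failed for user '(?P<user>[^']+)' \[CLIENT: (?P<ip>[^\]]+)\]"),
     "login-failure", "MSSQLSVR-Login_Failed"),
    (re.compile(r"FW01 (?P<action>ALLOW|DENY) src=(?P<ip>\S+)"),
     "firewall", "Firewall-{action}"),
]


def normalize(lines, window=timedelta(hours=4)):
    """Normalize each line and attribute IP-only events to the user most
    recently seen authenticating from that IP within `window` (assumed)."""
    learned = {}   # ip -> (user, time the user was last seen authenticating from it)
    events = []
    for line in lines:
        ts = datetime.fromisoformat(line.split()[0])
        for rx, etype, name_tpl in RULES:
            m = rx.search(line)
            if not m:
                continue
            f = m.groupdict()
            user = f.get("user")
            if user:                       # authentication log: learn the mapping
                learned[f["ip"]] = (user, ts)
            else:                          # IP-only log: cross-reference learned users
                known = learned.get(f["ip"])
                if known and ts - known[1] <= window:
                    user = known[0]
            events.append({"time": ts, "type": etype, "name": name_tpl.format(**f),
                           "ip": f["ip"], "user": user})
            break
    return events
```

Run `normalize(SAMPLE_LOGS)`: both failures share the "login-failure" type with distinct names, the firewall records from 10.0.0.5 and later 10.0.0.22 are both attributed to alice, and the record from an IP no user has authenticated from stays unattributed.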

At any given time, a user can work with previously saved or shared queries, change the type of tool they are using to view the data, or modify the filtering query. Data can be filtered by IP address, user name, port, time, asset type, direction and many other factors. Data can also be summarized by asset type, port, network address and user name.