Tenable Solutions

SIEM Alerting

Alerting on actionable data is a key principle of detecting compliance violations and security issues. Tenable SecurityCenter can be easily configured to alert on events that impact key systems, indicate system compromise or have network impact. Any alert can be sent to an email account or to the in-system ticketing system. The same alerting system is used to notify users of newly detected vulnerabilities and system configuration changes.

Users of the Tenable Log Correlation Engine have many types of events to choose from to detect security issues, including but not limited to:

  • First time seen events – any type of event, such as a new type of login failure, can be alerted on the first time it is observed on a host. For assets that do not change much, such as a DNS server, this can indicate malicious use.
  • Continuous event streams – buried in the stream of errors, IDS events, login failures and other event sources are the "low and slow" attackers. The Tenable Log Correlation Engine can find hosts that produce a continuous stream of events, such as constantly failing DNS queries or constant system errors.
  • Statistical events – each event type (netflow, system, user, etc.) is profiled per host, and an alert is generated when the event count rises above the host's statistical profile.
  • Correlated IDS events – if a system is known to have a vulnerability and an attack against that vulnerability is detected, an alert is generated.
  • General correlated events – Tenable's research team constantly updates our library of sophisticated correlation rules. Each rule implements an expert system. For example, we have produced a correlation script that relies solely on web error logs to identify web application scanners.
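To make three of the event categories above concrete (first time seen, statistical, and correlated IDS events), here is an added, simplified illustration in Python; it is not Tenable code and does not reflect how the Log Correlation Engine implements these rules. All hosts, counts, source addresses and the CVE identifier are constructed placeholders.

```python
from statistics import mean, pstdev

# Constructed sample data (not real Tenable output) for a DNS server "dns01" and a web server "web01".
BASELINE_EVENTS = {("dns01", "dns_query_ok"), ("dns01", "login_success")}
NEW_EVENTS = [("dns01", "dns_query_ok"), ("dns01", "login_failure"), ("dns01", "login_failure")]

# Hourly event counts per host; the last value is the current hour.
HOURLY_COUNTS = {
    "dns01": [40, 42, 38, 41, 39, 40, 120],
    "web01": [100, 95, 105, 98, 102, 99, 101],
}

# Vulnerability inventory per host and IDS alerts tagged with the vulnerability they target.
# "CVE-0000-0001" is a placeholder identifier, not a real CVE.
HOST_VULNS = {"web01": {"CVE-0000-0001"}, "dns01": set()}
IDS_ALERTS = [("web01", "CVE-0000-0001", "203.0.113.9"), ("dns01", "CVE-0000-0001", "203.0.113.9")]


def first_time_seen(baseline, events):
    """Return (host, event_type) pairs never observed on that host before, each reported once."""
    seen = set(baseline)
    new = []
    for host, etype in events:
        if (host, etype) not in seen:
            new.append((host, etype))
            seen.add((host, etype))
    return new


def statistical_spike(counts, sigma=3.0):
    """Flag hosts whose current-hour count exceeds mean + sigma * stdev of the prior hours."""
    flagged = {}
    for host, series in counts.items():
        history, current = series[:-1], series[-1]
        threshold = mean(history) + sigma * pstdev(history)
        if current > threshold:
            flagged[host] = current
    return flagged


def correlated_ids(ids_alerts, host_vulns):
    """Keep only IDS alerts whose targeted vulnerability is actually present on the attacked host."""
    return [(h, cve, src) for h, cve, src in ids_alerts if cve in host_vulns.get(h, set())]


if __name__ == "__main__":
    print("first seen:", first_time_seen(BASELINE_EVENTS, NEW_EVENTS))
    print("spikes:", statistical_spike(HOURLY_COUNTS))
    print("correlated IDS:", correlated_ids(IDS_ALERTS, HOST_VULNS))
```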

Tenable SecurityCenter's alerting function is versatile enough to open tickets within SecurityCenter, send syslog messages, send notifications, send emails and/or launch scans. For example, an alert can count the number of IP addresses, open ports, critical vulnerabilities, etc. for specific assets and send an email if that value exceeds a threshold. Alerts on events can also be set, such as opening a ticket when there is a spike in intrusion detection events.

Tenable SecurityCenter includes a built-in ticketing system. Alerts can open tickets and associate vulnerability, log, configuration and event data with each ticket for tracking. Users can also open tickets manually while analyzing vulnerability or event data.