For behavioral monitoring, the Tenable Log Correlation Engine can dynamically associate any user "ID" on your network with their current and past IP address. This allows you to instantly see which users on your network have been associated with port scan events, malware alerts, denied firewall events, login failures and more. Any log source can be tied to a user "ID" from Active Directory, Email, NAC and other types of authentication log sources. Establishing a baseline of normal user activity helps to detect anomalies that can indicate insider activity.

When combined with real-time file sharing logs generated by the Tenable Passive Vulnerability Scanner, all network file sharing and Internet web browsing activity can be tracked per user. This can detail which users have accessed which systems and downloaded specific files. It can also detail exactly what files, images, text, videos, audit and document files have been accessed from the Internet. Social networking activity to sites such as Facebook is also logged.