Event Query

You can use an event query to find out whether your system has been attacked. For example, during monitoring you see numerous Telnet attempts from source IP 10.0.0.1. Repeated Telnet attempts could be an attack: Telnet potentially allows an attacker to connect to a remote computer as if they were logged in locally, which can lead to unauthorized configuration changes, installation of programs, viruses, and so on.

You can use an event query to determine how often this possible attacker has attempted a Telnet attack by setting up a filter to query for this particular attacker. For example, you know the following:

To perform an event query:

  1. In the Sentinel Control Center, click Event Query (Magnifying Glass icon) and click the Filter drop-down menu.

    A window with a list of filters displays.

  2. Click Add; specify a filter name of Telnet SIP 10.0.0.1. In the field below the filter, specify:

    • SourceIP = 10.0.0.3

    • EventName = Attempted_telnet

    • Severity = 5

    • SensorType = H

    • DestinationIP = 10.0.0.4

    • Match if, select All conditions are met (and)

  3. Click Save. Select your filter and click Select.

  4. Provide your time period of interest, then click Search (Magnifying Glass icon).

    The results of your query are displayed. If your event query makes a match, you see a result similar to the following illustration.

    If you want to see how often this user is attempting Telnet connections in general, remove DestinationIP, SensorType, and Severity from your filter, or create a new filter. The results then show all the destination IPs this user is attempting to Telnet to.

    If any of your events are correlated events, you can right-click View Trigger Events to find what events triggered that correlated event.

    NOTE: Correlated events have the SensorType column populated with a C.
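As an added illustration that is not part of the Sentinel documentation, the following Python reproduces the matching logic behind the procedure above over a handful of constructed events: the five-condition "all conditions are met (and)" filter from step 2, the relaxed filter with DestinationIP, SensorType and Severity removed, and the SensorType = C check for correlated events. The event dictionaries, their values and the helper names are assumptions modelled on the field names used in the steps.

```python
from collections import Counter

# Constructed sample events shaped like the fields the Sentinel filter uses
# (example data, not exported from Sentinel).
EVENTS = [
    {"SourceIP": "10.0.0.3", "EventName": "Attempted_telnet", "Severity": 5,
     "SensorType": "H", "DestinationIP": "10.0.0.4"},
    {"SourceIP": "10.0.0.3", "EventName": "Attempted_telnet", "Severity": 5,
     "SensorType": "H", "DestinationIP": "10.0.0.4"},
    {"SourceIP": "10.0.0.3", "EventName": "Attempted_telnet", "Severity": 3,
     "SensorType": "H", "DestinationIP": "10.0.0.7"},
    {"SourceIP": "10.0.0.3", "EventName": "Attempted_telnet", "Severity": 5,
     "SensorType": "C", "DestinationIP": "10.0.0.9"},  # correlated event
    {"SourceIP": "10.0.0.8", "EventName": "Attempted_telnet", "Severity": 5,
     "SensorType": "H", "DestinationIP": "10.0.0.4"},
    {"SourceIP": "10.0.0.3", "EventName": "Failed_login", "Severity": 5,
     "SensorType": "H", "DestinationIP": "10.0.0.4"},
]

# The five-condition filter from step 2, "All conditions are met (and)".
STRICT_FILTER = {"SourceIP": "10.0.0.3", "EventName": "Attempted_telnet",
                 "Severity": 5, "SensorType": "H", "DestinationIP": "10.0.0.4"}

# The relaxed filter: DestinationIP, SensorType and Severity removed.
RELAXED_FILTER = {"SourceIP": "10.0.0.3", "EventName": "Attempted_telnet"}


def matches(event, conditions):
    """True when every filter condition equals the event's field value (AND)."""
    return all(event.get(field) == value for field, value in conditions.items())


def query(events, conditions):
    """Return the events that satisfy the filter, like an Event Query result set."""
    return [e for e in events if matches(e, conditions)]


def telnet_targets(events, conditions):
    """Count matching events per DestinationIP: how often, and to which hosts."""
    return Counter(e["DestinationIP"] for e in query(events, conditions))


def correlated(events):
    """Correlated events carry SensorType 'C'; trigger events sit behind them."""
    return [e for e in events if e.get("SensorType") == "C"]


if __name__ == "__main__":
    print(len(query(EVENTS, STRICT_FILTER)))             # 2
    print(dict(telnet_targets(EVENTS, RELAXED_FILTER)))  # {'10.0.0.4': 2, '10.0.0.7': 1, '10.0.0.9': 1}
    print(len(correlated(EVENTS)))                       # 1
```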
