To view any events indicating a possible exploitation, you must have the following:
Advisor Feed
Intrusion detection
Vulnerability scanning
Figure 1 Severity, Vulnerability, and AttackId Columns
Within an event, the values in the Vulnerability field convey the following:
When the Vulnerability field equals 1, the asset or destination device is possibly exploited.
When the Vulnerability field equals 0, the asset or destination device is not being exploited.
When the Vulnerability field is blank, the exploit detection feature of Sentinel is not enabled.
To view events that indicate a possible exploitation, create an Active View with a filter where Vulnerability equals 1. For example, if you have Nmap and have run the Nmap Collector, you can view asset information on the exploited asset or any asset.
For more information on how exploit detection works and which intrusion detection systems and vulnerability scanners are supported, see Sentinel Control Center.