To view any events indicating a possible exploitation, you must have the following:
Advisor Feed
Intrusion detection
Vulnerability scanning
Within an event, the values in the vulnerability field convey the following:
When the Vulnerability field equals 1, the asset or destination device is possibly exploited.
When the vulnerability field equals 0, the asset or destination device is indicated as not being exploited.
When the Vulnerability field is blank, the exploit detection feature of Sentinel is not enabled.
To view events that indicate a possible exploitation, create an Active View with a filter where Vulnerability equals 1. For example, if you have Nmap and have run the Nmap Collector, you can view asset information on the exploited asset or any asset.
For more information on how exploit detection works and which Intrusion Detection Systems and Vulnerability Scanners are supported, see "Sentinel Control Center" section.