Daily Host Alerts Report: Users Accessing Hosts

Analysts need to know who is accessing hosts on the network. For many organizations this is simply an audit requirement, but more importantly, this is a best practice security requirement. Unauthorized access to the network or systems unchecked, can be catastrophic for an organization. This report presents a list of all hosts and the users that have accessed them in the last five days.

The monitoring of host access adds another layer of security for an organization. User accounts can be verified against access checklists to determine if any unauthorized access activity has occurred. Also, auditing user access across the environment assists analysts in understanding which hosts are most often accessed.

SecurityCenter Continuous View (SecurityCenter CV) displays data gathered from the Tenable Log Correlation Engine (LCE). LCE collects and aggregates data from host logs, as well as raw network traffic, application logs and user activity. The LCE event Daily_Host_Alert generates an alert, once per day, the first time an event from a local host (such as a DNS lookup or LCE client connect) is seen. Using this event, this report can provide user access information to host IPs over the last five days. This report enhances the auditing and security process by tracking user access and providing information to help reduce the unauthorized access security risk.

This report is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards and assets. The report can be easily located in the SecurityCenter Feed under the category Discovery & Detection. The report requirements are:

• SecurityCenter 5.4.2
• LCE 5.0.0

Tenable SecurityCenter CV provides continuous network monitoring, vulnerability identification and security monitoring. SecurityCenter CV is continuously updated with information about advanced threats, zero-day vulnerabilities and new types of regulatory compliance configuration audit files. Tenable constantly analyzes information from our unique sensors, delivering continuous visibility and critical context, enabling decisive action that transforms a security program from reactive to proactive. With this information, analysts have greater insight to monitor and determine if unauthorized access has been gained on any hosts. Tenable enables powerful, yet non-disruptive, continuous monitoring of the organization to ensure valuable information is available to analysts.

This report contains the following chapters:

Executive Summary: Auditing system access is necessary to maintain proper security in an organization. Monitoring host access by users also provides information as to the most used hosts and network segments. This chapter presents summary information about users accessing hosts in the environment over the last five days. 

Users Accessing, by Host: This chapter presents a list of all hosts and the users that have accessed them in the last five days, as recorded by Daily_Host_Alert events. This information can be used to verify that hosts are being accessing only by authorized users.