Event Query - Novell SENTINEL RAPID DEPLOYMENT 6.1 - 12-2009 User Manual

13.1.4 Event Query

You can use an event query to find out if your system has been attacked. For example, during
monitoring, you see numerous Telnet attempts from source IP 10.0.0.1. Telnet attempts could be an
attack. Telnet potentially allows an attacker to connect to a remote computer as if they
were locally connected. This can lead to unauthorized configuration changes, installation of
programs, viruses, and so on.
You can use an event query to determine how often this possible attacker has attempted a Telnet
attack by setting up a filter to query for this particular attacker. For example, you know the
following:
Source IP: 10.0.0.1
Destination IP: 10.0.0.2
Severity: 5
Event Name: Attempted_telnet
Sensor Type: H (Host Intrusion Detection)
To perform an event query:
1 In the Sentinel Control Center, click Event Query (Magnifying Glass icon) and click the Filter
drop-down menu.
A window with a list of filters displays.
2 Click Add; specify a filter name of Telnet SIP 10.0.0.1. In the field below the filter, specify:
SourceIP = 10.0.0.3
EventName = Attempted_telnet
Severity = 5
SensorType = H
DestinationIP = 10.0.0.4
For Match if, select All conditions are met (and)
3 Click Save. Select your filter and click Select.
4 Provide your time period of interest, then click Search (Magnifying Glass icon).
The result of your query displays. If your event query makes a match, you see a result similar to
the following illustration.
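To show what the filter in the steps above actually evaluates, here is an added example (not Sentinel's own code) that applies the same five-field filter, with the "all conditions are met (and)" versus "any" choice and a time period, to a handful of constructed events and counts Telnet attempts per source. The field values are the ones listed above under "you know the following"; the events and timestamps are constructed for the example.

```python
from datetime import datetime, timedelta

# Filter conditions taken from the values listed above under "you know the following".
TELNET_FILTER = {
    "SourceIP": "10.0.0.1",
    "DestinationIP": "10.0.0.2",
    "Severity": 5,
    "EventName": "Attempted_telnet",
    "SensorType": "H",
}

def event_matches(event, conditions, match_all=True):
    """Evaluate the filter against one event.
    match_all=True is 'All conditions are met (and)'; False matches on any condition (or)."""
    results = [event.get(field) == value for field, value in conditions.items()]
    return all(results) if match_all else any(results)

def query_events(events, conditions, start, end, match_all=True):
    """Return the events inside the time period [start, end] that pass the filter."""
    return [e for e in events
            if start <= e["EventTime"] <= end
            and event_matches(e, conditions, match_all)]

def count_by_source(matched):
    """Count matched events per SourceIP: how often each source attempted Telnet."""
    counts = {}
    for e in matched:
        counts[e["SourceIP"]] = counts.get(e["SourceIP"], 0) + 1
    return counts

T0 = datetime(2009, 12, 1, 8, 0, 0)  # constructed start of the monitoring period

def make_event(minutes, **overrides):
    """Build a constructed event; defaults mirror the Telnet example, overrides vary fields."""
    event = {"EventTime": T0 + timedelta(minutes=minutes), **TELNET_FILTER}
    event.update(overrides)
    return event

# Constructed sample events (not real Sentinel output).
SAMPLE_EVENTS = [
    make_event(0),                              # matches every condition
    make_event(5),                              # second attempt, also matches
    make_event(10, EventName="Attempted_ssh"),  # same source, different event name
    make_event(12, SourceIP="10.0.0.9"),        # Telnet, but from a different source
    make_event(180),                            # Telnet, but outside a one-hour window
]

if __name__ == "__main__":
    hits = query_events(SAMPLE_EVENTS, TELNET_FILTER, T0, T0 + timedelta(hours=1))
    print(len(hits), count_by_source(hits))  # 2 {'10.0.0.1': 2}
```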
296 Sentinel 6.1 Rapid Deployment User Guide
