Alerting

How do I set up an alert that triggers when someone scans our servers?

kinh
Loves-to-Learn

I want to be able to know when scanning activities are occurring.

So I wanted to be able to get an alert if someone is scanning our servers at 2am with Nessus or dbprotect.


DalJeanis
SplunkTrust

Here are the steps you need to take -

1) Define what you mean by "scanning our servers". How many contacts, looking at how many ports, across how many servers, in what time frame?

2) What do you mean by "someone"? Does it have to come from the same IP address? The same user?

3) Identify what a record looks like that includes each of those two types of event (nessus, dbprotect). Specifically, what fields or terms will be present, what index are they stored in, what sourcetype will they have?

Once you have the above items defined, then we can give you meaningful help.

If possible, if you know when such a scan DID occur, then you can go back and look at the records that make it up, and then craft your search to catch it if it happens again.
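The three questions above map directly onto a detection rule: pick a time window, a per-source threshold on distinct ports and distinct hosts, and a record format to parse. The block below is an added example, not code from the thread or from Splunk; it runs the same logic in Python over a handful of constructed key=value connection records, so you can see what the thresholds do before you translate them into a search. The thresholds (5-minute window, 20 ports, 5 hosts, 22:00-06:00 as off-hours) and the field names `src`, `dest`, `dest_port` are assumptions for the example.

```python
"""Threshold-based scan detection over connection records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative thresholds, not values from the thread: adjust to your environment.
WINDOW_MINUTES = 5        # "in what time frame" (step 1)
MIN_DISTINCT_PORTS = 20   # "looking at how many ports" (step 1)
MIN_DISTINCT_HOSTS = 5    # "across how many servers" (step 1)
OFF_HOURS = (22, 6)       # 22:00 to 06:00 local is treated as off-hours


def make_sample_logs():
    """Constructed records in 'ISO-timestamp key=value ...' form (not real data)."""
    lines = []
    base = datetime(2024, 3, 1, 2, 0, 0)
    # One source touches 25 distinct ports on a single server within ~100 seconds.
    for i in range(25):
        ts = base + timedelta(seconds=4 * i)
        lines.append(f"{ts.isoformat()} src=10.0.0.5 dest=192.168.1.10 "
                     f"dest_port={1000 + i} action=blocked")
    # Another source makes three ordinary daytime connections.
    base2 = datetime(2024, 3, 1, 10, 0, 0)
    for port in (80, 443, 22):
        lines.append(f"{base2.isoformat()} src=10.0.0.9 dest=192.168.1.20 "
                     f"dest_port={port} action=allowed")
    return lines


def parse_line(line):
    """Split one record into a dict; the first token is the timestamp."""
    ts_text, *fields = line.split()
    record = {"_time": datetime.fromisoformat(ts_text)}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def window_start(ts):
    """Floor a timestamp to the start of its WINDOW_MINUTES bucket."""
    return ts.replace(second=0, microsecond=0,
                      minute=ts.minute - ts.minute % WINDOW_MINUTES)


def is_off_hours(ts):
    start, end = OFF_HOURS
    return ts.hour >= start or ts.hour < end


def detect_scans(lines, min_ports=MIN_DISTINCT_PORTS, min_hosts=MIN_DISTINCT_HOSTS):
    """Return one alert per (src, window) whose distinct ports or hosts exceed a threshold."""
    buckets = defaultdict(lambda: {"ports": set(), "hosts": set()})
    for line in lines:
        r = parse_line(line)
        b = buckets[(r["src"], window_start(r["_time"]))]
        b["ports"].add(r["dest_port"])
        b["hosts"].add(r["dest"])

    alerts = []
    for (src, start), b in sorted(buckets.items()):
        n_ports, n_hosts = len(b["ports"]), len(b["hosts"])
        if n_ports >= min_ports or n_hosts >= min_hosts:
            alerts.append({
                "src": src,
                "window_start": start,
                "distinct_ports": n_ports,
                "distinct_hosts": n_hosts,
                "off_hours": is_off_hours(start),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(make_sample_logs()):
        print(alert)
```

Only `10.0.0.5` trips the rule here (25 distinct ports in one window, flagged as off-hours); `10.0.0.9` stays under both thresholds. Once the same fields exist in your index, the equivalent Splunk search is the aggregation this code performs by hand: bucket with `bin _time span=5m`, then `stats dc(dest_port) AS ports dc(dest) AS hosts BY src _time | where ports>=20 OR hosts>=5`, saved as a scheduled alert. Known scanner addresses (your Nessus or dbprotect hosts) can be matched on `src` to tell authorised scans from unexpected ones.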

mstjohn_splunk
Splunk Employee

@kinh

Thanks for posting. Could you give us some more context for your query? You have a much better chance of getting your question answered if you provide more information about your issue. Plus, it will help guide future community users who are facing a similar problem.


kinh
Loves-to-Learn

So I wanted to be able to get an alert if someone is scanning our servers at 2am with Nessus or dbprotect.
