How do I set up an alert that triggers someone sca...

kinh · ‎09-26-2018

I want to be able to know when scanning activities are occurring.

So I wanted to be able to get an alert if someone is scanning our servers at 2am with Nessus or dbprotect.

DalJeanis · ‎09-26-2018

Here's the steps you need to take -

1) Define what you mean by "scanning our servers". How many contacts, looking at how many ports, across how many servers, in what time frame?

2) What do you mean by "someone"? Does it have to come from the same IP address? The same user?

3) Identify what a record looks like that includes each of those two types of event (nessus, dbprotect). Specifically, what fields or terms will be present, what index are they stored in, what sourcetype will they have?

Once you have the above items defined, then we can give you meaningful help.

If possible, if you know when such a scan DID occur, then you can go back and look at the records that make it up, and then craft your search to catch it if it happens again.

mstjohn_splunk · ‎09-26-2018

@kinh

Thanks for posting. Could you give us some more context for your query? You have a much better chance of getting your question answered if you provide more information about your issue. Plus, it will help guide future community users who are facing a similar problem.

kinh · ‎09-26-2018

So I wanted to be able to get an alert if someone is scanning our servers at 2am with Nessus or dbprotect.

How do I set up an alert that triggers someone scans our servers?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms