Alerting

How do I set up an alert that triggers someone scans our servers?

New Member

I want to be able to know when scanning activities are occurring.

So I wanted to be able to get an alert if someone is scanning our servers at 2am with Nessus or dbprotect.

Tags (4)
0 Karma

SplunkTrust
SplunkTrust

Here's the steps you need to take -

1) Define what you mean by "scanning our servers". How many contacts, looking at how many ports, across how many servers, in what time frame?

2) What do you mean by "someone"? Does it have to come from the same IP address? The same user?

3) Identify what a record looks like that includes each of those two types of event (nessus, dbprotect). Specifically, what fields or terms will be present, what index are they stored in, what sourcetype will they have?

Once you have the above items defined, then we can give you meaningful help.

If possible, if you know when such a scan DID occur, then you can go back and look at the records that make it up, and then craft your search to catch it if it happens again.

Splunk Employee
Splunk Employee

@kinh

Thanks for posting. Could you give us some more context for your query? You have a much better chance of getting your question answered if you provide more information about your issue. Plus, it will help guide future community users who are facing a similar problem.

0 Karma

New Member

So I wanted to be able to get an alert if someone is scanning our servers at 2am with Nessus or dbprotect.

0 Karma