Here's the steps you need to take -
1) Define what you mean by "scanning our servers". How many contacts, looking at how many ports, across how many servers, in what time frame?
2) What do you mean by "someone"? Does it have to come from the same IP address? The same user?
3) Identify what a record looks like that includes each of those two types of event (nessus, dbprotect). Specifically, what fields or terms will be present, what index are they stored in, what sourcetype will they have?
Once you have the above items defined, then we can give you meaningful help.
If possible, if you know when such a scan DID occur, then you can go back and look at the records that make it up, and then craft your search to catch it if it happens again.
Thanks for posting. Could you give us some more context for your query? You have a much better chance of getting your question answered if you provide more information about your issue. Plus, it will help guide future community users who are facing a similar problem.