Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I set up an alert that triggers someone scans our servers?

kinh
Loves-to-Learn
‎09-26-2018 11:40 AM

I want to be able to know when scanning activities are occurring.

So I wanted to be able to get an alert if someone is scanning our servers at 2am with Nessus or dbprotect.

Tags (4)
0 Karma
Reply

DalJeanis
Legend
‎09-26-2018 09:06 PM

Here's the steps you need to take -

1) Define what you mean by "scanning our servers". How many contacts, looking at how many ports, across how many servers, in what time frame?

2) What do you mean by "someone"? Does it have to come from the same IP address? The same user?

3) Identify what a record looks like that includes each of those two types of event (nessus, dbprotect). Specifically, what fields or terms will be present, what index are they stored in, what sourcetype will they have?

Once you have the above items defined, then we can give you meaningful help.

If possible, if you know when such a scan DID occur, then you can go back and look at the records that make it up, and then craft your search to catch it if it happens again.

Reply

mstjohn_splunk
Splunk Employee
Splunk Employee
‎09-26-2018 12:53 PM

@kinh

Thanks for posting. Could you give us some more context for your query? You have a much better chance of getting your question answered if you provide more information about your issue. Plus, it will help guide future community users who are facing a similar problem.

0 Karma
Reply

kinh
Loves-to-Learn
‎09-26-2018 01:07 PM

So I wanted to be able to get an alert if someone is scanning our servers at 2am with Nessus or dbprotect.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...