All Apps and Add-ons

Example of how to detect basic scanning?

Ultra Champion

Does anyone have examples of how to use Splunk to detect basic scanning?

0 Karma
1 Solution

Ultra Champion

The Splunk Product Best Practices team helped produce this response. Read more about use case examples Splunk® Platform Use Cases on Splunk Docs.

Attackers use scanning to discover the attack surface of your organization to prepare for an attack or the next phase of an attack. Make sure that only authorized sources such as vulnerability scanners are scanning your environment.

This use case is from the Splunk Security Essentials app. For more examples, see the Splunk Security Essentials on Splunkbase.

Basic Scanning

Load data

How to implement: This search works out-of-the-box with Palo Alto Networks firewalls and with other devices that use the Splunk Common Information Model. Search for a Splunk Add-on on Splunkbase that maps your product source types to the Common Information Model.

Data check: This use case depends on firewall data with the dest_ip and dest_port fields.

Get insights

In this use case, you can explore how use the Splunk platform to detect scanning. Use the searches in this use case to find external, unauthorized hosts that reach out to more than 500 hosts or more than 500 ports in a short period of time.

Use the following search:

index=* tag=network tag=communicate
| stats dc(dest_port) AS num_dest_port dc(dest_ip) AS num_dest_ip BY src_ip
| where num_dest_port > 1000 OR num_dest_ip > 1000

Best practice: In searches, replace the asterisk in index=* with the name of the index that contains the data. By default, Splunk stores data in the main index. Therefore, index=* becomes index=main. Use the OR operator to specify one or multiple indexes to search. For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.

Known false positives: A common false positive for this example is not technically a false positive. If your environment has external logs with hosts on the internet that are scanning ports on your public infrastructure, this is scanning.
Many environments add the following to their search strings: | search src_ip = 10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16 OR [your public ranges]. To avoid false positives, exclude any vulnerability scanners that are in your environment because these are paid resources you use to scan the network.

How to respond: If scanning occurs from an internal source, a host might be infected. Therefore, you need to start an incident response to identify the root cause. If scanning occurs from an external source, it can be difficult to do any meaningful response. Therefore, many people add a filter to searches to exclude known false positives.

Help

This example searches for undesired activity using the standardized source types for PAN or the Common Information Model.

This search looks for firewall logs with an added filter to ensure that a dest_ip and dest_port are defined. This search requires firewall or Netflow data to run. By default, you're checking for Common Information Model compliant data and manually specifying the standard source types for Check Point, Palo Alto Networks, and Cisco ASAs. Specify the index and source type in the search to improve performance. You can accelerate with the Common Information Model.

If no results appear, deploy the Add-ons to the search heads to access the knowledge objects necessary for simple searching. See About installing Splunk add-ons on Splunk Docs for assistance.

For more support, post a question to the Splunk Answers community.

View solution in original post

0 Karma

Ultra Champion

The Splunk Product Best Practices team helped produce this response. Read more about use case examples Splunk® Platform Use Cases on Splunk Docs.

Attackers use scanning to discover the attack surface of your organization to prepare for an attack or the next phase of an attack. Make sure that only authorized sources such as vulnerability scanners are scanning your environment.

This use case is from the Splunk Security Essentials app. For more examples, see the Splunk Security Essentials on Splunkbase.

Basic Scanning

Load data

How to implement: This search works out-of-the-box with Palo Alto Networks firewalls and with other devices that use the Splunk Common Information Model. Search for a Splunk Add-on on Splunkbase that maps your product source types to the Common Information Model.

Data check: This use case depends on firewall data with the dest_ip and dest_port fields.

Get insights

In this use case, you can explore how use the Splunk platform to detect scanning. Use the searches in this use case to find external, unauthorized hosts that reach out to more than 500 hosts or more than 500 ports in a short period of time.

Use the following search:

index=* tag=network tag=communicate
| stats dc(dest_port) AS num_dest_port dc(dest_ip) AS num_dest_ip BY src_ip
| where num_dest_port > 1000 OR num_dest_ip > 1000

Best practice: In searches, replace the asterisk in index=* with the name of the index that contains the data. By default, Splunk stores data in the main index. Therefore, index=* becomes index=main. Use the OR operator to specify one or multiple indexes to search. For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.

Known false positives: A common false positive for this example is not technically a false positive. If your environment has external logs with hosts on the internet that are scanning ports on your public infrastructure, this is scanning.
Many environments add the following to their search strings: | search src_ip = 10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16 OR [your public ranges]. To avoid false positives, exclude any vulnerability scanners that are in your environment because these are paid resources you use to scan the network.

How to respond: If scanning occurs from an internal source, a host might be infected. Therefore, you need to start an incident response to identify the root cause. If scanning occurs from an external source, it can be difficult to do any meaningful response. Therefore, many people add a filter to searches to exclude known false positives.

Help

This example searches for undesired activity using the standardized source types for PAN or the Common Information Model.

This search looks for firewall logs with an added filter to ensure that a dest_ip and dest_port are defined. This search requires firewall or Netflow data to run. By default, you're checking for Common Information Model compliant data and manually specifying the standard source types for Check Point, Palo Alto Networks, and Cisco ASAs. Specify the index and source type in the search to improve performance. You can accelerate with the Common Information Model.

If no results appear, deploy the Add-ons to the search heads to access the knowledge objects necessary for simple searching. See About installing Splunk add-ons on Splunk Docs for assistance.

For more support, post a question to the Splunk Answers community.

View solution in original post

0 Karma

Ultra Champion

Update: I changed the video link to youtube version.

0 Karma