Splunk Search

Unauthorized Vulnerability Scan - External

rashid47010
Communicator

Hi everyone,

I am trying to figure out "Unauthorised Vulnerability Scan - External". We detected an external host using a script or vulnerability tool to probe our network in an attempt to locate an exploitable vulnerability. How can I configure an alert to notify me when someone is running an external vulnerability scan against our network using different signatures within a one- or two-minute margin?

index=paloxx dest_ip=1xx.1x.x0.x0 | bin _time span=2m | stats dc(signature),dc(dest_ip) as DEST by src_ip | where DEST>500

I am not sure to put where or search command
Really appreciate any help on this.

Cheers

Rashid

1 Solution

woodcock
Esteemed Legend

Like this:

index=paloxx dest_ip=1xx.1x.x0.x0 | bin _time span=2m
| stats dc(signature) AS signatureDC dc(dest_ip) as destDC by src_ip
| where destDC>500 AND signatureDC>10

The AND must be all-uppercase.



rashid47010
Communicator

Thanks wood
Highly appreciate your kind response


rashid47010
Communicator

Thanks wood,
Actually I am new to Splunk. I need your further support to finalise my first alert (if the results are as required, then we can configure it as a permanent correlation rule).
I have some questions in my mind. I appreciate your kind response on them.

Why do you use destDC>500, whereas I have only one destination IP?

Final Query:
index=paloalto_pa dest_ip=193.19.90.20 dest_port=80 | bin _time span=1h | stats dc(signature) as signatureDC dc(dest_ip) as destDC by src_ip | where signatureDC>6

I configured the alert as below:
1- It will run every 30 minutes over the last one hour of data.
earliest: -2h@h
latest: -1h@h
cron expression: 0/30 * * * *
Is that right?
2- As suggested, I configured the trigger conditions to:
trigger alert when: number of results is greater than 0
and trigger for each result.
I selected throttle,
and I selected src_ip for
"suppress results containing field value",
and suppress the trigger for 4 hours.

Please advise. It will give me a great start in understanding alerts and their configuration parameters.

Thanks.


woodcock
Esteemed Legend

I said "LIKE we did with ..." not "EXACTLY AS we did with ...". I mean to put the threshold criteria, whatever they are, into the search, not the alert configuration. You have to decide on the alert threshold criteria.

1 - Yes.

2 - Yes, but only if you select to alert once for every event. Then for every event (which corresponds to any particular src_ip) you will get at most 1 alert every 4 hours.


rashid47010
Communicator

Thanks wood,

Thanks for your response. The final query is (according to me; I appreciate your comments on it, if any):
index=palxxx src_ip=1xx.x5.xx.xx dest_ip=1x3.x9.xx.xxx dest_port=80 | bin _time span=1h | stats dc(signature) as signatureDC dc(dest_ip) as destDC by src_ip | where signatureDC>6

Now I have multiple IPs destined for dest_ip=1x3.x9.xx.xxx dest_port=80:

src_ip           signatureDC  destDC
xxx.xxx.xxx.xxx  x            x
xxx.xxx.xxx.xxx  x            x
xxx.xxx.xxx.xxx  x            x
xxx.xxx.xxx.xxx  x            x
xxx.xxx.xxx.xxx  x            x
xxx.xxx.xxx.xxx  x            x

I want to create a real-time alert.
Which option should I select under "trigger condition" --> trigger alert when?


woodcock
Esteemed Legend

I highly advise you not to use real-time. Instead I would run it every 5 or 10 minutes for the last hour. The trigger is the threshold that you desire. It is probably best to put the threshold into the search (like we did with the | where destDC>500 AND signatureDC>1) and then just set the trigger to Number of events (in the final result set of your search) Is greater than 0.
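Added example, not from the thread or from Splunk: a Python re-implementation of the accepted answer's search (bin into 2-minute windows, distinct-count signatures and destinations per source, apply the where thresholds) run over constructed key=value firewall-style events, so the thresholds from this reply can be tried offline. It groups by both the window and src_ip; note that `stats ... by src_ip` alone, as written in the thread, computes the distinct counts over the whole search time range rather than per bin. The log line shape and field names are assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed line shape: "<ISO time>Z src_ip=... dest_ip=... signature=..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src_ip=(?P<src_ip>\S+) dest_ip=(?P<dest_ip>\S+) signature=(?P<signature>.+)$"
)

def parse(line):
    """Turn one constructed log line into an event dict with an epoch _time."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ts = datetime.strptime(ev.pop("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["_time"] = ts.timestamp()
    return ev

def bin_time(epoch, span_seconds):
    """Equivalent of `bin _time span=2m`: floor the time to the window start."""
    return int(epoch // span_seconds * span_seconds)

def detect(lines, span_seconds=120, min_signatures=10, min_dests=0):
    """stats dc(signature) AS signatureDC dc(dest_ip) AS destDC by _time, src_ip
    | where signatureDC>min_signatures AND destDC>min_dests"""
    sigs, dests = defaultdict(set), defaultdict(set)
    for ev in filter(None, map(parse, lines)):
        key = (bin_time(ev["_time"], span_seconds), ev["src_ip"])
        sigs[key].add(ev["signature"])      # dc() ignores repeats of a signature
        dests[key].add(ev["dest_ip"])
    return sorted((w, src, len(sigs[(w, src)]), len(dests[(w, src)]))
                  for (w, src) in sigs
                  if len(sigs[(w, src)]) > min_signatures and len(dests[(w, src)]) > min_dests)

def constructed_sample():
    """Constructed events (documentation-range IPs, not real traffic)."""
    lines = []
    for i in range(12):  # scanner: 12 signatures, each repeated, inside 10:00-10:01
        for minute in ("00", "01"):
            lines.append(f"2024-12-01T10:{minute}:{i * 5:02d}Z src_ip=198.51.100.7 "
                         f"dest_ip=192.0.2.20 signature=sig-{i}")
    for i in range(12):  # slow host: the same 12 signatures, only 2 per 2-minute window
        lines.append(f"2024-12-01T10:{10 + (i // 2) * 2:02d}:{(i % 2) * 30:02d}Z "
                     f"src_ip=203.0.113.9 dest_ip=192.0.2.20 signature=sig-{i}")
    lines.append("2024-12-01T10:00:10Z src_ip=203.0.113.50 dest_ip=192.0.2.20 signature=sig-0")
    lines.append("2024-12-01T10:00:40Z src_ip=203.0.113.50 dest_ip=192.0.2.20 signature=sig-1")
    return lines

if __name__ == "__main__":
    for window, src, sig_dc, dest_dc in detect(constructed_sample()):
        print(datetime.fromtimestamp(window, timezone.utc), src, sig_dc, dest_dc)
```

With the 2-minute span only the fast scanner exceeds 10 distinct signatures; widening the span to an hour also flags the slow host, which is the difference between counting per bin and counting over the whole search range.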


xavierpaul
New Member

Can you elaborate your question? What do you mean by "I am not sure to put where or search command"?


rashid47010
Communicator

I am talking about the where or search command. My requirement is when the number of distinct signatures is more than 10 from a single source IP.
