Hi everyone,
I am trying to figure out "Unauthorised Vulnerability Scan - External": we detected an external host using a script or vulnerability tool to probe our network in an attempt to locate an exploitable vulnerability. How can I configure an alert to notify me when someone is doing an external vulnerability scan of our network using different signatures within a one- or two-minute margin?
index=paloxx dest_ip=1xx.1x.x0.x0 | bin _time span=2m | stats dc(signature),dc(dest_ip) as DEST by src_ip | where DEST>500
I am not sure whether to put a where or a search command.
Really appreciate any help on this.
Cheers
Rashid
Like this:
index=paloxx dest_ip=1xx.1x.x0.x0 | bin _time span=2m
| stats dc(signature) AS signatureDC dc(dest_ip) as destDC by src_ip
| where destDC>500 AND signatureDC>10
The AND must be all-uppercase.
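To see what the stats/where part of that search actually computes, here is an added Python emulation of it over a few constructed events (example code written for this thread, not Splunk's own or woodcock's). One caveat it makes visible: `bin _time span=2m` only affects the result if `_time` is also in the `by` clause of `stats`; with `by src_ip` alone, as posted, the whole search window is one bucket. The example therefore runs both forms, per-2-minute-bin and whole-window, and includes a "slow" source that only the whole-window form catches. The IP addresses, signature names and timestamps are constructed.

```python
from collections import defaultdict

# Constructed sample events shaped like the fields the thread's searches use
# (_time as epoch seconds, src_ip, dest_ip, signature). Not real log data.
BASE = 1_699_999_920  # an epoch second that is a multiple of 120, so a 2m bin starts here
SAMPLE_EVENTS = []

# Fast scanner: 12 distinct signatures against one host within 55 seconds.
for i in range(12):
    SAMPLE_EVENTS.append({"_time": BASE + 5 * i, "src_ip": "203.0.113.5",
                          "dest_ip": "192.0.2.10", "signature": f"sig-{i:02d}"})

# Benign source: only 3 distinct signatures in the same window.
for i in range(3):
    SAMPLE_EVENTS.append({"_time": BASE + 10 * i + 10, "src_ip": "198.51.100.7",
                          "dest_ip": "192.0.2.10", "signature": f"sig-{i:02d}"})

# Slow scanner: 12 distinct signatures, but one every 2 minutes over 24 minutes.
for i in range(12):
    SAMPLE_EVENTS.append({"_time": BASE + 120 * i + 30, "src_ip": "203.0.113.9",
                          "dest_ip": "192.0.2.10", "signature": f"sig-{i:02d}"})


def time_bin(ts, span_seconds):
    """Emulates `bin _time span=<span>`: floor the timestamp to its bin start.
    span_seconds=None means no binning (the whole search window is one bin),
    which is what `stats ... by src_ip` without `_time` in the by clause does."""
    if span_seconds is None:
        return 0
    return ts - (ts % span_seconds)


def distinct_counts(events, span_seconds=120):
    """Emulates `bin _time span=2m | stats dc(signature) AS signatureDC
    dc(dest_ip) AS destDC BY _time, src_ip`.
    Returns {(bin_start, src_ip): {"signatureDC": n, "destDC": m}}."""
    signatures = defaultdict(set)
    dests = defaultdict(set)
    for ev in events:
        key = (time_bin(ev["_time"], span_seconds), ev["src_ip"])
        signatures[key].add(ev["signature"])
        dests[key].add(ev["dest_ip"])
    return {key: {"signatureDC": len(signatures[key]), "destDC": len(dests[key])}
            for key in signatures}


def scanners(events, span_seconds=120, sig_threshold=10):
    """Emulates `| where signatureDC > <threshold>` and returns the sorted
    list of src_ip values that crossed the threshold in at least one bin."""
    hits = {src for (_, src), counts in distinct_counts(events, span_seconds).items()
            if counts["signatureDC"] > sig_threshold}
    return sorted(hits)


if __name__ == "__main__":
    print("2-minute bins:", scanners(SAMPLE_EVENTS, span_seconds=120))
    print("whole window: ", scanners(SAMPLE_EVENTS, span_seconds=None))
```

With 2-minute bins only the fast source (12 signatures in under a minute) crosses a threshold of 10; over the whole window the slow source crosses it too. Which behaviour you want decides whether `_time` belongs in the `by` clause and how wide the scheduled search window should be.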
Thanks wood
Highly appreciate your kind response
Thanks wood,
Actually I am new to Splunk. I need your further support to finalise my first alert (if the results are as required then we can configure it as a permanent correlation rule).
I have some questions in my mind. I appreciate your kind response to them.
Why did you use destDC>500 whereas I have only one destination IP?
Final Query:
index=paloalto_pa dest_ip=193.19.90.20 dest_port=80 | bin _time span=1h | stats dc(signature) as signatureDC dc(dest_ip) as destDC by src_ip | where signatureDC>6
I configured the alert as below:
1- It will run every 30 minutes for the last one hour of data.
earliest: -2h@h
latest: -1h@h
cron expression: 0/30 * * * *
Is that right?
2- As suggested, I configured the trigger conditions to:
trigger alert when: number of results is greater than 0
and trigger for each result.
I selected the throttle and I selected src_ip for "suppress results containing field value" and suppress the trigger for 4 hours.
Please advise. It will give me a great start to understand the alerts and their configuration parameters.
Thanks.
I said "LIKE we did with ..." not "EXACTLY AS we did with ...". I mean to put the threshold criteria, whatever it is, into the search, not the alert configuration. You have to decide on the alert threshold criteria.
1 - Yes.
2 - Yes, but only if you select to alert once for every event. Then for every event (which corresponds to any particular src_ip) you will at most get 1 alert every 4 hours.
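To make the "at most 1 alert every 4 hours per src_ip" behaviour concrete, here is an added Python emulation of the alert configuration from this thread: a search scheduled every 30 minutes over the previous hour, "trigger for each result", and a throttle that suppresses results containing the same src_ip for 4 hours. This is example code written for this thread, not Splunk's own throttling implementation; the per-run result sets and IP addresses are constructed.

```python
# Constructed result sets, one per scheduled run (every 30 minutes, each
# covering the previous hour). Each entry is (run time in seconds after the
# first run, list of src_ip values the search returned). The alert is set
# to trigger for each result, so each src_ip is a candidate notification.
RUN_RESULTS = [
    (0,     ["203.0.113.5", "198.51.100.7"]),
    (1800,  ["203.0.113.5"]),                  # same source still present
    (3600,  ["203.0.113.5", "203.0.113.9"]),   # a new source appears
    (9000,  ["203.0.113.5"]),
    (14400, ["203.0.113.5"]),                  # exactly 4 h after its first alert
]


class PerValueThrottle:
    """Emulates 'Throttle: suppress results containing field value src_ip
    for 4 hours': once a value has fired, the same value is suppressed until
    the suppression period has fully elapsed."""

    def __init__(self, suppress_seconds=4 * 3600):
        self.suppress_seconds = suppress_seconds
        self._last_fired = {}  # src_ip -> run time of the last alert sent

    def should_fire(self, value, now):
        last = self._last_fired.get(value)
        if last is not None and now - last < self.suppress_seconds:
            return False  # still inside the suppression window for this value
        self._last_fired[value] = now
        return True


def notifications(run_results, suppress_seconds=4 * 3600):
    """Replays the scheduled runs through the throttle and returns
    [(run_time, src_ip)] for every alert that is actually sent."""
    throttle = PerValueThrottle(suppress_seconds)
    fired = []
    for run_time, src_ips in run_results:
        for src in src_ips:
            if throttle.should_fire(src, run_time):
                fired.append((run_time, src))
    return fired


if __name__ == "__main__":
    for run_time, src in notifications(RUN_RESULTS):
        print(f"t+{run_time:>5}s  alert for src_ip={src}")
```

Replayed this way, 203.0.113.5 appears in all five runs but produces only two notifications (at t+0 and again at t+4h), and each other source produces one; with the throttle disabled the same runs would produce seven. That is the difference between "trigger for each result" with and without per-field suppression.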
Thanks wood,
Thanks for your response. The final query is (according to me) (appreciate your comments on that if any):
index=palxxx src_ip=1xx.x5.xx.xx dest_ip=1x3.x9.xx.xxx dest_port=80 | bin _time span=1h | stats dc(signature) as signatureDC dc(dest_ip) as destDC by src_ip | where signatureDC>6
Now I have multiple IPs destined to dest_ip=1x3.x9.xx.xxx dest_port=80:
src_ip          | signatureDC | destDC
xxx.xxx.xxx.xxx | x           | x
xxx.xxx.xxx.xxx | x           | x
xxx.xxx.xxx.xxx | x           | x
xxx.xxx.xxx.xxx | x           | x
xxx.xxx.xxx.xxx | x           | x
xxx.xxx.xxx.xxx | x           | x
I want to create a real-time alert.
Which option should I select under "trigger condition" --> trigger alert when?
I highly advise you not to use real-time. Instead I would run it every 5 or 10 minutes for the last hour. The trigger is the threshold that you desire. It is probably best to put the threshold into the search (like we did with the | where destDC>500 AND signatureDC>1) and then just set the trigger to Number of events (in the final results set of your search) Is greater than 0.
Can you elaborate your question? What do you mean by "I am not sure to put where or search command"?
I am talking about the where or search command. My requirement is when the number of distinct signatures is more than 10 from a single source IP.