Unauthorized Vulnerability Scan - External

rashid47010
Communicator

Hi everyone,

I am trying to figure out "Unauthorised Vulnerability Scan - External": we detected an external host using a script or vulnerability tool to probe our network in an attempt to locate an exploitable vulnerability. How can I configure an alert to notify me when someone is running an external vulnerability scan against our network using different signatures within a one- or two-minute margin?

index=paloxx dest_ip=1xx.1x.x0.x0 | bin _time span=2m | stats dc(signature), dc(dest_ip) as DEST by _time src_ip | where DEST>500

I am not sure whether to use the where or the search command.
I would really appreciate any help on this.

Cheers

Rashid

0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

index=paloxx dest_ip=1xx.1x.x0.x0 | bin _time span=2m
| stats dc(signature) AS signatureDC dc(dest_ip) AS destDC by _time src_ip
| where destDC>500 AND signatureDC>10

The AND must be all-uppercase.


0 Karma

rashid47010
Communicator

Thanks wood
Highly appreciate your kind response

0 Karma

rashid47010
Communicator

Thanks wood,
Actually I am new to Splunk. I need your further support to finalise my first alert (if the results are as required, then we can configure it as a permanent correlation rule).
I have some questions in mind; I would appreciate your kind response to them.

Why did you use destDC>500, whereas I have only one destination IP?

Final Query:
index=paloalto_pa dest_ip=193.19.90.20 dest_port=80 | bin _time span=1h | stats dc(signature) as signatureDC dc(dest_ip) as destDC by src_ip | where signatureDC>6

I configured the alert as below:
1- It will run every 30 minutes over the last one hour of data.
earliest: -2h@h
latest: -1h@h
cron expression: 0/30 * * * *
Is that right?
2- As suggested, I configured the trigger conditions to:
trigger alert when: number of results is greater than 0
and trigger for each result.
I selected throttle,
selected src_ip for
"suppress results containing field value",
and suppressed the trigger for 4 hours.

Please advise. It will give me a great start in understanding alerts and their configuration parameters.

Thanks.

0 Karma

woodcock
Esteemed Legend

I said "LIKE we did with ..." not "EXACTLY AS we did with ...". I mean to put the threshold criteria, whatever they are, into the search, not the alert configuration. You have to decide on the alert threshold criteria.

1 - Yes.

2 - Yes, but only if you select to alert once for every event. Then for every event (which corresponds to any particular src_ip) you will get at most 1 alert every 4 hours.

0 Karma

rashid47010
Communicator

Thanks wood,

Thanks for your response. The final query is (according to me; I would appreciate your comments on it, if any):
index=palxxx src_ip=1xx.x5.xx.xx dest_ip=1x3.x9.xx.xxx dest_port=80 | bin _time span=1h | stats dc(signature) as signatureDC dc(dest_ip) as destDC by src_ip | where signatureDC>6

Now I have multiple IPs destined for dest_ip=1x3.x9.xx.xxx dest_port=80:

src_ip          | signatureDC | destDC
xxx.xxx.xxx.xxx | x           | x
xxx.xxx.xxx.xxx | x           | x
xxx.xxx.xxx.xxx | x           | x
xxx.xxx.xxx.xxx | x           | x
xxx.xxx.xxx.xxx | x           | x
xxx.xxx.xxx.xxx | x           | x

I want to create a real-time alert.
Which option should I select under "trigger condition" --> trigger alert when?

0 Karma

woodcock
Esteemed Legend

I highly advise you not to use real-time. Instead I would run it every 5 or 10 minutes for the last hour. The trigger is the threshold that you desire. It is probably best to put the threshold into the search (like we did with the | where destDC>500 AND signatureDC>1) and then just set the trigger to Number of events (in the final result set of your search) Is greater than 0.

0 Karma
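The two halves of the advice in this thread, re-implemented in Python as an added example (it is not Splunk's code and not the SPL posted above) so they can be checked against constructed sample events: the windowed distinct-signature count behind `bin _time span=2m | stats dc(signature) ... by _time src_ip | where signatureDC>10`, and the per-src_ip suppression applied to a search scheduled every 10 minutes over the previous hour. The events, IP addresses and signature names are constructed; the 2-minute span, the threshold of 10 and the 4-hour suppression are the values discussed in the thread. One thing it makes explicit: `bin` only affects `dc(signature)` when `_time` is also in the `by` clause. Without it, a host that trips twelve signatures over half an hour looks the same as one that trips them in eighty seconds.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _constructed_events():
    """Constructed sample events (not real Palo Alto logs): (_time, src_ip, dest_ip, signature)."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    events = []
    # Scanner: 12 distinct signatures against one host inside about 80 seconds.
    for i in range(12):
        events.append((base + timedelta(seconds=7 * i), "198.51.100.7", "192.0.2.20", f"sig-{i}"))
    # Slow host: the same 12 signatures, one every 3 minutes, so never more than
    # one per 2-minute bucket.
    for i in range(12):
        events.append((base + timedelta(minutes=3 * i), "203.0.113.9", "192.0.2.20", f"sig-{i}"))
    # Benign client: two signatures repeated many times (high event count, low dc).
    for i in range(20):
        events.append((base + timedelta(seconds=30 * i), "192.0.2.55", "192.0.2.20", f"sig-{i % 2}"))
    return events


SAMPLE_EVENTS = _constructed_events()


def bin_time(ts, span_seconds):
    """Floor ts to its bucket, like `bin _time span=<span_seconds>s` (spans that divide a day)."""
    midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    offset = int((ts - midnight).total_seconds())
    return midnight + timedelta(seconds=offset - offset % span_seconds)


def distinct_signatures(events, span_seconds, group_by_time=True):
    """`stats dc(signature) by _time src_ip` (group_by_time=True) or `... by src_ip` (False).

    Returns {(bucket_start or None, src_ip): set of signatures}.
    """
    groups = defaultdict(set)
    for ts, src_ip, _dest_ip, signature in events:
        bucket = bin_time(ts, span_seconds) if group_by_time else None
        groups[(bucket, src_ip)].add(signature)
    return groups


def find_scanners(events, span_seconds=120, threshold=10, group_by_time=True):
    """`| where signatureDC>threshold`: rows (bucket, src_ip, signatureDC) over the threshold."""
    rows = [
        (bucket, src_ip, len(sigs))
        for (bucket, src_ip), sigs in distinct_signatures(events, span_seconds, group_by_time).items()
        if len(sigs) > threshold
    ]
    return sorted(rows, key=lambda r: (r[0] or datetime.min, r[1]))


class PerFieldThrottle:
    """Alert throttling keyed on one field: once a src_ip has fired, suppress it for `period`."""

    def __init__(self, period):
        self.period = period
        self._last_fired = {}

    def should_fire(self, src_ip, now):
        last = self._last_fired.get(src_ip)
        if last is not None and now - last < self.period:
            return False
        self._last_fired[src_ip] = now
        return True


def run_schedule(events, run_times, lookback, span_seconds=120, threshold=10,
                 suppress=timedelta(hours=4)):
    """Simulate a scheduled search: at each run, search [now-lookback, now), trigger once
    per result row, then apply the per-src_ip throttle. Returns the alerts actually sent."""
    throttle = PerFieldThrottle(suppress)
    sent = []
    for now in run_times:
        window = [e for e in events if now - lookback <= e[0] < now]
        for _bucket, src_ip, _dc in find_scanners(window, span_seconds, threshold):
            if throttle.should_fire(src_ip, now):
                sent.append((now, src_ip))
    return sent


def demo_schedule():
    """Six runs, ten minutes apart, each over the previous hour, with the 4-hour throttle."""
    base = SAMPLE_EVENTS[0][0]
    runs = [base + timedelta(minutes=10 * k) for k in range(1, 7)]
    return run_schedule(SAMPLE_EVENTS, runs, timedelta(hours=1))


if __name__ == "__main__":
    print("windowed (by _time src_ip):", find_scanners(SAMPLE_EVENTS))
    print("unwindowed (by src_ip):    ", find_scanners(SAMPLE_EVENTS, group_by_time=False))
    print("alerts sent after throttle:", demo_schedule())
```

Run as a script it prints one scanner for the windowed count, two "scanners" for the unwindowed count (the slow host is a false positive there), and a single alert for the scheduled runs: the scanner's events stay inside the one-hour lookback of every run, so without the per-src_ip throttle each 10-minute run would re-alert on the same source.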

xavierpaul
New Member

Can you elaborate on your question? What do you mean by "I am not sure to put where or search command"?

0 Karma

rashid47010
Communicator

I am talking about the where or search command. My requirement is when the number of distinct signatures is more than 10 from a single source IP.

0 Karma