Splunk Search

Unauthorized Vulnerability Scan - External

rashid47010
Communicator

Hi everyone,

I am trying to figure out Unauthorised Vulnerability Scan - External. We detected an external host using a script or vulnerability tool to probe our network in an attempt to locate an exploitable vulnerability. How can I configure an alert to notify me when someone is doing an external vulnerability scan of our network using different signatures within a one or two minute margin?

index=paloxx dest_ip=1xx.1x.x0.x0 | bin _time span=2m | stats dc(signature),dc(dest_ip) as DEST by src_ip | where DEST>500

I am not sure to put where or search command
Really appreciate any help on this.

Cheers

Rashid

Tags (1)
0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

index=paloxx dest_ip=1xx.1x.x0.x0 | bin _time span=2m
| stats dc(signature) AS signatureDC dc(dest_ip) as destDC by src_ip
| where destDC>500 AND signatureDC>10

The AND must be all-uppercase.


0 Karma


rashid47010
Communicator

Thanks wood
Highly appreciate your kind response

0 Karma

rashid47010
Communicator

Thanks wood,
Actually I am new to Splunk. I need your further support to finalise my first alert (if results are as required then we can configure it as a permanent correlation rule).
I have some questions in my mind. I appreciate your kind response on them.

Why do you use destDC>500, whereas I have only one destination IP?

Final Query:
index=paloalto_pa dest_ip=193.19.90.20 dest_port=80 | bin _time span=1h | stats dc(signature) as signatureDC dc(dest_ip) as destDC by src_ip | where signatureDC>6

I configured the alert as below:
1- It will run every 30 minutes for the last one hour of data.
earliest: -2h@h
latest: -1h@h
cron expression: 0/30 * * * *
Is that right....?
2- As suggested, I configured the trigger conditions to:
trigger alert when: number of results is greater than 0
and trigger for each result.
I selected the throttle
and I selected src_ip for
the "suppress results containing field value"
and suppress the trigger for 4 hours.

Please advise. It will give me a great start to understand the alerts and their configuration parameters.

Thanks.

0 Karma

woodcock
Esteemed Legend

I said "LIKE we did with ..." not "EXACTLY AS we did with ...". I mean to put the threshold criteria, whatever it is, into the search, not the alert configuration. You have to decide on the alert threshold criteria.

1 - Yes.

2 - Yes, but only if you select to alert once for every event. Then for every event (which corresponds to any particular src_ip) you will get at most 1 alert every 4 hours.

0 Karma

rashid47010
Communicator

Thanks wood,

Thanks for your response. The final query is (according to me) (appreciate your comments on that, if any):
index=palxxx src_ip=1xx.x5.xx.xx dest_ip=1x3.x9.xx.xxx dest_port=80 | bin _time span=1h | stats dc(signature) as signatureDC dc(dest_ip) as destDC by src_ip | where signatureDC>6

Now I have multiple IPs destined for dest_ip=1x3.x9.xx.xxx dest_port=80:

src_ip          | signatureDC | destDC
xxx.xxx.xxx.xxx | x           | x
xxx.xxx.xxx.xxx | x           | x
xxx.xxx.xxx.xxx | x           | x
xxx.xxx.xxx.xxx | x           | x
xxx.xxx.xxx.xxx | x           | x
xxx.xxx.xxx.xxx | x           | x

I want to create a real time alert.
Which option should I select under "trigger condition" --> "trigger alert when"?

0 Karma

woodcock
Esteemed Legend

I highly advise you not to use real-time. Instead I would run it every 5 or 10 minutes for the last hour. The trigger is the threshold that you desire. It is probably best to put the threshold into the search (like we did with the | where destDC>500 AND signatureDC>1) and then just set the trigger to "Number of events (in the final result set of your search) is greater than 0".

0 Karma
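As an added example (not a post from this thread), here is a savedsearches.conf stanza that assembles the pieces discussed in the two replies above: the threshold lives in the search, the schedule runs every 30 minutes over the previous full hour, and the per-src_ip throttle suppresses repeats for 4 hours. The index, destination and threshold are taken from the final query in the thread; the hits and signatures columns, the stanza name and the BY _time grouping (so the bin actually applies) are my additions.

```ini
# Constructed example, not the thread's own configuration.
# Stanza name, extra columns and BY _time grouping are assumptions.
[Unauthorized Vulnerability Scan - External]
enableSched = 1
# Run every 30 minutes over the previous whole hour (avoids real-time).
cron_schedule = */30 * * * *
dispatch.earliest_time = -2h@h
dispatch.latest_time = -1h@h
# Threshold is in the search: one source hitting more than 6 distinct
# signatures against the target within a 1h bucket. Grouping BY _time
# makes the bin meaningful; values(signature) shows what fired.
search = index=paloalto_pa dest_ip=193.19.90.20 dest_port=80 \
  | bin _time span=1h \
  | stats dc(signature) AS signatureDC dc(dest_ip) AS destDC \
          count AS hits values(signature) AS signatures BY _time src_ip \
  | where signatureDC>6
# Trigger when the search returns any row ...
counttype = number of events
relation = greater than
quantity = 0
# ... once per result row (each row is one src_ip), not once per search.
alert.digest_mode = 0
# Throttle: suppress further triggers for the same src_ip for 4 hours.
alert.suppress = 1
alert.suppress.fields = src_ip
alert.suppress.period = 4h
alert.track = 1
```

Lowering the signatureDC threshold or shortening the span makes the rule fire on slower, quieter scans, at the cost of more rows per run; the throttle keeps a persistent scanner from paging repeatedly.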

xavierpaul
New Member

Can you elaborate your question? What do you mean by "I am not sure to put where or search command"?

0 Karma

rashid47010
Communicator

I am talking about the where or search command. My requirement is when the number of distinct signatures is more than 10 from a single source IP.

0 Karma