1. Possible port scanning
Use case
Send a notification when a source sends too many SYN connections within the alert's time window (15 minutes in this example), which may be a sign of port scanning. The connection state is identified by the field "curState".
Desktop computers are identified by the keyword "DESKTOP" in the computer name returned by DNS lookup, which is in the field "srcHostname".
The user needs to be notified
1) if a source has sent more than 50 SYN connections in 15 minutes,
2) with the list of hosts/source IPs and the number of requests each sent in those 15 minutes (here the source hostname is identified by the field "srcHostname"),
3) with the selected payload event fields sent as parameters.
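The detection logic behind this use case, written out as an added example (this is not Skedler's own code): filter to the time window, keep only SYN events from hosts whose name contains "DESKTOP", count per srcHostname and keep the hosts over 50, returning rows in the same shape as the ${Result} merge parameter shown further down. It generalises the check to an arbitrary list of group-by fields, so the same function also serves use cases 3 and 4 on this page (srcIp/app with threshold 10, srcDomain/serviceType with threshold 100). The field names are the page's; the "@timestamp" field, the evaluation time and the sample events are assumptions made for the example.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Evaluation time and the constructed event stream below are assumptions
# made for this example; they are not data from the page.
IST = timezone(timedelta(hours=5, minutes=30))
NOW = datetime(2017, 3, 27, 10, 38, 15, tzinfo=IST)


def sample_events(now=NOW):
    """Constructed connection records: three desktops over the SYN threshold,
    one desktop under it, one server (no 'DESKTOP' in its name), a burst that
    is older than the window, and non-SYN states that must not be counted."""
    events = []
    syn_per_host = {"DESKTOP - nigel": 63, "DESKTOP - adrien": 82,
                    "DESKTOP - allene": 55, "DESKTOP - quiet": 12,
                    "SRV-web01": 90}
    for host, n in syn_per_host.items():
        for i in range(n):
            events.append({"@timestamp": now - timedelta(seconds=10 * i),
                           "curState": "SYN", "srcHostname": host})
    for i in range(70):  # 20 minutes old: outside a 15-minute window
        events.append({"@timestamp": now - timedelta(minutes=20, seconds=i),
                       "curState": "SYN", "srcHostname": "DESKTOP - stale"})
    for i in range(60):  # completed handshakes are not SYN attempts
        events.append({"@timestamp": now - timedelta(seconds=i),
                       "curState": "ESTABLISHED", "srcHostname": "DESKTOP - estab"})
    return events


def threshold_alert(events, now, window, threshold, group_by, where=lambda ev: True):
    """Generic 'count per group over threshold' check.

    Keeps events whose @timestamp falls in (now - window, now], applies the
    row filter `where`, counts events per tuple of `group_by` field values and
    returns the groups with count > threshold in the ${Result} shape the page
    shows: one object per group with the grouped fields plus "value".
    """
    start = now - window
    counts = Counter()
    for ev in events:
        if not (start < ev["@timestamp"] <= now):
            continue
        if not where(ev):
            continue
        counts[tuple(ev.get(f) for f in group_by)] += 1
    rows = []
    for key, n in counts.items():
        if n > threshold:
            row = dict(zip(group_by, key))
            row["value"] = n
            rows.append(row)
    return sorted(rows, key=lambda r: -r["value"])


def possible_port_scanning(events, now=NOW):
    """Use case 1: SYN events from DESKTOP hosts, more than 50 in 15 minutes."""
    return threshold_alert(
        events, now, timedelta(minutes=15), 50, ("srcHostname",),
        where=lambda ev: ev.get("curState") == "SYN"
        and "DESKTOP" in (ev.get("srcHostname") or ""))


def too_many_open_connections(events, now=NOW):
    """Use case 3 on the same engine: more than 10 connections per (srcIp, app)."""
    return threshold_alert(events, now, timedelta(minutes=15), 10, ("srcIp", "app"))


if __name__ == "__main__":
    # ${Result} for the web-hook message, serialised the way the page shows it
    print(json.dumps(possible_port_scanning(sample_events()), separators=(",", ":")))
```

The "DESKTOP - stale" and "DESKTOP - estab" hosts are there to show the two ways such an alert over-fires in practice: counting events outside the window, and counting every connection state instead of only SYN.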
Notification Types: Webhook
User Inputs
You can set up the alert in Skedler-Alerts as given below,
You will receive an alert in web-hook as shown below,

Notification received via Web-hook
Explanation on Parameters:
1. message:
"message": "Hi,\n Alert has been triggered for alert Possible Port Scanning on 03-08-2017 11:01:05 \n Wed Aug 03 2016 11:01:05 IST - Thu Aug 03 2017 11:01:05 IST \n [{\"srcHostname\":\"DESKTOP - enos\",\"value\":56},{\"srcHostname\":\"DESKTOP - bethany\",\"value\":51},{\"srcHostname\":\"DESKTOP - jovan\",\"value\":65},{\"srcHostname\":\"DESKTOP - abigayle\",\"value\":74},{\"srcHostname\":\"DESKTOP - alaina\",\"value\":54}] \nThanks"
Replaced parameters
- ${AlertName} - Possible port scanning
- ${TimeStamp} - 27-03-2017 10:38:15
- ${TimeWindow} - Mon Mar 27 2017 10:37:15 IST - Mon Mar 27 2017 10:38:15 IST
- ${Result} - [{"srcHostname":"DESKTOP - nigel","value":63},{"srcHostname":"DESKTOP - adrien","value":82},{"srcHostname":"DESKTOP - allene","value":55}]
2. data: [ ]
3. payload:
[
        {
            "srcHostname": "DESKTOP - myrtie"
        },
        {
            "srcHostname": "DESKTOP - raymundo"
        },
        {
            "srcHostname": "DESKTOP - mina"
        },
        {
            "srcHostname": "DESKTOP - adam"
        },
        {
            "srcHostname": "DESKTOP - edgar"
        },
        {
            "srcHostname": "DESKTOP - roxane"
        },
        {
            "srcHostname": "DESKTOP - jonathon"
        },
        {
            "srcHostname": "DESKTOP - nora"
        },
        {
            "srcHostname": "DESKTOP - isabell"
        },
        {
            "srcHostname": "DESKTOP - friedrich"
        }
    ]
Note - For additional parameters, refer How to setup merge parameters for alert action?
Conclusion
The table below lists the hosts that sent more than 50 SYN connections in the time window (the rows of ${Result} above):
| srcHostname | Count | 
| DESKTOP - nigel | 63 | 
| DESKTOP - adrien | 82 | 
| DESKTOP - allene | 55 | 
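How the web-hook body above is assembled from the merge parameters, as an added example (not Skedler's code): the ${AlertName}, ${TimeStamp}, ${TimeWindow} and ${Result} placeholders are substituted into the message text, ${Result} is the JSON encoding of the result rows, and "payload" carries one object per row holding only the fields selected for the action. The exact template string is an assumption reconstructed from the rendered message; the parameter values are the ones the page lists.

```python
import json
from string import Template

# Template of the web-hook "message" as rendered on the page; the ${...}
# names are the merge parameters listed under "Replaced parameters".
# The template text itself is an assumption reconstructed from the rendered
# message, not copied from Skedler's configuration.
MESSAGE_TEMPLATE = ("Hi,\n Alert has been triggered for alert ${AlertName} on "
                    "${TimeStamp} \n ${TimeWindow} \n ${Result} \nThanks")

# ${Result} rows as the page shows them for this use case
RESULT = [{"srcHostname": "DESKTOP - nigel", "value": 63},
          {"srcHostname": "DESKTOP - adrien", "value": 82},
          {"srcHostname": "DESKTOP - allene", "value": 55}]


def merge_parameters(alert_name, timestamp, time_window, result):
    """Values substituted for the merge parameters. ${Result} is the JSON
    encoding of the result rows with no spaces after separators, which is
    the form shown on the page."""
    return {"AlertName": alert_name, "TimeStamp": timestamp,
            "TimeWindow": time_window,
            "Result": json.dumps(result, separators=(",", ":"))}


def render_message(template, params):
    """Substitute ${Name} placeholders. safe_substitute leaves a placeholder
    that has no value in place instead of raising, so a typo in a template
    shows up literally in the notification rather than breaking the alert."""
    return Template(template).safe_substitute(params)


def build_webhook_body(alert_name, timestamp, time_window, result, payload_fields,
                       template=MESSAGE_TEMPLATE):
    """Assemble the three-key body the page shows: "message", "data" (empty
    here) and "payload", one object per result row carrying only the fields
    selected for the action. Restricting the payload to the selected fields
    is what keeps unrelated event fields out of the receiving system."""
    params = merge_parameters(alert_name, timestamp, time_window, result)
    payload = [{f: row[f] for f in payload_fields if f in row} for row in result]
    return {"message": render_message(template, params), "data": [], "payload": payload}


if __name__ == "__main__":
    body = build_webhook_body(
        "Possible port scanning", "27-03-2017 10:38:15",
        "Mon Mar 27 2017 10:37:15 IST - Mon Mar 27 2017 10:38:15 IST",
        RESULT, ("srcHostname",))
    print(json.dumps(body, indent=2))
```

Because the whole ${Result} list is embedded in a free-text message, anything the receiving side does with "message" should treat it as data, not as markup or a command; the structured "payload" is the field to parse.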
2. Unauthorized access attempt to a secure server
Use case
Send a notification when there is an unauthorized attempt to access a restricted application on a server. Such attempts are identified by the field "AuthorizationStatus" carrying the keyword "NotAuthorized"; the restricted application name is in the field "app".
The user needs to be notified with the number of unauthorized access attempts per application in 15 minutes.
Notification Types: Email
User Inputs
You can set up the alerts in Skedler-Alert as given below,

Notification received via Email
Hi,
Alert has been triggered for alert Unauthorized access attempt on 27-03-2017 11:11:00 IST
Time Window - Mon Mar 27 2017 10:51:45 IST - Mon Mar 27 2017 11:11:00 IST
Number of unauthorized access attempts per application:
| app | count | 
| Skedler-Reports | 10 | 
| Microstrategy | 8 | 
| Power BI | 9 | 
| BI Connector | 6 | 
| Skedler-Alerts | 12 | 
Thanks
Notification received via email attachment
The selected fields app and AuthorizationStatus are sent in the attachment:
[{
    "payload_result1": {
      "total": 4917,
      "max_score": null,
      "hits": [
        {
          "_index": ".data_2017_7_31_23_32_45",
          "_type": "connection",
          "_id": "AV2Zz6VenjJK2YYnw9Hv",
          "_score": null,
          "_source": {
            "app": "Skedler-Reports",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501524102729
          ]
        },
        {
          "_index": ".data_2017_7_31_23_31_45",
          "_type": "connection",
          "_id": "AV2ZzrwcnjJK2YYnw8mo",
          "_score": null,
          "_source": {
            "app": "Skedler-Alerts",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501524080521
          ]
        },
        {
          "_index": ".data_2017_7_31_23_32_0",
          "_type": "connection",
          "_id": "AV2ZzvbanjJK2YYnw8sH",
          "_score": null,
          "_source": {
            "app": "Microstrategy",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501524078548
          ]
        },
        {
          "_index": ".data_2017_7_31_23_32_45",
          "_type": "connection",
          "_id": "AV2Zz6VenjJK2YYnw9Hu",
          "_score": null,
          "_source": {
            "app": "Skedler-Reports",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501524040716
          ]
        },
        {
          "_index": ".data_2017_7_31_23_30_30",
          "_type": "connection",
          "_id": "AV2ZzZTUnjJK2YYnw77F",
          "_score": null,
          "_source": {
            "app": "BI Connector",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501524020598
          ]
        },
        {
          "_index": ".data_2017_7_31_23_32_15",
          "_type": "connection",
          "_id": "AV2ZzzDPnjJK2YYnw83D",
          "_score": null,
          "_source": {
            "app": "BI Connector",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501523996465
          ]
        },
        {
          "_index": ".data_2017_7_31_23_32_15",
          "_type": "connection",
          "_id": "AV2ZzzDPnjJK2YYnw83F",
          "_score": null,
          "_source": {
            "app": "Skedler-Alerts",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501523994484
          ]
        },
        {
          "_index": ".data_2017_7_31_23_32_30",
          "_type": "connection",
          "_id": "AV2Zz2znnjJK2YYnw88y",
          "_score": null,
          "_source": {
            "app": "Skedler-Reports",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501523950014
          ]
        },
        {
          "_index": ".data_2017_7_31_23_31_0",
          "_type": "connection",
          "_id": "AV2ZzgucnjJK2YYnw8LS",
          "_score": null,
          "_source": {
            "app": "Microstrategy",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501523926079
          ]
        },
        {
          "_index": ".data_2017_7_31_23_31_45",
          "_type": "connection",
          "_id": "AV2ZzrwcnjJK2YYnw8mn",
          "_score": null,
          "_source": {
            "app": "BI Connector",
            "AuthorizationStatus": "NotAuthorized"
          },
          "sort": [
            1501523917765
          ]
        }
      ]
    },
    "aggregations_result1": {
      "app": {
        "doc_count_error_upper_bound": 0,
        "sum_other_doc_count": 0,
        "buckets": [
          {
            "key": "BI Connector",
            "doc_count": 1025
          },
          {
            "key": "Power BI",
            "doc_count": 1010
          },
          {
            "key": "Skedler-Alerts",
            "doc_count": 964
          },
          {
            "key": "Microstrategy",
            "doc_count": 959
          },
          {
            "key": "Skedler-Reports",
            "doc_count": 959
          }
        ]
      }
    }
  }
]
Explanation
Parameters configured will be replaced as follows:
- ${AlertName} - Unauthorized access attempt
- ${TimeStamp} - 27-03-2017 11:11:00
- ${TimeWindow} - Mon Mar 27 2017 10:51:45 IST - Mon Mar 27 2017 11:11:00 IST
Note - For additional parameters, refer How to setup merge parameters for alert action?
Conclusion
Below is the list of applications whose "AuthorizationStatus" carries the custom tag "NotAuthorized":
| app | count |
| Skedler-Reports | 10 |
| Microstrategy | 8 |
| Power BI | 9 |
| BI Connector | 6 |
| Skedler-Alerts | 12 |
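Reading the attachment programmatically, as an added example (not Skedler's code): the attachment is a list whose "payload_result1" holds the matching records and whose "aggregations_result1" holds the per-app counts, in the shape of an Elasticsearch search response. The example pulls the selected fields out of each hit, turns the buckets into the app/count table, and checks what the attachment does not contain: "hits" is only a page of the matches (10 of the 4917 reported by "total" on the page), and a non-zero "sum_other_doc_count" means the bucket list was cut off. The embedded attachment is the page's own, reduced to two hits and three buckets, with sum_other_doc_count changed to a non-zero value to exercise that check.

```python
import json

# Attachment in the page's shape, reduced to two hits and three buckets.
# sum_other_doc_count is set to 30 here (the page shows 0) so that the
# truncation check below has something to report.
ATTACHMENT = json.loads(r'''
[{
  "payload_result1": {
    "total": 4917,
    "max_score": null,
    "hits": [
      {"_index": ".data_2017_7_31_23_32_45", "_type": "connection",
       "_id": "AV2Zz6VenjJK2YYnw9Hv", "_score": null,
       "_source": {"app": "Skedler-Reports", "AuthorizationStatus": "NotAuthorized"},
       "sort": [1501524102729]},
      {"_index": ".data_2017_7_31_23_31_45", "_type": "connection",
       "_id": "AV2ZzrwcnjJK2YYnw8mo", "_score": null,
       "_source": {"app": "Skedler-Alerts", "AuthorizationStatus": "NotAuthorized"},
       "sort": [1501524080521]}
    ]
  },
  "aggregations_result1": {
    "app": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 30,
      "buckets": [
        {"key": "BI Connector", "doc_count": 1025},
        {"key": "Power BI", "doc_count": 1010},
        {"key": "Skedler-Alerts", "doc_count": 964}
      ]
    }
  }
}]
''')


def selected_rows(attachment, fields=("app", "AuthorizationStatus")):
    """Flatten hits[]._source into rows holding only the selected fields."""
    rows = []
    for part in attachment:
        for hit in part.get("payload_result1", {}).get("hits", []):
            src = hit.get("_source", {})
            rows.append({f: src.get(f) for f in fields})
    return rows


def bucket_counts(attachment, agg="app"):
    """Per-key counts from the terms aggregation, merged across parts."""
    counts = {}
    for part in attachment:
        for b in part.get("aggregations_result1", {}).get(agg, {}).get("buckets", []):
            counts[b["key"]] = counts.get(b["key"], 0) + b["doc_count"]
    return counts


def completeness(attachment, agg="app"):
    """What the attachment does NOT show: hits[] is one page of results while
    total is the full match count, and a non-zero sum_other_doc_count means
    the aggregation dropped keys beyond its size limit, so the app table is
    not a complete list. Newer Elasticsearch releases report total as an
    object with a "value" key; both forms are handled."""
    total = returned = other = 0
    for part in attachment:
        pr = part.get("payload_result1", {})
        t = pr.get("total", 0)
        total += t.get("value", 0) if isinstance(t, dict) else t
        returned += len(pr.get("hits", []))
        other += part.get("aggregations_result1", {}).get(agg, {}).get("sum_other_doc_count", 0)
    return {"total": total, "hits_returned": returned,
            "hits_complete": returned >= total, "buckets_truncated": other > 0}


def render_table(counts, headers=("app", "count")):
    """Render the counts as the pipe table used in the conclusion, highest first."""
    lines = ["| %s | %s |" % headers]
    for key, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        lines.append("| %s | %d |" % (key, n))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(bucket_counts(ATTACHMENT)))
    print(completeness(ATTACHMENT))
```

When an attachment is used as evidence in an investigation, the completeness figures are what tell you whether you are looking at all of the unauthorized attempts or at a sample of them.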
3. Too many open connections to application server
Use case
Send a notification when the number of connections from one IP address to an application server passes a threshold in a given period of time. The IP address and the application server are identified by the fields "srcIp" and "app". For example: alert if there are more than 10 connections from an IP address in 15 minutes.
Notification Types: Email & Webhook
User Inputs
You can set up the alerts in Skedler-Alert as given below,

Notification received via Email
Hi,
Alert has been triggered for alert "Too many Open Connection" on 19-03-2017 14:10:45
Time Window - Mon Mar 27 2017 13:55:45 IST - Mon Mar 27 2017 14:10:45 IST
Final Result
| srcIp | app | Count | 
| 191.199.241.108 | BI Connector | 21 | 
| 232.66.107.147 | Skedler-Reports | 20 | 
| 47.37.62.5 | Skedler-Alerts | 14 | 
Thanks
Notification received via Web-hook
You will receive the alert via web-hook as below,

Explanation on Parameters:
1. message :
"message": "Hi,\n Alert has been triggered for alert Too many Open Connection on 03-08-2017 11:01:05 \n Wed Aug 03 2016 11:01:05 IST - Thu Aug 03 2017 11:01:05 IST \n [{\"srcIp\":\"191.199.241.108\",\"app\":\"BI Connector\",\"value\":21},{\"srcIp\":\"232.66.107.147\",\"app\":\"Skedler-Reports\",\"value\":20},{\"srcIp\":\"47.37.62.5\",\"app\":\"Skedler-Alerts\",\"value\":14}] \nThanks"
Replaced parameters
- ${AlertName} - Too many Open Connection
- ${TimeStamp} - 19-03-2017 14:10:45
- ${TimeWindow} - Mon Mar 27 2017 13:55:45 IST - Mon Mar 27 2017 14:10:45 IST
- ${Result} -[{"srcIp":"191.199.241.108","app":"BI Connector","value":21},{"srcIp":"232.66.107.147","app":"Skedler-Reports","value":20},{"srcIp":"47.37.62.5","app":"Skedler-Alerts","value":14}]
2. data: [ ]
Note - For additional parameters, refer How to setup merge parameters for alert action?
Conclusion
The table below lists the IP addresses whose connection count passes the threshold of 10:
| srcIp | app | Count | 
| 191.199.241.108 | BI Connector | 21 | 
| 232.66.107.147 | Skedler-Reports | 20 | 
| 47.37.62.5 | Skedler-Alerts | 14 | 
4. DDOS attack warning
Use case
Send a notification when the total number of connections, in any state, to a specific network service passes a threshold in a given period of time. The source domain and the service type are identified by the fields "srcDomain" and "serviceType" respectively.
The user needs to be notified of the domains and service types whose connection count passes the threshold of 100.
Notification Types: Webhook
User Inputs
You can set up the alerts in Skedler-Alert as given below,

Notification received via Web-hook
You will receive the alert via web-hook as below,

Explanation on Parameters:
1. message :
"message": "Hi,\n Alert has been triggered for alert DDOS attack warning on 03-08-2017 11:22:04 \n Wed Aug 03 2016 11:22:04 IST - Thu Aug 03 2017 11:22:04 IST \n [{\"srcDomain\":\"aron.name\",\"serviceType\":\"tcp\",\"value\":12},{\"srcDomain\":\"georgiana.net\",\"serviceType\":\"http\",\"value\":312},{\"srcDomain\":\"lou.biz\",\"serviceType\":\"https\",\"value\":111}] \nThanks"
Replaced parameters
- ${AlertName} - DDOS attack warning
- ${TimeStamp} - 19-03-2017 15:02:30
- ${TimeWindow} - Mon Mar 27 2017 14:47:45 IST - Mon Mar 27 2017 15:02:45 IST
- ${Result} - [{"srcDomain":"aron.name","serviceType":"tcp","value":12},{"srcDomain":"georgiana.net","serviceType":"http","value":312},{"srcDomain":"lou.biz","serviceType":"https","value":111}]
2. data: [ ]
Note - For additional parameters, refer How to setup merge parameters for alert action?
Conclusion
The table below lists the domain and service-type pairs returned in ${Result} above, against the threshold of 100. Note that this sample result also carries aron.name/tcp with only 12 connections, which is below the configured threshold; a correctly configured alert returns only rows that pass it.
| srcDomain | serviceType | count | 
| aron.name | tcp | 12 | 
| georgiana.net | http | 312 | 
| lou.biz | https | 111 | 
5. Lost/Stolen Device
Use case
Send a notification when there is any access from a lost/stolen device with a known MAC address, say "35:6e:5e:de:b5:61", reporting the country and city from which the device connected. The MAC address, country and city are identified by the fields "srcMac", "srcCountry" and "srcCity" respectively.
The user needs to be notified of the country and city of the stolen device's location.
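The watch-list match for this use case, as an added example (not Skedler's code). The point a practitioner runs into is that MAC addresses are logged in several spellings (35:6e:5e:de:b5:61, 35-6E-5E-DE-B5-61, 356e.5ede.b561), so a watch-list written one way silently misses records written another unless both sides are normalised first; the example also skips records whose srcMac is missing or malformed rather than aborting the alert. The watch-listed MAC is the page's; the events are constructed for the example. Bear in mind that a MAC address is trivially spoofed and that current phone and laptop operating systems randomise it per network, so a hit is a tripwire to investigate, not proof of the device.

```python
import re
from collections import Counter

# Watch-listed MAC address from the page's use case
WATCHLIST = {"35:6e:5e:de:b5:61"}

# Constructed events (not from the page): the watch-listed device seen with
# its MAC written in Windows style, an unrelated device, a record with a
# malformed srcMac, and a record with no srcMac at all.
EVENTS = [
    {"srcMac": "35-6E-5E-DE-B5-61", "srcCountry": "Japan", "srcCity": "Tokyo"},
    {"srcMac": "00:1a:2b:3c:4d:5e", "srcCountry": "Germany", "srcCity": "Berlin"},
    {"srcMac": "not-a-mac", "srcCountry": "Japan", "srcCity": "Osaka"},
    {"srcCountry": "France", "srcCity": "Paris"},
]


def normalize_mac(mac):
    """Canonicalise a MAC address to lowercase, colon-separated form.
    Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff and
    aabbccddeeff; raises ValueError for anything that is not 12 hex digits."""
    if not isinstance(mac, str):
        raise ValueError("not a MAC address: %r" % (mac,))
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % (mac,))
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def lost_device_locations(events, watchlist=WATCHLIST):
    """Use case 5: count accesses per (srcCountry, srcCity) for every event
    whose srcMac is on the watch-list, returned in the ${Result} shape."""
    wanted = {normalize_mac(m) for m in watchlist}
    counts = Counter()
    for ev in events:
        try:
            mac = normalize_mac(ev.get("srcMac"))
        except ValueError:
            continue  # missing or malformed field: skip the record, keep the alert running
        if mac in wanted:
            counts[(ev.get("srcCountry"), ev.get("srcCity"))] += 1
    return [{"srcCountry": country, "srcCity": city, "value": n}
            for (country, city), n in sorted(counts.items(), key=lambda kv: -kv[1])]


if __name__ == "__main__":
    print(lost_device_locations(EVENTS))
```

Normalising the watch-list as well as the events means an analyst can paste a MAC in whatever form the asset inventory uses.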
Notification Types: Email
User Inputs
You can set up the alerts in Skedler-Alert as given below,

Notification received via Email
Hi,
Alert has been triggered for alert Lost-stolen Device on 19-03-2017 15:53:50 IST
Time Window - Sun Mar 19 2017 14:53:50 IST - Sun Mar 19 2017 15:53:50 IST
Final Result
| srcCountry | srcCity | Count | 
| Japan | Tokyo | 1 | 
Thanks
Conclusion
The table below shows the country and city from which the lost/stolen device with MAC address "35:6e:5e:de:b5:61" was seen connecting:
| srcCountry | srcCity | Count | 
| Japan | Tokyo | 1 | 