We have the Nessus vulnerability scanner that launches as user “svc.nessus” that launches PowerShell (not sure if it’ll always be the same PID or not) on our servers to do scans.
We had an issue this morning where that Nessus security tool scanner user spiked out some servers. We would like to set up a process monitor that monitors and alerts when the user svc.nessus starts up a PowerShell and that PowerShell specific session/user is causing the server to spike in CPU/mem, etc.
Anyone have any idea on how to do this in SAM?
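
One way to collect what the post asks for, as an added example that is not part of the original post: a script that matches PowerShell processes by owner rather than by PID and sums their CPU and memory. It assumes it runs elevated as a SAM Windows PowerShell script monitor (which reads `Statistic.<name>:` / `Message.<name>:` lines and the exit code); the thresholds are placeholder values.

```powershell
# Added example. Account name is from the post; thresholds are assumed placeholders.
$TargetUser = 'svc.nessus'
$CpuWarnPct = 50      # assumed: percent of total CPU, tune per server
$MemWarnMB  = 1024    # assumed: private working set in MB, tune per server

$cores = [Environment]::ProcessorCount

# Match by process name and owner, so a changing PID does not matter.
# GetOwner on another account's process needs an elevated session.
$owned = @(
    Get-CimInstance Win32_Process -Filter "Name='powershell.exe' OR Name='pwsh.exe'" |
        Where-Object {
            $o = Invoke-CimMethod -InputObject $_ -MethodName GetOwner -ErrorAction SilentlyContinue
            $o -and $o.ReturnValue -eq 0 -and $o.User -eq $TargetUser
        }
)

$cpuTotal = 0.0
$memTotalMB = 0.0
foreach ($p in $owned) {
    # Formatted perf counters: PercentProcessorTime is summed over all cores,
    # so divide by the core count to get a share of the whole machine.
    $perf = Get-CimInstance Win32_PerfFormattedData_PerfProc_Process `
        -Filter "IDProcess=$($p.ProcessId)" -ErrorAction SilentlyContinue
    if ($perf) {
        $cpuTotal   += $perf.PercentProcessorTime / $cores
        $memTotalMB += $perf.WorkingSetPrivate / 1MB
    }
}

# Whole numbers keep the statistic lines locale-independent.
$cpu = [int][math]::Round($cpuTotal)
$mem = [int][math]::Round($memTotalMB)

Write-Host "Statistic.Count: $($owned.Count)"
Write-Host "Message.Count: PowerShell processes owned by $TargetUser"
Write-Host "Statistic.CPU: $cpu"
Write-Host "Message.CPU: CPU percent used by $TargetUser PowerShell processes"
Write-Host "Statistic.MemMB: $mem"
Write-Host "Message.MemMB: Private working set (MB) of $TargetUser PowerShell processes"

# Exit 2 reports Warning to the monitor, exit 0 reports Up.
if ($cpu -ge $CpuWarnPct -or $mem -ge $MemWarnMB) { exit 2 }
exit 0
```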