3 Replies Latest reply on Jun 9, 2017 11:07 AM by ldabrowski

    Port/Application Alert in NPM/NTA

    mstokes

      Really hoping someone will be able to assist us here or maybe someone has already accomplished this. Any help would be very much appreciated!!


      I am looking for a way to create an "Active Alert," to alert our organization immediately if any of our nodes see traffic traversing particular ports. This can be either by Port Number or Application Name. I have tried it a couple of ways, but cannot seem to get any data, or I don't see the right parameters that, I think, need to be set. Maybe I am missing something here, or there just isn't a way to accomplish this.


      Specific Ports/APP:


      16992 Intel(R) AMT SOAP/HTTP

      16993 Intel(R) AMT SOAP/HTTPS


      NTA 4.1.2 NPM 12/0


      THANK YOU in advance!

        • Re: Port/Application Alert in NPM/NTA
          sum_giais

          I haven't personally tried this but am familiar with Orion SDK and SWQL. This may be helpful... I'll have to play around with this at some point. Might help you possibly make a custom SWQL query. Not sure if it's plausible though.


          Extracting Netflow 4.0 data

            • Re: Port/Application Alert in NPM/NTA
              sum_giais

              Certainly would have to play with it more but hopefully this can get you possibly in the right direction. You may need to fiddle with the query more. I think it's very close to what you may need though. I haven't tested an actual alert on this also... just that the query data does show up and that it's valid SWQL.

              ############# SWQL Query ####################
              #      This part is already included when
              #       making a SWQL Alert
              #

              SELECT Nodes.Uri, Nodes.DisplayName FROM Orion.Nodes AS Nodes

              ######### What you could add ########################

              INNER JOIN Orion.Netflow.Flows AS Flows
              ON Nodes.NodeID = Flows.NodeID
              WHERE Flows.TimeStamp > ADDHOUR(-1, GETDATE()) AND Flows.TimeStamp <= GETDATE()
              AND (Flows.Port = 16992 OR Flows.Port = 16993)
              GROUP BY Nodes.Uri, Nodes.DisplayName

              ##############################################
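As an added example (not code from this thread or from SolarWinds), a small Python helper that builds the same alert-scope query with the ports and lookback window as parameters, and runs it through any client exposing the Orion SDK style `query(swql)` method (such as `orionsdk.SwisClient`), so the scope can be dry-run and its rows inspected before it is attached to an alert. The entity name `Orion.Netflow.Flows` is taken from the reply above and assumed to exist; `FakeSwis` and its rows are constructed stand-ins so the example runs offline.

```python
"""Build and dry-run the node/port flow query used as a SWQL alert scope.

Added example, not code from the thread. Assumes the Orion.Netflow.Flows
entity named in the reply above and a client with an Orion SDK-style
query(swql) method (orionsdk.SwisClient provides one).
"""
from typing import Dict, List, Sequence

AMT_PORTS = (16992, 16993)  # the Intel AMT SOAP/HTTP(S) ports from the question


def build_flow_alert_query(ports: Sequence[int] = AMT_PORTS,
                           lookback_hours: int = 1) -> str:
    """SWQL scope: nodes with flows on any of `ports` within the lookback window.

    Ports and hours are coerced to int, so only numeric literals reach the text.
    """
    if not ports:
        raise ValueError("at least one port is required")
    port_list = ", ".join(str(int(p)) for p in ports)
    return (
        "SELECT Nodes.Uri, Nodes.DisplayName, COUNT(Flows.NodeID) AS FlowCount "
        "FROM Orion.Nodes AS Nodes "
        "INNER JOIN Orion.Netflow.Flows AS Flows ON Nodes.NodeID = Flows.NodeID "
        f"WHERE Flows.TimeStamp > ADDHOUR(-{int(lookback_hours)}, GETDATE()) "
        "AND Flows.TimeStamp <= GETDATE() "
        f"AND Flows.Port IN ({port_list}) "
        "GROUP BY Nodes.Uri, Nodes.DisplayName"
    )


def nodes_seen_on_ports(swis, ports: Sequence[int] = AMT_PORTS,
                        lookback_hours: int = 1) -> List[Dict]:
    """Run the scope query and return the matching nodes, busiest first."""
    rows = swis.query(build_flow_alert_query(ports, lookback_hours))["results"]
    return sorted(rows, key=lambda r: (-r["FlowCount"], r["DisplayName"]))


class FakeSwis:
    """Constructed stand-in for orionsdk.SwisClient so the example runs offline."""

    def __init__(self, rows: List[Dict]):
        self.rows, self.last_query = rows, None

    def query(self, swql: str, **params) -> Dict:
        self.last_query = swql  # captured so the generated SWQL can be inspected
        return {"results": list(self.rows)}
```

Against a live server, replace `FakeSwis` with `SwisClient(host, user, password)` from the `orionsdk` package; the rows come back in the same `{"results": [...]}` shape.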