
When receiving internal attacks, I'd like to utilize Splunk alerts to trigger an Nmap scan against that attacking host from a remote machine; one other than the Splunk server.

Is there any API or script that would provide this functionality (Splunk alert, get the source address, automatically send the address to a remote host to run an Nmap (-A) scan against the attacker)?

The idea here would be to automatically get additional information on internal hosts that are potentially malicious/compromised. Then, a potential add-on would be to send the scan results back to Splunk for correlation.


1 Answer


This question is rather opinion based and not really about security, so until this gets flagged I'll answer how I might go about accomplishing this as effortlessly as possible.

For what it's worth!

  • set a Splunk alert to invoke a script (docs here)
  • the script (above) could be a simple shell script that takes the info you need for the Nmap scan and sends it as the payload of a POST request to the server via cURL
  • set up a simple API for the server to accept data via something like json-server (docs here)
  • configure cron on the server to run every N seconds to check db.json (json-server's data storage) for new data and, if found, run the Nmap scan
  • potentially store the Nmap scan results within db.json so that the Splunk machine can, by way of another script, query the data and act accordingly

This is by no means perfect, but it might at least provide you with an early route to start hacking together a quick prototype of what you are looking to accomplish. Ideally you would want to set up a more robust and tested API, but, again, the above can suffice as a working POC.

This is a tutorial for quickly standing something like this up with JWT authentication.

  • This is awesome - thanks for the response. I had the idea for many of these parts, but was missing the documentation (and some understanding) on how these would piece together. I am going to give it a try, and I will report back with my findings! – SnakeItUp Aug 14 '18 at 11:14
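The pipeline the answer sketches (Splunk alert script, cURL POST to a json-server API, cron job that runs Nmap) as one working example. This is an added illustration, not code from the answer or from Splunk or json-server, and it adds the checks the sketch leaves out: the alert-side script only forwards plain IPv4 addresses inside an explicit scan scope, and the scanner re-validates every target it pulls from the queue, because anything that can reach the API can write to db.json. Assumptions, all adjustable and hypothetical: Splunk's scripted alert passes the alert name as the fourth argument and the gzipped results CSV as the eighth, the results contain a column named `src`, json-server exposes a `scans` resource at `API_URL` (the `Authorization` header only means something once the JWT setup from the linked tutorial is in front of it), and the scanner host has `curl`, `jq` and `nmap`. The scanner polls the API for queued entries rather than reading db.json from disk, so it works whether or not it runs on the json-server host.

```shell
#!/bin/sh
# Added example, not from the answer above: glue for "Splunk alert -> remote Nmap"
# with input checks. Everything here is an assumption about your environment:
#   - Splunk's scripted alert passes the alert name as $4 and the gzipped results
#     CSV as $8; the results contain a column named "src" (SRC_FIELD).
#   - json-server on the scanner host exposes a "scans" resource at API_URL.
#   - SCAN_SCOPE lists the only networks this pipeline may ever scan.
#   - The scanner host has curl, jq and nmap.
set -eu

API_URL="${API_URL:-http://scanner.internal.example:3000/scans}"
API_TOKEN="${API_TOKEN:-}"
SCAN_SCOPE="${SCAN_SCOPE:-10.0.0.0/8 172.16.0.0/12 192.168.0.0/16}"
SRC_FIELD="${SRC_FIELD:-src}"

# Accept a plain dotted-quad only. Hostnames, IPv6, option-looking strings such as
# "10.0.0.5 -oN x" and octal-looking octets ("010.0.0.1" is 8.0.0.1 to inet_aton)
# are all rejected, so a value taken from the alert can never alter the nmap command.
valid_ipv4() {
  case $1 in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}

ip2int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() { # in_cidr IP CIDR
  net=${2%/*}; bits=${2#*/}
  if [ "$bits" -eq 0 ]; then mask=0
  else mask=$(( (4294967295 << (32 - bits)) & 4294967295 )); fi
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

in_scope() {
  for c in $SCAN_SCOPE; do in_cidr "$1" "$c" && return 0; done
  return 1
}

# Print one column of Splunk's results CSV (header row first, values quoted).
csv_column() {
  awk -F, -v col="$1" '
    { gsub(/"/, "") }
    NR == 1 { for (i = 1; i <= NF; i++) if ($i == col) c = i; next }
    c { print $c }'
}

# Alert side: POST one validated target to the scan queue.
queue_scan() { # queue_scan IP ALERT_NAME
  alert=$(printf '%s' "$2" | tr -cd 'A-Za-z0-9 _.:-')
  curl -fsS -X POST "$API_URL" -H "Authorization: Bearer $API_TOKEN" \
    -H 'Content-Type: application/json' \
    --data "{\"target\":\"$1\",\"alert\":\"$alert\",\"status\":\"queued\"}"
}

alert_main() { # Splunk calls the script with its eight positional arguments
  alert_name=$4; results=$8
  zcat -f "$results" | csv_column "$SRC_FIELD" | sort -u | while IFS= read -r ip; do
    if ! valid_ipv4 "$ip"; then echo "skip, not an IPv4 address: $ip" >&2; continue; fi
    if ! in_scope "$ip";  then echo "skip, out of scope: $ip" >&2; continue; fi
    queue_scan "$ip" "$alert_name"
  done
}

# Scanner side: re-check every queued target. Anyone who can reach the API can write
# to db.json, so the scanner trusts nothing it reads from there.
scan_target() { # scan_target IP OUTDIR
  valid_ipv4 "$1" && in_scope "$1" || { echo "refusing to scan: $1" >&2; return 1; }
  nmap -A -oX "$2/$1.xml" "$1"
}

scan_main() { # run from cron on the scanner host: MODE=scan ./scan-bridge.sh
  outdir=${OUTDIR:-/var/lib/scans}
  curl -fsS -H "Authorization: Bearer $API_TOKEN" "$API_URL?status=queued" |
    jq -r '.[] | "\(.id) \(.target)"' |
    while read -r id target; do
      if scan_target "$target" "$outdir"; then status=done; else status=rejected; fi
      curl -fsS -X PATCH "$API_URL/$id" -H "Authorization: Bearer $API_TOKEN" \
        -H 'Content-Type: application/json' --data "{\"status\":\"$status\"}" >/dev/null
    done
}

if [ "${MODE:-}" = scan ]; then scan_main
elif [ $# -ge 8 ]; then alert_main "$@"
fi
```

The same file serves both hosts: Splunk invokes it as the alert script (eight arguments, so `alert_main` runs), and cron on the scanner host invokes it with `MODE=scan`. The Nmap output lands as XML per target, which is the form you would later ship back into Splunk for the correlation step the question mentions; marking the queue entry `done` or `rejected` via PATCH keeps the scanner from re-running the same target every cron tick.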