2023-01-19 05:11 AM
Has anyone been successful in detecting scans like nmap scans, port scans, vuln scans, etc.?
The first time I tried using an ESA rule from RSA Live it basically exploded NetWitness with false positives and I never went back to look at it.
We're now getting the question if we're able to detect these sorts of scans and I'd like to be able to give them an answer.