Splunk® Enterprise Security

Use Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Port and Protocol Tracker dashboard

The Port and Protocol Tracker tracks port and protocol activity, based on the rules set up in Configure > Content > Content Management in Enterprise Security. To edit, search for interesting_ports_lookup or use the Type dropdown menu to filter on Managed Lookup and scroll to Interesting Ports.

The lookup table specifies the network ports that the enterprise allows. From this dashboard, you can view new activity by port to identify devices that are not in compliance with corporate policy, as well as detect prohibited traffic.

Filter by Description Action
Business Unit A group or department classification for the identity. Text field. Empty by default. Wildcard strings with an asterisk (*)
Category Filter based on the categories to which the host belongs. Drop-down: select to filter by

Dashboard Panels

Panel Description
Port/Protocol Profiler Displays the volume network transport and port activity over time, to evaluate if port activity is trending upwards or downwards. Sudden increases in unapproved port activity may indicate a change on the networked devices, such as an infection. The drilldown opens the "New Search" dashboard and searches on the selected transport destination port and time range.
New Port Activity - Last 7 Days Displays a table of transport and port traffic communication over time. The drilldown opens the Traffic Search dashboard and searches on the selected transport and time range.
Prohibited Or Insecure Traffic Over Time - Last 24 Hours Displays the volume of prohibited network port activity over time, and helps determine if unapproved port activity is trending upwards or downwards. The drilldown opens the "New Search" dashboard and searches on the selected transport destination port and time range.
Prohibited Traffic Details - Last 24 Hours Displays a table of the number of prohibited network traffic events. The drilldown opens the "New Search" dashboard and searches on the selected source IP, destination IP, transport, port, and time range.

Troubleshooting

This dashboard references data from various data models. Without the applicable data, the dashboards will remain empty. See Troubleshoot dashboards in Splunk Enterprise Security in Administer Splunk Enterprise Security.

Last modified on 19 January, 2022
Web Center and Network Changes dashboards   Protocol Intelligence dashboards

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters