Additional dashboards
Configuration information on this page is currently a work in progress; expect frequent near-term updates. Additional dashboards to be added here.
Port & Protocol Tracker
The Port & Protocol Tracker dashboard tracks approved and unapproved port and protocol activity, based on the rules set up in Configure > Lists and Lookups > Application Protocols in the Splunk App for Enterprise Security.
Relevant data sources
Relevant data sources for the Port & Protocol Tracker dashboard include data from devices that collect port and protocol information, along with data indexed in Splunk.
How to configure this dashboard
1. Index relevant data sources from a device, application, or system in Splunk.
2. Map the data to the following Common Information Model fields: dvc, transport, dest_port. The Common Information Model fields bunit and category are derived by automatic identity lookup, and do not need to be mapped directly.
3. Tag your data with "network" AND "communicate".
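As an added illustration of steps 2 and 3 (not configuration taken from the Splunk documentation or from the app itself), the following .conf stanzas map a hypothetical firewall sourcetype onto the required Common Information Model fields and apply the two tags. The sourcetype name acme_fw and the raw field names fw_host, proto, src_ip and dport are assumptions for this example.

```ini
# props.conf: search-time knowledge objects for the assumed sourcetype "acme_fw".
# The raw field names fw_host, proto, src_ip and dport are constructed for this
# example; replace them with whatever your own field extractions produce.
[acme_fw]
# Step 2: alias raw fields onto the Common Information Model names the dashboard
# searches for. bunit and category are not mapped here because the automatic
# identity lookup derives them.
FIELDALIAS-cim_dvc       = fw_host AS dvc
FIELDALIAS-cim_src       = src_ip AS src
FIELDALIAS-cim_dest_port = dport AS dest_port
# transport is a calculated field rather than a plain alias so that values such
# as "TCP" or "Tcp" are normalized to the lowercase form CIM searches expect.
EVAL-transport = lower(proto)

# eventtypes.conf: an eventtype that selects the connection events to be tagged.
[acme_fw_communication]
search = sourcetype=acme_fw dport=*

# tags.conf: step 3, tag that eventtype with "network" AND "communicate".
[eventtype=acme_fw_communication]
network = enabled
communicate = enabled

# Once the knowledge objects are loaded, the normalization check from the
# troubleshooting table on this page confirms the mapping:
#   tag=network tag=communicate | table dvc transport src dest_port
```

Because these are search-time objects, no re-indexing is needed; events already indexed under the sourcetype pick up the aliases and tags immediately.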
Dashboard description
The Port & Protocol Tracker dashboard is populated by ad hoc searches against the sa_traffic namespace. This index is created by the Network - All Communication - TSIDX Gen search, which is a post-process of the Network - All Communication - Base saved search.
The Network - All Communication - Base search runs on a 15 minute cycle and looks at 15 minutes of data.
Setting | Value | Description |
---|---|---|
Schedule | 5,20,35,50 * * * * | Runs on a 15 minute schedule |
Dashboard update window | -20m@m to -5m@m | Looks at 15 minutes of data |
Note: The search window stops at "5 minutes ago", because some data sources may not have provided complete data in a more recent time frame.
For more information on namespaces, see "Verify that a data model namespace exists" in the troubleshooting section of this manual. See "Tscollect" in the Splunk Search Reference Manual for more information about namespaces.
Useful searches/Troubleshooting
Troubleshooting Task | Search/Action | Expected Result |
---|---|---|
Verify that you have data from your network device(s) | sourcetype=<your_sourcetype_for_your_data> | Returns data from your network device(s). |
Verify that port and protocol data is indexed in Splunk | tag=network tag=communicate or `traffic` | Returns all port and protocol data from your device(s) |
Verify that local port and protocol data exists | \| `traffic` | Returns local port and protocol data |
Verify that port and protocol data is normalized to the Common Information Model properly | \| `traffic` \| table dvc transport src dest_port | Returns a list of events and the specific port and protocol data fields populated from your device(s) |
Additional Information
For more information about using the Port & Protocol Tracker dashboard, see Port & Protocol Tracker dashboard in the Splunk for Enterprise Security User Manual.
This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1