Splunk® Enterprise Security

Use Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Additional Network dashboards

Port & Protocol Tracker dashboard

The Port & Protocol Tracker tracks approved and unapproved port and protocol activity, based on the rules set up in Configure > Lists and Lookups > Application Protocols in Enterprise Security. That table lists the network ports and protocols the enterprise allows. From this dashboard, unauthorized activity can be viewed by port to identify devices that are not in compliance with corporate policy, and to detect undesirable traffic, such as IRC.

Use the filtering options at the top of the screen to limit which events are shown. Configure new data inputs through the Settings menu.

See the Splunk App for Enterprise Security Installation and Configuration Manual for more information on the application protocols table and how to configure it in Enterprise Security.


Note: How do I approve ports and protocols? The main search controls above contain a filter to select ports based on approval status. Use the Enterprise Security Configuration Tool to set "status" to "unapproved" or "pending" in the Application Protocols lookup file. Anything not defined will be understood as "approved" by default.

Click on chart elements or table rows on this dashboard to display the raw events that are represented. See dashboard drilldown for more information. The following table describes the panels for this dashboard.

Panel Description
Dashboard filter: Restricts the view on the current dashboard to events that match the selected criteria. Selections apply to the current dashboard only. See descriptions of the standard filter options. The following domain-specific option is available:
  • Show ports by status: restricts the view to ports with that status (Any, Approved, Pending, or UnApproved)
First Time Port Activity: Shows network ports that have only recently been observed in use on the network. The presence of network traffic on a previously unused port may indicate that a compromise has occurred. For example, some malware opens a backdoor channel on an unusual port that allows it to communicate with other infected hosts, or allows the host to be controlled by a remote user.
Port Status by Time: Shows the volume of approved and unapproved network port activity over time and helps determine whether unapproved port activity is trending upwards or downwards. A sudden increase in unapproved port activity may indicate a change on the networked devices, such as an infection.
Port Activity by Status: Shows the number of network-traffic-related events by status (approved or unapproved) and illustrates the overall volume of unapproved traffic. A high volume of unapproved port activity is generally a larger concern than a small volume.

Note: Text values in search fields must be lowercase text.
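The following script is an added example, not code from Splunk or from the Enterprise Security app. It reproduces, offline, the logic the note above and the panel table describe: status is looked up per port and transport in an Application Protocols table, anything not defined defaults to "approved", text values are normalised to lowercase, and the three panels (activity by status, status over time, first-time ports) are computed from a handful of constructed traffic events. The lookup field names (dest_port, transport, status) and the event line format are assumptions for this illustration, not the app's actual schema.

```python
"""Added example (not Splunk's own code): Port & Protocol Tracker logic offline.

Assumptions: the lookup has columns dest_port,transport,status and traffic
events are "epoch src dest dest_port transport" lines. Both are constructed
here for illustration only.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed Application Protocols lookup. Ports not listed here are
# treated as "approved" by default, as the dashboard note describes.
APP_PROTOCOLS_CSV = """dest_port,transport,status
80,tcp,approved
443,tcp,approved
6667,tcp,UnApproved
3389,tcp,pending
"""

# Constructed network traffic events: epoch src dest dest_port transport
EVENTS = """1388200000 10.1.1.5 10.2.2.9 443 tcp
1388200010 10.1.1.5 10.2.2.9 80 tcp
1388200020 10.1.1.7 198.51.100.4 6667 tcp
1388200030 10.1.1.8 10.2.2.9 3389 tcp
1388200040 10.1.1.9 203.0.113.7 31337 tcp
1388200050 10.1.1.9 203.0.113.7 6667 tcp
"""


def load_lookup(text):
    """Return {(port, transport): status}. Values are lowercased because the
    dashboard's search fields only match lowercase text."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (int(row["dest_port"]), row["transport"].strip().lower())
        table[key] = row["status"].strip().lower()
    return table


def parse_events(text):
    """Parse the constructed event lines into dicts with Splunk-style keys."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dest, port, transport = line.split()
        events.append({"_time": int(ts), "src": src, "dest": dest,
                       "dest_port": int(port), "transport": transport.lower()})
    return events


def port_status(lookup, port, transport):
    """Status for a port/transport pair; undefined pairs are 'approved'."""
    return lookup.get((port, transport.lower()), "approved")


def activity_by_status(lookup, events):
    """Port Activity by Status panel: event count per status."""
    return Counter(port_status(lookup, e["dest_port"], e["transport"]) for e in events)


def status_by_time(lookup, events, bucket_seconds=30):
    """Port Status by Time panel: event count per (time bucket, status)."""
    out = defaultdict(Counter)
    for e in events:
        bucket = e["_time"] - e["_time"] % bucket_seconds
        out[bucket][port_status(lookup, e["dest_port"], e["transport"])] += 1
    return {b: dict(c) for b, c in out.items()}


def first_time_ports(events, known_ports):
    """First Time Port Activity panel: ports seen in the events but absent from
    the baseline of (port, transport) pairs previously observed on the network.
    Returns {(port, transport): first_seen_epoch}."""
    first = {}
    for e in sorted(events, key=lambda ev: ev["_time"]):
        key = (e["dest_port"], e["transport"])
        if key not in known_ports and key not in first:
            first[key] = e["_time"]
    return first


def filter_by_status(lookup, events, wanted):
    """'Show ports by status' filter: Any, Approved, Pending or UnApproved."""
    wanted = wanted.lower()
    return [e for e in events
            if wanted == "any" or port_status(lookup, e["dest_port"], e["transport"]) == wanted]


if __name__ == "__main__":
    lookup = load_lookup(APP_PROTOCOLS_CSV)
    events = parse_events(EVENTS)
    print("activity by status:", dict(activity_by_status(lookup, events)))
    print("status by time:", status_by_time(lookup, events))
    print("first-time ports:", first_time_ports(events, {(80, "tcp"), (443, "tcp")}))
```

Note that port 31337 is counted as approved only because nobody has entered it in the lookup; that is the default the dashboard applies, so the First Time Port Activity panel, which keys on novelty rather than status, is the one that surfaces it.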

Last modified on 28 December, 2013

This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1

