Additional Network dashboards
Port & Protocol Tracker dashboard
The Port & Protocol Tracker tracks approved and unapproved port and protocol activity, based on the rules set up in Configure > Lists and Lookups > Application Protocols in Enterprise Security. The table specifies the network ports that the enterprise allows. From here, unauthorized activity can be viewed by port to identify devices that are not in compliance with corporate policy, as well as detect undesirable traffic, such as IRC.
Use the filtering options at the top of the screen to limit which events are shown. Configure new data inputs through the Settings menu.
See the Splunk App for Enterprise Security Installation and Configuration Manual for more information on the application protocols table and how to configure it in Enterprise Security.
Note: How do I approve ports and protocols? The main search controls above contain a filter to select ports based on approval status. Use the Enterprise Security Configuration Tool to set "status" to "unapproved" or "pending" in the Application Protocols lookup file. Anything not defined will be understood as "approved" by default.
Click on chart elements or table rows on this dashboard to display the raw events that are represented. See dashboard drilldown for more information. The following table describes the panels for this dashboard.
| Panel | Description |
| --- | --- |
| Dashboard filter | Restricts the view on the current dashboard to events that match the selected criteria. Selections apply to the current dashboard only. See descriptions of the standard filter options. The following domain-specific option is available: |
| First Time Port Activity | Shows network ports that have only recently been observed in use on the network. The presence of network traffic on a previously unused port may indicate that a compromise has occurred. For example, some malware will open a backdoor channel on an unusual port that allows it to communicate with other infected hosts or to allow the host to be controlled by a remote user. |
| Port Status by Time | Shows the volume of approved and disapproved network port activity over time and helps determine if unapproved port activity is trending upwards or downwards. Sudden increases in unapproved port activity may indicate a change on the networked devices, such as an infection. |
| Port Activity by Status | Shows the number of network-traffic-related events by status (approved or disapproved) and illustrates the overall volume of disapproved traffic. A high volume of disapproved port activity is generally a larger concern than a small volume. |
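To make the approval logic from the note above and the panel descriptions concrete, here is an added example (not Splunk's or Enterprise Security's own code) that classifies constructed traffic events against a constructed port/protocol lookup, treating anything not listed as "approved" by default, and flags ports first seen after a baseline window. The column names dest_port, transport and status are assumptions, not the real lookup schema.

```python
from collections import Counter

# Constructed lookup rows; column names are hypothetical, not the ES lookup schema.
APP_PROTOCOL_LOOKUP = [
    {"dest_port": 6667, "transport": "tcp", "status": "unapproved"},  # IRC
    {"dest_port": 3389, "transport": "tcp", "status": "pending"},
    {"dest_port": 443, "transport": "tcp", "status": "approved"},
]

# Constructed sample network-traffic events (epoch-style _time, RFC 1918 sources).
EVENTS = [
    {"_time": 1000, "src": "10.0.0.5", "dest_port": 443, "transport": "tcp"},
    {"_time": 1001, "src": "10.0.0.5", "dest_port": 6667, "transport": "tcp"},
    {"_time": 1002, "src": "10.0.0.7", "dest_port": 3389, "transport": "tcp"},
    {"_time": 2000, "src": "10.0.0.9", "dest_port": 31337, "transport": "tcp"},
    {"_time": 2001, "src": "10.0.0.9", "dest_port": 6667, "transport": "tcp"},
]


def port_status(event, lookup=APP_PROTOCOL_LOOKUP):
    """Return the lookup status for the event's port/transport pair.
    Anything not defined in the lookup is treated as "approved", which is
    the default the dashboard note describes. Values are lowercased so a
    "Pending" row still matches (search field values must be lowercase)."""
    for row in lookup:
        if (row["dest_port"] == event["dest_port"]
                and row["transport"].lower() == event["transport"].lower()):
            return row["status"].lower()
    return "approved"


def activity_by_status(events, lookup=APP_PROTOCOL_LOOKUP):
    """Count events per status: the figure behind Port Activity by Status."""
    return Counter(port_status(e, lookup) for e in events)


def first_time_ports(events, baseline_end):
    """Ports seen after baseline_end that had no traffic up to baseline_end,
    mirroring the First Time Port Activity panel."""
    seen_before = {(e["dest_port"], e["transport"])
                   for e in events if e["_time"] <= baseline_end}
    seen_after = {(e["dest_port"], e["transport"])
                  for e in events if e["_time"] > baseline_end}
    return sorted(seen_after - seen_before)


if __name__ == "__main__":
    print(dict(activity_by_status(EVENTS)))      # {'approved': 2, 'unapproved': 2, 'pending': 1}
    print(first_time_ports(EVENTS, 1500))       # [(31337, 'tcp')]
```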
Note: Text values in search fields must be lowercase.
This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1