Note: Configuration information on this page is currently a work in progress; expect frequent near-term updates. Additional dashboards will be added here.
Port & Protocol Tracker
The Port & Protocol Tracker dashboard tracks approved and unapproved port and protocol activity, based on the rules set up in Configure > Lists and Lookups > Application Protocols in the Splunk App for Enterprise Security.
Relevant data sources
Relevant data sources for the Port & Protocol Tracker dashboard include data from devices that collect port and protocol information, along with data indexed in Splunk.
How to configure this dashboard
1. Index relevant data sources from a device, application, or system in Splunk.
2. Map the data to the following Common Information Model fields:
Common Information Model fields in the category derived by automatic identity lookup do not need to be mapped directly.
3. Tag your data with "network" AND "communicate".
The Port & Protocol Tracker dashboard is populated by ad hoc searches against the sa_traffic namespace. This namespace is created by the Network - All Communication - TSIDX Gen search, which is a post-process of the Network - All Communication - Base saved search.
The Network - All Communication - Base search runs on a 15 minute cycle and looks at 15 minutes of data.
|Schedule||5,20,35,50 * * * *||Runs on a 15 minute schedule|
|Dashboard update window||-20m@m to -5m@m||Looks at 15 minutes of data|
Note: The search window stops at "5 minutes ago", because some data sources may not have provided complete data in a more recent time frame.
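As an added illustration (not part of the Splunk documentation), the following Python models the Base search's cron schedule and its dispatch window and checks that consecutive runs tile the timeline with no gap and no overlap. The run times are constructed, and the code assumes the standard Splunk reading of "-Nm@m": shift by N minutes, then snap down to the whole minute.

```python
# Added example, not Splunk's own code: models the Base search schedule
# (cron minutes 5,20,35,50) and window (-20m@m to -5m@m) from the table.
from datetime import datetime, timedelta

CRON_MINUTES = (5, 20, 35, 50)          # from "5,20,35,50 * * * *"
EARLIEST, LATEST = "-20m@m", "-5m@m"    # the dashboard update window


def _snap_to_minute(t: datetime) -> datetime:
    return t.replace(second=0, microsecond=0)


def _relative_time(now: datetime, spec: str) -> datetime:
    """Resolve a '-Nm@m' modifier: shift by N minutes, snap to the minute."""
    minutes = int(spec.split("m@m")[0])   # "-20m@m" -> -20
    return _snap_to_minute(now + timedelta(minutes=minutes))


def dispatch_window(run_time_iso: str):
    """(earliest, latest) as ISO strings for one run at run_time_iso."""
    run_time = datetime.fromisoformat(run_time_iso)
    return (_relative_time(run_time, EARLIEST).isoformat(),
            _relative_time(run_time, LATEST).isoformat())


def _run_times(start: datetime, count: int):
    """Yield the next `count` cron firings after `start`."""
    t = _snap_to_minute(start)
    while count:
        t += timedelta(minutes=1)
        if t.minute in CRON_MINUTES:
            count -= 1
            yield t


def windows_tile(start_iso: str, count: int,
                 earliest: str = EARLIEST, latest: str = LATEST) -> bool:
    """True if each window spans exactly 15 minutes and starts exactly
    where the previous one ended (no gap, no overlap)."""
    prev_latest = None
    for t in _run_times(datetime.fromisoformat(start_iso), count):
        lo, hi = _relative_time(t, earliest), _relative_time(t, latest)
        if hi - lo != timedelta(minutes=15):
            return False
        if prev_latest is not None and lo != prev_latest:
            return False
        prev_latest = hi
    return True


if __name__ == "__main__":
    print(dispatch_window("2024-01-01T10:05:00"))   # constructed run time
    print(windows_tile("2024-01-01T10:00:00", 8))
```

Changing either side of the window to something other than a 15 minute span (for example -15m@m to -5m@m) makes the check fail, which is the kind of gap a modified schedule can introduce.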
For more information on namespaces, see "Verify that a data model namespace exists" in the troubleshooting section of this manual. See "Tscollect" in the Splunk Search Reference Manual for more information about namespaces.
|Troubleshooting Task||Search/Action||Expected Result|
|Verify that you have data from your network device(s)||sourcetype=<your_sourcetype_for_your_data>||Returns data from your network device(s).|
|Verify that port and protocol data is indexed in Splunk||tag=network tag=communicate||Returns all port and protocol data from your device(s)|
|Verify that local port and protocol data exists||| `traffic`||Returns local port and protocol data|
|Verify that port and protocol data is normalized to the Common Information Model properly||| `traffic` | table dvc transport src dest_port||Returns a list of events and the specific port and protocol data fields populated from your device(s)|
This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1