Splunk® Enterprise Security

Use Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Additional Network dashboards

Port & Protocol Tracker dashboard

The Port & Protocol Tracker tracks port and protocol activity, based on the rules set up in Configure > Data Enrichment > Lists and Lookups in Enterprise Security. The table specifies the network ports that the enterprise allows. From here, new activity can be viewed by port to identify devices that are not in compliance with corporate policy, as well as detect prohibited traffic.

ES33 PortProtocol Tracker Panels.png

Filter by Description Action
Business Unit A group or department classification for the identity. Text field. Empty by default. Wildcard strings with an asterisk (*)
Category Filter based on the categories to which the host belongs. For more information, see "Dashboard Filters" in the Installation and Configuration manual Drop-down: select to filter by

Dashboard Panels

Panel Description
Port/Protocol Profiler Displays the volume network transport and port activity over time, to evaluate if port activity is trending upwards or downwards. Sudden increases in unapproved port activity may indicate a change on the networked devices, such as an infection. The drilldown redirects the page to the "New Search" dashboard and searches on the selected transport destination port and time range.
New Port Activity - Last 7 Days Displays a table of transport and port traffic communication over time. The drilldown redirects the page to the "Traffic Search" dashboard and searches on the selected transport and time range.
Prohibited Or Insecure Traffic Over Time - Last 24 Hours Displays the volume of prohibited network port activity over time, and helps determine if unapproved port activity is trending upwards or downwards. The drilldown redirects the page to the "New Search" dashboard and searches on the selected transport destination port and time range.
Prohibited Traffic Details - Last 24 Hours Displays a table of the number of prohibited network traffic events. The drilldown redirects the page to the "New Search" dashboard and searches on the selected source IP, destination IP, transport, port, and time range.

Troubleshooting Network Dashboards

1. This dashboard references data from various data models. Without the applicable data, the dashboards will remain empty.

2. Use the Open in Search link available in the lower left corner of a dashboard view to perform a direct search against the data model. The New Search dashboard also exposes the search commands and objects used to populate the view.

3. Determine if any data required for a dashboard is available in the data model.

a. Determine the data model objects used by a dashboard:
Dashboard Name Panel Title Data Model Data Model Object
Port & Protocol Tracker Port/Protocol Profiler Network Traffic All_Traffic.transport, .dest_port
Prohibited Or Insecure Traffic Over Time - Last 24 Hours All_Traffic.src_category, .dest_category, .src, .dest, .transport, .dest_port
Prohibited Traffic Details - Last 24 Hours All_Traffic.src_category, .dest_category, .src, .dest, .transport, .dest_port
New Port Activity - Last 7 Days None. Calls the application protocols lookup.
b. Use the data model and data model object to search for events in the data model:
Action Search Expected Result
Verify the data is normalized to the Common Information Model | datamodel data_model_name root_object_name search | table _time, sourcetype, root_object_name.*

Example: | datamodel Network_Traffic All_Traffic search | dedup sourcetype | table _time, sourcetype, All_Traffic.*

Returns a list of sourcetypes and the data model objects and fields populated by that sourcetype.

4. Validate the data model is being accelerated.

In the Splunk App for Enterprise Security, browse to Audit > Data Model Audit. Review the Acceleration Details panel for information about the data model acceleration status.
Note: For more information about data model acceleration and the Enterprise Security App, see "Data models in the Enterprise Security app" in the Installation and Configuration Manual.
Last modified on 29 May, 2015
Identity dashboards   Audit dashboards

This documentation applies to the following versions of Splunk® Enterprise Security: 3.1, 3.1.1, 3.2, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 3.3.2, 3.3.3


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters