Additional dashboards
Configuration information on this page is currently a work in progress; expect frequent near-term updates. Additional dashboards are to be added here.
Port & Protocol Tracker
The Port & Protocol Tracker dashboard tracks approved and unapproved port and protocol activity, based on the rules set up in Configure > Lists and Lookups > Application Protocols in the Splunk App for Enterprise Security.
Relevant data sources
Relevant data sources for the Port & Protocol Tracker dashboard include data from devices that collect port and protocol information, along with data indexed in Splunk.
How to configure this dashboard
1. Index relevant data sources from a device, application, or system in Splunk.
2. Map the data to the following Common Information Model fields: dvc, transport, dest_port. The Common Information Model fields bunit and category are derived by automatic identity lookup and do not need to be mapped directly.
3. Tag your data with "network" AND "communicate".
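The following configuration fragments show one way to carry out steps 2 and 3 for a custom sourcetype. This is an added example, not configuration shipped with the Splunk App for Enterprise Security; the sourcetype name acme:fw, the eventtype name acme_fw_traffic and the raw device field names dev_name, proto and dport are assumptions.

```ini
# props.conf
# Step 2: alias the device's own field names onto the Common Information
# Model fields the dashboard reads (dvc, transport, dest_port).
# "acme:fw", "dev_name", "proto" and "dport" are assumed names for this example.
[acme:fw]
FIELDALIAS-cim_dvc = dev_name AS dvc
FIELDALIAS-cim_transport = proto AS transport
FIELDALIAS-cim_dest_port = dport AS dest_port

# eventtypes.conf
# Step 3 (part 1): define an eventtype that selects the traffic events of
# that sourcetype, so the tags below can be attached to it.
[acme_fw_traffic]
search = sourcetype="acme:fw"

# tags.conf
# Step 3 (part 2): attach both tags the Network - All Communication - Base
# search requires; events without both tags never reach the sa_traffic namespace.
[eventtype=acme_fw_traffic]
network = enabled
communicate = enabled

# Verification search to run after restarting or reloading the configuration:
#   tag=network tag=communicate sourcetype="acme:fw" | table dvc transport dest_port
# Rows with empty dvc, transport or dest_port indicate a field alias that does
# not match the raw field name actually present in the events.
```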
Dashboard description
The Port & Protocol Tracker dashboard is populated by ad hoc searches against the sa_traffic namespace. This index is created by the Network - All Communication - TSIDX Gen search, which is a post-process of the Network - All Communication - Base saved search.
The Network - All Communication - Base search runs on a 15 minute cycle and looks at 15 minutes of data.
Setting | Value | Description |
---|---|---|
Schedule | 5,20,35,50 * * * * | Runs on a 15 minute schedule |
Dashboard update window | -20m@m to -5m@m | Looks at 15 minutes of data |
Note: The search window stops at "5 minutes ago", because some data sources may not have provided complete data in a more recent time frame.
For more information about data models and namespaces, see "Tscollect" and "Data Model" in the Splunk Search Reference Manual.
Useful searches/Troubleshooting
Troubleshooting Task | Search/Action | Expected Result |
---|---|---|
Verify that you have data from your network device(s) | sourcetype=<your_sourcetype_for_your_data> | Returns data from your network device(s). |
Verify that port and protocol data is indexed in Splunk | tag=network tag=communicate or `traffic` | Returns all port and protocol data from your device(s) |
Verify that local port and protocol data exists | `traffic` | Returns local port and protocol data |
Verify that port and protocol data is normalized to the Common Information Model properly | `traffic` \| table dvc transport src dest_port | Returns a list of events and the specific port and protocol data fields populated from your device(s) |
Additional Information
For more information about using the Port & Protocol Tracker dashboard, see Port & Protocol Tracker dashboard in the Splunk for Enterprise Security User Manual.
This documentation applies to the following versions of Splunk® Enterprise Security: 3.1, 3.1.1