Splunk® Enterprise Security

Use Splunk Enterprise Security



This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Protocol Intelligence dashboards

Protocol Intelligence is a collection of dashboards and searches that report on the information collected from common network protocols. As an analyst, you can use these dashboards to gain insight into HTTP, DNS, TCP/UDP, TLS/SSL, and common email protocols across your system or network.

The Protocol Intelligence dashboards use packet capture data from apps such as Splunk Stream and the Splunk Add-on for Bro IDS. The dashboards will be empty without applicable data.

Packet capture data contains security-relevant information not typically collected in log files. Integrating network protocol data provides a rich source of additional context when detecting, monitoring, and responding to security related threats.

For information about integrating Splunk Stream with Splunk Enterprise Security, see Splunk Stream integration in the Enterprise Security Installation and Upgrade Manual.

For information about the protocols supported in Splunk Stream, see Supported Protocols in the Splunk Stream User Manual.

Protocol Center

The Protocol Center dashboard provides an overview of security-relevant network protocol data. The dashboard searches display results based on the time period selected using the dashboard time picker.

Dashboard Panels

Key Indicators: Displays metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See "Key indicators" in this manual.
Connections By Protocol: Displays the count of all protocol connections, grouped by protocol, over time. The distribution of connections by protocol shows the most common protocols in use in an environment, such as email protocols and HTTP/SSL. An exploited protocol may show a number of connections that is disproportionate for its service type.
Usage By Protocol: Displays the total protocol traffic in bytes, grouped by protocol, over time. The bandwidth used per protocol normally stays consistent relative to total network traffic. An exploited protocol may show a traffic increase disproportionate to its normal use.
Top Connection Sources: Displays the top 10 hosts by total protocol traffic sent and received over time. A host with a large amount of connection activity may be heavily loaded, experiencing issues, or engaged in suspicious activity. The drilldown redirects the page to the Traffic Search dashboard and searches on the selected source IP.
Usage For Well Known Ports: Displays the total protocol traffic, grouped by ports below 1024, over time. The bandwidth used per port normally stays consistent relative to total network traffic. An exploited port may show an increase in bandwidth disproportionate to its normal use. The drilldown redirects the page to the Traffic Search dashboard and searches on the selected port.
Long Lived Connections: Displays TCP connections sustained for longer than 3 minutes. A long-lived connection between two hosts may represent unusual or suspicious activity, for example a persistent command-and-control channel or a slow data transfer. The drilldown opens the Traffic Search dashboard and searches on the selected event.

Data sources

The panels in the Protocol Center dashboard use fields in the Network Traffic data model. Relevant data sources are packet analysis tools, such as Splunk Stream and the Bro network security monitor, that capture the TCP and UDP protocol traffic generated by devices and users on the network.
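The following two searches are an added example, written for this page rather than taken from the Splunk Enterprise Security dashboards, showing how the Long Lived Connections and Usage For Well Known Ports panels can be reproduced directly against the Network Traffic data model. They assume the Common Information Model field names All_Traffic.transport, All_Traffic.duration (in seconds), All_Traffic.bytes and All_Traffic.dest_port, and that the data model is accelerated so that summariesonly=true returns results (set it to false to search raw events). The 180 second and 1024 port thresholds match the panel descriptions above; everything else, including the output field names, is the editor's choice. Run them as two separate searches.

```spl
| tstats summariesonly=true count sum(All_Traffic.bytes) AS bytes max(All_Traffic.duration) AS duration
    from datamodel=Network_Traffic.All_Traffic
    where All_Traffic.transport="tcp" AND All_Traffic.duration>180
    by All_Traffic.src, All_Traffic.dest, All_Traffic.dest_port, All_Traffic.app
| rename All_Traffic.* AS *
| eval duration_min=round(duration/60, 1), megabytes=round(bytes/1048576, 2)
| sort - duration
| table src, dest, dest_port, app, count, duration_min, megabytes

| tstats summariesonly=true sum(All_Traffic.bytes) AS bytes
    from datamodel=Network_Traffic.All_Traffic
    where All_Traffic.dest_port<1024
    by All_Traffic.dest_port, _time span=1h
| rename All_Traffic.dest_port AS dest_port
| timechart span=1h sum(bytes) AS bytes by dest_port limit=10
```

Keeping the thresholds inside the tstats where clause, rather than in a later search command, keeps the query running against the accelerated summary. Raise the 180 to exclude legitimate long-lived sessions such as database or VPN connections, or add All_Traffic.dest_port to the where clause to focus on ports where a persistent session is unexpected.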

DNS Activity

The DNS Activity dashboard displays an overview of data relevant to the DNS infrastructure being monitored. The dashboard searches display results based on the time period selected using the dashboard time picker.

Dashboard Panels

Key Indicators: Displays metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See "Key indicators" in this manual.
Top Reply Codes By Unique Sources: Displays the top DNS reply codes, ranked by the number of distinct hosts that received them. A host that queries many unknown or unavailable domains produces a large number of DNS lookup failures interspersed with successes; that pattern may represent an exfiltration attempt or other suspicious activity. The drilldown opens the DNS Search dashboard and searches on the selected reply code.
Top DNS Query Sources: Displays the hosts sending the most DNS queries. A host sending a large number of DNS queries may be misconfigured, experiencing technical issues, or engaged in suspicious activity. The drilldown opens the DNS Search dashboard and searches on the selected source IP address.
Top DNS Queries: Displays the 10 most frequently queried names over time. The drilldown opens the DNS Search dashboard and searches on the queried host name.
Queries Per Domain: Displays the most common queries grouped by domain. An unfamiliar domain receiving a large number of queries from hosts on the network may represent an exfiltration attempt or other suspicious activity. The drilldown opens the DNS Search dashboard and searches on the queried domain.
Recent DNS Queries: Displays the 50 most recent DNS responses with additional detail. The drilldown opens the DNS Search dashboard and searches on the selected queried name.

Data sources

The panels in the DNS Activity dashboard use fields in the Network Resolution data model. Relevant data sources are packet analysis tools, such as Splunk Stream and the Bro network security monitor, that capture the DNS protocol traffic generated by devices and users on the network.
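As an added example (the editor's SPL, not code from Splunk Enterprise Security), the first search below reproduces Top Reply Codes By Unique Sources against the Network Resolution data model, and the second turns the pattern described for that panel, many failed lookups from one host with some successes, into a per-source failure ratio. Both assume the CIM field names DNS.src, DNS.query, DNS.message_type (Query or Response) and DNS.reply_code, and that successful responses carry the reply code NoError, as the Splunk Stream dns sourcetype reports it; other add-ons may use different strings, so confirm with | tstats values(DNS.reply_code) from datamodel=Network_Resolution.DNS first. The 200 response and 0.5 ratio thresholds are assumptions to tune for the environment. Run them as two separate searches.

```spl
| tstats summariesonly=true count dc(DNS.src) AS unique_sources
    from datamodel=Network_Resolution.DNS
    where DNS.message_type="Response"
    by DNS.reply_code
| rename DNS.* AS *
| sort - unique_sources

| tstats summariesonly=true count dc(DNS.query) AS unique_queries
    from datamodel=Network_Resolution.DNS
    where DNS.message_type="Response"
    by DNS.src, DNS.reply_code
| rename DNS.* AS *
| eval failures=if(reply_code="NoError", 0, count)
| stats sum(count) AS responses, sum(failures) AS failures, sum(unique_queries) AS unique_queries, values(reply_code) AS reply_codes by src
| eval failure_ratio=round(failures/responses, 2)
| where responses>200 AND failure_ratio>0.5
| sort - failures
```

unique_queries is an approximation, because a name answered with two different reply codes counts twice, but it separates a host that repeats one failing lookup (a stale configuration) from a host generating many distinct names, which is the DNS pattern typical of exfiltration or tunnelling.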

DNS Search

The DNS Search dashboard assists in searching DNS protocol data, refined by the search filters. The dashboard is used in ad-hoc searching of DNS data, but is also the primary destination for drilldown searches in the DNS dashboard panels.

The DNS Search page displays no results unless it is opened in response to a drilldown action, or you set a filter and/or time range and click Submit.

Source: Source IP address. Text field, empty by default. Wildcard with an asterisk (*).
Destination: Destination IP address. Text field, empty by default. Wildcard with an asterisk (*).
Query: DNS query name. Text field, empty by default. Wildcard with an asterisk (*).
Message Type: DNS message type: Query, Response, or All. Drop-down; select to filter by.
Reply Code: DNS reply code: All, All Errors, or one of a list of common reply codes. Drop-down; select to filter by.

SSL Activity

The SSL Activity dashboard displays an overview of the traffic and connections that use SSL. As an analyst, you can use this dashboard to review SSL-encrypted traffic by usage without decrypting the payload, using the certificate and session metadata that packet capture tools extract from the handshake. The dashboard searches display results based on the time period selected using the dashboard time picker.

Dashboard Panels

Key Indicators: Displays metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See "Key indicators" in this manual.
SSL Activity By Common Name: Displays outbound SSL connections by the common name (CN) of the SSL certificate used. An unfamiliar domain receiving a large number of SSL connections from hosts on the network may represent unusual or suspicious activity. The drilldown redirects the page to the SSL Search dashboard and searches on the selected common name.
SSL Cloud Sessions: Displays the count of active sessions whose CN matches a known cloud service. The CN is compared to a list of cloud service domains pre-configured in the Cloud Domains lookup file. For more information about editing lookups in ES, see "Lists and Lookup editor" in this manual. The drilldown opens the SSL Search dashboard and searches on the selected source IP and common name.
Recent SSL Sessions: Displays the 50 most recent SSL sessions in a table with additional information about the SSL certificate. The fields ssl_end_time, ssl_validity_window, and ssl_is_valid use color-coded text for fast identification of expired, short-lived, or invalid certificates. The drilldown redirects the page to the SSL Search dashboard and displays the full details of the selected event.

Data sources

The panels in the SSL Activity dashboard use fields in the Certificates data model. Relevant data sources are packet analysis tools, such as Splunk Stream and the Bro network security monitor, that capture the SSL protocol traffic generated by devices and users on the network.
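The following search is an added example, not dashboard code from Splunk Enterprise Security, showing how to apply the same expired, short-lived or invalid classification that the Recent SSL Sessions panel colour-codes, directly against the Certificates data model. It assumes that the SSL child dataset's fields are addressed as All_Certificates.SSL.<field> in tstats, that ssl_validity_window is in seconds, and that ssl_is_valid is reported as true/false (or 1/0); the 30 day cut-off for a short-lived certificate is the editor's choice, not a value from the page.

```spl
| tstats summariesonly=true count min(_time) AS first_seen max(_time) AS last_seen
    from datamodel=Certificates.All_Certificates
    where nodename=All_Certificates.SSL
    by All_Certificates.src, All_Certificates.dest,
       All_Certificates.SSL.ssl_subject_common_name,
       All_Certificates.SSL.ssl_issuer_common_name,
       All_Certificates.SSL.ssl_end_time,
       All_Certificates.SSL.ssl_validity_window,
       All_Certificates.SSL.ssl_is_valid
| rename All_Certificates.SSL.* AS *
| rename All_Certificates.* AS *
| eval validity_days=round(ssl_validity_window/86400, 0)
| eval status=case(match(tostring(ssl_is_valid), "^(false|0)$"), "invalid",
                   validity_days<30, "short_lived",
                   true(), "ok")
| where status!="ok"
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M")
| sort status, - count
| table status, src, dest, ssl_subject_common_name, ssl_issuer_common_name, ssl_end_time, validity_days, count, first_seen, last_seen
```

ssl_end_time is passed through as the source reports it rather than parsed, since its format depends on the add-on. Sort on validity_days when hunting for certificates issued for only hours or days, which are common in attacker infrastructure and rare for legitimate services.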

SSL Search

The SSL Search dashboard assists in searching SSL protocol data, refined by the search filters. The dashboard is used in ad-hoc searching of SSL protocol data, but is also the primary destination for drilldown searches in the SSL Activity dashboard panels.

The SSL Search page displays no results unless it is opened in response to a drilldown action, or you set a filter and/or time range and click Submit.

Source: Source IP address. Text field, empty by default. Wildcard with an asterisk (*).
Destination: Destination IP address. Text field, empty by default. Wildcard with an asterisk (*).
Subject/Issuer Common Name: Common name taken from the x.509 certificate Subject or Issuer field. Text field, empty by default. Wildcard with an asterisk (*).
Certificate Serial Number: The x.509 certificate serial number. Text field, empty by default. Wildcard with an asterisk (*).
Certificate Hash: A hash of the x.509 certificate (the ssl_hash field in the Certificates data model). Text field, empty by default. Wildcard with an asterisk (*).

Email Activity

The Email Activity dashboard displays an overview of data relevant to the email infrastructure being monitored. The dashboard searches display results based on the time period selected using the dashboard time picker.

Dashboard Panels

Key Indicators: Displays metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See "Key indicators" in this manual.
Top Email Sources: Displays the hosts generating the most email protocol traffic. A host sending excessive amounts of email may represent unusual or suspicious activity. Periodicity visible in the per-host sparklines may indicate a scripted action. The drilldown opens the Email Search dashboard and searches on the selected source IP.
Large Emails: Displays the hosts sending emails larger than 2 MB. A host that repeatedly sends large emails may represent suspicious activity or data exfiltration. The drilldown opens the Email Search dashboard and searches on the selected source IP.
Rarely Seen Senders: Displays sender email addresses that infrequently send email. An address that belongs to a service account or other non-user may indicate suspicious activity or a phishing attempt. The drilldown opens the Email Search dashboard and searches on the selected sender.
Rarely Seen Receivers: Displays recipient email addresses that infrequently receive email. An address that belongs to a service account or other non-user may indicate suspicious activity or a phishing attempt. The drilldown opens the Email Search dashboard and searches on the selected recipient.

Data sources

The panels in the Email Activity dashboard use fields in the Email data model. Relevant data sources are packet analysis tools, such as Splunk Stream and the Bro network security monitor, that capture the email protocol traffic generated by devices and users on the network.
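As an added example (the editor's SPL, not Splunk's own panel searches) against the Email data model, the first search below reproduces Large Emails with the 2 MB threshold from the panel description, aggregated per sending host and address, and the second reproduces Rarely Seen Senders as addresses seen three times or fewer in the selected time range. Both assume the CIM fields All_Email.src, All_Email.src_user, All_Email.recipient and All_Email.size (in bytes); the 5 message and 3 occurrence thresholds are assumptions. Run them as two separate searches, and run the second over a long window (for example the last 30 days) so that a normal but infrequent sender is not mistaken for a new one.

```spl
| tstats summariesonly=true count sum(All_Email.size) AS bytes
    from datamodel=Email.All_Email
    where All_Email.size>2097152
    by All_Email.src, All_Email.src_user, All_Email.recipient
| rename All_Email.* AS *
| stats sum(count) AS large_emails, sum(bytes) AS bytes, dc(recipient) AS recipients, values(recipient) AS recipient_list by src, src_user
| eval megabytes=round(bytes/1048576, 1)
| where large_emails>=5
| sort - megabytes

| tstats summariesonly=true count min(_time) AS first_seen max(_time) AS last_seen
    from datamodel=Email.All_Email
    where All_Email.src_user=*
    by All_Email.src_user
| rename All_Email.* AS *
| where count<=3
| sort count, - last_seen
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M")
```

The rarely-seen logic depends entirely on the baseline window: an address that is rare over 24 hours may be routine over a quarter, so compare the result against a longer range before treating a sender as new.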

Email Search

The Email Search dashboard assists in searching email protocol data, refined by the search filters. The dashboard is used in ad-hoc searching of email protocol data, but is also the primary destination for drilldown searches used in the Email Activity dashboard panels.

The Email Search page displays no results unless it is opened in response to a drilldown action, or you set a filter and/or time range and click Submit.

Email Protocol: The email communication protocol. Drop-down; select to filter by.
Source: Source IP address. Text field, empty by default. Wildcard with an asterisk (*).
Sender: The sender's email address. Text field, empty by default. Wildcard with an asterisk (*).
Destination: Destination IP address. Text field, empty by default. Wildcard with an asterisk (*).
Recipient: The recipient's email address. Text field, empty by default. Wildcard with an asterisk (*).

Troubleshooting Protocol Intelligence dashboards

The Protocol Intelligence dashboards use packet capture data from apps such as "Splunk Stream" and the "Splunk Add-on for Bro IDS". Without applicable data, the dashboards remain empty. For an overview of Splunk Stream Integration with ES, see "Splunk Stream integration" in the Enterprise Security Installation and Upgrade Manual. See "Dashboard Troubleshooting" in this manual.

Last modified on 08 November, 2016

This documentation applies to the following versions of Splunk® Enterprise Security: 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.2.0 Cloud only, 4.2.1 Cloud only, 4.2.2 Cloud only

