Splunk® Enterprise Security

Use Splunk Enterprise Security


Protocol Intelligence dashboards

Protocol Intelligence is a collection of dashboards and searches that report on the information collected from common network protocols. As an analyst, you can use these dashboards to gain insight into HTTP, DNS, TCP/UDP, TLS/SSL, and common email protocols across your system or network.

The Protocol Intelligence dashboards use packet capture data. Packet capture data contains security-relevant information not typically collected in log files. Integrating network protocol data provides a rich source of additional context when detecting, monitoring, and responding to security related threats.

Obtain packet capture data from apps such as Splunk Stream and the Splunk Add-on for Bro IDS. The dashboards will be empty without applicable data.

  • For information about integrating Splunk Stream with Splunk Enterprise Security, see Splunk Stream integration in the Enterprise Security Installation and Upgrade Manual.
  • For information about the protocols supported in Splunk Stream, see Supported Protocols in the Splunk Stream User Manual.

Protocol Center

The Protocol Center dashboard provides an overview of security-relevant network protocol data. The dashboard searches display results based on the time period selected using the dashboard time picker.

Dashboard Panels

  • Key Indicators: Displays metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See Key indicators in this manual.
  • Connections By Protocol: Displays the sum of all protocol connections, sorted by protocol over time. The connection distribution by protocol shows the most common protocols used in an environment, such as email protocols and HTTP/SSL. An exploited protocol may display a disproportionate number of connections for its service type.
  • Usage By Protocol: Displays the sum of all protocol traffic in bytes, sorted by protocol over time. The bandwidth used per protocol will show consistency relative to the total network traffic. An exploited protocol may display a traffic increase disproportionate to its use.
  • Top Connection Sources: Displays the top 10 hosts by total protocol traffic sent and received over time. A host displaying a large amount of connection activity may be heavily loaded, experiencing issues, or represent suspicious activity. The drilldown redirects the page to the Traffic Search dashboard and searches on the selected source IP.
  • Usage For Well Known Ports: Displays the sum of protocol traffic, sorted by ports under 1024 over time. The bandwidth used per port will show consistency relative to the total network traffic. An exploited port may display an increase in bandwidth disproportionate to its use. The drilldown redirects the page to the Traffic Search dashboard and searches on the selected port.
  • Long Lived Connections: Displays TCP connections sustained longer than 3 minutes. A long duration connection between hosts may represent unusual or suspicious activity. The drilldown opens the Traffic Search dashboard and searches on the selected event.

Data sources

The reports in the Protocol Center dashboard use fields in the Network Traffic data model. Relevant data sources include all devices or users generating TCP and UDP protocol traffic on the network captured from vulnerability scanners and packet analysis tools such as Splunk Stream and the Bro network security monitor.

Traffic Size Analysis

Use the Traffic Size Analysis dashboard to compare traffic data with statistical data to find outliers, traffic that differs from what is normal in your environment. Any traffic data, such as firewall, router, switch, or network flows, can be summarized and viewed on this dashboard.

  • Investigate traffic data byte lengths to find connections with large byte counts per request, or that are making a high number of connection attempts with small byte count sizes.
  • Use the graph to spot suspicious patterns of data being sent.
  • Drill down into the summarized data to look for anomalous source/destination traffic.

Dashboard filters

Use the filters to refine the traffic size events list on the dashboard.

  • Standard Deviation Index: The percentage (%) shows the amount of data that will be filtered out if that number of standard deviations is selected. Choose a higher number of deviations to see fewer traffic size events, or a lower number of deviations to see more of them.
  • Time Range: Select the time range to represent.
  • Advanced Filter: Click to see the list of category events that can be filtered for this dashboard. See Advanced Filter in this manual for information.

Dashboard panels

Click chart elements or table rows to display raw events. See dashboard drilldown for more information on this feature. The following table describes the panels for this dashboard.

  • Key Indicators: Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See Key indicators in this manual.
  • Traffic Size Anomalies Over Time: A line chart of the count of anomalous traffic size events in your environment over time, with time on the x-axis and count on the y-axis. An event counts as anomalous when its traffic volume exceeds the number of standard deviations selected in the filter (2 by default).
  • Traffic Size Details: A table of each traffic event and related details such as the size of the traffic event in bytes. If there is more than one event from a source IP address, the count column shows how many events were seen. The bytes column shows the minimum, maximum, and average number of bytes for the traffic event. Z is the number of standard deviations for the traffic event.
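The outlier logic behind the Standard Deviation Index filter and the two panels above, as an added example. It is not Splunk code and does not run a Splunk search; it models the same computation over a constructed list of Network Traffic events (timestamp, source, destination, bytes): compute each event's Z, keep events above the selected threshold, report the share filtered out, and build the per-source count/min/max/avg/Z rows. Function names, the hourly bucketing, and the sample byte counts are assumptions.

```python
"""Z-score outlier detection over traffic byte counts (added example, not Splunk code)."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed events: (timestamp, src, dest, bytes). 10.0.0.9 makes one
# transfer far larger than anything else on the segment.
SAMPLE_EVENTS = [
    ("2017-03-01T10:00:00", "10.0.0.5", "192.0.2.10", 1000),
    ("2017-03-01T10:01:00", "10.0.0.5", "192.0.2.10", 1000),
    ("2017-03-01T10:02:00", "10.0.0.5", "192.0.2.10", 1000),
    ("2017-03-01T10:03:00", "10.0.0.5", "192.0.2.10", 1000),
    ("2017-03-01T10:00:30", "10.0.0.7", "192.0.2.20", 800),
    ("2017-03-01T10:01:30", "10.0.0.7", "192.0.2.20", 1200),
    ("2017-03-01T10:02:30", "10.0.0.7", "192.0.2.20", 900),
    ("2017-03-01T10:03:30", "10.0.0.7", "192.0.2.20", 1100),
    ("2017-03-01T10:04:30", "10.0.0.7", "192.0.2.20", 1000),
    ("2017-03-01T11:05:00", "10.0.0.9", "198.51.100.7", 91000),
]


def z_scores(events):
    """Return (event, z) pairs where z = (bytes - mean) / population std dev."""
    sizes = [e[3] for e in events]
    mu = mean(sizes)
    sigma = pstdev(sizes)
    if sigma == 0:  # all events the same size: nothing can be an outlier
        return [(e, 0.0) for e in events]
    return [(e, (e[3] - mu) / sigma) for e in events]


def anomalies(events, deviations=2.0):
    """Events whose byte count exceeds the mean by more than `deviations` std devs."""
    return [(e, z) for e, z in z_scores(events) if z > deviations]


def filtered_out_percentage(events, deviations=2.0):
    """Share of events hidden at this threshold: the % shown next to the Standard Deviation Index."""
    if not events:
        return 0.0
    return 100.0 * (1 - len(anomalies(events, deviations)) / len(events))


def anomalies_over_time(events, deviations=2.0):
    """Count of anomalous events per hour bucket (the over-time chart's series)."""
    return Counter(e[0][:13] for e, _ in anomalies(events, deviations))


def traffic_size_details(events, deviations=2.0):
    """One row per source: count, min/max/avg bytes, largest Z, and whether any event was anomalous."""
    per_src = defaultdict(list)
    for e, z in z_scores(events):
        per_src[e[1]].append((e[3], z))
    rows = {}
    for src, pairs in per_src.items():
        sizes = [b for b, _ in pairs]
        z_max = max(z for _, z in pairs)
        rows[src] = {"count": len(sizes), "min": min(sizes), "max": max(sizes),
                     "avg": mean(sizes), "z": z_max, "anomalous": z_max > deviations}
    return rows


if __name__ == "__main__":
    for e, z in anomalies(SAMPLE_EVENTS):
        print(f"{e[0]} {e[1]} -> {e[2]} {e[3]} bytes  Z={z:.2f}")
    print(f"{filtered_out_percentage(SAMPLE_EVENTS):.0f}% of events filtered out at 2 std devs")
    for src, row in traffic_size_details(SAMPLE_EVENTS).items():
        print(src, row)
```

Raising the threshold from 2 to 3 standard deviations drops the single outlier in this sample as well (its Z is just under 3), which is the trade-off the filter's percentage is there to make visible.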

DNS Activity

The DNS Activity dashboard displays an overview of data relevant to the DNS infrastructure being monitored. The dashboard searches display results based on the time period selected using the dashboard time picker.

Dashboard Panels

  • Key Indicators: Displays metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See Key indicators in this manual.
  • Top Reply Codes By Unique Sources: Displays the top DNS Reply codes observed across hosts. A host initiating a large number of DNS queries to unknown or unavailable domains will report a large number of DNS lookup failures with some successes. That pattern of DNS queries may represent an exfiltration attempt or suspicious activity. The drilldown opens the DNS Search dashboard and searches on the selected Reply Code.
  • Top DNS Query Sources: Displays the top DNS query sources on the network. A host sending a large amount of DNS queries may be improperly configured, experiencing technical issues, or represent suspicious activity. The drilldown opens the DNS Search dashboard and searches on the selected source IP address.
  • Top DNS Queries: Displays the top 10 DNS QUERY requests over time. The drilldown opens the DNS Search dashboard and searches on the queried host address.
  • Queries Per Domain: Displays the most common queries grouped by domain. An unfamiliar domain receiving a large number of queries from hosts on the network may represent an exfiltration attempt or suspicious activity. The drilldown opens the DNS Search dashboard and searches on the queried domain address.
  • Recent DNS Queries: Displays the 50 most recent DNS Response queries with added detail. The drilldown opens the DNS Search dashboard and searches on the selected queried address.
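The summaries the DNS Activity panels build, reproduced as an added example over constructed Network Resolution events (source, query, reply code). This is not Splunk code; it shows reply codes counted by unique source, top query sources, queries grouped by domain, and the pattern the Top Reply Codes panel describes, a host whose lookups mostly fail. The domain grouping keeps only the last two labels, which is an assumption; the function names, thresholds and the failure-code set are also assumptions.

```python
"""Reply-code and query-source summaries over DNS events (added example, not Splunk code)."""
from collections import Counter, defaultdict

# Constructed DNS events: (src, query, reply_code). 10.0.0.8 resolves many
# never-before-seen names under example.net and gets NXDOMAIN for most.
SAMPLE_DNS = [
    ("10.0.0.5", "www.example.com", "NOERROR"),
    ("10.0.0.5", "www.example.com", "NOERROR"),
    ("10.0.0.5", "mail.example.com", "NOERROR"),
    ("10.0.0.12", "www.example.org", "NOERROR"),
    ("10.0.0.12", "www.example.org", "SERVFAIL"),
    ("10.0.0.8", "www.example.com", "NOERROR"),
    ("10.0.0.8", "www.example.com", "NOERROR"),
] + [("10.0.0.8", f"{label}.example.net", "NXDOMAIN")
     for label in ("a1b2c3", "d4e5f6", "g7h8i9", "j0k1l2",
                   "m3n4o5", "p6q7r8", "s9t0u1", "v2w3x4")]

# Reply codes treated as lookup failures (assumption).
FAILURE_CODES = {"NXDOMAIN", "SERVFAIL", "REFUSED"}


def registered_domain(name):
    """Last two labels of a name. Simplification: a real deployment would use a
    public suffix list so that names such as example.co.uk group correctly."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def reply_codes_by_unique_sources(events):
    """How many distinct source hosts received each reply code."""
    sources = defaultdict(set)
    for src, _, code in events:
        sources[code].add(src)
    return {code: len(s) for code, s in sources.items()}


def top_query_sources(events, n=10):
    """Sources ordered by number of queries sent."""
    return Counter(src for src, _, _ in events).most_common(n)


def queries_per_domain(events, n=10):
    """Query counts grouped by registered domain."""
    return Counter(registered_domain(q) for _, q, _ in events).most_common(n)


def mostly_failing_sources(events, min_queries=5, failure_ratio=0.5):
    """Sources with at least `min_queries` lookups of which `failure_ratio` or more
    failed: the 'many failures with some successes' pattern. Returns {src: (total, failures)}."""
    totals, failures = Counter(), Counter()
    for src, _, code in events:
        totals[src] += 1
        if code in FAILURE_CODES:
            failures[src] += 1
    return {src: (totals[src], failures[src]) for src in totals
            if totals[src] >= min_queries
            and failures[src] / totals[src] >= failure_ratio}


if __name__ == "__main__":
    print("reply codes by unique sources:", reply_codes_by_unique_sources(SAMPLE_DNS))
    print("top query sources:", top_query_sources(SAMPLE_DNS))
    print("queries per domain:", queries_per_domain(SAMPLE_DNS))
    print("mostly failing sources:", mostly_failing_sources(SAMPLE_DNS))
```

Note that `min_queries` keeps 10.0.0.12 out of the result even though half of its two lookups failed; a ratio alone would flag every host that happens to hit one SERVFAIL.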

Data sources

The reports in the DNS dashboard use fields in the Network Resolution data model. Relevant data sources include all devices or users generating DNS protocol traffic on the network captured from vulnerability scanners and packet analysis tools such as Splunk Stream and the Bro network security monitor.

DNS Search

The DNS Search dashboard assists in searching DNS protocol data, refined by the search filters. The dashboard is used in ad-hoc searching of DNS data, but is also the primary destination for drilldown searches in the DNS dashboard panels.

The DNS Search page displays no results unless it is opened in response to a drilldown action, or you set a filter and/or time range and click Submit.

  • Source: Source IP address.
  • Destination: Destination IP address.
  • Query: DNS query.
  • Message Type: DNS message type: Query, Response, or All.
  • Reply Code: DNS reply type: All, All Errors, or one of a list of common reply codes.

SSL Activity

The SSL Activity dashboard displays an overview of the traffic and connections that use SSL. As an analyst, you can use these dashboards to view and review SSL encrypted traffic by usage, without decrypting the payload. The dashboard searches display results based on the time period selected using the dashboard time picker.

Dashboard Panels

  • Key Indicators: Displays metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See Key indicators in this manual.
  • SSL Activity By Common Name: Displays outbound SSL connections by common name (CN) of the SSL certificate used. An unfamiliar domain receiving a large number of SSL connections from hosts on the network may represent unusual or suspicious activity. The drilldown redirects the page to the SSL Search dashboard, and searches on the selected common name.
  • SSL Cloud Sessions: Displays the count of active sessions by CN that represents a known cloud service. The CN is compared to a list of cloud service domains pre-configured in the Cloud Domains lookup file. For more information about editing lookups in ES, see Lists and Lookup editor in this manual. The drilldown opens the SSL Search dashboard and searches on the selected source IP and common name.
  • Recent SSL Sessions: Displays the 50 most recent SSL sessions in a table with additional information about the SSL key. The fields ssl_end_time, ssl_validity_window, and ssl_is_valid use color-coded text for fast identification of expired, short lived, or invalid certificates. The drilldown redirects the page to the SSL Search dashboard and displays the full details of the selected event.
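The two checks the SSL Cloud Sessions and Recent SSL Sessions panels rely on, as an added example over constructed Certificates-model sessions. It is not Splunk code: it derives the validity window from the certificate dates, assigns the expired / short-lived / invalid flags the panel colour-codes, and matches a CN against a cloud-domain list. The `CLOUD_DOMAINS` list is a constructed stand-in for the Cloud Domains lookup, the fixed `TODAY`, the 30-day short-lived cutoff and the function names are assumptions.

```python
"""Certificate validity flags and cloud-CN matching for SSL sessions (added example, not Splunk code)."""
from collections import Counter
from datetime import date

# Constructed sessions: (src, dest, cn, not_before, not_after, is_valid).
SAMPLE_SESSIONS = [
    ("10.0.0.5", "203.0.113.10", "www.example.com", date(2016, 1, 1), date(2018, 1, 1), True),
    ("10.0.0.6", "203.0.113.11", "old.example.org", date(2015, 1, 1), date(2016, 1, 1), True),
    ("10.0.0.7", "203.0.113.12", "tmp.example.net", date(2017, 2, 20), date(2017, 3, 10), True),
    ("10.0.0.8", "203.0.113.13", "storage.cloud-example.com", date(2016, 6, 1), date(2018, 6, 1), False),
    ("10.0.0.5", "203.0.113.14", "api.cloud-example.com", date(2016, 6, 1), date(2018, 6, 1), True),
]

CLOUD_DOMAINS = ["cloud-example.com"]  # constructed stand-in for the Cloud Domains lookup
TODAY = date(2017, 3, 1)               # fixed "now" so the results are reproducible


def validity_window_days(not_before, not_after):
    """Length of the certificate's validity period in days (ssl_validity_window)."""
    return (not_after - not_before).days


def certificate_flags(session, today=TODAY, short_lived_days=30):
    """Subset of {'expired', 'short_lived', 'invalid'} that applies to one session."""
    _, _, _, not_before, not_after, is_valid = session
    flags = set()
    if not_after < today:                      # ssl_end_time already passed
        flags.add("expired")
    if validity_window_days(not_before, not_after) < short_lived_days:
        flags.add("short_lived")
    if not is_valid:                           # ssl_is_valid reported false
        flags.add("invalid")
    return flags


def flagged_sessions(sessions, today=TODAY):
    """(cn, flags) for every session the panel would highlight."""
    out = []
    for s in sessions:
        flags = certificate_flags(s, today)
        if flags:
            out.append((s[2], flags))
    return out


def sessions_by_common_name(sessions):
    """Connection count per certificate CN (SSL Activity By Common Name)."""
    return Counter(s[2] for s in sessions)


def is_cloud_cn(cn, cloud_domains=CLOUD_DOMAINS):
    """True when the CN is a listed cloud domain or a subdomain of one.
    The dot boundary matters: 'evil-cloud-example.com' must not match."""
    cn = cn.lower().rstrip(".")
    return any(cn == d or cn.endswith("." + d) for d in cloud_domains)


def cloud_sessions(sessions, cloud_domains=CLOUD_DOMAINS):
    """Session count per CN, restricted to known cloud services (SSL Cloud Sessions)."""
    return Counter(s[2] for s in sessions if is_cloud_cn(s[2], cloud_domains))


if __name__ == "__main__":
    for cn, flags in flagged_sessions(SAMPLE_SESSIONS):
        print(f"{cn}: {', '.join(sorted(flags))}")
    print("cloud sessions:", dict(cloud_sessions(SAMPLE_SESSIONS)))
```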

Data sources

The reports in the SSL Activity dashboard use fields in the Certificates data model. Relevant data sources include all devices or users generating SSL protocol traffic on the network captured from vulnerability scanners and packet analysis tools such as Splunk Stream and the Bro network security monitor.

SSL Search

The SSL Search dashboard assists in searching SSL protocol data, refined by the search filters. The dashboard is used in ad-hoc searching of SSL protocol data, but is also the primary destination for drilldown searches in the SSL Activity dashboard panels.

The SSL Search page displays no results unless it is opened in response to a drilldown action, or you set a filter and/or time range and click Submit.

  • Source: Source IP address.
  • Destination: Destination IP address.
  • Subject/Issuer Common Name: Common name retrieved from the x.509 certificate Subject or Issuer fields.
  • Certificate Serial Number: The x.509 certificate Serial Number field.
  • Certificate Hash: The x.509 certificate Signature field.

Email Activity

The Email Activity dashboard displays an overview of data relevant to the email infrastructure being monitored. The dashboard searches display results based on the time period selected using the dashboard time picker.

Dashboard Panels

  • Key Indicators: Displays metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See Key indicators in this manual.
  • Top Email Sources: Displays the hosts generating the most email protocol traffic. A host sending excessive amounts of email on the network may represent unusual or suspicious activity. Periodicity displayed across hosts viewed on the sparklines may be an indicator of a scripted action. The drilldown opens the Email Search dashboard and searches on the selected source IP.
  • Large Emails: Displays the hosts sending emails larger than 2MB. A host that repeatedly sends large emails may represent suspicious activity or data exfiltration. The drilldown opens the Email Search dashboard and searches on the selected source IP.
  • Rarely Seen Senders: Displays Sender email addresses that infrequently send email. An address that represents a service account or non-user sending email may indicate suspicious activity or a phishing attempt. The drilldown opens the Email Search dashboard and searches on the selected Sender.
  • Rarely Seen Receivers: Displays Receiver email addresses that infrequently receive email. An address that represents a service account or non-user receiving email may indicate suspicious activity or a phishing attempt. The drilldown opens the Email Search dashboard and searches on the selected Recipient.

Data sources

The reports in the Email dashboard use fields in the Email data model. Relevant data sources include all the devices or users generating email protocol traffic on the network captured from vulnerability scanners and packet analysis tools such as Splunk Stream and the Bro network security monitor.

Email Search

The Email Search dashboard assists in searching email protocol data, refined by the search filters. The dashboard is used in ad-hoc searching of email protocol data, but is also the primary destination for drilldown searches used in the Email Activity dashboard panels.

The Email Search page displays no results unless it is opened in response to a drilldown action, or you set a filter and/or time range and click Submit.

  • Email Protocol: The email communication protocol.
  • Source: Source IP address.
  • Sender: The sender's email address.
  • Destination: Destination IP address.
  • Recipient: The recipient's email address.

Troubleshooting Protocol Intelligence dashboards

The Protocol Intelligence dashboards use packet capture data from apps such as Splunk Stream and the Splunk Add-on for Bro IDS. Without applicable data, the dashboards remain empty. For an overview of Splunk Stream Integration with ES, see Splunk Stream integration in the Enterprise Security Installation and Upgrade Manual. See Dashboard Troubleshooting in this manual.


This documentation applies to the following versions of Splunk® Enterprise Security: 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0 Cloud only
