Port and Protocol Tracker dashboard
The Port and Protocol Tracker tracks port and protocol activity, based on the rules set up in Configure > Content > Content Management in Enterprise Security. To edit, search for interesting_ports_lookup or use the Type dropdown menu to filter on Lookup and scroll to Interesting Ports.
The lookup table specifies the network ports that the enterprise allows. From this dashboard, you can view new activity by port to identify devices that are not in compliance with corporate policy, as well as detect prohibited traffic.
|Business Unit||A group or department classification for the identity.||Text field. Empty by default. Wildcard strings with an asterisk (*)|
|Category||Filter based on the categories to which the host belongs.||Drop-down: select to filter by|
|Port/Protocol Profiler||Displays the volume network transport and port activity over time, to evaluate if port activity is trending upwards or downwards. Sudden increases in unapproved port activity may indicate a change on the networked devices, such as an infection. The drilldown opens the "New Search" dashboard and searches on the selected transport destination port and time range.|
|New Port Activity - Last 7 Days||Displays a table of transport and port traffic communication over time. The drilldown opens the Traffic Search dashboard and searches on the selected transport and time range.|
|Prohibited Or Insecure Traffic Over Time - Last 24 Hours||Displays the volume of prohibited network port activity over time, and helps determine if unapproved port activity is trending upwards or downwards. The drilldown opens the "New Search" dashboard and searches on the selected transport destination port and time range.|
|Prohibited Traffic Details - Last 24 Hours||Displays a table of the number of prohibited network traffic events. The drilldown opens the "New Search" dashboard and searches on the selected source IP, destination IP, transport, port, and time range.|
This dashboard references data from various data models. Without the applicable data, the dashboards will remain empty. See Troubleshoot dashboards in Splunk Enterprise Security in Administer Splunk Enterprise Security.
Web Center and Network Changes dashboards
Protocol Intelligence dashboards
This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2
Feedback submitted, thanks!