Network Traffic Activity
This report provides a six month view of network traffic activity between PCI domains. This report looks at traffic data produced by firewalls, routers, switches, and any other device that produces network traffic data. You can modify and customize the report by using different filters.
Relevant data sources
Relevant data sources for this report include any device that creates network traffic activity, such as firewalls.
How to configure this report
- Index firewall activity data in Splunk platform.
- Map the data to the following Common Information Model fields.
host,action,dvc,rule,transport,src,src_port,dest,dest_port,vendor_product. CIM-compliant add-ons for these data sources perform this step for you.
- Set the category column for each asset in the Asset table to
- Set the pci_domain column for each asset in the Asset table to
- Set the
is_prohibitedcolumns of the prohibited traffic list to
actionfield shows either
eventtypesfor traffic-related data are tagged with
The Network Traffic Activity report relies on the Network Traffic data model.
Useful searches for troubleshooting
|Troubleshooting Task||Search/Action||Expected Result|
|Verify that you have data from your network devices.||sourcetype=<your_sourcetype_for_your_data>||Returns data from your network devices.|
|Verify that network activity data has been indexed in Splunk platform.|| tag=network tag=communicate
|Returns all network traffic data from your network devices.|
|Verify that the fields are normalized to the Common Information Model.||`communicate` | fields sourcetype, action, dvc, rule, transport, src, dest||Returns a list of events and the specific network traffic fields of data populated from your devices.|
Firewall Rule Activity
Default Account Access
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2