Network Traffic Activity
This report provides a six month view of network traffic activity between PCI domains. This report looks at traffic data produced by firewalls, routers, switches, and any other device that produces network traffic data. You can modify and customize the report by using different filters.
Relevant data sources
Relevant data sources for this report include any device that creates network traffic activity, such as firewalls.
How to configure this report
- Index firewall activity data in Splunk platform.
- Map the data to the following Common Information Model fields: `host`, `action`, `dvc`, `rule`, `transport`, `src`, `src_port`, `dest`, `dest_port`, `vendor_product`. CIM-compliant add-ons for these data sources perform this step for you.
- Set the `category` column for each asset in the Asset table to `pci` or `cardholder`.
- Set the `pci_domain` column for each asset in the Asset table to one of `dmz`, `trust`, `untrust`, `cardholder`, or `wireless`.
- Set the `is_secure` and `is_prohibited` columns of the prohibited traffic list to `true` or `false`.
Mapping examples:
- The `action` field shows either `allowed` or `blocked` traffic.
- The `eventtypes` for traffic-related data are tagged with `communicate` and `network`.
Report description
The Network Traffic Activity report relies on the Network Traffic data model.
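The configuration steps above amount to two lookups (the Asset table and the prohibited traffic list) that the report joins against CIM-normalized traffic events. The following added example is not part of the Splunk App for PCI Compliance or its documentation: it lints both lookups against the allowed values stated on this page and then rolls constructed traffic events up into the domain-to-domain counts the report is built on. The `ip` and `nt_host` asset columns, the pipe-delimited multivalue cells, and the `dest_port`/`transport` columns of the prohibited list (everything except `category`, `pci_domain`, `is_secure` and `is_prohibited`) are assumptions made for this example.

```python
"""Added example, not Splunk's own code: lint the Asset table and the
prohibited traffic list, then summarize traffic between PCI domains.

Assumptions (not from the documentation page): the asset lookup carries an
'ip' column, multivalue cells are pipe-delimited ("pci|cardholder"), and the
prohibited traffic list is keyed by dest_port and transport."""
import csv
import io
from collections import defaultdict

# Allowed values as stated in the configuration steps.
VALID_CATEGORY = {"pci", "cardholder"}
VALID_PCI_DOMAIN = {"dmz", "trust", "untrust", "cardholder", "wireless"}
VALID_BOOL = {"true", "false"}

# Constructed sample lookups; the last row of each is deliberately invalid.
ASSETS_CSV = """ip,nt_host,category,pci_domain
10.1.1.10,web01,pci,dmz
10.2.2.20,db01,pci|cardholder,cardholder
10.3.3.30,laptop7,pci,wireless
192.168.9.9,badrow,finance,corp
"""

PROHIBITED_CSV = """dest_port,transport,is_secure,is_prohibited
23,tcp,false,true
22,tcp,true,false
21,tcp,false,yes
"""

# Constructed CIM-normalized traffic events using the field names on this page.
EVENTS = [
    {"action": "allowed", "src": "10.1.1.10", "src_port": "51000",
     "dest": "10.2.2.20", "dest_port": "1433", "transport": "tcp"},
    {"action": "blocked", "src": "10.3.3.30", "src_port": "52000",
     "dest": "10.2.2.20", "dest_port": "23", "transport": "tcp"},
    {"action": "allowed", "src": "10.1.1.10", "src_port": "53000",
     "dest": "203.0.113.5", "dest_port": "443", "transport": "tcp"},
]


def load_rows(text):
    """Parse a CSV lookup into a list of dicts (one per data row)."""
    return list(csv.DictReader(io.StringIO(text)))


def _values(cell):
    """Split an (assumed) pipe-delimited multivalue cell into its values."""
    return [v.strip() for v in cell.split("|") if v.strip()]


def validate_assets(rows):
    """Return one message per category/pci_domain value outside the allowed sets."""
    errors = []
    for n, row in enumerate(rows, start=1):
        bad_cat = set(_values(row["category"])) - VALID_CATEGORY
        if bad_cat:
            errors.append(f"row {n} ({row['ip']}): category {sorted(bad_cat)} "
                          f"not in {sorted(VALID_CATEGORY)}")
        bad_dom = set(_values(row["pci_domain"])) - VALID_PCI_DOMAIN
        if bad_dom:
            errors.append(f"row {n} ({row['ip']}): pci_domain {sorted(bad_dom)} "
                          f"not in {sorted(VALID_PCI_DOMAIN)}")
    return errors


def validate_prohibited(rows):
    """Return one message per is_secure/is_prohibited cell that is not true/false."""
    errors = []
    for n, row in enumerate(rows, start=1):
        for col in ("is_secure", "is_prohibited"):
            if row[col].strip().lower() not in VALID_BOOL:
                errors.append(f"row {n}: {col}={row[col]!r} must be true or false")
    return errors


def summarize_traffic(events, assets, prohibited):
    """Count allowed/blocked/prohibited events per (src_domain, dest_domain).

    Hosts absent from the Asset table land in the 'unknown' domain, which is
    what an incomplete asset list looks like in the report."""
    domain = {r["ip"]: (_values(r["pci_domain"]) or ["unknown"])[0] for r in assets}
    banned = {(r["dest_port"], r["transport"].lower())
              for r in prohibited if r["is_prohibited"].strip().lower() == "true"}
    summary = defaultdict(lambda: {"allowed": 0, "blocked": 0, "prohibited": 0})
    for e in events:
        key = (domain.get(e["src"], "unknown"), domain.get(e["dest"], "unknown"))
        bucket = summary[key]
        if e["action"] in bucket:          # only allowed/blocked are counted
            bucket[e["action"]] += 1
        if (e["dest_port"], e["transport"].lower()) in banned:
            bucket["prohibited"] += 1
    return dict(summary)


if __name__ == "__main__":
    assets, prohibited = load_rows(ASSETS_CSV), load_rows(PROHIBITED_CSV)
    for msg in validate_assets(assets) + validate_prohibited(prohibited):
        print("lookup error:", msg)
    for (src_dom, dest_dom), counts in sorted(summarize_traffic(EVENTS, assets, prohibited).items()):
        print(f"{src_dom:>10} -> {dest_dom:<10} {counts}")
```

Running the lint before uploading a lookup catches the two mistakes the report silently tolerates: an asset whose `category` or `pci_domain` is outside the documented set simply drops out of the PCI view, and a prohibited-list row whose `is_prohibited` is not literally `true` or `false` never matches. The `unknown` bucket in the summary is the practical check that every cardholder-environment host actually has a row in the Asset table.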
Useful searches for troubleshooting
Troubleshooting Task | Search/Action | Expected Result |
---|---|---|
Verify that you have data from your network devices. | sourcetype=<your_sourcetype_for_your_data> | Returns data from your network devices. |
Verify that network activity data has been indexed in Splunk platform. | tag=network tag=communicate or `communicate` | Returns all network traffic data from your network devices. |
Verify that the fields are normalized to the Common Information Model. | `communicate` \| fields sourcetype, action, dvc, rule, transport, src, dest | Returns a list of events and the specific network traffic fields of data populated from your devices. |
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.3.0, 4.4.0, 4.4.1, 4.5.0 Cloud only, 4.6.0, 4.6.2