Protocol intelligence dashboards
Protocol intelligence is a collection of dashboards and searches that report on the information collected from common network protocols. As an analyst, you can use these dashboards to gain insight into HTTP, DNS, TCP/UDP, TLS/SSL, and common email protocols across your system or network.
The Protocol intelligence dashboards use packet capture data. Packet capture data contains security-relevant information not typically collected in log files. Integrating network protocol data provides a rich source of additional context when detecting, monitoring, and responding to security related threats.
Obtain packet capture data from apps such as Splunk Stream and the Splunk Add-on for Zeek. The dashboards will be empty without applicable data.
Protocol center dashboard
The Protocol center dashboard provides an overview of security-relevant network protocol data. The dashboard searches display results based on the time period selected using the dashboard time picker.
Dashboard panels
| Panel | Description | 
|---|---|
| Key indicators | Displays metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. Key indicators displayed include Protocol activity, Long lived connections, Stream connections, Encrypted connections, and Total bytes. | 
| Connections by protocol | Displays the sum of all protocol connections, sorted by protocol over time. The connection distribution by protocol shows the most common protocols used in an environment, such as email protocols and HTTP/SSL. An exploited protocol may display a disproportionate number of connections for its service type. | 
| Usage by protocol | Displays the sum of all protocol traffic in bytes, sorted by protocol over time. Under normal conditions the bandwidth used by each protocol stays roughly proportional to total network traffic. An exploited protocol may display a traffic increase disproportionate to its normal use. | 
| Top connection sources | Displays the top 10 hosts by total protocol traffic sent and received over time. A host displaying a large amount of connection activity may be heavily loaded, experiencing issues, or represent suspicious activity. The drilldown redirects the page to the traffic search dashboard and searches on the selected source IP. | 
| Usage for well known ports | Displays the sum of protocol traffic, sorted by ports under 1024 over time. Under normal conditions the bandwidth used on each port stays roughly proportional to total network traffic. An exploited port may display an increase in bandwidth disproportionate to its normal use. The drilldown redirects the page to the traffic search dashboard and searches on the selected port. | 
| Long lived connections | Displays TCP connections sustained longer than 3 minutes. A long duration connection between hosts may represent unusual or suspicious activity. The drilldown opens the traffic search dashboard and searches on the selected event. | 
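The aggregations behind the Protocol center panels are simple enough to reproduce outside Splunk, which is useful when you want to sanity-check a panel against raw records or prototype a new threshold. The following added example is not part of the original page or of Splunk Enterprise Security; it runs over a small constructed set of connection records shaped like Network Traffic data model fields (the `app`, `bytes` and `duration` values are invented) and reproduces the per-protocol, per-port, top-source and long-lived-connection views, plus a bytes-per-connection ratio that makes the "disproportionate usage" the panel descriptions mention measurable.

```python
from collections import Counter

# Constructed connection records shaped like Network Traffic data model
# fields (src, dest, dest_port, transport, app, bytes, duration in seconds).
# Not real capture data.
CONNECTIONS = [
    {"src": "10.0.0.5", "dest": "93.184.216.34", "dest_port": 443, "transport": "tcp", "app": "ssl", "bytes": 52_000, "duration": 12},
    {"src": "10.0.0.5", "dest": "10.0.0.53", "dest_port": 53, "transport": "udp", "app": "dns", "bytes": 180, "duration": 0},
    {"src": "10.0.0.7", "dest": "203.0.113.9", "dest_port": 80, "transport": "tcp", "app": "http", "bytes": 9_800, "duration": 4},
    {"src": "10.0.0.9", "dest": "198.51.100.2", "dest_port": 4444, "transport": "tcp", "app": "unknown", "bytes": 1_200, "duration": 5_400},
    {"src": "10.0.0.7", "dest": "10.0.0.25", "dest_port": 25, "transport": "tcp", "app": "smtp", "bytes": 2_300_000, "duration": 40},
    {"src": "10.0.0.5", "dest": "203.0.113.9", "dest_port": 443, "transport": "tcp", "app": "ssl", "bytes": 700, "duration": 200},
]

LONG_LIVED_SECONDS = 3 * 60   # the Long lived connections panel's 3-minute cutoff
WELL_KNOWN_PORT_MAX = 1024    # ports below this are "well known"


def _sum_bytes_by(conns, key_fn):
    """Total bytes grouped by key_fn(connection)."""
    totals = Counter()
    for c in conns:
        totals[key_fn(c)] += c["bytes"]
    return totals


def connections_by_protocol(conns):
    """Connection count per application protocol (Connections by protocol panel)."""
    return Counter(c["app"] for c in conns)


def usage_by_protocol(conns):
    """Bytes per application protocol (Usage by protocol panel)."""
    return _sum_bytes_by(conns, lambda c: c["app"])


def usage_for_well_known_ports(conns):
    """Bytes per destination port below 1024 (Usage for well known ports panel)."""
    return _sum_bytes_by((c for c in conns if c["dest_port"] < WELL_KNOWN_PORT_MAX),
                         lambda c: c["dest_port"])


def top_connection_sources(conns, n=10):
    """Top n source hosts by total bytes, as (src, bytes) pairs."""
    return _sum_bytes_by(conns, lambda c: c["src"]).most_common(n)


def long_lived_connections(conns, min_seconds=LONG_LIVED_SECONDS):
    """TCP connections sustained longer than min_seconds (Long lived connections panel)."""
    return [c for c in conns if c["transport"] == "tcp" and c["duration"] > min_seconds]


def bytes_per_connection_ratio(conns):
    """Per protocol: its average bytes per connection divided by the overall
    average. A value far above 1 is the disproportionate usage the panel
    descriptions warn about; far below 1 is many tiny connections."""
    overall = sum(c["bytes"] for c in conns) / len(conns)
    counts, usage = connections_by_protocol(conns), usage_by_protocol(conns)
    return {app: (usage[app] / counts[app]) / overall for app in counts}


if __name__ == "__main__":
    print("connections by protocol:", dict(connections_by_protocol(CONNECTIONS)))
    print("well-known port usage:", dict(usage_for_well_known_ports(CONNECTIONS)))
    print("top sources:", top_connection_sources(CONNECTIONS, 3))
    for c in long_lived_connections(CONNECTIONS):
        print(f"long lived: {c['src']} -> {c['dest']}:{c['dest_port']} ({c['duration']} s)")
    for app, ratio in sorted(bytes_per_connection_ratio(CONNECTIONS).items(), key=lambda kv: -kv[1]):
        print(f"{app:8s} bytes/connection vs overall: {ratio:.2f}x")
```

On the constructed data the 90-minute TCP session to port 4444 and the 200-second TLS session both cross the 3-minute cutoff, port 4444 is absent from the well-known-port view (which is exactly why the Long lived connections panel matters as a second lens), and SMTP carries almost six times the bytes per connection of the overall average.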
Data sources
The reports in the Protocol center dashboard use fields in the network traffic data model. Relevant data sources include all devices or users generating TCP and UDP protocol traffic on the network captured from vulnerability scanners and packet analysis tools such as Splunk Stream and the Bro network security monitor.
Traffic size analysis dashboard
Use the Traffic size analysis dashboard to compare traffic data with statistical data to find outliers, traffic that differs from what is normal in your environment. Any traffic data, such as firewall, router, switch, or network flows, can be summarized and viewed on this dashboard.
- Investigate traffic data byte lengths to find connections with large byte counts per request, or that are making a high number of connection attempts with small byte count sizes.
- Use the graph to spot suspicious patterns of data being sent.
- Drill down into the summarized data to look for anomalous source/destination traffic.
Dashboard filters
Use the filters to refine the traffic size events list on the dashboard.
| Filter by | Description | 
|---|---|
| Standard deviation index | The percentage (%) shows the amount of data that will be filtered out if that number of standard deviations is selected. Choose a higher number of deviations to see fewer traffic size anomalies and details, or choose a lower number of deviations to see a greater number of traffic size anomalies and details. | 
| Time range | Select the time range to represent. | 
| Advanced filter | Select this option to see the list of category events that can be filtered for this dashboard. | 
Dashboard panels
Select chart elements or table rows to display raw events. The following table describes the panels for this dashboard.
| Panel | Description | 
|---|---|
| Key indicators | Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. | 
| Traffic size anomalies over time | The chart displays a count of anomalous traffic size in your environment over time. It displays traffic volume greater than the number of standard deviations selected in the filter (2 by default) displayed in a line graph with time as the x-axis and count as the y-axis. | 
| Traffic size details | Table that displays each of the traffic events and related details such as the size of the traffic event in bytes. If there is more than one event from a source IP address, the count column shows how many events are seen. In the bytes column, the minimum, maximum, and average number of bytes for the traffic event are shown. Z indicates the number of standard deviations the traffic event lies from the mean. | 
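The standard deviation index, the percentage shown next to it, and the count/min/max/avg/Z columns all derive from one z-score computation over event byte sizes. The following added example (not part of the original page or of Splunk's own dashboard searches) reproduces that logic on a constructed data set: 18 ordinary 100 kB connections spread over six hosts, plus two 1 MB transfers from one host. The bucket width, field names and the choice of a population standard deviation are assumptions, chosen so the numbers work out exactly.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed traffic events (not real data): 18 ordinary 100 kB connections
# spread over six internal hosts and three hourly buckets, plus two 1 MB
# transfers from 10.0.0.9. _time is seconds since epoch.
HOSTS = ["10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5", "10.0.0.6", "10.0.0.7"]
TRAFFIC = [
    {"_time": 3600 * (i // 6), "src": HOSTS[i % 6], "dest": "93.184.216.34", "bytes": 100_000}
    for i in range(18)
] + [
    {"_time": 3600 * 1, "src": "10.0.0.9", "dest": "198.51.100.2", "bytes": 1_000_000},
    {"_time": 3600 * 2, "src": "10.0.0.9", "dest": "198.51.100.2", "bytes": 1_000_000},
]


def with_zscores(events):
    """Attach z = (bytes - mean) / stdev to each event, using the population
    standard deviation over all events in the selected time range."""
    sizes = [e["bytes"] for e in events]
    mu, sigma = mean(sizes), pstdev(sizes)
    return [dict(e, z=0.0 if sigma == 0 else (e["bytes"] - mu) / sigma) for e in events]


def fraction_filtered(events, threshold=2.0):
    """Share of events hidden at a given standard deviation index: the
    percentage the dashboard shows beside the filter."""
    scored = with_zscores(events)
    return sum(1 for e in scored if e["z"] <= threshold) / len(scored)


def anomalies_over_time(events, threshold=2.0, bucket=3600):
    """Count of events above the threshold per time bucket (the line chart)."""
    counts = defaultdict(int)
    for e in with_zscores(events):
        if e["z"] > threshold:
            counts[e["_time"] // bucket * bucket] += 1
    return dict(sorted(counts.items()))


def traffic_size_details(events, threshold=2.0):
    """One row per source IP with anomalous events: count, min/max/avg bytes
    and the largest z-score seen (the Traffic size details table)."""
    groups = defaultdict(list)
    for e in with_zscores(events):
        if e["z"] > threshold:
            groups[e["src"]].append(e)
    rows = []
    for src, evs in groups.items():
        sizes = [e["bytes"] for e in evs]
        rows.append({
            "src": src,
            "count": len(evs),
            "min_bytes": min(sizes),
            "max_bytes": max(sizes),
            "avg_bytes": mean(sizes),
            "z": max(e["z"] for e in evs),
        })
    return sorted(rows, key=lambda r: r["z"], reverse=True)


if __name__ == "__main__":
    for threshold in (2.0, 4.0):
        print(f"index {threshold}: {fraction_filtered(TRAFFIC, threshold):.0%} of events filtered out")
        print("  anomalies over time:", anomalies_over_time(TRAFFIC, threshold))
        for row in traffic_size_details(TRAFFIC, threshold):
            print(f"  {row['src']}: count={row['count']} bytes={row['min_bytes']}/"
                  f"{row['max_bytes']}/{row['avg_bytes']} z={row['z']:.2f}")
```

With this data the mean is 190,000 bytes and the standard deviation 270,000, so the two 1 MB transfers sit at z = 3.0 and the 100 kB events at roughly -0.33; at the default index of 2 the filter hides 90% of events and the table shows a single row for 10.0.0.9 with count 2, while raising the index to 4 empties the table. Note that a single extreme outlier inflates the standard deviation for everything else, which is why lowering the index (and widening the time range) is the right move when a handful of huge transfers are masking moderate ones.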
DNS activity dashboard
The DNS activity dashboard displays an overview of data relevant to the DNS infrastructure being monitored. The dashboard searches display results based on the time period selected using the dashboard time picker.
Dashboard panels
| Panel | Description | 
|---|---|
| Key indicators | Displays metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. | 
| Top reply codes by unique sources | Displays the top DNS Reply codes observed across hosts. A host initiating a large number of DNS queries to unknown or unavailable domains will report a large number of DNS lookup failures with some successes. That pattern of DNS queries may represent an exfiltration attempt or suspicious activity. The drilldown opens the DNS search dashboard and searches on the selected reply code. | 
| Top DNS query sources | Displays the top DNS query sources on the network. A host sending a large amount of DNS queries may be improperly configured, experiencing technical issues, or represent suspicious activity. The drilldown opens the DNS search dashboard and searches on the selected source IP address. | 
| Top DNS queries | Displays the top 10 DNS queries over time. The drilldown opens the DNS search dashboard and searches on the queried host address. | 
| Queries per domain | Displays the most common queries grouped by domain. An unfamiliar domain receiving a large number of queries from hosts on the network may represent an exfiltration attempt or suspicious activity. The drilldown opens the DNS search dashboard and searches on the queried domain address. | 
| Recent DNS queries | Displays the 50 most recent DNS response queries with added detail. The drilldown opens the DNS search dashboard and searches on the selected queried address. | 
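The reply-code pattern described above (many lookup failures from one host with some successes mixed in) and the queries-per-domain grouping are easy to reproduce from raw DNS response records. The following added example is not part of the original page or of Splunk's own searches; it runs over constructed DNS response events in which one host resolves 17 invented subdomains of a single unfamiliar domain (all NXDOMAIN) alongside a few normal lookups. The failure thresholds and the two-label "registered domain" rule are assumptions: a real deployment would use a public suffix list so that names under co.uk and similar suffixes group correctly.

```python
from collections import Counter, defaultdict

# Reply codes treated as lookup failures (assumption; extend as needed).
FAILURE_CODES = {"NXDOMAIN", "SERVFAIL", "REFUSED"}

# Constructed DNS response events (src, query, reply_code). Not real traffic:
# 10.0.0.5 resolves 17 invented labels under bad-example.net and gets NXDOMAIN
# for all of them, plus three successful lookups of www.example.com.
DNS_EVENTS = (
    [{"src": "10.0.0.5", "query": f"chunk{i:02d}.bad-example.net", "reply_code": "NXDOMAIN"} for i in range(17)]
    + [{"src": "10.0.0.5", "query": "www.example.com", "reply_code": "NOERROR"} for _ in range(3)]
    + [{"src": "10.0.0.7", "query": "mail.example.com", "reply_code": "NOERROR"} for _ in range(5)]
    + [{"src": "10.0.0.9", "query": "www.example.org", "reply_code": "NOERROR"} for _ in range(2)]
    + [{"src": "10.0.0.9", "query": "www.example.org", "reply_code": "SERVFAIL"}]
)


def registered_domain(query):
    """Last two labels of the queried name. Assumption: good enough for
    example.com-style names; a public suffix list is needed for co.uk etc."""
    return ".".join(query.rstrip(".").lower().split(".")[-2:])


def reply_codes_by_unique_sources(events):
    """Reply code -> number of distinct source hosts that received it."""
    seen = defaultdict(set)
    for e in events:
        seen[e["reply_code"]].add(e["src"])
    return {code: len(hosts) for code, hosts in seen.items()}


def top_query_sources(events, n=10):
    """Hosts issuing the most queries, as (src, count) pairs."""
    return Counter(e["src"] for e in events).most_common(n)


def top_queries(events, n=10):
    """Most frequently queried names, as (query, count) pairs."""
    return Counter(e["query"] for e in events).most_common(n)


def queries_per_domain(events):
    """Query count grouped by registered domain."""
    return Counter(registered_domain(e["query"]) for e in events)


def suspicious_query_sources(events, min_failures=10, min_failure_ratio=0.5):
    """Hosts whose lookups mostly fail but that also had at least one success:
    the pattern the Top reply codes panel description associates with
    exfiltration or misconfiguration. Thresholds are assumptions."""
    totals, failures, successes = Counter(), Counter(), Counter()
    for e in events:
        src, code = e["src"], e["reply_code"]
        totals[src] += 1
        if code in FAILURE_CODES:
            failures[src] += 1
        elif code == "NOERROR":
            successes[src] += 1
    flagged = []
    for src, total in totals.items():
        ratio = failures[src] / total
        if failures[src] >= min_failures and ratio >= min_failure_ratio and successes[src] > 0:
            flagged.append({"src": src, "failures": failures[src],
                            "successes": successes[src], "failure_ratio": ratio})
    return sorted(flagged, key=lambda f: f["failure_ratio"], reverse=True)


if __name__ == "__main__":
    print("reply codes by unique sources:", reply_codes_by_unique_sources(DNS_EVENTS))
    print("top query sources:", top_query_sources(DNS_EVENTS, 3))
    print("top queries:", top_queries(DNS_EVENTS, 3))
    print("queries per domain:", dict(queries_per_domain(DNS_EVENTS)))
    for f in suspicious_query_sources(DNS_EVENTS):
        print(f"suspicious: {f['src']} failures={f['failures']} "
              f"successes={f['successes']} ratio={f['failure_ratio']:.0%}")
```

Grouping by registered domain is what makes the pattern visible: the 17 individual subdomain queries each appear once in the Top DNS queries view, but collapse to a single unfamiliar domain with 17 queries in Queries per domain, and the host behind them is the only one with a failure ratio of 85% alongside successful lookups.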
Data sources
The reports in the DNS dashboard use fields in the network resolution data model. Relevant data sources include all devices or users generating DNS protocol traffic on the network captured from vulnerability scanners and packet analysis tools such as Splunk Stream and the Bro network security monitor.
DNS search dashboard
The DNS search dashboard assists in searching DNS protocol data, refined by the search filters. The dashboard is used in ad-hoc searching of DNS data, but is also the primary destination for drilldown searches in the DNS dashboard panels.
The DNS search page displays no results unless it is opened in response to a drilldown action, or you set a filter or time range and select Submit.
| Filter by | Description | 
|---|---|
| Source | Source IP address | 
| Destination | Destination IP address | 
| Query | DNS query | 
| Message type | DNS message type: Query, Response, or All. | 
| Reply Code | DNS reply type: All, All Errors, and a list of common reply codes | 
SSL activity dashboard
The SSL activity dashboard displays an overview of the traffic and connections that use SSL. As an analyst, you can use these dashboards to view and review SSL encrypted traffic by usage without decrypting the payload. The dashboard searches display results based on the time period selected using the dashboard time picker.
Dashboard panels
| Panel | Description | 
|---|---|
| Key indicators | Displays metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. | 
| SSL activity by common name | Displays outbound SSL connections by common name (CN) of the SSL certificate used. An unfamiliar domain receiving a large number of SSL connections from hosts on the network may represent unusual or suspicious activity. The drilldown redirects the page to the SSL search dashboard, and searches on the selected common name. | 
| SSL cloud sessions | Displays the count of active sessions by CN that represents a known cloud service. The CN is compared to a list of cloud service domains pre-configured in the cloud domains lookup file. The drilldown opens the SSL search dashboard and searches on the selected source IP and common name. | 
| Recent SSL sessions | Displays the 50 most recent SSL sessions in a table with additional certificate details. The fields ssl_end_time, ssl_validity_window, and ssl_is_valid use color-coded text for fast identification of expired, short lived, or invalid certificates. The drilldown redirects the page to the SSL search dashboard and displays the full details of the selected event. | 
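The three SSL activity panels reduce to a few checks on certificate metadata that the sensor records without decrypting anything: direction of the session, the subject common name against a cloud-domain lookup, and the certificate's validity window and validity verdict. The following added example (not part of the original page or of Splunk's dashboards) applies those checks to constructed session records. The internal address ranges, the cloud domain list, the 30-day "short lived" cutoff and the fixed "now" are all assumptions standing in for the lookup files and time picker of a real deployment.

```python
from collections import Counter
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Assumptions standing in for deployment configuration.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CLOUD_DOMAINS = ["amazonaws.com", "blob.core.windows.net", "googleapis.com"]  # stand-in for the cloud domains lookup
SHORT_LIVED_DAYS = 30                                   # assumed cutoff for "short lived"
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)         # fixed clock for reproducibility

# Constructed SSL session records (not real traffic). Times are ISO 8601 with
# an explicit UTC offset; ssl_is_valid is the sensor's chain-validation verdict.
SESSIONS = [
    {"src": "10.0.0.5", "dest": "93.184.216.34", "ssl_subject_common_name": "www.example.com",
     "ssl_start_time": "2024-01-01T00:00:00+00:00", "ssl_end_time": "2025-01-01T00:00:00+00:00", "ssl_is_valid": True},
    {"src": "10.0.0.7", "dest": "52.1.2.3", "ssl_subject_common_name": "*.s3.amazonaws.com",
     "ssl_start_time": "2024-03-01T00:00:00+00:00", "ssl_end_time": "2025-03-01T00:00:00+00:00", "ssl_is_valid": True},
    {"src": "10.0.0.9", "dest": "198.51.100.7", "ssl_subject_common_name": "update-service.example.net",
     "ssl_start_time": "2024-05-25T00:00:00+00:00", "ssl_end_time": "2024-06-04T00:00:00+00:00", "ssl_is_valid": False},
    {"src": "10.0.0.5", "dest": "203.0.113.9", "ssl_subject_common_name": "old.example.org",
     "ssl_start_time": "2023-01-01T00:00:00+00:00", "ssl_end_time": "2024-01-01T00:00:00+00:00", "ssl_is_valid": True},
    {"src": "10.0.0.5", "dest": "10.0.0.25", "ssl_subject_common_name": "intranet.corp.local",
     "ssl_start_time": "2024-01-01T00:00:00+00:00", "ssl_end_time": "2025-01-01T00:00:00+00:00", "ssl_is_valid": True},
]


def _t(iso):
    return datetime.fromisoformat(iso)


def validity_window_days(session):
    """Certificate lifetime in whole days (the ssl_validity_window field)."""
    return (_t(session["ssl_end_time"]) - _t(session["ssl_start_time"])).days


def certificate_flags(session, now=NOW, short_lived_days=SHORT_LIVED_DAYS):
    """The conditions the Recent SSL sessions panel colour-codes. Several can
    apply at once, so a list is returned; empty means nothing to highlight."""
    flags = []
    if not session["ssl_is_valid"]:
        flags.append("invalid")
    if _t(session["ssl_end_time"]) < now:
        flags.append("expired")
    if _t(session["ssl_start_time"]) > now:
        flags.append("not yet valid")
    if validity_window_days(session) < short_lived_days:
        flags.append("short lived")
    return flags


def _is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def is_outbound(session):
    """Internal source talking to an external destination."""
    return _is_internal(session["src"]) and not _is_internal(session["dest"])


def ssl_activity_by_common_name(sessions):
    """Outbound session count per certificate CN (SSL activity by common name panel)."""
    return Counter(s["ssl_subject_common_name"] for s in sessions if is_outbound(s))


def matches_cloud_domain(cn, cloud_domains=CLOUD_DOMAINS):
    """True if the CN equals or is a subdomain of a listed cloud domain.
    A leading wildcard label is dropped before matching."""
    host = cn.lower()
    if host.startswith("*."):
        host = host[2:]
    return any(host == d or host.endswith("." + d) for d in cloud_domains)


def ssl_cloud_sessions(sessions):
    """Session count per CN that matches the cloud domain list (SSL cloud sessions panel)."""
    return Counter(s["ssl_subject_common_name"] for s in sessions
                   if matches_cloud_domain(s["ssl_subject_common_name"]))


def recent_ssl_sessions(sessions, n=50):
    """The most recent n sessions with validity window and flags attached."""
    return [dict(s, ssl_validity_window=validity_window_days(s), flags=certificate_flags(s))
            for s in sessions[-n:]]


if __name__ == "__main__":
    print("outbound by CN:", dict(ssl_activity_by_common_name(SESSIONS)))
    print("cloud sessions:", dict(ssl_cloud_sessions(SESSIONS)))
    for row in recent_ssl_sessions(SESSIONS):
        print(f"{row['src']} -> {row['dest']} CN={row['ssl_subject_common_name']} "
              f"window={row['ssl_validity_window']}d flags={row['flags'] or '-'}")
```

The suffix match is deliberately anchored on a dot boundary so that a look-alike such as notamazonaws.com never counts as a cloud session, and the internal-range check is explicit rather than relying on a library's notion of "private", because the documentation ranges used in sample data (198.51.100.0/24, 203.0.113.0/24) are classified as special-purpose by some libraries and would silently drop out of the outbound view.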
Data sources
The reports in the SSL activity dashboard use fields in the certificates data model. Relevant data sources include all devices or users generating SSL protocol traffic on the network captured from vulnerability scanners and packet analysis tools such as Splunk Stream and the Bro network security monitor.
SSL search dashboard
The SSL search dashboard assists in searching SSL protocol data, refined by the search filters. The dashboard is used in ad-hoc searching of SSL protocol data, but is also the primary destination for drilldown searches in the SSL activity dashboard panels.
The SSL search page displays no results unless it is opened in response to a drilldown action, or you set a filter or time range and select Submit.
| Filter by | Description | 
|---|---|
| Source | Source IP address. | 
| Destination | Destination IP address. | 
| Subject/Issuer | Subject or issuer fields. | 
| Subject/Issuer common name | Common name retrieved from the x.509 certificate subject or issuer fields. | 
| Certificate serial number | The x.509 certificate serial number field. | 
| Certificate hash | The x.509 certificate signature field. | 
Email activity dashboard
The Email activity dashboard displays an overview of data relevant to the email infrastructure being monitored. The dashboard searches display results based on the time period selected using the dashboard time picker.
Dashboard panels
| Panel | Description | 
|---|---|
| Key indicators | Displays metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. | 
| Top email sources | Displays the hosts generating the most email protocol traffic. A host sending excessive amounts of email on the network may represent unusual or suspicious activity. Periodicity visible in a host's sparkline may indicate a scripted action. The drilldown opens the email search dashboard and searches on the selected source IP. | 
| Large emails | Displays the hosts sending emails larger than 2 MB. A host that repeatedly sends large emails may represent suspicious activity or data exfiltration. The drilldown opens the email search dashboard and searches on the selected source IP. | 
| Rarely seen senders | Displays sender email addresses that infrequently send email. An address that represents a service account or non-user sending email may indicate suspicious activity or a phishing attempt. The drilldown opens the email search dashboard and searches on the selected sender. | 
| Rarely seen receivers | Displays receiver email addresses that infrequently receive email. An address that represents a service account or non-user receiving email may indicate suspicious activity or a phishing attempt. The drilldown opens the email search dashboard and searches on the selected recipient. | 
Data sources
The reports in the Email activity dashboard use fields in the email data model. Relevant data sources include all the devices or users generating email protocol traffic on the network captured from vulnerability scanners and packet analysis tools such as Splunk Stream and the Bro network security monitor.
Email search dashboard
The Email search dashboard assists in searching email protocol data, refined by the search filters. The dashboard is used in ad-hoc searching of email protocol data, but is also the primary destination for drilldown searches used in the email activity dashboard panels.
The Email search page displays no results unless it is opened in response to a drilldown action, or you set a filter or time range and select Submit.
| Filter by | Description | 
|---|---|
| Email protocol | The email communication protocol. | 
| Source | Source IP address. | 
| Sender | The sender's email address. | 
| Destination | Destination IP address. | 
| Recipient | The recipient's email address. | 
Troubleshooting protocol intelligence dashboards
The Protocol intelligence dashboards use packet capture data from apps such as Splunk Stream and the Splunk Add-on for Bro IDS. Without applicable data, the dashboards remain empty. For an overview of Splunk Stream Integration with Splunk Enterprise Security, see Integrate Splunk Stream with Splunk Enterprise Security in the Enterprise Security Installation and Upgrade Manual. See Troubleshoot dashboards that are not populating in Splunk Enterprise Security in Administer Splunk Enterprise Security.