Getting Data In

How do you use NetFlow to detect traffic spikes over a 10 min window by src_ip?

honey4sec
Explorer

Hi,

I am currently trying to create a search that looks at NetFlow data from all our hosts using a specified port 389

The value(traffic) is not fixed as some of our hosts have a normal hight chattiness using LDAP.

So my problem is that I haven't figured out how to create a search that's able to find the spikes in traffic.

What i do is trying to count packets, and say if the volume is doubled within the timewindow of 10 minutes, create an alert for that one host(src_ip)

Any tips or tricks?

I did try creating a search using moving average but the visual representation was all mumbled using timechart.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...