Splunk Enterprise Security

How to track inbound and outbound traffic from firewall logs

ashferns08
Engager

Hi helpful people,

I am trying to create a use case which will monitor source and destination traffic(like both communicating with each other)

For eg, malicious src connecting with internal IP's and Internal Ip's responding back to the same destination.

The idea is monitor internal sources that communicating outside and outside responding back to same source and to record the bytes_out, bytes_out and port details.

0 Karma
1 Solution

jawaharas
Motivator

The 'ES Content Updates' great Splunk app for various security tactics, techniques, and methodologies that help with detection, investigation, and response. For your use case, below Analytic Story might help you.

-->Prohibited Traffic Allowed or Protocol Mismatch

View solution in original post

0 Karma

jawaharas
Motivator

The 'ES Content Updates' great Splunk app for various security tactics, techniques, and methodologies that help with detection, investigation, and response. For your use case, below Analytic Story might help you.

-->Prohibited Traffic Allowed or Protocol Mismatch

0 Karma

jawaharas
Motivator

@ashferns08
If my answer helped you, please accept and/or upvote it!

0 Karma

ashferns08
Engager

Hi Jawaharas, Thank you for the update. however i don't have permissions to install more apps on splunk we are running. Thank you though

Get Updates on the Splunk Community!

Platform Highlights | November 2022 Newsletter

 November 2022 Skill Up on Splunk with our New Builder Tech Talk SeriesCan you build it? Yes you can! *play ...

Splunk Education - Fast Start Program!

Welcome to Splunk Education! Splunk training programs are designed to enable you to get started quickly and ...

Five Subtly Different Ways of Adding Manual Instrumentation in Java

You can find the code of this example on GitHub here. Please feel free to star the repository to keep in ...