Splunk Enterprise Security

How to track inbound and outbound traffic from firewall logs

ashferns08
Engager

Hi helpful people,

I am trying to create a use case which will monitor source and destination traffic(like both communicating with each other)

For eg, malicious src connecting with internal IP's and Internal Ip's responding back to the same destination.

The idea is monitor internal sources that communicating outside and outside responding back to same source and to record the bytes_out, bytes_out and port details.

0 Karma
1 Solution

jawaharas
Motivator

The 'ES Content Updates' great Splunk app for various security tactics, techniques, and methodologies that help with detection, investigation, and response. For your use case, below Analytic Story might help you.

-->Prohibited Traffic Allowed or Protocol Mismatch

View solution in original post

0 Karma

jawaharas
Motivator

The 'ES Content Updates' great Splunk app for various security tactics, techniques, and methodologies that help with detection, investigation, and response. For your use case, below Analytic Story might help you.

-->Prohibited Traffic Allowed or Protocol Mismatch

View solution in original post

0 Karma

jawaharas
Motivator

@ashferns08
If my answer helped you, please accept and/or upvote it!

0 Karma

ashferns08
Engager

Hi Jawaharas, Thank you for the update. however i don't have permissions to install more apps on splunk we are running. Thank you though

Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!