Splunk Lantern

Network communication data


Network monitoring is essential for detecting threats that originate both outside and inside the network. Network communication data is a record of the communication associated with core networks and data centers, but also with distribution networks, WAN connections, and local area networks. It can be collected at the network perimeter (for example, IDS/IPS or firewall logs), from internal networks (for example, WANs and remote offices), and from NetFlow, packet capture, deep packet inspection, and endpoint forensic data. Logs you might want to collect and analyze include the following:

  • Basic traffic logs. Network activity data can be recorded by many technologies including host operating systems, firewalls, switches, routers, intrusion detection and prevention systems, and wire data sources. At a minimum, the event record should include the source IP address, source port number, destination IP address, destination port number, and the protocol used.
  • Application-aware traffic logs. Application-aware firewalls, or firewalls that go beyond just monitoring ports and protocols, and application-aware wire data sources like Splunk Stream, Bro/Zeek, or a network analysis solution like ExtraHop are capable of inspecting the contents of network traffic at the application level.
  • User-aware traffic logs. Awareness of user identity and group information is critical to secure access to resources and data. Traditionally, firewalls use IP addresses to monitor traffic and are unaware of the user and computer identities behind those IP addresses. Traffic logs from a user-aware device, such as a next-generation firewall, map users and computer identities.

In the Common Information Model, network communication data is typically mapped to the Network Traffic data model.
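To make the minimum field set and the CIM mapping concrete, the following added example (not Splunk's own code) normalizes constructed network log records into the Network Traffic data model's field names and flags records that lack one of the five minimum attributes. The vendor key names, the two sample formats, and the sample lines are all invented for illustration.

```python
"""Normalize constructed network log records to Splunk CIM Network Traffic
field names and report which minimum fields each record is missing.
Added example; vendor key names and sample lines are constructed."""
import re

# CIM Network Traffic field names for the five attributes the page calls minimal.
MINIMUM_CIM_FIELDS = ("src", "src_port", "dest", "dest_port", "transport")

# Hypothetical mapping from two invented vendor schemas to CIM field names.
FIELD_ALIASES = {
    "srcip": "src", "sport": "src_port", "dstip": "dest", "dport": "dest_port",
    "proto": "transport",                      # key=value firewall style
    "sa": "src", "sp": "src_port", "da": "dest", "dp": "dest_port",
    "pr": "transport",                         # short NetFlow-style names
}
PROTO_NUMBERS = {"6": "tcp", "17": "udp", "1": "icmp"}  # IANA protocol numbers

def parse_kv(line):
    """Parse a space-separated key=value line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def to_cim(raw):
    """Rename vendor keys to CIM names; normalize transport and port types."""
    event = {FIELD_ALIASES.get(k, k): v for k, v in raw.items()}
    if "transport" in event:
        t = event["transport"]
        event["transport"] = PROTO_NUMBERS.get(t, t).lower()
    for port in ("src_port", "dest_port"):
        if port in event:
            event[port] = int(event[port])
    return event

def missing_minimum(event):
    """Return the minimum CIM fields absent from a normalized event."""
    return [f for f in MINIMUM_CIM_FIELDS if f not in event]

# Constructed sample records: two firewall-style lines and one NetFlow-style line.
SAMPLE_LINES = [
    "action=allow srcip=10.1.2.3 sport=51234 dstip=203.0.113.7 dport=443 proto=TCP",
    "sa=10.1.2.9 sp=53022 da=198.51.100.4 dp=53 pr=17",
    "action=deny srcip=10.1.2.3 dstip=203.0.113.8 proto=ICMP",   # ports absent
]

def normalize_all(lines=SAMPLE_LINES):
    """Return (normalized_event, missing_fields) pairs for each raw line."""
    return [(ev, missing_minimum(ev)) for ev in (to_cim(parse_kv(l)) for l in lines)]

if __name__ == "__main__":
    for event, missing in normalize_all():
        print(event, "MISSING" if missing else "ok", missing)
```

Records that come back with a non-empty missing list are the ones whose source needs a better extraction or field alias before they will populate the data model correctly.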

Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion: 

Use cases for Splunk security products

Be sure to explore the Splunk Security Content site to see what detections you can run in Splunk Enterprise Security with network communication data.