Network communication data
Network monitoring is essential for detecting threats originating from both outside and inside the network. Network communication data is a record of the traffic that crosses core networks and data centers, as well as distribution networks, WAN connections, and local area networks. It can be collected at the network perimeter (for example, from IDS/IPS or firewall logs), from internal networks (for example, WANs and remote offices), and from sources such as NetFlow, packet capture, deep packet inspection, and endpoint forensic data. Logs you might want to collect and analyze include the following:
- Basic traffic logs. Network activity data can be recorded by many technologies, including host operating systems, firewalls, switches, routers, intrusion detection and prevention systems, and wire data sources. At a minimum, each event record should include the source IP address, source port, destination IP address, destination port, and the transport protocol used (the 5-tuple that identifies a flow). A timestamp and the action taken (allowed or blocked) make the record far more useful during an investigation.
- Application-aware traffic logs. Application-aware firewalls (firewalls that go beyond monitoring ports and protocols) and application-aware wire data sources such as Splunk Stream, Zeek (formerly Bro), or a network analysis solution such as ExtraHop can inspect the contents of network traffic at the application layer, so the record identifies the application (for example, HTTP, DNS, or TLS) rather than only the port.
- User-aware traffic logs. Knowing the user identity and group membership behind a connection is critical to securing access to resources and data. Traditionally, firewalls monitor traffic by IP address and are unaware of the user and computer identities behind those addresses. Traffic logs from a user-aware device, such as a next-generation firewall, map those IP addresses to user and computer identities.
In the Common Information Model, network communication data is typically mapped to the Network Traffic data model.
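As an added example (not code from the original page, from Splunk, or from any of the add-ons listed below), the following Python script shows what the three log types above look like once normalized onto Common Information Model Network Traffic field names (src_ip, src_port, dest_ip, dest_port, transport, action, app, user), and runs one detection across all of them. The input lines are constructed sample data in formats chosen for illustration (an iptables-style 5-tuple log, a Zeek-style conn.log row, and a key=value next-generation firewall log); the regular expressions, hosts, the user CORP\jsmith, and the port-scan threshold are assumptions, not a real add-on's field extractions.

```python
"""Added example: normalize constructed network log lines onto Splunk CIM
Network Traffic field names and run a simple detection over the result.
Formats, hosts, users and thresholds are assumptions for illustration."""
import re
from collections import defaultdict

# Constructed sample records (not real traffic). One format per log type.
SAMPLE_LINES = [
    # Basic 5-tuple traffic log, iptables-style key=value fields
    "fw01 kernel: DROP IN=eth0 SRC=10.1.1.5 DST=192.168.2.10 PROTO=TCP SPT=51000 DPT=22",
    "fw01 kernel: DROP IN=eth0 SRC=10.1.1.5 DST=192.168.2.10 PROTO=TCP SPT=51001 DPT=23",
    "fw01 kernel: DROP IN=eth0 SRC=10.1.1.5 DST=192.168.2.10 PROTO=TCP SPT=51002 DPT=80",
    "fw01 kernel: ACCEPT IN=eth0 SRC=10.1.1.7 DST=192.168.2.20 PROTO=UDP SPT=40000 DPT=53",
    # Application-aware record, Zeek-style conn.log columns:
    # ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  service
    "1700000000.123\tCabc1\t10.1.1.5\t51003\t192.168.2.10\t443\ttcp\tssl",
    # User-aware NGFW record (constructed key=value layout) with app and user
    "ngfw action=allow src=10.1.1.5 spt=51004 dst=192.168.2.10 dpt=3389 "
    "proto=tcp app=ms-rdp user=CORP\\jsmith",
]

# Field extractions for the two key=value formats (assumed layouts).
FW_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) .*?SRC=(?P<src_ip>\S+) DST=(?P<dest_ip>\S+) "
    r"PROTO=(?P<transport>\S+) SPT=(?P<src_port>\d+) DPT=(?P<dest_port>\d+)"
)
NGFW_RE = re.compile(
    r"action=(?P<action>\w+) src=(?P<src_ip>\S+) spt=(?P<src_port>\d+) "
    r"dst=(?P<dest_ip>\S+) dpt=(?P<dest_port>\d+) proto=(?P<transport>\w+)"
    r"(?: app=(?P<app>\S+))?(?: user=(?P<user>\S+))?"
)
# Vendor action strings -> CIM Network Traffic action values
ACTION_MAP = {"ACCEPT": "allowed", "DROP": "blocked", "allow": "allowed", "deny": "blocked"}


def normalize(line):
    """Map one raw line onto CIM Network Traffic field names.

    Returns None when the line does not carry the minimum 5-tuple, because a
    record without it cannot be correlated with other data model events.
    """
    m = FW_RE.search(line) or NGFW_RE.search(line)
    if m:
        ev = {k: v for k, v in m.groupdict().items() if v is not None}
    elif "\t" in line:  # Zeek-style tab-separated row
        cols = line.split("\t")
        if len(cols) < 7:
            return None
        ev = {"src_ip": cols[2], "src_port": cols[3], "dest_ip": cols[4],
              "dest_port": cols[5], "transport": cols[6]}
        if len(cols) > 7 and cols[7] != "-":
            ev["app"] = cols[7]  # the service column names the application
    else:
        return None
    ev["src_port"] = int(ev["src_port"])
    ev["dest_port"] = int(ev["dest_port"])
    ev["transport"] = ev["transport"].lower()
    if "action" in ev:
        ev["action"] = ACTION_MAP.get(ev["action"], ev["action"].lower())
    return ev


def normalize_all(lines):
    """Normalize a batch of lines, dropping records that fail to parse."""
    return [ev for ev in map(normalize, lines) if ev is not None]


def port_scan_sources(events, threshold=3):
    """Sources that touched at least `threshold` distinct dest ports on one host.

    Once every source is on the same field names, a detection like this runs
    across firewall, Zeek and NGFW events together; the threshold is an
    assumed tuning value, not a recommended one.
    """
    ports = defaultdict(set)
    for ev in events:
        ports[(ev["src_ip"], ev["dest_ip"])].add(ev["dest_port"])
    return sorted({src for (src, _), ps in ports.items() if len(ps) >= threshold})


if __name__ == "__main__":
    events = normalize_all(SAMPLE_LINES)
    for ev in events:
        print(ev)
    print("possible port scan from:", port_scan_sources(events))
```

The point of the normalization step is that the detection never has to know which device produced a record: the Zeek row contributes the application name, the NGFW row contributes the user, and the basic firewall rows contribute only the 5-tuple and action, yet all five connections from 10.1.1.5 count toward the same per-host port tally.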
Common data sources
- Dell EMC Isilon App for Splunk Enterprise
- Splunk Add-on for Linux
- Splunk App for Stream
- PCAP Analyzer for Splunk
- Zeek App for Splunk
- NetFlow and SNMP Analytics for Splunk
- Simple SNMP Getter
- Arista Networks Telemetry For Splunk
- Splunk Add-on for Forcepoint Web Security
- Splunk Add-on for McAfee Web Gateway
- Splunk Add-on for Cisco WSA
- Cisco Networks Add-on for Splunk Enterprise
- Splunk Add-on for Websense DLP
- Technology Add-on for Cisco Secure Access Control Server (ACS)
- Aruba Networks Add-on for Splunk
Use cases for the Splunk platform
- Complying with the Markets in Financial Instruments Directive II
- Monitoring NIST SP 800-53 rev5 control families
- Detecting AWS network ACL activity
- Managing Cisco IOS devices
- Recovering lost visibility of IT infrastructure
- Detecting software supply chain attacks
- Investigating a ransomware attack
- Analyzing wire data from databases
Use cases for Splunk security products
Be sure to explore the Splunk Security Content site to see what detections you can run in Splunk Enterprise Security with network communication data.