Skip to main content
Splunk Lantern

Using protocol intelligence in Enterprise Security


You are concerned about network activity in your organization. You want a consistent and reliable method to: 

  • Monitor suspicious network traffic
  • Correlate logged versus actual activity
  • Gain direct access to network traffic for SSL, HTTP, DNS, and SMTP
  • Configure correlation searches that can monitor network traffic


Protocol intelligence, part of the Splunk Enterprise Security suite of security intelligence tools, helps you analyze network activity by protocol. It can be used in organizational defense against the exploitation and installation phases of the cyber kill chain

Getting protocol intelligence data in

A best practice for capturing network traffic is to use the Splunk App for Stream. This app is deployed on forwarders and listens to traffic. That traffic data is forwarded to indexers and made available to Splunk Enterprise Security. Splunk Stream events in the notable index are stored with the orig_sourcetype field as stream:xxxx (for example, stream:tcp or stream:http). Standard fields are extracted, as well as additional fields for the specific source type, such as the following:

  • HTTP: cookies, request parameters
  • SMTP: sender, receiver, subject, summary of body
  • DNS: DNS query, query type, DNS host

Captured data does not include message content unless specifically configured. See the Splunk Stream manual for more information.

Analyzing protocol intelligence data

Protocol intelligence includes a number of dashboards specially designed to assist with analysis of this data. 

  • The Protocol Center displays an overview of security-relevant network protocol data and provides a quick glance into potential issues. For example, an exploited protocol might display a disproportionate number of connections for its service type.
  • The Traffic Size Analysis dashboard lets you compare traffic data with statistical data to find outliers. It displays traffic data from firewalls, routers, switches, or network flows.
  • The DNS Activity dashboard displays an overview of data relevant to the DNS infrastructure being monitored. This dashboard also include a search interface.
  • The SSL Activity dashboard provides an overview of the traffic and connections that use SSL. You can use these dashboards to view and review SSL encrypted traffic by usage, without decrypting the payload. This dashboard also include a search interface.
  • The Email Activity dashboard provides an overview of the data relevant to the email infrastructure being monitored. You can use the data to find suspect emails including, top email sources, large emails, and rare senders or receivers. This dashboard also include a search interface.

Next steps

If you found this article useful and want to advance your skills, Splunk Education offers a 13.5-hour, instructor-led course on using Splunk Enterprise Security. The hands-on labs in the course will teach you how to:

  • Security monitoring and incident investigation
  • Risk-based alerting
  • Assets and identities
  • Security domain dashboards
  • User intelligence
  • Web intelligence
  • Threat intelligence
  • Protocol intelligence

Click here for the course catalog where you can read the details about this and other Splunk Enterprise Security courses, as well as register.