Network traffic patterns between a source-destination pair
You hypothesize that a network user only accesses a certain external website sporadically. You want to see when those connections occur and how much each occurrence contributes to the overall bytes out from that source to the destination.
Data required
Procedure
This sample search uses Fortinet FortiGate data. You can replace this source with any other firewall data used in your organization.
Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype=fgt_traffic src=<IP address sending the request> dest=<IP address receiving the request> bytes_out>0 | sort date | streamstats sum(bytes_out) AS total_bytes_out BY src | table date bytes_out total_bytes_out
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Splunk Search | Explanation |
---|---|
sourcetype=fgt_traffic |
Search only Fortinet FortiGate network traffic data. |
src=<IP address sending the request> |
Search data coming from this IP address. |
dest=<IP address receiving the request> |
Search data going to this IP address. Logs vary in the information they contain. Not all logs have hostnames or IP addresses. Sometimes the dest field will have a hostname in it but sometimes it will have an IP address. Parentheses and OR statements will broaden your search so you don’t miss anything. Example: Example: |
bytes_out>0 |
Exclude results that do not have any outgoing traffic. |
| sort date |
Sort the results with the oldest date first. |
| streamstats sum(bytes_out) AS total_bytes_out BY src |
Stream a running total volume of bytes_out for all preceding events and display in a total_bytes_out column. |
| table date bytes_out total_bytes_out |
Display the results in a table with columns in the order shown. |
Next steps
The results display the total bytes out for the destination on each day and a cumulative bytes out for the time range you selected. Selecting the Visualizations tab and displaying the results in an area chart or a line chart can give you a quicker understanding of the network communication pattern between the source and the destination. You can compare these results to those of network users who your baselines show should have similar usage patterns to start to understand if there is anything unusual happening.
You might also be interested in other processes associated with the Monitoring for network traffic outliers use case.