Splunk Lantern

Volume of network traffic from one user


While monitoring your network traffic for volume outliers, excessive data from one user catches your eye. You want to investigate that user's activity.

Data required 

Firewall data

Procedure

This sample search uses Palo Alto Networks data. You can replace this source with any other firewall data used in your organization.

Run the following search. You can optimize it by specifying an index and adjusting the time range.

sourcetype="pan:traffic" (src_ip=<IP address of user> OR dest_ip=<IP address of user>)
| stats count AS event_count sum(bytes_in) AS bytes_in sum(bytes_out) AS bytes_out sum(bytes) as bytes_total by src_ip dest_ip
| eval mb_in=round((bytes_in/1024/1024),2)  
| eval mb_out=round((bytes_out/1024/1024),2) 
| eval mb_total=round((bytes_total/1024/1024),2)
| fields - bytes*
| sort - mb_total
| head 10

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk search | Explanation

sourcetype="pan:traffic" 

Search only Palo Alto Networks data.

(src_ip=<IP address of user> OR dest_ip=<IP address of user>)

Search for events with the IP address of the user you are investigating as the source or destination.

| stats count AS event_count sum(bytes_in) AS bytes_in sum(bytes_out) AS bytes_out sum(bytes) as bytes_total by src_ip dest_ip

Group the events by unique source and destination IP address pair, count how many times each connection occurred, and show the result in an event_count column. For each connection, sum the bytes_in, bytes_out, and bytes fields into bytes_in, bytes_out, and bytes_total.

| eval mb_in=round((bytes_in/1024/1024),2)  

Convert bytes_in to megabytes, rounded to two decimal places, and display in a column called mb_in.

| fields - bytes*

Remove any field with bytes in the name from the results.

| sort - mb_total

Sort the results so the connection with the highest mb_total value appears first.

| head 10

Limit the results to the top 10.
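To see what this pipeline does to the data, here is an added Python example (not Splunk's or Lantern's code) that runs the same filter, aggregation, conversion, and ranking over a constructed set of firewall records. The records use the same field names as the search (src_ip, dest_ip, bytes_in, bytes_out, bytes); the sample values are made up, and the bytes field is derived as bytes_in + bytes_out here only for the sample.

```python
"""Reproduce the Lantern search outside Splunk: filter constructed
firewall records for one user IP and rank peer connections by MB."""
from collections import defaultdict

# Constructed sample records (not real firewall data). Field names follow
# the fields the SPL search uses; "bytes" is filled in below for the sample.
SAMPLE_TRAFFIC = [
    {"src_ip": "10.0.0.5", "dest_ip": "203.0.113.10", "bytes_in": 1_048_576, "bytes_out": 2_097_152},
    {"src_ip": "10.0.0.5", "dest_ip": "203.0.113.10", "bytes_in": 524_288, "bytes_out": 524_288},
    {"src_ip": "198.51.100.7", "dest_ip": "10.0.0.5", "bytes_in": 0, "bytes_out": 10_485_760},
    {"src_ip": "10.0.0.5", "dest_ip": "192.0.2.1", "bytes_in": 100, "bytes_out": 200},
    # A different user; the src/dest filter must drop this record.
    {"src_ip": "10.0.0.9", "dest_ip": "203.0.113.10", "bytes_in": 99_999_999, "bytes_out": 1},
]
for record in SAMPLE_TRAFFIC:
    record["bytes"] = record["bytes_in"] + record["bytes_out"]


def top_talkers(records, user_ip, limit=10):
    """Equivalent of the SPL pipeline: keep events where user_ip is the source
    or destination, stats count/sum by (src_ip, dest_ip), convert to MB rounded
    to two decimals, sort descending by mb_total, and return the first `limit`."""
    groups = defaultdict(lambda: {"event_count": 0, "bytes_in": 0, "bytes_out": 0, "bytes_total": 0})
    for r in records:
        if user_ip not in (r["src_ip"], r["dest_ip"]):
            continue  # same effect as (src_ip=<IP> OR dest_ip=<IP>)
        g = groups[(r["src_ip"], r["dest_ip"])]
        g["event_count"] += 1
        g["bytes_in"] += r["bytes_in"]
        g["bytes_out"] += r["bytes_out"]
        g["bytes_total"] += r["bytes"]
    rows = []
    for (src, dst), g in groups.items():
        rows.append({
            "src_ip": src, "dest_ip": dst, "event_count": g["event_count"],
            "mb_in": round(g["bytes_in"] / 1024 / 1024, 2),
            "mb_out": round(g["bytes_out"] / 1024 / 1024, 2),
            "mb_total": round(g["bytes_total"] / 1024 / 1024, 2),
        })
    rows.sort(key=lambda row: row["mb_total"], reverse=True)  # | sort - mb_total
    return rows[:limit]                                        # | head 10


if __name__ == "__main__":
    for row in top_talkers(SAMPLE_TRAFFIC, "10.0.0.5"):
        print(row)
```

Note that the inbound connection from 198.51.100.7 ranks first even though the user initiated fewer events with it, which is why the search matches the user's IP in both src_ip and dest_ip.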

Next steps

The results show the top 10 talkers between the user under investigation and other systems. You can investigate the connections and drill further into each of them as needed. 

You might also be interested in other processes associated with the Monitoring for network traffic outliers use case.