Skip to main content
Splunk Lantern

Monitoring employee network traffic

You are concerned about employees accidentally accessing malicious websites that can damage your network, such as attacker-controlled domains that are hubs for command and control communications and for data exfiltration. You want to monitor internet usage for traffic to new domains on the hypothesis that never-before-seen domains are the ones most likely to pose a threat.

You can use Splunk software to establish baselines and lookup tables of the domains typically accessed by your network users. You can then construct searches to compare daily usage against those baselines and alerts to notify you of anomalies.

Data required 

How to use Splunk software for this use case

You can run many searches with Splunk software to monitor for connections to new domains. Depending on what information you have available, you might find it useful to identify some or all of the following: 

Next steps

To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case: 

  • Establishing internet usage policies
  • Configuring firewalls
  • Creating blocklists and allowlists

Measuring impact and benefit is critical to assessing the value of security operations. The following are example metrics that can be useful to monitor when implementing this use case:

  • Malicious domains identified: The number of domains alerted on that posed a threat

The content in this use case comes from a previously published blog, one of the thousands of Splunk resources available to help users succeed. These additional Splunk resources might help you understand and implement this specific use case:

Still need help with this use case? Most customers have OnDemand Services per their license support plan. Engage the ODS team at if you require assistance.