Volume of network traffic from one user
While monitoring your network traffic for volume outliers, excessive data from one user catches your eye. You want to investigate that user's activity.
Data required
Procedure
This sample search uses Palo Alto Networks data. You can replace this source with any other firewall data used in your organization.
Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype="pan:traffic" (src_ip=<IP address of user> OR dest_ip=<IP address of user>) | stats count AS event_count sum(bytes_in) AS bytes_in sum(bytes_out) AS bytes_out sum(bytes) as bytes_total by src_ip dest_ip | eval mb_in=round((bytes_in/1024/1024),2) | eval mb_out=round((bytes_out/1024/1024),2) | eval mb_total=round((bytes_total/1024/1024),2) | fields - bytes* | sort - mb_total | head 10
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
|
|
Search only Palo Alto Networks data. |
|
|
Search for events with the IP address of the user you are investigating as the source or destination. |
|
|
Group the events by unique source and destination IP address connections, count the number of times each connection occurred, and show the result in an |
|
|
Convert |
|
|
Remove any field with bytes in the name from the results. |
|
|
Sort the results so the event with the highest total megabyte count appears first. |
|
|
Limit the results to the top 10. |
Next steps
The results show the top 10 talkers between the user under investigation and other systems. You can investigate the connections and drill further into each of them as needed.
You might also be interested in other processes associated with the Monitoring for network traffic outliers use case.