You might want to look at the volume of traffic related to a certain user's network connections when doing the following:
Prerequisites
In order to execute this procedure in your environment, the following data, services, or apps are required:
Example
While monitoring your network traffic for volume outliers, excessive data from one user catches your eye. You want to investigate that user's activity.
NOTE: To optimize the search shown below, you should specify an index and a time range. In addition, this sample search uses Palo Alto Networks data. You can replace this source with any other network traffic data used in your organization.
- Run the following search:
sourcetype="pan:traffic" (src_ip=<IP address of user> OR dest_ip=<IP address of user>)
| stats count AS event_count sum(bytes_in) AS bytes_in sum(bytes_out) AS bytes_out sum(bytes) AS bytes_total by src_ip dest_ip
| eval mb_in=round((bytes_in/1024/1024),2)
| eval mb_out=round((bytes_out/1024/1024),2)
| eval mb_total=round((bytes_total/1024/1024),2)
| fields - bytes*
| sort - mb_total
| head 10
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| sourcetype="pan:traffic" | Search only Palo Alto Networks data. |
| (src_ip=<IP address of user> OR dest_ip=<IP address of user>) | Search for events with the IP address of the user you are investigating as the source or destination. |
| \| stats count AS event_count sum(bytes_in) AS bytes_in sum(bytes_out) AS bytes_out sum(bytes) AS bytes_total by src_ip dest_ip | Group the events by unique source and destination IP address connections, count the number of times each connection occurred, and show the result in an event_count column. Sum the bytes in, bytes out, and bytes total for each set of events. |
| \| eval mb_in=round((bytes_in/1024/1024),2) | Convert bytes_in to megabytes, rounded to two decimal places, and display the value in a column called mb_in. |
| \| eval mb_out=round((bytes_out/1024/1024),2) | Convert bytes_out to megabytes, rounded to two decimal places, and display the value in a column called mb_out. |
| \| eval mb_total=round((bytes_total/1024/1024),2) | Convert bytes_total to megabytes, rounded to two decimal places, and display the value in a column called mb_total. |
| \| fields - bytes* | Remove every field whose name begins with bytes from the results. |
| \| sort - mb_total | Sort the results so the connection with the highest total megabyte count appears first. |
| \| head 10 | Limit the results to the top 10. |
Result
The results show the top 10 talkers between the user under investigation and other systems. You can investigate the connections and drill further into each of them as needed.
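The same aggregation the search performs, reproduced in Python as an added example (not part of the original page or any Splunk tool) over a few constructed records in the pan:traffic field layout: keep only events where the user's IP is the source or destination, group by src_ip/dest_ip pair, count events, sum the byte counters, convert to megabytes rounded to two places, sort descending and keep the top 10. The function name top_talkers, the sample addresses and the byte values are assumptions.

```python
from collections import defaultdict

# Constructed sample events in the shape of pan:traffic records, limited to the
# fields the search uses. In Palo Alto logs the bytes field is the sent+received
# total, so bytes == bytes_in + bytes_out here as well. Not real traffic.
SAMPLE_EVENTS = [
    {"src_ip": "10.1.1.50", "dest_ip": "203.0.113.10", "bytes_in": 1_048_576, "bytes_out": 524_288, "bytes": 1_572_864},
    {"src_ip": "10.1.1.50", "dest_ip": "203.0.113.10", "bytes_in": 2_097_152, "bytes_out": 0, "bytes": 2_097_152},
    {"src_ip": "198.51.100.7", "dest_ip": "10.1.1.50", "bytes_in": 0, "bytes_out": 5_242_880, "bytes": 5_242_880},
    {"src_ip": "10.1.1.50", "dest_ip": "192.0.2.25", "bytes_in": 10_240, "bytes_out": 10_240, "bytes": 20_480},
    # A different internal host; the src_ip/dest_ip filter must drop this one.
    {"src_ip": "10.1.1.99", "dest_ip": "203.0.113.10", "bytes_in": 99_999_999, "bytes_out": 0, "bytes": 99_999_999},
]


def top_talkers(events, user_ip, limit=10):
    """Equivalent of the SPL pipeline: filter, stats ... by src_ip dest_ip,
    eval mb_* conversions, fields - bytes*, sort - mb_total, head <limit>."""
    # stats count, sum(bytes_in), sum(bytes_out), sum(bytes) by src_ip dest_ip
    groups = defaultdict(lambda: {"event_count": 0, "bytes_in": 0, "bytes_out": 0, "bytes_total": 0})
    for ev in events:
        # (src_ip=<user> OR dest_ip=<user>)
        if user_ip not in (ev["src_ip"], ev["dest_ip"]):
            continue
        g = groups[(ev["src_ip"], ev["dest_ip"])]
        g["event_count"] += 1
        g["bytes_in"] += ev["bytes_in"]
        g["bytes_out"] += ev["bytes_out"]
        g["bytes_total"] += ev["bytes"]

    rows = []
    for (src, dest), g in groups.items():
        # eval mb_*=round(bytes_*/1024/1024, 2); the raw bytes_* fields are
        # left out of the row, which is what "fields - bytes*" does.
        rows.append({
            "src_ip": src,
            "dest_ip": dest,
            "event_count": g["event_count"],
            "mb_in": round(g["bytes_in"] / 1024 / 1024, 2),
            "mb_out": round(g["bytes_out"] / 1024 / 1024, 2),
            "mb_total": round(g["bytes_total"] / 1024 / 1024, 2),
        })
    # sort - mb_total | head <limit>
    rows.sort(key=lambda r: r["mb_total"], reverse=True)
    return rows[:limit]


if __name__ == "__main__":
    for row in top_talkers(SAMPLE_EVENTS, "10.1.1.50"):
        print(row)
```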