Skip to main content

Monitoring for network traffic volume outliers

  • Updated

Scenario: You work for a small company and your manager wants you to put together a report on typical network usage among your 8 users. Specifically, your manager is interested in which external websites network users most often communicate with. You need to establish usage baselines and monitor them for anomalous behavior. 

How Splunk software can help

You can use the stats command in Splunk Enterprise to perform a number of simple statistical calculations that give you a picture of traffic flows from your network hosts to external IP addresses. 

What you need 

To succeed in implementing this use case, you need the following dependencies, resources, and information.

People

The best person to implement this use case is a security analyst or threat hunter who is familiar with firewall data sources. This person might come from your team, a Splunk partner, or Splunk OnDemand Services.

Time

If you already have a month's worth of network data in your Splunk deployment, establishing network traffic baselines and setting up alerts for outliers using Splunk software generally takes several hours.

Technologies 

The following technologies, data, and integrations are useful in successfully implementing this use case: 

  • Splunk Enterprise or Splunk Cloud
  • Data sources onboarded

How to use Splunk software for this use case

You can run many searches with Splunk software to establish baselines and set alerts. Depending on what information you have available, you might find it useful to identify some or all of the following: 

As you establish baselines, you might find source IP addresses that you want to investigate immediately. You can run the following investigations based off results from the monitoring activities in this use case:

Other steps you can take

To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case: 

  • Understanding cyclical usage patterns
  • Understanding network management policies 
  • Creating inventories of physical and virtual network devices
  • Creating network diagrams
  • Adhering to frameworks, such as the IT Infrastructure Library 

Related resources 

These additional Splunk resources might help you understand and implement this use case:

How to assess your results

Measuring impact and benefit is critical to assessing the value of security operations. The following are example metrics that can be useful to monitor when implementing this use case:

  • Identification of risk factors: The number of anomalies you identified that were positive security risks

Related articles

Comments

0 comments

Please sign in to leave a comment.

The information provided in Splunk Lantern is intended for informational and educational purposes only. All information is provided in good faith, however, Splunk disclaims any and all representations and warranties, express and implied, regarding the information provided, including without limitation any warranties and representations regarding the completeness, adequacy or accuracy of the information. You agree to take full responsibility for the results arising from the use of the information provided.