Prohibited Network Traffic Allowed

Description

This search looks for network traffic defined by port and transport layer protocol in the Enterprise Security lookup table "lookupinterestingports", that is marked as prohibited, and has an associated 'allow' action in the Network_Traffic data model. This could be indicative of a misconfigured network device.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Security Monitoring, Compliance

Category

Operations, GDPR

Alert Volume

This search looks for network traffic defined by port and transport layer protocol in the Enterprise Security lookup table "lookup_interesting_ports", that is marked as prohibited, and has an associated 'allow' action in the Network_Traffic data model. This could be indicative of a misconfigured network device.

SPL Difficulty

None

Journey

Stage 4

MITRE ATT&CK Tactics

Exfiltration

MITRE ATT&CK Techniques

Exfiltration Over Alternative Protocol

Exfiltration Over Alternative Protocol

Kill Chain Phases

Delivery
Command and Control

Data Sources

Network Communication

   Help

Prohibited Network Traffic Allowed Help

In order to properly run this search, Splunk needs to ingest data from firewalls or other network control devices that mediate the traffic allowed into an environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest. The search requires the Network_Traffic data model be populated.

   Search

Open in Search