Network communication data
Network communication data refers to the information exchanged between devices, applications, or systems over a network, such as the internet or a local area network (LAN). Network communication data enables devices to interact, share information, and collaborate efficiently. The nature of the data can vary depending on the type of communication, ranging from basic text-based messages to multimedia files, but the key components of all network communication data are:
- Payload: The actual data being transmitted (for example, text, images, audio, video)
- Headers: Metadata used for routing, processing, and managing the communication (for example, source/destination IP, protocol type)
- Protocol data: Specific information required by the protocol being used (for example, HTTP methods, TCP flags, encryption keys)
This data is transmitted in the form of packets and follows specific communication protocols to ensure it is delivered, interpreted, and processed correctly. Common network communication protocols are:
- Application layer: HTTP, HTTPS, FTP, SMTP, IMAP, POP3, MQTT
- Transport layer: TCP, UDP
- Network layer: IP (IPv4, IPv6)
- Data link layer: Ethernet, Wi-Fi
Network communication data typically includes:
- HTTP requests and responses (web browsing): A user opens a web browser and types in a URL to access a website
- API communication (REST or GraphQL): A mobile app retrieves weather data from a weather service API
- Email protocols (SMTP, IMAP, POP3): A user sends an email using an email client (for example, Outlook or Gmail)
- File transfer (FTP or SFTP): A developer uploads a file to a remote server using an FTP client
- Video streaming (RTMP, HLS, or DASH): A user watches a video on a streaming platform like YouTube or Netflix
- Messaging applications (chat protocols): Two users exchange messages via a chat application like WhatsApp or Slack
- IoT devices (MQTT protocol): A smart thermostat communicates with a cloud-based control system
- Peer-to-peer communication (VoIP or video calls): Two users are on a video call using a platform like Zoom or Skype
The Splunk Common Information Model (CIM) add-on contains a Network Traffic data model with fields that describe flows of data across network infrastructure components. Network traffic in the Network Traffic data model is allowed or denied based on simple network connection rules, which use network parameters such as TCP headers, destination, ports, and so on. These rules are usually triggered when the network connection is being established.
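As an added example (not code from this page or from the Splunk CIM add-on), the following Python maps constructed firewall-style log lines onto CIM Network Traffic field names (src_ip, dest_ip, dest_port, transport, tcp_flag, bytes, action, rule) and labels each flow by evaluating simple connection-setup rules of the kind described above. The key=value log format, the rule base and the "established" handling for non-SYN TCP segments are assumptions made for the example.

```python
import re
# Constructed key=value firewall-style log lines (not a real vendor format).
SAMPLE_LOGS = [
    "src=10.1.2.3 dst=198.51.100.10 proto=tcp sport=51234 dport=443 flags=S bytes=60",
    "src=10.1.2.9 dst=203.0.113.5 proto=tcp sport=40001 dport=23 flags=S bytes=60",
    "src=10.1.2.9 dst=10.1.2.1 proto=udp sport=5353 dport=53 bytes=120",
    "src=192.0.2.7 dst=10.1.2.3 proto=tcp sport=6000 dport=3389 flags=S bytes=60",
    "src=10.1.2.3 dst=198.51.100.10 proto=tcp sport=51234 dport=443 flags=PA bytes=1500",
]

# Constructed connection rules checked at connection setup; None matches anything, first match wins.
RULES = [
    {"rule": "allow-https-out", "src_prefix": "10.", "transport": "tcp", "dest_port": 443, "action": "allowed"},
    {"rule": "allow-dns-out", "src_prefix": "10.", "transport": "udp", "dest_port": 53, "action": "allowed"},
    {"rule": "deny-all", "src_prefix": None, "transport": None, "dest_port": None, "action": "blocked"},
]

KV_RE = re.compile(r"(\w+)=(\S+)")
def parse_line(line):
    """Map raw key=value pairs onto CIM Network Traffic field names."""
    raw = dict(KV_RE.findall(line))
    return {
        "src_ip": raw["src"], "dest_ip": raw["dst"],
        "transport": raw["proto"].lower(),
        "src_port": int(raw["sport"]), "dest_port": int(raw["dport"]),
        "bytes": int(raw.get("bytes", 0)),
        "tcp_flag": raw.get("flags", ""),  # TCP header flags, e.g. S = SYN
    }

def is_connection_setup(event):
    """Rules fire when a connection is established: any UDP datagram, or a TCP SYN."""
    return event["transport"] != "tcp" or "S" in event["tcp_flag"]

def apply_rules(event, rules):
    """Add the CIM 'action' and 'rule' fields from the first matching rule."""
    if not is_connection_setup(event):
        # Mid-stream segment: the connection was already admitted by an earlier SYN.
        return {**event, "action": "allowed", "rule": "established"}
    for r in rules:
        if r["src_prefix"] is not None and not event["src_ip"].startswith(r["src_prefix"]):
            continue
        if r["transport"] is not None and r["transport"] != event["transport"]:
            continue
        if r["dest_port"] is not None and r["dest_port"] != event["dest_port"]:
            continue
        return {**event, "action": r["action"], "rule": r["rule"]}
    return {**event, "action": "unknown", "rule": None}

def normalize(lines, rules=RULES):
    return [apply_rules(parse_line(line), rules) for line in lines]
```

Running normalize(SAMPLE_LOGS) yields one CIM-shaped event per line; the telnet and inbound RDP attempts fall through to deny-all and carry action=blocked, which is the field a detection search would pivot on.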
Common data sources
- Dell EMC Isilon App for Splunk Enterprise
- Splunk Add-on for Linux
- Splunk App for Stream
- PCAP Analyzer for Splunk
- NetFlow and SNMP Analytics for Splunk
- Arista Networks Telemetry For Splunk
- Splunk Add-on for Forcepoint Web Security
- Splunk Add-on for McAfee Web Gateway
- Splunk Add-on for Cisco WSA
- Cisco Networks Add-on for Splunk Enterprise
- Splunk Add-on for Websense DLP
- Aruba Networks Add-on for Splunk
Use cases for the Splunk platform
- Complying with the Markets in Financial Instruments Directive II
- Monitoring NIST SP 800-53 rev5 control families
- Detecting AWS network ACL activity
- Managing Cisco IOS devices
- Recovering lost visibility of IT infrastructure
- Detecting software supply chain attacks
- Investigating a ransomware attack
- Analyzing wire data from databases
- Monitoring usage of wireless access points
- Monitoring and logging MQTT topic messages using Eclipse Mosquitto
Use cases for Splunk security products
Be sure to explore the Splunk Security Content site to see what detections you can run in Splunk Enterprise Security with network communication data.