Prohibited Network Traffic Allowed

Splunk Security Content

Summary
The rule 'Prohibited Network Traffic Allowed' detects network traffic that was permitted even though its port and protocol are classified as prohibited in a predefined lookup table ('lookup_interesting_ports'). The detection uses the Network_Traffic data model, so allowed traffic can be cross-referenced against the organization's established port and protocol policy. Its primary purpose is to surface misconfigurations or policy violations that weaken security controls and could enable unauthorized access or data exfiltration by attackers. If such traffic is confirmed as malicious, it can indicate a significant breach of network defenses with serious consequences for the organization. The analytic highlights these risks and helps the SOC (Security Operations Center) maintain a robust security posture.
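As an added illustration of the cross-referencing logic described above (not code from Splunk Security Content), the following Python models the same check: allowed flows from Network_Traffic-style events are matched against a port/protocol lookup and only rows marked prohibited are reported. The lookup column names (dest_port, transport, app, is_prohibited) and all event data are constructed assumptions and may not match the project's actual lookup file.

```python
from collections import Counter

# Constructed lookup rows modelled after a port/protocol policy table.
# Column names are assumptions, not the project's lookup_interesting_ports schema.
PROHIBITED_LOOKUP = [
    {"dest_port": 23,   "transport": "tcp", "app": "telnet", "is_prohibited": "true"},
    {"dest_port": 69,   "transport": "udp", "app": "tftp",   "is_prohibited": "true"},
    {"dest_port": 1433, "transport": "tcp", "app": "mssql",  "is_prohibited": "true"},
    {"dest_port": 443,  "transport": "tcp", "app": "https",  "is_prohibited": "false"},
]

# Constructed Network_Traffic-style events; field names mirror common CIM fields.
SAMPLE_EVENTS = [
    {"action": "allowed", "src": "10.1.1.5", "dest": "10.2.2.9",   "dest_port": 23,  "transport": "tcp"},
    {"action": "blocked", "src": "10.1.1.5", "dest": "10.2.2.9",   "dest_port": 23,  "transport": "tcp"},
    {"action": "allowed", "src": "10.1.1.7", "dest": "10.2.2.9",   "dest_port": 443, "transport": "tcp"},
    {"action": "allowed", "src": "10.1.1.8", "dest": "192.0.2.10", "dest_port": 69,  "transport": "udp"},
    {"action": "allowed", "src": "10.1.1.8", "dest": "192.0.2.10", "dest_port": 69,  "transport": "udp"},
]


def build_prohibited_index(lookup):
    """Index (dest_port, transport) -> app for every row flagged is_prohibited."""
    return {
        (int(row["dest_port"]), row["transport"].lower()): row["app"]
        for row in lookup
        if str(row.get("is_prohibited", "")).lower() == "true"
    }


def prohibited_traffic_allowed(events, lookup):
    """Return {(src, dest, dest_port, transport, app): count} for allowed flows
    whose destination port/protocol pair is marked prohibited in the lookup.
    Blocked traffic and ports not flagged as prohibited are ignored."""
    index = build_prohibited_index(lookup)
    hits = Counter()
    for ev in events:
        if ev.get("action") != "allowed":
            continue
        key = (int(ev["dest_port"]), ev.get("transport", "").lower())
        app = index.get(key)
        if app is None:
            continue
        hits[(ev["src"], ev["dest"], key[0], key[1], app)] += 1
    return dict(hits)


if __name__ == "__main__":
    for row, count in prohibited_traffic_allowed(SAMPLE_EVENTS, PROHIBITED_LOOKUP).items():
        print(count, row)
```

The aggregated (src, dest, port, transport, app) tuples with counts correspond to the rows an analyst would triage from the Splunk search; a matching blocked flow is intentionally not reported.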
Categories
  • Network
  • Endpoint
Data Sources
  • Network Traffic
ATT&CK Techniques
  • T1048
Created: 2024-11-15