Name:Detect Large ICMP Traffic id:9cd6d066-94d5-4ccd-a8b9-28c03ca91be8 version:1 date:2025-03-27 author:Rico Valdez, Dean Luxton, Bhavin Patel, Splunk status:production type:TTP Description:The following analytic identifies ICMP traffic to external IP addresses with total bytes (sum of bytes in and bytes out) greater than 1,000 bytes. It leverages the Network_Traffic data model to detect large ICMP packet that aren't blocked and are directed toward external networks. We use All_Traffic.bytes in the detection to capture variations in inbound versus outbound traffic sizes, as significant discrepancies or unusually large ICMP exchanges can indicate information smuggling, covert communication, or command-and-control (C2) activities. If validated as malicious, this could signal ICMP tunneling, unauthorized data transfer, or compromised endpoints requiring immediate investigation. Data_source:
-Palo Alto Network Traffic
search:| tstats `security_content_summariesonly` count earliest(_time) as firstTime latest(_time) as lastTime values(All_Traffic.action) as action from datamodel=Network_Traffic where All_Traffic.bytes > 1000 AND All_Traffic.action != blocked AND (All_Traffic.protocol=icmp OR All_Traffic.transport=icmp) AND NOT All_Traffic.dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.protocol All_Traffic.bytes | `drop_dm_object_name("All_Traffic")` | iplocation dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_large_icmp_traffic_filter`
how_to_implement:The following analytic was developed with Palo Alto traffic logs. Ensure that the logs are being ingested into Splunk and mapped to the Network_Traffic data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives:ICMP packets are used in a variety of ways to help troubleshoot networking issues and ensure the proper flow of traffic. As such, it is possible that a large ICMP packet could be perfectly legitimate. If large ICMP packets are associated with Command And Control traffic, there will typically be a large number of these packets observed over time. If the search is providing a large number of false positives, you can modify the macro `detect_large_icmp_traffic_filter` to adjust the byte threshold or add specific IP addresses to an allow list. References: drilldown_searches: name:'View the detection results for - "$src_ip$" and "$dest_ip$"' search:'%original_detection_search% | search src_ip = "$src_ip$" dest_ip = "$dest_ip$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$src_ip$" and "$dest_ip$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$", "$dest_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Command And Control' - 'China-Nexus Threat Activity' - 'Backdoor Pingpong' asset_type:Endpoint mitre_attack_id: - 'T1095' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:network
