Network Activity Ports Widget
The Network Activity Ports widget displays a scatter plot of network port usage, helping you monitor traffic patterns and detect anomalies. It distinguishes between normal (non-alerted) port activity and alerted activity where a security rule has flagged the traffic. Use this widget to spot unexpected port usage, potential port scanning, or data exfiltration over unusual ports.

Configuration
Click + Add Widget, select Network Activity Ports, and click Next.

| Field | Required | Description | Default |
| --- | --- | --- | --- |
| Widget Name | Yes | A title (e.g., 'Network Activity Ports'). | — |
| Source or Destination | No | Which port numbers to chart: source ports or destination ports. | Source |
| Excluded Ports | No | Ports to omit from the chart. Comma-separated. | Empty |
| Query | No | A DataBee search query to filter network activity records. | Empty |
| Time Range | No | Period to display. | Use Global |
Source vs Destination
| Option | Shows | Use When |
| --- | --- | --- |
| Source | Source ports from outgoing connections. | You want to see which ports your devices use to initiate connections. |
| Destination | Destination ports being targeted. | You want to see which services are being accessed. A port scan shows up here as many distinct destination ports, each with a low connection count; unexpected service exposure shows up as traffic to a port that should not be reachable. |
Excluding Noisy Ports
Well-known, high-traffic ports can dominate the chart and obscure more interesting activity. Enter port numbers to exclude, separated by commas.
Tip: Common ports to exclude: 80 (HTTP), 443 (HTTPS), 53 (DNS), 22 (SSH), 25 (SMTP), 123 (NTP), 993 (IMAPS), 995 (POP3S). Removing these focuses the chart on unusual or unexpected port usage. Note that an excluded port is dropped from the chart entirely, alerted activity included, so exclude a port only when you do not rely on this widget to surface alerts on it. DNS (53) and SSH (22) in particular are common tunnelling and exfiltration channels; if they are excluded here, make sure that traffic is covered elsewhere.
Reading the Chart
| Indicator | Visual | Meaning |
| --- | --- | --- |
| Non-alerted | Blue circle (small) | Normal port activity; no security rules triggered. |
| Alerted | Red triangle (larger) | A security rule flagged this traffic. Hover to see the alert description. |
The X-axis shows port numbers and the Y-axis shows connection counts. Toggle buttons at the bottom let you show or hide alerted vs non-alerted ports independently.
Query Syntax
The Query field accepts DataBee's search query syntax to filter which records are included. If left blank, all records in the selected table within the time range are included.
Basic Syntax
Queries follow the format: field_name operator value
Supported Operators
| Operator | Description | Example |
| --- | --- | --- |
| in | Field value matches the specified value(s). Use parentheses for multiple values. | severity_id in (4,5,6) |
| notin | Field value does NOT match the specified value(s). | status_id notin (0,99) |
| contains | Field value contains the specified substring. | message contains ransomware |
| between | Field value falls between two values (inclusive). Separate the values with a comma. | traffic.bytes between 1000,50000 |
Combining Conditions
Use "and" to combine multiple conditions. For example: severity_id in (4,5) and metadata.product.name in CrowdStrike
Nested Field Paths
Access nested fields using dot notation. Common paths include:
| Path | Description |
| --- | --- |
| metadata.product.name | The security product that generated the event (e.g., CrowdStrike, Qualys) |
| src_endpoint.ip | Source IP address |
| dst_endpoint.ip | Destination IP address |
| device.name | Device hostname |
| user.name | Username |
| finding.severity | Finding severity level |
Note: The widget's Time Range setting automatically filters by time — you do not need to include time filters in the Query field.
Query Examples for Network Activity Ports
| Scenario | Query |
| --- | --- |
| Only from a specific subnet | src_endpoint.ip in 10.0.1.* |
| Exclude internal traffic | dst_endpoint.ip notin 10.0.0.* |
| Only Palo Alto traffic | metadata.product.name in PaloAlto |
| Only TCP connections | connection_info.protocol_name in TCP |
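To make the query semantics and the chart's per-port counting concrete, here is an added example that is not DataBee code: a small evaluator for the grammar described above (`field operator value` clauses joined with `and`; the `in`, `notin`, `contains` and `between` operators; dotted field paths; a trailing `*` wildcard on IP values) applied to a handful of constructed network activity records, followed by the per-port aggregation that the scatter chart plots. How DataBee itself treats a missing field, the `*` wildcard, or the `alerted` flag on a record is not stated on this page, so the handling of those below (absent field fails `in`/`contains`/`between` and satisfies `notin`; `*` is a glob; `alerted` is a boolean on the record) is an assumption made for the example.

```python
"""Added example, not DataBee code: evaluate the widget's query grammar and
compute per-port connection counts split into alerted / non-alerted series."""
import re
from collections import Counter
from fnmatch import fnmatchcase

# One clause: <dotted field> <operator> <value or (value,value,...)>
CLAUSE = re.compile(r"^(\S+)\s+(in|notin|contains|between)\s+(.+)$", re.I)


def get_path(record, path):
    """Resolve a dotted path such as 'src_endpoint.ip'; return None if absent."""
    cur = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def parse_values(raw):
    """'(4,5,6)' -> ['4', '5', '6']; 'TCP' -> ['TCP']; surrounding quotes are tolerated."""
    raw = raw.strip()
    if raw.startswith("(") and raw.endswith(")"):
        raw = raw[1:-1]
    return [v.strip().strip("'\"") for v in raw.split(",") if v.strip()]


def clause_matches(record, field, op, raw_value):
    """Evaluate a single clause. Absent-field behaviour is an assumption (see lead-in)."""
    actual = get_path(record, field)
    op = op.lower()
    if op == "notin":
        # A record without the field cannot be in the list, so notin holds.
        return actual is None or not any(fnmatchcase(str(actual), v) for v in parse_values(raw_value))
    if actual is None:
        return False
    if op == "in":
        # fnmatchcase supplies the trailing '*' wildcard used for IP prefixes (10.0.1.*).
        return any(fnmatchcase(str(actual), v) for v in parse_values(raw_value))
    if op == "contains":
        return raw_value.strip().strip("'\"") in str(actual)
    if op == "between":
        lo, hi = (float(v) for v in parse_values(raw_value))
        return lo <= float(actual) <= hi  # inclusive on both ends, as the table says
    raise ValueError(f"unsupported operator: {op}")


def matches(record, query):
    """An empty query matches every record; otherwise all 'and'-joined clauses must hold."""
    query = query.strip()
    if not query:
        return True
    for clause in re.split(r"\s+and\s+", query, flags=re.I):
        m = CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"cannot parse clause: {clause!r}")
        if not clause_matches(record, *m.groups()):
            return False
    return True


def port_counts(records, side="dst", excluded=(), query=""):
    """Connection count per port for the chosen side ('src' or 'dst'), split into the
    non-alerted and alerted series the chart draws. Excluded ports are dropped from
    BOTH series, which is why excluding a port also hides any alerts on it."""
    normal, alerted = Counter(), Counter()
    excluded = set(excluded)
    for r in records:
        if not matches(r, query):
            continue
        port = get_path(r, f"{side}_endpoint.port")
        if port is None or port in excluded:
            continue
        (alerted if r.get("alerted") else normal)[port] += 1
    return dict(normal), dict(alerted)


def rec(src_ip, src_port, dst_ip, dst_port, proto, product, nbytes, alerted=False):
    """Build a constructed OCSF-style record; the 'alerted' flag is an assumed field."""
    return {
        "src_endpoint": {"ip": src_ip, "port": src_port},
        "dst_endpoint": {"ip": dst_ip, "port": dst_port},
        "connection_info": {"protocol_name": proto},
        "metadata": {"product": {"name": product}},
        "traffic": {"bytes": nbytes},
        "alerted": alerted,
    }


# Constructed sample data, not real telemetry.
RECORDS = [
    rec("10.0.1.5", 51234, "203.0.113.9", 443, "TCP", "PaloAlto", 1200),
    rec("10.0.1.5", 51235, "203.0.113.9", 443, "TCP", "PaloAlto", 3400),
    rec("10.0.1.7", 51236, "198.51.100.4", 8443, "TCP", "PaloAlto", 70000, alerted=True),
    rec("10.0.2.3", 40001, "10.0.0.12", 445, "TCP", "PaloAlto", 500),
    rec("10.0.1.9", 40002, "203.0.113.9", 53, "UDP", "PaloAlto", 300),
    rec("10.0.1.9", 40003, "203.0.113.77", 4444, "TCP", "CrowdStrike", 900000, alerted=True),
]

# The three example queries from the table above, combined with 'and'.
QUERY = ("src_endpoint.ip in 10.0.1.* and dst_endpoint.ip notin 10.0.0.* "
         "and connection_info.protocol_name in TCP")

if __name__ == "__main__":
    normal, alerted = port_counts(RECORDS, "dst", excluded=(80, 443), query=QUERY)
    print("non-alerted:", normal)  # {} once 443 is excluded
    print("alerted:", alerted)     # {8443: 1, 4444: 1}
```

Running it with 443 excluded leaves only the two alerted points (8443 and 4444) on the destination-port chart; run it again without the exclusion and the two normal connections to 443 reappear, which is the effect the Excluded Ports field has on the real widget.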
Interactive Features
- Hover over any point to see the port number, connection count, and alert description (if alerted).
- Use 'Show Non-Alerted Ports' and 'Show Alerted Ports' toggles to filter the display.