<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic How can I use the Network_Traffic datamodel to find what has NOT egressed/logged for a firewall ACL/rule? in Knowledge Management</title>
    <link>https://community.splunk.com/t5/Knowledge-Management/How-can-I-use-the-Network-Traffic-datamodel-to-find-what-has-NOT/m-p/659488#M9721</link>
    <description>&lt;P&gt;Good afternoon,&lt;/P&gt;
&lt;P&gt;Background: I found a configuration issue in one of our firewalls which I'm trying to remediate where an admin created a very broad access rule that has permitted traffic over a wide array of TCP/UDP ports. I started working to identify valid traffic which has used the rule, but a co-worker mentioned an easy win would be creating an ACL to block any ports which had not already been allowed through this very promiscuous rule.&lt;BR /&gt;&lt;BR /&gt;My problem is I know how to use the data model to identify TCP/UDP traffic which has been logged egressing through the rule, but how could I modify the search provided below so that I can get a result that displays which ports have NOT been logged? (Also bonus points if you can help me view numbers returned as ranges rather than individual numbers aka "5000-42000")&lt;BR /&gt;&lt;BR /&gt;Here is my current search:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;| tstats ,values(All_Traffic.dest_port) AS dest_port values(All_Traffic.dest_ip) AS dest_ip dc(All_Traffic.dest_ip) AS num_dest_ip dc(All_Traffic.dest_port) AS num_dest_port
FROM datamodel=Network_Traffic
WHERE index="firewall" AND sourcetype="traffic" AND fw_rule="horrible_rule"
BY All_Traffic.dest_port
| rename All_Traffic.* AS *&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thank you in advance for any help that you may be able to provide!&lt;/P&gt;</description>
    <pubDate>Tue, 03 Oct 2023 21:25:58 GMT</pubDate>
    <dc:creator>kimsey4701</dc:creator>
    <dc:date>2023-10-03T21:25:58Z</dc:date>
    <item>
      <title>How can I use the Network_Traffic datamodel to find what has NOT egressed/logged for a firewall ACL/rule?</title>
      <link>https://community.splunk.com/t5/Knowledge-Management/How-can-I-use-the-Network-Traffic-datamodel-to-find-what-has-NOT/m-p/659488#M9721</link>
      <description>&lt;P&gt;Good afternoon,&lt;/P&gt;
&lt;P&gt;Background: I found a configuration issue in one of our firewalls which I'm trying to remediate where an admin created a very broad access rule that has permitted traffic over a wide array of TCP/UDP ports. I started working to identify valid traffic which has used the rule, but a co-worker mentioned an easy win would be creating an ACL to block any ports which had not already been allowed through this very promiscuous rule.&lt;BR /&gt;&lt;BR /&gt;My problem is I know how to use the data model to identify TCP/UDP traffic which has been logged egressing through the rule, but how could I modify the search provided below so that I can get a result that displays which ports have NOT been logged? (Also bonus points if you can help me view numbers returned as ranges rather than individual numbers aka "5000-42000")&lt;BR /&gt;&lt;BR /&gt;Here is my current search:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;| tstats ,values(All_Traffic.dest_port) AS dest_port values(All_Traffic.dest_ip) AS dest_ip dc(All_Traffic.dest_ip) AS num_dest_ip dc(All_Traffic.dest_port) AS num_dest_port
FROM datamodel=Network_Traffic
WHERE index="firewall" AND sourcetype="traffic" AND fw_rule="horrible_rule"
BY All_Traffic.dest_port
| rename All_Traffic.* AS *&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thank you in advance for any help that you may be able to provide!&lt;/P&gt;</description>
      <pubDate>Tue, 03 Oct 2023 21:25:58 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Knowledge-Management/How-can-I-use-the-Network-Traffic-datamodel-to-find-what-has-NOT/m-p/659488#M9721</guid>
      <dc:creator>kimsey4701</dc:creator>
      <dc:date>2023-10-03T21:25:58Z</dc:date>
    </item>
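The search the question asks for, written as an added example that is not part of the original thread and not the poster's own search. It builds the full 0-65535 port space for tcp and udp with makeresults, marks every port the permissive rule has actually logged with a tstats subsearch over the Network_Traffic data model, keeps the ports that were never seen, and collapses consecutive unseen ports into "start-end" ranges with streamstats. It assumes the index, sourcetype and rule name from the post; the rule filter is written against the CIM field All_Traffic.rule rather than the post's fw_rule, because tstats over a data model can only filter on data model fields or index-time fields, so a custom fw_rule field would have to be mapped into the data model first.

```spl
| makeresults count=65536
| streamstats count AS dest_port
| eval dest_port=dest_port-1
| eval transport=split("tcp,udp", ",")
| mvexpand transport
| append maxout=200000 maxtime=300 [
    | tstats count FROM datamodel=Network_Traffic
        WHERE index="firewall" AND sourcetype="traffic" AND All_Traffic.rule="horrible_rule"
        BY All_Traffic.transport All_Traffic.dest_port
    | rename All_Traffic.* AS *
    | eval seen=1, dest_port=tonumber(dest_port), transport=lower(transport)
    | fields transport dest_port seen
  ]
| stats max(seen) AS seen BY transport dest_port
| where isnull(seen)
| sort 0 transport dest_port
| streamstats current=f last(dest_port) AS prev BY transport
| eval gap=if(isnull(prev) OR dest_port-prev>1, 1, 0)
| streamstats sum(gap) AS block BY transport
| stats min(dest_port) AS start, max(dest_port) AS end BY transport block
| eval range=if(start=end, tostring(start), start."-".end)
| table transport start end range
```

Each output row is one contiguous block of destination ports that has no logged session through the rule for the chosen transport, so a row with start=5000 and end=42000 reads as "5000-42000" exactly as the post asks. The maxout and maxtime arguments on append lift the default 50,000-row and 60-second subsearch limits, since a wide-open rule can have seen tens of thousands of distinct port and protocol pairs. Two caveats before turning the output into a deny ACL: run it over the longest time range your accelerated data model holds, and confirm the firewall is logging every permitted session on that rule, because a port that is absent from this list is only known to be unlogged, not unused.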
    <item>
      <title>Re: How can I use the Network_Traffic datamodel to find what has NOT egressed/logged for a firewall ACL/rule?</title>
      <link>https://community.splunk.com/t5/Knowledge-Management/How-can-I-use-the-Network-Traffic-datamodel-to-find-what-has-NOT/m-p/659638#M9738</link>
      <description>&lt;P&gt;In my mind this isn't a Splunk problem - although you could use Splunk to identify the ports being allowed through by the permissive policy.&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;My suggestion would be to add one or more policies before the permissive policy that allow through the ports that you definitely want to allow.&amp;nbsp; This will, overtime, reduce the number of ports being allowed through by the permissive policy and, at a point in time, the permissive policy can be removed.&lt;/P&gt;</description>
      <pubDate>Wed, 04 Oct 2023 11:43:55 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Knowledge-Management/How-can-I-use-the-Network-Traffic-datamodel-to-find-what-has-NOT/m-p/659638#M9738</guid>
      <dc:creator>chris_barrett</dc:creator>
      <dc:date>2023-10-04T11:43:55Z</dc:date>
    </item>
    <item>
      <title>Re: How can I use the Network_Traffic datamodel to find what has NOT egressed/logged for a firewall ACL/rule?</title>
      <link>https://community.splunk.com/t5/Knowledge-Management/How-can-I-use-the-Network-Traffic-datamodel-to-find-what-has-NOT/m-p/659643#M9741</link>
      <description>&lt;P&gt;Chris,&lt;/P&gt;&lt;P&gt;That's what I'm trying to accomplish as I was able to define what is using the rule so I can start putting defined rules in front of it. In this case I was hoping that someone could help me easily know what had not used the open rule so I can immediately put a rule in front of it to block any ports that haven't traversed it.&lt;/P&gt;&lt;P&gt;I'll just close out my question and do things the slow way with exports to Excel.&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;Kimsey&lt;/P&gt;</description>
      <pubDate>Wed, 04 Oct 2023 12:24:24 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Knowledge-Management/How-can-I-use-the-Network-Traffic-datamodel-to-find-what-has-NOT/m-p/659643#M9741</guid>
      <dc:creator>kimsey4701</dc:creator>
      <dc:date>2023-10-04T12:24:24Z</dc:date>
    </item>
  </channel>
</rss>

