Graph approach for firewall logs & rules analysis
I have been using Dataiku Graph Analytics plugin for a few weeks for firewall rules & logs analysis following the https://diablohorn.com/2022/04/09/firewall-analysis-a-portable-graph-based-approach/ approach.
This approach offered quick benefits:
- It helped in understanding configuration issues using a visual approach, which is much more understandable than an Excel sheet with hundreds of config lines.
- It helped in assessing the impact of compromised accounts using security logs extracted from various systems.
However, the Dataiku Graph Analytics plugin quickly showed some limits when displaying thousands of nodes and edges in a chart. The main limitation is linked to graph filtering / subgraph extraction to focus on relevant objects.
I started developing an additional recipe for the Graph Analytics plugin which returns an induced subgraph of neighbors centered at selected nodes within a configurable radius. This draft work is shared in the https://github.com/dataiku/dss-plugin-graph-analytics/pull/15 draft PR, and I would be happy if some of you had time to test it, provide feedback, or contribute to this work.
Cheers,
Matthieu
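The neighborhood extraction the recipe describes, written out as an added example that is not part of this post, the plugin or the linked PR: a breadth-first search from the selected nodes over a constructed set of firewall rules (source, destination, service), returning the induced subgraph of everything within a configurable radius. The rule set and addresses are constructed sample data.

```python
from collections import deque

# Constructed sample: firewall rules as directed edges (src, dst, service).
RULES = [
    ("10.0.1.5", "10.0.2.20", "tcp/443"),
    ("10.0.2.20", "10.0.3.7", "tcp/5432"),
    ("10.0.3.7", "10.0.4.9", "tcp/22"),
    ("10.0.9.1", "10.0.1.5", "tcp/3389"),
    ("172.16.0.3", "172.16.0.4", "tcp/80"),  # unrelated segment, never reached
]


def build_adjacency(rules):
    """Undirected adjacency so neighbours are found in both rule directions."""
    adj = {}
    for src, dst, _service in rules:
        adj.setdefault(src, set()).add(dst)
        adj.setdefault(dst, set()).add(src)
    return adj


def nodes_within_radius(adj, centers, radius):
    """BFS from every selected node at once; returns {node: hop distance}."""
    dist = {c: 0 for c in centers}
    queue = deque(centers)
    while queue:
        node = queue.popleft()
        if dist[node] == radius:      # do not expand beyond the radius
            continue
        for nxt in adj.get(node, ()):
            if nxt not in dist:       # first visit is the shortest hop count
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def induced_subgraph(rules, centers, radius):
    """Induced subgraph: keep only rules whose both endpoints are within radius."""
    keep = nodes_within_radius(build_adjacency(rules), centers, radius)
    edges = [r for r in rules if r[0] in keep and r[1] in keep]
    return keep, edges


if __name__ == "__main__":
    nodes, edges = induced_subgraph(RULES, ["10.0.2.20"], radius=1)
    for node, hops in sorted(nodes.items(), key=lambda kv: kv[1]):
        print(f"{node} at {hops} hop(s)")
    for src, dst, service in edges:
        print(f"{src} -> {dst} [{service}]")
```

Raising the radius widens the view one hop at a time, which is exactly the filter a chart of thousands of rules needs before anything is plotted.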