
Splunk Common Information Model (CIM): Can you explain these options in the "All_Traffic" data model?

vedburtruba
New Member

Hi!

As I see it, the CIM All_Traffic data model may have one of 3 possible values:

allowed
blocked
teardown

Blocked is the easy one.

But what exactly does teardown mean? Does it mean that the connection was closed after being allowed? And in that case, does allowed mean that the connection is still alive?

0 Karma
1 Solution

harsmarvania57
SplunkTrust
SplunkTrust

Hi @vedburtruba,

The Network_Traffic.All_Traffic data model is not assigning the allowed, blocked or teardown values; these values are coming from the action field in the original data. Could you please let us know which type of data you are searching, so that we can assist you with what the meaning of all 3 values is?

For example, if I consider Checkpoint logs (Add-on Splunk_TA_checkpoint-opseclea), then it is giving 3 different results for the action field: allowed, blocked and dropped.

In general, allowed means traffic is allowed, for example by a firewall, and blocked means traffic is blocked. While looking at one of the documents, teardown means that when the firewall didn't get an ACK-SYN packet from the destination, at that time it logs teardown.

I hope this helps.

Thanks,
Harshil


0 Karma
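As an added check (not part of the answer above), this SPL reports which sourcetype is contributing each action value into the Network_Traffic data model, so the meaning of teardown can be looked up in that vendor's own documentation rather than in CIM. It assumes the CIM Network_Traffic data model is installed; summariesonly=false lets it run even if the model is not accelerated.

```spl
| tstats summariesonly=false count from datamodel=Network_Traffic
    where nodename=All_Traffic
    by sourcetype, All_Traffic.action
| rename All_Traffic.action AS action
| sort - count
```

Restrict the where clause with All_Traffic.action="teardown" and add All_Traffic.transport to the by clause to see which protocols a given source emits teardown for.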
