Security Compliance Audit & Remediation¶
Scenario Overview¶
Organization: Managed Security Service Provider (MSSP) serving 150+ enterprise clients Challenge: Validate compliance across multi-tenant security infrastructure Infrastructure: 500+ firewalls, 200+ VPN gateways, complex segmentation Requirements: Continuous compliance monitoring, automated remediation
Technical Workflow¶
Step 1: Security Audit Setup¶
# Initialize security audit project
mkdir -p security-audit/{docs,analysis,remediation}
cd security-audit
# Initialize FalkorDB for security analysis
netintel-ocr kg init \
--falkordb-host localhost \
--falkordb-port 6379 \
--graph-name security_audit
# Set environment for security-focused processing
export FALKORDB_GRAPH=security_audit
export KG_MODEL=ComplEx # Better for bidirectional relationships
export KG_EPOCHS=150
Step 2: Process Security Documentation¶
# Process network segmentation diagrams with KG
netintel-ocr process pdf docs/network-segmentation.pdf \
--network-model qwen2.5vl:7b \
--kg-model ComplEx \
--kg-epochs 150 \
--output analysis/
# Process firewall configurations (multiple vendors)
for config in docs/configs/*.pdf; do
netintel-ocr process pdf "$config" \
--extract-tables \
--table-method llm \
--kg-model ComplEx \
--output "analysis/$(basename $config .pdf)/"
done
# Process security policies in batch
netintel-ocr process batch docs/policies/ \
--pattern "*.pdf" \
--output-dir analysis/policies/
# Process each document with KG generation
netintel-ocr kg process \
--model ComplEx \
--epochs 150 \
docs/complete-security-docs.pdf
# Verify extraction
netintel-ocr kg stats --format json > analysis/stats.json
# View statistics
netintel-ocr kg stats --format table
# Example Output:
# Graph Statistics:
# Total nodes: 234
# Total edges: 8,456
# Node types: Firewall, Rule, Zone, VLAN, Policy
# Edge types: HAS_RULE, CONNECTS_TO, ENFORCES
Step 3: PCI-DSS Compliance Analysis¶
# Query for network segmentation violations using Cypher
netintel-ocr kg query \
"MATCH (ce:Zone {name: 'Customer_Edge'})-[r]-(other:Zone)
WHERE NOT exists(r.firewall) AND other.tenant <> ce.tenant
RETURN ce, r, other" \
--format json > analysis/segmentation_violations.json
# Find any-any firewall rules (security risk)
netintel-ocr kg query \
"MATCH (fw:Firewall)-[:HAS_RULE]->(r:Rule)
WHERE r.source = 'any' AND r.destination = 'any'
RETURN fw.name as firewall, count(r) as any_any_rules
ORDER BY any_any_rules DESC" \
--format json > analysis/any_any_rules.json
# Query for unencrypted protocols in sensitive zones
netintel-ocr kg query \
"MATCH (s:Service)
WHERE s.protocol IN ['telnet', 'ftp', 'http', 'snmp-v1']
AND s.zone IN ['Customer_Edge', 'DMZ']
RETURN s.name, s.protocol, s.port" \
--format json > analysis/unencrypted_services.json
# Use hybrid search to find compliance issues
netintel-ocr kg hybrid-search \
"PCI-DSS compliance violations firewall rules" \
--strategy adaptive \
--limit 50 > analysis/compliance_issues.json
# Output:
# PCI-DSS Compliance Score: 78%
#
# Critical Violations: 3
# - Cross-tenant data leakage path detected (SP Req 1.3.1)
# - Missing inter-tenant segmentation controls (SP Req 1.3.4)
# - Unencrypted management protocols on provider edge (SP Req 2.3)
#
# High Risk: 8
# Medium Risk: 15
# Low Risk: 42
Step 4: Configuration Analysis Using Embeddings¶
# Train embeddings on security configurations
netintel-ocr kg train-embeddings \
--model ComplEx \
--epochs 150 \
--force
# Find similar firewall configurations using KG embeddings
netintel-ocr kg find-similar "FW-Template-PCI" \
--limit 20 \
--threshold 0.85 > analysis/similar_configs.json
# Compare configurations between firewalls
netintel-ocr kg similarity "FW-PROD-01" "FW-DR-01" \
--method cosine > analysis/config_similarity.txt
# Cluster firewalls by configuration similarity
netintel-ocr kg cluster \
--n-clusters 5 \
--method kmeans > analysis/firewall_clusters.json
# Visualize configuration landscape
netintel-ocr kg visualize \
--method tsne \
--dimensions 2 \
--color-by type \
--save-plot analysis/config_landscape.png
# Show drift summary
cat analysis/config_drift.json | jq '.drift_summary'
# Output:
# {
# "total_devices": 234,
# "compliant": 187,
# "drift_detected": 47,
# "critical_drift": 12,
# "parameters_changed": {
# "acl_rules": 23,
# "nat_policies": 15,
# "logging_config": 34,
# "timeout_values": 18
# }
# }
# Generate detailed comparison for each firewall
for fw in $(cat analysis/firewall_clusters.json | jq -r '.outliers[].name'); do
netintel-ocr kg similarity "$fw" "FW-Template-PCI" \
--method cosine > "analysis/drift/${fw}_similarity.txt"
# Query for specific configuration differences
netintel-ocr kg query \
"MATCH (fw:Firewall {name:'$fw'})-[:HAS_CONFIG]->(c:Config)
RETURN c.parameter, c.value" \
--format json > "analysis/drift/${fw}_config.json"
done
Step 5: Access Path Analysis¶
# Find paths between security zones
netintel-ocr kg path-find "Internet" "Database_Zone" \
--max-depth 5 \
--bidirectional > analysis/access_paths.json
# Find all paths from DMZ to internal resources
netintel-ocr kg query \
"MATCH p=(dmz:Zone {name:'DMZ'})-[*1..5]->(internal:Zone)
WHERE internal.classification = 'internal'
RETURN p" \
--format json > analysis/dmz_paths.json
# Query for potential security violations
netintel-ocr kg query \
"MATCH (external)-[:ALLOWS_ACCESS]->(internal)
WHERE external.trust_level < internal.trust_level
RETURN external, internal" \
--format json > analysis/trust_violations.json
# Use RAG to analyze security posture
netintel-ocr kg rag-query \
"What are the security risks in the current network configuration?" \
--mode hybrid \
--context-depth 3 > analysis/security_analysis.txt
# View critical findings
grep -E "CRITICAL|HIGH" analysis/zero_trust_audit.json | head -20
Step 6: Analysis and Reporting¶
# Export the security knowledge graph
netintel-ocr kg export \
--format cypher \
--output analysis/security_graph.cypher
# Export with embeddings for further analysis
netintel-ocr kg export \
--format json \
--include-embeddings \
--output analysis/full_security_graph.json
# Generate remediation recommendations using RAG
netintel-ocr kg rag-query \
"Based on the any-any rules found, generate Cisco IOS commands to fix them" \
--mode hybrid \
--temperature 0.3 > remediation/fix_any_any_rules.txt
# Query for specific remediation guidance
netintel-ocr kg rag-query \
"How to implement network segmentation between Customer_Edge and Core_Network?" \
--mode hybrid > remediation/segmentation_guide.txt
# Create remediation report combining multiple analyses
cat > remediation/report.md << 'EOF'
# Security Remediation Report
## Critical Findings
$(cat analysis/any_any_rules.json | jq -r '.[] | "- " + .firewall + ": " + (.any_any_rules|tostring) + " any-any rules"')
## Unencrypted Services
$(cat analysis/unencrypted_services.json | jq -r '.[] | "- " + .name + " (" + .protocol + ")"')
## Recommendations
$(cat remediation/fix_any_any_rules.txt)
EOF
Advanced Compliance Queries¶
Finding Policy Violations¶
# Query for any-any rules (already shown above)
netintel-ocr kg query \
"MATCH (fw:Firewall)-[:HAS_RULE]->(r:Rule)
WHERE r.source = 'any' AND r.destination = 'any'
RETURN fw.name as firewall, count(r) as any_any_rules
ORDER BY any_any_rules DESC"
# Find services without encryption
netintel-ocr kg query \
"MATCH (s:Service)
WHERE s.protocol IN ['telnet', 'ftp', 'http', 'snmp-v1', 'snmp-v2']
AND s.zone IN ['Customer_Edge', 'Service_Provider_Edge']
RETURN s.name, s.protocol, s.port, s.tenant"
Configuration Analysis¶
# Compare firewall configurations using embeddings
netintel-ocr kg similarity "FW-PROD-01" "FW-DR-01" \
--method cosine
# Find similar devices to identify configuration patterns
netintel-ocr kg find-similar "FW-PROD-01" \
--limit 10 \
--threshold 0.8
# Use clustering to find configuration outliers
netintel-ocr kg cluster \
--n-clusters 10 \
--method dbscan \
--min-samples 3 \
--eps 0.3
Compliance Analysis¶
# Use batch queries for compliance checks
cat > compliance_queries.txt << 'EOF'
How many any-any firewall rules exist?
What unencrypted protocols are in use?
Which zones lack proper segmentation?
What are the highest risk configurations?
EOF
netintel-ocr kg batch-query compliance_queries.txt \
--output analysis/compliance_batch.json \
--parallel 4
# Classify security-related queries
netintel-ocr kg classify-query "firewall rules violating PCI-DSS"
netintel-ocr kg classify-query "unencrypted services in DMZ"
# Compare different analysis strategies
netintel-ocr kg compare-strategies \
"security compliance violations in network configuration" \
--detailed \
--format json > analysis/strategy_comparison.json
Reporting and Evidence¶
# Export full knowledge graph for reporting
netintel-ocr kg export \
--format json \
--include-embeddings \
--output analysis/full_audit_graph.json
# Export as Cypher for graph database import
netintel-ocr kg export \
--format cypher \
--output analysis/audit_graph.cypher
# Export as GraphML for visualization tools
netintel-ocr kg export \
--format graphml \
--output analysis/audit_graph.graphml
# Generate statistics summary
netintel-ocr kg stats --format json > analysis/final_stats.json
netintel-ocr kg embedding-stats --detailed > analysis/embedding_report.txt
# Create visualizations
netintel-ocr kg visualize \
--method pca \
--dimensions 3 \
--color-by type \
--output analysis/3d_security_landscape.html
# Generate compliance evidence using RAG
netintel-ocr kg rag-query \
"Generate a PCI-DSS compliance summary based on the analyzed configurations" \
--mode hybrid \
--context-depth 5 > analysis/compliance_summary.txt
Performance Analysis¶
# View embedding statistics for performance insights
netintel-ocr kg embedding-stats \
--detailed > analysis/performance_metrics.txt
# Analyze query performance
time netintel-ocr kg query \
"MATCH (n) RETURN count(n)" \
--format json
# Test hybrid search performance
time netintel-ocr kg hybrid-search \
"complex security compliance query" \
--strategy parallel \
--limit 100
# Get comprehensive statistics
netintel-ocr kg stats --format summary
Key Findings¶
Compliance Status¶
- PCI-DSS Score: 78% (target: 95%)
- Critical violations: 3 requiring immediate action
- Configuration drift: 47 devices (20%)
- Unauthorized access paths: 12 discovered
Security Insights¶
- Firewall rules analyzed: 8,456
- Any-any rules found: 23 (critical risk)
- Unencrypted protocols: 15 in sensitive zones
- Missing segmentation: 5 network segments
Remediation Impact¶
- Scripts generated: 156 automated fixes
- Estimated remediation time: 2 days (vs 3 weeks manual)
- Risk reduction: 67% after remediation
- Compliance improvement: 78% → 92% projected
Commands Reference¶
# Essential compliance analysis commands (using actual available commands)
netintel-ocr kg init # Initialize KG system
netintel-ocr kg process document.pdf # Process with KG
netintel-ocr kg train-embeddings --model ComplEx # Train embeddings
netintel-ocr kg query "[Cypher query]" # Query graph
netintel-ocr kg find-similar "[entity]" # Find similar configs
netintel-ocr kg cluster --method kmeans # Cluster configurations
netintel-ocr kg path-find "[from]" "[to]" # Find access paths
netintel-ocr kg rag-query "[compliance question]" # Analyze with RAG
netintel-ocr kg hybrid-search "[search query]" # Hybrid search
netintel-ocr kg export --format json # Export graph