topic What is the best way to build searches and alerting in a Hyper-V environment in which VMs pull MAC address ? in Splunk Enterprise Security

What is the best way to build searches and alerting in a Hyper-V environment in which VMs pull MAC address ?

gg74 — Tue, 09 May 2023 06:07:44 GMT

What is the best way to deal with building searches and alerting in a Hyper-V environment in which VMs pull MAC address from a pool controlled by the cluster nodes? Is setting all of my VMs to use static MAC addresses best practice (this is a large undertaking and would require maintenance) or is there a better way to do this? Should I rely on another variable to track these assets?

Re: What is the best way to build searches and alerting in a Hyper-V environment in which VMs pull MAC address ?

ITWhisperer — Tue, 09 May 2023 06:10:02 GMT

If you want a deterministic way to track assets, don't use a non-deterministic way of identifying the assets.

Re: What is the best way to build searches and alerting in a Hyper-V environment in which VMs pull MAC address ?

gg74 — Tue, 09 May 2023 11:55:57 GMT

Is there a better variable to use than the MAC address? Something that doesn't rely on manual intervention to set? Is the GUID or device name the standard? Just looking options I may not be aware of.

Re: What is the best way to build searches and alerting in a Hyper-V environment in which VMs pull MAC address ?

ITWhisperer — Tue, 09 May 2023 12:06:55 GMT

It depends how your assets are set up - often a qualified host name is unique (enough) in your environment to distinguish between different hosts.