https://community.splunk.com/t5/Splunk-Enterprise-Security/What-is-the-best-practice-for-building-a-Splunk-Enterprise/m-p/280129#M2267 <P>What is the best way for Enterprise Security to handle assets that are assigned DHCP addresses? Obviously the MAC address and the hostname should be fairly "stable", but what about IPs? If the DHCP leases are short, a host could get multiple IPs over the course of a month or so.</P> <P>Do we just use the most recently assigned IP? Do we add a week or a month's worth of IPs to a single asset? What's the best practice?</P> <P>Thx.</P> Wed, 14 Dec 2016 18:53:45 GMT responsys_cm 2016-12-14T18:53:45Z https://community.splunk.com/t5/Splunk-Enterprise-Security/What-is-the-best-practice-for-building-a-Splunk-Enterprise/m-p/280129#M2267 <P>What is the best way for Enterprise Security to handle assets that are assigned DHCP addresses? Obviously the MAC address and the hostname should be fairly "stable", but what about IPs? If the DHCP leases are short, a host could get multiple IPs over the course of a month or so.</P> <P>Do we just use the most recently assigned IP? Do we add a week or a month's worth of IPs to a single asset? What's the best practice?</P> <P>Thx.</P> Wed, 14 Dec 2016 18:53:45 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/What-is-the-best-practice-for-building-a-Splunk-Enterprise/m-p/280129#M2267 responsys_cm 2016-12-14T18:53:45Z https://community.splunk.com/t5/Splunk-Enterprise-Security/What-is-the-best-practice-for-building-a-Splunk-Enterprise/m-p/280130#M2268 <P>Most recent IP. However, best practice would be to not use DHCP data (only) to build your asset list for Enterprise Security.</P> <P>Here are the fields needed:<BR /> ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av</P> <P>Reference:<BR /> <A href="http://docs.splunk.com/Documentation/ES/4.5.1/User/AssetandIdentityLookupReference" target="_blank">http://docs.splunk.com/Documentation/ES/4.5.1/User/AssetandIdentityLookupReference</A></P> <P>DHCP data will only get you the first four fields. Combine it with Active Directory, SCCM, McAfee ePO and etc., would get your better results.</P> Tue, 29 Sep 2020 12:07:52 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/What-is-the-best-practice-for-building-a-Splunk-Enterprise/m-p/280130#M2268 quihong 2020-09-29T12:07:52Z https://community.splunk.com/t5/Splunk-Enterprise-Security/What-is-the-best-practice-for-building-a-Splunk-Enterprise/m-p/280131#M2269 <P>A minimum best practice would be to add DHCP as IP ranges and set the category accordingly. If the Pools are limited in location where they are used I would also populate the location fields for the entries. You won't have host name matches but at least you can match on the IPs if they occur in network and IDS type logs.</P> <P><A href="http://docs.splunk.com/Documentation/ES/4.6.0/User/AssetandIdentityLookupReference">http://docs.splunk.com/Documentation/ES/4.6.0/User/AssetandIdentityLookupReference</A></P> <P>You could optionally have a DHCP specific asset table with NO ips but include all host names and mac addresses. ES will cook all the asset information together. If something shows up as an IP you would get the information derived from the CIDR of the pool but no host name. If it shows in logs by name you would get that asset detail but without IP address.</P> Thu, 09 Feb 2017 00:37:24 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/What-is-the-best-practice-for-building-a-Splunk-Enterprise/m-p/280131#M2269 starcher 2017-02-09T00:37:24Z https://community.splunk.com/t5/Splunk-Enterprise-Security/What-is-the-best-practice-for-building-a-Splunk-Enterprise/m-p/280132#M2270 <P>You could also leverage the DHCP to maintain a time based lookup and apply within the specific searches as needed.</P> Sat, 11 Feb 2017 12:31:30 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/What-is-the-best-practice-for-building-a-Splunk-Enterprise/m-p/280132#M2270 starcher 2017-02-11T12:31:30Z