https://community.splunk.com/t5/Splunk-Enterprise-Security/Do-I-have-to-disable-asset-lookup-by-cidr/m-p/458158#M6530 <P>Thanks for advice. <BR /> Actually we require enrichment for many sourcetypes and it should be not by cidr but strict by ip. That's what asset_lookup_by_str does. <BR /> In provided recomendation there's no ability to choose sourcetypes for asset_lookup_by_cidr separately from asset_lookup_by_str (at least for ES ver. 4.7, that we have). <BR /> Looks like I'll rename output fields for default : LOOKUP-zv-asset_lookup_by_cidr-dest(dvc,src)</P> Tue, 29 Sep 2020 20:37:39 GMT evelenke 2020-09-29T20:37:39Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Do-I-have-to-disable-asset-lookup-by-cidr/m-p/458156#M6528 <P>Hi Splunkers,</P> <P>In our alerts related to Network domain (IDS, netflow, etc), where in logs there's only IP address available we try to enrich IP addresses with all possible data - src_owner, src_dns etc. <BR /> src_dns may be correlated from DHCP ACK events or DNS lookup.<BR /> But for many assets, like mobile or VMs no authentication may be performed and so there are no source to enrich with src_owner value.</P> <P>As result owner gets populated from asset_lookup_by_cidr, which is obviously not an appropriate value.</P> <P>What is purpose and main use case of this lookup in general?<BR /> As of now I think it's better to take away at least dns, mac and owner population from this automatic lookup</P> Tue, 29 Sep 2020 20:36:56 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Do-I-have-to-disable-asset-lookup-by-cidr/m-p/458156#M6528 evelenke 2020-09-29T20:36:56Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Do-I-have-to-disable-asset-lookup-by-cidr/m-p/458157#M6529 <P>You could choose to enable it selectively by sourcetype, so that the enrichment only occurs for the sourcetypes where it is valuable. See <A href="https://docs.splunk.com/Documentation/ES/5.1.0/Admin/Configureassetandidentitycorrelation">https://docs.splunk.com/Documentation/ES/5.1.0/Admin/Configureassetandidentitycorrelation</A> for the instructions.</P> Thu, 26 Jul 2018 17:18:35 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Do-I-have-to-disable-asset-lookup-by-cidr/m-p/458157#M6529 smoir_splunk 2018-07-26T17:18:35Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Do-I-have-to-disable-asset-lookup-by-cidr/m-p/458158#M6530 <P>Thanks for advice. <BR /> Actually we require enrichment for many sourcetypes and it should be not by cidr but strict by ip. That's what asset_lookup_by_str does. <BR /> In provided recomendation there's no ability to choose sourcetypes for asset_lookup_by_cidr separately from asset_lookup_by_str (at least for ES ver. 4.7, that we have). <BR /> Looks like I'll rename output fields for default : LOOKUP-zv-asset_lookup_by_cidr-dest(dvc,src)</P> Tue, 29 Sep 2020 20:37:39 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Do-I-have-to-disable-asset-lookup-by-cidr/m-p/458158#M6530 evelenke 2020-09-29T20:37:39Z