Security

assets and identities

Chiranjeev
Explorer

Currently, for asset correlation with IPs we have Infoblox, but that only works when we are on the company premises and the IP assigned to the asset is part of the company network. When someone works from home and the IP of the asset changes due to their personal internet, that IP does not get added to the asset lookup, as it's not part of the Infoblox flow.

I was thinking of maybe using Zscaler to add IP details for the asset, but if there is any successful way someone has used to mitigate this, it would be helpful.

 

 

0 Karma

antoniolamonica
SplunkTrust

a potential solution:

you can create a lookup file that performs a dnslookup of your IP/host, assuming your IP/asset info is reachable by the same DNS servers as your co-workers.

index=yourindex sourcetype=yoursourcetype <specify your filters here>
| lookup dnslookup clientip AS youripfield OUTPUTNEW clienthost AS yourassetfield

or inverse

| lookup dnslookup clienthost AS yourassetfield OUTPUTNEW clientip AS youripfield

| stats count BY youripfield, yourassetfield
| table youripfield, yourassetfield
| outputlookup nameOflookup.csv append=false

Save this as a report (OUTPUT_IP_Asset_Correlation) and set a schedule on it (daily, weekly, whichever frequency works for you).

Then in your actual query, do a lookup against the generated lookup:

index=yourindex sourcetype=yoursourcetype <specify your filters here>
| lookup nameOflookup.csv youripfield AS IP OUTPUTNEW yourassetfield AS host (or whatever field you need it to be)
or
| lookup nameOflookup.csv yourassetfield AS Asset OUTPUTNEW youripfield AS ip (or whatever field you need it to be)

...

https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/Lookup
https://community.splunk.com/t5/Splunk-Search/DNS-Lookup-via-Splunk/m-p/72304

0 Karma

PickleRick
SplunkTrust

Maintaining dynamic assets is a bit of a difficulty. Since you're talking about Assets and Identities, I assume you're talking about Enterprise Security. But you have to ask yourself what you want from such an asset database. Because if users are using dynamic IPs (as is typical for consumer internet connections), such a database built on single-time connections will be very unreliable and quickly outdated.

So it's not only about how to build such a database (because that's probably down to using some more or less clever scripting to retrieve the data from - for example - company webserver logs or the VPN service, save it to a file and push it to ES as an asset lookup), but about what/how you want to use it.
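As an added example (written for this page; it is not code from either reply above nor Splunk's own), here is the kind of script PickleRick describes, built to also address the staleness problem he raises: it replays VPN session events, keeps only the most recent still-active assignment for each IP, ages out assignments older than a cut-off, and writes the result in the Enterprise Security asset lookup column layout so it can be uploaded as an asset lookup in place of the DNS-derived one above. The log line format, field names, hostnames, users and addresses are all assumptions constructed for the example; a real VPN appliance will log differently, so only LINE_RE and the field names should need changing.

```python
"""Build an Enterprise Security style asset lookup from VPN session logs.

Added example, not from the thread. The log format below is constructed
for illustration; real VPN logs (and their field names) will differ.
"""
import csv
import io
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events: a session start assigns an IP to a host, a
# session end releases it. 10.200.0.15 is reused by a second host after
# the first one disconnects, and LAPTOP-DAVE has a start with no end from
# two days earlier (a stale record that should not survive in the lookup).
VPN_LINES = """\
2024-04-29T09:00:00Z vpn session=start user=dave host=LAPTOP-DAVE assigned_ip=10.200.0.99
2024-05-01T08:00:00Z vpn session=start user=alice host=LAPTOP-ALICE assigned_ip=10.200.0.15
2024-05-01T08:05:00Z vpn session=start user=bob host=LAPTOP-BOB assigned_ip=10.200.0.16
2024-05-01T12:00:00Z vpn session=end user=alice host=LAPTOP-ALICE assigned_ip=10.200.0.15
2024-05-01T13:00:00Z vpn session=start user=carol host=LAPTOP-CAROL assigned_ip=10.200.0.15
2024-05-01T13:30:00Z vpn session=start user=alice host=LAPTOP-ALICE assigned_ip=10.200.0.42
"""

# Assumed log format (hypothetical); adjust to the real appliance's output.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) vpn session=(?P<event>start|end)"
    r" user=(?P<user>\S+) host=(?P<host>\S+) assigned_ip=(?P<ip>\S+)$"
)

# Column order of the Enterprise Security asset lookup (assets.csv layout).
ES_ASSET_FIELDS = [
    "ip", "mac", "nt_host", "dns", "owner", "priority", "lat", "long", "city",
    "country", "bunit", "category", "pci_domain", "is_expected",
    "should_timesync", "should_update", "requires_av",
]


def parse_events(text):
    """Parse VPN log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ev["ip"] = str(ipaddress.ip_address(ev["ip"]))  # rejects garbage addresses
        events.append(ev)
    return events


def build_assignments(events, now, max_age):
    """Return {ip: start_event} for sessions still active at `now`.

    Events are replayed in time order so an IP reused by a later session
    maps to the most recent host. An `end` only clears the IP if it comes
    from the host currently holding it, and any assignment older than
    `max_age` is dropped so the lookup does not keep stale entries.
    """
    active = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "start":
            active[ev["ip"]] = ev
        elif active.get(ev["ip"], {}).get("host") == ev["host"]:
            del active[ev["ip"]]
    return {ip: ev for ip, ev in active.items() if now - ev["ts"] <= max_age}


def to_asset_rows(assignments):
    """Convert active assignments into rows with the ES asset columns."""
    rows = []
    for ip in sorted(assignments, key=ipaddress.ip_address):
        ev = assignments[ip]
        row = dict.fromkeys(ES_ASSET_FIELDS, "")
        row.update(ip=ip, nt_host=ev["host"], owner=ev["user"],
                   category="vpn_client", is_expected="true")
        rows.append(row)
    return rows


def render_asset_csv(rows):
    """Serialise rows as the CSV text that would be uploaded to ES as a lookup."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=ES_ASSET_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def example_active_rows(now=datetime(2024, 5, 1, 14, 0, tzinfo=timezone.utc),
                        max_age_hours=12):
    """Run the whole pipeline over the constructed sample and return the rows."""
    active = build_assignments(parse_events(VPN_LINES), now, timedelta(hours=max_age_hours))
    return to_asset_rows(active)


if __name__ == "__main__":
    print(render_asset_csv(example_active_rows()))
```

The cut-off is the important design choice: with a 12-hour window the stale LAPTOP-DAVE session is dropped and 10.200.0.15 resolves to the host that currently holds it, which is exactly the reliability point PickleRick makes about dynamic addresses. Schedule the script (or an equivalent scheduled search) more often than the VPN's lease or session lifetime, otherwise the lookup will lag behind reality.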

Chiranjeev
Explorer

So how can I ensure asset data correlation with logs, as it's based on IPs? Anyway, can it be done with hostname?

0 Karma