Currently, for asset correlation with IPs we have Infoblox, but that only works when we are on company premises and the IP assigned to the asset is part of the company network. When someone works from home and the IP of the asset changes due to their personal internet, that IP does not get added to the asset lookup as it's not part of the Infoblox flow.
I was thinking maybe of using Zscaler to add IP details for the asset, but if there is any successful way someone has used to mitigate this, it would be helpful.
a potential solution:
You can create a lookup file that performs a dnslookup of your IP/host, assuming your IP/asset info is reachable to the same DNS servers as your co-workers.
"
index=yourindex sourcetype=yoursourcetype
```specify your filters here```
| lookup dnslookup clientip AS youripfield OUTPUTNEW clienthost AS yourassetfield
```or the inverse, when you start from the hostname:```
```| lookup dnslookup clienthost AS yourassetfield OUTPUTNEW clientip AS youripfield```
```stats needs an aggregation; count keeps one row per ip/asset pair```
| stats count BY youripfield, yourassetfield
| table youripfield, yourassetfield
| outputlookup nameOflookup.csv append=false
"
Save this as a report (OUTPUT_IP_Asset_Correlation) and set a schedule for it (daily, weekly, whichever frequency works for you).
Then in your actual query, do a lookup against the generated lookup.
"
index=yourindex sourcetype=yoursourcetype
```specify your filters here```
```the lookup command takes a lookup definition name, so define one that points at nameOflookup.csv```
| lookup nameOflookup youripfield AS IP OUTPUTNEW yourassetfield AS host
```or, matching on the asset name instead (rename host to whatever field you need):```
```| lookup nameOflookup yourassetfield AS Asset OUTPUTNEW youripfield AS IP```
...
"
https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/Lookup
https://community.splunk.com/t5/Splunk-Search/DNS-Lookup-via-Splunk/m-p/72304
Maintaining dynamic assets is a bit difficult. Since you're talking about Assets and Identities, I assume you're talking about Enterprise Security. But you have to ask yourself what you want from such an asset database. Because if users are using dynamic IPs (as is typical for consumer internet connections), such a database built on single-time connections will be very unreliable and quickly outdated.
So it's not only about how to build such a database (because that's probably down to using some more or less clever scripting to retrieve the data from, for example, company webserver logs or the VPN service, save it to a file and push it to ES as an asset lookup) but about what you want to use it for and how.
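The two answers above describe building an ip/host lookup from logs on a schedule and warn that a snapshot of dynamic IPs goes stale and gets reused. The script below is an added example, not code from this thread, from Splunk or from Infoblox, and it is written in Python rather than SPL so it runs outside Splunk. It parses constructed VPN-gateway log lines, keeps every sighting of an IP rather than only the latest, resolves an event to the asset that held the IP at the event's time, treats sightings older than a maximum age as unknown, prefers a hostname when the event already carries one, and renders the same ip,host CSV a scheduled report would write. The log format, hostnames, addresses and the 7-day age limit are all assumptions.

```python
"""Time-aware IP-to-asset correlation for roaming endpoints (added example)."""
import csv
import io
import re
from bisect import bisect_right
from datetime import datetime, timedelta, timezone

# Constructed sample log lines from a hypothetical VPN gateway.
# Note 10.20.1.22 is reused: bob on May 1, carol on May 3.
SAMPLE_LOG = """\
2024-05-01T08:00:00Z vpn-gw user=alice host=LAPTOP-ALICE ip=10.20.1.15
2024-05-01T09:30:00Z vpn-gw user=bob host=LAPTOP-BOB ip=10.20.1.22
2024-05-03T07:45:00Z vpn-gw user=alice host=LAPTOP-ALICE ip=10.20.1.40
2024-05-03T10:10:00Z vpn-gw user=carol host=LAPTOP-CAROL ip=10.20.1.22
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) \S+ "
    r"user=\S+ host=(?P<host>\S+) ip=(?P<ip>\S+)$"
)
MAX_AGE = timedelta(days=7)  # assumed: older mappings of a dynamic IP are not trusted


def parse_ts(s):
    """Parse the constructed log's UTC timestamp format."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Yield (timestamp, host, ip) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield parse_ts(m["ts"]), m["host"], m["ip"]


def build_ip_history(text):
    """Map each IP to its sightings sorted by time: {ip: [(ts, host), ...]}."""
    history = {}
    for ts, host, ip in parse_log(text):
        history.setdefault(ip, []).append((ts, host))
    for sightings in history.values():
        sightings.sort()
    return history


def sighting_at(history, ip, when, max_age=MAX_AGE):
    """Latest (ts, host) for ip at or before `when`, or None if absent or stale."""
    sightings = history.get(ip)
    if not sightings:
        return None
    idx = bisect_right([ts for ts, _ in sightings], when) - 1
    if idx < 0:
        return None
    ts, host = sightings[idx]
    return None if when - ts > max_age else (ts, host)


def asset_at(history, ip, when, max_age=MAX_AGE):
    """Host that held ip at time `when`, or None."""
    hit = sighting_at(history, ip, when, max_age)
    return hit[1] if hit else None


def correlate(event, history, max_age=MAX_AGE):
    """Resolve an event to (asset, method); method is 'host', 'ip' or 'none'.

    A hostname carried by the event is stable across home and office networks,
    so it wins; the IP lookup is only the fallback.
    """
    if event.get("host"):
        return event["host"], "host"
    host = asset_at(history, event.get("ip"), event["ts"], max_age)
    return (host, "ip") if host else (None, "none")


def snapshot_csv(history, now, max_age=MAX_AGE):
    """Render ip,host,last_seen as a scheduled report would write it at `now`."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["ip", "host", "last_seen"])
    for ip in sorted(history):
        hit = sighting_at(history, ip, now, max_age)
        if hit:
            w.writerow([ip, hit[1], hit[0].strftime("%Y-%m-%dT%H:%M:%SZ")])
    return buf.getvalue()


if __name__ == "__main__":
    hist = build_ip_history(SAMPLE_LOG)
    print(snapshot_csv(hist, parse_ts("2024-05-04T00:00:00Z")))
    print(correlate({"ts": parse_ts("2024-05-02T12:00:00Z"), "ip": "10.20.1.22"}, hist))
```

The point of keeping the full history is visible with the reused address: an event from May 2 on 10.20.1.22 resolves to LAPTOP-BOB, while a flat snapshot taken on May 4 would attribute it to LAPTOP-CAROL. Feeding the snapshot CSV to Splunk as the lookup is fine for enrichment at search time, but incident timelines should use the time of the event, not the time the lookup was generated.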
So how can I ensure asset data correlation with logs, as it's based on IPs? Anyway, can it be done with hostname?