assets and identities

Chiranjeev
Explorer

Currently, for asset correlation with IPs, we have Infoblox, but that only works when we are on the company premises and the IP assigned to the asset is part of the company network. When someone works from home and the IP of the asset changes due to their personal internet connection, that IP does not get added to the asset lookup, as it's not part of the Infoblox flow.

I was thinking of maybe using Zscaler to add IP details for the asset, but if there is any successful way someone has used to mitigate this, it would be helpful.


antoniolamonica
Explorer

A potential solution:

You can create a lookup file that performs a DNS lookup of your IP/host, assuming your IP/asset info is resolvable by the same DNS servers your co-workers use.
"
index=yourindex sourcetype=yoursourcetype
| search <your filters here>
| lookup dnslookup clientip AS youripfield OUTPUTNEW clienthost AS yourassetfield

or inverse

| lookup dnslookup clienthost AS yourassetfield OUTPUTNEW clientip AS youripfield

| stats count BY youripfield, yourassetfield
| table youripfield, yourassetfield
| outputlookup nameOflookup.csv append=false
"

Save this as a report (OUTPUT_IP_Asset_Correlation) and set a schedule for it (daily, weekly, whichever frequency works for you).

Then, in your actual query, do a lookup against the generated lookup file.
"
index=yourindex sourcetype=yoursourcetype
| search <your filters here>
| lookup nameOflookup.csv youripfield AS IP OUTPUTNEW yourassetfield AS host
or
| lookup nameOflookup.csv yourassetfield AS Asset OUTPUTNEW youripfield AS host
(or whatever output field name you need it to be)

...
"

https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/Lookup
https://community.splunk.com/t5/Splunk-Search/DNS-Lookup-via-Splunk/m-p/72304


PickleRick
SplunkTrust

Maintaining dynamic assets is a bit of a difficulty. Since you're talking about Assets and Identities, I assume you're talking about Enterprise Security. But you have to ask yourself what you want from such an asset database. Because if users are using dynamic IPs (as is typical for consumer internet connections), such a database built on single-time connections will be very unreliable and quickly outdated.

So it's not only about how to build such a database (because that's probably down to using some more or less clever scripting to retrieve the data from, for example, company webserver logs or the VPN service, save it to a file and push it to ES as an asset lookup) but about what/how you want to use it.
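As an added example (not code from this thread or from Splunk), here is the kind of script PickleRick alludes to, and a programmatic counterpart to the scheduled lookup antoniolamonica describes: it derives host-to-IP mappings from VPN session logs, drops released or stale leases so the dynamic-IP staleness problem stays bounded, and writes them in the Splunk ES asset lookup column layout. The VPN log format, the field names in it, the sample lines and the 12-hour expiry are assumptions made for this example.

```python
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Column order of the Splunk ES asset lookup (assets.csv); multivalues are pipe-delimited.
ES_ASSET_FIELDS = ["ip", "mac", "nt_host", "dns", "owner", "priority", "lat", "long", "city",
                   "country", "bunit", "category", "pci_domain", "is_expected",
                   "should_timesync", "should_update", "requires_av"]

# Hypothetical VPN session log format and constructed sample, assumed for this example only.
LINE_RE = re.compile(r"^(?P<ts>\S+) vpn session=(?P<event>start|stop) user=(?P<user>\S+) "
                     r"host=(?P<host>\S+) assigned_ip=(?P<ip>\d+\.\d+\.\d+\.\d+)$")
SAMPLE_VPN_LOG = """\
2024-12-10T07:58:12+00:00 vpn session=start user=alice host=LAPTOP-01 assigned_ip=10.99.0.15
2024-12-10T08:02:45+00:00 vpn session=start user=bob host=laptop-07 assigned_ip=10.99.0.16
2024-12-10T09:30:00+00:00 vpn session=stop user=alice host=LAPTOP-01 assigned_ip=10.99.0.15
2024-12-10T09:31:10+00:00 vpn session=start user=alice host=LAPTOP-01 assigned_ip=10.99.0.21
2024-12-09T14:00:00+00:00 vpn session=start user=carol host=laptop-03 assigned_ip=10.99.0.15
not a vpn line, ignored
""".splitlines()
NOW = datetime(2024, 12, 10, 10, 0, tzinfo=timezone.utc)

def latest_sessions(lines, now, max_age=timedelta(hours=12)):
    """host -> (ip, user, ts) for the newest active lease; released or stale leases are dropped."""
    sessions = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip rather than guess an IP
        ts, host = datetime.fromisoformat(m["ts"]), m["host"].lower()
        prev = sessions.get(host)
        if prev is not None and ts < prev[2]:
            continue  # out-of-order older event: newer state is already recorded
        if m["event"] == "stop":
            sessions.pop(host, None)  # lease released; the IP may be reassigned to another host
        else:
            sessions[host] = (m["ip"], m["user"], ts)
    return {h: v for h, v in sessions.items() if now - v[2] <= max_age}

def to_es_asset_csv(sessions):
    """Serialise the active leases as an ES asset lookup CSV, ready to push as a lookup file."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=ES_ASSET_FIELDS, lineterminator="\n")
    w.writeheader()
    for host, (ip, user, _) in sorted(sessions.items()):
        w.writerow({"ip": ip, "nt_host": host, "dns": host, "owner": user, "priority": "medium",
                    "category": "vpn|remote", "is_expected": "true", "should_timesync": "true",
                    "should_update": "true", "requires_av": "true"})
    return buf.getvalue()
```

Run on the sample, laptop-01 maps to its newest lease 10.99.0.21, laptop-03 is dropped as stale, and the reused IP 10.99.0.15 never lands on the wrong host; schedule the script at the same cadence as the lookup refresh so the table ages out with the leases.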

Chiranjeev
Explorer

So how can I ensure asset data correlation with logs, as it's based on IPs? Anyway, can it be done with hostname?
