Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Do I have to disable asset_lookup_by_cidr?

evelenke
Contributor
‎07-26-2018 09:59 AM

Hi Splunkers,

In our alerts related to Network domain (IDS, netflow, etc), where in logs there's only IP address available we try to enrich IP addresses with all possible data - src_owner, src_dns etc.
src_dns may be correlated from DHCP ACK events or DNS lookup.
But for many assets, like mobile or VMs no authentication may be performed and so there are no source to enrich with src_owner value.

As result owner gets populated from asset_lookup_by_cidr, which is obviously not an appropriate value.

What is purpose and main use case of this lookup in general?
As of now I think it's better to take away at least dns, mac and owner population from this automatic lookup

0 Karma
Reply

smoir_splunk
Splunk Employee
Splunk Employee
‎07-26-2018 10:18 AM

You could choose to enable it selectively by sourcetype, so that the enrichment only occurs for the sourcetypes where it is valuable. See https://docs.splunk.com/Documentation/ES/5.1.0/Admin/Configureassetandidentitycorrelation for the instructions.

0 Karma
Reply

evelenke
Contributor
‎07-27-2018 08:00 AM

Thanks for advice.
Actually we require enrichment for many sourcetypes and it should be not by cidr but strict by ip. That's what asset_lookup_by_str does.
In provided recomendation there's no ability to choose sourcetypes for asset_lookup_by_cidr separately from asset_lookup_by_str (at least for ES ver. 4.7, that we have).
Looks like I'll rename output fields for default : LOOKUP-zv-asset_lookup_by_cidr-dest(dvc,src)

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey


Introducing Unified TDIR with the New Enterprise Security 8.2

Read the blog

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...