Splunk Enterprise Security

How does Splunk Enterprise Security asset lookup handle lookups of additional details for incidents with dynamic IPs?


We are currently running the SecKit for AWS asset run on a schedule to create the AWS assets lookup table.

Now, for the ELB, the IP changes automatically after some time. For example, 192.168.1.70 is mapped to host1.fqdn today.

An incident happens for the 192.168.1.70 IP, and it is able to show host1.fqdn as the hostname/FQDN of that IP under the Incident Review additional details section.

Tomorrow, 192.168.2.90 is used for the host1.fqdn ELB. If I go and check yesterday's incident for the 192.168.1.70 IP, will it still show host1.fqdn as the hostname/FQDN, or will it not show any hostname/FQDN, as that IP is not mapped to any host/FQDN anymore?

How can we retain the original hostname / original mapping fields for an incident in the additional fields of the Incident Review section for this kind of scenario?

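The scenario in the question, as an added illustration (not part of the original post and not a description of how Splunk ES or the SecKit lookup actually behaves): a plain "current mapping" lookup loses the answer for 192.168.1.70 once the ELB moves to 192.168.2.90, while a point-in-time lookup over a validity-windowed asset history still resolves the IP as it was when the incident occurred. The asset history rows, dates and `enrich_incident` helper are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass(frozen=True)
class AssetRecord:
    """One observed ip -> fqdn mapping with the window in which it was valid."""
    ip: str
    fqdn: str
    valid_from: datetime
    valid_to: Optional[datetime]  # None means the mapping is still current

# Constructed asset history (hypothetical): the ELB host1.fqdn sat on
# 192.168.1.70 on day 1 and moved to 192.168.2.90 on day 2.
ASSET_HISTORY = [
    AssetRecord("192.168.1.70", "host1.fqdn", datetime(2021, 2, 1), datetime(2021, 2, 2)),
    AssetRecord("192.168.2.90", "host1.fqdn", datetime(2021, 2, 2), None),
]

def lookup_current(ip: str, history=ASSET_HISTORY) -> Optional[str]:
    """Plain lookup against the current table: only rows still in force match."""
    for rec in history:
        if rec.ip == ip and rec.valid_to is None:
            return rec.fqdn
    return None

def lookup_at(ip: str, when_iso: str, history=ASSET_HISTORY) -> Optional[str]:
    """Point-in-time lookup: the row whose validity window contains the incident time."""
    when = datetime.fromisoformat(when_iso)
    for rec in history:
        if rec.ip == ip and rec.valid_from <= when and (rec.valid_to is None or when < rec.valid_to):
            return rec.fqdn
    return None

def enrich_incident(ip: str, occurred_iso: str) -> dict:
    """Resolve the asset at incident time and store it with the incident so later
    changes to the asset table cannot alter what the analyst saw."""
    return {
        "src_ip": ip,
        "occurred": occurred_iso,
        "asset_fqdn_at_incident": lookup_at(ip, occurred_iso),
    }
```

The stored `asset_fqdn_at_incident` field is what survives a later IP reassignment; a display-time lookup against the live table would not.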