Splunk Enterprise Security

How does Splunk Enterprise Security asset lookup handle lookups of additional details for incidents with dynamic IPs?

archme
Explorer

We are currently running the SecKit for AWS asset run on a schedule to create the AWS assets lookup table.

Now, for the ELB, the IP changes automatically after some time. For example, 192.168.1.70 is mapped to host1.fqdn today.

An incident happens for the 192.168.1.70 IP, and it is able to show host1.fqdn as the hostname/FQDN of that IP under the Incident Review additional details section.

Tomorrow, 192.168.2.90 is used for the host1.fqdn ELB. If I go and check yesterday's incident for the 192.168.1.70 IP, will it still show host1.fqdn as the hostname/FQDN, or will it not show any hostname/FQDN, since that IP is no longer mapped to any host/FQDN?

How can we retain the original hostname / original mapping fields for an incident in the additional fields in the Incident Review section for this kind of scenario?

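The scenario in the question, as an added illustration (not Splunk ES, SecKit, or the poster's code): an asset table that is overwritten on each scheduled run answers only "what does this IP map to now", so an incident viewed the next day can lose its original hostname. The example below contrasts three ways of rendering the hostname for an old incident: a live lookup against the current table, a snapshot of the enrichment copied into the incident at creation time, and a time-bounded lookup against an asset history that records when each IP-to-FQDN mapping was valid. All IPs, hostnames, timestamps and field names (`orig_fqdn`, `valid_from`, `valid_to`) are constructed for the example.

```python
"""
Point-in-time asset resolution for incidents whose source IP is reassigned
over time (e.g. an ELB whose IP changes). Constructed example, not Splunk ES
code: the asset history, timestamps and hostnames mirror the question only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class AssetRecord:
    ip: str
    fqdn: str
    valid_from: datetime          # first time this ip -> fqdn mapping was observed
    valid_to: Optional[datetime]  # None means the mapping is still current


@dataclass
class Incident:
    ip: str
    created_at: datetime
    # Enrichment copied into the incident when it is created, so it is
    # immune to later changes in the asset table.
    fields: dict = field(default_factory=dict)


def utc(y, m, d, h=0):
    return datetime(y, m, d, h, tzinfo=timezone.utc)


# Constructed asset history: host1.fqdn sat behind 192.168.1.70 on day 1 and
# moved to 192.168.2.90 on day 2, as described in the question.
ASSET_HISTORY = [
    AssetRecord("192.168.1.70", "host1.fqdn", utc(2024, 1, 1), utc(2024, 1, 2)),
    AssetRecord("192.168.2.90", "host1.fqdn", utc(2024, 1, 2), None),
]


def resolve_current(ip, history=ASSET_HISTORY):
    """Plain lookup: what does the table say about this IP right now?
    A lookup table that is rebuilt on every run only answers this question,
    so it forgets mappings that have since been replaced."""
    for rec in history:
        if rec.ip == ip and rec.valid_to is None:
            return rec.fqdn
    return None


def resolve_at(ip, when, history=ASSET_HISTORY):
    """Time-bounded lookup: which FQDN held this IP at time `when`?"""
    for rec in history:
        if rec.ip != ip or when < rec.valid_from:
            continue
        if rec.valid_to is None or when < rec.valid_to:
            return rec.fqdn
    return None


def create_incident(ip, created_at, history=ASSET_HISTORY):
    """Create an incident and snapshot the asset details into it immediately,
    so the original hostname survives even after the IP is reassigned."""
    inc = Incident(ip=ip, created_at=created_at)
    inc.fields["orig_fqdn"] = resolve_at(ip, created_at, history)
    return inc


def display_fqdn_live(incident, history=ASSET_HISTORY):
    """What a live, non-temporal lookup renders for the incident later on."""
    return resolve_current(incident.ip, history)


def display_fqdn_retained(incident):
    """What the incident shows if the mapping was stored at creation time."""
    return incident.fields.get("orig_fqdn")


def display_fqdn_temporal(incident, history=ASSET_HISTORY):
    """What a time-bounded lookup renders, using the incident's own time."""
    return resolve_at(incident.ip, incident.created_at, history)


if __name__ == "__main__":
    # Incident raised on day 1; viewed after the IP moved on day 2.
    inc = create_incident("192.168.1.70", utc(2024, 1, 1, 12))
    print("live lookup the next day:", display_fqdn_live(inc))      # None
    print("retained at creation:   ", display_fqdn_retained(inc))  # host1.fqdn
    print("time-bounded lookup:    ", display_fqdn_temporal(inc))  # host1.fqdn
```

The live lookup returns nothing for the old incident because 192.168.1.70 no longer has a current row, while both the retained snapshot and the time-bounded lookup still return host1.fqdn. The snapshot approach needs no history table but only covers fields copied at creation time; the time-bounded approach keeps the lookup live but requires the asset collection job to append dated rows instead of replacing the table.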