Hello,
We have issues merging our dhcp_asset_list (made of DNS record, MAC and IP address) into the Asset & Identity Management subsystem.
I realized that there is a condition in a macro (I rebuilt the macro tree to be clear).
SA-IdentityManagement - Identity - Asset CIDR Matches - Lookup Gen
| `asset_sources`
| `make_assets_cidr`
| outputlookup output_format=splunk_mv_csv asset_lookup_by_cidr
====
| `asset_sources`
| `make_assets` | eval `asset_key_field`=mvfilter(match(`asset_key_field`, `ipv4_cidr_regex`)) | where isnotnull(`asset_key_field`)
| outputlookup output_format=splunk_mv_csv asset_lookup_by_cidr
====
| `asset_sources`
| fillnull value="false" `extra_asset_fields` | `split_mv_asset_fields` | `gen_asset_id(asset_id)` | dedup asset_id | where isnotnull(asset_id) | expandiprange ip | eval `pci_category_meval(category)`, `pci_domain_meval(pci_domain, category)`, `tag_assets_meval` | `generate_asset_key` | fields `asset_key_field`,`asset_fields`
| eval key=mvfilter(match(key, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/(\d|[12]\d|3[012])$")) | where isnotnull(key)
| outputlookup output_format=splunk_mv_csv asset_lookup_by_cidr
But the command expandiprange ip
transforms a fully qualified CIDR like "192.168.1.1/32" into the single IP "192.168.1.1", which does not match the following regex.
So if I do the following request (without expandiprange) it works:
| makeresults | eval ip="192.168.10.20/32" |rename ip as key | eval key=mvfilter(match(key, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/(\d|[12]\d|3[012])$")) | where isnotnull(key)
But with expandiprange it doesn't work:
| makeresults | eval ip="192.168.10.20/32" | expandiprange ip |rename ip as key | eval key=mvfilter(match(key, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/(\d|[12]\d|3[012])$")) | where isnotnull(key)
No results found.
As a workaround we have overridden the macro in one of our apps, but could you update the SA-IdentityManagement app?
Thank you.
Sorry for the 4 year resurrection of the thread, but I was wondering if this led anywhere. Working with lookups for assets and identities in ES and finding issues with the use of / inconsistencies in the way 'make_ip_cidr' operates.
For ES population, I'm trying to use MV in KV stores of assets, as well as delimited csv lookups, but the CIDR matching, make_ip_cidr and expandiprange and the lack of support for /32 is causing issues.
@jeanyvesnolen - One approach would be to create a csv file/lookup which extracts IP, macaddress, hostname and populates other fields [for compliance with the asset format required by ES] from your DHCP logs [defining inputs.conf], and then adding your definition to macros.conf as something like
[asset_sources]
definition= inputlookup append=t yourlookuptransforms_asset | inputlookup append=t yourlookuptransforms_dhcp
This will then merge all your asset related lookups into the asset data. You can then run the search "| assets" to validate them.
So interesting, if you run the search directly in the search bar you get the error I mentioned. However, if you set up your inputs correctly and run the CIDR notation gen, it will populate the CIDR CSV file.
Thanks jeanyvesnolen for the help.
@jbburkes - have you tried 192.168.69.0/24?
Is the app updated? I am also facing this issue.
Setup: Splunk Enterprise running Enterprise Security 5.3.0. If I put in CIDR notation for each asset, for example 192.168.69.2/24 in the IP address field, and then run the Identity - Asset CIDR Matches - Lookup Gen as a search, I get the following error:
Invalid 192.168.69.2/24 is not a valid IP address or CIDR block.
I was going to try and bypass the lookup gen and just put manual entries into assets_by_cidr.csv, but the csv is blank. Does anyone know the format of the assets_by_cidr.csv file?
Hello!
The lookup is generated by the saved search "Identity - Asset CIDR Matches - Lookup Gen":
| `asset_sources` | `make_assets_cidr` | outputlookup output_format=splunk_mv_csv asset_lookup_by_cidr | stats count
The main issue you will get is that the saved search will override any content of asset_lookup_by_cidr (because there is no append=t in the query).
If you want to know exactly the format of the csv, I think the best option you have is to have a look at the "make_assets" macro, which is
fillnull value="false" `extra_asset_fields` | `split_mv_asset_fields` | `gen_asset_id(asset_id)` | dedup asset_id | where isnotnull(asset_id) | expandiprange ip | `ubi_rewrite_ips` | eval `pci_category_meval(category)`, `pci_domain_meval(pci_domain, category)`, `tag_assets_meval` | `generate_asset_key` | fields `asset_key_field`,`asset_fields`
Then what you are looking for is | fields `asset_key_field`,`asset_fields`
You will get the following after resolving all macros:
key, ip, mac, nt_host, dns, owner, priority, lat, long, city, country, bunit, category, pci_domain, is_expected, should_timesync, should_update, requires_av
The key field is the following: key=sha1(strcat(ip, mac, nt_host, dns))
Thanks to the docs you will have the correct format for each field.
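As an added illustration (not code from the thread or from Splunk ES), the following Python models the two points raised above: the original post's observation that expandiprange collapses a /32 to a bare address which the CIDR regex then rejects, and the last reply's description of the key as sha1(strcat(ip, mac, nt_host, dns)). The expandiprange function is a deliberately simplified stand-in for the reported behaviour, the sample rows are constructed, and the handling of missing fields in the hash is an assumption; the regex is the one quoted in the thread. The normalize_cidr step is a possible workaround of re-canonicalising values before the regex filter, not the macro override the poster actually used.

```python
import hashlib
import ipaddress
import re

# The CIDR regex quoted in the thread's "Identity - Asset CIDR Matches - Lookup Gen" expansion.
CIDR_REGEX = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/(\d|[12]\d|3[012])$")

ASSET_FIELDS = ("ip", "mac", "nt_host", "dns")

# Constructed sample rows standing in for a dhcp_asset_list lookup (not real data).
DHCP_ASSETS = [
    {"ip": "192.168.10.20/32", "mac": "00:11:22:33:44:55", "nt_host": "WS01", "dns": "ws01.example.test"},
    {"ip": "192.168.20.0/24", "mac": "", "nt_host": "", "dns": "lab-subnet.example.test"},
    {"ip": "10.1.2.3", "mac": "aa:bb:cc:dd:ee:ff", "nt_host": "SRV01", "dns": "srv01.example.test"},
    {"ip": "not-an-ip", "mac": "", "nt_host": "BAD", "dns": ""},
]


def expandiprange(ip):
    """Model of the behaviour the thread reports for ES's expandiprange on one value:
    a /32 collapses to the bare host address; anything else passes through unchanged.
    Illustrative stand-in only, not the real command."""
    try:
        net = ipaddress.ip_network(ip, strict=False)
    except ValueError:
        return ip
    if net.version == 4 and net.prefixlen == 32:
        return str(net.network_address)
    return ip


def cidr_filter(values):
    """The macro's eval key=mvfilter(match(key, regex)) | where isnotnull(key) step."""
    return [v for v in values if CIDR_REGEX.match(v)]


def normalize_cidr(ip):
    """Workaround step: put a bare IPv4 address or a CIDR into canonical a.b.c.d/n form,
    so the regex check gives the same answer whether or not expandiprange ran.
    Returns None for anything that is not a valid IPv4 address or network."""
    try:
        net = ipaddress.ip_network(ip, strict=False)
    except ValueError:
        return None
    if net.version != 4:
        return None
    return str(net)


def asset_hash(row):
    """sha1(strcat(ip, mac, nt_host, dns)) as the last reply describes the key.
    Assumption: missing fields concatenate as empty strings."""
    raw = "".join(row.get(f) or "" for f in ASSET_FIELDS)
    return hashlib.sha1(raw.encode()).hexdigest()


def build_cidr_lookup(rows, run_expandiprange=True, normalize=False):
    """Produce the rows that would reach outputlookup asset_lookup_by_cidr.
    run_expandiprange=True reproduces the reported loss of /32 entries;
    normalize=True applies the re-canonicalisation workaround before the regex filter."""
    out = []
    for row in rows:
        ip = expandiprange(row["ip"]) if run_expandiprange else row["ip"]
        if normalize:
            ip = normalize_cidr(ip)
            if ip is None:
                continue
        kept = cidr_filter([ip])
        if not kept:
            continue
        out.append({"key": kept[0], "ip": ip, "mac": row["mac"], "nt_host": row["nt_host"],
                    "dns": row["dns"], "asset_id": asset_hash(row)})
    return out


if __name__ == "__main__":
    for label, kwargs in (("as in the macro", {}),
                          ("without expandiprange", {"run_expandiprange": False}),
                          ("with normalisation", {"normalize": True})):
        print(label, "->", [r["key"] for r in build_cidr_lookup(DHCP_ASSETS, **kwargs)])
```

Running it shows the /32 host from the sample list surviving only when expandiprange is skipped or when values are re-canonicalised first; the bare 10.1.2.3 row is dropped by the regex in both of the thread's configurations and only kept once normalised, which is the inconsistency the later replies describe.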