Splunk Enterprise Security

Splunk Enterprise Security: Issue found in "SA-IdentityManagement" : Identity - Asset CIDR Matches - Lookup Gen

Path Finder

Hello,

We have issues to merge our dhcpassetlist (made of dns record, mac and ip address) into the Asset & Identity Management subsystem.
I realize that there is a condition into a macro (I rebuilt the macro tree to be clear).

SA-IdentityManagement - Identity - Asset CIDR Matches - Lookup Gen

   | `asset_sources` 
   | `make_assets_cidr` 
   | outputlookup output_format=splunk_mv_csv asset_lookup_by_cidr

====

| `asset_sources` 
| `make_assets` | eval `asset_key_field`=mvfilter(match(`asset_key_field`, `ipv4_cidr_regex`)) | where isnotnull(`asset_key_field`) 
|  outputlookup output_format=splunk_mv_csv asset_lookup_by_cidr

====

| `asset_sources` 
| fillnull value="false" `extra_asset_fields` | `split_mv_asset_fields` | `gen_asset_id(asset_id)` | dedup asset_id | where isnotnull(asset_id) | expandiprange ip | eval `pci_category_meval(category)`, `pci_domain_meval(pci_domain, category)`, `tag_assets_meval` | `generate_asset_key` | fields `asset_key_field`,`asset_fields` 
| eval key=mvfilter(match(key, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/(\d|[12]\d|3[012])$")) | where isnotnull(key)
| outputlookup output_format=splunk_mv_csv asset_lookup_by_cidr

But the command expandiprange ip
Transforms fully qualified cidr like “192.168.1.1/32” into single IP "192.168.1.1" with not match the followed regex.

So if I do the following request (without expandiprange ) it works:

| makeresults | eval ip="192.168.10.20/32" |rename ip as key | eval key=mvfilter(match(key, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/(\d|[12]\d|3[012])$")) | where isnotnull(key) 

But with expandiprange it doesn’t work:

| makeresults | eval ip="192.168.10.20/32" | expandiprange ip |rename ip as key | eval key=mvfilter(match(key, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/(\d|[12]\d|3[012])$")) | where isnotnull(key)
No results found.

As a workaround we have overridden the macro in one of our apps, but could you update the SA-IdentityManagement apps

Thank you.

SplunkTrust
SplunkTrust

@jeanyvesnolen - One approach would be to create a csv file/lookup, which extracts IP, macaddress, hostname and other populate other fields [ for compliance with required asset format by ES] from your DHCP logs [ definding inputs.conf] and then adding your definition to the macros.conf as something like

[asset_sources]
definition= inputlookup append=t yourlookuptransforms_asset | inputputlookup append=t yourlooktransforsm_dhcp

this will then merge all your asset related lookups to asset data. You can then run the search "|assets" to validate them

0 Karma

Engager

So interesting, if you run the search directly in the search bar you get the error I mentioned. However if you setup your inputs correctly and run the CIDR notation gen, it will populate the CIDR CSV file.

Thanks jeanvesnolen for the help.

0 Karma

SplunkTrust
SplunkTrust

@jbburkes - have you tried 192.168.69.0/24?

0 Karma

Explorer

Is the app updated? I am also facing this issue..

Explorer

Setup, Splunk Enterprise running Enterprise Security 5.3.0. If I put in CIDR notation for each asset, for example 192.168.69.2/24 in the IP address field and then run the Identity - Asset CIDR Matches - Lookup Gen as a search, I get the following error:

Invalid 192.168.69.2/24 is not a valid IP address or CIDR block.

I was going to try and bypass the lookup gen and just put manual entries into assetsbycidr.csv but the csv is blank, anyone know the format of assetsbycidr.csv file?

0 Karma

Path Finder

Hello !

The lookup is generated by the saved search "Identity - Asset CIDR Matches - Lookup Gen"

| `asset_sources` | `make_assets_cidr` | outputlookup output_format=splunk_mv_csv asset_lookup_by_cidr | stats count

The main issue you will get is that the saved search will overide qny content of assetlookupby_cidr (because there is no append=t in the query)

If you want to know exactly the format of the csv I think the best option you got is to hqve a look at "make_assets" macro which is

    fillnull value="false" `extra_asset_fields` | `split_mv_asset_fields` | `gen_asset_id(asset_id)` | dedup asset_id | where isnotnull(asset_id) | expandiprange ip | `ubi_rewrite_ips` | eval `pci_category_meval(category)`, `pci_domain_meval(pci_domain, category)`, `tag_assets_meval` | `generate_asset_key` | fields `asset_key_field`,`asset_fields` 

The what you are looking for is *| fields asset_key_field,asset_fields *

You will get the following after resolve all macros :

key, ip, mac,nthost,dns, owner,priority,lat,long,city,country,bunit,category,pcidomain, isexpected, shouldtimesync, shouldupdate, requiresav

the key field is the following : key=sha1(strcat( ip,mac,nt_host,dns))

Thanks to the doc(link text) you will hqve the correct format for each field.

0 Karma