Splunk Enterprise Security

Splunk Enterprise Security: Issue found in "SA-IdentityManagement" : Identity - Asset CIDR Matches - Lookup Gen

jeanyvesnolen
Path Finder

Hello,

We have issues merging our dhcp_asset_list (made of DNS record, MAC and IP address) into the Asset & Identity Management subsystem.
I realize that there is a condition in a macro (I rebuilt the macro tree to be clear).

SA-IdentityManagement - Identity - Asset CIDR Matches - Lookup Gen

   | `asset_sources` 
   | `make_assets_cidr` 
   | outputlookup output_format=splunk_mv_csv asset_lookup_by_cidr

====

| `asset_sources` 
| `make_assets` | eval `asset_key_field`=mvfilter(match(`asset_key_field`, `ipv4_cidr_regex`)) | where isnotnull(`asset_key_field`) 
|  outputlookup output_format=splunk_mv_csv asset_lookup_by_cidr

====

| `asset_sources` 
| fillnull value="false" `extra_asset_fields` | `split_mv_asset_fields` | `gen_asset_id(asset_id)` | dedup asset_id | where isnotnull(asset_id) | expandiprange ip | eval `pci_category_meval(category)`, `pci_domain_meval(pci_domain, category)`, `tag_assets_meval` | `generate_asset_key` | fields `asset_key_field`,`asset_fields` 
| eval key=mvfilter(match(key, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/(\d|[12]\d|3[012])$")) | where isnotnull(key)
| outputlookup output_format=splunk_mv_csv asset_lookup_by_cidr

But the command expandiprange ip transforms a fully qualified CIDR like "192.168.1.1/32" into the single IP "192.168.1.1", which does not match the following regex.

So if I do the following request (without expandiprange) it works:

| makeresults | eval ip="192.168.10.20/32" |rename ip as key | eval key=mvfilter(match(key, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/(\d|[12]\d|3[012])$")) | where isnotnull(key) 

But with expandiprange it doesn’t work:

| makeresults | eval ip="192.168.10.20/32" | expandiprange ip |rename ip as key | eval key=mvfilter(match(key, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/(\d|[12]\d|3[012])$")) | where isnotnull(key)
No results found.

As a workaround we have overridden the macro in one of our apps, but could you update the SA-IdentityManagement app?

Thank you.

dapo-justice
Engager

Sorry for the 4 year resurrection of the thread, but I was wondering if this led anywhere. Working with lookups for assets and identities in ES and finding issues with the use of / inconsistencies in the way 'make_ip_cidr' operates.

For ES population, I'm trying to use MV in KV stores of assets, as well as delimited CSV lookups, but the CIDR matching, make_ip_cidr and expandiprange and the lack of support for /32 are causing issues.

lakshman239
Influencer

@jeanyvesnolen - One approach would be to create a CSV file/lookup which extracts IP, MAC address, hostname and populates the other fields [for compliance with the asset format required by ES] from your DHCP logs [defining inputs.conf], and then adding your definition to macros.conf as something like

[asset_sources]
definition = inputlookup append=t yourlookuptransforms_asset | inputlookup append=t yourlookuptransforms_dhcp

This will then merge all your asset related lookups into the asset data. You can then run the search "|assets" to validate them.

0 Karma

jbburkes
Engager

So interesting, if you run the search directly in the search bar you get the error I mentioned. However, if you set up your inputs correctly and run the CIDR notation gen, it will populate the CIDR CSV file.

Thanks jeanyvesnolen for the help.

0 Karma

lakshman239
Influencer

@jbburkes - have you tried 192.168.69.0/24?

0 Karma

anuremanan88
Explorer

Is the app updated? I am also facing this issue..

jeburkes76
Explorer

Setup: Splunk Enterprise running Enterprise Security 5.3.0. If I put in CIDR notation for each asset, for example 192.168.69.2/24 in the IP address field, and then run the Identity - Asset CIDR Matches - Lookup Gen as a search, I get the following error:

Invalid 192.168.69.2/24 is not a valid IP address or CIDR block.

I was going to try and bypass the lookup gen and just put manual entries into assets_by_cidr.csv, but the CSV is blank. Does anyone know the format of the assets_by_cidr.csv file?

0 Karma

jeanyvesnolen
Path Finder

Hello!

The lookup is generated by the saved search "Identity - Asset CIDR Matches - Lookup Gen":

| `asset_sources` | `make_assets_cidr` | outputlookup output_format=splunk_mv_csv asset_lookup_by_cidr | stats count

The main issue you will get is that the saved search will override any content of asset_lookup_by_cidr (because there is no append=t in the query).

If you want to know exactly the format of the CSV, I think the best option you have is to take a look at the "make_assets" macro, which is

    fillnull value="false" `extra_asset_fields` | `split_mv_asset_fields` | `gen_asset_id(asset_id)` | dedup asset_id | where isnotnull(asset_id) | expandiprange ip | `ubi_rewrite_ips` | eval `pci_category_meval(category)`, `pci_domain_meval(pci_domain, category)`, `tag_assets_meval` | `generate_asset_key` | fields `asset_key_field`,`asset_fields` 

What you are looking for is "| fields asset_key_field,asset_fields".

You will get the following after resolving all macros:

key,ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av

The key field is the following: key=sha1(strcat(ip,mac,nt_host,dns))

Thanks to the doc you will have the correct format for each field.

0 Karma
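Added example (not code from the thread or from Splunk ES): a small Python model of the lookup-gen pipeline discussed above, showing why a /32 asset disappears after `expandiprange`, a hypothetical workaround that restores the /32, why a value with host bits set such as 192.168.69.2/24 is rejected (assumed to be the cause of the reported error), and the key=sha1(strcat(ip,mac,nt_host,dns)) derivation from the last post. The `expandiprange` and key functions are models of the behaviour described in the thread, not Splunk's implementation; the sample assets are constructed.

```python
import hashlib
import ipaddress
import re

# Regex from the `make_assets_cidr` macro quoted in the thread: only a.b.c.d/N with 0 <= N <= 32.
CIDR_RE = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/(\d|[12]\d|3[012])$")


def strict_cidr_or_none(value):
    # Reject CIDRs with host bits set (192.168.69.2/24); assumption: this is what ES objects to.
    try:
        return str(ipaddress.ip_network(value, strict=True))
    except ValueError:
        return None


def expandiprange(value):
    # Model of the behaviour observed in the thread: a /32 collapses to the bare host address,
    # everything else passes through unchanged. Not Splunk's own implementation.
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return value
    return str(net.network_address) if net.prefixlen == 32 else value


def cidr_filter(value):
    # mvfilter(match(key, regex)) | where isnotnull(key): None means the row is dropped.
    return value if CIDR_RE.match(value) else None


def restore_host_cidr(value):
    # Hypothetical workaround: put /32 back on a bare IPv4 host so it survives the CIDR filter.
    try:
        return f"{ipaddress.IPv4Address(value)}/32"
    except ValueError:
        return value


def asset_key(ip, mac="", nt_host="", dns=""):
    # key=sha1(strcat(ip,mac,nt_host,dns)) as the thread describes; strcat joins without a separator.
    return hashlib.sha1(f"{ip}{mac}{nt_host}{dns}".encode()).hexdigest()


def gen_cidr_rows(assets, workaround=False):
    # Return the (key, ip) pairs that would land in asset_lookup_by_cidr for the given assets.
    rows = []
    for a in assets:
        ip = expandiprange(a["ip"])
        if workaround:
            ip = restore_host_cidr(ip)
        if cidr_filter(ip) is None:
            continue  # dropped by `where isnotnull(key)`
        rows.append((asset_key(ip, a.get("mac", ""), a.get("nt_host", ""), a.get("dns", "")), ip))
    return rows


# Constructed sample assets, not taken from the thread's environment.
SAMPLE_ASSETS = [
    {"ip": "192.168.10.20/32", "mac": "00:11:22:33:44:55", "dns": "host20.example.test"},
    {"ip": "192.168.69.0/24", "nt_host": "LAB-NET"},
]
```

Without the workaround only the /24 row survives; with it the /32 host is kept as well, which is the behaviour the original poster wanted from the macro.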