Splunk Enterprise Security

Splunk Enterprise Security: Issue found in "SA-IdentityManagement" : Identity - Asset CIDR Matches - Lookup Gen

jeanyvesnolen
Path Finder

Hello,

We have issues merging our dhcp_asset_list (made of DNS record, MAC and IP address) into the Asset & Identity Management subsystem.
I realized that there is a condition in a macro (I rebuilt the macro tree to be clear).

SA-IdentityManagement - Identity - Asset CIDR Matches - Lookup Gen

   | `asset_sources` 
   | `make_assets_cidr` 
   | outputlookup output_format=splunk_mv_csv asset_lookup_by_cidr

====

| `asset_sources` 
| `make_assets` | eval `asset_key_field`=mvfilter(match(`asset_key_field`, `ipv4_cidr_regex`)) | where isnotnull(`asset_key_field`) 
|  outputlookup output_format=splunk_mv_csv asset_lookup_by_cidr

====

| `asset_sources` 
| fillnull value="false" `extra_asset_fields` | `split_mv_asset_fields` | `gen_asset_id(asset_id)` | dedup asset_id | where isnotnull(asset_id) | expandiprange ip | eval `pci_category_meval(category)`, `pci_domain_meval(pci_domain, category)`, `tag_assets_meval` | `generate_asset_key` | fields `asset_key_field`,`asset_fields` 
| eval key=mvfilter(match(key, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/(\d|[12]\d|3[012])$")) | where isnotnull(key)
| outputlookup output_format=splunk_mv_csv asset_lookup_by_cidr

But the command expandiprange ip
transforms a fully qualified CIDR like "192.168.1.1/32" into the single IP "192.168.1.1", which does not match the following regex.

So if I do the following request (without expandiprange) it works:

| makeresults | eval ip="192.168.10.20/32" |rename ip as key | eval key=mvfilter(match(key, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/(\d|[12]\d|3[012])$")) | where isnotnull(key) 

But with expandiprange it doesn’t work:

| makeresults | eval ip="192.168.10.20/32" | expandiprange ip |rename ip as key | eval key=mvfilter(match(key, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/(\d|[12]\d|3[012])$")) | where isnotnull(key)
No results found.

As a workaround we have overridden the macro in one of our apps, but could you update the SA-IdentityManagement app?

Thank you.
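The failure mode described in this post, reproduced as an added example (this is not Splunk's code nor the poster's macro override). It models only the `expandiprange` behaviour the thread reports (a /32 collapses to its bare address; an entry with host bits set, like the 192.168.69.2/24 quoted later in the thread, is rejected), and contrasts the page's order of operations (expand, then regex) with the poster's workaround of selecting CIDR keys before any expansion. The `ipaddress` validation in the workaround is an assumption added here: the page's regex accepts octets above 255 and host bits set, and validating first keeps such entries from failing the whole lookup generation.

```python
import ipaddress
import re

# Regex from the expanded "Identity - Asset CIDR Matches - Lookup Gen" search above.
CIDR_RE = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/(\d|[12]\d|3[012])$")


def expandiprange_like(values):
    """Model of the behaviour the thread reports for `expandiprange ip`
    (assumption: only the reported cases are modelled; this is not Splunk's code):
    - a /32 prefix collapses to its bare host address,
    - a value with host bits set (192.168.69.2/24) raises the
      'is not a valid IP address or CIDR block' error quoted later in the thread,
    - anything else passes through unchanged."""
    out = []
    for v in values:
        try:
            net = ipaddress.IPv4Network(v, strict=True)
        except ValueError:
            raise ValueError(f"Invalid {v} is not a valid IP address or CIDR block.")
        out.append(str(net.network_address) if net.prefixlen == 32 else str(net))
    return out


def cidr_keys_original(keys):
    """Pipeline order from the page: expand first, then keep only regex matches.
    A /32 entry has already lost its prefix by the time the regex runs, so it is dropped."""
    return [k for k in expandiprange_like(keys) if CIDR_RE.match(k)]


def cidr_keys_workaround(keys):
    """Select CIDR keys before any expansion, so /32 survives. The extra
    ipaddress check (an addition, not in the page's macro) rejects entries the
    regex accepts but Splunk would reject (octets above 255, host bits set),
    instead of letting them fail the whole lookup generation."""
    kept = []
    for k in keys:
        if not CIDR_RE.match(k):
            continue          # bare IPs are not CIDR keys
        try:
            kept.append(str(ipaddress.IPv4Network(k, strict=True)))
        except ValueError:
            continue          # malformed or host bits set: keep it out of the CIDR lookup
    return kept


if __name__ == "__main__":
    # Constructed sample, mirroring the makeresults tests in the post.
    sample = ["192.168.10.20/32", "10.0.0.0/8", "192.168.1.5"]
    print("original  :", cidr_keys_original(sample))    # ['10.0.0.0/8']
    print("workaround:", cidr_keys_workaround(sample))  # ['192.168.10.20/32', '10.0.0.0/8']
```

Run it as-is to see the /32 entry vanish under the original order and survive under the workaround; feed it your own asset list to find entries that would make the real Lookup Gen abort.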

dapo-justice
Engager

Sorry for the 4 year resurrection of the thread, but I was wondering if this led anywhere. Working with lookups for assets and identities in ES and finding issues with the use / inconsistencies with the way 'make_ip_cidr' operates.

For ES population, I'm trying to use MV in KV stores of assets, as well as delimited csv lookups, but the CIDR matching, make_ip_cidr and expandiprange, and the lack of support for /32, are causing issues.

lakshman239
Influencer

@jeanyvesnolen - One approach would be to create a csv file/lookup which extracts IP, MAC address, hostname and populates other fields [for compliance with the asset format required by ES] from your DHCP logs [defining inputs.conf], and then adding your definition to macros.conf as something like

[asset_sources]
definition = inputlookup append=t yourlookuptransforms_asset | inputlookup append=t yourlookuptransforms_dhcp

This will then merge all your asset-related lookups into the asset data. You can then run the search "| assets" to validate them.

0 Karma

jbburkes
Engager

So interesting, if you run the search directly in the search bar you get the error I mentioned. However if you setup your inputs correctly and run the CIDR notation gen, it will populate the CIDR CSV file.

Thanks jeanyvesnolen for the help.

0 Karma

lakshman239
Influencer

@jbburkes - have you tried 192.168.69.0/24?

0 Karma

anuremanan88
Explorer

Is the app updated? I am also facing this issue..

jeburkes76
Explorer

Setup, Splunk Enterprise running Enterprise Security 5.3.0. If I put in CIDR notation for each asset, for example 192.168.69.2/24 in the IP address field and then run the Identity - Asset CIDR Matches - Lookup Gen as a search, I get the following error:

Invalid 192.168.69.2/24 is not a valid IP address or CIDR block.

I was going to try and bypass the lookup gen and just put manual entries into assets_by_cidr.csv but the csv is blank, anyone know the format of assets_by_cidr.csv file?

0 Karma

jeanyvesnolen
Path Finder

Hello !

The lookup is generated by the saved search "Identity - Asset CIDR Matches - Lookup Gen":

| `asset_sources` | `make_assets_cidr` | outputlookup output_format=splunk_mv_csv asset_lookup_by_cidr | stats count

The main issue you will get is that the saved search will override any content of asset_lookup_by_cidr (because there is no append=t in the query).

If you want to know exactly the format of the csv, I think the best option you have is to look at the "make_assets" macro, which is

    fillnull value="false" `extra_asset_fields` | `split_mv_asset_fields` | `gen_asset_id(asset_id)` | dedup asset_id | where isnotnull(asset_id) | expandiprange ip | `ubi_rewrite_ips` | eval `pci_category_meval(category)`, `pci_domain_meval(pci_domain, category)`, `tag_assets_meval` | `generate_asset_key` | fields `asset_key_field`,`asset_fields` 

What you are looking for is | fields `asset_key_field`,`asset_fields`

You will get the following after resolving all macros:

key,ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av

The key field is the following: key=sha1(strcat(ip,mac,nt_host,dns))

Thanks to the doc you will have the correct format for each field.

0 Karma
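An added example of writing rows in the asset_lookup_by_cidr layout given in the post above (this is example code, not ES's Lookup Gen). It uses the column order listed above, the `fillnull value="false"` defaults from the make_assets macro, and the CIDR regex from the Lookup Gen search, so the `key` column holds the CIDR values the search would keep (selected before any expansion, as in the workaround earlier in the thread). The `__mv_<field>` encoding (`$v1$;$v2$`, literal `$` doubled) is my understanding of the splunk_mv_csv convention and is an assumption; compare against a file your own Lookup Gen wrote before relying on it. The asset records are constructed sample data.

```python
import csv
import io
import re

# Column order given in the post above for asset_lookup_by_cidr.
COLUMNS = ["key", "ip", "mac", "nt_host", "dns", "owner", "priority", "lat", "long",
           "city", "country", "bunit", "category", "pci_domain",
           "is_expected", "should_timesync", "should_update", "requires_av"]
# Fields the make_assets macro fills with "false" when empty (fillnull value="false").
BOOL_FIELDS = ["is_expected", "should_timesync", "should_update", "requires_av"]
# CIDR filter from the "Identity - Asset CIDR Matches - Lookup Gen" search.
CIDR_RE = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/(\d|[12]\d|3[012])$")


def as_list(v):
    return v if isinstance(v, list) else ([] if v in (None, "") else [v])


def mv_encode(values):
    """Assumed splunk_mv_csv convention: __mv_<field> holds $v1$;$v2$, literal $ doubled."""
    return ";".join("$" + v.replace("$", "$$") + "$" for v in values)


def build_cidr_lookup(assets):
    rows = []
    for a in assets:
        # Keep only CIDR-looking ip values, before any expansion, so /32 survives.
        keys = [v for v in as_list(a.get("ip")) if CIDR_RE.match(v)]
        if not keys:
            continue  # mirrors `where isnotnull(key)`: assets without a CIDR entry are excluded
        row = {c: a.get(c, "") for c in COLUMNS}
        row["key"] = keys
        for b in BOOL_FIELDS:
            row[b] = row[b] or "false"
        rows.append(row)
    return to_splunk_mv_csv(rows)


def to_splunk_mv_csv(rows):
    mv_fields = [c for c in COLUMNS if any(isinstance(r[c], list) for r in rows)]
    header = COLUMNS + ["__mv_" + c for c in mv_fields]
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=header, restval="", lineterminator="\n")
    w.writeheader()
    for r in rows:
        out = {}
        for c in COLUMNS:
            if isinstance(r[c], list):
                out[c] = "\n".join(r[c])           # one quoted cell, newline-separated
                out["__mv_" + c] = mv_encode(r[c])
            else:
                out[c] = r[c]
        w.writerow(out)
    return buf.getvalue()


def parse_rows(text):
    """Read the CSV back; quoted newlines inside a multivalue cell are preserved."""
    return list(csv.reader(io.StringIO(text)))


# Constructed DHCP-derived assets, not real data.
ASSETS = [
    {"ip": ["192.168.10.20/32", "10.10.0.0/16"], "mac": "00:11:22:33:44:55",
     "nt_host": "dhcp-a", "dns": ["dhcp-a.corp.example", "dhcp-b.corp.example"],
     "priority": "medium", "category": ["dhcp"]},
    {"ip": "192.168.1.5", "mac": "66:77:88:99:aa:bb", "nt_host": "host-b",
     "dns": "host-b.corp.example"},  # bare IP only: no CIDR key, so not in this lookup
]

if __name__ == "__main__":
    print(build_cidr_lookup(ASSETS))
```

The second asset is dropped on purpose: a bare IP has no CIDR key, which is what `where isnotnull(key)` does in the real search. Remember the point made above about `outputlookup` without `append=t`: whatever you write by hand into this file is replaced the next time the saved search runs.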