Splunk Enterprise Security

What is the best practice for building a Splunk Enterprise Security asset list off of DHCP data?

responsys_cm
Builder

What is the best way for Enterprise Security to handle assets that are assigned DHCP addresses? Obviously the MAC address and the hostname should be fairly "stable", but what about IPs? If the DHCP leases are short, a host could get multiple IPs over the course of a month or so.

Do we just use the most recently assigned IP? Do we add a week or a month's worth of IPs to a single asset? What's the best practice?

Thx.

0 Karma

starcher
SplunkTrust

A minimum best practice would be to add DHCP as IP ranges and set the category accordingly. If the Pools are limited in location where they are used I would also populate the location fields for the entries. You won't have host name matches but at least you can match on the IPs if they occur in network and IDS type logs.

http://docs.splunk.com/Documentation/ES/4.6.0/User/AssetandIdentityLookupReference

You could optionally have a DHCP-specific asset table with NO IPs but include all host names and MAC addresses. ES will cook all the asset information together. If something shows up as an IP you would get the information derived from the CIDR of the pool but no host name. If it shows in logs by name you would get that asset detail but without IP address.

starcher
SplunkTrust

You could also leverage the DHCP data to maintain a time-based lookup and apply it within the specific searches as needed.

0 Karma

quihong
Path Finder

Most recent IP. However, best practice would be to not use DHCP data (only) to build your asset list for Enterprise Security.

Here are the fields needed:
ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av

Reference:
http://docs.splunk.com/Documentation/ES/4.5.1/User/AssetandIdentityLookupReference

DHCP data will only get you the first four fields. Combining it with Active Directory, SCCM, McAfee ePO, etc. would get you better results.

0 Karma
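As an added example (not code from the thread or from Splunk), the script below builds a lookup in the field layout quihong lists, keeping only the most recent lease per MAC address and prepending a CIDR pool row of the kind starcher suggests. The DHCP lease events, the pool CIDR and the category names are constructed; the `dns` field is left blank because lease records usually carry only the short host name.

```python
import csv
import io
from datetime import datetime

# Asset lookup header as listed in the thread (ES asset lookup reference).
ASSET_FIELDS = ["ip", "mac", "nt_host", "dns", "owner", "priority", "lat", "long",
                "city", "country", "bunit", "category", "pci_domain", "is_expected",
                "should_timesync", "should_update", "requires_av"]

# Constructed sample DHCP events: <timestamp> <action> <ip> <mac> <hostname>.
# The same MAC appears twice to show the "most recent IP" rule.
DHCP_EVENTS = """\
2023-01-03T08:00:00 ASSIGN 10.20.30.11 aa:bb:cc:00:00:01 lt-alice
2023-01-10T09:15:00 ASSIGN 10.20.30.57 aa:bb:cc:00:00:01 lt-alice
2023-01-04T12:00:00 ASSIGN 10.20.30.12 aa:bb:cc:00:00:02 lt-bob
2023-01-05T12:00:00 RELEASE 10.20.30.12 aa:bb:cc:00:00:02 lt-bob
2023-01-02T07:30:00 ASSIGN 10.20.30.99 aa:bb:cc:00:00:03 printer-3f
"""

# Constructed pool definition: (CIDR, category). ES matches CIDR entries in the ip field.
DHCP_POOLS = [("10.20.30.0/24", "dhcp_pool")]


def latest_lease_per_mac(events):
    """Return {mac: (timestamp, ip, host)} keeping only the newest ASSIGN per MAC."""
    latest = {}
    for line in events.splitlines():
        ts, action, ip, mac, host = line.split()
        if action != "ASSIGN":          # RELEASE/EXPIRE events carry no current IP
            continue
        when = datetime.fromisoformat(ts)
        if mac not in latest or when > latest[mac][0]:
            latest[mac] = (when, ip, host)
    return latest


def build_asset_rows(events=DHCP_EVENTS, pools=DHCP_POOLS):
    """Pool CIDR rows first (IP-only matches), then one row per MAC with its latest IP."""
    blank = {f: "" for f in ASSET_FIELDS}
    rows = [dict(blank, ip=cidr, category=category, is_expected="true")
            for cidr, category in pools]
    for mac, (_, ip, host) in sorted(latest_lease_per_mac(events).items()):
        rows.append(dict(blank, ip=ip, mac=mac, nt_host=host, category="dhcp",
                         is_expected="true"))
    return rows


def to_asset_csv(rows):
    """Serialise rows as the CSV an ES asset lookup would ingest."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=ASSET_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Re-running this on a rolling window (for example the last lease interval) keeps the IP column current, which is the "most recent IP" approach from the answer above.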