Splunk Enterprise Security: Issue found in "SA-IdentityManagement" : Identity - Asset CIDR Matches - Lookup Gen

jeanyvesnolen
Path Finder

Hello,

We have issues merging our dhcp_asset_list (made of DNS record, MAC and IP address) into the Asset & Identity Management subsystem.
I realize that there is a condition in a macro (I rebuilt the macro tree to make it clear).

SA-IdentityManagement - Identity - Asset CIDR Matches - Lookup Gen

   | `asset_sources` 
   | `make_assets_cidr` 
   | outputlookup output_format=splunk_mv_csv asset_lookup_by_cidr

====

| `asset_sources` 
| `make_assets` | eval `asset_key_field`=mvfilter(match(`asset_key_field`, `ipv4_cidr_regex`)) | where isnotnull(`asset_key_field`) 
|  outputlookup output_format=splunk_mv_csv asset_lookup_by_cidr

====

| `asset_sources` 
| fillnull value="false" `extra_asset_fields` | `split_mv_asset_fields` | `gen_asset_id(asset_id)` | dedup asset_id | where isnotnull(asset_id) | expandiprange ip | eval `pci_category_meval(category)`, `pci_domain_meval(pci_domain, category)`, `tag_assets_meval` | `generate_asset_key` | fields `asset_key_field`,`asset_fields` 
| eval key=mvfilter(match(key, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/(\d|[12]\d|3[012])$")) | where isnotnull(key)
| outputlookup output_format=splunk_mv_csv asset_lookup_by_cidr

But the command expandiprange ip
transforms a fully qualified CIDR like "192.168.1.1/32" into the single IP "192.168.1.1", which does not match the regex that follows.

So if I run the following search (without expandiprange) it works:

| makeresults | eval ip="192.168.10.20/32" |rename ip as key | eval key=mvfilter(match(key, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/(\d|[12]\d|3[012])$")) | where isnotnull(key) 

But with expandiprange it doesn’t work:

| makeresults | eval ip="192.168.10.20/32" | expandiprange ip |rename ip as key | eval key=mvfilter(match(key, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/(\d|[12]\d|3[012])$")) | where isnotnull(key)
No results found.

As a workaround we have overridden the macro in one of our apps, but could you update the SA-IdentityManagement app?

Thank you.

lakshman239
SplunkTrust

@jeanyvesnolen - One approach would be to create a CSV file/lookup which extracts IP, MAC address, hostname and populates the other fields [for compliance with the asset format required by ES] from your DHCP logs [defining inputs.conf], and then add your definition to macros.conf as something like

[asset_sources]
definition= inputlookup append=t yourlookuptransforms_asset | inputlookup append=t yourlookuptransforms_dhcp

This will then merge all your asset-related lookups into the asset data. You can then run the search "|assets" to validate them.

0 Karma

jbburkes
Engager

So interesting: if you run the search directly in the search bar you get the error I mentioned. However, if you set up your inputs correctly and run the CIDR notation gen, it will populate the CIDR CSV file.

Thanks jeanyvesnolen for the help.

0 Karma

lakshman239
SplunkTrust

@jbburkes - have you tried 192.168.69.0/24?

0 Karma

anuremanan88
Explorer

Is the app updated? I am also facing this issue.

jeburkes76
Explorer

Setup: Splunk Enterprise running Enterprise Security 5.3.0. If I put in CIDR notation for each asset, for example 192.168.69.2/24 in the IP address field, and then run the Identity - Asset CIDR Matches - Lookup Gen as a search, I get the following error:

Invalid 192.168.69.2/24 is not a valid IP address or CIDR block.

I was going to try to bypass the lookup gen and just put manual entries into assets_by_cidr.csv, but the CSV is blank. Does anyone know the format of the assets_by_cidr.csv file?

0 Karma

jeanyvesnolen
Path Finder

Hello !

The lookup is generated by the saved search "Identity - Asset CIDR Matches - Lookup Gen"

| `asset_sources` | `make_assets_cidr` | outputlookup output_format=splunk_mv_csv asset_lookup_by_cidr | stats count

The main issue you will get is that the saved search will override any content of asset_lookup_by_cidr (because there is no append=t in the query).

If you want to know exactly the format of the CSV, I think the best option you have is to have a look at the "make_assets" macro, which is

    fillnull value="false" `extra_asset_fields` | `split_mv_asset_fields` | `gen_asset_id(asset_id)` | dedup asset_id | where isnotnull(asset_id) | expandiprange ip | `ubi_rewrite_ips` | eval `pci_category_meval(category)`, `pci_domain_meval(pci_domain, category)`, `tag_assets_meval` | `generate_asset_key` | fields `asset_key_field`,`asset_fields` 

What you are looking for is `| fields asset_key_field,asset_fields`

You will get the following after resolving all macros:

key, ip, mac, nt_host, dns, owner, priority, lat, long, city, country, bunit, category, pci_domain, is_expected, should_timesync, should_update, requires_av

The key field is the following: key=sha1(strcat(ip,mac,nt_host,dns))

Thanks to the doc you will have the correct format for each field.

0 Karma
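The two posts by jeanyvesnolen (the expanded lookup-gen pipeline with its `expandiprange` / CIDR-regex interaction at the top of the thread, and the lookup format above) can be exercised offline. The Python below is an added example, not code from the thread or from SA-IdentityManagement: it emulates the lookup gen over a constructed DHCP asset CSV, with a switch that reproduces the reported `expandiprange` behaviour (a /32 collapsing to a bare IP), applies the exact CIDR regex from the expanded macro, and adds the validation step a practitioner would want. Assumptions: `key` is treated as the set of identifier values that the regex is filtered against (as the expanded `mvfilter(match(key, ...))` implies), the sha1 expression quoted in the last post is used as the dedup identifier, and the strict host-bits check from Python's `ipaddress` module is taken to match the "is not a valid IP address or CIDR block" rejection reported for 192.168.69.2/24; none of these are the macros' actual definitions.

```python
import csv
import hashlib
import io
import ipaddress
import re

# CIDR filter regex exactly as it appears in the expanded macro in the thread.
CIDR_RE = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/(\d|[12]\d|3[012])$")

# Constructed DHCP-derived asset rows (not real data). The first three mirror
# values discussed in the thread; the last two exercise validation edge cases.
DHCP_ASSET_CSV = """\
ip,mac,nt_host,dns
192.168.10.20/32,00:11:22:33:44:55,WS-0020,ws-0020.corp.example
192.168.69.0/24,,,lab-segment.corp.example
192.168.69.2/24,,,bad-host-bits.corp.example
10.0.0.5,aa:bb:cc:dd:ee:ff,SRV-05,srv-05.corp.example
999.1.1.1/24,,,bogus-octet.corp.example
"""


def collapse_host_cidr(ip: str) -> str:
    """Emulate what the first post reports for expandiprange: a /32 becomes a bare IP."""
    return ip[:-3] if ip.endswith("/32") else ip


def is_cidr_key(value: str) -> bool:
    """The regex test the lookup gen applies to key before writing asset_lookup_by_cidr."""
    return CIDR_RE.fullmatch(value) is not None


def classify_ip(value: str):
    """Return 'ip', 'cidr' or None. Assumption: strict=True (no host bits set)
    mirrors the 'not a valid IP address or CIDR block' rejection quoted in the thread."""
    try:
        if "/" in value:
            ipaddress.IPv4Network(value, strict=True)
            return "cidr"
        ipaddress.IPv4Address(value)
        return "ip"
    except ValueError:
        return None


def asset_id(ip: str, mac: str, nt_host: str, dns: str) -> str:
    """sha1(strcat(ip,mac,nt_host,dns)) as quoted in the thread, used here as the dedup id (assumption)."""
    return hashlib.sha1((ip + mac + nt_host + dns).encode()).hexdigest()


def build_cidr_lookup(csv_text: str, collapse_host_routes: bool) -> dict:
    """Emulate the lookup gen: validate, optionally collapse /32 like expandiprange,
    dedup by asset_id, keep only rows whose key survives the CIDR regex."""
    rows, rejected, seen = [], [], set()
    for rec in csv.DictReader(io.StringIO(csv_text)):
        ip, mac, nt_host, dns = (rec[f] for f in ("ip", "mac", "nt_host", "dns"))
        if classify_ip(ip) is None:
            rejected.append(ip)  # would surface as the validation error seen in the thread
            continue
        if collapse_host_routes:
            ip = collapse_host_cidr(ip)
        aid = asset_id(ip, mac, nt_host, dns)
        if aid in seen:  # dedup asset_id
            continue
        seen.add(aid)
        # key=mvfilter(match(key, CIDR regex)) | where isnotnull(key)
        key = [v for v in (ip, mac, nt_host, dns) if v and is_cidr_key(v)]
        if not key:
            continue  # a bare IP (including a collapsed /32) never reaches asset_lookup_by_cidr
        rows.append({"key": key, "ip": ip, "mac": mac, "nt_host": nt_host, "dns": dns})
    return {"rows": rows, "rejected": rejected}


if __name__ == "__main__":
    for collapse in (True, False):
        out = build_cidr_lookup(DHCP_ASSET_CSV, collapse_host_routes=collapse)
        print(f"collapse /32 = {collapse}: kept {[r['ip'] for r in out['rows']]}, "
              f"rejected {out['rejected']}")
```

With the /32 collapse switched on, 192.168.10.20/32 becomes 192.168.10.20, fails the CIDR regex and is dropped from the CIDR lookup, which is exactly the symptom in the first post; with it off, the /32 row is kept. The constructed row 999.1.1.1/24 passes the regex (`\d{1,3}` accepts any three digits) but fails `ipaddress` validation, which is why the regex alone should not be trusted as a validity check, and 192.168.69.2/24 is rejected for set host bits while 192.168.69.0/24 is accepted, matching the exchange later in the thread.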