Splunk Enterprise Security

What is the best practice for building a Splunk Enterprise Security asset list off of DHCP data?

responsys_cm
Builder

What is the best way for Enterprise Security to handle assets that are assigned DHCP addresses? Obviously the MAC address and the hostname should be fairly "stable", but what about IPs? If the DHCP leases are short, a host could get multiple IPs over the course of a month or so.

Do we just use the most recently assigned IP? Do we add a week or a month's worth of IPs to a single asset? What's the best practice?

Thx.


starcher
Influencer

A minimum best practice would be to add DHCP as IP ranges and set the category accordingly. If the pools are limited in the location where they are used, I would also populate the location fields for the entries. You won't have host name matches, but at least you can match on the IPs if they occur in network and IDS type logs.

http://docs.splunk.com/Documentation/ES/4.6.0/User/AssetandIdentityLookupReference

You could optionally have a DHCP-specific asset table with NO IPs but include all host names and MAC addresses. ES will cook all the asset information together. If something shows up as an IP, you would get the information derived from the CIDR of the pool but no host name. If it shows in logs by name, you would get that asset detail but without an IP address.

starcher
Influencer

You could also leverage the DHCP to maintain a time based lookup and apply within the specific searches as needed.


quihong
Path Finder

Most recent IP. However, best practice would be to not use DHCP data (only) to build your asset list for Enterprise Security.

Here are the fields needed:
ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av

Reference:
http://docs.splunk.com/Documentation/ES/4.5.1/User/AssetandIdentityLookupReference

DHCP data will only get you the first four fields. Combining it with Active Directory, SCCM, McAfee ePO, etc. would get you better results.

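The following is an added example, not code from the thread, from Splunk, or from any of the posters. It pulls together the three approaches the answers describe: emitting the DHCP pools themselves as CIDR entries with category and location set (starcher's minimum), collapsing lease records to the most recent IP per MAC and merging in an inventory source keyed on host name to fill the fields DHCP cannot supply (quihong's point), and a time-based lookup that answers "which host held this IP at this time" (starcher's second suggestion). The lease log format, the 8-hour lease duration, the pool table, the `.corp.example` DNS suffix and the inventory records are all constructed for illustration; the field list is the one quoted above from the ES asset lookup reference. It assumes ES accepts CIDR notation in the `ip` column, as the linked docs describe.

```python
"""Build Splunk ES asset lookup rows from DHCP lease records (added example)."""
import csv
import io
import ipaddress
from datetime import datetime, timedelta

# Field list quoted in the thread from the ES asset lookup reference.
ES_ASSET_FIELDS = ["ip", "mac", "nt_host", "dns", "owner", "priority", "lat",
                   "long", "city", "country", "bunit", "category", "pci_domain",
                   "is_expected", "should_timesync", "should_update", "requires_av"]

# Constructed lease events (not a real DHCP server format): time, mac, ip, host.
LEASE_LOG = """\
2024-05-01T08:00:00 00:11:22:33:44:55 10.10.1.20 LAPTOP-ALICE
2024-05-01T08:05:00 66:77:88:99:aa:bb 10.10.1.21 LAPTOP-BOB
2024-05-02T09:00:00 00:11:22:33:44:55 10.10.1.35 LAPTOP-ALICE
2024-05-03T07:30:00 66:77:88:99:aa:bb 10.10.2.7 LAPTOP-BOB
"""
LEASE_DURATION = timedelta(hours=8)    # assumed lease time; the log carries none
DNS_SUFFIX = ".corp.example"           # assumed domain for the dns field

# Constructed pool table: CIDR, category, city (the "minimum best practice" rows).
DHCP_POOLS = [("10.10.1.0/24", "dhcp_pool", "Boston"),
              ("10.10.2.0/24", "dhcp_pool", "Austin")]

# Constructed inventory keyed by nt_host, standing in for AD / SCCM / ePO data.
INVENTORY = {"LAPTOP-ALICE": {"owner": "alice", "priority": "medium", "bunit": "finance"},
             "LAPTOP-BOB": {"owner": "bob", "priority": "low", "bunit": "sales"}}


def parse_leases(text):
    """Return lease dicts sorted by time; MAC lowercased, host uppercased."""
    leases = []
    for line in text.splitlines():
        ts, mac, ip, host = line.split()
        leases.append({"time": datetime.fromisoformat(ts), "mac": mac.lower(),
                       "ip": ip, "nt_host": host.upper()})
    return sorted(leases, key=lambda l: l["time"])


def latest_lease_per_mac(leases):
    """Most recent lease wins: MAC is the stable key, the IP is just its latest value."""
    latest = {}
    for lease in leases:               # ascending order, so later entries overwrite
        latest[lease["mac"]] = lease
    return latest


def asset_row(**fields):
    """One ES asset row: every column present, unknown ones left blank."""
    row = {f: "" for f in ES_ASSET_FIELDS}
    row.update(fields)
    return row


def build_asset_rows(leases, pools, inventory):
    """Pool CIDR rows first, then one host row per MAC enriched from inventory."""
    rows = [asset_row(ip=cidr, category=cat, city=city) for cidr, cat, city in pools]
    for mac, lease in latest_lease_per_mac(leases).items():
        extra = inventory.get(lease["nt_host"], {})   # DHCP alone gives ip/mac/nt_host/dns
        rows.append(asset_row(ip=lease["ip"], mac=mac, nt_host=lease["nt_host"],
                              dns=lease["nt_host"].lower() + DNS_SUFFIX,
                              category="dhcp", **extra))
    return rows


def to_csv(rows):
    """Serialise rows in the column order ES expects for the assets lookup."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=ES_ASSET_FIELDS, lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


def pool_for(ip, pools):
    """What ES would derive for a bare IP from the CIDR pool rows: category and city."""
    addr = ipaddress.ip_address(ip)
    for cidr, cat, city in pools:
        if addr in ipaddress.ip_network(cidr):
            return {"category": cat, "city": city}
    return None


def resolve_at(leases, ip, when, duration=LEASE_DURATION):
    """Time-based lookup: the lease for `ip` active at `when` (ISO string or datetime).
    Picks the newest lease that started at or before `when` and has not yet expired;
    returns None if the IP was unleased or the lease had run out at that moment."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    active = [l for l in leases
              if l["ip"] == ip and l["time"] <= when < l["time"] + duration]
    return max(active, key=lambda l: l["time"]) if active else None


if __name__ == "__main__":
    leases = parse_leases(LEASE_LOG)
    print(to_csv(build_asset_rows(leases, DHCP_POOLS, INVENTORY)))
    hit = resolve_at(leases, "10.10.1.20", "2024-05-01T10:00:00")
    print(hit["nt_host"] if hit else "no active lease")
```

The expiry check in `resolve_at` is what keeps a short-lease environment honest: after the 8-hour window the old 10.10.1.20 lease no longer resolves to LAPTOP-ALICE, which is exactly the case where a static "most recent IP" asset row would mislead an investigator looking at an older event. In Splunk the same logic is normally expressed as a time-bounded lookup or a `transaction`/`streamstats` join on `dest_ip` rather than in Python; the CSV produced here is the shape that would be dropped into the assets lookup.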