What is the best way for Enterprise Security to handle assets that are assigned DHCP addresses? Obviously the MAC address and the hostname should be fairly "stable", but what about IPs? If the DHCP leases are short, a host could get multiple IPs over the course of a month or so.
Do we just use the most recently assigned IP? Do we add a week or a month's worth of IPs to a single asset? What's the best practice?
Thanks.
A minimum best practice would be to add the DHCP pools as IP ranges and set the category accordingly. If the pools are limited to the locations where they are used, I would also populate the location fields for the entries. You won't have host name matches, but at least you can match on the IPs if they occur in network- and IDS-type logs.
http://docs.splunk.com/Documentation/ES/4.6.0/User/AssetandIdentityLookupReference
You could optionally have a DHCP-specific asset table with no IPs but including all host names and MAC addresses. ES will cook all the asset information together. If something shows up as an IP, you would get the information derived from the CIDR of the pool but no host name. If it shows up in logs by name, you would get that asset detail but without an IP address.
You could also leverage the DHCP to maintain a time based lookup and apply within the specific searches as needed.
Most recent IP. However, best practice would be to not use DHCP data (only) to build your asset list for Enterprise Security.
Here are the fields needed:
ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av
Reference:
http://docs.splunk.com/Documentation/ES/4.5.1/User/AssetandIdentityLookupReference
DHCP data will only get you the first four fields. Combining it with Active Directory, SCCM, McAfee ePO, etc. would get you better results.
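Added example (not code from either answer, and not Splunk's own tooling): a small Python script that builds the asset lookup rows the two answers describe, using the field header listed above. It produces (1) one row per DHCP pool with the CIDR in `ip` and the location/category fields filled, (2) a DHCP-only table with MAC and host name but no IP, (3) a most-recent-IP table enriched from a directory source, and (4) a time-based lookup that answers "which host held this IP at time T" so lease churn does not mis-attribute an event. The lease lines, pool definitions and the `DIRECTORY` dict (a stand-in for AD/SCCM/ePO) are constructed sample data, and the simplified `time,ip,mac,host` lease format is an assumption, not any DHCP server's native log format.

```python
"""Build Splunk ES asset lookup rows from DHCP lease data plus other sources.

Added example, not from the original thread. All sample data is constructed;
the field order follows the ES asset lookup header quoted in the answer.
"""
import csv
import io
import ipaddress
from datetime import datetime, timezone

ASSET_FIELDS = ["ip", "mac", "nt_host", "dns", "owner", "priority", "lat", "long",
                "city", "country", "bunit", "category", "pci_domain", "is_expected",
                "should_timesync", "should_update", "requires_av"]

# Constructed lease events (assumed simplified format: time,ip,mac,host).
# Note LAPTOP-ALICE gets a new IP mid-month and LAPTOP-BOB moves to another scope.
DHCP_LEASES = """\
2017-03-01T08:00:00Z,10.10.1.23,00:11:22:33:44:55,laptop-alice
2017-03-01T09:00:00Z,10.10.1.24,AA:BB:CC:DD:EE:FF,laptop-bob
2017-03-15T08:00:00Z,10.10.1.57,00:11:22:33:44:55,laptop-alice
2017-03-20T10:00:00Z,10.20.1.5,AA:BB:CC:DD:EE:FF,laptop-bob
"""

# Constructed scope definitions: the "add DHCP as IP ranges" approach.
DHCP_POOLS = [
    {"cidr": "10.10.1.0/24", "city": "Boston", "country": "US", "bunit": "corp", "category": "dhcp_pool"},
    {"cidr": "10.20.1.0/24", "city": "Austin", "country": "US", "bunit": "corp", "category": "dhcp_pool"},
]

# Constructed stand-in for AD / SCCM / ePO data, keyed by NetBIOS host name.
DIRECTORY = {
    "LAPTOP-ALICE": {"dns": "laptop-alice.corp.example", "owner": "alice", "priority": "medium", "requires_av": "true"},
    "LAPTOP-BOB": {"dns": "laptop-bob.corp.example", "owner": "bob", "priority": "high", "requires_av": "true"},
}


def epoch(ts):
    """ISO-8601 UTC timestamp -> integer epoch seconds."""
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp())


def blank_row(**fields):
    """Asset row with every ES field present (empty) so the CSV header is complete."""
    row = {f: "" for f in ASSET_FIELDS}
    row.update(fields)
    return row


def parse_leases(text):
    leases = []
    for line in text.splitlines():
        ts, ip, mac, host = line.split(",")
        # Normalise MAC and host name so rows from different sources match later.
        leases.append({"time": epoch(ts), "ip": ip, "mac": mac.lower(), "nt_host": host.upper()})
    return sorted(leases, key=lambda l: l["time"])


LEASES = parse_leases(DHCP_LEASES)


def pool_for_ip(ip, pools):
    """CIDR match: which scope (if any) does a bare IP from a network/IDS log fall in?"""
    addr = ipaddress.ip_address(ip)
    return next((p for p in pools if addr in ipaddress.ip_network(p["cidr"])), None)


def pool_rows(pools):
    """Minimum practice: one asset row per scope, CIDR in ip, location and category set."""
    return [blank_row(ip=p["cidr"], city=p["city"], country=p["country"], bunit=p["bunit"],
                      category=p["category"], is_expected="true") for p in pools]


def host_rows(leases, directory):
    """DHCP-specific table: no ip, but mac + host name, enriched from directory data."""
    by_host = {}
    for l in leases:            # leases are time-sorted, so the last MAC seen wins
        by_host[l["nt_host"]] = l["mac"]
    return [blank_row(mac=mac, nt_host=h, **directory.get(h, {})) for h, mac in sorted(by_host.items())]


def most_recent_ip_rows(leases, directory):
    """One row per host carrying only its most recently leased IP."""
    latest = {}
    for l in leases:
        if l["nt_host"] not in latest or l["time"] > latest[l["nt_host"]]["time"]:
            latest[l["nt_host"]] = l
    return [blank_row(ip=l["ip"], mac=l["mac"], nt_host=h, **directory.get(h, {}))
            for h, l in sorted(latest.items())]


def resolve_ip_at(leases, ip, when):
    """Time-based lookup: reconstruct each host's address as of `when`, then find `ip`.
    Returns None if the host that once held `ip` had already moved on, avoiding a stale hit."""
    state = {}
    for l in leases:
        if l["time"] <= when:
            state[l["nt_host"]] = l["ip"]
    return next((h for h, cur in state.items() if cur == ip), None)


def to_csv(rows):
    """Serialise rows with the full ES asset header, ready to drop in as a lookup file."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=ASSET_FIELDS, lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(pool_rows(DHCP_POOLS) + host_rows(LEASES, DIRECTORY)))
    print(resolve_ip_at(LEASES, "10.10.1.23", epoch("2017-03-16T00:00:00Z")))
```

The `resolve_ip_at` check is the part that matters with short leases: by 2017-03-16 the address 10.10.1.23 is no longer held by LAPTOP-ALICE, so an event from that IP on that date should not be attributed to her laptop, which a static "most recent IP" column would get wrong.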