RFC1918 IP Not in CMDB
RFC1918 IP Not in CMDB
Description
Find internal addresses that aren't in your Asset database.
Content Mapping
This content is not mapped to any local saved search. Add mapping
How to Implement |
---|
Accurate CMDB information is a life-long effort, and is the hard part of this query. Given the goal of this search, it probably makes the most sense to implement it in phases, starting with a production data center and then moving elsewhere. A primary goal here is to detect shadow IT, so it's often useful to augment this detection with DHCP data (either as a lookup, combined | stats, or even as a different dashboard panel or adaptive response action) to weed out authorized devices being plugged into unusual locations. |
Known False Positives |
---|
Because of invariably incomplete CMDB data and the challenges with DHCP scopes, this search will likely produce a large volume of noise. It's use is only recommended in very clean environments, such as companies that believe they've conquered the CMDB challenge or in particular enclaves where shadow IT is a risk and there is relatively minimal change. |
How To Respond |
---|
When this alert fires, leverage DHCP to determine what device is plugged in, to see if there is any record of it. Work with the network team to track down the location of the device and determine whether it is allowable or not. If you have a large volume of these alerts, consider automating this process with a SOAR product like Splunk Phantom. |
Help |
---|
RFC1918 IP Not in CMDB HelpThis example leverages the simple search assistant. Our dataset is an anonymized collection of network traffic logs. For this analysis, we are aggregating by source_ip, and then looking it up in an asset database to determine the owner of each asset. When we don't have a match in the asset database, that is cause for an alert.. |
SPL for RFC1918 IP Not in CMDB
Demo Data
| First we load our basic demo data, and aggregate per source IP |
| Next we filter for source_ips that are coming from RFC1918 IP space. |
| Then we put take the src_ip field and look it up in our asset information, to see what hosts are in the asset data. This is a CIDR lookup, and if it ever matches the field "key" will be output. |
| Finally, we look for fields where there is no key field output. |
Accelerated Data
| First we look in the network traffic data model for traffic originating from RFC1918 space. |
| Then we put take the src_ip field and look it up in our asset information, to see what hosts are in the asset data. This is a CIDR lookup, and if it ever matches the field "key" will be output. |
| Finally, we look for fields where there is no key field output. |
Screenshot of Demo Data
