Navigation :

RFC1918 IP Not in CMDB

Description

Find internal addresses that aren't in your Asset database.


Use Case

Security Monitoring, Compliance

Category

Best Practices, Compliance, Shadow IT

Security Impact

In many organizations, chaos reigns free, but if you have controlled the chaos they you may want to know when your rules are being broken. The key concern here for most organizations is Shadow IT where a user plugs in a switch or wireless AP for their own convenience, to the detriment of your security controls, though it may also catch a bold physical security penetration tester (or a reckless digital intruder). When a new Source IP shows up that isn't a part of any address ranges or known hosts in the CMDB, this can indicate trouble.

Alert Volume

Medium (?)

SPL Difficulty

Basic

Journey

Stage 4

MITRE ATT&CK Tactics

Initial Access

MITRE ATT&CK Techniques

Hardware Additions

Data Sources

Network Communication

   How to Implement

Accurate CMDB information is a life-long effort, and is the hard part of this query. Given the goal of this search, it probably makes the most sense to implement it in phases, starting with a production data center and then moving elsewhere. A primary goal here is to detect shadow IT, so it's often useful to augment this detection with DHCP data (either as a lookup, combined | stats, or even as a different dashboard panel or adaptive response action) to weed out authorized devices being plugged into unusual locations.

   Known False Positives

Because of invariably incomplete CMDB data and the challenges with DHCP scopes, this search will likely produce a large volume of noise. It's use is only recommended in very clean environments, such as companies that believe they've conquered the CMDB challenge or in particular enclaves where shadow IT is a risk and there is relatively minimal change.

   How To Respond

When this alert fires, leverage DHCP to determine what device is plugged in, to see if there is any record of it. Work with the network team to track down the location of the device and determine whether it is allowable or not. If you have a large volume of these alerts, consider automating this process with a SOAR product like Splunk Phantom.

   Help

RFC1918 IP Not in CMDB Help

This example leverages the simple search assistant. Our dataset is an anonymized collection of network traffic logs. For this analysis, we are aggregating by source_ip, and then looking it up in an asset database to determine the owner of each asset. When we don't have a match in the asset database, that is cause for an alert..

SPL for RFC1918 IP Not in CMDB

Demo Data

| `Load_Sample_Log_Data(Sample Firewall Data)` | stats count by src_ip
First we load our basic demo data, and aggregate per source IP
| search src_ip=10.0.0.0/8 OR src_ip=192.168.0.0/16 OR src_ip=172.16.0.0/12
Next we filter for source_ips that are coming from RFC1918 IP space.
| lookup sse_sample_asset_list ip as src_ip
Then we put take the src_ip field and look it up in our asset information, to see what hosts are in the asset data. This is a CIDR lookup, and if it ever matches the field "key" will be output.
| where isnull(key)
Finally, we look for fields where there is no key field output.

Accelerated Data

| tstats summariesonly=t allow_old_summaries=t count from datamodel=Network_Traffic where All_Traffic.src_ip=10.0.0.0/8 OR All_Traffic.src_ip=192.168.0.0/16 OR All_Traffic.src_ip=172.16.0.0./12 by All_Traffic.src_ip
First we look in the network traffic data model for traffic originating from RFC1918 space.
| lookup asset_lookup_by_str ip as All_Traffic.src_ip OUTPUT key
Then we put take the src_ip field and look it up in our asset information, to see what hosts are in the asset data. This is a CIDR lookup, and if it ever matches the field "key" will be output.
| where isnull(key)
Finally, we look for fields where there is no key field output.

Screenshot of Demo Data