Here's what I'm trying to get out of my Splunk dashboards - I'm trying to pull in data from several assets (as mentioned in the post) and map field/value pairs that identify unique hosts across all of our asset logs. So Cisco logs could use src_add as an IP address field and Forescout could refer to the same host and have the same IP for that host, but use the field name ip_add. Ultimately, we are enforcing compliance upon connection to our network, which is going to be taken care of by our different assets. Like I said, I'm very new to Splunk so please let me know if you need me to clarify anything (and also if you have any pointers for learning it more quickly!).

Just some random thoughts, take them as they are. Forescout's ctupdate=hostinfo and ctupdate=policyinfo JSON events usually just have the IP address in a field called ip. If your Tanium events have it as ip_addr and your Cisco ISE events have it as src_ip (both for the sake of argument), you could try something like

(index=forescout ip="123.456.789.0") OR (index=tanium ip_addr="123.456.789.0") OR (index=cisco-ise src_ip="123.456.789.0") | eval IP_Address=coalesce(ip, ip_addr, src_ip)

That might be a long-running search, especially if you're looking back over a long period of time, but I find coalesce very helpful to get things going when trying to combine multiple datasets. Once you get IP_Address working, then you may need to choose what thing(s) from which data types to call The_Activity (if you were trying to dashboard this, for example). Depending on your use case, Forescout's ctupdate=hostinfo events may not necessarily be useful and you might want to dig around in the ctupdate=policyinfo events instead. Regex and multi-field stuff will be your friend with FS data. I've done a lot of Splunking with Forescout data (and with getting that data into Splunk in the first place) for public sector customers, so if you have any questions I might be able to help with, drop me a line.

You've answered it for me already so thank you very much! Normalizing MAC addresses as well as things like date-time stamps that may be different across assets is actually another question I had and was planning on asking that in another post.
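As an added worked example (not part of the original answer), here is the coalesce pattern carried through to a search that could back a per-host dashboard panel. It assumes the index names and the ip / ip_addr / src_ip field names used in the answer, and the The_Activity mapping (including an assumed Cisco ISE field named action) is invented for illustration.

```spl
(index=forescout ip=*) OR (index=tanium ip_addr=*) OR (index=cisco-ise src_ip=*)
| eval IP_Address=coalesce(ip, ip_addr, src_ip)
| eval The_Activity=case(
    index=="forescout" AND ctupdate=="policyinfo", "forescout_policy",
    index=="forescout", "forescout_hostinfo",
    index=="tanium", "tanium_inventory",
    index=="cisco-ise", "ise_".coalesce(action, "event"),
    true(), "unknown")
| stats count AS events,
        min(_time) AS first_seen,
        max(_time) AS last_seen,
        dc(index) AS sources_seen,
        values(The_Activity) AS activities
  BY IP_Address
| convert ctime(first_seen) ctime(last_seen)
| sort - sources_seen, - events
```

Hosts with sources_seen below the number of indexes you expect are the ones a compliance dashboard should surface, since a device that shows up in ISE but never in Forescout (or vice versa) has escaped one of the controls.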