Time based DHCP Lookups using Splunk

Quite often, especially when using Splunk Enterprise Security, we need to have a dynamic lookup between IP Addresses seen in events, and hostname values. This is useful for the user looking at the event data, but also allows events from sources such as network traffic to be associated with events from sources such as Windows event log.

How can we get Splunk to do this association automatically at search time?

The answer is time based lookups.

The lookup file is very, very simple :

dhcp_time dhcp_hostname dhcp_ip
timestamp hostname ip

Time based lookups utilise the time of an event, to perform a lookup against a set of values with associated timestamps. Splunk will retrieve the closest match between the search time event and the lookup file. There is a maximum skew between the two times that can be implemented, so for example, we can have Splunk retrieve the closest matching value within the lookup file, that occurred within 1 hour of the event in question.

These can be configured using a standard props / transforms rule on your Splunk Search Head.

props.conf

1
2
[WinEventLog:Microsoft-Windows-Sysmon/Operational]
LOOKUP-dhcp_lookup_auto = dhcp_time_lookup dhcp_hostname AS host OUTPUTNEW dhcp_ip AS dhcp_ip

transforms.conf

1
2
3
4
5
6
7
8
[dhcp_time_lookup]
batch_index_query = 0
case_sensitive_match = 0
filename = dhcp_lookup.csv
max_matches = 1
max_offset_secs = 3600
time_field = dhcp_time
time_format = %s

The result of this is an automatic lookup that runs on the WinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype matching against a single entry of the lookup file that has a timestamp field which is no more than one hour behind our search time event. This offset allows us to have multiple entries in this lookup over time, which means that as new IP’s are assigned, events should match up against the most appropriate single entry based on time.

The lookup file itself can be automatically populated by Splunk using SPL and a DCHP dataset, such as one generated by the Windows DHCP service.

Remember - if you want to use these globally, all knowledge objects must be shared globally! That includes the lookup file AND the lookup defintion. If you’re using Splunk Enteprise Security, consider using the Managed Lookups feature as this will handle permissions for you nicely.

Therefore, what we end up with is a automatic lookup that will always enrich network data with a DHCP hostname, but also events such as Windows Event log can be enriched with an an accurate and dynamic assigned IP address.