Splunk Lantern

IP address assignment data


In order to access network resources, every device on the network must possess a unique IP address. IP addresses are assigned to devices either dynamically or statically when they join the network. Dynamic Host Configuration Protocol (DHCP) servers and Virtual Private Network (VPN) gateways automatically allocate IP addresses and set their lease durations. Additionally, IP Address Management (IPAM) tools tie Domain Name Server (DNS) entries to DHCP changes, enriching the record of how and when IP addresses are assigned. Audit logging of DHCP, VPN, and IPAM is critical for investigations: it provides the mapping from an IP address to a device and a time window, and can surface suspicious activity and other warning signs of an attacker on the network.

Virtual private networks (VPNs) are a way of building a secure extension of a private network over an insecure, public one. VPNs can be established either between networks, routing all traffic between two sites, or between a client device and a network. Network-to-network VPNs are typically created using strong credentials such as certificates on each end of the connection. Client-to-network VPNs rely on user authentication, which can be as simple as a username and password. VPNs use network tunneling protocols such as IPsec, OpenVPN over SSL, or L2TP with cryptographically strong algorithms to encrypt information in transit and ensure end-to-end data integrity.

DHCP is the network protocol most client devices use to associate themselves with an IP network. Implemented via a DHCP server, which can be standalone or embedded in a router or other network appliance, DHCP provides network clients with critical network parameters including IP address, subnet mask, network gateway, DNS servers, WINS or other name servers, time servers (NTP), a host and domain name, and the addresses of other optional network services. DHCP logs show exactly which systems are connecting to a network, their IP and MAC addresses, when they connect, and for how long.

In the Common Information Model, IP address assignment data is typically mapped to the Network Sessions data model and the Authentication data model.
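The investigative use described above, turning DHCP log lines into "which device held this IP address at this time" answers and then flattening the result into Network Sessions-style fields, is shown below as an added example. It is not code from Splunk Lantern or from any DHCP product. The log lines are constructed in the ISC dhcpd syslog style (DHCPACK / DHCPRELEASE messages), and the CIM field names used in `to_cim` (`src_ip`, `src_mac`, `lease_duration`, `signature`, `dvc`) are an assumed mapping; check them against the Network Sessions data model documentation before relying on them in a field extraction.

```python
"""Reconstruct DHCP lease intervals from ISC dhcpd-style syslog lines and
attribute an IP address to the MAC address that held it at a given time.
Added example with constructed sample data; not from the original page."""
import re
from datetime import datetime

# Constructed sample lines in the ISC dhcpd syslog style (not captured from a real server).
# 10.0.0.5 is held by ee:01 from 08:00 to 12:00, then re-issued to ee:03 at 12:30.
SAMPLE_LOG = """\
2024-03-01T08:00:00Z dhcpd: DHCPACK on 10.0.0.5 to aa:bb:cc:dd:ee:01 (laptop-alice) via eth0
2024-03-01T08:05:00Z dhcpd: DHCPACK on 10.0.0.6 to aa:bb:cc:dd:ee:02 (printer-2f) via eth0
2024-03-01T12:00:00Z dhcpd: DHCPRELEASE of 10.0.0.5 from aa:bb:cc:dd:ee:01 (laptop-alice) via eth0 (found)
2024-03-01T12:30:00Z dhcpd: DHCPACK on 10.0.0.5 to aa:bb:cc:dd:ee:03 via eth0
2024-03-01T13:00:00Z dhcpd: DHCPNAK on 10.0.0.7 to aa:bb:cc:dd:ee:04 via eth0
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"
MAC = r"[0-9a-f:]{17}"
# Hostname in parentheses is optional: clients do not always send option 12.
ACK_RE = re.compile(
    rf"^(?P<ts>\S+) dhcpd: DHCPACK on (?P<ip>{IPV4}) to (?P<mac>{MAC})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)
RELEASE_RE = re.compile(
    rf"^(?P<ts>\S+) dhcpd: DHCPRELEASE of (?P<ip>{IPV4}) from (?P<mac>{MAC})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


def parse_ts(value):
    """Parse an ISO 8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_leases(log_text):
    """Return lease records with start/end times (end is None while still active).

    A DHCPACK for an IP already held by a *different* MAC closes the old lease,
    since the server has clearly handed the address to a new client. A DHCPACK
    for the same MAC is a renewal and leaves the lease open. A DHCPRELEASE closes
    the matching open lease. Other message types do not change lease state.
    """
    leases = []
    open_by_ip = {}
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if m:
            ts = parse_ts(m["ts"])
            current = open_by_ip.get(m["ip"])
            if current and current["src_mac"] != m["mac"]:
                current["end"] = ts
                del open_by_ip[m["ip"]]
                current = None
            if current is None:
                lease = {"src_ip": m["ip"], "src_mac": m["mac"], "host": m["host"] or "",
                         "iface": m["iface"], "start": ts, "end": None}
                leases.append(lease)
                open_by_ip[m["ip"]] = lease
            continue
        m = RELEASE_RE.match(line)
        if m:
            current = open_by_ip.get(m["ip"])
            if current and current["src_mac"] == m["mac"]:
                current["end"] = parse_ts(m["ts"])
                del open_by_ip[m["ip"]]
    return leases


def who_had_ip(leases, ip, at):
    """Return (mac, hostname) for the lease covering `ip` at time `at`, or None.

    The interval is half-open [start, end): an address released at 12:00 is not
    attributed to the old client at 12:00, and an unassigned gap returns None
    rather than guessing, which is the behaviour an investigator wants.
    """
    for lease in leases:
        if lease["src_ip"] == ip and lease["start"] <= at and (lease["end"] is None or at < lease["end"]):
            return lease["src_mac"], lease["host"]
    return None


def to_cim(lease):
    """Flatten a lease into Network Sessions-style fields (assumed field names)."""
    duration = None if lease["end"] is None else int((lease["end"] - lease["start"]).total_seconds())
    return {"src_ip": lease["src_ip"], "src_mac": lease["src_mac"], "lease_duration": duration,
            "signature": "DHCPACK", "dvc": lease["iface"]}


if __name__ == "__main__":
    table = build_leases(SAMPLE_LOG)
    print(who_had_ip(table, "10.0.0.5", parse_ts("2024-03-01T10:00:00Z")))
    print(who_had_ip(table, "10.0.0.5", parse_ts("2024-03-01T12:15:00Z")))
    print(to_cim(table[0]))
```

The point of the half-open interval and the explicit `None` for gaps is that IP-to-device attribution is only as good as the lease timeline: when a release and a re-issue fall close together, a naive "last ACK for this IP" lookup blames the wrong device.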

Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion: