A lot of you must know about this already, but I only recently stumbled over Rumble, HD Moore's latest development. It patches a hole that has been gaping at us for a while now: knowing what assets are on your network. The website claims: "Rumble identifies assets without the need for credentials or special access. A single agent can be used to assess an entire enterprise, or multiple agents can be used to limit cross-site traffic. Discover networks, large or small, in a fraction of the time required by legacy tools."
So I gave this a go to see how it could help my friends in the Splunk world get a grip on their assets. And although I have no enterprise network, my modern home proved to be a pretty little test ground.
First I got a free account at rumble.run, downloaded the agent and installed it on one of my machines. It took around 10 minutes between getting an account and having a full picture of all the assets in my network.
It did not uncover all the details of all my devices, but many of them do not offer a lot of services (although they have my attention now). As curiosity got the best of me, I exported the data to bring it into my Splunk instance.
Adding a CSV to Splunk as a lookup is a pretty simple procedure:
1.) Create a new Lookup Table file; this is where you upload the CSV.
2.) Create a lookup definition that points at that file.
For details on this, please have a look at the documentation if this is new to you:
Having set this up, it only takes a simple piece of SPL to enrich events with the newly discovered Rumble information!
It turns a simple event like this:
into an event with a LOT of context.
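The post does not reproduce the actual search, so here is an added SPL example of the enrichment step; it is not the author's query and not something shipped by Rumble or Splunk. It assumes the lookup definition was named rumble_assets, that the exported CSV carries the columns address, names, os, type and hw (assumed names; the real export headers may differ, so check them with the first search), and that the events being enriched have a src_ip field. The second search goes one step beyond the post and lists events whose source IP is not in the inventory at all, which is exactly the "unknown device on my network" case an asset scan is meant to surface.

```spl
| inputlookup rumble_assets
| head 5
| table address names os type hw

index=main sourcetype=firewall
| lookup rumble_assets address AS src_ip OUTPUT names AS src_hostname, os AS src_os, type AS src_device_type, hw AS src_hardware
| table _time src_ip src_hostname src_os src_device_type src_hardware action

index=main sourcetype=firewall
| lookup rumble_assets address AS src_ip OUTPUT names AS src_hostname
| where isnull(src_hostname)
| stats count earliest(_time) AS first_seen latest(_time) AS last_seen BY src_ip
| sort - count
```

The first search just checks that the lookup loads and shows the column names you actually have; run it once before writing the others. The second search does the enrichment from the post: each event gets the hostname, OS, device type and hardware that Rumble discovered for its source address. The third flips the lookup around: any src_ip that comes back with no hostname was not in the last Rumble scan, so it is either new, was offline during the scan, or is something you want to look at. If you want the enrichment applied automatically instead of per search, the same lookup can be turned into an automatic lookup on the sourcetype under Settings > Lookups.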
I am keen to automate the flow of things, so next up is to stick all of this in a TA and have Splunk initiate a scheduled network scan!