Get Hostname from IP address

Hi,

I am trying to get the internal hostname from an internal IP address in SOAR.

Is there any action which can get me the hostname, or any UDM query to get the correct hostname from Chronicle SIEM?

For now I am fetching it from the alert itself, but there are cases where the alert does not have a hostname but only an IP address.

Enriching an internal IP address will depend on what SOAR integrations you have available. If you don't have an integration available that can enrich an internal IP address, then you can create a custom integration that could look up the host information.

@dlove40 

Thank you for the reply. I am new to SOAR and not sure how to build a custom integration.

If there are any in-built tools or integrations which can ping, do an nslookup, or run a command through a terminal, please share some information or documentation on them.

Are there any repos available for custom integrations which users have created and can share with others?

Regards,

Laxmikant

@Laxmikant_Nagar 

You can use action DNS Lookup from Tools Power Up from the Marketplace:

However, since it is an internal IP, meaning you wouldn't have access to it from SOAR, you would need to use a Remote Agent in the same network where you have the DNS server and run the action through the Remote Agent.

Documentation links:

I do this with the CrowdStrike integration. But you should also be able to do it with UDM, although without knowing what your log sources are it is hard to say.

If you can figure out the query in the SIEM with your log sources to return the data that you want, it would be easy to use a playbook to pull that info in.
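As an added illustration of the SIEM-based approach in the last reply (example code written for this thread, not from any poster or from Google's product), the function below post-processes search results that carry the UDM fields `principal.ip`, `principal.hostname` and `metadata.event_timestamp`, and picks the hostname seen on the IP closest to the alert time. The event records are a constructed sample, not real Chronicle output; the time-window logic is an assumption about how a playbook might treat DHCP-reassigned addresses, where the newest event overall is not necessarily the right host.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of SIEM search results flattened to UDM-style field names.
# This is not real Chronicle output, only the shape a playbook might work with.
SAMPLE_EVENTS = [
    {"metadata.event_timestamp": "2024-05-01T08:00:00Z",
     "principal.ip": "10.20.30.40", "principal.hostname": "laptop-a"},
    {"metadata.event_timestamp": "2024-05-01T14:00:00Z",
     "principal.ip": "10.20.30.40", "principal.hostname": "laptop-b"},
    {"metadata.event_timestamp": "2024-05-01T14:05:00Z",
     "principal.ip": "10.20.30.41", "principal.hostname": "server-x"},
    {"metadata.event_timestamp": "2024-05-01T14:10:00Z",
     "principal.ip": "10.20.30.40", "principal.hostname": ""},  # no hostname
]


def parse_ts(ts):
    """Parse an RFC 3339 UTC timestamp like 2024-05-01T08:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hostname_for_ip(events, ip, alert_time, max_skew=timedelta(hours=4)):
    """Return the hostname observed on `ip` nearest in time to `alert_time`.

    Internal IPs in DHCP ranges get reassigned, so the mapping is only valid
    close to the alert: the candidate closest in time wins, and anything
    further away than `max_skew` is rejected. Events without a hostname are
    skipped. Returns None when nothing usable is found, so the caller can fall
    back (e.g. a DNS lookup via a remote agent) or leave the entity unenriched.
    """
    best_name, best_delta = None, None
    for ev in events:
        if ev.get("principal.ip") != ip or not ev.get("principal.hostname"):
            continue
        delta = abs(parse_ts(ev["metadata.event_timestamp"]) - alert_time)
        if delta <= max_skew and (best_delta is None or delta < best_delta):
            best_name, best_delta = ev["principal.hostname"], delta
    return best_name


if __name__ == "__main__":
    alert = parse_ts("2024-05-01T13:30:00Z")
    # 08:00 event is 5.5 h away (rejected); 14:00 event is 30 min away -> laptop-b
    print(hostname_for_ip(SAMPLE_EVENTS, "10.20.30.40", alert))
```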