Dashboard: DHCPv4 Range Utilization - Empty Ranges

Hey guys,

A customer of ours needed a dashboard that gives you the option to show all DHCP networks that are not being utilized. It's a bit surprising to us that this is not a feature available in any of the default dashboards/reports.

With the default settings you get all DHCP networks that have had no utilization in the last 30 days. This allows a customer to clean up old, unused DHCP ranges in big network environments.

John Neerdael & Roy Wiss

SecureLink Netherlands

<form>
  <label>DHCPv4 Range Utilization - Empty Ranges</label>
  <description>DHCPv4 Range Utilization - Empty Ranges</description>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time">
      <label>Time</label>
      <default>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="network">
      <label>Network (eg: *.168.1.*)</label>
      <default>*</default>
      <change>
        <condition value="All">
          <set token="network_str">| noop</set>
        </condition>
        <condition value="*">
          <set token="network_str">| filterdhcprangesreport start_address end_address "$value$"</set>
        </condition>
      </change>
      <initialValue>*</initialValue>
    </input>
    <input type="text" token="dhcp_utilization">
      <label>Utilization % (eg: &gt;10)</label>
      <default>=0.000000</default>
      <initialValue>=0.000000</initialValue>
    </input>
    <input type="text" token="ranges_field">
      <label>Ranges (eg: !=0 )</label>
      <default>!=0</default>
      <initialValue>!=0</initialValue>
    </input>
  </fieldset>
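  <!-- Note: the table panel below runs its own search and does not reference
       this base search. The tokens dhcp_range_str, microsoft_servers_str,
       members and bottomn used here are not set by any input in this form. -->
  <search id="base_search">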
    <query>index=ib_dhcp_summary report=si_dhcp_range_utilization_trend
        $dhcp_range_str$
        | msservers ms_servers
        $microsoft_servers_str$
        | eval members=if(isnull(members), "", members)
        $members$
        | eval ms_servers=if(isnull(ms_servers), "", ms_servers)
        | stats avg(dhcp_utilization) as ADU by _time view members ms_servers start_address end_address DHCP_RANGE dhcp_utilization_status
        $network_str$
        | timechart bins=1000 eval(avg(ADU)/10) by DHCP_RANGE where min in bottom$bottomn$  useother=f
        | interpolate 43200</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
  </search>
  <row>
    <panel>
      <table>
        <search>
          <query>sourcetype=ib:dhcp:network index=ib_dhcp (members="*") cidr &gt;=1 address=$network$ ranges$ranges_field$  | stats avg(dhcp_utilization) as ADU by address, cidr, ranges |  where ADU $dhcp_utilization$  | sort +  address |  table address , cidr, ADU, ranges |rename address as Network, cidr as CIDR, ADU as "DHCPv4 Utilization %", ranges as Ranges</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>