Introducing SOC Insights for BloxOne Threat Defense: Boost your SOC efficiency with AI-driven insights to eliminate manual work and accelerate investigation and response times. Read the blog announcement here.

Reporting

Reply

Filter DHCP lease history with Extensible attributes

[ Edited ]
Adviser
Posts: 15
5379     0

Hello,

 

A customer asked me today to export dhcp lease history from Turkey only.

 

Here are the steps to filter DHCP lease history based on Extensible attributes:

 

1) Export Networks from IPAM

Capture d’écran 2019-02-01 à 15.22.47.png

 

2) Import in Reporting lookup, change permissions and test it:

 

Capture d’écran 2019-02-01 à 17.47.02.png

Capture d’écran 2019-02-01 à 15.22.32.png

3) Update the DHCP lease history search

sourcetype=ib:dhcp:lease_history index=ib_dhcp_lease_history dhcpd OR dhcpdv6 r-l-e | eval Network=FP_NW+"/"+FP_CIDR | lookup network-with-ea.csv Network as Network | eval Protocol=if(PROTO=="dhcpdv6","IPV6","IPV4") | noop | eval LEASE_START=strftime(START_EPOCH, "%Y-%m-%d %H:%M:%S") | eval LEASE_END=strftime(END_EPOCH, "%Y-%m-%d %H:%M:%S") | eval dummy_epoch="" | eval __COMMENT="The lease_time.latest and lease_time.latest are the date format in epoch number. For example if timestamp is 01-01-1971 01.01.01, the epoch number is 8 digit number. So taken lease_time length with >=8." | eval min_lengh_epoch=8 | eval earliest=if(len("0") <= min_lengh_epoch, dummy_epoch , "0") | eval latest=if(len("") <= min_lengh_epoch, dummy_epoch , "") | eval earliest=if(len("0") == 0, START_EPOCH,"0") | eval latest=if(len("") == 0, END_EPOCH,"") | where ((earliest <= START_EPOCH) AND (START_EPOCH <= latest)) OR ((earliest <= END_EPOCH) AND (END_EPOCH <= latest)) | eval FINGER_PRINT=if(isnull(OS_NUMBER) OR OS_NUMBER==0,FP,SFP) | msservers MS_SERVER | eval resolved_names_or_ips=coalesce(ms_resolved_names,ms_resolved_ips) | eval resolved_names_or_ips=if(isnull(resolved_names_or_ips),MS_SERVER,resolved_names_or_ips) | noop | noop | eval host = if (isnull(MS_SERVER),host,NULL) | eval MEMBER_IP = if (isnull(MS_SERVER),MEMBER_IP,NULL) | noop | eval DEVICE_CLASS=if(isnull(DEVICE_CLASS), "Modified or Deleted", DEVICE_CLASS) | rename host as "Member", ACTION as "Action", LEASE_IP as "Lease IP", MAC_DUID as "MAC/DUID", MEMBER_IP as "Member IP", OPTION12HOST as "Host Name", LEASE_START as "Lease Start", LEASE_END as "Lease End", FINGER_PRINT as "Fingerprint", MS_SERVER as "Microsoft Server IP", ms_resolved_names as "Microsoft Server" | convert ctime(_time) as Time | table Time, Member, "Member IP", Protocol, Action, "Lease IP", "MAC/DUID", "Host Name", "Lease Start", "Lease End", "Fingerprint", "Microsoft Server", "Microsoft Server IP"

 

4) And voila:

Capture d’écran 2019-02-01 à 17.33.16.pngCapture d’écran 2019-02-01 à 17.37.44.png

 

It is also possible to modify the DHCP lease history dashboard to include drop down menu for country, region and site if you use this data often.

 

Feel free to share your feedback

Check out our new Tech docs website at http://docs.infobox.com for latest documentation on Infoblox products.

Re: Filter DHCP lease history with Extensible attributes

New Member
Posts: 1
5380     0

Hi Jeanselme,

 

How can we add the comment field in the DHCP lease history report. The comment needs to be the Network scope comment.

 

Thanks

Showing results for 
Search instead for 
Did you mean: 

Recommended for You