On demand DHCP lease history search from SIEM
01-10-2019 02:57 AM - edited 01-10-2019 03:25 AM
I have met with a lot of SOC managers recently, some of them using investigation tools like IBM Resilient, and they had this request:
I would like to be able to search IP and/or MAC and/or hostname in a given period from our investigation tools without having to open Infoblox UI.
Here is how to do that, only by issuing REST API calls:
Prerequisites:
- Infoblox Reporting & Analytics module
- Grid Reporting Properties > General > DHCP Lease history is enabled
- An Infoblox administrator account with Grid Reporting Properties Read Only permission, that has already successfully connected through the GUI, and tested that the DHCP Lease history report is actually showing data
Postman configuration to test it:
0) Postman Environment variables:
logincall: /services/auth/login/
savedsearches: /services/saved/searches
search: /services/search/jobs/
RS: https://<Your-REPORTING-Member-IP>:9185
0) Import the attached file: Infoblox-Reporting-WAPI-DHCP-lease-history.postman_collection.json in Postman
1) Authenticate and generate token
- Open 1- Get Token
- Change username and password in body
- Send
A sessionkey must be returned; if not, make sure that the GUI works and that the report works with this user
2) Create the search
- Open 2- Save search
- Send
3) Actually perform your search!
- Open 3- Saved Search Synchronous
- Change
  + args.lease_time.earliest
  + args.lease_time.latest
  + dispatch.earliest_time
  + dispatch.latest_time
  to your search interval in epoch time
- Change args.lease_ip_str and/or args.host_name_str and/or args.mac_duid_str to the IP, hostname or MAC address you are searching for
- Send
- a SID must be returned
4) Get your search results
- Open 4 - get job output JSON
- Send
- And voila:
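The four REST calls above, as an added Python example that is not the attached Postman collection nor any Infoblox or Splunk code: the endpoint paths are the post's environment variables, while the saved-search name, the `.../dispatch` endpoint, the `Authorization: Splunk <sessionkey>` header and the response shapes are assumptions based on Splunk's REST conventions. The `http` callable is injected so the flow can be exercised offline; `urllib_http` is a minimal real transport.

```python
import json
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

LOGIN, SAVED, JOBS = "/services/auth/login/", "/services/saved/searches", "/services/search/jobs/"
SEARCH_NAME = "dhcp_lease_history_api"  # assumed name of the saved search created in step 2

def urllib_http(method, url, data=None, headers=None):
    """Real transport: returns (status, body). TLS verification is left on."""
    req = urllib.request.Request(url, data=data.encode() if data else None,
                                 headers=headers or {}, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def _fail(step, status, body):
    """Surface the <msg> text from an error reply (e.g. 'Login failed') instead of raw XML."""
    try:
        msg = ET.fromstring(body).findtext(".//msg") or body[:200]
    except ET.ParseError:
        msg = body[:200]
    raise RuntimeError(f"{step}: HTTP {status}: {msg}")

def get_token(http, base, username, password):
    """Step 1: POST credentials; a <sessionKey> must come back."""
    status, body = http("POST", base + LOGIN, urlencode({"username": username, "password": password}))
    if status != 200:
        _fail("login", status, body)
    return ET.fromstring(body).findtext("sessionKey")

def run_saved_search(http, base, token, earliest, latest, ip="*", host="*", mac="*"):
    """Step 3: dispatch the saved search with the epoch window and filters; returns the SID."""
    params = {"args.lease_time.earliest": earliest, "args.lease_time.latest": latest,
              "dispatch.earliest_time": earliest, "dispatch.latest_time": latest,
              "args.lease_ip_str": ip, "args.host_name_str": host, "args.mac_duid_str": mac}
    status, body = http("POST", f"{base}{SAVED}/{SEARCH_NAME}/dispatch", urlencode(params),
                        {"Authorization": f"Splunk {token}"})
    if status not in (200, 201):
        _fail("dispatch", status, body)
    return ET.fromstring(body).findtext("sid")

def get_results(http, base, token, sid):
    """Step 4: fetch the job output as JSON and return the result rows."""
    status, body = http("GET", f"{base}{JOBS}{sid}/results?output_mode=json", None,
                        {"Authorization": f"Splunk {token}"})
    if status != 200:
        _fail("results", status, body)
    return json.loads(body)["results"]

def lease_history(http, base, username, password, earliest, latest, **filters):
    """Steps 1, 3 and 4 chained; step 2 (saving the search) is assumed done once beforehand."""
    token = get_token(http, base, username, password)
    return get_results(http, base, token, run_saved_search(http, base, token, earliest, latest, **filters))
```

Call `lease_history(urllib_http, "https://<Your-REPORTING-Member-IP>:9185", user, pw, earliest, latest, ip="...")` against the reporting member; a failed login raises with the `<msg>` text the member returned.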
Re: On demand DHCP lease history search from SIEM
02-06-2019 03:19 AM
If you want to do it with Python, you can quickly adapt this code:
https://www.splunk.com/blog/2011/08/02/splunk-rest-api-is-easy-to-use.html
Re: On demand DHCP lease history search from SIEM
09-30-2019 10:55 AM
Ya, we can quickly adapt it, but there are some issues when it was specifically written in Python.
Re: On demand DHCP lease history search from SIEM
09-01-2020 05:09 AM - edited 09-01-2020 05:13 AM
Hi @NJeanselme
This is a great script to pull data via API from the reporting member. We are trying to set up the same thing in our environment. We are receiving the following error when trying to access our reporting member using https://our-reporting-member:9185/services/auth/login as indicated in the script. Any help is appreciated.
<?xml version="1.0" encoding="UTF-8"?> <response> <messages> <msg type="WARN">Login failed</msg> </messages> </response>