

On demand DHCP lease history search from SIEM

Adviser

I have met with a lot of SOC managers recently, some of them using investigation tools like IBM Resilient, and they had this request:

I would like to be able to search IP and/or MAC and/or hostname in a given period from our investigation tools without having to open the Infoblox UI.

Here is how to do that, only by issuing REST API calls:

Prerequisites:

- Infoblox Reporting & Analytics module

- Grid Reporting Properties > General > DHCP Lease history is enabled

- An Infoblox administrator account with Grid Reporting Properties Read Only permission that has already successfully connected through the GUI, and tested that the DHCP Lease history report is actually showing data

 

Postman configuration to test it:

0) Postman Environment variables:

logincall: /services/auth/login/

savedsearches: /services/saved/searches

search: /services/search/jobs/

RS: https://<Your-REPORTING-Member-IP>:9185

0) Import the attached file Infoblox-Reporting-WAPI-DHCP-lease-history.postman_collection.json in Postman

1) Authenticate and generate token

- Open 1- Get Token

- Change username and password in body

- Send

A sessionkey must be returned; if not, make sure that the GUI works and that the report works with this user.

(screenshot: 1.png)

2) Create the search

- Open 2- Save search

- Send

(screenshot: 2.png)

 

3) Actually perform your search!

- Open 3- Saved Search Synchronous

- Change

     + args.lease_time.earliest

     + args.lease_time.latest

     + dispatch.earliest_time

     + dispatch.latest_time

with your search interval epoch time, and args.lease_ip_str and/or args.host_name_str and/or args.mac_duid_str with the IP, hostname or MAC address you are searching

- Send

- A SID must be returned

(screenshot: 3.png)

 

4) Get your search results

- Open 4 - get job output JSON

- Send

- And voilà:

(screenshot: 4.png)

 

Check out our new Tech docs website at http://docs.infobox.com for latest documentation on Infoblox products.
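The same four calls from the post (login, dispatch the saved search with the lease-history arguments, fetch the job output as JSON), written as a small Python client. This is an added example, not the Postman collection attached to the post or any Infoblox-supplied code. The endpoint paths and the args.* / dispatch.* parameter names are the ones listed in the post; the saved-search name, the constructed responses used for the offline run, and the sample lease record are assumptions. The transport is injectable so the flow can be exercised without a reporting member and then pointed at a real one with urllib_transport.

```python
"""Search Infoblox DHCP lease history through the reporting member's REST API.

Added example (not the post's Postman collection). Paths and parameter names
are taken from the post; SAVED_SEARCH_NAME and the fake responses are assumed.
"""
import json
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional

# Paths exactly as listed in the post's Postman environment variables.
LOGIN_PATH = "/services/auth/login/"
SAVED_SEARCHES_PATH = "/services/saved/searches"
SEARCH_JOBS_PATH = "/services/search/jobs/"

# Assumed placeholder for the saved search created in step 2; the post's
# collection defines its own name.
SAVED_SEARCH_NAME = "dhcp_lease_history_siem"

# A transport is any callable (method, url, headers, body) -> response text.
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], str]


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> str:
    """Real HTTPS transport. Relies on the system CA store validating the
    reporting member's certificate; certificate checking is left enabled."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def parse_session_key(xml_text: str) -> str:
    """Step 1: a successful login returns <sessionKey>. A <msg type="WARN">Login
    failed</msg> (the error in the last reply of this thread) means the
    credentials are wrong or the account lacks reporting permission."""
    root = ET.fromstring(xml_text)
    key = root.findtext("sessionKey")
    if key is None:
        raise PermissionError(root.findtext("./messages/msg") or "no sessionKey in response")
    return key


def parse_sid(xml_text: str) -> str:
    """Step 3: the dispatch response must carry a SID."""
    sid = ET.fromstring(xml_text).findtext("sid")
    if sid is None:
        raise RuntimeError("dispatch did not return a SID")
    return sid


def lease_search_args(earliest: int, latest: int, ip: Optional[str] = None,
                      hostname: Optional[str] = None, mac: Optional[str] = None) -> Dict[str, str]:
    """Step 3 parameters from the post. earliest/latest are epoch seconds;
    only the selectors actually supplied (IP, hostname, MAC) are sent."""
    args = {
        "args.lease_time.earliest": str(earliest),
        "args.lease_time.latest": str(latest),
        "dispatch.earliest_time": str(earliest),
        "dispatch.latest_time": str(latest),
    }
    for name, value in (("args.lease_ip_str", ip), ("args.host_name_str", hostname),
                        ("args.mac_duid_str", mac)):
        if value:
            args[name] = value
    return args


def run_lease_history_search(transport: Transport, base_url: str, username: str, password: str,
                             earliest: int, latest: int, ip: Optional[str] = None,
                             hostname: Optional[str] = None, mac: Optional[str] = None) -> List[dict]:
    """Steps 1, 3 and 4 of the post in sequence; returns the lease records."""
    form = {"Content-Type": "application/x-www-form-urlencoded"}
    login_body = urllib.parse.urlencode({"username": username, "password": password}).encode()
    session_key = parse_session_key(transport("POST", base_url + LOGIN_PATH, form, login_body))
    # The session key is presented on every later call as a Splunk Authorization header.
    auth = {"Authorization": f"Splunk {session_key}", **form}
    dispatch_url = f"{base_url}{SAVED_SEARCHES_PATH}/{urllib.parse.quote(SAVED_SEARCH_NAME)}/dispatch"
    body = urllib.parse.urlencode(lease_search_args(earliest, latest, ip, hostname, mac)).encode()
    sid = parse_sid(transport("POST", dispatch_url, auth, body))
    results_url = f"{base_url}{SEARCH_JOBS_PATH}{urllib.parse.quote(sid)}/results?output_mode=json"
    return json.loads(transport("GET", results_url, auth, None)).get("results", [])


def fake_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> str:
    """Constructed responses in the shape the reporting member returns, so the
    flow runs offline. The credentials and lease record are made up."""
    if url.endswith(LOGIN_PATH):
        fields = urllib.parse.parse_qs((body or b"").decode())
        if fields.get("password") != ["correct-horse-battery"]:
            return '<response><messages><msg type="WARN">Login failed</msg></messages></response>'
        return "<response><sessionKey>abc123</sessionKey></response>"
    if url.endswith("/dispatch"):
        if headers.get("Authorization") != "Splunk abc123":
            return '<response><messages><msg type="ERROR">Unauthorized</msg></messages></response>'
        return "<response><sid>1700000000.42</sid></response>"
    return json.dumps({"results": [
        {"lease_ip": "10.0.0.5", "mac": "aa:bb:cc:dd:ee:ff", "host_name": "ws-01"}]})


if __name__ == "__main__":
    rows = run_lease_history_search(fake_transport, "https://reporting.example:9185",
                                    "siem-ro", "correct-horse-battery",
                                    1700000000, 1700003600, ip="10.0.0.5")
    for row in rows:
        print(row)
```

To run it against a real reporting member, pass urllib_transport and the RS value from the Postman environment as base_url, with a read-only reporting account as in the prerequisites. Because parse_session_key raises on the "Login failed" message, a SIEM playbook calling this can distinguish a credential or permission problem from an empty search result.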

Re: On demand DHCP lease history search from SIEM

Adviser

If you want to do it with Python, you can quickly adapt this code:

https://www.splunk.com/blog/2011/08/02/splunk-rest-api-is-easy-to-use.html


Re: On demand DHCP lease history search from SIEM

New Member

Yeah, we can quickly adapt it, but there are some issues when it was specifically written in Python.

Re: On demand DHCP lease history search from SIEM

New Member

Hi @NJeanselme

This is a great script to pull data via API from the reporting member. We are trying to set up the same thing in our environment. We are receiving the following error when trying to access our reporting member using https://our-reporting-member:9185/services/auth/login as indicated in the script. Any help is appreciated.


<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="WARN">Login failed</msg>
  </messages>
</response>
