ExtraHop DHCP

About

Dynamic Host Configuration Protocol (DHCP) is a standardized network protocol used on Internet Protocol (IP) networks. DHCP is controlled by a DHCP server that dynamically distributes network configuration parameters for interfaces and services. Networks ranging in size from small home networks to campus networks frequently use DHCP.

Product Details

Vendor URL: ExtraHop DHCP

Product Type: DHCP

Product Tier: Tier I

Integration Method: Syslog

Integration URL: ExtraHop Syslog Export

Requirements

The MAC address has to be present in the raw data for the parser to use the UDM event type "NETWORK_DHCP". If it is not present, the parser defaults to GENERIC_EVENT.

Parser Details


Log Format: JSON

Expected Normalization Rate: 95%

Data Label: EXTRAHOP_DHCP

UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
| --- | --- |
| "EXTRAHOP" | metadata.vendor_name |
| "DHCP" | metadata.product_name |
| message | metadata.description |
| hostname | target.hostname |
| gateway | target.ip |
| transaction | network.dhcp.transaction_id |
| DHCP | network.application_protocol |
| client_hardware_address | network.dhcp.chaddr |
| options.code | network.dhcp.options.code |
| options.payload | network.dhcp.ciaddr |
| options.payload | network.dhcp.lease_time_seconds |
| options.payload | network.dhcp.type |
| options.payload | principal.hostname |

Product Event Types

| type,subtype | severity | UDM Event Classification | alerting enabled |
| --- | --- | --- | --- |
| dhcp | | NETWORK_DHCP | |
| all other events | | GENERIC_EVENT | |

Log Sample

<14>1999-07-11T13:38:02.91Z extrahop-mgmt.acme.com 
{
  "message": "DHCPACK",
  "gateway": null,
  "hardware_type": 1,
  "client_hardware_address": "00:00:00:00:00:00",
  "transaction": 1469128644,
  "options": [
    {
      "code": 53,
      "name": "DHCP Msg Type",
      "payload": 5
    },
    {
      "code": 54,
      "name": "DHCP Server Id",
      "payload": "1.1.1.1"
    },
    {
      "code": 51,
      "name": "Address Time",
      "payload": 600
    },
    {
      "code": 1,
      "name": "Subnet Mask",
      "payload": -512
    },
    {
      "code": 3,
      "name": "Router",
      "payload": [
        "1.1.1.10"
      ]
    },
    {
      "code": 12,
      "name": "Hostname",
      "payload": "hostname"
    },
    {
      "code": 15,
      "name": "Domain Name",
      "payload": "acme.com"
    },
    {
      "code": 6,
      "name": "Domain Server",
      "payload": [
        "1.1.1.2",
        "1.1.1.3"
      ]
    }
  ],
  "ip": "1.1.1.4"
}

Sample Parsing

metadata.event_timestamp = "1999-07-11T13:38:02.910Z"
metadata.event_type = "NETWORK_DHCP"
metadata.vendor_name = "EXTRAHOP"
metadata.product_name = "DHCP"
metadata.description = "DHCPACK"
principal.hostname = "extrahop-mgmt.acme.com"
principal.asset.hostname = "extrahop-mgmt.acme.com"
network.application_protocol = "DHCP"
network.dhcp.transaction_id = 1469128644
network.dhcp.ciaddr = "1.1.1.1"
network.dhcp.yiaddr = "1.1.1.4"
network.dhcp.chaddr = "00:00:00:00:00:00"
network.dhcp.options.code = 53
network.dhcp.options.code = 54
network.dhcp.options.code = 51
network.dhcp.options.code = 1
network.dhcp.options.code = 3
network.dhcp.options.code = 12
network.dhcp.options.code = 15
network.dhcp.options.code = 6
network.dhcp.type = "ACK"
network.dhcp.lease_time_seconds = 600
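
As an added illustration (not ExtraHop's code and not the parser itself), the Python sketch below applies the field mapping and the MAC-address requirement to a constructed line modelled on the log sample. `to_udm`, `wrap` and the flat key layout are hypothetical, and the choice of option codes 53, 51 and 54 and of `ip` for `yiaddr` is read off the Sample Parsing output above.

```python
import json

# DHCP message types carried in option 53 (RFC 2132).
DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
              5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

# Constructed input modelled on the page's log sample, trimmed to four options.
HEADER = "<14>1999-07-11T13:38:02.91Z extrahop-mgmt.acme.com "
RECORD = {
    "message": "DHCPACK", "gateway": None,
    "client_hardware_address": "00:00:00:00:00:00", "transaction": 1469128644,
    "options": [{"code": 53, "name": "DHCP Msg Type", "payload": 5},
                {"code": 54, "name": "DHCP Server Id", "payload": "1.1.1.1"},
                {"code": 51, "name": "Address Time", "payload": 600},
                {"code": 12, "name": "Hostname", "payload": "hostname"}],
    "ip": "1.1.1.4",
}

def wrap(record):
    """Frame a record the way the sample is framed: syslog header, then JSON."""
    return HEADER + json.dumps(record)

def to_udm(line):
    """Map one ExtraHop DHCP syslog line to flat UDM-style keys."""
    header, brace, body = line.partition("{")
    record = json.loads(brace + body)
    host = header.split()[-1] if header.split() else None
    options = record.get("options") or []
    by_code = {o["code"]: o.get("payload") for o in options}
    chaddr = record.get("client_hardware_address")
    udm = {
        # Without a MAC address the event cannot be typed as NETWORK_DHCP.
        "metadata.event_type": "NETWORK_DHCP" if chaddr else "GENERIC_EVENT",
        "metadata.vendor_name": "EXTRAHOP",
        "metadata.product_name": "DHCP",
        "metadata.description": record.get("message"),
        "principal.hostname": host,  # syslog header host, as in Sample Parsing
        "target.hostname": record.get("hostname"),
        "target.ip": record.get("gateway"),
        "network.application_protocol": "DHCP",
        "network.dhcp.transaction_id": record.get("transaction"),
        "network.dhcp.chaddr": chaddr,
        "network.dhcp.yiaddr": record.get("ip"),
        "network.dhcp.ciaddr": by_code.get(54),  # as in Sample Parsing
        "network.dhcp.lease_time_seconds": by_code.get(51),
        "network.dhcp.type": DHCP_TYPES.get(by_code.get(53)),
        "network.dhcp.options.code": [o["code"] for o in options],
    }
    return {k: v for k, v in udm.items() if v not in (None, "")}
```

A quick ingestion check is to count how many events land as GENERIC_EVENT: a high share means the export is dropping `client_hardware_address`, and DHCP-based detections keyed on NETWORK_DHCP will not see those records.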

Parser Alerting

No alerting is built into this parser.

Rules

Coming Soon