ExtraHop DHCP¶
About¶
The @Adapter series not only enables appropriate access to the authentication network, but also provides customers with various means and know-how to quickly and easily approach the authentication network, which tends to impair convenience, and supports the efficient operation of the authentication network.
Product Details¶
Vendor URL: Hcnet Account Adapter Plus
Product Type: DHCP
Product Tier: Tier I
Integration Method: Syslog
Parser Details¶
Log Format: SYSLOG
Expected Normalization Rate: 95%
Data Label: HCNET_ACCOUNT_ADAPTER
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| All values selected with a custom filter | intermediary.hostname |
| intermediary.ip | |
| network.application_protocol | |
| network.dhcp.chaddr | |
| network.dhcp.ciaddr | |
| network.dhcp.client_hostname | |
| network.dhcp.giaddr | |
| network.dhcp.type | |
| network.dhcp.yiaddr | |
| network.direction | |
| observer.hostname | |
| observer.hostname | |
| principal.application | |
| principal.asset.hostname | |
| principal.asset.ip | |
| principal.asset.mac | |
| principal.hostname | |
| principal.ip | |
| principal.mac | |
| security_result.action | |
| target.user.userid |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| dhcp | NETWORK_DHCP |
| radiusd | USER_LOGIN |
| all | GENERIC_EVENT |
Log Sample¶
<134>Aug 5 21:16:03 hostname1 dhcpd: DHCPACK on 10.10.165.254 to a8:ab:bf:a5:5a:a2 (hostname2) via10.10.167.254
Sample Parsing¶
metadata.event_timestamp = "2022-08-05T12:16:03Z"
metadata.event_type = "NETWORK_DHCP"
metadata.vendor_name = "HCNET"
metadata.product_name = "Account Adapter Plus"
principal.hostname = "hostname2"
principal.ip = "10.10.165.254"
principal.mac = "a8:ab:bf:a5:5a:a2 "
principal.application = "dhcpd"
principal.asset.hostname = "hostname2"
principal.asset.ip = "10.10.165.254"
principal.asset.mac = "a8:ab:bf:a5:5a:a2 "
observer.hostname = "hostname1"
network.application_protocol = "DHCP"
network.dhcp.yiaddr = "10.10.165.254"
network.dhcp.giaddr = "10.10.167.254"
network.dhcp.chaddr = "a8:ab:bf:a5:5a:a2 "
network.dhcp.type = "ACK"
network.dhcp.client_hostname = "hostname2"
network.direction = "OUTBOUND"
Parser Alerting¶
No alerting is built into this parser.
Rules¶
Coming Soon