
Windows DHCP

About

Every device on a TCP/IP-based network must have a unique unicast IP address to access the network and its resources. Without DHCP, IP addresses for new computers or computers that are moved from one subnet to another must be configured manually; IP addresses for computers that are removed from the network must be manually reclaimed. With DHCP, this entire process is automated and managed centrally. The DHCP server maintains a pool of IP addresses and leases an address to any DHCP-enabled client when it starts up on the network. Because the IP addresses are dynamic (leased) rather than static (permanently assigned), addresses no longer in use are automatically returned to the pool for reallocation. (Windows DHCP)

Product Details

Vendor URL: Windows DHCP

Product Type: DHCP

Product Tier: Tier I

Integration Method: Syslog

Integration URL: Windows DHCP - Cyderes Documentation

Log Guide: NXLog Reference Page

Parser Details

Log Format: Syslog, KV, and JSON

Expected Normalization Rate: Near 100%

Data Label: WINDOWS_DHCP

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field -> UDM Field
Inactive (can be based on ID) -> event.idm.is_alert
loghost -> intermediary
Description -> metadata.description
Default GENERIC_EVENT; NETWORK_DHCP or SYSTEM_AUDIT_LOG_UNCATEGORIZED (see Product Event Types) -> metadata.event_type
SourceModuleType, ASCIIUserClass -> metadata.ingestion_labels
Event ID -> metadata.product_event_type
TransactionID -> metadata.product_log_id
Hard-coded "Windows DHCP" -> metadata.product_name
Hard-coded "Microsoft" -> metadata.vendor_name
Hard-coded DHCP -> network.application_protocol
formatted_mac -> network.dhcp.chaddr
IPAddress -> network.dhcp.ciaddr
HostName -> network.dhcp.client_hostname
Dhcid -> network.dhcp.client_identifier
TransactionID -> network.dhcp.transaction_id
ACK, RELEASE, WIN_DELETED, WIN_EXPIRED, NAK -> network.dhcp.type
IPAddress -> network.dhcp.yiaddr
OUTBOUND -> network.direction
Domain -> principal.administrative_domain
AccountType -> principal.group.group_display_name
ProviderGuid -> principal.group.product_object_id
IPAddress -> principal.ip
MACAddress -> principal.mac
ScopeName -> principal.namespace
Channel -> principal.process.file.full_path
ExecutionThreadID -> principal.process.pid
ClientID -> principal.user.product_object_id
UserName or AccountName -> principal.user.userid
UserID -> principal.user.windows_sid
ID, EventID, EventType, Opcode -> security_result
PartnerServer -> target.ip

Product Event Types

Condition -> metadata.event_type
Default -> GENERIC_EVENT
ID is one of 10, 11, 12, 13, 14, 15, 16, 17, 18, 20, 21, 22, 23 -> NETWORK_DHCP
Any of HostName, IPAddress, MACAddress or UserName is not provided -> SYSTEM_AUDIT_LOG_UNCATEGORIZED

NETWORK_DHCP Log Sample

<13>1 2021-12-10T07:53:19.026537-06:00 servername01 - - - [NXLOG@123456 EventReceivedTime="2021-12-10 07:53:19" SourceModuleName="dhcp" SourceModuleType="im_file"] 10,12/10/21,07:53:18,Assign,10.10.10.10,name.domain.com,112233445566,,123456789,0,,,,,,,,,0  

NETWORK_DHCP Sample Parsing

metadata.event_timestamp.seconds= 1639122798
metadata.product_log_id= "123456789"
metadata.event_type= NETWORK_DHCP
metadata.vendor_name= "Microsoft"
metadata.product_name= "Windows DHCP"
metadata.product_event_type= "EventID= 10"
metadata.description= "Assign"
principal.ip= "10.10.10.10"
principal.mac= "11:22:33:44:55:66"
intermediary.hostname= "servername01"
security_result.rule_name= "EventID= 10"
security_result.action= ALLOW
network.direction= OUTBOUND
network.application_protocol= DHCP
network.dhcp.transaction_id= 123456789
network.dhcp.yiaddr= "10.10.10.10"
network.dhcp.chaddr= "11:22:33:44:55:66"
network.dhcp.type= ACK
network.dhcp.client_hostname= "name.domain.com"

Windows Eventlog Log Sample

<11>1 2021-12-10T08:08:23.572248+00:00 host.domain.local Microsoft-Windows-DHCP-Server 3684 - [NXLOG@14506 Keywords="1234567890" EventType="ERROR" EventID="20287" ProviderGuid="{95c8fda2-59f5-11ec-bf63-0242ac130002}" Version="0" TaskValue="0" OpcodeValue="0" RecordNumber="1242711" ExecutionThreadID="1122" Channel="DhcpAdminEvents" Domain="NT AUTHORITY" AccountName="NETWORK SERVICE" UserID="S-1-2-33" AccountType="Defined Group" Opcode="Info" ClientID="00A0B1C23D45" ScopeName="SCOPE_NAME_HERE" EventReceivedTime="2021-12-10 08:08:25" SourceModuleName="dhcp_server_eventlog" SourceModuleType="im_msvistalog"] DHCP client request from 00A0B1C23D45 was dropped since the applicable IP address ranges in scope/superscope SCOPE_NAME_HERE are out of available IP addresses. This could be because of IP address ranges of a policy being out of available IP addresses.  

Windows Eventlog Sample Parsing

metadata.event_timestamp.seconds= 1639123705
metadata.event_type= GENERIC_EVENT
metadata.vendor_name= "Microsoft"
metadata.product_name= "Windows DHCP"
metadata.product_event_type= "EventID= 20287"
metadata.description= "DHCP client request from 00A0B1C23D45 was dropped since the applicable IP address ranges in scope/superscope SCOPE_NAME_HERE are out of available IP addresses. This could be because of IP address ranges of a policy being out of available IP addresses."
metadata.ingestion_labels.key= "SourceModuleType"
metadata.ingestion_labels.value= "im_msvistalog"
metadata.ingestion_labels.key= "SourceModuleName"
metadata.ingestion_labels.value= "dhcp_server_eventlog"
principal.user.product_object_id= "00A0B1C23D45"
principal.user.userid= "NETWORK SERVICE"
principal.user.windows_sid= "S-1-2-33"
principal.group.product_object_id= "{95c8fda2-59f5-11ec-bf63-0242ac130002}"
principal.group.group_display_name= "Defined Group"
principal.process.pid= "1122"
principal.process.file.full_path= "DhcpAdminEvents"
principal.administrative_domain= "NT AUTHORITY"
principal.namespace= "SCOPE_NAME_HERE"
intermediary.hostname= "host.domain.local"
security_result.rule_name= "EventID= 20287"
security_result.summary= "EventType= ERROR | Opcode= Info"
security_result.action= UNKNOWN_ACTION
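The two samples above (the audit-log row delivered by NXLog im_file and the Windows event log record delivered by im_msvistalog) parsed end to end into the UDM fields the page lists, as an added example; this is not the Cyderes parser's own code. Assumptions: the input lines are constructed copies of the page's samples with placeholder hosts, GUID, SID and MACs; each line carries exactly one NXLog structured-data element after an RFC 5424 header; the naive timestamps in both sources are read as UTC, which reproduces the event_timestamp values shown above; the (source field, UDM field) pairs are copied from the page's table, but the audit-ID-to-network.dhcp.type and audit-ID-to-security_result.action maps beyond ID 10 are my guesses based on the Windows audit-log ID meanings; and because the page's NETWORK_DHCP sample has an empty UserName yet is still NETWORK_DHCP, the SYSTEM_AUDIT_LOG_UNCATEGORIZED fallback is applied only when all four identity fields are empty. Function and constant names are mine.

```python
import re
from datetime import datetime, timezone

# Constructed input shaped like the two page samples (hosts, GUID, SID and MACs are placeholders).
AUDIT_LINE = (
    '<13>1 2021-12-10T07:53:19.026537-06:00 servername01 - - - [NXLOG@123456 '
    'EventReceivedTime="2021-12-10 07:53:19" SourceModuleName="dhcp" SourceModuleType="im_file"] '
    '10,12/10/21,07:53:18,Assign,10.10.10.10,name.domain.com,112233445566,,123456789,0,,,,,,,,,0')
EVENTLOG_LINE = (
    '<11>1 2021-12-10T08:08:23.572248+00:00 host.domain.local Microsoft-Windows-DHCP-Server 3684 - '
    '[NXLOG@14506 EventType="ERROR" EventID="20287" ProviderGuid="{95c8fda2-59f5-11ec-bf63-0242ac130002}" '
    'Channel="DhcpAdminEvents" Domain="NT AUTHORITY" AccountName="NETWORK SERVICE" UserID="S-1-2-33" '
    'Opcode="Info" ClientID="00A0B1C23D45" ScopeName="SCOPE_NAME_HERE" EventReceivedTime="2021-12-10 08:08:25" '
    'SourceModuleName="dhcp_server_eventlog" SourceModuleType="im_msvistalog"] DHCP client request from '
    '00A0B1C23D45 was dropped since scope/superscope SCOPE_NAME_HERE is out of available IP addresses.')

# RFC 5424 header, a single NXLog structured-data element, then the free-form message.
SYSLOG_RE = re.compile(r'^<\d+>1 \S+ (?P<host>\S+) \S+ \S+ \S+ \[[^\s\]]+'
                       r'(?P<sd>(?:\s+\w+="(?:[^"\\]|\\.)*")*)\]\s?(?P<msg>.*)$', re.S)
SD_PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
AUDIT_COLUMNS = ["ID", "Date", "Time", "Description", "IPAddress", "HostName", "MACAddress", "UserName",
                 "TransactionID", "QResult", "ProbationTime", "CorrelationID", "Dhcid", "VendorClassHex",
                 "VendorClassASCII", "UserClassHex", "ASCIIUserClass", "RelayAgentInformation",
                 "DnsRegError"]  # column order of the Windows DHCP server audit log (DhcpSrvLog-*.log header)
DHCP_AUDIT_IDS = {10, 11, 12, 13, 14, 15, 16, 17, 18, 20, 21, 22, 23}  # the page's NETWORK_DHCP IDs
# Assumed audit-ID -> network.dhcp.type / security_result.action maps; the page only shows 10 -> ACK, ALLOW.
DHCP_TYPE_BY_ID = {10: "ACK", 11: "ACK", 20: "ACK", 21: "ACK", 12: "RELEASE", 15: "NAK",
                   16: "WIN_DELETED", 17: "WIN_EXPIRED", 18: "WIN_EXPIRED"}
ACTION_BY_ID = {10: "ALLOW", 11: "ALLOW", 15: "BLOCK"}
AUDIT_FIELDS = [("IPAddress", "principal.ip"), ("IPAddress", "network.dhcp.yiaddr"), ("UserName", "principal.user.userid"),
                ("HostName", "network.dhcp.client_hostname"), ("Dhcid", "network.dhcp.client_identifier")]
EVENTLOG_FIELDS = [("ClientID", "principal.user.product_object_id"), ("AccountName", "principal.user.userid"),
                   ("UserID", "principal.user.windows_sid"), ("ProviderGuid", "principal.group.product_object_id"),
                   ("Channel", "principal.process.file.full_path"), ("Domain", "principal.administrative_domain"),
                   ("ScopeName", "principal.namespace")]

def format_mac(raw):
    # '112233445566' -> '11:22:33:44:55:66' (the parser's formatted_mac); None unless 12 hex digits remain
    digits = re.sub(r'[^0-9A-Fa-f]', '', raw or '')
    return ':'.join(digits[i:i + 2] for i in range(0, 12, 2)) if len(digits) == 12 else None

def epoch_utc(text, fmt):
    # both sources carry naive timestamps; the page's sample output treats them as UTC (assumption)
    return int(datetime.strptime(text, fmt).replace(tzinfo=timezone.utc).timestamp())

def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 line with NXLog structured data")
    return m.group('host'), dict(SD_PARAM_RE.findall(m.group('sd'))), m.group('msg')

def common(host, params, event_id, description):
    # fields the page hard-codes or derives the same way for both formats; event_type defaults to GENERIC_EVENT
    return {"metadata.vendor_name": "Microsoft", "metadata.product_name": "Windows DHCP",
            "metadata.event_type": "GENERIC_EVENT", "metadata.description": description,
            "metadata.product_event_type": f"EventID= {event_id}", "intermediary.hostname": host,
            "metadata.ingestion_labels": {"SourceModuleType": params.get("SourceModuleType")},
            "security_result.rule_name": f"EventID= {event_id}",
            "security_result.action": ACTION_BY_ID.get(event_id, "UNKNOWN_ACTION")}

def parse_audit(host, params, msg):
    # audit-log row (im_file) -> UDM-style dict, following the page's NETWORK_DHCP sample
    f = dict(zip(AUDIT_COLUMNS, msg.split(',') + [''] * len(AUDIT_COLUMNS)))  # pad short rows
    event_id = int(f["ID"])
    udm = common(host, params, event_id, f["Description"])
    udm["metadata.event_timestamp.seconds"] = epoch_utc(f"{f['Date']} {f['Time']}", "%m/%d/%y %H:%M:%S")
    udm["metadata.product_log_id"] = f["TransactionID"]
    udm["network.direction"], udm["network.application_protocol"] = "OUTBOUND", "DHCP"
    if event_id in DHCP_AUDIT_IDS:
        # assumed: the sample keeps NETWORK_DHCP with an empty UserName, so fall back only when all four are empty
        identified = any(f[k] for k in ("HostName", "IPAddress", "MACAddress", "UserName"))
        udm["metadata.event_type"] = "NETWORK_DHCP" if identified else "SYSTEM_AUDIT_LOG_UNCATEGORIZED"
    udm.update({field: f[key] for key, field in AUDIT_FIELDS if f[key]})
    mac = format_mac(f["MACAddress"])
    if mac:
        udm["principal.mac"] = udm["network.dhcp.chaddr"] = mac
    if f["TransactionID"]:
        udm["network.dhcp.transaction_id"] = int(f["TransactionID"])
    if event_id in DHCP_TYPE_BY_ID:
        udm["network.dhcp.type"] = DHCP_TYPE_BY_ID[event_id]
    return udm

def parse_eventlog(host, params, msg):
    # Windows event log record (im_msvistalog) -> UDM-style dict, following the page's second sample
    g = params.get
    udm = common(host, params, g("EventID"), msg)
    udm["metadata.event_timestamp.seconds"] = epoch_utc(g("EventReceivedTime"), "%Y-%m-%d %H:%M:%S")
    udm["metadata.ingestion_labels"]["SourceModuleName"] = g("SourceModuleName")
    udm["security_result.summary"] = f"EventType= {g('EventType')} | Opcode= {g('Opcode')}"
    udm.update({field: g(key) for key, field in EVENTLOG_FIELDS if g(key)})
    return udm

def to_udm(line):
    host, params, msg = parse_syslog(line)
    module = params.get("SourceModuleType")  # NXLog's input module is what tells the two formats apart
    if module == "im_file":
        return parse_audit(host, params, msg)
    if module == "im_msvistalog":
        return parse_eventlog(host, params, msg)
    raise ValueError(f"unknown NXLog SourceModuleType: {module!r}")
```

Calling to_udm(AUDIT_LINE) and to_udm(EVENTLOG_LINE) reproduces the two sample parsings above field for field (with the MAC rendered as 11:22:33:44:55:66). Routing on SourceModuleType rather than on message shape matters in practice: an audit row that is missing columns still parses because the row is padded, and a short row such as an audit ID 14 "out of addresses" line with no host, IP, MAC or user lands in SYSTEM_AUDIT_LOG_UNCATEGORIZED instead of being dropped, which is the case worth checking when an address pool is being drained.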

Parser Alerting

This product currently does not have any Parser-based Alerting

Rules

Coming Soon