Microsoft DHCP Integration Guide
This guide provides instructions for configuring Microsoft Dynamic Host Configuration Protocol (DHCP) logging so that the logs can be transmitted for security monitoring by other agents. Supported agents can be found at Connect Microsoft Windows Event Log.
The Secureworks® Taegis™ XDR On-Premises Data Collector accepts DHCP logs in a comma-delimited format.
Connectivity Requirements
Source | Destination | Port/Protocol |
---|---|---|
Windows Server | Taegis™ XDR Collector (mgmt IP) | UDP/514 |
Data Provided from Integration
Auth | DHCP | DNS | File | HTTP | Management | Netflow | NIDS | Process | Thirdparty | |
---|---|---|---|---|---|---|---|---|---|---|
Microsoft DHCP | Y |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Logging Configuration Instructions
Windows servers must be configured to send DHCP logs via syslog to the XDR Collector.
Please refer to the vendor’s site for configuration guidance.
Important
The data source must be configured to report timestamps as UTC to ensure that XDR reports the correct time zone.
Note
NXLog CE does not support converting the timestamp to UTC. If that is required, a different product such as NXLog Enterprise Edition is needed.
An example of logging instructions:
Note
If using the NXLog Template for DHCP logging, ensure the DHCP Logs File path listed in the template matches the Audit log file path configuration setting on the server.
Sample Logs
January 1 2021 01:01:01 10.10.10.10 DHCPLog: 10,01/01/01,01:01:01,Assign,192.0.2.10,sampleHost1,000000000000,,17739,0,,,
January 1 2021 01:01:01 10.10.10.10 DHCPLog: 10,01/01/01,01:01:01,Assign,192.0.2.20,sampleHost2, 000000000000,,3096562285,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0
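The following added example (not part of the original guide and not Secureworks or NXLog code) parses forwarded events in the layout shown in the sample logs, so a forwarder's output can be checked before it is pointed at the collector. The column names are an assumption taken from the header line of Microsoft DHCP audit log files, and the function and variable names are hypothetical.

```python
import re

# Column names assumed from the header line of Microsoft DHCP audit log
# files; they are not listed in this guide.
FIELDS = [
    "id", "date", "time", "description", "ip_address", "host_name",
    "mac_address", "user_name", "transaction_id", "q_result",
    "probation_time", "correlation_id", "dhcid", "vendor_class_hex",
    "vendor_class_ascii", "user_class_hex", "user_class_ascii",
    "relay_agent_information", "dns_reg_error",
]
# Prefix as it appears in the sample logs: timestamp, sender IP, "DHCPLog:" tag.
PREFIX = re.compile(r"^(?P<received>\w+ \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
                    r"(?P<sender>\d{1,3}(?:\.\d{1,3}){3}) DHCPLog: (?P<csv>.*)$")

def parse_dhcp_syslog(line):
    """Return a dict of DHCP fields; raise ValueError on a malformed event."""
    m = PREFIX.match(line.strip())
    if not m:
        raise ValueError("missing syslog prefix or DHCPLog tag")
    values = [v.strip() for v in m.group("csv").split(",")]
    # Both layouts in the samples are accepted: 13 columns (through dhcid) and 19.
    if len(values) not in (13, len(FIELDS)):
        raise ValueError(f"unexpected column count: {len(values)}")
    event = dict(zip(FIELDS, values))
    event["received"], event["sender"] = m.group("received"), m.group("sender")
    if not event["id"].isdigit():
        raise ValueError("event ID is not numeric")
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{12})?", event["mac_address"]):
        raise ValueError("MAC address is not 12 hex digits")
    # When the vendor class columns are present, the hex and ASCII forms must agree.
    hex_vc = event.get("vendor_class_hex", "")
    if hex_vc:
        digits = hex_vc[2:] if hex_vc.lower().startswith("0x") else hex_vc
        if bytes.fromhex(digits).decode("ascii", "replace") != event["vendor_class_ascii"]:
            raise ValueError("vendor class hex and ASCII columns disagree")
    return event

# The two lines from the Sample Logs section of this guide.
SAMPLES = [
    "January 1 2021 01:01:01 10.10.10.10 DHCPLog: 10,01/01/01,01:01:01,Assign,"
    "192.0.2.10,sampleHost1,000000000000,,17739,0,,,",
    "January 1 2021 01:01:01 10.10.10.10 DHCPLog: 10,01/01/01,01:01:01,Assign,"
    "192.0.2.20,sampleHost2, 000000000000,,3096562285,0,,,,0x4D53465420352E30,"
    "MSFT 5.0,,,,0",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_dhcp_syslog(sample))
```

A line that raises `ValueError` here usually means the forwarder is sending a different file or has altered the record, which is worth resolving before relying on the normalized data.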