    Match SIEM events by computer name


      I would like to get all events from a given computer name in an AD environment where DHCP changes host IPs.


      - How should I match a host name to its IP on each event logged? (the hostname is not part of most data sources' logs)

      - How should I match all historical events to a given hostname?


        • 1. Re: Match SIEM events by computer name

          Do you have an event being logged on the windows side recording this info you are requesting?

          • 2. Re: Match SIEM events by computer name

            Yes, a file on the DHCP Servers records this info.


            This is a sample of the file:

            30,10/30/15,17:50:20,DNS Update Request,,SRD3V103.Domain.com,,,0,6,,,,,,,,,0

            11,10/30/15,17:50:20,Renew,,SRD3V103.Domain.com,5CF9DDEB68FE,,409388030 5,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0

            32,10/30/15,17:50:20,DNS Update Successful,,SRD3V103.Domain.com,,,0,6,,,,,,,,,0

            30,10/30/15,17:50:47,DNS Update Request,,SRPC0002.Domain.com,,,0,6,,,,,,,,,0

            11,10/30/15,17:50:47,Renew,,SRPC0002.Domain.com,5CF9DDEDE0EC,,4209042516 ,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0

            32,10/30/15,17:50:48,DNS Update Successful,,SRPC0002.Domain.com,,,0,6,,,,,,,,,0

            30,10/30/15,17:53:41,DNS Update Request,,SR1MR48S1.Domain.com,,,0,6,,,,,,,,,0

            11,10/30/15,17:53:41,Renew,,SR1MR48S1.Domain.com,782BCBC1CB27,,712625876 ,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0

            32,10/30/15,17:53:41,DNS Update Successful,,SR1MR48S1.Domain.com,,,0,6,,,,,,,,,0

            30,10/30/15,17:53:48,DNS Update Request,,SRD3V103.Domain.com,,,0,6,,,,,,,,,0

            11,10/30/15,17:53:48,Renew,,SRD3V103.Domain.com,5CF9DDEB68FE,,191348908 8,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0

            32,10/30/15,17:53:48,DNS Update Successful,,SRD3V103.Domain.com,,,0,6,,,,,,,,,0

            30,10/30/15,17:55:24,DNS Update Request,,SRPC0002.Domain.com,,,0,6,,,,,,,,,0

            11,10/30/15,17:55:24,Renew,,SRPC0002.Domain.com,5CF9DDEDE0EC,,3766396532 ,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0

            32,10/30/15,17:55:24,DNS Update Successful,,SRPC0002.Domain.com,,,0,6,,,,,,,,,0

            30,10/30/15,17:56:24,DNS Update Request,,SRPC0004.Domain.com,,,0,6,,,,,,,,,0

            11,10/30/15,17:56:24,Renew,,SRPC0004.Domain.com,782BCBC20103,,674437840 ,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0

            32,10/30/15,17:56:24,DNS Update Successful,,SRPC0004.Domain.com,,,0,6,,,,,,,,,0

            30,10/30/15,18:01:36,DNS Update Request,,SR20HJ8S1.Domain.com,,,0,6,,,,,,,,,0

            11,10/30/15,18:01:36,Renew,,SR20HJ8S1.Domain.com,782BCBC200FA,,173025528 6,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0

            32,10/30/15,18:01:36,DNS Update Successful,,SR20HJ8S1.Domain.com,,,0,6,,,,,,,,,0

            • 3. Re: Match SIEM events by computer name

              I would assume you would need to put the McAfee Agent Collector on each DHCP host in order to keep logs separated by hostname... Do you have ePO implemented? You can easily push the Agent to each server this way.

              • 4. Re: Match SIEM events by computer name

