4 Replies Latest reply on Feb 8, 2016 11:16 AM by cbayless

    Match SIEM events by computer name

    guillote

      I would like to get all events from a given computer name in an AD environment where DHCP changes host IPs.

       

      - How should I match a host name to its IP on each event logged? (the hostname is not part of most data sources' logs)

      - How should I match all historical events to a given hostname?

       

      Looking forward to hearing from you.

       

      Thanks in advance.

        • 1. Re: Match SIEM events by computer name
          cbayless

          Do you have an event being logged on the windows side recording this info you are requesting?

          • 2. Re: Match SIEM events by computer name
            guillote

            Yes, a file on the DHCP Servers records this info.

             

            This is a sample of the file:

            30,10/30/15,17:50:20,DNS Update Request,10.2.7.10,SRD3V103.Domain.com,,,0,6,,,,,,,,,0

            11,10/30/15,17:50:20,Renew,10.2.7.10,SRD3V103.Domain.com,5CF9DDEB68FE,,409388030 5,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0

            32,10/30/15,17:50:20,DNS Update Successful,10.2.7.10,SRD3V103.Domain.com,,,0,6,,,,,,,,,0

            30,10/30/15,17:50:47,DNS Update Request,10.2.7.6,SRPC0002.Domain.com,,,0,6,,,,,,,,,0

            11,10/30/15,17:50:47,Renew,10.2.7.6,SRPC0002.Domain.com,5CF9DDEDE0EC,,4209042516 ,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0

            32,10/30/15,17:50:48,DNS Update Successful,10.2.7.6,SRPC0002.Domain.com,,,0,6,,,,,,,,,0

            30,10/30/15,17:53:41,DNS Update Request,10.2.7.5,SR1MR48S1.Domain.com,,,0,6,,,,,,,,,0

            11,10/30/15,17:53:41,Renew,10.2.7.5,SR1MR48S1.Domain.com,782BCBC1CB27,,712625876 ,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0

            32,10/30/15,17:53:41,DNS Update Successful,10.2.7.5,SR1MR48S1.Domain.com,,,0,6,,,,,,,,,0

            30,10/30/15,17:53:48,DNS Update Request,10.2.7.10,SRD3V103.Domain.com,,,0,6,,,,,,,,,0

            11,10/30/15,17:53:48,Renew,10.2.7.10,SRD3V103.Domain.com,5CF9DDEB68FE,,191348908 8,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0

            32,10/30/15,17:53:48,DNS Update Successful,10.2.7.10,SRD3V103.Domain.com,,,0,6,,,,,,,,,0

            30,10/30/15,17:55:24,DNS Update Request,10.2.7.6,SRPC0002.Domain.com,,,0,6,,,,,,,,,0

            11,10/30/15,17:55:24,Renew,10.2.7.6,SRPC0002.Domain.com,5CF9DDEDE0EC,,3766396532 ,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0

            32,10/30/15,17:55:24,DNS Update Successful,10.2.7.6,SRPC0002.Domain.com,,,0,6,,,,,,,,,0

            30,10/30/15,17:56:24,DNS Update Request,10.2.7.14,SRPC0004.Domain.com,,,0,6,,,,,,,,,0

            11,10/30/15,17:56:24,Renew,10.2.7.14,SRPC0004.Domain.com,782BCBC20103,,674437840 ,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0

            32,10/30/15,17:56:24,DNS Update Successful,10.2.7.14,SRPC0004.Domain.com,,,0,6,,,,,,,,,0

            30,10/30/15,18:01:36,DNS Update Request,10.2.7.4,SR20HJ8S1.Domain.com,,,0,6,,,,,,,,,0

            11,10/30/15,18:01:36,Renew,10.2.7.4,SR20HJ8S1.Domain.com,782BCBC200FA,,173025528 6,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0

            32,10/30/15,18:01:36,DNS Update Successful,10.2.7.4,SR20HJ8S1.Domain.com,,,0,6,,,,,,,,,0
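            One way to do the correlation the question asks for, as an added example and not code from the thread or from the McAfee SIEM: parse the DHCP audit log (ID 10 = Assign, ID 11 = Renew rows carry the IP-to-host binding), keep a time-sorted lease history per IP, and resolve each IP-only SIEM event to the host that held the address at the event's timestamp. The log rows and events below are constructed in the format quoted above; the `WS-LAPTOP7` row is invented to show an address moving to another machine.

```python
import csv
from bisect import bisect_right
from datetime import datetime
from io import StringIO

# Constructed sample in the Microsoft DHCP audit-log CSV layout quoted above:
# ID,Date,Time,Description,IP,Host Name,MAC,... ; ID 10 = Assign, 11 = Renew.
# The last row is invented so that 10.2.7.10 changes hands during the window.
DHCP_LOG = """\
30,10/30/15,17:50:20,DNS Update Request,10.2.7.10,SRD3V103.Domain.com,,,0,6,,,,,,,,,0
11,10/30/15,17:50:20,Renew,10.2.7.10,SRD3V103.Domain.com,5CF9DDEB68FE,,4093880305,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0
11,10/30/15,17:50:47,Renew,10.2.7.6,SRPC0002.Domain.com,5CF9DDEDE0EC,,4209042516,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0
10,10/30/15,18:10:00,Assign,10.2.7.10,WS-LAPTOP7.Domain.com,001122334455,,1,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0
"""
LEASE_IDS = {"10", "11"}  # only Assign/Renew rows establish an IP -> host binding

def parse_ts(date_s, time_s):
    """DHCP audit logs write dates as mm/dd/yy and times as HH:MM:SS."""
    return datetime.strptime(f"{date_s} {time_s}", "%m/%d/%y %H:%M:%S")

def build_lease_table(log_text):
    """Map each IP to parallel, time-sorted lists: (timestamps, hostnames)."""
    by_ip = {}
    for row in csv.reader(StringIO(log_text)):
        if len(row) < 6 or row[0] not in LEASE_IDS:
            continue  # skips header/comment lines and non-lease event IDs
        by_ip.setdefault(row[4], []).append((parse_ts(row[1], row[2]), row[5]))
    table = {}
    for ip, entries in by_ip.items():
        entries.sort()
        table[ip] = ([t for t, _ in entries], [h for _, h in entries])
    return table

def resolve_host(table, ip, event_ts):
    """Host that held `ip` at `event_ts`: the latest Assign/Renew at or before it.
    Returns None when no lease record precedes the event (cannot attribute)."""
    if ip not in table:
        return None
    times, hosts = table[ip]
    i = bisect_right(times, event_ts)
    return hosts[i - 1] if i else None

def enrich_events(table, events):
    """Add a 'host' field to each {ts, ip} event dict; None marks unattributable."""
    return [dict(e, host=resolve_host(table, e["ip"], e["ts"])) for e in events]

if __name__ == "__main__":
    table = build_lease_table(DHCP_LOG)
    # Constructed SIEM events that carry only a source IP, as the question describes.
    events = [{"ts": parse_ts("10/30/15", "18:00:00"), "ip": "10.2.7.10"},
              {"ts": parse_ts("10/30/15", "18:30:00"), "ip": "10.2.7.10"},
              {"ts": parse_ts("10/30/15", "17:00:00"), "ip": "10.2.7.6"}]
    for e in enrich_events(table, events):
        print(e["ts"], e["ip"], "->", e["host"])
```

            The lookup is only as complete as the lease history you have loaded, so events earlier than the first lease record for an address come back as None rather than being guessed. Note also that the Host Name column is what the client reported; the MAC column is the more reliable key when a name looks wrong.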

            • 3. Re: Match SIEM events by computer name
              btkarp

              I would assume you would need to put the McAfee Agent Collector on each DHCP host in order to keep logs separated by hostname... Do you have ePO implemented? You can easily push the Agent to each server this way.

              • 4. Re: Match SIEM events by computer name
                cbayless

                Did you get this resolved?