다음을 통해 공유


IPAM Audit logic

IPAM IP ADDRESS TRACKING

Goal:

For a given search criteria, (IP Address \ MAC Address \ Host Name \ User Name),  find as much as related activity as possible from IPAM-managed DHCP servers, NPS, and domain controllers.

The search results will be a combination of two things:

a)      All direct matches to the search criteria between the specified start time and end time.

b)      All the “related” logs based on the DHCP lease activity.

Finding “related” logs:

There are two steps to finding related data in the logs.

a)      For a given search criteria, (IP Address \ MAC Address \ User Name \ Host Name) – creating a set of “lease chunks.” The approach to creating lease chunks will vary depending on the search criteria.

b)      Getting the final correlated search results from the set of “lease chunks.” This approach is the same regardless of the search criteria.

End-to-end flow for “IP Address” search criteria:

Let’s say that the search criteria is: IP address = 3.3.3.1 and search interval = 1st January to 7th January.

a)      All the direct matches to 3.3.3.1 from 1st January to 7th January will be added to the final search results. This includes all the logs from DHCP, DC and NPS.

b)      Then, from the DHCP server each lease activity corresponding to 3.3.3.1 is evaluated. This information forms a lease chunk pairs.

1)      New lease – Release \ Delete lease.

2)      New lease – Renew lease.

3)      Renew lease – Release \ Delete lease.

Therefore, the following might be lease activity logs:

The following tuple denotes: [IP Address, Mac Address, Host Name, User Name, Log Type, Timestamp]

1)      (3.3.3.1, 00aaaabbbbcc, HostA, null, New Lease, 1st January)

2)      (3.3.3.1, 00aaaabbbbcc, HostA, null, Renew Lease, 2nd January)

3)      (3.3.3.1, 00aaaabbbbcc, HostA, null, Release Lease, 3rd January)

4)      (3.3.3.1, 00ccccccaaaa, HostB, null, New Lease, 4th January)

5)      (3.3.3.1, 00ccccccaaaa, HostB, null, Renew Lease, 5th January)

6)      (3.3.3.1, 00ccccccaaaa, HostB, null, Release Lease, 6th January)

Next, from this DHCP lease activity, the following lease chunk pairs are obtained”

(1,2) (2,3) (4,5) (5,6)

Then, for each chunk the correlated results are obtained.

Getting Correlated results from a lease chunk:

For example:

1)      (3.3.3.1, 00aaaabbbbcc, HostA, null, New Lease, 1st January)

2)      (3.3.3.1, 00aaaabbbbcc, HostA, null, Renew Lease, 2nd January)

The correlated search results thus include:

a)      All the logs from any source (DHCP \ NPS \ DC) that match the ANY OF IP Address = 3.3.3.1 OR MAC Address = 00aaaabbbbcc OR Host Name = HostA (between 1st January and 2nd January). Note: The logs that match HostName = HostA may have a different value for the corresponding IP Address like 3ffe::1 in dual-stack environments. Even though the search criteria is 3.3.3.1, this result is still displayed.

b)      Specifically to handle dual stack scenarios, special handling is as follows: Go back 14 days from 1st January, find all the unexpired IP addresses that are associated with HostA. Find activity for those IP addresses between 1st January and 2nd January. Typically there could be one such address in dual stack environments. Let’s say machine logon events are as follows:

(3ffe::1, null, HostA, null, Machine Logon, 25th December)    - obtained from the DC.

3ffe::1 is obtained as a related IP address as well, therefore its activity is queried between 1st January and 2nd January.

If a user logon event occurred like the following, then that will be included in the result.

(3ffe::1, null, null, UserA, User Logon, 1st January 5 PM) – obtained from the DC.

These same steps will be repeated for all lease chunks and the results will be combined and displayed.

End-To-End flow for Mac Address \ Host Name search criteria:

The steps will be similar to the IP address search criteria.

a)      All direct matches will be added to the final results.

b)      The “lease chunks” are obtained from DHCP activity logs by matching with MAC address or host name (specified as the search criteria).

c)       Correlated search results are obtained and displayed for lease chunks (the same procedure as used for IP address searches).

End-To-End flow for “User Name” search criteria:

This is the same, except for step b below. The procedure for getting lease chunks from a specified “User Name” criteria is different.

a)      All direct matches will be added to the final results.

b)      Obtain the DHCP lease chunks based on the specified User Name criteria (see the following procedure).

c)       From the lease chunks, obtain and display the correlated search results. This is the same procedure as used for IP address searches.

Procedure to obtain lease chunks based on the User Name criteria:

a)      Consider the following tuples:

1)      (3.3.3.1, 00aaaabbbbcc, HostA, null, DHCP New Lease, 1st January 3 pm)

2)      (3ffe::1, null, HostA, null, DC Machine Logon, 1st January 5 pm)

3)    (3ffe::1, null, null, UserA, DC User Logon, 1st January 6 pm)

4)    (3.3.3.1, 00aaaabbbbcc, HostA, null, DHCP Renew Lease, 1st January 8 pm)

 

If the search criteria is “UserA”, find the “DHCP Lease Chunk” such that the IP address associated with UserA has “machine logon” event as well within the same lease chunk, and the lease chunk has the “same host” as the machine logon event.

For example, using the previous tuples, the association will be:

a)      A user logon event for UserA occurs at 6 pm, with IP address: 3ffe::1.

b)      A machine logon event for HostA occurs at 5 pm with the same IP address: 3ffe::1.

c)       There is a lease chunk that includes HostA for these two periods (6 pm and 5 pm). So, this lease chunk will be added as a final lease chunk.

(3.3.3.1, 00aaaabbbbcc, HostA, null, DHCP New Lease, 1st January 3 pm)

(3.3.3.1, 00aaaabbbbcc, HostA, null, DHCP Renew Lease, 1st January 8 pm)

d)      Correlated results from the lease chunk (similar to earlier procedures) are displayed.