DHCP Troubleshooting

In a working setup, the following sequence occurs between your DHCP server, its assets, and SIEM (InsightIDR):

  • An IP assignment (lease) log line arrives at the Collector
  • The Collector makes a reverse DNS lookup on the newly assigned IP address to find out which computer now holds it
  • The Collector sends the new IP address and the machine name to the backend servers
  • Events per minute (EPM) appear for that event source

However, you may experience difficulties between your DHCP and SIEM (InsightIDR), depending on the setup of your environment.

When assigning a dynamic IP address, some DHCP servers do not include the machine name in their audit logs. The Collector then has only an IP address to work with and must resolve the machine name itself, which makes it harder to determine which machine was just assigned the address.

Use one of the following solutions to resolve your issues:

SIEM (InsightIDR) Unable to Produce EPM

If your DHCP server does not produce logs that identify the machine, and the Collector cannot resolve the machine name itself, SIEM (InsightIDR) is unable to generate events per minute for that event source.

Work through the following checks in order to confirm whether the problem lies with SIEM (InsightIDR) or elsewhere in your environment:

  1. Replace the DHCP event source with a generic syslog event source to confirm that the Collector is receiving logs at all. If generic syslog does not produce EPM either, check your network path and the appliance sending the logs for errors.
  2. From the Collector, make reverse DNS lookups against the IP address range that the DHCP server assigns. If the Collector cannot resolve machine names for that range, it cannot generate EPM for the DHCP event source.
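The two checks above can be scripted from the Collector host. The following is an added example, not Rapid7 code: it reproduces the lookup step described in the working setup (a lease arrives with an IP address, the Collector reverse-resolves it), sweeps a whole DHCP scope to list the addresses that have no PTR record, and builds a test syslog line you can send to a generic syslog event source. The scope 10.20.30.0/28, the Collector address and port, and the sample hostnames are assumptions to replace with your own values.

```python
"""Reverse-DNS sweep of a DHCP scope plus a generic-syslog test message.

Added example (not InsightIDR code). Run it on the Collector host so the
lookups use the same resolver the Collector uses.
"""
import ipaddress
import socket
import time
from typing import Callable, Dict, List, Optional, Tuple

# A resolver maps an IP address string to a hostname, or None when there is
# no reverse record. Injecting one lets the sweep run offline in tests.
Resolver = Callable[[str], Optional[str]]


def ptr_lookup(ip: str) -> Optional[str]:
    """Reverse-resolve one address with the host's configured DNS resolver.

    gethostbyaddr() has no timeout argument; it honours the OS resolver's
    timeout. None means "no PTR record", which is the case the Collector
    cannot attribute to a machine.
    """
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def check_scope(cidr: str, resolver: Resolver = ptr_lookup) -> Dict[str, Optional[str]]:
    """Map every host address in a DHCP scope to its PTR name (or None)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {str(ip): resolver(str(ip)) for ip in net.hosts()}


def unresolved(results: Dict[str, Optional[str]]) -> List[str]:
    """Addresses whose leases would arrive without a machine name."""
    return [ip for ip, name in results.items() if name is None]


def attribute_lease(ip: str, hostname_from_log: str,
                    resolver: Resolver = ptr_lookup) -> Tuple[str, str]:
    """Attribute a lease the way the page describes: log name first, PTR fallback.

    Returns (hostname or "", source) where source is "log", "dns" or "none".
    """
    name = hostname_from_log.strip()
    if name:
        return name, "log"
    name = resolver(ip)
    if name:
        return name, "dns"
    return "", "none"


def build_syslog_message(hostname: str, tag: str, text: str, facility: int = 16,
                         severity: int = 6, when: Optional[time.struct_time] = None) -> bytes:
    """RFC 3164-style line; default PRI <134> is local0.info.

    The day is space-padded to two characters as RFC 3164 requires, so the
    timestamp is always 15 bytes.
    """
    when = when or time.localtime()
    pri = facility * 8 + severity
    stamp = f"{time.strftime('%b', when)} {when.tm_mday:2d} {time.strftime('%H:%M:%S', when)}"
    return f"<{pri}>{stamp} {hostname} {tag}: {text}".encode()


def send_test_syslog(collector: str, port: int, message: bytes) -> int:
    """Send one UDP datagram to the generic syslog event source; returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message, (collector, port))


if __name__ == "__main__":
    # Assumed scope and Collector endpoint; replace with your own.
    results = check_scope("10.20.30.0/28")
    missing = unresolved(results)
    for ip in missing:
        print("no PTR record:", ip)
    print(f"{len(results) - len(missing)}/{len(results)} addresses resolved")
    msg = build_syslog_message("dhcp01", "dhcptest", "InsightIDR generic syslog check")
    print("syslog test line:", msg.decode())
    # Uncomment once the generic syslog event source is listening:
    # send_test_syslog("collector.example.internal", 514, msg)
```

If the sweep reports unresolved addresses, add PTR records for the scope (or enable dynamic DNS updates on the DHCP server) before looking further at SIEM (InsightIDR). If the test syslog line does not produce EPM on the generic syslog event source, the problem is on the network path or the sending appliance, not in the DHCP parsing.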

Tombstone Errors

A tombstone error indicates that a DHCP or VPN event source is in an error state or is not receiving data, or that the event source’s Collector is not communicating with the Insight platform. As a result, activity from the affected IP addresses is not attributed to users.

Because tombstone errors are specific to individual event sources, examine the details of the error to find out which event source is malfunctioning.

⚠️

Tombstone errors prevent SIEM (InsightIDR) from attributing activity to your users.

Activity from firewall logs, DNS queries, and other sources for any IP address in the range covered by the affected event source will no longer be attributed to your users and assets.

Statically-Assigned IP Addresses

The DHCP and VPN event sources are used to determine which host is using the IP addresses that appear in log data. You must add one DHCP event source for each DHCP server or device in your organization.

If you cannot add some or all of your DHCP event sources to SIEM (InsightIDR), whether because you do not use DHCP or for other reasons, SIEM (InsightIDR) can still perform IP-to-host attribution if you use either or both of the following options:

Option 1: Use Other Sources for IP to Host Attribution

  1. Install the Insight Agent on all workstations, servers, and laptops in the organization.
  2. Make sure the Insight Agents can reach a Collector to proxy their data to the Rapid7 platform. Each Agent must be able to find at least one Insight Collector when it performs its network probes.
  3. Navigate to Settings > Static IP Ranges and add every network segment that contains endpoints.

To learn more about how Insight Agents and Collectors communicate, read the Vulnerability Management (InsightVM) documentation.

Option 2: Use Network Sensors

Insight Network Sensors can be used to collect DHCP lease network traffic. Refer to the Network Sensor documentation to learn more.

Non-Windows Machines

For SIEM (InsightIDR) to discover non-Windows assets, specify the static IP addresses or ranges for it to scan. SIEM (InsightIDR) uses reverse DNS to discover the host names for these IP addresses so that it can attribute traffic to the asset, so each address in the range needs a resolvable PTR record.