DHCP Schema
Note
Schema docs show the fields available for normalization. For a schema field to be populated in XDR, the parser field it is defined from must exist in the original data. Normalized data appears in the Normalized Data tab of events and is searchable in XDR only if the corresponding field exists in the original data. The Schema Library in Advanced Search shows only searchable fields.
| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| resource_id | string | resourceId$ | Full resource string identifying the record |
| tenant_id | string | tenantId$ | The ID of the tenant that owns this record; this is specific to the CTPX ID |
| sensor_type | string | sensorType$ | Type of device that generated this event. Ex: redcloak |
| sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | sensorTenant$ | A customer ID supplied by the application that originated the data. Ex: redcloak-domain, ctp-client-id |
| sensor_id | string | sensorId$ | An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Example: cpe:2.3:a:secureworks:redcloak:*:*:*:*:*:*:* |
| original_data | string | originalData$ | Original, unadulterated data prior to any transformation. |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | ingestTimeUsec$ | Ingest time in microseconds (µs). |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
| client_hostname | string | clientHostname$ | Hostname of the DHCP client machine |
| client_address | string | clientAddress$ | IP of the DHCP client machine |
| client_mac | string | clientMac$ | MAC address for the client |
| server_hostname | string | serverHostname$ | Hostname of the DHCP server |
| server_address | string | serverAddress$ | IP of the DHCP server |
| server_mac | string | serverMac$ | MAC address for the server |
| action | Dhcp.DHCP_Action | action$ | Action for the DHCP event |
| expiration_time_usec | uint64 | expirationTimeUsec$ | Expiration Date for the lease |
| host_id | string | hostId$ | Host ID -- uniquely identifies the host where the event originated, e.g. an IPv4/IPv6 address or the device's MAC address |
| sensor_version | string | sensorVersion$ | The agent version, as a string. |
Dhcp.DHCP_Action
| Name | Number | Description |
|---|---|---|
| UNKNOWN | 0 | internal: unused but required for proto3 |
| DISCOVER | 1 | client broadcast to discover DHCP servers |
| OFFER | 2 | server response to client discovery (could be several offers) |
| REQUEST | 3 | client request to a specific server |
| INFORM | 4 | client to server - used if a client needs network parameters but not an IP address |
| ACK | 5 | server response to REQUEST or INFORM |
| NACK | 6 | |
| DECLINE | 7 | optional client response to server's ACK |
| RELEASE | 8 | client to server - release of IP lease |
| LEASE | 9 | some devices don't report this much detail, only that a lease was obtained |