Leveraging the DHCP/DNS Data Gold Mine for Security
October 6, 2020
Using Azure Sentinel could accelerate threat correlation and hunting
By Krupa Srivatsan, Director of Product Marketing at Infoblox

Over the years, organizations have started putting together a security stack as part of their defense-in-depth strategy. Each tool was built to address a specific threat vector. However, these tools didn’t talk to each other or readily share data, forcing security operations teams to manually gather the information needed to correlate events. As partners work to make network components and security tools share data with each other transparently, using DHCP and DNS data in Azure Sentinel is a strong step toward achieving better visibility.
Microsoft has announced a dozen new connectors that automatically collect data from several leading security solutions, including Infoblox’s, into Azure Sentinel. These connectors help security teams to gather and analyze data from various sources much faster, lowering time to remediation.
______________________________________________________________________
Learn how to implement the Infoblox connector for Azure Sentinel here.
______________________________________________________________________
Visibility Is Key for Security Operations
The first place to start addressing operational challenges is with visibility. Organizations need a platform that provides ubiquitous visibility into everything that’s on the network – physical, virtual, cloud, branch, and IoT resources. To help understand the severity of network and security events, leveraging network context – things like criticality of the compromised asset, asset location, audit trail, and history of accessed destinations – is key.
An enterprise DDI (DNS, DHCP, and IPAM) platform knows, at any given point in time, what devices are on the organization’s network. This is because the first thing a device does when it joins a network is to request an IP address from the DHCP server. That server is also able to identify the characteristics of the device (type of device, OS, version) based on the initial DHCP request. This information is collected and put into a database (IPAM). Additional discovery data can also be gathered to further augment the device’s information (e.g., username, switch port, access point, physical location). All of this information becomes critically important if you have to conduct an investigation based on an IP address.
Value of DNS, DHCP to a SIEM for Threat Correlation and Hunting
DHCP/DNS data is a gold mine that can be leveraged in a SIEM, like Azure Sentinel, to help accelerate threat correlation and hunting.
Event correlation – Without DHCP data, it’s hard to correlate disparate events related to the same device under investigation, especially in dynamic environments. DHCP servers are responsible for allocating IP addresses that are used to identify the specific devices involved in security events. A DHCP assignment signals the insertion of a device onto the network and hence is an audit trail of devices on the network.
Scope of breach – DNS query data provides a “client-centric” record of activity. This includes internal activity inside the security perimeter as well as activity from BYOD and IoT devices, and it provides an excellent basis from which to profile device and user activity. Without DNS and DHCP, operations teams may have limited visibility into what resources a client has been accessing. DNS provides a universal audit trail of the services and resources the device has recently accessed.
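The two points above come together when a DNS query is attributed to the device that actually held the client IP at query time, which is exactly what breaks in dynamic environments where addresses are recycled. The following is an added example, not Infoblox or Microsoft code; the lease and query records, field names and addresses are constructed, and a query that falls in a gap between two leases is deliberately left unattributed rather than guessed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Lease:  # one DHCP lease record (constructed sample; field names are my own)
    ip: str
    mac: str
    hostname: str
    start: datetime
    end: datetime

@dataclass
class DnsQuery:  # one resolver query log line (constructed sample)
    ts: datetime
    client_ip: str
    qname: str

def lease_at(leases, ip, ts) -> Optional[Lease]:
    """Return the lease that held `ip` at instant `ts`, or None if nothing covered it."""
    for lease in leases:
        if lease.ip == ip and lease.start <= ts < lease.end:
            return lease
    return None

def attribute_queries(queries, leases):
    """Tag each DNS query with the MAC that held its client IP at query time.
    A query falling in a lease gap (IP released, not yet reassigned) stays None
    instead of being pinned on the previous or next holder of that address."""
    rows = []
    for q in queries:
        lease = lease_at(leases, q.client_ip, q.ts)
        rows.append((q.ts, q.client_ip, q.qname, lease.mac if lease else None))
    return rows

def device_timeline(queries, leases, mac):
    """Domains one device resolved across every IP it held: the client-centric view."""
    return [qname for _, _, qname, m in attribute_queries(queries, leases) if m == mac]

# Constructed sample: 10.0.1.25 goes to a laptop, is released, then reused by a phone,
# while the laptop comes back on a different address.
T0 = datetime(2020, 10, 6, 8, 0)
def H(h, m=0): return T0 + timedelta(hours=h, minutes=m)
LEASES = [Lease("10.0.1.25", "aa:aa:aa:aa:aa:01", "laptop-a", H(0), H(2)),
          Lease("10.0.1.25", "bb:bb:bb:bb:bb:02", "phone-b", H(2, 5), H(4)),
          Lease("10.0.1.40", "aa:aa:aa:aa:aa:01", "laptop-a", H(2, 10), H(4))]
QUERIES = [DnsQuery(H(1, 30), "10.0.1.25", "updates.example.com"),
           DnsQuery(H(2, 2), "10.0.1.25", "beacon.example.org"),  # lease gap: unattributed
           DnsQuery(H(2, 30), "10.0.1.25", "cdn.example.net"),
           DnsQuery(H(3), "10.0.1.40", "mail.example.com")]
```

Keying on the MAC rather than the IP is what lets `device_timeline` follow laptop-a across both addresses it held; the unattributed query in the gap is a signal to check lease logging coverage, not evidence about either device.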

Using the Infoblox connector, Azure Sentinel users can get quick and easy access to this highly valuable data, analyze and correlate the information, and respond to events more efficiently. With the ease of integration and quick access, partners can leverage it to provide more connected and transparent security solutions to enterprises.
Srikrupa Srivatsan has 20-plus years of experience in technology in various roles including software development, product management, and product marketing. Currently, as director of product marketing at Infoblox, she is responsible for messaging, positioning, and bringing to market Infoblox’s security solutions that optimize operations and provide foundational security against known and zero-day threats. She has an MBA from the University of California Haas School of Business and a Computer Science Engineering degree.