AlexFerdissan
New Contributor

FortiSIEM: Facilitating investigation by ensuring the traceability of dynamic IP addresses

Dynamic IP addresses change regularly, making it difficult to identify the host associated with an IP address detected at any given time during incident investigations.

Is there anyone who can give me a solution?

In my opinion, I think we can create a correlation rule that associates DHCP log events with assigned IP addresses to help maintain a correspondence between dynamic IP addresses and hosts, or use Lookup Tables to keep track of the history of assignments.

Thanks,

3 REPLIES
AEK
SuperUser

Does it help to increase lease time and/or use DHCP reservation?

AEK
AlexFerdissan

Your question is not clear; the problem is not in the configuration of the DHCP server.

I think you don't understand me very well. I want a solution in FortiSIEM to quickly get the name of the local host (victim) through the IP address discovered in the incident list.

Thanks

Richie_C
Staff

Hi @AlexFerdissan 

Maybe the identity and location dashboard could be helpful in this instance. FortiSIEM keeps track and can link users based on various logs. Some of the behavior is supported by default if the correct types of events are being received. However, sometimes you will need to add extra data sources, for example if you have a DHCP server that is not in the supported list. More information on the feature can be found here:

https://help.fortinet.com/fsiem/7-3-1/Online-Help/HTML5_Help/Dashboard-identity-location.htm?Highlig...

This data is then used to enrich received events. For example, a username might be added to an event automatically.

Thanks

Take a backup before making any changes
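
The lease-history idea discussed in this thread, as an added example that is not from any participant and is not FortiSIEM code: it turns DHCP events into per-IP lease intervals and answers "which host held this IP at the incident time". The event tuple layout, the `ACK`/`RELEASE` action names and all sample values are constructed assumptions, not a FortiSIEM log format.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (time, action, ip, mac, hostname, lease_seconds)
EVENTS = [
    ("2024-05-01T08:00:00", "ACK", "10.0.0.50", "aa:bb:cc:00:00:01", "laptop-alice", 3600),
    ("2024-05-01T08:30:00", "ACK", "10.0.0.50", "aa:bb:cc:00:00:01", "laptop-alice", 3600),
    ("2024-05-01T09:10:00", "RELEASE", "10.0.0.50", "aa:bb:cc:00:00:01", "laptop-alice", 0),
    ("2024-05-01T11:00:00", "ACK", "10.0.0.50", "aa:bb:cc:00:00:02", "desktop-bob", 1800),
]

def build_history(events):
    """Return {ip: [[start, end, mac, host], ...]} ordered by start time."""
    history = defaultdict(list)
    for ts, action, ip, mac, host, lease in sorted(events):  # ISO strings sort by time
        t = datetime.fromisoformat(ts)
        spans = history[ip]
        last = spans[-1] if spans else None
        if action == "ACK":
            end = t + timedelta(seconds=lease)
            if last and last[2] == mac and t <= last[1]:
                last[1] = end              # renewal extends the current lease
            else:
                if last and last[1] > t:
                    last[1] = t            # a new holder truncates a stale lease
                spans.append([t, end, mac, host])
        elif action == "RELEASE" and last and last[2] == mac and t < last[1]:
            last[1] = t                    # early release ends the lease
    return history

def host_at(history, ip, when):
    """Return (hostname, mac) holding `ip` at ISO time `when`, or None."""
    t = datetime.fromisoformat(when)
    spans = history.get(ip, [])
    i = bisect_right([s[0] for s in spans], t) - 1
    if i >= 0 and t < spans[i][1]:
        return spans[i][3], spans[i][2]
    return None                            # no lease covered that instant

if __name__ == "__main__":
    h = build_history(EVENTS)
    for when in ("2024-05-01T09:05:00", "2024-05-01T09:20:00", "2024-05-01T11:15:00"):
        print(when, "10.0.0.50", host_at(h, "10.0.0.50", when))
```

A `None` result means the address was unassigned (released or expired) at that instant, so attributing the traffic to the previous or next holder would be a guess.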