Forum Discussion

ddaniel
3 hours ago

Is there any way to expose/export DHCP logs from Cato SDP clients?

Is there any way (events / API) to see DHCP events for our SDP users? Our security vendors (Rapid7 and Defender for Identity) are doing correlation based on DNS and DHCP events and sometimes see SDP addresses as different machines.

I have DNS and PTR records updating but am curious if there is any way to expose the DHCP lease events for SDP users. I see those events for other Cato DHCP but not for SDP users in my tenant.

Cato has the concept of "User Awareness" that is correlating IP addresses to User IDs. When we were using Windows DHCP servers we fed the logs to our security vendors for a similar type of correlation between IP addresses and User IDs. As we are moving away from Windows Servers in our offices, we are losing this visibility. We are beginning to allow Cato to provide the DHCP on our LAN segments, as well as for our remote SDP client users. As this happens, we are seeing DHCP events on the LAN segments which can be tied to machine names and matched against login events via Active Directory or Entra ID to correlate IP addresses to users. However, for our remote SDP client users I cannot seem to find DHCP events.

This leads to issues. Microsoft Defender for Endpoint sees a user getting different remote SDP client IP addresses in the 10.41.x.x range as "Pass the Hash" attacks. However, when I investigate, it is the same workstation getting different IP addresses through normal, remote operation. If the user does not reboot/log in every day this raises security alerts.

Am I missing the point, or not configuring something correctly? Is there a way via API or syslog forwarding to monitor DHCP logs from Cato for both LAN segments and SDP client segments?

The ultimate solution would be a log-forwarding type of solution where I could forward all Cato DHCP lease events to Microsoft Defender for Endpoint/Identity and my security vendor (Rapid7), but I am just wondering how others are handling this.

I figured I would ask around before I put something in the Idea hub for a non-issue.
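The IP-to-host-to-user correlation the post describes, written out as an added example (not Cato's code and not part of the original post): once DHCP lease events for the SDP segment are available, the same workstation re-leasing a new 10.41.x.x address resolves to the same host and user rather than to a second machine. The event fields (timestamp, IP, hostname, user) and the sample data are constructed assumptions, not Cato's schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

def at(hour, minute=0):
    """Timestamp helper for the constructed sample day."""
    return datetime(2024, 5, 1, hour, minute)

@dataclass
class Lease:
    ts: datetime   # time the lease was granted
    ip: str
    host: str      # hostname (or MAC) carried by the DHCP event

@dataclass
class Login:
    ts: datetime
    host: str
    user: str

# Constructed sample events; field names are assumptions, not Cato's format.
LEASES = [
    Lease(at(8, 0), "10.41.0.15", "WS-ALICE"),
    Lease(at(13, 0), "10.41.0.72", "WS-ALICE"),  # same workstation, new IP after re-lease
    Lease(at(9, 0), "10.41.0.20", "WS-BOB"),
]
LOGINS = [
    Login(at(7, 55), "WS-ALICE", "alice"),
    Login(at(8, 50), "WS-BOB", "bob"),
]

def host_for(ip, when, leases=LEASES):
    """Host holding `ip` at `when`: the latest lease for that IP granted at or before `when`."""
    cands = [l for l in leases if l.ip == ip and l.ts <= when]
    return max(cands, key=lambda l: l.ts).host if cands else None

def user_for(host, when, logins=LOGINS, window=timedelta(hours=12)):
    """Most recent login on `host` within `window` before `when` (None if no login seen)."""
    cands = [l for l in logins if l.host == host and when - window <= l.ts <= when]
    return max(cands, key=lambda l: l.ts).user if cands else None

def same_host(ip_a, when_a, ip_b, when_b, leases=LEASES):
    """True when two observed IPs trace back to one machine, i.e. a re-lease rather than a second host."""
    a, b = host_for(ip_a, when_a, leases), host_for(ip_b, when_b, leases)
    return a is not None and a == b

def user_for_ip(ip, when):
    """Full chain: IP -> host via DHCP lease, host -> user via the latest login."""
    host = host_for(ip, when)
    return user_for(host, when) if host else None
```

Feeding both Cato lease events and directory login events into this kind of lookup is what lets a correlation engine treat 10.41.0.15 and 10.41.0.72 above as one user's workstation instead of two actors.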
