1.4
IG2 IG3

Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory

Asset Type: Devices
Security Function: Identify

Description

Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise’s asset inventory. Review and use logs to update the enterprise’s asset inventory weekly, or more frequently.

Implementation Checklist

1. Document current state and create baseline inventory
2. Define data fields and attributes to track
3. Assign ownership and responsibilities
4. Establish review cadence and update procedures
5. Select and deploy inventory management tool
6. Populate initial inventory with all known assets
7. Establish process for adding/removing inventory entries
8. Enable logging on all in-scope systems
9. Configure log forwarding to centralized SIEM
10. Define log retention periods per policy
11. Establish log review schedule and procedures

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

IP Address Exhaustion or Conflict Attacks

Availability

Attackers conduct DHCP starvation attacks to exhaust the address pool, then introduce rogue DHCP servers to redirect traffic through attacker-controlled infrastructure.

Untracked Dynamic Device Connections

Confidentiality

Devices obtaining IP addresses via DHCP without logging evade inventory tracking, allowing transient or malicious endpoints to operate without accountability.

Vulnerabilities (When Safeguard Absent)

No DHCP Log Correlation with Asset Inventory

Without DHCP logging feeding the asset inventory, dynamically addressed devices are not tracked, creating gaps in visibility for devices that come and go.

Inability to Attribute Network Activity to Specific Devices

Without DHCP logs mapping IP leases to MAC addresses and hostnames, forensic investigation cannot reliably tie network activity to a specific physical device.
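
The following Python example is added here and is not part of the CIS safeguard text. It parses DHCPACK lines, refreshes known assets, flags MAC addresses missing from the inventory, and reports which MAC was last acknowledged for an IP at a given time. It assumes ISC dhcpd-style messages behind ISO 8601 syslog timestamps and an inventory keyed by MAC address; the sample log lines, inventory fields and function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample lines. Assumption: ISC dhcpd messages, ISO 8601 syslog timestamps.
SAMPLE_LOG = """\
2024-03-04T09:15:02 dhcp01 dhcpd[812]: DHCPDISCOVER from 3c:22:fb:aa:bb:01 via eth1
2024-03-04T09:15:03 dhcp01 dhcpd[812]: DHCPACK on 10.0.5.23 to 3c:22:fb:aa:bb:01 (LAPTOP-042) via eth1
2024-03-04T11:40:17 dhcp01 dhcpd[812]: DHCPACK on 10.0.5.77 to de:ad:be:ef:00:99 via eth1
2024-03-05T08:01:44 dhcp01 dhcpd[812]: DHCPACK on 10.0.5.31 to 3C:22:FB:AA:BB:01 (LAPTOP-042) via eth1
"""

ACK = re.compile(
    r"^(?P<ts>\S+) \S+ dhcpd\[\d+\]: DHCPACK on (?P<ip>\d+(?:\.\d+){3}) "
    r"to (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via \S+"
)

def parse_leases(log_text):
    """Return one record per DHCPACK line; other DHCP message types are ignored."""
    leases = []
    for line in log_text.splitlines():
        m = ACK.match(line)
        if m:  # MACs are lower-cased so they match the inventory keys
            leases.append({"seen": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
                           "mac": m["mac"].lower(), "hostname": m["host"]})
    return leases

def reconcile(inventory, leases):
    """Refresh known assets in place; return records for MACs not in the inventory."""
    unknown = {}
    for lease in sorted(leases, key=lambda l: l["seen"]):
        book = inventory if lease["mac"] in inventory else unknown
        rec = book.setdefault(lease["mac"], {"first_seen": lease["seen"]})
        rec.update(ip=lease["ip"], last_seen=lease["seen"])
        if lease["hostname"]:  # the client hostname is optional in the log line
            rec["hostname"] = lease["hostname"]
    return unknown

def holder_of(leases, ip, when):
    """MAC most recently acknowledged for ip at or before when (expiry not modeled)."""
    prior = [l for l in leases if l["ip"] == ip and l["seen"] <= when]
    return max(prior, key=lambda l: l["seen"])["mac"] if prior else None

if __name__ == "__main__":
    inventory = {"3c:22:fb:aa:bb:01": {"owner": "j.doe"}}  # hypothetical entry
    for mac, rec in reconcile(inventory, parse_leases(SAMPLE_LOG)).items():
        print("not in inventory:", mac, rec["ip"], rec["first_seen"].isoformat())
    print(inventory)
```

MAC addresses and client-supplied hostnames in DHCP logs can be set by the client, so an unknown MAC is a prompt for review rather than proof of identity.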

Evidence Requirements

| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Document | Current inventory or catalog documentation | Maintained continuously, reviewed quarterly |
| Document | Process/procedure documentation for identification activities | Reviewed annually |
| Technical | Asset/software inventory export with required fields populated | Exported quarterly for review |
| Record | Inventory review meeting minutes or sign-off | Per review cycle |
| Technical | SIEM dashboard showing log sources and collection status | Captured monthly |
| Record | Log review records and findings | Per review cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |