Page Comparison

Infoblox Platform logs are delivered in parquet format. You can use the Apache parquet tools that Infoblox provides (click here to access the tools) to convert the parquet files to JSON format if necessary. For more information, see Converting Parquet to JSON.

...

{“opcode”:0,”timestamp”:1525857674,”qname”:”eicar”exampledomain.co.”,”qtype”:1,”qclass”:1,”source”:
“3b9eea03015cee5cca1bcb22b02c837c”,”qip”:”54.152.30.60″,”qport”:47″3b9eea03015cee5cca1bcb22b02c837c”,”qip”:”54.152.30.60″,”qport”:47697,”rip”:”
“,”rport”:-1,”protocol”:17,”delay”:1.0,”rcode”:3,”type”:1,”qqr”:false,”qaa”:false,”qtc”:false,”qrd”:false,”qra”:false,
“qad”:false,”qcd”:false,”qdo”:false,”rqr”:true,”raa”:false,”rtc”:false,”rrd”:true,”rra”:false,”rad”:true,”rcd”:false,
“rdo”:false,”rrr1″:{},”rrr2″:{},”rrr3″:{},”view”:””,”anonymized”:false,”nanosec”:220087857,”pid”:”120873″,
“cid”:”:c4f0717dbd1150904aab042e1843a91f”,”tid”:””}

...

Amazon S3 > <bucketname> /archivers/ rpz_enriched / year=xxxx / month=xx / day=xx /hour=xx

Example:

Amazon S3 > testbucket/rpz_enriched /year=2024/month=3/day=3/hour=15/

File format: part-00000-0228fa58-6334-464c-8502-37f04dd40528.c000.snappy.parquet

RPZ

Field Name	Type	Description
opcode	INT32	opcode for NOTIFY, STATUS, QUERY, UPDATE This is the opcode for the corresponding DNS traffic, such as QUERY (0), IQUERY (1), STATUS (2), NOTIFY(4), and UPDATE (5). Infoblox log collector assigns a default value of -1 to this field when opcode data is not available from the source log.
timestamp	INT64	timestamp in second part
nanosecond	INT32	Timestamp in nano second part
tcode	INT32	RPZ Trigger code (adapted from ZyTrax) 0: QNAME Trigger on query name 1: CLIENT-IP Trigger on DNS client IP 2: IP Trigger on query response IP 3: NSDNAME Trigger on NS name during delegation 4: NS-IP Trigger on NS IP during delegation
tname	STRING	FQDN for RPZ trigger (feedname.rpz_entry or rpz_entry.feedname)
acode	INT32	RPZ Action code (adapted from ZyTrax) 0: Local-Data Response data defined by RR and target name 1: NODATA Return name exists but with no answer data 2: PASSTHRU Do nothing – normally defines an exception in a range 3: NXDOMAIN Return name does not exist 4: TCP-Only Force use of TCP (REDIRECT for policy engine) 5: REFUSED Support for JANUS 6: DROP Causes client timeout
arrtype	INT32	RPZ Action RR type
arrdata	STRING	RPZ Action RR data
qname	STRING	DNS query name in FQDN
qtype	INT32	DNS query type
qclass	INT32	DNS query class
source	STRING	data source or DNS server ID
qip	STRING	requester IP
qport	INT32	Requester Port
rip	STRING	Responder IP
rport	INT32	Responder Port
view	STRING	DNS view (Infoblox feed or others. Optionally prefix with network view qualifier)
pvendor	STRING	Product vendor
pname	STRING	Product name
pversion	STRING	Product version
loglevel	INT32	Syslog severity level indicator
disabled	BOOL	Is RPZ rule disabled
tid	STRING	Transaction Identifier of DNS response
pid	STRING	Policy Identifier (optional)
cid	STRING	Client Identifier (optional)
anonymized	BOOL	Anonymized flag
cmac	STRING	Client MAC address (optional)
csite	STRING	Client Site ID (optional)
qcat	STRING	Content category (optional)
tinfo	STRING	Trigger information: threat property, threat level, threat confidence (optional)
username	STRING	Username for authenticated users
region	STRING	ATC's region
extra	NULL	[('user_name', 'somename'), ('threat_class', 'CAT'), ('sld', 'exampledomain.com'), ('pname', 'remote_client'), ('domain_applications', 'Uncategorized'), ('feed_name', 'CAT_Business Software'), ('client_region', 'exampleregion'), ('endpointgroups', 'Examplecountry_SEZ_STPI'), ('client_country', 'example_country'), ('qname_norm', 'peers.exampledomain.com'), ('property', 'Business Software'), ('private_ip', '174.135.1.13'), ('category', 'Business Software'), ('client_continent', 'Asia'), ('event_date', '2024-07-28 10:00:00.799'), ('threat_indicator', 'peers.exampledomain.com'), ('mac_address', '3e:1f:62:53:81:d2'), ('response_region', 'example_response_region'), ('record_type', '3'), ('device_name', 'LIN65003287.sub.exampledomain.com'), ('policy_name', 'India_SEZ'), ('egress_ip', '52.214.211.36'), ('domain_categories', 'Business Software,Technology - Other'), ('all_tags', 'APP_Uncategorized,CAT_Business Software,CAT_Technology - Other,LIST_658691,LIST_672857'), ('response_country', 'ExampleCountry'), ('storage_id', '302391'), ('pdisplay_name', 'Remote Client (ATeP)'), ('network', 'BloxOne Endpoint'), ('feed_type', 'FQDN'), ('policy_action', 'Redirect'), ('os_version', 'Windows 11 Pro'), ('device_ip', '53.115.256.28'), ('response_continent', 'Asia'), ('response', '213.156.45.111), ('query_type', 'A')]
version	STRING	Schema version
key	STRING	example: com.123xyz@123abc
sld	STRING	Second level domain (example: googl.com)

...

{“opcode”:-1,”timestamp”:1521522768,”nanosec”:0,”tcode”:0,”tname”:”eicar”exampledomain.co.base.rpz.infoblox.local”,”acode”:3,”arrtype”:-1,”arrdata”:””,”qname”:”eicar”exampledomain.co”,”qtype”:1,”qclass”:-1,”source”:””,”qip”:”10.120.20.247″,”qport”:39826,”rip”:”10.35.205.4″,”rport”:-1,”view”:”_default”,”pvendor”:”Infoblox”,”pname”:”NIOS”,”pversion”:”8.2.0-357775″,”loglevel”:7,”disabled”:false,”tid”:””,”pid”:””,”cid”:””,”anonymized”:false,”cmac”:””,”csite”:””,”qcat”:””,”tinfo”:””}

...

Version	Old Version 3	New Version 4
Changes made by	Gary Leicht	Gary Leicht
Saved on	Nov 29, 2024	Nov 29, 2024

Versions Compared

Key