...
Internal field | Product | CEF | LEEF | Splunk CIM | Description
---|---|---|---|---|---
Timestamp | NIOS, B1TD, B1DDI | Timestamp* | Timestamp* | Timestamp* | UTC timezone
`<name server ip>` rip | NIOS | dst | dst | dest | IP address of the DNS server
`<client IP>` qip | NIOS, B1TD, B1DDI | src | src | src | IP address of the client
`<port>` qport | NIOS | spt | srcPort | src_port | Source port
`<dns view>` view | NIOS | InfobloxDNSView | InfobloxDNSView | dns_view | DNS View
`<qname>` | NIOS, B1TD, B1DDI | destinationDnsDomain | url | query | Requested domain name
`<class name>` qclass | NIOS, B1TD, B1DDI | InfobloxDNSQClass | InfobloxDNSQClass | record_type | Request class
`<type name>` qtype | NIOS, B1TD, B1DDI | InfobloxDNSQType | InfobloxDNSQType | query_type | Request record type
`<flags>` qqr, qaa, qtc, qrd, qra, qad, qcd, qdo | NIOS, B1TD, B1DDI | InfobloxDNSQFlags | InfobloxDNSQFlags | dns_request_flags | DNS request options
`<flags>` rqr, raa, rtc, rrd, rra, rad, rcd, rdo | NIOS, B1TD, B1DDI | InfobloxDNSQFlags | InfobloxDNSQFlags | dns_response_flags | DNS response options
protocol | NIOS, B1TD, B1DDI | proto | proto | transport | TCP or UDP
- | NIOS, B1TD, B1DDI | app | app | | DNS
- | NIOS, B1TD, B1DDI | cnt | cnt | query_count | Query count
`<rcode>` | NIOS, B1TD, B1DDI | InfobloxDNSRCode | InfobloxDNSRCode | reply_code, reply_code_id | Response code
[`<RR in text format>`] rrr1, rrr2, rrr3 | NIOS, B1TD, B1DDI | msg | msg | answer, dns_record | Returned resource records
ttl | | | | | RR's TTL
arcount | B1TD, B1DDI | InfobloxArCount | InfobloxArCount | additional_answer_count | Response. Additional RR count
ancount | B1TD, B1DDI | InfobloxAnCount | InfobloxAnCount | answer_count | Response. RR count
nscount | B1TD, B1DDI | InfobloxNsCount | InfobloxNsCount | authority_answer_count | Response. Authoritative RR count
rport | B1TD, B1DDI | | | dest_port | DNS Server's port
| NIOS, B1TD, B1DDI | | | message_type | DNS Query or DNS Response
tid | B1TD, B1DDI | | | transaction_id | Transaction id
- | NIOS, B1TD, B1DDI | | | vendor_product | For CIM: Infoblox NIOS, Infoblox BloxOne TD, Infoblox BloxOne DDI
opcode | B1TD, B1DDI | | | opcode | Operational code
source | B1TD, B1DDI | | | source_id | Source ID
type | B1TD, B1DDI | | | dns_packet_type | DNS packet type
pid | | | | policy_id | Policy ID
cid | | | | client_id | Client ID
anonymized | | | | anonymized | Anonymized
DNS Query/Response: Additional Metadata | | | | |
region | B1TD | InfobloxB1Region | InfobloxB1Region | ib_b1_region | B1 PoP Region
pname | B1TD | InfobloxB1ConnectionType | InfobloxB1ConnectionType | ib_b1_connection_type | Connection type: remote_client, DFP, direct (NAT/Network)
display_name | B1TD | InfobloxB1OPHName | InfobloxB1OPHName | oph_name | On-prem host name
ip_address | B1TD | InfobloxB1OPHIPAddress | InfobloxB1OPHIPAddress | oph_ip_address | On-prem host IP
network | B1TD | InfobloxB1Network | InfobloxB1Network | src_network | Network name (Network, DFP, Client)
user_name | B1TD | suser | usrName | user_name | User name
device_name | B1TD | dvchost | identHostName | src_device_name | User's device name
mac_address or cmac | B1TD | smac | srcMAC | src_mac | User's device MAC
device_ip | B1TD | dvc | | src_ip | User's device IP
os_version | B1TD | InfobloxB1SrcOSVersion | InfobloxB1SrcOSVersion | src_os_version | User's device OS
dhcp_fingerprint | B1TD | InfobloxB1DHCPFingerprint | InfobloxB1DHCPFingerprint | src_dhcp_fingerprint | User's device DHCP Fingerprint
all_tags | B1TD | InfobloxB1DNSTags | InfobloxB1DNSTags | ib_dns_tags | DNS request categorization tags
...