...
- query=domain.*AND device=52.123*
- device=office1.domain OR device=office2.domain.com
- dns_view=example-view AND query_type=A
- (source='Infoblox Endpoint' OR source="example 1") AND device=52.123*
...
- DETECTED: The date the indicator was first detected.
- THREAT LEVEL: The threat level for the malicious hit. This can be High, Medium, Low, or Info.
- QUERY: The domain name that was queried. Clicking the View on Dossier icon for a record opens the Dossier threat look-up for the threat class or property of the selected record; the Dossier report on that page gives additional information on the indicator.
- CLASS: The threat intelligence class, such as Phishing, MalwareC2, DGA, and others.
- PROPERTY: The property or nature of the threat. By default, the portal includes all threat properties.
- POLICY: The security policy against which the malicious hit triggered.
- ACTION: The configured action for the security rule. This can be Allow, Redirect, Block, or Log.
- DEVICE NAME: The name of the device.
- SOURCE: The location of the device within the network infrastructure. For example, the device can be an on-prem appliance or an endpoint device.
- RESPONSE: The response returned by the Infoblox Platform for the malicious hit.
- DNS VIEW: The DNS view from which the query was answered.
- FEED: The name of the threat feed against which the malicious hit triggered.
- QUERY TYPE: The DNS query type.
- MAC ADDRESS: The detected MAC address of the device.
- DHCP FINGERPRINT: The unique identifier that was formed by the values in the DHCP option 55 or 60. This identifier is used to identify the requesting client or device.
- USER: The user that triggered the hit. For remote offices, the portal displays Unknown for these users.
- THREAT CONFIDENCE: A scoring system for malicious hits where confidence is rated High, Medium, or Low.
- DEVICE IP: The IP address of the device responsible for the hit.
- OS VERSION: The version of the device's operating system making the request.
- INDICATOR: The policy source of the indicator being reported. The indicator can originate from an application or category filter, from a custom list, or from a threat feed.
- RESPONSE REGION: The region within a country where the response originated, based on information acquired from the public IP address of the Infoblox Endpoint or DFP that served it.
- RESPONSE COUNTRY: The country where the response originated, based on information acquired from the public IP address of the Infoblox Endpoint or DFP that served it.
- DEVICE REGION: The region within a country where the device resides.
- DEVICE COUNTRY: The country where the device resides.
...