
This section lists the event log fields supported when using Data Connector with automation scripts.

Customers can choose which specific fields to transmit to a SIEM or an automation script, either from Infoblox Cloud via Data Connector or directly from Infoblox's cloud.

The following event log types are supported:

  • Service Logs
  • Audit Logs
  • Atlas Notifications
  • IR Notifications
  • TD DNS
  • TD RPZ
  • DDI DNS
  • DDI DHCP

Service Logs

| Display Name | Internal Field | Mandatory (*) | CEF | LEEF | Splunk CIM |
|---|---|---|---|---|---|
| Timestamp | @timestamp | * | | | |
| Message | log | * | | | |
| Pool ID | pool_id | | | | |
| Service ID | service_id | | | | |
| Log Name | @log_name | | | | |
Audit Logs

| Display Name | Internal Field | Mandatory (*) | CEF | LEEF | Splunk CIM |
|---|---|---|---|---|---|
| Timestamp | created_at | * | | | |
| Action | action | * | | | |
| User Name | user_name | * | | | |
| Message | message | * | | | |
| HTTP Request Body | http_req_body | | | | |
| HTTP Response Body | http_resp_body | | | | |
| Subject Type | subject_type | | | | |
| Subject Groups | subject_groups | | | | |
| Event Version | event_version | | | | |
| Event Category | event_cat | | | | |
| Resource Type | resource_type | | | | |
| Resource Description | resource_desc | | | | |
| Resource ID | resource_id | | | | |
| Application ID | app_id | | | | |
| Client IP | client_ip | | | | |
| Result | result | | | | |
| Severity | severity | | | | |
Atlas Notifications

| Display Name | Internal Field | Mandatory (*) | CEF | LEEF | Splunk CIM |
|---|---|---|---|---|---|
| Timestamp | OccuredTimestamp | * | | | |
| Message | metadata_message | * | | | |
| Status | status | | | | |
| Type | type | | | | |
| Subtype | subtype | | | | |
| Event Category | EventCategory | | | | |
| Host | metadata_host | | | | |
| Severity | severity | | | | |
IR Notifications

| Display Name | Internal Field | Mandatory (*) | CEF | LEEF | Splunk CIM |
|---|---|---|---|---|---|
| Timestamp | Timestamp | * | | | |
| Query Name | Qname | * | | | |
| Timestamp Nanosecond | Nanosec | | | | |
| Message Type | Message_type | | | | |
| Source ID | Source | | | | |
| Reply Code Number | Rcode | | | | |
| Policy ID | Pid | | | | |
| Additional Answer Count | Arcount | | | | |
| Source MAC Address | Src_mac | | | | |
| DNS View | View | | | | |
| Message | Msg | | | | |
| DNS Response Flags | Dns_response_flags | | | | |
| DNS Query Type | Qtype | | | | |
| OPH Name | Extra_display_name | | | | |
| Event Category | EventCategory | | | | |
| DNS Tags | Extra_all_tags | | | | |
| Source Device Name | Extra_device_name | | | | |
| DNS Answer | Answer | | | | |
| Protocol Code | Protocol | | | | |
| DHCP Fingerprint | Extra_dhcp_fingerprint | | | | |
| User Name | Extra_user_name | | | | |
| Destination IP | Rip | | | | |
| Query Class Name | Query_class | | | | |
| Op Code | Opcode | | | | |
| Region | Region | | | | |
| DNS Request Flags | Dns_request_flags | | | | |
| Host OS Version | Extra_os_version | | | | |
| Anonymized | Anonymized | | | | |
| Reply Code | Reply_code | | | | |
| OPH IP Address | Extra_ip_address | | | | |
| Transaction ID | Tid | | | | |
| Delay | Delay | | | | |
| Record Type | Record_type | | | | |
| Returned Resource Records | Dns_record | | | | |
| Vendor Product | Vendor_product | | | | |
| Flags | Flags | | | | |
| Source Port | Qport | | | | |
| Device IP | Extra_device_ip | | | | |
| Destination Port | Rport | | | | |
| Source Network | Extra_network | | | | |
| Reply Code (Parsed) | Rcode_string | | | | |
| DNS Packet Type | Type | | | | |
| Answer Count | Ancount | | | | |
| Query Count | Query_count | | | | |
| DNS QClass | Qclassname | | | | |
| DNS Query Type (Parsed) | Qtypename | | | | |
| Connection Type | Extra_pname | | | | |
| Query Class | Qclass | | | | |
| User's device MAC | Extra_mac_address | | | | |
| Client ID | Cid | | | | |
| Source IP | Qip | | | | |
| TTL | Ttl | | | | |
| Protocol | Transport_protocol | | | | |
| Authority Answer Count | Nscount | | | | |
| Query Type | Query_type | | | | |
| Application | App | | | | |
| Severity | severity | | | | |
TD DNS

| Display Name | Internal Field | Mandatory (*) | CEF | LEEF | Splunk CIM |
|---|---|---|---|---|---|
| Timestamp | Timestamp | * | | | |
| Query Name | Qname | * | | | |
| Timestamp Nanosecond | Nanosec | | | | |
| Message Type | Message_type | | | | |
| Source ID | Source | | | | |
| Reply Code Number | Rcode | | | | |
| Policy ID | Pid | | | | |
| Additional Answer Count | Arcount | | | | |
| Source MAC Address | Src_mac | | | | |
| DNS View | View | | | | |
| Message | Msg | | | | |
| DNS Response Flags | Dns_response_flags | | | | |
| DNS Query Type | Qtype | | | | |
| OPH Name | Extra_display_name | | | | |
| Event Category | EventCategory | | | | |
| DNS Tags | Extra_all_tags | | | | |
| Source Device Name | Extra_device_name | | | | |
| DNS Answer | Answer | | | | |
| Protocol Code | Protocol | * | | | |
| DHCP Fingerprint | Extra_dhcp_fingerprint | | | | |
| User Name | Extra_user_name | | | | |
| Destination IP | Rip | | | | |
| Query Class Name | Query_class | | | | |
| Op Code | Opcode | | | | |
| Region | Region | | | | |
| DNS Request Flags | Dns_request_flags | | | | |
| Host OS Version | Extra_os_version | | | | |
| Anonymized | Anonymized | | | | |
| Reply Code | Reply_code | | | | |
| OPH IP Address | Extra_ip_address | | | | |
| Transaction ID | Tid | | | | |
| Delay | Delay | | | | |
| Record Type | Record_type | | | | |
| Returned Resource Records | Dns_record | | | | |
| Vendor Product | Vendor_product | | | | |
| Flags | Flags | | | | |
| Source Port | Qport | | | | |
| Device IP | Extra_device_ip | | | | |
| Destination Port | Rport | | | | |
| Source Network | Extra_network | | | | |
| Reply Code (Parsed) | Rcode_string | | | | |
| DNS Packet Type | Type | | | | |
| Answer Count | Ancount | | | | |
| Query Count | Query_count | | | | |
| DNS QClass | Qclassname | | | | |
| DNS Query Type (Parsed) | Qtypename | | | | |
| Connection Type | Extra_pname | | | | |
| Query Class | Qclass | | | | |
| User's device MAC | Extra_mac_address | | | | |
| Client ID | Cid | | | | |
| Source IP | Qip | | | | |
| TTL | Ttl | | | | |
| Protocol | Transport_protocol | | | | |
| Authority Answer Count | Nscount | | | | |
| Query Type | Query_type | | | | |
| Application | App | | | | |
| Severity | severity | | | | |
TD RPZ

| Display Name | Internal Field | Mandatory (*) | CEF | LEEF | Splunk CIM |
|---|---|---|---|---|---|
| Timestamp | Timestamp | * | | | |
| Query Name | Qname | * | | | |
| Threat Severity | Threat_severity | | | | |
| DNS Tags | Extra_all_tags | | | | |
| ARR Type | Arrtype | | | | |
| Query Class Name | Query_class | | | | |
| QType | Qtype | | | | |
| ACode | Acode | | | | |
| QClass | Qclass | | | | |
| Feed Type | Extra_feed_type | | | | |
| Client ID | Cid | | | | |
| Domain Category | Qcat | | | | |
| Operational code | Opcode | | | | |
| Threat Level | Threat_level | | | | |
| Threat Indicator | Extra_threat_indicator | | | | |
| DHCP Fingerprint | Extra_dhcp_fingerprint | | | | |
| Rule Action | Rule_action | | | | |
| OPH IP Address | Extra_ip_address | | | | |
| Anonymized | Anonymized | | | | |
| Rpz Query Feed | Rpz_query_feed | | | | |
| Threat Confidence | Threat_confidence | | | | |
| Source | Qip | | | | |
| Category | Category | | | | |
| Query Type (Parsed) | Query_type | | | | |
| Client Site ID | Csite | | | | |
| User Name | User_name | | | | |
| Destination IP | Rip | | | | |
| Rule Disabled | Disabled | | | | |
| Threat Property | Threat_property | | | | |
| Transaction ID | Tid | | | | |
| Region | Region | | | | |
| Policy Action | Extra_policy_action | | | | |
| Source IP | Src | | | | |
| ARR Data | Arrdata | | | | |
| Timestamp Nanosecond | Nanosec | | | | |
| IDS Type | Ids_type | | | | |
| Action | Action | | | | |
| Log Level | Loglevel | | | | |
| Trigger Code | Tcode | | | | |
| Transport | Transport | | | | |
| OPH Name | Extra_display_name | | | | |
| RPZ Rule | Tname | | | | |
| DNS View | View | | | | |
| Message | Msg | | | | |
| Source Network | Extra_network | | | | |
| Source MAC | Src_mac | | | | |
| Source ID | Source | | | | |
| Connection Type | P_name | | | | |
| Severity | CefLeefSeverity | | | | |
| Destination Port | Rport | | | | |
| Policy ID | Pid | | | | |
| Vendor | Pvendor | | | | |
| Version | Pversion | | | | |
| Feed Name | Extra_feed_name | | | | |
| Vendor Product | Vendor_product | | | | |
| Source Device Name | Extra_device_name | | | | |
| Host OS Version | Extra_os_version | | | | |
| Device IP | Extra_device_ip | | | | |
| Application | App | | | | |
| Source Port | Qport | | | | |
| Policy Name | Extra_policy_name | | | | |
| Protocol | Protocol | | | | |
| Rule Disabled | disabled | | | | |
| User's device OS | os_version | | | | |
| Severity | severity | | | | |
DDI DNS

| Display Name | Internal Field | Mandatory (*) | CEF | LEEF | Splunk CIM |
|---|---|---|---|---|---|
| Timestamp | timestamp | * | | | |
| Query Name | qname | * | | | |
| Source Port | qport | | | | |
| OPH Name | extra_display_name | | | | |
| QType | qtype | | | | |
| Reply Code | dns_rcode | | | | |
| Authority Answer Count | nscount | | | | |
| Record Type | dns_record_type | | | | |
| Answer | answer | | | | |
| Connection Type | extra_pname | | | | |
| DNS Tags | extra_all_tags | | | | |
| Region | region | | | | |
| Query Count | query_count | | | | |
| Source IP (Parsed) | extra_device_ip | | | | |
| Transaction ID | tid | | | | |
| Timestamp Nanosec | nanosec | | | | |
| Source ID | source | | | | |
| Source IP | qip | | | | |
| Destination IP | rip | | | | |
| Client ID | cid | | | | |
| OPH IP Address | extra_ip_address | | | | |
| Query Class | qclass | | | | |
| Transport Protocol | transport_protocol | | | | |
| DNS QClass | qClassName | | | | |
| DNS View | view | | | | |
| Host OS Version | extra_os_version | | | | |
| Anonymized | anonymized | | | | |
| Application | app | | | | |
| DNS Packet Type | type | | | | |
| Policy ID | pid | | | | |
| Reply Code Number | rcode | | | | |
| Op Code | opcode | | | | |
| User Name | extra_user_name | | | | |
| DHCP Fingerprint | extra_dhcp_fingerprint | | | | |
| DNS Request Flags | dns_request_flags | | | | |
| Source Network | extra_network | | | | |
| Destination Port | rport | | | | |
| Returned Resource Records | dns_record | | | | |
| Message | msg | | | | |
| Vendor Product | vendor_product | | | | |
| Message Type | message_type | | | | |
| Category | event_class | | | | |
| Answer Count | ancount | | | | |
| Additional Answer Count | arcount | | | | |
| DNS Response Flags | dns_response_flags | | | | |
| Protocol | protocol | | | | |
| Query Type (Parsed) | query_type | | | | |
| TTL | ttl_value | | | | |
| DNS QFlags | qFlags | | | | |
| Delay | delay | | | | |
| Source MAC Address | src_mac | | | | |
| Source Device Name | extra_device_name | | | | |
| DNS QType | qTypeName | | | | |
| Severity | severity | | | | |
DDI DHCP

| Display Name | Internal Field | Mandatory (*) | CEF | LEEF | Splunk CIM |
|---|---|---|---|---|---|
| Timestamp | timestamp | * | | | |
| IP Address | LeaseExtra_Address | * | | | |
| Subnet | LeaseExtra_Subnet | | | | |
| Application | app | | | | |
| Lease Lifetime | Lease_Lifetime | | | | |
| Lease Host ID | LeaseExtra_HostID | | | | |
| Leased Host Name | Lease_Hostname | | | | |
| Lease UUID | Lease_LeaseUUID | | | | |
| Lease Scope | LeaseExtra_LeaseScope | | | | |
| Vendor Product | vendor_product | | | | |
| Signature | signature | | | | |
| Action | action | | | | |
| Fingerprint | Lease_Fingerprint | | | | |
| DHCP Options | dhcp_options | | | | |
| User Name | user | | | | |
| Fingerprint PR | LeaseExtra_InfobloxFingerprintPr | | | | |
| Destination DUID | dest_duid | | | | |
| DHCP Host IP Address | host_ip | | | | |
| IP Range Start | LeaseExtra_RangeStart | | | | |
| IP Range End | LeaseExtra_RangeEnd | | | | |
| Host Name | host | | | | |
| Category | cat | | | | |
| IP Space Name | LeaseExtra_SpaceName | | | | |
| Source MAC Address | LeaseExtra_Smac | | | | |
| Client ID | LeaseExtra_ClientID | | | | |
| Severity | severity | | | | |
