Event Log Fields
This section lists the event log fields supported when Data Connector is used with automation scripts.
Customers can choose which fields are transmitted to a SIEM or an automation script, either from Infoblox Cloud via Data Connector or directly from Infoblox's cloud.
The following event field types are supported:
Service Logs
Audit logs
Atlas Notifications
SOC Insights
TD DNS
TD RPZ
DDI DNS
DDI DHCP
NIOS DNS Q/R
NIOS RPZ
NIOS IPMeta
Service Logs
Display Name | Internal Field | Mandatory ( * ) | CEF | LEEF | Splunk CIM |
---|---|---|---|---|---|
Timestamp | @timestamp | * | | | |
Message | log | * | | | |
Pool ID | pool_id | | | | |
Service ID | service_id | | | | |
Log Name | @log_name | | | | |
Audit Logs
Display Name | Internal Field | Mandatory ( * ) | CEF | LEEF | Splunk CIM |
---|---|---|---|---|---|
Timestamp | created_at | * | | | |
Action | action | * | | | |
User Name | user_name | * | | | |
Message | message | * | | | |
HTTP Request Body | http_req_body | | | | |
HTTP Response Body | http_resp_body | | | | |
Subject Type | subject_type | | | | |
Subject Groups | subject_groups | | | | |
Event Version | event_version | | | | |
Event Category | event_cat | | | | |
Resource Type | resource_type | | | | |
Resource Description | resource_desc | | | | |
Resource ID | resource_id | | | | |
Application ID | app_id | | | | |
Client IP | client_ip | | | | |
Result | result | | | | |
Severity | severity | | | | |
Atlas Notifications
Display Name | Internal Field | Mandatory ( * ) | CEF | LEEF | Splunk CIM |
---|---|---|---|---|---|
Timestamp | OccuredTimestamp | * | | | |
Message | metadata_message | * | | | |
Status | status | | | | |
Type | type | | | | |
Subtype | subtype | | | | |
Event Category | EventCategory | | | | |
Host | metadata_host | | | | |
Severity | severity | | | | |
SOC Insights
Display Name | Internal Field | Mandatory ( * ) | CEF | LEEF | Splunk CIM |
---|---|---|---|---|---|
Timestamp | Timestamp | * | | | |
Query Name | Qname | * | | | |
Timestamp Nanosecond | Nanosec | | | | |
Message Type | Message_type | | | | |
Source ID | Source | | | | |
Reply Code Number | Rcode | | | | |
Policy ID | Pid | | | | |
Additional Answer Count | Arcount | | | | |
Source MAC Address | Src_mac | | | | |
DNS View | View | | | | |
Message | Msg | | | | |
DNS Response Flags | Dns_response_flags | | | | |
DNS Query Type | Qtype | | | | |
OPH Name | Extra_display_name | | | | |
Event Category | EventCategory | | | | |
DNS Tags | Extra_all_tags | | | | |
Source Device Name | Extra_device_name | | | | |
DNS Answer | Answer | | | | |
Protocol Code | Protocol | | | | |
DHCP Fingerprint | Extra_dhcp_fingerprint | | | | |
User Name | Extra_user_name | | | | |
Destination IP | Rip | | | | |
Query Class Name | Query_class | | | | |
Op Code | Opcode | | | | |
Region | Region | | | | |
DNS Request Flags | Dns_request_flags | | | | |
Host OS Version | Extra_os_version | | | | |
Anonymized | Anonymized | | | | |
Reply Code | Reply_code | | | | |
OPH IP Address | Extra_ip_address | | | | |
Transaction ID | Tid | | | | |
Delay | Delay | | | | |
Record Type | Record_type | | | | |
Returned Resource Records | Dns_record | | | | |
Vendor Product | Vendor_product | | | | |
Flags | Flags | | | | |
Source Port | Qport | | | | |
Device IP | Extra_device_ip | | | | |
Destination Port | Rport | | | | |
Source Network | Extra_network | | | | |
Reply Code (Parsed) | Rcode_string | | | | |
DNS Packet Type | Type | | | | |
Answer Count | Ancount | | | | |
Query Count | Query_count | | | | |
DNS QClass | Qclassname | | | | |
DNS Query Type (Parsed) | Qtypename | | | | |
Connection Type | Extra_pname | | | | |
Query Class | Qclass | | | | |
User's device MAC | Extra_mac_address | | | | |
Client ID | Cid | | | | |
Source IP | Qip | | | | |
TTL | Ttl | | | | |
Protocol | Transport_protocol | | | | |
Authority Answer Count | Nscount | | | | |
Query Type | Query_type | | | | |
Application | App | | | | |
Severity | severity | | | | |
TD DNS
Display Name | Internal Field | Mandatory ( * ) | CEF | LEEF | Splunk CIM |
---|---|---|---|---|---|
Timestamp | Timestamp | * | | | |
Query Name | Qname | * | | | |
Timestamp Nanosecond | Nanosec | | | | |
Message Type | Message_type | | | | |
Source ID | Source | | | | |
Reply Code Number | Rcode | | | | |
Policy ID | Pid | | | | |
Additional Answer Count | Arcount | | | | |
Source MAC Address | Src_mac | | | | |
DNS View | View | | | | |
Message | Msg | | | | |
DNS Response Flags | Dns_response_flags | | | | |
DNS Query Type | Qtype | | | | |
OPH Name | Extra_display_name | | | | |
Event Category | EventCategory | | | | |
DNS Tags | Extra_all_tags | | | | |
Source Device Name | Extra_device_name | | | | |
DNS Answer | Answer | | | | |
Protocol Code | Protocol | * | | | |
DHCP Fingerprint | Extra_dhcp_fingerprint | | | | |
User Name | Extra_user_name | | | | |
Destination IP | Rip | | | | |
Query Class Name | Query_class | | | | |
Op Code | Opcode | | | | |
Region | Region | | | | |
DNS Request Flags | Dns_request_flags | | | | |
Host OS Version | Extra_os_version | | | | |
Anonymized | Anonymized | | | | |
Reply Code | Reply_code | | | | |
OPH IP Address | Extra_ip_address | | | | |
Transaction ID | Tid | | | | |
Delay | Delay | | | | |
Record Type | Record_type | | | | |
Returned Resource Records | Dns_record | | | | |
Vendor Product | Vendor_product | | | | |
Flags | Flags | | | | |
Source Port | Qport | | | | |
Device IP | Extra_device_ip | | | | |
Destination Port | Rport | | | | |
Source Network | Extra_network | | | | |
Reply Code (Parsed) | Rcode_string | | | | |
DNS Packet Type | Type | | | | |
Answer Count | Ancount | | | | |
Query Count | Query_count | | | | |
DNS QClass | Qclassname | | | | |
DNS Query Type (Parsed) | Qtypename | | | | |
Connection Type | Extra_pname | | | | |
Query Class | Qclass | | | | |
User's device MAC | Extra_mac_address | | | | |
Client ID | Cid | | | | |
Source IP | Qip | | | | |
TTL | Ttl | | | | |
Protocol | Transport_protocol | | | | |
Authority Answer Count | Nscount | | | | |
Query Type | Query_type | | | | |
Application | App | | | | |
Severity | severity | | | | |
TD RPZ
Display Name | Internal Field | Mandatory ( * ) | CEF | LEEF | Splunk CIM |
---|---|---|---|---|---|
Timestamp | Timestamp | * | | | |
Query Name | Qname | * | | | |
Threat Severity | Threat_severity | | | | |
DNS Tags | Extra_all_tags | | | | |
ARR Type | Arrtype | | | | |
Query Class Name | Query_class | | | | |
QType | Qtype | | | | |
ACode | Acode | | | | |
QClass | Qclass | | | | |
Feed Type | Extra_feed_type | | | | |
Client ID | Cid | | | | |
Domain Category | Qcat | | | | |
Operational code | Opcode | | | | |
Threat Level | Threat_level | | | | |
Threat Indicator | Extra_threat_indicator | | | | |
DHCP Fingerprint | Extra_dhcp_fingerprint | | | | |
Rule Action | Rule_action | | | | |
OPH IP Address | Extra_ip_address | | | | |
Anonymized | Anonymized | | | | |
Rpz Query Feed | Rpz_query_feed | | | | |
Threat Confidence | Threat_confidence | | | | |
Source | Qip | | | | |
Category | Category | | | | |
Query Type (Parsed) | Query_type | | | | |
Client Site ID | Csite | | | | |
User Name | User_name | | | | |
Destination IP | Rip | | | | |
Rule Disabled | Disabled | | | | |
Threat Property | Threat_property | | | | |
Transaction ID | Tid | | | | |
Region | Region | | | | |
Policy Action | Extra_policy_action | | | | |
Source IP | Src | | | | |
ARR Data | Arrdata | | | | |
Timestamp Nanosecond | Nanosec | | | | |
IDS Type | Ids_type | | | | |
Action | Action | | | | |
Log Level | Loglevel | | | | |
Trigger Code | Tcode | | | | |
Transport | Transport | | | | |
OPH Name | Extra_display_name | | | | |
RPZ Rule | Tname | | | | |
DNS View | View | | | | |
Message | Msg | | | | |
Source Network | Extra_network | | | | |
Source MAC | Src_mac | | | | |
Source ID | Source | | | | |
Connection Type | P_name | | | | |
Severity | CefLeefSeverity | | | | |
Destination Port | Rport | | | | |
Policy ID | Pid | | | | |
Vendor | Pvendor | | | | |
Version | Pversion | | | | |
Feed Name | Extra_feed_name | | | | |
Vendor Product | Vendor_product | | | | |
Source Device Name | Extra_device_name | | | | |
Host OS Version | Extra_os_version | | | | |
Device IP | Extra_device_ip | | | | |
Application | App | | | | |
Source Port | Qport | | | | |
Policy Name | Extra_policy_name | | | | |
Protocol | Protocol | | | | |
Rule Disabled | disabled | | | | |
User's device OS | os_version | | | | |
Severity | severity | | | | |
DDI DNS
Display Name | Internal Field | Mandatory ( * ) | CEF | LEEF | Splunk CIM |
---|---|---|---|---|---|
Timestamp | timestamp | * | | | |
Query Name | qname | * | | | |
Source Port | qport | | | | |
OPH Name | extra_display_name | | | | |
QType | qtype | | | | |
Reply Code | dns_rcode | | | | |
Authority Answer Count | nscount | | | | |
Record Type | dns_record_type | | | | |
Answer | answer | | | | |
Connection Type | extra_pname | | | | |
DNS Tags | extra_all_tags | | | | |
Region | region | | | | |
Query Count | query_count | | | | |
Source IP (Parsed) | extra_device_ip | | | | |
Transaction ID | tid | | | | |
Timestamp Nanosec | nanosec | | | | |
Source ID | source | | | | |
Source IP | qip | | | | |
Destination IP | rip | | | | |
Client ID | cid | | | | |
OPH IP Address | extra_ip_address | | | | |
Query Class | qclass | | | | |
Transport Protocol | transport_protocol | | | | |
DNS QClass | qClassName | | | | |
DNS View | view | | | | |
Host OS Version | extra_os_version | | | | |
Anonymized | anonymized | | | | |
Application | app | | | | |
DNS Packet Type | type | | | | |
Policy ID | pid | | | | |
Reply Code Number | rcode | | | | |
Op Code | opcode | | | | |
User Name | extra_user_name | | | | |
DHCP Fingerprint | extra_dhcp_fingerprint | | | | |
DNS Request Flags | dns_request_flags | | | | |
Source Network | extra_network | | | | |
Destination Port | rport | | | | |
Returned Resource Records | dns_record | | | | |
Message | msg | | | | |
Vendor Product | vendor_product | | | | |
Message Type | message_type | | | | |
Category | event_class | | | | |
Answer Count | ancount | | | | |
Additional Answer Count | arcount | | | | |
DNS Response Flags | dns_response_flags | | | | |
Protocol | protocol | | | | |
Query Type (Parsed) | query_type | | | | |
TTL | ttl_value | | | | |
DNS QFlags | qFlags | | | | |
Delay | delay | | | | |
Source MAC Address | src_mac | | | | |
Source Device Name | extra_device_name | | | | |
DNS QType | qTypeName | | | | |
Severity | severity | | | | |
DDI DHCP
Display Name | Internal Field | Mandatory ( * ) | CEF | LEEF | Splunk CIM |
---|---|---|---|---|---|
Timestamp | timestamp | * | | | |
IP Address | LeaseExtra_Address | * | | | |
Subnet | LeaseExtra_Subnet | | | | |
Application | app | | | | |
Lease Lifetime | Lease_Lifetime | | | | |
Lease Host ID | LeaseExtra_HostID | | | | |
Leased Host Name | Lease_Hostname | | | | |
Lease UUID | Lease_LeaseUUID | | | | |
Lease Scope | LeaseExtra_LeaseScope | | | | |
Vendor Product | vendor_product | | | | |
Signature | signature | | | | |
Action | action | | | | |
Fingerprint | Lease_Fingerprint | | | | |
DHCP Options | dhcp_options | | | | |
User Name | user | | | | |
Fingerprint PR | LeaseExtra_InfobloxFingerprintPr | | | | |
Destination DUID | dest_duid | | | | |
DHCP Host IP Address | host_ip | | | | |
IP Range Start | LeaseExtra_RangeStart | | | | |
IP Range End | LeaseExtra_RangeEnd | | | | |
Host Name | host | | | | |
Category | cat | | | | |
IP Space Name | LeaseExtra_SpaceName | | | | |
Source MAC Address | LeaseExtra_Smac | | | | |
Client ID | LeaseExtra_ClientID | | | | |
Severity | severity | | | | |
NIOS DNS Q/R
Field ID (UI) | Display Name (UI) | Internal Field (Destination formatting field) | Mandatory | CEF | LEEF | CSV | Splunk CIM | JSON |
---|---|---|---|---|---|---|---|---|
view | View | view | | | | x | | x |
qip | ClientIP | clientIp (qip) | | | | | | |
qport | ClientPort | clientPort (qport) | | | | | | |
transport | Transport | transport | | | | x | x | x |
qname | Query Name | queryName (qname) | | | | | | |
queryFlags | Query Flags | queryFlags | | | | | | |
dst | Query Server | queryServer (dst) | | x | x | | | |
responseRCode | ResponseRCode | responseRCode | | x | | | | |
responseFlags | Response Flags | responseFlags | | | | | | |
responses | Responses | responses | | | | | | x |
external | External | external | | | | | | |
source | Source | source | | | | | | |
viewName | View Name | viewName | | | | | | |
delay | Delay | delay | | | | | | |
src | Src | src (clientIp) | | x | x | | x | |
spt | Spt | spt (clientPort) | | x | | | | |
spt | Spt | srcPort | | | x | | | |
proto | Proto | proto (transport) | | x | x | | | |
InfobloxDNSView | InfobloxDNSView | InfobloxDNSView (view) | | x | x | | | |
InfobloxAnCount | InfobloxAnCount | InfobloxAnCount (responses) | | x | x | | | |
InfobloxNsCount | InfobloxNsCount | InfobloxNsCount | | | | | | |
InfobloxArCount | InfobloxArCount | InfobloxArCount | | | | | | |
CEF | CEF | CEF: (cefVersion) | | x | | | | |
message_type | Message Type | messageType | | | | | | x |
cat | Cat | cat (messageType) | | | x | | | |
sev | Sev | sev | | | | | | |
url | Url | url (queryName) | | | x | | | |
timestamp | Timestamp | timestamp | x | | | x | x | x |
nanosec | Nanosec | nanosec | | | | | | |
additional_answer_count | Additional Answer Count | additional_answer_count | | | | | x | |
answer | Answer | answer | | | | | x | |
answer_count | Answer Count | answer_count | | | | x | x | |
authority_answer_count | Authority Answer Count | authority_answer_count | | | | | x | |
dest | Dest | dest | | | | | x | |
dest_port | Dest Port | dest_port | | | | | x | |
message_type | Message Type | message_type | | | | x | x | |
query | Query | query (qname) | | | | | x | x |
query_count | Query Count | query_count | | | | x | x | x |
query_type | Query Type | query_type | | x | | x | x | x |
record_type | Record Type | record_type | | | | | x | |
reply_code | Reply Code | reply_code | | | | x | x | x |
reply_code_id | Reply Code ID | reply_code_id | | | | | x | |
src_port | Src Port | src_port | | | | x | x | x |
transaction_id | Transaction ID | transaction_id | | | | | x | |
ttl | Ttl | ttl | | | | x | x | |
vendor_product | Vendor Product | vendor_product | | | | | x | |
query_class | Query Class | query_class (queryClass) | | x | | x | x | x |
opcode | OpCode | opcode | | | | | x | |
source_id | Source ID | source_id | | | | | x | |
dns_packet_type | Dns Packet Type | dns_packet_type | | | | | x | |
qqr | Qqr | qqr | | | | | x | |
qaa | Qaa | qaa | | | | | x | |
qtc | Qtc | qtc | | | | | x | |
qrd | Qrd | qrd | | | | | x | |
qra | Qra | qra | | | | | x | |
qad | Qad | qad | | | | | x | |
qcd | Qcd | qcd | | | | | x | |
qdo | Qdo | qdo | | | | | x | |
rpr | Rpr | rpr | | | | | x | |
raa | Raa | raa | | | | | x | |
rtc | Rtc | rtc | | | | | x | |
rrd | Rrd | rrd | | | | | x | |
rra | Rra | rra | | | | | x | |
rad | Rad | rad | | | | | x | |
rcd | Rcd | rcd | | | | | x | |
rdo | Rdo | rdo | | | | | x | |
dns_record | Dns Record | dns_record | | | | | x | |
dns_view | Dns View | dns_view | | | | | x | |
anonymized | Anonymized | anonymized | | | | | x | |
policy_id | Policy ID | policy_id | | | | | x | |
client_id | Client ID | client_id | | | | | x | |
time-msec | Time Msec | time-msec | | | | x | | |
src_ip | Src IP | src_ip | | | | x | | x |
query_source | Query Source | query_source | | | | x | | x |
flag_recursion | Flag recursion | flag_recursion | | | | x | | |
flag_aa | Flag aa | flag_aa | | | | x | | |
flag_tc | Flag tc | flag_tc | | | | x | | |
flag_ad | Flag ad | flag_ad | | | | x | | |
flag_cd | Flag cd | flag_cd | | | | x | | |
flag_edns | Flag edns | flag_edns | | | | x | | |
flag_edns_do | Flag edns do | flag_edns_do | | | | x | | |
flag_tsig | Flag tsig | flag_tsig | | | | x | | |
flag_gslb | Flag gslb | flag_gslb | | | | x | | |
name | Name | name | | | | x | | |
host_class | Host Class | host_class | | | | x | | |
host_type | Host Type | host_type | | | | x | | |
rdata | Rdata | rdata | | | | x | | |
nameservers_count | Nameservers Count | nameservers_count | | | | x | | |
additional_records_count | Additional Records Count | additional_records_count | | | | x | | |
app | App | app | | x | x | | | |
timestamp_nanosec | Timestamp Nanosec | timestamp_nanosec | | | | | x | |
source_type | Source Type | source_type | x | | | | | x |
With responses (pre-requisite) | | | | | | | | |
destinationDnsDomain | Destination DNS Domain | destinationDnsDomain | | x | | | | |
InfobloxDNSQClass | Infoblox DNS QClass | InfobloxDNSQClass | | x | x | | | |
InfobloxDNSQType | Infoblox DNS QType | InfobloxDNSQType | | x | x | | | |
InfobloxDNSQFlags | Infoblox DNS QFlags | InfobloxDNSQFlags | | x | x | | | |
InfobloxDNSRCode | Infoblox DNS RCode | InfobloxDNSRCode | | x | x | | | |
msg | MSG | msg | | x | x | | | |
NIOS RPZ
Field ID | Display Name | Internal Field | Mandatory | CEF | LEEF | CSV (Infoblox Legacy) | Splunk CIM | JSON (Splunk HEC, MS Sentinel) |
---|---|---|---|---|---|---|---|---|
vendor | Vendor | vendor | | | | | | |
name | Name | name | | | | | | |
pversion | Version | pversion | | | | x | | |
tcode | Trigger Code | tcode | | | | x | | x |
acode | ACode | acode | | | | x | | x |
syslogseverity | Syslog Severity | syslogseverity | | | | | | |
qip | Source IP | qip | | | | x | | x |
qport | Source Port | qport | | | | x | | x |
rip | Destination IP | rip | | | | x | | x |
qname | Query Name | qname | | | | x | | x |
query_type | Query Type | qtype | | | | x | | x |
tname | TName | tname | | | | x | | x |
anonymized | Anonymized | anonymized | | | | x | x | x |
isexternal | Is External | isexternal | | | | | | |
rule_disabled | Rule Disabled | rule_disabled | | | | | x | |
rule_disabled | Rule Disabled | disabled | | | | x | | x |
timestamp | Timestamp | timestamp | * | | | x | | x |
source_id | Source ID | source | | | | x | | x |
view | View | view | | | | x | | x |
dst | Dst | dst | | x | x | | | |
dst | Dst | dest | | | | | x | |
src | Src | src (clientip) | | x | x | | x | |
spt | Spt | spt (clientPort) | | x | x | | | |
InfobloxDNSView | InfobloxDNSView | InfobloxDNSView (queryview) | | x | x | | | |
InfobloxDNSQType | InfobloxDNSQType | InfobloxDNSQType (qtype) | | x | x | | | |
msg | Msg | msg (rpztype + rpzaction) | | x | x | | | |
rewrite | Rewrite | rewrite (query) | * | x | | | x | |
rewrite | Rewrite | query | * | | | | x | |
act | Act | act (rpzaction) | | x | x | | | |
destinationDnsDomain | DestinationDnsDomain | destinationDnsDomain (rpzquery) | | x | | | | |
InfobloxRPZRule | InfobloxRPZRule | InfobloxRPZRule (policy) | | x | x | | | |
InfobloxRPZ | InfobloxRPZ | InfobloxRPZ | | x | x | | | |
nanosec | Nanosec | nanosec | | | | x | | x |
nanosec | Nanosec | timestamp_nanosec | | | | | x | |
pvendor | Pvendor | pvendor | | | | x | | x |
pname | Pname | pname | | | | x | | x |
loglevel | LogLevel | loglevel | | | | x | | x |
action | Action | action | | | | | x | |
category | Category | category | | | | | x | |
dest_port | Dest Port | dest_port | | | | | x | |
ids_type | Ids Type | ids_type | | | | | x | |
severity | Severity | severity | | | | | x | |
signature | Signature | signature | | | | | x | |
src_port | Src Port | src_port | | | | | x | |
transport | Transport | transport | | | | | x | |
user | User | user | | | | | x | |
vendor_product | Vendor Product | vendor_product | | | | | x | |
opcode | Opcode | opcode | | | | | x | |
rpz_trigger_code | RPZ Trigger Code | rpz_trigger_code | | | | | x | |
arrtype | ArrType | arrtype | | | | | x | |
arrdata | ArrData | arrdata | | | | | x | |
query_type | Query Type | query_type | | | | | x | |
query_class | Query Class | query_class | | | | | x | |
source_id | Source ID | source_id | | | | | x | |
dns_view | DNS View | dns_view | | | | | x | |
rule_disabled | Rule Disabled | rule_disabled | | | | | x | |
transaction_id | Transaction ID | transaction_id | | | | | x | |
policy_id | Policy ID | policy_id | | | | | x | |
client_id | Client ID | client_id | | | | | x | |
src_mac | Src_mac | src_mac | | | | | x | |
client_site_id | Csite | client_site_id | | | | | x | |
threat_property | Threat_property | threat_property | | | | | x | |
threat_confidence | Threat_confidence | threat_confidence | | | | | x | |
threat_level | Threat_level | threat_level | | | | | x | |
dns_domain_category | Qcat | dns_domain_category | | | | | x | |
pversion | Pversion | pversion | | | x | | | x |
cat | EventCategory | cat | | | x | | | |
sev | Severity | sev | | | x | | | |
url | Url | url | | | x | | | |
app | App | app | | x | x | | | |
source_type | Source Type | source_type | x | | | | | x |
NIOS IPMeta
Infoblox does not support field selection for IPMeta because the data is delivered in Parquet format.
Field selection is excluded when Infoblox Cloud is selected as the service instance for the NIOS flow.
Display Name | Internal Field | Mandatory | Parquet |
---|---|---|---|
Opcode | opcode | | x |
Source | source | | x |
Timestamp | timestamp | | x |
Nanosec | nanosec | | |
Cip | cip | | x |
HostNames | hostnames | | x |
UserNames | usernames | | x |
Mac | mac | | x |
View | view | | x |
FingerPrint | fingerprint | | x |
OS | os | | x |
Firstts | firstts | | x |
Lastts | lastts | | x |
Extrattrs | extattrs | | x |
Anonymized | anonymized | | |
Member | member | | |
Discovered Data | discovered_data | | |
Extra | extra | | |
Served By | served_by | | x |
Server Host Name | server_host_name | | x |
Remote ID | remote_id | | x |
Comment | comment | | x |
Start Address | start_addr | | x |
End Address | end_addr | | x |
Disable | disable | | x |
Name | name | | x |
Network | network | | x |
Network View | network_view | | x |
IPV6 Start Prefix | ipv6_start_prefix | | x |
IPV6 Prefix Bits | ipv6_prefix_bits | | x |
IPV6 End Prefix | ipv6_end_prefix | | x |
IPV4Address | ipv4addr | | x |
IPV6Address | ipv6addr | | x |
IPV6Prefix | ipv6prefix | | x |
Host | host | | x |
Zone | zone | | x |
Dns Name | dns_name | | x |
Dns Aliases | dns_aliases | | x |
Device Description | device_description | | x |
Device Location | device_location | | x |
Device Type | device_type | | x |
Device Vendor | device_vendor | | x |
Lease Start | lease_start | | x |
Lease End | lease_end | | x |
Lease Binding State | lease_binding_state | | x |
This exclusion applies when Infoblox Cloud is selected as the service instance for the NIOS flow.