Event Field Logs
This section lists the event log fields supported when using Data Connector with automation scripts.
Customers can choose the specific fields to transmit to a SIEM or an automation script, either from Infoblox Cloud via Data Connector or directly from Infoblox's cloud. An asterisk (*) in the Mandatory column marks a field that is mandatory for that log type.
The following event log types are supported:
Service Logs
Audit logs
Atlas Notifications
IR Notifications
TD DNS
TD RPZ
DDI DNS
DDI DHCP
Service Logs
Display Name | Internal Field | Mandatory ( * ) | CEF | LEEF | Splunk CIM |
---|---|---|---|---|---|
Timestamp | @timestamp | * | | | |
Message | log | * | | | |
Pool ID | pool_id | | | | |
Service ID | service_id | | | | |
Log Name | @log_name | | | | |
Audit Logs
Display Name | Internal Field | Mandatory ( * ) | CEF | LEEF | Splunk CIM |
---|---|---|---|---|---|
Timestamp | created_at | * | | | |
Action | action | * | | | |
User Name | user_name | * | | | |
Message | message | * | | | |
HTTP Request Body | http_req_body | | | | |
HTTP Response Body | http_resp_body | | | | |
Subject Type | subject_type | | | | |
Subject Groups | subject_groups | | | | |
Event Version | event_version | | | | |
Event Category | event_cat | | | | |
Resource Type | resource_type | | | | |
Resource Description | resource_desc | | | | |
Resource ID | resource_id | | | | |
Application ID | app_id | | | | |
Client IP | client_ip | | | | |
Result | result | | | | |
Severity | severity | | | | |
Atlas Notifications
Display Name | Internal Field | Mandatory ( * ) | CEF | LEEF | Splunk CIM |
---|---|---|---|---|---|
Timestamp | OccuredTimestamp | * | | | |
Message | metadata_message | * | | | |
Status | status | | | | |
Type | type | | | | |
Subtype | subtype | | | | |
Event Category | EventCategory | | | | |
Host | metadata_host | | | | |
Severity | severity | | | | |
IR Notifications
Display Name | Internal Field | Mandatory ( * ) | CEF | LEEF | Splunk CIM |
---|---|---|---|---|---|
Timestamp | Timestamp | * | | | |
Query Name | Qname | * | | | |
Timestamp Nanosecond | Nanosec | | | | |
Message Type | Message_type | | | | |
Source ID | Source | | | | |
Reply Code Number | Rcode | | | | |
Policy ID | Pid | | | | |
Additional Answer Count | Arcount | | | | |
Source MAC Address | Src_mac | | | | |
DNS View | View | | | | |
Message | Msg | | | | |
DNS Response Flags | Dns_response_flags | | | | |
DNS Query Type | Qtype | | | | |
OPH Name | Extra_display_name | | | | |
Event Category | EventCategory | | | | |
DNS Tags | Extra_all_tags | | | | |
Source Device Name | Extra_device_name | | | | |
DNS Answer | Answer | | | | |
Protocol Code | Protocol | | | | |
DHCP Fingerprint | Extra_dhcp_fingerprint | | | | |
User Name | Extra_user_name | | | | |
Destination IP | Rip | | | | |
Query Class Name | Query_class | | | | |
Op Code | Opcode | | | | |
Region | Region | | | | |
DNS Request Flags | Dns_request_flags | | | | |
Host OS Version | Extra_os_version | | | | |
Anonymized | Anonymized | | | | |
Reply Code | Reply_code | | | | |
OPH IP Address | Extra_ip_address | | | | |
Transaction ID | Tid | | | | |
Delay | Delay | | | | |
Record Type | Record_type | | | | |
Returned Resource Records | Dns_record | | | | |
Vendor Product | Vendor_product | | | | |
Flags | Flags | | | | |
Source Port | Qport | | | | |
Device IP | Extra_device_ip | | | | |
Destination Port | Rport | | | | |
Source Network | Extra_network | | | | |
Reply Code (Parsed) | Rcode_string | | | | |
DNS Packet Type | Type | | | | |
Answer Count | Ancount | | | | |
Query Count | Query_count | | | | |
DNS QClass | Qclassname | | | | |
DNS Query Type (Parsed) | Qtypename | | | | |
Connection Type | Extra_pname | | | | |
Query Class | Qclass | | | | |
User's device MAC | Extra_mac_address | | | | |
Client ID | Cid | | | | |
Source IP | Qip | | | | |
TTL | Ttl | | | | |
Protocol | Transport_protocol | | | | |
Authority Answer Count | Nscount | | | | |
Query Type | Query_type | | | | |
Application | App | | | | |
Severity | severity | | | | |
TD DNS
Display Name | Internal Field | Mandatory ( * ) | CEF | LEEF | Splunk CIM |
---|---|---|---|---|---|
Timestamp | Timestamp | * | | | |
Query Name | Qname | * | | | |
Timestamp Nanosecond | Nanosec | | | | |
Message Type | Message_type | | | | |
Source ID | Source | | | | |
Reply Code Number | Rcode | | | | |
Policy ID | Pid | | | | |
Additional Answer Count | Arcount | | | | |
Source MAC Address | Src_mac | | | | |
DNS View | View | | | | |
Message | Msg | | | | |
DNS Response Flags | Dns_response_flags | | | | |
DNS Query Type | Qtype | | | | |
OPH Name | Extra_display_name | | | | |
Event Category | EventCategory | | | | |
DNS Tags | Extra_all_tags | | | | |
Source Device Name | Extra_device_name | | | | |
DNS Answer | Answer | | | | |
Protocol Code | Protocol | * | | | |
DHCP Fingerprint | Extra_dhcp_fingerprint | | | | |
User Name | Extra_user_name | | | | |
Destination IP | Rip | | | | |
Query Class Name | Query_class | | | | |
Op Code | Opcode | | | | |
Region | Region | | | | |
DNS Request Flags | Dns_request_flags | | | | |
Host OS Version | Extra_os_version | | | | |
Anonymized | Anonymized | | | | |
Reply Code | Reply_code | | | | |
OPH IP Address | Extra_ip_address | | | | |
Transaction ID | Tid | | | | |
Delay | Delay | | | | |
Record Type | Record_type | | | | |
Returned Resource Records | Dns_record | | | | |
Vendor Product | Vendor_product | | | | |
Flags | Flags | | | | |
Source Port | Qport | | | | |
Device IP | Extra_device_ip | | | | |
Destination Port | Rport | | | | |
Source Network | Extra_network | | | | |
Reply Code (Parsed) | Rcode_string | | | | |
DNS Packet Type | Type | | | | |
Answer Count | Ancount | | | | |
Query Count | Query_count | | | | |
DNS QClass | Qclassname | | | | |
DNS Query Type (Parsed) | Qtypename | | | | |
Connection Type | Extra_pname | | | | |
Query Class | Qclass | | | | |
User's device MAC | Extra_mac_address | | | | |
Client ID | Cid | | | | |
Source IP | Qip | | | | |
TTL | Ttl | | | | |
Protocol | Transport_protocol | | | | |
Authority Answer Count | Nscount | | | | |
Query Type | Query_type | | | | |
Application | App | | | | |
Severity | severity | | | | |
TD RPZ
Display Name | Internal Field | Mandatory ( * ) | CEF | LEEF | Splunk CIM |
---|---|---|---|---|---|
Timestamp | Timestamp | * | | | |
Query Name | Qname | * | | | |
Threat Severity | Threat_severity | | | | |
DNS Tags | Extra_all_tags | | | | |
ARR Type | Arrtype | | | | |
Query Class Name | Query_class | | | | |
QType | Qtype | | | | |
ACode | Acode | | | | |
QClass | Qclass | | | | |
Feed Type | Extra_feed_type | | | | |
Client ID | Cid | | | | |
Domain Category | Qcat | | | | |
Operational code | Opcode | | | | |
Threat Level | Threat_level | | | | |
Threat Indicator | Extra_threat_indicator | | | | |
DHCP Fingerprint | Extra_dhcp_fingerprint | | | | |
Rule Action | Rule_action | | | | |
OPH IP Address | Extra_ip_address | | | | |
Anonymized | Anonymized | | | | |
Rpz Query Feed | Rpz_query_feed | | | | |
Threat Confidence | Threat_confidence | | | | |
Source | Qip | | | | |
Category | Category | | | | |
Query Type (Parsed) | Query_type | | | | |
Client Site ID | Csite | | | | |
User Name | User_name | | | | |
Destination IP | Rip | | | | |
Rule Disabled | Disabled | | | | |
Threat Property | Threat_property | | | | |
Transaction ID | Tid | | | | |
Region | Region | | | | |
Policy Action | Extra_policy_action | | | | |
Source IP | Src | | | | |
ARR Data | Arrdata | | | | |
Timestamp Nanosecond | Nanosec | | | | |
IDS Type | Ids_type | | | | |
Action | Action | | | | |
Log Level | Loglevel | | | | |
Trigger Code | Tcode | | | | |
Transport | Transport | | | | |
OPH Name | Extra_display_name | | | | |
RPZ Rule | Tname | | | | |
DNS View | View | | | | |
Message | Msg | | | | |
Source Network | Extra_network | | | | |
Source MAC | Src_mac | | | | |
Source ID | Source | | | | |
Connection Type | P_name | | | | |
Severity | CefLeefSeverity | | | | |
Destination Port | Rport | | | | |
Policy ID | Pid | | | | |
Vendor | Pvendor | | | | |
Version | Pversion | | | | |
Feed Name | Extra_feed_name | | | | |
Vendor Product | Vendor_product | | | | |
Source Device Name | Extra_device_name | | | | |
Host OS Version | Extra_os_version | | | | |
Device IP | Extra_device_ip | | | | |
Application | App | | | | |
Source Port | Qport | | | | |
Policy Name | Extra_policy_name | | | | |
Protocol | Protocol | | | | |
Rule Disabled | disabled | | | | |
User's device OS | os_version | | | | |
Severity | severity | | | | |
DDI DNS
Display Name | Internal Field | Mandatory ( * ) | CEF | LEEF | Splunk CIM |
---|---|---|---|---|---|
Timestamp | timestamp | * | | | |
Query Name | qname | * | | | |
Source Port | qport | | | | |
OPH Name | extra_display_name | | | | |
QType | qtype | | | | |
Reply Code | dns_rcode | | | | |
Authority Answer Count | nscount | | | | |
Record Type | dns_record_type | | | | |
Answer | answer | | | | |
Connection Type | extra_pname | | | | |
DNS Tags | extra_all_tags | | | | |
Region | region | | | | |
Query Count | query_count | | | | |
Source IP (Parsed) | extra_device_ip | | | | |
Transaction ID | tid | | | | |
Timestamp Nanosec | nanosec | | | | |
Source ID | source | | | | |
Source IP | qip | | | | |
Destination IP | rip | | | | |
Client ID | cid | | | | |
OPH IP Address | extra_ip_address | | | | |
Query Class | qclass | | | | |
Transport Protocol | transport_protocol | | | | |
DNS QClass | qClassName | | | | |
DNS View | view | | | | |
Host OS Version | extra_os_version | | | | |
Anonymized | anonymized | | | | |
Application | app | | | | |
DNS Packet Type | type | | | | |
Policy ID | pid | | | | |
Reply Code Number | rcode | | | | |
Op Code | opcode | | | | |
User Name | extra_user_name | | | | |
DHCP Fingerprint | extra_dhcp_fingerprint | | | | |
DNS Request Flags | dns_request_flags | | | | |
Source Network | extra_network | | | | |
Destination Port | rport | | | | |
Returned Resource Records | dns_record | | | | |
Message | msg | | | | |
Vendor Product | vendor_product | | | | |
Message Type | message_type | | | | |
Category | event_class | | | | |
Answer Count | ancount | | | | |
Additional Answer Count | arcount | | | | |
DNS Response Flags | dns_response_flags | | | | |
Protocol | protocol | | | | |
Query Type (Parsed) | query_type | | | | |
TTL | ttl_value | | | | |
DNS QFlags | qFlags | | | | |
Delay | delay | | | | |
Source MAC Address | src_mac | | | | |
Source Device Name | extra_device_name | | | | |
DNS QType | qTypeName | | | | |
Severity | severity | | | | |
DDI DHCP
Display Name | Internal Field | Mandatory ( * ) | CEF | LEEF | Splunk CIM |
---|---|---|---|---|---|
Timestamp | timestamp | * | | | |
IP Address | LeaseExtra_Address | * | | | |
Subnet | LeaseExtra_Subnet | | | | |
Application | app | | | | |
Lease Lifetime | Lease_Lifetime | | | | |
Lease Host ID | LeaseExtra_HostID | | | | |
Leased Host Name | Lease_Hostname | | | | |
Lease UUID | Lease_LeaseUUID | | | | |
Lease Scope | LeaseExtra_LeaseScope | | | | |
Vendor Product | vendor_product | | | | |
Signature | signature | | | | |
Action | action | | | | |
Fingerprint | Lease_Fingerprint | | | | |
DHCP Options | dhcp_options | | | | |
User Name | user | | | | |
Fingerprint PR | LeaseExtra_InfobloxFingerprintPr | | | | |
Destination DUID | dest_duid | | | | |
DHCP Host IP Address | host_ip | | | | |
IP Range Start | LeaseExtra_RangeStart | | | | |
IP Range End | LeaseExtra_RangeEnd | | | | |
Host Name | host | | | | |
Category | cat | | | | |
IP Space Name | LeaseExtra_SpaceName | | | | |
Source MAC Address | LeaseExtra_Smac | | | | |
Client ID | LeaseExtra_ClientID | | | | |
Severity | severity | | | | |