This section lists the event log fields supported when using Data Connector with automation scripts.

Customers can choose which fields to send to a SIEM or an automation script, either from BloxOne Cloud via Data Connector or directly from Infoblox's cloud.

The following event log types are supported:

- Service Logs
- Audit Logs
- Atlas Notifications
- IR Notifications
- TD DNS
- TD RPZ
- DDI DNS
- DDI DHCP
## Service Logs

Display Name | Internal Field | Mandatory ( * ) | CEF | LEEF | Splunk CIM |
---|---|---|---|---|---|
Timestamp | @timestamp | * | | | |
Message | log | * | | | |
Pool ID | pool_id | | | | |
Service ID | service_id | | | | |
Log Name | @log_name | | | | |
## Audit Logs

Display Name | Internal Field | Mandatory ( * ) | CEF | LEEF | Splunk CIM |
---|---|---|---|---|---|
Timestamp | created_at | * | | | |
Action | action | * | | | |
User Name | user_name | * | | | |
Message | message | * | | | |
HTTP Request Body | http_req_body | | | | |
HTTP Response Body | http_resp_body | | | | |
Subject Type | subject_type | | | | |
Subject Groups | subject_groups | | | | |
Event Version | event_version | | | | |
Event Category | event_cat | | | | |
Resource Type | resource_type | | | | |
Resource Description | resource_desc | | | | |
Resource ID | resource_id | | | | |
Application ID | app_id | | | | |
Client IP | client_ip | | | | |
Result | result | | | | |
Severity | severity | | | | |
## Atlas Notifications

Display Name | Internal Field | Mandatory ( * ) | CEF | LEEF | Splunk CIM |
---|---|---|---|---|---|
Timestamp | OccuredTimestamp | * | | | |
Message | metadata_message | * | | | |
Status | status | | | | |
Type | type | | | | |
Subtype | subtype | | | | |
Event Category | EventCategory | | | | |
Host | metadata_host | | | | |
Severity | severity | | | | |
## IR Notifications

Display Name | Internal Field | Mandatory ( * ) | CEF | LEEF | Splunk CIM |
---|---|---|---|---|---|
Timestamp | Timestamp | * | | | |
Query Name | Qname | * | | | |
Timestamp Nanosecond | Nanosec | | | | |
Message Type | Message_type | | | | |
Source ID | Source | | | | |
Reply Code Number | Rcode | | | | |
Policy ID | Pid | | | | |
Additional Answer Count | Arcount | | | | |
Source MAC Address | Src_mac | | | | |
DNS View | View | | | | |
Message | Msg | | | | |
DNS Response Flags | Dns_response_flags | | | | |
DNS Query Type | Qtype | | | | |
OPH Name | Extra_display_name | | | | |
Event Category | EventCategory | | | | |
DNS Tags | Extra_all_tags | | | | |
Source Device Name | Extra_device_name | | | | |
DNS Answer | Answer | | | | |
Protocol Code | Protocol | | | | |
DHCP Fingerprint | Extra_dhcp_fingerprint | | | | |
User Name | Extra_user_name | | | | |
Destination IP | Rip | | | | |
Query Class Name | Query_class | | | | |
Op Code | Opcode | | | | |
Region | Region | | | | |
DNS Request Flags | Dns_request_flags | | | | |
Host OS Version | Extra_os_version | | | | |
Anonymized | Anonymized | | | | |
Reply Code | Reply_code | | | | |
OPH IP Address | Extra_ip_address | | | | |
Transaction ID | Tid | | | | |
Delay | Delay | | | | |
Record Type | Record_type | | | | |
Returned Resource Records | Dns_record | | | | |
Vendor Product | Vendor_product | | | | |
Flags | Flags | | | | |
Source Port | Qport | | | | |
Device IP | Extra_device_ip | | | | |
Destination Port | Rport | | | | |
Source Network | Extra_network | | | | |
Reply Code (Parsed) | Rcode_string | | | | |
DNS Packet Type | Type | | | | |
Answer Count | Ancount | | | | |
Query Count | Query_count | | | | |
DNS QClass | Qclassname | | | | |
DNS Query Type (Parsed) | Qtypename | | | | |
Connection Type | Extra_pname | | | | |
Query Class | Qclass | | | | |
User's device MAC | Extra_mac_address | | | | |
Client ID | Cid | | | | |
Source IP | Qip | | | | |
TTL | Ttl | | | | |
Protocol | Transport_protocol | | | | |
Authority Answer Count | Nscount | | | | |
Query Type | Query_type | | | | |
Application | App | | | | |
Severity | severity | | | | |
## TD DNS

Display Name | Internal Field | Mandatory ( * ) | CEF | LEEF | Splunk CIM |
---|---|---|---|---|---|
Timestamp | Timestamp | * | | | |
Query Name | Qname | * | | | |
Timestamp Nanosecond | Nanosec | | | | |
Message Type | Message_type | | | | |
Source ID | Source | | | | |
Reply Code Number | Rcode | | | | |
Policy ID | Pid | | | | |
Additional Answer Count | Arcount | | | | |
Source MAC Address | Src_mac | | | | |
DNS View | View | | | | |
Message | Msg | | | | |
DNS Response Flags | Dns_response_flags | | | | |
DNS Query Type | Qtype | | | | |
OPH Name | Extra_display_name | | | | |
Event Category | EventCategory | | | | |
DNS Tags | Extra_all_tags | | | | |
Source Device Name | Extra_device_name | | | | |
DNS Answer | Answer | | | | |
Protocol Code | Protocol | * | | | |
DHCP Fingerprint | Extra_dhcp_fingerprint | | | | |
User Name | Extra_user_name | | | | |
Destination IP | Rip | | | | |
Query Class Name | Query_class | | | | |
Op Code | Opcode | | | | |
Region | Region | | | | |
DNS Request Flags | Dns_request_flags | | | | |
Host OS Version | Extra_os_version | | | | |
Anonymized | Anonymized | | | | |
Reply Code | Reply_code | | | | |
OPH IP Address | Extra_ip_address | | | | |
Transaction ID | Tid | | | | |
Delay | Delay | | | | |
Record Type | Record_type | | | | |
Returned Resource Records | Dns_record | | | | |
Vendor Product | Vendor_product | | | | |
Flags | Flags | | | | |
Source Port | Qport | | | | |
Device IP | Extra_device_ip | | | | |
Destination Port | Rport | | | | |
Source Network | Extra_network | | | | |
Reply Code (Parsed) | Rcode_string | | | | |
DNS Packet Type | Type | | | | |
Answer Count | Ancount | | | | |
Query Count | Query_count | | | | |
DNS QClass | Qclassname | | | | |
DNS Query Type (Parsed) | Qtypename | | | | |
Connection Type | Extra_pname | | | | |
Query Class | Qclass | | | | |
User's device MAC | Extra_mac_address | | | | |
Client ID | Cid | | | | |
Source IP | Qip | | | | |
TTL | Ttl | | | | |
Protocol | Transport_protocol | | | | |
Authority Answer Count | Nscount | | | | |
Query Type | Query_type | | | | |
Application | App | | | | |
Severity | severity | | | | |
## TD RPZ

Display Name | Internal Field | Mandatory ( * ) | CEF | LEEF | Splunk CIM |
---|---|---|---|---|---|
Timestamp | Timestamp | * | | | |
Query Name | Qname | * | | | |
Threat Severity | Threat_severity | | | | |
DNS Tags | Extra_all_tags | | | | |
ARR Type | Arrtype | | | | |
Query Class Name | Query_class | | | | |
QType | Qtype | | | | |
ACode | Acode | | | | |
QClass | Qclass | | | | |
Feed Type | Extra_feed_type | | | | |
Client ID | Cid | | | | |
Domain Category | Qcat | | | | |
Operational code | Opcode | | | | |
Threat Level | Threat_level | | | | |
Threat Indicator | Extra_threat_indicator | | | | |
DHCP Fingerprint | Extra_dhcp_fingerprint | | | | |
Rule Action | Rule_action | | | | |
OPH IP Address | Extra_ip_address | | | | |
Anonymized | Anonymized | | | | |
Rpz Query Feed | Rpz_query_feed | | | | |
Threat Confidence | Threat_confidence | | | | |
Source | Qip | | | | |
Category | Category | | | | |
Query Type (Parsed) | Query_type | | | | |
Client Site ID | Csite | | | | |
User Name | User_name | | | | |
Destination IP | Rip | | | | |
Rule Disabled | Disabled | | | | |
Threat Property | Threat_property | | | | |
Transaction ID | Tid | | | | |
Region | Region | | | | |
Policy Action | Extra_policy_action | | | | |
Source IP | Src | | | | |
ARR Data | Arrdata | | | | |
Timestamp Nanosecond | Nanosec | | | | |
IDS Type | Ids_type | | | | |
Action | Action | | | | |
Log Level | Loglevel | | | | |
Trigger Code | Tcode | | | | |
Transport | Transport | | | | |
OPH Name | Extra_display_name | | | | |
RPZ Rule | Tname | | | | |
DNS View | View | | | | |
Message | Msg | | | | |
Source Network | Extra_network | | | | |
Source MAC | Src_mac | | | | |
Source ID | Source | | | | |
Connection Type | P_name | | | | |
Severity | CefLeefSeverity | | | | |
Destination Port | Rport | | | | |
Policy ID | Pid | | | | |
Vendor | Pvendor | | | | |
Version | Pversion | | | | |
Feed Name | Extra_feed_name | | | | |
Vendor Product | Vendor_product | | | | |
Source Device Name | Extra_device_name | | | | |
Host OS Version | Extra_os_version | | | | |
Device IP | Extra_device_ip | | | | |
Application | App | | | | |
Source Port | Qport | | | | |
Policy Name | Extra_policy_name | | | | |
Protocol | Protocol | | | | |
Rule Disabled | disabled | | | | |
User's device OS | os_version | | | | |
Severity | severity | | | | |
## DDI DNS

Display Name | Internal Field | Mandatory ( * ) | CEF | LEEF | Splunk CIM |
---|---|---|---|---|---|
Timestamp | timestamp | * | | | |
Query Name | qname | * | | | |
Source Port | qport | | | | |
OPH Name | extra_display_name | | | | |
QType | qtype | | | | |
Reply Code | dns_rcode | | | | |
Authority Answer Count | nscount | | | | |
Record Type | dns_record_type | | | | |
Answer | answer | | | | |
Connection Type | extra_pname | | | | |
DNS Tags | extra_all_tags | | | | |
Region | region | | | | |
Query Count | query_count | | | | |
Source IP (Parsed) | extra_device_ip | | | | |
Transaction ID | tid | | | | |
Timestamp Nanosec | nanosec | | | | |
Source ID | source | | | | |
Source IP | qip | | | | |
Destination IP | rip | | | | |
Client ID | cid | | | | |
OPH IP Address | extra_ip_address | | | | |
Query Class | qclass | | | | |
Transport Protocol | transport_protocol | | | | |
DNS QClass | qClassName | | | | |
DNS View | view | | | | |
Host OS Version | extra_os_version | | | | |
Anonymized | anonymized | | | | |
Application | app | | | | |
DNS Packet Type | type | | | | |
Policy ID | pid | | | | |
Reply Code Number | rcode | | | | |
Op Code | opcode | | | | |
User Name | extra_user_name | | | | |
DHCP Fingerprint | extra_dhcp_fingerprint | | | | |
DNS Request Flags | dns_request_flags | | | | |
Source Network | extra_network | | | | |
Destination Port | rport | | | | |
Returned Resource Records | dns_record | | | | |
Message | msg | | | | |
Vendor Product | vendor_product | | | | |
Message Type | message_type | | | | |
Category | event_class | | | | |
Answer Count | ancount | | | | |
Additional Answer Count | arcount | | | | |
DNS Response Flags | dns_response_flags | | | | |
Protocol | protocol | | | | |
Query Type (Parsed) | query_type | | | | |
TTL | ttl_value | | | | |
DNS QFlags | qFlags | | | | |
Delay | delay | | | | |
Source MAC Address | src_mac | | | | |
Source Device Name | extra_device_name | | | | |
DNS QType | qTypeName | | | | |
Severity | severity | | | | |
## DDI DHCP

Display Name | Internal Field | Mandatory ( * ) | CEF | LEEF | Splunk CIM |
---|---|---|---|---|---|
Timestamp | timestamp | * | | | |
IP Address | LeaseExtra_Address | * | | | |
Subnet | LeaseExtra_Subnet | | | | |
Application | app | | | | |
Lease Lifetime | Lease_Lifetime | | | | |
Lease Host ID | LeaseExtra_HostID | | | | |
Leased Host Name | Lease_Hostname | | | | |
Lease UUID | Lease_LeaseUUID | | | | |
Lease Scope | LeaseExtra_LeaseScope | | | | |
Vendor Product | vendor_product | | | | |
Signature | signature | | | | |
Action | action | | | | |
Fingerprint | Lease_Fingerprint | | | | |
DHCP Options | dhcp_options | | | | |
User Name | user | | | | |
Fingerprint PR | LeaseExtra_InfobloxFingerprintPr | | | | |
Destination DUID | dest_duid | | | | |
DHCP Host IP Address | host_ip | | | | |
IP Range Start | LeaseExtra_RangeStart | | | | |
IP Range End | LeaseExtra_RangeEnd | | | | |
Host Name | host | | | | |
Category | cat | | | | |
IP Space Name | LeaseExtra_SpaceName | | | | |
Source MAC Address | LeaseExtra_Smac | | | | |
Client ID | LeaseExtra_ClientID | | | | |
Severity | severity | | | | |