Infoblox Parser bug Fix

Removed ProcessName column from Project-Away
Renamed column DnsResponseCodeName to DnsResponseCode. Removed filter condition in Analytic Rule and updated version

Solutions/Infoblox NIOS/Analytic Rules/ExcessiveNXDOMAINDNSQueries.yaml

@@ -21,13 +21,11 @@ query: |
 
   let threshold = 200;
   Infoblox_dnsclient
-  | where ProcessName =~ "named" and Log_Type =~ "client"
   | where isnotempty(DnsResponseCode)
   | where DnsResponseCode =~ "NXDOMAIN"
   | summarize count() by SrcIpAddr, bin(TimeGenerated,15m)
   | where count_ > threshold
   | join kind=inner (Infoblox_dnsclient
-      | where ProcessName =~ "named" and Log_Type =~ "client"
       | where isnotempty(DnsResponseCode)
       | where DnsResponseCode =~ "NXDOMAIN"
       ) on SrcIpAddr
@@ -37,5 +35,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled

Solutions/Infoblox NIOS/Parser/Infoblox_dnsclient.txt

@@ -30,13 +30,13 @@ let response =
         ": query: " DnsQuery: string
         " " DnsQueryClassName: string
         " " DnsQueryTypeName: string
-        " response: " DnsResponseCodeName: string
+        " response: " DnsResponseCode: string
         " " DnsFlags: string
     | extend DnsResponseNameIndex= indexof(DnsFlags, " ")
     | extend DnsResponseName =iif(DnsResponseNameIndex != "-1", substring(DnsFlags, DnsResponseNameIndex+1), "")
     | extend DnsFlags =iif(DnsResponseNameIndex != "-1", substring(DnsFlags, 0, DnsResponseNameIndex), DnsFlags)
     | extend EventSubType = "response"
-    | project-away DnsResponseNameIndex,SyslogMessage, ProcessName, ProcessID, Facility, SeverityLevel, HostName
+    | project-away DnsResponseNameIndex,SyslogMessage, ProcessID, Facility, SeverityLevel, HostName
     ;
 //
 // Parse Request Logs
@@ -59,8 +59,8 @@ let request =
         " " DnsFlags: string
     | extend DnsQuery = replace_string (DnsQuery, '@@@', ' ')
     | extend DnsFlags= tostring((split(DnsFlags," "))[0])
-    | extend EventSubType = "request",DnsResponseCodeName = "NA"
-    | project-away SyslogMessage, ProcessName, ProcessID, Facility, SeverityLevel, HostName
+    | extend EventSubType = "request",DnsResponseCode = "NA"
+    | project-away SyslogMessage, ProcessID, Facility, SeverityLevel, HostName
     ;
 //
 // Union Request and Response Logs
@@ -71,7 +71,7 @@ let Infoblox_NIOS_ParsedData =
         EventProduct="NIOS",
         EventVendor="Infoblox",
         EventType="Query",
-        EventResult=iff(EventSubType=="request" or DnsResponseCodeName=="NOERROR","Success","Failure"),
+        EventResult=iff(EventSubType=="request" or DnsResponseCode=="NOERROR","Success","Failure"),
         DvcIpAddr=iff (HostIP == "Unknown IP", "", HostIP)
     | project-away HostIP
     ;