Analytic Rule Changes for Infoblox NIOS

2022-07-29 13:25:11 +05:30 · 2022-07-29 13:25:11 +05:30 · 25c543322e
--- a/Rules/ExcessiveNXDOMAINDNSQueries.yaml
+++ b/Rules/ExcessiveNXDOMAINDNSQueries.yaml
@ -20,18 +20,18 @@ relevantTechniques:
 query: |

  let threshold = 200;
-  InfobloxNIOS
+  Infoblox_dnsclient
  | where ProcessName =~ "named" and Log_Type =~ "client"
-  | where isnotempty(ResponseCode)
-  | where ResponseCode =~ "NXDOMAIN"
-  | summarize count() by Client_IP, bin(TimeGenerated,15m)
+  | where isnotempty(DnsResponseCode)
+  | where DnsResponseCode =~ "NXDOMAIN"
+  | summarize count() by SrcIpAddr, bin(TimeGenerated,15m)
  | where count_ > threshold
-  | join kind=inner (InfobloxNIOS
+  | join kind=inner (Infoblox_dnsclient
      | where ProcessName =~ "named" and Log_Type =~ "client"
-      | where isnotempty(ResponseCode)
-      | where ResponseCode =~ "NXDOMAIN"
-      ) on Client_IP
-  | extend timestamp = TimeGenerated, IPCustomEntity = Client_IP
+      | where isnotempty(DnsResponseCode)
+      | where DnsResponseCode =~ "NXDOMAIN"
+      ) on SrcIpAddr
+  | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr
 entityMappings:
  - entityType: IP
    fieldMappings:
--- a/Rules/PotentialDHCPStarvationAttack.yaml
+++ b/Rules/PotentialDHCPStarvationAttack.yaml
@ -19,11 +19,11 @@ relevantTechniques:
 query: |

  let threshold = 1000;
-  InfobloxNIOS
+  Infoblox
  | where ProcessName =~ "dhcpd" and Log_Type =~ "DHCPREQUEST"
  | summarize count() by ServerIP, bin(TimeGenerated,5m)
  | where count_ > threshold
-  | join kind=inner (InfobloxNIOS
+  | join kind=inner (Infoblox
      | where ProcessName =~ "dhcpd" and Log_Type =~ "DHCPREQUEST"
      ) on ServerIP
  | extend timestamp = TimeGenerated, IPCustomEntity = ServerIP
--- a/NIOS/Data/Solution_InfobloxNIOS.json
+++ b/NIOS/Data/Solution_InfobloxNIOS.json
@ -45,5 +45,4 @@
 	"Metadata": "SolutionMetadata.json",
 	"TemplateSpec": true,
 	"Is1Pconnector": false
-  }
-  
+  }
--- a/NIOS/Package/2.0.0.zip
+++ b/NIOS/Package/2.0.0.zip
--- a/NIOS/Package/createUiDefinition.json
+++ b/NIOS/Package/createUiDefinition.json
@ -60,7 +60,7 @@
            "name": "dataconnectors1-text",
            "type": "Microsoft.Common.TextBlock",
            "options": {
-              "text": "This solution installs the data connector for ingesting Infoblox NIOS logs into Microsoft Sentinel via Syslog. This data connector depends on a parser based on a Kusto Function to work as expected. After installing the solution, configure and enable this data connector by following guidance in Manage solution view. "
+              "text": "This solution installs the data connector for ingesting Infoblox NIOS logs into Microsoft Sentinel via Syslog. This data connector depends on a parser based on a Kusto Function to work as expected. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
            }
          },
          {
--- a/NIOS/Package/mainTemplate.json
+++ b/NIOS/Package/mainTemplate.json
@ -46,7 +46,7 @@
    }
  },
  "variables": {
-    "solutionId": "azuresentinel.azure-sentinel-solution-infobloxnios-preview",
+    "solutionId": "azuresentinel.azure-sentinel-solution-infobloxnios",
    "_solutionId": "[variables('solutionId')]",
    "email": "support@microsoft.com",
    "_email": "[variables('email')]",
@ -3629,7 +3629,7 @@
                "description": "This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains.",
                "displayName": "Excessive NXDOMAIN DNS Queries",
                "enabled": false,
-                "query": "\nlet threshold = 200;\nInfobloxNIOS\n| where ProcessName =~ \"named\" and Log_Type =~ \"client\"\n| where isnotempty(ResponseCode)\n| where ResponseCode =~ \"NXDOMAIN\"\n| summarize count() by Client_IP, bin(TimeGenerated,15m)\n| where count_ > threshold\n| join kind=inner (InfobloxNIOS\n    | where ProcessName =~ \"named\" and Log_Type =~ \"client\"\n    | where isnotempty(ResponseCode)\n    | where ResponseCode =~ \"NXDOMAIN\"\n    ) on Client_IP\n| extend timestamp = TimeGenerated, IPCustomEntity = Client_IP\n",
+                "query": "\nlet threshold = 200;\nInfoblox_dnsclient\n| where ProcessName =~ \"named\" and Log_Type =~ \"client\"\n| where isnotempty(DnsResponseCode)\n| where DnsResponseCode =~ \"NXDOMAIN\"\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\n| where count_ > threshold\n| join kind=inner (Infoblox_dnsclient\n    | where ProcessName =~ \"named\" and Log_Type =~ \"client\"\n    | where isnotempty(DnsResponseCode)\n    | where DnsResponseCode =~ \"NXDOMAIN\"\n    ) on SrcIpAddr\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr\n",
                "queryFrequency": "PT1H",
                "queryPeriod": "PT1H",
                "severity": "Medium",
@ -3651,13 +3651,13 @@
                ],
                "entityMappings": [
                  {
+                    "entityType": "IP",
                    "fieldMappings": [
                      {
-                        "identifier": "Address",
-                        "columnName": "IPCustomEntity"
+                        "columnName": "IPCustomEntity",
+                        "identifier": "Address"
                      }
-                    ],
-                    "entityType": "IP"
+                    ]
                  }
                ]
              }
@ -3737,7 +3737,7 @@
                "description": "This creates an incident in the event that an excessive amount of DHCPREQUEST have been recieved by a DHCP Server and could potentially be an indication of a DHCP Starvation Attack.",
                "displayName": "Potential DHCP Starvation Attack",
                "enabled": false,
-                "query": "\nlet threshold = 1000;\nInfobloxNIOS\n| where ProcessName =~ \"dhcpd\" and Log_Type =~ \"DHCPREQUEST\"\n| summarize count() by ServerIP, bin(TimeGenerated,5m)\n| where count_ > threshold\n| join kind=inner (InfobloxNIOS\n    | where ProcessName =~ \"dhcpd\" and Log_Type =~ \"DHCPREQUEST\"\n    ) on ServerIP\n| extend timestamp = TimeGenerated, IPCustomEntity = ServerIP\n",
+                "query": "\nlet threshold = 1000;\nInfoblox\n| where ProcessName =~ \"dhcpd\" and Log_Type =~ \"DHCPREQUEST\"\n| summarize count() by ServerIP, bin(TimeGenerated,5m)\n| where count_ > threshold\n| join kind=inner (Infoblox\n    | where ProcessName =~ \"dhcpd\" and Log_Type =~ \"DHCPREQUEST\"\n    ) on ServerIP\n| extend timestamp = TimeGenerated, IPCustomEntity = ServerIP\n",
                "queryFrequency": "PT1H",
                "queryPeriod": "PT1H",
                "severity": "Medium",
@ -3759,13 +3759,13 @@
                ],
                "entityMappings": [
                  {
+                    "entityType": "IP",
                    "fieldMappings": [
                      {
-                        "identifier": "Address",
-                        "columnName": "IPCustomEntity"
+                        "columnName": "IPCustomEntity",
+                        "identifier": "Address"
                      }
-                    ],
-                    "entityType": "IP"
+                    ]
                  }
                ]
              }
--- a/NIOS/SolutionMetadata.json
+++ b/NIOS/SolutionMetadata.json
@ -13,6 +13,4 @@
 		"tier":"Microsoft",
 		"link":"https://support.microsoft.com"
 	}
-}
-
-
+}