From 9495a33de237b31f35537211bbd9a47c1ae48319 Mon Sep 17 00:00:00 2001 
From: "nipun.brahmbhatt@crestdatasys.com" Date: Tue, 3 Sep 2024 18:00:15 +0530 Subject: [PATCH 01/11] Adding ASIM Parsers for Infoblox --- ASIM/dev/ASimTester/ASimTester.csv | 10 +- .../Parsers/ASimAuditEvent.yaml | 4 +- .../ASimAuditEventInfobloxBloxOne.yaml | 123 ++++++++ .../ASimAuditEvent/Parsers/imAuditEvent.yaml | 4 +- .../Parsers/vimAuditEventInfobloxBloxOne.yaml | 159 ++++++++++ ...xBloxOne_ASimAuditEvent_ASimDataTester.csv | 6 + ...loxOne_ASimAuditEvent_ASimSchemaTester.csv | 96 ++++++ ...oxBloxOne_vimAuditEvent_ASimDataTester.csv | 6 + ...BloxOne_vimAuditEvent_ASimSchemaTester.csv | 96 ++++++ .../ASimDhcpEvent/Parsers/ASimDhcpEvent.yaml | 4 +- .../Parsers/ASimDhcpEventInfobloxBloxOne.yaml | 133 +++++++++ .../ASimDhcpEvent/Parsers/imDhcpEvent.yaml | 4 +- .../Parsers/vimDhcpEventInfobloxBloxOne.yaml | 173 +++++++++++ ...oxBloxOne_ASimDhcpEvent_ASimDataTester.csv | 11 + ...BloxOne_ASimDhcpEvent_ASimSchemaTester.csv | 73 +++++ ...loxBloxOne_vimDhcpEvent_ASimDataTester.csv | 11 + ...xBloxOne_vimDhcpEvent_ASimSchemaTester.csv | 73 +++++ Parsers/ASimDns/Parsers/ASimDns.yaml | 4 +- .../Parsers/ASimDnsInfobloxBloxOne.yaml | 227 ++++++++++++++ Parsers/ASimDns/Parsers/imDns.yaml | 4 +- .../Parsers/vimDnsInfobloxBloxOne.yaml | 280 ++++++++++++++++++ ...InfobloxBloxOne_ASimDns_ASimDataTester.csv | 5 + ...fobloxBloxOne_ASimDns_ASimSchemaTester.csv | 110 +++++++ .../InfobloxBloxOne_vimDns_ASimDataTester.csv | 5 + ...nfobloxBloxOne_vimDns_ASimSchemaTester.csv | 110 +++++++ ...ox_BloxOne_ASimAuditEvent_IngestedLogs.csv | 21 ++ ...lox_BloxOne_ASimDhcpEvent_IngestedLogs.csv | 21 ++ .../Infoblox_BloxOne_ASimDns_IngestedLogs.csv | 21 ++ 28 files changed, 1783 insertions(+), 11 deletions(-) create mode 100644 Parsers/ASimAuditEvent/Parsers/ASimAuditEventInfobloxBloxOne.yaml create mode 100644 Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml create mode 100644 Parsers/ASimAuditEvent/Tests/InfobloxBloxOne_ASimAuditEvent_ASimDataTester.csv create mode 100644 
Parsers/ASimAuditEvent/Tests/InfobloxBloxOne_ASimAuditEvent_ASimSchemaTester.csv create mode 100644 Parsers/ASimAuditEvent/Tests/InfobloxBloxOne_vimAuditEvent_ASimDataTester.csv create mode 100644 Parsers/ASimAuditEvent/Tests/InfobloxBloxOne_vimAuditEvent_ASimSchemaTester.csv create mode 100644 Parsers/ASimDhcpEvent/Parsers/ASimDhcpEventInfobloxBloxOne.yaml create mode 100644 Parsers/ASimDhcpEvent/Parsers/vimDhcpEventInfobloxBloxOne.yaml create mode 100644 Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_ASimDhcpEvent_ASimDataTester.csv create mode 100644 Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_ASimDhcpEvent_ASimSchemaTester.csv create mode 100644 Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_vimDhcpEvent_ASimDataTester.csv create mode 100644 Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_vimDhcpEvent_ASimSchemaTester.csv create mode 100644 Parsers/ASimDns/Parsers/ASimDnsInfobloxBloxOne.yaml create mode 100644 Parsers/ASimDns/Parsers/vimDnsInfobloxBloxOne.yaml create mode 100644 Parsers/ASimDns/Tests/InfobloxBloxOne_ASimDns_ASimDataTester.csv create mode 100644 Parsers/ASimDns/Tests/InfobloxBloxOne_ASimDns_ASimSchemaTester.csv create mode 100644 Parsers/ASimDns/Tests/InfobloxBloxOne_vimDns_ASimDataTester.csv create mode 100644 Parsers/ASimDns/Tests/InfobloxBloxOne_vimDns_ASimSchemaTester.csv create mode 100644 Sample Data/ASIM/Infoblox_BloxOne_ASimAuditEvent_IngestedLogs.csv create mode 100644 Sample Data/ASIM/Infoblox_BloxOne_ASimDhcpEvent_IngestedLogs.csv create mode 100644 Sample Data/ASIM/Infoblox_BloxOne_ASimDns_IngestedLogs.csv diff --git a/ASIM/dev/ASimTester/ASimTester.csv b/ASIM/dev/ASimTester/ASimTester.csv index 555064ad11..564e352ab0 100644 --- a/ASIM/dev/ASimTester/ASimTester.csv +++ b/ASIM/dev/ASimTester/ASimTester.csv 
@@ -548,11 +548,11 @@ EventOwner,string,Optional,RegistryEvent,,,
 EventOwner,string,Optional,UserManagement,,,
 EventOwner,string,Optional,WebSession,,,
 EventProduct,string,Mandatory,Authentication,Enumerated,Service Cloud|Auth0|CloudTrail|AAD|ASA|Microsoft Defender for IoT|ISE|M365 Defender for Endpoint|Meraki|Security Events|Okta|PostgreSQL|OpenSSH|su|sudo|Vectra XDR|SentinelOne|WAF|FalconHost|Carbon Black Cloud|Cortex Data Lake|Workspace,
-EventProduct,string,Mandatory,AuditEvent,Enumerated,Azure|WAF|Security Events|Exchange 365|Dataminr Pulse|ISE|XDR|Meraki|FalconHost|SentinelOne|Carbon Black Cloud,
+EventProduct,string,Mandatory,AuditEvent,Enumerated,Azure|WAF|Security Events|Exchange 365|Dataminr Pulse|ISE|XDR|Meraki|FalconHost|SentinelOne|Carbon Black Cloud|BloxOne,
 EventProduct,string,Mandatory,Common,,,
-EventProduct,string,Mandatory,DhcpEvent,,,
+EventProduct,string,Mandatory,DhcpEvent,,BloxOne,
 EventProduct,string,Mandatory,FileEvent,Enumerated,Security Events|Sysmon for Linux|Sysmon|M365 Defender for Endpoint|Azure File Storage|SharePoint|OneDrive|SentinelOne|Carbon Black Cloud|Workspace,
-EventProduct,string,Mandatory,Dns,Enumerated,Umbrella|Azure Firewall|DNS Server|Sysmon|Sysmon for Linux|ZIA DNS|NIOS|Cloud DNS|Zeek|Vectra Stream|SentinelOne|FortiGate,
+EventProduct,string,Mandatory,Dns,Enumerated,Umbrella|Azure Firewall|DNS Server|Sysmon|Sysmon for Linux|ZIA DNS|NIOS|Cloud DNS|Zeek|Vectra Stream|SentinelOne|FortiGate|BloxOne,
 EventProduct,string,Mandatory,NetworkSession,Enumerated,Fortigate|IOS|ISE|SDP|Vectra Stream|NSGFlow|Fireware|VPC|Azure Defender for IoT|Azure Firewall|M365 Defender for Endpoint|Sysmon|Sysmon for Linux|Windows Firewall|WireData|ZIA Firewall|CDL|PanOS|VMConnection|Meraki|Zeek|Firewall|ASA|Cynerio|SentinelOne|WAF|Firepower|FalconHost|Carbon Black Cloud|Cortex Data Lake,
 EventProduct,string,Mandatory,ProcessEvent,Enumerated,M365 Defender for Endpoint|Sysmon for Linux|Sysmon|Azure Defender for IoT|Security Events|SentinelOne|Carbon 
Black Cloud|Vision One,
 EventProduct,string,Mandatory,RegistryEvent,Enumerated,M365 Defender for Endpoint|Security Events|Sysmon|Windows Event|SentinelOne|Carbon Black Cloud|Vision One,
@@ -678,9 +678,9 @@ EventUid,string,Recommended,RegistryEvent,,,
 EventUid,string,Recommended,UserManagement,,,
 EventUid,string,Recommended,WebSession,,,
 EventVendor,string,Mandatory,Authentication,Enumerated,Salesforce|AWS|Barracuda|Cisco|Microsoft|Okta|PostgreSQL|OpenBSD|Linux|Vectra|SentinelOne|CrowdStrike|VMware|Google,
-EventVendor,string,Mandatory,AuditEvent,Enumerated,Microsoft|AWS|Barracuda|Cisco|Dataminr|Vectra|CrowdStrike|SentinelOne|VMware,
+EventVendor,string,Mandatory,AuditEvent,Enumerated,Microsoft|AWS|Barracuda|Cisco|Dataminr|Vectra|CrowdStrike|SentinelOne|VMware|Infoblox,
 EventVendor,string,Mandatory,Common,,,
-EventVendor,string,Mandatory,DhcpEvent,,,
+EventVendor,string,Mandatory,DhcpEvent,,Infoblox,
 EventVendor,string,Mandatory,FileEvent,Enumerated,Microsoft|SentinelOne|VMware|Google,
 EventVendor,string,Mandatory,Dns,Enumerated,Cisco|Corelight|GCP|Infoblox|Microsoft|Zscaler|Vectra AI|SentinelOne|Fortinet,
 EventVendor,string,Mandatory,NetworkSession,Enumerated,Fortinet|AppGate|Barracuda|Palo Alto|Microsoft|Zscaler|AWS|Vectra AI|WatchGuard|Cisco|Corelight|Check Point|Forcepoint|Cynerio|SentinelOne|CrowdStrike|VMware|SonicWall,
diff --git a/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml b/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml
index 2361796414..2557fb3ae2 100644
--- a/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml
+++ b/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml
@@ -32,6 +32,7 @@ Parsers:
 - _ASim_AuditEvent_VectraXDRAudit
 - _ASim_AuditEvent_SentinelOne
 - _ASim_AuditEvent_VMwareCarbonBlackCloud
+ - _ASim_AuditEvent_InfobloxBloxOne
 ParserParams:
 - Name: pack
 Type: bool
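Review bot: The new `EventProduct,string,Mandatory,DhcpEvent,,BloxOne,` row — and `EventVendor,string,Mandatory,DhcpEvent,,Infoblox,` in the second hunk — populates the allowed-values column while leaving the type column empty, whereas every other row in these hunks that lists values sets that column to `Enumerated`. Unless the tester treats an empty type as enumerated (not visible here), these two values will simply not be validated for the DhcpEvent schema. I'd write them as `EventProduct,string,Mandatory,DhcpEvent,Enumerated,BloxOne,` and `EventVendor,string,Mandatory,DhcpEvent,Enumerated,Infoblox,` so the DHCP parser gets the same enumeration check the AuditEvent and Dns rows now get.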
@@ -54,5 +55,6 @@ ParserQuery: |
 ASimAuditEventVectraXDRAudit(BuiltInDisabled or ('ExcludeASimAuditEventVectraXDRAudit' in (DisabledParsers))),
 ASimAuditEventSentinelOne (BuiltInDisabled or ('ExcludeASimAuditEventSentinelOne' in (DisabledParsers))),
 ASimAuditEventCrowdStrikeFalconHost(BuiltInDisabled or ('ExcludeASimAuditEventCrowdStrikeFalconHost' in (DisabledParsers))),
- ASimAuditEventVMwareCarbonBlackCloud(BuiltInDisabled or ('ExcludeASimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers)))
+ ASimAuditEventVMwareCarbonBlackCloud(BuiltInDisabled or ('ExcludeASimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers))),
+ ASimAuditEventInfobloxBloxOne(BuiltInDisabled or ('ExcludeASimAuditEventInfobloxBloxOne' in (DisabledParsers)))
diff --git a/Parsers/ASimAuditEvent/Parsers/ASimAuditEventInfobloxBloxOne.yaml b/Parsers/ASimAuditEvent/Parsers/ASimAuditEventInfobloxBloxOne.yaml
new file mode 100644
index 0000000000..90dc0edd45
--- /dev/null
+++ b/Parsers/ASimAuditEvent/Parsers/ASimAuditEventInfobloxBloxOne.yaml
@@ -0,0 +1,123 @@ +Parser: + Title: AuditEvent ASIM parser for Infoblox BloxOne + Version: '0.1.0' + LastUpdated: Jun 26 2024 +Product: + Name: Infoblox BloxOne +Normalization: + Schema: AuditEvent + Version: '0.1' +References: +- Title: ASIM AuditEvent Schema + Link: https://aka.ms/ASimAuditEventDoc +- Title: ASIM + Link: https:/aka.ms/AboutASIM +- Title: Infoblox BloxOne Documentation +- Link: https://docs.infoblox.com/space/BloxOneThreatDefense/35406922/DNS+Query%2FResponse+Log+Message+Mapping +Description: | + This ASIM parser supports normalizing AuditEvent logs from Infoblox BloxOne to the ASIM AuditEvent normalized schema. These events are captured through the Azure Monitor Agent (AMA) which are sent by the Data Connector Service of Infoblox BloxOne. +ParserName: ASimAuditEventInfobloxBloxOne +EquivalentBuiltInParser: _ASim_AuditEvent_InfobloxBloxOne +ParserParams: + - Name: disabled + Type: bool + Default: false +ParserQuery: + let EventSeverityLookup = datatable (LogSeverity:string, EventSeverity:string) + [ + "0", "Low", + "1", "Low", + "2", "Low", + "3", "Low", + "4", "Medium", + "5", "Medium", + "6", "Medium", + "7", "High", + "8", "High", + "9", "High", + "10", "High" + ]; + let parser = (disabled:bool=false) { + CommonSecurityLog + | where not(disabled) + and DeviceVendor == "Infoblox" + and DeviceEventClassID has "AUDIT" + | parse-kv AdditionalExtensions as (InfobloxHTTPReqBody:string, InfobloxHTTPRespBody:string) with (pair_delimiter=";", kv_delimiter="=") + | lookup EventSeverityLookup on LogSeverity + | invoke _ASIM_ResolveDvcFQDN('CollectorHostName') + | project-rename + EventResult = EventOutcome, + Operation = DeviceAction, + ActorUsername = SourceUserName, + SrcIpAddr = SourceIP, + EventOriginalSeverity = LogSeverity, + EventMessage = Message, + EventOriginalType = DeviceEventCategory + | extend + Dvc = DvcHostname, + EventEndTime = TimeGenerated, + EventStartTime = TimeGenerated, + EventType = case( + Operation has_any ("update", "upsert"), + 
"Set", + Operation has "create", + "Create", + Operation has "delete", + "Delete", + "Other" + ), + Src = SrcIpAddr, + ActorUserType = _ASIM_GetUserType(ActorUsername, ""), + AdditionalFields = bag_pack( + "InfobloxHTTPReqBody", + InfobloxHTTPReqBody, + "InfobloxHTTPRespBody", + InfobloxHTTPRespBody + ), + User = ActorUsername, + IpAddr = SrcIpAddr, + ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) + | extend + EventCount = toint(1), + EventProduct = "BloxOne", + EventVendor = "Infoblox", + EventSchema = "AuditEvent", + EventSchemaVersion = "0.1" + | project-away + Source*, + Destination*, + Device*, + AdditionalExtensions, + CommunicationDirection, + Protocol, + SimplifiedDeviceAction, + ExternalID, + EndTime, + FieldDevice*, + Flex*, + File*, + Old*, + MaliciousIP*, + OriginalLogSeverity, + Process*, + ReceivedBytes, + SentBytes, + Remote*, + Request*, + StartTime, + TenantId, + ReportReferenceLink, + ReceiptTime, + Indicator*, + _ResourceId, + ThreatConfidence, + ThreatDescription, + ThreatSeverity, + Computer, + ApplicationProtocol, + ExtID, + Reason, + Activity, + Infoblox* + }; + parser(disabled=disabled) \ No newline at end of file diff --git a/Parsers/ASimAuditEvent/Parsers/imAuditEvent.yaml b/Parsers/ASimAuditEvent/Parsers/imAuditEvent.yaml index ada99d0b05..391081912b 100644 --- a/Parsers/ASimAuditEvent/Parsers/imAuditEvent.yaml +++ b/Parsers/ASimAuditEvent/Parsers/imAuditEvent.yaml @@ -32,6 +32,7 @@ Parsers: - _Im_AuditEvent_VectraXDRAudit - _Im_AuditEvent_SentinelOne - _Im_AuditEvent_VMwareCarbonBlackCloud + - _Im_AuditEvent_InfobloxBloxOne ParserParams: - Name: starttime Type: datetime 
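Review bot: `ParserQuery:` in this file has no `|` literal-block indicator, unlike `ParserQuery: |` in the companion vimAuditEventInfobloxBloxOne.yaml, so the multi-line KQL that follows is read as a plain (folded) scalar rather than the verbatim query text the deployment tooling expects; change it to `ParserQuery: |`. The third reference entry is also malformed: `- Link: https://docs.infoblox.com/...` starts a new list item instead of being the `Link:` key of the `Infoblox BloxOne Documentation` item, and `https:/aka.ms/AboutASIM` is missing a slash. Separately, the parser copies the raw `InfobloxHTTPReqBody` and `InfobloxHTTPRespBody` strings into `AdditionalFields`; if BloxOne audit events carry the bodies of create/update API calls (I cannot confirm from the hunk), those can include credentials, tokens or API keys, so the Description should state that these bodies are surfaced verbatim so operators can decide on masking or table-level access control, e.g. `Note: InfobloxHTTPReqBody/InfobloxHTTPRespBody are copied unmodified into AdditionalFields and may contain sensitive request payloads.`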
@@ -85,5 +86,6 @@ ParserQuery: | vimAuditEventVectraXDRAudit (starttime=starttime, endtime=endtime, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventVectraXDRAudit' in (DisabledParsers)))), vimAuditEventSentinelOne (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventSentinelOne' in (DisabledParsers)))), vimAuditEventCrowdStrikeFalconHost(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventCrowdStrikeFalconHost' in (DisabledParsers)))), - vimAuditEventVMwareCarbonBlackCloud(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers)))) + vimAuditEventVMwareCarbonBlackCloud(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventVMwareCarbonBlackCloud' in 
(DisabledParsers)))),
+ vimAuditEventInfbloxBloxOne(starttime=starttime, endtime=endtime, eventresult=eventresult,operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventInfbloxBloxOne' in (DisabledParsers))))
diff --git a/Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml b/Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml
new file mode 100644
index 0000000000..38b3024d0d
--- /dev/null
+++ b/Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml
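Review bot: The new union member is invoked as `vimAuditEventInfbloxBloxOne` with the opt-out key `ExcludevimAuditEventInfbloxBloxOne`, dropping the "o" in Infoblox; this matches the `ParserName` the new vimAuditEventInfobloxBloxOne.yaml declares, so the union resolves, but it diverges from the file name, from `EquivalentBuiltInParser: _Im_AuditEvent_InfobloxBloxOne`, and from the `ASimAuditEventInfobloxBloxOne` spelling used on the ASim side. Once shipped as a built-in, the misspelt function name and the `DisabledParsers` watchlist value become a contract operators have to type exactly, so the typo should be fixed before merge rather than after. Rename here to `vimAuditEventInfobloxBloxOne(...)` and `'ExcludevimAuditEventInfobloxBloxOne'`, and make the same change to `ParserName` in the new parser file.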
@@ -0,0 +1,159 @@ +Parser: + Title: AuditEvent ASIM parser for Infoblox BloxOne + Version: '0.1.0' + LastUpdated: Jun 26 2024 +Product: + Name: Infoblox BloxOne +Normalization: + Schema: AuditEvent + Version: '0.1' +References: +- Title: ASIM AuditEvent Schema + Link: https://aka.ms/ASimAuditEventDoc +- Title: ASIM + Link: https:/aka.ms/AboutASIM +- Title: Infoblox BloxOne Documentation + Link: https://docs.infoblox.com/space/BloxOneThreatDefense +Description: | + This ASIM parser supports normalizing AuditEvent logs from Infoblox BloxOne to the ASIM AuditEvent normalized schema. These events are captured through the Azure Monitor Agent (AMA) which are sent by the Data Connector Service of Infoblox BloxOne. +ParserName: vimAuditEventInfbloxBloxOne +EquivalentBuiltInParser: _Im_AuditEvent_InfobloxBloxOne +ParserParams: + - Name: disabled + Type: bool + Default: false + - Name: starttime + Type: datetime + Default: datetime(null) + - Name: endtime + Type: datetime + Default: datetime(null) + - Name: srcipaddr_has_any_prefix + Type: dynamic + Default: dynamic([]) + - Name: operation_has_any + Type: dynamic + Default: dynamic([]) + - Name: eventtype_in + Type: dynamic + Default: dynamic([]) + - Name: eventresult + Type: string + Default: '*' + - Name: actorusername_has_any + Type: dynamic + Default: dynamic([]) + - Name: object_has_any + Type: dynamic + Default: dynamic([]) + - Name: newvalue_has_any + Type: dynamic + Default: dynamic([]) +ParserQuery: | + let EventSeverityLookup = datatable (LogSeverity:string, EventSeverity:string) + [ + "0", "Low", + "1", "Low", + "2", "Low", + "3", "Low", + "4", "Medium", + "5", "Medium", + "6", "Medium", + "7", "High", + "8", "High", + "9", "High", + "10", "High" + ]; + let parser = (disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventresult: string='*', operation_has_any: dynamic=dynamic([]), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), 
actorusername_has_any: dynamic=dynamic([]), object_has_any: dynamic=dynamic([]), newvalue_has_any: dynamic=dynamic([])) { + CommonSecurityLog + | where not(disabled) + and (isnull(starttime) or TimeGenerated >= starttime) + and (isnull(endtime) or TimeGenerated <= endtime) + and DeviceVendor == "Infoblox" + and DeviceEventClassID has "AUDIT" + and (eventresult == "*" or EventOutcome =~ eventresult) + and (array_length(operation_has_any) == 0 or DeviceAction has_any (operation_has_any)) + and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix)) + and (array_length(actorusername_has_any) == 0 or SourceUserName has_any (actorusername_has_any)) + and array_length(object_has_any) == 0 + and array_length(newvalue_has_any) == 0 + | parse-kv AdditionalExtensions as (InfobloxHTTPReqBody:string, InfobloxHTTPRespBody:string) with (pair_delimiter=";", kv_delimiter="=") + | extend EventType = case( + DeviceAction has_any ("update", "upsert"), + "Set", + DeviceAction has "create", + "Create", + DeviceAction has "delete", + "Delete", + "Other" + ) + | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in)) + | lookup EventSeverityLookup on LogSeverity + | invoke _ASIM_ResolveDvcFQDN('CollectorHostName') + | project-rename + EventResult = EventOutcome, + Operation = DeviceAction, + ActorUsername = SourceUserName, + SrcIpAddr = SourceIP, + EventOriginalSeverity = LogSeverity, + EventMessage = Message, + EventOriginalType = DeviceEventCategory + | extend + Dvc = DvcHostname, + EventEndTime = TimeGenerated, + EventStartTime = TimeGenerated, + Src = SrcIpAddr, + ActorUserType = _ASIM_GetUserType(ActorUsername, ""), + AdditionalFields = bag_pack( + "InfobloxHTTPReqBody", + InfobloxHTTPReqBody, + "InfobloxHTTPRespBody", + InfobloxHTTPRespBody + ), + User = ActorUsername, + IpAddr = SrcIpAddr, + ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) + | extend + EventCount = toint(1), + EventProduct = "BloxOne", + 
EventVendor = "Infoblox",
+ EventSchema = "AuditEvent",
+ EventSchemaVersion = "0.1"
+ | project-away
+ Source*,
+ Destination*,
+ Device*,
+ AdditionalExtensions,
+ CommunicationDirection,
+ Protocol,
+ SimplifiedDeviceAction,
+ ExternalID,
+ EndTime,
+ FieldDevice*,
+ Flex*,
+ File*,
+ Old*,
+ MaliciousIP*,
+ OriginalLogSeverity,
+ Process*,
+ ReceivedBytes,
+ SentBytes,
+ Remote*,
+ Request*,
+ StartTime,
+ TenantId,
+ ReportReferenceLink,
+ ReceiptTime,
+ Indicator*,
+ _ResourceId,
+ ThreatConfidence,
+ ThreatDescription,
+ ThreatSeverity,
+ Computer,
+ ApplicationProtocol,
+ ExtID,
+ Reason,
+ Activity,
+ Infoblox*
+ };
+ parser(disabled=disabled, starttime=starttime, endtime=endtime, eventresult=eventresult, operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any)
diff --git a/Parsers/ASimAuditEvent/Tests/InfobloxBloxOne_ASimAuditEvent_ASimDataTester.csv b/Parsers/ASimAuditEvent/Tests/InfobloxBloxOne_ASimAuditEvent_ASimDataTester.csv
new file mode 100644
index 0000000000..ac66801d40
--- /dev/null
+++ b/Parsers/ASimAuditEvent/Tests/InfobloxBloxOne_ASimAuditEvent_ASimDataTester.csv
@@ -0,0 +1,6 @@
+Result
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 36 records (100.0%) for field [EventProduct] of type [Enumerated]: [""BloxOne""] (Schema:AuditEvent)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 36 records (100.0%) for field [EventVendor] of type [Enumerated]: [""Infoblox""] (Schema:AuditEvent)"
+"(2) Info: Empty value in 36 records (100.0%) in optional field [DvcFQDN] (Schema:AuditEvent)"
+"(2) Info: Empty value in 36 records (100.0%) in recommended field [DvcDomain] (Schema:AuditEvent)"
+"(2) Info: Empty value in 4 records (11.11%) in optional field [EventMessage] (Schema:AuditEvent)"
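Review bot: The `eventtype_in` filter is applied as `| where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))`, but the `_in` suffix on the parameter signals exact list membership, for which KQL's `in~` is the matching operator; `has_any` is term-based, so a caller passing a partial or multi-word value gets hits here that an exact-match parser would not return, and the result set differs between sources when this parser is unioned in imAuditEvent. Changing the line to `| where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))` keeps the semantics uniform and is cheap since `EventType` is computed in the preceding `extend`. Also worth checking: `eventresult` is compared against the raw `EventOutcome` and the same raw value is emitted as `EventResult` without mapping; if BloxOne does not already emit ASIM's `Success`/`Failure` vocabulary (the sample values are not visible in this hunk), both the filter and the output field will be off-schema and should go through a lookup like the one used for `EventSeverity`.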
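Review bot: This baseline records `(0) Error` lines for `EventProduct` = `BloxOne` and `EventVendor` = `Infoblox` being outside the AuditEvent enumeration, yet the same commit adds both values to the AuditEvent rows of `ASIM/dev/ASimTester/ASimTester.csv`; against the updated enumeration the data tester should no longer emit these two errors, so the recorded output (and its identical vim counterpart, `InfobloxBloxOne_vimAuditEvent_ASimDataTester.csv`) looks like it was captured before that change. If the CI compares fresh tester output to this file, the mismatch will fail the run, and if it does not, an error is being committed as expected output. Re-run the data tester against the updated ASimTester.csv and commit the regenerated results for both files.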
diff --git a/Parsers/ASimAuditEvent/Tests/InfobloxBloxOne_ASimAuditEvent_ASimSchemaTester.csv b/Parsers/ASimAuditEvent/Tests/InfobloxBloxOne_ASimAuditEvent_ASimSchemaTester.csv
new file mode 100644
index 0000000000..8e69a357e6
--- /dev/null
+++ b/Parsers/ASimAuditEvent/Tests/InfobloxBloxOne_ASimAuditEvent_ASimSchemaTester.csv
@@ -0,0 +1,96 @@ +Result +"(1) Warning: Missing recommended field [Dst]" +"(1) Warning: Missing recommended field [DvcAction]" +"(1) Warning: Missing recommended field [DvcIpAddr]" +"(1) Warning: Missing recommended field [EventResultDetails]" +"(1) Warning: Missing recommended field [EventUid]" +"(1) Warning: Missing recommended field [NewValue]" +"(1) Warning: Missing recommended field [ObjectId]" +"(1) Warning: Missing recommended field [Object]" +"(1) Warning: Missing recommended field [TargetHostname]" +"(1) Warning: Missing recommended field [TargetIpAddr]" +"(2) Info: Missing optional alias [Application] aliasing non-existent column [TargetAppName]" +"(2) Info: Missing optional alias [Process] aliasing non-existent column [ActingProcessName]" +"(2) Info: Missing optional field [ActingAppId]" +"(2) Info: Missing optional field [ActingAppName]" +"(2) Info: Missing optional field [ActingAppType]" +"(2) Info: Missing optional field [ActingOriginalAppType]" +"(2) Info: Missing optional field [ActorOriginalUserType]" +"(2) Info: Missing optional field [ActorScopeId]" +"(2) Info: Missing optional field [ActorScope]" +"(2) Info: Missing optional field [ActorSessionId]" +"(2) Info: Missing optional field [ActorUserAadId]" +"(2) Info: Missing optional field [ActorUserId]" +"(2) Info: Missing optional field [ActorUserSid]" +"(2) Info: Missing optional field [DvcDescription]" +"(2) Info: Missing optional field [DvcId]" +"(2) Info: Missing optional field [DvcInterface]" +"(2) Info: Missing optional field [DvcMacAddr]" +"(2) Info: Missing optional field [DvcOriginalAction]" +"(2) Info: Missing optional field [DvcOsVersion]" +"(2) Info: Missing optional field [DvcOs]" +"(2) Info: Missing optional field [DvcScopeId]" +"(2) Info: Missing optional field [DvcScope]" +"(2) Info: Missing optional field [DvcZone]" +"(2) Info: Missing optional field [EventOriginalResultDetails]" +"(2) Info: Missing optional field [EventOriginalSubType]" +"(2) Info: Missing optional field 
[EventOriginalUid]" +"(2) Info: Missing optional field [EventOwner]" +"(2) Info: Missing optional field [EventProductVersion]" +"(2) Info: Missing optional field [EventReportUrl]" +"(2) Info: Missing optional field [EventSubType]" +"(2) Info: Missing optional field [HttpUserAgent]" +"(2) Info: Missing optional field [OldValue]" +"(2) Info: Missing optional field [OriginalObjectType]" +"(2) Info: Missing optional field [RuleName]" +"(2) Info: Missing optional field [RuleNumber]" +"(2) Info: Missing optional field [Rule]" +"(2) Info: Missing optional field [SrcDescription]" +"(2) Info: Missing optional field [SrcDeviceType]" +"(2) Info: Missing optional field [SrcDomain]" +"(2) Info: Missing optional field [SrcDvcId]" +"(2) Info: Missing optional field [SrcDvcScopeId]" +"(2) Info: Missing optional field [SrcDvcScope]" +"(2) Info: Missing optional field [SrcFQDN]" +"(2) Info: Missing optional field [SrcGeoCity]" +"(2) Info: Missing optional field [SrcGeoCountry]" +"(2) Info: Missing optional field [SrcGeoLatitude]" +"(2) Info: Missing optional field [SrcGeoLongitude]" +"(2) Info: Missing optional field [SrcGeoRegion]" +"(2) Info: Missing optional field [SrcHostname]" +"(2) Info: Missing optional field [SrcOriginalRiskLevel]" +"(2) Info: Missing optional field [SrcPortNumber]" +"(2) Info: Missing optional field [SrcRiskLevel]" +"(2) Info: Missing optional field [TargetAppId]" +"(2) Info: Missing optional field [TargetAppName]" +"(2) Info: Missing optional field [TargetDescription]" +"(2) Info: Missing optional field [TargetDeviceType]" +"(2) Info: Missing optional field [TargetDomain]" +"(2) Info: Missing optional field [TargetDvcId]" +"(2) Info: Missing optional field [TargetDvcOs]" +"(2) Info: Missing optional field [TargetDvcScopeId]" +"(2) Info: Missing optional field [TargetDvcScope]" +"(2) Info: Missing optional field [TargetFQDN]" +"(2) Info: Missing optional field [TargetGeoCity]" +"(2) Info: Missing optional field [TargetGeoCountry]" +"(2) Info: Missing 
optional field [TargetGeoLatitude]" +"(2) Info: Missing optional field [TargetGeoLongitude]" +"(2) Info: Missing optional field [TargetGeoRegion]" +"(2) Info: Missing optional field [TargetOriginalAppType]" +"(2) Info: Missing optional field [TargetOriginalRiskLevel]" +"(2) Info: Missing optional field [TargetPortNumber]" +"(2) Info: Missing optional field [TargetRiskLevel]" +"(2) Info: Missing optional field [TargetUrl]" +"(2) Info: Missing optional field [ThreatCategory]" +"(2) Info: Missing optional field [ThreatConfidence]" +"(2) Info: Missing optional field [ThreatFirstReportedTime]" +"(2) Info: Missing optional field [ThreatId]" +"(2) Info: Missing optional field [ThreatIpAddr]" +"(2) Info: Missing optional field [ThreatIsActive]" +"(2) Info: Missing optional field [ThreatLastReportedTime]" +"(2) Info: Missing optional field [ThreatName]" +"(2) Info: Missing optional field [ThreatOriginalConfidence]" +"(2) Info: Missing optional field [ThreatOriginalRiskLevel]" +"(2) Info: Missing optional field [ThreatRiskLevel]" +"(2) Info: Missing optional field [ValueType]" +"(2) Info: Missing recommended alias [Value] aliasing non-existent column [NewValue]" diff --git a/Parsers/ASimAuditEvent/Tests/InfobloxBloxOne_vimAuditEvent_ASimDataTester.csv b/Parsers/ASimAuditEvent/Tests/InfobloxBloxOne_vimAuditEvent_ASimDataTester.csv new file mode 100644 index 0000000000..ac66801d40 --- /dev/null +++ b/Parsers/ASimAuditEvent/Tests/InfobloxBloxOne_vimAuditEvent_ASimDataTester.csv 
@@ -0,0 +1,6 @@
+Result
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 36 records (100.0%) for field [EventProduct] of type [Enumerated]: [""BloxOne""] (Schema:AuditEvent)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 36 records (100.0%) for field [EventVendor] of type [Enumerated]: [""Infoblox""] (Schema:AuditEvent)"
+"(2) Info: Empty value in 36 records (100.0%) in optional field [DvcFQDN] (Schema:AuditEvent)"
+"(2) Info: Empty value in 36 records (100.0%) in recommended field [DvcDomain] (Schema:AuditEvent)"
+"(2) Info: Empty value in 4 records (11.11%) in optional field [EventMessage] (Schema:AuditEvent)"
diff --git a/Parsers/ASimAuditEvent/Tests/InfobloxBloxOne_vimAuditEvent_ASimSchemaTester.csv b/Parsers/ASimAuditEvent/Tests/InfobloxBloxOne_vimAuditEvent_ASimSchemaTester.csv
new file mode 100644
index 0000000000..8e69a357e6
--- /dev/null
+++ b/Parsers/ASimAuditEvent/Tests/InfobloxBloxOne_vimAuditEvent_ASimSchemaTester.csv
@@ -0,0 +1,96 @@ +Result +"(1) Warning: Missing recommended field [Dst]" +"(1) Warning: Missing recommended field [DvcAction]" +"(1) Warning: Missing recommended field [DvcIpAddr]" +"(1) Warning: Missing recommended field [EventResultDetails]" +"(1) Warning: Missing recommended field [EventUid]" +"(1) Warning: Missing recommended field [NewValue]" +"(1) Warning: Missing recommended field [ObjectId]" +"(1) Warning: Missing recommended field [Object]" +"(1) Warning: Missing recommended field [TargetHostname]" +"(1) Warning: Missing recommended field [TargetIpAddr]" +"(2) Info: Missing optional alias [Application] aliasing non-existent column [TargetAppName]" +"(2) Info: Missing optional alias [Process] aliasing non-existent column [ActingProcessName]" +"(2) Info: Missing optional field [ActingAppId]" +"(2) Info: Missing optional field [ActingAppName]" +"(2) Info: Missing optional field [ActingAppType]" +"(2) Info: Missing optional field [ActingOriginalAppType]" +"(2) Info: Missing optional field [ActorOriginalUserType]" +"(2) Info: Missing optional field [ActorScopeId]" +"(2) Info: Missing optional field [ActorScope]" +"(2) Info: Missing optional field [ActorSessionId]" +"(2) Info: Missing optional field [ActorUserAadId]" +"(2) Info: Missing optional field [ActorUserId]" +"(2) Info: Missing optional field [ActorUserSid]" +"(2) Info: Missing optional field [DvcDescription]" +"(2) Info: Missing optional field [DvcId]" +"(2) Info: Missing optional field [DvcInterface]" +"(2) Info: Missing optional field [DvcMacAddr]" +"(2) Info: Missing optional field [DvcOriginalAction]" +"(2) Info: Missing optional field [DvcOsVersion]" +"(2) Info: Missing optional field [DvcOs]" +"(2) Info: Missing optional field [DvcScopeId]" +"(2) Info: Missing optional field [DvcScope]" +"(2) Info: Missing optional field [DvcZone]" +"(2) Info: Missing optional field [EventOriginalResultDetails]" +"(2) Info: Missing optional field [EventOriginalSubType]" +"(2) Info: Missing optional field 
[EventOriginalUid]" +"(2) Info: Missing optional field [EventOwner]" +"(2) Info: Missing optional field [EventProductVersion]" +"(2) Info: Missing optional field [EventReportUrl]" +"(2) Info: Missing optional field [EventSubType]" +"(2) Info: Missing optional field [HttpUserAgent]" +"(2) Info: Missing optional field [OldValue]" +"(2) Info: Missing optional field [OriginalObjectType]" +"(2) Info: Missing optional field [RuleName]" +"(2) Info: Missing optional field [RuleNumber]" +"(2) Info: Missing optional field [Rule]" +"(2) Info: Missing optional field [SrcDescription]" +"(2) Info: Missing optional field [SrcDeviceType]" +"(2) Info: Missing optional field [SrcDomain]" +"(2) Info: Missing optional field [SrcDvcId]" +"(2) Info: Missing optional field [SrcDvcScopeId]" +"(2) Info: Missing optional field [SrcDvcScope]" +"(2) Info: Missing optional field [SrcFQDN]" +"(2) Info: Missing optional field [SrcGeoCity]" +"(2) Info: Missing optional field [SrcGeoCountry]" +"(2) Info: Missing optional field [SrcGeoLatitude]" +"(2) Info: Missing optional field [SrcGeoLongitude]" +"(2) Info: Missing optional field [SrcGeoRegion]" +"(2) Info: Missing optional field [SrcHostname]" +"(2) Info: Missing optional field [SrcOriginalRiskLevel]" +"(2) Info: Missing optional field [SrcPortNumber]" +"(2) Info: Missing optional field [SrcRiskLevel]" +"(2) Info: Missing optional field [TargetAppId]" +"(2) Info: Missing optional field [TargetAppName]" +"(2) Info: Missing optional field [TargetDescription]" +"(2) Info: Missing optional field [TargetDeviceType]" +"(2) Info: Missing optional field [TargetDomain]" +"(2) Info: Missing optional field [TargetDvcId]" +"(2) Info: Missing optional field [TargetDvcOs]" +"(2) Info: Missing optional field [TargetDvcScopeId]" +"(2) Info: Missing optional field [TargetDvcScope]" +"(2) Info: Missing optional field [TargetFQDN]" +"(2) Info: Missing optional field [TargetGeoCity]" +"(2) Info: Missing optional field [TargetGeoCountry]" +"(2) Info: Missing 
optional field [TargetGeoLatitude]"
+"(2) Info: Missing optional field [TargetGeoLongitude]"
+"(2) Info: Missing optional field [TargetGeoRegion]"
+"(2) Info: Missing optional field [TargetOriginalAppType]"
+"(2) Info: Missing optional field [TargetOriginalRiskLevel]"
+"(2) Info: Missing optional field [TargetPortNumber]"
+"(2) Info: Missing optional field [TargetRiskLevel]"
+"(2) Info: Missing optional field [TargetUrl]"
+"(2) Info: Missing optional field [ThreatCategory]"
+"(2) Info: Missing optional field [ThreatConfidence]"
+"(2) Info: Missing optional field [ThreatFirstReportedTime]"
+"(2) Info: Missing optional field [ThreatId]"
+"(2) Info: Missing optional field [ThreatIpAddr]"
+"(2) Info: Missing optional field [ThreatIsActive]"
+"(2) Info: Missing optional field [ThreatLastReportedTime]"
+"(2) Info: Missing optional field [ThreatName]"
+"(2) Info: Missing optional field [ThreatOriginalConfidence]"
+"(2) Info: Missing optional field [ThreatOriginalRiskLevel]"
+"(2) Info: Missing optional field [ThreatRiskLevel]"
+"(2) Info: Missing optional field [ValueType]"
+"(2) Info: Missing recommended alias [Value] aliasing non-existent column [NewValue]"
diff --git a/Parsers/ASimDhcpEvent/Parsers/ASimDhcpEvent.yaml b/Parsers/ASimDhcpEvent/Parsers/ASimDhcpEvent.yaml
index aa35b1820a..831a35b604 100644
--- a/Parsers/ASimDhcpEvent/Parsers/ASimDhcpEvent.yaml
+++ b/Parsers/ASimDhcpEvent/Parsers/ASimDhcpEvent.yaml
@@ -22,7 +22,8 @@ ParserQuery: |
 let parser=(pack:bool=false){
 union isfuzzy=true
 vimDhcpEventEmpty,
- ASimDhcpEventNative (disabled=(ASimBuiltInDisabled or ('ExcludeASimDhcpEventNative' in (DisabledParsers))))
+ ASimDhcpEventNative (disabled=(ASimBuiltInDisabled or ('ExcludeASimDhcpEventNative' in (DisabledParsers)))),
+ ASimDhcpInfobloxBloxOne (disabled=(ASimBuiltInDisabled or ('ExcludeASimDhcpInfobloxBloxOne' in (DisabledParsers))))
 };
 parser (pack=pack)
 ParserParams:
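Review bot: The new union member is named `ASimDhcpInfobloxBloxOne` with the opt-out key `'ExcludeASimDhcpInfobloxBloxOne'` (and `_ASim_Dhcp_InfobloxBloxOne` in the next hunk), while the existing entry on the line above follows the `ASimDhcpEvent<Source>` / `_ASim_DhcpEvent_<Source>` pattern (`ASimDhcpEventNative`, `_ASim_DhcpEvent_Native`) that matches the schema name and the new file's own name, `ASimDhcpEventInfobloxBloxOne.yaml`. Because the built-in function name and the `DisabledParsers` value become a public contract once published, this is the moment to align them. I'd change this line to `ASimDhcpEventInfobloxBloxOne (disabled=(ASimBuiltInDisabled or ('ExcludeASimDhcpEventInfobloxBloxOne' in (DisabledParsers))))`, the list entry in the second hunk to `- _ASim_DhcpEvent_InfobloxBloxOne`, and the `ParserName`/`EquivalentBuiltInParser` in the new parser file to match.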
@@ -32,3 +33,4 @@ ParserParams:
 Parsers:
 - _Im_DhcpEvent_Empty
 - _ASim_DhcpEvent_Native
+ - _ASim_Dhcp_InfobloxBloxOne
diff --git a/Parsers/ASimDhcpEvent/Parsers/ASimDhcpEventInfobloxBloxOne.yaml b/Parsers/ASimDhcpEvent/Parsers/ASimDhcpEventInfobloxBloxOne.yaml
new file mode 100644
index 0000000000..ac07193de0
--- /dev/null
+++ b/Parsers/ASimDhcpEvent/Parsers/ASimDhcpEventInfobloxBloxOne.yaml
@@ -0,0 +1,133 @@
+Parser:
+ Title: Dhcp ASIM parser for Infoblox BloxOne
+ Version: '0.1.0'
+ LastUpdated: Jun 21 2024
+Product:
+ Name: Infoblox BloxOne
+Normalization:
+ Schema: Dhcp
+ Version: '0.1'
+References:
+- Title: ASIM Dhcp Schema
+ Link: https://aka.ms/ASimDhcpDoc
+- Title: ASIM
+ Link: https:/aka.ms/AboutASIM
+- Title: Infoblox BloxOne Documentation
+ Link: https://docs.infoblox.com/space/BloxOneThreatDefense
+Description: |
+ This ASIM parser supports normalizing Dhcp logs from Infoblox BloxOne to the ASIM Dhcp normalized schema. These events are captured through the Azure Monitor Agent (AMA) which are sent by the Data Connector Service of Infoblox BloxOne.
+ParserName: ASimDhcpInfobloxBloxOne
+EquivalentBuiltInParser: _ASim_Dhcp_InfobloxBloxOne
+ParserParams:
+ - Name: disabled
+ Type: bool
+ Default: false
+ParserQuery:
+ let EventSeverityLookup = datatable(LogSeverity:string, EventSeverity:string)
+ [
+ "0", "Low",
+ "1", "Low",
+ "2", "Low",
+ "3", "Low",
+ "4", "Medium",
+ "5", "Medium",
+ "6", "Medium",
+ "7", "High",
+ "8", "High",
+ "9", "High",
+ "10", "High"
+ ];
+ let parser = (disabled:bool=false) {
+ CommonSecurityLog
+ | where not(disabled)
+ and DeviceVendor == "Infoblox"
+ and DeviceEventClassID has "DHCP"
+ and ApplicationProtocol == "DHCP"
+ | parse-kv AdditionalExtensions as (InfoBloxLifeTime:int, InfoBloxClientId:string, InfobloxHost:string, InfobloxIPSpace:string, InfobloxSubnet:string, InfobloxRangeStart:string, InfobloxRangeEnd:string, InfobloxLeaseOp:string, InfobloxClientID:string, InfobloxDUID:string, InfobloxLeaseUUID:string, InfobloxFingerprintPr:string, InfobloxFingerprint:string, InfobloxDHCPOptions:string) with (pair_delimiter=";", kv_delimiter="=")
+ | lookup EventSeverityLookup on LogSeverity
+ | invoke _ASIM_ResolveSrcFQDN('SourceHostName')
+ | invoke _ASIM_ResolveDvcFQDN('InfobloxHost')
+ | project-rename
+ SrcIpAddr = SourceIP,
+ SrcMacAddr = SourceMACAddress,
+ DhcpLeaseDuration = InfoBloxLifeTime,
+ DhcpSrcDHCId 
= InfoBloxClientId,
+ EventOriginalSeverity = LogSeverity
+ | extend
+ EventEndTime = TimeGenerated,
+ EventStartTime = TimeGenerated,
+ EventType = iff(Activity has_any ("Abandon", "Delete"), "Release", "Assign"),
+ AdditionalFields = bag_pack(
+ "InfobloxIPSpace",
+ InfobloxIPSpace,
+ "InfobloxSubnet",
+ InfobloxSubnet,
+ "InfobloxRangeStart",
+ InfobloxRangeStart,
+ "InfobloxRangeEnd",
+ InfobloxRangeEnd,
+ "InfobloxLeaseOp",
+ InfobloxLeaseOp,
+ "InfobloxClientID",
+ InfobloxClientID,
+ "InfobloxDUID",
+ InfobloxDUID,
+ "InfobloxLeaseUUID",
+ InfobloxLeaseUUID,
+ "InfobloxFingerprintPr",
+ InfobloxFingerprintPr,
+ "InfobloxFingerprint",
+ InfobloxFingerprint,
+ "InfobloxDHCPOptions",
+ InfobloxDHCPOptions
+ ),
+ Duration = DhcpLeaseDuration,
+ IpAddr = SrcIpAddr
+ | extend
+ EventCount = toint(1),
+ EventProduct = "BloxOne",
+ EventVendor = "Infoblox",
+ EventResult = "Success",
+ EventSchema = "DhcpEvent",
+ EventSchemaVersion = "0.1"
+ | project-away
+ Source*,
+ Destination*,
+ Device*,
+ AdditionalExtensions,
+ CommunicationDirection,
+ EventOutcome,
+ Protocol,
+ SimplifiedDeviceAction,
+ ExternalID,
+ EndTime,
+ FieldDevice*,
+ Flex*,
+ File*,
+ Old*,
+ MaliciousIP*,
+ OriginalLogSeverity,
+ Process*,
+ ReceivedBytes,
+ SentBytes,
+ Remote*,
+ Request*,
+ StartTime,
+ TenantId,
+ ReportReferenceLink,
+ ReceiptTime,
+ Indicator*,
+ _ResourceId,
+ ThreatConfidence,
+ ThreatDescription,
+ ThreatSeverity,
+ Computer,
+ ApplicationProtocol,
+ CollectorHostName,
+ ExtID,
+ Reason,
+ Message,
+ Activity,
+ Infoblox*
+ };
+ parser(disabled=disabled)
\ No newline at end of file
diff --git a/Parsers/ASimDhcpEvent/Parsers/imDhcpEvent.yaml b/Parsers/ASimDhcpEvent/Parsers/imDhcpEvent.yaml
index fb5bba8c01..1398004e4a 100644
--- a/Parsers/ASimDhcpEvent/Parsers/imDhcpEvent.yaml
+++ b/Parsers/ASimDhcpEvent/Parsers/imDhcpEvent.yaml
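Review bot: The two keys that feed `DhcpLeaseDuration` and `DhcpSrcDHCId` are spelled `InfoBloxLifeTime` and `InfoBloxClientId` in the `parse-kv` list, while every other key in the same list (and the separately parsed `InfobloxClientID`) uses `Infoblox…`; the data tester added in this commit reports both fields empty in 100% of records, which is consistent with those keys never matching the extension names the connector emits, so the spelling should be checked against a raw `AdditionalExtensions` sample. The same tester reports an error for `SrcFQDN` because `SourceHostName` arrives with a trailing dot (`win-r7j2mdoio5c.`), which `_ASIM_ResolveSrcFQDN` then copies into an invalid FQDN; the DNS parser in this PR already strips the trailing dot from `DnsQuery`, and the same treatment before the resolve call, `| extend SourceHostName = trim_end(@'\.$', SourceHostName)`, would clear the error and make `SrcHostname` consistent with `SrcFQDN`. Separately, `ParserQuery:` here has no `|` block-scalar indicator, unlike `ParserQuery: |` in vimDhcpEventInfobloxBloxOne.yaml and the other parser files in this PR, so the KQL is read as a plain multi-line scalar rather than a literal block; ASimDnsInfobloxBloxOne.yaml has the same omission. Both key-spelling and trailing-dot points apply equally to the `parse-kv` and `_ASIM_ResolveSrcFQDN` lines of vimDhcpEventInfobloxBloxOne.yaml.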
@@ -55,9 +55,11 @@ ParserQuery: |
 {
 union isfuzzy=true
 vimDhcpEventEmpty,
- vimDhcpEventNative (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, srcusername_has_any=srcusername_has_any, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimDhcpEventNative' in (DisabledParsers))))
+ vimDhcpEventNative (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, srcusername_has_any=srcusername_has_any, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimDhcpEventNative' in (DisabledParsers)))),
+ vimDhcpEventInfobloxBloxOne (starttime = starttime, endtime = endtime, srcipaddr_has_any_prefix = srcipaddr_has_any_prefix, srchostname_has_any = srchostname_has_any, srcusername_has_any = , eventresult = eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimDhcpEventInfobloxBloxOne' in (DisabledParsers))))
 };
 parser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, srcusername_has_any=srcusername_has_any, eventresult=eventresult, pack=pack)
 Parsers:
 - _Im_DhcpEvent_Empty
 - _Im_DhcpEvent_Native
+ - _Im_DhcpEvent_InfobloxBloxOne
diff --git a/Parsers/ASimDhcpEvent/Parsers/vimDhcpEventInfobloxBloxOne.yaml b/Parsers/ASimDhcpEvent/Parsers/vimDhcpEventInfobloxBloxOne.yaml
new file mode 100644
index 0000000000..f577579911
--- /dev/null
+++ b/Parsers/ASimDhcpEvent/Parsers/vimDhcpEventInfobloxBloxOne.yaml
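Review bot: The added `vimDhcpEventInfobloxBloxOne (...)` call passes an empty argument, `srcusername_has_any = ,`, which is a KQL syntax error; because this is one branch of the `union isfuzzy=true` in the shared `imDhcpEvent` parser, it would break the unifying parser for every DHCP source, not just Infoblox. It should read `srcusername_has_any = srcusername_has_any,`. While touching the line, using the same `name=value` spacing as the `vimDhcpEventNative` line above keeps the two entries visually aligned. The enclosing `parser` function's header is outside this hunk.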
@@ -0,0 +1,173 @@
+Parser:
+ Title: Dhcp ASIM parser for Infoblox BloxOne
+ Version: '0.1.0'
+ LastUpdated: Jun 21 2024
+Product:
+ Name: Infoblox BloxOne
+Normalization:
+ Schema: Dhcp
+ Version: '0.1'
+References:
+- Title: ASIM Dhcp Schema
+ Link: https://aka.ms/ASimDhcpDoc
+- Title: ASIM
+ Link: https:/aka.ms/AboutASIM
+- Title: Infoblox BloxOne Documentation
+ Link: https://docs.infoblox.com/space/BloxOneThreatDefense
+Description: |
+ This ASIM parser supports normalizing Dhcp logs from Infoblox BloxOne to the ASIM Dhcp normalized schema. These events are captured through the Azure Monitor Agent (AMA) which are sent by the Data Connector Service of Infoblox BloxOne.
+ParserName: vimDhcpEventInfobloxBloxOne
+EquivalentBuiltInParser: _Im_DhcpEvent_InfobloxBloxOne
+ParserParams:
+ - Name: starttime
+ Type: datetime
+ Default: datetime(null)
+ - Name: endtime
+ Type: datetime
+ Default: datetime(null)
+ - Name: srcipaddr_has_any_prefix
+ Type: dynamic
+ Default: dynamic([])
+ - Name: srchostname_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: srcusername_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: eventresult
+ Type: string
+ Default: '*'
+ - Name: disabled
+ Type: bool
+ Default: false
+ParserQuery: |
+ let EventSeverityLookup = datatable(LogSeverity:string, EventSeverity:string)
+ [
+ "0", "Low",
+ "1", "Low",
+ "2", "Low",
+ "3", "Low",
+ "4", "Medium",
+ "5", "Medium",
+ "6", "Medium",
+ "7", "High",
+ "8", "High",
+ "9", "High",
+ "10", "High"
+ ];
+ let parser = (
+ starttime:datetime=datetime(null),
+ endtime:datetime=datetime(null),
+ srcipaddr_has_any_prefix:dynamic=dynamic([]),
+ srchostname_has_any:dynamic=dynamic([]),
+ srcusername_has_any:dynamic=dynamic([]),
+ eventresult:string='*',
+ disabled:bool=false
+ ) {
+ CommonSecurityLog
+ | where not(disabled)
+ and (isnull(starttime) or TimeGenerated >= starttime)
+ and (isnull(endtime) or TimeGenerated <= endtime)
+ and DeviceVendor == "Infoblox"
+ and DeviceEventClassID has "DHCP"
+ and ApplicationProtocol == "DHCP"
+ and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))
+ and (array_length(srchostname_has_any) == 0 or (SourceHostName has_any (srchostname_has_any)))
+ and array_length(srcusername_has_any) == 0
+ and ((eventresult == "*") or (eventresult == "Success"))
+ | parse-kv AdditionalExtensions as (InfoBloxLifeTime:int, InfoBloxClientId:string, InfobloxHost:string, InfobloxIPSpace:string, InfobloxSubnet:string, InfobloxRangeStart:string, InfobloxRangeEnd:string, InfobloxLeaseOp:string, InfobloxClientID:string, InfobloxDUID:string, InfobloxLeaseUUID:string, InfobloxFingerprintPr:string, InfobloxFingerprint:string, InfobloxDHCPOptions:string) with (pair_delimiter=";", kv_delimiter="=")
+ | lookup EventSeverityLookup on LogSeverity
+ | invoke _ASIM_ResolveSrcFQDN('SourceHostName')
+ | invoke _ASIM_ResolveDvcFQDN('InfobloxHost')
+ | project-rename
+ SrcIpAddr = SourceIP,
+ SrcMacAddr = SourceMACAddress,
+ DhcpLeaseDuration = InfoBloxLifeTime,
+ DhcpSrcDHCId = InfoBloxClientId,
+ EventOriginalSeverity = LogSeverity
+ | extend
+ EventEndTime = TimeGenerated,
+ EventStartTime = TimeGenerated,
+ EventType = iff(Activity has_any ("Abandon", "Delete"), "Release", "Assign"),
+ AdditionalFields = bag_pack(
+ "InfobloxIPSpace",
+ InfobloxIPSpace,
+ "InfobloxSubnet",
+ InfobloxSubnet,
+ "InfobloxRangeStart",
+ InfobloxRangeStart,
+ "InfobloxRangeEnd",
+ InfobloxRangeEnd,
+ "InfobloxLeaseOp",
+ InfobloxLeaseOp,
+ "InfobloxClientID",
+ InfobloxClientID,
+ "InfobloxDUID",
+ InfobloxDUID,
+ "InfobloxLeaseUUID",
+ InfobloxLeaseUUID,
+ "InfobloxFingerprintPr",
+ InfobloxFingerprintPr,
+ "InfobloxFingerprint",
+ InfobloxFingerprint,
+ "InfobloxDHCPOptions",
+ InfobloxDHCPOptions
+ ),
+ Duration = DhcpLeaseDuration,
+ IpAddr = SrcIpAddr
+ | extend
+ EventCount = toint(1),
+ EventProduct = "BloxOne",
+ EventVendor = "Infoblox",
+ EventResult = "Success",
+ EventSchema = "DhcpEvent",
+ EventSchemaVersion 
= "0.1"
+ | project-away
+ Source*,
+ Destination*,
+ Device*,
+ AdditionalExtensions,
+ CommunicationDirection,
+ EventOutcome,
+ Protocol,
+ SimplifiedDeviceAction,
+ ExternalID,
+ EndTime,
+ FieldDevice*,
+ Flex*,
+ File*,
+ Old*,
+ MaliciousIP*,
+ OriginalLogSeverity,
+ Process*,
+ ReceivedBytes,
+ SentBytes,
+ Remote*,
+ Request*,
+ StartTime,
+ TenantId,
+ ReportReferenceLink,
+ ReceiptTime,
+ Indicator*,
+ _ResourceId,
+ ThreatConfidence,
+ ThreatDescription,
+ ThreatSeverity,
+ Computer,
+ ApplicationProtocol,
+ CollectorHostName,
+ ExtID,
+ Reason,
+ Message,
+ Activity,
+ Infoblox*
+ };
+ parser (
+ starttime = starttime,
+ endtime = endtime,
+ srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,
+ srchostname_has_any = srchostname_has_any,
+ srcusername_has_any = srcusername_has_any,
+ eventresult = eventresult,
+ disabled = disabled
+ )
\ No newline at end of file
diff --git a/Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_ASimDhcpEvent_ASimDataTester.csv b/Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_ASimDhcpEvent_ASimDataTester.csv
new file mode 100644
index 0000000000..0622706279
--- /dev/null
+++ b/Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_ASimDhcpEvent_ASimDataTester.csv
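Review bot: The filter `and array_length(srcusername_has_any) == 0` is correct for a source that carries no username (any username filter can only match nothing), but nothing in the file says so, and a reader comparing it with the `srchostname_has_any` line above will read it as an unfinished predicate; a short comment such as `// BloxOne DHCP events carry no username, so any username filter yields no rows` would settle that. The `References` entry `https:/aka.ms/AboutASIM` is missing a slash and is copied into all four new parser files in this PR. Both points are documentation only; the `parser` function is fully contained in this hunk.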
@@ -0,0 +1,11 @@ +Result +"(0) Error: 10 invalid value(s) (up to 10 listed) in 94 records (9.4%) for field [SrcFQDN] of type [FQDN]: [""win-r7j2mdoio5c."",""win-gja1jutr15t."",""desktop-neagfkt."",""win-l1e9san4nkk."",""desktop-b8j7ka5."",""win-bmef6ak43fb."",""win-rghei85506n."",""win-9f21ldvoksh."",""win-aa8fe0tq3ri."",""desktop-rkkf54k.""] (Schema:DhcpEvent)" +"(1) Warning: Empty value in 1000 records (100.0%) in mandatory field [EventCount] (Schema:DhcpEvent)" +"(1) Warning: Empty value in 129 records (12.9%) in mandatory field [SrcHostname] (Schema:DhcpEvent)" +"(2) Info: Empty value in 1000 records (100.0%) in optional field [DhcpLeaseDuration] (Schema:DhcpEvent)" +"(2) Info: Empty value in 1000 records (100.0%) in optional field [DhcpSrcDHCId] (Schema:DhcpEvent)" +"(2) Info: Empty value in 1000 records (100.0%) in optional field [DvcFQDN] (Schema:DhcpEvent)" +"(2) Info: Empty value in 1000 records (100.0%) in recommended field [DvcDomain] (Schema:DhcpEvent)" +"(2) Info: Empty value in 1000 records (100.0%) in recommended field [DvcHostname] (Schema:DhcpEvent)" +"(2) Info: Empty value in 1000 records (100.0%) in recommended field [SrcDomain] (Schema:DhcpEvent)" +"(2) Info: Empty value in 906 records (90.6%) in optional field [SrcFQDN] (Schema:DhcpEvent)" diff --git a/Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_ASimDhcpEvent_ASimSchemaTester.csv b/Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_ASimDhcpEvent_ASimSchemaTester.csv new file mode 100644 index 0000000000..24b1a589a9 --- /dev/null +++ b/Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_ASimDhcpEvent_ASimSchemaTester.csv 
@@ -0,0 +1,73 @@ +Result +"(1) Warning: Missing recommended field [Dst]" +"(1) Warning: Missing recommended field [DvcAction]" +"(1) Warning: Missing recommended field [DvcIpAddr]" +"(1) Warning: Missing recommended field [EventResultDetails]" +"(1) Warning: Missing recommended field [EventUid]" +"(1) Warning: Missing recommended field [Src]" +"(2) Info: Missing optional alias [Hostname] aliasing non-existent column [DstHostname]" +"(2) Info: Missing optional alias [Rule] aliasing non-existent column [RuleName]" +"(2) Info: Missing optional alias [SessionId] aliasing non-existent column [DhcpSessionId]" +"(2) Info: Missing optional alias [Username] aliasing non-existent column [SrcUsername]" +"(2) Info: Missing optional field [DhcpCircuitId]" +"(2) Info: Missing optional field [DhcpSessionDuration]" +"(2) Info: Missing optional field [DhcpSessionId]" +"(2) Info: Missing optional field [DhcpSubscriberId]" +"(2) Info: Missing optional field [DhcpUserClassId]" +"(2) Info: Missing optional field [DhcpUserClass]" +"(2) Info: Missing optional field [DhcpVendorClassId]" +"(2) Info: Missing optional field [DhcpVendorClass]" +"(2) Info: Missing optional field [DvcDescription]" +"(2) Info: Missing optional field [DvcId]" +"(2) Info: Missing optional field [DvcInterface]" +"(2) Info: Missing optional field [DvcMacAddr]" +"(2) Info: Missing optional field [DvcOriginalAction]" +"(2) Info: Missing optional field [DvcOsVersion]" +"(2) Info: Missing optional field [DvcOs]" +"(2) Info: Missing optional field [DvcScopeId]" +"(2) Info: Missing optional field [DvcScope]" +"(2) Info: Missing optional field [DvcZone]" +"(2) Info: Missing optional field [EventMessage]" +"(2) Info: Missing optional field [EventOriginalResultDetails]" +"(2) Info: Missing optional field [EventOriginalSubType]" +"(2) Info: Missing optional field [EventOriginalType]" +"(2) Info: Missing optional field [EventOriginalUid]" +"(2) Info: Missing optional field [EventOwner]" +"(2) Info: Missing optional field 
[EventProductVersion]" +"(2) Info: Missing optional field [EventReportUrl]" +"(2) Info: Missing optional field [EventSubType]" +"(2) Info: Missing optional field [RequestedIpAddr]" +"(2) Info: Missing optional field [RuleName]" +"(2) Info: Missing optional field [RuleNumber]" +"(2) Info: Missing optional field [SrcDescription]" +"(2) Info: Missing optional field [SrcDeviceType]" +"(2) Info: Missing optional field [SrcDvcId]" +"(2) Info: Missing optional field [SrcDvcScopeId]" +"(2) Info: Missing optional field [SrcDvcScope]" +"(2) Info: Missing optional field [SrcGeoCity]" +"(2) Info: Missing optional field [SrcGeoCountry]" +"(2) Info: Missing optional field [SrcGeoLatitude]" +"(2) Info: Missing optional field [SrcGeoLongitude]" +"(2) Info: Missing optional field [SrcGeoRegion]" +"(2) Info: Missing optional field [SrcOriginalRiskLevel]" +"(2) Info: Missing optional field [SrcOriginalUserType]" +"(2) Info: Missing optional field [SrcPortNumber]" +"(2) Info: Missing optional field [SrcRiskLevel]" +"(2) Info: Missing optional field [SrcUserId]" +"(2) Info: Missing optional field [SrcUserScopeId]" +"(2) Info: Missing optional field [SrcUserScope]" +"(2) Info: Missing optional field [SrcUserSessionId]" +"(2) Info: Missing optional field [SrcUserType]" +"(2) Info: Missing optional field [SrcUserUid]" +"(2) Info: Missing optional field [SrcUsername]" +"(2) Info: Missing optional field [ThreatCategory]" +"(2) Info: Missing optional field [ThreatConfidence]" +"(2) Info: Missing optional field [ThreatField]" +"(2) Info: Missing optional field [ThreatFirstReportedTime]" +"(2) Info: Missing optional field [ThreatId]" +"(2) Info: Missing optional field [ThreatIsActive]" +"(2) Info: Missing optional field [ThreatLastReportedTime]" +"(2) Info: Missing optional field [ThreatName]" +"(2) Info: Missing optional field [ThreatOriginalConfidence]" +"(2) Info: Missing optional field [ThreatOriginalRiskLevel]" +"(2) Info: Missing optional field [ThreatRiskLevel]" 
diff --git a/Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_vimDhcpEvent_ASimDataTester.csv b/Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_vimDhcpEvent_ASimDataTester.csv new file mode 100644 index 0000000000..0622706279 --- /dev/null +++ b/Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_vimDhcpEvent_ASimDataTester.csv @@ -0,0 +1,11 @@ +Result +"(0) Error: 10 invalid value(s) (up to 10 listed) in 94 records (9.4%) for field [SrcFQDN] of type [FQDN]: [""win-r7j2mdoio5c."",""win-gja1jutr15t."",""desktop-neagfkt."",""win-l1e9san4nkk."",""desktop-b8j7ka5."",""win-bmef6ak43fb."",""win-rghei85506n."",""win-9f21ldvoksh."",""win-aa8fe0tq3ri."",""desktop-rkkf54k.""] (Schema:DhcpEvent)" +"(1) Warning: Empty value in 1000 records (100.0%) in mandatory field [EventCount] (Schema:DhcpEvent)" +"(1) Warning: Empty value in 129 records (12.9%) in mandatory field [SrcHostname] (Schema:DhcpEvent)" +"(2) Info: Empty value in 1000 records (100.0%) in optional field [DhcpLeaseDuration] (Schema:DhcpEvent)" +"(2) Info: Empty value in 1000 records (100.0%) in optional field [DhcpSrcDHCId] (Schema:DhcpEvent)" +"(2) Info: Empty value in 1000 records (100.0%) in optional field [DvcFQDN] (Schema:DhcpEvent)" +"(2) Info: Empty value in 1000 records (100.0%) in recommended field [DvcDomain] (Schema:DhcpEvent)" +"(2) Info: Empty value in 1000 records (100.0%) in recommended field [DvcHostname] (Schema:DhcpEvent)" +"(2) Info: Empty value in 1000 records (100.0%) in recommended field [SrcDomain] (Schema:DhcpEvent)" +"(2) Info: Empty value in 906 records (90.6%) in optional field [SrcFQDN] (Schema:DhcpEvent)" diff --git a/Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_vimDhcpEvent_ASimSchemaTester.csv b/Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_vimDhcpEvent_ASimSchemaTester.csv new file mode 100644 index 0000000000..24b1a589a9 --- /dev/null +++ b/Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_vimDhcpEvent_ASimSchemaTester.csv 
@@ -0,0 +1,73 @@ +Result +"(1) Warning: Missing recommended field [Dst]" +"(1) Warning: Missing recommended field [DvcAction]" +"(1) Warning: Missing recommended field [DvcIpAddr]" +"(1) Warning: Missing recommended field [EventResultDetails]" +"(1) Warning: Missing recommended field [EventUid]" +"(1) Warning: Missing recommended field [Src]" +"(2) Info: Missing optional alias [Hostname] aliasing non-existent column [DstHostname]" +"(2) Info: Missing optional alias [Rule] aliasing non-existent column [RuleName]" +"(2) Info: Missing optional alias [SessionId] aliasing non-existent column [DhcpSessionId]" +"(2) Info: Missing optional alias [Username] aliasing non-existent column [SrcUsername]" +"(2) Info: Missing optional field [DhcpCircuitId]" +"(2) Info: Missing optional field [DhcpSessionDuration]" +"(2) Info: Missing optional field [DhcpSessionId]" +"(2) Info: Missing optional field [DhcpSubscriberId]" +"(2) Info: Missing optional field [DhcpUserClassId]" +"(2) Info: Missing optional field [DhcpUserClass]" +"(2) Info: Missing optional field [DhcpVendorClassId]" +"(2) Info: Missing optional field [DhcpVendorClass]" +"(2) Info: Missing optional field [DvcDescription]" +"(2) Info: Missing optional field [DvcId]" +"(2) Info: Missing optional field [DvcInterface]" +"(2) Info: Missing optional field [DvcMacAddr]" +"(2) Info: Missing optional field [DvcOriginalAction]" +"(2) Info: Missing optional field [DvcOsVersion]" +"(2) Info: Missing optional field [DvcOs]" +"(2) Info: Missing optional field [DvcScopeId]" +"(2) Info: Missing optional field [DvcScope]" +"(2) Info: Missing optional field [DvcZone]" +"(2) Info: Missing optional field [EventMessage]" +"(2) Info: Missing optional field [EventOriginalResultDetails]" +"(2) Info: Missing optional field [EventOriginalSubType]" +"(2) Info: Missing optional field [EventOriginalType]" +"(2) Info: Missing optional field [EventOriginalUid]" +"(2) Info: Missing optional field [EventOwner]" +"(2) Info: Missing optional field 
[EventProductVersion]" +"(2) Info: Missing optional field [EventReportUrl]" +"(2) Info: Missing optional field [EventSubType]" +"(2) Info: Missing optional field [RequestedIpAddr]" +"(2) Info: Missing optional field [RuleName]" +"(2) Info: Missing optional field [RuleNumber]" +"(2) Info: Missing optional field [SrcDescription]" +"(2) Info: Missing optional field [SrcDeviceType]" +"(2) Info: Missing optional field [SrcDvcId]" +"(2) Info: Missing optional field [SrcDvcScopeId]" +"(2) Info: Missing optional field [SrcDvcScope]" +"(2) Info: Missing optional field [SrcGeoCity]" +"(2) Info: Missing optional field [SrcGeoCountry]" +"(2) Info: Missing optional field [SrcGeoLatitude]" +"(2) Info: Missing optional field [SrcGeoLongitude]" +"(2) Info: Missing optional field [SrcGeoRegion]" +"(2) Info: Missing optional field [SrcOriginalRiskLevel]" +"(2) Info: Missing optional field [SrcOriginalUserType]" +"(2) Info: Missing optional field [SrcPortNumber]" +"(2) Info: Missing optional field [SrcRiskLevel]" +"(2) Info: Missing optional field [SrcUserId]" +"(2) Info: Missing optional field [SrcUserScopeId]" +"(2) Info: Missing optional field [SrcUserScope]" +"(2) Info: Missing optional field [SrcUserSessionId]" +"(2) Info: Missing optional field [SrcUserType]" +"(2) Info: Missing optional field [SrcUserUid]" +"(2) Info: Missing optional field [SrcUsername]" +"(2) Info: Missing optional field [ThreatCategory]" +"(2) Info: Missing optional field [ThreatConfidence]" +"(2) Info: Missing optional field [ThreatField]" +"(2) Info: Missing optional field [ThreatFirstReportedTime]" +"(2) Info: Missing optional field [ThreatId]" +"(2) Info: Missing optional field [ThreatIsActive]" +"(2) Info: Missing optional field [ThreatLastReportedTime]" +"(2) Info: Missing optional field [ThreatName]" +"(2) Info: Missing optional field [ThreatOriginalConfidence]" +"(2) Info: Missing optional field [ThreatOriginalRiskLevel]" +"(2) Info: Missing optional field [ThreatRiskLevel]" 
diff --git a/Parsers/ASimDns/Parsers/ASimDns.yaml b/Parsers/ASimDns/Parsers/ASimDns.yaml
index abe4efc755..e1dc2f7fd9 100644
--- a/Parsers/ASimDns/Parsers/ASimDns.yaml
+++ b/Parsers/ASimDns/Parsers/ASimDns.yaml
@@ -32,6 +32,7 @@ Parsers:
 - _ASim_Dns_SentinelOne
 - _ASim_Dns_VectraAI
 - _ASim_Dns_ZscalerZIA
+ - _ASim_Dns_InfobloxBloxOne
 ParserParams:
 - Name: pack
 Type: bool
@@ -54,4 +55,5 @@ ParserQuery: |
 ASimDnsNative (imDnsBuiltInDisabled or ('ExcludeASimDnsNative' in (DisabledParsers) )),
 ASimDnsSentinelOne (imDnsBuiltInDisabled or ('ExcludeASimDnsSentinelOne' in (DisabledParsers) )),
 ASimDnsVectraAI (imDnsBuiltInDisabled or ('ExcludeASimDnsVectraAI' in (DisabledParsers) )),
- ASimDnsZscalerZIA (imDnsBuiltInDisabled or ('ExcludeASimDnsZscalerZIA' in (DisabledParsers) ))
\ No newline at end of file
+ ASimDnsZscalerZIA (imDnsBuiltInDisabled or ('ExcludeASimDnsZscalerZIA' in (DisabledParsers) )),
+ ASimDnsInfobloxBloxOne (imDnsBuiltInDisabled or ('ExcludeASimDnsInfobloxBloxOne' in (DisabledParsers) ))
\ No newline at end of file
diff --git a/Parsers/ASimDns/Parsers/ASimDnsInfobloxBloxOne.yaml b/Parsers/ASimDns/Parsers/ASimDnsInfobloxBloxOne.yaml
new file mode 100644
index 0000000000..692f5bdb3f
--- /dev/null
+++ b/Parsers/ASimDns/Parsers/ASimDnsInfobloxBloxOne.yaml
@@ -0,0 +1,227 @@
+Parser:
+ Title: Dns ASIM parser for Infoblox BloxOne
+ Version: '0.1.0'
+ LastUpdated: Jun 21 2024
+Product:
+ Name: Infoblox BloxOne
+Normalization:
+ Schema: Dns
+ Version: '0.1.7'
+References:
+- Title: ASIM Dns Schema
+ Link: https://aka.ms/ASimDnsDoc
+- Title: ASIM
+ Link: https:/aka.ms/AboutASIM
+- Title: Infoblox BloxOne Documentation
+ Link: https://docs.infoblox.com/space/BloxOneThreatDefense
+Description: |
+ This ASIM parser supports normalizing Dns logs from Infoblox BloxOne to the ASIM Dns normalized schema. These events are captured through the Azure Monitor Agent (AMA) which are sent by the Data Connector Service of Infoblox BloxOne.
+ParserName: ASimDnsInfobloxBloxOne
+EquivalentBuiltInParser: _ASim_Dns_InfobloxBloxOne
+ParserParams:
+ - Name: disabled
+ Type: bool
+ Default: false
+ParserQuery:
+ let EventSeverityLookup = datatable(LogSeverity:string, EventSeverity:string)
+ [
+ "0", "Low",
+ "1", "Low",
+ "2", "Low",
+ "3", "Low",
+ "4", "Medium",
+ "5", "Medium",
+ "6", "Medium",
+ "7", "High",
+ "8", "High",
+ "9", "High",
+ "10", "High"
+ ];
+ let DnsQueryTypeLookup = datatable(DnsQueryTypeName:string, DnsQueryType:int)
+ [
+ "A", 1,
+ "NS", 2,
+ "MD", 3,
+ "MF", 4,
+ "CNAME", 5,
+ "SOA", 6,
+ "MB", 7,
+ "MG", 8,
+ "MR", 9,
+ "NULL", 10,
+ "WKS", 11,
+ "PTR", 12,
+ "HINFO", 13,
+ "MINFO", 14,
+ "MX", 15,
+ "TXT", 16,
+ "RP", 17,
+ "AFSDB", 18,
+ "X25", 19,
+ "ISDN", 20,
+ "RT", 21,
+ "NSAP", 22,
+ "NSAPPTR", 23,
+ "SIG", 24,
+ "KEY", 25,
+ "PX", 26,
+ "GPOS", 27,
+ "AAAA", 28,
+ "LOC", 29,
+ "NXT", 30,
+ "EID", 31,
+ "NIMLOC", 32,
+ "SRV", 33,
+ "ATMA", 34,
+ "NAPTR", 35,
+ "KX", 36,
+ "CERT", 37,
+ "A6", 38,
+ "DNAME", 39,
+ "SINK", 40,
+ "OPT", 41,
+ "APL", 42,
+ "DS", 43,
+ "SSHFP", 44,
+ "IPSECKEY", 45,
+ "RRSIG", 46,
+ "NSEC", 47,
+ "DNSKEY", 48,
+ "DHCID", 49,
+ "NSEC3", 50,
+ "NSEC3PARAM", 51,
+ "TLSA", 52,
+ "SMIMEA", 53,
+ "HIP", 55,
+ "NINFO", 56,
+ "RKEY", 57,
+ "TALINK", 58,
+ "CDS", 59,
+ "CDNSKEY", 60,
+ 
"OPENPGPKEY", 61,
+ "CSYNC", 62,
+ "ZONEMD", 63,
+ "SVCB", 64,
+ "HTTPS", 65,
+ "SPF", 99,
+ "UINFO", 100,
+ "UID", 101,
+ "GID", 102,
+ "UNSPEC", 103,
+ "TKEY", 249,
+ "TSIG", 250,
+ "IXFR", 251,
+ "MAILB", 253,
+ "MAILA", 254,
+ "ANY", 255,
+ "URI", 256,
+ "CAA", 257,
+ "TA", 32768,
+ "DLV", 32769
+ ];
+ let DnsResponseCodeLookup = datatable(EventResultDetails:string, DnsResponseCode:int)
+ [
+ "NOERROR", 0,
+ "FORMERR", 1,
+ "SERVFAIL", 2,
+ "NXDOMAIN", 3,
+ "NOTIMPL", 4,
+ "REFUSED", 5,
+ "YXDOMAIN", 6,
+ "YXRRSET", 7,
+ "NXRRSET", 8,
+ "NOTAUTH", 9,
+ "NOTZONE", 10,
+ "DSOTYPENI", 11,
+ "RESERVED12", 12,
+ "RESERVED13", 13,
+ "RESERVED14", 14,
+ "RESERVED15", 15,
+ "BADVERS", 16,
+ "BADKEY", 17,
+ "BADTIME", 18,
+ "BADMODE", 19,
+ "BADNAME", 20,
+ "BADALG", 21,
+ "BADTRUNC", 22,
+ "BADCOOKIE", 23,
+ ];
+ let parser = (disabled:bool=false) {
+ CommonSecurityLog
+ | where not(disabled) and DeviceVendor == "Infoblox" and DeviceEventClassID has "DNS"
+ | parse-kv AdditionalExtensions as (InfobloxDNSRCode:string, InfobloxDNSQType:string) with (pair_delimiter=";", kv_delimiter="=")
+ | project-rename
+ EventResultDetails = InfobloxDNSRCode,
+ DnsQueryTypeName = InfobloxDNSQType
+ | extend DnsQueryTypeName = tostring(split(DnsQueryTypeName, ' ')[0])
+ | lookup EventSeverityLookup on LogSeverity
+ | lookup DnsQueryTypeLookup on DnsQueryTypeName
+ | lookup DnsResponseCodeLookup on EventResultDetails
+ | invoke _ASIM_ResolveDvcFQDN('DeviceName')
+ | project-rename
+ DnsQuery = DestinationDnsDomain,
+ DvcIpAddr = DeviceAddress,
+ SrcIpAddr = SourceIP,
+ EventMessage = Message,
+ EventOriginalSeverity = LogSeverity,
+ EventOriginalType = Activity,
+ SrcUsername = SourceUserName,
+ SrcPortNumber = SourcePort
+ | extend
+ Dvc = coalesce(DvcHostname, DvcIpAddr),
+ EventEndTime = TimeGenerated,
+ EventResult = iff(EventResultDetails == "NOERROR", "Success", "Failure"),
+ DnsQuery = iff(substring(DnsQuery, strlen(DnsQuery) - 1, 1) == ".", substring(DnsQuery, 0, 
strlen(DnsQuery) - 1), DnsQuery),
+ EventStartTime = TimeGenerated,
+ Src = SrcIpAddr,
+ SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),
+ DnsResponseCodeName = EventResultDetails,
+ IpAddr = SrcIpAddr,
+ User = SrcUsername
+ | extend Domain = DnsQuery
+ | extend
+ EventCount = toint(1),
+ EventSchema = "Dns",
+ EventSchemaVersion = "0.1.7",
+ EventProduct = "BloxOne",
+ EventVendor = "Infoblox",
+ EventType = "Query",
+ DnsQueryClass = toint(1),
+ DnsQueryClassName = "IN"
+ | project-away
+ Source*,
+ Destination*,
+ Device*,
+ AdditionalExtensions,
+ CommunicationDirection,
+ EventOutcome,
+ Protocol,
+ SimplifiedDeviceAction,
+ ExternalID,
+ EndTime,
+ FieldDevice*,
+ Flex*,
+ File*,
+ Old*,
+ MaliciousIP*,
+ OriginalLogSeverity,
+ Process*,
+ ReceivedBytes,
+ SentBytes,
+ Remote*,
+ Request*,
+ StartTime,
+ TenantId,
+ ReportReferenceLink,
+ ReceiptTime,
+ Indicator*,
+ _ResourceId,
+ ThreatConfidence,
+ ThreatDescription,
+ ThreatSeverity,
+ Computer,
+ ApplicationProtocol,
+ ExtID,
+ Reason
+ };
+ parser(disabled=disabled)
\ No newline at end of file
diff --git a/Parsers/ASimDns/Parsers/imDns.yaml b/Parsers/ASimDns/Parsers/imDns.yaml
index 6e06745da6..a8f5b938d6 100644
--- a/Parsers/ASimDns/Parsers/imDns.yaml
+++ b/Parsers/ASimDns/Parsers/imDns.yaml
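Review bot: The `project-away` list discards `ThreatConfidence`, `ThreatDescription` and `ThreatSeverity` from CommonSecurityLog without mapping them, even though the file's own reference link points at BloxOne Threat Defense documentation and the schema tester for this parser lists every ASIM `Threat*` field as missing; if those columns are populated for Threat Defense DNS events, mapping them (for example `ThreatOriginalConfidence = ThreatConfidence`, `ThreatOriginalRiskLevel = ThreatSeverity`) before the project-away would keep the detection context analysts rely on, so please confirm against sample data rather than dropping them by default. `EventResult = iff(EventResultDetails == "NOERROR", "Success", "Failure")` also classifies a record whose `InfobloxDNSRCode` key is absent (empty `EventResultDetails`) as `Failure`; if such records occur, a comment stating that this is intended, or a `coalesce`/`isempty` guard, would avoid misleading result counts. The trailing comma after `"BADCOOKIE", 23,` in `DnsResponseCodeLookup` is inconsistent with the other two `datatable` literals in this file and is worth removing. The `parser` function is fully contained in this hunk.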
@@ -62,7 +62,8 @@ ParserQuery: |
 vimDnsNative ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsNative' in (DisabledParsers) ))),
 vimDnsSentinelOne ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsSentinelOne' in (DisabledParsers) ))),
 vimDnsVectraAI ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsVectraAI' in (DisabledParsers) ))),
- vimDnsZscalerZIA ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsZscalerZIA' in (DisabledParsers) )))
+ vimDnsZscalerZIA ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsZscalerZIA' in (DisabledParsers) ))),
+ vimDnsInfobloxBloxOne ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsInfobloxBloxOne' in (DisabledParsers) )))
 };
 Generic( starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, pack=pack)
 EquivalentBuiltInParser: _Im_Dns
@@ -82,3 +83,4 @@ Parsers:
 - _Im_Dns_SentinelOne
 - _Im_Dns_VectraAI
 - _Im_Dns_ZscalerZIA
+ - _Im_Dns_InfobloxBloxOne
diff --git a/Parsers/ASimDns/Parsers/vimDnsInfobloxBloxOne.yaml b/Parsers/ASimDns/Parsers/vimDnsInfobloxBloxOne.yaml
new file mode 100644
index 0000000000..51428a9a03
--- /dev/null
+++ b/Parsers/ASimDns/Parsers/vimDnsInfobloxBloxOne.yaml
@@ -0,0 +1,280 @@
+Parser:
+ Title: Dns ASIM parser for Infoblox BloxOne
+ Version: '0.1.0'
+ LastUpdated: Jun 21 2024
+Product:
+ Name: Infoblox BloxOne
+Normalization:
+ Schema: Dns
+ Version: '0.1.7'
+References:
+- Title: ASIM Dns Schema
+ Link: https://aka.ms/ASimDnsDoc
+- Title: ASIM
+ Link: https:/aka.ms/AboutASIM
+- Title: Infoblox BloxOne Documentation
+ Link: https://docs.infoblox.com/space/BloxOneThreatDefense
+Description: |
+ This ASIM parser supports normalizing Dns logs from Infoblox BloxOne to the ASIM Dns normalized schema. These events are captured through the Azure Monitor Agent (AMA) which are sent by the Data Connector Service of Infoblox BloxOne.
+ParserName: vimDnsInfobloxBloxOne
+EquivalentBuiltInParser: _Im_Dns_InfobloxBloxOne
+ParserParams:
+ - Name: starttime
+ Type: datetime
+ Default: datetime(null)
+ - Name: endtime
+ Type: datetime
+ Default: datetime(null)
+ - Name: srcipaddr
+ Type: string
+ Default: '*'
+ - Name: domain_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: responsecodename
+ Type: string
+ Default: '*'
+ - Name: response_has_ipv4
+ Type: string
+ Default: '*'
+ - Name: response_has_any_prefix
+ Type: dynamic
+ Default: dynamic([])
+ - Name: eventtype
+ Type: string
+ Default: 'Query'
+ - Name: disabled
+ Type: bool
+ Default: false
+ParserQuery: |
+ let EventSeverityLookup = datatable(LogSeverity:string, EventSeverity:string)
+ [
+ "0", "Low",
+ "1", "Low",
+ "2", "Low",
+ "3", "Low",
+ "4", "Medium",
+ "5", "Medium",
+ "6", "Medium",
+ "7", "High",
+ "8", "High",
+ "9", "High",
+ "10", "High"
+ ];
+ let DnsQueryTypeLookup = datatable(DnsQueryTypeName:string, DnsQueryType:int)
+ [
+ "A", 1,
+ "NS", 2,
+ "MD", 3,
+ "MF", 4,
+ "CNAME", 5,
+ "SOA", 6,
+ "MB", 7,
+ "MG", 8,
+ "MR", 9,
+ "NULL", 10,
+ "WKS", 11,
+ "PTR", 12,
+ "HINFO", 13,
+ "MINFO", 14,
+ "MX", 15,
+ "TXT", 16,
+ "RP", 17,
+ "AFSDB", 18,
+ "X25", 19,
+ "ISDN", 20,
+ "RT", 21,
+ "NSAP", 22,
+ "NSAPPTR", 23,
+ "SIG", 24,
+ "KEY", 25,
+ "PX", 26,
+ "GPOS", 27,
+ "AAAA", 28,
+ "LOC", 29,
+ "NXT", 30,
+ "EID", 31,
+ "NIMLOC", 32,
+ "SRV", 33,
+ "ATMA", 34,
+ "NAPTR", 35,
+ "KX", 36,
+ "CERT", 37,
+ "A6", 38,
+ "DNAME", 39,
+ "SINK", 40,
+ "OPT", 41,
+ "APL", 42,
+ "DS", 43,
+ "SSHFP", 44,
+ "IPSECKEY", 45,
+ "RRSIG", 46,
+ "NSEC", 47,
+ "DNSKEY", 48,
+ "DHCID", 49,
+ "NSEC3", 50,
+ "NSEC3PARAM", 51,
+ "TLSA", 52,
+ "SMIMEA", 53,
+ "HIP", 55,
+ "NINFO", 56,
+ "RKEY", 57,
+ "TALINK", 58,
+ "CDS", 59,
+ "CDNSKEY", 60,
+ "OPENPGPKEY", 61,
+ "CSYNC", 62,
+ "ZONEMD", 63,
+ "SVCB", 64,
+ "HTTPS", 65,
+ "SPF", 99,
+ "UINFO", 100,
+ "UID", 101,
+ "GID", 102,
+ "UNSPEC", 103,
+ "TKEY", 249,
+ "TSIG", 250,
+ "IXFR", 251,
+ "MAILB", 253,
+ "MAILA", 254,
+ "ANY", 255,
+ "URI", 256,
+ "CAA", 257,
+ "TA", 32768,
+ "DLV", 32769
+ ];
+ let DnsResponseCodeLookup = datatable(EventResultDetails:string, DnsResponseCode:int)
+ [
+ "NOERROR", 0,
+ "FORMERR", 1,
+ "SERVFAIL", 2,
+ "NXDOMAIN", 3,
+ "NOTIMPL", 4,
+ "REFUSED", 5,
+ "YXDOMAIN", 6,
+ "YXRRSET", 7,
+ "NXRRSET", 8,
+ "NOTAUTH", 9,
+ "NOTZONE", 10,
+ "DSOTYPENI", 11,
+ "RESERVED12", 12,
+ "RESERVED13", 13,
+ "RESERVED14", 14,
+ "RESERVED15", 15,
+ "BADVERS", 16,
+ "BADKEY", 17,
+ "BADTIME", 18,
+ "BADMODE", 19,
+ "BADNAME", 20,
+ "BADALG", 21,
+ "BADTRUNC", 22,
+ "BADCOOKIE", 23,
+ ];
+ let parser = (
+ starttime: datetime=datetime(null),
+ endtime: datetime=datetime(null),
+ srcipaddr: string='*',
+ domain_has_any: dynamic=dynamic([]),
+ responsecodename: string='*',
+ response_has_ipv4: string='*',
+ response_has_any_prefix: dynamic=dynamic([]),
+ eventtype: string='Query',
+ disabled: bool=false
+ ) {
+ CommonSecurityLog
+ | where not(disabled)
+ and (eventtype == '*' or eventtype == "Query")
+ and (isnull(starttime) or TimeGenerated >= starttime)
+ and (isnull(endtime) or TimeGenerated <= endtime)
+ and DeviceVendor == "Infoblox"
+ and DeviceEventClassID has "DNS"
+ and (srcipaddr=="*" or has_ipv4(SourceIP, srcipaddr))
+ and array_length(domain_has_any) == 0
+ and response_has_ipv4 == '*'
+ and array_length(response_has_any_prefix) == 0
+ | parse-kv AdditionalExtensions as (InfobloxDNSRCode:string, InfobloxDNSQType:string) with (pair_delimiter=";", kv_delimiter="=")
+ | project-rename
+ EventResultDetails = InfobloxDNSRCode,
+ DnsQueryTypeName = InfobloxDNSQType
+ | extend DnsQueryTypeName = tostring(split(DnsQueryTypeName, ' ')[0])
+ | lookup EventSeverityLookup on LogSeverity
+ | lookup DnsQueryTypeLookup on DnsQueryTypeName
+ | lookup DnsResponseCodeLookup on EventResultDetails
+ | invoke _ASIM_ResolveDvcFQDN('DeviceName')
+ | project-rename
+ DnsQuery = DestinationDnsDomain,
+ DvcIpAddr = DeviceAddress,
+ SrcIpAddr = SourceIP,
+ EventMessage = Message,
+ EventOriginalSeverity = LogSeverity,
+ EventOriginalType = Activity,
+ SrcUsername = SourceUserName,
+ SrcPortNumber = SourcePort
+ | extend
+ Dvc = coalesce(DvcHostname, DvcIpAddr),
+ EventEndTime = TimeGenerated,
+ EventResult = iff(EventResultDetails == "NOERROR", "Success", "Failure"),
+ DnsQuery = iff(substring(DnsQuery, strlen(DnsQuery) - 1, 1) == ".", substring(DnsQuery, 0, strlen(DnsQuery) - 1), DnsQuery),
+ EventStartTime = TimeGenerated,
+ Src = SrcIpAddr,
+ SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),
+ DnsResponseCodeName = EventResultDetails,
+ IpAddr = SrcIpAddr,
+ User = SrcUsername
+ | extend Domain = DnsQuery
+ | extend
+ EventCount = toint(1),
+ EventSchema = "Dns",
+ EventSchemaVersion = "0.1.7",
+ EventProduct = "BloxOne",
+ EventVendor = "Infoblox",
+ EventType = "Query",
+ DnsQueryClass = toint(1),
+ DnsQueryClassName = "IN"
+ | project-away
+ Source*,
+ Destination*,
+ Device*,
+ AdditionalExtensions,
+ CommunicationDirection,
+ EventOutcome,
+ Protocol,
+ SimplifiedDeviceAction,
+ ExternalID,
+ EndTime,
+ FieldDevice*,
+ Flex*,
+ File*,
+ Old*,
+ MaliciousIP*,
+ OriginalLogSeverity,
+ Process*,
+ ReceivedBytes,
+ SentBytes,
+ Remote*,
+ Request*,
+ StartTime,
+ TenantId,
+ ReportReferenceLink,
+ ReceiptTime,
+ Indicator*,
+ _ResourceId,
+ ThreatConfidence,
+ ThreatDescription,
+ ThreatSeverity,
+ Computer,
+ ApplicationProtocol,
+ ExtID,
+ Reason
+ };
+ parser(
+ starttime=starttime,
+ endtime=endtime,
+ srcipaddr=srcipaddr,
+ domain_has_any=domain_has_any,
+ responsecodename=responsecodename,
+ response_has_ipv4=response_has_ipv4,
+ response_has_any_prefix=response_has_any_prefix,
+ eventtype=eventtype,
+ disabled=disabled
+ )
\ No newline at end of file
diff --git a/Parsers/ASimDns/Tests/InfobloxBloxOne_ASimDns_ASimDataTester.csv b/Parsers/ASimDns/Tests/InfobloxBloxOne_ASimDns_ASimDataTester.csv
new file mode 100644
index 0000000000..405b3f0395
--- /dev/null
+++ b/Parsers/ASimDns/Tests/InfobloxBloxOne_ASimDns_ASimDataTester.csv
@@ -0,0 +1,5 @@
+Result
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 1000 records (100.0%) for field [DvcDomain] of type [Domain]: [""178.234.205""] (Schema:Dns)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 1000 records (100.0%) for field [DvcFQDN] of type [FQDN]: [""107.178.234.205""] (Schema:Dns)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 1000 records (100.0%) for field [EventProduct] of type [Enumerated]: [""BloxOne""] (Schema:Dns)"
+"(2) Info: Empty value in 1000 records (100.0%) in optional field [SrcUsername] (Schema:Dns)"
diff --git a/Parsers/ASimDns/Tests/InfobloxBloxOne_ASimDns_ASimSchemaTester.csv b/Parsers/ASimDns/Tests/InfobloxBloxOne_ASimDns_ASimSchemaTester.csv
new file mode 100644
index 0000000000..8cf38d5776
--- /dev/null
+++ b/Parsers/ASimDns/Tests/InfobloxBloxOne_ASimDns_ASimSchemaTester.csv
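Review bot: In the `| where` clause of `vimDnsInfobloxBloxOne`, the `domain_has_any` and `responsecodename` filter parameters are declared but never applied: `domain_has_any` is only accepted when empty (`and array_length(domain_has_any) == 0`), so any `_Im_Dns` caller that filters by domain silently gets zero BloxOne rows even though `DestinationDnsDomain` carries the query name, and `responsecodename` is not checked anywhere, so a caller filtering by response code gets every row back. Returning nothing for the two response-IP parameters is defensible because the source has no response-IP field, but the other two should be real filters: replace the domain gate with `and (array_length(domain_has_any) == 0 or DestinationDnsDomain has_any (domain_has_any))` and add, directly after the `parse-kv` line, `| where (responsecodename == '*' or InfobloxDNSRCode =~ responsecodename)`. Separately, the ASimDataTester output committed alongside this parser reports `DvcDomain` = `"178.234.205"` and `DvcFQDN` = `"107.178.234.205"`, which suggests `_ASIM_ResolveDvcFQDN('DeviceName')` is being handed an IP-literal `DeviceName` in the sample data; if that is what BloxOne emits, an IP-literal `DeviceName` should be routed to `DvcIpAddr` rather than the FQDN resolver so `DvcDomain`/`DvcFQDN` stay valid.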
@@ -0,0 +1,110 @@ +Result +"(1) Warning: Missing recommended field [Dst]" +"(1) Warning: Missing recommended field [EventUid]" +"(1) Warning: Missing recommended field [SrcDomain]" +"(1) Warning: Missing recommended field [SrcHostname]" +"(1) Warning: Missing recommended field [TransactionIdHex]" +"(2) Info: Missing optional alias [DomainCategory] aliasing non-existent column [UrlCategory]" +"(2) Info: Missing optional alias [Duration] aliasing non-existent column [DnsNetworkDuration]" +"(2) Info: Missing optional alias [Process] aliasing non-existent column [SrcProcessName]" +"(2) Info: Missing optional alias [SessionId] aliasing non-existent column [DnsSessionId]" +"(2) Info: Missing optional field [AdditionalFields]" +"(2) Info: Missing optional field [DnsFlagsAuthenticated]" +"(2) Info: Missing optional field [DnsFlagsAuthoritative]" +"(2) Info: Missing optional field [DnsFlagsCheckingDisabled]" +"(2) Info: Missing optional field [DnsFlagsRecursionAvailable]" +"(2) Info: Missing optional field [DnsFlagsRecursionDesired]" +"(2) Info: Missing optional field [DnsFlagsTruncated]" +"(2) Info: Missing optional field [DnsFlagsZ]" +"(2) Info: Missing optional field [DnsFlags]" +"(2) Info: Missing optional field [DnsNetworkDuration]" +"(2) Info: Missing optional field [DnsResponseIpCity]" +"(2) Info: Missing optional field [DnsResponseIpCountry]" +"(2) Info: Missing optional field [DnsResponseIpLatitude]" +"(2) Info: Missing optional field [DnsResponseIpLongitude]" +"(2) Info: Missing optional field [DnsResponseIpRegion]" +"(2) Info: Missing optional field [DnsResponseName]" +"(2) Info: Missing optional field [DnsSessionId]" +"(2) Info: Missing optional field [DstDescription]" +"(2) Info: Missing optional field [DstDeviceType]" +"(2) Info: Missing optional field [DstDomain]" +"(2) Info: Missing optional field [DstDvcId]" +"(2) Info: Missing optional field [DstDvcScopeId]" +"(2) Info: Missing optional field [DstDvcScope]" +"(2) Info: Missing optional field [DstFQDN]" 
+"(2) Info: Missing optional field [DstGeoCity]" +"(2) Info: Missing optional field [DstGeoCountry]" +"(2) Info: Missing optional field [DstGeoLatitude]" +"(2) Info: Missing optional field [DstGeoLongitude]" +"(2) Info: Missing optional field [DstGeoRegion]" +"(2) Info: Missing optional field [DstHostname]" +"(2) Info: Missing optional field [DstIpAddr]" +"(2) Info: Missing optional field [DstOriginalRiskLevel]" +"(2) Info: Missing optional field [DstPortNumber]" +"(2) Info: Missing optional field [DstRiskLevel]" +"(2) Info: Missing optional field [DvcAction]" +"(2) Info: Missing optional field [DvcDescription]" +"(2) Info: Missing optional field [DvcId]" +"(2) Info: Missing optional field [DvcInterface]" +"(2) Info: Missing optional field [DvcMacAddr]" +"(2) Info: Missing optional field [DvcOriginalAction]" +"(2) Info: Missing optional field [DvcOsVersion]" +"(2) Info: Missing optional field [DvcOs]" +"(2) Info: Missing optional field [DvcScopeId]" +"(2) Info: Missing optional field [DvcScope]" +"(2) Info: Missing optional field [DvcZone]" +"(2) Info: Missing optional field [EventOriginalResultDetails]" +"(2) Info: Missing optional field [EventOriginalSubType]" +"(2) Info: Missing optional field [EventOriginalUid]" +"(2) Info: Missing optional field [EventOwner]" +"(2) Info: Missing optional field [EventProductVersion]" +"(2) Info: Missing optional field [EventReportUrl]" +"(2) Info: Missing optional field [EventSubType]" +"(2) Info: Missing optional field [NetworkProtocolVersion]" +"(2) Info: Missing optional field [NetworkProtocol]" +"(2) Info: Missing optional field [RuleName]" +"(2) Info: Missing optional field [RuleNumber]" +"(2) Info: Missing optional field [Rule]" +"(2) Info: Missing optional field [SrcDescription]" +"(2) Info: Missing optional field [SrcDeviceType]" +"(2) Info: Missing optional field [SrcDvcId]" +"(2) Info: Missing optional field [SrcDvcScopeId]" +"(2) Info: Missing optional field [SrcDvcScope]" +"(2) Info: Missing optional field 
[SrcFQDN]" +"(2) Info: Missing optional field [SrcGeoCity]" +"(2) Info: Missing optional field [SrcGeoCountry]" +"(2) Info: Missing optional field [SrcGeoLatitude]" +"(2) Info: Missing optional field [SrcGeoLongitude]" +"(2) Info: Missing optional field [SrcGeoRegion]" +"(2) Info: Missing optional field [SrcOriginalRiskLevel]" +"(2) Info: Missing optional field [SrcOriginalUserType]" +"(2) Info: Missing optional field [SrcPortNumber]" +"(2) Info: Missing optional field [SrcProcessGuid]" +"(2) Info: Missing optional field [SrcProcessId]" +"(2) Info: Missing optional field [SrcProcessName]" +"(2) Info: Missing optional field [SrcRiskLevel]" +"(2) Info: Missing optional field [SrcUserAWSId]" +"(2) Info: Missing optional field [SrcUserAadId]" +"(2) Info: Missing optional field [SrcUserId]" +"(2) Info: Missing optional field [SrcUserOktaId]" +"(2) Info: Missing optional field [SrcUserScopeId]" +"(2) Info: Missing optional field [SrcUserScope]" +"(2) Info: Missing optional field [SrcUserSessionId]" +"(2) Info: Missing optional field [SrcUserSid]" +"(2) Info: Missing optional field [SrcUserType]" +"(2) Info: Missing optional field [SrcUserUid]" +"(2) Info: Missing optional field [TenantId]" +"(2) Info: Missing optional field [ThreatCategory]" +"(2) Info: Missing optional field [ThreatConfidence]" +"(2) Info: Missing optional field [ThreatField]" +"(2) Info: Missing optional field [ThreatFirstReportedTime]" +"(2) Info: Missing optional field [ThreatId]" +"(2) Info: Missing optional field [ThreatIpAddr]" +"(2) Info: Missing optional field [ThreatIsActive]" +"(2) Info: Missing optional field [ThreatLastReportedTime]" +"(2) Info: Missing optional field [ThreatName]" +"(2) Info: Missing optional field [ThreatOriginalConfidence]" +"(2) Info: Missing optional field [ThreatOriginalRiskLevel]" +"(2) Info: Missing optional field [ThreatRiskLevel]" +"(2) Info: Missing optional field [UrlCategory]" +"(2) Info: Missing recommended alias [Hostname] aliasing non-existent column 
[SrcHostname]" diff --git a/Parsers/ASimDns/Tests/InfobloxBloxOne_vimDns_ASimDataTester.csv b/Parsers/ASimDns/Tests/InfobloxBloxOne_vimDns_ASimDataTester.csv new file mode 100644 index 0000000000..405b3f0395 --- /dev/null +++ b/Parsers/ASimDns/Tests/InfobloxBloxOne_vimDns_ASimDataTester.csv @@ -0,0 +1,5 @@ +Result +"(0) Error: 1 invalid value(s) (up to 10 listed) in 1000 records (100.0%) for field [DvcDomain] of type [Domain]: [""178.234.205""] (Schema:Dns)" +"(0) Error: 1 invalid value(s) (up to 10 listed) in 1000 records (100.0%) for field [DvcFQDN] of type [FQDN]: [""107.178.234.205""] (Schema:Dns)" +"(0) Error: 1 invalid value(s) (up to 10 listed) in 1000 records (100.0%) for field [EventProduct] of type [Enumerated]: [""BloxOne""] (Schema:Dns)" +"(2) Info: Empty value in 1000 records (100.0%) in optional field [SrcUsername] (Schema:Dns)" diff --git a/Parsers/ASimDns/Tests/InfobloxBloxOne_vimDns_ASimSchemaTester.csv b/Parsers/ASimDns/Tests/InfobloxBloxOne_vimDns_ASimSchemaTester.csv new file mode 100644 index 0000000000..8cf38d5776 --- /dev/null +++ b/Parsers/ASimDns/Tests/InfobloxBloxOne_vimDns_ASimSchemaTester.csv 
@@ -0,0 +1,110 @@ +Result +"(1) Warning: Missing recommended field [Dst]" +"(1) Warning: Missing recommended field [EventUid]" +"(1) Warning: Missing recommended field [SrcDomain]" +"(1) Warning: Missing recommended field [SrcHostname]" +"(1) Warning: Missing recommended field [TransactionIdHex]" +"(2) Info: Missing optional alias [DomainCategory] aliasing non-existent column [UrlCategory]" +"(2) Info: Missing optional alias [Duration] aliasing non-existent column [DnsNetworkDuration]" +"(2) Info: Missing optional alias [Process] aliasing non-existent column [SrcProcessName]" +"(2) Info: Missing optional alias [SessionId] aliasing non-existent column [DnsSessionId]" +"(2) Info: Missing optional field [AdditionalFields]" +"(2) Info: Missing optional field [DnsFlagsAuthenticated]" +"(2) Info: Missing optional field [DnsFlagsAuthoritative]" +"(2) Info: Missing optional field [DnsFlagsCheckingDisabled]" +"(2) Info: Missing optional field [DnsFlagsRecursionAvailable]" +"(2) Info: Missing optional field [DnsFlagsRecursionDesired]" +"(2) Info: Missing optional field [DnsFlagsTruncated]" +"(2) Info: Missing optional field [DnsFlagsZ]" +"(2) Info: Missing optional field [DnsFlags]" +"(2) Info: Missing optional field [DnsNetworkDuration]" +"(2) Info: Missing optional field [DnsResponseIpCity]" +"(2) Info: Missing optional field [DnsResponseIpCountry]" +"(2) Info: Missing optional field [DnsResponseIpLatitude]" +"(2) Info: Missing optional field [DnsResponseIpLongitude]" +"(2) Info: Missing optional field [DnsResponseIpRegion]" +"(2) Info: Missing optional field [DnsResponseName]" +"(2) Info: Missing optional field [DnsSessionId]" +"(2) Info: Missing optional field [DstDescription]" +"(2) Info: Missing optional field [DstDeviceType]" +"(2) Info: Missing optional field [DstDomain]" +"(2) Info: Missing optional field [DstDvcId]" +"(2) Info: Missing optional field [DstDvcScopeId]" +"(2) Info: Missing optional field [DstDvcScope]" +"(2) Info: Missing optional field [DstFQDN]" 
+"(2) Info: Missing optional field [DstGeoCity]" +"(2) Info: Missing optional field [DstGeoCountry]" +"(2) Info: Missing optional field [DstGeoLatitude]" +"(2) Info: Missing optional field [DstGeoLongitude]" +"(2) Info: Missing optional field [DstGeoRegion]" +"(2) Info: Missing optional field [DstHostname]" +"(2) Info: Missing optional field [DstIpAddr]" +"(2) Info: Missing optional field [DstOriginalRiskLevel]" +"(2) Info: Missing optional field [DstPortNumber]" +"(2) Info: Missing optional field [DstRiskLevel]" +"(2) Info: Missing optional field [DvcAction]" +"(2) Info: Missing optional field [DvcDescription]" +"(2) Info: Missing optional field [DvcId]" +"(2) Info: Missing optional field [DvcInterface]" +"(2) Info: Missing optional field [DvcMacAddr]" +"(2) Info: Missing optional field [DvcOriginalAction]" +"(2) Info: Missing optional field [DvcOsVersion]" +"(2) Info: Missing optional field [DvcOs]" +"(2) Info: Missing optional field [DvcScopeId]" +"(2) Info: Missing optional field [DvcScope]" +"(2) Info: Missing optional field [DvcZone]" +"(2) Info: Missing optional field [EventOriginalResultDetails]" +"(2) Info: Missing optional field [EventOriginalSubType]" +"(2) Info: Missing optional field [EventOriginalUid]" +"(2) Info: Missing optional field [EventOwner]" +"(2) Info: Missing optional field [EventProductVersion]" +"(2) Info: Missing optional field [EventReportUrl]" +"(2) Info: Missing optional field [EventSubType]" +"(2) Info: Missing optional field [NetworkProtocolVersion]" +"(2) Info: Missing optional field [NetworkProtocol]" +"(2) Info: Missing optional field [RuleName]" +"(2) Info: Missing optional field [RuleNumber]" +"(2) Info: Missing optional field [Rule]" +"(2) Info: Missing optional field [SrcDescription]" +"(2) Info: Missing optional field [SrcDeviceType]" +"(2) Info: Missing optional field [SrcDvcId]" +"(2) Info: Missing optional field [SrcDvcScopeId]" +"(2) Info: Missing optional field [SrcDvcScope]" +"(2) Info: Missing optional field 
[SrcFQDN]" +"(2) Info: Missing optional field [SrcGeoCity]" +"(2) Info: Missing optional field [SrcGeoCountry]" +"(2) Info: Missing optional field [SrcGeoLatitude]" +"(2) Info: Missing optional field [SrcGeoLongitude]" +"(2) Info: Missing optional field [SrcGeoRegion]" +"(2) Info: Missing optional field [SrcOriginalRiskLevel]" +"(2) Info: Missing optional field [SrcOriginalUserType]" +"(2) Info: Missing optional field [SrcPortNumber]" +"(2) Info: Missing optional field [SrcProcessGuid]" +"(2) Info: Missing optional field [SrcProcessId]" +"(2) Info: Missing optional field [SrcProcessName]" +"(2) Info: Missing optional field [SrcRiskLevel]" +"(2) Info: Missing optional field [SrcUserAWSId]" +"(2) Info: Missing optional field [SrcUserAadId]" +"(2) Info: Missing optional field [SrcUserId]" +"(2) Info: Missing optional field [SrcUserOktaId]" +"(2) Info: Missing optional field [SrcUserScopeId]" +"(2) Info: Missing optional field [SrcUserScope]" +"(2) Info: Missing optional field [SrcUserSessionId]" +"(2) Info: Missing optional field [SrcUserSid]" +"(2) Info: Missing optional field [SrcUserType]" +"(2) Info: Missing optional field [SrcUserUid]" +"(2) Info: Missing optional field [TenantId]" +"(2) Info: Missing optional field [ThreatCategory]" +"(2) Info: Missing optional field [ThreatConfidence]" +"(2) Info: Missing optional field [ThreatField]" +"(2) Info: Missing optional field [ThreatFirstReportedTime]" +"(2) Info: Missing optional field [ThreatId]" +"(2) Info: Missing optional field [ThreatIpAddr]" +"(2) Info: Missing optional field [ThreatIsActive]" +"(2) Info: Missing optional field [ThreatLastReportedTime]" +"(2) Info: Missing optional field [ThreatName]" +"(2) Info: Missing optional field [ThreatOriginalConfidence]" +"(2) Info: Missing optional field [ThreatOriginalRiskLevel]" +"(2) Info: Missing optional field [ThreatRiskLevel]" +"(2) Info: Missing optional field [UrlCategory]" +"(2) Info: Missing recommended alias [Hostname] aliasing non-existent column 
[SrcHostname]" diff --git a/Sample Data/ASIM/Infoblox_BloxOne_ASimAuditEvent_IngestedLogs.csv b/Sample Data/ASIM/Infoblox_BloxOne_ASimAuditEvent_IngestedLogs.csv new file mode 100644 index 0000000000..04f0c8dc8e --- /dev/null +++ b/Sample Data/ASIM/Infoblox_BloxOne_ASimAuditEvent_IngestedLogs.csv 
@@ -0,0 +1,21 @@ +TenantId,TimeGenerated [UTC],DeviceVendor,DeviceProduct,DeviceVersion,DeviceEventClassID,Activity,LogSeverity,OriginalLogSeverity,AdditionalExtensions,DeviceAction,ApplicationProtocol,EventCount,DestinationDnsDomain,DestinationServiceName,DestinationTranslatedAddress,DestinationTranslatedPort,CommunicationDirection,DeviceDnsDomain,DeviceExternalID,DeviceFacility,DeviceInboundInterface,DeviceNtDomain,DeviceOutboundInterface,DevicePayloadId,ProcessName,DeviceTranslatedAddress,DestinationHostName,DestinationMACAddress,DestinationNTDomain,DestinationProcessId,DestinationUserPrivileges,DestinationProcessName,DestinationPort,DestinationIP,DeviceTimeZone,DestinationUserID,DestinationUserName,DeviceAddress,DeviceName,DeviceMacAddress,ProcessID,EndTime [UTC],ExternalID,ExtID,FileCreateTime,FileHash,FileID,FileModificationTime,FilePath,FilePermission,FileType,FileName,FileSize,ReceivedBytes,Message,OldFileCreateTime,OldFileHash,OldFileID,OldFileModificationTime,OldFileName,OldFilePath,OldFilePermission,OldFileSize,OldFileType,SentBytes,EventOutcome,Protocol,Reason,RequestURL,RequestClientApplication,RequestContext,RequestCookies,RequestMethod,ReceiptTime,SourceHostName,SourceMACAddress,SourceNTDomain,SourceDnsDomain,SourceServiceName,SourceTranslatedAddress,SourceTranslatedPort,SourceProcessId,SourceUserPrivileges,SourceProcessName,SourcePort,SourceIP,StartTime 
[UTC],SourceUserID,SourceUserName,EventType,DeviceEventCategory,DeviceCustomIPv6Address1,DeviceCustomIPv6Address1Label,DeviceCustomIPv6Address2,DeviceCustomIPv6Address2Label,DeviceCustomIPv6Address3,DeviceCustomIPv6Address3Label,DeviceCustomIPv6Address4,DeviceCustomIPv6Address4Label,DeviceCustomFloatingPoint1,DeviceCustomFloatingPoint1Label,DeviceCustomFloatingPoint2,DeviceCustomFloatingPoint2Label,DeviceCustomFloatingPoint3,DeviceCustomFloatingPoint3Label,DeviceCustomFloatingPoint4,DeviceCustomFloatingPoint4Label,DeviceCustomNumber1,FieldDeviceCustomNumber1,DeviceCustomNumber1Label,DeviceCustomNumber2,FieldDeviceCustomNumber2,DeviceCustomNumber2Label,DeviceCustomNumber3,FieldDeviceCustomNumber3,DeviceCustomNumber3Label,DeviceCustomString1,DeviceCustomString1Label,DeviceCustomString2,DeviceCustomString2Label,DeviceCustomString3,DeviceCustomString3Label,DeviceCustomString4,DeviceCustomString4Label,DeviceCustomString5,DeviceCustomString5Label,DeviceCustomString6,DeviceCustomString6Label,DeviceCustomDate1,DeviceCustomDate1Label,DeviceCustomDate2,DeviceCustomDate2Label,FlexDate1,FlexDate1Label,FlexNumber1,FlexNumber1Label,FlexNumber2,FlexNumber2Label,FlexString1,FlexString1Label,FlexString2,FlexString2Label,RemoteIP,RemotePort,MaliciousIP,ThreatSeverity,IndicatorThreatType,ThreatDescription,ThreatConfidence,ReportReferenceLink,MaliciousIPLongitude,MaliciousIPLatitude,MaliciousIPCountry,Computer,SourceSystem,SimplifiedDeviceAction,CollectorHostName,Type,_ResourceId +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:14:45 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,InfobloxEventVersion=;InfobloxHTTPReqBody=;InfobloxResourceId=d04b58f6-32fa-11ef-9bda-a26b6676565d;InfobloxResourceType=jointoken;InfobloxResourceDesc=;InfobloxHTTPRespBody={};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin 
ib-interactive-user];InfobloxSubjectType=User,delete,hostactivation,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Join token is deleted,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.1,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,delete,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:15:56 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""name"":""25-06""};InfobloxResourceId=32a6ffa2-330e-11ef-be77-223188134132;InfobloxResourceType=jointoken;InfobloxResourceDesc=;InfobloxHTTPRespBody={""join_token"":""***"",""result"":{""id"":""ngp-cp/join_tokens/32a6ffa2-330e-11ef-be77-223188134132"",""name"":""25-06"",""status"":""ACTIVE"",""token_id"":""***"",""use_counter"":0},""success"":{""message"":""Created""}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",create,hostactivation,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Join token is created,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.2,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,create,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:19:28 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit 
Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""name"":""SplunkTest"",""description"":"""",""enabled"":true,""cdc_services"":[""z77m2xgrbsx22jokk44ueitoiianv7ny""],""source"":7704,""source_data_types"":[""ATLAS_NOTIFICATIONS"",""AUDIT_LOG"",""DDI_DHCP_LEASE_LOG"",""DDI_QUERY_RESP_LOG"",""SERVICE_LOG"",""TD_QUERY_RESP_LOG"",""TD_THREAT_FEEDS_HITS_LOG""],""destination"":8037,""filter_expression"":"""",""script_schedule"":"""",""tags"":{}};InfobloxResourceId=11257;InfobloxResourceType=flow_data_v2;InfobloxResourceDesc=;InfobloxHTTPRespBody={""results"":{""cdc_services"":[""z77m2xgrbsx22jokk44ueitoiianv7ny""],""created_at"":""2024-06-06T17:41:13Z"",""description"":"""",""destination"":8037,""enabled"":true,""etl_filters"":[],""filter_expression"":"""",""id"":11257,""name"":""SplunkTest"",""script_schedule"":"""",""source"":7704,""source_data_types"":[""ATLAS_NOTIFICATIONS"",""AUDIT_LOG"",""DDI_DHCP_LEASE_LOG"",""DDI_QUERY_RESP_LOG"",""SERVICE_LOG"",""TD_QUERY_RESP_LOG"",""TD_THREAT_FEEDS_HITS_LOG""],""tags"":{},""updated_at"":""2024-06-25T16:19:26Z""}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",Update,cdc.flow.api,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Updated,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.3,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Update,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:22:40 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit 
Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""name"":""Test_Connector"",""service_type"":""cdc"",""desired_state"":""start"",""pool_id"":""4dex5wmrzw4fj7kyyjs7idpi7ttkuskn"",""tags"":{},""interface_labels"":[],""destinations"":[],""source_interfaces"":[]};InfobloxResourceId=k3f3v6sw45yaji3d6mprwful37qwlgad;InfobloxResourceType=services;InfobloxResourceDesc=;InfobloxHTTPRespBody={""result"":{""created_at"":""2024-06-25T16:22:39.435361613Z"",""desired_state"":""start"",""destinations"":[],""id"":""infra/service/k3f3v6sw45yaji3d6mprwful37qwlgad"",""name"":""Test_Connector"",""pool_id"":""infra/pool/4dex5wmrzw4fj7kyyjs7idpi7ttkuskn"",""service_type"":""cdc"",""source_interfaces"":[],""tags"":{},""updated_at"":""2024-06-25T16:22:39.435361613Z""}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",Create,hostapp,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Infra-service is created,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.4,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Create,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:23:19 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""revoke_reason"":""hostapp disconnect""};InfobloxResourceId=93c4900d1df2ffda2b620edfb27f7e4f;InfobloxResourceType=cert;InfobloxResourceDesc=;InfobloxHTTPRespBody={};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin 
ib-interactive-user];InfobloxSubjectType=User",revoke,hostactivation,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Certificate is revoked using ophid,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.5,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,revoke,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:23:19 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,InfobloxEventVersion=;InfobloxHTTPReqBody={};InfobloxResourceId=jbeuiwrzgrrgkytbg44dezbvhfqtinzthe2dqmtfgrstgmrymi3gknlegq4tmzbweaqcaiba;InfobloxResourceType=hosts;InfobloxResourceDesc=;InfobloxHTTPRespBody={};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User,Disconnect,hostapp,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Infra-host is disconnected,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.6,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Disconnect,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 5:12:16 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit 
Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""name"":""Test_Connector"",""service_type"":""cdc"",""desired_state"":""start"",""pool_id"":""4dex5wmrzw4fj7kyyjs7idpi7ttkuskn"",""tags"":{},""interface_labels"":[],""destinations"":[],""source_interfaces"":[]};InfobloxResourceId=k3f3v6sw45yaji3d6mprwful37qwlgad;InfobloxResourceType=services;InfobloxResourceDesc=;InfobloxHTTPRespBody={""result"":{""desired_state"":""start"",""destinations"":[],""id"":""infra/service/k3f3v6sw45yaji3d6mprwful37qwlgad"",""name"":""Test_Connector"",""pool_id"":""infra/pool/4dex5wmrzw4fj7kyyjs7idpi7ttkuskn"",""service_type"":""cdc"",""source_interfaces"":[],""tags"":{},""updated_at"":""2024-06-25T17:12:15.187559688Z""}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",Update,hostapp,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Infra-service is updated,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.7,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Update,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/24/2024, 1:26:18 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""error"":""invalid JSON""};InfobloxResourceId=;InfobloxResourceType=notificationsdelivery;InfobloxResourceDesc=;InfobloxHTTPRespBody={};InfobloxSubjectGroups=[act_admin ib-interactive-user];InfobloxSubjectType=User",Update,atlas.notifications.config,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.8,,,musan@security.com,,BloxOne Audit 
Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Update,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/24/2024, 1:26:18 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""threshold"":[{""id"":null,""parent"":{""id"":""8c2e9889-2b27-4adc-b57d-5ed4d2ad7fdf""},""value"":90},{""id"":null,""parent"":{""id"":""7673d68a-0f3c-4493-b2df-3337ed02becc""},""value"":90},{""id"":null,""parent"":{""id"":""9d9b7f44-33aa-4122-a443-a3aad1c7c593""},""value"":90},{""id"":null,""parent"":{""id"":""66178adb-291c-4593-9211-303d085a2ccc""},""value"":90},{""id"":null,""parent"":{""id"":""b5381601-d8d3-41d9-9d5e-74e66117beab""},""value"":300},{""id"":null,""parent"":{""id"":""1b51bdb5-e1ae-4d93-b353-dbea782e8790""},""value"":0},{""id"":null,""parent"":{""id"":""344c955c-0d0e-4714-96d0-614af6ab77db""},""value"":0},{""id"":null,""parent"":{""id"":""385ac901-5cdd-4830-8edb-d3c2c1f65d01""},""value"":0},{""id"":null,""parent"":{""id"":""c49cce97-f791-47a6-8b10-409f246516a6""},""value"":0},{""id"":null,""parent"":{""id"":""ccdcf8e6-fce2-4960-add2-882e5253974b""},""value"":0},{""id"":null,""parent"":{""id"":""d9816b96-6689-4ec1-bd02-536a4aaa00ea""},""value"":0}]};InfobloxResourceId=;InfobloxResourceType=multithresholds;InfobloxResourceDesc=;InfobloxHTTPRespBody={""error"":""invalid JSON""};InfobloxSubjectGroups=[act_admin ib-interactive-user];InfobloxSubjectType=User",Upsert,atlas.notifications.thresholding,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.9,,,musan@security.com,,BloxOne Audit 
Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Upsert,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/24/2024, 1:26:18 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""error"":""invalid JSON""};InfobloxResourceId=;InfobloxResourceType=notificationsdelivery;InfobloxResourceDesc=;InfobloxHTTPRespBody={};InfobloxSubjectGroups=[act_admin ib-interactive-user];InfobloxSubjectType=User",Update,atlas.notifications.config,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.10,,,musan@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Update,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/24/2024, 1:26:18 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit 
Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""threshold"":[{""id"":""b0137475-1aca-4175-9f0d-173e2d00ac38"",""parent"":{""id"":""8c2e9889-2b27-4adc-b57d-5ed4d2ad7fdf""},""value"":90},{""id"":""fd7debc4-a56d-4ff3-b6aa-bbc1e673a60b"",""parent"":{""id"":""7673d68a-0f3c-4493-b2df-3337ed02becc""},""value"":90},{""id"":""ec6cf1b0-2827-4279-9078-48e64442a153"",""parent"":{""id"":""9d9b7f44-33aa-4122-a443-a3aad1c7c593""},""value"":90},{""id"":""21810066-aa1d-4293-960b-a89ba5699133"",""parent"":{""id"":""66178adb-291c-4593-9211-303d085a2ccc""},""value"":90},{""id"":""75df352f-39b6-468c-ad4d-641f2dded95d"",""parent"":{""id"":""b5381601-d8d3-41d9-9d5e-74e66117beab""},""value"":300},{""id"":""8249a3f3-ab1e-4325-8e43-205421cadb4a"",""parent"":{""id"":""1b51bdb5-e1ae-4d93-b353-dbea782e8790""},""value"":0},{""id"":""aa8e3e7b-2bf5-4518-8e4a-4b62b86f0edc"",""parent"":{""id"":""344c955c-0d0e-4714-96d0-614af6ab77db""},""value"":0},{""id"":""b38499ce-6bce-4397-8106-0296da68e2c9"",""parent"":{""id"":""385ac901-5cdd-4830-8edb-d3c2c1f65d01""},""value"":0},{""id"":""66303055-37d0-4248-add7-bc5471bce7f5"",""parent"":{""id"":""c49cce97-f791-47a6-8b10-409f246516a6""},""value"":0},{""id"":""b34c26fb-4eb5-4656-8047-99e26669d01b"",""parent"":{""id"":""ccdcf8e6-fce2-4960-add2-882e5253974b""},""value"":0},{""id"":""e6384b62-984b-4e86-82d3-f0529cabb79e"",""parent"":{""id"":""d9816b96-6689-4ec1-bd02-536a4aaa00ea""},""value"":0}]};InfobloxResourceId=;InfobloxResourceType=multithresholds;InfobloxResourceDesc=;InfobloxHTTPRespBody={""error"":""invalid JSON""};InfobloxSubjectGroups=[act_admin ib-interactive-user];InfobloxSubjectType=User",Upsert,atlas.notifications.thresholding,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.11,,,musan@security.com,,BloxOne Audit 
Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Upsert,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/19/2024, 1:25:05 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""name"":""Sentinel-Config"",""description"":"""",""enabled"":true,""address"":""40.121.5.68"",""output_data_format"":""CEF"",""tags"":{},""port"":514,""transport_protocol"":""TCP"",""insecure_mode"":true};InfobloxResourceId=7418;InfobloxResourceType=destination_syslog;InfobloxResourceDesc=;InfobloxHTTPRespBody={""results"":{""address"":""40.121.5.68"",""ca_certificate"":""***"",""created_at"":""2024-04-11T07:58:41Z"",""description"":"""",""enabled"":true,""id"":7418,""insecure_mode"":true,""name"":""Sentinel-Config"",""output_data_format"":""CEF"",""port"":514,""tags"":{},""transport_protocol"":""TCP"",""updated_at"":""2024-06-19T13:06:48Z""}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",Update,cdc.flow.api,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Updated,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.12,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Update,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/19/2024, 1:25:06 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit 
Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""dhcp_options"":[],""inheritance_sources"":{""vendor_specific_option_option_space"":{""action"":""inherit""},""asm_config"":{""asm_enable_block"":{""action"":""inherit"",""value"":{""reenable_date"":""1970-01-01T00:00:00Z""}},""asm_growth_block"":{""action"":""inherit"",""value"":{}},""asm_threshold"":{""action"":""inherit""},""history"":{""action"":""inherit""},""min_unused"":{""action"":""inherit""}},""dhcp_config"":{""ignore_list"":{""action"":""inherit""},""allow_unknown"":{""action"":""inherit""},""allow_unknown_v6"":{""action"":""inherit""},""lease_time"":{""action"":""inherit""},""lease_time_v6"":{""action"":""inherit""},""ignore_client_uid"":{""action"":""inherit""},""abandoned_reclaim_time"":{""action"":""inherit""},""abandoned_reclaim_time_v6"":{""action"":""inherit""},""echo_client_id"":{""action"":""inherit""},""filters"":{""action"":""inherit""},""filters_v6"":{""action"":""inherit""}},""dhcp_options"":{""action"":""inherit"",""value"":[]},""dhcp_options_v6"":{""action"":""inherit"",""value"":[]},""ddns_update_block"":{""action"":""inherit"",""value"":{}},""ddns_hostname_block"":{""action"":""inherit"",""value"":{}},""ddns_update_on_renew"":{""action"":""inherit""},""ddns_conflict_resolution_mode"":{""action"":""inherit""},""ddns_client_update"":{""action"":""inherit""},""hostname_rewrite_block"":{""action"":""inherit"",""value"":{}},""ddns_ttl_percent"":{""action"":""inherit""},""header_option_server_address"":{""action"":""inherit""},""header_option_server_name"":{""action"":""inherit""},""header_option_filename"":{""action"":""inherit""}},""asm_config"":{""reenable_date"":""1970-01-01T00:00:00.000Z"",""forecast_period"":14,""history"":30},""dhcp_config"":{},""name"":""Ip space for 
Sensplunk"",""dhcp_options_v6"":[],""compartment_id"":null};InfobloxResourceId=1dbf0491-2e3d-11ef-a715-729fd14e7c69;InfobloxResourceType=ip_space;InfobloxResourceDesc=;InfobloxHTTPRespBody={""result"":{""asm_config"":{""asm_threshold"":90,""enable"":true,""enable_notification"":true,""forecast_period"":14,""growth_factor"":20,""growth_type"":""percent"",""history"":30,""min_total"":10,""min_unused"":10,""reenable_date"":""1970-01-01T00:00:00Z""},""asm_scope_flag"":0,""comment"":"""",""compartment_id"":"""",""created_at"":""2024-06-19T13:09:09.881962937Z"",""ddns_client_update"":""client"",""ddns_conflict_resolution_mode"":""check_with_dhcid"",""ddns_domain"":"""",""ddns_generate_name"":false,""ddns_generated_prefix"":""myhost"",""ddns_send_updates"":true,""ddns_ttl_percent"":0,""ddns_update_on_renew"":false,""ddns_use_conflict_resolution"":true,""default_realms"":[],""dhcp_config"":{""abandoned_reclaim_time"":3600,""abandoned_reclaim_time_v6"":3600,""allow_unknown"":true,""allow_unknown_v6"":true,""echo_client_id"":true,""filters"":[],""filters_large_selection"":[],""filters_v6"":[],""ignore_client_uid"":false,""ignore_list"":[],""lease_time"":3600,""lease_time_v6"":3600},""dhcp_options"":[],""dhcp_options_v6"":[],""header_option_filename"":"""",""header_option_server_address"":"""",""header_option_server_name"":"""",""hostname_rewrite_char"":""-"",""hostname_rewrite_enabled"":false,""hostname_rewrite_regex"":""[^a-zA-Z0-9.-]"",""id"":""ipam/ip_space/1dbf0491-2e3d-11ef-a715-729fd14e7c69"",""inheritance_sources"":null,""name"":""Ip space for 
Sensplunk"",""tags"":null,""threshold"":{""enabled"":false,""high"":0,""low"":0},""updated_at"":""2024-06-19T13:09:09.881962937Z"",""utilization"":{""abandon_utilization"":0,""abandoned"":""0"",""dynamic"":""0"",""free"":""0"",""static"":""0"",""total"":""0"",""used"":""0"",""utilization"":0},""utilization_v6"":{""abandoned"":""0"",""dynamic"":""0"",""static"":""0"",""total"":""0"",""used"":""0""},""vendor_specific_option_option_space"":null}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",Create,ddi,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"{""response"":{""result"":{""id"":""ipam/ip_space/1dbf0491-2e3d-11ef-a715-729fd14e7c69"",""name"":""Ip space for Sensplunk"",""utilization"":{},""threshold"":{},""dhcp_config"":{""allow_unknown"":true,""lease_time"":3600,""allow_unknown_v6"":true,""lease_time_v6"":3600,""abandoned_reclaim_time"":3600,""abandoned_reclaim_time_v6"":3600,""echo_client_id"":true},""asm_config"":{""enable"":true,""enable_notification"":true,""reenable_date"":{},""min_total"":10,""asm_threshold"":90,""forecast_period"":14,""growth_factor"":20,""growth_type"":""percent"",""history"":30,""min_unused"":10},""created_at"":{""seconds"":1718802549,""nanos"":881962937},""updated_at"":{""seconds"":1718802549,""nanos"":881962937},""ddns_send_updates"":true,""ddns_generated_prefix"":""myhost"",""ddns_use_conflict_resolution"":true,""ddns_client_update"":""client"",""hostname_rewrite_regex"":""[^a-zA-Z0-9.-]"",""hostname_rewrite_char"":""-"",""utilization_v6"":{""total"":""0"",""used"":""0"",""static"":""0"",""dynamic"":""0"",""abandoned"":""0""},""ddns_conflict_resolution_mode"":""check_with_dhcid""}}}",,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.13,,,matt.damon@security.com,,BloxOne Audit 
Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Create,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/19/2024, 1:25:06 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""name"":""Sentinel-Config"",""description"":"""",""enabled"":true,""address"":""48.217.233.16"",""output_data_format"":""CEF"",""tags"":{},""port"":514,""transport_protocol"":""TCP"",""insecure_mode"":true};InfobloxResourceId=7418;InfobloxResourceType=destination_syslog;InfobloxResourceDesc=;InfobloxHTTPRespBody={""results"":{""address"":""48.217.233.16"",""ca_certificate"":""***"",""created_at"":""2024-04-11T07:58:41Z"",""description"":"""",""enabled"":true,""id"":7418,""insecure_mode"":true,""name"":""Sentinel-Config"",""output_data_format"":""CEF"",""port"":514,""tags"":{},""transport_protocol"":""TCP"",""updated_at"":""2024-06-19T13:24:43Z""}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",Update,cdc.flow.api,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Updated,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.14,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Update,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/19/2024, 1:26:48 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit 
Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""dhcp_options"":[],""inheritance_sources"":{""vendor_specific_option_option_space"":{""action"":""inherit""},""asm_config"":{""asm_enable_block"":{""action"":""inherit"",""value"":{""reenable_date"":""1970-01-01T00:00:00Z""}},""asm_growth_block"":{""action"":""inherit"",""value"":{}},""asm_threshold"":{""action"":""inherit""},""history"":{""action"":""inherit""},""min_unused"":{""action"":""inherit""}},""dhcp_config"":{""ignore_list"":{""action"":""inherit""},""allow_unknown"":{""action"":""inherit""},""allow_unknown_v6"":{""action"":""inherit""},""lease_time"":{""action"":""inherit""},""lease_time_v6"":{""action"":""inherit""},""ignore_client_uid"":{""action"":""inherit""},""abandoned_reclaim_time"":{""action"":""inherit""},""abandoned_reclaim_time_v6"":{""action"":""inherit""},""echo_client_id"":{""action"":""inherit""},""filters"":{""action"":""inherit""},""filters_v6"":{""action"":""inherit""}},""dhcp_options"":{""action"":""inherit"",""value"":[]},""dhcp_options_v6"":{""action"":""inherit"",""value"":[]},""ddns_update_block"":{""action"":""inherit"",""value"":{}},""ddns_hostname_block"":{""action"":""inherit"",""value"":{}},""ddns_update_on_renew"":{""action"":""inherit""},""ddns_conflict_resolution_mode"":{""action"":""inherit""},""ddns_client_update"":{""action"":""inherit""},""hostname_rewrite_block"":{""action"":""inherit"",""value"":{}},""ddns_ttl_percent"":{""action"":""inherit""},""header_option_server_address"":{""action"":""inherit""},""header_option_server_name"":{""action"":""inherit""},""header_option_filename"":{""action"":""inherit""}},""asm_config"":{""reenable_date"":""1970-01-01T00:00:00.000Z"",""forecast_period"":14,""history"":30},""dhcp_config"":{},""name"":""Ip space for 
sensplunk2"",""dhcp_options_v6"":[],""compartment_id"":null};InfobloxResourceId=93e1b4f0-2e3f-11ef-8fc3-42d72888b014;InfobloxResourceType=ip_space;InfobloxResourceDesc=;InfobloxHTTPRespBody={""result"":{""asm_config"":{""asm_threshold"":90,""enable"":true,""enable_notification"":true,""forecast_period"":14,""growth_factor"":20,""growth_type"":""percent"",""history"":30,""min_total"":10,""min_unused"":10,""reenable_date"":""1970-01-01T00:00:00Z""},""asm_scope_flag"":0,""comment"":"""",""compartment_id"":"""",""created_at"":""2024-06-19T13:26:47.080311372Z"",""ddns_client_update"":""client"",""ddns_conflict_resolution_mode"":""check_with_dhcid"",""ddns_domain"":"""",""ddns_generate_name"":false,""ddns_generated_prefix"":""myhost"",""ddns_send_updates"":true,""ddns_ttl_percent"":0,""ddns_update_on_renew"":false,""ddns_use_conflict_resolution"":true,""default_realms"":[],""dhcp_config"":{""abandoned_reclaim_time"":3600,""abandoned_reclaim_time_v6"":3600,""allow_unknown"":true,""allow_unknown_v6"":true,""echo_client_id"":true,""filters"":[],""filters_large_selection"":[],""filters_v6"":[],""ignore_client_uid"":false,""ignore_list"":[],""lease_time"":3600,""lease_time_v6"":3600},""dhcp_options"":[],""dhcp_options_v6"":[],""header_option_filename"":"""",""header_option_server_address"":"""",""header_option_server_name"":"""",""hostname_rewrite_char"":""-"",""hostname_rewrite_enabled"":false,""hostname_rewrite_regex"":""[^a-zA-Z0-9.-]"",""id"":""ipam/ip_space/93e1b4f0-2e3f-11ef-8fc3-42d72888b014"",""inheritance_sources"":null,""name"":""Ip space for 
sensplunk2"",""tags"":null,""threshold"":{""enabled"":false,""high"":0,""low"":0},""updated_at"":""2024-06-19T13:26:47.080311372Z"",""utilization"":{""abandon_utilization"":0,""abandoned"":""0"",""dynamic"":""0"",""free"":""0"",""static"":""0"",""total"":""0"",""used"":""0"",""utilization"":0},""utilization_v6"":{""abandoned"":""0"",""dynamic"":""0"",""static"":""0"",""total"":""0"",""used"":""0""},""vendor_specific_option_option_space"":null}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",Create,ddi,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"{""response"":{""result"":{""id"":""ipam/ip_space/93e1b4f0-2e3f-11ef-8fc3-42d72888b014"",""name"":""Ip space for sensplunk2"",""utilization"":{},""threshold"":{},""dhcp_config"":{""allow_unknown"":true,""lease_time"":3600,""allow_unknown_v6"":true,""lease_time_v6"":3600,""abandoned_reclaim_time"":3600,""abandoned_reclaim_time_v6"":3600,""echo_client_id"":true},""asm_config"":{""enable"":true,""enable_notification"":true,""reenable_date"":{},""min_total"":10,""asm_threshold"":90,""forecast_period"":14,""growth_factor"":20,""growth_type"":""percent"",""history"":30,""min_unused"":10},""created_at"":{""seconds"":1718803607,""nanos"":80311372},""updated_at"":{""seconds"":1718803607,""nanos"":80311372},""ddns_send_updates"":true,""ddns_generated_prefix"":""myhost"",""ddns_use_conflict_resolution"":true,""ddns_client_update"":""client"",""hostname_rewrite_regex"":""[^a-zA-Z0-9.-]"",""hostname_rewrite_char"":""-"",""utilization_v6"":{""total"":""0"",""used"":""0"",""static"":""0"",""dynamic"":""0"",""abandoned"":""0""},""ddns_conflict_resolution_mode"":""check_with_dhcid""}}}",,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.15,,,matt.damon@security.com,,BloxOne Audit 
Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Create,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 2:16:10 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""name"":""25/06""};InfobloxResourceId=d04b58f6-32fa-11ef-9bda-a26b6676565d;InfobloxResourceType=jointoken;InfobloxResourceDesc=;InfobloxHTTPRespBody={""join_token"":""***"",""result"":{""id"":""ngp-cp/join_tokens/d04b58f6-32fa-11ef-9bda-a26b6676565d"",""name"":""25/06"",""status"":""ACTIVE"",""token_id"":""***"",""use_counter"":0},""success"":{""message"":""Created""}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",create,hostactivation,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Join token is created,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.16,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,create,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/21/2024, 9:31:00 AM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,InfobloxEventVersion=;InfobloxHTTPReqBody=;InfobloxResourceId=;InfobloxResourceType=Roaming Device;InfobloxResourceDesc=;InfobloxHTTPRespBody=;InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin 
ib-interactive-user];InfobloxSubjectType=User,UpdateRoamingDevice,atcapi,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ce5277bb842648ac8611753db8016aaf updated,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.17,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,UpdateRoamingDevice,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/21/2024, 9:31:00 AM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,InfobloxEventVersion=;InfobloxHTTPReqBody=;InfobloxResourceId=;InfobloxResourceType=Roaming Device;InfobloxResourceDesc=;InfobloxHTTPRespBody=;InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User,UpdateRoamingDevice,atcapi,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, updated,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.18,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,UpdateRoamingDevice,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/21/2024, 9:31:00 AM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,InfobloxEventVersion=;InfobloxHTTPReqBody=;InfobloxResourceId=208211;InfobloxResourceType=Security Policy;InfobloxResourceDesc=;InfobloxHTTPRespBody=;InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin 
ib-interactive-user];InfobloxSubjectType=User,UpdateSecurityPolicy,atcapi,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Updated Threat_Policy, Details: Security PolicyName: Threat_Policy, AccountID: 2007292, Default: false, Description: , UpdatedAt: 2024-06-20 14:27:05.825786 +0000 +0000, NetworkLists: [], Rules fields:{key:""action"" value:{string_value:""action_block""}} fields:{key:""data"" value:{string_value:""antimalware""}} fields:{key:""description"" value:{string_value:""Suspicious/malicious as destinations: Enables protection against known malicious hostname threats that can take action on or control of your systems, such as Malware Command & Control, Malware Download, and active Phishing sites.""}} fields:{key:""type"" value:{string_value:""named_feed""}} fields:{key:""action"" value:{string_value:""action_block""}} fields:{key:""data"" value:{string_value:""ransomware""}} fields:{key:""description"" value:{string_value:""Suspicious/malicious as destinations: Enables protection against ransomware taking over your system. Ransomware will encrypt files on your system and require you to pay in order to get them decrypted. 
This feed prevents ransomware to contact the servers which it needs to encrypt your files.""}} fields:{key:""type"" value:{string_value:""named_feed""}} fields:{key:""action"" value:{string_value:""action_block""}} fields:{key:""data"" value:{string_value:""suspicious""}} fields:{key:""description"" value:{string_value:""Suspicious destinations: Enables protection against hostnames that have not been directly linked to malicious behavior but behave in a manner that suggests malicious behavior may be imminent.""}} fields:{key:""type"" value:{string_value:""named_feed""}} fields:{key:""action"" value:{string_value:""action_block""}} fields:{key:""data"" value:{string_value:""suspicious-lookalikes""}} fields:{key:""description"" value:{string_value:""These are domains that appear to impersonate other trusted domains, but have demonstrated enough abnormal behavior to warrant concern.""}} fields:{key:""type"" value:{string_value:""named_feed""}} fields:{key:""action"" value:{string_value:""action_log""}} fields:{key:""data"" value:{string_value:""Threat Insight - Data Exfiltration""}} fields:{key:""description"" value:{string_value:""Auto-generated""}} fields:{key:""type"" value:{string_value:""custom_list""}} fields:{key:""action"" value:{string_value:""action_log""}} fields:{key:""data"" value:{string_value:""Threat Insight - DNS Messenger""}} fields:{key:""description"" value:{string_value:""Auto-generated""}} fields:{key:""type"" value:{string_value:""custom_list""}} fields:{key:""action"" value:{string_value:""action_log""}} fields:{key:""data"" value:{string_value:""Threat Insight - Notional Data Exfiltration""}} fields:{key:""description"" value:{string_value:""Auto-generated""}} fields:{key:""type"" value:{string_value:""custom_list""}} fields:{key:""action"" value:{string_value:""action_log""}} fields:{key:""data"" value:{string_value:""Threat Insight - Zero Day DNS""}} fields:{key:""description"" value:{string_value:""Auto-generated""}} fields:{key:""type"" 
value:{string_value:""custom_list""}} fields:{key:""action"" value:{string_value:""action_log""}} fields:{key:""data"" value:{string_value:""Threat Insight - Fast Flux""}} fields:{key:""description"" value:{string_value:""Auto-generated""}} fields:{key:""type"" value:{string_value:""custom_list""}} fields:{key:""action"" value:{string_value:""action_log""}} fields:{key:""data"" value:{string_value:""Threat Insight - DGA""}} fields:{key:""description"" value:{string_value:""Auto-generated""}} fields:{key:""type"" value:{string_value:""custom_list""}}, RoamingDeviceGroups: [954966], DFPs: [], DfpNames: [], DefaultAction: ALLOW, DefaultRedirectName: , ECS: false, UserGroups: [], Priority: 2, OnpremResolve: false, SafeSearch: false, DfpServices: [], ScopeExpr: , Tags: value:""{}"", ScopeTags: [], NetAddressDfps: [], BlockDnsRebindAttack: false",,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.19,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,UpdateSecurityPolicy,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/21/2024, 9:31:01 AM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,InfobloxEventVersion=;InfobloxHTTPReqBody=;InfobloxResourceId=0;InfobloxResourceType=Roaming Device Group;InfobloxResourceDesc=;InfobloxHTTPRespBody=;InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User,UpdatePartialRoamingDeviceGroup,atcapi,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Updated Threat_Management, Details: Name: Threat_Management, Description: , Id: 954966, AccountID: 2007292, PolicyId: 208211, CreatedAt: 2024-05-01 
14:02:40.069104 +0000 +0000, UpdatedAt: 2024-06-20 13:40:43.784547 +0000 +0000, ProbeResponse: 7UXCI9JRNUJ3VSZQ4W1XZ80T4JGM3B3X, ProbeDomain: probe.infoblox.com, ProbeEnabled: true, InternalDomainLists: [792596], RoamingDeviceCount: 0, MaxInactiveDays: 100, AdministrativeStatus: ENABLED, UpgradeWindowEnabled: false, UpgradeWindowTimeofdayStartMins: 0, UpgradeWindowDurationMins: 0, UpgradeWindowWeekdays: 7, UpgradeDeferralIntervalStart: 2024-05-24 15:46:23.368257 +0000 UTC, UpgradeDeferralIntervalEnd: 2024-05-24 15:46:23.368257 +0000 UTC, AuthnProfileId: , AuthnServerPort: 9094, SessionTTL: 28800, LogLevel: INFO, Tags: , PoPRegionID: 0",,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.20,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,UpdatePartialRoamingDeviceGroup,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
\ No newline at end of file
diff --git a/Sample Data/ASIM/Infoblox_BloxOne_ASimDhcpEvent_IngestedLogs.csv b/Sample Data/ASIM/Infoblox_BloxOne_ASimDhcpEvent_IngestedLogs.csv
new file mode 100644
index 0000000000..95beeaa0f0
--- /dev/null
+++ b/Sample Data/ASIM/Infoblox_BloxOne_ASimDhcpEvent_IngestedLogs.csv
@@ -0,0 +1,21 @@ +TenantId,TimeGenerated [UTC],DeviceVendor,DeviceProduct,DeviceVersion,DeviceEventClassID,Activity,LogSeverity,OriginalLogSeverity,AdditionalExtensions,DeviceAction,ApplicationProtocol,EventCount,DestinationDnsDomain,DestinationServiceName,DestinationTranslatedAddress,DestinationTranslatedPort,CommunicationDirection,DeviceDnsDomain,DeviceExternalID,DeviceFacility,DeviceInboundInterface,DeviceNtDomain,DeviceOutboundInterface,DevicePayloadId,ProcessName,DeviceTranslatedAddress,DestinationHostName,DestinationMACAddress,DestinationNTDomain,DestinationProcessId,DestinationUserPrivileges,DestinationProcessName,DestinationPort,DestinationIP,DeviceTimeZone,DestinationUserID,DestinationUserName,DeviceAddress,DeviceName,DeviceMacAddress,ProcessID,EndTime [UTC],ExternalID,ExtID,FileCreateTime,FileHash,FileID,FileModificationTime,FilePath,FilePermission,FileType,FileName,FileSize,ReceivedBytes,Message,OldFileCreateTime,OldFileHash,OldFileID,OldFileModificationTime,OldFileName,OldFilePath,OldFilePermission,OldFileSize,OldFileType,SentBytes,EventOutcome,Protocol,Reason,RequestURL,RequestClientApplication,RequestContext,RequestCookies,RequestMethod,ReceiptTime,SourceHostName,SourceMACAddress,SourceNTDomain,SourceDnsDomain,SourceServiceName,SourceTranslatedAddress,SourceTranslatedPort,SourceProcessId,SourceUserPrivileges,SourceProcessName,SourcePort,SourceIP,StartTime 
[UTC],SourceUserID,SourceUserName,EventType,DeviceEventCategory,DeviceCustomIPv6Address1,DeviceCustomIPv6Address1Label,DeviceCustomIPv6Address2,DeviceCustomIPv6Address2Label,DeviceCustomIPv6Address3,DeviceCustomIPv6Address3Label,DeviceCustomIPv6Address4,DeviceCustomIPv6Address4Label,DeviceCustomFloatingPoint1,DeviceCustomFloatingPoint1Label,DeviceCustomFloatingPoint2,DeviceCustomFloatingPoint2Label,DeviceCustomFloatingPoint3,DeviceCustomFloatingPoint3Label,DeviceCustomFloatingPoint4,DeviceCustomFloatingPoint4Label,DeviceCustomNumber1,FieldDeviceCustomNumber1,DeviceCustomNumber1Label,DeviceCustomNumber2,FieldDeviceCustomNumber2,DeviceCustomNumber2Label,DeviceCustomNumber3,FieldDeviceCustomNumber3,DeviceCustomNumber3Label,DeviceCustomString1,DeviceCustomString1Label,DeviceCustomString2,DeviceCustomString2Label,DeviceCustomString3,DeviceCustomString3Label,DeviceCustomString4,DeviceCustomString4Label,DeviceCustomString5,DeviceCustomString5Label,DeviceCustomString6,DeviceCustomString6Label,DeviceCustomDate1,DeviceCustomDate1Label,DeviceCustomDate2,DeviceCustomDate2Label,FlexDate1,FlexDate1Label,FlexNumber1,FlexNumber1Label,FlexNumber2,FlexNumber2Label,FlexString1,FlexString1Label,FlexString2,FlexString2Label,RemoteIP,RemotePort,MaliciousIP,ThreatSeverity,IndicatorThreatType,ThreatDescription,ThreatConfidence,ReportReferenceLink,MaliciousIPLongitude,MaliciousIPLatitude,MaliciousIPCountry,Computer,SourceSystem,SimplifiedDeviceAction,CollectorHostName,Type,_ResourceId +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:38:01 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease 
Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=1a4c3958-2cde-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_12='armisappliance8153';code_53='\003';code_55='\001\034\002\003\017\006w\014,/\032y*'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,armisappliance8153,00:50:56:92:0f:021,,,,,,,,,,1.1.1.1,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:41:07 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.7.83;InfobloxRangeEnd=10.50.7.90;InfobloxLeaseOp=Update;InfobloxClientID=ff:56:a7:b8:bb:00:01:00:01:2d:fc:56:bb:00:50:56:a7:b8:bb;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=be24ee60-28ba-11ef-9ba7-5aa338a7988f;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_55='\001\034\002\003\017\006w\014,/\032y*';code_61='\377V\247\270\273\000\001\000\001-\374V\273\000PV\247\270\273';code_12='CE';code_53='\003'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ce,00:50:56:92:0f:022,,,,,,,,,,1.1.1.2,,,,,"""DHCP Lease 
Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:41:27 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=01:00:50:56:81:4d:d7;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=5cbf171b-2cdd-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_61='\001\000PV\201M\327';code_81='\000\000\000win-r7j2mdoio5c';code_12='WIN-R7J2MDOIO5C';code_53='\003';code_55='\001\017\003\006,./\037!y\371\374+';code_60='MSFT'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,win-r7j2mdoio5c.,00:50:56:92:0f:023,,,,,,,,,,1.1.1.3,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:43:31 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease 
Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.7.83;InfobloxRangeEnd=10.50.7.90;InfobloxLeaseOp=Update;InfobloxClientID=ff:56:a7:09:19:00:01:00:01:2d:fc:51:c5:00:50:56:a7:09:19;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=c7cf675d-28b7-11ef-9ba7-5aa338a7988f;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_61='\377V\247\t\031\000\001\000\001-\374Q\305\000PV\247\t\031';code_12='CE';code_53='\003';code_55='\001\034\002\003\017\006w\014,/\032y*'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ce,00:50:56:92:0f:024,,,,,,,,,,1.1.1.4,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:44:03 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=ff:56:a7:b6:07:00:01:00:01:2d:df:57:0a:00:50:56:a7:b6:07;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=ca697503-2cdd-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_55='\001\034\002\003\017\006w\014,/\032y*';code_61='\377V\247\266\007\000\001\000\001-\337W\n\000PV\247\266\007';code_12='CE';code_53='\003'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ce,00:50:56:92:0f:025,,,,,,,,,,1.1.1.5,,,,,"""DHCP Lease 
Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:46:10 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=01:00:50:56:81:50:52;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=13ba6378-32d6-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;code_51='\000\000\000<';code_53='\003';code_55='\001\034\002y\003\017\006\014w\032';code_61='\001\000PV\201PR',,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,00:50:56:92:0f:026,,,,,,,,,,1.1.1.6,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:47:43 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=ff:56:a7:63:6d:00:01:00:01:2e:02:c9:c2:00:50:56:a7:63:6d;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=d5782ae0-2c92-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual 
Machine:Windows:;InfobloxDHCPOptions=;""code_53='\003';code_55='\001\034\002\003\017\006w\014,/\032y*';code_61='\377V\247cm\000\001\000\001.\002\311\302\000PV\247cm';code_12='CE'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ce,00:50:56:92:0f:027,,,,,,,,,,1.1.1.7,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:52:21 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=ff:9f:6e:85:24:00:02:00:00:ab:11:6b:cb:20:2b:0f:d1:be:6e;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=b67e515a-2cda-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;code_53='\003';code_55='\001\003\014\017\006\032!y*';code_57='\002@';code_61='\377\237n\205$\000\002\000\000\253\021k\313';code_12='test',,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,test,00:50:56:92:0f:028,,,,,,,,,,1.1.1.8,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:52:37 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease 
Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=00:63:69:73:63:6f:2d:30:30:35:30:2e:35:36:38:31:2e:62:39:39:62:2d:6f:75:74:73:69:64:65:2d:66:69:72:65:70:6f:77:65:72:00;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=9c38cc9b-2cda-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_55='\001\006\017,\003!';code_57='\004\200';code_61='\000cisco-0050.5681.b99b-outside-firepower\000';code_12='firepower';code_53='\003'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,firepower,00:50:56:92:0f:029,,,,,,,,,,1.1.1.9,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:55:49 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.7.83;InfobloxRangeEnd=10.50.7.90;InfobloxLeaseOp=Update;InfobloxClientID=ff:56:a7:c3:f2:00:01:00:01:2d:fc:38:18:00:50:56:a7:c3:f2;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=7a8a18bc-28a8-11ef-9ba7-5aa338a7988f;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual 
Machine:Windows:;InfobloxDHCPOptions=;""code_61='\377V\247\303\362\000\001\000\001-\3748\030\000PV\247\303\362';code_12='CE';code_53='\003';code_55='\001\034\002\003\017\006w\014,/\032y*'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ce,00:50:56:92:0f:030,,,,,,,,,,1.1.1.10,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:01:11 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=5c2fcea3-2cdf-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;code_53='\003';code_55='\001\034\002y\017\006\014()*\032w\003y\371!\374*\021',,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,00:50:56:92:0f:031,,,,,,,,,,1.1.1.11,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:02:53 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease 
Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.7.83;InfobloxRangeEnd=10.50.7.90;InfobloxLeaseOp=Update;InfobloxClientID=ff:56:a7:a9:8f:00:01:00:01:2e:0d:5c:6e:00:50:56:a7:a9:8f;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=204fa2cc-32e0-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_55='\001\034\002\003\017\006w\014,/\032y*';code_61='\377V\247\251\217\000\001\000\001.\r\n\000PV\247\251\217';code_12='CE';code_53='\003'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ce,00:50:56:92:0f:032,,,,,,,,,,1.1.1.12,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:03:23 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=01:00:50:56:81:cb:e7;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=449cf0dc-2cdc-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;code_12='GigaVUE-FM-6501';code_53='\003';code_55='\001\002\006\014\017\032\034y\003!()*w\371\374\021';code_57='\377\377';code_61='\001\000PV\201\313\347',,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,gigavue-fm-6501,00:50:56:92:0f:033,,,,,,,,,,1.1.1.13,,,,,"""DHCP Lease 
Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:04:59 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=abd51188-330c-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=false;InfobloxFingerprint=;InfobloxDHCPOptions=;""code_12='co7';code_50='\n2\010\021';code_53='\003';code_54='\n2\013\022';code_55='\001\034\002y\017\006\014()*\032w\003y\371!\374*\021'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,co7,00:50:56:92:0f:034,,,,,,,,,,1.1.1.14,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:04:59 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=;InfobloxRangeStart=;InfobloxRangeEnd=;InfobloxLeaseOp=Update;InfobloxClientID=;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=abd51188-330c-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual 
Machine:Windows:;InfobloxDHCPOptions=;""code_12='co7';code_50='\n2\010\021';code_53='\003';code_54='\n2\013\022';code_55='\001\034\002y\017\006\014()*\032w\003y\371!\374*\021'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,co7,00:50:56:92:0f:035,,,,,,,,,,1.1.1.15,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:05:29 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=bdb72cf3-330c-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=false;InfobloxFingerprint=;InfobloxDHCPOptions=;""code_12='co7';code_50='\n2\010\022';code_53='\003';code_54='\n2\013\022';code_55='\001\034\002y\017\006\014()*\032w\003y\371!\374*\021'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,co7,00:50:56:92:0f:036,,,,,,,,,,1.1.1.16,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:05:29 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease 
Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=;InfobloxRangeStart=;InfobloxRangeEnd=;InfobloxLeaseOp=Update;InfobloxClientID=;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=bdb72cf3-330c-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_12='co7';code_50='\n2\010\022';code_53='\003';code_54='\n2\013\022';code_55='\001\034\002y\017\006\014()*\032w\003y\371!\374*\021'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,co7,00:50:56:92:0f:037,,,,,,,,,,1.1.1.17,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:06:31 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=1a4c3958-2cde-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_53='\003';code_55='\001\034\002\003\017\006w\014,/\032y*';code_12='armisappliance8153'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,armisappliance8153,00:50:56:92:0f:038,,,,,,,,,,1.1.1.18,,,,,"""DHCP Lease 
Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:06:49 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.7.83;InfobloxRangeEnd=10.50.7.90;InfobloxLeaseOp=Update;InfobloxClientID=ff:56:a7:b8:bb:00:01:00:01:2d:fc:56:bb:00:50:56:a7:b8:bb;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=be24ee60-28ba-11ef-9ba7-5aa338a7988f;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_12='CE';code_53='\003';code_55='\001\034\002\003\017\006w\014,/\032y*';code_61='\377V\247\270\273\000\001\000\001-\374V\273\000PV\247\270\273'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ce,00:50:56:92:0f:039,,,,,,,,,,1.1.1.19,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:11:27 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease 
Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=01:00:50:56:81:4d:d7;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=5cbf171b-2cdd-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_12='WIN-R7J2MDOIO5C';code_53='\003';code_55='\001\017\003\006,./\037!y\371\374+';code_60='MSFT';code_61='\001\000PV\201M\327';code_81='\000\000\000win-r7j2mdoio5c'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,win-r7j2mdoio5c.,00:50:56:92:0f:040,,,,,,,,,,1.1.1.20,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 \ No newline at end of file diff --git a/Sample Data/ASIM/Infoblox_BloxOne_ASimDns_IngestedLogs.csv b/Sample Data/ASIM/Infoblox_BloxOne_ASimDns_IngestedLogs.csv new file mode 100644 index 0000000000..c67c193d20 --- /dev/null +++ b/Sample Data/ASIM/Infoblox_BloxOne_ASimDns_IngestedLogs.csv 
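Review bot: The SourceMACAddress values in every row (`00:50:56:92:0f:021` through `00:50:56:92:0f:040`) end in a three-hex-digit group, so they are not well-formed EUI-48 addresses; if the DHCP parser maps this column to SrcMacAddr, a MAC-format check in the schema tester may flag them, and a valid form such as `00:50:56:92:0f:21` would exercise the mapping honestly. The rows timestamped 3:46:10 PM, 3:52:21 PM, 4:01:11 PM and 4:03:23 PM carry AdditionalExtensions unquoted, so their InfobloxDHCPOptions value has no surrounding quote characters, whereas the quoted rows keep a literal `"` pair around the option list (`;""code_12='CE';...""`); the parser's option extraction, which is not in this chunk, should be tested against both forms since the sample set presumably drives the data tester. SourceIP uses 1.1.1.1–1.1.1.20, which is a live public address range; sample data is conventionally drawn from the RFC 5737 documentation ranges (e.g. 192.0.2.0/24) so that fixtures never point at a real third-party host.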
@@ -0,0 +1,21 @@ +TenantId,TimeGenerated [UTC],DeviceVendor,DeviceProduct,DeviceVersion,DeviceEventClassID,Activity,LogSeverity,OriginalLogSeverity,AdditionalExtensions,DeviceAction,ApplicationProtocol,EventCount,DestinationDnsDomain,DestinationServiceName,DestinationTranslatedAddress,DestinationTranslatedPort,CommunicationDirection,DeviceDnsDomain,DeviceExternalID,DeviceFacility,DeviceInboundInterface,DeviceNtDomain,DeviceOutboundInterface,DevicePayloadId,ProcessName,DeviceTranslatedAddress,DestinationHostName,DestinationMACAddress,DestinationNTDomain,DestinationProcessId,DestinationUserPrivileges,DestinationProcessName,DestinationPort,DestinationIP,DeviceTimeZone,DestinationUserID,DestinationUserName,DeviceAddress,DeviceName,DeviceMacAddress,ProcessID,EndTime [UTC],ExternalID,ExtID,FileCreateTime,FileHash,FileID,FileModificationTime,FilePath,FilePermission,FileType,FileName,FileSize,ReceivedBytes,Message,OldFileCreateTime,OldFileHash,OldFileID,OldFileModificationTime,OldFileName,OldFilePath,OldFilePermission,OldFileSize,OldFileType,SentBytes,EventOutcome,Protocol,Reason,RequestURL,RequestClientApplication,RequestContext,RequestCookies,RequestMethod,ReceiptTime,SourceHostName,SourceMACAddress,SourceNTDomain,SourceDnsDomain,SourceServiceName,SourceTranslatedAddress,SourceTranslatedPort,SourceProcessId,SourceUserPrivileges,SourceProcessName,SourcePort,SourceIP,StartTime 
[UTC],SourceUserID,SourceUserName,EventType,DeviceEventCategory,DeviceCustomIPv6Address1,DeviceCustomIPv6Address1Label,DeviceCustomIPv6Address2,DeviceCustomIPv6Address2Label,DeviceCustomIPv6Address3,DeviceCustomIPv6Address3Label,DeviceCustomIPv6Address4,DeviceCustomIPv6Address4Label,DeviceCustomFloatingPoint1,DeviceCustomFloatingPoint1Label,DeviceCustomFloatingPoint2,DeviceCustomFloatingPoint2Label,DeviceCustomFloatingPoint3,DeviceCustomFloatingPoint3Label,DeviceCustomFloatingPoint4,DeviceCustomFloatingPoint4Label,DeviceCustomNumber1,FieldDeviceCustomNumber1,DeviceCustomNumber1Label,DeviceCustomNumber2,FieldDeviceCustomNumber2,DeviceCustomNumber2Label,DeviceCustomNumber3,FieldDeviceCustomNumber3,DeviceCustomNumber3Label,DeviceCustomString1,DeviceCustomString1Label,DeviceCustomString2,DeviceCustomString2Label,DeviceCustomString3,DeviceCustomString3Label,DeviceCustomString4,DeviceCustomString4Label,DeviceCustomString5,DeviceCustomString5Label,DeviceCustomString6,DeviceCustomString6Label,DeviceCustomDate1,DeviceCustomDate1Label,DeviceCustomDate2,DeviceCustomDate2Label,FlexDate1,FlexDate1Label,FlexNumber1,FlexNumber1Label,FlexNumber2,FlexNumber2Label,FlexString1,FlexString1Label,FlexString2,FlexString2Label,RemoteIP,RemotePort,MaliciousIP,ThreatSeverity,IndicatorThreatType,ThreatDescription,ThreatConfidence,ReportReferenceLink,MaliciousIPLongitude,MaliciousIPLatitude,MaliciousIPCountry,Computer,SourceSystem,SimplifiedDeviceAction,CollectorHostName,Type,_ResourceId +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:19 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A 
NOERROR,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NOERROR;InfobloxAnCount=1;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Technology - Other",,DNS,,www.example.com.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.1,2.2.2.2,,,,,,,,,,,,,,,,"""www.example.com. 291 IN A 93.184.215.14""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:19 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Technology - Other",,DNS,,www.example.com.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.2,2.2.2.3,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:19 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A 
SERVFAIL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=SERVFAIL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Unreachable",,DNS,,ip.parrotdns.com.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.3,2.2.2.4,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.5,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:19 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A NOERROR,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NOERROR;InfobloxAnCount=1;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Information Security",,DNS,,dnsscan.shadowserver.org.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.4,2.2.2.5,,,,,,,,,,,,,,,,"""dnsscan.shadowserver.org. 
7199 IN A 184.105.143.133""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:19 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.5,2.2.2.6,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:24 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY 
NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.6,2.2.2.7,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.8,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:25 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.7,2.2.2.8,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:31 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY 
NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.8,2.2.2.9,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:33 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.9,2.2.2.10,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.11,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:34 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY 
NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.10,2.2.2.11,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.12,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:46 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.11,2.2.2.12,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.13,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:54 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY 
NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.12,2.2.2.13,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:58 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.13,2.2.2.14,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.15,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:59 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A 
NXDOMAIN,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NXDOMAIN;InfobloxAnCount=0;InfobloxNsCount=1;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,nxbot4000.axsgvadw.net.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.14,2.2.2.15,,,,,,,,,,,,,,,,"""net. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1719330141 1800 900 604800 86400""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.16,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:59 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A NXDOMAIN,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NXDOMAIN;InfobloxAnCount=0;InfobloxNsCount=1;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,nxbot4001.axsgvadw.net.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.15,2.2.2.16,,,,,,,,,,,,,,,,"""net. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 
1719330141 1800 900 604800 86400""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.17,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:59 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A NXDOMAIN,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NXDOMAIN;InfobloxAnCount=0;InfobloxNsCount=1;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,nxbot4002.axsgvadw.net.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.16,2.2.2.17,,,,,,,,,,,,,,,,"""net. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 
1719330141 1800 900 604800 86400""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.18,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:59 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A NXDOMAIN,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NXDOMAIN;InfobloxAnCount=0;InfobloxNsCount=1;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,nxbot4003.axsgvadw.net.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.17,2.2.2.18,,,,,,,,,,,,,,,,"""net. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 
1719330141 1800 900 604800 86400""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.19,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:59 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A NXDOMAIN,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NXDOMAIN;InfobloxAnCount=0;InfobloxNsCount=1;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,nxbot4004.axsgvadw.net.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.18,2.2.2.19,,,,,,,,,,,,,,,,"""net. 899 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 
1719330141 1800 900 604800 86400""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.20,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:59 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A NXDOMAIN,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NXDOMAIN;InfobloxAnCount=0;InfobloxNsCount=1;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,nxbot4005.axsgvadw.net.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.19,2.2.2.20,,,,,,,,,,,,,,,,"""net. 899 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 
1719330141 1800 900 604800 86400""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.21,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:59 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A NXDOMAIN,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NXDOMAIN;InfobloxAnCount=0;InfobloxNsCount=1;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,nxbot4006.axsgvadw.net.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.20,2.2.2.21,,,,,,,,,,,,,,,,"""net. 899 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1719330141 1800 900 604800 86400""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.22,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 \ No newline at end of file From 344ff7545ca3948472a8798f881a9f779032a7f5 Mon Sep 17 00:00:00 2001 
From: "nipun.brahmbhatt@crestdatasys.com" Date: Wed, 11 Sep 2024 15:42:18 +0530 Subject: [PATCH 02/11] Changed Sample Data file name --- ...estedLogs.csv => Infoblox_BloxOne_AuditEvent_IngestedLogs.csv} | 0 ...gestedLogs.csv => Infoblox_BloxOne_DhcpEvent_IngestedLogs.csv} | 0 ...Dns_IngestedLogs.csv => Infoblox_BloxOne_Dns_IngestedLogs.csv} | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename Sample Data/ASIM/{Infoblox_BloxOne_ASimAuditEvent_IngestedLogs.csv => Infoblox_BloxOne_AuditEvent_IngestedLogs.csv} (100%) rename Sample Data/ASIM/{Infoblox_BloxOne_ASimDhcpEvent_IngestedLogs.csv => Infoblox_BloxOne_DhcpEvent_IngestedLogs.csv} (100%) rename Sample Data/ASIM/{Infoblox_BloxOne_ASimDns_IngestedLogs.csv => Infoblox_BloxOne_Dns_IngestedLogs.csv} (100%) diff --git a/Sample Data/ASIM/Infoblox_BloxOne_ASimAuditEvent_IngestedLogs.csv b/Sample Data/ASIM/Infoblox_BloxOne_AuditEvent_IngestedLogs.csv similarity index 100% rename from Sample Data/ASIM/Infoblox_BloxOne_ASimAuditEvent_IngestedLogs.csv rename to Sample Data/ASIM/Infoblox_BloxOne_AuditEvent_IngestedLogs.csv diff --git a/Sample Data/ASIM/Infoblox_BloxOne_ASimDhcpEvent_IngestedLogs.csv b/Sample Data/ASIM/Infoblox_BloxOne_DhcpEvent_IngestedLogs.csv similarity index 100% rename from Sample Data/ASIM/Infoblox_BloxOne_ASimDhcpEvent_IngestedLogs.csv rename to Sample Data/ASIM/Infoblox_BloxOne_DhcpEvent_IngestedLogs.csv diff --git a/Sample Data/ASIM/Infoblox_BloxOne_ASimDns_IngestedLogs.csv b/Sample Data/ASIM/Infoblox_BloxOne_Dns_IngestedLogs.csv similarity index 100% rename from Sample Data/ASIM/Infoblox_BloxOne_ASimDns_IngestedLogs.csv rename to Sample Data/ASIM/Infoblox_BloxOne_Dns_IngestedLogs.csv From 277d8648d2b3e9b06b86c535f3d8904dff28274b Mon Sep 17 00:00:00 2001 
From: "nipun.brahmbhatt@crestdatasys.com" Date: Thu, 12 Sep 2024 18:01:39 +0530 Subject: [PATCH 03/11] Added changes in Parser and Sample logs --- .../ASimAuditEventInfobloxBloxOne.yaml | 24 +++++++++-- .../Parsers/vimAuditEventInfobloxBloxOne.yaml | 7 ++-- .../ASimDhcpEvent/Parsers/ASimDhcpEvent.yaml | 4 +- .../Parsers/ASimDhcpEventInfobloxBloxOne.yaml | 22 +++++----- .../Parsers/vimDhcpEventInfobloxBloxOne.yaml | 18 +++++---- .../Parsers/ASimDnsInfobloxBloxOne.yaml | 7 ++-- .../Parsers/vimDnsInfobloxBloxOne.yaml | 16 +++++--- ...foblox_BloxOne_AuditEvent_IngestedLogs.csv | 28 ++++++------- ...nfoblox_BloxOne_DhcpEvent_IngestedLogs.csv | 16 ++++---- .../Infoblox_BloxOne_Dns_IngestedLogs.csv | 40 +++++++++---------- 10 files changed, 105 insertions(+), 77 deletions(-) diff --git a/Parsers/ASimAuditEvent/Parsers/ASimAuditEventInfobloxBloxOne.yaml b/Parsers/ASimAuditEvent/Parsers/ASimAuditEventInfobloxBloxOne.yaml index 90dc0edd45..8ce7737f52 100644 --- a/Parsers/ASimAuditEvent/Parsers/ASimAuditEventInfobloxBloxOne.yaml +++ b/Parsers/ASimAuditEvent/Parsers/ASimAuditEventInfobloxBloxOne.yaml @@ -1,7 +1,7 @@ Parser: Title: AuditEvent ASIM parser for Infoblox BloxOne Version: '0.1.0' - LastUpdated: Jun 26 2024 + LastUpdated: September 11, 2024 Product: Name: Infoblox BloxOne Normalization: @@ -11,7 +11,7 @@ References: - Title: ASIM AuditEvent Schema Link: https://aka.ms/ASimAuditEventDoc - Title: ASIM - Link: https:/aka.ms/AboutASIM + Link: https://aka.ms/AboutASIM - Title: Infoblox BloxOne Documentation - Link: https://docs.infoblox.com/space/BloxOneThreatDefense/35406922/DNS+Query%2FResponse+Log+Message+Mapping Description: | 
@@ -37,6 +37,22 @@ ParserQuery: "9", "High", "10", "High" ]; + let OperationLookup = datatable (DeviceAction:string, Object:string, ObjectType:string) + [ + "CreateSecurityPolicy", "Security Policy", "Policy Role", + "UpdateSecurityPolicy", "Security Policy", "Policy", + "Create", "Network Resource", "Service", + "Update", "Network Resource", "Service", + "Restore", "Infoblox Resource", "Service", + "CreateOrGetDoHFQDN", "DOHFQDN", "Service", + "CreateOrUpdateDfpService", "Dfp Service", "Service", + "MoveToRecyclebin", "Recyclebin", "Other", + "CreateCategoryFilter", "Category Filter", "Other", + "GetLookalikeThreatCounts", "Lookalike Threat Counts", "Other", + "GetLookalikeDomainCounts", "Lookalike Domain Counts", "Other", + "CreateRoamingDeviceGroup", "Roaming Device Group", "Configuration Atom", + "UpdatePartialRoamingDeviceGroup", "Partial Roaming Device Group", "Configuration Atom" + ]; let parser = (disabled:bool=false) { CommonSecurityLog | where not(disabled) @@ -44,6 +60,7 @@ ParserQuery: and DeviceEventClassID has "AUDIT" | parse-kv AdditionalExtensions as (InfobloxHTTPReqBody:string, InfobloxHTTPRespBody:string) with (pair_delimiter=";", kv_delimiter="=") | lookup EventSeverityLookup on LogSeverity + | lookup OperationLookup on DeviceAction | invoke _ASIM_ResolveDvcFQDN('CollectorHostName') | project-rename EventResult = EventOutcome, @@ -52,7 +69,8 @@ ParserQuery: SrcIpAddr = SourceIP, EventOriginalSeverity = LogSeverity, EventMessage = Message, - EventOriginalType = DeviceEventCategory + EventOriginalType = DeviceEventCategory, + EventUid = _ItemId | extend Dvc = DvcHostname, EventEndTime = TimeGenerated, diff --git a/Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml b/Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml index 38b3024d0d..429c747e30 100644 --- a/Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml +++ b/Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml 
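Review bot: In the OperationLookup datatable added at `@@ -37,6 +37,22 @@`, `"CreateSecurityPolicy"` maps to ObjectType `"Policy Role"` while `"UpdateSecurityPolicy"` maps to `"Policy"`; both operations act on the same Object, so one ObjectType looks like a typo and the row should probably read `"CreateSecurityPolicy", "Security Policy", "Policy",`. As I read Kusto's `lookup`, the `| lookup OperationLookup on DeviceAction` added in `@@ -44,6 +60,7 @@` matches DeviceAction by exact, case-sensitive equality, so an action name that differs in casing or is not listed silently leaves Object and ObjectType empty rather than failing. A short comment above the table stating that unmatched actions yield empty Object/ObjectType, and naming the BloxOne audit-log source the action strings were taken from, would help whoever extends it. The parser function continues outside the hunk.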
@@ -1,7 +1,7 @@ Parser: Title: AuditEvent ASIM parser for Infoblox BloxOne Version: '0.1.0' - LastUpdated: Jun 26 2024 + LastUpdated: September 11, 2024 Product: Name: Infoblox BloxOne Normalization: @@ -11,7 +11,7 @@ References: - Title: ASIM AuditEvent Schema Link: https://aka.ms/ASimAuditEventDoc - Title: ASIM - Link: https:/aka.ms/AboutASIM + Link: https://aka.ms/AboutASIM - Title: Infoblox BloxOne Documentation Link: https://docs.infoblox.com/space/BloxOneThreatDefense Description: | @@ -97,7 +97,8 @@ ParserQuery: | SrcIpAddr = SourceIP, EventOriginalSeverity = LogSeverity, EventMessage = Message, - EventOriginalType = DeviceEventCategory + EventOriginalType = DeviceEventCategory, + EventUid = _ItemId | extend Dvc = DvcHostname, EventEndTime = TimeGenerated, diff --git a/Parsers/ASimDhcpEvent/Parsers/ASimDhcpEvent.yaml b/Parsers/ASimDhcpEvent/Parsers/ASimDhcpEvent.yaml index 831a35b604..108eeeb11a 100644 --- a/Parsers/ASimDhcpEvent/Parsers/ASimDhcpEvent.yaml +++ b/Parsers/ASimDhcpEvent/Parsers/ASimDhcpEvent.yaml @@ -23,7 +23,7 @@ ParserQuery: | union isfuzzy=true vimDhcpEventEmpty, ASimDhcpEventNative (disabled=(ASimBuiltInDisabled or ('ExcludeASimDhcpEventNative' in (DisabledParsers)))), - ASimDhcpInfobloxBloxOne (disabled=(ASimBuiltInDisabled or ('ExcludeASimDhcpInfobloxBloxOne' in (DisabledParsers)))) + ASimDhcpEventInfobloxBloxOne (disabled=(ASimBuiltInDisabled or ('ExcludeASimDhcpInfobloxBloxOne' in (DisabledParsers)))) }; parser (pack=pack) ParserParams: @@ -33,4 +33,4 @@ ParserParams: Parsers: - _Im_DhcpEvent_Empty - _ASim_DhcpEvent_Native - - _ASim_Dhcp_InfobloxBloxOne + - _ASim_DhcpEvent_InfobloxBloxOne diff --git a/Parsers/ASimDhcpEvent/Parsers/ASimDhcpEventInfobloxBloxOne.yaml b/Parsers/ASimDhcpEvent/Parsers/ASimDhcpEventInfobloxBloxOne.yaml index ac07193de0..d283a52e96 100644 --- a/Parsers/ASimDhcpEvent/Parsers/ASimDhcpEventInfobloxBloxOne.yaml +++ b/Parsers/ASimDhcpEvent/Parsers/ASimDhcpEventInfobloxBloxOne.yaml 
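Review bot: The `@@ -23,7 +23,7 @@` hunk of ASimDhcpEvent.yaml renames the called parser to `ASimDhcpEventInfobloxBloxOne` but leaves the DisabledParsers key as `'ExcludeASimDhcpInfobloxBloxOne'`, so the exclusion key no longer follows the parser name the way the sibling entry does (`'ExcludeASimDhcpEventNative'` for `ASimDhcpEventNative`). Unless existing deployments already depend on the old key, the line should read `ASimDhcpEventInfobloxBloxOne (disabled=(ASimBuiltInDisabled or ('ExcludeASimDhcpEventInfobloxBloxOne' in (DisabledParsers))))`. The `@@ -33,4 +33,4 @@` hunk already updates the Parsers list to `_ASim_DhcpEvent_InfobloxBloxOne`, so only the key is out of step.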
@@ -1,23 +1,23 @@ Parser: - Title: Dhcp ASIM parser for Infoblox BloxOne + Title: DhcpEvent ASIM parser for Infoblox BloxOne Version: '0.1.0' - LastUpdated: Jun 21 2024 + LastUpdated: September 11, 2024 Product: Name: Infoblox BloxOne Normalization: - Schema: Dhcp + Schema: DhcpEvent Version: '0.1' References: -- Title: ASIM Dhcp Schema - Link: https://aka.ms/ASimDhcpDoc +- Title: ASIM DhcpEvent Schema + Link: https://aka.ms/ASimDhcpEventDoc - Title: ASIM - Link: https:/aka.ms/AboutASIM + Link: https://aka.ms/AboutASIM - Title: Infoblox BloxOne Documentation Link: https://docs.infoblox.com/space/BloxOneThreatDefense Description: | - This ASIM parser supports normalizing Dhcp logs from Infoblox BloxOne to the ASIM Dhcp normalized schema. These events are captured through the Azure Monitor Agent (AMA) which are sent by the Data Connector Service of Infoblox BloxOne. -ParserName: ASimDhcpInfobloxBloxOne -EquivalentBuiltInParser: _ASim_Dhcp_InfobloxBloxOne + This ASIM parser supports normalizing Dhcp logs from Infoblox BloxOne to the ASIM DhcpEvent normalized schema. These events are captured through the Azure Monitor Agent (AMA) which are sent by the Data Connector Service of Infoblox BloxOne. +ParserName: ASimDhcpEventInfobloxBloxOne +EquivalentBuiltInParser: _ASim_DhcpEvent_InfobloxBloxOne ParserParams: - Name: disabled Type: bool @@ -52,7 +52,9 @@ ParserQuery: SrcMacAddr = SourceMACAddress, DhcpLeaseDuration = InfoBloxLifeTime, DhcpSrcDHCId = InfoBloxClientId, - EventOriginalSeverity = LogSeverity + EventOriginalSeverity = LogSeverity, + EventOriginalType = DeviceEventCategory, + EventUid = _ItemId | extend EventEndTime = TimeGenerated, EventStartTime = TimeGenerated, diff --git a/Parsers/ASimDhcpEvent/Parsers/vimDhcpEventInfobloxBloxOne.yaml b/Parsers/ASimDhcpEvent/Parsers/vimDhcpEventInfobloxBloxOne.yaml index f577579911..d56d4f9911 100644 --- a/Parsers/ASimDhcpEvent/Parsers/vimDhcpEventInfobloxBloxOne.yaml 
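Review bot: The Description in the `@@ -1,23 +1,23 @@` hunk still says "normalizing Dhcp logs" even though Title, Schema, ParserName and EquivalentBuiltInParser were all renamed to DhcpEvent in the same hunk, and the vim counterpart in this commit already says "normalizing DhcpEvent logs". For consistency the line should read `This ASIM parser supports normalizing DhcpEvent logs from Infoblox BloxOne to the ASIM DhcpEvent normalized schema. These events are captured through the Azure Monitor Agent (AMA) which are sent by the Data Connector Service of Infoblox BloxOne.`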
+++ b/Parsers/ASimDhcpEvent/Parsers/vimDhcpEventInfobloxBloxOne.yaml @@ -1,21 +1,21 @@ Parser: - Title: Dhcp ASIM parser for Infoblox BloxOne + Title: DhcpEvent ASIM parser for Infoblox BloxOne Version: '0.1.0' - LastUpdated: Jun 21 2024 + LastUpdated: September 11, 2024 Product: Name: Infoblox BloxOne Normalization: - Schema: Dhcp + Schema: DhcpEvent Version: '0.1' References: -- Title: ASIM Dhcp Schema - Link: https://aka.ms/ASimDhcpDoc +- Title: ASIM DhcpEvent Schema + Link: https://aka.ms/ASimDhcpEventDoc - Title: ASIM - Link: https:/aka.ms/AboutASIM + Link: https://aka.ms/AboutASIM - Title: Infoblox BloxOne Documentation Link: https://docs.infoblox.com/space/BloxOneThreatDefense Description: | - This ASIM parser supports normalizing Dhcp logs from Infoblox BloxOne to the ASIM Dhcp normalized schema. These events are captured through the Azure Monitor Agent (AMA) which are sent by the Data Connector Service of Infoblox BloxOne. + This ASIM parser supports normalizing DhcpEvent logs from Infoblox BloxOne to the ASIM DhcpEvent normalized schema. These events are captured through the Azure Monitor Agent (AMA) which are sent by the Data Connector Service of Infoblox BloxOne. ParserName: vimDhcpEventInfobloxBloxOne EquivalentBuiltInParser: _Im_DhcpEvent_InfobloxBloxOne ParserParams: @@ -84,7 +84,9 @@ ParserQuery: | SrcMacAddr = SourceMACAddress, DhcpLeaseDuration = InfoBloxLifeTime, DhcpSrcDHCId = InfoBloxClientId, - EventOriginalSeverity = LogSeverity + EventOriginalSeverity = LogSeverity, + EventOriginalType = DeviceEventCategory, + EventUid = _ItemId | extend EventEndTime = TimeGenerated, EventStartTime = TimeGenerated, diff --git a/Parsers/ASimDns/Parsers/ASimDnsInfobloxBloxOne.yaml b/Parsers/ASimDns/Parsers/ASimDnsInfobloxBloxOne.yaml index 692f5bdb3f..e04118908d 100644 --- a/Parsers/ASimDns/Parsers/ASimDnsInfobloxBloxOne.yaml +++ b/Parsers/ASimDns/Parsers/ASimDnsInfobloxBloxOne.yaml 
@@ -1,7 +1,7 @@ Parser: Title: Dns ASIM parser for Infoblox BloxOne Version: '0.1.0' - LastUpdated: Jun 21 2024 + LastUpdated: September 11, 2024 Product: Name: Infoblox BloxOne Normalization: @@ -11,7 +11,7 @@ References: - Title: ASIM Dns Schema Link: https://aka.ms/ASimDnsDoc - Title: ASIM - Link: https:/aka.ms/AboutASIM + Link: https://aka.ms/AboutASIM - Title: Infoblox BloxOne Documentation Link: https://docs.infoblox.com/space/BloxOneThreatDefense Description: | @@ -166,7 +166,8 @@ ParserQuery: EventOriginalSeverity = LogSeverity, EventOriginalType = Activity, SrcUsername = SourceUserName, - SrcPortNumber = SourcePort + SrcPortNumber = SourcePort, + EventUid = _ItemId | extend Dvc = coalesce(DvcHostname, DvcIpAddr), EventEndTime = TimeGenerated, diff --git a/Parsers/ASimDns/Parsers/vimDnsInfobloxBloxOne.yaml b/Parsers/ASimDns/Parsers/vimDnsInfobloxBloxOne.yaml index 51428a9a03..c3dce62a44 100644 --- a/Parsers/ASimDns/Parsers/vimDnsInfobloxBloxOne.yaml +++ b/Parsers/ASimDns/Parsers/vimDnsInfobloxBloxOne.yaml @@ -1,7 +1,7 @@ Parser: Title: Dns ASIM parser for Infoblox BloxOne Version: '0.1.0' - LastUpdated: Jun 21 2024 + LastUpdated: September 11, 2024 Product: Name: Infoblox BloxOne Normalization: @@ -11,7 +11,7 @@ References: - Title: ASIM Dns Schema Link: https://aka.ms/ASimDnsDoc - Title: ASIM - Link: https:/aka.ms/AboutASIM + Link: https://aka.ms/AboutASIM - Title: Infoblox BloxOne Documentation Link: https://docs.infoblox.com/space/BloxOneThreatDefense Description: | 
@@ -189,10 +189,15 @@ ParserQuery: | and DeviceVendor == "Infoblox" and DeviceEventClassID has "DNS" and (srcipaddr=="*" or has_ipv4(SourceIP, srcipaddr)) - and array_length(domain_has_any) == 0 and response_has_ipv4 == '*' and array_length(response_has_any_prefix) == 0 + | project-rename + DnsQuery = DestinationDnsDomain, + | extend + DnsQuery = iff(substring(DnsQuery, strlen(DnsQuery) - 1, 1) == ".", substring(DnsQuery, 0, strlen(DnsQuery) - 1), DnsQuery) + | where array_length(domain_has_any) == 0 or DnsQuery has_any (domain_has_any) | parse-kv AdditionalExtensions as (InfobloxDNSRCode:string, InfobloxDNSQType:string) with (pair_delimiter=";", kv_delimiter="=") + | where responsecodename == '*' or (InfobloxDNSRCode =~ responsecodename) | project-rename EventResultDetails = InfobloxDNSRCode, DnsQueryTypeName = InfobloxDNSQType @@ -202,19 +207,18 @@ ParserQuery: | | lookup DnsResponseCodeLookup on EventResultDetails | invoke _ASIM_ResolveDvcFQDN('DeviceName') | project-rename - DnsQuery = DestinationDnsDomain, DvcIpAddr = DeviceAddress, SrcIpAddr = SourceIP, EventMessage = Message, EventOriginalSeverity = LogSeverity, EventOriginalType = Activity, SrcUsername = SourceUserName, - SrcPortNumber = SourcePort + SrcPortNumber = SourcePort, + EventUid = _ItemId | extend Dvc = coalesce(DvcHostname, DvcIpAddr), EventEndTime = TimeGenerated, EventResult = iff(EventResultDetails == "NOERROR", "Success", "Failure"), - DnsQuery = iff(substring(DnsQuery, strlen(DnsQuery) - 1, 1) == ".", substring(DnsQuery, 0, strlen(DnsQuery) - 1), DnsQuery), EventStartTime = TimeGenerated, Src = SrcIpAddr, SrcUsernameType = _ASIM_GetUsernameType(SrcUsername), diff --git a/Sample Data/ASIM/Infoblox_BloxOne_AuditEvent_IngestedLogs.csv b/Sample Data/ASIM/Infoblox_BloxOne_AuditEvent_IngestedLogs.csv index 04f0c8dc8e..27a552d487 100644 --- a/Sample Data/ASIM/Infoblox_BloxOne_AuditEvent_IngestedLogs.csv +++ b/Sample Data/ASIM/Infoblox_BloxOne_AuditEvent_IngestedLogs.csv 
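Review bot: The added `| project-rename DnsQuery = DestinationDnsDomain,` in `@@ -189,10 +189,15 @@` carries a trailing comma before the following `| extend`, apparently left over from moving the line out of the multi-column project-rename further down; if the Kusto parser rejects a trailing comma there, the whole vimDnsInfobloxBloxOne function fails to compile, so it should read `| project-rename DnsQuery = DestinationDnsDomain` — worth confirming with the schema and data tester runs. The reordering itself is sound: stripping the trailing dot before `DnsQuery has_any (domain_has_any)` lets callers' domain filters match without the root-label dot, and the new `responsecodename` check is applied to the raw `InfobloxDNSRCode` before it is renamed to EventResultDetails. The unchanged `response_has_ipv4 == '*' and array_length(response_has_any_prefix) == 0` condition still means the parser returns no rows whenever a caller passes a response filter; stating that limitation in the parser Description would save users of the unifying parser from a silent empty result. The parser function starts and continues outside the hunk.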
@@ -1,21 +1,21 @@ TenantId,TimeGenerated [UTC],DeviceVendor,DeviceProduct,DeviceVersion,DeviceEventClassID,Activity,LogSeverity,OriginalLogSeverity,AdditionalExtensions,DeviceAction,ApplicationProtocol,EventCount,DestinationDnsDomain,DestinationServiceName,DestinationTranslatedAddress,DestinationTranslatedPort,CommunicationDirection,DeviceDnsDomain,DeviceExternalID,DeviceFacility,DeviceInboundInterface,DeviceNtDomain,DeviceOutboundInterface,DevicePayloadId,ProcessName,DeviceTranslatedAddress,DestinationHostName,DestinationMACAddress,DestinationNTDomain,DestinationProcessId,DestinationUserPrivileges,DestinationProcessName,DestinationPort,DestinationIP,DeviceTimeZone,DestinationUserID,DestinationUserName,DeviceAddress,DeviceName,DeviceMacAddress,ProcessID,EndTime [UTC],ExternalID,ExtID,FileCreateTime,FileHash,FileID,FileModificationTime,FilePath,FilePermission,FileType,FileName,FileSize,ReceivedBytes,Message,OldFileCreateTime,OldFileHash,OldFileID,OldFileModificationTime,OldFileName,OldFilePath,OldFilePermission,OldFileSize,OldFileType,SentBytes,EventOutcome,Protocol,Reason,RequestURL,RequestClientApplication,RequestContext,RequestCookies,RequestMethod,ReceiptTime,SourceHostName,SourceMACAddress,SourceNTDomain,SourceDnsDomain,SourceServiceName,SourceTranslatedAddress,SourceTranslatedPort,SourceProcessId,SourceUserPrivileges,SourceProcessName,SourcePort,SourceIP,StartTime 
[UTC],SourceUserID,SourceUserName,EventType,DeviceEventCategory,DeviceCustomIPv6Address1,DeviceCustomIPv6Address1Label,DeviceCustomIPv6Address2,DeviceCustomIPv6Address2Label,DeviceCustomIPv6Address3,DeviceCustomIPv6Address3Label,DeviceCustomIPv6Address4,DeviceCustomIPv6Address4Label,DeviceCustomFloatingPoint1,DeviceCustomFloatingPoint1Label,DeviceCustomFloatingPoint2,DeviceCustomFloatingPoint2Label,DeviceCustomFloatingPoint3,DeviceCustomFloatingPoint3Label,DeviceCustomFloatingPoint4,DeviceCustomFloatingPoint4Label,DeviceCustomNumber1,FieldDeviceCustomNumber1,DeviceCustomNumber1Label,DeviceCustomNumber2,FieldDeviceCustomNumber2,DeviceCustomNumber2Label,DeviceCustomNumber3,FieldDeviceCustomNumber3,DeviceCustomNumber3Label,DeviceCustomString1,DeviceCustomString1Label,DeviceCustomString2,DeviceCustomString2Label,DeviceCustomString3,DeviceCustomString3Label,DeviceCustomString4,DeviceCustomString4Label,DeviceCustomString5,DeviceCustomString5Label,DeviceCustomString6,DeviceCustomString6Label,DeviceCustomDate1,DeviceCustomDate1Label,DeviceCustomDate2,DeviceCustomDate2Label,FlexDate1,FlexDate1Label,FlexNumber1,FlexNumber1Label,FlexNumber2,FlexNumber2Label,FlexString1,FlexString1Label,FlexString2,FlexString2Label,RemoteIP,RemotePort,MaliciousIP,ThreatSeverity,IndicatorThreatType,ThreatDescription,ThreatConfidence,ReportReferenceLink,MaliciousIPLongitude,MaliciousIPLatitude,MaliciousIPCountry,Computer,SourceSystem,SimplifiedDeviceAction,CollectorHostName,Type,_ResourceId -asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:14:45 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,InfobloxEventVersion=;InfobloxHTTPReqBody=;InfobloxResourceId=d04b58f6-32fa-11ef-9bda-a26b6676565d;InfobloxResourceType=jointoken;InfobloxResourceDesc=;InfobloxHTTPRespBody={};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin 
ib-interactive-user];InfobloxSubjectType=User,delete,hostactivation,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Join token is deleted,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.1,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,delete,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:15:56 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""name"":""25-06""};InfobloxResourceId=32a6ffa2-330e-11ef-be77-223188134132;InfobloxResourceType=jointoken;InfobloxResourceDesc=;InfobloxHTTPRespBody={""join_token"":""***"",""result"":{""id"":""ngp-cp/join_tokens/32a6ffa2-330e-11ef-be77-223188134132"",""name"":""25-06"",""status"":""ACTIVE"",""token_id"":""***"",""use_counter"":0},""success"":{""message"":""Created""}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",create,hostactivation,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Join token is created,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.2,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,create,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:19:28 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit 
Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""name"":""SplunkTest"",""description"":"""",""enabled"":true,""cdc_services"":[""z77m2xgrbsx22jokk44ueitoiianv7ny""],""source"":7704,""source_data_types"":[""ATLAS_NOTIFICATIONS"",""AUDIT_LOG"",""DDI_DHCP_LEASE_LOG"",""DDI_QUERY_RESP_LOG"",""SERVICE_LOG"",""TD_QUERY_RESP_LOG"",""TD_THREAT_FEEDS_HITS_LOG""],""destination"":8037,""filter_expression"":"""",""script_schedule"":"""",""tags"":{}};InfobloxResourceId=11257;InfobloxResourceType=flow_data_v2;InfobloxResourceDesc=;InfobloxHTTPRespBody={""results"":{""cdc_services"":[""z77m2xgrbsx22jokk44ueitoiianv7ny""],""created_at"":""2024-06-06T17:41:13Z"",""description"":"""",""destination"":8037,""enabled"":true,""etl_filters"":[],""filter_expression"":"""",""id"":11257,""name"":""SplunkTest"",""script_schedule"":"""",""source"":7704,""source_data_types"":[""ATLAS_NOTIFICATIONS"",""AUDIT_LOG"",""DDI_DHCP_LEASE_LOG"",""DDI_QUERY_RESP_LOG"",""SERVICE_LOG"",""TD_QUERY_RESP_LOG"",""TD_THREAT_FEEDS_HITS_LOG""],""tags"":{},""updated_at"":""2024-06-25T16:19:26Z""}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",Update,cdc.flow.api,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Updated,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.3,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Update,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:22:40 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit 
Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""name"":""Test_Connector"",""service_type"":""cdc"",""desired_state"":""start"",""pool_id"":""4dex5wmrzw4fj7kyyjs7idpi7ttkuskn"",""tags"":{},""interface_labels"":[],""destinations"":[],""source_interfaces"":[]};InfobloxResourceId=k3f3v6sw45yaji3d6mprwful37qwlgad;InfobloxResourceType=services;InfobloxResourceDesc=;InfobloxHTTPRespBody={""result"":{""created_at"":""2024-06-25T16:22:39.435361613Z"",""desired_state"":""start"",""destinations"":[],""id"":""infra/service/k3f3v6sw45yaji3d6mprwful37qwlgad"",""name"":""Test_Connector"",""pool_id"":""infra/pool/4dex5wmrzw4fj7kyyjs7idpi7ttkuskn"",""service_type"":""cdc"",""source_interfaces"":[],""tags"":{},""updated_at"":""2024-06-25T16:22:39.435361613Z""}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",Create,hostapp,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Infra-service is created,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.4,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Create,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:23:19 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""revoke_reason"":""hostapp disconnect""};InfobloxResourceId=93c4900d1df2ffda2b620edfb27f7e4f;InfobloxResourceType=cert;InfobloxResourceDesc=;InfobloxHTTPRespBody={};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin 
ib-interactive-user];InfobloxSubjectType=User",revoke,hostactivation,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Certificate is revoked using ophid,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.5,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,revoke,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:23:19 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,InfobloxEventVersion=;InfobloxHTTPReqBody={};InfobloxResourceId=jbeuiwrzgrrgkytbg44dezbvhfqtinzthe2dqmtfgrstgmrymi3gknlegq4tmzbweaqcaiba;InfobloxResourceType=hosts;InfobloxResourceDesc=;InfobloxHTTPRespBody={};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User,Disconnect,hostapp,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Infra-host is disconnected,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.6,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Disconnect,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:14:45 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,InfobloxEventVersion=;InfobloxHTTPReqBody=;InfobloxResourceId=d04b58f6-32fa-11ef-9bda-a26b6676565d;InfobloxResourceType=jointoken;InfobloxResourceDesc=;InfobloxHTTPRespBody={};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user 
ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User,delete,hostactivation,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Join token is deleted,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.1,,,peter@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,delete,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:15:56 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""name"":""25-06""};InfobloxResourceId=32a6ffa2-330e-11ef-be77-223188134132;InfobloxResourceType=jointoken;InfobloxResourceDesc=;InfobloxHTTPRespBody={""join_token"":""***"",""result"":{""id"":""ngp-cp/join_tokens/32a6ffa2-330e-11ef-be77-223188134132"",""name"":""25-06"",""status"":""ACTIVE"",""token_id"":""***"",""use_counter"":0},""success"":{""message"":""Created""}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",create,hostactivation,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Join token is created,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.1,,,peter@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,create,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:19:28 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit 
Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""name"":""SplunkTest"",""description"":"""",""enabled"":true,""cdc_services"":[""z77m2xgrbsx22jokk44ueitoiianv7ny""],""source"":7704,""source_data_types"":[""ATLAS_NOTIFICATIONS"",""AUDIT_LOG"",""DDI_DHCP_LEASE_LOG"",""DDI_QUERY_RESP_LOG"",""SERVICE_LOG"",""TD_QUERY_RESP_LOG"",""TD_THREAT_FEEDS_HITS_LOG""],""destination"":8037,""filter_expression"":"""",""script_schedule"":"""",""tags"":{}};InfobloxResourceId=11257;InfobloxResourceType=flow_data_v2;InfobloxResourceDesc=;InfobloxHTTPRespBody={""results"":{""cdc_services"":[""z77m2xgrbsx22jokk44ueitoiianv7ny""],""created_at"":""2024-06-06T17:41:13Z"",""description"":"""",""destination"":8037,""enabled"":true,""etl_filters"":[],""filter_expression"":"""",""id"":11257,""name"":""SplunkTest"",""script_schedule"":"""",""source"":7704,""source_data_types"":[""ATLAS_NOTIFICATIONS"",""AUDIT_LOG"",""DDI_DHCP_LEASE_LOG"",""DDI_QUERY_RESP_LOG"",""SERVICE_LOG"",""TD_QUERY_RESP_LOG"",""TD_THREAT_FEEDS_HITS_LOG""],""tags"":{},""updated_at"":""2024-06-25T16:19:26Z""}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",Update,cdc.flow.api,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Updated,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.3,,,peter@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Update,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:22:40 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit 
Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""name"":""Test_Connector"",""service_type"":""cdc"",""desired_state"":""start"",""pool_id"":""4dex5wmrzw4fj7kyyjs7idpi7ttkuskn"",""tags"":{},""interface_labels"":[],""destinations"":[],""source_interfaces"":[]};InfobloxResourceId=k3f3v6sw45yaji3d6mprwful37qwlgad;InfobloxResourceType=services;InfobloxResourceDesc=;InfobloxHTTPRespBody={""result"":{""created_at"":""2024-06-25T16:22:39.435361613Z"",""desired_state"":""start"",""destinations"":[],""id"":""infra/service/k3f3v6sw45yaji3d6mprwful37qwlgad"",""name"":""Test_Connector"",""pool_id"":""infra/pool/4dex5wmrzw4fj7kyyjs7idpi7ttkuskn"",""service_type"":""cdc"",""source_interfaces"":[],""tags"":{},""updated_at"":""2024-06-25T16:22:39.435361613Z""}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",Create,hostapp,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Infra-service is created,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.4,,,peter@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Create,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:23:19 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""revoke_reason"":""hostapp disconnect""};InfobloxResourceId=93c4900d1df2ffda2b620edfb27f7e4f;InfobloxResourceType=cert;InfobloxResourceDesc=;InfobloxHTTPRespBody={};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin 
ib-interactive-user];InfobloxSubjectType=User",revoke,hostactivation,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Certificate is revoked using ophid,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.4,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,revoke,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:23:19 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,InfobloxEventVersion=;InfobloxHTTPReqBody={};InfobloxResourceId=jbeuiwrzgrrgkytbg44dezbvhfqtinzthe2dqmtfgrstgmrymi3gknlegq4tmzbweaqcaiba;InfobloxResourceType=hosts;InfobloxResourceDesc=;InfobloxHTTPRespBody={};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User,Disconnect,hostapp,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Infra-host is disconnected,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.2.1.6,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Disconnect,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 5:12:16 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit 
Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""name"":""Test_Connector"",""service_type"":""cdc"",""desired_state"":""start"",""pool_id"":""4dex5wmrzw4fj7kyyjs7idpi7ttkuskn"",""tags"":{},""interface_labels"":[],""destinations"":[],""source_interfaces"":[]};InfobloxResourceId=k3f3v6sw45yaji3d6mprwful37qwlgad;InfobloxResourceType=services;InfobloxResourceDesc=;InfobloxHTTPRespBody={""result"":{""desired_state"":""start"",""destinations"":[],""id"":""infra/service/k3f3v6sw45yaji3d6mprwful37qwlgad"",""name"":""Test_Connector"",""pool_id"":""infra/pool/4dex5wmrzw4fj7kyyjs7idpi7ttkuskn"",""service_type"":""cdc"",""source_interfaces"":[],""tags"":{},""updated_at"":""2024-06-25T17:12:15.187559688Z""}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",Update,hostapp,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Infra-service is updated,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.7,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Update,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 asdfvasd-3a80-4066-adf8-1451432121,"6/24/2024, 1:26:18 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""error"":""invalid JSON""};InfobloxResourceId=;InfobloxResourceType=notificationsdelivery;InfobloxResourceDesc=;InfobloxHTTPRespBody={};InfobloxSubjectGroups=[act_admin ib-interactive-user];InfobloxSubjectType=User",Update,atlas.notifications.config,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.8,,,musan@security.com,,BloxOne Audit 
Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Update,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-1451432121,"6/24/2024, 1:26:18 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""threshold"":[{""id"":null,""parent"":{""id"":""8c2e9889-2b27-4adc-b57d-5ed4d2ad7fdf""},""value"":90},{""id"":null,""parent"":{""id"":""7673d68a-0f3c-4493-b2df-3337ed02becc""},""value"":90},{""id"":null,""parent"":{""id"":""9d9b7f44-33aa-4122-a443-a3aad1c7c593""},""value"":90},{""id"":null,""parent"":{""id"":""66178adb-291c-4593-9211-303d085a2ccc""},""value"":90},{""id"":null,""parent"":{""id"":""b5381601-d8d3-41d9-9d5e-74e66117beab""},""value"":300},{""id"":null,""parent"":{""id"":""1b51bdb5-e1ae-4d93-b353-dbea782e8790""},""value"":0},{""id"":null,""parent"":{""id"":""344c955c-0d0e-4714-96d0-614af6ab77db""},""value"":0},{""id"":null,""parent"":{""id"":""385ac901-5cdd-4830-8edb-d3c2c1f65d01""},""value"":0},{""id"":null,""parent"":{""id"":""c49cce97-f791-47a6-8b10-409f246516a6""},""value"":0},{""id"":null,""parent"":{""id"":""ccdcf8e6-fce2-4960-add2-882e5253974b""},""value"":0},{""id"":null,""parent"":{""id"":""d9816b96-6689-4ec1-bd02-536a4aaa00ea""},""value"":0}]};InfobloxResourceId=;InfobloxResourceType=multithresholds;InfobloxResourceDesc=;InfobloxHTTPRespBody={""error"":""invalid JSON""};InfobloxSubjectGroups=[act_admin ib-interactive-user];InfobloxSubjectType=User",Upsert,atlas.notifications.thresholding,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.9,,,musan@security.com,,BloxOne Audit 
Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Upsert,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/24/2024, 1:26:18 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""threshold"":[{""id"":null,""parent"":{""id"":""8c2e9889-2b27-4adc-b57d-5ed4d2ad7fdf""},""value"":90},{""id"":null,""parent"":{""id"":""7673d68a-0f3c-4493-b2df-3337ed02becc""},""value"":90},{""id"":null,""parent"":{""id"":""9d9b7f44-33aa-4122-a443-a3aad1c7c593""},""value"":90},{""id"":null,""parent"":{""id"":""66178adb-291c-4593-9211-303d085a2ccc""},""value"":90},{""id"":null,""parent"":{""id"":""b5381601-d8d3-41d9-9d5e-74e66117beab""},""value"":300},{""id"":null,""parent"":{""id"":""1b51bdb5-e1ae-4d93-b353-dbea782e8790""},""value"":0},{""id"":null,""parent"":{""id"":""344c955c-0d0e-4714-96d0-614af6ab77db""},""value"":0},{""id"":null,""parent"":{""id"":""385ac901-5cdd-4830-8edb-d3c2c1f65d01""},""value"":0},{""id"":null,""parent"":{""id"":""c49cce97-f791-47a6-8b10-409f246516a6""},""value"":0},{""id"":null,""parent"":{""id"":""ccdcf8e6-fce2-4960-add2-882e5253974b""},""value"":0},{""id"":null,""parent"":{""id"":""d9816b96-6689-4ec1-bd02-536a4aaa00ea""},""value"":0}]};InfobloxResourceId=;InfobloxResourceType=multithresholds;InfobloxResourceDesc=;InfobloxHTTPRespBody={""error"":""invalid JSON""};InfobloxSubjectGroups=[act_admin ib-interactive-user];InfobloxSubjectType=User",Upsert,atlas.notifications.thresholding,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.8,,,musan@security.com,,BloxOne Audit 
Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Upsert,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 asdfvasd-3a80-4066-adf8-1451432121,"6/24/2024, 1:26:18 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""error"":""invalid JSON""};InfobloxResourceId=;InfobloxResourceType=notificationsdelivery;InfobloxResourceDesc=;InfobloxHTTPRespBody={};InfobloxSubjectGroups=[act_admin ib-interactive-user];InfobloxSubjectType=User",Update,atlas.notifications.config,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.10,,,musan@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Update,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 asdfvasd-3a80-4066-adf8-1451432121,"6/24/2024, 1:26:18 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit 
Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""threshold"":[{""id"":""b0137475-1aca-4175-9f0d-173e2d00ac38"",""parent"":{""id"":""8c2e9889-2b27-4adc-b57d-5ed4d2ad7fdf""},""value"":90},{""id"":""fd7debc4-a56d-4ff3-b6aa-bbc1e673a60b"",""parent"":{""id"":""7673d68a-0f3c-4493-b2df-3337ed02becc""},""value"":90},{""id"":""ec6cf1b0-2827-4279-9078-48e64442a153"",""parent"":{""id"":""9d9b7f44-33aa-4122-a443-a3aad1c7c593""},""value"":90},{""id"":""21810066-aa1d-4293-960b-a89ba5699133"",""parent"":{""id"":""66178adb-291c-4593-9211-303d085a2ccc""},""value"":90},{""id"":""75df352f-39b6-468c-ad4d-641f2dded95d"",""parent"":{""id"":""b5381601-d8d3-41d9-9d5e-74e66117beab""},""value"":300},{""id"":""8249a3f3-ab1e-4325-8e43-205421cadb4a"",""parent"":{""id"":""1b51bdb5-e1ae-4d93-b353-dbea782e8790""},""value"":0},{""id"":""aa8e3e7b-2bf5-4518-8e4a-4b62b86f0edc"",""parent"":{""id"":""344c955c-0d0e-4714-96d0-614af6ab77db""},""value"":0},{""id"":""b38499ce-6bce-4397-8106-0296da68e2c9"",""parent"":{""id"":""385ac901-5cdd-4830-8edb-d3c2c1f65d01""},""value"":0},{""id"":""66303055-37d0-4248-add7-bc5471bce7f5"",""parent"":{""id"":""c49cce97-f791-47a6-8b10-409f246516a6""},""value"":0},{""id"":""b34c26fb-4eb5-4656-8047-99e26669d01b"",""parent"":{""id"":""ccdcf8e6-fce2-4960-add2-882e5253974b""},""value"":0},{""id"":""e6384b62-984b-4e86-82d3-f0529cabb79e"",""parent"":{""id"":""d9816b96-6689-4ec1-bd02-536a4aaa00ea""},""value"":0}]};InfobloxResourceId=;InfobloxResourceType=multithresholds;InfobloxResourceDesc=;InfobloxHTTPRespBody={""error"":""invalid JSON""};InfobloxSubjectGroups=[act_admin ib-interactive-user];InfobloxSubjectType=User",Upsert,atlas.notifications.thresholding,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.11,,,musan@security.com,,BloxOne Audit 
Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Upsert,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-1451432121,"6/19/2024, 1:25:05 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""name"":""Sentinel-Config"",""description"":"""",""enabled"":true,""address"":""40.121.5.68"",""output_data_format"":""CEF"",""tags"":{},""port"":514,""transport_protocol"":""TCP"",""insecure_mode"":true};InfobloxResourceId=7418;InfobloxResourceType=destination_syslog;InfobloxResourceDesc=;InfobloxHTTPRespBody={""results"":{""address"":""40.121.5.68"",""ca_certificate"":""***"",""created_at"":""2024-04-11T07:58:41Z"",""description"":"""",""enabled"":true,""id"":7418,""insecure_mode"":true,""name"":""Sentinel-Config"",""output_data_format"":""CEF"",""port"":514,""tags"":{},""transport_protocol"":""TCP"",""updated_at"":""2024-06-19T13:06:48Z""}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",Update,cdc.flow.api,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Updated,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.12,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Update,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-1451432121,"6/19/2024, 1:25:06 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit 
Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""dhcp_options"":[],""inheritance_sources"":{""vendor_specific_option_option_space"":{""action"":""inherit""},""asm_config"":{""asm_enable_block"":{""action"":""inherit"",""value"":{""reenable_date"":""1970-01-01T00:00:00Z""}},""asm_growth_block"":{""action"":""inherit"",""value"":{}},""asm_threshold"":{""action"":""inherit""},""history"":{""action"":""inherit""},""min_unused"":{""action"":""inherit""}},""dhcp_config"":{""ignore_list"":{""action"":""inherit""},""allow_unknown"":{""action"":""inherit""},""allow_unknown_v6"":{""action"":""inherit""},""lease_time"":{""action"":""inherit""},""lease_time_v6"":{""action"":""inherit""},""ignore_client_uid"":{""action"":""inherit""},""abandoned_reclaim_time"":{""action"":""inherit""},""abandoned_reclaim_time_v6"":{""action"":""inherit""},""echo_client_id"":{""action"":""inherit""},""filters"":{""action"":""inherit""},""filters_v6"":{""action"":""inherit""}},""dhcp_options"":{""action"":""inherit"",""value"":[]},""dhcp_options_v6"":{""action"":""inherit"",""value"":[]},""ddns_update_block"":{""action"":""inherit"",""value"":{}},""ddns_hostname_block"":{""action"":""inherit"",""value"":{}},""ddns_update_on_renew"":{""action"":""inherit""},""ddns_conflict_resolution_mode"":{""action"":""inherit""},""ddns_client_update"":{""action"":""inherit""},""hostname_rewrite_block"":{""action"":""inherit"",""value"":{}},""ddns_ttl_percent"":{""action"":""inherit""},""header_option_server_address"":{""action"":""inherit""},""header_option_server_name"":{""action"":""inherit""},""header_option_filename"":{""action"":""inherit""}},""asm_config"":{""reenable_date"":""1970-01-01T00:00:00.000Z"",""forecast_period"":14,""history"":30},""dhcp_config"":{},""name"":""Ip space for 
Sensplunk"",""dhcp_options_v6"":[],""compartment_id"":null};InfobloxResourceId=1dbf0491-2e3d-11ef-a715-729fd14e7c69;InfobloxResourceType=ip_space;InfobloxResourceDesc=;InfobloxHTTPRespBody={""result"":{""asm_config"":{""asm_threshold"":90,""enable"":true,""enable_notification"":true,""forecast_period"":14,""growth_factor"":20,""growth_type"":""percent"",""history"":30,""min_total"":10,""min_unused"":10,""reenable_date"":""1970-01-01T00:00:00Z""},""asm_scope_flag"":0,""comment"":"""",""compartment_id"":"""",""created_at"":""2024-06-19T13:09:09.881962937Z"",""ddns_client_update"":""client"",""ddns_conflict_resolution_mode"":""check_with_dhcid"",""ddns_domain"":"""",""ddns_generate_name"":false,""ddns_generated_prefix"":""myhost"",""ddns_send_updates"":true,""ddns_ttl_percent"":0,""ddns_update_on_renew"":false,""ddns_use_conflict_resolution"":true,""default_realms"":[],""dhcp_config"":{""abandoned_reclaim_time"":3600,""abandoned_reclaim_time_v6"":3600,""allow_unknown"":true,""allow_unknown_v6"":true,""echo_client_id"":true,""filters"":[],""filters_large_selection"":[],""filters_v6"":[],""ignore_client_uid"":false,""ignore_list"":[],""lease_time"":3600,""lease_time_v6"":3600},""dhcp_options"":[],""dhcp_options_v6"":[],""header_option_filename"":"""",""header_option_server_address"":"""",""header_option_server_name"":"""",""hostname_rewrite_char"":""-"",""hostname_rewrite_enabled"":false,""hostname_rewrite_regex"":""[^a-zA-Z0-9.-]"",""id"":""ipam/ip_space/1dbf0491-2e3d-11ef-a715-729fd14e7c69"",""inheritance_sources"":null,""name"":""Ip space for 
Sensplunk"",""tags"":null,""threshold"":{""enabled"":false,""high"":0,""low"":0},""updated_at"":""2024-06-19T13:09:09.881962937Z"",""utilization"":{""abandon_utilization"":0,""abandoned"":""0"",""dynamic"":""0"",""free"":""0"",""static"":""0"",""total"":""0"",""used"":""0"",""utilization"":0},""utilization_v6"":{""abandoned"":""0"",""dynamic"":""0"",""static"":""0"",""total"":""0"",""used"":""0""},""vendor_specific_option_option_space"":null}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",Create,ddi,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"{""response"":{""result"":{""id"":""ipam/ip_space/1dbf0491-2e3d-11ef-a715-729fd14e7c69"",""name"":""Ip space for Sensplunk"",""utilization"":{},""threshold"":{},""dhcp_config"":{""allow_unknown"":true,""lease_time"":3600,""allow_unknown_v6"":true,""lease_time_v6"":3600,""abandoned_reclaim_time"":3600,""abandoned_reclaim_time_v6"":3600,""echo_client_id"":true},""asm_config"":{""enable"":true,""enable_notification"":true,""reenable_date"":{},""min_total"":10,""asm_threshold"":90,""forecast_period"":14,""growth_factor"":20,""growth_type"":""percent"",""history"":30,""min_unused"":10},""created_at"":{""seconds"":1718802549,""nanos"":881962937},""updated_at"":{""seconds"":1718802549,""nanos"":881962937},""ddns_send_updates"":true,""ddns_generated_prefix"":""myhost"",""ddns_use_conflict_resolution"":true,""ddns_client_update"":""client"",""hostname_rewrite_regex"":""[^a-zA-Z0-9.-]"",""hostname_rewrite_char"":""-"",""utilization_v6"":{""total"":""0"",""used"":""0"",""static"":""0"",""dynamic"":""0"",""abandoned"":""0""},""ddns_conflict_resolution_mode"":""check_with_dhcid""}}}",,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.13,,,matt.damon@security.com,,BloxOne Audit 
Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Create,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-1451432121,"6/19/2024, 1:25:05 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""name"":""Sentinel-Config"",""description"":"""",""enabled"":true,""address"":""40.121.5.68"",""output_data_format"":""CEF"",""tags"":{},""port"":514,""transport_protocol"":""TCP"",""insecure_mode"":true};InfobloxResourceId=7418;InfobloxResourceType=destination_syslog;InfobloxResourceDesc=;InfobloxHTTPRespBody={""results"":{""address"":""40.121.5.68"",""ca_certificate"":""***"",""created_at"":""2024-04-11T07:58:41Z"",""description"":"""",""enabled"":true,""id"":7418,""insecure_mode"":true,""name"":""Sentinel-Config"",""output_data_format"":""CEF"",""port"":514,""tags"":{},""transport_protocol"":""TCP"",""updated_at"":""2024-06-19T13:06:48Z""}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",Update,cdc.flow.api,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Updated,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.11,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Update,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-1451432121,"6/19/2024, 1:25:06 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit 
Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""dhcp_options"":[],""inheritance_sources"":{""vendor_specific_option_option_space"":{""action"":""inherit""},""asm_config"":{""asm_enable_block"":{""action"":""inherit"",""value"":{""reenable_date"":""1970-01-01T00:00:00Z""}},""asm_growth_block"":{""action"":""inherit"",""value"":{}},""asm_threshold"":{""action"":""inherit""},""history"":{""action"":""inherit""},""min_unused"":{""action"":""inherit""}},""dhcp_config"":{""ignore_list"":{""action"":""inherit""},""allow_unknown"":{""action"":""inherit""},""allow_unknown_v6"":{""action"":""inherit""},""lease_time"":{""action"":""inherit""},""lease_time_v6"":{""action"":""inherit""},""ignore_client_uid"":{""action"":""inherit""},""abandoned_reclaim_time"":{""action"":""inherit""},""abandoned_reclaim_time_v6"":{""action"":""inherit""},""echo_client_id"":{""action"":""inherit""},""filters"":{""action"":""inherit""},""filters_v6"":{""action"":""inherit""}},""dhcp_options"":{""action"":""inherit"",""value"":[]},""dhcp_options_v6"":{""action"":""inherit"",""value"":[]},""ddns_update_block"":{""action"":""inherit"",""value"":{}},""ddns_hostname_block"":{""action"":""inherit"",""value"":{}},""ddns_update_on_renew"":{""action"":""inherit""},""ddns_conflict_resolution_mode"":{""action"":""inherit""},""ddns_client_update"":{""action"":""inherit""},""hostname_rewrite_block"":{""action"":""inherit"",""value"":{}},""ddns_ttl_percent"":{""action"":""inherit""},""header_option_server_address"":{""action"":""inherit""},""header_option_server_name"":{""action"":""inherit""},""header_option_filename"":{""action"":""inherit""}},""asm_config"":{""reenable_date"":""1970-01-01T00:00:00.000Z"",""forecast_period"":14,""history"":30},""dhcp_config"":{},""name"":""Ip space for 
Sensplunk"",""dhcp_options_v6"":[],""compartment_id"":null};InfobloxResourceId=1dbf0491-2e3d-11ef-a715-729fd14e7c69;InfobloxResourceType=ip_space;InfobloxResourceDesc=;InfobloxHTTPRespBody={""result"":{""asm_config"":{""asm_threshold"":90,""enable"":true,""enable_notification"":true,""forecast_period"":14,""growth_factor"":20,""growth_type"":""percent"",""history"":30,""min_total"":10,""min_unused"":10,""reenable_date"":""1970-01-01T00:00:00Z""},""asm_scope_flag"":0,""comment"":"""",""compartment_id"":"""",""created_at"":""2024-06-19T13:09:09.881962937Z"",""ddns_client_update"":""client"",""ddns_conflict_resolution_mode"":""check_with_dhcid"",""ddns_domain"":"""",""ddns_generate_name"":false,""ddns_generated_prefix"":""myhost"",""ddns_send_updates"":true,""ddns_ttl_percent"":0,""ddns_update_on_renew"":false,""ddns_use_conflict_resolution"":true,""default_realms"":[],""dhcp_config"":{""abandoned_reclaim_time"":3600,""abandoned_reclaim_time_v6"":3600,""allow_unknown"":true,""allow_unknown_v6"":true,""echo_client_id"":true,""filters"":[],""filters_large_selection"":[],""filters_v6"":[],""ignore_client_uid"":false,""ignore_list"":[],""lease_time"":3600,""lease_time_v6"":3600},""dhcp_options"":[],""dhcp_options_v6"":[],""header_option_filename"":"""",""header_option_server_address"":"""",""header_option_server_name"":"""",""hostname_rewrite_char"":""-"",""hostname_rewrite_enabled"":false,""hostname_rewrite_regex"":""[^a-zA-Z0-9.-]"",""id"":""ipam/ip_space/1dbf0491-2e3d-11ef-a715-729fd14e7c69"",""inheritance_sources"":null,""name"":""Ip space for 
Sensplunk"",""tags"":null,""threshold"":{""enabled"":false,""high"":0,""low"":0},""updated_at"":""2024-06-19T13:09:09.881962937Z"",""utilization"":{""abandon_utilization"":0,""abandoned"":""0"",""dynamic"":""0"",""free"":""0"",""static"":""0"",""total"":""0"",""used"":""0"",""utilization"":0},""utilization_v6"":{""abandoned"":""0"",""dynamic"":""0"",""static"":""0"",""total"":""0"",""used"":""0""},""vendor_specific_option_option_space"":null}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",Create,ddi,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"{""response"":{""result"":{""id"":""ipam/ip_space/1dbf0491-2e3d-11ef-a715-729fd14e7c69"",""name"":""Ip space for Sensplunk"",""utilization"":{},""threshold"":{},""dhcp_config"":{""allow_unknown"":true,""lease_time"":3600,""allow_unknown_v6"":true,""lease_time_v6"":3600,""abandoned_reclaim_time"":3600,""abandoned_reclaim_time_v6"":3600,""echo_client_id"":true},""asm_config"":{""enable"":true,""enable_notification"":true,""reenable_date"":{},""min_total"":10,""asm_threshold"":90,""forecast_period"":14,""growth_factor"":20,""growth_type"":""percent"",""history"":30,""min_unused"":10},""created_at"":{""seconds"":1718802549,""nanos"":881962937},""updated_at"":{""seconds"":1718802549,""nanos"":881962937},""ddns_send_updates"":true,""ddns_generated_prefix"":""myhost"",""ddns_use_conflict_resolution"":true,""ddns_client_update"":""client"",""hostname_rewrite_regex"":""[^a-zA-Z0-9.-]"",""hostname_rewrite_char"":""-"",""utilization_v6"":{""total"":""0"",""used"":""0"",""static"":""0"",""dynamic"":""0"",""abandoned"":""0""},""ddns_conflict_resolution_mode"":""check_with_dhcid""}}}",,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.2.1.11,,,matt.damon@security.com,,BloxOne Audit 
Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Create,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 asdfvasd-3a80-4066-adf8-1451432121,"6/19/2024, 1:25:06 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""name"":""Sentinel-Config"",""description"":"""",""enabled"":true,""address"":""48.217.233.16"",""output_data_format"":""CEF"",""tags"":{},""port"":514,""transport_protocol"":""TCP"",""insecure_mode"":true};InfobloxResourceId=7418;InfobloxResourceType=destination_syslog;InfobloxResourceDesc=;InfobloxHTTPRespBody={""results"":{""address"":""48.217.233.16"",""ca_certificate"":""***"",""created_at"":""2024-04-11T07:58:41Z"",""description"":"""",""enabled"":true,""id"":7418,""insecure_mode"":true,""name"":""Sentinel-Config"",""output_data_format"":""CEF"",""port"":514,""tags"":{},""transport_protocol"":""TCP"",""updated_at"":""2024-06-19T13:24:43Z""}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",Update,cdc.flow.api,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Updated,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.14,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Update,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 asdfvasd-3a80-4066-adf8-1451432121,"6/19/2024, 1:26:48 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit 
Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""dhcp_options"":[],""inheritance_sources"":{""vendor_specific_option_option_space"":{""action"":""inherit""},""asm_config"":{""asm_enable_block"":{""action"":""inherit"",""value"":{""reenable_date"":""1970-01-01T00:00:00Z""}},""asm_growth_block"":{""action"":""inherit"",""value"":{}},""asm_threshold"":{""action"":""inherit""},""history"":{""action"":""inherit""},""min_unused"":{""action"":""inherit""}},""dhcp_config"":{""ignore_list"":{""action"":""inherit""},""allow_unknown"":{""action"":""inherit""},""allow_unknown_v6"":{""action"":""inherit""},""lease_time"":{""action"":""inherit""},""lease_time_v6"":{""action"":""inherit""},""ignore_client_uid"":{""action"":""inherit""},""abandoned_reclaim_time"":{""action"":""inherit""},""abandoned_reclaim_time_v6"":{""action"":""inherit""},""echo_client_id"":{""action"":""inherit""},""filters"":{""action"":""inherit""},""filters_v6"":{""action"":""inherit""}},""dhcp_options"":{""action"":""inherit"",""value"":[]},""dhcp_options_v6"":{""action"":""inherit"",""value"":[]},""ddns_update_block"":{""action"":""inherit"",""value"":{}},""ddns_hostname_block"":{""action"":""inherit"",""value"":{}},""ddns_update_on_renew"":{""action"":""inherit""},""ddns_conflict_resolution_mode"":{""action"":""inherit""},""ddns_client_update"":{""action"":""inherit""},""hostname_rewrite_block"":{""action"":""inherit"",""value"":{}},""ddns_ttl_percent"":{""action"":""inherit""},""header_option_server_address"":{""action"":""inherit""},""header_option_server_name"":{""action"":""inherit""},""header_option_filename"":{""action"":""inherit""}},""asm_config"":{""reenable_date"":""1970-01-01T00:00:00.000Z"",""forecast_period"":14,""history"":30},""dhcp_config"":{},""name"":""Ip space for 
sensplunk2"",""dhcp_options_v6"":[],""compartment_id"":null};InfobloxResourceId=93e1b4f0-2e3f-11ef-8fc3-42d72888b014;InfobloxResourceType=ip_space;InfobloxResourceDesc=;InfobloxHTTPRespBody={""result"":{""asm_config"":{""asm_threshold"":90,""enable"":true,""enable_notification"":true,""forecast_period"":14,""growth_factor"":20,""growth_type"":""percent"",""history"":30,""min_total"":10,""min_unused"":10,""reenable_date"":""1970-01-01T00:00:00Z""},""asm_scope_flag"":0,""comment"":"""",""compartment_id"":"""",""created_at"":""2024-06-19T13:26:47.080311372Z"",""ddns_client_update"":""client"",""ddns_conflict_resolution_mode"":""check_with_dhcid"",""ddns_domain"":"""",""ddns_generate_name"":false,""ddns_generated_prefix"":""myhost"",""ddns_send_updates"":true,""ddns_ttl_percent"":0,""ddns_update_on_renew"":false,""ddns_use_conflict_resolution"":true,""default_realms"":[],""dhcp_config"":{""abandoned_reclaim_time"":3600,""abandoned_reclaim_time_v6"":3600,""allow_unknown"":true,""allow_unknown_v6"":true,""echo_client_id"":true,""filters"":[],""filters_large_selection"":[],""filters_v6"":[],""ignore_client_uid"":false,""ignore_list"":[],""lease_time"":3600,""lease_time_v6"":3600},""dhcp_options"":[],""dhcp_options_v6"":[],""header_option_filename"":"""",""header_option_server_address"":"""",""header_option_server_name"":"""",""hostname_rewrite_char"":""-"",""hostname_rewrite_enabled"":false,""hostname_rewrite_regex"":""[^a-zA-Z0-9.-]"",""id"":""ipam/ip_space/93e1b4f0-2e3f-11ef-8fc3-42d72888b014"",""inheritance_sources"":null,""name"":""Ip space for 
sensplunk2"",""tags"":null,""threshold"":{""enabled"":false,""high"":0,""low"":0},""updated_at"":""2024-06-19T13:26:47.080311372Z"",""utilization"":{""abandon_utilization"":0,""abandoned"":""0"",""dynamic"":""0"",""free"":""0"",""static"":""0"",""total"":""0"",""used"":""0"",""utilization"":0},""utilization_v6"":{""abandoned"":""0"",""dynamic"":""0"",""static"":""0"",""total"":""0"",""used"":""0""},""vendor_specific_option_option_space"":null}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",Create,ddi,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"{""response"":{""result"":{""id"":""ipam/ip_space/93e1b4f0-2e3f-11ef-8fc3-42d72888b014"",""name"":""Ip space for sensplunk2"",""utilization"":{},""threshold"":{},""dhcp_config"":{""allow_unknown"":true,""lease_time"":3600,""allow_unknown_v6"":true,""lease_time_v6"":3600,""abandoned_reclaim_time"":3600,""abandoned_reclaim_time_v6"":3600,""echo_client_id"":true},""asm_config"":{""enable"":true,""enable_notification"":true,""reenable_date"":{},""min_total"":10,""asm_threshold"":90,""forecast_period"":14,""growth_factor"":20,""growth_type"":""percent"",""history"":30,""min_unused"":10},""created_at"":{""seconds"":1718803607,""nanos"":80311372},""updated_at"":{""seconds"":1718803607,""nanos"":80311372},""ddns_send_updates"":true,""ddns_generated_prefix"":""myhost"",""ddns_use_conflict_resolution"":true,""ddns_client_update"":""client"",""hostname_rewrite_regex"":""[^a-zA-Z0-9.-]"",""hostname_rewrite_char"":""-"",""utilization_v6"":{""total"":""0"",""used"":""0"",""static"":""0"",""dynamic"":""0"",""abandoned"":""0""},""ddns_conflict_resolution_mode"":""check_with_dhcid""}}}",,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.15,,,matt.damon@security.com,,BloxOne Audit 
Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Create,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
-asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 2:16:10 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""name"":""25/06""};InfobloxResourceId=d04b58f6-32fa-11ef-9bda-a26b6676565d;InfobloxResourceType=jointoken;InfobloxResourceDesc=;InfobloxHTTPRespBody={""join_token"":""***"",""result"":{""id"":""ngp-cp/join_tokens/d04b58f6-32fa-11ef-9bda-a26b6676565d"",""name"":""25/06"",""status"":""ACTIVE"",""token_id"":""***"",""use_counter"":0},""success"":{""message"":""Created""}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",create,hostactivation,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Join token is created,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.16,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,create,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
-asdfvasd-3a80-4066-adf8-1451432121,"6/21/2024, 9:31:00 AM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,InfobloxEventVersion=;InfobloxHTTPReqBody=;InfobloxResourceId=;InfobloxResourceType=Roaming Device;InfobloxResourceDesc=;InfobloxHTTPRespBody=;InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin 
ib-interactive-user];InfobloxSubjectType=User,UpdateRoamingDevice,atcapi,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ce5277bb842648ac8611753db8016aaf updated,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.17,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,UpdateRoamingDevice,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
-asdfvasd-3a80-4066-adf8-1451432121,"6/21/2024, 9:31:00 AM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,InfobloxEventVersion=;InfobloxHTTPReqBody=;InfobloxResourceId=;InfobloxResourceType=Roaming Device;InfobloxResourceDesc=;InfobloxHTTPRespBody=;InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User,UpdateRoamingDevice,atcapi,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, updated,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.18,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,UpdateRoamingDevice,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
-asdfvasd-3a80-4066-adf8-1451432121,"6/21/2024, 9:31:00 AM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,InfobloxEventVersion=;InfobloxHTTPReqBody=;InfobloxResourceId=208211;InfobloxResourceType=Security Policy;InfobloxResourceDesc=;InfobloxHTTPRespBody=;InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin 
ib-interactive-user];InfobloxSubjectType=User,UpdateSecurityPolicy,atcapi,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Updated Threat_Policy, Details: Security PolicyName: Threat_Policy, AccountID: 2007292, Default: false, Description: , UpdatedAt: 2024-06-20 14:27:05.825786 +0000 +0000, NetworkLists: [], Rules fields:{key:""action"" value:{string_value:""action_block""}} fields:{key:""data"" value:{string_value:""antimalware""}} fields:{key:""description"" value:{string_value:""Suspicious/malicious as destinations: Enables protection against known malicious hostname threats that can take action on or control of your systems, such as Malware Command & Control, Malware Download, and active Phishing sites.""}} fields:{key:""type"" value:{string_value:""named_feed""}} fields:{key:""action"" value:{string_value:""action_block""}} fields:{key:""data"" value:{string_value:""ransomware""}} fields:{key:""description"" value:{string_value:""Suspicious/malicious as destinations: Enables protection against ransomware taking over your system. Ransomware will encrypt files on your system and require you to pay in order to get them decrypted. 
This feed prevents ransomware to contact the servers which it needs to encrypt your files.""}} fields:{key:""type"" value:{string_value:""named_feed""}} fields:{key:""action"" value:{string_value:""action_block""}} fields:{key:""data"" value:{string_value:""suspicious""}} fields:{key:""description"" value:{string_value:""Suspicious destinations: Enables protection against hostnames that have not been directly linked to malicious behavior but behave in a manner that suggests malicious behavior may be imminent.""}} fields:{key:""type"" value:{string_value:""named_feed""}} fields:{key:""action"" value:{string_value:""action_block""}} fields:{key:""data"" value:{string_value:""suspicious-lookalikes""}} fields:{key:""description"" value:{string_value:""These are domains that appear to impersonate other trusted domains, but have demonstrated enough abnormal behavior to warrant concern.""}} fields:{key:""type"" value:{string_value:""named_feed""}} fields:{key:""action"" value:{string_value:""action_log""}} fields:{key:""data"" value:{string_value:""Threat Insight - Data Exfiltration""}} fields:{key:""description"" value:{string_value:""Auto-generated""}} fields:{key:""type"" value:{string_value:""custom_list""}} fields:{key:""action"" value:{string_value:""action_log""}} fields:{key:""data"" value:{string_value:""Threat Insight - DNS Messenger""}} fields:{key:""description"" value:{string_value:""Auto-generated""}} fields:{key:""type"" value:{string_value:""custom_list""}} fields:{key:""action"" value:{string_value:""action_log""}} fields:{key:""data"" value:{string_value:""Threat Insight - Notional Data Exfiltration""}} fields:{key:""description"" value:{string_value:""Auto-generated""}} fields:{key:""type"" value:{string_value:""custom_list""}} fields:{key:""action"" value:{string_value:""action_log""}} fields:{key:""data"" value:{string_value:""Threat Insight - Zero Day DNS""}} fields:{key:""description"" value:{string_value:""Auto-generated""}} fields:{key:""type"" 
value:{string_value:""custom_list""}} fields:{key:""action"" value:{string_value:""action_log""}} fields:{key:""data"" value:{string_value:""Threat Insight - Fast Flux""}} fields:{key:""description"" value:{string_value:""Auto-generated""}} fields:{key:""type"" value:{string_value:""custom_list""}} fields:{key:""action"" value:{string_value:""action_log""}} fields:{key:""data"" value:{string_value:""Threat Insight - DGA""}} fields:{key:""description"" value:{string_value:""Auto-generated""}} fields:{key:""type"" value:{string_value:""custom_list""}}, RoamingDeviceGroups: [954966], DFPs: [], DfpNames: [], DefaultAction: ALLOW, DefaultRedirectName: , ECS: false, UserGroups: [], Priority: 2, OnpremResolve: false, SafeSearch: false, DfpServices: [], ScopeExpr: , Tags: value:""{}"", ScopeTags: [], NetAddressDfps: [], BlockDnsRebindAttack: false",,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.19,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,UpdateSecurityPolicy,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
-asdfvasd-3a80-4066-adf8-1451432121,"6/21/2024, 9:31:01 AM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,InfobloxEventVersion=;InfobloxHTTPReqBody=;InfobloxResourceId=0;InfobloxResourceType=Roaming Device Group;InfobloxResourceDesc=;InfobloxHTTPRespBody=;InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User,UpdatePartialRoamingDeviceGroup,atcapi,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Updated Threat_Management, Details: Name: Threat_Management, Description: , Id: 954966, AccountID: 2007292, PolicyId: 208211, CreatedAt: 2024-05-01 
14:02:40.069104 +0000 +0000, UpdatedAt: 2024-06-20 13:40:43.784547 +0000 +0000, ProbeResponse: 7UXCI9JRNUJ3VSZQ4W1XZ80T4JGM3B3X, ProbeDomain: probe.infoblox.com, ProbeEnabled: true, InternalDomainLists: [792596], RoamingDeviceCount: 0, MaxInactiveDays: 100, AdministrativeStatus: ENABLED, UpgradeWindowEnabled: false, UpgradeWindowTimeofdayStartMins: 0, UpgradeWindowDurationMins: 0, UpgradeWindowWeekdays: 7, UpgradeDeferralIntervalStart: 2024-05-24 15:46:23.368257 +0000 UTC, UpgradeDeferralIntervalEnd: 2024-05-24 15:46:23.368257 +0000 UTC, AuthnProfileId: , AuthnServerPort: 9094, SessionTTL: 28800, LogLevel: INFO, Tags: , PoPRegionID: 0",,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.20,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,UpdatePartialRoamingDeviceGroup,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
\ No newline at end of file
+asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 2:16:10 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""name"":""25/06""};InfobloxResourceId=d04b58f6-32fa-11ef-9bda-a26b6676565d;InfobloxResourceType=jointoken;InfobloxResourceDesc=;InfobloxHTTPRespBody={""join_token"":""***"",""result"":{""id"":""ngp-cp/join_tokens/d04b58f6-32fa-11ef-9bda-a26b6676565d"",""name"":""25/06"",""status"":""ACTIVE"",""token_id"":""***"",""use_counter"":0},""success"":{""message"":""Created""}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",create,hostactivation,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Join token is 
created,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,2.2.1.17,,,example.infoblox@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,create,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-1451432121,"6/21/2024, 9:31:00 AM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,InfobloxEventVersion=;InfobloxHTTPReqBody=;InfobloxResourceId=;InfobloxResourceType=Roaming Device;InfobloxResourceDesc=;InfobloxHTTPRespBody=;InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User,UpdateRoamingDevice,atcapi,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ce5277bb842648ac8611753db8016aaf updated,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,2.2.1.17,,,example.infoblox@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,UpdateRoamingDevice,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-1451432121,"6/21/2024, 9:31:00 AM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,InfobloxEventVersion=;InfobloxHTTPReqBody=;InfobloxResourceId=;InfobloxResourceType=Roaming Device;InfobloxResourceDesc=;InfobloxHTTPRespBody=;InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin 
ib-interactive-user];InfobloxSubjectType=User,UpdateRoamingDevice,atcapi,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,updated,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.18,,,example.infoblox@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,UpdateRoamingDevice,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
+asdfvasd-3a80-4066-adf8-1451432121,"6/21/2024, 9:31:00 AM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,InfobloxEventVersion=;InfobloxHTTPReqBody=;InfobloxResourceId=208211;InfobloxResourceType=Security Policy;InfobloxResourceDesc=;InfobloxHTTPRespBody=;InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User,UpdateSecurityPolicy,atcapi,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Updated Threat_Policy, Details: Security PolicyName: Threat_Policy, AccountID: 2007292, Default: false, Description: , UpdatedAt: 2024-06-20 14:27:05.825786 +0000 +0000, NetworkLists: [], Rules fields:{key:""action"" value:{string_value:""action_block""}} fields:{key:""data"" value:{string_value:""antimalware""}} fields:{key:""description"" value:{string_value:""Suspicious/malicious as destinations: Enables protection against known malicious hostname threats that can take action on or control of your systems, such as Malware Command & Control, Malware Download, and active Phishing sites.""}} fields:{key:""type"" value:{string_value:""named_feed""}} fields:{key:""action"" value:{string_value:""action_block""}} fields:{key:""data"" value:{string_value:""ransomware""}} fields:{key:""description"" value:{string_value:""Suspicious/malicious as destinations: Enables protection against 
ransomware taking over your system. Ransomware will encrypt files on your system and require you to pay in order to get them decrypted. This feed prevents ransomware to contact the servers which it needs to encrypt your files.""}} fields:{key:""type"" value:{string_value:""named_feed""}} fields:{key:""action"" value:{string_value:""action_block""}} fields:{key:""data"" value:{string_value:""suspicious""}} fields:{key:""description"" value:{string_value:""Suspicious destinations: Enables protection against hostnames that have not been directly linked to malicious behavior but behave in a manner that suggests malicious behavior may be imminent.""}} fields:{key:""type"" value:{string_value:""named_feed""}} fields:{key:""action"" value:{string_value:""action_block""}} fields:{key:""data"" value:{string_value:""suspicious-lookalikes""}} fields:{key:""description"" value:{string_value:""These are domains that appear to impersonate other trusted domains, but have demonstrated enough abnormal behavior to warrant concern.""}} fields:{key:""type"" value:{string_value:""named_feed""}} fields:{key:""action"" value:{string_value:""action_log""}} fields:{key:""data"" value:{string_value:""Threat Insight - Data Exfiltration""}} fields:{key:""description"" value:{string_value:""Auto-generated""}} fields:{key:""type"" value:{string_value:""custom_list""}} fields:{key:""action"" value:{string_value:""action_log""}} fields:{key:""data"" value:{string_value:""Threat Insight - DNS Messenger""}} fields:{key:""description"" value:{string_value:""Auto-generated""}} fields:{key:""type"" value:{string_value:""custom_list""}} fields:{key:""action"" value:{string_value:""action_log""}} fields:{key:""data"" value:{string_value:""Threat Insight - Notional Data Exfiltration""}} fields:{key:""description"" value:{string_value:""Auto-generated""}} fields:{key:""type"" value:{string_value:""custom_list""}} fields:{key:""action"" value:{string_value:""action_log""}} fields:{key:""data"" 
value:{string_value:""Threat Insight - Zero Day DNS""}} fields:{key:""description"" value:{string_value:""Auto-generated""}} fields:{key:""type"" value:{string_value:""custom_list""}} fields:{key:""action"" value:{string_value:""action_log""}} fields:{key:""data"" value:{string_value:""Threat Insight - Fast Flux""}} fields:{key:""description"" value:{string_value:""Auto-generated""}} fields:{key:""type"" value:{string_value:""custom_list""}} fields:{key:""action"" value:{string_value:""action_log""}} fields:{key:""data"" value:{string_value:""Threat Insight - DGA""}} fields:{key:""description"" value:{string_value:""Auto-generated""}} fields:{key:""type"" value:{string_value:""custom_list""}}, RoamingDeviceGroups: [954966], DFPs: [], DfpNames: [], DefaultAction: ALLOW, DefaultRedirectName: , ECS: false, UserGroups: [], Priority: 2, OnpremResolve: false, SafeSearch: false, DfpServices: [], ScopeExpr: , Tags: value:""{}"", ScopeTags: [], NetAddressDfps: [], BlockDnsRebindAttack: false",,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,2.2.1.19,,,example.infoblox@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,UpdateSecurityPolicy,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/21/2024, 9:31:01 AM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,InfobloxEventVersion=;InfobloxHTTPReqBody=;InfobloxResourceId=0;InfobloxResourceType=Roaming Device Group;InfobloxResourceDesc=;InfobloxHTTPRespBody=;InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User,UpdatePartialRoamingDeviceGroup,atcapi,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Updated 
Threat_Management, Details: Name: Threat_Management, Description: , Id: 954966, AccountID: 2007292, PolicyId: 208211, CreatedAt: 2024-05-01 14:02:40.069104 +0000 +0000, UpdatedAt: 2024-06-20 13:40:43.784547 +0000 +0000, ProbeResponse: 7UXCI9JRNUJ3VSZQ4W1XZ80T4JGM3B3X, ProbeDomain: probe.infoblox.com, ProbeEnabled: true, InternalDomainLists: [792596], RoamingDeviceCount: 0, MaxInactiveDays: 100, AdministrativeStatus: ENABLED, UpgradeWindowEnabled: false, UpgradeWindowTimeofdayStartMins: 0, UpgradeWindowDurationMins: 0, UpgradeWindowWeekdays: 7, UpgradeDeferralIntervalStart: 2024-05-24 15:46:23.368257 +0000 UTC, UpgradeDeferralIntervalEnd: 2024-05-24 15:46:23.368257 +0000 UTC, AuthnProfileId: , AuthnServerPort: 9094, SessionTTL: 28800, LogLevel: INFO, Tags: , PoPRegionID: 0",,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.20,,,example.infoblox@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,UpdatePartialRoamingDeviceGroup,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 \ No newline at end of file
diff --git a/Sample Data/ASIM/Infoblox_BloxOne_DhcpEvent_IngestedLogs.csv b/Sample Data/ASIM/Infoblox_BloxOne_DhcpEvent_IngestedLogs.csv
index 95beeaa0f0..dd40da2c4f 100644
--- a/Sample Data/ASIM/Infoblox_BloxOne_DhcpEvent_IngestedLogs.csv
+++ b/Sample Data/ASIM/Infoblox_BloxOne_DhcpEvent_IngestedLogs.csv
@@ -1,21 +1,21 @@ TenantId,TimeGenerated [UTC],DeviceVendor,DeviceProduct,DeviceVersion,DeviceEventClassID,Activity,LogSeverity,OriginalLogSeverity,AdditionalExtensions,DeviceAction,ApplicationProtocol,EventCount,DestinationDnsDomain,DestinationServiceName,DestinationTranslatedAddress,DestinationTranslatedPort,CommunicationDirection,DeviceDnsDomain,DeviceExternalID,DeviceFacility,DeviceInboundInterface,DeviceNtDomain,DeviceOutboundInterface,DevicePayloadId,ProcessName,DeviceTranslatedAddress,DestinationHostName,DestinationMACAddress,DestinationNTDomain,DestinationProcessId,DestinationUserPrivileges,DestinationProcessName,DestinationPort,DestinationIP,DeviceTimeZone,DestinationUserID,DestinationUserName,DeviceAddress,DeviceName,DeviceMacAddress,ProcessID,EndTime [UTC],ExternalID,ExtID,FileCreateTime,FileHash,FileID,FileModificationTime,FilePath,FilePermission,FileType,FileName,FileSize,ReceivedBytes,Message,OldFileCreateTime,OldFileHash,OldFileID,OldFileModificationTime,OldFileName,OldFilePath,OldFilePermission,OldFileSize,OldFileType,SentBytes,EventOutcome,Protocol,Reason,RequestURL,RequestClientApplication,RequestContext,RequestCookies,RequestMethod,ReceiptTime,SourceHostName,SourceMACAddress,SourceNTDomain,SourceDnsDomain,SourceServiceName,SourceTranslatedAddress,SourceTranslatedPort,SourceProcessId,SourceUserPrivileges,SourceProcessName,SourcePort,SourceIP,StartTime 
[UTC],SourceUserID,SourceUserName,EventType,DeviceEventCategory,DeviceCustomIPv6Address1,DeviceCustomIPv6Address1Label,DeviceCustomIPv6Address2,DeviceCustomIPv6Address2Label,DeviceCustomIPv6Address3,DeviceCustomIPv6Address3Label,DeviceCustomIPv6Address4,DeviceCustomIPv6Address4Label,DeviceCustomFloatingPoint1,DeviceCustomFloatingPoint1Label,DeviceCustomFloatingPoint2,DeviceCustomFloatingPoint2Label,DeviceCustomFloatingPoint3,DeviceCustomFloatingPoint3Label,DeviceCustomFloatingPoint4,DeviceCustomFloatingPoint4Label,DeviceCustomNumber1,FieldDeviceCustomNumber1,DeviceCustomNumber1Label,DeviceCustomNumber2,FieldDeviceCustomNumber2,DeviceCustomNumber2Label,DeviceCustomNumber3,FieldDeviceCustomNumber3,DeviceCustomNumber3Label,DeviceCustomString1,DeviceCustomString1Label,DeviceCustomString2,DeviceCustomString2Label,DeviceCustomString3,DeviceCustomString3Label,DeviceCustomString4,DeviceCustomString4Label,DeviceCustomString5,DeviceCustomString5Label,DeviceCustomString6,DeviceCustomString6Label,DeviceCustomDate1,DeviceCustomDate1Label,DeviceCustomDate2,DeviceCustomDate2Label,FlexDate1,FlexDate1Label,FlexNumber1,FlexNumber1Label,FlexNumber2,FlexNumber2Label,FlexString1,FlexString1Label,FlexString2,FlexString2Label,RemoteIP,RemotePort,MaliciousIP,ThreatSeverity,IndicatorThreatType,ThreatDescription,ThreatConfidence,ReportReferenceLink,MaliciousIPLongitude,MaliciousIPLatitude,MaliciousIPCountry,Computer,SourceSystem,SimplifiedDeviceAction,CollectorHostName,Type,_ResourceId asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:38:01 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease 
Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=1a4c3958-2cde-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_12='armisappliance8153';code_53='\003';code_55='\001\034\002\003\017\006w\014,/\032y*'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,armisappliance8153,00:50:56:92:0f:021,,,,,,,,,,1.1.1.1,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:41:07 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.7.83;InfobloxRangeEnd=10.50.7.90;InfobloxLeaseOp=Update;InfobloxClientID=ff:56:a7:b8:bb:00:01:00:01:2d:fc:56:bb:00:50:56:a7:b8:bb;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=be24ee60-28ba-11ef-9ba7-5aa338a7988f;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_55='\001\034\002\003\017\006w\014,/\032y*';code_61='\377V\247\270\273\000\001\000\001-\374V\273\000PV\247\270\273';code_12='CE';code_53='\003'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ce,00:50:56:92:0f:022,,,,,,,,,,1.1.1.2,,,,,"""DHCP Lease 
Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:41:07 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.7.83;InfobloxRangeEnd=10.50.7.90;InfobloxLeaseOp=Update;InfobloxClientID=ff:56:a7:b8:bb:00:01:00:01:2d:fc:56:bb:00:50:56:a7:b8:bb;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=be24ee60-28ba-11ef-9ba7-5aa338a7988f;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_55='\001\034\002\003\017\006w\014,/\032y*';code_61='\377V\247\270\273\000\001\000\001-\374V\273\000PV\247\270\273';code_12='CE';code_53='\003'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ce,00:50:56:92:0f:022,,,,,,,,,,1.1.1.1,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:41:27 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease 
Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=01:00:50:56:81:4d:d7;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=5cbf171b-2cdd-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_61='\001\000PV\201M\327';code_81='\000\000\000win-r7j2mdoio5c';code_12='WIN-R7J2MDOIO5C';code_53='\003';code_55='\001\017\003\006,./\037!y\371\374+';code_60='MSFT'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,win-r7j2mdoio5c.,00:50:56:92:0f:023,,,,,,,,,,1.1.1.3,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:43:31 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.7.83;InfobloxRangeEnd=10.50.7.90;InfobloxLeaseOp=Update;InfobloxClientID=ff:56:a7:09:19:00:01:00:01:2d:fc:51:c5:00:50:56:a7:09:19;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=c7cf675d-28b7-11ef-9ba7-5aa338a7988f;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_61='\377V\247\t\031\000\001\000\001-\374Q\305\000PV\247\t\031';code_12='CE';code_53='\003';code_55='\001\034\002\003\017\006w\014,/\032y*'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ce,00:50:56:92:0f:024,,,,,,,,,,1.1.1.4,,,,,"""DHCP Lease 
Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:44:03 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=ff:56:a7:b6:07:00:01:00:01:2d:df:57:0a:00:50:56:a7:b6:07;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=ca697503-2cdd-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_55='\001\034\002\003\017\006w\014,/\032y*';code_61='\377V\247\266\007\000\001\000\001-\337W\n\000PV\247\266\007';code_12='CE';code_53='\003'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ce,00:50:56:92:0f:025,,,,,,,,,,1.1.1.5,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:46:10 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease 
Update,1,,InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=01:00:50:56:81:50:52;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=13ba6378-32d6-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;code_51='\000\000\000<';code_53='\003';code_55='\001\034\002y\003\017\006\014w\032';code_61='\001\000PV\201PR',,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,00:50:56:92:0f:026,,,,,,,,,,1.1.1.6,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:44:03 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=ff:56:a7:b6:07:00:01:00:01:2d:df:57:0a:00:50:56:a7:b6:07;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=ca697503-2cdd-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_55='\001\034\002\003\017\006w\014,/\032y*';code_61='\377V\247\266\007\000\001\000\001-\337W\n\000PV\247\266\007';code_12='CE';code_53='\003'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ce,00:50:56:92:0f:025,,,,,,,,,,1.1.1.4,,,,,"""DHCP Lease 
Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:46:10 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=01:00:50:56:81:50:52;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=13ba6378-32d6-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;code_51='\000\000\000<';code_53='\003';code_55='\001\034\002y\003\017\006\014w\032';code_61='\001\000PV\201PR',,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,00:50:56:92:0f:026,,,,,,,,,,1.2.1.6,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:47:43 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=ff:56:a7:63:6d:00:01:00:01:2e:02:c9:c2:00:50:56:a7:63:6d;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=d5782ae0-2c92-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual 
Machine:Windows:;InfobloxDHCPOptions=;""code_53='\003';code_55='\001\034\002\003\017\006w\014,/\032y*';code_61='\377V\247cm\000\001\000\001.\002\311\302\000PV\247cm';code_12='CE'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ce,00:50:56:92:0f:027,,,,,,,,,,1.1.1.7,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:52:21 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=ff:9f:6e:85:24:00:02:00:00:ab:11:6b:cb:20:2b:0f:d1:be:6e;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=b67e515a-2cda-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;code_53='\003';code_55='\001\003\014\017\006\032!y*';code_57='\002@';code_61='\377\237n\205$\000\002\000\000\253\021k\313';code_12='test',,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,test,00:50:56:92:0f:028,,,,,,,,,,1.1.1.8,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:52:37 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease 
Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=00:63:69:73:63:6f:2d:30:30:35:30:2e:35:36:38:31:2e:62:39:39:62:2d:6f:75:74:73:69:64:65:2d:66:69:72:65:70:6f:77:65:72:00;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=9c38cc9b-2cda-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_55='\001\006\017,\003!';code_57='\004\200';code_61='\000cisco-0050.5681.b99b-outside-firepower\000';code_12='firepower';code_53='\003'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,firepower,00:50:56:92:0f:029,,,,,,,,,,1.1.1.9,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:52:37 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=00:63:69:73:63:6f:2d:30:30:35:30:2e:35:36:38:31:2e:62:39:39:62:2d:6f:75:74:73:69:64:65:2d:66:69:72:65:70:6f:77:65:72:00;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=9c38cc9b-2cda-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual 
Machine:Windows:;InfobloxDHCPOptions=;""code_55='\001\006\017,\003!';code_57='\004\200';code_61='\000cisco-0050.5681.b99b-outside-firepower\000';code_12='firepower';code_53='\003'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,firepower,00:50:56:92:0f:029,,,,,,,,,,1.1.1.8,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 3:55:49 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.7.83;InfobloxRangeEnd=10.50.7.90;InfobloxLeaseOp=Update;InfobloxClientID=ff:56:a7:c3:f2:00:01:00:01:2d:fc:38:18:00:50:56:a7:c3:f2;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=7a8a18bc-28a8-11ef-9ba7-5aa338a7988f;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_61='\377V\247\303\362\000\001\000\001-\3748\030\000PV\247\303\362';code_12='CE';code_53='\003';code_55='\001\034\002\003\017\006w\014,/\032y*'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ce,00:50:56:92:0f:030,,,,,,,,,,1.1.1.10,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:01:11 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease 
Update,1,,InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=5c2fcea3-2cdf-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;code_53='\003';code_55='\001\034\002y\017\006\014()*\032w\003y\371!\374*\021',,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,00:50:56:92:0f:031,,,,,,,,,,1.1.1.11,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:02:53 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.7.83;InfobloxRangeEnd=10.50.7.90;InfobloxLeaseOp=Update;InfobloxClientID=ff:56:a7:a9:8f:00:01:00:01:2e:0d:5c:6e:00:50:56:a7:a9:8f;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=204fa2cc-32e0-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_55='\001\034\002\003\017\006w\014,/\032y*';code_61='\377V\247\251\217\000\001\000\001.\r\n\000PV\247\251\217';code_12='CE';code_53='\003'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ce,00:50:56:92:0f:032,,,,,,,,,,1.1.1.12,,,,,"""DHCP Lease 
Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:03:23 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=01:00:50:56:81:cb:e7;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=449cf0dc-2cdc-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;code_12='GigaVUE-FM-6501';code_53='\003';code_55='\001\002\006\014\017\032\034y\003!()*w\371\374\021';code_57='\377\377';code_61='\001\000PV\201\313\347',,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,gigavue-fm-6501,00:50:56:92:0f:033,,,,,,,,,,1.1.1.13,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:02:53 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease 
Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.7.83;InfobloxRangeEnd=10.50.7.90;InfobloxLeaseOp=Update;InfobloxClientID=ff:56:a7:a9:8f:00:01:00:01:2e:0d:5c:6e:00:50:56:a7:a9:8f;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=204fa2cc-32e0-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_55='\001\034\002\003\017\006w\014,/\032y*';code_61='\377V\247\251\217\000\001\000\001.\r\n\000PV\247\251\217';code_12='CE';code_53='\003'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ce,00:50:56:92:0f:032,,,,,,,,,,1.1.1.11,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:03:23 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=01:00:50:56:81:cb:e7;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=449cf0dc-2cdc-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;code_12='GigaVUE-FM-6501';code_53='\003';code_55='\001\002\006\014\017\032\034y\003!()*w\371\374\021';code_57='\377\377';code_61='\001\000PV\201\313\347',,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,gigavue-fm-6501,00:50:56:92:0f:033,,,,,,,,,,1.2.1.11,,,,,"""DHCP Lease 
Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:04:59 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=abd51188-330c-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=false;InfobloxFingerprint=;InfobloxDHCPOptions=;""code_12='co7';code_50='\n2\010\021';code_53='\003';code_54='\n2\013\022';code_55='\001\034\002y\017\006\014()*\032w\003y\371!\374*\021'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,co7,00:50:56:92:0f:034,,,,,,,,,,1.1.1.14,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:04:59 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=;InfobloxRangeStart=;InfobloxRangeEnd=;InfobloxLeaseOp=Update;InfobloxClientID=;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=abd51188-330c-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual 
Machine:Windows:;InfobloxDHCPOptions=;""code_12='co7';code_50='\n2\010\021';code_53='\003';code_54='\n2\013\022';code_55='\001\034\002y\017\006\014()*\032w\003y\371!\374*\021'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,co7,00:50:56:92:0f:035,,,,,,,,,,1.1.1.15,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:05:29 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=bdb72cf3-330c-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=false;InfobloxFingerprint=;InfobloxDHCPOptions=;""code_12='co7';code_50='\n2\010\022';code_53='\003';code_54='\n2\013\022';code_55='\001\034\002y\017\006\014()*\032w\003y\371!\374*\021'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,co7,00:50:56:92:0f:036,,,,,,,,,,1.1.1.16,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:05:29 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease 
Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=;InfobloxRangeStart=;InfobloxRangeEnd=;InfobloxLeaseOp=Update;InfobloxClientID=;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=bdb72cf3-330c-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_12='co7';code_50='\n2\010\022';code_53='\003';code_54='\n2\013\022';code_55='\001\034\002y\017\006\014()*\032w\003y\371!\374*\021'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,co7,00:50:56:92:0f:037,,,,,,,,,,1.1.1.17,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:05:29 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=;InfobloxRangeStart=;InfobloxRangeEnd=;InfobloxLeaseOp=Update;InfobloxClientID=;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=bdb72cf3-330c-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_12='co7';code_50='\n2\010\022';code_53='\003';code_54='\n2\013\022';code_55='\001\034\002y\017\006\014()*\032w\003y\371!\374*\021'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,co7,00:50:56:92:0f:037,,,,,,,,,,2.2.1.17,,,,,"""DHCP Lease 
Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:06:31 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=1a4c3958-2cde-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_53='\003';code_55='\001\034\002\003\017\006w\014,/\032y*';code_12='armisappliance8153'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,armisappliance8153,00:50:56:92:0f:038,,,,,,,,,,1.1.1.18,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:06:49 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.7.83;InfobloxRangeEnd=10.50.7.90;InfobloxLeaseOp=Update;InfobloxClientID=ff:56:a7:b8:bb:00:01:00:01:2d:fc:56:bb:00:50:56:a7:b8:bb;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=be24ee60-28ba-11ef-9ba7-5aa338a7988f;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual 
Machine:Windows:;InfobloxDHCPOptions=;""code_12='CE';code_53='\003';code_55='\001\034\002\003\017\006w\014,/\032y*';code_61='\377V\247\270\273\000\001\000\001-\374V\273\000PV\247\270\273'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ce,00:50:56:92:0f:039,,,,,,,,,,1.1.1.19,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:06:49 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.7.83;InfobloxRangeEnd=10.50.7.90;InfobloxLeaseOp=Update;InfobloxClientID=ff:56:a7:b8:bb:00:01:00:01:2d:fc:56:bb:00:50:56:a7:b8:bb;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=be24ee60-28ba-11ef-9ba7-5aa338a7988f;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_12='CE';code_53='\003';code_55='\001\034\002\003\017\006w\014,/\032y*';code_61='\377V\247\270\273\000\001\000\001-\374V\273\000PV\247\270\273'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ce,00:50:56:92:0f:039,,,,,,,,,,2.2.1.19,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:11:27 PM",Infoblox,Data Connector,2.1.3,DHCP-LEASE-UPDATE,DHCP Lease 
Update,1,,"InfobloxHost=;InfobloxHostID=dhcp/host/689611;InfobloxIPSpace=ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb7155;InfobloxSubnet=10.50.0.0/20;InfobloxRangeStart=10.50.8.10;InfobloxRangeEnd=10.50.8.25;InfobloxLeaseOp=Update;InfobloxClientID=01:00:50:56:81:4d:d7;InfobloxDUID=;InfobloxLifetime=3600;InfobloxLeaseUUID=5cbf171b-2cdd-11ef-9ccb-ce89876002b2;InfobloxFingerprintPr=true;InfobloxFingerprint=VMware:Virtual Machine:Windows:;InfobloxDHCPOptions=;""code_12='WIN-R7J2MDOIO5C';code_53='\003';code_55='\001\017\003\006,./\037!y\371\374+';code_60='MSFT';code_61='\001\000PV\201M\327';code_81='\000\000\000win-r7j2mdoio5c'""",,DHCP,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,win-r7j2mdoio5c.,00:50:56:92:0f:040,,,,,,,,,,1.1.1.20,,,,,"""DHCP Lease Update""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406
\ No newline at end of file
diff --git a/Sample Data/ASIM/Infoblox_BloxOne_Dns_IngestedLogs.csv b/Sample Data/ASIM/Infoblox_BloxOne_Dns_IngestedLogs.csv
index c67c193d20..e4729fe938 100644
--- a/Sample Data/ASIM/Infoblox_BloxOne_Dns_IngestedLogs.csv
+++ b/Sample Data/ASIM/Infoblox_BloxOne_Dns_IngestedLogs.csv
@@ -1,21 +1,21 @@
 TenantId,TimeGenerated [UTC],DeviceVendor,DeviceProduct,DeviceVersion,DeviceEventClassID,Activity,LogSeverity,OriginalLogSeverity,AdditionalExtensions,DeviceAction,ApplicationProtocol,EventCount,DestinationDnsDomain,DestinationServiceName,DestinationTranslatedAddress,DestinationTranslatedPort,CommunicationDirection,DeviceDnsDomain,DeviceExternalID,DeviceFacility,DeviceInboundInterface,DeviceNtDomain,DeviceOutboundInterface,DevicePayloadId,ProcessName,DeviceTranslatedAddress,DestinationHostName,DestinationMACAddress,DestinationNTDomain,DestinationProcessId,DestinationUserPrivileges,DestinationProcessName,DestinationPort,DestinationIP,DeviceTimeZone,DestinationUserID,DestinationUserName,DeviceAddress,DeviceName,DeviceMacAddress,ProcessID,EndTime [UTC],ExternalID,ExtID,FileCreateTime,FileHash,FileID,FileModificationTime,FilePath,FilePermission,FileType,FileName,FileSize,ReceivedBytes,Message,OldFileCreateTime,OldFileHash,OldFileID,OldFileModificationTime,OldFileName,OldFilePath,OldFilePermission,OldFileSize,OldFileType,SentBytes,EventOutcome,Protocol,Reason,RequestURL,RequestClientApplication,RequestContext,RequestCookies,RequestMethod,ReceiptTime,SourceHostName,SourceMACAddress,SourceNTDomain,SourceDnsDomain,SourceServiceName,SourceTranslatedAddress,SourceTranslatedPort,SourceProcessId,SourceUserPrivileges,SourceProcessName,SourcePort,SourceIP,StartTime 
[UTC],SourceUserID,SourceUserName,EventType,DeviceEventCategory,DeviceCustomIPv6Address1,DeviceCustomIPv6Address1Label,DeviceCustomIPv6Address2,DeviceCustomIPv6Address2Label,DeviceCustomIPv6Address3,DeviceCustomIPv6Address3Label,DeviceCustomIPv6Address4,DeviceCustomIPv6Address4Label,DeviceCustomFloatingPoint1,DeviceCustomFloatingPoint1Label,DeviceCustomFloatingPoint2,DeviceCustomFloatingPoint2Label,DeviceCustomFloatingPoint3,DeviceCustomFloatingPoint3Label,DeviceCustomFloatingPoint4,DeviceCustomFloatingPoint4Label,DeviceCustomNumber1,FieldDeviceCustomNumber1,DeviceCustomNumber1Label,DeviceCustomNumber2,FieldDeviceCustomNumber2,DeviceCustomNumber2Label,DeviceCustomNumber3,FieldDeviceCustomNumber3,DeviceCustomNumber3Label,DeviceCustomString1,DeviceCustomString1Label,DeviceCustomString2,DeviceCustomString2Label,DeviceCustomString3,DeviceCustomString3Label,DeviceCustomString4,DeviceCustomString4Label,DeviceCustomString5,DeviceCustomString5Label,DeviceCustomString6,DeviceCustomString6Label,DeviceCustomDate1,DeviceCustomDate1Label,DeviceCustomDate2,DeviceCustomDate2Label,FlexDate1,FlexDate1Label,FlexNumber1,FlexNumber1Label,FlexNumber2,FlexNumber2Label,FlexString1,FlexString1Label,FlexString2,FlexString2Label,RemoteIP,RemotePort,MaliciousIP,ThreatSeverity,IndicatorThreatType,ThreatDescription,ThreatConfidence,ReportReferenceLink,MaliciousIPLongitude,MaliciousIPLatitude,MaliciousIPCountry,Computer,SourceSystem,SimplifiedDeviceAction,CollectorHostName,Type,_ResourceId -asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:19 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A 
NOERROR,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NOERROR;InfobloxAnCount=1;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Technology - Other",,DNS,,www.example.com.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.1,2.2.2.2,,,,,,,,,,,,,,,,"""www.example.com. 291 IN A 93.184.215.14""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:19 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Technology - Other",,DNS,,www.example.com.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.2,2.2.2.3,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:19 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A 
SERVFAIL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=SERVFAIL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Unreachable",,DNS,,ip.parrotdns.com.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.3,2.2.2.4,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.5,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:19 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A NOERROR,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NOERROR;InfobloxAnCount=1;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Information Security",,DNS,,dnsscan.shadowserver.org.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.4,2.2.2.5,,,,,,,,,,,,,,,,"""dnsscan.shadowserver.org. 
7199 IN A 184.105.143.133""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:19 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.5,2.2.2.6,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:24 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY 
NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.6,2.2.2.7,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.8,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:25 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.7,2.2.2.8,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:31 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY 
NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.8,2.2.2.9,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:33 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.9,2.2.2.10,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.11,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:34 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY 
NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.10,2.2.2.11,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.12,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:46 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.11,2.2.2.12,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.13,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:54 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY 
NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.12,2.2.2.13,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:58 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.13,2.2.2.14,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.15,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:59 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A 
NXDOMAIN,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NXDOMAIN;InfobloxAnCount=0;InfobloxNsCount=1;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,nxbot4000.axsgvadw.net.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.14,2.2.2.15,,,,,,,,,,,,,,,,"""net. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1719330141 1800 900 604800 86400""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.16,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:59 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A NXDOMAIN,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NXDOMAIN;InfobloxAnCount=0;InfobloxNsCount=1;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,nxbot4001.axsgvadw.net.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.15,2.2.2.16,,,,,,,,,,,,,,,,"""net. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 
1719330141 1800 900 604800 86400""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.17,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:59 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A NXDOMAIN,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NXDOMAIN;InfobloxAnCount=0;InfobloxNsCount=1;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,nxbot4002.axsgvadw.net.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.16,2.2.2.17,,,,,,,,,,,,,,,,"""net. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 
1719330141 1800 900 604800 86400""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.18,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:59 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A NXDOMAIN,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NXDOMAIN;InfobloxAnCount=0;InfobloxNsCount=1;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,nxbot4003.axsgvadw.net.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.17,2.2.2.18,,,,,,,,,,,,,,,,"""net. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 
1719330141 1800 900 604800 86400""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.19,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:59 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A NXDOMAIN,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NXDOMAIN;InfobloxAnCount=0;InfobloxNsCount=1;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,nxbot4004.axsgvadw.net.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.18,2.2.2.19,,,,,,,,,,,,,,,,"""net. 899 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 
1719330141 1800 900 604800 86400""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.20,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:59 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A NXDOMAIN,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NXDOMAIN;InfobloxAnCount=0;InfobloxNsCount=1;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,nxbot4005.axsgvadw.net.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.19,2.2.2.20,,,,,,,,,,,,,,,,"""net. 899 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 
1719330141 1800 900 604800 86400""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.21,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:59 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A NXDOMAIN,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NXDOMAIN;InfobloxAnCount=0;InfobloxNsCount=1;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,nxbot4006.axsgvadw.net.,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.20,2.2.2.21,,,,,,,,,,,,,,,,"""net. 899 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 
1719330141 1800 900 604800 86400""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,3.3.3.22,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 \ No newline at end of file +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:19 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A NOERROR,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NOERROR;InfobloxAnCount=1;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Technology - Other",,DNS,,www.example.com,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.1,2.2.2.2,,,,,,,,,,,,,,,,"""www.example.com. 
291 IN A 93.184.215.14""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.1.1.1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:19 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Technology - Other",,DNS,,www.example.com,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.2,2.2.2.3,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.1.1.1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:19 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A 
SERVFAIL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=SERVFAIL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Unreachable",,DNS,,ip.parrotdns.com,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.3,2.2.2.4,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.1.1.3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:19 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A NOERROR,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NOERROR;InfobloxAnCount=1;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Information Security",,DNS,,dnsscan.shadowserver.org,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.4,2.2.2.5,,,,,,,,,,,,,,,,"""dnsscan.shadowserver.org. 
7199 IN A 184.105.143.133""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.1.1.4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:19 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.5,2.2.2.6,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.1.1.4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:24 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY 
NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.6,2.2.2.7,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.2.1.6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:25 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.7,2.2.2.8,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.1.1.7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:31 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY 
NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.8,2.2.2.9,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.1.1.8,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:33 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.9,2.2.2.10,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.1.1.8,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:34 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY 
NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.10,2.2.2.11,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.1.1.10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:46 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.11,2.2.2.12,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.1.1.11,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:54 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY 
NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.12,2.2.2.13,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.1.1.11,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:58 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN ANY NOTIMPL,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=ANY;InfobloxDNSQFlags=-EV;InfobloxDNSRCode=NOTIMPL;InfobloxAnCount=0;InfobloxNsCount=0;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,soc-botnet.tgolmdrx.top,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.13,2.2.2.14,,,,,,,,,,,,,,,,"""""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.2.1.11,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:59 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A 
NXDOMAIN,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NXDOMAIN;InfobloxAnCount=0;InfobloxNsCount=1;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,nxbot4000.axsgvadw.net,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.14,2.2.2.15,,,,,,,,,,,,,,,,"""net. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1719330141 1800 900 604800 86400""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.1.1.14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:59 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A NXDOMAIN,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NXDOMAIN;InfobloxAnCount=0;InfobloxNsCount=1;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,nxbot4001.axsgvadw.net,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.15,2.2.2.16,,,,,,,,,,,,,,,,"""net. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 
1719330141 1800 900 604800 86400""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.1.1.15,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:59 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A NXDOMAIN,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NXDOMAIN;InfobloxAnCount=0;InfobloxNsCount=1;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,ip.parrotdns.com,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.16,2.2.2.17,,,,,,,,,,,,,,,,"""net. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 
1719330141 1800 900 604800 86400""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.1.1.16,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:59 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A NXDOMAIN,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NXDOMAIN;InfobloxAnCount=0;InfobloxNsCount=1;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,www.example.com,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.17,2.2.2.18,,,,,,,,,,,,,,,,"""net. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 
1719330141 1800 900 604800 86400""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,2.2.1.17,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:59 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A NXDOMAIN,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NXDOMAIN;InfobloxAnCount=0;InfobloxNsCount=1;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,nxbot4001.axsgvadw.net,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.18,2.2.2.19,,,,,,,,,,,,,,,,"""net. 899 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 
1719330141 1800 900 604800 86400""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.1.1.18,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:59 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A NXDOMAIN,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NXDOMAIN;InfobloxAnCount=0;InfobloxNsCount=1;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,nxbot4001.axsgvadw.net,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.19,2.2.2.20,,,,,,,,,,,,,,,,"""net. 899 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 
1719330141 1800 900 604800 86400""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,2.2.1.19,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-0xxxxxxx,"6/25/2024, 3:42:59 PM",Infoblox,Data Connector,2.1.3,DNS Response,DNS Response IN A NXDOMAIN,1,,"InfobloxDNSView=;InfobloxDNSQClass=IN;InfobloxDNSQType=A;InfobloxDNSQFlags=+EV;InfobloxDNSRCode=NXDOMAIN;InfobloxAnCount=0;InfobloxNsCount=1;InfobloxArCount=0;InfobloxB1Region=us-west-1;InfobloxB1ConnectionType=remote_office;InfobloxB1OPHName=;InfobloxB1OPHIPAddress=;InfobloxB1Network=;InfobloxB1SrcOSVersion=;InfobloxB1DHCPFingerprint=;InfobloxB1DNSTags=APP_Uncategorized,CAT_Uncategorized",,DNS,,nxbot4001.axsgvadw.net,,,,,,,,,,,,,,,,,,,,,,,,,1.1.1.20,2.2.2.21,,,,,,,,,,,,,,,,"""net. 899 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1719330141 1800 900 604800 86400""",,,,,,,,,,,,TCP,,,,,,,,,,,,,,,,,,21388,1.1.1.20,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 \ No newline at end of file From 082653d85314de4519771f0618dae332faa08981 Mon Sep 17 00:00:00 2001 From: "nipun.brahmbhatt@crestdatasys.com" Date: Thu, 12 Sep 2024 18:32:47 +0530 Subject: [PATCH 04/11] Added kqlvalidation changes --- .../Parsers/vimAuditEventInfobloxBloxOne.yaml | 17 +++++++++++++++++ .../ASimDns/Parsers/vimDnsInfobloxBloxOne.yaml | 2 +- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml b/Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml index 429c747e30..8e4e80912a 100644 
--- a/Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml
+++ b/Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml
@@ -64,6 +64,22 @@ ParserQuery: |
 "9", "High",
 "10", "High"
 ];
+ let OperationLookup = datatable (DeviceAction:string, Object:string, ObjectType:string)
+ [
+ "CreateSecurityPolicy", "Security Policy", "Policy Role",
+ "UpdateSecurityPolicy", "Security Policy", "Policy",
+ "Create", "Network Resource", "Service",
+ "Update", "Network Resource", "Service",
+ "Restore", "Infoblox Resource", "Service",
+ "CreateOrGetDoHFQDN", "DOHFQDN", "Service",
+ "CreateOrUpdateDfpService", "Dfp Service", "Service",
+ "MoveToRecyclebin", "Recyclebin", "Other",
+ "CreateCategoryFilter", "Category Filter", "Other",
+ "GetLookalikeThreatCounts", "Lookalike Threat Counts", "Other",
+ "GetLookalikeDomainCounts", "Lookalike Domain Counts", "Other",
+ "CreateRoamingDeviceGroup", "Roaming Device Group", "Configuration Atom",
+ "UpdatePartialRoamingDeviceGroup", "Partial Roaming Device Group", "Configuration Atom"
+ ];
 let parser = (disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventresult: string='*', operation_has_any: dynamic=dynamic([]), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), object_has_any: dynamic=dynamic([]), newvalue_has_any: dynamic=dynamic([])) {
 CommonSecurityLog
 | where not(disabled)
@@ -89,6 +105,7 @@ ParserQuery: |
 )
 | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))
 | lookup EventSeverityLookup on LogSeverity
+ | lookup OperationLookup on DeviceAction
 | invoke _ASIM_ResolveDvcFQDN('CollectorHostName')
 | project-rename
 EventResult = EventOutcome,
diff --git a/Parsers/ASimDns/Parsers/vimDnsInfobloxBloxOne.yaml b/Parsers/ASimDns/Parsers/vimDnsInfobloxBloxOne.yaml
index c3dce62a44..9c5e6eb6f0 100644
--- a/Parsers/ASimDns/Parsers/vimDnsInfobloxBloxOne.yaml
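Review bot: `| lookup OperationLookup on DeviceAction` matches the key by exact string equality, which as far as I know is case-sensitive in KQL, while the new datatable keys are PascalCase (`Create`, `Update`, …) and the sample audit row added later in this series appears to carry the action in lowercase (`create`); rows whose DeviceAction differs only in case silently get no Object/ObjectType. Lower-casing the table keys and joining on a normalised column avoids that, e.g. `| extend _action = tolower(DeviceAction) | lookup OperationLookup on $left._action == $right.Action` with the table column renamed to `Action`, then `project-away _action`. Separately, `"CreateSecurityPolicy"` maps to ObjectType `Policy Role` while `"UpdateSecurityPolicy"` maps to `Policy`; if the ASIM enumerated value was intended, the schema's value is `Policy Rule`, and the two rows should probably agree. The same table is added to the ASim variant in a later patch of this series, where both points apply as well.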
+++ b/Parsers/ASimDns/Parsers/vimDnsInfobloxBloxOne.yaml @@ -192,7 +192,7 @@ ParserQuery: | and response_has_ipv4 == '*' and array_length(response_has_any_prefix) == 0 | project-rename - DnsQuery = DestinationDnsDomain, + DnsQuery = DestinationDnsDomain | extend DnsQuery = iff(substring(DnsQuery, strlen(DnsQuery) - 1, 1) == ".", substring(DnsQuery, 0, strlen(DnsQuery) - 1), DnsQuery) | where array_length(domain_has_any) == 0 or DnsQuery has_any (domain_has_any) From 9eb522c7d447a2ddb46816f229c399d6c8f89205 Mon Sep 17 00:00:00 2001 From: "nipun.brahmbhatt@crestdatasys.com" Date: Fri, 13 Sep 2024 12:10:57 +0530 Subject: [PATCH 05/11] Removed tags to resolve ASIM parsers validation --- .../ASimAuditEventInfobloxBloxOne.yaml | 20 +++++++++---------- .../Parsers/vimAuditEventInfobloxBloxOne.yaml | 20 +++++++++---------- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/Parsers/ASimAuditEvent/Parsers/ASimAuditEventInfobloxBloxOne.yaml b/Parsers/ASimAuditEvent/Parsers/ASimAuditEventInfobloxBloxOne.yaml index 8ce7737f52..2a69ab58be 100644 --- a/Parsers/ASimAuditEvent/Parsers/ASimAuditEventInfobloxBloxOne.yaml +++ b/Parsers/ASimAuditEvent/Parsers/ASimAuditEventInfobloxBloxOne.yaml 
@@ -40,18 +40,18 @@ ParserQuery:
 let OperationLookup = datatable (DeviceAction:string, Object:string, ObjectType:string)
 [
 "CreateSecurityPolicy", "Security Policy", "Policy Role",
- "UpdateSecurityPolicy", "Security Policy", "Policy",
- "Create", "Network Resource", "Service",
- "Update", "Network Resource", "Service",
- "Restore", "Infoblox Resource", "Service",
- "CreateOrGetDoHFQDN", "DOHFQDN", "Service",
- "CreateOrUpdateDfpService", "Dfp Service", "Service",
- "MoveToRecyclebin", "Recyclebin", "Other",
+ "UpdateSecurityPolicy", "Security Policy", "Policy",
+ "Create", "Network Resource", "Service",
+ "Update", "Network Resource", "Service",
+ "Restore", "Infoblox Resource", "Service",
+ "CreateOrGetDoHFQDN", "DOHFQDN", "Service",
+ "CreateOrUpdateDfpService", "Dfp Service", "Service",
+ "MoveToRecyclebin", "Recyclebin", "Other",
 "CreateCategoryFilter", "Category Filter", "Other",
 "GetLookalikeThreatCounts", "Lookalike Threat Counts", "Other",
- "GetLookalikeDomainCounts", "Lookalike Domain Counts", "Other",
- "CreateRoamingDeviceGroup", "Roaming Device Group", "Configuration Atom",
- "UpdatePartialRoamingDeviceGroup", "Partial Roaming Device Group", "Configuration Atom"
+ "GetLookalikeDomainCounts", "Lookalike Domain Counts", "Other",
+ "CreateRoamingDeviceGroup", "Roaming Device Group", "Configuration Atom",
+ "UpdatePartialRoamingDeviceGroup", "Partial Roaming Device Group", "Configuration Atom"
 ];
 let parser = (disabled:bool=false) {
 CommonSecurityLog
diff --git a/Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml b/Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml
index 8e4e80912a..feee64b16d 100644
--- a/Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml
+++ b/Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml
@@ -67,18 +67,18 @@ ParserQuery: |
 let OperationLookup = datatable (DeviceAction:string, Object:string, ObjectType:string)
 [
 "CreateSecurityPolicy", "Security Policy", "Policy Role",
- "UpdateSecurityPolicy", "Security Policy", "Policy",
- "Create", "Network Resource", "Service",
- "Update", "Network Resource", "Service",
- "Restore", "Infoblox Resource", "Service",
- "CreateOrGetDoHFQDN", "DOHFQDN", "Service",
- "CreateOrUpdateDfpService", "Dfp Service", "Service",
- "MoveToRecyclebin", "Recyclebin", "Other",
+ "UpdateSecurityPolicy", "Security Policy", "Policy",
+ "Create", "Network Resource", "Service",
+ "Update", "Network Resource", "Service",
+ "Restore", "Infoblox Resource", "Service",
+ "CreateOrGetDoHFQDN", "DOHFQDN", "Service",
+ "CreateOrUpdateDfpService", "Dfp Service", "Service",
+ "MoveToRecyclebin", "Recyclebin", "Other",
 "CreateCategoryFilter", "Category Filter", "Other",
 "GetLookalikeThreatCounts", "Lookalike Threat Counts", "Other",
- "GetLookalikeDomainCounts", "Lookalike Domain Counts", "Other",
- "CreateRoamingDeviceGroup", "Roaming Device Group", "Configuration Atom",
- "UpdatePartialRoamingDeviceGroup", "Partial Roaming Device Group", "Configuration Atom"
+ "GetLookalikeDomainCounts", "Lookalike Domain Counts", "Other",
+ "CreateRoamingDeviceGroup", "Roaming Device Group", "Configuration Atom",
+ "UpdatePartialRoamingDeviceGroup", "Partial Roaming Device Group", "Configuration Atom"
 ];
 let parser = (disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventresult: string='*', operation_has_any: dynamic=dynamic([]), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), object_has_any: dynamic=dynamic([]), newvalue_has_any: dynamic=dynamic([])) {
 CommonSecurityLog
From 424ab81c267c0dc5a48827ee44f5ac94911384ac Mon Sep 17 00:00:00 2001
From: "nipun.brahmbhatt@crestdatasys.com" Date: Fri, 13 Sep 2024 17:22:12 +0530 Subject: [PATCH 06/11] Added validation for object and ObjectType, also added new tester files and changed sample logs --- .../Parsers/ASimAuditEventInfobloxBloxOne.yaml | 4 +++- .../Parsers/vimAuditEventInfobloxBloxOne.yaml | 8 +++++--- ...oxBloxOne_ASimAuditEvent_ASimSchemaTester.csv | 2 -- ...loxBloxOne_vimAuditEvent_ASimSchemaTester.csv | 2 -- .../Parsers/ASimDhcpEventInfobloxBloxOne.yaml | 2 +- .../Parsers/vimDhcpEventInfobloxBloxOne.yaml | 2 +- ...obloxBloxOne_ASimDhcpEvent_ASimDataTester.csv | 1 - ...loxBloxOne_ASimDhcpEvent_ASimSchemaTester.csv | 1 - ...fobloxBloxOne_vimDhcpEvent_ASimDataTester.csv | 1 - ...bloxBloxOne_vimDhcpEvent_ASimSchemaTester.csv | 1 - .../InfobloxBloxOne_ASimDns_ASimSchemaTester.csv | 1 - .../InfobloxBloxOne_vimDns_ASimSchemaTester.csv | 1 - .../Infoblox_BloxOne_AuditEvent_IngestedLogs.csv | 16 ++++++++-------- 13 files changed, 18 insertions(+), 24 deletions(-)
diff --git a/Parsers/ASimAuditEvent/Parsers/ASimAuditEventInfobloxBloxOne.yaml b/Parsers/ASimAuditEvent/Parsers/ASimAuditEventInfobloxBloxOne.yaml
index 2a69ab58be..a52152fb5b 100644
--- a/Parsers/ASimAuditEvent/Parsers/ASimAuditEventInfobloxBloxOne.yaml
+++ b/Parsers/ASimAuditEvent/Parsers/ASimAuditEventInfobloxBloxOne.yaml
@@ -69,7 +69,7 @@ ParserQuery:
 SrcIpAddr = SourceIP,
 EventOriginalSeverity = LogSeverity,
 EventMessage = Message,
- EventOriginalType = DeviceEventCategory,
+ EventOriginalType = DeviceEventClassID,
 EventUid = _ItemId
 | extend
 Dvc = DvcHostname,
@@ -84,6 +84,8 @@ ParserQuery:
 "Delete",
 "Other"
 ),
+ Object = iff(isempty(Object), "Infoblox Network Resource", Object),
+ ObjectType = iff(isempty(ObjectType), "Service", ObjectType),
 Src = SrcIpAddr,
 ActorUserType = _ASIM_GetUserType(ActorUsername, ""),
 AdditionalFields = bag_pack(
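Review bot: The new default `Object = iff(isempty(Object), "Infoblox Network Resource", Object)` labels every operation the OperationLookup table does not cover as a network resource, and `ObjectType` likewise becomes `Service`, so an analyst filtering on Object cannot tell a genuine network-resource change from an unmapped action. The sample audit row later in this patch carries `InfobloxResourceType=jointoken` inside AdditionalExtensions, which would be a truthful fallback; parsing that key (the vim variant already runs `parse-kv AdditionalExtensions`) and using it as the Object fallback, with `Other` as the ObjectType fallback, satisfies the schema tester without inventing a value. The same two lines are added to the vim parser in the next file of this patch, where the same point applies. The enclosing `extend` starts and ends outside the hunk.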
diff --git a/Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml b/Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml
index feee64b16d..553cfcb2ce 100644
--- a/Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml
+++ b/Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml
@@ -91,7 +91,6 @@ ParserQuery: |
 and (array_length(operation_has_any) == 0 or DeviceAction has_any (operation_has_any))
 and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))
 and (array_length(actorusername_has_any) == 0 or SourceUserName has_any (actorusername_has_any))
- and array_length(object_has_any) == 0
 and array_length(newvalue_has_any) == 0
 | parse-kv AdditionalExtensions as (InfobloxHTTPReqBody:string, InfobloxHTTPRespBody:string) with (pair_delimiter=";", kv_delimiter="=")
 | extend EventType = case(
@@ -102,8 +101,11 @@ ParserQuery: |
 DeviceAction has "delete",
 "Delete",
 "Other"
- )
+ ),
+ Object = iff(isempty(Object), "Infoblox Network Resource", Object),
+ ObjectType = iff(isempty(ObjectType), "Service", ObjectType)
 | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))
+ | where (array_length(object_has_any) == 0 or Object has_any (object_has_any))
 | lookup EventSeverityLookup on LogSeverity
 | lookup OperationLookup on DeviceAction
 | invoke _ASIM_ResolveDvcFQDN('CollectorHostName')
@@ -114,7 +116,7 @@ ParserQuery: |
 SrcIpAddr = SourceIP,
 EventOriginalSeverity = LogSeverity,
 EventMessage = Message,
- EventOriginalType = DeviceEventCategory,
+ EventOriginalType = DeviceEventClassID,
 EventUid = _ItemId
 | extend
 Dvc = DvcHostname,
diff --git a/Parsers/ASimAuditEvent/Tests/InfobloxBloxOne_ASimAuditEvent_ASimSchemaTester.csv b/Parsers/ASimAuditEvent/Tests/InfobloxBloxOne_ASimAuditEvent_ASimSchemaTester.csv
index 8e69a357e6..eeb4e204e6 100644
--- a/Parsers/ASimAuditEvent/Tests/InfobloxBloxOne_ASimAuditEvent_ASimSchemaTester.csv
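Review bot: In the `@@ -102,8 +101,11 @@` hunk the new `Object = iff(isempty(Object), …)` / `ObjectType = iff(isempty(ObjectType), …)` defaults and the new `| where (array_length(object_has_any) == 0 or Object has_any (object_has_any))` filter both run before `| lookup OperationLookup on DeviceAction`, which is the step that populates Object and ObjectType from the table. Unless those two columns already exist on the row at that point, the extend cannot reference them; and if they do exist, the lookup's columns would presumably arrive under a different name (`Object1`/`ObjectType1`), so neither the defaults nor the object_has_any filter ever see the looked-up values. Moving the two `lookup` lines above the `extend` and keeping the object_has_any `where` after them restores the intended order, which is also the order the ASim variant in this patch uses (its defaults follow its lookup). The parser body continues outside the hunk.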
+++ b/Parsers/ASimAuditEvent/Tests/InfobloxBloxOne_ASimAuditEvent_ASimSchemaTester.csv
@@ -3,10 +3,8 @@
 "(1) Warning: Missing recommended field [DvcAction]"
 "(1) Warning: Missing recommended field [DvcIpAddr]"
 "(1) Warning: Missing recommended field [EventResultDetails]"
-"(1) Warning: Missing recommended field [EventUid]"
 "(1) Warning: Missing recommended field [NewValue]"
 "(1) Warning: Missing recommended field [ObjectId]"
-"(1) Warning: Missing recommended field [Object]"
 "(1) Warning: Missing recommended field [TargetHostname]"
 "(1) Warning: Missing recommended field [TargetIpAddr]"
 "(2) Info: Missing optional alias [Application] aliasing non-existent column [TargetAppName]"
diff --git a/Parsers/ASimAuditEvent/Tests/InfobloxBloxOne_vimAuditEvent_ASimSchemaTester.csv b/Parsers/ASimAuditEvent/Tests/InfobloxBloxOne_vimAuditEvent_ASimSchemaTester.csv
index 8e69a357e6..eeb4e204e6 100644
--- a/Parsers/ASimAuditEvent/Tests/InfobloxBloxOne_vimAuditEvent_ASimSchemaTester.csv
+++ b/Parsers/ASimAuditEvent/Tests/InfobloxBloxOne_vimAuditEvent_ASimSchemaTester.csv
@@ -3,10 +3,8 @@
 "(1) Warning: Missing recommended field [DvcAction]"
 "(1) Warning: Missing recommended field [DvcIpAddr]"
 "(1) Warning: Missing recommended field [EventResultDetails]"
-"(1) Warning: Missing recommended field [EventUid]"
 "(1) Warning: Missing recommended field [NewValue]"
 "(1) Warning: Missing recommended field [ObjectId]"
-"(1) Warning: Missing recommended field [Object]"
 "(1) Warning: Missing recommended field [TargetHostname]"
 "(1) Warning: Missing recommended field [TargetIpAddr]"
 "(2) Info: Missing optional alias [Application] aliasing non-existent column [TargetAppName]"
diff --git a/Parsers/ASimDhcpEvent/Parsers/ASimDhcpEventInfobloxBloxOne.yaml b/Parsers/ASimDhcpEvent/Parsers/ASimDhcpEventInfobloxBloxOne.yaml
index d283a52e96..a583f3d160 100644
--- a/Parsers/ASimDhcpEvent/Parsers/ASimDhcpEventInfobloxBloxOne.yaml
+++ b/Parsers/ASimDhcpEvent/Parsers/ASimDhcpEventInfobloxBloxOne.yaml
@@ -53,7 +53,7 @@ ParserQuery:
 DhcpLeaseDuration = InfoBloxLifeTime,
 DhcpSrcDHCId = InfoBloxClientId,
 EventOriginalSeverity = LogSeverity,
- EventOriginalType = DeviceEventCategory,
+ EventOriginalType = DeviceEventClassID,
 EventUid = _ItemId
 | extend
 EventEndTime = TimeGenerated,
diff --git a/Parsers/ASimDhcpEvent/Parsers/vimDhcpEventInfobloxBloxOne.yaml b/Parsers/ASimDhcpEvent/Parsers/vimDhcpEventInfobloxBloxOne.yaml
index d56d4f9911..7cc0f66066 100644
--- a/Parsers/ASimDhcpEvent/Parsers/vimDhcpEventInfobloxBloxOne.yaml
+++ b/Parsers/ASimDhcpEvent/Parsers/vimDhcpEventInfobloxBloxOne.yaml
@@ -85,7 +85,7 @@ ParserQuery: |
 DhcpLeaseDuration = InfoBloxLifeTime,
 DhcpSrcDHCId = InfoBloxClientId,
 EventOriginalSeverity = LogSeverity,
- EventOriginalType = DeviceEventCategory,
+ EventOriginalType = DeviceEventClassID,
 EventUid = _ItemId
 | extend
 EventEndTime = TimeGenerated,
diff --git a/Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_ASimDhcpEvent_ASimDataTester.csv b/Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_ASimDhcpEvent_ASimDataTester.csv
index 0622706279..68c941fa0a 100644
--- a/Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_ASimDhcpEvent_ASimDataTester.csv
+++ b/Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_ASimDhcpEvent_ASimDataTester.csv
@@ -1,6 +1,5 @@
 Result
 "(0) Error: 10 invalid value(s) (up to 10 listed) in 94 records (9.4%) for field [SrcFQDN] of type [FQDN]: [""win-r7j2mdoio5c."",""win-gja1jutr15t."",""desktop-neagfkt."",""win-l1e9san4nkk."",""desktop-b8j7ka5."",""win-bmef6ak43fb."",""win-rghei85506n."",""win-9f21ldvoksh."",""win-aa8fe0tq3ri."",""desktop-rkkf54k.""] (Schema:DhcpEvent)"
-"(1) Warning: Empty value in 1000 records (100.0%) in mandatory field [EventCount] (Schema:DhcpEvent)"
 "(1) Warning: Empty value in 129 records (12.9%) in mandatory field [SrcHostname] (Schema:DhcpEvent)"
 "(2) Info: Empty value in 1000 records (100.0%) in optional field [DhcpLeaseDuration] (Schema:DhcpEvent)"
 "(2) Info: Empty value in 1000 records (100.0%) in optional field [DhcpSrcDHCId] (Schema:DhcpEvent)"
diff --git a/Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_ASimDhcpEvent_ASimSchemaTester.csv b/Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_ASimDhcpEvent_ASimSchemaTester.csv
index 24b1a589a9..cca0cdd24c 100644
--- a/Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_ASimDhcpEvent_ASimSchemaTester.csv
+++ b/Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_ASimDhcpEvent_ASimSchemaTester.csv
@@ -3,7 +3,6 @@
 "(1) Warning: Missing recommended field [DvcAction]"
 "(1) Warning: Missing recommended field [DvcIpAddr]"
 "(1) Warning: Missing recommended field [EventResultDetails]"
-"(1) Warning: Missing recommended field [EventUid]"
 "(1) Warning: Missing recommended field [Src]"
 "(2) Info: Missing optional alias [Hostname] aliasing non-existent column [DstHostname]"
 "(2) Info: Missing optional alias [Rule] aliasing non-existent column [RuleName]"
diff --git a/Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_vimDhcpEvent_ASimDataTester.csv b/Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_vimDhcpEvent_ASimDataTester.csv
index 0622706279..68c941fa0a 100644
--- a/Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_vimDhcpEvent_ASimDataTester.csv
+++ b/Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_vimDhcpEvent_ASimDataTester.csv
@@ -1,6 +1,5 @@
 Result
 "(0) Error: 10 invalid value(s) (up to 10 listed) in 94 records (9.4%) for field [SrcFQDN] of type [FQDN]: [""win-r7j2mdoio5c."",""win-gja1jutr15t."",""desktop-neagfkt."",""win-l1e9san4nkk."",""desktop-b8j7ka5."",""win-bmef6ak43fb."",""win-rghei85506n."",""win-9f21ldvoksh."",""win-aa8fe0tq3ri."",""desktop-rkkf54k.""] (Schema:DhcpEvent)"
-"(1) Warning: Empty value in 1000 records (100.0%) in mandatory field [EventCount] (Schema:DhcpEvent)"
 "(1) Warning: Empty value in 129 records (12.9%) in mandatory field [SrcHostname] (Schema:DhcpEvent)"
 "(2) Info: Empty value in 1000 records (100.0%) in optional field [DhcpLeaseDuration] (Schema:DhcpEvent)"
 "(2) Info: Empty value in 1000 records (100.0%) in optional field [DhcpSrcDHCId] (Schema:DhcpEvent)"
diff --git a/Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_vimDhcpEvent_ASimSchemaTester.csv b/Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_vimDhcpEvent_ASimSchemaTester.csv
index 24b1a589a9..cca0cdd24c 100644
--- a/Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_vimDhcpEvent_ASimSchemaTester.csv
+++ b/Parsers/ASimDhcpEvent/Tests/InfobloxBloxOne_vimDhcpEvent_ASimSchemaTester.csv
@@ -3,7 +3,6 @@
 "(1) Warning: Missing recommended field [DvcAction]"
 "(1) Warning: Missing recommended field [DvcIpAddr]"
 "(1) Warning: Missing recommended field [EventResultDetails]"
-"(1) Warning: Missing recommended field [EventUid]"
 "(1) Warning: Missing recommended field [Src]"
 "(2) Info: Missing optional alias [Hostname] aliasing non-existent column [DstHostname]"
 "(2) Info: Missing optional alias [Rule] aliasing non-existent column [RuleName]"
diff --git a/Parsers/ASimDns/Tests/InfobloxBloxOne_ASimDns_ASimSchemaTester.csv b/Parsers/ASimDns/Tests/InfobloxBloxOne_ASimDns_ASimSchemaTester.csv
index 8cf38d5776..993f9194c9 100644
--- a/Parsers/ASimDns/Tests/InfobloxBloxOne_ASimDns_ASimSchemaTester.csv
+++ b/Parsers/ASimDns/Tests/InfobloxBloxOne_ASimDns_ASimSchemaTester.csv
@@ -1,6 +1,5 @@
 Result
 "(1) Warning: Missing recommended field [Dst]"
-"(1) Warning: Missing recommended field [EventUid]"
 "(1) Warning: Missing recommended field [SrcDomain]"
 "(1) Warning: Missing recommended field [SrcHostname]"
 "(1) Warning: Missing recommended field [TransactionIdHex]"
diff --git a/Parsers/ASimDns/Tests/InfobloxBloxOne_vimDns_ASimSchemaTester.csv b/Parsers/ASimDns/Tests/InfobloxBloxOne_vimDns_ASimSchemaTester.csv
index 8cf38d5776..993f9194c9 100644
--- a/Parsers/ASimDns/Tests/InfobloxBloxOne_vimDns_ASimSchemaTester.csv
+++ b/Parsers/ASimDns/Tests/InfobloxBloxOne_vimDns_ASimSchemaTester.csv
@@ -1,6 +1,5 @@
 Result
 "(1) Warning: Missing recommended field [Dst]"
-"(1) Warning: Missing recommended field [EventUid]"
 "(1) Warning: Missing recommended field [SrcDomain]"
 "(1) Warning: Missing recommended field [SrcHostname]"
 "(1) Warning: Missing recommended field [TransactionIdHex]"
diff --git a/Sample Data/ASIM/Infoblox_BloxOne_AuditEvent_IngestedLogs.csv b/Sample Data/ASIM/Infoblox_BloxOne_AuditEvent_IngestedLogs.csv
index 27a552d487..0dbbe1629b 100644
--- a/Sample Data/ASIM/Infoblox_BloxOne_AuditEvent_IngestedLogs.csv
+++ b/Sample Data/ASIM/Infoblox_BloxOne_AuditEvent_IngestedLogs.csv
@@ -3,19 +3,19 @@ asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:14:45 PM",Infoblox,Data Connect asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:15:56 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""name"":""25-06""};InfobloxResourceId=32a6ffa2-330e-11ef-be77-223188134132;InfobloxResourceType=jointoken;InfobloxResourceDesc=;InfobloxHTTPRespBody={""join_token"":""***"",""result"":{""id"":""ngp-cp/join_tokens/32a6ffa2-330e-11ef-be77-223188134132"",""name"":""25-06"",""status"":""ACTIVE"",""token_id"":""***"",""use_counter"":0},""success"":{""message"":""Created""}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",create,hostactivation,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Join token is created,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.1,,,peter@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,create,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:19:28 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit 
Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""name"":""SplunkTest"",""description"":"""",""enabled"":true,""cdc_services"":[""z77m2xgrbsx22jokk44ueitoiianv7ny""],""source"":7704,""source_data_types"":[""ATLAS_NOTIFICATIONS"",""AUDIT_LOG"",""DDI_DHCP_LEASE_LOG"",""DDI_QUERY_RESP_LOG"",""SERVICE_LOG"",""TD_QUERY_RESP_LOG"",""TD_THREAT_FEEDS_HITS_LOG""],""destination"":8037,""filter_expression"":"""",""script_schedule"":"""",""tags"":{}};InfobloxResourceId=11257;InfobloxResourceType=flow_data_v2;InfobloxResourceDesc=;InfobloxHTTPRespBody={""results"":{""cdc_services"":[""z77m2xgrbsx22jokk44ueitoiianv7ny""],""created_at"":""2024-06-06T17:41:13Z"",""description"":"""",""destination"":8037,""enabled"":true,""etl_filters"":[],""filter_expression"":"""",""id"":11257,""name"":""SplunkTest"",""script_schedule"":"""",""source"":7704,""source_data_types"":[""ATLAS_NOTIFICATIONS"",""AUDIT_LOG"",""DDI_DHCP_LEASE_LOG"",""DDI_QUERY_RESP_LOG"",""SERVICE_LOG"",""TD_QUERY_RESP_LOG"",""TD_THREAT_FEEDS_HITS_LOG""],""tags"":{},""updated_at"":""2024-06-25T16:19:26Z""}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",Update,cdc.flow.api,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Updated,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.3,,,peter@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Update,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:22:40 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit 
Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""name"":""Test_Connector"",""service_type"":""cdc"",""desired_state"":""start"",""pool_id"":""4dex5wmrzw4fj7kyyjs7idpi7ttkuskn"",""tags"":{},""interface_labels"":[],""destinations"":[],""source_interfaces"":[]};InfobloxResourceId=k3f3v6sw45yaji3d6mprwful37qwlgad;InfobloxResourceType=services;InfobloxResourceDesc=;InfobloxHTTPRespBody={""result"":{""created_at"":""2024-06-25T16:22:39.435361613Z"",""desired_state"":""start"",""destinations"":[],""id"":""infra/service/k3f3v6sw45yaji3d6mprwful37qwlgad"",""name"":""Test_Connector"",""pool_id"":""infra/pool/4dex5wmrzw4fj7kyyjs7idpi7ttkuskn"",""service_type"":""cdc"",""source_interfaces"":[],""tags"":{},""updated_at"":""2024-06-25T16:22:39.435361613Z""}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",Create,hostapp,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Infra-service is created,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.4,,,peter@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Create,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:23:19 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""revoke_reason"":""hostapp disconnect""};InfobloxResourceId=93c4900d1df2ffda2b620edfb27f7e4f;InfobloxResourceType=cert;InfobloxResourceDesc=;InfobloxHTTPRespBody={};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin 
ib-interactive-user];InfobloxSubjectType=User",revoke,hostactivation,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Certificate is revoked using ophid,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.4,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,revoke,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:23:19 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""revoke_reason"":""hostapp disconnect""};InfobloxResourceId=93c4900d1df2ffda2b620edfb27f7e4f;InfobloxResourceType=cert;InfobloxResourceDesc=;InfobloxHTTPRespBody={};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",revoke,hostactivation,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Certificate is revoked using ophid,,,,,,,,,,,Failure,,,,,,,,,,,,,,,,,,,,1.1.1.4,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,revoke,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 4:23:19 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,InfobloxEventVersion=;InfobloxHTTPReqBody={};InfobloxResourceId=jbeuiwrzgrrgkytbg44dezbvhfqtinzthe2dqmtfgrstgmrymi3gknlegq4tmzbweaqcaiba;InfobloxResourceType=hosts;InfobloxResourceDesc=;InfobloxHTTPRespBody={};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user 
ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User,Disconnect,hostapp,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Infra-host is disconnected,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.2.1.6,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Disconnect,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 5:12:16 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""name"":""Test_Connector"",""service_type"":""cdc"",""desired_state"":""start"",""pool_id"":""4dex5wmrzw4fj7kyyjs7idpi7ttkuskn"",""tags"":{},""interface_labels"":[],""destinations"":[],""source_interfaces"":[]};InfobloxResourceId=k3f3v6sw45yaji3d6mprwful37qwlgad;InfobloxResourceType=services;InfobloxResourceDesc=;InfobloxHTTPRespBody={""result"":{""desired_state"":""start"",""destinations"":[],""id"":""infra/service/k3f3v6sw45yaji3d6mprwful37qwlgad"",""name"":""Test_Connector"",""pool_id"":""infra/pool/4dex5wmrzw4fj7kyyjs7idpi7ttkuskn"",""service_type"":""cdc"",""source_interfaces"":[],""tags"":{},""updated_at"":""2024-06-25T17:12:15.187559688Z""}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",Update,hostapp,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Infra-service is updated,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.7,,,matt.damon@security.com,,BloxOne Audit 
Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Update,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 asdfvasd-3a80-4066-adf8-1451432121,"6/24/2024, 1:26:18 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""error"":""invalid JSON""};InfobloxResourceId=;InfobloxResourceType=notificationsdelivery;InfobloxResourceDesc=;InfobloxHTTPRespBody={};InfobloxSubjectGroups=[act_admin ib-interactive-user];InfobloxSubjectType=User",Update,atlas.notifications.config,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.8,,,musan@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Update,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 asdfvasd-3a80-4066-adf8-1451432121,"6/24/2024, 1:26:18 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit 
Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""threshold"":[{""id"":null,""parent"":{""id"":""8c2e9889-2b27-4adc-b57d-5ed4d2ad7fdf""},""value"":90},{""id"":null,""parent"":{""id"":""7673d68a-0f3c-4493-b2df-3337ed02becc""},""value"":90},{""id"":null,""parent"":{""id"":""9d9b7f44-33aa-4122-a443-a3aad1c7c593""},""value"":90},{""id"":null,""parent"":{""id"":""66178adb-291c-4593-9211-303d085a2ccc""},""value"":90},{""id"":null,""parent"":{""id"":""b5381601-d8d3-41d9-9d5e-74e66117beab""},""value"":300},{""id"":null,""parent"":{""id"":""1b51bdb5-e1ae-4d93-b353-dbea782e8790""},""value"":0},{""id"":null,""parent"":{""id"":""344c955c-0d0e-4714-96d0-614af6ab77db""},""value"":0},{""id"":null,""parent"":{""id"":""385ac901-5cdd-4830-8edb-d3c2c1f65d01""},""value"":0},{""id"":null,""parent"":{""id"":""c49cce97-f791-47a6-8b10-409f246516a6""},""value"":0},{""id"":null,""parent"":{""id"":""ccdcf8e6-fce2-4960-add2-882e5253974b""},""value"":0},{""id"":null,""parent"":{""id"":""d9816b96-6689-4ec1-bd02-536a4aaa00ea""},""value"":0}]};InfobloxResourceId=;InfobloxResourceType=multithresholds;InfobloxResourceDesc=;InfobloxHTTPRespBody={""error"":""invalid JSON""};InfobloxSubjectGroups=[act_admin ib-interactive-user];InfobloxSubjectType=User",Upsert,atlas.notifications.thresholding,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.8,,,musan@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Upsert,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-1451432121,"6/24/2024, 1:26:18 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""error"":""invalid 
JSON""};InfobloxResourceId=;InfobloxResourceType=notificationsdelivery;InfobloxResourceDesc=;InfobloxHTTPRespBody={};InfobloxSubjectGroups=[act_admin ib-interactive-user];InfobloxSubjectType=User",Update,atlas.notifications.config,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.10,,,musan@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Update,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-1451432121,"6/24/2024, 1:26:18 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""threshold"":[{""id"":""b0137475-1aca-4175-9f0d-173e2d00ac38"",""parent"":{""id"":""8c2e9889-2b27-4adc-b57d-5ed4d2ad7fdf""},""value"":90},{""id"":""fd7debc4-a56d-4ff3-b6aa-bbc1e673a60b"",""parent"":{""id"":""7673d68a-0f3c-4493-b2df-3337ed02becc""},""value"":90},{""id"":""ec6cf1b0-2827-4279-9078-48e64442a153"",""parent"":{""id"":""9d9b7f44-33aa-4122-a443-a3aad1c7c593""},""value"":90},{""id"":""21810066-aa1d-4293-960b-a89ba5699133"",""parent"":{""id"":""66178adb-291c-4593-9211-303d085a2ccc""},""value"":90},{""id"":""75df352f-39b6-468c-ad4d-641f2dded95d"",""parent"":{""id"":""b5381601-d8d3-41d9-9d5e-74e66117beab""},""value"":300},{""id"":""8249a3f3-ab1e-4325-8e43-205421cadb4a"",""parent"":{""id"":""1b51bdb5-e1ae-4d93-b353-dbea782e8790""},""value"":0},{""id"":""aa8e3e7b-2bf5-4518-8e4a-4b62b86f0edc"",""parent"":{""id"":""344c955c-0d0e-4714-96d0-614af6ab77db""},""value"":0},{""id"":""b38499ce-6bce-4397-8106-0296da68e2c9"",""parent"":{""id"":""385ac901-5cdd-4830-8edb-d3c2c1f65d01""},""value"":0},{""id"":""66303055-37d0-4248-add7-bc5471bce7f5"",""parent"":{""id"":""c49cce97-f791-47a6-8b10-409f246516a6""},""value"":0},{""id"":""b34c26fb-4eb5-4656-8047-99e26669d01b"",""paren
t"":{""id"":""ccdcf8e6-fce2-4960-add2-882e5253974b""},""value"":0},{""id"":""e6384b62-984b-4e86-82d3-f0529cabb79e"",""parent"":{""id"":""d9816b96-6689-4ec1-bd02-536a4aaa00ea""},""value"":0}]};InfobloxResourceId=;InfobloxResourceType=multithresholds;InfobloxResourceDesc=;InfobloxHTTPRespBody={""error"":""invalid JSON""};InfobloxSubjectGroups=[act_admin ib-interactive-user];InfobloxSubjectType=User",Upsert,atlas.notifications.thresholding,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.11,,,musan@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Upsert,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/24/2024, 1:26:18 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""error"":""invalid JSON""};InfobloxResourceId=;InfobloxResourceType=notificationsdelivery;InfobloxResourceDesc=;InfobloxHTTPRespBody={};InfobloxSubjectGroups=[act_admin ib-interactive-user];InfobloxSubjectType=User",Update,atlas.notifications.config,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Failure,,,,,,,,,,,,,,,,,,,,1.1.1.10,,,musan@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Update,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/24/2024, 1:26:18 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit 
Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""threshold"":[{""id"":""b0137475-1aca-4175-9f0d-173e2d00ac38"",""parent"":{""id"":""8c2e9889-2b27-4adc-b57d-5ed4d2ad7fdf""},""value"":90},{""id"":""fd7debc4-a56d-4ff3-b6aa-bbc1e673a60b"",""parent"":{""id"":""7673d68a-0f3c-4493-b2df-3337ed02becc""},""value"":90},{""id"":""ec6cf1b0-2827-4279-9078-48e64442a153"",""parent"":{""id"":""9d9b7f44-33aa-4122-a443-a3aad1c7c593""},""value"":90},{""id"":""21810066-aa1d-4293-960b-a89ba5699133"",""parent"":{""id"":""66178adb-291c-4593-9211-303d085a2ccc""},""value"":90},{""id"":""75df352f-39b6-468c-ad4d-641f2dded95d"",""parent"":{""id"":""b5381601-d8d3-41d9-9d5e-74e66117beab""},""value"":300},{""id"":""8249a3f3-ab1e-4325-8e43-205421cadb4a"",""parent"":{""id"":""1b51bdb5-e1ae-4d93-b353-dbea782e8790""},""value"":0},{""id"":""aa8e3e7b-2bf5-4518-8e4a-4b62b86f0edc"",""parent"":{""id"":""344c955c-0d0e-4714-96d0-614af6ab77db""},""value"":0},{""id"":""b38499ce-6bce-4397-8106-0296da68e2c9"",""parent"":{""id"":""385ac901-5cdd-4830-8edb-d3c2c1f65d01""},""value"":0},{""id"":""66303055-37d0-4248-add7-bc5471bce7f5"",""parent"":{""id"":""c49cce97-f791-47a6-8b10-409f246516a6""},""value"":0},{""id"":""b34c26fb-4eb5-4656-8047-99e26669d01b"",""parent"":{""id"":""ccdcf8e6-fce2-4960-add2-882e5253974b""},""value"":0},{""id"":""e6384b62-984b-4e86-82d3-f0529cabb79e"",""parent"":{""id"":""d9816b96-6689-4ec1-bd02-536a4aaa00ea""},""value"":0}]};InfobloxResourceId=;InfobloxResourceType=multithresholds;InfobloxResourceDesc=;InfobloxHTTPRespBody={""error"":""invalid JSON""};InfobloxSubjectGroups=[act_admin ib-interactive-user];InfobloxSubjectType=User",Upsert,atlas.notifications.thresholding,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Failure,,,,,,,,,,,,,,,,,,,,1.1.1.11,,,musan@security.com,,BloxOne Audit 
Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Upsert,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 asdfvasd-3a80-4066-adf8-1451432121,"6/19/2024, 1:25:05 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""name"":""Sentinel-Config"",""description"":"""",""enabled"":true,""address"":""40.121.5.68"",""output_data_format"":""CEF"",""tags"":{},""port"":514,""transport_protocol"":""TCP"",""insecure_mode"":true};InfobloxResourceId=7418;InfobloxResourceType=destination_syslog;InfobloxResourceDesc=;InfobloxHTTPRespBody={""results"":{""address"":""40.121.5.68"",""ca_certificate"":""***"",""created_at"":""2024-04-11T07:58:41Z"",""description"":"""",""enabled"":true,""id"":7418,""insecure_mode"":true,""name"":""Sentinel-Config"",""output_data_format"":""CEF"",""port"":514,""tags"":{},""transport_protocol"":""TCP"",""updated_at"":""2024-06-19T13:06:48Z""}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",Update,cdc.flow.api,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Updated,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.11,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Update,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 asdfvasd-3a80-4066-adf8-1451432121,"6/19/2024, 1:25:06 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit 
Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""dhcp_options"":[],""inheritance_sources"":{""vendor_specific_option_option_space"":{""action"":""inherit""},""asm_config"":{""asm_enable_block"":{""action"":""inherit"",""value"":{""reenable_date"":""1970-01-01T00:00:00Z""}},""asm_growth_block"":{""action"":""inherit"",""value"":{}},""asm_threshold"":{""action"":""inherit""},""history"":{""action"":""inherit""},""min_unused"":{""action"":""inherit""}},""dhcp_config"":{""ignore_list"":{""action"":""inherit""},""allow_unknown"":{""action"":""inherit""},""allow_unknown_v6"":{""action"":""inherit""},""lease_time"":{""action"":""inherit""},""lease_time_v6"":{""action"":""inherit""},""ignore_client_uid"":{""action"":""inherit""},""abandoned_reclaim_time"":{""action"":""inherit""},""abandoned_reclaim_time_v6"":{""action"":""inherit""},""echo_client_id"":{""action"":""inherit""},""filters"":{""action"":""inherit""},""filters_v6"":{""action"":""inherit""}},""dhcp_options"":{""action"":""inherit"",""value"":[]},""dhcp_options_v6"":{""action"":""inherit"",""value"":[]},""ddns_update_block"":{""action"":""inherit"",""value"":{}},""ddns_hostname_block"":{""action"":""inherit"",""value"":{}},""ddns_update_on_renew"":{""action"":""inherit""},""ddns_conflict_resolution_mode"":{""action"":""inherit""},""ddns_client_update"":{""action"":""inherit""},""hostname_rewrite_block"":{""action"":""inherit"",""value"":{}},""ddns_ttl_percent"":{""action"":""inherit""},""header_option_server_address"":{""action"":""inherit""},""header_option_server_name"":{""action"":""inherit""},""header_option_filename"":{""action"":""inherit""}},""asm_config"":{""reenable_date"":""1970-01-01T00:00:00.000Z"",""forecast_period"":14,""history"":30},""dhcp_config"":{},""name"":""Ip space for 
Sensplunk"",""dhcp_options_v6"":[],""compartment_id"":null};InfobloxResourceId=1dbf0491-2e3d-11ef-a715-729fd14e7c69;InfobloxResourceType=ip_space;InfobloxResourceDesc=;InfobloxHTTPRespBody={""result"":{""asm_config"":{""asm_threshold"":90,""enable"":true,""enable_notification"":true,""forecast_period"":14,""growth_factor"":20,""growth_type"":""percent"",""history"":30,""min_total"":10,""min_unused"":10,""reenable_date"":""1970-01-01T00:00:00Z""},""asm_scope_flag"":0,""comment"":"""",""compartment_id"":"""",""created_at"":""2024-06-19T13:09:09.881962937Z"",""ddns_client_update"":""client"",""ddns_conflict_resolution_mode"":""check_with_dhcid"",""ddns_domain"":"""",""ddns_generate_name"":false,""ddns_generated_prefix"":""myhost"",""ddns_send_updates"":true,""ddns_ttl_percent"":0,""ddns_update_on_renew"":false,""ddns_use_conflict_resolution"":true,""default_realms"":[],""dhcp_config"":{""abandoned_reclaim_time"":3600,""abandoned_reclaim_time_v6"":3600,""allow_unknown"":true,""allow_unknown_v6"":true,""echo_client_id"":true,""filters"":[],""filters_large_selection"":[],""filters_v6"":[],""ignore_client_uid"":false,""ignore_list"":[],""lease_time"":3600,""lease_time_v6"":3600},""dhcp_options"":[],""dhcp_options_v6"":[],""header_option_filename"":"""",""header_option_server_address"":"""",""header_option_server_name"":"""",""hostname_rewrite_char"":""-"",""hostname_rewrite_enabled"":false,""hostname_rewrite_regex"":""[^a-zA-Z0-9.-]"",""id"":""ipam/ip_space/1dbf0491-2e3d-11ef-a715-729fd14e7c69"",""inheritance_sources"":null,""name"":""Ip space for 
Sensplunk"",""tags"":null,""threshold"":{""enabled"":false,""high"":0,""low"":0},""updated_at"":""2024-06-19T13:09:09.881962937Z"",""utilization"":{""abandon_utilization"":0,""abandoned"":""0"",""dynamic"":""0"",""free"":""0"",""static"":""0"",""total"":""0"",""used"":""0"",""utilization"":0},""utilization_v6"":{""abandoned"":""0"",""dynamic"":""0"",""static"":""0"",""total"":""0"",""used"":""0""},""vendor_specific_option_option_space"":null}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",Create,ddi,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"{""response"":{""result"":{""id"":""ipam/ip_space/1dbf0491-2e3d-11ef-a715-729fd14e7c69"",""name"":""Ip space for Sensplunk"",""utilization"":{},""threshold"":{},""dhcp_config"":{""allow_unknown"":true,""lease_time"":3600,""allow_unknown_v6"":true,""lease_time_v6"":3600,""abandoned_reclaim_time"":3600,""abandoned_reclaim_time_v6"":3600,""echo_client_id"":true},""asm_config"":{""enable"":true,""enable_notification"":true,""reenable_date"":{},""min_total"":10,""asm_threshold"":90,""forecast_period"":14,""growth_factor"":20,""growth_type"":""percent"",""history"":30,""min_unused"":10},""created_at"":{""seconds"":1718802549,""nanos"":881962937},""updated_at"":{""seconds"":1718802549,""nanos"":881962937},""ddns_send_updates"":true,""ddns_generated_prefix"":""myhost"",""ddns_use_conflict_resolution"":true,""ddns_client_update"":""client"",""hostname_rewrite_regex"":""[^a-zA-Z0-9.-]"",""hostname_rewrite_char"":""-"",""utilization_v6"":{""total"":""0"",""used"":""0"",""static"":""0"",""dynamic"":""0"",""abandoned"":""0""},""ddns_conflict_resolution_mode"":""check_with_dhcid""}}}",,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.2.1.11,,,matt.damon@security.com,,BloxOne Audit 
Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Create,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-1451432121,"6/19/2024, 1:25:06 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""name"":""Sentinel-Config"",""description"":"""",""enabled"":true,""address"":""48.217.233.16"",""output_data_format"":""CEF"",""tags"":{},""port"":514,""transport_protocol"":""TCP"",""insecure_mode"":true};InfobloxResourceId=7418;InfobloxResourceType=destination_syslog;InfobloxResourceDesc=;InfobloxHTTPRespBody={""results"":{""address"":""48.217.233.16"",""ca_certificate"":""***"",""created_at"":""2024-04-11T07:58:41Z"",""description"":"""",""enabled"":true,""id"":7418,""insecure_mode"":true,""name"":""Sentinel-Config"",""output_data_format"":""CEF"",""port"":514,""tags"":{},""transport_protocol"":""TCP"",""updated_at"":""2024-06-19T13:24:43Z""}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",Update,cdc.flow.api,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Updated,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.14,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Update,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-1451432121,"6/19/2024, 1:26:48 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit 
Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""dhcp_options"":[],""inheritance_sources"":{""vendor_specific_option_option_space"":{""action"":""inherit""},""asm_config"":{""asm_enable_block"":{""action"":""inherit"",""value"":{""reenable_date"":""1970-01-01T00:00:00Z""}},""asm_growth_block"":{""action"":""inherit"",""value"":{}},""asm_threshold"":{""action"":""inherit""},""history"":{""action"":""inherit""},""min_unused"":{""action"":""inherit""}},""dhcp_config"":{""ignore_list"":{""action"":""inherit""},""allow_unknown"":{""action"":""inherit""},""allow_unknown_v6"":{""action"":""inherit""},""lease_time"":{""action"":""inherit""},""lease_time_v6"":{""action"":""inherit""},""ignore_client_uid"":{""action"":""inherit""},""abandoned_reclaim_time"":{""action"":""inherit""},""abandoned_reclaim_time_v6"":{""action"":""inherit""},""echo_client_id"":{""action"":""inherit""},""filters"":{""action"":""inherit""},""filters_v6"":{""action"":""inherit""}},""dhcp_options"":{""action"":""inherit"",""value"":[]},""dhcp_options_v6"":{""action"":""inherit"",""value"":[]},""ddns_update_block"":{""action"":""inherit"",""value"":{}},""ddns_hostname_block"":{""action"":""inherit"",""value"":{}},""ddns_update_on_renew"":{""action"":""inherit""},""ddns_conflict_resolution_mode"":{""action"":""inherit""},""ddns_client_update"":{""action"":""inherit""},""hostname_rewrite_block"":{""action"":""inherit"",""value"":{}},""ddns_ttl_percent"":{""action"":""inherit""},""header_option_server_address"":{""action"":""inherit""},""header_option_server_name"":{""action"":""inherit""},""header_option_filename"":{""action"":""inherit""}},""asm_config"":{""reenable_date"":""1970-01-01T00:00:00.000Z"",""forecast_period"":14,""history"":30},""dhcp_config"":{},""name"":""Ip space for 
sensplunk2"",""dhcp_options_v6"":[],""compartment_id"":null};InfobloxResourceId=93e1b4f0-2e3f-11ef-8fc3-42d72888b014;InfobloxResourceType=ip_space;InfobloxResourceDesc=;InfobloxHTTPRespBody={""result"":{""asm_config"":{""asm_threshold"":90,""enable"":true,""enable_notification"":true,""forecast_period"":14,""growth_factor"":20,""growth_type"":""percent"",""history"":30,""min_total"":10,""min_unused"":10,""reenable_date"":""1970-01-01T00:00:00Z""},""asm_scope_flag"":0,""comment"":"""",""compartment_id"":"""",""created_at"":""2024-06-19T13:26:47.080311372Z"",""ddns_client_update"":""client"",""ddns_conflict_resolution_mode"":""check_with_dhcid"",""ddns_domain"":"""",""ddns_generate_name"":false,""ddns_generated_prefix"":""myhost"",""ddns_send_updates"":true,""ddns_ttl_percent"":0,""ddns_update_on_renew"":false,""ddns_use_conflict_resolution"":true,""default_realms"":[],""dhcp_config"":{""abandoned_reclaim_time"":3600,""abandoned_reclaim_time_v6"":3600,""allow_unknown"":true,""allow_unknown_v6"":true,""echo_client_id"":true,""filters"":[],""filters_large_selection"":[],""filters_v6"":[],""ignore_client_uid"":false,""ignore_list"":[],""lease_time"":3600,""lease_time_v6"":3600},""dhcp_options"":[],""dhcp_options_v6"":[],""header_option_filename"":"""",""header_option_server_address"":"""",""header_option_server_name"":"""",""hostname_rewrite_char"":""-"",""hostname_rewrite_enabled"":false,""hostname_rewrite_regex"":""[^a-zA-Z0-9.-]"",""id"":""ipam/ip_space/93e1b4f0-2e3f-11ef-8fc3-42d72888b014"",""inheritance_sources"":null,""name"":""Ip space for 
sensplunk2"",""tags"":null,""threshold"":{""enabled"":false,""high"":0,""low"":0},""updated_at"":""2024-06-19T13:26:47.080311372Z"",""utilization"":{""abandon_utilization"":0,""abandoned"":""0"",""dynamic"":""0"",""free"":""0"",""static"":""0"",""total"":""0"",""used"":""0"",""utilization"":0},""utilization_v6"":{""abandoned"":""0"",""dynamic"":""0"",""static"":""0"",""total"":""0"",""used"":""0""},""vendor_specific_option_option_space"":null}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",Create,ddi,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"{""response"":{""result"":{""id"":""ipam/ip_space/93e1b4f0-2e3f-11ef-8fc3-42d72888b014"",""name"":""Ip space for sensplunk2"",""utilization"":{},""threshold"":{},""dhcp_config"":{""allow_unknown"":true,""lease_time"":3600,""allow_unknown_v6"":true,""lease_time_v6"":3600,""abandoned_reclaim_time"":3600,""abandoned_reclaim_time_v6"":3600,""echo_client_id"":true},""asm_config"":{""enable"":true,""enable_notification"":true,""reenable_date"":{},""min_total"":10,""asm_threshold"":90,""forecast_period"":14,""growth_factor"":20,""growth_type"":""percent"",""history"":30,""min_unused"":10},""created_at"":{""seconds"":1718803607,""nanos"":80311372},""updated_at"":{""seconds"":1718803607,""nanos"":80311372},""ddns_send_updates"":true,""ddns_generated_prefix"":""myhost"",""ddns_use_conflict_resolution"":true,""ddns_client_update"":""client"",""hostname_rewrite_regex"":""[^a-zA-Z0-9.-]"",""hostname_rewrite_char"":""-"",""utilization_v6"":{""total"":""0"",""used"":""0"",""static"":""0"",""dynamic"":""0"",""abandoned"":""0""},""ddns_conflict_resolution_mode"":""check_with_dhcid""}}}",,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.15,,,matt.damon@security.com,,BloxOne Audit 
Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Create,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 2:16:10 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""name"":""25/06""};InfobloxResourceId=d04b58f6-32fa-11ef-9bda-a26b6676565d;InfobloxResourceType=jointoken;InfobloxResourceDesc=;InfobloxHTTPRespBody={""join_token"":""***"",""result"":{""id"":""ngp-cp/join_tokens/d04b58f6-32fa-11ef-9bda-a26b6676565d"",""name"":""25/06"",""status"":""ACTIVE"",""token_id"":""***"",""use_counter"":0},""success"":{""message"":""Created""}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",create,hostactivation,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Join token is created,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,2.2.1.17,,,example.infoblox@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,create,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-1451432121,"6/21/2024, 9:31:00 AM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,InfobloxEventVersion=;InfobloxHTTPReqBody=;InfobloxResourceId=;InfobloxResourceType=Roaming Device;InfobloxResourceDesc=;InfobloxHTTPRespBody=;InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin 
ib-interactive-user];InfobloxSubjectType=User,UpdateRoamingDevice,atcapi,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ce5277bb842648ac8611753db8016aaf updated,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,2.2.1.17,,,example.infoblox@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,UpdateRoamingDevice,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 -asdfvasd-3a80-4066-adf8-1451432121,"6/21/2024, 9:31:00 AM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,InfobloxEventVersion=;InfobloxHTTPReqBody=;InfobloxResourceId=;InfobloxResourceType=Roaming Device;InfobloxResourceDesc=;InfobloxHTTPRespBody=;InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User,UpdateRoamingDevice,atcapi,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,updated,,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.18,,,example.infoblox@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,UpdateRoamingDevice,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/19/2024, 1:25:06 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit 
Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""name"":""Sentinel-Config"",""description"":"""",""enabled"":true,""address"":""48.217.233.16"",""output_data_format"":""CEF"",""tags"":{},""port"":514,""transport_protocol"":""TCP"",""insecure_mode"":true};InfobloxResourceId=7418;InfobloxResourceType=destination_syslog;InfobloxResourceDesc=;InfobloxHTTPRespBody={""results"":{""address"":""48.217.233.16"",""ca_certificate"":""***"",""created_at"":""2024-04-11T07:58:41Z"",""description"":"""",""enabled"":true,""id"":7418,""insecure_mode"":true,""name"":""Sentinel-Config"",""output_data_format"":""CEF"",""port"":514,""tags"":{},""transport_protocol"":""TCP"",""updated_at"":""2024-06-19T13:24:43Z""}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",Update,cdc.flow.api,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Updated,,,,,,,,,,,Partial,,,,,,,,,,,,,,,,,,,,1.1.1.14,,,matt.damon@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Update,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/19/2024, 1:26:48 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit 
Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""dhcp_options"":[],""inheritance_sources"":{""vendor_specific_option_option_space"":{""action"":""inherit""},""asm_config"":{""asm_enable_block"":{""action"":""inherit"",""value"":{""reenable_date"":""1970-01-01T00:00:00Z""}},""asm_growth_block"":{""action"":""inherit"",""value"":{}},""asm_threshold"":{""action"":""inherit""},""history"":{""action"":""inherit""},""min_unused"":{""action"":""inherit""}},""dhcp_config"":{""ignore_list"":{""action"":""inherit""},""allow_unknown"":{""action"":""inherit""},""allow_unknown_v6"":{""action"":""inherit""},""lease_time"":{""action"":""inherit""},""lease_time_v6"":{""action"":""inherit""},""ignore_client_uid"":{""action"":""inherit""},""abandoned_reclaim_time"":{""action"":""inherit""},""abandoned_reclaim_time_v6"":{""action"":""inherit""},""echo_client_id"":{""action"":""inherit""},""filters"":{""action"":""inherit""},""filters_v6"":{""action"":""inherit""}},""dhcp_options"":{""action"":""inherit"",""value"":[]},""dhcp_options_v6"":{""action"":""inherit"",""value"":[]},""ddns_update_block"":{""action"":""inherit"",""value"":{}},""ddns_hostname_block"":{""action"":""inherit"",""value"":{}},""ddns_update_on_renew"":{""action"":""inherit""},""ddns_conflict_resolution_mode"":{""action"":""inherit""},""ddns_client_update"":{""action"":""inherit""},""hostname_rewrite_block"":{""action"":""inherit"",""value"":{}},""ddns_ttl_percent"":{""action"":""inherit""},""header_option_server_address"":{""action"":""inherit""},""header_option_server_name"":{""action"":""inherit""},""header_option_filename"":{""action"":""inherit""}},""asm_config"":{""reenable_date"":""1970-01-01T00:00:00.000Z"",""forecast_period"":14,""history"":30},""dhcp_config"":{},""name"":""Ip space for 
sensplunk2"",""dhcp_options_v6"":[],""compartment_id"":null};InfobloxResourceId=93e1b4f0-2e3f-11ef-8fc3-42d72888b014;InfobloxResourceType=ip_space;InfobloxResourceDesc=;InfobloxHTTPRespBody={""result"":{""asm_config"":{""asm_threshold"":90,""enable"":true,""enable_notification"":true,""forecast_period"":14,""growth_factor"":20,""growth_type"":""percent"",""history"":30,""min_total"":10,""min_unused"":10,""reenable_date"":""1970-01-01T00:00:00Z""},""asm_scope_flag"":0,""comment"":"""",""compartment_id"":"""",""created_at"":""2024-06-19T13:26:47.080311372Z"",""ddns_client_update"":""client"",""ddns_conflict_resolution_mode"":""check_with_dhcid"",""ddns_domain"":"""",""ddns_generate_name"":false,""ddns_generated_prefix"":""myhost"",""ddns_send_updates"":true,""ddns_ttl_percent"":0,""ddns_update_on_renew"":false,""ddns_use_conflict_resolution"":true,""default_realms"":[],""dhcp_config"":{""abandoned_reclaim_time"":3600,""abandoned_reclaim_time_v6"":3600,""allow_unknown"":true,""allow_unknown_v6"":true,""echo_client_id"":true,""filters"":[],""filters_large_selection"":[],""filters_v6"":[],""ignore_client_uid"":false,""ignore_list"":[],""lease_time"":3600,""lease_time_v6"":3600},""dhcp_options"":[],""dhcp_options_v6"":[],""header_option_filename"":"""",""header_option_server_address"":"""",""header_option_server_name"":"""",""hostname_rewrite_char"":""-"",""hostname_rewrite_enabled"":false,""hostname_rewrite_regex"":""[^a-zA-Z0-9.-]"",""id"":""ipam/ip_space/93e1b4f0-2e3f-11ef-8fc3-42d72888b014"",""inheritance_sources"":null,""name"":""Ip space for 
sensplunk2"",""tags"":null,""threshold"":{""enabled"":false,""high"":0,""low"":0},""updated_at"":""2024-06-19T13:26:47.080311372Z"",""utilization"":{""abandon_utilization"":0,""abandoned"":""0"",""dynamic"":""0"",""free"":""0"",""static"":""0"",""total"":""0"",""used"":""0"",""utilization"":0},""utilization_v6"":{""abandoned"":""0"",""dynamic"":""0"",""static"":""0"",""total"":""0"",""used"":""0""},""vendor_specific_option_option_space"":null}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",Create,ddi,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"{""response"":{""result"":{""id"":""ipam/ip_space/93e1b4f0-2e3f-11ef-8fc3-42d72888b014"",""name"":""Ip space for sensplunk2"",""utilization"":{},""threshold"":{},""dhcp_config"":{""allow_unknown"":true,""lease_time"":3600,""allow_unknown_v6"":true,""lease_time_v6"":3600,""abandoned_reclaim_time"":3600,""abandoned_reclaim_time_v6"":3600,""echo_client_id"":true},""asm_config"":{""enable"":true,""enable_notification"":true,""reenable_date"":{},""min_total"":10,""asm_threshold"":90,""forecast_period"":14,""growth_factor"":20,""growth_type"":""percent"",""history"":30,""min_unused"":10},""created_at"":{""seconds"":1718803607,""nanos"":80311372},""updated_at"":{""seconds"":1718803607,""nanos"":80311372},""ddns_send_updates"":true,""ddns_generated_prefix"":""myhost"",""ddns_use_conflict_resolution"":true,""ddns_client_update"":""client"",""hostname_rewrite_regex"":""[^a-zA-Z0-9.-]"",""hostname_rewrite_char"":""-"",""utilization_v6"":{""total"":""0"",""used"":""0"",""static"":""0"",""dynamic"":""0"",""abandoned"":""0""},""ddns_conflict_resolution_mode"":""check_with_dhcid""}}}",,,,,,,,,,,Partial,,,,,,,,,,,,,,,,,,,,1.1.1.15,,,matt.damon@security.com,,BloxOne Audit 
Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,Create,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/25/2024, 2:16:10 PM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,"InfobloxEventVersion=;InfobloxHTTPReqBody={""name"":""25/06""};InfobloxResourceId=d04b58f6-32fa-11ef-9bda-a26b6676565d;InfobloxResourceType=jointoken;InfobloxResourceDesc=;InfobloxHTTPRespBody={""join_token"":""***"",""result"":{""id"":""ngp-cp/join_tokens/d04b58f6-32fa-11ef-9bda-a26b6676565d"",""name"":""25/06"",""status"":""ACTIVE"",""token_id"":""***"",""use_counter"":0},""success"":{""message"":""Created""}};InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User",create,hostactivation,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Join token is created,,,,,,,,,,,Partial,,,,,,,,,,,,,,,,,,,,2.2.1.17,,,example.infoblox@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,create,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/21/2024, 9:31:00 AM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,InfobloxEventVersion=;InfobloxHTTPReqBody=;InfobloxResourceId=;InfobloxResourceType=Roaming Device;InfobloxResourceDesc=;InfobloxHTTPRespBody=;InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin 
ib-interactive-user];InfobloxSubjectType=User,UpdateRoamingDevice,atcapi,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ce5277bb842648ac8611753db8016aaf updated,,,,,,,,,,,NA,,,,,,,,,,,,,,,,,,,,2.2.1.17,,,example.infoblox@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,UpdateRoamingDevice,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 +asdfvasd-3a80-4066-adf8-1451432121,"6/21/2024, 9:31:00 AM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,InfobloxEventVersion=;InfobloxHTTPReqBody=;InfobloxResourceId=;InfobloxResourceType=Roaming Device;InfobloxResourceDesc=;InfobloxHTTPRespBody=;InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User,UpdateRoamingDevice,atcapi,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,updated,,,,,,,,,,,NA,,,,,,,,,,,,,,,,,,,,1.1.1.18,,,example.infoblox@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,UpdateRoamingDevice,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 asdfvasd-3a80-4066-adf8-1451432121,"6/21/2024, 9:31:00 AM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,InfobloxEventVersion=;InfobloxHTTPReqBody=;InfobloxResourceId=208211;InfobloxResourceType=Security Policy;InfobloxResourceDesc=;InfobloxHTTPRespBody=;InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin 
ib-interactive-user];InfobloxSubjectType=User,UpdateSecurityPolicy,atcapi,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Updated Threat_Policy, Details: Security PolicyName: Threat_Policy, AccountID: 2007292, Default: false, Description: , UpdatedAt: 2024-06-20 14:27:05.825786 +0000 +0000, NetworkLists: [], Rules fields:{key:""action"" value:{string_value:""action_block""}} fields:{key:""data"" value:{string_value:""antimalware""}} fields:{key:""description"" value:{string_value:""Suspicious/malicious as destinations: Enables protection against known malicious hostname threats that can take action on or control of your systems, such as Malware Command & Control, Malware Download, and active Phishing sites.""}} fields:{key:""type"" value:{string_value:""named_feed""}} fields:{key:""action"" value:{string_value:""action_block""}} fields:{key:""data"" value:{string_value:""ransomware""}} fields:{key:""description"" value:{string_value:""Suspicious/malicious as destinations: Enables protection against ransomware taking over your system. Ransomware will encrypt files on your system and require you to pay in order to get them decrypted. 
This feed prevents ransomware to contact the servers which it needs to encrypt your files.""}} fields:{key:""type"" value:{string_value:""named_feed""}} fields:{key:""action"" value:{string_value:""action_block""}} fields:{key:""data"" value:{string_value:""suspicious""}} fields:{key:""description"" value:{string_value:""Suspicious destinations: Enables protection against hostnames that have not been directly linked to malicious behavior but behave in a manner that suggests malicious behavior may be imminent.""}} fields:{key:""type"" value:{string_value:""named_feed""}} fields:{key:""action"" value:{string_value:""action_block""}} fields:{key:""data"" value:{string_value:""suspicious-lookalikes""}} fields:{key:""description"" value:{string_value:""These are domains that appear to impersonate other trusted domains, but have demonstrated enough abnormal behavior to warrant concern.""}} fields:{key:""type"" value:{string_value:""named_feed""}} fields:{key:""action"" value:{string_value:""action_log""}} fields:{key:""data"" value:{string_value:""Threat Insight - Data Exfiltration""}} fields:{key:""description"" value:{string_value:""Auto-generated""}} fields:{key:""type"" value:{string_value:""custom_list""}} fields:{key:""action"" value:{string_value:""action_log""}} fields:{key:""data"" value:{string_value:""Threat Insight - DNS Messenger""}} fields:{key:""description"" value:{string_value:""Auto-generated""}} fields:{key:""type"" value:{string_value:""custom_list""}} fields:{key:""action"" value:{string_value:""action_log""}} fields:{key:""data"" value:{string_value:""Threat Insight - Notional Data Exfiltration""}} fields:{key:""description"" value:{string_value:""Auto-generated""}} fields:{key:""type"" value:{string_value:""custom_list""}} fields:{key:""action"" value:{string_value:""action_log""}} fields:{key:""data"" value:{string_value:""Threat Insight - Zero Day DNS""}} fields:{key:""description"" value:{string_value:""Auto-generated""}} fields:{key:""type"" 
value:{string_value:""custom_list""}} fields:{key:""action"" value:{string_value:""action_log""}} fields:{key:""data"" value:{string_value:""Threat Insight - Fast Flux""}} fields:{key:""description"" value:{string_value:""Auto-generated""}} fields:{key:""type"" value:{string_value:""custom_list""}} fields:{key:""action"" value:{string_value:""action_log""}} fields:{key:""data"" value:{string_value:""Threat Insight - DGA""}} fields:{key:""description"" value:{string_value:""Auto-generated""}} fields:{key:""type"" value:{string_value:""custom_list""}}, RoamingDeviceGroups: [954966], DFPs: [], DfpNames: [], DefaultAction: ALLOW, DefaultRedirectName: , ECS: false, UserGroups: [], Priority: 2, OnpremResolve: false, SafeSearch: false, DfpServices: [], ScopeExpr: , Tags: value:""{}"", ScopeTags: [], NetAddressDfps: [], BlockDnsRebindAttack: false",,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,2.2.1.19,,,example.infoblox@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,UpdateSecurityPolicy,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 asdfvasd-3a80-4066-adf8-1451432121,"6/21/2024, 9:31:01 AM",Infoblox,Data Connector,2.1.3,BloxOne-Audit-Log,BloxOne Audit Log,1,,InfobloxEventVersion=;InfobloxHTTPReqBody=;InfobloxResourceId=0;InfobloxResourceType=Roaming Device Group;InfobloxResourceDesc=;InfobloxHTTPRespBody=;InfobloxSubjectGroups=[user act_admin ib-soc-insight-admin ib-td-admin ib-bloxone-nios-user ib-trusted-partner ib-soc-insight-user ib-ddi-user ib-td-user ib-ddi-admin ib-access-control-admin ib-interactive-user];InfobloxSubjectType=User,UpdatePartialRoamingDeviceGroup,atcapi,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Updated Threat_Management, Details: Name: Threat_Management, Description: , Id: 954966, AccountID: 2007292, PolicyId: 208211, CreatedAt: 2024-05-01 
14:02:40.069104 +0000 +0000, UpdatedAt: 2024-06-20 13:40:43.784547 +0000 +0000, ProbeResponse: 7UXCI9JRNUJ3VSZQ4W1XZ80T4JGM3B3X, ProbeDomain: probe.infoblox.com, ProbeEnabled: true, InternalDomainLists: [792596], RoamingDeviceCount: 0, MaxInactiveDays: 100, AdministrativeStatus: ENABLED, UpgradeWindowEnabled: false, UpgradeWindowTimeofdayStartMins: 0, UpgradeWindowDurationMins: 0, UpgradeWindowWeekdays: 7, UpgradeDeferralIntervalStart: 2024-05-24 15:46:23.368257 +0000 UTC, UpgradeDeferralIntervalEnd: 2024-05-24 15:46:23.368257 +0000 UTC, AuthnProfileId: , AuthnServerPort: 9094, SessionTTL: 28800, LogLevel: INFO, Tags: , PoPRegionID: 0",,,,,,,,,,,Success,,,,,,,,,,,,,,,,,,,,1.1.1.20,,,example.infoblox@security.com,,BloxOne Audit Log,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ZTP_MSSentinel1604ForOva_92033666899467253,OpsManager,UpdatePartialRoamingDeviceGroup,CEFDataConnector1406,CommonSecurityLog,/subscriptions/sub_id/resourcegroups/resourcegrpname_1/providers/microsoft.compute/virtualmachines/cefdataconnector1406 \ No newline at end of file From f296444f386e0e9b45553600bf46f39616bee135 Mon Sep 17 00:00:00 2001 From: "nipun.brahmbhatt@crestdatasys.com" Date: Mon, 16 Sep 2024 10:57:34 +0530 Subject: [PATCH 07/11] Changes in vimAuditEvent parser for kqlValidation --- .../Parsers/vimAuditEventInfobloxBloxOne.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml b/Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml index 553cfcb2ce..d52e455698 100644 --- a/Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml +++ b/Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml 
@@ -101,13 +101,13 @@ ParserQuery: | DeviceAction has "delete", "Delete", "Other" - ), - Object = iff(isempty(Object), "Infoblox Network Resource", Object), - ObjectType = iff(isempty(ObjectType), "Service", ObjectType) + ) | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in)) | where (array_length(object_has_any) == 0 or Object has_any (object_has_any)) | lookup EventSeverityLookup on LogSeverity | lookup OperationLookup on DeviceAction + | extend Object = iff(isempty(Object), "Infoblox Network Resource", Object), + ObjectType = iff(isempty(ObjectType), "Service", ObjectType) | invoke _ASIM_ResolveDvcFQDN('CollectorHostName') | project-rename EventResult = EventOutcome, From 2eef1a67b4d58bd4876b41ff672e22c6ef9b8e8d Mon Sep 17 00:00:00 2001 From: "nipun.brahmbhatt@crestdatasys.com" Date: Mon, 16 Sep 2024 11:15:28 +0530 Subject: [PATCH 08/11] Added kqlvalidation changes --- .../ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml b/Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml index d52e455698..859caf618c 100644 --- a/Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml +++ b/Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml @@ -103,11 +103,11 @@ ParserQuery: | "Other" ) | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in)) - | where (array_length(object_has_any) == 0 or Object has_any (object_has_any)) | lookup EventSeverityLookup on LogSeverity | lookup OperationLookup on DeviceAction | extend Object = iff(isempty(Object), "Infoblox Network Resource", Object), ObjectType = iff(isempty(ObjectType), "Service", ObjectType) + | where (array_length(object_has_any) == 0 or Object has_any (object_has_any)) | invoke _ASIM_ResolveDvcFQDN('CollectorHostName') | project-rename EventResult = EventOutcome, 
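Review bot: The `object_has_any` filter is now evaluated after the `extend` that replaces an empty Object with the parser-invented placeholder "Infoblox Network Resource", so a caller filtering on that placeholder now matches, but the trade-off is that both `lookup` operators run over every row the `eventtype_in` filter lets through instead of a pre-filtered set, and nothing in the hunk records why the `where` has to sit below the `extend`. Add a comment above the moved line so a later tidy-up does not hoist it back: `// object_has_any is applied after Object is defaulted; hoisting it above the extend makes a filter on the placeholder match nothing`. It is also worth stating in the parser documentation that "Infoblox Network Resource" and "Service" are synthetic defaults, not values emitted by BloxOne, since analysts will see them in AuditEvent results. The `parser` function starts and ends outside the hunk.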
From e257e1454fbf0998587eb8b4f2766728080b42a9 Mon Sep 17 00:00:00 2001
From: "nipun.brahmbhatt@crestdatasys.com"
Date: Mon, 16 Sep 2024 14:09:56 +0530
Subject: [PATCH 09/11] Mapped DnsFlag with Infoblox data
---
 Parsers/ASimDns/Parsers/ASimDnsInfobloxBloxOne.yaml | 5 +++--
 Parsers/ASimDns/Parsers/vimDnsInfobloxBloxOne.yaml | 5 +++--
 .../Tests/InfobloxBloxOne_ASimDns_ASimSchemaTester.csv | 1 -
 .../Tests/InfobloxBloxOne_vimDns_ASimSchemaTester.csv | 1 -
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/Parsers/ASimDns/Parsers/ASimDnsInfobloxBloxOne.yaml b/Parsers/ASimDns/Parsers/ASimDnsInfobloxBloxOne.yaml
index e04118908d..952d3fc287 100644
--- a/Parsers/ASimDns/Parsers/ASimDnsInfobloxBloxOne.yaml
+++ b/Parsers/ASimDns/Parsers/ASimDnsInfobloxBloxOne.yaml
@@ -149,10 +149,11 @@ ParserQuery:
 let parser = (disabled:bool=false) {
 CommonSecurityLog
 | where not(disabled) and DeviceVendor == "Infoblox" and DeviceEventClassID has "DNS"
- | parse-kv AdditionalExtensions as (InfobloxDNSRCode:string, InfobloxDNSQType:string) with (pair_delimiter=";", kv_delimiter="=")
+ | parse-kv AdditionalExtensions as (InfobloxDNSRCode:string, InfobloxDNSQType:string, InfobloxDNSQFlags:string) with (pair_delimiter=";", kv_delimiter="=")
 | project-rename
 EventResultDetails = InfobloxDNSRCode,
- DnsQueryTypeName = InfobloxDNSQType
+ DnsQueryTypeName = InfobloxDNSQType,
+ DnsFlags = InfobloxDNSQFlags
 | extend DnsQueryTypeName = tostring(split(DnsQueryTypeName, ' ')[0])
 | lookup EventSeverityLookup on LogSeverity
 | lookup DnsQueryTypeLookup on DnsQueryTypeName
diff --git a/Parsers/ASimDns/Parsers/vimDnsInfobloxBloxOne.yaml b/Parsers/ASimDns/Parsers/vimDnsInfobloxBloxOne.yaml
index 9c5e6eb6f0..24cd78ff7a 100644
--- a/Parsers/ASimDns/Parsers/vimDnsInfobloxBloxOne.yaml
+++ b/Parsers/ASimDns/Parsers/vimDnsInfobloxBloxOne.yaml
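Review bot: `InfobloxDNSQFlags` is renamed to DnsFlags with no normalisation, and the per-flag booleans that the schema tester in this same commit still reports as missing (DnsFlagsRecursionDesired, DnsFlagsTruncated, DnsFlagsZ) are not derived from it, so consumers still cannot filter on recursion-desired or truncated queries even though the raw flags are now in the row. If the BloxOne flags string uses the conventional letter codes, deriving them is one line per flag, for example `DnsFlagsRecursionDesired = DnsFlags has "RD"`, but I could not confirm the format from the visible data, so at minimum document the raw format next to the rename, e.g. `// DnsFlags carries the vendor flag string verbatim (InfobloxDNSQFlags); per-flag booleans are not populated`. The schema-tester change only proves the column exists; a DataTester row with a non-empty InfobloxDNSQFlags value would pin the mapping. The `parser` function continues past the end of the hunk.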
@@ -196,11 +196,12 @@ ParserQuery: | | extend DnsQuery = iff(substring(DnsQuery, strlen(DnsQuery) - 1, 1) == ".", substring(DnsQuery, 0, strlen(DnsQuery) - 1), DnsQuery) | where array_length(domain_has_any) == 0 or DnsQuery has_any (domain_has_any) - | parse-kv AdditionalExtensions as (InfobloxDNSRCode:string, InfobloxDNSQType:string) with (pair_delimiter=";", kv_delimiter="=") + | parse-kv AdditionalExtensions as (InfobloxDNSRCode:string, InfobloxDNSQType:string, InfobloxDNSQFlags:string) with (pair_delimiter=";", kv_delimiter="=") | where responsecodename == '*' or (InfobloxDNSRCode =~ responsecodename) | project-rename EventResultDetails = InfobloxDNSRCode, - DnsQueryTypeName = InfobloxDNSQType + DnsQueryTypeName = InfobloxDNSQType, + DnsFlags = InfobloxDNSQFlags | extend DnsQueryTypeName = tostring(split(DnsQueryTypeName, ' ')[0]) | lookup EventSeverityLookup on LogSeverity | lookup DnsQueryTypeLookup on DnsQueryTypeName diff --git a/Parsers/ASimDns/Tests/InfobloxBloxOne_ASimDns_ASimSchemaTester.csv b/Parsers/ASimDns/Tests/InfobloxBloxOne_ASimDns_ASimSchemaTester.csv index 993f9194c9..45ad906d88 100644 --- a/Parsers/ASimDns/Tests/InfobloxBloxOne_ASimDns_ASimSchemaTester.csv +++ b/Parsers/ASimDns/Tests/InfobloxBloxOne_ASimDns_ASimSchemaTester.csv @@ -15,7 +15,6 @@ "(2) Info: Missing optional field [DnsFlagsRecursionDesired]" "(2) Info: Missing optional field [DnsFlagsTruncated]" "(2) Info: Missing optional field [DnsFlagsZ]" -"(2) Info: Missing optional field [DnsFlags]" "(2) Info: Missing optional field [DnsNetworkDuration]" "(2) Info: Missing optional field [DnsResponseIpCity]" "(2) Info: Missing optional field [DnsResponseIpCountry]" diff --git a/Parsers/ASimDns/Tests/InfobloxBloxOne_vimDns_ASimSchemaTester.csv b/Parsers/ASimDns/Tests/InfobloxBloxOne_vimDns_ASimSchemaTester.csv index 993f9194c9..45ad906d88 100644 --- a/Parsers/ASimDns/Tests/InfobloxBloxOne_vimDns_ASimSchemaTester.csv +++ b/Parsers/ASimDns/Tests/InfobloxBloxOne_vimDns_ASimSchemaTester.csv 
@@ -15,7 +15,6 @@
 "(2) Info: Missing optional field [DnsFlagsRecursionDesired]"
 "(2) Info: Missing optional field [DnsFlagsTruncated]"
 "(2) Info: Missing optional field [DnsFlagsZ]"
-"(2) Info: Missing optional field [DnsFlags]"
 "(2) Info: Missing optional field [DnsNetworkDuration]"
 "(2) Info: Missing optional field [DnsResponseIpCity]"
 "(2) Info: Missing optional field [DnsResponseIpCountry]"
From 5794407bff1423c9527ad7516a7bf171dbc2968c Mon Sep 17 00:00:00 2001
From: "nipun.brahmbhatt@crestdatasys.com"
Date: Mon, 16 Sep 2024 15:07:14 +0530
Subject: [PATCH 10/11] Changed mapping of EventOriginalType for dns parsers
---
 Parsers/ASimDns/Parsers/ASimDnsInfobloxBloxOne.yaml | 2 +-
 Parsers/ASimDns/Parsers/vimDnsInfobloxBloxOne.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Parsers/ASimDns/Parsers/ASimDnsInfobloxBloxOne.yaml b/Parsers/ASimDns/Parsers/ASimDnsInfobloxBloxOne.yaml
index 952d3fc287..2ccb76c382 100644
--- a/Parsers/ASimDns/Parsers/ASimDnsInfobloxBloxOne.yaml
+++ b/Parsers/ASimDns/Parsers/ASimDnsInfobloxBloxOne.yaml
@@ -165,7 +165,7 @@ ParserQuery:
 SrcIpAddr = SourceIP,
 EventMessage = Message,
 EventOriginalSeverity = LogSeverity,
- EventOriginalType = Activity,
+ EventOriginalType = DeviceEventClassID,
 SrcUsername = SourceUserName,
 SrcPortNumber = SourcePort,
 EventUid = _ItemId
diff --git a/Parsers/ASimDns/Parsers/vimDnsInfobloxBloxOne.yaml b/Parsers/ASimDns/Parsers/vimDnsInfobloxBloxOne.yaml
index 24cd78ff7a..eddac83e1c 100644
--- a/Parsers/ASimDns/Parsers/vimDnsInfobloxBloxOne.yaml
+++ b/Parsers/ASimDns/Parsers/vimDnsInfobloxBloxOne.yaml
@@ -212,7 +212,7 @@ ParserQuery: |
 SrcIpAddr = SourceIP,
 EventMessage = Message,
 EventOriginalSeverity = LogSeverity,
- EventOriginalType = Activity,
+ EventOriginalType = DeviceEventClassID,
 SrcUsername = SourceUserName,
 SrcPortNumber = SourcePort,
 EventUid = _ItemId
From d4465f0bd2b4a0d8fcc18bdae16e213107976108 Mon Sep 17 00:00:00 2001
From: "nipun.brahmbhatt@crestdatasys.com"
Date: Thu, 19 Sep 2024 18:50:43 +0530
Subject: [PATCH 11/11] Changed LastUpdate format
---
 .../ASimAuditEvent/Parsers/ASimAuditEventInfobloxBloxOne.yaml | 2 +-
 .../ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml | 2 +-
 Parsers/ASimDhcpEvent/Parsers/ASimDhcpEventInfobloxBloxOne.yaml | 2 +-
 Parsers/ASimDhcpEvent/Parsers/vimDhcpEventInfobloxBloxOne.yaml | 2 +-
 Parsers/ASimDns/Parsers/ASimDnsInfobloxBloxOne.yaml | 2 +-
 Parsers/ASimDns/Parsers/vimDnsInfobloxBloxOne.yaml | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/Parsers/ASimAuditEvent/Parsers/ASimAuditEventInfobloxBloxOne.yaml b/Parsers/ASimAuditEvent/Parsers/ASimAuditEventInfobloxBloxOne.yaml
index a52152fb5b..a113c78e1a 100644
--- a/Parsers/ASimAuditEvent/Parsers/ASimAuditEventInfobloxBloxOne.yaml
+++ b/Parsers/ASimAuditEvent/Parsers/ASimAuditEventInfobloxBloxOne.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: AuditEvent ASIM parser for Infoblox BloxOne
 Version: '0.1.0'
- LastUpdated: September 11, 2024
+ LastUpdated: Sep 11, 2024
 Product:
 Name: Infoblox BloxOne
 Normalization:
diff --git a/Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml b/Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml
index 859caf618c..fc9a0f897a 100644
--- a/Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml
+++ b/Parsers/ASimAuditEvent/Parsers/vimAuditEventInfobloxBloxOne.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: AuditEvent ASIM parser for Infoblox BloxOne
 Version: '0.1.0'
- LastUpdated: September 11, 2024
+ LastUpdated: Sep 11, 2024
 Product:
 Name: Infoblox BloxOne
 Normalization:
diff --git a/Parsers/ASimDhcpEvent/Parsers/ASimDhcpEventInfobloxBloxOne.yaml b/Parsers/ASimDhcpEvent/Parsers/ASimDhcpEventInfobloxBloxOne.yaml
index a583f3d160..9931943d4a 100644
--- a/Parsers/ASimDhcpEvent/Parsers/ASimDhcpEventInfobloxBloxOne.yaml
+++ b/Parsers/ASimDhcpEvent/Parsers/ASimDhcpEventInfobloxBloxOne.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: DhcpEvent ASIM parser for Infoblox BloxOne
 Version: '0.1.0'
- LastUpdated: September 11, 2024
+ LastUpdated: Sep 11, 2024
 Product:
 Name: Infoblox BloxOne
 Normalization:
diff --git a/Parsers/ASimDhcpEvent/Parsers/vimDhcpEventInfobloxBloxOne.yaml b/Parsers/ASimDhcpEvent/Parsers/vimDhcpEventInfobloxBloxOne.yaml
index 7cc0f66066..64b1603fb7 100644
--- a/Parsers/ASimDhcpEvent/Parsers/vimDhcpEventInfobloxBloxOne.yaml
+++ b/Parsers/ASimDhcpEvent/Parsers/vimDhcpEventInfobloxBloxOne.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: DhcpEvent ASIM parser for Infoblox BloxOne
 Version: '0.1.0'
- LastUpdated: September 11, 2024
+ LastUpdated: Sep 11, 2024
 Product:
 Name: Infoblox BloxOne
 Normalization:
diff --git a/Parsers/ASimDns/Parsers/ASimDnsInfobloxBloxOne.yaml b/Parsers/ASimDns/Parsers/ASimDnsInfobloxBloxOne.yaml
index 2ccb76c382..2361d098f7 100644
--- a/Parsers/ASimDns/Parsers/ASimDnsInfobloxBloxOne.yaml
+++ b/Parsers/ASimDns/Parsers/ASimDnsInfobloxBloxOne.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: Dns ASIM parser for Infoblox BloxOne
 Version: '0.1.0'
- LastUpdated: September 11, 2024
+ LastUpdated: Sep 11, 2024
 Product:
 Name: Infoblox BloxOne
 Normalization:
diff --git a/Parsers/ASimDns/Parsers/vimDnsInfobloxBloxOne.yaml b/Parsers/ASimDns/Parsers/vimDnsInfobloxBloxOne.yaml
index eddac83e1c..a0f5a73073 100644
--- a/Parsers/ASimDns/Parsers/vimDnsInfobloxBloxOne.yaml
+++ b/Parsers/ASimDns/Parsers/vimDnsInfobloxBloxOne.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: Dns ASIM parser for Infoblox BloxOne
 Version: '0.1.0'
- LastUpdated: September 11, 2024
+ LastUpdated: Sep 11, 2024
 Product:
 Name: Infoblox BloxOne
 Normalization: