Analytical changes

Solutions/Infoblox NIOS/Analytic Rules/ExcessiveNXDOMAINDNSQueries.yaml

@@ -19,16 +19,18 @@ relevantTechniques:
 query: |
 
   let threshold = 200;
-  Infoblox_dnsclient
-  | where isnotempty(DnsResponseCode)
-  | where DnsResponseCode =~ "NXDOMAIN"
-  | summarize count() by SrcIpAddr, bin(TimeGenerated,15m)
+  InfobloxNIOS
+  | where ProcessName =~ "named" and Log_Type =~ "client"
+  | where isnotempty(ResponseCode)
+  | where ResponseCode =~ "NXDOMAIN"
+  | summarize count() by Client_IP, bin(TimeGenerated,15m)
   | where count_ > threshold
-  | join kind=inner (Infoblox_dnsclient
-      | where isnotempty(DnsResponseCode)
-      | where DnsResponseCode =~ "NXDOMAIN"
-      ) on SrcIpAddr
-  | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr
+  | join kind=inner (InfobloxNIOS
+      | where ProcessName =~ "named" and Log_Type =~ "client"
+      | where isnotempty(ResponseCode)
+      | where ResponseCode =~ "NXDOMAIN"
+      ) on Client_IP
+  | extend timestamp = TimeGenerated, IPCustomEntity = Client_IP
 entityMappings:
   - entityType: IP
     fieldMappings:

Solutions/Infoblox NIOS/Analytic Rules/PotentialDHCPStarvationAttack.yaml

@@ -18,13 +18,14 @@ relevantTechniques:
 query: |
 
   let threshold = 1000;
-  Infoblox_dhcprequest
-  | summarize count() by SrcIpAddr, bin(TimeGenerated,5m)
+  InfobloxNIOS
+  | where ProcessName =~ "dhcpd" and Log_Type =~ "DHCPREQUEST"
+  | summarize count() by ServerIP, bin(TimeGenerated,5m)
   | where count_ > threshold
-  | join kind=inner (Infoblox_dhcprequest
+  | join kind=inner (InfobloxNIOS
       | where ProcessName =~ "dhcpd" and Log_Type =~ "DHCPREQUEST"
-      ) on SrcIpAddr
-  | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr
+      ) on ServerIP
+  | extend timestamp = TimeGenerated, IPCustomEntity = ServerIP
 entityMappings:
   - entityType: IP
     fieldMappings: