BlueCat DNS Resolver
About
Transform DNS from one of the biggest threat vectors into a first line of defense. Rapidly detect and remediate threats, and meet compliance standards with ease.
Product Details
Vendor URL: BlueCat DNS
Product Type: DNS
Product Tier: Tier II
Integration Method: Syslog
Integration URL: N/A
Log Guide: N/A
Parser Details
Log Format: JSON
Expected Normalization Rate: 95%
Data Label: BLUECAT_DDI
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| "Bluecat Edge" | metadata.vendor_name |
| "DNS Resolver" | metadata.product_name |
| eventType | metadata.product_event_type |
| sourceAddress | principal.ip |
| sourceAddress | principal.asset.ip |
| sourcePort | principal.port |
| requestData.question.0.questionTypeId | network.dns.question.type |
| requestData.header.rcode | network.dns.response_code |
| requestData.question.0.domainName | network.dns.question.name |
| threats.0.type | security_result.threat_name |
| threats.0.indicators.0 | security_result.description |
Product Event Types

| Event | UDM Event Classification |
|---|---|
| All Events | GENERIC_EVENT |
Log Sample

```json
{
  "socketFamily": "INET",
  "socketProtocol": "UDP",
  "time": 1643317344833,
  "eventType": "query-response",
  "key": "1111",
  "customerId": "abcd",
  "siteId": "efg",
  "servicePointId": "abc",
  "queriedNamespaces": [
    { "id": "1112", "name": "Default", "fullRcode": 0 }
  ],
  "sourceAddress": "172.0.0.1",
  "sourcePort": 56289,
  "requestData": {
    "fullRcode": 0,
    "rcodeName": "NOERROR",
    "time": 1643317344833,
    "header": {
      "id": 14191, "qr": 0, "aa": false, "tc": false, "rd": true, "ra": false,
      "ad": false, "cd": false, "opcode": 0, "rcode": 0,
      "qdCount": 1, "anCount": 0, "nsCount": 0, "arCount": 0
    },
    "question": [
      { "questionType": "A", "domainName": "website", "questionTypeId": 1 }
    ]
  },
  "responseData": {
    "fullRcode": 0,
    "rcodeName": "NOERROR",
    "time": 1643317344834,
    "header": {
      "id": 14191, "qr": 1, "aa": false, "tc": false, "rd": true, "ra": true,
      "ad": false, "cd": false, "opcode": 0, "rcode": 0,
      "qdCount": 1, "anCount": 5, "nsCount": 0, "arCount": 0
    },
    "question": [
      { "questionType": "A", "domainName": "website", "questionTypeId": 1 }
    ],
    "answers": [
      { "recordType": "CNAME", "domainName": "website", "recordTypeId": 5, "ttl": 1296, "rData": "website" },
      { "recordType": "CNAME", "domainName": "website", "recordTypeId": 5, "ttl": 115, "rData": "website" },
      { "recordType": "CNAME", "domainName": "website", "recordTypeId": 5, "ttl": 1594, "rData": "website" },
      { "recordType": "CNAME", "domainName": "website", "recordTypeId": 5, "ttl": 295, "rData": "website" },
      { "recordType": "A", "domainName": "website", "recordTypeId": 1, "ttl": 5, "rData": "10.1.1.1" }
    ]
  },
  "threats": [
    { "type": "DNS_TUNNELING", "indicators": [ "VOLUMETRIC_TUNNELING" ] }
  ],
  "parentDomain": "website"
}
```
Sample Parsing
metadata.event_timestamp = "2022-01-27T21:06:29.087057Z"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Bluecat Edge"
metadata.product_name = "DNS Resolver"
metadata.product_event_type = "query-response"
metadata.description = "A"
metadata.ingested_timestamp = "2022-01-27T21:06:29.087057Z"
principal.ip = "172.0.0.1"
principal.port = 56289
principal.asset.ip = "172.0.0.1"
security_result.threat_name = "DNS_TUNNELING"
network.dns.questions.name = "website"
network.dns.questions.type = 1
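As an added example (not BlueCat's code and not the platform's own parser, which runs in its native parser configuration rather than Python), the mapping table above applied to an event like the log sample: dotted source paths with numeric segments are walked into the nested JSON, the epoch-millisecond `time` is rendered as an RFC 3339 UTC timestamp, and fields absent from a given event (for example `threats` on a benign query) are simply left out instead of failing the whole event. The abbreviated sample event, `FIELD_MAP`, `extract` and `to_udm` are constructed for this illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample, abbreviated from the log sample on this page.
SAMPLE_LOG = json.dumps({
    "time": 1643317344833, "eventType": "query-response",
    "sourceAddress": "172.0.0.1", "sourcePort": 56289,
    "requestData": {"header": {"rcode": 0},
                    "question": [{"questionType": "A", "domainName": "website", "questionTypeId": 1}]},
    "threats": [{"type": "DNS_TUNNELING", "indicators": ["VOLUMETRIC_TUNNELING"]}],
})

# UDM field -> dotted source path, taken from the mapping table; numeric segments index arrays.
FIELD_MAP = {
    "metadata.product_event_type": "eventType",
    "principal.ip": "sourceAddress",
    "principal.asset.ip": "sourceAddress",
    "principal.port": "sourcePort",
    "network.dns.question.type": "requestData.question.0.questionTypeId",
    "network.dns.response_code": "requestData.header.rcode",
    "network.dns.question.name": "requestData.question.0.domainName",
    "security_result.threat_name": "threats.0.type",
    "security_result.description": "threats.0.indicators.0",
}

def extract(obj, path):
    """Walk a dotted path; numeric segments index lists. None when any segment is missing."""
    for seg in path.split("."):
        try:
            obj = obj[int(seg)] if isinstance(obj, list) else obj[seg]
        except (KeyError, IndexError, ValueError, TypeError):
            return None
    return obj

def to_udm(raw_line):
    """Normalize one BlueCat JSON event into a flat dict keyed by UDM field name."""
    event = json.loads(raw_line)
    udm = {"metadata.vendor_name": "Bluecat Edge", "metadata.product_name": "DNS Resolver",
           "metadata.event_type": "GENERIC_EVENT"}
    # 'time' is epoch milliseconds; split it so the millisecond part is rendered exactly.
    if isinstance(event.get("time"), int):
        secs, ms = divmod(event["time"], 1000)
        ts = datetime.fromtimestamp(secs, tz=timezone.utc)
        udm["metadata.event_timestamp"] = ts.strftime("%Y-%m-%dT%H:%M:%S") + f".{ms:03d}Z"
    for udm_field, src in FIELD_MAP.items():
        value = extract(event, src)
        if value is not None:  # skip fields this event does not carry (e.g. no threats)
            udm[udm_field] = value
    return udm
```

Running `to_udm(SAMPLE_LOG)` yields the fields listed under Sample Parsing plus `security_result.description` set to the first indicator; the event timestamp derived from `time` is 2022-01-27T21:02:24.833Z.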
Parser Alerting
This product currently does not have any Parser-based Alerting.
Rules
Coming Soon