Infoblox

About

Infoblox is a privately held IT automation and security company based in California's Silicon Valley. The company focuses on managing and identifying devices connected to networks, specifically for the Domain Name System, Dynamic Host Configuration Protocol, and IP address management.

Infoblox NIOS is the world's leading on-premises platform for automating DNS, DHCP and IPAM (DDI) and simplifying complex, dynamic network services for any size

Product Details

Vendor URL: Infoblox | Cloud-First Security & Networking

Product Type: DNS, DHCP

Product Tier: Tier I

Integration Method: Syslog

Integration URL: Configuring Syslog Forwarding - Infoblox Documentation Portal

Log Guide: Infoblox Log Guide

Parser Details

Log Format: Syslog

Expected Normalization Rate: 75%

Data Label: INFOBLOX

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field                    UDM Field
vendor                            metadata.vendor_name
product                           metadata.product_name
product_event                     metadata.product_event_type
GENERIC_EVENT/USER_LOGIN          metadata.event_type
sdomain                           principal.administrative_domain
session                           additional.fields
application                       security_result.summary
application                       principal.application
srcport                           principal.port
dstport                           target.port
dst_int                           additional.fields
src                               principal.hostname
src                               principal.ip
dst                               target.hostname
dst                               target.ip
dhost                             target.hostname
dhost                             target.ip
shost                             principal.hostname
shost                             principal.ip
suser                             principal.user.userid
observer                          observer.hostname
observer                          observer.ip
ALLOW/BLOCK                       security_result.action
INFORMATIONAL/LOW/MEDIUM/HIGH     security_result.severity
description                       metadata.description
AUTHTYPE_UNSPECIFIED              extensions.auth.type

Product Event Types

type,subtype     severity     UDM Event Classification     alerting enabled
Default                       GENERIC_EVENT
Login_success                 USER_LOGIN

Log Sample

<28>Dec  1 15:23:47 OBSERVER.DOMAIN.COM hostservice: 410 Login_success, Username: john.doe, Src: hostname1.SUBDOMAIN.US.DOMAIN.COM, Src IP: 10.11.11.49, Dst IFace: default, Dst IP: 10.12.12.129, Src Port: 65384, Dst Port: 22, Ver: SSH-2.0-OpenSSH_5.2 Secure_Shell-v6, Session-Id: 1234

Sample Parsing

metadata.event_timestamp = "2021-12-01T15:23:47Z"
metadata.event_type = "USER_LOGIN"
metadata.product_event_type = "Login_success"
metadata.description = "SSH-2.0-OpenSSH_5.2 Secure_Shell-v6"
metadata.ingested_timestamp = "2021-12-01T19:23:49.914177Z"
additional.Dst IFace = "default"
additional.Session-Id = "1234"
principal.hostname = "hostname1"
principal.user.userid = "john.doe"
principal.ip = "10.11.11.49"
principal.port = 65384
principal.administrative_domain = "SUBDOMAIN.US.DOMAIN.COM"
principal.application = "SSH-2.0-OpenSSH_5.2"
principal.namespace = "DOMAIN"
principal.asset.ip = "10.11.11.49"
target.ip = "10.12.12.129"
target.port = 22
target.namespace = "DOMAIN"
target.asset.ip = "10.12.12.129"
observer.hostname = "OBSERVER.DOMAIN.COM"
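The mapping shown in the Log Sample and Sample Parsing above, carried out in code as an added example written for this page; it is not the vendor's or the SIEM's own parser. It assumes the message body always has the layout "<code> <product_event_type>, Key: value, ..." seen in the sample, renders UDM paths as flat dictionary keys, takes the year as a caller-supplied parameter (RFC 3164 timestamps carry none; 2021 matches the Sample Parsing), and decodes the syslog PRI into constructed additional.syslog_facility / additional.syslog_severity fields for completeness. It does not reproduce the namespace and asset fields from the sample, which are environment-specific. It also generalizes the table's src -> principal.hostname / principal.ip pair by checking whether the Src value is an address, and falls back to GENERIC_EVENT for any product event type other than Login_success, as the Product Event Types table states.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample line, same shape as the Log Sample on this page.
SAMPLE_LINE = (
    "<28>Dec  1 15:23:47 OBSERVER.DOMAIN.COM hostservice: 410 Login_success, "
    "Username: john.doe, Src: hostname1.SUBDOMAIN.US.DOMAIN.COM, Src IP: 10.11.11.49, "
    "Dst IFace: default, Dst IP: 10.12.12.129, Src Port: 65384, Dst Port: 22, "
    "Ver: SSH-2.0-OpenSSH_5.2 Secure_Shell-v6, Session-Id: 1234"
)

# RFC 3164 header: <PRI>Mmm dd HH:MM:SS hostname tag: message
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$"
)

# product_event_type -> metadata.event_type, per the Product Event Types table.
EVENT_TYPE_MAP = {"Login_success": "USER_LOGIN"}

# Message keys that land in additional.fields rather than a typed UDM field.
ADDITIONAL_KEYS = ("Dst IFace", "Session-Id")


def parse_kv(body):
    """Turn 'Key: value, Key: value' into a dict.

    Values may contain spaces (the Ver field does), so split on ', ' first
    and then on the first ': ' of each part.
    """
    fields = {}
    for part in body.split(", "):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def to_udm(line, year=2021):
    """Map one Infoblox syslog line to a flat dict of UDM paths.

    Returns None when the syslog header does not match; that is how a
    normalization-rate counter would treat an unparsed line.
    """
    m = HEADER_RE.match(line)
    if not m:
        return None

    # PRI = facility * 8 + severity (RFC 3164); <28> is daemon / warning.
    facility, severity = divmod(int(m.group("pri")), 8)

    # The RFC 3164 timestamp has no year; the caller supplies it (assumption:
    # 2021, matching the Sample Parsing on the page). Collapse the padding
    # space before a single-digit day so strptime accepts it.
    ts_text = " ".join(m.group("ts").split())
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    ts = ts.replace(tzinfo=timezone.utc)

    # Message body: '<code> <product_event_type>, Key: value, ...'
    _code, _, rest = m.group("msg").partition(" ")
    event, _, body = rest.partition(", ")
    kv = parse_kv(body)

    udm = {
        "metadata.event_timestamp": ts.isoformat().replace("+00:00", "Z"),
        "metadata.event_type": EVENT_TYPE_MAP.get(event, "GENERIC_EVENT"),
        "metadata.product_event_type": event,
        "metadata.vendor_name": "Infoblox",
        "observer.hostname": m.group("host"),
        # Constructed fields, not in the page's table: keep the PRI decode.
        "additional.syslog_facility": facility,
        "additional.syslog_severity": severity,
    }

    if "Username" in kv:
        udm["principal.user.userid"] = kv["Username"]
    if "Src" in kv:
        # The table maps src to principal.hostname or principal.ip; decide by
        # whether the value parses as an address. An FQDN is split into the
        # short hostname and the administrative domain, as in the sample.
        try:
            ipaddress.ip_address(kv["Src"])
            udm["principal.ip"] = kv["Src"]
        except ValueError:
            host, _, domain = kv["Src"].partition(".")
            udm["principal.hostname"] = host
            if domain:
                udm["principal.administrative_domain"] = domain
    if "Src IP" in kv:
        udm["principal.ip"] = kv["Src IP"]
    if "Src Port" in kv:
        udm["principal.port"] = int(kv["Src Port"])
    if "Dst IP" in kv:
        udm["target.ip"] = kv["Dst IP"]
    if "Dst Port" in kv:
        udm["target.port"] = int(kv["Dst Port"])
    if "Ver" in kv:
        # Whole banner goes to the description; first token is the application.
        udm["metadata.description"] = kv["Ver"]
        udm["principal.application"] = kv["Ver"].split()[0]
    for key in ADDITIONAL_KEYS:
        if key in kv:
            udm[f"additional.{key}"] = kv[key]
    return udm


if __name__ == "__main__":
    for path, value in sorted(to_udm(SAMPLE_LINE).items()):
        print(f"{path} = {value!r}")
```

Lines whose header does not match return None rather than raising, so the same function can be run over a batch to measure the share that normalizes, which is what the 75% Expected Normalization Rate above refers to.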

Parser Alerting

This product currently does not have any parser-based alerting.

Rules

Coming Soon