TCPWave DDI¶
About¶
TCPWave reinforces DDI standards so that the DDI management and the service layers are built with consistency, continuity, creativity, and coherence. The TCPWave DDI standards aim to empower your network with the knowledge needed to drive your business. They also demonstrate how we can achieve a consistent and cohesive identity across our businesses that will differentiate us from our competition while connecting with our seasoned professionals. With many successful deployments, TCPWave stands out as the most trusted brand in the DDI world. We strive to learn and maintain a leading edge by constantly adhering to the highest standards. We ask our employees and partners to ensure that their decisions pass three tests: They are in our client's interests, enhance security, and adapt quickly to the changing technology landscapes. Since we do these things well, we positively impact the customers we serve and show what innovation can do. TCPWave has individuals with a driven mindset that demands responsible actions, an optimism to see a brighter future, the resilience to imagine a failure, and a passion for redefining the definition of perfection.
Product Details¶
Vendor URL: TCPWave DDI
Product Type: TCPWAVE_DDI
Product Tier: Tier I
Integration Method: Syslog
Integration URL: TCPWave DDI
Log Guide: N/A
Parser Details¶
Log Format: Syslog
Expected Normalization Rate: near 99%
Data Label: TCPWAVE_DDI
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| metadata.description | description |
| metadata.description | inner_message |
| metadata.description | kv.cat |
| metadata.description | Log statistics |
| metadata.event_type | GENERIC_EVENT |
| metadata.event_type | NETWORK_DHCP |
| metadata.event_type | NETWORK_DNS |
| metadata.product_event_type | event_id |
| network.application_protocol | DHCP |
| network.application_protocol | DNS |
| network.dhcp.chaddr | client_mac |
| network.dhcp.ciaddr | client_ip |
| network.dhcp.ciaddr | src_ip |
| network.dhcp.ciaddr | target_ip |
| network.dhcp.giaddr | relay_ip |
| network.dhcp.opcode | BOOTREPLY |
| network.dhcp.opcode | BOOTREQUEST |
| network.dhcp.siaddr | src_ip |
| network.dhcp.type | ACK |
| network.dhcp.type | DISCOVER |
| network.dhcp.type | INFORM |
| network.dhcp.type | NAK |
| network.dhcp.type | OFFER |
| network.dhcp.type | RELEASE |
| network.dhcp.type | REQUEST |
| network.dhcp.yiaddr | src_ip |
| network.dns.answers | response |
| network.dns.authority | zone |
| network.dns.questions | query |
| network.dns.questions | question.type |
| network.dns.recursion_desired | true |
| principal.ip | src_ip |
| principal.ip | kv.src |
| principal.mac | client_mac |
| principal.port | integer |
| query.name | target_host |
| response.data | target_ip |
| network.dhcp.sname | server_host |
| target.hostname | server_host |
| principal.port | src_port |
| target.administrative_domain | zone |
| target.ip | dst_ip |
| target.ip | server_ip |
| target.ip | target_ip |
| target.mac | client_mac |
| target.hostname | target_host |
Product Event Types¶
| Description | metadata.event_type |
|---|---|
| Default and failover if missing DHCP/DNS fields | GENERIC_EVENT |
| If log is DHCP event | NETWORK_DHCP |
| If log doesn't match known filters | NETWORK_DNS |
Log Sample¶
Oct 6 14:01:03 hostname named[9571]: 06-Oct-2022 14:01:03.337 info: client @0x7f14742e74c0 10.1.2.3#56823 (fully.qualified.server.name): query failed (SERVFAIL) for fully.qualified.server.name/IN/A at query.c:8678
Sample Parsing¶
metadata.event_type = "NETWORK_DNS"
metadata.description = "query failed"
principal.ip = "10.1.2.3"
principal.port = 56823
principal.asset.ip = "10.1.2.3"
target.hostname = "fully.qualified.server.name"
target.asset.hostname = "fully.qualified.server.name"
network.application_protocol = "DNS"
network.dns.questions.name = "fully.qualified.server.name"
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon