[ box.devo_ea.files.dns_windows ] [ cloud.azure.firewall.dns_proxy ] [ ddi.infoblox.dns.queries_response ]
| box.devo_ea.files.dns_windows |
---|
| box.devo_ea.files.dns_windows |
Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
serverdate | contentServerDate |
| timestamp
|
| severity | - | null("")
| str
|
| srcIp | contentRemoteIpv4 |
| ip4
|
| dstIp | - | null(ip4("0.0.0.0"))
| ip4
|
| name | contentQuestionTokens |
| str
|
| type | contentQuestionType |
| str
|
| flags | contentFlagsCharCodes |
| str
|
| dnsServer | hostname | ip4(hostname)
| ip4
|
| srcPort | - | null(int8(0))
| int8
|
| destPort | - | null("")
| str
|
| PID | contentThreadId |
| str
|
| TTL | - | null("")
| str
|
| requestCount | - | null("")
| str
|
| qclass | - | null("")
| str
|
| category | contentOpCode |
| str
|
| answers | contentQueryResponse |
| str
|
| source | - | "box.devo_ea.files.dns_windows"
| str
|
| protocol | contentProtocol |
| str
|
| qr | contentFlagsHex | if startswith(contentFlagsHex, '0') or startswith(contentFlagsHex, '1') or startswith(contentFlagsHex, '3') or startswith(contentFlagsHex, '7') -> 'Q' else 'R'
| str
|
| rawMessage | contentRaw |
| str
| ✓ | client | client |
| str
| ✓ | hostchain | hostchain |
| str
| ✓ | tag | tag |
| str
| ✓ | layouterror | layouterror |
| str
| ✓ | raw | raw |
| str
| ✓ |
| cloud.azure.firewall.dns_proxy |
---|
| cloud.azure.firewall.dns_proxy |
Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate |
| timestamp
|
| serverdate | timestamp |
| timestamp
|
| severity | - |
| str
|
| srcIp | src | ip4(src)
| ip4
|
| dstIp | dst | ip4(dst)
| ip4
|
| name | name |
| str
|
| type | type |
| str
|
| flags | responseFlag |
| str
|
| dnsServer | - |
| ip4
|
| srcPort | srcPort |
| int8
|
| destPort | - |
| str
|
| PID | queryID |
| str
|
| TTL | - |
| str
|
| requestCount | - |
| str
|
| qclass | class |
| str
|
| category | category |
| str
|
| answers | - |
| str
|
| source | - | 'cloud.azure.firewall.dns_proxy'
| str
|
| protocol | protocol |
| str
|
| qr | - | 'Q'
| str
|
| rawMessage | rawMessage |
| str
| ✓ | hostchain | hostchain |
| str
| ✓ | tag | tag |
| str
| ✓ | raw | raw |
| str
| ✓ |
| ddi.infoblox.dns.queries_response |
---|
| ddi.infoblox.dns.queries_responses |
Field in union table | Field in ddi.infoblox.dns.queries_responses | Field transformation | Type | Extra Field? |
---|
eventdate | eventdate | | timestamp | |
serverdate | serverdate | | timestamp | |
severity | - | | str | |
srcIp | client_ip | | ip4 | |
dstIp | - | null(ip4("0.0.0.0")) | ip4 | |
name | query_name | | str | |
type | type | | str | |
flags | flags | | str | |
dnsServer | dnsServer | | ip4 | |
srcPort | port | | int8 | |
destPort | - | | str | |
PID | - | | str | |
TTL | - | | str | |
requestCount | - | | str | |
qclass | class | | str | |
category | ib_category | | str | |
answers | - | | str | |
source | - | "ddi.infoblox.dns.queries_responses" | str | |
protocol | protocol | | str | |
qr | ib_category | (ib_category = 'queries') ? 'Q' : 'R' | str | |
response | rr_text | | str | |
rawMessage | rawMessage | | str | |
hostchain | hostchain | | str | |
tag | tag | | str | |
[ dns.bind.query ] [ dns.bluecat.named ] [ dns.infoblox.bloxonethreatdefense.threats ]
| dns.bind.query |
---|
| dns.bind.query |
Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
serverdate | serverdate |
| timestamp
|
| severity | severity |
| str
|
| srcIp | srcIp |
| ip4
|
| dstIp | - | null(ip4("0.0.0.0"))
| ip4
|
| name | name |
| str
|
| type | type |
| str
|
| flags | flags |
| str
|
| dnsServer | dnsServer |
| ip4
|
| srcPort | srcPort | int8(srcPort)
| int8
|
| destPort | - | null("")
| str
|
| PID | - | null("")
| str
|
| TTL | - | null("")
| str
|
| requestCount | - | null("")
| str
|
| qclass | class |
| str
|
| category | - | null("")
| str
|
| answers | - | null("")
| str
|
| source | - | "dns.bind.query"
| str
|
| protocol | - | null("")
| str
|
| qr | - | "Q"
| str
|
| rawMessage | rawSource |
| str
| ✓ | hostchain | hostchain |
| str
| ✓ | tag | tag |
| str
| ✓ | raw | layout |
| str
| ✓ |
| dns.bluecat.named |
---|
| dns.bluecat.named |
Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
serverdate | - | null(timestamp(0))
| timestamp
|
| severity | severity |
| str
|
| srcIp | src |
| ip4
|
| dstIp | - | null(ip4("0.0.0.0"))
| ip4
|
| name | cs1 |
| str
|
| type | cat | split(cat,"_",0)
| str
|
| flags | flags |
| str
|
| dnsServer | dnsServerIp |
| ip4
|
| srcPort | srcPort | int8(srcPort)
| int8
|
| destPort | - | null("")
| str
|
| PID | - | null("")
| str
|
| TTL | - | null("")
| str
|
| requestCount | - | null("")
| str
|
| qclass | - | null("")
| str
|
| category | cs1Label |
| str
|
| answers | - | null("")
| str
|
| source | - | "dns.bluecat.named"
| str
|
| protocol | protocol |
| str
|
| qr | name | (name->'DNS query') ? 'Q' : 'R'
| str
|
| rawMessage | rawSource |
| str
| ✓ | client | client |
| str
| ✓ | hostchain | hostchain |
| str
| ✓ | tag | tag |
| str
| ✓ | layout | layout |
| str
| ✓ | raw | layout |
| str
| ✓ |
| dns.infoblox.bloxonethreatdefense.threats |
---|
| dns.infoblox.bloxonethreatdefense.threats |
Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
serverdate | event_time |
| timestamp
|
| severity | severity |
| str
|
| srcIp | private_ip qip | nvl(private_ip, qip)
| ip4
|
| dstIp | - | null(ip4("0.0.0.0"))
| ip4
|
| name | qname | if endswith(qname, '.') -> substring(qname,0,length(qname)-1) else qname
| str
|
| type | qtype |
| str
|
| flags | - | null("")
| str
|
| dnsServer | qip |
| ip4
|
| srcPort | port |
| int8
|
| destPort | - | null("")
| str
|
| PID | - | null("")
| str
|
| TTL | - | null("")
| str
|
| requestCount | - | null("")
| str
|
| qclass | tclass |
| str
|
| category | tproperty |
| str
|
| answers | rdata |
| str
|
| source | - | "dns.infoblox.bloxonethreatdefense.threats"
| str
|
| protocol | - | null("")
| str
|
| qr | - | "Q"
| str
|
| rawMessage | rawSource |
| str
| ✓ | client | client |
| str
| ✓ | hostchain | hostchain |
| str
| ✓ | tag | tag |
| str
| ✓ | layout | layout |
| str
| ✓ | raw | layout |
| str
| ✓ |
[ dns.infoblox.response ] [ dns.windows ] [ edr.crowdstrike.cannon.dnsrequest ]
| dns.infoblox.response |
---|
| dns.infoblox.response |
Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
serverdate | - | null(timestamp(0))
| timestamp
|
| severity | - | null("")
| str
|
| srcIp | IP |
| ip4
|
| dstIp | - | null(ip4("0.0.0.0"))
| ip4
|
| name | queried_domain |
| str
|
| type | type |
| str
|
| flags | flags |
| str
|
| dnsServer | server_ip |
| ip4
|
| srcPort | port |
| int8
|
| destPort | - | null("")
| str
|
| PID | - | null("")
| str
|
| TTL | - | null("")
| str
|
| requestCount | - | null("")
| str
|
| qclass | class |
| str
|
| category | event_type |
| str
|
| answers | - | null("")
| str
|
| source | - | "dns.infoblox.response"
| str
|
| protocol | protocol |
| str
|
| qr | event_type | (event_type->'query') ? 'Q' : 'R'
| str
|
| rawMessage | rawSource |
| str
| ✓ | client | client |
| str
| ✓ | hostchain | hostchain |
| str
| ✓ | tag | tag |
| str
| ✓ | layout | layout |
| str
| ✓ | raw | layout |
| str
| ✓ |
| dns.windows |
Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
serverdate | serverdate |
| timestamp
|
| severity | - | null("")
| str
|
| srcIp | remote_ip |
| ip4
|
| dstIp | - | null(ip4("0.0.0.0"))
| ip4
|
| name | question_dot |
| str
|
| type | question_type |
| str
|
| flags | flags_char_codes |
| str
|
| dnsServer | hostname | ip4(hostname)
| ip4
|
| srcPort | - | null(int8(0))
| int8
|
| destPort | - | null("")
| str
|
| PID | thread_id |
| str
|
| TTL | - | null("")
| str
|
| requestCount | - | null("")
| str
|
| qclass | - | null("")
| str
|
| category | op_code |
| str
|
| answers | query_response |
| str
|
| source | - | "dns.windows"
| str
|
| protocol | protocol |
| str
|
| qr | flags_hex | if startswith(flags_hex, '0') or startswith(flags_hex, '1') or startswith(flags_hex, '3') or startswith(flags_hex, '7') -> 'Q' else 'R'
| str
|
| rawMessage | rawMessage |
| str
| ✓ | client | client |
| str
| ✓ | hostchain | hostchain |
| str
| ✓ | tag | tag |
| str
| ✓ | layout | layout |
| str
| ✓ | raw | layout |
| str
| ✓ |
| edr.crowdstrike.cannon.dnsrequest |
---|
| edr.crowdstrike.cannon.dnsrequest |
Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
serverdate | timestamp |
| timestamp
|
| severity | - | null("")
| str
|
| srcIp | aip |
| ip4
|
| dstIp | - | null(ip4("0.0.0.0"))
| ip4
|
| name | DomainName |
| str
|
| type | RequestType |
| str
|
| flags | - | null("")
| str
|
| dnsServer | - | null(ip4("0.0.0.0"))
| ip4
|
| srcPort | - | null(int8(0))
| int8
|
| destPort | - | null("")
| str
|
| PID | aid |
| str
|
| TTL | - | null("")
| str
|
| requestCount | - | null("")
| str
|
| qclass | - | null("")
| str
|
| category | - | null("")
| str
|
| answers | - | null("")
| str
|
| source | - | "edr.crowdstrike.cannon.dnsrequest"
| str
|
| protocol | - | null("")
| str
|
| qr | - | "Q"
| str
|
| rawMessage | rawMessage |
| str
| ✓ | client | client |
| str
| ✓ | hostchain | hostchain |
| str
| ✓ | tag | tag |
| str
| ✓ | layout | layout |
| str
| ✓ | raw | layout |
| str
| ✓ |
[ firewall.paloalto.traffic ] [ ids.bro.dns ] [ ids.corelight.dns ]
| firewall.paloalto.traffic |
---|
| firewall.paloalto.traffic |
Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
serverdate | timestamp |
| timestamp
|
| severity | - | null("")
| str
|
| srcIp | srcIp |
| ip4
|
| dstIp | dstIp |
| ip4
|
| name | device_name |
| str
|
| type | - | null("")
| str
|
| flags | flags |
| str
|
| dnsServer | - | null(ip4("0.0.0.0"))
| ip4
|
| srcPort | srcPort |
| int8
|
| destPort | dstPort |
| str
|
| PID | - | null("")
| str
|
| TTL | - | null("")
| str
|
| requestCount | - | null("")
| str
|
| qclass | - | null("")
| str
|
| category | category |
| str
|
| answers | - | null("")
| str
|
| source | - | "firewall.paloalto.traffic"
| str
|
| protocol | proto |
| str
|
| qr | - | "Q"
| str
|
| rawMessage | rawSource |
| str
| ✓ | client | client |
| str
| ✓ | hostchain | hostchain |
| str
| ✓ | tag | tag |
| str
| ✓ | layout | layout |
| str
| ✓ | raw | layout |
| str
| ✓ |
| ids.bro.dns |
Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
serverdate | serverdate |
| timestamp
|
| severity | - | null("")
| str
|
| srcIp | origHost | ip4(origHost)
| ip4
|
| dstIp | destHost | ip4(destHost)
| ip4
|
| name | - | null("")
| str
|
| type | qtype | str(qtype)
| str
|
| flags | AA TC RD | add(add(add(add(AA,"+"),TC),"+"),RA);
| str
|
| dnsServer | host | ip4(host)
| ip4
|
| srcPort | origPort | int8(origPort)
| int8
|
| destPort | - | null("")
| str
|
| PID | - | null("")
| str
|
| TTL | TTLs |
| str
|
| requestCount | - | null("")
| str
|
| qclass | - | null("")
| str
|
| category | - | null("")
| str
|
| answers | answers |
| str
|
| source | - | "ids.bro.dns"
| str
|
| protocol | - | null("")
| str
|
| qr | - | "Q"
| str
|
| rawMessage | rawMessage |
| str
| ✓ | client | client |
| str
| ✓ | hostchain | hostchain |
| str
| ✓ | tag | tag |
| str
| ✓ | layout | layout |
| str
| ✓ | raw | layout |
| str
| ✓ |
| ids.corelight.dns |
---|
| ids.corelight.dns |
Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
serverdate | ts |
| timestamp
|
| severity | - | null("")
| str
|
| srcIp | id_orig_h |
| ip4
|
| dstIp | id_resp_h |
| ip4
|
| name | - | null("")
| str
|
| type | qtype_name |
| str
|
| flags | AA TC RD | add(add(add(add(AA,"+"),TC),"+"),RA);
| str
|
| dnsServer | - | null(ip4("0.0.0.0"))
| ip4
|
| srcPort | id_orig_p |
| int8
|
| destPort | id_resp_p | str(id_resp_p)
| str
|
| PID | - | null("")
| str
|
| TTL | TTLs |
| str
|
| requestCount | - | null("")
| str
|
| qclass | qclass_name |
| str
|
| category | - | null("")
| str
|
| answers | answers |
| str
|
| source | - | "ids.corelight.dns"
| str
|
| protocol | proto |
| str
|
| qr | - | "Q"
| str
|
| rawMessage | rawMessage |
| str
| ✓ | client | client |
| str
| ✓ | hostchain | hostchain |
| str
| ✓ | tag | tag |
| str
| ✓ | layout | layout |
| str
| ✓ | raw | layout |
| str
| ✓ |
|