| box.devo_ea.files.dns_windows |
---|
| box.devo_ea.files.dns_windows |
---|
box.devo_ea.files.dns_windows

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
serverdate | contentServerDate |
| timestamp
|
| severity | - | null("")
| str
|
| srcIp | contentRemoteIpv4 |
| ip4
|
| dstIp | - | null(ip4("0.0.0.0"))
| ip4
|
| name | contentQuestionTokens |
| str
|
| type | contentQuestionType |
| str
|
| flags | contentFlagsCharCodes |
| str
|
| dnsServer | hostname | ip4(hostname)
| ip4
|
| srcPort | - | null(int8(0))
| int8
|
| destPort | - | null("")
| str
|
| PID | contentThreadId |
| str
|
| TTL | - | null("")
| str
|
| requestCount | - | null("")
| str
|
| qclass | - | null("")
| str
|
| category | contentOpCode |
| str
|
| answers | contentQueryResponse |
| str
|
| source | - | "box.devo_ea.files.dns_windows"
| str
|
| protocol | contentProtocol |
| str
|
| qr | contentFlagsHex | if startswith(contentFlagsHex, '0') or startswith(contentFlagsHex, '1') or startswith(contentFlagsHex, '3') or startswith(contentFlagsHex, '7') -> 'Q' else 'R'
| str
|
| rawMessage | contentRaw |
| str
| ✓ | client | client |
| str
| ✓ | hostchain | hostchain |
| str
| ✓ | tag | tag |
| str
| ✓ | layouterror | layouterror |
| str
| ✓ | raw | raw |
| str
| ✓ |
| cloud.azure.firewall.dns_proxy |
---|
| cloud.azure.firewall.dns_proxy |
---|
cloud.azure.firewall.dns_proxy

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
eventdate | eventdate | | timestamp
|
| serverdate | timestamp | | timestamp
|
| severity | - | | str
|
| srcIp | src | ip4(src)
| ip4
|
| dstIp | dst | ip4(dst)
| ip4
|
| name | name | | str
|
| type | type | | str
|
| flags | responseFlag | | str
|
| dnsServer | - | | ip4
|
| srcPort | srcPort | | int8
|
| destPort | - | | str
|
| PID | queryID | | str
|
| TTL | - | | str
|
| requestCount | - | | str
|
| qclass | class | | str
|
| category | category | | str
|
| answers | - | | str
|
| source | - | 'cloud.azure.firewall.dns_proxy'
| str
|
| protocol | protocol | | str
|
| qr | - | 'Q'
| str
|
| rawMessage | rawMessage | | str
| ✓ | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ | raw | raw | | str
| ✓ |
| ddi.infoblox.dns.queries_response |
---|
| ddi.infoblox.dns.queries_response |
---|
ddi.infoblox.dns.queries_responses

Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | serverdate | serverdate | | timestamp
| | severity | - | | str
| | srcIp | client_ip | | ip4
| | dstIp | - | null(ip4("0.0.0.0")) |
| ip4
| | name | query_name | | str
| | type | type | | str
| | flags | flags | | str
| | dnsServer | dnsServer | | ip4
| | srcPort | port | | int8
| | destPort | - | | str
| | PID | - | | str
| | TTL | - | | str
| | requestCount | - | | str
| | qclass | class | | str
| | category | ib_category | | str
| | answers | - | | str
| | source | - | "ddi.infoblox.dns.queries_responses" |
| str
| | protocol | protocol | | str
| | qr | ib_category | (ib_category = 'queries') ? 'Q' : 'R' |
| str
| | response | rr_text | | str
| | rawMessage | rawMessage | | str
| ✓ | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
| dns.bind.query |
---|
| dns.bind.query |
---|
dns.bind.query

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
serverdate | serverdate |
| timestamp
|
| severity | severity |
| str
|
| srcIp | srcIp |
| ip4
|
| dstIp | - | null(ip4("0.0.0.0"))
| ip4
|
| name | name |
| str
|
| type | type |
| str
|
| flags | flags |
| str
|
| dnsServer | dnsServer |
| ip4
|
| srcPort | srcPort | int8(srcPort)
| int8
|
| destPort | - | null("")
| str
|
| PID | - | null("")
| str
|
| TTL | - | null("")
| str
|
| requestCount | - | null("")
| str
|
| qclass | class |
| str
|
| category | - | null("")
| str
|
| answers | - | null("")
| str
|
| source | - | "dns.bind.query"
| str
|
| protocol | - | null("")
| str
|
| qr | - | "Q"
| str
|
| rawMessage | rawSource |
| str
| ✓ | hostchain | hostchain |
| str
| ✓ | tag | tag |
| str
| ✓ | raw | layout |
| str
| ✓ |
| dns.bluecat.named |
---|
| dns.bluecat.named |
---|
dns.bluecat.named

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
serverdate | - | null(timestamp(0))
| timestamp
|
| severity | severity | | str
|
| srcIp | src | | ip4
|
| dstIp | - | null(ip4("0.0.0.0"))
| ip4
|
| name | cs1 | | str
|
| type | cat | split(cat,"_",0)
| str
|
| flags | flags | | str
|
| dnsServer | dnsServerIp | | ip4
|
| srcPort | srcPort | int8(srcPort)
| int8
|
| destPort | - | null("")
| str
|
| PID | - | null("")
| str
|
| TTL | - | null("")
| str
|
| requestCount | - | null("")
| str
|
| qclass | - | null("")
| str
|
| category | cs1Label | | str
|
| answers | - | null("")
| str
|
| source | - | "dns.bluecat.named"
| str
|
| protocol | protocol | | str
|
| qr | name | (name->'DNS query') ? 'Q' : 'R'
| str
|
| rawMessage | rawSource | | str
| ✓ | client | client | | str
| ✓ | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ | layout | layout | | str
| ✓ | raw | layout | | str
| ✓ |
| dns.bluecat.stats |
---|
| dns.bluecat.stats |
---|
dns.bluecat.stats

Field in union table | Field in source table | Field transformation | Type | Extra fields |
---|
eventdate | eventdate | | timestamp
| | serverdate | time | timestamp(time) |
| timestamp
| | severity | - | | str
| | srcIp | source_address | | ip4
| | dstIp | response_address | | ip4
| | name | response_data__question__domain_name request_data__question__domain_name query_zone request_data__zone__z_name | isnotnull(query_zone[0]) ? query_zone : isnotnull(request_data__question__domain_name[0]) ? request_data__question__domain_name[0] : isnotnull(response_data__question__domain_name[0]) ? response_data__question__domain_name[0] : request_data__zone__z_name[0] |
| str
| | type | type | | str
| | flags | - | | str
| | dnsServer | - | | ip4
| | srcPort | source_port | int8(source_port) |
| int8
| | destPort | response_port | str(response_port) |
| str
| | PID | key | | str
| | TTL | response_data__answers__ttl_str response_data__authority__ttl_str request_data__update__ttl_str response_data__additional__ttl_str request_data__answers__ttl_str | ((response_data__additional__ttl_str != "null") ? response_data__additional__ttl_str + "," : "") + ((response_data__authority__ttl_str != "null") ? response_data__authority__ttl_str + "," : "") + ((request_data__answers__ttl_str != "null") ? request_data__answers__ttl_str + "," : "") + ((response_data__answers__ttl_str != "null") ? response_data__answers__ttl_str + "," : "") + request_data__update__ttl_str |
| str
| | requestCount | request_data__question__domain_name_str | length(split(request_data__question__domain_name_str, ',')) |
| str
| | qclass | message_type | | str
| | category | payload_type | | str
| | answers | response_data__answers__domain_name | isnotnull(join(response_data__answers__domain_name, ";")) ? join(response_data__answers__domain_name, ";") : null("") |
| str
| | source | - | "dns.bluecat.stats" |
| str
| | protocol | socket_protocol | | str
| | qr | type | (type -> 'query') ? 'Q' : 'R' |
| str
| | response | response_data__answers__r_data | isnotnull(join(response_data__answers__r_data, ";")) ? join(response_data__answers__r_data, ";") : null("") |
| str
| | rawMessage | rawMessage | | str
| ✓ | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ |
layout | layout | str
| ✓ | raw | layout | str
| ✓ |
| dns.infoblox.bloxonethreatdefense.threats |
---|
| dns.infoblox.bloxonethreatdefense.threats |
---|
dns.infoblox.bloxonethreatdefense.threats

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
serverdate | event_time |
| timestamp
|
| severity | severity |
| str
|
| srcIp | private_ip qip | nvl(private_ip, qip)
| ip4
|
| dstIp | - | null(ip4("0.0.0.0"))
| ip4
|
| name | qname | if endswith(qname, '.') -> substring(qname,0,length(qname)-1) else qname
| str
|
| type | qtype |
| str
|
| flags | - | null("")
| str
|
| dnsServer | qip |
| ip4
|
| srcPort | port |
| int8
|
| destPort | - | null("")
| str
|
| PID | - | null("")
| str
|
| TTL | - | null("")
| str
|
| requestCount | - | null("")
| str
|
| qclass | tclass |
| str
|
| category | tproperty |
| str
|
| answers | rdata |
| str
|
| source | - | "dns.infoblox.bloxonethreatdefense.threats"
| str
|
| protocol | - | null("")
| str
|
| qr | - | "Q"
| str
|
| rawMessage | rawSource |
| str
| ✓ | client | client |
| str
| ✓ | hostchain | hostchain |
| str
| ✓ | tag | tag |
| str
| ✓ | layout | layout |
| str
| ✓ | raw | layout |
| str
| ✓ |
| dns.infoblox.response |
---|
| dns.infoblox.response |
---|
dns.infoblox.response

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
serverdate | - | null(timestamp(0))
| timestamp
|
| severity | - | null("")
| str
|
| srcIp | IP | | ip4
|
| dstIp | - | null(ip4("0.0.0.0"))
| ip4
|
| name | queried_domain | | str
|
| type | type | | str
|
| flags | flags | | str
|
| dnsServer | server_ip | | ip4
|
| srcPort | port | | int8
|
| destPort | - | null("")
| str
|
| PID | - | null("")
| str
|
| TTL | - | null("")
| str
|
| requestCount | - | null("")
| str
|
| qclass | class | | str
|
| category | event_type | | str
|
| answers | - | null("")
| str
|
| source | - | "dns.infoblox.response"
| str
|
| protocol | protocol | | str
|
| qr | event_type | (event_type->'query') ? 'Q' : 'R'
| str
|
| rawMessage | rawSource | | str
| ✓ | client | client | | str
| ✓ | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ | layout | layout | | str
| ✓ | raw | layout | | str
| ✓ |
dns.windows

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
serverdate | serverdate | | timestamp
|
| severity | - | null("")
| str
|
| srcIp | remote_ip | | ip4
|
| dstIp | - | null(ip4("0.0.0.0"))
| ip4
|
| name | question_dot | | str
|
| type | question_type | | str
|
| flags | flags_char_codes | | str
|
| dnsServer | hostname | ip4(hostname)
| ip4
|
| srcPort | - | null(int8(0))
| int8
|
| destPort | - | null("")
| str
|
| PID | thread_id | | str
|
| TTL | - | null("")
| str
|
| requestCount | - | null("")
| str
|
| qclass | - | null("")
| str
|
| category | op_code | | str
|
| answers | query_response | | str
|
| source | - | "dns.windows"
| str
|
| protocol | protocol | | str
|
| qr | flags_hex | if startswith(flags_hex, '0') or startswith(flags_hex, '1') or startswith(flags_hex, '3') or startswith(flags_hex, '7') -> 'Q' else 'R'
| str
|
| rawMessage | rawMessage | | str
| ✓ | client | client | | str
| ✓ | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ | layout | layout | | str
| ✓ | raw | layout | | str
| ✓ |
| edr.crowdstrike.cannon.dnsrequest |
---|
| edr.crowdstrike.cannon.dnsrequest |
---|
edr.crowdstrike.cannon.dnsrequest

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
serverdate | timestamp | | timestamp
|
| severity | - | null("")
| str
|
| srcIp | aip | | ip4
|
| dstIp | - | null(ip4("0.0.0.0"))
| ip4
|
| name | DomainName | | str
|
| type | RequestType | | str
|
| flags | - | null("")
| str
|
| dnsServer | - | null(ip4("0.0.0.0"))
| ip4
|
| srcPort | - | null(int8(0))
| int8
|
| destPort | - | null("")
| str
|
| PID | aid | | str
|
| TTL | - | null("")
| str
|
| requestCount | - | null("")
| str
|
| qclass | - | null("")
| str
|
| category | - | null("")
| str
|
| answers | - | null("")
| str
|
| source | - | "edr.crowdstrike.cannon.dnsrequest"
| str
|
| protocol | - | null("")
| str
|
| qr | - | "Q"
| str
|
| rawMessage | rawMessage | | str
| ✓ | client | client | | str
| ✓ | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ | layout | layout | | str
| ✓ | raw | layout | | str
| ✓ |
| firewall.paloalto.traffic |
---|
| firewall.paloalto.traffic |
---|
firewall.paloalto.traffic

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
serverdate | timestamp | | timestamp
|
| severity | - | null("")
| str
|
| srcIp | srcIp | | ip4
|
| dstIp | dstIp | | ip4
|
| name | device_name | | str
|
| type | - | null("")
| str
|
| flags | flags | | str
|
| dnsServer | - | null(ip4("0.0.0.0"))
| ip4
|
| srcPort | srcPort | | int8
|
| destPort | dstPort | | str
|
| PID | - | null("")
| str
|
| TTL | - | null("")
| str
|
| requestCount | - | null("")
| str
|
| qclass | - | null("")
| str
|
| category | category |
| str
|
| answers | - | null("")
| str
|
| source | - | "firewall.paloalto.traffic"
| str
|
| protocol | proto | | str
|
| qr | - | "Q"
| str
|
| rawMessage | rawSource | | str
| ✓ | client | client | | str
| ✓ | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ | layout | layout | | str
| ✓ | raw | layout | | str
| ✓ |
ids.bro.dns

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
serverdate | serverdate | | timestamp
|
| severity | - | null("")
| str
|
| srcIp | origHost | ip4(origHost)
| ip4
|
| dstIp | destHost | ip4(destHost)
| ip4
|
| name | - | null("")
| str
|
| type | qtype | str(qtype)
| str
|
| flags | AA TC RD | add(add(add(add(AA,"+"),TC),"+"),RA);
| str
|
| dnsServer | host | ip4(host)
| ip4
|
| srcPort | origPort | int8(origPort)
| int8
|
| destPort | - | null("")
| str
|
| PID | - | null("")
| str
|
| TTL | TTLs | | str
|
| requestCount | - | null("")
| str
|
| qclass | - | null("")
| str
|
| category | - | null("")
| str
|
| answers | answers | | str
|
| source | - | "ids.bro.dns"
| str
|
| protocol | - | null("")
| str
|
| qr | - | "Q"
| str
|
| rawMessage | rawMessage | | str
| ✓ | client | client | | str
| ✓ | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ | layout | layout | | str
| ✓ | raw | layout | | str
| ✓ |
| ids.corelight.dns |
---|
| ids.corelight.dns |
---|
ids.corelight.dns

Field in union table | Field in source table | Field transformation | Data type | Extra fields |
---|
serverdate | ts | | timestamp
|
| severity | - | null("")
| str
|
| srcIp | id_orig_h | | ip4
|
| dstIp | id_resp_h | | ip4
|
| name | - | null("")
| str
|
| type | qtype_name | | str
|
| flags | AA TC RD | add(add(add(add(AA,"+"),TC),"+"),RA);
| str
|
| dnsServer | - | null(ip4("0.0.0.0"))
| ip4
|
| srcPort | id_orig_p | | int8
|
| destPort | id_resp_p | str(id_resp_p)
| str
|
| PID | - | null("")
| str
|
| TTL | TTLs | | str
|
| requestCount | - | null("")
| str
|
| qclass | qclass_name | | str
|
| category | - | null("")
| str
|
| answers | answers | | str
|
| source | - | "ids.corelight.dns"
| str
|
| protocol | proto | | str
|
| qr | - | "Q"
| str
|
| rawMessage | rawMessage | | str
| ✓ | client | client | | str
| ✓ | hostchain | hostchain | | str
| ✓ | tag | tag | | str
| ✓ | layout | layout | | str
| ✓ | raw | layout | | str
| ✓ |
|