threatintel.bandura

[ 1 Introduction ] [ 2 Valid tags and data tables ] [ 3 Table structure ] [ 4 How is data sent to Devo? ]

Introduction

The tags beginning with threatintel.bandura identify events generated by ThreatBlockr (formerly Bandura ThreatBlockr) belonging to ThreatBlockr.

Valid tags and data tables

The full tag must have 4 levels. The first two are fixed as threatintel.bandura. The third level identifies the type of events sent, and the fourth level indicates the event subtypes.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service	Tags	Data tables

Product / Service	Tags	Data tables
ThreatBlockr (formerly Bandura ThreatBlockr)	`threatintel.bandura.threatblockr.dnslog`	`threatintel.bandura.threatblockr.dnslog`
	`threatintel.bandura.threatblockr.dnsresplog`	`threatintel.bandura.threatblockr.dnsresplog`
	`threatintel.bandura.threatblockr.packetlog`	`threatintel.bandura.threatblockr.packetlog`

For more information, read more About Devo tags.

Table structure

These are the fields displayed in these tables:

threatintel.bandura.threatblockr.dnslog

Field	Type	Extra fields

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
action	`str`
proto	`str`
reason	`str`
src	`ip4`
dst	`ip4`
src_port	`int4`
dst_port	`int4`
domain	`str`
dl_active	`str`
dl_inactive	`str`
al_active	`str`
al_inactive	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

threatintel.bandura.threatblockr.dnsresplog

Field	Type	Extra fields

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
action	`str`
proto	`str`
reason	`str`
src	`ip4`
dst	`ip4`
src_port	`int4`
dst_port	`int4`
query_type	`str`
query_name	`str`
answer_type	`str`
answer_name	`str`
answer_value	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

threatintel.bandura.threatblockr.packetlog

Field	Type	Extra fields

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
action	`str`
direction	`str`
_group	`str`
proto	`str`
country	`str`
as_num	`int4`
as_name	`str`
reason	`str`
src	`ip4`
dst	`ip4`
src_port	`int4`
dst_port	`int4`
dl_active	`str`
dl_inactive	`str`
al_active	`str`
al_inactive	`str`
flags	`str`
tl	`str`
tl_category	`str`
tl_threshold	`str`
tl_score	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

How is data sent to Devo?

Logs generated by Bandura are forwarded to Devo using a dedicated collector. Contact us if you need to forward these events to your Devo domain so we can guide you through the process.