Hello,
Have Infoblox DNS Query/Response logs been tested with Azure Sentinel?
I am trying to test it, so far I found the following:
1. Infoblox DNS seems to generate only Threat Logs in CEF. The other logging categories, such as DNS Queries/Responses, are logged in some non-CEF format over syslog, like the following:
#<166>Dec 23 12:54:05 infoblox1.localdomain named[12821]: client @0x7fbc3c0cc6e0 192.168.80.1#57296 (server1.fwd1): query: server1.fwd1 IN A + (192.168.80.200)
I am not even seeing these logs in the Sentinel Workspace. The logs arrive at the Syslog Agent and get forwarded to the omsagent process over port 25226, but beyond that I don't see them anywhere.
Please advise:
1. Should we create a custom parser for Infoblox query/response logs, or has Microsoft already addressed them?
2. How to troubleshoot log processing and ingestion after the logs are delivered from the syslog daemon to the omsagent daemon? Any troubleshooting files or tables to look into?
3. By having a vendor connector listed in the Azure Sentinel connector list, such as ASA, Fortigate, .., does this mean having a "parser" in the background? The thing is, all such vendor connectors do query the CommonSecurityLog with a filter of "device vendor", so I don't fully understand the technical meaning of "having an xx vendor connector".
Thanks in advance.
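As an added illustration of what a custom parser for the non-CEF query line quoted in the question would have to extract (this is example code written for this thread, not from the original post, Microsoft, or Infoblox): the Python below splits the BIND-style `named` query line into syslog priority, host, process id, client address/port, query name, class, type, flags and the answering server address. The field names, the extra constructed sample lines, and reading the leading `+`/`-` of the flags field as recursion-desired set/unset are assumptions of this example. Lines that do not match (such as zone-load messages) are returned separately, which is the first thing to check when a message reaches the agent but never shows up as a parsed record; in Sentinel the same extraction would be done in KQL over the raw message of the Syslog table.

```python
import re
from collections import Counter

# Constructed sample input. The first line is exactly the one quoted in the
# question (including the leading '#'); the others are made up in the same
# format and are not real Infoblox output.
SAMPLE_LINES = [
    "#<166>Dec 23 12:54:05 infoblox1.localdomain named[12821]: client @0x7fbc3c0cc6e0 "
    "192.168.80.1#57296 (server1.fwd1): query: server1.fwd1 IN A + (192.168.80.200)",
    "<166>Dec 23 12:54:06 infoblox1.localdomain named[12821]: client @0x7fbc3c0cc6e0 "
    "192.168.80.1#57297 (example.test): query: example.test IN AAAA +E (192.168.80.200)",
    "<166>Dec 23 12:54:07 infoblox1.localdomain named[12821]: client @0x7fbc3c0d1a20 "
    "192.168.80.7#40213 (mail.example.test): query: mail.example.test IN MX -T (192.168.80.200)",
    "<166>Dec 23 12:54:08 infoblox1.localdomain named[12821]: zone example.test/IN: loaded serial 2020122301",
]

# Shape of a BIND/Infoblox query-log line as seen in the question:
#   <PRI>Mon DD HH:MM:SS host named[pid]: client [@0xPTR] IP#PORT [(qname)]: query: QNAME CLASS TYPE FLAGS [(server)]
# The '@0x...' client pointer and the trailing server address are optional
# because older BIND releases omit them. A leading '#' is tolerated.
QUERY_RE = re.compile(
    r"^#?(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) named\[(?P<pid>\d+)\]: "
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<client_ip>[0-9a-fA-F.:]+)#(?P<client_port>\d+)"
    r"(?: \([^)]*\))?: query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
    r"(?: \((?P<server_ip>[0-9a-fA-F.:]+)\))?\s*$"
)


def parse_query_line(line):
    """Return a dict of fields for a query-log line, or None if it is not one."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    rec = {
        "timestamp": d["ts"],
        "host": d["host"],
        "pid": int(d["pid"]),
        "client_ip": d["client_ip"],
        "client_port": int(d["client_port"]),
        "qname": d["qname"].rstrip(".").lower(),   # normalise for grouping
        "qclass": d["qclass"],
        "qtype": d["qtype"],
        "flags": d["flags"],
        # Assumption: first flag char '+' means RD (recursion desired) was set.
        "recursion_desired": d["flags"].startswith("+"),
        "server_ip": d["server_ip"],
    }
    if d["pri"] is not None:
        pri = int(d["pri"])          # syslog PRI = facility * 8 + severity
        rec["facility"] = pri >> 3
        rec["severity"] = pri & 7
    return rec


def parse_lines(lines):
    """Split raw lines into parsed records and the lines the parser rejected."""
    parsed, unparsed = [], []
    for line in lines:
        rec = parse_query_line(line)
        if rec is None:
            unparsed.append(line)
        else:
            parsed.append(rec)
    return parsed, unparsed


def queries_per_client(records):
    """Count parsed queries by source address (a typical first pivot)."""
    return Counter(r["client_ip"] for r in records)


def queries_per_type(records):
    """Count parsed queries by record type."""
    return Counter(r["qtype"] for r in records)


if __name__ == "__main__":
    recs, rejected = parse_lines(SAMPLE_LINES)
    for r in recs:
        print(f'{r["client_ip"]:>14} -> {r["qname"]:<20} {r["qtype"]:<5} rd={r["recursion_desired"]}')
    print("per client:", dict(queries_per_client(recs)))
    print("per type:  ", dict(queries_per_type(recs)))
    print("unparsed:  ", len(rejected), "line(s)")
```

Running it prints one row per query plus the two counters and reports the zone-load line as unparsed; in practice the rejected list is what you would inspect to see which message shapes the parser still misses.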