Forum Discussion

majo1's avatar
majo1
Copper Contributor
Dec 23, 2019

Infoblox and Parsing Questions

Hello,

 

Have Infoblox DNS Query/Response logs been tested with Azure Sentinel ?

I am testing it and have found that Infoblox DNS seems to generate only Threat Logs in CEF. The other DNS logging categories, such as DNS Queries/Responses, are logged in some non-CEF format over syslog, like the following:

##<166>Dec 23 12:54:05 infoblox1.localdomain named[12821]: client @0x7fbc3c0cc6e0 192.168.80.1#57296 (server1.fwd1): query: server1.fwd1 IN A + (192.168.80.200)

 

I can't even see these logs in the Sentinel Workspace. The logs arrive at the on-repm Syslog Agent and are forwarded to omsagent process over port 25226, but beyond that i don't see them anywhere.

The OMSAgent fluentd parsing checks that the incoming message has "CEF or ASA" keywords before processing the message further. Which seems to be a showstopper for the above mentioned syslog message.

 

Please advise:

1. Should we create a custom parser for Infoblox query/response logs or Microsoft has already addressed them  ?

2. Does the syslog message(payload) parsing occur at the OMSAgent side or at the Azure Sentinel Workspace side ?

 

3. By having a vendor connector listed in Azure Sentinel connector list, such as ASA, Fortigate, .., does this mean having "parser" in the background ? I noticed that vendor connectors do query the CommonSecurityLog with filter of "device vendor" , so i don't fully understand the technical meaning of "having a connector for X vendor".

 

4. How to troubleshoot logs processing and ingestion after the logs are delivered from the syslog daemon to the omsagent daemon? Any troublehsoot files or tables to look into  ?

 

Thanks in advance.

 

  • thomasdefise's avatar
    thomasdefise
    Brass Contributor

    Hello majo1 

     

    I would suggest checking that you configure to receive from the correct Syslog Facility from Infoblox devices.
    As there is no connector for Infoblox at the time being, it means that there are no pre-built queries, workbooks, notebooks that are already made by Microsoft inside Azure Sentinel. However, you can always look at the community GitHub to see if there is some work that has been made to enrich Infoblox logs.
    If you have a connector for an existing solution such as for instance Palo Alto Networks or Fortinet, you can use pre-build queries (Kusto queries), Dashboards (Notebooks), ... that have already been pre-made for you.

    Also, you could check at everything linked to the "DNS" connector as some of the hunting queries could be adapted to work with Infoblox logs.

    Hope it helps,

    Thomas

    • majo1's avatar
      majo1
      Copper Contributor

      thomasdefise 

       

      Thanks Thomas.

      I don't think "facility" has something to do with the case of infoblox query/response logs, because Fluentd settings match on two keywords in order to process logs further and those are CEF/ASA . Infoblox query/response logs doesn't have any of the two keywords.

       

      I understand from you that A Sentinel Connector has nothing to do with parsing. Correct ?

      Do you know where syslog payload parsing takes place ? At OMSAgent side or At Sentinel WA side ?

       

       

      • thomasdefise's avatar
        thomasdefise
        Brass Contributor

        majo1 According to my experience with Azure Sentinel, the parsing has to be done at the Syslog server.
        However, I would imagine that there could be a trick to parse it using Azure Logic App or Azure Functions but would come with additional cost.
        For your case, I would first check on the Syslog appliance if they Infoblox can send logs in the CEF format and if not parse the logs at the Syslog server and make sure they are in the CEF format which is an industry-standard log format on top of Syslog.

        I on the Infoblox documentation that for instance "Threat Protection Events" can be sent in the CEF format. https://docs.infoblox.com/display/nios84/Monitoring+through+Syslog

        Hope it helps.

      • mredbourne2405's avatar
        mredbourne2405
        Copper Contributor

        varunkohli 

        I've seen that - and the connector is indeed in Sentinel - InfoBlox NIOS (Preview). But neither InfoBlox, nor Microsoft describe in what fashion they expect the data to arrive in [from the documentation I've read]. I'm assuming given the poorly laid out logs, this is supposed to be a standardized syslog message. Can you confirm that?

         

        I've defined within the security-config-omsagent.conf file a line that handle its specific syslog. It amounts to nothing more than a policy which checks if the hostname is contained in the raw payload. 

         

        My problem here is that Sentinel refuses to recognize that InfoBlox NIOS logs are now flowing into the Syslog table. Attempts to manually add the Parser Functions through the Github link simply fail to execute (scalar problem with |project Source). Indeed, fi I do check the Syslog table with a DHCPD parser, I get results.

         

         

         

        Which is easy enough to fix, if all that's truly doing is considering the data source - which in this case will always contain "infoblox". But I'm still faced with problems concerning the data connector, which would be preferable to have operational. Any insights into this?

Resources