Forum Discussion
Infoblox and Parsing Questions
Thanks Thomas.
I don't think "facility" has anything to do with the case of Infoblox query/response logs, because the Fluentd settings match on two keywords in order to process logs further, and those are CEF/ASA. Infoblox query/response logs don't have either of the two keywords.
I understand from you that a Sentinel Connector has nothing to do with parsing. Correct?
Do you know where syslog payload parsing takes place? On the OMSAgent side or on the Sentinel WA side?
majo1 According to my experience with Azure Sentinel, the parsing has to be done at the Syslog server.
However, I would imagine that there could be a trick to parse it using Azure Logic App or Azure Functions, but that would come with additional cost.
For your case, I would first check on the Syslog appliance whether Infoblox can send logs in the CEF format and, if not, parse the logs at the Syslog server and make sure they are in the CEF format, which is an industry-standard log format on top of Syslog.
I saw in the Infoblox documentation that, for instance, "Threat Protection Events" can be sent in the CEF format. https://docs.infoblox.com/display/nios84/Monitoring+through+Syslog
Hope it helps.
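As an added illustration of the "parse at the Syslog server and emit CEF" approach suggested above (example code, not from the thread or from Infoblox), this rewrites BIND-style DNS query-log lines into CEF records so a CEF-keyed pipeline can pick them up. The sample lines, the regex field order and the header vendor/product/version strings are assumptions and would need adjusting to the real NIOS output.

```python
import re

# Constructed sample lines in the BIND-style query-log syntax that Infoblox NIOS
# emits (assumption: field order may differ per NIOS version; adjust QUERY_RE).
SAMPLE_LINES = [
    "client 10.1.2.3#51234: query: www.example.com IN A + (10.1.2.53)",
    "client 10.1.2.4#40211: query: mail.example.net IN MX - (10.1.2.53)",
    "zone example.com/IN: loaded serial 2024010101",   # not a query line: skipped
]

QUERY_RE = re.compile(
    r"client (?P<src>[\d.]+)#(?P<spt>\d+): query: (?P<qname>\S+) "
    r"(?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) \((?P<dst>[\d.]+)\)"
)

# Placeholder header values; take the real vendor/product/version from the appliance.
VENDOR, PRODUCT, VERSION = "Infoblox", "NIOS", "0.0"

def cef_header_escape(value):
    # CEF header fields: backslash and pipe must be escaped.
    return value.replace("\\", "\\\\").replace("|", "\\|")

def cef_ext_escape(value):
    # CEF extension values: backslash, equals sign and line breaks must be escaped.
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))

def parse_query(line):
    """Return the named fields of a DNS query line, or None if it is not one."""
    m = QUERY_RE.search(line)
    return m.groupdict() if m else None

def to_cef(line):
    """Rewrite one query line as a CEF record; None for lines that do not match."""
    f = parse_query(line)
    if f is None:
        return None
    header = "|".join(cef_header_escape(v) for v in
                      ("CEF:0", VENDOR, PRODUCT, VERSION, "DNSQuery", "DNS query", "3"))
    ext = [("src", f["src"]), ("spt", f["spt"]), ("dst", f["dst"]),
           ("destinationDnsDomain", f["qname"]),
           ("cs1Label", "qtype"), ("cs1", f["qtype"]),
           ("cs2Label", "queryFlags"), ("cs2", f["flags"])]
    return header + "|" + " ".join(f"{k}={cef_ext_escape(v)}" for k, v in ext)

def convert_all(lines):
    """CEF records for every query line; non-query lines are dropped."""
    return [c for c in map(to_cef, lines) if c is not None]

if __name__ == "__main__":
    for rec in convert_all(SAMPLE_LINES):
        print(rec)
```

Non-query lines (zone loads, notifies) are dropped here; in production you would route them to a separate output rather than discard them.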