Forum Discussion
Infoblox and Parsing Questions
This solution includes various parsers, including a DNS log parser.
I've seen that - and the connector is indeed in Sentinel - InfoBlox NIOS (Preview). But neither InfoBlox nor Microsoft describes in what fashion they expect the data to arrive [from the documentation I've read]. I'm assuming, given the poorly laid out logs, this is supposed to be a standardized syslog message. Can you confirm that?
I've defined within the security-config-omsagent.conf file a line that handles its specific syslog. It amounts to nothing more than a policy which checks if the hostname is contained in the raw payload.
My problem here is that Sentinel refuses to recognize that InfoBlox NIOS logs are now flowing into the Syslog table. Attempts to manually add the Parser Functions through the GitHub link simply fail to execute (scalar problem with |project Source). Indeed, if I do check the Syslog table with a DHCPD parser, I get results.
Which is easy enough to fix, if all it's truly doing is considering the data source - which in this case will always contain "infoblox". But I'm still faced with problems concerning the data connector, which would be preferable to have operational. Any insights into this?
- JasonS1990, Feb 16, 2023, Copper Contributor
I have been going back and forth with Microsoft support on this for months. I am experiencing the exact same issues as mredbourne2405. Has anyone found a solution or workaround?
- mredbourne2405, Feb 16, 2023, Copper Contributor
Hey Jason,
I have about 2 dozen (or so) Infoblox sub-parsers attached to a primary parser. "Infoblox" is the primary one, and unions the other ones together.
Here's one of the sub-parsers:
I would also double check your Watchlists defined in Sentinel. There should be a Watchlist called "Sources_by_SourceType". In it you need a SourceType called "InfobloxNIOS" with one or more keys assigned to it.
I set mine to both the Hostname and the FQDN of the reporting log sources. (Some information scrubbed...)
Double check that those are set up correctly. If they are, attach a couple error messages from Sentinel so I can review it. We did eventually get NIOS logs working - though without support from Microsoft.
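An added example of the pattern the two posts above describe (filter the Syslog table down to reporters listed in the Sources_by_SourceType watchlist, split the rows into per-service sub-parsers, and union them under one primary parser). This is not Microsoft's or Infoblox's parser and not the sub-parser mredbourne2405 refers to; the watchlist columns SourceType and Source, the output field names, and the sample log lines are assumptions constructed for illustration, and the two datatable stand-ins exist only so the query runs in any Kusto environment. In Sentinel you would use _GetWatchlist('Sources_by_SourceType') and the real Syslog table instead.

```kql
// Added example, not the connector's own parser. Watchlist column names,
// output field names and the log lines below are assumptions/constructed.
//
// 1) Allow-list of reporting hosts. In Sentinel this block would read:
//      let InfobloxSources = _GetWatchlist('Sources_by_SourceType')
//          | where SourceType == 'InfobloxNIOS'
//          | project Source;
//    The datatable stands in so the query runs outside Sentinel. Listing both
//    the short hostname and the FQDN covers either form of the Computer field.
let InfobloxSources = datatable(SourceType:string, Source:string) [
    'InfobloxNIOS', 'ib-grid-01',
    'InfobloxNIOS', 'ib-grid-01.corp.example.com'
]
| where SourceType == 'InfobloxNIOS'
| project Source;
// 2) Constructed stand-in for the Syslog table (ISC-style dhcpd/named lines).
//    In Sentinel, drop this block and use the Syslog table directly.
let SyslogSample = datatable(TimeGenerated:datetime, Computer:string, HostName:string,
                             ProcessName:string, SyslogMessage:string) [
    datetime(2023-02-16T10:00:01Z), 'ib-grid-01', 'ib-grid-01', 'dhcpd',
        'DHCPDISCOVER from aa:bb:cc:dd:ee:ff via eth1',
    datetime(2023-02-16T10:00:02Z), 'ib-grid-01', 'ib-grid-01', 'dhcpd',
        'DHCPACK on 10.20.30.40 to aa:bb:cc:dd:ee:ff (laptop-42) via eth1',
    datetime(2023-02-16T10:00:03Z), 'ib-grid-01', 'ib-grid-01', 'named',
        'client 10.20.30.40#51234: query: www.example.com IN A + (10.20.0.5)',
    datetime(2023-02-16T10:00:04Z), 'other-host', 'other-host', 'dhcpd',
        'DHCPACK on 10.9.9.9 to 11:22:33:44:55:66 via eth0'
];
// 3) Common base: only rows whose reporter is on the allow-list.
//    'in' accepts a single-column tabular expression, so no scalar
//    conversion of the watchlist is needed.
let InfobloxBase = SyslogSample
| where Computer in (InfobloxSources) or HostName in (InfobloxSources);
// 4) Sub-parser: DHCP lease messages. parse-where drops rows that do not
//    match the pattern (e.g. DHCPDISCOVER, which has no 'on <ip>').
let InfobloxDHCP = InfobloxBase
| where ProcessName == 'dhcpd'
| parse-where SyslogMessage with DhcpMsgType ' on ' LeaseIp ' to ' ClientMac ' ' Rest
| extend ClientHostname = extract(@'\(([^)]+)\)', 1, Rest)
| project TimeGenerated, Computer, EventType = 'DHCP',
          DhcpMsgType, LeaseIp, ClientMac, ClientHostname;
// 5) Sub-parser: DNS query messages from named.
let InfobloxDNS = InfobloxBase
| where ProcessName == 'named'
| parse-where SyslogMessage with 'client ' SrcIp '#' SrcPort:int ': query: '
                                 QueryName ' IN ' QueryType ' ' Rest
| project TimeGenerated, Computer, EventType = 'DNS',
          SrcIp, SrcPort, QueryName, QueryType;
// 6) Primary parser: union the sub-parsers into one result set.
//    Expected: two rows (one DHCP, one DNS); the other-host row is filtered
//    out in step 3 and the DHCPDISCOVER line in step 4.
union InfobloxDHCP, InfobloxDNS
| order by TimeGenerated asc
```

When the allow-list is empty (no watchlist, or no rows with the expected SourceType), step 3 returns nothing and every sub-parser is empty, so checking the watchlist query on its own is the first thing to do when a parser returns no rows while the raw Syslog table does.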
- JasonS1990, Feb 16, 2023, Copper Contributor
Hey, thanks for getting back to me!
So I did try the watchlist solution before with support. I made the source type "infobloxNIOS", like the data connector seems to want, and the source our Infoblox servers. Unfortunately it didn't seem to change anything. The data connector still hasn't changed to green indicating a connection.
As far as errors go, there are none; that's the odd thing. I am technically getting the data, it's just not parsing correctly. Can you share that sub-parser code though? I have not tried that yet.