Forum Discussion
Infoblox and Parsing Questions
This solution includes various parsers including DNS log Parser.
- mredbourne2405, Oct 26, 2022, Copper Contributor
I've seen that - and the connector is indeed in Sentinel - InfoBlox NIOS (Preview). But neither InfoBlox, nor Microsoft describe in what fashion they expect the data to arrive in [from the documentation I've read]. I'm assuming given the poorly laid out logs, this is supposed to be a standardized syslog message. Can you confirm that?
I've defined within the security-config-omsagent.conf file a line that handles its specific syslog. It amounts to nothing more than a policy which checks if the hostname is contained in the raw payload.
My problem here is that Sentinel refuses to recognize that InfoBlox NIOS logs are now flowing into the Syslog table. Attempts to manually add the Parser Functions through the Github link simply fail to execute (scalar problem with |project Source). Indeed, if I do check the Syslog table with a DHCPD parser, I get results.
Which is easy enough to fix, if all that's truly doing is considering the data source - which in this case will always contain "infoblox". But I'm still faced with problems concerning the data connector, which would be preferable to have operational. Any insights into this?
- JasonS1990, Feb 16, 2023, Copper Contributor
I have been going back and forth with Microsoft support on this for months, I am experiencing the exact same issues as mredbourne2405. Has anyone found a solution or workaround?
- mredbourne2405, Feb 16, 2023, Copper Contributor
Hey Jason,
I have about 2 dozen (or so) Infoblox sub-parsers attached to a primary parser. "Infoblox" is the primary one, and unions the other ones together.
Here's one of the subparsers:
I would also double check your Watchlists defined in Sentinel. There should be a Watchlist called "Sources_by_SourceType". In it you need a SourceType called "InfobloxNIOS" with one or more keys assigned to it.
I set both of mine to the Hostname and the FQDN of the reporting log sources. (Some information scrubbed...)
Double check that those are set up correctly. If they are, attach a couple error messages from Sentinel so I can review it. We did eventually get NIOS logs working - though without support from Microsoft.
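For readers following the two posts above, here is a sketch of the structure they describe: a primary parser that restricts the Syslog table to the hosts listed under the "InfobloxNIOS" SourceType of the "Sources_by_SourceType" watchlist, then unions a couple of sub-parsers. This is an added illustration, not the thread author's parser and not Microsoft's or Infoblox's published code. The watchlist column names (SearchKey, Source), the ProcessName values and the extract patterns are assumptions chosen for the example; adjust them to the actual watchlist layout and log format.

```kql
// Added example: watchlist-driven primary parser with two illustrative sub-parsers.
// Assumed watchlist layout: SearchKey holds the SourceType, Source holds a hostname or FQDN.
let InfobloxSources = (
    _GetWatchlist('Sources_by_SourceType')
    | where SearchKey == 'InfobloxNIOS'
    | project Source
);
// Base filter: only Syslog rows from hosts registered in the watchlist.
// If the watchlist or the SourceType entry is missing, this yields no rows,
// which is the first thing to verify when a parser returns nothing.
let InfobloxBase = (
    Syslog
    | where Computer in (InfobloxSources) or HostName in (InfobloxSources)
);
// Hypothetical DNS sub-parser: client address and query name from a BIND-style query line.
let InfobloxDNS = (
    InfobloxBase
    | where ProcessName == 'named'
    | extend ClientIP = extract(@"client (\d+\.\d+\.\d+\.\d+)#\d+", 1, SyslogMessage),
             QueryName = extract(@"query: (\S+)", 1, SyslogMessage)
    | project TimeGenerated, Computer, ProcessName, ClientIP, QueryName, SyslogMessage
);
// Hypothetical DHCP sub-parser: acknowledged lease address from a dhcpd line.
let InfobloxDHCP = (
    InfobloxBase
    | where ProcessName == 'dhcpd'
    | extend LeaseIP = extract(@"DHCPACK on (\d+\.\d+\.\d+\.\d+)", 1, SyslogMessage)
    | project TimeGenerated, Computer, ProcessName, LeaseIP, SyslogMessage
);
// Primary parser: union the sub-parsers; isfuzzy tolerates one of them being empty.
union isfuzzy=true InfobloxDNS, InfobloxDHCP
```

Before saving this as a function, run the InfobloxSources part on its own (the first `let` body) to confirm the watchlist returns the expected hostnames; an empty result there explains an empty parser output without any fault in the sub-parsers.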