elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

[Infoblox NIOS] Parse infoblox_nios.log.dns.message field #8930

Open jamiehynds opened 8 months ago

jamiehynds commented 8 months ago

There is a field infoblox_nios.log.dns.message which contains further information about RPZ, not currently mapped within our integration (v1.19.4). Can we adjust our pipeline to correctly parse/map that field? More information on the structure here.

Unsure if the same event is produced by Infoblox BloxOne; if it is, we should aim to update that integration pipeline too.

Custom pipeline shared by a user:

[
    {
        "remove": {
            "field": "related.ip",
            "ignore_missing": true,
            "ignore_failure": true
        }
    },
    {
        "gsub": {
            "field": "infoblox_nios.log.dns.message",
            "pattern": "\"",
            "replacement": ""
        }
    },
    {
        "dissect": {
            "field": "infoblox_nios.log.dns.message",
            "pattern": "rpz %{msg.rpz_rule_type} %{query_class} %{msg.action} %{msg.domain} %{msg.query_class_rewrite} via %{msg.domain_rewrite} CAT=%{msg.type}",
            "ignore_missing": true,
            "ignore_failure": true
        }
    }
]
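To see what the three processors above actually do to an event before touching the integration pipeline, here is a small stand-alone simulation of them. This is an added example, not code from the issue or from the integration: it reuses the user's field name and dissect pattern verbatim, but the sample messages are constructed to fit that pattern (the real Infoblox RPZ message layout should be confirmed against the vendor documentation linked above), and events are kept as flat dotted keys rather than the nested objects Elasticsearch would produce.

```python
import re
from typing import Optional

# Field name and dissect pattern copied verbatim from the pipeline posted above.
MESSAGE_FIELD = "infoblox_nios.log.dns.message"
RPZ_PATTERN = (
    "rpz %{msg.rpz_rule_type} %{query_class} %{msg.action} %{msg.domain} "
    "%{msg.query_class_rewrite} via %{msg.domain_rewrite} CAT=%{msg.type}"
)


def compile_dissect(pattern: str):
    """Translate a dissect pattern into an anchored regex plus the ordered key list.

    Every %{key} becomes a non-greedy named group and the text between keys is
    matched literally, which is what dissect does: a field consumes input up to
    the next literal delimiter. Keys may contain dots, which regex group names
    may not, so groups are numbered and mapped back to keys afterwards.
    """
    parts = re.split(r"%\{([^}]+)\}", pattern)  # literal, key, literal, key, ...
    keys = parts[1::2]
    regex = "".join(
        re.escape(part) if i % 2 == 0 else f"(?P<f{i // 2}>.+?)"
        for i, part in enumerate(parts)
    )
    return re.compile("^" + regex + "$"), keys


DISSECT_RE, DISSECT_KEYS = compile_dissect(RPZ_PATTERN)


def apply_pipeline(event: dict) -> dict:
    """Run the three processors from the posted pipeline over one flat event."""
    out = dict(event)
    # Processor 1: remove related.ip (ignore_missing / ignore_failure: true).
    out.pop("related.ip", None)

    # Processor 2: gsub strips every double quote from the message.
    msg = out.get(MESSAGE_FIELD)
    if msg is None:
        return out  # nothing to parse (assumption: treat a missing field as a no-op)
    msg = msg.replace('"', "")
    out[MESSAGE_FIELD] = msg

    # Processor 3: dissect. On no match the event passes through unchanged
    # (ignore_failure: true), so ordinary non-RPZ DNS messages are not dropped.
    m = DISSECT_RE.match(msg)
    if m is None:
        return out
    for i, key in enumerate(DISSECT_KEYS):
        out[key] = m.group(f"f{i}")
    return out


def rpz_fields(event: dict) -> Optional[dict]:
    """Return only the dissected keys for an event, or None if dissect did not fire."""
    parsed = apply_pipeline(event)
    if DISSECT_KEYS[0] not in parsed:
        return None
    return {k: parsed[k] for k in DISSECT_KEYS}


# Constructed sample events (not real Infoblox output): one RPZ hit whose domain
# is quoted, and one ordinary query log line that the pattern must leave alone.
RPZ_EVENT = {
    "related.ip": ["10.0.0.5"],
    MESSAGE_FIELD: 'rpz QNAME NXDOMAIN rewrite "malware.example" [A] '
                   "via malware.example.rpz.local CAT=Malware",
}
QUERY_EVENT = {
    MESSAGE_FIELD: "client 10.0.0.5#53412: query: www.example.com IN A + (10.0.0.1)",
}

if __name__ == "__main__":
    for ev in (RPZ_EVENT, QUERY_EVENT):
        print(apply_pipeline(ev))
```

Two things worth noticing when running this: the gsub step is what makes the quoted domain dissect cleanly, and a message that does not start with "rpz " simply passes through because of ignore_failure. Note also that the gsub processor as posted has no ignore_missing, so in Elasticsearch an event without infoblox_nios.log.dns.message would fail the pipeline rather than pass through as the simulation above does.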

elasticmachine commented 8 months ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

efd6 commented 7 months ago

@jamiehynds AFAICS there is no data from the Infoblox BloxOne API that we hit that corresponds to this.

The documentation linked above also mentions "Security Policy Hit" log messages, but we have no example of that. Can you reach out to the user to ask if they have examples of these as well?