Infoblox Reporting. DNS Top RPZ Hits with Discovered Name.

This is a custom version of the “DNS Top RPZ Hits” report with the Discovered Name and Network View fields added and the Time field removed.

The solution is not performance friendly: there is no lookup table, so the discovered names are pulled in with a join against a subsearch of the discovery index. To use it, clone the stock report and replace the search string behind its table with the one below. I also got rid of the Time field.

DNS TOP RPZ Hits with Discovered Name

index=ib_dns_summary report=si_dns_rpz_hits $client_str$ $domain_name_str$ $dns_view_str$ $members$ $mitigation_action_str$ $rpz_zone_str$ $rpz_entry_str$ $severity_str$
| eval DNS_VIEW=if(isnull(display_name), "NULL", display_name)
| eval RECORD_DATA=if(isnull(RECORD_DATA), "", RECORD_DATA)
| eval RPZ_QNAME=if(isnull(RPZ_QNAME), "", RPZ_QNAME)
| eval RPZ_SEVERITY=if(isnull(RPZ_SEVERITY), "", RPZ_SEVERITY)
| where MITIGATION_ACTION != "ER"
| stats sum(COUNT) as QCOUNT by _time, CLIENT, DOMAIN_NAME, DNS_VIEW, orig_host, TOTAL_COUNT, MITIGATION_ACTION, RPZ_SEVERITY, RECORD_DATA, RPZ_QNAME
| stats sum(TOTAL_COUNT) as TOTAL_COUNT, sum(QCOUNT) as QCOUNT by CLIENT, DOMAIN_NAME, DNS_VIEW, MITIGATION_ACTION, RPZ_SEVERITY, RECORD_DATA, RPZ_QNAME
| sort -QCOUNT
| head $topn$
| eval MITIGATION_ACTION=case(MITIGATION_ACTION == "PT", "Passthru", MITIGATION_ACTION == "NX", "Block (No Such Domain)", MITIGATION_ACTION == "ND", "Block (No Data)", MITIGATION_ACTION == "SB", "Substitute", MITIGATION_ACTION == "A1", "Substitute (A)", MITIGATION_ACTION == "A4", "Substitute (AAAA)", MITIGATION_ACTION == "AA", "Substitute (A/AAAA)", MITIGATION_ACTION == "DN", "Substitute (Domain Name)", MITIGATION_ACTION == "ER", "Error")
| eval RPZ_SEVERITY=case(RPZ_SEVERITY == "4", "INFORMATIONAL", RPZ_SEVERITY == "6", "WARNING", RPZ_SEVERITY == "7", "MAJOR", RPZ_SEVERITY == "8", "CRITICAL", RPZ_SEVERITY == "", "")
| rename CLIENT as "Client ID", QCOUNT as "Total Client Hits", DOMAIN_NAME as "Domain Name", TOTAL_COUNT as "Total Rule Hits", RPZ_QNAME as "RPZ Entry", RPZ_SEVERITY as "RPZ Severity", MITIGATION_ACTION as "Mitigation Action", RECORD_DATA as "Substitute Addresses"
| join type=left "Client ID" [search index=ib_discovery source="ib:discovery:ipaddr_activity" | stats latest(_time) by IPADDR, DISCOVERED_NAME, NETWORK_VIEW | rename IPADDR as "Client ID" | table "Client ID", DISCOVERED_NAME, NETWORK_VIEW]
| table "Client ID", DISCOVERED_NAME, NETWORK_VIEW, "Total Client Hits", "Domain Name", "RPZ Entry", "RPZ Severity", "Total Rule Hits", "Mitigation Action", "Substitute Addresses"
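As an added example (not from the original post), the same enrichment done with a CSV lookup instead of the join: a scheduled search writes the latest discovered name and network view per IP address to a lookup file, and the report then enriches only its top-N rows with lookup, so the discovery subsearch no longer runs every time the report loads. The lookup file name rpz_client_discovery.csv is an assumption; depending on the Splunk version, a lookup definition with that name may have to be created before the report search can reference it.

```spl
index=ib_discovery source="ib:discovery:ipaddr_activity"
| stats latest(DISCOVERED_NAME) as DISCOVERED_NAME, latest(NETWORK_VIEW) as NETWORK_VIEW by IPADDR
| outputlookup rpz_client_discovery.csv

index=ib_dns_summary report=si_dns_rpz_hits $client_str$ $domain_name_str$ $dns_view_str$ $members$ $mitigation_action_str$ $rpz_zone_str$ $rpz_entry_str$ $severity_str$
| eval DNS_VIEW=if(isnull(display_name), "NULL", display_name)
| eval RECORD_DATA=if(isnull(RECORD_DATA), "", RECORD_DATA)
| eval RPZ_QNAME=if(isnull(RPZ_QNAME), "", RPZ_QNAME)
| eval RPZ_SEVERITY=if(isnull(RPZ_SEVERITY), "", RPZ_SEVERITY)
| where MITIGATION_ACTION != "ER"
| stats sum(COUNT) as QCOUNT by _time, CLIENT, DOMAIN_NAME, DNS_VIEW, orig_host, TOTAL_COUNT, MITIGATION_ACTION, RPZ_SEVERITY, RECORD_DATA, RPZ_QNAME
| stats sum(TOTAL_COUNT) as TOTAL_COUNT, sum(QCOUNT) as QCOUNT by CLIENT, DOMAIN_NAME, DNS_VIEW, MITIGATION_ACTION, RPZ_SEVERITY, RECORD_DATA, RPZ_QNAME
| sort -QCOUNT
| head $topn$
| lookup rpz_client_discovery.csv IPADDR as CLIENT OUTPUT DISCOVERED_NAME, NETWORK_VIEW
| eval MITIGATION_ACTION=case(MITIGATION_ACTION == "PT", "Passthru", MITIGATION_ACTION == "NX", "Block (No Such Domain)", MITIGATION_ACTION == "ND", "Block (No Data)", MITIGATION_ACTION == "SB", "Substitute", MITIGATION_ACTION == "A1", "Substitute (A)", MITIGATION_ACTION == "A4", "Substitute (AAAA)", MITIGATION_ACTION == "AA", "Substitute (A/AAAA)", MITIGATION_ACTION == "DN", "Substitute (Domain Name)", MITIGATION_ACTION == "ER", "Error")
| eval RPZ_SEVERITY=case(RPZ_SEVERITY == "4", "INFORMATIONAL", RPZ_SEVERITY == "6", "WARNING", RPZ_SEVERITY == "7", "MAJOR", RPZ_SEVERITY == "8", "CRITICAL", RPZ_SEVERITY == "", "")
| rename CLIENT as "Client ID", QCOUNT as "Total Client Hits", DOMAIN_NAME as "Domain Name", TOTAL_COUNT as "Total Rule Hits", RPZ_QNAME as "RPZ Entry", RPZ_SEVERITY as "RPZ Severity", MITIGATION_ACTION as "Mitigation Action", RECORD_DATA as "Substitute Addresses"
| table "Client ID", DISCOVERED_NAME, NETWORK_VIEW, "Total Client Hits", "Domain Name", "RPZ Entry", "RPZ Severity", "Total Rule Hits", "Mitigation Action", "Substitute Addresses"
```

The first search is meant to be saved as a scheduled report (for example hourly) so the lookup file is refreshed on its own; the lookup is placed after head so it touches only the rows that end up in the table.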

Vadim
