Infoblox and Parsing Questions


Hello,

 

Have Infoblox DNS Query/Response logs been tested with Azure Sentinel?

I am testing it and have found that Infoblox DNS seems to generate only Threat Logs in CEF. The other DNS logging categories, such as DNS Queries/Responses, are logged in some non-CEF format over syslog, like the following:

##<166>Dec 23 12:54:05 infoblox1.localdomain named[12821]: client @0x7fbc3c0cc6e0 192.168.80.1#57296 (server1.fwd1): query: server1.fwd1 IN A + (192.168.80.200)

 

I can't even see these logs in the Sentinel Workspace. The logs arrive at the on-prem Syslog Agent and are forwarded to the omsagent process over port 25226, but beyond that I don't see them anywhere.

The OMSAgent fluentd parsing checks that the incoming message has the "CEF" or "ASA" keywords before processing the message further, which seems to be a showstopper for the above-mentioned syslog message.

 

Please advise:

1. Should we create a custom parser for Infoblox query/response logs, or has Microsoft already addressed them?

2. Does the syslog message (payload) parsing occur at the OMSAgent side or at the Azure Sentinel Workspace side?

 

3. By having a vendor connector listed in the Azure Sentinel connector list, such as ASA, Fortigate, .., does this mean having a "parser" in the background? I noticed that vendor connectors do query the CommonSecurityLog with a filter of "device vendor", so I don't fully understand the technical meaning of "having a connector for X vendor".

 

4. How to troubleshoot log processing and ingestion after the logs are delivered from the syslog daemon to the omsagent daemon? Any troubleshooting files or tables to look into?

 

Thanks in advance.

 

3 Replies

Hello @majo1 

 

I would suggest checking that you have configured it to receive from the correct Syslog Facility from the Infoblox devices.
As there is no connector for Infoblox at the time being, it means that there are no pre-built queries, workbooks, or notebooks already made by Microsoft inside Azure Sentinel. However, you can always look at the community GitHub to see if there is some work that has been made to enrich Infoblox logs.
If you have a connector for an existing solution such as, for instance, Palo Alto Networks or Fortinet, you can use pre-built queries (Kusto queries), Dashboards (Notebooks), ... that have already been pre-made for you.

Also, you could check everything linked to the "DNS" connector, as some of the hunting queries could be adapted to work with Infoblox logs.

Hope it helps,

Thomas

@thomasdefise 

 

Thanks Thomas.

I don't think "facility" has something to do with the case of Infoblox query/response logs, because the Fluentd settings match on two keywords in order to process logs further, and those are CEF/ASA. Infoblox query/response logs don't have either of the two keywords.

 

I understand from you that a Sentinel Connector has nothing to do with parsing. Correct?

Do you know where syslog payload parsing takes place? At the OMSAgent side or at the Sentinel WA side?

 

 

@majo1 According to my experience with Azure Sentinel, the parsing has to be done at the Syslog server.
However, I would imagine that there could be a trick to parse it using Azure Logic App or Azure Functions, but that would come with additional cost.
For your case, I would first check on the Syslog appliance if the Infoblox can send logs in the CEF format and, if not, parse the logs at the Syslog server and make sure they are in the CEF format, which is an industry-standard log format on top of Syslog.

I saw in the Infoblox documentation that, for instance, "Threat Protection Events" can be sent in the CEF format. https://docs.infoblox.com/display/nios84/Monitoring+through+Syslog

Hope it helps.
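The thread leaves the practical step open: the original post shows the BIND-style `query:` line that Infoblox emits, and the last reply suggests converting such lines to CEF at the syslog server so that they pass the omsagent "CEF or ASA" keyword check. The following Python is an added example written for this page, not code from Microsoft, Infoblox or the posters. It parses the exact sample line from the first post (embedded as a constructed sample) into its fields and renders a CEF:0 line. The regular expression, the field names, and the CEF vendor, product, signature id and severity values are all assumptions made for the example; Infoblox's own CEF mapping for threat events is not reproduced here.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the DNS query line quoted in the original post. The
# leading "##" is how it appeared in the post and is tolerated by the parser.
SAMPLE_LINE = (
    "##<166>Dec 23 12:54:05 infoblox1.localdomain named[12821]: "
    "client @0x7fbc3c0cc6e0 192.168.80.1#57296 (server1.fwd1): "
    "query: server1.fwd1 IN A + (192.168.80.200)"
)

# BIND-style "query:" line as the Infoblox named process emits it over syslog.
# The pattern is an assumption for this example, based on the posted sample.
_QUERY_RE = re.compile(
    r"""
    ^(?:\#\#)?<(?P<pri>\d{1,3})>                   # syslog PRI = facility*8 + severity
    (?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s
    (?P<host>\S+)\s
    named\[(?P<pid>\d+)\]:\s
    client\s(?:@0x[0-9a-fA-F]+\s)?                 # client object address (newer BIND only)
    (?P<src>[0-9a-fA-F.:]+)\#(?P<spt>\d+)\s
    \([^)]*\):\s                                   # query name repeated in parentheses
    query:\s(?P<qname>\S+)\s(?P<qclass>\S+)\s(?P<qtype>\S+)\s
    (?P<flags>\S+)\s                               # BIND flags such as "+" or "+ET"
    \((?P<dst>[0-9a-fA-F.:]+)\)\s*$                # listener address that took the query
    """,
    re.VERBOSE,
)


@dataclass
class DnsQueryEvent:
    facility: int
    severity: int
    timestamp: str
    host: str
    pid: int
    src_ip: str
    src_port: int
    qname: str
    qclass: str
    qtype: str
    flags: str
    dst_ip: str

    @property
    def protocol(self) -> str:
        # BIND appends "T" to the flags when the query arrived over TCP.
        return "TCP" if "T" in self.flags else "UDP"


def parse_infoblox_query(line: str) -> Optional[DnsQueryEvent]:
    """Parse one Infoblox/BIND query log line; return None for anything else."""
    m = _QUERY_RE.match(line.strip())
    if m is None:
        return None
    pri = int(m["pri"])
    return DnsQueryEvent(
        facility=pri // 8, severity=pri % 8, timestamp=m["ts"], host=m["host"],
        pid=int(m["pid"]), src_ip=m["src"], src_port=int(m["spt"]),
        qname=m["qname"], qclass=m["qclass"], qtype=m["qtype"],
        flags=m["flags"], dst_ip=m["dst"],
    )


def _cef_header(value: str) -> str:
    # CEF header fields escape backslash and the "|" separator.
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value: str) -> str:
    # CEF extension values escape backslash and "="; newlines are not allowed.
    return value.replace("\\", "\\\\").replace("=", "\\=").replace("\n", " ")


def to_cef(ev: DnsQueryEvent) -> str:
    """Render the event as a CEF:0 line. Vendor, product, signature id and
    severity are placeholder values chosen for this example."""
    header = "|".join(_cef_header(f) for f in (
        "Infoblox", "NIOS", "unknown",   # device version is not in the log line
        "dns-query", "DNS query", "1",   # hypothetical signature id, name, severity
    ))
    fields = [
        ("rt", ev.timestamp), ("dvchost", ev.host),
        ("src", ev.src_ip), ("spt", str(ev.src_port)), ("dst", ev.dst_ip),
        ("proto", ev.protocol),
        ("cs1", ev.qname), ("cs1Label", "QueryName"),
        ("cs2", ev.qtype), ("cs2Label", "QueryType"),
        ("cs3", ev.flags), ("cs3Label", "QueryFlags"),
    ]
    ext = " ".join(f"{k}={_cef_ext(v)}" for k, v in fields)
    return f"CEF:0|{header}|{ext}"
```

Calling `to_cef(parse_infoblox_query(SAMPLE_LINE))` yields a line beginning with `CEF:0|Infoblox|NIOS|`, so the "CEF" keyword that the post says the omsagent fluentd configuration looks for is present. A line that does not match the query pattern (a zone-load notice, for example) returns `None` rather than a half-filled event, so a forwarder can drop or route it separately instead of producing malformed CEF.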
