Skip to main content

Infoblox NIOS

Download With Dependencies

Infoblox is a comprehensive solution that consolidates DNS, DHCP, and IP address management into a single platform. It is designed to simplify network management by automating these critical functions and providing a centralized console for managing them.

Infoblox NIOS

Infoblox NIOS

This pack includes XSIAM content.

Sample XQL Queries

The following XQL Queries demonstrate the XDM modeling for the ingested Infoblox syslog messages:

  1. DNS Queries
    javascript config timeframe = 1H | datamodel dataset = infoblox_infoblox_raw | filter xdm.event.type = "DNS Query" | fields xdm.source.process.name, xdm.source.process.pid, xdm.alert.severity, xdm.event.log_level, xdm.event.type, xdm.event.description, xdm.source.ipv4, xdm.source.port, xdm.intermediate.ipv4, xdm.network.dns.dns_question.name, xdm.network.dns.dns_question.type, xdm.network.dns.dns_question.class, xdm.event.outcome, xdm.event.outcome_reason, xdm.network.ip_protocol
  2. DNS Responses
    javascript config timeframe = 1H | datamodel dataset = infoblox_infoblox_raw | filter xdm.event.type = "DNS Response" | fields xdm.source.process.name, xdm.source.process.pid, xdm.alert.severity, xdm.event.log_level, xdm.event.type, xdm.event.description, xdm.source.ipv4, xdm.source.port, xdm.network.dns.authoritative, xdm.network.dns.dns_question.name, xdm.network.dns.dns_question.class, xdm.network.dns.dns_question.type, xdm.network.dns.is_response,xdm.network.dns.is_truncated, xdm.network.dns.response_code, xdm.network.dns.dns_resource_record.name, xdm.network.dns.dns_resource_record.value, xdm.network.dns.dns_resource_record.type, xdm.network.dns.dns_resource_record.class, xdm.target.host.ipv4_addresses, xdm.target.host.ipv6_addresses, xdm.target.ipv4, xdm.target.ipv6, xdm.network.ip_protocol, xdm.event.outcome, xdm.event.outcome_reason
  3. DHCP Events
    javascript config timeframe = 1H | datamodel dataset = infoblox_infoblox_raw | filter xdm.event.type = "DHCP" and xdm.network.dhcp.message_type != null | fields xdm.source.process.name, xdm.source.process.pid, xdm.alert.severity, xdm.event.log_level, xdm.event.type, xdm.event.description, xdm.network.dhcp.message_type, xdm.source.host.mac_addresses, xdm.source.host.device_id, xdm.source.interface, xdm.source.ipv4, xdm.intermediate.ipv4, xdm.network.dhcp.giaddr, xdm.target.ipv4, xdm.network.dhcp.siaddr, xdm.network.dhcp.chaddr, xdm.network.dhcp.ciaddr, xdm.network.dhcp.client_hostname, xdm.network.dhcp.lease, xdm.network.dhcp.requested_address, xdm.network.dhcp.yiaddr, xdm.event.operation_sub_type, xdm.session_context_id, xdm.event.outcome, xdm.event.outcome_reason

Configuration on Server Side

This section describes the configuration steps that need to be done on your Infoblox NIOS appliance for sending event logs to Cortex XSIAM Broker VM via syslog.

  1. Login to the Infoblox NIOS appliance.

  2. From the Grid tab, Navigate to Grid ManagerMembers, and then click Grid PropertiesEdit from the Toolbar.

  3. In the Grid Properties editor, select the Monitoring tab, and then complete the following:

    1. Select Log to External Syslog Servers to enable the appliance to send messages to a specified syslog server.
    2. Click the Add icon to add a new syslog server configuration and complete the following:
    Parameter Value
    Address Enter the IP address of the Cortex XSIAM Broker VM Syslog server.
    Transport Select whether the appliance should use UDP, TCP, or Secure TCP to connect to the Cortex XSIAM Broker VM.
    Server Certificate To transport the logs over Secure TCP, upload a self-signed or a CA-signed server certificate.
    Interface Select the interface through which the appliance should send the syslog messages to the Cortex XSIAM Broker VM.
    Source Select whether the appliance should send only Internal messages, External messages, or both (Any).
    Node ID Specify the host or node identification string that would be used in the syslog message header to identify the appliance from which the syslog messages originated.
    Port Enter the port number that the Cortex XSIAM Broker VM is listening on for receiving syslog messages from the Infoblox appliance.
    Severity Select the severity level of which messages from this level and above should be sent to Cortex XSIAM.
    Logging Category Select Send selected categories and use the arrows to move the requested logging categories from the Available table to the Selected table and vice versa.
    1. Click Add to add the external syslog server information.
    2. Optionally, click the Test button to test the connection to the Cortex XSIAM syslog server.
  4. If you want Audit logs to be forwarded to Cortex XSIAM Broker VM as well, select Copy Audit Log Messages to Syslog and select the facility that determines the processes and daemons from which the log messages are generated.

  5. Save the configuration and click Restart if it appears at the top of the screen.

Remark

Timestamp Parsing for syslog messages sent from Infoblox to Cortex XSIAM is supported in GMT time zone. The time zone configured on the grid member should be set accordingly. See Using a Syslog Server and Viewing the Syslog Infoblox docs for additional details.

Collect Events from Vendor

In order to use the collector, use the Broker VM option.

Broker VM

You will need to use the information described here.

You can configure the specific vendor and product for this instance.

  1. Navigate to SettingsConfigurationData BrokerBroker VMs.
  2. Go to the APPS column under the Brokers tab and add the Syslog app for the relevant broker instance. If the Syslog app already exists, hover over it and click Configure.
  3. Click Add New.
  4. When configuring the Syslog Collector, set the following parameters:
    | Parameter | Value
    | :--- | :---
    | Protocol | Select UDP, TCP, or Secure TCP, in accordance with the selected syslog transport method configured on the Infoblox appliance.
    | Port | Enter the syslog service port that Cortex XSIAM Broker VM should listen on for receiving forwarded events from the Infoblox appliance.
    | Vendor | Enter Infoblox.
    | Product | Enter Infoblox.

PUBLISHER

Cortex

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

CertificationRead more
Supported ByCortex
CreatedDecember 13, 2020
Last ReleaseMarch 4, 2024
WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.