[2022/01/18 18:40:04.516085] infoblox.localdomain (DEBUG): got: 0e335462-55be-4e9d-b5c6-61b74e525b16, stored: None [2022/01/18 18:40:04.527323] infoblox.localdomain (DEBUG): Executing the template Aruba ClearPass Login [2022/01/18 18:40:04.527476] infoblox.localdomain (DEBUG): Event {u'event_type': 'RPZ', u'ip.extattrs': {u'Aruba_Sync': u'true'}, u'range.end_addr': u'10.74.49.15', u'ip.username': u'', u'thread_id': 0, 'network.netmask': 27, u'lease.hardware': u'00:50:56:a4:30:54', u'member_name': u'infoblox.localdomain', u'rpz_policy': u'NXDOMAIN', 'network.ipv4addr': '10.74.49.0', u'query_type': 1, u'query_view_name': u'_default', u'rpz_severity': u'MAJOR', u'range.start_addr': u'10.74.49.8', u'ip.discovered_data.first_discovered': u'2022-01-18T13:39:35Z', u'destination_ip': u'10.74.49.5', u'network.network': u'10.74.49.0/27', u'network.extattrs': {u'Aruba_Sync': u'true'}, u'timestamp': u'2022-01-18T17:40:02Z', u'vnode_oid': 0, u'lease.ends': u'2022-01-19T02:52:13Z', u'lease.fingerprint': u'Generic Windows', u'rule_name': u'test1.deny', u'sequence_id': 0, u'lease.starts': u'2022-01-18T14:52:13Z', u'rpz_type': u'QNAME', u'network.network_view': u'default', u'threat_origin': u'NIOS', u'member_ip': u'10.74.49.5', u'lease.binding_state': u'ACTIVE', u'source_ip': u'10.74.49.15', u'ip.discovered_data.mac_address': u'00:50:56:a4:30:54', u'query_name': u'test1', u'ip.names': [u'peter-ubuntu'], u'lease.client_hostname': u'peter-ubuntu', u'source_port': 33644} [2022/01/18 18:40:04.527627] infoblox.localdomain (DEBUG): Event fields with no value ['atc_hit_type', 'atc_hit_values', 'ip.discovered_data.device_model', 'ip.discovered_data.device_port_name', 'ip.discovered_data.device_type', 'ip.discovered_data.device_port_type', 'ip.discovered_data.vendor', 'ip.discovered_data.discovered_name', 'ip.discovered_data.duid', 'ip.discovered_data.netbios_name', 'ip.discovered_data.port_link_status', 'ip.discovered_data.port_speed', 'ip.discovered_data.port_status', 'ip.discovered_data.port_vlan_name', 'ip.discovered_data.port_vlan_description', 'lease.ipv6_duid'] [2022/01/18 18:40:04.529160] infoblox.localdomain (DEBUG): Deserialized template in use: { "comment": null, "content_type": "application/json", "headers": {}, "instance_variables": {}, "name": "Aruba ClearPass Login", "path": "", "quoting": "json", "steps": [ { "body": [ { "text": "{\"grant_type\": \"client_credentials\", \"client_secret\":\"" }, { "name": "KEY", "namespace": "S", "quoting": "asis" }, { "text": "\",\"client_id\":\"" }, { "name": "Client_ID", "namespace": "S", "quoting": "url" }, { "text": "\"}" } ], "content_type": "application/json", "headers": { "Authorization": "", "Content-Type": "application/json", "User-Agent": "Infoblox Security Integration", "X-Requested-With": "XMLHttpRequest" }, "name": "send login request", "nodebug": false, "operation": "POST", "override_headers": false, "parse": "JSON", "parse_regex": null, "path": "/api/oauth" }, { "body": [ { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "H" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "E" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "I" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "L" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "S" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "P" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "R" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "RH" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "UT" } ], "content_type": "application/json", "name": "Debug", "nodebug": false, "operation": "NOP", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "SESSID", "var1_namespace": "S", "var2_name": "access_token", "var2_namespace": "P" } ], "error": true, "statements": [ { "left": [ { "name": "RC", "namespace": "R", "quoting": "asis" } ], "op": "!=", "right": [ { "text": "200" } ] } ] }, "content_type": "application/json", "name": "login. errorcheck", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" } ], "template_variables": {}, "vendor_identifier": "Aruba ClearPass", "version": "3.0" } [2022/01/18 18:40:04.529275] infoblox.localdomain (DEBUG): Executing step send login request (1) [2022/01/18 18:40:04.529743] infoblox.localdomain (DEBUG): Sleeping for 0 seconds [2022/01/18 18:40:04.529893] infoblox.localdomain (DEBUG): Sending a 'POST' request within connection: protocol='https', host='10.74.49.4', port='443', path='/api/oauth', headers={u'X-Requested-With': u'XMLHttpRequest', 'Content-Type': u'application/json', 'User-Agent': u'Infoblox Security Integration'}, body='{"grant_type": "client_credentials", "client_secret":"/ss+y9sP/kD83QdRZF2TDkuS+jNsmP58U16AlaPB2Hsa","client_id":"BloxCS"}'. [2022/01/18 18:40:04.529983] infoblox.localdomain (DEBUG): closing connection due to keepalive_timeout [2022/01/18 18:40:04.530070] infoblox.localdomain (DEBUG): Request timeout is 30 [2022/01/18 18:40:04.709725] infoblox.localdomain (DEBUG): Response status:200 reason:OK headers:{'content-length': '113', 'x-xss-protection': '1;mode=block', 'x-content-type-options': 'nosniff', 'set-cookie': '[*********]', 'expires': 'Thu, 19 Nov 1981 08:52:00 GMT', 'vary': 'X-Forwarded-For', 'server': 'Apache', 'pragma': 'no-cache', 'cache-control': 'no-store', 'date': 'Tue, 18 Jan 2022 17:40:22 GMT', 'content-type': 'application/json'} data:{"access_token":"c3d3c44c951be5c3a7ca24d883505d72c5710d95","expires_in":28800,"token_type":"Bearer","scope":null} [2022/01/18 18:40:04.709891] infoblox.localdomain (DEBUG): The previous endpoint request returned status 200 [2022/01/18 18:40:04.710003] infoblox.localdomain (DEBUG): Parsing the endpoint message {'BODY': '{"access_token":"c3d3c44c951be5c3a7ca24d883505d72c5710d95","expires_in":28800,"token_type":"Bearer","scope":null}', 'REASON': 'OK', 'RC': 200} [2022/01/18 18:40:04.710348] infoblox.localdomain (DEBUG): The parsing output is {u'access_token': u'c3d3c44c951be5c3a7ca24d883505d72c5710d95', u'token_type': u'Bearer', u'expires_in': 28800, u'scope': None} [2022/01/18 18:40:04.710694] infoblox.localdomain (DEBUG): Executing step Debug (1) [2022/01/18 18:40:04.710827] infoblox.localdomain (DEBUG): Namespace H contents are: {'Content-Type': u'application/json', 'Authorization': '[*********]', 'User-Agent': 'Infoblox Security Integration'} [2022/01/18 18:40:04.710976] infoblox.localdomain (DEBUG): Namespace E contents are: {u'event_type': 'RPZ', u'ip.extattrs': {u'Aruba_Sync': u'true'}, u'range.end_addr': u'10.74.49.15', u'ip.username': u'', u'thread_id': 0, 'network.netmask': 27, u'lease.hardware': u'00:50:56:a4:30:54', u'member_name': u'infoblox.localdomain', u'rpz_policy': u'NXDOMAIN', 'network.ipv4addr': '10.74.49.0', u'query_type': 1, u'query_view_name': u'_default', u'rpz_severity': u'MAJOR', u'range.start_addr': u'10.74.49.8', u'ip.discovered_data.first_discovered': u'2022-01-18T13:39:35Z', u'destination_ip': u'10.74.49.5', u'network.network': u'10.74.49.0/27', u'network.extattrs': {u'Aruba_Sync': u'true'}, u'timestamp': u'2022-01-18T17:40:02Z', u'vnode_oid': 0, u'lease.ends': u'2022-01-19T02:52:13Z', u'lease.fingerprint': u'Generic Windows', u'rule_name': u'test1.deny', u'sequence_id': 0, u'lease.starts': u'2022-01-18T14:52:13Z', u'rpz_type': u'QNAME', u'network.network_view': u'default', u'threat_origin': u'NIOS', u'member_ip': u'10.74.49.5', u'lease.binding_state': u'ACTIVE', u'source_ip': u'10.74.49.15', u'ip.discovered_data.mac_address': u'00:50:56:a4:30:54', u'query_name': u'test1', u'ip.names': [u'peter-ubuntu'], u'lease.client_hostname': u'peter-ubuntu', u'source_port': 33644} [2022/01/18 18:40:04.711071] infoblox.localdomain (DEBUG): Namespace I contents are: {u'ThreatSeverity': u'Low', u'KEY': u'/ss+y9sP/kD83QdRZF2TDkuS+jNsmP58U16AlaPB2Hsa', u'Client_ID': u'BloxCS'} [2022/01/18 18:40:04.711152] infoblox.localdomain (DEBUG): Namespace L contents are: {} [2022/01/18 18:40:04.711242] infoblox.localdomain (DEBUG): Namespace S contents are: {'USER': u'admin', 'TIMEOUT': 30, u'KEY': u'/ss+y9sP/kD83QdRZF2TDkuS+jNsmP58U16AlaPB2Hsa', u'Client_ID': u'BloxCS', 'URI': u'https://10.74.49.4'} [2022/01/18 18:40:04.711348] infoblox.localdomain (DEBUG): Namespace P contents are: {u'access_token': u'c3d3c44c951be5c3a7ca24d883505d72c5710d95', u'token_type': u'Bearer', u'expires_in': 28800, u'scope': None} [2022/01/18 18:40:04.711432] infoblox.localdomain (DEBUG): Namespace R contents are: {'BODY': '{"access_token":"c3d3c44c951be5c3a7ca24d883505d72c5710d95","expires_in":28800,"token_type":"Bearer","scope":null}', 'REASON': 'OK', 'RC': 200} [2022/01/18 18:40:04.711532] infoblox.localdomain (DEBUG): Namespace RH contents are: {'content-length': '113', 'x-xss-protection': '1;mode=block', 'x-content-type-options': 'nosniff', 'set-cookie': '[*********]', 'expires': 'Thu, 19 Nov 1981 08:52:00 GMT', 'vary': 'X-Forwarded-For', 'server': 'Apache', 'pragma': 'no-cache', 'cache-control': 'no-store', 'date': 'Tue, 18 Jan 2022 17:40:22 GMT', 'content-type': 'application/json'} [2022/01/18 18:40:04.711741] infoblox.localdomain (DEBUG): Namespace UT contents are: {'USERNAME': '[redacted]', 'ENDPOINT': 'notification:rest:endpoint/b25lLmVuZHBvaW50JDI', 'PROTOCOL': u'https', 'UUID': '73ba5d08-eb6b-42a3-9c8b-b3e6f855bb08', 'WAPIUSERNAME': u'admin', 'URI': u'https://10.74.49.4', 'HOST': u'10.74.49.4', 'EPOCH': '1642527604', 'TIME': '2022-01-18T17:40:04Z', 'PATH': u'', 'PASSWORD': '[redacted]', 'PORT': 443} [2022/01/18 18:40:04.711837] infoblox.localdomain (DEBUG): Executing step login. errorcheck (1) [2022/01/18 18:40:04.711933] infoblox.localdomain (DEBUG): Found a/an AND condition step! [2022/01/18 18:40:04.712057] infoblox.localdomain (DEBUG): Evaluating statement: 200 != 200 [2022/01/18 18:40:04.712134] infoblox.localdomain (DEBUG): The condition did not match! [2022/01/18 18:40:04.712192] infoblox.localdomain (DEBUG): Executing the else_eval block [2022/01/18 18:40:04.712324] infoblox.localdomain (DEBUG): The template was executed successfully [2022/01/18 18:40:04.712450] infoblox.localdomain (DEBUG): Executing the template Aruba ClearPass Security [2022/01/18 18:40:04.712570] infoblox.localdomain (DEBUG): Event {u'event_type': 'RPZ', u'ip.extattrs': {u'Aruba_Sync': u'true'}, u'range.end_addr': u'10.74.49.15', u'ip.username': u'', u'thread_id': 0, 'network.netmask': 27, u'lease.hardware': u'00:50:56:a4:30:54', u'member_name': u'infoblox.localdomain', u'rpz_policy': u'NXDOMAIN', 'network.ipv4addr': '10.74.49.0', u'query_type': 1, u'query_view_name': u'_default', u'rpz_severity': u'MAJOR', u'range.start_addr': u'10.74.49.8', u'ip.discovered_data.first_discovered': u'2022-01-18T13:39:35Z', u'destination_ip': u'10.74.49.5', u'network.network': u'10.74.49.0/27', u'network.extattrs': {u'Aruba_Sync': u'true'}, u'timestamp': u'2022-01-18T17:40:02Z', u'vnode_oid': 0, u'lease.ends': u'2022-01-19T02:52:13Z', u'lease.fingerprint': u'Generic Windows', u'rule_name': u'test1.deny', u'sequence_id': 0, u'lease.starts': u'2022-01-18T14:52:13Z', u'rpz_type': u'QNAME', u'network.network_view': u'default', u'threat_origin': u'NIOS', u'member_ip': u'10.74.49.5', u'lease.binding_state': u'ACTIVE', u'source_ip': u'10.74.49.15', u'ip.discovered_data.mac_address': u'00:50:56:a4:30:54', u'query_name': u'test1', u'ip.names': [u'peter-ubuntu'], u'lease.client_hostname': u'peter-ubuntu', u'source_port': 33644} [2022/01/18 18:40:04.712688] infoblox.localdomain (DEBUG): Event fields with no value ['atc_hit_type', 'atc_hit_values', 'ip.discovered_data.device_model', 'ip.discovered_data.device_port_name', 'ip.discovered_data.device_type', 'ip.discovered_data.device_port_type', 'ip.discovered_data.vendor', 'ip.discovered_data.discovered_name', 'ip.discovered_data.duid', 'ip.discovered_data.netbios_name', 'ip.discovered_data.port_link_status', 'ip.discovered_data.port_speed', 'ip.discovered_data.port_status', 'ip.discovered_data.port_vlan_name', 'ip.discovered_data.port_vlan_description', 'lease.ipv6_duid'] [2022/01/18 18:40:04.748895] infoblox.localdomain (DEBUG): Deserialized template in use: { "comment": "", "content_type": "application/json", "headers": { "Accept": "*/*" }, "instance_variables": { "ThreatSeverity": "Low" }, "name": "Aruba ClearPass Security", "path": "", "quoting": "json", "steps": [ { "body": [ { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "H" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "E" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "I" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "L" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "S" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "P" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "R" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "RH" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "UT" } ], "content_type": "application/json", "name": "Debug#0", "nodebug": false, "operation": "NOP", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "address", "var1_namespace": "L", "var2_name": "source_ip", "var2_namespace": "E" }, { "assign_type": "S", "assign_val": "ipv4addr", "namespace": "XC", "op": "ASSIGN", "var1_name": "addr", "var1_namespace": "L" }, { "assign_type": "S", "assign_val": "fixedaddress", "namespace": "XC", "op": "ASSIGN", "var1_name": "fixed", "var1_namespace": "L" } ], "eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "address", "var1_namespace": "L", "var2_name": "source_ip", "var2_namespace": "E" }, { "assign_type": "S", "assign_val": "ipv6addr", "namespace": "XC", "op": "ASSIGN", "var1_name": "addr", "var1_namespace": "L" }, { "assign_type": "S", "assign_val": "ipv6fixedaddress", "namespace": "XC", "op": "ASSIGN", "var1_name": "fixed", "var1_namespace": "L" } ], "statements": [ { "left": [ { "name": "source_ip", "namespace": "E", "quoting": "asis" } ], "op": "=~", "right": [ { "text": ":" } ] } ] }, "content_type": "application/json", "name": "check if IPv4 or IPv6 for assigning variables", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": [ { "namespace": "XC", "op": "COPY", "var1_name": "ArubaAddDate", "var1_namespace": "L", "var2_name": "TIME", "var2_namespace": "UT" }, { "fmt": "TRUNCATE", "fmtstr": "10t", "namespace": "XC", "op": "FORMAT", "var1_name": "ArubaAddDate", "var1_namespace": "L" } ], "content_type": "application/json", "name": "assignTimeValue", "nodebug": false, "operation": "NOP", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "next": "Get IPv6Fixed _ref", "statements": [ { "left": [ { "name": "source_ip", "namespace": "E", "quoting": "json" } ], "op": "=~", "right": [ { "text": ":" } ] } ] }, "content_type": "application/json", "name": "check for IPv6", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "content_type": "application/json", "headers": { "Accept": "application/json", "Authorization": "Basic YWRtaW46aW5mb2Jsb3g=", "Content-Type": "application/json" }, "name": "Get IPv4Fixed _ref", "nodebug": false, "operation": "GET", "override_headers": true, "parse": "JSON", "path": [ { "text": "/wapi/v2.7/fixedaddress?ipv4addr=" }, { "name": "source_ip", "namespace": "E", "quoting": "url" }, { "text": "&network_view=default&_return_fields=extattrs" } ], "wapi": "v2.7" }, { "body": null, "condition": { "condition_type": "AND", "eval": [ { "assign_type": "S", "assign_val": "fixedaddress", "namespace": "XC", "op": "ASSIGN", "var1_name": "Path", "var1_namespace": "L" } ], "next": "Get_Objref", "statements": [ { "left": [ { "listindex": "0_ref", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1,{1-5" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "wapi_response_getIPv4Fix_ref", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "content_type": "application/json", "headers": { "Accept": "application/json", "Authorization": "Basic YWRtaW46aW5mb2Jsb3g=", "Content-Type": "application/json" }, "name": "Get HostIPv4 _ref", "nodebug": false, "operation": "GET", "override_headers": true, "parse": "JSON", "path": [ { "text": "/wapi/v2.7/record:host?ipv4addr=" }, { "name": "source_ip", "namespace": "E", "quoting": "url" }, { "text": "&network_view=default&_return_fields=extattrs" } ], "wapi": "v2.7" }, { "body": null, "condition": { "condition_type": "AND", "else_stop": true, "eval": [ { "assign_type": "S", "assign_val": "", "namespace": "XC", "op": "ASSIGN", "var1_name": "operating_system", "var1_namespace": "L" }, { "assign_type": "S", "assign_val": "record:host", "namespace": "XC", "op": "ASSIGN", "var1_name": "Path", "var1_namespace": "L" } ], "next": "Get_Objref", "statements": [ { "left": [ { "listindex": "0_ref", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1,{1-5" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "wapi_response_getIPv4Host_ref", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "content_type": "application/json", "name": "Get IPv6Fixed _ref", "nodebug": false, "operation": "GET", "override_headers": false, "path": [ { "text": "/wapi/v2.7/ipv6fixedaddress?ipv6addr=" }, { "name": "source_ip", "namespace": "E", "quoting": "url" }, { "text": "&network_view=default&_return_fields=extattrs" } ], "wapi": "v2.7" }, { "body": null, "condition": { "condition_type": "AND", "eval": [ { "assign_type": "S", "assign_val": "ipv6fixedaddress", "namespace": "XC", "op": "ASSIGN", "var1_name": "Path", "var1_namespace": "L" } ], "next": "Get_Objref", "statements": [ { "left": [ { "listindex": "0_ref", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1,{1-5" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "wapi_response_getIPv6Fix_ref", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "content_type": "application/json", "name": "Get HostIPv6 _ref", "nodebug": false, "operation": "GET", "override_headers": false, "path": [ { "text": "/wapi/v2.7/record:host?ipv6addr=" }, { "name": "source_ip", "namespace": "E", "quoting": "url" }, { "text": "&network_view=default&_return_fields=extattrs" } ], "wapi": "v2.7" }, { "body": null, "condition": { "condition_type": "AND", "else_stop": true, "eval": [ { "assign_type": "S", "assign_val": "", "namespace": "XC", "op": "ASSIGN", "var1_name": "operating_system", "var1_namespace": "L" }, { "assign_type": "S", "assign_val": "record:host", "namespace": "XC", "op": "ASSIGN", "var1_name": "Path", "var1_namespace": "L" } ], "next": "Get_Objref", "statements": [ { "left": [ { "listindex": "0_ref", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1,{1-5" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "wapi_response_getIPv6Host_ref", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "Obj_ref", "var1_namespace": "L", "var2_listindex": "0_ref", "var2_name": "PARSE", "var2_namespace": "P", "var2_type": "[0-1,{1-5" } ], "statements": [ { "left": [ { "listindex": "0_ref", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1,{1-5" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "Get_Objref", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "OR", "statements": [ { "left": [ { "name": "Obj_ref", "namespace": "L", "quoting": "asis" } ], "op": "==", "right": [ { "text": "" } ] } ], "stop": true }, "content_type": "application/json", "name": "Stop if no Obj_ref", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "OR", "statements": [ { "left": [ { "listindex": "0extattrsAruba_Securevalue", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1,{1-9,{9-21,{21-26" } ], "op": "==", "right": [ { "text": "" } ] } ], "stop": true }, "content_type": "application/json", "name": "stop if no extattrs", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "OR", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "ArubaAddDateRecorded", "var1_namespace": "L", "var2_listindex": "0extattrsAruba_LastSecurityEventvalue", "var2_name": "PARSE", "var2_namespace": "P", "var2_type": "[0-1,{1-9,{9-32,{32-37" }, { "fmt": "TRUNCATE", "fmtstr": "10t", "namespace": "XC", "op": "FORMAT", "var1_name": "ArubaAddDateRecorded", "var1_namespace": "L" } ], "eval": [ { "assign_type": "S", "assign_val": "", "namespace": "XC", "op": "ASSIGN", "var1_name": "ArubaAddDateRecorded", "var1_namespace": "L" } ], "statements": [ { "left": [ { "listindex": "0extattrsAruba_LastSecurityEventvalue", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1,{1-9,{9-32,{32-37" } ], "op": "==", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "Set Old_Time", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "OR", "statements": [ { "left": [ { "listindex": "0extattrsAruba_Securevalue", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1,{1-9,{9-21,{21-26" } ], "op": "==", "right": [ { "text": "false" } ] } ], "stop": true }, "content_type": "application/json", "name": "check if secure external attribute set", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "content_type": "application/json", "name": "Get Lease", "nodebug": false, "operation": "GET", "override_headers": false, "path": [ { "text": "/wapi/v2.7/lease?address=" }, { "name": "address", "namespace": "L", "quoting": "asis" }, { "text": "&network_view=" }, { "name": "network.network_view", "namespace": "E", "quoting": "asis" }, { "text": "&_return_fields=hardware" } ], "wapi": "v2.7" }, { "body": [ { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "H" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "E" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "I" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "L" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "S" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "P" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "R" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "RH" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "UT" } ], "content_type": "application/json", "name": "Debug ADP", "nodebug": false, "operation": "NOP", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "ThreatName", "var1_namespace": "L", "var2_name": "query_fqdn", "var2_namespace": "E" }, { "namespace": "XC", "op": "COPY", "var1_name": "ThreatCategory", "var1_namespace": "L", "var2_name": "event_type", "var2_namespace": "E" }, { "namespace": "XC", "op": "COPY", "var1_name": "Infoblox_Last_Known_IP", "var1_namespace": "L", "var2_name": "source_ip", "var2_namespace": "E" }, { "namespace": "XC", "op": "COPY", "var1_name": "ThreatDetection", "var1_namespace": "L", "var2_name": "member_ip", "var2_namespace": "E" }, { "namespace": "XC", "op": "COPY", "var1_name": "RuleId", "var1_namespace": "L", "var2_name": "rule_sid", "var2_namespace": "E" }, { "namespace": "XC", "op": "COPY", "var1_name": "RuleCategory", "var1_namespace": "L", "var2_name": "rule_category", "var2_namespace": "E" }, { "namespace": "XC", "op": "COPY", "var1_name": "ThreatSeverity", "var1_namespace": "L", "var2_name": "ThreatSeverity", "var2_namespace": "I" } ], "next": "Check if lease is present", "statements": [ { "left": [ { "name": "event_type", "namespace": "E", "quoting": "asis" } ], "op": "==", "right": [ { "text": "ADP" } ] } ] }, "content_type": "application/json", "name": "check if ADP event", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "ThreatCategory", "var1_namespace": "L", "var2_name": "event_type", "var2_namespace": "E" }, { "namespace": "XC", "op": "COPY", "var1_name": "Infoblox_Last_Known_IP", "var1_namespace": "L", "var2_name": "source_ip", "var2_namespace": "E" }, { "namespace": "XC", "op": "COPY", "var1_name": "ThreatDetection", "var1_namespace": "L", "var2_name": "member_ip", "var2_namespace": "E" }, { "namespace": "XC", "op": "COPY", "var1_name": "ThreatName", "var1_namespace": "L", "var2_name": "domain_name", "var2_namespace": "E" }, { "namespace": "XC", "op": "COPY", "var1_name": "ThreatSeverity", "var1_namespace": "L", "var2_name": "ThreatSeverity", "var2_namespace": "I" } ], "eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "ThreatCategory", "var1_namespace": "L", "var2_name": "rpz_type", "var2_namespace": "E" }, { "namespace": "XC", "op": "COPY", "var1_name": "Infoblox_Last_Known_IP", "var1_namespace": "L", "var2_name": "source_ip", "var2_namespace": "E" }, { "namespace": "XC", "op": "COPY", "var1_name": "ThreatDetection", "var1_namespace": "L", "var2_name": "member_ip", "var2_namespace": "E" }, { "namespace": "XC", "op": "COPY", "var1_name": "ThreatName", "var1_namespace": "L", "var2_name": "query_name", "var2_namespace": "E" }, { "namespace": "XC", "op": "COPY", "var1_name": "ThreatSeverity", "var1_namespace": "L", "var2_name": "ThreatSeverity", "var2_namespace": "I" } ], "statements": [ { "left": [ { "name": "event_type", "namespace": "E", "quoting": "asis" } ], "op": "==", "right": [ { "text": "RPZ" } ] } ] }, "content_type": "application/json", "name": "Check RPZ or Tunnel event to assign variables", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "client_hostname", "var1_namespace": "L", "var2_name": "client_hostname", "var2_namespace": "E" } ], "next": "check if mac is present", "statements": [ { "left": [ { "listindex": "0", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1" } ], "op": "!=", "right": [ { "text": "" } ] }, { "left": [ { "listindex": "Aruba_Securevalue", "name": "ip.extattrs", "namespace": "E", "quoting": "asis", "type": "{0-12,{12-17" } ], "op": "==", "right": [ { "text": "true" } ] } ] }, "content_type": "application/json", "name": "Check if lease is present", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "statements": [ { "left": [ { "listindex": "0", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1" } ], "op": "!=", "right": [ { "text": "" } ] } ], "stop": true }, "content_type": "application/json", "name": "check if Lease and if so then stop", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "OR", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "Location", "var1_namespace": "L", "var2_listindex": "Aruba_Location", "var2_name": "ip.extattrs", "var2_namespace": "E", "var2_type": "{0-14" } ], "eval": [ { "assign_type": "S", "assign_val": "Unknown", "namespace": "XC", "op": "ASSIGN", "var1_name": "Location", "var1_namespace": "L" } ], "statements": [ { "left": [ { "listindex": "Aruba_Location", "name": "ip.extattrs", "namespace": "E", "quoting": "asis", "type": "{0-14" } ], "op": "==", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "Check if location", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "next": "Get Host IPv6", "statements": [ { "left": [ { "name": "source_ip", "namespace": "E", "quoting": "asis" } ], "op": "=~", "right": [ { "text": ":" } ] } ] }, "content_type": "application/json", "name": "check if IPv4 or IPv6 for checking assets on Infoblox", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "content_type": "application/json", "name": "Get Host IPv4", "nodebug": false, "operation": "GET", "override_headers": false, "path": [ { "text": "/wapi/v2.7/record:host_ipv4addr?ipv4addr=" }, { "name": "address", "namespace": "L", "quoting": "asis" }, { "text": "&network_view=" }, { "name": "network.network_view", "namespace": "E", "quoting": "asis" }, { "text": "&_return_fields=mac,host" } ], "wapi": "v2.7" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "assign_type": "S", "assign_val": "Unknown", "namespace": "XC", "op": "ASSIGN", "var1_name": "host", "var1_namespace": "L" } ], "eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "host", "var1_namespace": "L", "var2_listindex": "0host", "var2_name": "PARSE", "var2_namespace": "P", "var2_type": "[0-1,{1-5" } ], "next": "check if mac is present", "statements": [ { "left": [ { "listindex": "0", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "Check if Host IPv4 is present", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "content_type": "application/json", "name": "Get fixed IPv4", "nodebug": false, "operation": "GET", "override_headers": false, "path": [ { "text": "/wapi/v2.7/fixedaddress?ipv4addr=" }, { "name": "address", "namespace": "L", "quoting": "asis" }, { "text": "&network_view=" }, { "name": "network.network_view", "namespace": "E", "quoting": "asis" }, { "text": "&_return_fields=mac,discovered_data.mac_address,discovered_data.vmhost_mac_address,discovered_data.vport_mac_address,extattrs" } ], "wapi": "v2.7" }, { "body": null, "condition": { "condition_type": "AND", "eval": [ { "assign_type": "S", "assign_val": "Unknown", "namespace": "XC", "op": "ASSIGN", "var1_name": "host", "var1_namespace": "L" } ], "next": "check if mac is present", "statements": [ { "left": [ { "listindex": "0", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "Check if fixed IPv4 is present", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "OR", "statements": [ { "left": [ { "text": "1" } ], "op": "==", "right": [ { "text": "1" } ] } ], "stop": true }, "content_type": "application/json", "name": "stop because there is no information IPv4", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "content_type": "application/json", "name": "Get Host IPv6", "nodebug": false, "operation": "GET", "override_headers": false, "path": [ { "text": "/wapi/v2.7/record:host?ipv6addr=" }, { "name": "address", "namespace": "L", "quoting": "asis" }, { "text": "&network_view=" }, { "name": "network.network_view", "namespace": "E", "quoting": "asis" }, { "text": "&_return_fields=mac,host" } ], "wapi": "v2.7" }, { "body": null, "condition": { "condition_type": "AND", "eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "host", "var1_namespace": "L", "var2_listindex": "0host", "var2_name": "PARSE", "var2_namespace": "P", "var2_type": "[0-1,{1-5" } ], "next": "check if mac is present", "statements": [ { "left": [ { "listindex": "0", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "Check if Host IPv6 is present", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "content_type": "application/json", "name": "Get fixed IPv6", "nodebug": false, "operation": "GET", "override_headers": false, "path": [ { "text": "/wapi/v2.7/ipv6fixedaddress?ipv6addr=" }, { "name": "address", "namespace": "L", "quoting": "asis" }, { "text": "&network_view=" }, { "name": "network.network_view", "namespace": "E", "quoting": "asis" }, { "text": "&_return_fields=discovered_data.mac_address,discovered_data.vmhost_mac_address,discovered_data.vport_mac_address,extattrs" } ], "wapi": "v2.7" }, { "body": null, "condition": { "condition_type": "AND", "eval": [ { "assign_type": "S", "assign_val": "Unknown", "namespace": "XC", "op": "ASSIGN", "var1_name": "host", "var1_namespace": "L" } ], "next": "check if mac is present", "statements": [ { "left": [ { "listindex": "0", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "Check if fixed IPv6 is present", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "OR", "statements": [ { "left": [ { "text": "1" } ], "op": "==", "right": [ { "text": "1" } ] } ], "stop": true }, "content_type": "application/json", "name": "stop because there is no information IPv6", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "mac", "var1_namespace": "L", "var2_listindex": "0mac", "var2_name": "PARSE", "var2_namespace": "P", "var2_type": "[0-1,{1-4" } ], "next": "assignMac from P: for host", "statements": [ { "left": [ { "listindex": "0mac", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1,{1-4" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check if mac is present", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "statements": [ { "left": [ { "text": "1" } ], "op": "==", "right": [ { "text": "1" } ] } ], "stop": true }, "content_type": "application/json", "name": "Stop bacause there is no mac", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": [ { "namespace": "XC", "op": "COPY", "var1_name": "Mac1", "var1_namespace": "L", "var2_name": "mac", "var2_namespace": "L" }, { "fmt": "TRUNCATE", "fmtstr": "2t", "namespace": "XC", "op": "FORMAT", "var1_name": "Mac1", "var1_namespace": "L" }, { "namespace": "XC", "op": "COPY", "var1_name": "Mac2", "var1_namespace": "L", "var2_name": "mac", "var2_namespace": "L" }, { "fmt": "TRUNCATE", "fmtstr": "5t", "namespace": "XC", "op": "FORMAT", "var1_name": "Mac2", "var1_namespace": "L" }, { "fmt": "TRUNCATE", "fmtstr": "-2f", "namespace": "XC", "op": "FORMAT", "var1_name": "Mac2", "var1_namespace": "L" }, { "namespace": "XC", "op": "COPY", "var1_name": "Mac3", "var1_namespace": "L", "var2_name": "mac", "var2_namespace": "L" }, { "fmt": "TRUNCATE", "fmtstr": "8t", "namespace": "XC", "op": "FORMAT", "var1_name": "Mac3", "var1_namespace": "L" }, { "fmt": "TRUNCATE", "fmtstr": "-2f", "namespace": "XC", "op": "FORMAT", "var1_name": "Mac3", "var1_namespace": "L" }, { "namespace": "XC", "op": "COPY", "var1_name": "Mac4", "var1_namespace": "L", "var2_name": "mac", "var2_namespace": "L" }, { "fmt": "TRUNCATE", "fmtstr": "11t", "namespace": "XC", "op": "FORMAT", "var1_name": "Mac4", "var1_namespace": "L" }, { "fmt": "TRUNCATE", "fmtstr": "-2f", "namespace": "XC", "op": "FORMAT", "var1_name": "Mac4", "var1_namespace": "L" }, { "namespace": "XC", "op": "COPY", "var1_name": "Mac5", "var1_namespace": "L", "var2_name": "mac", "var2_namespace": "L" }, { "fmt": "TRUNCATE", "fmtstr": "14t", "namespace": "XC", "op": "FORMAT", "var1_name": "Mac5", "var1_namespace": "L" }, { "fmt": "TRUNCATE", "fmtstr": "-2f", "namespace": "XC", "op": "FORMAT", "var1_name": "Mac5", "var1_namespace": "L" }, { "namespace": "XC", "op": "COPY", "var1_name": "Mac6", "var1_namespace": "L", "var2_name": "mac", "var2_namespace": "L" }, { "fmt": "TRUNCATE", "fmtstr": "-2f", "namespace": "XC", "op": "FORMAT", "var1_name": "Mac6", "var1_namespace": "L" }, { "namespace": "XC", "op": "COPY", "var1_name": "MacFull", "var1_namespace": "L", "var2_name": "mac", "var2_namespace": "L" } ], "content_type": "application/json", "name": "assignMac from P: for host", "nodebug": false, "operation": "NOP", "override_headers": false, "path": "" }, { "body": [ { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "H" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "E" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "I" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "L" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "S" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "P" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "R" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "RH" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "UT" } ], "content_type": "application/json", "name": "Debug#test1", "nodebug": false, "operation": "NOP", "override_headers": false, "path": "" }, { "body": null, "content_type": "application/json", "headers": { "Authorization": [ { "text": "Bearer " }, { "name": "SESSID", "namespace": "S", "quoting": "asis" } ] }, "name": "Get Check if duplicate endpoint with host", "nodebug": false, "operation": "GET", "override_headers": false, "parse": "JSON", "parse_regex": null, "path": [ { "text": "/api/endpoint/mac-address/" }, { "name": "Mac1", "namespace": "L", "quoting": "asis" }, { "name": "Mac2", "namespace": "L", "quoting": "asis" }, { "name": "Mac3", "namespace": "L", "quoting": "asis" }, { "name": "Mac4", "namespace": "L", "quoting": "asis" }, { "name": "Mac5", "namespace": "L", "quoting": "asis" }, { "name": "Mac6", "namespace": "L", "quoting": "asis" } ], "result": [ { "codes": "200,201,202,203,204,404,405", "next": "Create Endpoint if one is not present" } ] }, { "body": [ { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "H" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "E" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "I" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "L" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "S" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "P" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "R" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "RH" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "UT" } ], "content_type": "application/json", "name": "Debug#test2", "nodebug": false, "operation": "NOP", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "OR", "else_eval": [ { "assign_type": "S", "assign_val": "true", "namespace": "XC", "op": "ASSIGN", "var1_name": "MacFound", "var1_namespace": "L" } ], "statements": [ { "left": [ { "name": "mac_address", "namespace": "P", "quoting": "asis" } ], "op": "==", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "Create Endpoint if one is not present", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "managed", "var1_namespace": "L", "var2_listindex": "Infoblox Managed", "var2_name": "attributes", "var2_namespace": "P", "var2_type": "{0-16" } ], "eval": [ { "assign_type": "S", "assign_val": "False", "namespace": "XC", "op": "ASSIGN", "var1_name": "managed", "var1_namespace": "L" } ], "statements": [ { "left": [ { "listindex": "Infoblox Managed", "name": "attributes", "namespace": "P", "quoting": "asis", "type": "{0-16" } ], "op": "==", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check if managed by infoblox", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "fingerpring", "var1_namespace": "L", "var2_listindex": "Infoblox DHCP Fingerprint", "var2_name": "attributes", "var2_namespace": "P", "var2_type": "{0-25" } ], "eval": [ { "assign_type": "S", "assign_val": "Unknown", "namespace": "XC", "op": "ASSIGN", "var1_name": "fingerpring", "var1_namespace": "L" } ], "statements": [ { "left": [ { "listindex": "Infoblox DHCP Fingerprint", "name": "attributes", "namespace": "P", "quoting": "asis", "type": "{0-25" } ], "op": "==", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check for Fingerprint", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "vendor", "var1_namespace": "L", "var2_listindex": "Device Vendor", "var2_name": "attributes", "var2_namespace": "P", "var2_type": "{0-13" } ], "eval": [ { "assign_type": "S", "assign_val": "Unknown", "namespace": "XC", "op": "ASSIGN", "var1_name": "vendor", "var1_namespace": "L" } ], "statements": [ { "left": [ { "listindex": "Device Vendor", "name": "attributes", "namespace": "P", "quoting": "asis", "type": "{0-13" } ], "op": "==", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check for Device Vendor", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "assign_type": "S", "assign_val": "Unknown", "namespace": "XC", "op": "ASSIGN", "var1_name": "host", "var1_namespace": "L" } ], "eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "host", "var1_namespace": "L", "var2_listindex": "client_hostname", "var2_name": "attributes", "var2_namespace": "P", "var2_type": "{0-15" } ], "statements": [ { "left": [ { "listindex": "client_hostname", "name": "attributes", "namespace": "P", "quoting": "asis", "type": "{0-15" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check for client_hostname", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "type", "var1_namespace": "L", "var2_listindex": "Device Type", "var2_name": "attributes", "var2_namespace": "P", "var2_type": "{0-11" } ], "eval": [ { "assign_type": "S", "assign_val": "Unknown", "namespace": "XC", "op": "ASSIGN", "var1_name": "type", "var1_namespace": "L" } ], "statements": [ { "left": [ { "listindex": "Device Type", "name": "attributes", "namespace": "P", "quoting": "asis", "type": "{0-11" } ], "op": "==", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check for Device Type", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "rule_category", "var1_namespace": "L", "var2_listindex": "Infoblox Rule Category", "var2_name": "attributes", "var2_namespace": "P", "var2_type": "{0-22" } ], "eval": [ { "assign_type": "S", "assign_val": "Unknown", "namespace": "XC", "op": "ASSIGN", "var1_name": "rule_category", "var1_namespace": "L" } ], "statements": [ { "left": [ { "listindex": "Infoblox Rule Category", "name": "attributes", "namespace": "P", "quoting": "asis", "type": "{0-22" } ], "op": "==", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check for Rule Category", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "rule_id", "var1_namespace": "L", "var2_listindex": "Infoblox Rule Id", "var2_name": "attributes", "var2_namespace": "P", "var2_type": "{0-16" } ], "eval": [ { "assign_type": "I", "assign_val": "0", "namespace": "XC", "op": "ASSIGN", "var1_name": "rule_id", "var1_namespace": "L" } ], "statements": [ { "left": [ { "listindex": "Infoblox Rule Id", "name": "attributes", "namespace": "P", "quoting": "asis", "type": "{0-16" } ], "op": "==", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check for Rule id", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": [ { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "H" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "E" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "I" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "L" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "S" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "P" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "R" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "RH" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "UT" } ], "content_type": "application/json", "name": "Debug ruleid1", "nodebug": false, "operation": "NOP", "override_headers": false, "path": "" }, { "body": null, "content_type": "application/json", "name": "all discovery information", "nodebug": false, "operation": "GET", "override_headers": false, "parse": "JSON", "parse_regex": null, "path": [ { "text": "/wapi/v2.7/" }, { "name": "Path", "namespace": "L", "quoting": "asis" }, { "text": "?" }, { "name": "addr", "namespace": "L", "quoting": "asis" }, { "text": "=" }, { "name": "address", "namespace": "L", "quoting": "asis" }, { "text": "&_return_fields=comment,device_description,device_location,device_type,device_vendor,name" } ], "wapi": "v2.7" }, { "body": null, "condition": { "condition_type": "OR", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "host", "var1_namespace": "L", "var2_listindex": "0name", "var2_name": "PARSE", "var2_namespace": "P", "var2_type": "[0-1,{1-5" } ], "statements": [ { "left": [ { "listindex": "0name", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1,{1-5" } ], "op": "==", "right": [ { "text": "" } ] }, { "left": [ { "listindex": "0name", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1,{1-5" } ], "op": "==", "right": [ { "text": "unknown" } ] } ] }, "content_type": "application/json", "name": "Check if name is unknown", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "description", "var1_namespace": "L", "var2_listindex": "0device_description", "var2_name": "PARSE", "var2_namespace": "P", "var2_type": "[0-1,{1-19" } ], "eval": [ { "assign_type": "S", "assign_val": "No Description", "namespace": "XC", "op": "ASSIGN", "var1_name": "description", "var1_namespace": "L" } ], "statements": [ { "left": [ { "listindex": "0device_description", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1,{1-19" } ], "op": "==", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check for description", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "comment", "var1_namespace": "L", "var2_listindex": "0comment", "var2_name": "PARSE", "var2_namespace": "P", "var2_type": "[0-1,{1-8" } ], "eval": [ { "assign_type": "S", "assign_val": "No Comment", "namespace": "XC", "op": "ASSIGN", "var1_name": "comment", "var1_namespace": "L" } ], "statements": [ { "left": [ { "listindex": "0comment", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1,{1-8" } ], "op": "==", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check for comment", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "vendor", "var1_namespace": "L", "var2_listindex": "0device_vendor", "var2_name": "PARSE", "var2_namespace": "P", "var2_type": "[0-1,{1-14" } ], "statements": [ { "left": [ { "listindex": "0device_vendor", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1,{1-14" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check for vendor", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "type", "var1_namespace": "L", "var2_listindex": "0device_type", "var2_name": "PARSE", "var2_namespace": "P", "var2_type": "[0-1,{1-12" } ], "statements": [ { "left": [ { "listindex": "0device_type", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1,{1-12" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check for type", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "Location", "var1_namespace": "L", "var2_listindex": "Aruba_Location", "var2_name": "ip.extattrs", "var2_namespace": "E", "var2_type": "{0-14" } ], "else_next": "check if mac was found on aruba", "eval": [ { "assign_type": "S", "assign_val": "Unknown", "namespace": "XC", "op": "ASSIGN", "var1_name": "Location", "var1_namespace": "L" } ], "statements": [ { "left": [ { "listindex": "Aruba_Location", "name": "ip.extattrs", "namespace": "E", "quoting": "asis", "type": "{0-14" } ], "op": "==", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check for location EA", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "Location", "var1_namespace": "L", "var2_listindex": "0device_location", "var2_name": "PARSE", "var2_namespace": "P", "var2_type": "[0-1,{1-16" } ], "eval": [ { "assign_type": "S", "assign_val": "Unknown", "namespace": "XC", "op": "ASSIGN", "var1_name": "Location", "var1_namespace": "L" } ], "statements": [ { "left": [ { "listindex": "0device_location", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1,{1-16" } ], "op": "==", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check for location", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "next": "Add endpoint event check", "statements": [ { "left": [ { "name": "MacFound", "namespace": "L", "quoting": "asis" } ], "op": "==", "right": [ { "text": "true" } ] } ] }, "content_type": "application/json", "name": "check if mac was found on aruba", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "next": "Add a new ADP endpoint", "statements": [ { "left": [ { "name": "event_type", "namespace": "E", "quoting": "asis" } ], "op": "==", "right": [ { "text": "ADP" } ] } ] }, "content_type": "application/json", "name": "check if new ADP event", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": [ { "text": "{\"mac_address\":\"" }, { "name": "MacFull", "namespace": "L", "quoting": "asis" }, { "text": "\",\"status\":\"Known\",\"description\":\"Added via API at " }, { "name": "TIME", "namespace": "UT", "quoting": "asis" }, { "text": " - " }, { "name": "description", "namespace": "L", "quoting": "asis" }, { "text": "\",\"attributes\":{\"client_hostname\":\"" }, { "name": "host", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Device Type\":\"" }, { "name": "type", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Device Vendor\":\"" }, { "name": "vendor", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Location\":\"" }, { "name": "Location", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Model\":\"Unknown\",\"Comment\":\"" }, { "name": "comment", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox DHCP Fingerprint\":\"" }, { "name": "fingerpring", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Last Known IP\":\"" }, { "name": "Infoblox_Last_Known_IP", "namespace": "L", "quoting": "asis" }, { "text": "\",\"OS Version\":\"Unknown\",\"Infoblox Managed\":\"" }, { "name": "managed", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Threat Category\":\"" }, { "name": "ThreatCategory", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Threat Detection Device IP\":\"" }, { "name": "ThreatDetection", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Threat Name\":\"" }, { "name": "ThreatName", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Threat Severity\":\"" }, { "name": "ThreatSeverity", "namespace": "I", "quoting": "asis" }, { "text": "\",\"Infoblox Threat Status\":\"Unresolved\"}}" } ], "content_type": "application/json", "headers": { "Authorization": [ { "text": "Bearer " }, { "name": "SESSID", "namespace": "S", "quoting": "asis" } ] }, "name": "Add a new endpoint", "nodebug": false, "operation": "POST", "override_headers": false, "parse": "JSON", "parse_regex": null, "path": "/api/endpoint" }, { "body": null, "condition": { "condition_type": "AND", "next": "assign profiler values", "statements": [ { "left": [ { "text": "1" } ], "op": "==", "right": [ { "text": "1" } ] } ] }, "content_type": "application/json", "name": "Jump to non ADP assign profiler values ", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": [ { "text": "{\"mac_address\":\"" }, { "name": "MacFull", "namespace": "L", "quoting": "asis" }, { "text": "\",\"status\":\"Known\",\"description\":\"Added via API at " }, { "name": "TIME", "namespace": "UT", "quoting": "asis" }, { "text": " - " }, { "name": "description", "namespace": "L", "quoting": "asis" }, { "text": "\",\"attributes\":{\"client_hostname\":\"" }, { "name": "host", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Device Type\":\"" }, { "name": "type", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Device Vendor\":\"" }, { "name": "vendor", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Location\":\"" }, { "name": "Location", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Model\":\"Unknown\",\"Comment\":\"" }, { "name": "comment", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox DHCP Fingerprint\":\"" }, { "name": "fingerpring", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Last Known IP\":\"" }, { "name": "Infoblox_Last_Known_IP", "namespace": "L", "quoting": "asis" }, { "text": "\",\"OS Version\":\"Unknown\",\"Infoblox Managed\":\"" }, { "name": "managed", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Threat Category\":\"" }, { "name": "ThreatCategory", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Threat Detection Device IP\":\"" }, { "name": "ThreatDetection", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Threat Name\":\"" }, { "name": "ThreatName", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Threat Severity\":\"" }, { "name": "ThreatSeverity", "namespace": "I", "quoting": "asis" }, { "text": "\",\"Infoblox Rule Id\":\"" }, { "name": "RuleId", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Rule Category\":\"" }, { "name": "RuleCategory", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Threat Status\":\"Unresolved\"}}" } ], "content_type": "application/json", "headers": { "Authorization": [ { "text": "Bearer " }, { "name": "SESSID", "namespace": "S", "quoting": "asis" } ] }, "name": "Add a new ADP endpoint", "nodebug": false, "operation": "POST", "override_headers": false, "parse": "JSON", "parse_regex": null, "path": "/api/endpoint" }, { "body": [ { "text": "{\"mac\":\"" }, { "name": "MacFull", "namespace": "L", "quoting": "asis" }, { "text": "\",\"ip\": \"" }, { "name": "address", "namespace": "L", "quoting": "asis" }, { "text": "\",\"hostname\": \"" }, { "name": "host", "namespace": "L", "quoting": "asis" }, { "text": "\",\"device\":{\"family\":\"" }, { "name": "vendor", "namespace": "L", "quoting": "asis" }, { "text": "\",\"category\":\"" }, { "name": "type", "namespace": "L", "quoting": "asis" }, { "text": "\",\"name\":\"" }, { "name": "host", "namespace": "L", "quoting": "asis" }, { "text": "\"}}" } ], "content_type": "application/json", "headers": { "Accept": "*/*", "Content-Type": "application/json", "User-Agent": "Infoblox Security Integration" }, "name": "assign profiler values", "nodebug": false, "operation": "POST", "override_headers": false, "parse": "JSON", "parse_regex": null, "path": "/async_netd/deviceprofiler/endpoints" }, { "body": null, "condition": { "condition_type": "AND", "next": "Update timestamp", "statements": [ { "left": [ { "text": "1" } ], "op": "==", "right": [ { "text": "1" } ] } ] }, "content_type": "application/json", "name": "jump to update infoblox record", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "next": "Add an endpoint", "statements": [ { "left": [ { "name": "event_type", "namespace": "E", "quoting": "asis" } ], "op": "==", "right": [ { "text": "ADP" } ] } ] }, "content_type": "application/json", "name": "Add endpoint event check", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": [ { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "H" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "E" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "I" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "L" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "S" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "P" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "R" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "RH" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "UT" } ], "content_type": "application/json", "name": "Debug ruleid2", "nodebug": false, "operation": "NOP", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "assign_type": "I", "assign_val": "99999", "namespace": "XC", "op": "ASSIGN", "var1_name": "RuleId", "var1_namespace": "L" } ], "eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "RuleId", "var1_namespace": "L", "var2_name": "rule_id", "var2_namespace": "L" } ], "statements": [ { "left": [ { "name": "rule_id", "namespace": "L", "quoting": "asis" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check if ruleid found", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "assign_type": "S", "assign_val": "unknown", "namespace": "XC", "op": "ASSIGN", "var1_name": "RuleCategory", "var1_namespace": "L" } ], "eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "RuleCategory", "var1_namespace": "L", "var2_name": "rule_category", "var2_namespace": "L" } ], "statements": [ { "left": [ { "name": "rule_category", "namespace": "L", "quoting": "asis" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check if rule_category found", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": [ { "text": "{\"mac_address\":\"" }, { "name": "MacFull", "namespace": "L", "quoting": "asis" }, { "text": "\",\"status\":\"Known\",\"description\":\"Added via API at " }, { "name": "TIME", "namespace": "UT", "quoting": "asis" }, { "text": " - " }, { "name": "description", "namespace": "L", "quoting": "asis" }, { "text": "\",\"attributes\":{\"client_hostname\":\"" }, { "name": "host", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Device Type\":\"" }, { "name": "type", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Device Vendor\":\"" }, { "name": "vendor", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Location\":\"" }, { "name": "Location", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Model\":\"Unknown\",\"Comment\":\"" }, { "name": "comment", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Last Known IP\":\"" }, { "name": "Infoblox_Last_Known_IP", "namespace": "L", "quoting": "asis" }, { "text": "\",\"OS Version\":\"Unknown\",\"Infoblox Managed\":\"" }, { "name": "managed", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox DHCP Fingerprint\":\"" }, { "name": "fingerpring", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Threat Category\":\"" }, { "name": "ThreatCategory", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Threat Detection Device IP\":\"" }, { "name": "ThreatDetection", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Threat Name\":\"" }, { "name": "ThreatName", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Threat Severity\":\"" }, { "name": "ThreatSeverity", "namespace": "I", "quoting": "asis" }, { "text": "\",\"Infoblox Rule Id\":\"" }, { "name": "RuleId", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Rule Category\":\"" }, { "name": "RuleCategory", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Threat Status\":\"Unresolved\"}}" } ], "content_type": "application/json", "headers": { "Authorization": [ { "text": "Bearer " }, { "name": "SESSID", "namespace": "S", "quoting": "asis" } ] }, "name": "Add an endpoint", "nodebug": false, "operation": "PUT", "override_headers": false, "parse": "JSON", "parse_regex": null, "path": [ { "text": "/api/endpoint/mac-address/" }, { "name": "Mac1", "namespace": "L", "quoting": "asis" }, { "name": "Mac2", "namespace": "L", "quoting": "asis" }, { "name": "Mac3", "namespace": "L", "quoting": "asis" }, { "name": "Mac4", "namespace": "L", "quoting": "asis" }, { "name": "Mac5", "namespace": "L", "quoting": "asis" }, { "name": "Mac6", "namespace": "L", "quoting": "asis" } ] }, { "body": [ { "text": "{\"extattrs+\":{\"Aruba_LastSecurityEvent\": { \"value\": \"" }, { "name": "TIME", "namespace": "UT", "quoting": "asis" }, { "text": "\"}}}" } ], "content_type": "application/json", "name": "Update timestamp", "nodebug": false, "operation": "PUT", "override_headers": false, "path": [ { "text": "/wapi/v2.7/" }, { "name": "Obj_ref", "namespace": "L", "quoting": "asis" } ], "wapi": "v2.7", "wapi_quoting": "JSON" }, { "body": null, "condition": { "condition_type": "AND", "statements": [ { "left": [ { "text": "1" } ], "op": "==", "right": [ { "text": "1" } ] } ], "stop": true }, "content_type": "application/json", "name": "Stop everthing", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" } ], "template_variables": {}, "vendor_identifier": "Aruba ClearPass", "version": "4.0" } [2022/01/18 18:40:04.749255] infoblox.localdomain (DEBUG): Executing step Debug#0 (1) [2022/01/18 18:40:04.749384] infoblox.localdomain (DEBUG): Namespace H contents are: {'Content-Type': u'application/json', 'Authorization': '[*********]', 'User-Agent': 'Infoblox Security Integration'} [2022/01/18 18:40:04.749535] infoblox.localdomain (DEBUG): Namespace E contents are: {u'event_type': 'RPZ', u'ip.extattrs': {u'Aruba_Sync': u'true'}, u'range.end_addr': u'10.74.49.15', u'ip.username': u'', u'thread_id': 0, 'network.netmask': 27, u'lease.hardware': u'00:50:56:a4:30:54', u'member_name': u'infoblox.localdomain', u'rpz_policy': u'NXDOMAIN', 'network.ipv4addr': '10.74.49.0', u'query_type': 1, u'query_view_name': u'_default', u'rpz_severity': u'MAJOR', u'range.start_addr': u'10.74.49.8', u'ip.discovered_data.first_discovered': u'2022-01-18T13:39:35Z', u'destination_ip': u'10.74.49.5', u'network.network': u'10.74.49.0/27', u'network.extattrs': {u'Aruba_Sync': u'true'}, u'timestamp': u'2022-01-18T17:40:02Z', u'vnode_oid': 0, u'lease.ends': u'2022-01-19T02:52:13Z', u'lease.fingerprint': u'Generic Windows', u'rule_name': u'test1.deny', u'sequence_id': 0, u'lease.starts': u'2022-01-18T14:52:13Z', u'rpz_type': u'QNAME', u'network.network_view': u'default', u'threat_origin': u'NIOS', u'member_ip': u'10.74.49.5', u'lease.binding_state': u'ACTIVE', u'source_ip': u'10.74.49.15', u'ip.discovered_data.mac_address': u'00:50:56:a4:30:54', u'query_name': u'test1', u'ip.names': [u'peter-ubuntu'], u'lease.client_hostname': u'peter-ubuntu', u'source_port': 33644} [2022/01/18 18:40:04.749629] infoblox.localdomain (DEBUG): Namespace I contents are: {u'ThreatSeverity': u'Low', u'KEY': u'/ss+y9sP/kD83QdRZF2TDkuS+jNsmP58U16AlaPB2Hsa', u'Client_ID': u'BloxCS'} [2022/01/18 18:40:04.749711] infoblox.localdomain (DEBUG): Namespace L contents are: {} [2022/01/18 18:40:04.749798] infoblox.localdomain (DEBUG): Namespace S contents are: {u'Client_ID': u'BloxCS', u'KEY': u'/ss+y9sP/kD83QdRZF2TDkuS+jNsmP58U16AlaPB2Hsa', 'URI': u'https://10.74.49.4', u'SESSID': u'c3d3c44c951be5c3a7ca24d883505d72c5710d95', 'USER': u'admin', 'TIMEOUT': 30} [2022/01/18 18:40:04.749875] infoblox.localdomain (DEBUG): Namespace P contents are: {} [2022/01/18 18:40:04.749958] infoblox.localdomain (DEBUG): Namespace R contents are: {} [2022/01/18 18:40:04.750034] infoblox.localdomain (DEBUG): Namespace RH contents are: {} [2022/01/18 18:40:04.750295] infoblox.localdomain (DEBUG): Namespace UT contents are: {'USERNAME': '[redacted]', 'ENDPOINT': 'notification:rest:endpoint/b25lLmVuZHBvaW50JDI', 'PROTOCOL': u'https', 'UUID': '1ad8d0f6-370d-43a8-a4bc-f8a41d4334cb', 'WAPIUSERNAME': u'admin', 'URI': u'https://10.74.49.4', 'HOST': u'10.74.49.4', 'EPOCH': '1642527604', 'TIME': '2022-01-18T17:40:04Z', 'PATH': u'', 'PASSWORD': '[redacted]', 'PORT': 443} [2022/01/18 18:40:04.750412] infoblox.localdomain (DEBUG): Executing step check if IPv4 or IPv6 for assigning variables (1) [2022/01/18 18:40:04.750500] infoblox.localdomain (DEBUG): Found a/an AND condition step! [2022/01/18 18:40:04.750603] infoblox.localdomain (DEBUG): Evaluating statement: 10.74.49.15 =~ : [2022/01/18 18:40:04.750684] infoblox.localdomain (DEBUG): The condition did not match! [2022/01/18 18:40:04.750743] infoblox.localdomain (DEBUG): Executing the else_eval block [2022/01/18 18:40:04.750960] infoblox.localdomain (DEBUG): Executing step assignTimeValue (1) [2022/01/18 18:40:04.751152] infoblox.localdomain (DEBUG): Executing step check for IPv6 (1) [2022/01/18 18:40:04.751234] infoblox.localdomain (DEBUG): Found a/an AND condition step! [2022/01/18 18:40:04.751427] infoblox.localdomain (DEBUG): Evaluating statement: "10.74.49.15" =~ : [2022/01/18 18:40:04.751506] infoblox.localdomain (DEBUG): The condition did not match! [2022/01/18 18:40:04.751595] infoblox.localdomain (DEBUG): Executing step Get IPv4Fixed _ref (1) [2022/01/18 18:40:04.752116] infoblox.localdomain (DEBUG): Sleeping for 0 seconds [2022/01/18 18:40:04.752305] infoblox.localdomain (DEBUG): Sending a 'GET' request within connection: protocol='https', host='10.74.49.5', port='443', path='/wapi/v2.7/fixedaddress?ipv4addr=10.74.49.15&network_view=default&_return_fields=extattrs', headers={'Content-Type': 'application/json', 'Cookie': '[*********]', 'Accept': 'application/json', 'Authorization': '[*********]'}, body='(no body)'. [2022/01/18 18:40:04.752404] infoblox.localdomain (DEBUG): Request timeout is 30 [2022/01/18 18:40:04.819677] infoblox.localdomain (DEBUG): Response status:200 reason:OK headers:{'x-xss-protection': '1; mode=block', 'x-content-type-options': 'nosniff', 'transfer-encoding': 'chunked', 'set-cookie': '[*********]', 'strict-transport-security': 'max-age=31536000; includeSubDomains', 'connection': 'close', 'pragma': 'no-cache', 'cache-control': 'no-cache, no-store', 'date': 'Tue, 18 Jan 2022 17:40:04 GMT', 'x-frame-options': 'SAMEORIGIN', 'content-type': 'application/json'} data:[] [2022/01/18 18:40:04.819791] infoblox.localdomain (DEBUG): The previous endpoint request returned status 200 [2022/01/18 18:40:04.819873] infoblox.localdomain (DEBUG): Parsing the endpoint message {'BODY': '[]', 'REASON': 'OK', 'RC': 200} [2022/01/18 18:40:04.819999] infoblox.localdomain (DEBUG): The parsing output is {'PARSE': []} [2022/01/18 18:40:04.820106] infoblox.localdomain (DEBUG): Executing step wapi_response_getIPv4Fix_ref (1) [2022/01/18 18:40:04.820195] infoblox.localdomain (DEBUG): Found a/an AND condition step! [2022/01/18 18:40:04.820338] infoblox.localdomain (DEBUG): Evaluating statement: != [2022/01/18 18:40:04.820412] infoblox.localdomain (DEBUG): The condition did not match! [2022/01/18 18:40:04.820502] infoblox.localdomain (DEBUG): Executing step Get HostIPv4 _ref (1) [2022/01/18 18:40:04.820962] infoblox.localdomain (DEBUG): Sleeping for 0 seconds [2022/01/18 18:40:04.821144] infoblox.localdomain (DEBUG): Sending a 'GET' request within connection: protocol='https', host='10.74.49.5', port='443', path='/wapi/v2.7/record:host?ipv4addr=10.74.49.15&network_view=default&_return_fields=extattrs', headers={'Content-Type': 'application/json', 'Cookie': '[*********]', 'Accept': 'application/json', 'Authorization': '[*********]'}, body='(no body)'. [2022/01/18 18:40:04.821243] infoblox.localdomain (DEBUG): Request timeout is 30 [2022/01/18 18:40:04.865280] infoblox.localdomain (DEBUG): Response status:200 reason:OK headers:{'x-xss-protection': '1; mode=block', 'x-content-type-options': 'nosniff', 'transfer-encoding': 'chunked', 'strict-transport-security': 'max-age=31536000; includeSubDomains', 'connection': 'close', 'pragma': 'no-cache', 'cache-control': 'no-cache, no-store', 'date': 'Tue, 18 Jan 2022 17:40:04 GMT', 'x-frame-options': 'SAMEORIGIN', 'content-type': 'application/json'} data:[] [2022/01/18 18:40:04.865406] infoblox.localdomain (DEBUG): The previous endpoint request returned status 200 [2022/01/18 18:40:04.865484] infoblox.localdomain (DEBUG): Parsing the endpoint message {'BODY': '[]', 'REASON': 'OK', 'RC': 200} [2022/01/18 18:40:04.865614] infoblox.localdomain (DEBUG): The parsing output is {'PARSE': []} [2022/01/18 18:40:04.865725] infoblox.localdomain (DEBUG): Executing step wapi_response_getIPv4Host_ref (1) [2022/01/18 18:40:04.865816] infoblox.localdomain (DEBUG): Found a/an AND condition step! [2022/01/18 18:40:04.865970] infoblox.localdomain (DEBUG): Evaluating statement: != [2022/01/18 18:40:04.866051] infoblox.localdomain (DEBUG): The condition did not match! [2022/01/18 18:40:04.866112] infoblox.localdomain (DEBUG): A stop condition was triggered, exiting [2022/01/18 18:40:04.866189] infoblox.localdomain (DEBUG): The template was executed successfully [2022/01/18 18:40:05.714204] infoblox.localdomain (DEBUG): Executing the template Aruba ClearPass Logout [2022/01/18 18:40:05.714436] infoblox.localdomain (DEBUG): Event {u'event_type': 'RPZ', u'ip.extattrs': {u'Aruba_Sync': u'true'}, u'range.end_addr': u'10.74.49.15', u'ip.username': u'', u'thread_id': 0, 'network.netmask': 27, u'lease.hardware': u'00:50:56:a4:30:54', u'member_name': u'infoblox.localdomain', u'rpz_policy': u'NXDOMAIN', 'network.ipv4addr': '10.74.49.0', u'query_type': 1, u'query_view_name': u'_default', u'rpz_severity': u'MAJOR', u'range.start_addr': u'10.74.49.8', u'ip.discovered_data.first_discovered': u'2022-01-18T13:39:35Z', u'destination_ip': u'10.74.49.5', u'network.network': u'10.74.49.0/27', u'network.extattrs': {u'Aruba_Sync': u'true'}, u'timestamp': u'2022-01-18T17:40:02Z', u'vnode_oid': 0, u'lease.ends': u'2022-01-19T02:52:13Z', u'lease.fingerprint': u'Generic Windows', u'rule_name': u'test1.deny', u'sequence_id': 0, u'lease.starts': u'2022-01-18T14:52:13Z', u'rpz_type': u'QNAME', u'network.network_view': u'default', u'threat_origin': u'NIOS', u'member_ip': u'10.74.49.5', u'lease.binding_state': u'ACTIVE', u'source_ip': u'10.74.49.15', u'ip.discovered_data.mac_address': u'00:50:56:a4:30:54', u'query_name': u'test1', u'ip.names': [u'peter-ubuntu'], u'lease.client_hostname': u'peter-ubuntu', u'source_port': 33644} [2022/01/18 18:40:05.714604] infoblox.localdomain (DEBUG): Event fields with no value ['atc_hit_type', 'atc_hit_values', 'ip.discovered_data.device_model', 'ip.discovered_data.device_port_name', 'ip.discovered_data.device_type', 'ip.discovered_data.device_port_type', 'ip.discovered_data.vendor', 'ip.discovered_data.discovered_name', 'ip.discovered_data.duid', 'ip.discovered_data.netbios_name', 'ip.discovered_data.port_link_status', 'ip.discovered_data.port_speed', 'ip.discovered_data.port_status', 'ip.discovered_data.port_vlan_name', 'ip.discovered_data.port_vlan_description', 'lease.ipv6_duid'] [2022/01/18 18:40:05.714982] infoblox.localdomain (DEBUG): Deserialized template in use: { "comment": null, "content_type": "application/json", "headers": {}, "instance_variables": {}, "name": "Aruba ClearPass Logout", "path": "", "quoting": "json", "steps": [ { "body": [ { "assign_type": "S", "assign_val": "", "namespace": "XC", "op": "ASSIGN", "var1_name": "SESSID", "var1_namespace": "S" } ], "content_type": "application/json", "name": "Clear the session ID", "nodebug": false, "operation": "NOP", "override_headers": false, "path": "" } ], "template_variables": {}, "vendor_identifier": "Aruba ClearPass", "version": "3.0" } [2022/01/18 18:40:05.715078] infoblox.localdomain (DEBUG): Executing step Clear the session ID (1) [2022/01/18 18:40:05.715236] infoblox.localdomain (DEBUG): The template was executed successfully