[2022/01/26 10:02:39.165570] infoblox.localdomain (DEBUG): got: 988ee287-4d16-4916-bf0f-3f42885a532d, stored: None
[2022/01/26 10:02:39.177876] infoblox.localdomain (DEBUG): Executing the template Aruba ClearPass Login
[2022/01/26 10:02:39.178022] infoblox.localdomain (DEBUG): Event {u'event_type': 'RPZ', u'ip.extattrs': {u'Aruba_Sync': u'true'}, u'range.end_addr': u'10.74.49.15', u'ip.username': u'', u'thread_id': 0, 'network.netmask': 27, u'lease.hardware': u'00:50:56:a4:30:54', u'member_name': u'infoblox.localdomain', u'rpz_policy': u'NXDOMAIN', 'network.ipv4addr': '10.74.49.0', u'query_type': 1, u'query_view_name': u'_default', u'rpz_severity': u'MAJOR', u'range.start_addr': u'10.74.49.8', u'ip.discovered_data.first_discovered': u'2022-01-18T13:39:35Z', u'destination_ip': u'10.74.49.5', u'network.network': u'10.74.49.0/27', u'network.extattrs': {u'Aruba_Sync': u'true'}, u'timestamp': u'2022-01-26T09:02:37Z', u'vnode_oid': 0, u'lease.ends': u'2022-01-26T19:55:45Z', u'lease.fingerprint': u'Generic Windows OS', u'rule_name': u'test1.deny', u'sequence_id': 4, u'lease.starts': u'2022-01-26T07:55:45Z', u'rpz_type': u'QNAME', u'network.network_view': u'default', u'threat_origin': u'NIOS', u'member_ip': u'10.74.49.5', u'lease.binding_state': u'ACTIVE', u'source_ip': u'10.74.49.15', u'ip.discovered_data.mac_address': u'00:50:56:a4:30:54', u'query_name': u'test1', u'ip.names': [u'peter-ubuntu'], u'lease.client_hostname': u'peter-ubuntu', u'source_port': 40459}
[2022/01/26 10:02:39.178153] infoblox.localdomain (DEBUG): Event fields with no value ['atc_hit_type', 'atc_hit_values', 'ip.discovered_data.device_model', 'ip.discovered_data.device_port_name', 'ip.discovered_data.device_type', 'ip.discovered_data.device_port_type', 'ip.discovered_data.vendor', 'ip.discovered_data.discovered_name', 'ip.discovered_data.duid', 'ip.discovered_data.netbios_name', 'ip.discovered_data.port_link_status', 'ip.discovered_data.port_speed', 'ip.discovered_data.port_status',
'ip.discovered_data.port_vlan_name', 'ip.discovered_data.port_vlan_description', 'lease.ipv6_duid']
[2022/01/26 10:02:39.179629] infoblox.localdomain (DEBUG): Deserialized template in use: { "comment": null, "content_type": "application/json", "headers": {}, "instance_variables": {}, "name": "Aruba ClearPass Login", "path": "", "quoting": "json", "steps": [ { "body": [ { "text": "{\"grant_type\": \"client_credentials\", \"client_secret\":\"" }, { "name": "KEY", "namespace": "S", "quoting": "asis" }, { "text": "\",\"client_id\":\"" }, { "name": "Client_ID", "namespace": "S", "quoting": "url" }, { "text": "\"}" } ], "content_type": "application/json", "headers": { "Authorization": "", "Content-Type": "application/json", "User-Agent": "Infoblox Security Integration", "X-Requested-With": "XMLHttpRequest" }, "name": "send login request", "nodebug": false, "operation": "POST", "override_headers": false, "parse": "JSON", "parse_regex": null, "path": "/api/oauth" }, { "body": [ { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "H" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "E" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "I" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "L" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "S" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "P" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "R" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "RH" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "UT" } ], "content_type": "application/json", "name": "Debug", "nodebug": false, "operation": "NOP", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "SESSID", "var1_namespace": "S", "var2_name": "access_token", "var2_namespace": "P" } ], "error": true, "statements": [ { "left": [ { "name": "RC", "namespace": "R", "quoting": "asis" } ], "op": "!=", "right": [ { "text": "200" } ] } ] }, "content_type": "application/json", "name": "login. errorcheck", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" } ], "template_variables": {}, "vendor_identifier": "Aruba ClearPass", "version": "3.0" }
[2022/01/26 10:02:39.179780] infoblox.localdomain (DEBUG): Executing step send login request (1)
[2022/01/26 10:02:39.180207] infoblox.localdomain (DEBUG): Sleeping for 0 seconds
[2022/01/26 10:02:39.180352] infoblox.localdomain (DEBUG): Sending a 'POST' request within connection: protocol='https', host='10.74.49.4', port='443', path='/api/oauth', headers={u'X-Requested-With': u'XMLHttpRequest', 'Content-Type': u'application/json', 'User-Agent': u'Infoblox Security Integration'}, body='{"grant_type": "client_credentials", "client_secret":"/ss+y9sP/kD83QdRZF2TDkuS+jNsmP58U16AlaPB2Hsa","client_id":"BloxCS"}'.
[2022/01/26 10:02:39.180437] infoblox.localdomain (DEBUG): closing connection due to keepalive_timeout
[2022/01/26 10:02:39.180522] infoblox.localdomain (DEBUG): Request timeout is 30
[2022/01/26 10:02:39.370264] infoblox.localdomain (DEBUG): Response status:200 reason:OK headers:{'content-length': '113', 'x-xss-protection': '1;mode=block', 'x-content-type-options': 'nosniff', 'set-cookie': '[*********]', 'expires': 'Thu, 19 Nov 1981 08:52:00 GMT', 'vary': 'X-Forwarded-For', 'server': 'Apache', 'pragma': 'no-cache', 'cache-control': 'no-store', 'date': 'Wed, 26 Jan 2022 09:03:04 GMT', 'content-type': 'application/json'} data:{"access_token":"17fa297ad2b6f7bc9067e4ba3b5c8586ac86efb0","expires_in":28800,"token_type":"Bearer","scope":null}
[2022/01/26 10:02:39.370437] infoblox.localdomain (DEBUG): The previous endpoint request returned status 200
[2022/01/26 10:02:39.370520] infoblox.localdomain (DEBUG): Parsing the endpoint message {'BODY': '{"access_token":"17fa297ad2b6f7bc9067e4ba3b5c8586ac86efb0","expires_in":28800,"token_type":"Bearer","scope":null}', 'REASON': 'OK', 'RC': 200}
[2022/01/26 10:02:39.370777] infoblox.localdomain (DEBUG): The parsing output is {u'access_token': u'17fa297ad2b6f7bc9067e4ba3b5c8586ac86efb0', u'token_type': u'Bearer', u'expires_in': 28800, u'scope': None}
[2022/01/26 10:02:39.370870] infoblox.localdomain (DEBUG): Executing step Debug (1)
[2022/01/26 10:02:39.370974] infoblox.localdomain (DEBUG): Namespace H contents are: {'Content-Type': u'application/json', 'Authorization': '[*********]', 'User-Agent': 'Infoblox Security Integration'}
[2022/01/26 10:02:39.371106] infoblox.localdomain (DEBUG): Namespace E contents are: {u'event_type': 'RPZ', u'ip.extattrs': {u'Aruba_Sync': u'true'}, u'range.end_addr': u'10.74.49.15', u'ip.username': u'', u'thread_id': 0, 'network.netmask': 27, u'lease.hardware': u'00:50:56:a4:30:54', u'member_name': u'infoblox.localdomain', u'rpz_policy': u'NXDOMAIN', 'network.ipv4addr': '10.74.49.0', u'query_type': 1,
u'query_view_name': u'_default', u'rpz_severity': u'MAJOR', u'range.start_addr': u'10.74.49.8', u'ip.discovered_data.first_discovered': u'2022-01-18T13:39:35Z', u'destination_ip': u'10.74.49.5', u'network.network': u'10.74.49.0/27', u'network.extattrs': {u'Aruba_Sync': u'true'}, u'timestamp': u'2022-01-26T09:02:37Z', u'vnode_oid': 0, u'lease.ends': u'2022-01-26T19:55:45Z', u'lease.fingerprint': u'Generic Windows OS', u'rule_name': u'test1.deny', u'sequence_id': 4, u'lease.starts': u'2022-01-26T07:55:45Z', u'rpz_type': u'QNAME', u'network.network_view': u'default', u'threat_origin': u'NIOS', u'member_ip': u'10.74.49.5', u'lease.binding_state': u'ACTIVE', u'source_ip': u'10.74.49.15', u'ip.discovered_data.mac_address': u'00:50:56:a4:30:54', u'query_name': u'test1', u'ip.names': [u'peter-ubuntu'], u'lease.client_hostname': u'peter-ubuntu', u'source_port': 40459}
[2022/01/26 10:02:39.371208] infoblox.localdomain (DEBUG): Namespace I contents are: {u'ThreatSeverity': u'Low', u'KEY': u'/ss+y9sP/kD83QdRZF2TDkuS+jNsmP58U16AlaPB2Hsa', u'Client_ID': u'BloxCS'}
[2022/01/26 10:02:39.371283] infoblox.localdomain (DEBUG): Namespace L contents are: {}
[2022/01/26 10:02:39.371367] infoblox.localdomain (DEBUG): Namespace S contents are: {'USER': u'admin', 'TIMEOUT': 30, u'KEY': u'/ss+y9sP/kD83QdRZF2TDkuS+jNsmP58U16AlaPB2Hsa', u'Client_ID': u'BloxCS', 'URI': u'https://10.74.49.4'}
[2022/01/26 10:02:39.371454] infoblox.localdomain (DEBUG): Namespace P contents are: {u'access_token': u'17fa297ad2b6f7bc9067e4ba3b5c8586ac86efb0', u'token_type': u'Bearer', u'expires_in': 28800, u'scope': None}
[2022/01/26 10:02:39.371532] infoblox.localdomain (DEBUG): Namespace R contents are: {'BODY': '{"access_token":"17fa297ad2b6f7bc9067e4ba3b5c8586ac86efb0","expires_in":28800,"token_type":"Bearer","scope":null}', 'REASON': 'OK', 'RC': 200}
[2022/01/26 10:02:39.371619] infoblox.localdomain (DEBUG): Namespace RH contents are: {'content-length': '113', 'x-xss-protection': '1;mode=block',
'x-content-type-options': 'nosniff', 'set-cookie': '[*********]', 'expires': 'Thu, 19 Nov 1981 08:52:00 GMT', 'vary': 'X-Forwarded-For', 'server': 'Apache', 'pragma': 'no-cache', 'cache-control': 'no-store', 'date': 'Wed, 26 Jan 2022 09:03:04 GMT', 'content-type': 'application/json'}
[2022/01/26 10:02:39.371850] infoblox.localdomain (DEBUG): Namespace UT contents are: {'USERNAME': '[redacted]', 'ENDPOINT': 'notification:rest:endpoint/b25lLmVuZHBvaW50JDI', 'PROTOCOL': u'https', 'UUID': 'c60fb84e-79a7-4f11-b590-6b5ffd054e19', 'WAPIUSERNAME': u'admin', 'URI': u'https://10.74.49.4', 'HOST': u'10.74.49.4', 'EPOCH': '1643187759', 'TIME': '2022-01-26T09:02:39Z', 'PATH': u'', 'PASSWORD': '[redacted]', 'PORT': 443}
[2022/01/26 10:02:39.371943] infoblox.localdomain (DEBUG): Executing step login. errorcheck (1)
[2022/01/26 10:02:39.372035] infoblox.localdomain (DEBUG): Found a/an AND condition step!
[2022/01/26 10:02:39.372140] infoblox.localdomain (DEBUG): Evaluating statement: 200 != 200
[2022/01/26 10:02:39.372208] infoblox.localdomain (DEBUG): The condition did not match!
[2022/01/26 10:02:39.372264] infoblox.localdomain (DEBUG): Executing the else_eval block
[2022/01/26 10:02:39.372410] infoblox.localdomain (DEBUG): The template was executed successfully
[2022/01/26 10:02:39.373105] infoblox.localdomain (DEBUG): Executing the template Aruba ClearPass Security
[2022/01/26 10:02:39.373224] infoblox.localdomain (DEBUG): Event {u'event_type': 'RPZ', u'ip.extattrs': {u'Aruba_Sync': u'true'}, u'range.end_addr': u'10.74.49.15', u'ip.username': u'', u'thread_id': 0, 'network.netmask': 27, u'lease.hardware': u'00:50:56:a4:30:54', u'member_name': u'infoblox.localdomain', u'rpz_policy': u'NXDOMAIN', 'network.ipv4addr': '10.74.49.0', u'query_type': 1, u'query_view_name': u'_default', u'rpz_severity': u'MAJOR', u'range.start_addr': u'10.74.49.8', u'ip.discovered_data.first_discovered': u'2022-01-18T13:39:35Z', u'destination_ip': u'10.74.49.5', u'network.network': u'10.74.49.0/27', u'network.extattrs': {u'Aruba_Sync': u'true'}, u'timestamp': u'2022-01-26T09:02:37Z', u'vnode_oid': 0, u'lease.ends': u'2022-01-26T19:55:45Z', u'lease.fingerprint': u'Generic Windows OS', u'rule_name': u'test1.deny', u'sequence_id': 4, u'lease.starts': u'2022-01-26T07:55:45Z', u'rpz_type': u'QNAME', u'network.network_view': u'default', u'threat_origin': u'NIOS', u'member_ip': u'10.74.49.5', u'lease.binding_state': u'ACTIVE', u'source_ip': u'10.74.49.15', u'ip.discovered_data.mac_address': u'00:50:56:a4:30:54', u'query_name': u'test1', u'ip.names': [u'peter-ubuntu'], u'lease.client_hostname': u'peter-ubuntu', u'source_port': 40459}
[2022/01/26 10:02:39.373341] infoblox.localdomain (DEBUG): Event fields with no value ['atc_hit_type', 'atc_hit_values', 'ip.discovered_data.device_model', 'ip.discovered_data.device_port_name', 'ip.discovered_data.device_type', 'ip.discovered_data.device_port_type', 'ip.discovered_data.vendor', 'ip.discovered_data.discovered_name', 'ip.discovered_data.duid', 'ip.discovered_data.netbios_name', 'ip.discovered_data.port_link_status',
'ip.discovered_data.port_speed', 'ip.discovered_data.port_status', 'ip.discovered_data.port_vlan_name', 'ip.discovered_data.port_vlan_description', 'lease.ipv6_duid']
[2022/01/26 10:02:39.411817] infoblox.localdomain (DEBUG): Deserialized template in use: { "comment": "", "content_type": "application/json", "headers": { "Accept": "*/*" }, "instance_variables": { "ThreatSeverity": "Low" }, "name": "Aruba ClearPass Security", "path": "", "quoting": "json", "steps": [ { "body": [ { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "H" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "E" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "I" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "L" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "S" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "P" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "R" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "RH" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "UT" } ], "content_type": "application/json", "name": "Debug#0", "nodebug": false, "operation": "NOP", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "address", "var1_namespace": "L", "var2_name": "source_ip", "var2_namespace": "E" }, { "assign_type": "S", "assign_val": "ipv4addr", "namespace": "XC", "op": "ASSIGN", "var1_name": "addr", "var1_namespace": "L" }, { "assign_type": "S", "assign_val": "fixedaddress", "namespace": "XC", "op": "ASSIGN", "var1_name": "fixed", "var1_namespace": "L" } ], "eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "address", "var1_namespace": "L", "var2_name": "source_ip", "var2_namespace": "E" }, { "assign_type": "S", "assign_val": "ipv6addr", "namespace":
"XC", "op": "ASSIGN", "var1_name": "addr", "var1_namespace": "L" }, { "assign_type": "S", "assign_val": "ipv6fixedaddress", "namespace": "XC", "op": "ASSIGN", "var1_name": "fixed", "var1_namespace": "L" } ], "statements": [ { "left": [ { "name": "source_ip", "namespace": "E", "quoting": "asis" } ], "op": "=~", "right": [ { "text": ":" } ] } ] }, "content_type": "application/json", "name": "check if IPv4 or IPv6 for assigning variables", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": [ { "namespace": "XC", "op": "COPY", "var1_name": "ArubaAddDate", "var1_namespace": "L", "var2_name": "TIME", "var2_namespace": "UT" }, { "fmt": "TRUNCATE", "fmtstr": "10t", "namespace": "XC", "op": "FORMAT", "var1_name": "ArubaAddDate", "var1_namespace": "L" } ], "content_type": "application/json", "name": "assignTimeValue", "nodebug": false, "operation": "NOP", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "next": "Get IPv6Fixed _ref", "statements": [ { "left": [ { "name": "source_ip", "namespace": "E", "quoting": "json" } ], "op": "=~", "right": [ { "text": ":" } ] } ] }, "content_type": "application/json", "name": "check for IPv6", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "content_type": "application/json", "headers": { "Accept": "application/json", "Authorization": "Basic YWRtaW46aW5mb2Jsb3g=", "Content-Type": "application/json" }, "name": "Get IPv4Fixed _ref", "nodebug": false, "operation": "GET", "override_headers": true, "parse": "JSON", "path": [ { "text": "/wapi/v2.7/fixedaddress?ipv4addr=" }, { "name": "source_ip", "namespace": "E", "quoting": "url" }, { "text": "&network_view=default&_return_fields=extattrs" } ], "wapi": "v2.7" }, { "body": null, "condition": { "condition_type": "AND", "eval": [ { "assign_type": "S", "assign_val": "fixedaddress", "namespace": "XC", "op": "ASSIGN", "var1_name": "Path", "var1_namespace": "L" } ], 
"next": "Get_Objref", "statements": [ { "left": [ { "listindex": "0_ref", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1,{1-5" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "wapi_response_getIPv4Fix_ref", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "content_type": "application/json", "headers": { "Accept": "application/json", "Authorization": "Basic YWRtaW46aW5mb2Jsb3g=", "Content-Type": "application/json" }, "name": "Get HostIPv4 _ref", "nodebug": false, "operation": "GET", "override_headers": true, "parse": "JSON", "path": [ { "text": "/wapi/v2.7/record:host?ipv4addr=" }, { "name": "source_ip", "namespace": "E", "quoting": "url" }, { "text": "&network_view=default&_return_fields=extattrs" } ], "wapi": "v2.7" }, { "body": null, "condition": { "condition_type": "AND", "else_next": "check if ADP event", "eval": [ { "assign_type": "S", "assign_val": "", "namespace": "XC", "op": "ASSIGN", "var1_name": "operating_system", "var1_namespace": "L" }, { "assign_type": "S", "assign_val": "record:host", "namespace": "XC", "op": "ASSIGN", "var1_name": "Path", "var1_namespace": "L" } ], "next": "Get_Objref", "statements": [ { "left": [ { "listindex": "0_ref", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1,{1-5" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "wapi_response_getIPv4Host_ref", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "content_type": "application/json", "name": "Get IPv6Fixed _ref", "nodebug": false, "operation": "GET", "override_headers": false, "path": [ { "text": "/wapi/v2.7/ipv6fixedaddress?ipv6addr=" }, { "name": "source_ip", "namespace": "E", "quoting": "url" }, { "text": "&network_view=default&_return_fields=extattrs" } ], "wapi": "v2.7" }, { "body": null, "condition": { "condition_type": "AND", "eval": [ { 
"assign_type": "S", "assign_val": "ipv6fixedaddress", "namespace": "XC", "op": "ASSIGN", "var1_name": "Path", "var1_namespace": "L" } ], "next": "Get_Objref", "statements": [ { "left": [ { "listindex": "0_ref", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1,{1-5" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "wapi_response_getIPv6Fix_ref", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "content_type": "application/json", "name": "Get HostIPv6 _ref", "nodebug": false, "operation": "GET", "override_headers": false, "path": [ { "text": "/wapi/v2.7/record:host?ipv6addr=" }, { "name": "source_ip", "namespace": "E", "quoting": "url" }, { "text": "&network_view=default&_return_fields=extattrs" } ], "wapi": "v2.7" }, { "body": null, "condition": { "condition_type": "AND", "else_next": "check if ADP event", "eval": [ { "assign_type": "S", "assign_val": "", "namespace": "XC", "op": "ASSIGN", "var1_name": "operating_system", "var1_namespace": "L" }, { "assign_type": "S", "assign_val": "record:host", "namespace": "XC", "op": "ASSIGN", "var1_name": "Path", "var1_namespace": "L" } ], "next": "Get_Objref", "statements": [ { "left": [ { "listindex": "0_ref", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1,{1-5" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "wapi_response_getIPv6Host_ref", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "Obj_ref", "var1_namespace": "L", "var2_listindex": "0_ref", "var2_name": "PARSE", "var2_namespace": "P", "var2_type": "[0-1,{1-5" } ], "statements": [ { "left": [ { "listindex": "0_ref", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1,{1-5" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, 
"content_type": "application/json", "name": "Get_Objref", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "OR", "statements": [ { "left": [ { "name": "Obj_ref", "namespace": "L", "quoting": "asis" } ], "op": "==", "right": [ { "text": "" } ] } ], "stop": true }, "content_type": "application/json", "name": "Stop if no Obj_ref", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "OR", "statements": [ { "left": [ { "listindex": "0extattrsAruba_Securevalue", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1,{1-9,{9-21,{21-26" } ], "op": "==", "right": [ { "text": "" } ] } ], "stop": true }, "content_type": "application/json", "name": "stop if no extattrs", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "OR", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "ArubaAddDateRecorded", "var1_namespace": "L", "var2_listindex": "0extattrsAruba_LastSecurityEventvalue", "var2_name": "PARSE", "var2_namespace": "P", "var2_type": "[0-1,{1-9,{9-32,{32-37" }, { "fmt": "TRUNCATE", "fmtstr": "10t", "namespace": "XC", "op": "FORMAT", "var1_name": "ArubaAddDateRecorded", "var1_namespace": "L" } ], "eval": [ { "assign_type": "S", "assign_val": "", "namespace": "XC", "op": "ASSIGN", "var1_name": "ArubaAddDateRecorded", "var1_namespace": "L" } ], "statements": [ { "left": [ { "listindex": "0extattrsAruba_LastSecurityEventvalue", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1,{1-9,{9-32,{32-37" } ], "op": "==", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "Set Old_Time", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "OR", "statements": [ { "left": [ { "listindex": 
"0extattrsAruba_Securevalue", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1,{1-9,{9-21,{21-26" } ], "op": "==", "right": [ { "text": "false" } ] } ], "stop": true }, "content_type": "application/json", "name": "check if secure external attribute set", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": [ { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "H" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "E" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "I" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "L" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "S" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "P" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "R" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "RH" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "UT" } ], "content_type": "application/json", "name": "Debug ADP", "nodebug": false, "operation": "NOP", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "ThreatName", "var1_namespace": "L", "var2_name": "query_fqdn", "var2_namespace": "E" }, { "namespace": "XC", "op": "COPY", "var1_name": "ThreatCategory", "var1_namespace": "L", "var2_name": "event_type", "var2_namespace": "E" }, { "namespace": "XC", "op": "COPY", "var1_name": "Infoblox_Last_Known_IP", "var1_namespace": "L", "var2_name": "source_ip", "var2_namespace": "E" }, { "namespace": "XC", "op": "COPY", "var1_name": "ThreatDetection", "var1_namespace": "L", "var2_name": "member_ip", "var2_namespace": "E" }, { "namespace": "XC", "op": "COPY", "var1_name": "RuleId", "var1_namespace": "L", "var2_name": "rule_sid", "var2_namespace": "E" }, { "namespace": "XC", "op": 
"COPY", "var1_name": "RuleCategory", "var1_namespace": "L", "var2_name": "rule_category", "var2_namespace": "E" }, { "namespace": "XC", "op": "COPY", "var1_name": "ThreatSeverity", "var1_namespace": "L", "var2_name": "ThreatSeverity", "var2_namespace": "I" } ], "next": "skipLeaseVarsIfHostOrFixed", "statements": [ { "left": [ { "name": "event_type", "namespace": "E", "quoting": "asis" } ], "op": "==", "right": [ { "text": "ADP" } ] } ] }, "content_type": "application/json", "name": "check if ADP event", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "ThreatCategory", "var1_namespace": "L", "var2_name": "event_type", "var2_namespace": "E" }, { "namespace": "XC", "op": "COPY", "var1_name": "Infoblox_Last_Known_IP", "var1_namespace": "L", "var2_name": "source_ip", "var2_namespace": "E" }, { "namespace": "XC", "op": "COPY", "var1_name": "ThreatDetection", "var1_namespace": "L", "var2_name": "member_ip", "var2_namespace": "E" }, { "namespace": "XC", "op": "COPY", "var1_name": "ThreatName", "var1_namespace": "L", "var2_name": "domain_name", "var2_namespace": "E" }, { "namespace": "XC", "op": "COPY", "var1_name": "ThreatSeverity", "var1_namespace": "L", "var2_name": "ThreatSeverity", "var2_namespace": "I" } ], "eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "ThreatCategory", "var1_namespace": "L", "var2_name": "rpz_type", "var2_namespace": "E" }, { "namespace": "XC", "op": "COPY", "var1_name": "Infoblox_Last_Known_IP", "var1_namespace": "L", "var2_name": "source_ip", "var2_namespace": "E" }, { "namespace": "XC", "op": "COPY", "var1_name": "ThreatDetection", "var1_namespace": "L", "var2_name": "member_ip", "var2_namespace": "E" }, { "namespace": "XC", "op": "COPY", "var1_name": "ThreatName", "var1_namespace": "L", "var2_name": "query_name", "var2_namespace": "E" }, { "namespace": "XC", "op": "COPY", "var1_name": 
"ThreatSeverity", "var1_namespace": "L", "var2_name": "ThreatSeverity", "var2_namespace": "I" } ], "statements": [ { "left": [ { "name": "event_type", "namespace": "E", "quoting": "asis" } ], "op": "==", "right": [ { "text": "RPZ" } ] } ] }, "content_type": "application/json", "name": "Check RPZ or Tunnel event to assign variables", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "comment": "Skip getting lease info if it is a host or fixed (meaning it will have an object reference).", "condition": { "condition_type": "OR", "next": "Check if location", "statements": [ { "left": [ { "name": "Obj_ref", "namespace": "L", "quoting": "asis" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "skipLeaseVarsIfHostOrFixed", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "comment": "Verify EAs for lease checking from the IP.", "condition": { "condition_type": "AND", "next": "getLeaseMacFromEventNamespace", "statements": [ { "left": [ { "listindex": "Aruba_Secure", "name": "ip.extattrs", "namespace": "E", "quoting": "asis", "type": "{0-12" } ], "op": "==", "right": [ { "text": "true" } ] } ] }, "content_type": "application/json", "name": "verifyEAsforLease_IP", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "comment": "Verify EAs for lease checking from the Network.", "condition": { "condition_type": "OR", "else_stop": true, "statements": [ { "left": [ { "listindex": "Aruba_Secure", "name": "network.extattrs", "namespace": "E", "quoting": "asis", "type": "{0-12" } ], "op": "==", "right": [ { "text": "true" } ] } ] }, "content_type": "application/json", "name": "verifyEAsforLease_Network", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "comment": "Can we get a MAC of the lease from the event namespace? If so, grab it. If not, terminate. 
Either the lease has no MAC or there is no object on the IP - either way terminate. ", "condition": { "condition_type": "AND", "else_stop": true, "eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "mac", "var1_namespace": "L", "var2_name": "lease.hardware", "var2_namespace": "E" } ], "statements": [ { "left": [ { "name": "lease.hardware", "namespace": "E", "quoting": "asis" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "getLeaseMacFromEventNamespace", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "comment": "Can we get a client hostname of the lease from the event namespace? If so, grab it.", "condition": { "condition_type": "AND", "else_eval": [ { "assign_type": "S", "assign_val": "Unknown", "namespace": "XC", "op": "ASSIGN", "var1_name": "client_hostname", "var1_namespace": "L" }, { "assign_type": "S", "assign_val": "Unknown", "namespace": "XC", "op": "ASSIGN", "var1_name": "host", "var1_namespace": "L" } ], "eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "client_hostname", "var1_namespace": "L", "var2_name": "lease.client_hostname", "var2_namespace": "E" }, { "namespace": "XC", "op": "COPY", "var1_name": "host", "var1_namespace": "L", "var2_name": "lease.client_hostname", "var2_namespace": "E" } ], "statements": [ { "left": [ { "name": "lease.client_hostname", "namespace": "E", "quoting": "asis" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "getLeaseClientHostnameFromEventNamespace", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "comment": "Can we get a fingerprint of the lease from the event namespace? If so, grab it. 
Assign other null vars.", "condition": { "condition_type": "AND", "else_eval": [ { "assign_type": "S", "assign_val": "", "namespace": "XC", "op": "ASSIGN", "var1_name": "fingerpring", "var1_namespace": "L" }, { "assign_type": "S", "assign_val": "", "namespace": "XC", "op": "ASSIGN", "var1_name": "operating_system", "var1_namespace": "L" }, { "assign_type": "S", "assign_val": "Security Event with Lease", "namespace": "XC", "op": "ASSIGN", "var1_name": "description", "var1_namespace": "L" } ], "eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "fingerpring", "var1_namespace": "L", "var2_name": "lease.fingerprint", "var2_namespace": "E" }, { "assign_type": "S", "assign_val": "", "namespace": "XC", "op": "ASSIGN", "var1_name": "operating_system", "var1_namespace": "L" }, { "assign_type": "S", "assign_val": "Security Event with Lease", "namespace": "XC", "op": "ASSIGN", "var1_name": "description", "var1_namespace": "L" } ], "statements": [ { "left": [ { "name": "lease.fingerprint", "namespace": "E", "quoting": "asis" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "getLeaseFingerprintFromEventNamespace", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "comment": "Can we get a location of the lease from the IP? 
If so, grab it.", "condition": { "condition_type": "AND", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "Location", "var1_namespace": "L", "var2_listindex": "Aruba_Location", "var2_name": "ip.extattrs", "var2_namespace": "E", "var2_type": "{0-14" } ], "else_next": "assignMac from P: for host", "statements": [ { "left": [ { "listindex": "Aruba_Location", "name": "ip.extattrs", "namespace": "E", "quoting": "asis", "type": "{0-14" } ], "op": "==", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "getLeaseLocationIP", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "comment": "Can we get a location of the lease from the IP? If so, grab it.", "condition": { "condition_type": "AND", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "Location", "var1_namespace": "L", "var2_listindex": "Aruba_Location", "var2_name": "network.extattrs", "var2_namespace": "E", "var2_type": "{0-14" } ], "else_next": "assignMac from P: for host", "eval": [ { "assign_type": "S", "assign_val": "Unknown", "namespace": "XC", "op": "ASSIGN", "var1_name": "Location", "var1_namespace": "L" } ], "next": "assignMac from P: for host", "statements": [ { "left": [ { "listindex": "Aruba_Location", "name": "network.extattrs", "namespace": "E", "quoting": "asis", "type": "{0-14" } ], "op": "==", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "getLeaseLocationNetwork", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "OR", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "Location", "var1_namespace": "L", "var2_listindex": "Aruba_Location", "var2_name": "ip.extattrs", "var2_namespace": "E", "var2_type": "{0-14" } ], "eval": [ { "assign_type": "S", "assign_val": "Unknown", "namespace": "XC", "op": "ASSIGN", "var1_name": "Location", "var1_namespace": "L" } ], "statements": [ { 
"left": [ { "listindex": "Aruba_Location", "name": "ip.extattrs", "namespace": "E", "quoting": "asis", "type": "{0-14" } ], "op": "==", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "Check if location", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "next": "Get Host IPv6", "statements": [ { "left": [ { "name": "source_ip", "namespace": "E", "quoting": "asis" } ], "op": "=~", "right": [ { "text": ":" } ] } ] }, "content_type": "application/json", "name": "check if IPv4 or IPv6 for checking assets on Infoblox", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "content_type": "application/json", "name": "Get Host IPv4", "nodebug": false, "operation": "GET", "override_headers": false, "path": [ { "text": "/wapi/v2.7/record:host_ipv4addr?ipv4addr=" }, { "name": "address", "namespace": "L", "quoting": "asis" }, { "text": "&network_view=" }, { "name": "network.network_view", "namespace": "E", "quoting": "asis" }, { "text": "&_return_fields=mac,host" } ], "wapi": "v2.7" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "assign_type": "S", "assign_val": "Unknown", "namespace": "XC", "op": "ASSIGN", "var1_name": "host", "var1_namespace": "L" } ], "eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "host", "var1_namespace": "L", "var2_listindex": "0host", "var2_name": "PARSE", "var2_namespace": "P", "var2_type": "[0-1,{1-5" } ], "next": "check if mac is present", "statements": [ { "left": [ { "listindex": "0", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "Check if Host IPv4 is present", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "content_type": "application/json", "name": "Get fixed IPv4", "nodebug": false, 
"operation": "GET", "override_headers": false, "path": [ { "text": "/wapi/v2.7/fixedaddress?ipv4addr=" }, { "name": "address", "namespace": "L", "quoting": "asis" }, { "text": "&network_view=" }, { "name": "network.network_view", "namespace": "E", "quoting": "asis" }, { "text": "&_return_fields=mac,discovered_data.mac_address,discovered_data.vmhost_mac_address,discovered_data.vport_mac_address,extattrs" } ], "wapi": "v2.7" }, { "body": null, "condition": { "condition_type": "AND", "eval": [ { "assign_type": "S", "assign_val": "Unknown", "namespace": "XC", "op": "ASSIGN", "var1_name": "host", "var1_namespace": "L" } ], "next": "check if mac is present", "statements": [ { "left": [ { "listindex": "0", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "Check if fixed IPv4 is present", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "OR", "statements": [ { "left": [ { "text": "1" } ], "op": "==", "right": [ { "text": "1" } ] } ], "stop": true }, "content_type": "application/json", "name": "stop because there is no information IPv4", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "content_type": "application/json", "name": "Get Host IPv6", "nodebug": false, "operation": "GET", "override_headers": false, "path": [ { "text": "/wapi/v2.7/record:host?ipv6addr=" }, { "name": "address", "namespace": "L", "quoting": "asis" }, { "text": "&network_view=" }, { "name": "network.network_view", "namespace": "E", "quoting": "asis" }, { "text": "&_return_fields=mac,host" } ], "wapi": "v2.7" }, { "body": null, "condition": { "condition_type": "AND", "eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "host", "var1_namespace": "L", "var2_listindex": "0host", "var2_name": "PARSE", "var2_namespace": "P", "var2_type": "[0-1,{1-5" } ], "next": 
"check if mac is present", "statements": [ { "left": [ { "listindex": "0", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "Check if Host IPv6 is present", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "content_type": "application/json", "name": "Get fixed IPv6", "nodebug": false, "operation": "GET", "override_headers": false, "path": [ { "text": "/wapi/v2.7/ipv6fixedaddress?ipv6addr=" }, { "name": "address", "namespace": "L", "quoting": "asis" }, { "text": "&network_view=" }, { "name": "network.network_view", "namespace": "E", "quoting": "asis" }, { "text": "&_return_fields=discovered_data.mac_address,discovered_data.vmhost_mac_address,discovered_data.vport_mac_address,extattrs" } ], "wapi": "v2.7" }, { "body": null, "condition": { "condition_type": "AND", "eval": [ { "assign_type": "S", "assign_val": "Unknown", "namespace": "XC", "op": "ASSIGN", "var1_name": "host", "var1_namespace": "L" } ], "next": "check if mac is present", "statements": [ { "left": [ { "listindex": "0", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "Check if fixed IPv6 is present", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "OR", "statements": [ { "left": [ { "text": "1" } ], "op": "==", "right": [ { "text": "1" } ] } ], "stop": true }, "content_type": "application/json", "name": "stop because there is no information IPv6", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "mac", "var1_namespace": "L", "var2_listindex": "0mac", "var2_name": "PARSE", "var2_namespace": "P", "var2_type": 
"[0-1,{1-4" } ], "next": "assignMac from P: for host", "statements": [ { "left": [ { "listindex": "0mac", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1,{1-4" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check if mac is present", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "statements": [ { "left": [ { "text": "1" } ], "op": "==", "right": [ { "text": "1" } ] } ], "stop": true }, "content_type": "application/json", "name": "Stop bacause there is no mac", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": [ { "namespace": "XC", "op": "COPY", "var1_name": "Mac1", "var1_namespace": "L", "var2_name": "mac", "var2_namespace": "L" }, { "fmt": "TRUNCATE", "fmtstr": "2t", "namespace": "XC", "op": "FORMAT", "var1_name": "Mac1", "var1_namespace": "L" }, { "namespace": "XC", "op": "COPY", "var1_name": "Mac2", "var1_namespace": "L", "var2_name": "mac", "var2_namespace": "L" }, { "fmt": "TRUNCATE", "fmtstr": "5t", "namespace": "XC", "op": "FORMAT", "var1_name": "Mac2", "var1_namespace": "L" }, { "fmt": "TRUNCATE", "fmtstr": "-2f", "namespace": "XC", "op": "FORMAT", "var1_name": "Mac2", "var1_namespace": "L" }, { "namespace": "XC", "op": "COPY", "var1_name": "Mac3", "var1_namespace": "L", "var2_name": "mac", "var2_namespace": "L" }, { "fmt": "TRUNCATE", "fmtstr": "8t", "namespace": "XC", "op": "FORMAT", "var1_name": "Mac3", "var1_namespace": "L" }, { "fmt": "TRUNCATE", "fmtstr": "-2f", "namespace": "XC", "op": "FORMAT", "var1_name": "Mac3", "var1_namespace": "L" }, { "namespace": "XC", "op": "COPY", "var1_name": "Mac4", "var1_namespace": "L", "var2_name": "mac", "var2_namespace": "L" }, { "fmt": "TRUNCATE", "fmtstr": "11t", "namespace": "XC", "op": "FORMAT", "var1_name": "Mac4", "var1_namespace": "L" }, { "fmt": "TRUNCATE", "fmtstr": "-2f", "namespace": "XC", "op": "FORMAT", 
"var1_name": "Mac4", "var1_namespace": "L" }, { "namespace": "XC", "op": "COPY", "var1_name": "Mac5", "var1_namespace": "L", "var2_name": "mac", "var2_namespace": "L" }, { "fmt": "TRUNCATE", "fmtstr": "14t", "namespace": "XC", "op": "FORMAT", "var1_name": "Mac5", "var1_namespace": "L" }, { "fmt": "TRUNCATE", "fmtstr": "-2f", "namespace": "XC", "op": "FORMAT", "var1_name": "Mac5", "var1_namespace": "L" }, { "namespace": "XC", "op": "COPY", "var1_name": "Mac6", "var1_namespace": "L", "var2_name": "mac", "var2_namespace": "L" }, { "fmt": "TRUNCATE", "fmtstr": "-2f", "namespace": "XC", "op": "FORMAT", "var1_name": "Mac6", "var1_namespace": "L" }, { "namespace": "XC", "op": "COPY", "var1_name": "MacFull", "var1_namespace": "L", "var2_name": "mac", "var2_namespace": "L" } ], "content_type": "application/json", "name": "assignMac from P: for host", "nodebug": false, "operation": "NOP", "override_headers": false, "path": "" }, { "body": [ { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "H" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "E" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "I" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "L" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "S" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "P" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "R" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "RH" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "UT" } ], "content_type": "application/json", "name": "Debug#test1", "nodebug": false, "operation": "NOP", "override_headers": false, "path": "" }, { "body": null, "content_type": "application/json", "headers": { "Authorization": [ { "text": "Bearer " }, { "name": "SESSID", "namespace": "S", "quoting": "asis" } ] }, "name": "Get Check if duplicate endpoint 
with host", "nodebug": false, "operation": "GET", "override_headers": false, "parse": "JSON", "parse_regex": null, "path": [ { "text": "/api/endpoint/mac-address/" }, { "name": "Mac1", "namespace": "L", "quoting": "asis" }, { "name": "Mac2", "namespace": "L", "quoting": "asis" }, { "name": "Mac3", "namespace": "L", "quoting": "asis" }, { "name": "Mac4", "namespace": "L", "quoting": "asis" }, { "name": "Mac5", "namespace": "L", "quoting": "asis" }, { "name": "Mac6", "namespace": "L", "quoting": "asis" } ], "result": [ { "codes": "200,201,202,203,204,404,405", "next": "Create Endpoint if one is not present" } ] }, { "body": [ { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "H" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "E" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "I" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "L" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "S" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "P" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "R" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "RH" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "UT" } ], "content_type": "application/json", "name": "Debug#test2", "nodebug": false, "operation": "NOP", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "OR", "else_eval": [ { "assign_type": "S", "assign_val": "true", "namespace": "XC", "op": "ASSIGN", "var1_name": "MacFound", "var1_namespace": "L" } ], "statements": [ { "left": [ { "name": "mac_address", "namespace": "P", "quoting": "asis" } ], "op": "==", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "Create Endpoint if one is not present", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, 
"condition": { "condition_type": "AND", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "managed", "var1_namespace": "L", "var2_listindex": "Infoblox Managed", "var2_name": "attributes", "var2_namespace": "P", "var2_type": "{0-16" } ], "eval": [ { "assign_type": "S", "assign_val": "False", "namespace": "XC", "op": "ASSIGN", "var1_name": "managed", "var1_namespace": "L" } ], "statements": [ { "left": [ { "listindex": "Infoblox Managed", "name": "attributes", "namespace": "P", "quoting": "asis", "type": "{0-16" } ], "op": "==", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check if managed by infoblox", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "vendor", "var1_namespace": "L", "var2_listindex": "Device Vendor", "var2_name": "attributes", "var2_namespace": "P", "var2_type": "{0-13" } ], "eval": [ { "assign_type": "S", "assign_val": "Unknown", "namespace": "XC", "op": "ASSIGN", "var1_name": "vendor", "var1_namespace": "L" } ], "statements": [ { "left": [ { "listindex": "Device Vendor", "name": "attributes", "namespace": "P", "quoting": "asis", "type": "{0-13" } ], "op": "==", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check for Device Vendor", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "type", "var1_namespace": "L", "var2_listindex": "Device Type", "var2_name": "attributes", "var2_namespace": "P", "var2_type": "{0-11" } ], "eval": [ { "assign_type": "S", "assign_val": "Unknown", "namespace": "XC", "op": "ASSIGN", "var1_name": "type", "var1_namespace": "L" } ], "statements": [ { "left": [ { "listindex": "Device Type", "name": "attributes", "namespace": "P", "quoting": "asis", 
"type": "{0-11" } ], "op": "==", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check for Device Type", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "rule_category", "var1_namespace": "L", "var2_listindex": "Infoblox Rule Category", "var2_name": "attributes", "var2_namespace": "P", "var2_type": "{0-22" } ], "eval": [ { "assign_type": "S", "assign_val": "Unknown", "namespace": "XC", "op": "ASSIGN", "var1_name": "rule_category", "var1_namespace": "L" } ], "statements": [ { "left": [ { "listindex": "Infoblox Rule Category", "name": "attributes", "namespace": "P", "quoting": "asis", "type": "{0-22" } ], "op": "==", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check for Rule Category", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "rule_id", "var1_namespace": "L", "var2_listindex": "Infoblox Rule Id", "var2_name": "attributes", "var2_namespace": "P", "var2_type": "{0-16" } ], "eval": [ { "assign_type": "I", "assign_val": "0", "namespace": "XC", "op": "ASSIGN", "var1_name": "rule_id", "var1_namespace": "L" } ], "statements": [ { "left": [ { "listindex": "Infoblox Rule Id", "name": "attributes", "namespace": "P", "quoting": "asis", "type": "{0-16" } ], "op": "==", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check for Rule id", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "comment", "var1_namespace": "L", "var2_listindex": "Comment", "var2_name": "attributes", "var2_namespace": "P", "var2_type": "{0-7" } ], "eval": [ { 
"assign_type": "S", "assign_val": "No Comment", "namespace": "XC", "op": "ASSIGN", "var1_name": "comment", "var1_namespace": "L" } ], "statements": [ { "left": [ { "listindex": "Comment", "name": "attributes", "namespace": "P", "quoting": "asis", "type": "{0-7" } ], "op": "==", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check for Comment", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "comment": "We don't want to overwrite new Lease info.", "condition": { "condition_type": "OR", "next": "check if mac was found on aruba", "statements": [ { "left": [ { "name": "Obj_ref", "namespace": "L", "quoting": "asis" } ], "op": "==", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "skipClientHostname&FingerprintVarsIfLease", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "fingerpring", "var1_namespace": "L", "var2_listindex": "Infoblox DHCP Fingerprint", "var2_name": "attributes", "var2_namespace": "P", "var2_type": "{0-25" } ], "eval": [ { "assign_type": "S", "assign_val": "Unknown", "namespace": "XC", "op": "ASSIGN", "var1_name": "fingerpring", "var1_namespace": "L" } ], "statements": [ { "left": [ { "listindex": "Infoblox DHCP Fingerprint", "name": "attributes", "namespace": "P", "quoting": "asis", "type": "{0-25" } ], "op": "==", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check for Fingerprint", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "assign_type": "S", "assign_val": "Unknown", "namespace": "XC", "op": "ASSIGN", "var1_name": "host", "var1_namespace": "L" } ], "eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "host", "var1_namespace": "L", 
"var2_listindex": "client_hostname", "var2_name": "attributes", "var2_namespace": "P", "var2_type": "{0-15" } ], "statements": [ { "left": [ { "listindex": "client_hostname", "name": "attributes", "namespace": "P", "quoting": "asis", "type": "{0-15" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check for client_hostname", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "content_type": "application/json", "name": "all discovery information", "nodebug": false, "operation": "GET", "override_headers": false, "parse": "JSON", "parse_regex": null, "path": [ { "text": "/wapi/v2.7/" }, { "name": "Path", "namespace": "L", "quoting": "asis" }, { "text": "?" }, { "name": "addr", "namespace": "L", "quoting": "asis" }, { "text": "=" }, { "name": "address", "namespace": "L", "quoting": "asis" }, { "text": "&_return_fields=comment,device_description,device_location,device_type,device_vendor,name" } ], "wapi": "v2.7" }, { "body": null, "condition": { "condition_type": "OR", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "host", "var1_namespace": "L", "var2_listindex": "0name", "var2_name": "PARSE", "var2_namespace": "P", "var2_type": "[0-1,{1-5" } ], "statements": [ { "left": [ { "listindex": "0name", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1,{1-5" } ], "op": "==", "right": [ { "text": "" } ] }, { "left": [ { "listindex": "0name", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1,{1-5" } ], "op": "==", "right": [ { "text": "unknown" } ] } ] }, "content_type": "application/json", "name": "Check if name is unknown", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "description", "var1_namespace": "L", "var2_listindex": "0device_description", "var2_name": "PARSE", 
"var2_namespace": "P", "var2_type": "[0-1,{1-19" } ], "eval": [ { "assign_type": "S", "assign_val": "No Description", "namespace": "XC", "op": "ASSIGN", "var1_name": "description", "var1_namespace": "L" } ], "statements": [ { "left": [ { "listindex": "0device_description", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1,{1-19" } ], "op": "==", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check for description", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "comment", "var1_namespace": "L", "var2_listindex": "0comment", "var2_name": "PARSE", "var2_namespace": "P", "var2_type": "[0-1,{1-8" } ], "eval": [ { "assign_type": "S", "assign_val": "No Comment", "namespace": "XC", "op": "ASSIGN", "var1_name": "comment", "var1_namespace": "L" } ], "statements": [ { "left": [ { "listindex": "0comment", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1,{1-8" } ], "op": "==", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check for comment", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "vendor", "var1_namespace": "L", "var2_listindex": "0device_vendor", "var2_name": "PARSE", "var2_namespace": "P", "var2_type": "[0-1,{1-14" } ], "statements": [ { "left": [ { "listindex": "0device_vendor", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1,{1-14" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check for vendor", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "type", 
"var1_namespace": "L", "var2_listindex": "0device_type", "var2_name": "PARSE", "var2_namespace": "P", "var2_type": "[0-1,{1-12" } ], "statements": [ { "left": [ { "listindex": "0device_type", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1,{1-12" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check for type", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "comment": "Can we get a fingerprint of a lease from the event namespace? If so, grab it.", "condition": { "condition_type": "AND", "eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "fingerpring", "var1_namespace": "L", "var2_name": "lease.fingerprint", "var2_namespace": "E" } ], "statements": [ { "left": [ { "name": "lease.fingerprint", "namespace": "E", "quoting": "asis" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check for fingerprint", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "Location", "var1_namespace": "L", "var2_listindex": "Aruba_Location", "var2_name": "ip.extattrs", "var2_namespace": "E", "var2_type": "{0-14" } ], "else_next": "check if mac was found on aruba", "eval": [ { "assign_type": "S", "assign_val": "Unknown", "namespace": "XC", "op": "ASSIGN", "var1_name": "Location", "var1_namespace": "L" } ], "statements": [ { "left": [ { "listindex": "Aruba_Location", "name": "ip.extattrs", "namespace": "E", "quoting": "asis", "type": "{0-14" } ], "op": "==", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check for location EA", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "Location", 
"var1_namespace": "L", "var2_listindex": "0device_location", "var2_name": "PARSE", "var2_namespace": "P", "var2_type": "[0-1,{1-16" } ], "eval": [ { "assign_type": "S", "assign_val": "Unknown", "namespace": "XC", "op": "ASSIGN", "var1_name": "Location", "var1_namespace": "L" } ], "statements": [ { "left": [ { "listindex": "0device_location", "name": "PARSE", "namespace": "P", "quoting": "asis", "type": "[0-1,{1-16" } ], "op": "==", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check for location", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "next": "Add endpoint event check", "statements": [ { "left": [ { "name": "MacFound", "namespace": "L", "quoting": "asis" } ], "op": "==", "right": [ { "text": "true" } ] } ] }, "content_type": "application/json", "name": "check if mac was found on aruba", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "next": "Add a new ADP endpoint", "statements": [ { "left": [ { "name": "event_type", "namespace": "E", "quoting": "asis" } ], "op": "==", "right": [ { "text": "ADP" } ] } ] }, "content_type": "application/json", "name": "check if new ADP event", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": [ { "text": "{\"mac_address\":\"" }, { "name": "MacFull", "namespace": "L", "quoting": "asis" }, { "text": "\",\"status\":\"Known\",\"description\":\"Added via API at " }, { "name": "TIME", "namespace": "UT", "quoting": "asis" }, { "text": " - " }, { "name": "description", "namespace": "L", "quoting": "asis" }, { "text": "\",\"attributes\":{\"client_hostname\":\"" }, { "name": "host", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Device Type\":\"" }, { "name": "type", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Device Vendor\":\"" }, { "name": "vendor", "namespace": 
"L", "quoting": "asis" }, { "text": "\",\"Location\":\"" }, { "name": "Location", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Model\":\"Unknown\",\"Comment\":\"" }, { "name": "comment", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox DHCP Fingerprint\":\"" }, { "name": "fingerpring", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Last Known IP\":\"" }, { "name": "Infoblox_Last_Known_IP", "namespace": "L", "quoting": "asis" }, { "text": "\",\"OS Version\":\"Unknown\",\"Infoblox Managed\":\"" }, { "name": "managed", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Threat Category\":\"" }, { "name": "ThreatCategory", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Threat Detection Device IP\":\"" }, { "name": "ThreatDetection", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Threat Name\":\"" }, { "name": "ThreatName", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Threat Severity\":\"" }, { "name": "ThreatSeverity", "namespace": "I", "quoting": "asis" }, { "text": "\",\"Infoblox Threat Status\":\"Unresolved\"}}" } ], "content_type": "application/json", "headers": { "Authorization": [ { "text": "Bearer " }, { "name": "SESSID", "namespace": "S", "quoting": "asis" } ] }, "name": "Add a new endpoint", "nodebug": false, "operation": "POST", "override_headers": false, "parse": "JSON", "parse_regex": null, "path": "/api/endpoint" }, { "body": null, "condition": { "condition_type": "AND", "next": "assign profiler values", "statements": [ { "left": [ { "text": "1" } ], "op": "==", "right": [ { "text": "1" } ] } ] }, "content_type": "application/json", "name": "Jump to non ADP assign profiler values ", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": [ { "text": "{\"mac_address\":\"" }, { "name": "MacFull", "namespace": "L", "quoting": "asis" }, { "text": "\",\"status\":\"Known\",\"description\":\"Added via API at " }, { "name": 
"TIME", "namespace": "UT", "quoting": "asis" }, { "text": " - " }, { "name": "description", "namespace": "L", "quoting": "asis" }, { "text": "\",\"attributes\":{\"client_hostname\":\"" }, { "name": "host", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Device Type\":\"" }, { "name": "type", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Device Vendor\":\"" }, { "name": "vendor", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Location\":\"" }, { "name": "Location", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Model\":\"Unknown\",\"Comment\":\"" }, { "name": "comment", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox DHCP Fingerprint\":\"" }, { "name": "fingerpring", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Last Known IP\":\"" }, { "name": "Infoblox_Last_Known_IP", "namespace": "L", "quoting": "asis" }, { "text": "\",\"OS Version\":\"Unknown\",\"Infoblox Managed\":\"" }, { "name": "managed", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Threat Category\":\"" }, { "name": "ThreatCategory", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Threat Detection Device IP\":\"" }, { "name": "ThreatDetection", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Threat Name\":\"" }, { "name": "ThreatName", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Threat Severity\":\"" }, { "name": "ThreatSeverity", "namespace": "I", "quoting": "asis" }, { "text": "\",\"Infoblox Rule Id\":\"" }, { "name": "RuleId", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Rule Category\":\"" }, { "name": "RuleCategory", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Threat Status\":\"Unresolved\"}}" } ], "content_type": "application/json", "headers": { "Authorization": [ { "text": "Bearer " }, { "name": "SESSID", "namespace": "S", "quoting": "asis" } ] }, "name": "Add a new ADP endpoint", "nodebug": false, "operation": "POST", 
"override_headers": false, "parse": "JSON", "parse_regex": null, "path": "/api/endpoint" }, { "body": [ { "text": "{\"mac\":\"" }, { "name": "MacFull", "namespace": "L", "quoting": "asis" }, { "text": "\",\"ip\": \"" }, { "name": "address", "namespace": "L", "quoting": "asis" }, { "text": "\",\"hostname\": \"" }, { "name": "host", "namespace": "L", "quoting": "asis" }, { "text": "\",\"device\":{\"family\":\"" }, { "name": "vendor", "namespace": "L", "quoting": "asis" }, { "text": "\",\"category\":\"" }, { "name": "type", "namespace": "L", "quoting": "asis" }, { "text": "\",\"name\":\"" }, { "name": "host", "namespace": "L", "quoting": "asis" }, { "text": "\"}}" } ], "content_type": "application/json", "headers": { "Accept": "*/*", "Content-Type": "application/json", "User-Agent": "Infoblox Security Integration" }, "name": "assign profiler values", "nodebug": false, "operation": "POST", "override_headers": false, "parse": "JSON", "parse_regex": null, "path": "/async_netd/deviceprofiler/endpoints" }, { "body": null, "condition": { "condition_type": "AND", "next": "Update timestamp", "statements": [ { "left": [ { "text": "1" } ], "op": "==", "right": [ { "text": "1" } ] } ] }, "content_type": "application/json", "name": "jump to update infoblox record", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "next": "Add an endpoint", "statements": [ { "left": [ { "name": "event_type", "namespace": "E", "quoting": "asis" } ], "op": "==", "right": [ { "text": "ADP" } ] } ] }, "content_type": "application/json", "name": "Add endpoint event check", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": [ { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "H" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "E" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "I" }, { "namespace": "XC", 
"op": "DEBUG", "var1_name": "", "var1_namespace": "L" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "S" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "P" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "R" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "RH" }, { "namespace": "XC", "op": "DEBUG", "var1_name": "", "var1_namespace": "UT" } ], "content_type": "application/json", "name": "Debug ruleid2", "nodebug": false, "operation": "NOP", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "assign_type": "I", "assign_val": "99999", "namespace": "XC", "op": "ASSIGN", "var1_name": "RuleId", "var1_namespace": "L" } ], "eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "RuleId", "var1_namespace": "L", "var2_name": "rule_id", "var2_namespace": "L" } ], "statements": [ { "left": [ { "name": "rule_id", "namespace": "L", "quoting": "asis" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check if ruleid found", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": null, "condition": { "condition_type": "AND", "else_eval": [ { "assign_type": "S", "assign_val": "unknown", "namespace": "XC", "op": "ASSIGN", "var1_name": "RuleCategory", "var1_namespace": "L" } ], "eval": [ { "namespace": "XC", "op": "COPY", "var1_name": "RuleCategory", "var1_namespace": "L", "var2_name": "rule_category", "var2_namespace": "L" } ], "statements": [ { "left": [ { "name": "rule_category", "namespace": "L", "quoting": "asis" } ], "op": "!=", "right": [ { "text": "" } ] } ] }, "content_type": "application/json", "name": "check if rule_category found", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" }, { "body": [ { "text": "{\"mac_address\":\"" }, { "name": "MacFull", "namespace": "L", "quoting": "asis" }, { "text": 
"\",\"status\":\"Known\",\"description\":\"Added via API at " }, { "name": "TIME", "namespace": "UT", "quoting": "asis" }, { "text": " - " }, { "name": "description", "namespace": "L", "quoting": "asis" }, { "text": "\",\"attributes\":{\"client_hostname\":\"" }, { "name": "host", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Device Type\":\"" }, { "name": "type", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Device Vendor\":\"" }, { "name": "vendor", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Location\":\"" }, { "name": "Location", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Model\":\"Unknown\",\"Comment\":\"" }, { "name": "comment", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Last Known IP\":\"" }, { "name": "Infoblox_Last_Known_IP", "namespace": "L", "quoting": "asis" }, { "text": "\",\"OS Version\":\"Unknown\",\"Infoblox Managed\":\"" }, { "name": "managed", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox DHCP Fingerprint\":\"" }, { "name": "fingerpring", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Threat Category\":\"" }, { "name": "ThreatCategory", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Threat Detection Device IP\":\"" }, { "name": "ThreatDetection", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Threat Name\":\"" }, { "name": "ThreatName", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Threat Severity\":\"" }, { "name": "ThreatSeverity", "namespace": "I", "quoting": "asis" }, { "text": "\",\"Infoblox Rule Id\":\"" }, { "name": "RuleId", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Rule Category\":\"" }, { "name": "RuleCategory", "namespace": "L", "quoting": "asis" }, { "text": "\",\"Infoblox Threat Status\":\"Unresolved\"}}" } ], "content_type": "application/json", "headers": { "Authorization": [ { "text": "Bearer " }, { "name": "SESSID", "namespace": "S", "quoting": "asis" } ] }, 
"name": "Add an endpoint", "nodebug": false, "operation": "PUT", "override_headers": false, "parse": "JSON", "parse_regex": null, "path": [ { "text": "/api/endpoint/mac-address/" }, { "name": "Mac1", "namespace": "L", "quoting": "asis" }, { "name": "Mac2", "namespace": "L", "quoting": "asis" }, { "name": "Mac3", "namespace": "L", "quoting": "asis" }, { "name": "Mac4", "namespace": "L", "quoting": "asis" }, { "name": "Mac5", "namespace": "L", "quoting": "asis" }, { "name": "Mac6", "namespace": "L", "quoting": "asis" } ] }, { "body": [ { "text": "{\"extattrs+\":{\"Aruba_LastSecurityEvent\": { \"value\": \"" }, { "name": "TIME", "namespace": "UT", "quoting": "asis" }, { "text": "\"}}}" } ], "content_type": "application/json", "name": "Update timestamp", "nodebug": false, "operation": "PUT", "override_headers": false, "path": [ { "text": "/wapi/v2.7/" }, { "name": "Obj_ref", "namespace": "L", "quoting": "asis" } ], "wapi": "v2.7", "wapi_quoting": "JSON" }, { "body": null, "condition": { "condition_type": "AND", "statements": [ { "left": [ { "text": "1" } ], "op": "==", "right": [ { "text": "1" } ] } ], "stop": true }, "content_type": "application/json", "name": "Stop everthing", "nodebug": false, "operation": "COND", "override_headers": false, "path": "" } ], "template_variables": {}, "vendor_identifier": "Aruba ClearPass", "version": "4.0" }
[2022/01/26 10:02:39.412183] infoblox.localdomain (DEBUG): Executing step Debug#0 (1)
[2022/01/26 10:02:39.412304] infoblox.localdomain (DEBUG): Namespace H contents are: {'Content-Type': u'application/json', 'Authorization': '[*********]', 'User-Agent': 'Infoblox Security Integration'}
[2022/01/26 10:02:39.412437] infoblox.localdomain (DEBUG): Namespace E contents are: {u'event_type': 'RPZ', u'ip.extattrs': {u'Aruba_Sync': u'true'}, u'range.end_addr': u'10.74.49.15', u'ip.username': u'', u'thread_id': 0, 'network.netmask': 27, u'lease.hardware': u'00:50:56:a4:30:54', u'member_name': u'infoblox.localdomain', u'rpz_policy': u'NXDOMAIN', 'network.ipv4addr': '10.74.49.0', u'query_type': 1, u'query_view_name': u'_default', u'rpz_severity': u'MAJOR', u'range.start_addr': u'10.74.49.8', u'ip.discovered_data.first_discovered': u'2022-01-18T13:39:35Z', u'destination_ip': u'10.74.49.5', u'network.network': u'10.74.49.0/27', u'network.extattrs': {u'Aruba_Sync': u'true'}, u'timestamp': u'2022-01-26T09:02:37Z', u'vnode_oid': 0, u'lease.ends': u'2022-01-26T19:55:45Z', u'lease.fingerprint': u'Generic Windows OS', u'rule_name': u'test1.deny', u'sequence_id': 4, u'lease.starts': u'2022-01-26T07:55:45Z', u'rpz_type': u'QNAME', u'network.network_view': u'default', u'threat_origin': u'NIOS', u'member_ip': u'10.74.49.5', u'lease.binding_state': u'ACTIVE', u'source_ip': u'10.74.49.15', u'ip.discovered_data.mac_address': u'00:50:56:a4:30:54', u'query_name': u'test1', u'ip.names': [u'peter-ubuntu'], u'lease.client_hostname': u'peter-ubuntu', u'source_port': 40459}
[2022/01/26 10:02:39.412528] infoblox.localdomain (DEBUG): Namespace I contents are: {u'ThreatSeverity': u'Low', u'KEY': u'/ss+y9sP/kD83QdRZF2TDkuS+jNsmP58U16AlaPB2Hsa', u'Client_ID': u'BloxCS'}
[2022/01/26 10:02:39.412603] infoblox.localdomain (DEBUG): Namespace L contents are: {}
[2022/01/26 10:02:39.412697] infoblox.localdomain (DEBUG): Namespace S contents are: {u'Client_ID': u'BloxCS', u'KEY': u'/ss+y9sP/kD83QdRZF2TDkuS+jNsmP58U16AlaPB2Hsa', 'URI': u'https://10.74.49.4', u'SESSID': u'17fa297ad2b6f7bc9067e4ba3b5c8586ac86efb0', 'USER': u'admin', 'TIMEOUT': 30}
[2022/01/26 10:02:39.412771] infoblox.localdomain (DEBUG): Namespace P contents are: {}
[2022/01/26 10:02:39.412842] infoblox.localdomain (DEBUG): Namespace R contents are: {}
[2022/01/26 10:02:39.412912] infoblox.localdomain (DEBUG): Namespace RH contents are: {}
[2022/01/26 10:02:39.413114] infoblox.localdomain (DEBUG): Namespace UT contents are: {'USERNAME': '[redacted]', 'ENDPOINT': 'notification:rest:endpoint/b25lLmVuZHBvaW50JDI', 'PROTOCOL': u'https', 'UUID': '71ce5d12-b472-4c34-9f10-fd25405a09d3', 'WAPIUSERNAME': u'admin', 'URI': u'https://10.74.49.4', 'HOST': u'10.74.49.4', 'EPOCH': '1643187759', 'TIME': '2022-01-26T09:02:39Z', 'PATH': u'', 'PASSWORD': '[redacted]', 'PORT': 443}
[2022/01/26 10:02:39.413227] infoblox.localdomain (DEBUG): Executing step check if IPv4 or IPv6 for assigning variables (1)
[2022/01/26 10:02:39.413308] infoblox.localdomain (DEBUG): Found a/an AND condition step!
[2022/01/26 10:02:39.413407] infoblox.localdomain (DEBUG): Evaluating statement: 10.74.49.15 =~ :
[2022/01/26 10:02:39.413484] infoblox.localdomain (DEBUG): The condition did not match!
[2022/01/26 10:02:39.413540] infoblox.localdomain (DEBUG): Executing the else_eval block
[2022/01/26 10:02:39.413735] infoblox.localdomain (DEBUG): Executing step assignTimeValue (1)
[2022/01/26 10:02:39.413910] infoblox.localdomain (DEBUG): Executing step check for IPv6 (1)
[2022/01/26 10:02:39.413990] infoblox.localdomain (DEBUG): Found a/an AND condition step!
[2022/01/26 10:02:39.414102] infoblox.localdomain (DEBUG): Evaluating statement: "10.74.49.15" =~ :
[2022/01/26 10:02:39.414192] infoblox.localdomain (DEBUG): The condition did not match!
[2022/01/26 10:02:39.414277] infoblox.localdomain (DEBUG): Executing step Get IPv4Fixed _ref (1)
[2022/01/26 10:02:39.414770] infoblox.localdomain (DEBUG): Sleeping for 0 seconds
[2022/01/26 10:02:39.414942] infoblox.localdomain (DEBUG): Sending a 'GET' request within connection: protocol='https', host='10.74.49.5', port='443', path='/wapi/v2.7/fixedaddress?ipv4addr=10.74.49.15&network_view=default&_return_fields=extattrs', headers={'Content-Type': 'application/json', 'Cookie': '[*********]', 'Accept': 'application/json', 'Authorization': '[*********]'}, body='(no body)'.
[2022/01/26 10:02:39.415038] infoblox.localdomain (DEBUG): Request timeout is 30
[2022/01/26 10:02:39.440263] infoblox.localdomain (DEBUG): Response status:200 reason:OK headers:{'x-xss-protection': '1; mode=block', 'x-content-type-options': 'nosniff', 'content-security-policy': "default-src 'self' *.splunk.com img-src 'self' 'unsafe-inline' 'unsafe-eval' data: https: style-src 'self' 'unsafe-inline' 'unsafe-eval'", 'transfer-encoding': 'chunked', 'set-cookie': '[*********]', 'strict-transport-security': 'max-age=31536000; includeSubDomains', 'connection': 'close', 'pragma': 'no-cache', 'cache-control': 'no-cache, no-store', 'date': 'Wed, 26 Jan 2022 09:02:39 GMT', 'x-frame-options': 'SAMEORIGIN', 'referrer-policy': 'no-referrer-when-downgrade', 'content-type': 'application/json'} data:[]
[2022/01/26 10:02:39.440390] infoblox.localdomain (DEBUG): The previous endpoint request returned status 200
[2022/01/26 10:02:39.440464] infoblox.localdomain (DEBUG): Parsing the endpoint message {'BODY': '[]', 'REASON': 'OK', 'RC': 200}
[2022/01/26 10:02:39.440586] infoblox.localdomain (DEBUG): The parsing output is {'PARSE': []}
[2022/01/26 10:02:39.440691] infoblox.localdomain (DEBUG): Executing step wapi_response_getIPv4Fix_ref (1)
[2022/01/26 10:02:39.440778] infoblox.localdomain (DEBUG): Found a/an AND condition step!
[2022/01/26 10:02:39.440914] infoblox.localdomain (DEBUG): Evaluating statement: !=
[2022/01/26 10:02:39.440985] infoblox.localdomain (DEBUG): The condition did not match!
[2022/01/26 10:02:39.441071] infoblox.localdomain (DEBUG): Executing step Get HostIPv4 _ref (1)
[2022/01/26 10:02:39.441507] infoblox.localdomain (DEBUG): Sleeping for 0 seconds
[2022/01/26 10:02:39.441683] infoblox.localdomain (DEBUG): Sending a 'GET' request within connection: protocol='https', host='10.74.49.5', port='443', path='/wapi/v2.7/record:host?ipv4addr=10.74.49.15&network_view=default&_return_fields=extattrs', headers={'Content-Type': 'application/json', 'Cookie': '[*********]', 'Accept': 'application/json', 'Authorization': '[*********]'}, body='(no body)'.
[2022/01/26 10:02:39.441778] infoblox.localdomain (DEBUG): Request timeout is 30
[2022/01/26 10:02:39.468613] infoblox.localdomain (DEBUG): Response status:200 reason:OK headers:{'x-xss-protection': '1; mode=block', 'x-content-type-options': 'nosniff', 'content-security-policy': "default-src 'self' *.splunk.com img-src 'self' 'unsafe-inline' 'unsafe-eval' data: https: style-src 'self' 'unsafe-inline' 'unsafe-eval'", 'transfer-encoding': 'chunked', 'strict-transport-security': 'max-age=31536000; includeSubDomains', 'connection': 'close', 'pragma': 'no-cache', 'cache-control': 'no-cache, no-store', 'date': 'Wed, 26 Jan 2022 09:02:39 GMT', 'x-frame-options': 'SAMEORIGIN', 'referrer-policy': 'no-referrer-when-downgrade', 'content-type': 'application/json'} data:[]
[2022/01/26 10:02:39.468830] infoblox.localdomain (DEBUG): The previous endpoint request returned status 200
[2022/01/26 10:02:39.468908] infoblox.localdomain (DEBUG): Parsing the endpoint message {'BODY': '[]', 'REASON': 'OK', 'RC': 200}
[2022/01/26 10:02:39.469034] infoblox.localdomain (DEBUG): The parsing output is {'PARSE': []}
[2022/01/26 10:02:39.469192] infoblox.localdomain (DEBUG): Executing step wapi_response_getIPv4Host_ref (1)
[2022/01/26 10:02:39.469372] infoblox.localdomain (DEBUG): Found a/an AND condition step!
[2022/01/26 10:02:39.469523] infoblox.localdomain (DEBUG): Evaluating statement: !=
[2022/01/26 10:02:39.469624] infoblox.localdomain (DEBUG): The condition did not match!
[2022/01/26 10:02:39.469710] infoblox.localdomain (DEBUG): Jumping to step `check if ADP event`
[2022/01/26 10:02:39.469792] infoblox.localdomain (DEBUG): We are jumping from step wapi_response_getIPv4Host_ref (#8) to check if ADP event (#19)
[2022/01/26 10:02:39.469962] infoblox.localdomain (DEBUG): Executing step check if ADP event (1)
[2022/01/26 10:02:39.470053] infoblox.localdomain (DEBUG): Found a/an AND condition step!
[2022/01/26 10:02:39.470262] infoblox.localdomain (DEBUG): Evaluating statement: RPZ == ADP
[2022/01/26 10:02:39.470332] infoblox.localdomain (DEBUG): The condition did not match!
[2022/01/26 10:02:39.470477] infoblox.localdomain (DEBUG): Executing step Check RPZ or Tunnel event to assign variables (1)
[2022/01/26 10:02:39.470646] infoblox.localdomain (DEBUG): Found a/an AND condition step!
[2022/01/26 10:02:39.470745] infoblox.localdomain (DEBUG): Evaluating statement: RPZ == RPZ
[2022/01/26 10:02:39.470812] infoblox.localdomain (DEBUG): The condition matched!
[2022/01/26 10:02:39.470969] infoblox.localdomain (DEBUG): Executing the eval block
[2022/01/26 10:02:39.471350] infoblox.localdomain (DEBUG): Executing step skipLeaseVarsIfHostOrFixed (1)
[2022/01/26 10:02:39.471438] infoblox.localdomain (DEBUG): Found a/an OR condition step!
[2022/01/26 10:02:39.471530] infoblox.localdomain (DEBUG): Evaluating statement: !=
[2022/01/26 10:02:39.471598] infoblox.localdomain (DEBUG): The condition did not match!
[2022/01/26 10:02:39.471842] infoblox.localdomain (DEBUG): Executing step verifyEAsforLease_IP (1)
[2022/01/26 10:02:39.471930] infoblox.localdomain (DEBUG): Found a/an AND condition step!
[2022/01/26 10:02:39.472044] infoblox.localdomain (DEBUG): Evaluating statement: == true
[2022/01/26 10:02:39.472161] infoblox.localdomain (DEBUG): The condition did not match!
[2022/01/26 10:02:39.472246] infoblox.localdomain (DEBUG): Executing step verifyEAsforLease_Network (1)
[2022/01/26 10:02:39.472325] infoblox.localdomain (DEBUG): Found a/an OR condition step!
[2022/01/26 10:02:39.472537] infoblox.localdomain (DEBUG): Evaluating statement: == true
[2022/01/26 10:02:39.472607] infoblox.localdomain (DEBUG): The condition did not match!
[2022/01/26 10:02:39.472723] infoblox.localdomain (DEBUG): A stop condition was triggered, exiting
[2022/01/26 10:02:39.472798] infoblox.localdomain (DEBUG): The template was executed successfully
[2022/01/26 10:02:40.375072] infoblox.localdomain (DEBUG): Executing the template Aruba ClearPass Logout
[2022/01/26 10:02:40.375307] infoblox.localdomain (DEBUG): Event {u'event_type': 'RPZ', u'ip.extattrs': {u'Aruba_Sync': u'true'}, u'range.end_addr': u'10.74.49.15', u'ip.username': u'', u'thread_id': 0, 'network.netmask': 27, u'lease.hardware': u'00:50:56:a4:30:54', u'member_name': u'infoblox.localdomain', u'rpz_policy': u'NXDOMAIN', 'network.ipv4addr': '10.74.49.0', u'query_type': 1, u'query_view_name': u'_default', u'rpz_severity': u'MAJOR', u'range.start_addr': u'10.74.49.8', u'ip.discovered_data.first_discovered': u'2022-01-18T13:39:35Z', u'destination_ip': u'10.74.49.5', u'network.network': u'10.74.49.0/27', u'network.extattrs': {u'Aruba_Sync': u'true'}, u'timestamp': u'2022-01-26T09:02:37Z', u'vnode_oid': 0, u'lease.ends': u'2022-01-26T19:55:45Z', u'lease.fingerprint': u'Generic Windows OS', u'rule_name': u'test1.deny', u'sequence_id': 4, u'lease.starts': u'2022-01-26T07:55:45Z', u'rpz_type': u'QNAME', u'network.network_view': u'default', u'threat_origin': u'NIOS', u'member_ip': u'10.74.49.5', u'lease.binding_state': u'ACTIVE', u'source_ip': u'10.74.49.15', u'ip.discovered_data.mac_address': u'00:50:56:a4:30:54', u'query_name': u'test1', u'ip.names': [u'peter-ubuntu'], u'lease.client_hostname': u'peter-ubuntu', u'source_port': 40459}
[2022/01/26 10:02:40.375438] infoblox.localdomain (DEBUG): Event fields with no value ['atc_hit_type', 'atc_hit_values', 'ip.discovered_data.device_model', 'ip.discovered_data.device_port_name', 'ip.discovered_data.device_type', 'ip.discovered_data.device_port_type', 'ip.discovered_data.vendor', 'ip.discovered_data.discovered_name', 'ip.discovered_data.duid', 'ip.discovered_data.netbios_name', 'ip.discovered_data.port_link_status', 'ip.discovered_data.port_speed', 'ip.discovered_data.port_status', 'ip.discovered_data.port_vlan_name', 'ip.discovered_data.port_vlan_description', 'lease.ipv6_duid']
[2022/01/26 10:02:40.375886] infoblox.localdomain (DEBUG): Deserialized template in use: { "comment": null, "content_type": "application/json", "headers": {}, "instance_variables": {}, "name": "Aruba ClearPass Logout", "path": "", "quoting": "json", "steps": [ { "body": [ { "assign_type": "S", "assign_val": "", "namespace": "XC", "op": "ASSIGN", "var1_name": "SESSID", "var1_namespace": "S" } ], "content_type": "application/json", "name": "Clear the session ID", "nodebug": false, "operation": "NOP", "override_headers": false, "path": "" } ], "template_variables": {}, "vendor_identifier": "Aruba ClearPass", "version": "3.0" }
[2022/01/26 10:02:40.375980] infoblox.localdomain (DEBUG): Executing step Clear the session ID (1)
[2022/01/26 10:02:40.376134] infoblox.localdomain (DEBUG): The template was executed successfully