
Generate a report on DNS record changes

Techie

Hi,

Is there any way I can produce a report which shows all the DNS record changes done within a time frame in a DNS view?

I would like to generate a report which shows all the new, edited and deleted records inside the Internal view.

Re: Generate a report on DNS record changes

Moderator

Hi,

This should do it. Pretty straightforward.

index=ib_audit sourcetype=ib:audit earliest=@d DnsView=NAME (ACTION=Created OR ACTION=Modified OR ACTION=Deleted) OBJECT_TYPE=*Record | table TIMESTAMP, ADMIN, ACTION, OBJECT_TYPE, OBJECT_NAME | rename ACTION as Action, TIMESTAMP as Time, ADMIN as User, OBJECT_TYPE as "Record Type", OBJECT_NAME as "Record Name/Data"

Note:
Replace DnsView=NAME with the name of your DNS View
earliest=@d --> Data for the current day, from 00:00 hrs until now
earliest=-2d or -1w or -24h --> Data from 2 days ago, 1 week ago or 24 hours ago respectively, until now
earliest=-2d@d --> Data from 00:00 hrs the day before yesterday until now


Best Regards,
Bibin Thomas

Re: Generate a report on DNS record changes

Techie

Hi

Re: Generate a report on DNS record changes

Moderator

No field extraction needed since the field is already available. You just need to add it to your table.

index=ib_audit sourcetype=ib:audit earliest=-7d DnsView=Axe (ACTION=Created OR ACTION=Modified OR ACTION=Deleted) OBJECT_TYPE=*Record | table TIMESTAMP, ADMIN, ACTION, OBJECT_TYPE, OBJECT_NAME, comment | rename ACTION as Action, TIMESTAMP as Time, ADMIN as User, OBJECT_TYPE as "Record Type", OBJECT_NAME as "Record Name/Data", comment as Comment


Best Regards,
Bibin Thomas
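The following is an added example, not code from the thread or from Infoblox's Splunk add-on. It is an offline Python stand-in for the two searches above (the first report and the variant with the comment column), so the filter logic and the earliest= time modifiers from the note can be checked against sample data without a Splunk instance. The sample events are constructed in a simple key=value form that mirrors the field names the searches use (TIMESTAMP, ADMIN, ACTION, OBJECT_TYPE, OBJECT_NAME, DnsView, comment); real NIOS audit-log lines look different and are parsed into those fields by the add-on. The fixed "now" is an assumption so the output is reproducible.

```python
"""Offline stand-in for the ib:audit record-change searches (added example).

Sample events below are constructed; they are not real NIOS audit lines.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Constructed sample events, one per line, key=value (quoted values may hold spaces).
# The fifth event is a non-record action whose comment happens to contain the word
# "Modified": a free-text search for that word would pull it into the report.
SAMPLE_EVENTS = """\
TIMESTAMP=2024-03-04T09:12:01Z ADMIN=alice ACTION=Created OBJECT_TYPE=ARecord OBJECT_NAME="web01.corp.example 10.10.1.20" DnsView=Internal comment=CHG0001
TIMESTAMP=2024-03-04T10:40:15Z ADMIN=bob ACTION=Modified OBJECT_TYPE=CNAMERecord OBJECT_NAME="intranet.corp.example -> web01.corp.example" DnsView=Internal comment=""
TIMESTAMP=2024-03-04T11:02:44Z ADMIN=bob ACTION=Deleted OBJECT_TYPE=ARecord OBJECT_NAME="old01.corp.example 10.10.1.9" DnsView=Internal comment=decommissioned
TIMESTAMP=2024-03-04T11:30:00Z ADMIN=carol ACTION=Created OBJECT_TYPE=ARecord OBJECT_NAME="www.example.com 203.0.113.10" DnsView=External comment=CHG0002
TIMESTAMP=2024-03-04T12:00:00Z ADMIN=alice ACTION=Login OBJECT_TYPE=Session OBJECT_NAME=alice DnsView=Internal comment="Modified MFA settings"
TIMESTAMP=2024-03-01T08:00:00Z ADMIN=dave ACTION=Created OBJECT_TYPE=TXTRecord OBJECT_NAME=_dmarc.corp.example DnsView=Internal comment=""
"""

# Assumed fixed clock so the report is reproducible offline.
NOW = datetime(2024, 3, 4, 13, 0, tzinfo=timezone.utc)

RECORD_ACTIONS = {"Created", "Modified", "Deleted"}
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
EARLIEST_RE = re.compile(r"^(?:-(\d+)([smhdw]))?(@d)?$")

# Output column names match the rename clause in the searches above.
COLUMNS = ["Time", "User", "Action", "Record Type", "Record Name/Data", "Comment"]


def parse_event(line: str) -> dict[str, str]:
    """Split one key=value line into a field dict (quoted or bare values)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def load_events(text: str) -> list[dict[str, str]]:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def resolve_earliest(spec: str, now: datetime) -> datetime:
    """Resolve the earliest= modifiers used in the thread: -Nu (relative
    offset), @d (snap to 00:00) and -Nu@d (offset first, then snap)."""
    m = EARLIEST_RE.match(spec)
    if not m:
        raise ValueError(f"unsupported earliest spec: {spec!r}")
    count, unit, snap = m.groups()
    t = now
    if count:
        t -= timedelta(seconds=int(count) * UNIT_SECONDS[unit])
    if snap:
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)
    return t


def record_changes(events: list[dict[str, str]], view: str,
                   earliest: datetime, latest: datetime) -> list[dict[str, str]]:
    """Field-qualified equivalent of the SPL filter: DnsView match, ACTION in
    the change set, OBJECT_TYPE ending in 'Record', TIMESTAMP in [earliest, latest]."""
    rows = []
    for ev in events:
        ts = datetime.fromisoformat(ev["TIMESTAMP"].replace("Z", "+00:00"))
        if not (earliest <= ts <= latest):
            continue
        if ev.get("DnsView") != view:
            continue
        if ev.get("ACTION") not in RECORD_ACTIONS:   # field match, never free text
            continue
        if not ev.get("OBJECT_TYPE", "").endswith("Record"):
            continue
        rows.append({"Time": ev["TIMESTAMP"], "User": ev["ADMIN"], "Action": ev["ACTION"],
                     "Record Type": ev["OBJECT_TYPE"], "Record Name/Data": ev["OBJECT_NAME"],
                     "Comment": ev.get("comment", "")})
    return sorted(rows, key=lambda r: r["Time"])


def format_table(rows: list[dict[str, str]]) -> str:
    lines = [" | ".join(COLUMNS)]
    lines += [" | ".join(r[c] for c in COLUMNS) for r in rows]
    return "\n".join(lines)


EVENTS = load_events(SAMPLE_EVENTS)

if __name__ == "__main__":
    # Same scope as the first search: today's record changes in the Internal view.
    print(format_table(record_changes(EVENTS, "Internal", resolve_earliest("@d", NOW), NOW)))
```

Two points worth carrying back to the real searches. First, in SPL the unparenthesised form ACTION=Created OR Modified OR Deleted is read as ACTION=Created OR "Modified" OR "Deleted", where the last two are free-text matches against the whole event; the login event in the sample shows the kind of non-record event that would then leak into the report, which is why the searches above qualify every term with ACTION= (ACTION IN (Created, Modified, Deleted) is the equivalent shorthand). Second, -2d@d subtracts the offset before snapping to midnight, which is the order resolve_earliest reproduces.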
