
Reporting on RPZ hits at caching layer

New Member
Posts: 6

We have a secondary DNS layer that is supposed to be the DNS server layer for all clients.

The secondary DNS servers forward to the caching layer.

While RPZ is on both layers now, I want to only have RPZ at the secondary layer.

First I must determine that RPZ hits are only being reported from the secondary layer before I move the RPZ licenses off the caching layer.

I want to run a report that will demonstrate that clients are not sending queries to the caching layer.

The DNS secondary server names begin with “usqasb01dns”.

The DNS caching server names begin with “usqasb01dnf”.

 

This is the current search criteria:

 

index=ib_dns_summary report=si_dns_rpz_hits| eval MITIGATION_ACTION=case(MITIGATION_ACTION == "PT", "Passthru", MITIGATION_ACTION == "NX" or MITIGATION_ACTION == "ND", "Block", MITIGATION_ACTION == "SB" or MITIGATION_ACTION =="A1" or MITIGATION_ACTION =="A4" or MITIGATION_ACTION =="AA" or MITIGATION_ACTION =="DN", "Substitute") | fields _time  MITIGATION_ACTION   TOTAL_COUNT   | timechart bins=1000 avg(TOTAL_COUNT) by MITIGATION_ACTION  useother=f | interpolate 1200| fillnull | addtotals row=true col=false | rename Total as "ClientHits"

 

Can I add a condition to look for the caching servers?

Usqasb01dnf101.na.pg.com

Usqasb01dnf102.na.pg.com

Your help is greatly appreciated.

Re: Reporting on RPZ hits at caching layer

Superuser
Posts: 81

Hello Gentleman,

You can do that by including the ‘orig_host’ value like this:

 

index=ib_dns_summary report=si_dns_rpz_hits (orig_host="Usqasb01dnf101.na.pg.com" OR orig_host="Usqasb01dnf102.na.pg.com") | eval MITIGATION_ACTION=case(MITIGATION_ACTION == "PT", "Passthru", MITIGATION_ACTION == "NX" or MITIGATION_ACTION == "ND", "Block", MITIGATION_ACTION == "SB" or MITIGATION_ACTION =="A1" or MITIGATION_ACTION =="A4" or MITIGATION_ACTION =="AA" or MITIGATION_ACTION =="DN", "Substitute") | fields _time  MITIGATION_ACTION   TOTAL_COUNT   | timechart bins=1000 avg(TOTAL_COUNT) by MITIGATION_ACTION  useother=f | interpolate 1200| fillnull | addtotals row=true col=false | rename Total as "ClientHits"

 

Exclusions can be done by using the following in the above string:

orig_host!="Usqasb01dnf101.na.pg.com"

 

I hope you'll find that to be useful.

All the best.
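The check this thread is after, as an added Python example that is not part of the original posts: it applies the same MITIGATION_ACTION mapping as the posted SPL, groups TOTAL_COUNT by layer using the orig_host prefix, and totals the caching-layer hits the way the orig_host filter plus addtotals would. The summary-row layout, the use of the hostname prefixes as layer identifiers, and the sample rows are assumptions.

```python
from collections import defaultdict

# Mapping of MITIGATION_ACTION codes, copied from the case() in the thread's SPL.
ACTION_LABELS = {
    "PT": "Passthru",
    "NX": "Block", "ND": "Block",
    "SB": "Substitute", "A1": "Substitute", "A4": "Substitute",
    "AA": "Substitute", "DN": "Substitute",
}

# Hostname prefixes from the question; treating them as layer identifiers is an assumption.
SECONDARY_PREFIX = "usqasb01dns"
CACHING_PREFIX = "usqasb01dnf"

def layer_of(orig_host):
    """Classify a reporting member by its hostname prefix."""
    host = orig_host.strip().lower()  # tolerate stray spaces and case, as in the thread's orig_host values
    if host.startswith(SECONDARY_PREFIX):
        return "secondary"
    if host.startswith(CACHING_PREFIX):
        return "caching"
    return "unknown"

def summarize(rows):
    """rows: dicts with orig_host, MITIGATION_ACTION, TOTAL_COUNT (assumed summary-row layout).
    Returns {layer: {label: total}}, the SPL 'by MITIGATION_ACTION' split done per layer."""
    totals = defaultdict(lambda: defaultdict(int))
    for row in rows:
        label = ACTION_LABELS.get(row["MITIGATION_ACTION"], "Other")
        totals[layer_of(row["orig_host"])][label] += int(row["TOTAL_COUNT"])
    return {layer: dict(counts) for layer, counts in totals.items()}

def caching_layer_hits(rows):
    """Total hits reported by caching members: the orig_host filter plus addtotals from the answer.
    Anything above zero means some client is still resolving against the caching layer."""
    return sum(summarize(rows).get("caching", {}).values())

# Constructed sample rows, not real data.
SAMPLE_ROWS = [
    {"orig_host": "usqasb01dns101.na.pg.com", "MITIGATION_ACTION": "NX", "TOTAL_COUNT": 12},
    {"orig_host": "usqasb01dns102.na.pg.com", "MITIGATION_ACTION": "PT", "TOTAL_COUNT": 3},
    {"orig_host": "usqasb01dns101.na.pg.com", "MITIGATION_ACTION": "A1", "TOTAL_COUNT": 5},
    {"orig_host": " Usqasb01dnf101.na.pg.com", "MITIGATION_ACTION": "NX", "TOTAL_COUNT": 2},
]

if __name__ == "__main__":
    print(summarize(SAMPLE_ROWS))
    print("caching-layer hits:", caching_layer_hits(SAMPLE_ROWS))
```

With the sample rows the caching layer still shows 2 blocked hits, so the licenses should not be moved yet; a zero total over a representative window is what the question wants to see.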
