
DNS Client Query Analysis Dashboard

Authority
Posts: 15

Attached is the XML code necessary to produce the DNS Client Query Analysis Dashboard within the Infoblox Reporting & Analytics solution.  The purpose of this dashboard is to answer two basic questions often asked in a security context:


1. What clients have queried a given FQDN?

2. What FQDNs has a given source IP looked up?


Both of those questions can be answered quickly using this dashboard.  The top half of the dashboard provides a view of source IP addresses listed by queried FQDN.  The bottom half provides a view of all FQDNs queried in the requested timeframe listed by source IP.  Below are some screenshots showing searches for a domain name, and for a specific source IP.  It should be noted that the domain name search only applies to the top half of the dashboard, and the source IP search only applies to the bottom half of the dashboard, allowing the two to be filtered independently.


REQUIREMENT:  This dashboard requires that you are using the Infoblox Data Connector in conjunction with NIOS query capture and that you are forwarding the query capture data into the Reporting Member.


INSTALLATION:  To install and run this dashboard:

  1. Click Reporting -> Dashboards -> Create New Dashboard
  2. Enter a temporary value for Title (this will be overwritten in a subsequent step) -> click Create Dashboard
  3. Click Source or Edit Source (depending on the NIOS version you are running)
  4. Copy the entire contents of the XML attached and completely replace the XML source of the newly created Dashboard
  5. Optionally change the value of the <label> and <description> tags at the top of the XML.  By default the Dashboard will be called "DNS Client Query Analysis Dashboard".
  6. Click Save


[Screenshot: Searching by domain name]  [Screenshot: Searching by client IP]
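The attached XML is not reproduced on this page. As an added illustration (not the dashboard XML from the original post), the following Splunk SimpleXML skeleton is laid out the way the post describes: a shared time picker, a top panel driven only by the domain-name input, and a bottom panel driven only by the source-IP input, so the two halves filter independently. The sourcetype string and the field names qname and client_ip are assumptions; substitute the fields your query capture events actually carry.

```xml
<dashboard>
  <label>DNS Client Query Analysis Dashboard</label>
  <description>Source IPs by queried FQDN (top) and queried FQDNs by source IP (bottom)</description>
  <fieldset submitButton="false"><!-- one time picker shared by both halves -->
    <input type="time" token="time">
      <label>Time range</label>
      <default><earliest>-24h@h</earliest><latest>now</latest></default>
    </input>
  </fieldset>
  <!-- Top half: which client IPs queried a given FQDN. The domain filter feeds only this panel. -->
  <row>
    <panel>
      <title>Clients that queried a given FQDN</title>
      <input type="text" token="fqdn" searchWhenChanged="true">
        <label>Domain name (wildcards allowed)</label>
        <default>*</default>
      </input>
      <table>
        <search>
          <!-- $fqdn|s$ quotes the typed value so it is a search term, not extra search syntax.
               Sourcetype and field names (qname, client_ip) are assumptions; verify them on your data. -->
          <query>sourcetype="ib:dns:capture" qname=$fqdn|s$
| stats count AS queries, min(_time) AS first_seen, max(_time) AS last_seen BY qname, client_ip
| convert ctime(first_seen) ctime(last_seen) | sort - queries</query>
          <earliest>$time.earliest$</earliest><latest>$time.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
  <!-- Bottom half: which FQDNs a given source IP looked up. The IP filter feeds only this panel. -->
  <row>
    <panel>
      <title>FQDNs queried by a given source IP</title>
      <input type="text" token="client" searchWhenChanged="true">
        <label>Source IP (wildcards allowed)</label>
        <default>*</default>
      </input>
      <table>
        <search>
          <query>sourcetype="ib:dns:capture" client_ip=$client|s$
| stats count AS queries, min(_time) AS first_seen, max(_time) AS last_seen BY client_ip, qname
| convert ctime(first_seen) ctime(last_seen) | sort - queries</query>
          <earliest>$time.earliest$</earliest><latest>$time.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

If a panel stays empty, run its query by hand in Search first: an empty result there points at missing query capture data or indexing rather than at the dashboard XML.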

Re: DNS Client Query Analysis Dashboard

New Member
Posts: 1

I followed your article step by step, but even for google.com I get "No result found."
I tried a few other built-in reports and none of them shows any data. Only search comes up with any result. Any idea what is wrongly configured?

Thanks,

A.

Re: DNS Client Query Analysis Dashboard

Authority
Posts: 15

If you are not seeing data in this report, I would first ask whether or not you have enabled query capture to a Cloud Data Connector that is configured to send the query capture data to your reporting server.  You mentioned missing data in other reports, which could mean that you don't have the indexing set up properly in your Grid reporting properties or that the reporting service isn't running on members that would produce the data.

Re: DNS Client Query Analysis Dashboard

New Member
Posts: 1

In my case, ib:dns:capture has its last update at 5/27/19 11:18:30.000 PM. It looks like something changed on this date.

Re: DNS Client Query Analysis Dashboard

Authority
Posts: 15

Is query capture enabled and is the CDC configured to send it to the reporting member?  If not, that is your issue.
