Vendor Documentation
Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0: DNS Logs | Base Rule | General DNS Information | Information |
| V 2.0: DNS Traffic Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| V 2.0: DNS Traffic Blocked | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Action | `<action>` | Text/String | Whether the request was allowed or blocked. |
| Blocked Categories | `<result>` | Text/String | The categories that resulted in the destination being blocked. Available in version 4 and above. |
| Categories | `<subject>` | Text/String | The security or content categories that the destination matches. For category definitions, see Understanding Security Categories and Understanding Content Categories. |
| Domain | `<domainimpacted>` | Text/String | The domain that was requested. |
| External IP | `<dip>` | IP Address | The external IP address that made the request. |
| Identities | `<object>` | Text/String | All identities associated with this request. |
| Identity Types | `<objecttype>` | Text/String | The type of identity that made the request. For example, Roaming Computer, Network, and so on. Available in version 3 and above. |
| Internal IP | `<sip>` | IP Address | The internal IP address that made the request. |
| Most Granular Identity | N/A | N/A | The first identity matched with this request in order of granularity. |
| Most Granular Identity Type | N/A | N/A | The first identity type matched with this request in order of granularity. Available in version 3 and above. |
| Query Type | `<sessiontype>` | Text/String | The type of DNS request that was made. For more information, see Common DNS Request Types. |
| Response Code | `<responsecode>` | Number | The DNS return code for this request. For more information, see Common DNS return codes for any DNS service (and Umbrella). |
| Timestamp | N/A | N/A | When this request was made, in UTC. This differs from the Umbrella dashboard, which converts the time to your specified time zone. |