
Infoblox Advanced DNS Protection (ADP) - host extraction issue

Open Mosstrow opened this issue 5 months ago • 0 comments

Hello Team,

The HOSTNAME extraction is not working for CEF Infoblox Advanced DNS Protection (ADP). The sourcetype is working well: infoblox:threatprotect

Here is a sample where the extracted host is "ADP" instead of "HOSTNAME.srv.local":

```
<30>May 26 16:08:18 HOSTNAME.srv.local threat-protect-log[6551]: adp: CEF:0|Infoblox|NIOS Threat|9.0.6-53318-82020f7ffaad|130502880|DNS HTTPS record|4|src=185.245.255.103 spt=43120 dst=1.1.1.1 dpt=53 act="DROP" cat="DNS Message Types" nat=0 nfpt=0 nlpt=0 fqdn=test.local hit_count=1
```

Thanks

Mosstrow, May 26 '25 14:05
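For reference, the host in the message above lives in the RFC 3164 syslog header, while "adp:" is only a prefix in front of the CEF payload. The following is an added, self-contained Python example (not Splunk Connect for Syslog's own parser, which is syslog-ng configuration) that parses the header first and then the CEF body, so the host resolves to `HOSTNAME.srv.local`; the sample line is the one quoted in the issue.

```python
import re
from typing import Any, Dict

# Constructed sample: the message quoted in the issue above, not a live capture.
SAMPLE = (
    '<30>May 26 16:08:18 HOSTNAME.srv.local threat-protect-log[6551]: adp: '
    'CEF:0|Infoblox|NIOS Threat|9.0.6-53318-82020f7ffaad|130502880|DNS HTTPS record|4|'
    'src=185.245.255.103 spt=43120 dst=1.1.1.1 dpt=53 act="DROP" cat="DNS Message Types" '
    'nat=0 nfpt=0 nlpt=0 fqdn=test.local hit_count=1'
)

# RFC 3164 style header: <PRI>TIMESTAMP HOSTNAME PROGRAM[PID]: MSG
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) '
    r'(?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: '
    r'(?P<msg>.*)$', re.S)

CEF_HEADER = ('cef_version', 'vendor', 'product', 'version', 'signature_id', 'name', 'severity')

def parse_cef_extension(ext: str) -> Dict[str, str]:
    """key=value pairs; values may be double-quoted and contain spaces (cat="DNS Message Types")."""
    pairs = re.findall(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)', ext)
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in pairs}

def parse_event(line: str) -> Dict[str, Any]:
    """Parse the syslog header first, so the host comes from the header, not from the CEF body."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not an RFC 3164 syslog line')
    event: Dict[str, Any] = {k: m.group(k) for k in ('ts', 'host', 'prog', 'pid')}
    event['facility'], event['severity'] = divmod(int(m.group('pri')), 8)
    # Anything before "CEF:" (here "adp: ") is a message prefix, not a host.
    prefix, sep, cef = m.group('msg').partition('CEF:')
    event['prefix'] = prefix.strip().rstrip(':')
    if sep:
        # Seven header fields, then the extension; escaped pipes (\|) in headers are not handled here.
        parts = cef.split('|', 7)
        event['cef'] = dict(zip(CEF_HEADER, parts[:7]))
        event['cef']['extension'] = parse_cef_extension(parts[7] if len(parts) > 7 else '')
    return event

if __name__ == '__main__':
    ev = parse_event(SAMPLE)
    print(ev['host'], ev['prefix'], ev['cef']['extension']['cat'])  # HOSTNAME.srv.local adp DNS Message Types
```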