diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index cf9ac2ae58fe9..7d3b34c4bc24e 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -803,6 +803,11 @@ plaid/assets/logs/ @DataDog/saa /ide-shepherd/manifest.json @DataDog/agent-integrations @DataDog/documentation /ide-shepherd/assets/logs/ @DataDog/agent-integrations @DataDog/documentation @DataDog/logs-integrations-reviewers +/bluecat_integrity/ @DataDog/saas-integrations +/bluecat_integrity/*.md @DataDog/saas-integrations @DataDog/documentation +/bluecat_integrity/manifest.json @DataDog/saas-integrations @DataDog/documentation +/bluecat_integrity/assets/logs/ @DataDog/saas-integrations @DataDog/documentation @DataDog/logs-integrations-reviewers + # To keep Security up-to-date with changes to the signing tool. /datadog_checks_dev/datadog_checks/dev/tooling/signing.py @DataDog/agent-integrations # As well as the secure downloader. diff --git a/.github/workflows/config/labeler.yml b/.github/workflows/config/labeler.yml index f22853ee31de5..7d6fd6ab8ef14 100644 --- a/.github/workflows/config/labeler.yml +++ b/.github/workflows/config/labeler.yml @@ -206,6 +206,10 @@ integration/bluecat_edge: - changed-files: - any-glob-to-any-file: - bluecat_edge/**/* +integration/bluecat_integrity: +- changed-files: + - any-glob-to-any-file: + - bluecat_integrity/**/* integration/boundary: - changed-files: - any-glob-to-any-file: diff --git a/bluecat_integrity/CHANGELOG.md b/bluecat_integrity/CHANGELOG.md new file mode 100644 index 0000000000000..d7d24c805209b --- /dev/null +++ b/bluecat_integrity/CHANGELOG.md @@ -0,0 +1,7 @@ +# CHANGELOG - BlueCat Integrity + +## 1.0.0 / 2026-02-18 + +***Added***: + +* Initial Release \ No newline at end of file diff --git a/bluecat_integrity/README.md b/bluecat_integrity/README.md new file mode 100644 index 0000000000000..3d10b1a5d8cd2 --- /dev/null +++ b/bluecat_integrity/README.md 
@@ -0,0 +1,75 @@
+# BlueCat Integrity
+
+## Overview
+
+[BlueCat Integrity][1] is a centralized DDI platform that automates and secures enterprise network infrastructure management.
+
+Integrate BlueCat Integrity with Datadog's pre-built dashboard visualizations to gain insights into DNS and DHCP activity events. With Datadog's built-in log pipelines, you can parse and enrich these logs to facilitate easy search and detailed insights. Additionally, this integration includes ready-to-use Cloud SIEM detection rules for enhanced monitoring and security.
+
+## Setup
+
+### Configuration
+
+#### Webhook Configuration
+
+Configure the Datadog endpoint to forward BlueCat Integrity DHCP activity events as logs to Datadog.
+
+1. Copy the generated URL inside the **Configuration** tab on the Datadog [BlueCat Integrity][2] tile.
+2. Sign in to BlueCat Integrity Portal.
+3. Click the **Servers** tab in the sidebar, then choose **Servers**.
+4. From the list, click the name of the server to configure the log collection.
+5. Open the **Services** tab.
+6. Under **Monitoring and analytics**, locate the **DHCP activity service** panel and click **Edit service**.
+7. Under **General**, set the following parameters:
+ - **Enabled**: Select this check box to enable DHCP activity service.
+ - **DHCPv4 enabled**: Select this check box to collect DHCPv4 activity events.
+ - **DHCPv6 enabled**: Select this check box to collect DHCPv6 activity events.
+8. On the **Destination tab**, set the following parameters:
+ - **Sink type**: Select HTTP.
+ - On selecting HTTP, the following fields appear:
+ - Output URI: Enter the webhook URL generated in step 1.
+9. On the **Certificate** tab, under CA certificate, export the public SSL certificate for *.datadoghq.com from your browser's certificate viewer (the certificate presented when accessing Datadog over HTTPS) and upload it here.
+10. Click **Save**.
+11. Perform steps 5-10 on every server from which logs need to be collected.
+
+
+Configure the Datadog endpoint to forward BlueCat Integrity DNS activity events as logs to Datadog.
+
+1. Copy the generated URL inside the **Configuration** tab on the Datadog [BlueCat Integrity][2] tile.
+2. Sign in to BlueCat Integrity Portal.
+3. Click the **Servers** tab in the sidebar, then choose **Servers**.
+4. From the list, click the name of the server to configure the log collection.
+5. Open the **Services** tab.
+6. Under **Monitoring and analytics**, locate the **DNS activity service** panel and click **Edit service**.
+7. Under **General**, set the following parameters:
+ - **Enabled**: Select this check box to enable the service.
+8. On the **Destination tab**, set the following parameters:
+ - **Sink type**: Select HTTP
+ - On selecting HTTP, the following fields appear:
+ - **Output URI**: Enter the webhook URL generated in step 1.
+9. On the **Certificate** tab, under CA certificate, export the public SSL certificate for *.datadoghq.com from your browser's certificate viewer (the certificate presented when accessing Datadog over HTTPS) and upload it here.
+10. Click **Save**.
+11. Perform steps 5-10 on every server from which logs need to be collected.
+
+
+## Data Collected
+
+### Logs
+
+The BlueCat Integrity integration collects DHCP and DNS activity events.
+
+### Metrics
+
+The BlueCat Integrity integration does not include any metrics.
+
+### Events
+
+The BlueCat Integrity integration does not include any events.
+
+## Support
+
+For further assistance, contact [Datadog support][3].
+
+[1]: https://bluecatnetworks.com/products/integrity/
+[2]: /integrations/bluecat-integrity
+[3]: https://docs.datadoghq.com/help/
\ No newline at end of file
diff --git a/bluecat_integrity/assets/bluecat-integrity.svg b/bluecat_integrity/assets/bluecat-integrity.svg
new file mode 100644
index 0000000000000..5f263c62d3397
--- /dev/null
+++ b/bluecat_integrity/assets/bluecat-integrity.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/bluecat_integrity/assets/dashboards/bluecat_integrity_dhcp_insights.json b/bluecat_integrity/assets/dashboards/bluecat_integrity_dhcp_insights.json
new file mode 100644
index 0000000000000..054c98ed0712f
--- /dev/null
+++ b/bluecat_integrity/assets/dashboards/bluecat_integrity_dhcp_insights.json
@@ -0,0 +1,1622 @@ +{ + "title": "BlueCat Integrity DHCP Insights", + "description": "This dashboard provides a comprehensive summary of DHCP insights.", + "widgets": [ + { + "id": 6151879075626458, + "definition": { + "type": "image", + "url": "https://bluecatnetworks.com/wp-content/uploads/2024/02/bluecat-logo.svg", + "url_dark_theme": "https://bluecatnetworks.com/wp-content/uploads/2024/02/bluecat-logo.svg", + "sizing": "contain", + "margin": "sm", + "has_background": false, + "has_border": true, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 2 + } + }, + { + "id": 7661804533108844, + "definition": { + "type": "note", + "content": "This dashboard provides a comprehensive summary of DHCP insights.\n\nFor more information, see the [BlueCat Integrity Integration Documentation](https://docs.datadoghq.com/integrations/bluecat_integrity/).\n\n**Tips**\n- Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": true, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 2 + } + }, + { + "id": 2780380458538478, + "definition": { + "title": "Traffic Overview", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 4007510612577807, + "definition": { + "type": "note", + "content": "Provides an overall view of DHCP traffic, tracking packet volumes, trends over time, and the distribution between DHCPv4 and DHCPv6. 
It helps teams understand message flows, monitor network behavior, and analyze client-server interactions efficiently.", + "background_color": "blue", + "font_size": "14", + "text_align": "center", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 6834340530898074, + "definition": { + "title": "Total DHCP messages", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:(dhcpv4-packet OR dhcpv6-packet) $server_id $payload_type $dhcpv4_message_type $dhcpv6_message_type" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d3e3f3" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 3, + "height": 3 + } + }, + { + "id": 2893346216134267, + "definition": { + "title": "DHCP messages over time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Messages", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:(dhcpv4-packet OR dhcpv6-packet) $server_id $payload_type $dhcpv4_message_type $dhcpv6_message_type" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + 
"aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 1, + "width": 9, + "height": 3 + } + }, + { + "id": 833518703407602, + "definition": { + "title": "DHCPv4 messages breakdown", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dhcpv4-packet $server_id $payload_type $dhcpv4_message_type $dhcpv6_message_type" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@data.dhcpv4Message.options.messageType" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 6100946744742176, + "definition": { + "title": "DHCPv6 messages breakdown", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dhcpv6-packet $server_id $payload_type $dhcpv4_message_type $dhcpv6_message_type" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@data.dhcpv6Message.messageType" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { 
+ "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 1565572164578323, + "definition": { + "title": "DHCP type distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:(dhcpv4-packet OR dhcpv6-packet) $server_id $payload_type $dhcpv4_message_type $dhcpv6_message_type" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@payloadType" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 6, + "height": 4 + } + }, + { + "id": 8525080093851180, + "definition": { + "title": "Log details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:bluecat-integrity @payloadType:(dhcpv4-packet OR dhcpv6-packet) $server_id $payload_type $dhcpv4_message_type $dhcpv6_message_type", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": 
"timestamp", + "width": "auto" + }, + { + "field": "payloadType", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 6, + "y": 8, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 2, + "width": 12, + "height": 13 + } + }, + { + "id": 5856038612515279, + "definition": { + "title": "DHCPv4 Packet Details", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 8664653851282909, + "definition": { + "type": "note", + "content": "Provides a detailed view of DHCPv4 traffic, tracking the volume and types of packets over time. It helps teams understand client-server interactions, monitor message flows, and identify trends or anomalies in DHCPv4 communication.", + "background_color": "blue", + "font_size": "14", + "text_align": "center", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 5735444963876529, + "definition": { + "title": "DHCPv4 messages", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dhcpv4-packet $server_id $payload_type $dhcpv4_message_type" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d3e3f3" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 3, + "height": 3 + } + }, + { + "id": 
8541533520873031, + "definition": { + "title": "DHCPv4 messages type over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Messages", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dhcpv4-packet $server_id $payload_type $dhcpv4_message_type" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@data.dhcpv4Message.options.messageType" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + } + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 1, + "width": 9, + "height": 3 + } + }, + { + "id": 1466849116384218, + "definition": { + "title": "DHCP outbound message type distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dhcpv4-packet @message_direction_value:BOOTREQUEST $server_id $payload_type $dhcpv4_message_type" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@data.dhcpv4Message.options.messageType" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + 
"type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 6277358687483292, + "definition": { + "title": "DHCP inbound message type distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dhcpv4-packet @message_direction_value:BOOTREPLY $server_id $payload_type $dhcpv4_message_type" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@data.dhcpv4Message.options.messageType" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 4224141363724107, + "definition": { + "title": "Inbound vs outbound", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dhcpv4-packet $server_id $payload_type $dhcpv4_message_type" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@message_direction_value" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": 
"datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 6, + "height": 4 + } + }, + { + "id": 1283029601363087, + "definition": { + "title": "Top hosts", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dhcpv4-packet $server_id $payload_type $dhcpv4_message_type" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@data.dhcpv4Message.options.hostName" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d3e3f3" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 8, + "width": 3, + "height": 4 + } + }, + { + "id": 1230212418562855, + "definition": { + "title": "Top DHCPv4 client hardware addresses", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dhcpv4-packet $server_id $payload_type $dhcpv4_message_type" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@data.dhcpv4Message.chaddr" + ], + "limit": 10, + "sort": { + "aggregation": 
"count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d3e3f3" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 9, + "y": 8, + "width": 3, + "height": 4 + } + }, + { + "id": 23460823039540, + "definition": { + "title": "Server activity", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dhcpv4-packet $server_id $payload_type $dhcpv4_message_type" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@serverId" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 12, + "width": 6, + "height": 4 + } + }, + { + "id": 2430939503445951, + "definition": { + "title": "Top requested IPs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dhcpv4-packet $server_id $payload_type 
$dhcpv4_message_type" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@data.dhcpv4Message.options.requestedAddr" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d3e3f3" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 12, + "width": 3, + "height": 4 + } + }, + { + "id": 78452959689241, + "definition": { + "title": "Top assigned IPv4 addresses", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dhcpv4-packet $server_id $payload_type $dhcpv4_message_type" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@data.dhcpv4Message.yiaddr" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d3e3f3" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 9, + "y": 12, + "width": 3, + "height": 4 + } + }, + 
{ + "id": 314049111045030, + "definition": { + "title": "Log details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:bluecat-integrity @payloadType:dhcpv4-packet $server_id $payload_type $dhcpv4_message_type", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 16, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 30, + "width": 12, + "height": 21, + "is_column_break": true + } + }, + { + "id": 3747769284629770, + "definition": { + "title": "DHCPv6 Packet Details", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 8760944639687471, + "definition": { + "type": "note", + "content": "Provides a detailed view of DHCPv6 traffic, tracking the volume and types of packets over time. 
It helps teams understand client-server interactions, monitor message flows, and analyze trends in DHCPv6 communication.", + "background_color": "blue", + "font_size": "14", + "text_align": "center", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 8422131148558737, + "definition": { + "title": "DHCPv6 messages", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dhcpv6-packet $server_id $payload_type $dhcpv6_message_type" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d3e3f3" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 3, + "height": 3 + } + }, + { + "id": 7633017829894756, + "definition": { + "title": "DHCPv6 messages type over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Messages", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dhcpv6-packet $server_id $payload_type $dhcpv6_message_type" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@data.dhcpv6Message.messageType" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": 
"count", + "order": "desc" + } + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 1, + "width": 9, + "height": 3 + } + }, + { + "id": 6184357821344938, + "definition": { + "title": "Top assigned IPv6 addresses", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dhcpv6-packet $server_id $payload_type $dhcpv6_message_type" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@data.dhcpv6Message.options.iaNaOptions.ipv6Addr" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d3e3f3" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 3, + "height": 4 + } + }, + { + "id": 5689497245405360, + "definition": { + "title": "Server activity", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dhcpv6-packet $server_id $payload_type $dhcpv6_message_type" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@serverId" + ], + "limit": 10, + "sort": { 
+ "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 3, + "y": 4, + "width": 9, + "height": 4 + } + }, + { + "id": 5660829832627764, + "definition": { + "title": "Log details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:bluecat-integrity @payloadType:dhcpv6-packet $server_id $payload_type $dhcpv6_message_type", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "@data.dhcpv6Message.messageType", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 8, + "width": 12, + "height": 3 + } + } + ] + }, + "layout": { + "x": 0, + "y": 51, + "width": 12, + "height": 12 + } + } + ], + "template_variables": [ + { + "name": "server_id", + "prefix": "@serverId", + "available_values": [], + "default": "*" + }, + { + "name": "payload_type", + "prefix": "@payloadType", + "available_values": [], + "default": "*" + }, + { + "name": "dhcpv4_message_type", + "prefix": "@data.dhcpv4Message.options.messageType", + "available_values": [], + "default": "*" + }, + { + "name": "dhcpv6_message_type", + "prefix": "@data.dhcpv6Message.messageType", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file 
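Review bot: In the "DHCPv4 Packet Details" group, the widget titled `DHCP outbound message type distribution` filters on `@message_direction_value:BOOTREQUEST` and its `inbound` sibling on `BOOTREPLY`, which is the reverse of the logging server's perspective (a BOOTREQUEST travels client→server, a BOOTREPLY server→client), so unless direction is deliberately meant from the client side the two titles appear swapped and a network operator triaging rogue-client activity would read the wrong chart. The smallest fix is to exchange the two title values, `"title": "DHCPv4 inbound message type distribution"` on the BOOTREQUEST widget and `"title": "DHCPv4 outbound message type distribution"` on the BOOTREPLY widget, which also aligns them with the "DHCPv4" prefix every other widget in that group uses. Separately, the Traffic Overview `Log details` stream declares a column with `"field": "payloadType"` while the DHCPv6 group's stream uses the `@`-prefixed `"field": "@data.dhcpv6Message.messageType"`; if attribute columns require the `@` prefix the first one will render empty, and `"field": "@payloadType"` is presumably intended. The per-version breakdown widgets in Traffic Overview also carry both `$dhcpv4_message_type` and `$dhcpv6_message_type`, so selecting a DHCPv6 type blanks the DHCPv4 sunburst, whereas the later groups scope each query to only its own version's variable.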
diff --git a/bluecat_integrity/assets/dashboards/bluecat_integrity_dns_insights.json b/bluecat_integrity/assets/dashboards/bluecat_integrity_dns_insights.json
new file mode 100644
index 0000000000000..da720f3bfee07
--- /dev/null
+++ b/bluecat_integrity/assets/dashboards/bluecat_integrity_dns_insights.json
@@ -0,0 +1,1600 @@ +{ + "title": "BlueCat Integrity DNS Insights", + "description": "This dashboard provides a comprehensive summary of DNS insights.", + "widgets": [ + { + "id": 6151879075626458, + "definition": { + "type": "image", + "url": "https://bluecatnetworks.com/wp-content/uploads/2024/02/bluecat-logo.svg", + "url_dark_theme": "https://bluecatnetworks.com/wp-content/uploads/2024/02/bluecat-logo.svg", + "sizing": "contain", + "margin": "sm", + "has_background": false, + "has_border": true, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 2 + } + }, + { + "id": 7661804533108844, + "definition": { + "type": "note", + "content": "This dashboard provides a comprehensive summary of DNS insights.\n\nFor more information, see the [BlueCat Integrity Integration Documentation](https://docs.datadoghq.com/integrations/bluecat_integrity/).\n\n**Tips**\n- Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": true, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 2 + } + }, + { + "id": 2780380458538478, + "definition": { + "title": "Overview", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 4007510612577807, + "definition": { + "type": "note", + "content": "Provides actionable insights into DNS activity by tracking event volumes, analyzing trends over time, breaking down traffic by message types, and highlighting the most frequent queries and servers to support operational visibility and troubleshooting.", + "background_color": "blue", + "font_size": "14", + "text_align": "center", + 
"vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 6834340530898074, + "definition": { + "title": "DNS events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dnstap $message_type $server_id $request_domain $response_domain" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d3e3f3" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 3, + "height": 3 + } + }, + { + "id": 8347109012862062, + "definition": { + "title": "DNS events over time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dnstap $message_type $server_id $request_domain $response_domain" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 1, + "width": 9, 
+ "height": 3 + } + }, + { + "id": 7273853121013714, + "definition": { + "title": "DNS events by message types", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dnstap $message_type $server_id $request_domain $response_domain" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@messageType" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 12, + "height": 4 + } + }, + { + "id": 4187553057440913, + "definition": { + "title": "Top requested DNS queries", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dnstap $message_type $server_id $request_domain $response_domain" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@requestData.question.domainName" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d3e3f3" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": 
"formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked" + } + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 6, + "height": 4 + } + }, + { + "id": 3844180593697973, + "definition": { + "title": "Top DNS servers", + "title_size": "16", + "title_align": "left", + "type": "bar_chart", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dnstap $message_type $server_id $request_domain $response_domain" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@serverId" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d3e3f3" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 8, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 2, + "width": 12, + "height": 13 + } + }, + { + "id": 8222518606397731, + "definition": { + "title": "DNS Insights", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 4770492289869124, + "definition": { + "type": "note", + "content": "Provides comprehensive view of DNS activity, showing overall traffic patterns, trends, and network interactions. 
Designed to help monitor and analyze DNS operations efficiently.", + "background_color": "blue", + "font_size": "14", + "text_align": "center", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 5273836143035735, + "definition": { + "title": "DNS query events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dnstap @requestData.time:* $message_type $server_id $request_domain $response_domain" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d3e3f3" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 3, + "height": 2 + } + }, + { + "id": 1177437160266726, + "definition": { + "title": "DNS response codes over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dnstap $message_type $server_id $request_domain $response_domain" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@dns.flags.rcode" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + } 
+ }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 1, + "width": 9, + "height": 4 + } + }, + { + "id": 5655075394484984, + "definition": { + "title": "DNS response events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dnstap @responseData.time:* $message_type $server_id $request_domain $response_domain" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d3e3f3" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 3, + "height": 2 + } + }, + { + "id": 6366132574396879, + "definition": { + "title": "Top client IPs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dnstap $message_type $server_id $request_domain $response_domain" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@network.client.ip" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + 
"value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d3e3f3" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 5, + "width": 3, + "height": 4 + } + }, + { + "id": 3486801237803111, + "definition": { + "title": "Top client ports", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dnstap $message_type $server_id $request_domain $response_domain" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@network.client.port" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d3e3f3" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 5, + "width": 3, + "height": 4 + } + }, + { + "id": 8820392117030601, + "definition": { + "title": "Geolocation distribution of DNS client IPs", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dnstap $message_type $server_id $request_domain $response_domain" + }, + "indexes": [ + 
"*" + ], + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 250, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 6, + "y": 5, + "width": 6, + "height": 4 + } + }, + { + "id": 1281956041851919, + "definition": { + "title": "Top responder IPs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dnstap $message_type $server_id $request_domain $response_domain" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@network.destination.ip" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d3e3f3" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 9, + "width": 3, + "height": 4 + } + }, + { + "id": 76828664147989, + "definition": { + "title": "Top responder ports", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + 
"query": "source:bluecat-integrity @payloadType:dnstap $message_type $server_id $request_domain $response_domain" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@network.destination.port" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d3e3f3" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 3, + "y": 9, + "width": 3, + "height": 4 + } + }, + { + "id": 4002868118994987, + "definition": { + "title": "Geolocation distribution of responder IPs", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dnstap $message_type $server_id $request_domain $response_domain" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@network.destination.geoip.country.iso_code" + ], + "limit": 250, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 6, + "y": 9, + "width": 6, + "height": 4 + } 
+ }, + { + "id": 7912671157154355, + "definition": { + "title": "Top socket families", + "title_size": "16", + "title_align": "left", + "type": "bar_chart", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dnstap $message_type $server_id $request_domain $response_domain" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@socketFamily" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d3e3f3" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 13, + "width": 6, + "height": 4 + } + }, + { + "id": 2856035586396965, + "definition": { + "title": "Transport protocols distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dnstap $message_type $server_id $request_domain $response_domain" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@socketProtocol" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "order_by": [ + { + "type": "formula", + "index": 0, + 
"order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 13, + "width": 6, + "height": 4 + } + }, + { + "id": 2248480185574051, + "definition": { + "title": "Response code distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dnstap $message_type $server_id $request_domain $response_domain" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@dns.flags.rcode" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 17, + "width": 6, + "height": 4 + } + }, + { + "id": 7030649668652850, + "definition": { + "title": "DNS response data details", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dnstap $message_type $server_id $request_domain $response_domain" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@responseData.question.domainName", + "limit": 25, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@responseData.question.questionType", + "limit": 25, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { 
+ "facet": "@responseData.question.class", + "limit": 15, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 9375, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "number", + "alias": "Count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 6, + "y": 17, + "width": 6, + "height": 4 + } + }, + { + "id": 714393923545946, + "definition": { + "title": "DNS request opcode distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dnstap $message_type $server_id $request_domain $response_domain" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@request_op_code_value" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 21, + "width": 6, + "height": 4 + } + }, + { + "id": 3806033036135510, + "definition": { + "title": "DNS response opcode distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity @payloadType:dnstap $message_type $server_id $request_domain 
$response_domain" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@response_op_code_value" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 21, + "width": 6, + "height": 4 + } + }, + { + "id": 7178056582026261, + "definition": { + "title": "DNS event details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:bluecat-integrity @payloadType:dnstap $message_type $server_id $request_domain $response_domain", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "messageType", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 25, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 15, + "width": 12, + "height": 30 + } + } + ], + "template_variables": [ + { + "name": "message_type", + "prefix": "@messageType", + "available_values": [], + "default": "*" + }, + { + "name": "server_id", + "prefix": "@serverId", + "available_values": [], + "default": "*" + }, + { + "name": "request_domain", + "prefix": "@requestData.question.domainName", + "available_values": [], + "default": "*" + }, + { + "name": "response_domain", + "prefix": "@responseData.question.domainName", + "available_values": [], + "default": "*" 
+ }
+ ],
+ "layout_type": "ordered",
+ "notify_list": [],
+ "reflow_type": "fixed"
+}
\ No newline at end of file
diff --git a/bluecat_integrity/assets/dashboards/bluecat_integrity_overview.json b/bluecat_integrity/assets/dashboards/bluecat_integrity_overview.json
new file mode 100644
index 0000000000000..7fabb8ade37f3
--- /dev/null
+++ b/bluecat_integrity/assets/dashboards/bluecat_integrity_overview.json
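Review bot: In the "DNS event details" list_stream widget near the end of the hunk, the column `"field": "messageType"` is written without the `@` prefix, while every other reference to that attribute in this file (the `message_type` template variable prefix and the "DNS events by message types" group_by) uses `@messageType`; unless this is a reserved column name, it likely should be `"field": "@messageType"` so the column resolves to the parsed attribute rather than showing empty. The two geomap widgets also group in different shapes: the client-IP map uses the array form `[{ "facet": "@network.client.geoip.country.iso_code", "sort": { "order": "desc", "aggregation": "count" } }]` with no `should_exclude_missing`, whereas the responder-IP map uses the `fields` form with `"metric": "count"` and `"should_exclude_missing": true`, so the two maps will treat logs lacking the geoip facet differently; picking one shape for both keeps them consistent. The "Transport protocols distribution" sunburst omits `"count": 500` from its `sort` block, which every sibling sunburst in the file sets. The opcode facets `@request_op_code_value` and `@response_op_code_value` are the only snake_case attributes among otherwise camelCase ones; if those names are what the pipeline emits they are fine, but it is worth confirming they match the processor output.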
@@ -0,0 +1,867 @@ +{ + "title": "BlueCat Integrity Overview", + "description": "This dashboard provides a comprehensive summary of all events.", + "widgets": [ + { + "id": 6151879075626458, + "definition": { + "type": "image", + "url": "https://bluecatnetworks.com/wp-content/uploads/2024/02/bluecat-logo.svg", + "url_dark_theme": "https://bluecatnetworks.com/wp-content/uploads/2024/02/bluecat-logo.svg", + "sizing": "contain", + "margin": "sm", + "has_background": false, + "has_border": true, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 3 + } + }, + { + "id": 7661804533108844, + "definition": { + "type": "note", + "content": "[BlueCat Integrity](https://bluecatnetworks.com/products/integrity/) is a centralized DDI platform that automates and secures enterprise network infrastructure management.\n\nThis dashboard provides a comprehensive summary of all events.\n\nFor more information, see the [BlueCat Integrity Integration Documentation](https://docs.datadoghq.com/integrations/bluecat_integrity/).\n\n**Tips**\n- Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": true, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 3 + } + }, + { + "id": 2780380458538478, + "definition": { + "title": "Overview", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 4007510612577807, + "definition": { + "type": "note", + "content": "Provides a unified, high-level view of DNS, DHCPv4, and DHCPv6 events from BlueCat Integrity, showing overall event volume, distribution by event type, and trends over 
time. This overview enables teams to monitor service activity, review event patterns, and efficiently investigate detailed log records across all supported protocol events.", + "background_color": "blue", + "font_size": "14", + "text_align": "center", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 6834340530898074, + "definition": { + "title": "Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity $payload_type" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d3e3f3" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "bars", + "yaxis": {} + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 3, + "height": 3 + } + }, + { + "id": 2004986447717672, + "definition": { + "title": "Events over time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Events", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity $payload_type" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@payloadType" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + } + }, + "compute": { + "aggregation": "count" + }, + "storage": 
"hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 1, + "width": 9, + "height": 3 + } + }, + { + "id": 4866286559106529, + "definition": { + "title": "Events by type", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:bluecat-integrity $payload_type" + }, + "indexes": [ + "*" + ], + "group_by": { + "fields": [ + "@payloadType" + ], + "limit": 10, + "sort": { + "aggregation": "count", + "metric": "count", + "order": "desc" + }, + "should_exclude_missing": true + }, + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 6, + "height": 4 + } + }, + { + "id": 7899668072371820, + "definition": { + "title": "Event details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:bluecat-integrity $payload_type", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "payloadType", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 9 + } + }, + { + "id": 463348310375533, + 
"definition": { + "title": "Datadog Cloud SIEM", + "title_align": "center", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 2251087589862596, + "definition": { + "type": "note", + "content": "Datadog Cloud SIEM analyzes and correlates the **BlueCat Integrity** logs to detect threats to your environment in real time. If you don't see signals please make sure you've enabled [Datadog Cloud SIEM](/security/overview).", + "background_color": "blue", + "font_size": "14", + "text_align": "center", + "vertical_align": "center", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 5121774409606058, + "definition": { + "title": "CRITICALs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "security_signals", + "search": { + "query": "@workflow.rule.type:(\"Application Security\" OR \"Workload Security\" OR \"Log Detection\" OR \"Signal Correlation\") source:bluecat-integrity status:critical" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#bc303c" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 590853671552729, + "definition": { + "title": "HIGHs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "security_signals", + 
"search": { + "query": "@workflow.rule.type:(\"Application Security\" OR \"Workload Security\" OR \"Log Detection\" OR \"Signal Correlation\") source:bluecat-integrity status:high" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d33043" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 1080646652865832, + "definition": { + "title": "Critical security signals", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "security_signals", + "search": { + "query": "@workflow.rule.type:(\"Application Security\" OR \"Workload Security\" OR \"Log Detection\" OR \"Signal Correlation\") source:bluecat-integrity status:critical" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#bc303c" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 1, + "width": 8, + "height": 4 + } + }, + { + "id": 92354634494159, + "definition": { + "title": "MEDIUMs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + 
"queries": [ + { + "name": "query1", + "data_source": "security_signals", + "search": { + "query": "@workflow.rule.type:(\"Application Security\" OR \"Workload Security\" OR \"Log Detection\" OR \"Signal Correlation\") source:bluecat-integrity status:medium" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e5a21c" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 2, + "height": 2 + } + }, + { + "id": 2996913897935465, + "definition": { + "title": "LOWs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "security_signals", + "search": { + "query": "@workflow.rule.type:(\"Application Security\" OR \"Workload Security\" OR \"Log Detection\" OR \"Signal Correlation\") source:bluecat-integrity status:low" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#ffb52b" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 3, + "width": 2, + "height": 1 + } + }, + { + "id": 5893381204783135, + "definition": { + "title": "INFOs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "security_signals", + "search": { + "query": "@workflow.rule.type:(\"Application Security\" OR \"Workload Security\" OR \"Log Detection\" OR \"Signal Correlation\") source:bluecat-integrity 
status:info" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#84c1e0" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 2, + "y": 4, + "width": 2, + "height": 1 + } + }, + { + "id": 5235052164294211, + "definition": { + "title": "High security signals", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "security_signals", + "search": { + "query": "@workflow.rule.type:(\"Application Security\" OR \"Workload Security\" OR \"Log Detection\" OR \"Signal Correlation\") source:bluecat-integrity status:high" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#d33043" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 5, + "width": 6, + "height": 4 + } + }, + { + "id": 3156655384270406, + "definition": { + "title": "Medium security signals", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "security_signals", + "search": { + "query": "@workflow.rule.type:(\"Application Security\" OR \"Workload Security\" OR \"Log Detection\" OR 
\"Signal Correlation\") source:bluecat-integrity status:medium" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e5a21c" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 5, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 12, + "width": 12, + "height": 1 + } + } + ], + "template_variables": [ + { + "name": "payload_type", + "prefix": "@payloadType", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/bluecat_integrity/assets/logs/bluecat-integrity.yaml b/bluecat_integrity/assets/logs/bluecat-integrity.yaml new file mode 100644 index 0000000000000..58f209374b9dd --- /dev/null +++ b/bluecat_integrity/assets/logs/bluecat-integrity.yaml 
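Review bot: The outer `layout` of the `Datadog Cloud SIEM` group at the end of the hunk declares `"height": 1`, but its inner widgets extend to `"y": 5` with `"height": 4`, while the sibling `Overview` group sizes its outer layout to its content plus the title row (`"height": 9` for widgets ending at row 8); unless the dashboard API recomputes group heights on import, the SIEM group will render collapsed or overlap whatever follows, so `"height": 10` would match the convention the other group uses. Separately, the image widget near the top of the hunk loads the logo from `https://bluecatnetworks.com/wp-content/uploads/2024/02/bluecat-logo.svg`, a third-party host the dashboard now depends on for rendering and one every viewer's browser is sent to; if the repository's other integrations host logos under a Datadog-controlled origin, this should follow that convention. The per-severity `query_value` widgets also drift in presentation: `CRITICALs` carries a `timeseries_background` block while `HIGHs`, `MEDIUMs`, `LOWs` and `INFOs` do not, which reads as copy-paste residue rather than intent.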
@@ -0,0 +1,886 @@ +id: bluecat-integrity +metric_id: bluecat-integrity +backend_only: false +facets: + - groups: + - DNS + name: Response Code + path: dns.flags.rcode + source: log + - groups: + - Geoip + name: City Name + path: network.client.geoip.city.name + source: log + - groups: + - Geoip + name: Continent Code + path: network.client.geoip.continent.code + source: log + - groups: + - Geoip + name: Continent Name + path: network.client.geoip.continent.name + source: log + - groups: + - Geoip + name: Country ISO Code + path: network.client.geoip.country.iso_code + source: log + - groups: + - Geoip + name: Country Name + path: network.client.geoip.country.name + source: log + - groups: + - Geoip + name: Subdivision ISO Code + path: network.client.geoip.subdivision.iso_code + source: log + - groups: + - Geoip + name: Subdivision Name + path: network.client.geoip.subdivision.name + source: log + - groups: + - Web Access + name: Client IP + path: network.client.ip + source: log + - groups: + - Web Access + name: Client Port + path: network.client.port + source: log + - groups: + - Geoip + name: Destination City Name + path: network.destination.geoip.city.name + source: log + - groups: + - Geoip + name: Destination Continent Code + path: network.destination.geoip.continent.code + source: log + - groups: + - Geoip + name: Destination Continent Name + path: network.destination.geoip.continent.name + source: log + - groups: + - Geoip + name: Destination Country ISO Code + path: network.destination.geoip.country.iso_code + source: log + - groups: + - Geoip + name: Destination Country Name + path: network.destination.geoip.country.name + source: log + - groups: + - Geoip + name: Destination Subdivision ISO Code + path: network.destination.geoip.subdivision.iso_code + source: log + - groups: + - Geoip + name: Destination Subdivision Name + path: network.destination.geoip.subdivision.name + source: log + - groups: + - Web Access + name: Destination IP + path: 
network.destination.ip + source: log + - groups: + - Web Access + name: Destination Port + path: network.destination.port + source: log +pipeline: + type: pipeline + name: BlueCat Integrity + enabled: true + filter: + query: source:bluecat-integrity + processors: + - type: date-remapper + name: Define `timestamp` as the official date of the log + enabled: true + sources: + - timestamp + - type: pipeline + name: Parse DNS activity events + enabled: true + filter: + query: "@payloadType:dnstap" + processors: + - type: attribute-remapper + name: Map `sourceAddress` to `network.client.ip` + enabled: true + sources: + - sourceAddress + sourceType: attribute + target: network.client.ip + targetType: attribute + preserveSource: true + overrideOnConflict: false + - type: attribute-remapper + name: Map `sourcePort` to `network.client.port` + enabled: true + sources: + - sourcePort + sourceType: attribute + target: network.client.port + targetType: attribute + preserveSource: true + overrideOnConflict: false + - type: attribute-remapper + name: Map `responseAddress` to `network.destination.ip` + enabled: true + sources: + - responseAddress + sourceType: attribute + target: network.destination.ip + targetType: attribute + preserveSource: true + overrideOnConflict: false + - type: attribute-remapper + name: Map `responsePort` to `network.destination.port` + enabled: true + sources: + - responsePort + sourceType: attribute + target: network.destination.port + targetType: attribute + preserveSource: true + overrideOnConflict: false + - type: attribute-remapper + name: Map `requestData.rcodeName`, `responseData.rcodeName` to `dns.flags.rcode` + enabled: true + sources: + - requestData.rcodeName + - responseData.rcodeName + sourceType: attribute + target: dns.flags.rcode + targetType: attribute + preserveSource: true + overrideOnConflict: false + - name: Lookup `responseData.header.opcode` to `response_op_code_value` + enabled: true + source: responseData.header.opcode + target: 
response_op_code_value + lookupTable: |- + 0,Query + 1,IQuery + 2,Status + 3,Unassigned + 4,Notify + 5,Update + 6,DSO Message + 7,Unassigned + 8,Unassigned + 9,Unassigned + 10,Unassigned + 11,Unassigned + 12,Unassigned + 13,Unassigned + 14,Unassigned + 15,Unassigned + type: lookup-processor + - name: Lookup `requestData.header.opcode` to `request_op_code_value` + enabled: true + source: requestData.header.opcode + target: request_op_code_value + lookupTable: |- + 0,Query + 1,IQuery + 2,Status + 3,Unassigned + 4,Notify + 5,Update + 6,DSO Message + 7,Unassigned + 8,Unassigned + 9,Unassigned + 10,Unassigned + 11,Unassigned + 12,Unassigned + 13,Unassigned + 14,Unassigned + 15,Unassigned + type: lookup-processor + - type: geo-ip-parser + name: Extract Geolocation information from Client IP + enabled: true + sources: + - network.client.ip + target: network.client.geoip + ip_processing_behavior: do-nothing + - type: geo-ip-parser + name: Extract Geolocation information from Destination IP + enabled: true + sources: + - network.destination.ip + target: network.destination.geoip + ip_processing_behavior: do-nothing + - type: pipeline + name: Parse DHCP activity events + enabled: true + filter: + query: "@payloadType:(dhcpv4-packet OR dhcpv6-packet)" + processors: + - name: Lookup `data.dhcpv4Message.op` to `message_direction_value` + enabled: true + source: data.dhcpv4Message.op + target: message_direction_value + lookupTable: |- + 1,BOOTREQUEST + 2,BOOTREPLY + type: lookup-processor + - type: pipeline + name: OCSF pre transformations + enabled: true + filter: + query: "" + processors: + - type: string-builder-processor + name: Add product name + enabled: true + template: BlueCat Integrity + target: ocsf.metadata.product.name + replaceMissing: false + - type: string-builder-processor + name: Add product vendor + enabled: true + template: BlueCat + target: ocsf.metadata.product.vendor_name + replaceMissing: false + - type: grok-parser + name: Parse `timestamp` to `ocsf.time` 
+ enabled: true + source: timestamp + samples: + - 2026-03-13T11:00:44.434252399Z + grok: + supportRules: "" + matchRules: rule_time %{date("yyyy-MM-dd'T'HH:mm:ss.SSSSSSSSSZ"):ocsf.time} + - type: pipeline + name: OCSF sub pipeline for class DNS Activity [4003] + enabled: true + filter: + query: "@payloadType:dnstap" + processors: + - type: string-builder-processor + name: Add query class for responseData + enabled: true + template: "%{responseData.question.class}" + target: ocsf.query.class + replaceMissing: false + - type: string-builder-processor + name: Add query class for requestData + enabled: true + template: "%{requestData.question.class}" + target: ocsf.query.class + replaceMissing: false + - type: string-builder-processor + name: Add query hostname for responseData + enabled: true + template: "%{responseData.question.domainName}" + target: ocsf.query.hostname + replaceMissing: false + - type: string-builder-processor + name: Add query hostname for requestData + enabled: true + template: "%{requestData.question.domainName}" + target: ocsf.query.hostname + replaceMissing: false + - type: string-builder-processor + name: Add query type for responseData + enabled: true + template: "%{responseData.question.questionType}" + target: ocsf.query.type + replaceMissing: false + - type: string-builder-processor + name: Add query type for requestData + enabled: true + template: "%{requestData.question.questionType}" + target: ocsf.query.type + replaceMissing: false + - type: schema-processor + name: Apply OCSF schema for 4003 + enabled: true + schema: + schemaType: ocsf + version: 1.5.0 + className: DNS Activity + classUid: 4003 + extensions: [] + profiles: [] + mappers: + - name: ocsf.activity_id + categories: + - filter: + query: "@requestData:*" + name: Query + id: 1 + - filter: + query: "@responseData:*" + name: Response + id: 2 + targets: + name: ocsf.activity_name + id: ocsf.activity_id + fallback: + values: {} + sources: {} + type: schema-category-mapper + - 
name: ocsf.severity_id + categories: + - filter: + query: "*" + name: Informational + id: 1 + targets: + name: ocsf.severity + id: ocsf.severity_id + fallback: + values: {} + sources: {} + type: schema-category-mapper + - name: Map `ocsf.time` to `ocsf.time` + sources: + - ocsf.time + sourceType: attribute + target: ocsf.time + targetFormat: integer + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.rcode_id + categories: + - filter: + query: "@responseData.fullRcode:0 OR @requestData.fullRcode:0" + name: NoError + id: 0 + - filter: + query: "@responseData.fullRcode:1 OR @requestData.fullRcode:1" + name: FormError + id: 1 + - filter: + query: "@responseData.fullRcode:2 OR @requestData.fullRcode:2" + name: ServError + id: 2 + - filter: + query: "@responseData.fullRcode:3 OR @requestData.fullRcode:3" + name: NXDomain + id: 3 + - filter: + query: "@responseData.fullRcode:4 OR @requestData.fullRcode:4" + name: NotImp + id: 4 + - filter: + query: "@responseData.fullRcode:5 OR @requestData.fullRcode:5" + name: Refused + id: 5 + - filter: + query: "@responseData.fullRcode:6 OR @requestData.fullRcode:6" + name: YXDomain + id: 6 + - filter: + query: "@responseData.fullRcode:7 OR @requestData.fullRcode:7" + name: YXRRSet + id: 7 + - filter: + query: "@responseData.fullRcode:8 OR @requestData.fullRcode:8" + name: NXRRSet + id: 8 + - filter: + query: "@responseData.fullRcode:9 OR @requestData.fullRcode:9" + name: NotAuth + id: 9 + - filter: + query: "@responseData.fullRcode:10 OR @requestData.fullRcode:10" + name: NotZone + id: 10 + - filter: + query: "@responseData.fullRcode:11 OR @requestData.fullRcode:11" + name: DSOTYPENI + id: 11 + - filter: + query: "@responseData.fullRcode:16 OR @requestData.fullRcode:16" + name: BADSIG_VERS + id: 16 + - filter: + query: "@responseData.fullRcode:17 OR @requestData.fullRcode:17" + name: BADKEY + id: 17 + - filter: + query: "@responseData.fullRcode:18 OR @requestData.fullRcode:18" + name: BADTIME + 
id: 18 + - filter: + query: "@responseData.fullRcode:19 OR @requestData.fullRcode:19" + name: BADMODE + id: 19 + - filter: + query: "@responseData.fullRcode:20 OR @requestData.fullRcode:20" + name: BADNAME + id: 20 + - filter: + query: "@responseData.fullRcode:21 OR @requestData.fullRcode:21" + name: BADALG + id: 21 + - filter: + query: "@responseData.fullRcode:22 OR @requestData.fullRcode:22" + name: BADTRUNC + id: 22 + - filter: + query: "@responseData.fullRcode:23 OR @requestData.fullRcode:23" + name: BADCOOKIE + id: 23 + - filter: + query: "@responseData.fullRcode:([12 TO 15] OR [24 TO 3840] OR [4096 TO 65534]) + OR @requestData.fullRcode:([12 TO 15] OR [24 TO 3840] OR + [4096 TO 65534])" + name: Unassigned + id: 24 + - filter: + query: "@responseData.fullRcode:([3841 TO 4095] OR 65535) OR + @requestData.fullRcode:([3841 TO 4095] OR 65535)" + name: Reserved + id: 25 + targets: + name: ocsf.rcode + id: ocsf.rcode_id + fallback: + values: {} + sources: {} + type: schema-category-mapper + - name: Map `ocsf.metadata.product.vendor_name` to `ocsf.metadata.product.vendor_name` + sources: + - ocsf.metadata.product.vendor_name + sourceType: attribute + target: ocsf.metadata.product.vendor_name + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `ocsf.metadata.product.name` to `ocsf.metadata.product.name` + sources: + - ocsf.metadata.product.name + sourceType: attribute + target: ocsf.metadata.product.name + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `payloadType` to `ocsf.metadata.log_name` + sources: + - payloadType + sourceType: attribute + target: ocsf.metadata.log_name + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `schemaVersion` to `ocsf.metadata.log_version` + sources: + - schemaVersion + sourceType: attribute + target: ocsf.metadata.log_version + targetFormat: string + 
preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `messageType` to `ocsf.metadata.event_code` + sources: + - messageType + sourceType: attribute + target: ocsf.metadata.event_code + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `key` to `ocsf.metadata.uid` + sources: + - key + sourceType: attribute + target: ocsf.metadata.uid + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `timestamp` to `ocsf.metadata.original_time` + sources: + - timestamp + sourceType: attribute + target: ocsf.metadata.original_time + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `ocsf.query.class` to `ocsf.query.class` + sources: + - ocsf.query.class + sourceType: attribute + target: ocsf.query.class + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `ocsf.query.hostname` to `ocsf.query.hostname` + sources: + - ocsf.query.hostname + sourceType: attribute + target: ocsf.query.hostname + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `ocsf.query.type` to `ocsf.query.type` + sources: + - ocsf.query.type + sourceType: attribute + target: ocsf.query.type + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.query.opcode_id + categories: + - filter: + query: "@request_op_code_value:Query OR @response_op_code_value:Query" + name: Query + id: 0 + - filter: + query: "@request_op_code_value:IQuery OR @response_op_code_value:IQuery" + name: Inverse Query + id: 1 + - filter: + query: "@request_op_code_value:Status OR @response_op_code_value:Status" + name: Status + id: 2 + - filter: + query: "@request_op_code_value:Notify OR @response_op_code_value:Notify" + name: Notify + id: 4 + - filter: + query: 
"@request_op_code_value:Update OR @response_op_code_value:Update" + name: Update + id: 5 + - filter: + query: '@request_op_code_value:"DSO Message" OR @response_op_code_value:"DSO + Message"' + name: DSO Message + id: 6 + - filter: + query: "@request_op_code_value:Unassigned OR @response_op_code_value:Unassigned" + name: Other + id: 99 + targets: + name: ocsf.query.opcode + id: ocsf.query.opcode_id + fallback: + values: + ocsf.query.opcode: Other + ocsf.query.opcode_id: "99" + sources: + ocsf.query.opcode: + - Unassigned + type: schema-category-mapper + - name: Map `sourceAddress` to `ocsf.src_endpoint.ip` + sources: + - sourceAddress + sourceType: attribute + target: ocsf.src_endpoint.ip + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `sourcePort` to `ocsf.src_endpoint.port` + sources: + - sourcePort + sourceType: attribute + target: ocsf.src_endpoint.port + targetFormat: integer + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `responseAddress` to `ocsf.dst_endpoint.ip` + sources: + - responseAddress + sourceType: attribute + target: ocsf.dst_endpoint.ip + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `responsePort` to `ocsf.dst_endpoint.port` + sources: + - responsePort + sourceType: attribute + target: ocsf.dst_endpoint.port + targetFormat: integer + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `sourceId` to `ocsf.dst_endpoint.uid` + sources: + - sourceId + sourceType: attribute + target: ocsf.dst_endpoint.uid + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `serverId` to `ocsf.dst_endpoint.name` + sources: + - serverId + sourceType: attribute + target: ocsf.dst_endpoint.name + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - type: pipeline + name: 
OCSF sub pipeline for class DHCP Activity [4004] + enabled: true + filter: + query: "@payloadType:(dhcpv4-packet OR dhcpv6-packet)" + processors: + - type: string-builder-processor + name: Add event code + enabled: true + template: "%{data.dhcpv4Message.options.messageType}" + target: ocsf.metadata.event_code + replaceMissing: false + - type: category-processor + name: ocsf.is_renewal + enabled: true + categories: + - filter: + query: "@payloadType:dhcpv6-packet @data.dhcpv6Message.messageType:(RENEW OR + REBIND)" + name: "True" + - filter: + query: "@payloadType:dhcpv6-packet -@data.dhcpv6Message.messageType:(RENEW OR + REBIND)" + name: "False" + target: ocsf.is_renewal + - type: grok-parser + name: Convert `ocsf.is_renewal` to boolean type + enabled: true + source: ocsf.is_renewal + samples: + - "True" + - "False" + grok: + supportRules: "" + matchRules: convert_to_boolen_type %{boolean("True","False"):ocsf.is_renewal} + - type: schema-processor + name: Apply OCSF schema for 4004 + enabled: true + schema: + schemaType: ocsf + version: 1.5.0 + className: DHCP Activity + classUid: 4004 + extensions: [] + profiles: [] + mappers: + - name: Map `ocsf.time` to `ocsf.time` + sources: + - ocsf.time + sourceType: attribute + target: ocsf.time + targetFormat: integer + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.activity_id + categories: + - filter: + query: '@data.dhcpv6Message.messageType:SOLICIT OR + @data.dhcpv4Message.options.messageType:"DHCP Discover"' + name: Discover + id: 1 + - filter: + query: '@data.dhcpv6Message.messageType:ADVERTISE OR + @data.dhcpv4Message.options.messageType:"DHCP Offer"' + name: Offer + id: 2 + - filter: + query: '@data.dhcpv6Message.messageType:(REQUEST OR RENEW OR REBIND) OR + @data.dhcpv4Message.options.messageType:"DHCP Request"' + name: Request + id: 3 + - filter: + query: '@data.dhcpv6Message.messageType:DECLINE OR + @data.dhcpv4Message.options.messageType:"DHCP Decline"' + name: Decline + 
id: 4 + - filter: + query: '@data.dhcpv4Message.options.messageType:"DHCP Ack"' + name: Ack + id: 5 + - filter: + query: '@data.dhcpv4Message.options.messageType:"DHCP Nak"' + name: Nak + id: 6 + - filter: + query: '@data.dhcpv6Message.messageType:RELEASE OR + @data.dhcpv4Message.options.messageType:"DHCP Release"' + name: Release + id: 7 + - filter: + query: '@data.dhcpv6Message.messageType:INFORMATION-REQUEST OR + @data.dhcpv4Message.options.messageType:"DHCP Inform"' + name: Inform + id: 8 + - filter: + query: '@data.dhcpv4Message.options.messageType:"DHCP Expire"' + name: Expire + id: 9 + - filter: + query: -(@data.dhcpv6Message.messageType:(SOLICIT OR ADVERTISE OR REQUEST OR + RENEW OR REBIND OR DECLINE OR RELEASE OR + INFORMATION-REQUEST) OR @data.dhcpv4Message.options.messageType:("DHCP Discover" + OR "DHCP Offer" OR "DHCP Request" OR "DHCP Decline" OR + "DHCP Ack" OR "DHCP Nak" OR "DHCP Release" OR + "DHCP Inform" OR "DHCP Expire")) + name: Other + id: 99 + targets: + name: ocsf.activity_name + id: ocsf.activity_id + fallback: + values: + ocsf.activity_id: "99" + ocsf.activity_name: Other + sources: + ocsf.activity_name: + - data.dhcpv6Message.messageType + - data.dhcpv4Message.options.messageType + type: schema-category-mapper + - name: ocsf.severity_id + categories: + - filter: + query: "*" + name: Informational + id: 1 + targets: + name: ocsf.severity + id: ocsf.severity_id + fallback: + values: {} + sources: {} + type: schema-category-mapper + - name: Map `ocsf.metadata.product.vendor_name` to `ocsf.metadata.product.vendor_name` + sources: + - ocsf.metadata.product.vendor_name + sourceType: attribute + target: ocsf.metadata.product.vendor_name + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `ocsf.metadata.product.name` to `ocsf.metadata.product.name` + sources: + - ocsf.metadata.product.name + sourceType: attribute + target: ocsf.metadata.product.name + targetFormat: string + preserveSource: 
true + overrideOnConflict: true + type: schema-remapper + - name: Map `data.dhcpv6Message.messageType`, `ocsf.metadata.event_code` to `ocsf.metadata.event_code` + sources: + - data.dhcpv6Message.messageType + - ocsf.metadata.event_code + sourceType: attribute + target: ocsf.metadata.event_code + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `payloadType` to `ocsf.metadata.log_name` + sources: + - payloadType + sourceType: attribute + target: ocsf.metadata.log_name + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `key` to `ocsf.metadata.uid` + sources: + - key + sourceType: attribute + target: ocsf.metadata.uid + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `schemaVersion` to `ocsf.metadata.log_version` + sources: + - schemaVersion + sourceType: attribute + target: ocsf.metadata.log_version + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `timestamp` to `ocsf.metadata.original_time` + sources: + - timestamp + sourceType: attribute + target: ocsf.metadata.original_time + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `data.dhcpv6Message.transactionId` to `ocsf.transaction_uid` + sources: + - data.dhcpv6Message.transactionId + sourceType: attribute + target: ocsf.transaction_uid + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `sourceId` to `ocsf.dst_endpoint.uid` + sources: + - sourceId + sourceType: attribute + target: ocsf.dst_endpoint.uid + targetFormat: string + preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: Map `serverId` to `ocsf.dst_endpoint.name` + sources: + - serverId + sourceType: attribute + target: ocsf.dst_endpoint.name + targetFormat: string + 
preserveSource: true + overrideOnConflict: true + type: schema-remapper + - name: ocsf.connection_info.direction_id + categories: + - filter: + query: "@message_direction_value:BOOTREQUEST" + name: Outbound + id: 2 + - filter: + query: "@message_direction_value:BOOTREPLY" + name: Inbound + id: 1 + targets: + name: ocsf.connection_info.direction + id: ocsf.connection_info.direction_id + fallback: + values: {} + sources: {} + type: schema-category-mapper diff --git a/bluecat_integrity/assets/logs/bluecat-integrity_tests.yaml b/bluecat_integrity/assets/logs/bluecat-integrity_tests.yaml new file mode 100644 index 0000000000000..7eaafa805aba0 --- /dev/null +++ b/bluecat_integrity/assets/logs/bluecat-integrity_tests.yaml 
@@ -0,0 +1,1516 @@ +id: "bluecat-integrity" +tests: + - + sample: |- + { + "sourceId" : "4201fad9-b30e-1dc5-0833-123456789123", + "sourcePort" : 57895, + "schemaVersion" : "1.0", + "sourceAddress" : "10.10.10.10", + "responsePort" : 53, + "socketFamily" : "INET", + "source_type" : "dnstap", + "serverId" : "bdds2", + "socketProtocol" : "UDP", + "messageType" : "ClientQuery", + "payloadType" : "dnstap", + "responseAddress" : "10.1.1.1", + "messageTypeId" : 5, + "requestData" : { + "rcodeName" : "NoError", + "question" : [ { + "domainName" : "C-Lab-24.contoso.local.", + "questionTypeId" : 6, + "class" : "IN", + "questionType" : "SOA" + } ], + "header" : { + "aa" : false, + "cd" : false, + "qr" : 0, + "ad" : false, + "nsCount" : 0, + "rcode" : 0, + "opcode" : 0, + "ra" : false, + "tc" : false, + "rd" : true, + "qdCount" : 1, + "anCount" : 0, + "arCount" : 0, + "id" : 19267 + }, + "time" : 1772082903782342100, + "fullRcode" : 0 + }, + "key" : "3f87546e-54ad-4022-9dbc-123456789123", + "timestamp" : "2026-02-26T05:15:04.884701163Z" + } + result: + custom: + dns: + flags: + rcode: "NoError" + key: "3f87546e-54ad-4022-9dbc-123456789123" + messageType: "ClientQuery" + messageTypeId: 5 + network: + client: + geoip: {} + ip: "10.10.10.10" + port: 57895 + destination: + geoip: {} + ip: "10.1.1.1" + port: 53 + ocsf: + activity_id: 1 + activity_name: "Query" + category_name: "Network Activity" + category_uid: 4 + class_name: "DNS Activity" + class_uid: 4003 + dst_endpoint: + ip: "10.1.1.1" + name: "bdds2" + port: 53 + uid: "4201fad9-b30e-1dc5-0833-123456789123" + metadata: + event_code: "ClientQuery" + log_name: "dnstap" + log_version: "1.0" + original_time: "2026-02-26T05:15:04.884701163Z" + product: + name: "BlueCat Integrity" + vendor_name: "BlueCat" + uid: "3f87546e-54ad-4022-9dbc-123456789123" + version: "1.5.0" + query: + class: "IN" + hostname: "C-Lab-24.contoso.local." 
+ opcode: "Query" + opcode_id: 0 + type: "SOA" + rcode: "NoError" + rcode_id: 0 + severity: "Informational" + severity_id: 1 + src_endpoint: + ip: "10.10.10.10" + port: 57895 + time: 1772082904884 + payloadType: "dnstap" + requestData: + fullRcode: 0 + header: + aa: false + ad: false + anCount: 0 + arCount: 0 + cd: false + id: 19267 + nsCount: 0 + opcode: 0 + qdCount: 1 + qr: 0 + ra: false + rcode: 0 + rd: true + tc: false + question: + - + domainName: "C-Lab-24.contoso.local." + questionTypeId: 6 + class: "IN" + questionType: "SOA" + rcodeName: "NoError" + time: 1772082903782342100 + request_op_code_value: "Query" + responseAddress: "10.1.1.1" + responsePort: 53 + schemaVersion: "1.0" + serverId: "bdds2" + socketFamily: "INET" + socketProtocol: "UDP" + sourceAddress: "10.10.10.10" + sourceId: "4201fad9-b30e-1dc5-0833-123456789123" + sourcePort: 57895 + source_type: "dnstap" + timestamp: "2026-02-26T05:15:04.884701163Z" + message: |- + { + "sourceId" : "4201fad9-b30e-1dc5-0833-123456789123", + "sourcePort" : 57895, + "schemaVersion" : "1.0", + "sourceAddress" : "10.10.10.10", + "responsePort" : 53, + "socketFamily" : "INET", + "source_type" : "dnstap", + "serverId" : "bdds2", + "socketProtocol" : "UDP", + "messageType" : "ClientQuery", + "payloadType" : "dnstap", + "responseAddress" : "10.1.1.1", + "messageTypeId" : 5, + "requestData" : { + "rcodeName" : "NoError", + "question" : [ { + "domainName" : "C-Lab-24.contoso.local.", + "questionTypeId" : 6, + "class" : "IN", + "questionType" : "SOA" + } ], + "header" : { + "aa" : false, + "cd" : false, + "qr" : 0, + "ad" : false, + "nsCount" : 0, + "rcode" : 0, + "opcode" : 0, + "ra" : false, + "tc" : false, + "rd" : true, + "qdCount" : 1, + "anCount" : 0, + "arCount" : 0, + "id" : 19267 + }, + "time" : 1772082903782342100, + "fullRcode" : 0 + }, + "key" : "3f87546e-54ad-4022-9dbc-123456789123", + "timestamp" : "2026-02-26T05:15:04.884701163Z" + } + tags: + - "source:LOGS_SOURCE" + timestamp: 1772082904884 + - + sample: 
|- + { + "sourceId" : "42014a36-eed1-b7bd-5786-123456789123", + "sourcePort" : 39927, + "schemaVersion" : "1.0", + "sourceAddress" : "10.10.10.10", + "responsePort" : 53, + "socketFamily" : "INET", + "responseData" : { + "rcodeName" : "Refused", + "question" : [ { + "domainName" : "google.com", + "questionTypeId" : 1, + "class" : "IN", + "questionType" : "A" + } ], + "header" : { + "aa" : false, + "cd" : false, + "qr" : 1, + "ad" : false, + "nsCount" : 0, + "rcode" : 5, + "opcode" : 0, + "ra" : false, + "tc" : false, + "rd" : true, + "qdCount" : 1, + "anCount" : 0, + "arCount" : 0, + "id" : 45402 + }, + "time" : 1771522139229097200, + "fullRcode" : 5 + }, + "source_type" : "dnstap", + "serverId" : "bdds1", + "socketProtocol" : "UDP", + "messageType" : "ClientResponse", + "payloadType" : "dnstap", + "responseAddress" : "10.1.1.1", + "messageTypeId" : 6, + "key" : "2683dd13-0065-4985-b1a0-123456789123", + "timestamp" : "2026-02-19T17:29:00.526674843Z" + } + result: + custom: + dns: + flags: + rcode: "Refused" + key: "2683dd13-0065-4985-b1a0-123456789123" + messageType: "ClientResponse" + messageTypeId: 6 + network: + client: + geoip: {} + ip: "10.10.10.10" + port: 39927 + destination: + geoip: {} + ip: "10.1.1.1" + port: 53 + ocsf: + activity_id: 2 + activity_name: "Response" + category_name: "Network Activity" + category_uid: 4 + class_name: "DNS Activity" + class_uid: 4003 + dst_endpoint: + ip: "10.1.1.1" + name: "bdds1" + port: 53 + uid: "42014a36-eed1-b7bd-5786-123456789123" + metadata: + event_code: "ClientResponse" + log_name: "dnstap" + log_version: "1.0" + original_time: "2026-02-19T17:29:00.526674843Z" + product: + name: "BlueCat Integrity" + vendor_name: "BlueCat" + uid: "2683dd13-0065-4985-b1a0-123456789123" + version: "1.5.0" + query: + class: "IN" + hostname: "google.com" + opcode: "Query" + opcode_id: 0 + type: "A" + rcode: "Refused" + rcode_id: 5 + severity: "Informational" + severity_id: 1 + src_endpoint: + ip: "10.10.10.10" + port: 39927 + time: 
1771522140526 + payloadType: "dnstap" + responseAddress: "10.1.1.1" + responseData: + fullRcode: 5 + header: + aa: false + ad: false + anCount: 0 + arCount: 0 + cd: false + id: 45402 + nsCount: 0 + opcode: 0 + qdCount: 1 + qr: 1 + ra: false + rcode: 5 + rd: true + tc: false + question: + - + domainName: "google.com" + questionTypeId: 1 + class: "IN" + questionType: "A" + rcodeName: "Refused" + time: 1771522139229097200 + responsePort: 53 + response_op_code_value: "Query" + schemaVersion: "1.0" + serverId: "bdds1" + socketFamily: "INET" + socketProtocol: "UDP" + sourceAddress: "10.10.10.10" + sourceId: "42014a36-eed1-b7bd-5786-123456789123" + sourcePort: 39927 + source_type: "dnstap" + timestamp: "2026-02-19T17:29:00.526674843Z" + message: |- + { + "sourceId" : "42014a36-eed1-b7bd-5786-123456789123", + "sourcePort" : 39927, + "schemaVersion" : "1.0", + "sourceAddress" : "10.10.10.10", + "responsePort" : 53, + "socketFamily" : "INET", + "responseData" : { + "rcodeName" : "Refused", + "question" : [ { + "domainName" : "google.com", + "questionTypeId" : 1, + "class" : "IN", + "questionType" : "A" + } ], + "header" : { + "aa" : false, + "cd" : false, + "qr" : 1, + "ad" : false, + "nsCount" : 0, + "rcode" : 5, + "opcode" : 0, + "ra" : false, + "tc" : false, + "rd" : true, + "qdCount" : 1, + "anCount" : 0, + "arCount" : 0, + "id" : 45402 + }, + "time" : 1771522139229097200, + "fullRcode" : 5 + }, + "source_type" : "dnstap", + "serverId" : "bdds1", + "socketProtocol" : "UDP", + "messageType" : "ClientResponse", + "payloadType" : "dnstap", + "responseAddress" : "10.1.1.1", + "messageTypeId" : 6, + "key" : "2683dd13-0065-4985-b1a0-123456789123", + "timestamp" : "2026-02-19T17:29:00.526674843Z" + } + tags: + - "source:LOGS_SOURCE" + timestamp: 1771522140526 + - + sample: |- + { + "sourceId" : "42014a36-eed1-b7bd-5786-869e412e536f", + "sourcePort" : 18456, + "schemaVersion" : "1.0", + "sourceAddress" : "10.10.10.10", + "queryZone" : "google.local.", + "responsePort" : 53, + 
"socketFamily" : "INET", + "responseData" : { + "rcodeName" : "NoError", + "opt" : { + "ednsVersion" : 0, + "udpPayloadSize" : 1232, + "options" : [ { + "optName" : "Expire", + "optCode" : 9, + "optValue" : "ACeNAA==" + } ], + "do" : false, + "extendedRcode" : 0 + }, + "question" : [ { + "domainName" : "google.local.", + "questionTypeId" : 6, + "class" : "IN", + "questionType" : "SOA" + } ], + "additional" : [ { + "recordTypeId" : 1, + "recordType" : "A", + "domainName" : "bdds1.google.local.", + "rData" : "10.10.10.10", + "class" : "IN", + "ttl" : 3600 + }, { + "recordTypeId" : 1, + "recordType" : "A", + "domainName" : "bdds2.google.local.", + "rData" : "10.10.10.10", + "class" : "IN", + "ttl" : 3600 + }, { + "recordTypeId" : 28, + "recordType" : "AAAA", + "domainName" : "bdds1.google.local.", + "rData" : "::1", + "class" : "IN", + "ttl" : 86400 + } ], + "authority" : [ { + "recordTypeId" : 2, + "recordType" : "NS", + "domainName" : "google.local.", + "rData" : "bdds1.google.local.", + "class" : "IN", + "ttl" : 86400 + }, { + "recordTypeId" : 2, + "recordType" : "NS", + "domainName" : "google.local.", + "rData" : "bdds2.google.local.", + "class" : "IN", + "ttl" : 86400 + } ], + "answers" : [ { + "recordTypeId" : 6, + "recordType" : "SOA", + "domainName" : "google.local.", + "rData" : "bdds1.google.local.postmaster.no.email.please.783096803360060025920003600", + "class" : "IN", + "ttl" : 3600 + } ], + "header" : { + "aa" : true, + "cd" : false, + "qr" : 1, + "ad" : false, + "nsCount" : 2, + "rcode" : 0, + "opcode" : 0, + "ra" : false, + "tc" : false, + "rd" : false, + "qdCount" : 1, + "anCount" : 1, + "arCount" : 5, + "id" : 45925 + }, + "time" : 1772001593205088500, + "fullRcode" : 0 + }, + "source_type" : "dnstap", + "serverId" : "bdds1", + "socketProtocol" : "UDP", + "messageType" : "AuthResponse", + "payloadType" : "dnstap", + "responseAddress" : "10.1.1.1", + "messageTypeId" : 2, + "key" : "8ccd65b4-28f4-4681-a11e-ea12c4f42b25", + "timestamp" : 
"2026-02-25T06:39:54.423618065Z" + } + result: + custom: + dns: + flags: + rcode: "NoError" + key: "8ccd65b4-28f4-4681-a11e-ea12c4f42b25" + messageType: "AuthResponse" + messageTypeId: 2 + network: + client: + geoip: {} + ip: "10.10.10.10" + port: 18456 + destination: + geoip: {} + ip: "10.1.1.1" + port: 53 + ocsf: + activity_id: 2 + activity_name: "Response" + category_name: "Network Activity" + category_uid: 4 + class_name: "DNS Activity" + class_uid: 4003 + dst_endpoint: + ip: "10.1.1.1" + name: "bdds1" + port: 53 + uid: "42014a36-eed1-b7bd-5786-869e412e536f" + metadata: + event_code: "AuthResponse" + log_name: "dnstap" + log_version: "1.0" + original_time: "2026-02-25T06:39:54.423618065Z" + product: + name: "BlueCat Integrity" + vendor_name: "BlueCat" + uid: "8ccd65b4-28f4-4681-a11e-ea12c4f42b25" + version: "1.5.0" + query: + class: "IN" + hostname: "google.local." + opcode: "Query" + opcode_id: 0 + type: "SOA" + rcode: "NoError" + rcode_id: 0 + severity: "Informational" + severity_id: 1 + src_endpoint: + ip: "10.10.10.10" + port: 18456 + time: 1772001594423 + payloadType: "dnstap" + queryZone: "google.local." + responseAddress: "10.1.1.1" + responseData: + additional: + - + recordTypeId: 1 + recordType: "A" + domainName: "bdds1.google.local." + rData: "10.10.10.10" + class: "IN" + ttl: 3600 + - + recordTypeId: 1 + recordType: "A" + domainName: "bdds2.google.local." + rData: "10.10.10.10" + class: "IN" + ttl: 3600 + - + recordTypeId: 28 + recordType: "AAAA" + domainName: "bdds1.google.local." + rData: "::1" + class: "IN" + ttl: 86400 + answers: + - + recordTypeId: 6 + recordType: "SOA" + domainName: "google.local." + rData: "bdds1.google.local.postmaster.no.email.please.783096803360060025920003600" + class: "IN" + ttl: 3600 + authority: + - + recordTypeId: 2 + recordType: "NS" + domainName: "google.local." + rData: "bdds1.google.local." + class: "IN" + ttl: 86400 + - + recordTypeId: 2 + recordType: "NS" + domainName: "google.local." 
+ rData: "bdds2.google.local." + class: "IN" + ttl: 86400 + fullRcode: 0 + header: + aa: true + ad: false + anCount: 1 + arCount: 5 + cd: false + id: 45925 + nsCount: 2 + opcode: 0 + qdCount: 1 + qr: 1 + ra: false + rcode: 0 + rd: false + tc: false + opt: + do: false + ednsVersion: 0 + extendedRcode: 0 + options: + - + optName: "Expire" + optCode: 9 + optValue: "ACeNAA==" + udpPayloadSize: 1232 + question: + - + domainName: "google.local." + questionTypeId: 6 + class: "IN" + questionType: "SOA" + rcodeName: "NoError" + time: 1772001593205088500 + responsePort: 53 + response_op_code_value: "Query" + schemaVersion: "1.0" + serverId: "bdds1" + socketFamily: "INET" + socketProtocol: "UDP" + sourceAddress: "10.10.10.10" + sourceId: "42014a36-eed1-b7bd-5786-869e412e536f" + sourcePort: 18456 + source_type: "dnstap" + timestamp: "2026-02-25T06:39:54.423618065Z" + message: |- + { + "sourceId" : "42014a36-eed1-b7bd-5786-869e412e536f", + "sourcePort" : 18456, + "schemaVersion" : "1.0", + "sourceAddress" : "10.10.10.10", + "queryZone" : "google.local.", + "responsePort" : 53, + "socketFamily" : "INET", + "responseData" : { + "rcodeName" : "NoError", + "opt" : { + "ednsVersion" : 0, + "udpPayloadSize" : 1232, + "options" : [ { + "optName" : "Expire", + "optCode" : 9, + "optValue" : "ACeNAA==" + } ], + "do" : false, + "extendedRcode" : 0 + }, + "question" : [ { + "domainName" : "google.local.", + "questionTypeId" : 6, + "class" : "IN", + "questionType" : "SOA" + } ], + "additional" : [ { + "recordTypeId" : 1, + "recordType" : "A", + "domainName" : "bdds1.google.local.", + "rData" : "10.10.10.10", + "class" : "IN", + "ttl" : 3600 + }, { + "recordTypeId" : 1, + "recordType" : "A", + "domainName" : "bdds2.google.local.", + "rData" : "10.10.10.10", + "class" : "IN", + "ttl" : 3600 + }, { + "recordTypeId" : 28, + "recordType" : "AAAA", + "domainName" : "bdds1.google.local.", + "rData" : "::1", + "class" : "IN", + "ttl" : 86400 + } ], + "authority" : [ { + "recordTypeId" : 2, + 
"recordType" : "NS", + "domainName" : "google.local.", + "rData" : "bdds1.google.local.", + "class" : "IN", + "ttl" : 86400 + }, { + "recordTypeId" : 2, + "recordType" : "NS", + "domainName" : "google.local.", + "rData" : "bdds2.google.local.", + "class" : "IN", + "ttl" : 86400 + } ], + "answers" : [ { + "recordTypeId" : 6, + "recordType" : "SOA", + "domainName" : "google.local.", + "rData" : "bdds1.google.local.postmaster.no.email.please.783096803360060025920003600", + "class" : "IN", + "ttl" : 3600 + } ], + "header" : { + "aa" : true, + "cd" : false, + "qr" : 1, + "ad" : false, + "nsCount" : 2, + "rcode" : 0, + "opcode" : 0, + "ra" : false, + "tc" : false, + "rd" : false, + "qdCount" : 1, + "anCount" : 1, + "arCount" : 5, + "id" : 45925 + }, + "time" : 1772001593205088500, + "fullRcode" : 0 + }, + "source_type" : "dnstap", + "serverId" : "bdds1", + "socketProtocol" : "UDP", + "messageType" : "AuthResponse", + "payloadType" : "dnstap", + "responseAddress" : "10.1.1.1", + "messageTypeId" : 2, + "key" : "8ccd65b4-28f4-4681-a11e-ea12c4f42b25", + "timestamp" : "2026-02-25T06:39:54.423618065Z" + } + tags: + - "source:LOGS_SOURCE" + timestamp: 1772001594423 + - + sample: |- + { + "sourceId" : "42014a36-eed1-b7bd-5786-123456789123", + "sourcePort" : 39927, + "schemaVersion" : "1.0", + "sourceAddress" : "10.10.10.10", + "responsePort" : 53, + "socketFamily" : "INET", + "source_type" : "dnstap", + "serverId" : "bdds1", + "socketProtocol" : "UDP", + "messageType" : "AuthQuery", + "payloadType" : "dnstap", + "responseAddress" : "10.1.1.1", + "messageTypeId" : 1, + "requestData" : { + "rcodeName" : "NoError", + "question" : [ { + "domainName" : "google.com", + "questionTypeId" : 1, + "class" : "IN", + "questionType" : "A" + } ], + "header" : { + "aa" : false, + "cd" : false, + "qr" : 0, + "ad" : false, + "nsCount" : 0, + "rcode" : 0, + "opcode" : 0, + "ra" : false, + "tc" : false, + "rd" : true, + "qdCount" : 1, + "anCount" : 0, + "arCount" : 0, + "id" : 45402 + }, + "time" : 
1771522139229097200, + "fullRcode" : 0 + }, + "key" : "3d047532-8644-474d-a58b-123456789123", + "timestamp" : "2026-02-19T17:29:00.526703911Z" + } + result: + custom: + dns: + flags: + rcode: "NoError" + key: "3d047532-8644-474d-a58b-123456789123" + messageType: "AuthQuery" + messageTypeId: 1 + network: + client: + geoip: {} + ip: "10.10.10.10" + port: 39927 + destination: + geoip: {} + ip: "10.1.1.1" + port: 53 + ocsf: + activity_id: 1 + activity_name: "Query" + category_name: "Network Activity" + category_uid: 4 + class_name: "DNS Activity" + class_uid: 4003 + dst_endpoint: + ip: "10.1.1.1" + name: "bdds1" + port: 53 + uid: "42014a36-eed1-b7bd-5786-123456789123" + metadata: + event_code: "AuthQuery" + log_name: "dnstap" + log_version: "1.0" + original_time: "2026-02-19T17:29:00.526703911Z" + product: + name: "BlueCat Integrity" + vendor_name: "BlueCat" + uid: "3d047532-8644-474d-a58b-123456789123" + version: "1.5.0" + query: + class: "IN" + hostname: "google.com" + opcode: "Query" + opcode_id: 0 + type: "A" + rcode: "NoError" + rcode_id: 0 + severity: "Informational" + severity_id: 1 + src_endpoint: + ip: "10.10.10.10" + port: 39927 + time: 1771522140526 + payloadType: "dnstap" + requestData: + fullRcode: 0 + header: + aa: false + ad: false + anCount: 0 + arCount: 0 + cd: false + id: 45402 + nsCount: 0 + opcode: 0 + qdCount: 1 + qr: 0 + ra: false + rcode: 0 + rd: true + tc: false + question: + - + domainName: "google.com" + questionTypeId: 1 + class: "IN" + questionType: "A" + rcodeName: "NoError" + time: 1771522139229097200 + request_op_code_value: "Query" + responseAddress: "10.1.1.1" + responsePort: 53 + schemaVersion: "1.0" + serverId: "bdds1" + socketFamily: "INET" + socketProtocol: "UDP" + sourceAddress: "10.10.10.10" + sourceId: "42014a36-eed1-b7bd-5786-123456789123" + sourcePort: 39927 + source_type: "dnstap" + timestamp: "2026-02-19T17:29:00.526703911Z" + message: |- + { + "sourceId" : "42014a36-eed1-b7bd-5786-123456789123", + "sourcePort" : 39927, + 
"schemaVersion" : "1.0", + "sourceAddress" : "10.10.10.10", + "responsePort" : 53, + "socketFamily" : "INET", + "source_type" : "dnstap", + "serverId" : "bdds1", + "socketProtocol" : "UDP", + "messageType" : "AuthQuery", + "payloadType" : "dnstap", + "responseAddress" : "10.1.1.1", + "messageTypeId" : 1, + "requestData" : { + "rcodeName" : "NoError", + "question" : [ { + "domainName" : "google.com", + "questionTypeId" : 1, + "class" : "IN", + "questionType" : "A" + } ], + "header" : { + "aa" : false, + "cd" : false, + "qr" : 0, + "ad" : false, + "nsCount" : 0, + "rcode" : 0, + "opcode" : 0, + "ra" : false, + "tc" : false, + "rd" : true, + "qdCount" : 1, + "anCount" : 0, + "arCount" : 0, + "id" : 45402 + }, + "time" : 1771522139229097200, + "fullRcode" : 0 + }, + "key" : "3d047532-8644-474d-a58b-123456789123", + "timestamp" : "2026-02-19T17:29:00.526703911Z" + } + tags: + - "source:LOGS_SOURCE" + timestamp: 1771522140526 + - + sample: |- + { + "sourceId" : "4201fad9-b30e-1dc5-0833-123456789123", + "timePrecision" : "s", + "schemaVersion" : "1.0.0", + "data" : { + "dhcpv4Message" : { + "chaddr" : "::1", + "op" : 1, + "hType" : 1, + "flags" : "0x0000", + "giaddr" : "10.10.10.10", + "yiaddr" : "10.10.10.10", + "ciaddr" : "10.10.10.10", + "xId" : "0xcef7266d", + "hLength" : 6, + "siaddr" : "10.10.10.10", + "secs" : 0, + "options" : [ { + "messageType" : "DHCP Discover", + "messageTypeId" : 1, + "optionId" : 53 + }, { + "clientId" : "00 50 56 81 89 9a", + "optionId" : 61, + "type" : 1 + }, { + "hostName" : "C-Lab-18", + "optionId" : 12 + }, { + "optionData" : "4d 53 46 54 20 35 2e 30", + "optionId" : 60 + }, { + "parameterRequest" : [ 1 ], + "optionId" : 55 + } ], + "hops" : 0 + } + }, + "payloadType" : "dhcpv4-packet", + "time" : 1771457402, + "serverId" : "bdds2", + "key" : "9644c2bc-2391-4176-a964-123456789123", + "timestamp" : "2026-02-18T23:30:02.663295550Z" + } + result: + custom: + data: + dhcpv4Message: + chaddr: "::1" + ciaddr: "10.10.10.10" + flags: "0x0000" + 
giaddr: "10.10.10.10" + hLength: 6 + hType: 1 + hops: 0 + op: 1 + options: + - + messageType: "DHCP Discover" + messageTypeId: 1 + optionId: 53 + - + clientId: "00 50 56 81 89 9a" + optionId: 61 + type: 1 + - + hostName: "C-Lab-18" + optionId: 12 + - + optionData: "4d 53 46 54 20 35 2e 30" + optionId: 60 + - + parameterRequest: + - 1 + optionId: 55 + secs: 0 + siaddr: "10.10.10.10" + xId: "0xcef7266d" + yiaddr: "10.10.10.10" + key: "9644c2bc-2391-4176-a964-123456789123" + message_direction_value: "BOOTREQUEST" + ocsf: + activity_id: 1 + activity_name: "Discover" + category_name: "Network Activity" + category_uid: 4 + class_name: "DHCP Activity" + class_uid: 4004 + connection_info: + direction: "Outbound" + direction_id: 2 + dst_endpoint: + name: "bdds2" + uid: "4201fad9-b30e-1dc5-0833-123456789123" + metadata: + event_code: "DHCP Discover" + log_name: "dhcpv4-packet" + log_version: "1.0.0" + original_time: "2026-02-18T23:30:02.663295550Z" + product: + name: "BlueCat Integrity" + vendor_name: "BlueCat" + uid: "9644c2bc-2391-4176-a964-123456789123" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + time: 1771457402663 + payloadType: "dhcpv4-packet" + schemaVersion: "1.0.0" + serverId: "bdds2" + sourceId: "4201fad9-b30e-1dc5-0833-123456789123" + time: 1771457402 + timePrecision: "s" + timestamp: "2026-02-18T23:30:02.663295550Z" + message: |- + { + "sourceId" : "4201fad9-b30e-1dc5-0833-123456789123", + "timePrecision" : "s", + "schemaVersion" : "1.0.0", + "data" : { + "dhcpv4Message" : { + "chaddr" : "::1", + "op" : 1, + "hType" : 1, + "flags" : "0x0000", + "giaddr" : "10.10.10.10", + "yiaddr" : "10.10.10.10", + "ciaddr" : "10.10.10.10", + "xId" : "0xcef7266d", + "hLength" : 6, + "siaddr" : "10.10.10.10", + "secs" : 0, + "options" : [ { + "messageType" : "DHCP Discover", + "messageTypeId" : 1, + "optionId" : 53 + }, { + "clientId" : "00 50 56 81 89 9a", + "optionId" : 61, + "type" : 1 + }, { + "hostName" : "C-Lab-18", + "optionId" : 12 + }, { + 
"optionData" : "4d 53 46 54 20 35 2e 30", + "optionId" : 60 + }, { + "parameterRequest" : [ 1 ], + "optionId" : 55 + } ], + "hops" : 0 + } + }, + "payloadType" : "dhcpv4-packet", + "time" : 1771457402, + "serverId" : "bdds2", + "key" : "9644c2bc-2391-4176-a964-123456789123", + "timestamp" : "2026-02-18T23:30:02.663295550Z" + } + tags: + - "source:LOGS_SOURCE" + timestamp: 1771457402663 + - + sample: |- + { + "sourceId" : "42014a36-eed1-b7bd-5786-123456789123", + "timePrecision" : "s", + "schemaVersion" : "1.0.0", + "data" : { + "dhcpv4Message" : { + "chaddr" : "::1", + "op" : 2, + "hType" : 1, + "flags" : "0x0000", + "giaddr" : "10.10.10.10", + "yiaddr" : "10.10.10.10", + "ciaddr" : "10.10.10.10", + "xId" : "0xbc7964fc", + "hLength" : 6, + "siaddr" : "10.10.10.10", + "secs" : 7168, + "options" : [ { + "messageType" : "DHCP Ack", + "messageTypeId" : 5, + "optionId" : 53 + }, { + "optionId" : 54, + "serverId" : "10.10.10.10" + }, { + "leaseTime" : 53801, + "optionId" : 51 + }, { + "optionId" : 1, + "subnetMask" : "10.10.10.10" + }, { + "router" : [ "10.10.10.10" ], + "optionId" : 3 + }, { + "domainNameSever" : [ "10.10.10.10", "10.10.10.10" ], + "optionId" : 6 + } ], + "hops" : 0 + } + }, + "payloadType" : "dhcpv4-packet", + "time" : 1771461166, + "serverId" : "bdds1", + "key" : "61f167bc-e954-4399-8ee2-123456789123", + "timestamp" : "2026-02-19T00:32:46.977179413Z" + } + result: + custom: + data: + dhcpv4Message: + chaddr: "::1" + ciaddr: "10.10.10.10" + flags: "0x0000" + giaddr: "10.10.10.10" + hLength: 6 + hType: 1 + hops: 0 + op: 2 + options: + - + messageType: "DHCP Ack" + messageTypeId: 5 + optionId: 53 + - + optionId: 54 + serverId: "10.10.10.10" + - + leaseTime: 53801 + optionId: 51 + - + optionId: 1 + subnetMask: "10.10.10.10" + - + router: + - "10.10.10.10" + optionId: 3 + - + domainNameSever: + - "10.10.10.10" + - "10.10.10.10" + optionId: 6 + secs: 7168 + siaddr: "10.10.10.10" + xId: "0xbc7964fc" + yiaddr: "10.10.10.10" + key: 
"61f167bc-e954-4399-8ee2-123456789123" + message_direction_value: "BOOTREPLY" + ocsf: + activity_id: 5 + activity_name: "Ack" + category_name: "Network Activity" + category_uid: 4 + class_name: "DHCP Activity" + class_uid: 4004 + connection_info: + direction: "Inbound" + direction_id: 1 + dst_endpoint: + name: "bdds1" + uid: "42014a36-eed1-b7bd-5786-123456789123" + metadata: + event_code: "DHCP Ack" + log_name: "dhcpv4-packet" + log_version: "1.0.0" + original_time: "2026-02-19T00:32:46.977179413Z" + product: + name: "BlueCat Integrity" + vendor_name: "BlueCat" + uid: "61f167bc-e954-4399-8ee2-123456789123" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + time: 1771461166977 + payloadType: "dhcpv4-packet" + schemaVersion: "1.0.0" + serverId: "bdds1" + sourceId: "42014a36-eed1-b7bd-5786-123456789123" + time: 1771461166 + timePrecision: "s" + timestamp: "2026-02-19T00:32:46.977179413Z" + message: |- + { + "sourceId" : "42014a36-eed1-b7bd-5786-123456789123", + "timePrecision" : "s", + "schemaVersion" : "1.0.0", + "data" : { + "dhcpv4Message" : { + "chaddr" : "::1", + "op" : 2, + "hType" : 1, + "flags" : "0x0000", + "giaddr" : "10.10.10.10", + "yiaddr" : "10.10.10.10", + "ciaddr" : "10.10.10.10", + "xId" : "0xbc7964fc", + "hLength" : 6, + "siaddr" : "10.10.10.10", + "secs" : 7168, + "options" : [ { + "messageType" : "DHCP Ack", + "messageTypeId" : 5, + "optionId" : 53 + }, { + "optionId" : 54, + "serverId" : "10.10.10.10" + }, { + "leaseTime" : 53801, + "optionId" : 51 + }, { + "optionId" : 1, + "subnetMask" : "10.10.10.10" + }, { + "router" : [ "10.10.10.10" ], + "optionId" : 3 + }, { + "domainNameSever" : [ "10.10.10.10", "10.10.10.10" ], + "optionId" : 6 + } ], + "hops" : 0 + } + }, + "payloadType" : "dhcpv4-packet", + "time" : 1771461166, + "serverId" : "bdds1", + "key" : "61f167bc-e954-4399-8ee2-123456789123", + "timestamp" : "2026-02-19T00:32:46.977179413Z" + } + tags: + - "source:LOGS_SOURCE" + timestamp: 1771461166977 + - + sample: |- + { + 
"sourceId" : "42014a36-eed1-b7bd-5786-123456789123", + "timePrecision" : "s", + "schemaVersion" : "1.0.0", + "data" : { + "dhcpv6Message" : { + "messageType" : "REPLY", + "messageTypeId" : 7, + "options" : [ { + "iaid" : "14005056", + "optionId" : 3, + "t1" : 0, + "t2" : 0, + "iaNaOptions" : [ { + "preferredLifetime" : 54000, + "ipv6Addr" : "::1", + "validLifetime" : 86400, + "optionId" : 5 + } ] + }, { + "duid" : "000100013125ebe8005056831e56", + "optionId" : 1 + }, { + "duid" : "0001000131301668005056815d9e", + "optionId" : 2 + } ], + "transactionId" : "0x353d6d" + } + }, + "payloadType" : "dhcpv6-packet", + "time" : 1771461166, + "serverId" : "bdds1", + "key" : "d24f3877-7ae8-4794-aed2-123456789123", + "timestamp" : "2026-02-19T00:32:46.977179413Z" + } + result: + custom: + data: + dhcpv6Message: + messageType: "REPLY" + messageTypeId: 7 + options: + - + iaid: "14005056" + optionId: 3 + t1: 0 + t2: 0 + iaNaOptions: + - + preferredLifetime: 54000 + ipv6Addr: "::1" + validLifetime: 86400 + optionId: 5 + - + duid: "000100013125ebe8005056831e56" + optionId: 1 + - + duid: "0001000131301668005056815d9e" + optionId: 2 + transactionId: "0x353d6d" + key: "d24f3877-7ae8-4794-aed2-123456789123" + ocsf: + activity_id: 99 + activity_name: "REPLY" + category_name: "Network Activity" + category_uid: 4 + class_name: "DHCP Activity" + class_uid: 4004 + dst_endpoint: + name: "bdds1" + uid: "42014a36-eed1-b7bd-5786-123456789123" + is_renewal: false + metadata: + event_code: "REPLY" + log_name: "dhcpv6-packet" + log_version: "1.0.0" + original_time: "2026-02-19T00:32:46.977179413Z" + product: + name: "BlueCat Integrity" + vendor_name: "BlueCat" + uid: "d24f3877-7ae8-4794-aed2-123456789123" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + time: 1771461166977 + transaction_uid: "0x353d6d" + payloadType: "dhcpv6-packet" + schemaVersion: "1.0.0" + serverId: "bdds1" + sourceId: "42014a36-eed1-b7bd-5786-123456789123" + time: 1771461166 + timePrecision: "s" + timestamp: 
"2026-02-19T00:32:46.977179413Z" + message: |- + { + "sourceId" : "42014a36-eed1-b7bd-5786-123456789123", + "timePrecision" : "s", + "schemaVersion" : "1.0.0", + "data" : { + "dhcpv6Message" : { + "messageType" : "REPLY", + "messageTypeId" : 7, + "options" : [ { + "iaid" : "14005056", + "optionId" : 3, + "t1" : 0, + "t2" : 0, + "iaNaOptions" : [ { + "preferredLifetime" : 54000, + "ipv6Addr" : "::1", + "validLifetime" : 86400, + "optionId" : 5 + } ] + }, { + "duid" : "000100013125ebe8005056831e56", + "optionId" : 1 + }, { + "duid" : "0001000131301668005056815d9e", + "optionId" : 2 + } ], + "transactionId" : "0x353d6d" + } + }, + "payloadType" : "dhcpv6-packet", + "time" : 1771461166, + "serverId" : "bdds1", + "key" : "d24f3877-7ae8-4794-aed2-123456789123", + "timestamp" : "2026-02-19T00:32:46.977179413Z" + } + tags: + - "source:LOGS_SOURCE" + timestamp: 1771461166977 + - + sample: |- + { + "sourceId" : "42014a36-eed1-b7bd-5786-123456789123", + "timePrecision" : "s", + "schemaVersion" : "1.0.0", + "data" : { + "dhcpv6Message" : { + "messageType" : "ADVERTISE", + "messageTypeId" : 2, + "options" : [ { + "iaid" : "14005056", + "optionId" : 3, + "t1" : 0, + "t2" : 0, + "iaNaOptions" : [ { + "preferredLifetime" : 54000, + "ipv6Addr" : "::1", + "validLifetime" : 86400, + "optionId" : 5 + } ] + }, { + "duid" : "000100013125ebe8005056831e56", + "optionId" : 1 + }, { + "duid" : "0001000131301668005056815d9e", + "optionId" : 2 + } ], + "transactionId" : "0x433b40" + } + }, + "payloadType" : "dhcpv6-packet", + "time" : 1771461166, + "serverId" : "bdds1", + "key" : "f8ede4f0-1ac7-4d0e-acc2-123456789123", + "timestamp" : "2026-02-19T00:32:46.977179413Z" + } + result: + custom: + data: + dhcpv6Message: + messageType: "ADVERTISE" + messageTypeId: 2 + options: + - + iaid: "14005056" + optionId: 3 + t1: 0 + t2: 0 + iaNaOptions: + - + preferredLifetime: 54000 + ipv6Addr: "::1" + validLifetime: 86400 + optionId: 5 + - + duid: "000100013125ebe8005056831e56" + optionId: 1 + - + duid: 
"0001000131301668005056815d9e" + optionId: 2 + transactionId: "0x433b40" + key: "f8ede4f0-1ac7-4d0e-acc2-123456789123" + ocsf: + activity_id: 2 + activity_name: "Offer" + category_name: "Network Activity" + category_uid: 4 + class_name: "DHCP Activity" + class_uid: 4004 + dst_endpoint: + name: "bdds1" + uid: "42014a36-eed1-b7bd-5786-123456789123" + is_renewal: false + metadata: + event_code: "ADVERTISE" + log_name: "dhcpv6-packet" + log_version: "1.0.0" + original_time: "2026-02-19T00:32:46.977179413Z" + product: + name: "BlueCat Integrity" + vendor_name: "BlueCat" + uid: "f8ede4f0-1ac7-4d0e-acc2-123456789123" + version: "1.5.0" + severity: "Informational" + severity_id: 1 + time: 1771461166977 + transaction_uid: "0x433b40" + payloadType: "dhcpv6-packet" + schemaVersion: "1.0.0" + serverId: "bdds1" + sourceId: "42014a36-eed1-b7bd-5786-123456789123" + time: 1771461166 + timePrecision: "s" + timestamp: "2026-02-19T00:32:46.977179413Z" + message: |- + { + "sourceId" : "42014a36-eed1-b7bd-5786-123456789123", + "timePrecision" : "s", + "schemaVersion" : "1.0.0", + "data" : { + "dhcpv6Message" : { + "messageType" : "ADVERTISE", + "messageTypeId" : 2, + "options" : [ { + "iaid" : "14005056", + "optionId" : 3, + "t1" : 0, + "t2" : 0, + "iaNaOptions" : [ { + "preferredLifetime" : 54000, + "ipv6Addr" : "::1", + "validLifetime" : 86400, + "optionId" : 5 + } ] + }, { + "duid" : "000100013125ebe8005056831e56", + "optionId" : 1 + }, { + "duid" : "0001000131301668005056815d9e", + "optionId" : 2 + } ], + "transactionId" : "0x433b40" + } + }, + "payloadType" : "dhcpv6-packet", + "time" : 1771461166, + "serverId" : "bdds1", + "key" : "f8ede4f0-1ac7-4d0e-acc2-123456789123", + "timestamp" : "2026-02-19T00:32:46.977179413Z" + } + tags: + - "source:LOGS_SOURCE" + timestamp: 1771461166977 
diff --git a/bluecat_integrity/images/bluecat_integrity_dhcp_insights_dark.png b/bluecat_integrity/images/bluecat_integrity_dhcp_insights_dark.png
new file mode 100644
index 0000000000000..948d69c3ae0ed
Binary files /dev/null and b/bluecat_integrity/images/bluecat_integrity_dhcp_insights_dark.png differ
diff --git a/bluecat_integrity/images/bluecat_integrity_dhcp_insights_light.png b/bluecat_integrity/images/bluecat_integrity_dhcp_insights_light.png
new file mode 100644
index 0000000000000..41b3da45467c9
Binary files /dev/null and b/bluecat_integrity/images/bluecat_integrity_dhcp_insights_light.png differ
diff --git a/bluecat_integrity/images/bluecat_integrity_dns_insights_dark.png b/bluecat_integrity/images/bluecat_integrity_dns_insights_dark.png
new file mode 100644
index 0000000000000..d3ccc437d13c7
Binary files /dev/null and b/bluecat_integrity/images/bluecat_integrity_dns_insights_dark.png differ
diff --git a/bluecat_integrity/images/bluecat_integrity_dns_insights_light.png b/bluecat_integrity/images/bluecat_integrity_dns_insights_light.png
new file mode 100644
index 0000000000000..2d244d0c1d723
Binary files /dev/null and b/bluecat_integrity/images/bluecat_integrity_dns_insights_light.png differ
diff --git a/bluecat_integrity/images/bluecat_integrity_overview_dark.png b/bluecat_integrity/images/bluecat_integrity_overview_dark.png
new file mode 100644
index 0000000000000..e734b07c0ae9c
Binary files /dev/null and b/bluecat_integrity/images/bluecat_integrity_overview_dark.png differ
diff --git a/bluecat_integrity/images/bluecat_integrity_overview_light.png b/bluecat_integrity/images/bluecat_integrity_overview_light.png
new file mode 100644
index 0000000000000..24f077ed9b678
Binary files /dev/null and b/bluecat_integrity/images/bluecat_integrity_overview_light.png differ
diff --git a/bluecat_integrity/manifest.json b/bluecat_integrity/manifest.json
new file mode 100644
index 0000000000000..282c22cd24f13
--- /dev/null
+++ b/bluecat_integrity/manifest.json
@@ -0,0 +1,78 @@
+{
+ "manifest_version": "2.0.0",
+ "app_uuid": "9cd27dbc-d163-4604-8781-dbf39d8a195a",
+ "app_id": "bluecat-integrity",
+ "owner": "saas-integrations",
+ "display_on_public_website": false,
+ "tile": {
+ "overview": "README.md#Overview",
+ "configuration": "README.md#Setup",
+ "support": "README.md#Support",
+ "changelog": "CHANGELOG.md",
+ "description": "Gain insights into BlueCat Integrity DHCP and DNS activity events",
+ "title": "BlueCat Integrity",
+ "media": [
+ {
+ "media_type": "image",
+ "caption": "BlueCat Integrity Overview",
+ "image_url": "images/bluecat_integrity_overview_light.png"
+ },
+ {
+ "media_type": "image",
+ "caption": "BlueCat Integrity Overview",
+ "image_url": "images/bluecat_integrity_overview_dark.png"
+ },
+ {
+ "media_type": "image",
+ "caption": "BlueCat Integrity DNS Insights",
+ "image_url": "images/bluecat_integrity_dns_insights_light.png"
+ },
+ {
+ "media_type": "image",
+ "caption": "BlueCat Integrity DNS Insights",
+ "image_url": "images/bluecat_integrity_dns_insights_dark.png"
+ },
+ {
+ "media_type": "image",
+ "caption": "BlueCat Integrity DHCP Insights",
+ "image_url": "images/bluecat_integrity_dhcp_insights_light.png"
+ },
+ {
+ "media_type": "image",
+ "caption": "BlueCat Integrity DHCP Insights",
+ "image_url": "images/bluecat_integrity_dhcp_insights_dark.png"
+ }
+ ],
+ "classifier_tags": [
+ "Category::Network",
+ "Category::Security",
+ "Category::Log Collection",
+ "Submitted Data Type::Logs",
+ "Offering::Integration"
+ ]
+ },
+ "assets": {
+ "integration": {
+ "auto_install": false,
+ "source_type_id": 71394034,
+ "source_type_name": "BlueCat Integrity",
+ "events": {
+ "creates_events": false
+ }
+ },
+ "dashboards": {
+ "BlueCat Integrity Overview": "assets/dashboards/bluecat_integrity_overview.json",
+ "BlueCat Integrity DNS Insights": "assets/dashboards/bluecat_integrity_dns_insights.json",
+ "BlueCat Integrity DHCP Insights": "assets/dashboards/bluecat_integrity_dhcp_insights.json"
+ },
+ "logs": {
+ "source": "bluecat-integrity"
+ }
+ },
+ "author": {
+ "support_email": "help@datadoghq.com",
+ "name": "Datadog",
+ "homepage": "https://www.datadoghq.com",
+ "sales_email": "info@datadoghq.com"
+ }
+}
\ No newline at end of file
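Review bot: `Category::Security` is declared in `classifier_tags`, but the `assets` block in this hunk declares only `dashboards` and a `logs` source, so nothing in the manifest itself backs the security categorisation; if Cloud SIEM detection content is meant to ship with this tile, confirm it is declared where the tile build expects it, otherwise the tag overstates what the integration provides. The file also ends without a trailing newline (`\ No newline at end of file`), which formatters and `git diff` will keep flagging; add the final newline after the closing `}`. Both are minor for a first release, and with `display_on_public_website` set to `false` there is time to settle the tag before the tile goes public.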