Collect BloxOne Threat Defense logs

Supported in:

This document explains how to ingest BloxOne Threat Defense logs to Google Security Operations using the Bindplane agent.

Infoblox BloxOne Threat Defense is a cloud-managed DNS security service that generates syslog messages in CEF format for DNS queries, threat intelligence events, and policy actions. The parser normalizes fields and maps them to the Unified Data Model (UDM).

Before you begin

Make sure you have the following prerequisites:

  • A Google SecOps instance
  • Windows Server 2016 or later, or Linux host with systemd
  • Network connectivity between the Bindplane agent and the Infoblox BloxOne platform
  • If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
  • Privileged access to the Infoblox Portal

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File

  4. Save the file securely on the system where the Bindplane agent will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.

  3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

  1. Open Command Prompt or PowerShell as an administrator.

  2. Run the following command:

    msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

  3. Wait for the installation to complete.

  4. Verify the installation by running:

    sc query observiq-otel-collector

    The service should show as RUNNING.

Linux installation

  1. Open a terminal with root or sudo privileges.

  2. Run the following command:

    sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

  3. Wait for the installation to complete.

  4. Verify the installation by running:

    sudo systemctl status observiq-otel-collector

    The service should show as active (running).

Additional installation resources

For additional installation options and troubleshooting, see Bindplane agent installation guide.

Configure the Bindplane agent to ingest syslog and send to Google SecOps

Locate the configuration file

  • Linux:

    sudo nano /etc/bindplane-agent/config.yaml

  • Windows:

    notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"

Edit the configuration file

  • Replace the entire contents of config.yaml with the following configuration:

    receivers:
    udplog:
        listen_address: "0.0.0.0:514"

exporters:
    chronicle/bloxone:
        compression: gzip
        creds_file_path: '/etc/bindplane-agent/ingestion-auth.json'
        customer_id: '<customer_id>'
        endpoint: malachiteingestion-pa.googleapis.com
        log_type: BLOXONE
        raw_log_field: body

service:
    pipelines:
        logs/bloxone_to_chronicle:
            receivers:
                - udplog
            exporters:
                - chronicle/bloxone

Configuration parameters

Replace the following placeholders:

  • Receiver configuration:

    • listen_address: IP address and port to listen on:
      • 0.0.0.0 to listen on all interfaces (recommended)
      • Port 514 is the standard syslog port (requires root on Linux; use 1514 for non-root)

  • Exporter configuration:

    • creds_file_path: Full path to ingestion authentication file:
      • Linux: /etc/bindplane-agent/ingestion-auth.json
      • Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
    • customer_id: Customer ID copied from the Google SecOps console
    • endpoint: Regional endpoint URL:
      • US: malachiteingestion-pa.googleapis.com
      • Europe: europe-malachiteingestion-pa.googleapis.com
      • Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
      • See Regional Endpoints for complete list

Save the configuration file

  • After editing, save the file:
    • Linux: Press Ctrl+O, then Enter, then Ctrl+X
    • Windows: Click File > Save

Restart the Bindplane agent to apply the changes

  • To restart the Bindplane agent in Linux, run the following command:

    sudo systemctl restart observiq-otel-collector

    1. Verify the service is running:

      sudo systemctl status observiq-otel-collector

    2. Check logs for errors:

      sudo journalctl -u observiq-otel-collector -f

  • To restart the Bindplane agent in Windows, choose one of the following options:

    • Command Prompt or PowerShell as administrator:

      net stop observiq-otel-collector && net start observiq-otel-collector

    • Services console:

      1. Press Win+R, type services.msc, and press Enter.
      2. Locate observIQ OpenTelemetry Collector.
      3. Right-click and select Restart.

      4. Verify the service is running:

        sc query observiq-otel-collector

      5. Check logs for errors:

        type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"

Configure syslog in Infoblox BloxOne

  1. Sign in to the Infoblox Portal.
  2. Go to Configure > Administration > Data Connector.
  3. Select the Destination Configuration tab.
  4. Click Create > Syslog.
  5. Provide the following configuration details:
    • Name: Provide a descriptive name (for example, Google SecOps collector).
    • Description: Provide a brief description.
    • State: Select Enable.
    • Tags: Click Add and specify the following to associate a key with the destination:
      • KEY: Enter a descriptive name for the key.
      • VALUE: Enter your value for the key.
    • Format: Select CEF.
    • Protocol: Select UDP or TCP (depending on your Bindplane agent configuration).
    • FQDN/IP: Enter the Bindplane agent IP address.
    • Port: Enter the Bindplane agent port (default is 514 for UDP).
  6. Click Save & Close.

UDM mapping table

Log field UDM mapping Logic
additional_list.key This field is used in a loop to iterate over the additional_list array and extract data based on the value of the key field. It is not directly mapped to the UDM.
additional_list.value principal.location.region_latitude, principal.location.region_longitude, target.location.region_latitude, target.location.region_longitude This field is used in conjunction with additional_list.key to extract specific values from the additional_list array. The logic for extracting and mapping the value depends on the corresponding key. For example:
- If additional_list.key is intel:source:ip:geoIP:location, extract latitude and longitude values using grok and map them to principal.location.region_latitude and principal.location.region_longitude, respectively.
- If additional_list.key is intel:destination:ip:geoIP:location, extract latitude and longitude values using grok and map them to target.location.region_latitude and target.location.region_longitude, respectively.
additional_string.key Similar to additional_list.key, this field is used in a loop to iterate over the additional_string array and extract data based on the key value. It is not directly mapped to the UDM.
additional_string.value additional.fields.value.string_value, principal.location.country_or_region, target.location.country_or_region, src.ip, src.port, src.hostname, network.ip_protocol Used with additional_string.key to extract values from the additional_string array. The logic for mapping the value depends on the corresponding key. For example:
- If additional_string.key is intel:source:ip:ip2asn:start_ip, intel:source:ip:ip2asn:finish_ip, intel:destination:ip:ip2asn:start_ip, or intel:destination:ip:ip2asn:finish_ip, map the value to additional.fields.value.string_value with the corresponding key.
- If additional_string.key is intel:source:ip:geoIP:country, map the value to principal.location.country_or_region.
- If additional_string.key is intel:destination:ip:geoIP:country, map the value to target.location.country_or_region.
- If additional_string.key is log:source:ip, map the value to src.ip.
- If additional_string.key is log:source:port, map the value to src.port after converting it to an integer.
- If additional_string.key is log:source:hostname, map the value to src.hostname.
- If additional_string.key is log:cdh:input:protocol, map the value to network.ip_protocol after converting it to uppercase.
app_category security_result.category_details Directly mapped.
confidence security_result.confidence Mapped based on the following logic:
- If confidence is LOW, map to LOW_CONFIDENCE.
- If confidence is MEDIUM, map to MEDIUM_CONFIDENCE.
- If confidence is HIGH, map to HIGH_CONFIDENCE.
country principal.location.name Directly mapped, but only if raw.infobloxb1region is empty.
device principal.ip, principal.asset.ip Directly mapped, but only if raw.dvc is empty.
dhcp_fingerprint security_result.detection_fields.value Directly mapped with the key dhcp_fingerprint.
dns_view security_result.detection_fields.value Directly mapped with the key dns_view.
endpoint_groups security_result.detection_fields.value Directly mapped with the key endpoint_groups.
event_time metadata.event_timestamp.seconds Parsed as an ISO8601 timestamp and the seconds value is extracted. Used only if the timestamp field is empty.
feed_name principal.resource.name feed_name is mapped to principal.resource.name.
feed_type principal.resource.attribute.labels.value Directly mapped with the key feed_type.
mac_address principal.mac Directly mapped after converting to lowercase.
network principal.hostname, principal.asset.hostname Directly mapped, but only if both raw.dvchost and raw.dvc are empty.
os_version principal.platform_version Directly mapped.
policy_action security_result.action_details, security_result.action policy_action is directly mapped to security_result.action_details.
security_result.action is derived based on the following logic:
- If policy_action is Redirect or Log, map to ALLOW.
- If policy_action is BLOCK, map to BLOCK.
policy_name security_result.detection_fields.value Directly mapped with the key policy_name.
qname network.dns.questions.name Directly mapped.
qtype network.dns.questions.type Mapped based on the following logic:
- If qtype is A, map to 1 (converted to unsigned integer).
- If qtype is PTR, map to 12 (converted to unsigned integer).
raw.act security_result.action_details Directly mapped.
raw.app network.application_protocol Directly mapped after converting to uppercase.
raw.deviceeventclassid metadata.product_event_type Concatenated with raw.name (separated by -) and mapped to metadata.product_event_type.
raw.devicevendor metadata.vendor_name Directly mapped.
raw.deviceproduct metadata.product_name Directly mapped.
raw.deviceversion metadata.product_version Directly mapped.
raw.deviceseverity security_result.severity_details, security_result.severity raw.deviceseverity is directly mapped to security_result.severity_details.
security_result.severity is derived based on the following logic:
- If raw.deviceseverity is in [0, 1, 2, 3], map to LOW.
- If raw.deviceseverity is in [4, 5, 6], map to MEDIUM.
- If raw.deviceseverity is in [7, 8], map to HIGH.
- If raw.deviceseverity is in [9, 10], map to CRITICAL.
raw.dvc principal.ip, principal.asset.ip Directly mapped.
raw.dvchost principal.hostname, principal.asset.hostname Directly mapped, but only if it's not equal to raw.dvc.
raw.infobloxb1connectiontype additional.fields.value.string_value Directly mapped with the key infobloxb1connectiontype.
raw.infobloxb1ophname observer.hostname, observer.asset.hostname Directly mapped.
raw.infobloxb1ophipaddress observer.ip Directly mapped.
raw.infobloxb1policyname security_result.detection_fields.value Directly mapped with the key infobloxb1policyname.
raw.infobloxdnsqclass dns_question.class, dns_answer.class Used to derive dns_question.class and dns_answer.class based on a lookup table defined in the dns_query_class_mapping.include file.
raw.infobloxdnsqtype dns_question.type, dns_answer.type Used to derive dns_question.type and dns_answer.type based on a lookup table defined in the dns_record_type.include file.
raw.infobloxdnsrcode network.dns.response_code Used to derive network.dns.response_code based on a lookup table defined in the dns_response_code.include file.
raw.infobloxpolicyid security_result.detection_fields.value Directly mapped with the key infobloxpolicyid.
raw.msg metadata.description raw.msg is directly mapped to metadata.description after removing leading and trailing quotes.
raw.name metadata.product_event_type Concatenated with raw.deviceeventclassid (separated by -) and mapped to metadata.product_event_type.
rcode security_result.detection_fields.value, network.dns.response_code rcode is directly mapped to security_result.detection_fields.value with the key rcode.
If rcode is NXDOMAIN, network.dns.response_code is set to 3 (converted to unsigned integer).
rdata network.dns.answers.data Directly mapped.
rip target.ip, target.asset.ip Directly mapped.
severity security_result.severity Mapped based on the following logic:
- If severity is INFO (case-insensitive), map to INFORMATIONAL.
- If severity is HIGH, map to HIGH.
tclass security_result.detection_fields.value Directly mapped with the key tclass.
threat_indicator security_result.detection_fields.value Directly mapped with the key threat_indicator.
timestamp metadata.event_timestamp.seconds Parsed as an ISO8601 timestamp and the seconds value is extracted.
user principal.user.user_display_name Directly mapped.
user_groups security_result.detection_fields.value Directly mapped with the key user_groups.
N/A principal.resource.resource_subtype Set to Feed if feed_name is not empty.
N/A metadata.log_type Set to BLOXONE.
N/A additional.fields.key Set to infobloxancount, infobloxarcount, infobloxb1connectiontype, infobloxnscount, intel:destination:ip:ip2asn:finish_ip, intel:destination:ip:ip2asn:start_ip, intel:source:ip:ip2asn:finish_ip, or intel:source:ip:ip2asn:start_ip based on the corresponding raw fields.
N/A metadata.event_type Set to STATUS_UPDATE if has_principal is true, otherwise set to GENERIC_EVENT.
N/A network.dns.questions.type Set to 1 for A records and 12 for PTR records, converted to unsigned integer.
N/A network.dns.answers.name, network.dns.answers.type, network.dns.answers.class Extracted from raw.msg by parsing the DNS response string.
N/A intermediary.hostname, intermediary.ip, intermediary.asset.ip Extracted from raw.msg by parsing the DNS response string.

Need more help? Get answers from Community members and Google SecOps professionals.