# 4003 - DNS Activity

CIM Data Models: DNS

## OCSF Version: 1.0.0

| CIM Field | Mapping |
|---|---|
| src | coalesce('src_endpoint.hostname', 'src_endpoint.ip') |
| src_ip | src_endpoint.ip |
| src_port | src_endpoint.port |
| src_mac | src_endpoint.mac |
| src_host | src_endpoint.hostname |
| dest | coalesce('dst_endpoint.hostname', 'dst_endpoint.ip', 'dst_endpoint.name') |
| dest_ip | dst_endpoint.ip |
| dest_port | dst_endpoint.port |
| dest_mac | dst_endpoint.mac |
| dest_host | dst_endpoint.hostname |
| query | query.hostname |
| message_type | case(activity_id==1, "Query", activity_id==2, "Response", true(), activity_name) |
| answer_count | mvcount('answers{}.rdata') |
| answer | answers{}.rdata |
| name | message |
| query_type | query.opcode_id |
| record_type | query.type |
| reply_code | rcode |
| reply_code_id | rcode_id |
| vendor_product | metadata.product.name |
| ttl | answers{}.ttl |

## OCSF Version: 1.1.0

| CIM Field | Mapping |
|---|---|
| src | coalesce('src_endpoint.hostname', 'src_endpoint.ip') |
| src_ip | src_endpoint.ip |
| src_port | src_endpoint.port |
| src_mac | src_endpoint.mac |
| src_host | src_endpoint.hostname |
| dest | coalesce('dst_endpoint.hostname', 'dst_endpoint.ip', 'dst_endpoint.name') |
| dest_ip | dst_endpoint.ip |
| dest_port | dst_endpoint.port |
| dest_mac | dst_endpoint.mac |
| dest_host | dst_endpoint.hostname |
| query | query.hostname |
| message_type | case(activity_id==1, "Query", activity_id==2, "Response", true(), activity_name) |
| answer_count | mvcount('answers{}.rdata') |
| answer | answers{}.rdata |
| name | message |
| query_type | query.opcode_id |
| record_type | query.type |
| reply_code | rcode |
| reply_code_id | rcode_id |
| vendor_product | metadata.product.name |
| ttl | answers{}.ttl |

## OCSF Version: 1.2.0

| CIM Field | Mapping |
|---|---|
| src | coalesce('src_endpoint.hostname', 'src_endpoint.ip') |
| src_ip | src_endpoint.ip |
| src_port | src_endpoint.port |
| src_mac | src_endpoint.mac |
| src_host | src_endpoint.hostname |
| dest | coalesce('dst_endpoint.hostname', 'dst_endpoint.ip', 'dst_endpoint.name') |
| dest_ip | dst_endpoint.ip |
| dest_port | dst_endpoint.port |
| dest_mac | dst_endpoint.mac |
| dest_host | dst_endpoint.hostname |
| query | query.hostname |
| message_type | case(activity_id==1, "Query", activity_id==2, "Response", true(), activity_name) |
| answer_count | mvcount('answers{}.rdata') |
| answer | answers{}.rdata |
| name | message |
| query_type | query.opcode_id |
| record_type | query.type |
| reply_code | rcode |
| reply_code_id | rcode_id |
| vendor_product | metadata.product.name |
| ttl | answers{}.ttl |

## OCSF Version: 1.0.0*

| CIM Field | Mapping |
|---|---|
| src | coalesce('src_endpoint.hostname', 'src_endpoint.ip') |
| src_ip | src_endpoint.ip |
| src_port | src_endpoint.port |
| src_mac | src_endpoint.mac |
| src_host | src_endpoint.hostname |
| dest | coalesce('dst_endpoint.hostname', 'dst_endpoint.ip', 'dst_endpoint.name') |
| dest_ip | dst_endpoint.ip |
| dest_port | dst_endpoint.port |
| dest_mac | dst_endpoint.mac |
| dest_host | dst_endpoint.hostname |
| query | query.hostname |
| message_type | case(activity_id==1, "Query", activity_id==2, "Response", true(), activity_name) |
| answer_count | mvcount('answers{}.rdata') |
| answer | answers{}.rdata |
| name | message |
| query_type | query.opcode_id |
| record_type | query.type |
| reply_code | rcode |
| reply_code_id | rcode_id |
| vendor_product | metadata.product.name |
| ttl | answers{}.ttl |
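
The mapping expressions above lean on three SPL functions (`coalesce`, `case`, `mvcount`) and on the multivalue path `answers{}.rdata`, and the fallback order they encode is easy to misread when validating a field mapping. The Python below is an added example, not code from this page or from the OCSF or Splunk projects: it reimplements the assumed semantics of those functions (first non-null argument, first true branch, count of multivalue entries, `{}` fanning out over a list) and applies the DNS Activity to CIM mapping to two constructed events, a query with no answers and a response whose endpoints lack a hostname, so the coalesce fallbacks and the answer count can be checked offline. The event layout follows the field paths in the tables; every sample value is constructed.

```python
from typing import Any, Optional

# Constructed sample OCSF DNS Activity events (not taken from the page).
RESPONSE_EVENT = {
    "activity_id": 2,
    "activity_name": "Response",
    "message": "DNS response",
    "rcode": "NoError",
    "rcode_id": 0,
    "metadata": {"product": {"name": "Example DNS Sensor"}},
    # no hostname on the source, so 'src' must fall back to the IP
    "src_endpoint": {"ip": "10.0.0.5", "port": 53412, "mac": "00:11:22:33:44:55"},
    # neither hostname nor ip on the destination, so 'dest' must fall back to 'name'
    "dst_endpoint": {"port": 53, "name": "resolver-1"},
    "query": {"hostname": "example.com", "type": "A", "opcode_id": 0},
    "answers": [
        {"rdata": "192.0.2.10", "ttl": 300},
        {"rdata": "192.0.2.11", "ttl": 300},
    ],
}

QUERY_EVENT = {
    "activity_id": 1,
    "activity_name": "Query",
    "message": "DNS query",
    "metadata": {"product": {"name": "Example DNS Sensor"}},
    "src_endpoint": {"hostname": "wks-01", "ip": "10.0.0.5", "port": 53412},
    "dst_endpoint": {"ip": "10.0.0.53", "port": 53},
    "query": {"hostname": "example.com", "type": "A", "opcode_id": 0},
}


def _walk(obj: Any, parts: list) -> Any:
    """Resolve remaining path segments; a segment ending in '{}' fans out over a
    list and returns the per-element results (assumed multivalue semantics)."""
    if not parts:
        return obj
    head, rest = parts[0], parts[1:]
    if head.endswith("{}"):
        items = obj.get(head[:-2]) if isinstance(obj, dict) else None
        if not isinstance(items, list):
            return None
        values = [v for v in (_walk(item, rest) for item in items) if v is not None]
        return values or None
    if not isinstance(obj, dict):
        return None
    return _walk(obj.get(head), rest)


def get_path(event: dict, path: str) -> Any:
    """Look up a dotted OCSF path such as 'src_endpoint.ip' or 'answers{}.ttl'."""
    return _walk(event, path.split("."))


def coalesce(*values: Any) -> Any:
    """First non-null argument, mirroring SPL coalesce()."""
    return next((v for v in values if v is not None), None)


def mvcount(value: Any) -> Optional[int]:
    """Number of entries in a multivalue field, mirroring SPL mvcount()."""
    if value is None:
        return None
    return len(value) if isinstance(value, list) else 1


def message_type(event: dict) -> Any:
    """case(activity_id==1, "Query", activity_id==2, "Response", true(), activity_name)."""
    activity_id = event.get("activity_id")
    if activity_id == 1:
        return "Query"
    if activity_id == 2:
        return "Response"
    return event.get("activity_name")


def ocsf_dns_to_cim(event: dict) -> dict:
    """Apply the DNS Activity -> CIM DNS mapping from the tables to one OCSF event."""
    g = lambda path: get_path(event, path)
    return {
        "src": coalesce(g("src_endpoint.hostname"), g("src_endpoint.ip")),
        "src_ip": g("src_endpoint.ip"),
        "src_port": g("src_endpoint.port"),
        "src_mac": g("src_endpoint.mac"),
        "src_host": g("src_endpoint.hostname"),
        "dest": coalesce(g("dst_endpoint.hostname"), g("dst_endpoint.ip"), g("dst_endpoint.name")),
        "dest_ip": g("dst_endpoint.ip"),
        "dest_port": g("dst_endpoint.port"),
        "dest_mac": g("dst_endpoint.mac"),
        "dest_host": g("dst_endpoint.hostname"),
        "query": g("query.hostname"),
        "message_type": message_type(event),
        "answer_count": mvcount(g("answers{}.rdata")),
        "answer": g("answers{}.rdata"),
        "name": g("message"),
        "query_type": g("query.opcode_id"),
        "record_type": g("query.type"),
        "reply_code": g("rcode"),
        "reply_code_id": g("rcode_id"),
        "vendor_product": g("metadata.product.name"),
        "ttl": g("answers{}.ttl"),
    }
```

Calling `ocsf_dns_to_cim(RESPONSE_EVENT)` yields `src` of `10.0.0.5` (IP fallback), `dest` of `resolver-1` (name fallback), `answer_count` of 2 and `ttl` of `[300, 300]`; for `QUERY_EVENT` the answer-derived fields come back as `None`, which is the case a detection search over `answer_count` needs to tolerate.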