[Infoblox BloxOne DDI] DNS Data Records Not Populating ECS Fields

[MakoWish]

We recently started leveraging the Infoblox BloxOne DDI integration, and I am noticing on the DNS Data events, there is absolutely no population of the ECS DNS fields. Why is that?

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[jamiehynds]

Hey @MakoWish, based the fields within our sample data , you're absolutely right, there is no population of the ECS DNS fields (except for dns.answers.ttl). This is generally down to the absence of suitable ECS fields to map to. Based on the DNS Data you have, are there any fields currently mapped to infoblox. but could be mapped to an ECS DNS field?

[MakoWish]

Hi Jamie,

We just recently started using Infloblox (I absolutely hate it), but just a quick look without scouring all the logs, I can see at least these:

infoblox_bloxone_ddi.dns_data.type --> dns.question.type
infoblox_bloxone_ddi.dns_data.type --> dns.answers.type
infoblox_bloxone_ddi.dns_data.absolute.name.spec --> dns.question.name
infoblox_bloxone_ddi.dns_data.absolute.zone.name --> dns.question.registered_domain
infoblox_bloxone_ddi.dns_data.name_in.zone --> dns.question.subdomain
infoblox_bloxone_ddi.dns_data.rdata_value --> dns.answers

Also, not sure if it is just in our environment, but these appear to be duplicates in 100% of the cases I can see:

infoblox_bloxone_ddi.dns_data.absolute_name.spec == infoblox_bloxone_ddi.dns_data.absolute.name.spec
infoblox_bloxone_ddi.dns_data.absolute_zone.name == infoblox_bloxone_ddi.dns_data.absolute.zone.name

If the question or answer is a hostname, I think those should also be appended to related.hosts, but that is also not happening.

Eric