Functions/BloxOneDDI/Get-B1DNSEvent.ps1
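function Get-B1DNSEvent {
    <#
    .SYNOPSIS
        Queries the BloxOne Threat Defense DNS Events

    .DESCRIPTION
        This function is used to query the BloxOne Threat Defense DNS Events.
        This is the log which contains all security policy hits.

        Every filter value is passed to the dnsdata API as a query-string
        parameter built by ConvertTo-QueryString. Array-typed parameters are
        interpolated as a single string (space-joined by default), whereas
        -Fields is comma-joined; whether the API accepts multiple values in a
        single filter is not verified here.

    .PARAMETER Query
        Use this parameter to filter the DNS Events by hostname or FQDN (qname)

    .PARAMETER IP
        Used to filter the DNS Events by IP Address (qip)

    .PARAMETER Response
        Use this parameter to filter the DNS Log by the response, i.e "NXDOMAIN".
        Currently accepted but not applied as a query filter.

    .PARAMETER Source
        Used to filter the DNS Events by detection source: RPZ, Analytic or Category

    .PARAMETER Network
        Used to filter the DNS Events by Network

    .PARAMETER Policy
        Used to filter the DNS Events by Policy Name

    .PARAMETER ThreatLevel
        Used to filter the DNS Events by Threat Level: Info, Low, Medium or High

    .PARAMETER ThreatClass
        Used to filter the DNS Events by Threat Class

    .PARAMETER FeedName
        Used to filter the DNS Events by Feed Name

    .PARAMETER FeedType
        Currently accepted but not applied as a query filter.

    .PARAMETER UserGroup
        Used to filter the DNS Events by User Group

    .PARAMETER AppCategory
        Used to filter the DNS Events by Application Category

    .PARAMETER ThreatProperty
        Used to filter the DNS Events by Threat Property

    .PARAMETER ThreatIndicator
        Used to filter the DNS Events by Threat Indicator

    .PARAMETER PolicyAction
        Used to filter the DNS Events by Policy Action: Log, Block, Default or Redirect

    .PARAMETER EndpointGroup
        Currently accepted but not applied as a query filter.

    .PARAMETER AppName
        Used to filter the DNS Events by Application Name

    .PARAMETER DNSView
        Used to filter the DNS Events by DNS View name. The view is resolved
        via Get-B1DNSView -Strict; an unknown view name produces an error.

    .PARAMETER Start
        A date parameter used as the starting date/time of the log search.
        By default, the search will start from 24hrs ago and returns the latest
        results first. You may need to increase the -Limit parameter or reduce
        the -End date/time to view earlier events.

    .PARAMETER End
        A date parameter used as the end date/time of the log search.

    .PARAMETER Limit
        Use this parameter to limit the quantity of results. The default number
        of results is 100.

    .PARAMETER Offset
        Use this parameter to offset the results by the value entered for the
        purpose of pagination

    .PARAMETER Fields
        Specify a list of fields to return. The default is to return all fields.

    .EXAMPLE
        PS> Get-B1DNSEvent -Start (Get-Date).AddDays(-7)

    .FUNCTIONALITY
        BloxOneDDI

    .FUNCTIONALITY
        Logs
    #>
    param(
        [String]$Query,
        [String]$IP,
        [String[]]$Response,
        [ValidateSet("RPZ","Analytic","Category")]
        [String[]]$Source,
        [String[]]$Network,
        [String[]]$Policy,
        [ValidateSet("Info","Low","Medium","High")]
        [String[]]$ThreatLevel,
        [String[]]$ThreatClass,
        [String[]]$FeedName,
        [String[]]$FeedType,
        [String[]]$UserGroup,
        [String[]]$AppCategory,
        [String[]]$ThreatProperty,
        [String[]]$ThreatIndicator,
        [ValidateSet("Log","Block","Default","Redirect")]
        [String[]]$PolicyAction,
        [String[]]$EndpointGroup,
        [String[]]$AppName,
        [String[]]$DNSView,
        [datetime]$Start = $(Get-Date).AddDays(-1),
        [datetime]$End = $(Get-Date),
        [String[]]$Fields,
        [int]$Limit = 100,
        [int]$Offset = 0
    )

    # The API takes the time window as Unix epoch seconds (t0 / t1).
    $StartEpoch = [math]::round($((Get-Date -Date ($Start) -UFormat %s)))
    $EndEpoch = [math]::round($((Get-Date -Date ($End) -UFormat %s)))

    $Filters = @()
    if ($StartEpoch) { $Filters += "t0=$StartEpoch" }
    if ($EndEpoch) { $Filters += "t1=$EndEpoch" }

    # Optional filters, keyed by the API field name, in the order they are
    # appended to the query string. Fix: the qname filter previously
    # interpolated an undefined $Name variable, so -Query never filtered.
    $FilterMap = [ordered]@{
        qname            = $Query
        qip              = $IP
        source           = $Source
        network          = $Network
        policy_name      = $Policy
        policy_action    = $PolicyAction
        threat_level     = $ThreatLevel
        threat_class     = $ThreatClass
        threat_property  = $ThreatProperty
        threat_indicator = $ThreatIndicator
        feed_name        = $FeedName
        user_group       = $UserGroup
        app_category     = $AppCategory
        app_name         = $AppName
    }
    foreach ($Key in $FilterMap.Keys) {
        $Value = $FilterMap[$Key]
        # Caller-supplied values are placed straight into the query string;
        # NOTE(review): encoding of reserved characters is delegated to
        # ConvertTo-QueryString - confirm it URL-encodes values.
        if ($Value) { $Filters += "$Key=$Value" }
    }

    $Filters += "_limit=$Limit"
    $Filters += "_offset=$Offset"

    if ($DNSView) {
        $DNSViewReturned = Get-B1DNSView -Name $DNSView -Strict
        # Fail with a clear message instead of a null-method exception when
        # the view name does not resolve.
        if (-not $DNSViewReturned) {
            Write-Error "DNS View not found: $DNSView"
            return
        }
        # The first 9 characters of the view id are dropped before it is sent;
        # NOTE(review): the id prefix format is not visible here - confirm
        # against Get-B1DNSView output.
        $DNSViewReturnedId = $($DNSViewReturned).id.Substring(9)
        $Filters += "dns_view=$DNSView,$DNSViewReturnedId"
    }

    if ($Fields) { $Filters += "_fields=$($Fields -join ",")" }
    $Filters += "_format=json"

    # $Filters is never empty here (_limit/_offset/_format are always set), so
    # a single request path suffices.
    $Filter = ConvertTo-QueryString($Filters)

    # -ErrorAction/-WarningAction apply to Select-Object only (a response
    # without a 'result' property is tolerated); failures from Query-CSP
    # itself still surface to the caller.
    Query-CSP -Method GET -Uri "$(Get-B1CSPUrl)/api/dnsdata/v2/dns_event$Filter" |
        Select-Object -ExpandProperty result -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
}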