Filters - BlueCat Edge - Service Point v4.x.x

BlueCat Edge User Guide

Locale
English
Product name
BlueCat Edge
Version
Service Point v4.x.x

You can filter DNS query data using the filter menu or advanced filter command bar.

  1. Click the Advanced toggle to switch between the filter menu and advanced filter command bar.
  2. Click Add filter to select additional filter parameters. For filters that accept input, once you have selected that filter, the input field auto completes values as you begin to type:
    • Time: Sets the data filter for the specified time frame.
      • You can specify whether you want date returned within the Last 10 minutes, Last 1 hour, Last 24 hours, Yesterday, Last 7 days, or a Custom time frame. By default, the DNS activity page returns all queries logged.
      • When using Custom, select two dates on the calendar to specify the time frame. You can also manually enter the date and time in the Start and End fields. This can include both the date and time, or only a date or only a time. If no time is specified, results are returned from 00:00:00 (midnight).
        Note: If you are using keyboard navigation, you can use the Page Up and Page Down keys to navigate between months and years on the calendar.
      • By default, DNS Insights tab is optimized to display data collected within the last 7 days. Changing the time frame doesn't modify this default period.
    • Site: Sets the data filter for the specified site name.
    • Source IP: Sets the data filter for the specified source IP address(es). Must be a valid IPv4 or IPv6 address, or list of IPv4 or IPv6 addresses.
    • Query Name: Sets the data filter for the specified query name.
    • Query Type: Sets the data filter for the specified query type.
    • Response Code: Sets the data filter for the specified response code (for example, NXDOMAIN, NOERROR, SERVFAIL).
    • Response IP: Sets the data filter for the DNS events resolving to either of the specified IPv4 and/or IPv6 address(es). Must be valid IPv4 or IPv6 address(es).
    • Policy: Sets the data filter for the specified policy name.
    • Policy Action: Sets the data filter for the specified policy action (Trust, Block, Monitor, Redirect, None).
    • Threat Type: Sets the data filter for the specified threat type (DGA, Tunneling).
    • Threat Indicator: Sets the data filter for the specified threat indicator (Entropy, Advanced DGA, Host Size, Suspect DNS, Suspect TLD, Uncommon Rec, Unique Char, Vol Tunnel).
    • Protocol: Sets the data filter for the specified query protocol (TCP, UDP).
    • Namespace Name: Sets the data filter for the specified namespace.
    • Latency: Sets the data filter for the specified latency range for DNS queries. Select None (0 - 1 ms), Low, (1- 20 ms), Medium (20 - 100 ms), High (100 and above ms), or Custom (in milliseconds). If you select Custom, FROM must be less than or equal to TO.
    • User ID: Sets the data filter for the specified User ID that initiated the DNS query. The User ID information is only returned when you enable the Add identity information to queries option on a site. For more information, refer to Creating a site.
    Click Save to save a filter parameter.

    You can edit filter parameters by selecting the name of the parameter or delete filter parameters by clicking the x icon next to the filter.

Filter commands

Use the following filter commands in the BlueCat Edge advanced filter command bar.

/time last10minutes | last1hour | last24hours | yesterday | last7days Sets the data filter start date and time.
  • You can specify whether you want date returned within the last10minutes, last1hour, last24hours, yesterday, or last7days time frame. By default, the DNS activity page returns all queries logged.
  • When using Custom, select two dates on the calendar to specify the time frame. You can also manually enter the date and time in the Start and End fields. This can include both the date and time, or only a date or only a time. If no time is specified, results are returned from 00:00:00 (midnight).
    Note: If you are using keyboard navigation, you can use the Page Up and Page Down keys to navigate between months and years on the calendar.
  • By default, DNS Insights tab is optimized to display data collected within the last 7 days. Changing the time frame doesn't modify this default period.
/time from MM-DD-YYYY HH:MM:SS to MM-DD-YYYY HH:MM:SS Sets the data filter date and end time, exclusively. For example, if you set /time from 06-28-2023 10:10:10 to 06-28-2023 23:59:59, the filter returns data from June 28, 2023 at 10:10:10 to June 28, 2023 at 23:59:58.
/site SiteName Sets the data filter for the specified site name.
/source SourceIp Sets the data filter for the specified source IP address(es). Must be a valid IPv4 address or a list of IPv4 addresses.
/querytype QueryType Sets the data filter for the specified query type.
/queryname QueryName Sets the data filter for the specified query name.
/responsecode ResponseCode Sets the data filter for the specified response code (for example, NXDOMAIN, NOERROR, SERVFAIL).
/responseip IPAddress Sets the data filter for the DNS events resolving to either of the specified IPv4 and/or IPv6 address(es). Must be valid IPv4 or IPv6 address(es).
/policyname PolicyName Sets the data filter for the specified policy name.
/policyaction PolicyAction Sets the data filter for the specified policy action (none, allow, block, monitor, redirect).
/protocol QueryProtocol Sets the data filter for the specified query protocol (TCP, UDP).
/namespace QueryNamespace Sets the data filter for the specified namespace.
/threattype threat Sets the data filter for the specified threat type (dga, tunneling).
/threatind indicator Sets the data filter for the specified threat indicator (entropy, advdga, hostSize, uniqueChar, uncommonRec, SusTLD, SusDNS, voltunnel).
/latency none Sets the data filter for the none (0 - 1 ms) latency range for DNS queries.
/latency low Sets the data filter for the low (1 - 20 ms) latency range for DNS queries.
/latency medium Sets the data filter for the medium (20 - 100 ms) latency range for DNS queries.
/latency high Sets the data filter for the medium (100 and above ms) latency range for DNS queries.
/latency [from <int>] [to <int>] Sets the data filter for the selected latency range for DNS queries. from must be less than or equal to to.
/userId UserId Sets the data filter for the specified User ID that initiated the DNS query. The User ID information is only returned when you enable the Add identity information to queries option on a site. For more information, refer to Creating a site.

Filter command tips

  • Enter times in 24-hour format (HH:MM:SS). All digits are required.
  • Enter dates in MM-DD-YYYY format (03-15-2023). All digits are required.
  • You can copy a list of filter values and paste them to advanced filter command bar.

    For example:

    If you copy the following list for the /queryname filter command:

    abc.com

    meow.com

    ham.com

    Then paste them to the advanced filter command bar, the list of items will display as comma separated:

  • If you enter the incorrect filter commands and values, a list of errors will display below the advanced filter command bar. The number on the error indicates the location of the error in the command bar. When you click on the error, the cursor moves to the location of the error.

  • Filters become active when you press Enter and remain active until you change the text in the command bar. Active filters are indicated by green text in the command bar.
  • Click to view the filter history. You can delete and pin items in the list.
    Note: You can pin up to 10 items in the list.

  • You can copy the URL of a filter by clicking , then right-clicking the filter > Copy Link Address. You can also copy the URL in the URL field of your browser.
  • You can extend your search for more than one item at a time by adding multiple items, separated by commas. For example:

    /policyaction block, redirect

    Note: The extended search is only available for the following filters:
    • /site
    • /source
    • /querytype
    • /queryname
    • /protocol
    • /namespace
    • /response
    • /policyname
    • /policyaction
    • /threattype
    • /threatind
  • You can use one or more filters at a time on the command line. For example, you can combine filters for date/time, policy action, and site name.
  • Using the BlueCat Edge dashboard, you can select a time range on the graph to filter DNS queries in the DNS Activity window. You can deselect one or more policy actions to filter both by the selected time range, and the visible policy actions.

    dashboard select time range