/v2/api/customer/dnsQueryLog/stream - BlueCat Edge - Service Point v4.x.x

BlueCat Edge User Guide

Locale
English
Product name
BlueCat Edge
Version
Service Point v4.x.x

Retrieves DNS queries matching active policies logged in the last 5 minutes to an external SIEM, if configured. Note that this API is only accessible with an applicable API access key. For more information, contact your BlueCat representative.

Attention: The API does not return queries that do not match a policy or queries that match a policy with the action set to None.

To learn how to install and configure the BlueCat Edge for Splunk app, see BlueCat Edge for Splunk app.

GET https://api-<BlueCat.edge.url>/v2/api/customer/dnsQueryLog/stream
Authorization: Basic passphrase

ETag: <etag from previous call>
Note: ETag is optional, and has the following results:
  • If no value is sent, then the API returns query data for the last five minutes.
  • When an ETag referencing a point in time beyond five minutes ago, the API still returns query data for the last five minutes.
  • When an ETag referencing a point in time less than five minutes ago, the API returns query data logged since that point.

Successful response

200 OK
Content-Type: application/JSON
{
    "actionTaken": "block",
    "matchedPolicies: [
        {
            "id":<id>,
            "name":<name>,
        },
        ....
    ],
    "source":"192.168.100.101", 
    "time": 1464278471000,
    "site":"BlueCat Headquarters",
    "query":"test.uat.local.",
    "queryType":"A",
    "response":"NXDOMAIN",
    "recordId":"1464278471000XXXXXXXXXXXXXXXXXXXX",
    "threats: [
        {
            "type": "dga",
            "indicators": ["UNIQUE_CHARACTERS",...]
        },
        ....
    ],
    "answers: [
        {
            "domainName": "example.domain.name.",
            "recordType": "A",
            "rData": "127.0.0.1",
            "parsed": "true",
        },
        ....
    ],
    "latency": 0
}
Returns the following information:
  • Time: Unix time (in milliseconds) when the DNS query was made. (This is the request time, not the response time or logging time.)
  • Source: The IP address of the client making the DNS query.
  • Site: The site name of the service point handling the query.
  • Query: The domain name being queried.
  • QueryType: The query type.
  • Response: The response code (for example NXDOMAIN, NOERROR or SERVFAIL).
  • Record ID: An identifier that can be passed to key in subsequent requests (used for paging through lots of data).
  • Action Taken: If no policy was matched, this will be "query-response", otherwise this will be either block, redirect, or monitor.
  • Matched Policies: List of policy IDs and names that matched the given query.
  • Latency: The latency (in milliseconds) of the DNS query measured.

The number of entries in the list depends on the number of queries within specified period. The list returned may be empty.

Response on unsuccessful authorization

401 Unauthorized
Content-Type: application/JSON
{"code": "UNAUTHORIZED", "brief": "You are not authorized to perform this action"}
Possible error codes
  • CANNOT_GET_SITES
  • UNEXPECTED_ERROR