/v2/api/customer/dnsQueryLog/stream - BlueCat Edge - Service Point v4.x.x

BlueCat Edge User Guide


Retrieves DNS queries that matched active policies and were logged in the last 5 minutes, for streaming to an external SIEM if one is configured. Note that this API is only accessible with an applicable API access key. For more information, contact your BlueCat representative.

Attention: The API does not return queries that do not match a policy or queries that match a policy with the action set to None.

To learn how to install and configure the BlueCat Edge for Splunk app, see BlueCat Edge for Splunk app.

GET https://api-<BlueCat.edge.url>/v2/api/customer/dnsQueryLog/stream
Authorization: Basic passphrase

ETag: <etag from previous call>
Note: ETag is optional and has the following effects:
  • If no value is sent, the API returns query data for the last five minutes.
  • If the ETag references a point in time more than five minutes ago, the API still returns only query data for the last five minutes.
  • If the ETag references a point in time less than five minutes ago, the API returns query data logged since that point.

Successful response

200 OK
Content-Type: application/JSON
{
    "actionTaken": "block",
    "answers": [
        {
            "domainName": "example.domain.name.",
            "recordType": "A",
            "rData": "127.0.0.1",
            "parsed": "true"
        },
        ....
    ],
    "drsId": "7b759f9d-9e7e-4eab-9fbc-2ba2067d48d3",
    "extracted_source": "192.168.100.101",
    "latency": 0,
    "matchedPolicies": [
        {
            "id": <id>,
            "name": <name>
        },
        ....
    ],
    "queriedNamespace": "Namespace 1",
    "query": "test.uat.local.",
    "queryType": "A",
    "recordId": "1464278471000XXXXXXXXXXXXXXXXXXXX",
    "response": "NXDOMAIN",
    "site": "BlueCat Headquarters",
    "socketProtocol": "UDP",
    "threats": [
        {
            "type": "dga",
            "indicators": ["UNIQUE_CHARACTERS", ...]
        },
        ....
    ],
    "time": 1464278471000
}
Returns the following information:
  • Action taken: If no policy was matched, this is "query-response"; otherwise it is one of block, redirect, or monitor.
  • Answers: The answer section of the DNS query.
  • DRS ID: The ID of the DNS Resolver Service that the query passed through.
  • Extracted source: The IP address of the client making the DNS query.
  • Latency: The latency (in milliseconds) of the DNS query measured.
  • Matched policies: List of policy IDs and names that matched the given query.
  • Queried namespace: The namespace that was queried.
  • Query: The domain name being queried.
  • Query type: The query type.
  • Record ID: An identifier that can be passed as a key in subsequent requests (used for paging through large result sets).
  • Response: The response code (for example NXDOMAIN, NOERROR or SERVFAIL).
  • Site: The site name of the service point handling the query.
  • Socket protocol: The protocol of the DNS query (usually UDP or TCP).
  • Threats: The threat associated with the DNS query.
  • Time: Unix time (in milliseconds) when the DNS query was made. (This is the request time, not the response time or logging time.)

The number of entries in the list depends on the number of queries within the specified period. The list returned may be empty.

Response on unsuccessful authorization

401 Unauthorized
Content-Type: application/JSON
{"code": "UNAUTHORIZED", "brief": "You are not authorized to perform this action"}
Possible error codes
  • CANNOT_GET_SITES
  • UNEXPECTED_ERROR
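The following poller is an added example, not BlueCat's own client code or the Splunk app. It exercises the request and ETag semantics, the response fields and the 401 case documented above. It assumes that the response body is a JSON list of objects shaped like the sample (a bare object is also accepted), that the ETag to send on the next call is returned in an "ETag" response header, and that the passphrase is sent verbatim after "Basic " as the page shows. The policy id and name, the record IDs, the second record, the "demo-passphrase" value, and the fake_fetch transport are constructed so the code runs offline; WINDOW_MS, StreamState, poll_once, to_siem_event and urllib_fetch are the example's own names. The point a defender needs to get right is deduplication: with no ETag, or a stale one, the endpoint resends the whole five-minute window, so overlapping polls repeat records and must be deduplicated on recordId before they reach the SIEM.

```python
"""Poll /v2/api/customer/dnsQueryLog/stream and forward new records to a SIEM.
Added example, not BlueCat's client code. Assumptions: the body is a JSON list of
objects shaped like the sample on this page (a bare object is also accepted), the
ETag for the next call arrives in an "ETag" response header, and the passphrase is
sent verbatim after "Basic " as the page shows. Transport is injected to run offline."""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

WINDOW_MS = 5 * 60 * 1000  # the endpoint never covers more than the last five minutes
Fetch = Callable[[dict], Tuple[int, dict, str]]  # headers -> (status, headers, body)

class StreamAuthError(Exception):
    """401 from the endpoint: API access key missing or not applicable."""

@dataclass
class StreamState:
    etag: Optional[str] = None
    seen: Dict[str, int] = field(default_factory=dict)  # recordId -> query time (ms)

def parse_body(body: str) -> List[dict]:
    data = json.loads(body)
    return data if isinstance(data, list) else [data]

def poll_once(fetch: Fetch, state: StreamState, passphrase: str) -> List[dict]:
    """Send the stored ETag, keep the new one, return only records not seen before:
    with no ETag (or a stale one) the server resends the whole five-minute window,
    so overlapping polls repeat records and must be deduplicated on recordId."""
    headers = {"Authorization": f"Basic {passphrase}"}
    if state.etag:
        headers["ETag"] = state.etag
    status, resp_headers, body = fetch(headers)
    if status == 401:
        raise StreamAuthError(json.loads(body).get("brief", "unauthorized"))
    if status != 200:
        raise RuntimeError(f"unexpected status {status}: {body[:200]}")
    state.etag = resp_headers.get("ETag", state.etag)
    fresh = []
    for rec in parse_body(body):
        rid = rec.get("recordId")
        if rid is None or rid in state.seen:
            continue
        state.seen[rid] = int(rec.get("time", 0))
        fresh.append(rec)
    if state.seen:  # drop ids older than the window so the dedup map stays bounded
        cutoff = max(state.seen.values()) - WINDOW_MS
        state.seen = {k: v for k, v in state.seen.items() if v >= cutoff}
    return fresh

def to_siem_event(rec: dict) -> dict:
    """Flatten one record to the fields an analyst pivots on."""
    return {"ts_ms": rec.get("time"), "client_ip": rec.get("extracted_source"),
            "query": rec.get("query"), "qtype": rec.get("queryType"),
            "rcode": rec.get("response"), "action": rec.get("actionTaken"),
            "policies": [p.get("name") for p in rec.get("matchedPolicies", [])],
            "threat_types": sorted({t.get("type") for t in rec.get("threats", [])}),
            "site": rec.get("site"), "drs_id": rec.get("drsId"), "record_id": rec.get("recordId")}

def urllib_fetch(url: str) -> Fetch:
    """Real transport; url is https://api-<BlueCat.edge.url>/v2/api/customer/dnsQueryLog/stream."""
    def fetch(headers: dict):
        req = urllib.request.Request(url, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=30) as r:
                return r.status, dict(r.headers), r.read().decode()
        except urllib.error.HTTPError as e:
            return e.code, dict(e.headers), e.read().decode()
    return fetch

# Constructed sample data modelled on the response above (policy id/name and recordIds are made up).
SAMPLE_RECORD = {
    "actionTaken": "block", "latency": 0, "queriedNamespace": "Namespace 1",
    "answers": [{"domainName": "example.domain.name.", "recordType": "A", "rData": "127.0.0.1", "parsed": "true"}],
    "drsId": "7b759f9d-9e7e-4eab-9fbc-2ba2067d48d3", "extracted_source": "192.168.100.101",
    "matchedPolicies": [{"id": 1, "name": "Block DGA"}], "query": "test.uat.local.", "queryType": "A",
    "recordId": "1464278471000AAAA", "response": "NXDOMAIN", "site": "BlueCat Headquarters",
    "socketProtocol": "UDP", "threats": [{"type": "dga", "indicators": ["UNIQUE_CHARACTERS"]}],
    "time": 1464278471000}
SAMPLE_BODIES = [json.dumps([SAMPLE_RECORD]),
                 json.dumps([SAMPLE_RECORD, dict(SAMPLE_RECORD, recordId="1464278500000BBBB",
                             time=1464278500000, query="other.uat.local.", actionTaken="monitor")])]

def fake_fetch(bodies: List[str], passphrase: str = "demo-passphrase") -> Fetch:
    """Constructed offline transport: serves the bodies in turn, each with a fresh ETag."""
    calls: List[dict] = []
    def fetch(headers: dict):
        calls.append(dict(headers))
        if headers.get("Authorization") != f"Basic {passphrase}":
            return 401, {}, json.dumps({"code": "UNAUTHORIZED", "brief": "You are not authorized to perform this action"})
        return 200, {"ETag": f"etag-{len(calls)}"}, bodies[min(len(calls), len(bodies)) - 1]
    fetch.calls = calls
    return fetch

if __name__ == "__main__":  # offline demo: the second poll sends the ETag and yields only the new record
    st, fx = StreamState(), fake_fetch(SAMPLE_BODIES)
    print([to_siem_event(r)["query"] for _ in range(2) for r in poll_once(fx, st, "demo-passphrase")])
```

To run against a real service point, replace fake_fetch with urllib_fetch(url) and call poll_once on a schedule shorter than five minutes; a StreamAuthError means the key is missing or not applicable for this endpoint and should stop the poller rather than be retried blindly, and the bounded seen map keeps memory flat on a busy resolver.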