Explore and Analyze Infoblox Events
After Logpoint ingests Infoblox logs:
Use Search to access and examine events.
View events in real time through Dashboards.
Configure Alerts to get notified of critical or suspicious activity.
Dashboards
LP_InfoBlox - Operational
The LP_InfoBlox – Operational dashboard displays time-based trends of DHCP-related events, highlights the top sources and users involved in successful and failed login attempts, and lists detailed login and logoff activities. The dashboard also tracks user-driven changes, such as DNS or IPAM records created, modified, or deleted, and shows the number of fixed IP addresses added, updated, or removed. Additionally, it monitors peer device statuses, service health, frequently executed processes, and denied DNS zone transfers, helping you assess operational performance, user activity, and potential security issues within your Infoblox environment.
LP_Infoblox - DHCP
The LP_InfoBlox – DHCP dashboard visualizes DHCP-related events over time and highlights the most frequent event types, including lease assignments, renewals, and releases. The dashboard identifies the top sources generating DHCP requests, the IPs or subnets with the most active leases, and displays metrics for declined or expired requests, helping detect address conflicts or configuration issues. It also tracks failed DNS bind updates linked to DHCP lease events, enabling effective monitoring and troubleshooting of DHCP performance and reliability.
LP_Infoblox - DNS
The LP_InfoBlox – DNS dashboard visualizes the volume of DNS queries over time and highlights the most frequently queried internal and external domains. The dashboard identifies sources and systems generating the most errors or failed requests, helping detect misconfigurations or potential threats. It also tracks the busiest Infoblox DNS servers, failed dynamic DNS updates, and records associated with recurring errors, enabling administrators to monitor query trends, troubleshoot DNS issues, and ensure the reliability and security of DNS operations.
Adding Infoblox Dashboards
Add vendor dashboards
Go to Settings >> Knowledge Base from the navigation bar and click Dashboards.
Select dashboards source
Select VENDOR DASHBOARD from the drop-down.
Create dashboard
Click the plus icon from Actions.
Choose repository
Click Choose Repos.
Select repo
Select the repo configured to store the Infoblox logs and click Done.
Finalize
Select the dashboard in Ask Repos and click Ok.
You can find the selected dashboards under Dashboards.
Infoblox Alerts
LP_Infoblox Key Authentication Fail
Trigger Condition: This alert is triggered whenever an authentication fails.
ATT&CK Category: Persistence, Initial Access, Credential Access, Defense Evasion, Privilege Escalation
ATT&CK Tag: Brute Force, Valid Accounts
ATT&CK ID: T1110, T1078
Minimum Log Source Requirement: InfoBlox
Query:
LP_Infoblox Scheduled Backup Fail
Trigger Condition: This alert is triggered whenever a backup fails.
ATT&CK Category: Impact
ATT&CK Tag: Inhibit System Recovery
ATT&CK ID: T1490
Minimum Log Source Requirement: InfoBlox
Query:
LP_Infoblox User Login Fail
Trigger Condition: This alert is triggered whenever a user login fails.
ATT&CK Category: Persistence, Initial Access, Credential Access, Defense Evasion, Privilege Escalation
ATT&CK Tag: Brute Force, Valid Accounts
ATT&CK ID: T1110, T1078
Minimum Log Source Requirement: InfoBlox
Query:
LP_Infoblox Zone Update Fail
Trigger Condition: This alert is triggered whenever a zone update fails.
ATT&CK Category: Impact
ATT&CK Tag: Network Denial of Service
ATT&CK ID: T1498
Minimum Log Source Requirement: InfoBlox
Query:
Adding Infoblox Alerts
Open alert rules
Go to Settings >> Knowledge Base from the navigation bar and click Alert Rules.
Select vendor rules
Select Vendor Rules from the drop-down.
Add rule
Click the Add icon from Actions.
After adding
After adding the alert rules, Infoblox redirects you to the Used Alert Rules page.
Once the used alert rules are triggered, Infoblox generates the corresponding incidents on the Incidents page.