To create data filters for your source data, complete the following:
- Log in to the Cloud Services Portal.
- Click Manage > Data Connector.
- Select the ETL Configuration tab and click Create.
- From the Create drop-down list, select the filtering criterion for the ETL configuration. You can select one of the following: Regex, IP/Network, FQDN, NIOS HOST, DNS Record Type, OPHID, or ON-PREM HOST.
- Depending on your selection, complete the following in the Create ETL Filter wizard and then click Save & Close:
  - Name: Enter the name of the ETL configuration. Select a name that best describes the filtering function.
  - Description: Enter the description of the ETL configuration. The field length is 256 characters.
  - State: Use the slider to enable or disable the ETL configuration. Note that the ETL configuration is in effect only when you enable it. If you disable the configuration, the ETL filter is not in effect even if you have applied the ETL configuration to a traffic flow configuration.
  - Expand the Regex, IP/Network, FQDN, NIOS HOST, DNS Record Type, OPHID, or ON-PREM HOST section and click Add to the applicable parameters.
- Regex: The Regex filter applies to DNS query/response events and RPZ events. You can specify any regular expression for the member name. You can specify the name of the Grid member that processed the query.
  For the RPZ flow, the Regex filter works by IP address, not by hostname. For all other workflows, Regex works with the hostname.
- IP/Network: The IP/Network filter applies to DNS query/response events, IP metadata, and RPZ events. You can specify the query source IP address when the event is a query and the destination IP address when the event is a response. You can specify the client_ip filter in the following format:
  - CIDR block. Example: 10.10.0.1/15, 2001:cdba:9abc:5678::/64, etc.
- FQDN: The FQDN filter applies to DNS query/response events and RPZ events. A query filter is a combination of valid FQDN and wildcards. Note the following about wildcards:
  - You can specify a wildcard either on the left or on the right side of the domain name.
  - A rule can have either 0, 1, or 2 wildcards.
  - If a rule has 2 wildcards, they have to be on the opposite ends of the FQDN.
  - A wildcard on the left side must be followed by a dot (.), except for the '?' wildcard.
  - A wildcard on the right side must be preceded by a dot (.), except for the '?' wildcard.
- DNS Record Type: The DNS Record Type filter can be applied to DNS query/response events and RPZ events. These records provide important and relevant details about domains and hostnames. DNS Record Type filters include the following:
  - A Record
  - AAAA Record
  - CAA Record
  - CNAME Record
  - MX Record
  - NAPTR Record
  - NS Record
  - PTR Record
  - SRV Record
  - TXT Record
For a full list of supported filter types, see Data Connector ETL Data Filter Types.
- OPHID: This is a unique identifier for the on-prem host. The user can also provide a custom-defined OPHID. OPHID filters include the following:
- ON-PREM HOST: ON-PREM HOST is a display name of the on-prem host. ON-PREM HOST filters include the following:
  - Inblox Test OnPrem
List of supported wildcards
- Applicable for zero or more domain name labels. It can be specified only on the left side of the domain name.
- Applicable for one or more domain name labels. It can be specified only on the left side of the domain name.
- For exactly one domain name label. It can be specified either on the left or right side of the domain name. Examples: ?.foo.com, ?, ?., corp.?., test.?, etc.
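The IP/Network filter described above takes CIDR blocks and matches the query source IP for queries and the destination IP for responses. The following Python sketch is an added example, not Infoblox code, that previews which events a set of blocks would select before you save the filter. The event field names and sample events are constructed, and normalising host bits (so that 10.10.0.1/15 is read as 10.10.0.0/15) is an assumption about how such a block is interpreted.

```python
import ipaddress

# Constructed sample events; the field names are assumptions for this example.
EVENTS = [
    {"type": "query", "src": "10.11.200.7", "dst": "192.0.2.53"},
    {"type": "response", "src": "192.0.2.53", "dst": "10.10.3.4"},
    {"type": "query", "src": "10.12.0.1", "dst": "192.0.2.53"},
    {"type": "response", "src": "10.10.0.9", "dst": "198.51.100.20"},
    {"type": "query", "src": "2001:cdba:9abc:5678::1f", "dst": "2001:db8::53"},
]


def parse_blocks(blocks):
    """Parse CIDR strings, normalising host bits (10.10.0.1/15 -> 10.10.0.0/15)."""
    return [ipaddress.ip_network(b.strip(), strict=False) for b in blocks]


def client_ip(event):
    """Queries are matched on the source IP, responses on the destination IP."""
    field = "src" if event["type"] == "query" else "dst"
    return ipaddress.ip_address(event[field])


def matches(event, networks):
    """True if the event's client IP falls inside any of the networks."""
    ip = client_ip(event)
    # Compare only within the same address family (IPv4 vs IPv6).
    return any(ip.version == n.version and ip in n for n in networks)


def preview(events, blocks):
    """Return the events that the given CIDR blocks would select."""
    networks = parse_blocks(blocks)
    return [e for e in events if matches(e, networks)]


if __name__ == "__main__":
    blocks = ["10.10.0.1/15", "2001:cdba:9abc:5678::/64"]
    for net in parse_blocks(blocks):
        print(f"{net} covers {net[0]} to {net[-1]}")
    for e in preview(EVENTS, blocks):
        print("selected:", e["type"], client_ip(e))
```

Running it shows that a /15 written with host bits set spans both 10.10.x.x and 10.11.x.x, which is worth confirming before relying on the filter to include or exclude a range.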
For more information on ETL configurations, see the following: