Infoblox Community
Accepted Solution

Outbound API - Proofpoint Threat Response DNS Firewall alert integration

Authority
Posts: 24
Registered: 05-19-2012


The Outbound API available in NIOS 8.0 allows covering the following use case:
"When an end host is requesting an FQDN that my teams have confirmed to be an IOC, I want to automatically deny any service for the client source IP and/or the target IP addresses in a firewall rule on our firewalls."

The following video shows the endpoint & notification configuration:

Link to the video


The template to import is also attached.


{
    "content_type": "application/json",
    "event_type": [
        "RPZ"
    ],
    "name": "Proofpoint Threat Response",
    "steps": [
        {
            "body_list": [
                "{\"target\": ${E::source_ip},",
                "\"category\": \"malware\",",
                "\"url\": ${E::query_name},",
                "\"severity\": ${E::rpz_severity}}"
            ],
            "name": "postsomething",
            "operation": "POST",
            "transport": {
                "path": ""
            }
        }
    ],
    "type": "REST_EVENT",
    "vendor_identifier": "Proofpoint",
    "version": "1.0"
}
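As an added example (not part of this post, nor Infoblox or Proofpoint code), here is a Python validator that the receiving side could run on the JSON this template builds before turning an alert into a firewall rule, so that a malformed or unexpected payload never blocks the wrong host. It assumes the ${E::...} event values arrive as quoted JSON strings, that the severity labels are the ones listed in SEVERITIES, and uses constructed addresses for the resolver and gateway that must never be blocked.

```python
import ipaddress
import json
import re

# Constructed: addresses the firewall must never be told to block, e.g. the
# DNS Firewall member itself and the default gateway (assumed values).
PROTECTED = [ipaddress.ip_network("192.168.1.53/32"),
             ipaddress.ip_network("192.168.1.1/32")]
# Assumed RPZ severity labels; adjust to what the NIOS event actually emits.
SEVERITIES = {"INFORMATIONAL", "WARNING", "MAJOR", "CRITICAL"}
REQUIRED = ("target", "category", "url", "severity")
# RFC 1123 host name: dot-separated labels, 63 chars max each, 253 total.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\.?$",
    re.IGNORECASE)


def make_alert(target, url, severity="MAJOR", category="malware"):
    """Build the JSON the template's body_list yields once the ${E::...}
    values are filled in (assumption: values arrive as quoted strings)."""
    return json.dumps({"target": target, "category": category,
                       "url": url, "severity": severity})


def validate_alert(raw, protected=PROTECTED):
    """Return (ok, reason); ok is True only if the alert is safe to act on."""
    try:
        alert = json.loads(raw)
    except json.JSONDecodeError as exc:
        return False, f"malformed JSON: {exc.msg}"
    if not isinstance(alert, dict):
        return False, "payload is not a JSON object"
    missing = [k for k in REQUIRED if not isinstance(alert.get(k), str)]
    if missing:
        return False, "missing or non-string fields: " + ", ".join(missing)
    try:
        ip = ipaddress.ip_address(alert["target"])
    except ValueError:
        return False, "target is not an IP address"
    if ip.is_loopback or ip.is_multicast or ip.is_unspecified or ip.is_link_local:
        return False, f"target {ip} is not a blockable host address"
    if any(ip in net for net in protected):
        return False, f"target {ip} is in a protected range"
    if not HOSTNAME_RE.match(alert["url"]):
        return False, "url is not a valid FQDN"
    if alert["category"] != "malware":
        return False, "unexpected category " + alert["category"]
    if alert["severity"].upper() not in SEVERITIES:
        return False, "unknown severity " + alert["severity"]
    return True, "ok"
```

Private client addresses such as 10.x are deliberately accepted, since the template's "target" is the querying end host; only the explicitly protected ranges and non-host addresses are refused.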

Re: Outbound API - Proofpoint Threat Response DNS Firewall alert integration

spenumaka, Community Manager
Posts: 35
Registered: 03-01-2017

Hi Nicolas - thank you very much for sharing.