Outbound API - Proofpoint Threat Response DNS Firewall alert integration

NJeanselme · ‎11-21-2016

Outbound API available in NIOS 8.0 allows to cover the following usecase:
"When a end host is requesting a fqdn that my teams have confirmed to be an IOC, I want to automatically deny any service for the client source IP and/or the target IP addresses in a firewall rule on our firewalls."

The following video shows the endpoint & notification configuration:

Link to the video

The template to import is also attached.

{
    "content_type": "application/json",
    "event_type": [
        "RPZ"
    ],
    "name": "Proofpoint Threat Response",
    "steps": [
        {
            "body_list": [
                "{\"target\": ${E::source_ip},",
                "\"category\": \"malware\",",
                "\"url\": ${E::query_name},",
                "\"severity\": ${E::rpz_severity}}"
            ],
            "name": "postsomething",
            "operation": "POST",
            "transport": {
                "path": ""
            }
        }
    ],
    "type": "REST_EVENT",
    "vendor_identifier": "Proofpoint",
    "version": "1.0"
}

Check out our new Tech docs website at http://docs.infobox.com for latest documentation on Infoblox products.

spenumaka · ‎05-05-2017

Hi NIcolas - thank you very much sharing.

--------------------------------------
Check out our new Tech docs website for latest documentation on Infoblox products.

API & Integration

Outbound API - Proofpoint Threat Response DNS Firewall alert integration

Re: Outbound API - Proofpoint Threat Response DNS Firewall alert integration