Introducing SOC Insights for BloxOne Threat Defense: Boost your SOC efficiency with AI-driven insights to eliminate manual work and accelerate investigation and response times. Read the blog announcement here.

Infoblox TIDE Solution Integrations

Reply
This is an open group. Sign in and click the "Join Group" button to become a group member and start posting.
Intergaration of RPZ with SIEM and Proxy
Authority
Posts: 23
Registered: ‎09-11-2018
Authority
Posts: 21

Hi,

 

I have Grid deployed with RPZ feeds configured, in addition to that we have bloxone license this means that we can do eco system integration.

 

My queries are below

How we can integrate our RPZ feeds  to below controls , and it should be automatically done as feeds gets updated via zone transfer it gets transfer to the below soloutions.

 

  • Sophos (Proxy)
  • IBM QRADAR (SIEM)

 

Thanks

Shaukat

Re: Intergaration of RPZ with SIEM and Proxy
[ Edited ]
Adviser
Posts: 171
Registered: ‎09-09-2015
Adviser
Posts: 81

Hi,

 

TIDE is included in B1TD Advanced package only. So you will be able to pull indicators using REST API in different formats (STIX, json, csv). 

 

I'm not an expect in QRadar and Sophos proxy so you need to take a look:

- QRadar may use external lookup lists with IoCs to enrich logs. We do not support TAXII so you need to invistigate how to do that.

Here is an example how you can do it with Splunk https://github.com/Homas/Splunk_AT_Lookup

- QRadar you may be able to execute external tools/open websites so you can open Dossier from QRadar by accessing the following URL and passing an indicator:

https://csp.infoblox.com/atlas/app/analyze/dossier/dossier/search?indicator=infoblox.com

- Sophos should have possibility to use external lists as well. 

 

 

If you are on B1TD Business on-prem you still able to pull the indicators via DNS zone transfer but you will need to do some post processing and the enrichment can be done via Dossier or threat lookup tool only.

 

BR,

Vadim

Re: Intergaration of RPZ with SIEM and Proxy
Authority
Posts: 23
Registered: ‎09-11-2018
Authority
Posts: 21

Hi Vadim.

 

Thanks for detail reply .

 

 

 

"If you are on B1TD Business on-prem or Essentials you still able to pull the indicators via DNS zone transfer but you will need to do some post processing and the enrichment can be done via Dossier or threat lookup tool only."

I have B1 on prem can you guide me a little more detail how i will do zone tranfer of my feeds on sophos or qradar   and how i will do some post  processing 

 

Thanks

 

Showing results for 
Search instead for 
Did you mean: