I have Grid deployed with RPZ feeds configured; in addition to that we have a BloxOne license, which means that we can do ecosystem integration.
My queries are below:
How can we integrate our RPZ feeds with the controls below? It should be done automatically: as the feeds get updated via zone transfer, they get transferred to the solutions below.
- Sophos (Proxy)
- IBM QRADAR (SIEM)
TIDE is included in the B1TD Advanced package only, so you will be able to pull indicators using the REST API in different formats (STIX, JSON, CSV).
I'm not an expert in QRadar and Sophos proxy, so you need to take a look:
- QRadar may use external lookup lists with IoCs to enrich logs. We do not support TAXII, so you need to investigate how to do that.
Here is an example of how you can do it with Splunk: https://github.com/Homas/Splunk_AT_Lookup
- In QRadar you may be able to execute external tools/open websites, so you can open Dossier from QRadar by accessing the following URL and passing an indicator:
- Sophos should have the possibility to use external lists as well.
If you are on B1TD Business on-prem you are still able to pull the indicators via DNS zone transfer, but you will need to do some post-processing, and the enrichment can be done via Dossier or the threat lookup tool only.
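As an added illustration of the "post-processing" step mentioned above (this is example code, not part of the thread and not an Infoblox or QRadar/Sophos tool), the script below takes an RPZ zone as it would look after a zone transfer (for example `dig AXFR` output saved to a file), keeps only the triggers a proxy or SIEM block list can express, and emits a plain CSV. The zone name `rpz.example` and every record in `SAMPLE_RPZ_ZONE` are constructed placeholders. It folds wildcard QNAME triggers onto their base domain, decodes IPv4 `rpz-ip` triggers into CIDR notation, and deliberately drops `rpz-passthru.` entries, since those are allow-list records that must never be pushed into a block list; the exact import format each product expects is not specified here and would need to be mapped from this CSV.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass

# Constructed sample of an RPZ zone as it might look after an AXFR
# (e.g. `dig @<grid-member> rpz.example AXFR` saved to a file).
# The zone name and all records are placeholders, not real feed data.
SAMPLE_RPZ_ZONE = """\
rpz.example.                     300 IN SOA   ns1.rpz.example. hostmaster.rpz.example. 2024010101 3600 600 86400 300
rpz.example.                     300 IN NS    ns1.rpz.example.
bad.example.net.rpz.example.     300 IN CNAME .              ; QNAME trigger, NXDOMAIN action
*.bad.example.net.rpz.example.   300 IN CNAME .              ; wildcard for the same domain
nodata.example.org.rpz.example.  300 IN CNAME *.             ; NODATA action
allow.example.com.rpz.example.   300 IN CNAME rpz-passthru.  ; allow-list entry
32.1.2.0.192.rpz-ip.rpz.example. 300 IN CNAME .              ; response-IP trigger 192.0.2.1/32
24.0.0.0.203.rpz-ip.rpz.example. 300 IN CNAME rpz-drop.      ; response-IP trigger 203.0.0.0/24
ns.evil.example.rpz-nsdname.rpz.example. 300 IN CNAME .      ; NS-name trigger, not exportable
rpz.example.                     300 IN SOA   ns1.rpz.example. hostmaster.rpz.example. 2024010101 3600 600 86400 300
"""

# CNAME targets that RPZ uses to encode a policy action.
ACTIONS = {
    ".": "nxdomain",
    "*.": "nodata",
    "rpz-passthru.": "passthru",
    "rpz-drop.": "drop",
    "rpz-tcp-only.": "tcp-only",
}


@dataclass(frozen=True)
class Indicator:
    kind: str    # "domain" or "ip"
    value: str   # bare domain name or CIDR string
    action: str  # RPZ action the feed attached to the trigger


def rpz_ip_to_cidr(labels):
    """Decode an rpz-ip trigger such as '32.1.2.0.192' (prefix length first,
    then the octets in reverse order) into '192.0.2.1/32'.
    Only IPv4 is handled; anything else (e.g. IPv6 with 'zz') returns None."""
    parts = labels.split(".")
    if len(parts) != 5 or not all(p.isdigit() for p in parts):
        return None
    prefix, octets = int(parts[0]), parts[1:][::-1]
    try:
        return str(ipaddress.ip_network(f"{'.'.join(octets)}/{prefix}", strict=False))
    except ValueError:
        return None


def parse_rpz_zone(zone_text, zone_origin):
    """Turn RPZ records into a de-duplicated list of block-list indicators.
    Kept: QNAME triggers (wildcards folded onto the base domain) and IPv4 rpz-ip triggers.
    Dropped: passthru (allow-list) entries, SOA/NS/local-data records, and
    rpz-nsdname / rpz-nsip / rpz-client-ip triggers a proxy or SIEM list cannot express."""
    suffix = "." + zone_origin.rstrip(".").lower()
    indicators, seen = [], set()
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()  # strip comments, then tokenise
        if "CNAME" not in fields:
            continue
        owner = fields[0].rstrip(".").lower()
        action = ACTIONS.get(fields[fields.index("CNAME") + 1].lower(), "local-data")
        if action == "passthru":
            continue
        # Owner names may be absolute (AXFR output) or relative to the zone origin.
        trigger = owner[:-len(suffix)] if owner.endswith(suffix) else owner
        if trigger.endswith(".rpz-ip"):
            cidr = rpz_ip_to_cidr(trigger[:-len(".rpz-ip")])
            if cidr is None:
                continue
            ind = Indicator("ip", cidr, action)
        elif trigger.endswith((".rpz-nsdname", ".rpz-nsip", ".rpz-client-ip")):
            continue
        else:
            ind = Indicator("domain", trigger[2:] if trigger.startswith("*.") else trigger, action)
        if (ind.kind, ind.value) not in seen:
            seen.add((ind.kind, ind.value))
            indicators.append(ind)
    return indicators


def to_csv(indicators):
    """Generic CSV (type, indicator, rpz_action), one indicator per row."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["type", "indicator", "rpz_action"])
    for ind in indicators:
        writer.writerow([ind.kind, ind.value, ind.action])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(parse_rpz_zone(SAMPLE_RPZ_ZONE, "rpz.example")))
```

Run against the sample this yields four rows: two domains and two CIDRs, with the allow-list and NS-name entries filtered out. In a real setup the input would be the saved AXFR of the RPZ zone, re-run on each transfer (for instance from a cron job), and the CSV fed to whatever list import the proxy or SIEM offers.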
Thanks for the detailed reply.
"If you are on B1TD Business on-prem or Essentials you are still able to pull the indicators via DNS zone transfer, but you will need to do some post-processing, and the enrichment can be done via Dossier or the threat lookup tool only."
I have B1 on-prem. Can you guide me in a little more detail on how I will do a zone transfer of my feeds to Sophos or QRadar, and how I will do some post-processing?