phantom infoblox block domain tweak

Techie

I found the following customization of the block domain action for infoblox in phantom useful. The block domain action allows you to add an entry to the selected rp_zone. The customization appends the timestamp and "added by phantom playbook" to the comment field so you can easily see when blacklist entries can be aged out, if needed.

    import datetime
    import phantom.rules as phantom

    # Standard Phantom playbook block signature; the body is the customized "block domain" action
    def block_domain_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None):
        phantom.debug('block_domain_1() called')

        parameters = []

        # Date stamp (MM-DD-YY) written into the RPZ comment so the entry can be aged out later
        start_time = datetime.datetime.now().strftime("%m-%d-%y")

        # Domain to block, taken from the first artifact that carries a destinationDnsDomain CEF field
        name_value = phantom.collect(container, "artifact:*.cef.destinationDnsDomain")[0]['cef']['destinationDnsDomain']

        parameters.append({
            'domain': name_value,
            'rp_zone': "blacklist",
            'network_view': "Internal",
            'comment': start_time + " block from Phantom Playbook ",
        })

        # format_create_ticket is the next block in the playbook, run once the action completes
        phantom.act("block domain", parameters=parameters, app={ "name": 'Infoblox DDI' }, callback=format_create_ticket, name="block_domain_1")

Unbolded code should be the default for block domain action.
HTH
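The aging-out idea in the post above, worked through as an added example (not code from the post or from Infoblox/Phantom): one helper builds the same date-stamped comment the playbook writes, and a second parses those comments out of an RPZ listing to find entries older than a retention window. The entry list and dates are constructed sample data; the dict layout of an RPZ listing is an assumption.

```python
import datetime
import re

COMMENT_TAG = "block from Phantom Playbook"
COMMENT_DATE_FORMAT = "%m-%d-%y"   # same MM-DD-YY stamp the playbook uses


def build_block_params(domain, added_on, rp_zone="blacklist", network_view="Internal"):
    """Parameter dict for the Infoblox 'block domain' action, with the comment
    stamped the way the playbook does it so the entry can be aged out later."""
    stamp = added_on.strftime(COMMENT_DATE_FORMAT)
    return {
        "domain": domain,
        "rp_zone": rp_zone,
        "network_view": network_view,
        "comment": "%s %s " % (stamp, COMMENT_TAG),
    }


_COMMENT_RE = re.compile(r"^(\d{2}-\d{2}-\d{2}) " + re.escape(COMMENT_TAG))


def parse_added_date(comment):
    """Date encoded in a playbook-written comment, or None when the comment
    was not written by the playbook (e.g. an entry an analyst added by hand)."""
    m = _COMMENT_RE.match(comment or "")
    if not m:
        return None
    return datetime.datetime.strptime(m.group(1), COMMENT_DATE_FORMAT).date()


def expired_entries(entries, today, max_age_days=30):
    """Domains whose playbook stamp is older than max_age_days; hand-added
    entries (no parsable stamp) are never returned, so they are never aged out."""
    cutoff = today - datetime.timedelta(days=max_age_days)
    out = []
    for entry in entries:
        added = parse_added_date(entry.get("comment"))
        if added is not None and added <= cutoff:
            out.append(entry["domain"])
    return out


# Constructed sample RPZ listing (assumed dict layout; not real data)
SAMPLE_ENTRIES = [
    {"domain": "bad.example", "comment": "01-02-24 block from Phantom Playbook "},
    {"domain": "fresh.example", "comment": "03-01-24 block from Phantom Playbook "},
    {"domain": "manual.example", "comment": "added by hand, keep"},
]
SAMPLE_TODAY = datetime.date(2024, 3, 5)  # constructed "today" for the sample

if __name__ == "__main__":
    print(expired_entries(SAMPLE_ENTRIES, SAMPLE_TODAY))  # ['bad.example']
```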
