Infoblox’s global team of threat hunters uncovers a DNS operation with the ability to bypass traditional security measures and control the Great Firewall of China. Read about “Muddling Meerkat” and the many other threat actors discovered by Infoblox Threat Intel here.

API & Integration, DevOps,NetOps,SecOps

Reply

phantom infoblox block domain tweak

Techie
Posts: 2
1930     0

I found the following customization of the block domain action for infoblox in phantom useful.  The block domain action allows you to add an entry to the selected rp_zone.  The cusomization appends the timestamp and "added by phantom playbook" to the comment field so you can easily see when blacklist entries can be aged out, if needed.

    phantom.debug('block_domain_1() called')  

    parameters = []

    start_time = datetime.datetime.now().strftime("%m-%d-%y")

    name_value=phantom.collect(container, "artifact:*.cef.destinationDnsDomain")[0]['cef']['destinationDnsDomain']

    parameters.append({

        'domain': name_value,

        'rp_zone': "blacklist",

        'network_view': "Internal",

        'comment': start_time + " block from Phantom Playbook ",

    })

    phantom.act("block domain", parameters=parameters, app={ "name": 'Infoblox DDI' }, callback=format_create_ticket, name="block_domain_1")

 

Unbolded code shuold be the default for block domain action.
HTH

Showing results for 
Search instead for 
Did you mean: 

Recommended for You