API access to Blacklist

New Member
Posts: 4

It is some years since I looked at this and I know that back then one could not use the API to manage the DNS black list.

Has this changed?

Re: API access to Blacklist

Techie
Posts: 17

Hi rful011,

I'm not sure if you're speaking of NIOS or BloxOne Threat Defense, but there are ways to access these lists on both platforms via the API.

For NIOS please see the 'Response Policy Zones' header (page 38) in this document: https://www.infoblox.com/wp-content/uploads/infoblox-deployment-infoblox-rest-api.pdf

For BloxOne Threat Defense see the BloxOne Swagger, specifically 'BloxOne Threat Defense Cloud' -> 'named_lists' and 'named_list_items': https://csp.infoblox.com/apidoc?url=https%3A%2F%2Fcsp.infoblox.com%2Fapidoc%2Fdocs%2FAtcfw#/named_li...

Thank you,

David

Re: API access to Blacklist

New Member
Posts: 4

Thanks for the response, David.

Ah! I should have been more explicit! I should have said "without paying for a feed".

We are not subscribed to either of the threat feeds. We already have multiple threat feeds; what I want to do is maintain the blacklist myself from them.

Re: API access to Blacklist

New Member
Posts: 1

Hey, have you figured out if this changed or not?

Re: API access to Blacklist

New Member
Posts: 4

Not definitely, but I interpret the silence as "yes you have to pay"

Re: API access to Blacklist

Superuser
Posts: 115

You can purchase just the RPZ license; reach out to your account team.

Follow me on LinkedIn: https://www.linkedin.com/in/sifbaksh
Twitter: https://twitter.com/sifbaksh

https://sifbaksh.com

Re: API access to Blacklist

New Member
Posts: 4

Thanks for a definite answer!

Last time we looked it was prohibitively expensive given that we are doing this now on the firewall.

It would be more convenient to do it on the DNS servers.

Will check again.

R

Re: API access to Blacklist

Superuser
Posts: 115

Here is a link to do it via API CSV import:

https://github.com/seefor/infoblox-random-scripts/tree/main/csv_to_rpz_import

Re: API access to Blacklist

Superuser
Posts: 17

I'll elaborate a little on what Sif posted. Blacklist (free of charge) is very basic, and can only be managed via CSV import. RPZ (DNS Firewall) is the much better supported product that relies on a feed, and the policies can be manipulated from WAPI.

However, you can create CSV files using whatever program/script you want, and use the WAPI CSV function to upload and import it (that's what Sif posted). It's not as clean as RPZ, but it achieves the goal of automating the management of your blacklist rules without paying.
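The CSV-generation step described in the last reply, as an added Python example (not code from this thread or from the linked repository): it merges several threat feeds, normalizes and validates the domain names, drops anything under an allowlisted domain, and emits the rows to import. The header name, row type and action value are placeholders, since the thread does not give the CSV column layout; take the real one from Infoblox's CSV import documentation for your NIOS version.

```python
import csv
import io
import re

# Assumption: placeholder layout, not the real NIOS column names.
# Replace these with the header and row type documented for blacklist rules.
HEADER = ["header-PLACEHOLDER", "domain", "action"]
ROW_TYPE = "PLACEHOLDER"

# One DNS label: 1-63 chars of letters/digits/hyphen, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(entry):
    """Return a clean lower-case FQDN from one feed line, or None to skip it."""
    entry = entry.split("#", 1)[0].strip().lower()
    if not entry:
        return None
    entry = entry.split()[-1]  # hosts-file style: "0.0.0.0 bad.example"
    # Feeds that list URLs: drop scheme, path and port.
    entry = re.sub(r"^[a-z][a-z0-9+.-]*://", "", entry).split("/", 1)[0]
    entry = entry.split(":", 1)[0].rstrip(".")
    labels = entry.split(".")
    if len(entry) > 253 or len(labels) < 2 or labels[-1].isdigit():
        return None  # too long, single label, or an IP address
    return entry if all(_LABEL.match(label) for label in labels) else None


def protected(domain, allowlist):
    """True if domain equals or is a subdomain of an allowlisted name."""
    return any(domain == a or domain.endswith("." + a) for a in allowlist)


def build_csv(feeds, allowlist, action="PLACEHOLDER_ACTION"):
    """Merge feed texts, dedupe, drop allowlisted names, return CSV text."""
    domains = set()
    for feed in feeds:
        for line in feed.splitlines():
            d = normalize(line)
            if d and not protected(d, allowlist):
                domains.add(d)
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(HEADER)
    for d in sorted(domains):
        w.writerow([ROW_TYPE, d, action])
    return out.getvalue()
```

Allowlist entries are expected in lower case without a trailing dot; the allowlist guard keeps a bad feed entry from blocking your own zones.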
