Re: Integration of RPZ with SIEM and Proxy
Adviser
Posts: 172
Registered: ‎09-09-2015
Adviser
Posts: 82

Hi,

TIDE is included in the B1TD Advanced package only, so you will be able to pull indicators using the REST API in different formats (STIX, JSON, CSV).

I'm not an expert in QRadar or the Sophos proxy, so you need to take a look:

- QRadar may use external lookup lists with IoCs to enrich logs. We do not support TAXII, so you need to investigate how to do that.

Here is an example of how you can do it with Splunk: https://github.com/Homas/Splunk_AT_Lookup

- In QRadar you may be able to execute external tools/open websites, so you can open Dossier from QRadar by accessing the following URL and passing an indicator:

https://csp.infoblox.com/atlas/app/analyze/dossier/dossier/search?indicator=infoblox.com

- Sophos should have the possibility to use external lists as well.

If you are on B1TD Business on-prem, you are still able to pull the indicators via DNS zone transfer, but you will need to do some post-processing, and the enrichment can be done via Dossier or the threat lookup tool only.

BR,

Vadim
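The post mentions two steps for the on-prem case that it does not spell out: post-processing the RPZ zone you get from a zone transfer into a flat indicator list a SIEM or proxy lookup list can consume, and enriching single indicators through the Dossier search URL quoted above. The script below is an added example written for this reply, not Infoblox code and not part of the original post. It assumes a zone named `rpz.example.`, the constructed sample records embedded in it, IPv4-only decoding of `rpz-ip` triggers, and a generic CSV layout for the lookup list rather than any particular QRadar or Sophos import format.

```python
"""
Post-process an RPZ zone (as obtained via DNS zone transfer) into a flat
indicator list, and build Dossier lookup URLs for enrichment.

Assumptions (not from the original post): the zone name "rpz.example.",
the constructed sample records below, IPv4-only decoding of rpz-ip
triggers, and a generic CSV lookup-list layout.
"""
import csv
import io
import re
from urllib.parse import quote

# Dossier search URL quoted in the post; the indicator goes into the query string.
DOSSIER_SEARCH_URL = (
    "https://csp.infoblox.com/atlas/app/analyze/dossier/dossier/search?indicator={indicator}"
)

# Constructed sample of what a zone transfer of an RPZ zone may look like.
# Domain and IP values are placeholders, not real feed content.
SAMPLE_RPZ_ZONE = """\
$ORIGIN rpz.example.
$TTL 300
@                                     IN SOA   ns1.example. hostmaster.example. 2024010101 3600 900 604800 300
@                                     IN NS    ns1.example.
malicious-domain.test.rpz.example.    IN CNAME .              ; NXDOMAIN trigger
*.malicious-domain.test.rpz.example.  IN CNAME .              ; wildcard for subdomains
phish-site.test.rpz.example.          IN CNAME *.             ; NODATA
32.5.4.3.203.rpz-ip.rpz.example.      IN CNAME rpz-drop.      ; single IPv4 address, dropped
24.0.113.0.203.rpz-ip.rpz.example.    IN CNAME rpz-drop.      ; IPv4 /24
allowed.test.rpz.example.             IN CNAME rpz-passthru.  ; allow-list entry
tracker.test.rpz.example.       300   IN A     10.10.10.10    ; redirect to walled garden
"""

# owner [ttl] [IN] type rdata
RECORD_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<rtype>[A-Z]+)\s+(?P<rdata>\S.*)$"
)

# RPZ CNAME targets with special meaning; anything else is a redirect.
CNAME_ACTIONS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-drop.": "DROP",
    "rpz-passthru.": "PASSTHRU",
    "rpz-tcp-only.": "TCP-ONLY",
}


def _decode_ip_trigger(label_part):
    """'32.5.4.3.203' -> '203.3.4.5/32' (prefix length first, then reversed octets)."""
    parts = label_part.split(".")
    prefix = int(parts[0])
    octets = reversed(parts[1:])
    return f"{'.'.join(octets)}/{prefix}"


def _action(rtype, rdata):
    if rtype == "CNAME":
        return CNAME_ACTIONS.get(rdata, "REDIRECT")
    return "LOCAL-DATA"


def parse_rpz_zone(zone_text, zone_name):
    """Return a list of {'indicator', 'type', 'action'} dicts from zone-file text."""
    suffix = "." + zone_name.rstrip(".") + "."
    indicators = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()       # drop comments
        if not line or line.startswith("$"):      # skip $ORIGIN / $TTL
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue
        owner, rtype, rdata = m.group("owner"), m.group("rtype"), m.group("rdata").strip()
        if rtype in ("SOA", "NS") or not owner.endswith(suffix):
            continue
        trigger = owner[: -len(suffix)]
        if trigger.endswith(".rpz-ip"):
            kind, value = "ip", _decode_ip_trigger(trigger[: -len(".rpz-ip")])
        else:
            kind, value = "domain", trigger
        indicators.append({"indicator": value, "type": kind, "action": _action(rtype, rdata)})
    return indicators


def to_lookup_csv(indicators):
    """Flatten to CSV for a SIEM/proxy list: drop PASSTHRU entries, merge wildcards."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["indicator", "type", "action"])
    seen = set()
    for item in indicators:
        if item["action"] == "PASSTHRU":
            continue
        value = item["indicator"][2:] if item["indicator"].startswith("*.") else item["indicator"]
        if (value, item["type"]) in seen:
            continue
        seen.add((value, item["type"]))
        writer.writerow([value, item["type"], item["action"]])
    return out.getvalue()


def dossier_url(indicator):
    """Build the Dossier search URL from the post for a single indicator."""
    return DOSSIER_SEARCH_URL.format(indicator=quote(indicator, safe=""))


if __name__ == "__main__":
    found = parse_rpz_zone(SAMPLE_RPZ_ZONE, "rpz.example.")
    print(to_lookup_csv(found))
    print(dossier_url(found[0]["indicator"]))
```

The CSV keeps the RPZ action so the SIEM can distinguish a DROP entry from a walled-garden redirect; the allow-list (`rpz-passthru.`) entries are left out so they never end up on a block list by accident. IPv6 `rpz-ip` triggers and the `rpz-client-ip`/`rpz-nsdname` trigger types are not handled here.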