Integration of RPZ with SIEM and Proxy
Authority, Posts: 23, Registered: 09-11-2018

Hi,

I have a Grid deployed with RPZ feeds configured. In addition, we have a BloxOne license, which means we can do ecosystem integration.

My queries are below.

How can we integrate our RPZ feeds with the controls below? It should happen automatically: as the feeds get updated via zone transfer, they should be transferred to the solutions below.

  • Sophos (Proxy)
  • IBM QRADAR (SIEM)

 

Thanks

Shaukat

Re: Integration of RPZ with SIEM and Proxy
Adviser, Posts: 172, Registered: 09-09-2015

Hi,

TIDE is included in the B1TD Advanced package only, so you will be able to pull indicators using the REST API in different formats (STIX, JSON, CSV).

I'm not an expert in QRadar or the Sophos proxy, so you will need to take a look:

- QRadar may use external lookup lists with IoCs to enrich logs. We do not support TAXII, so you need to investigate how to do that.

Here is an example of how you can do it with Splunk: https://github.com/Homas/Splunk_AT_Lookup

- In QRadar you may be able to execute external tools or open websites, so you can open Dossier from QRadar by accessing the following URL and passing an indicator:

https://csp.infoblox.com/atlas/app/analyze/dossier/dossier/search?indicator=infoblox.com

- Sophos should have the possibility to use external lists as well.

If you are on B1TD Business on-prem, you are still able to pull the indicators via DNS zone transfer, but you will need to do some post-processing, and the enrichment can be done via Dossier or the threat lookup tool only.

BR,

Vadim
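The zone-transfer-plus-post-processing route Vadim describes can be scripted. What follows is an added example and is not part of the original thread nor of Infoblox, QRadar or Sophos tooling: it parses the text you get from `dig @<grid-member> <rpz-zone> AXFR` (a constructed sample is embedded; the zone name `rpz.example`, the record names and the hosts are all assumptions), classifies each record by RPZ trigger type and policy action, and emits a flat domain list a proxy can consume plus a CSV a SIEM can load as a lookup list. Loading those files into Sophos or QRadar is their own import step and is not shown.

```python
"""Post-process an RPZ zone dump into a proxy blocklist and a SIEM lookup CSV.

Input is the text produced by `dig @<grid-member> <rpz-zone> AXFR`; the
member's zone-transfer ACL must allow the host running this (assumption).
The zone name, records and hosts below are constructed for this example.
"""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass

RPZ_ZONE = "rpz.example"  # constructed zone name (assumption)

# Constructed sample AXFR output; none of these names are real indicators.
SAMPLE_AXFR = """\
rpz.example.                          300 IN SOA   ns1.example. hostmaster.example. 7 3600 900 604800 300
rpz.example.                          300 IN NS    ns1.example.
bad.example.com.rpz.example.          300 IN CNAME .
*.bad.example.com.rpz.example.        300 IN CNAME .
nodata.example.net.rpz.example.       300 IN CNAME *.
phish.example.org.rpz.example.        300 IN CNAME walled-garden.example.
allowed.example.com.rpz.example.      300 IN CNAME rpz-passthru.
32.2.0.0.192.rpz-ip.rpz.example.      300 IN CNAME .
24.0.0.0.10.rpz-ip.rpz.example.       300 IN CNAME rpz-drop.
ns.evil.example.rpz-nsdname.rpz.example. 300 IN CNAME .
"""

RECORD_RE = re.compile(r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<rtype>[A-Z]+)\s+(?P<rdata>.+?)\s*$")
TRIGGER_SUFFIXES = (".rpz-ip", ".rpz-nsdname", ".rpz-nsip", ".rpz-client-ip")


@dataclass(frozen=True)
class PolicyRecord:
    trigger: str       # domain, CIDR (IPv4 rpz-ip), or raw label (IPv6 rpz-ip)
    trigger_type: str  # qname | ip | nsdname | nsip | client-ip
    action: str        # NXDOMAIN | NODATA | PASSTHRU | DROP | TCP-ONLY | REDIRECT:<t> | LOCAL-DATA:<rr>
    ttl: int


def classify_action(rtype, rdata):
    """Map rdata to the RPZ policy action it encodes; non-CNAME records are local-data answers."""
    if rtype != "CNAME":
        return f"LOCAL-DATA:{rtype} {rdata}"
    return {
        ".": "NXDOMAIN",
        "*.": "NODATA",
        "rpz-passthru.": "PASSTHRU",
        "rpz-drop.": "DROP",
        "rpz-tcp-only.": "TCP-ONLY",
    }.get(rdata.lower(), f"REDIRECT:{rdata.rstrip('.')}")


def decode_rpz_ip(label):
    """'32.2.0.0.192' -> '192.0.0.2/32'. IPv6 encodings (labels using 'zz') are returned unchanged."""
    parts = label.split(".")
    if len(parts) == 5 and all(p.isdigit() for p in parts):
        addr = ".".join(reversed(parts[1:]))  # octets are stored least-significant first
        return str(ipaddress.ip_network(f"{addr}/{parts[0]}", strict=False))
    return label


def parse_rpz(zone_text, zone_name=RPZ_ZONE):
    """Turn AXFR text into PolicyRecords, skipping apex housekeeping and comments."""
    suffix = "." + zone_name.strip(".").lower() + "."
    records = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line[0] in ";$":
            continue
        m = RECORD_RE.match(line)
        if m is None:
            continue
        owner, rtype = m["owner"].lower(), m["rtype"]
        if rtype in ("SOA", "NS") or not owner.endswith(suffix):
            continue
        name, ttype = owner[: -len(suffix)], "qname"
        for suf in TRIGGER_SUFFIXES:
            if name.endswith(suf):
                name, ttype = name[: -len(suf)], suf[len(".rpz-"):]
                break
        if ttype in ("ip", "nsip", "client-ip"):
            name = decode_rpz_ip(name)
        records.append(PolicyRecord(name, ttype, classify_action(rtype, m["rdata"]), int(m["ttl"])))
    return records


def is_block(action):
    return action in ("NXDOMAIN", "NODATA", "DROP") or action.startswith("REDIRECT:")


def proxy_blocklist(records):
    """Flat domain list for the proxy: qname triggers with a blocking action only.

    PASSTHRU entries are deliberately left out; pushing an allowlist entry to the
    proxy as a block inverts its meaning. '*.x' and 'x' collapse to 'x' because
    most proxy domain lists match subdomains implicitly (slightly broader than
    RPZ, where '*.x' alone does not match the apex).
    """
    names = {r.trigger[2:] if r.trigger.startswith("*.") else r.trigger
             for r in records if r.trigger_type == "qname" and is_block(r.action)}
    return sorted(names)


def siem_csv(records):
    """CSV lookup table (every record, action included) for loading as a SIEM reference list."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["indicator", "trigger_type", "action", "ttl"])
    for r in sorted(set(records), key=lambda r: (r.trigger_type, r.trigger)):
        w.writerow([r.trigger, r.trigger_type, r.action, r.ttl])
    return buf.getvalue()


if __name__ == "__main__":
    recs = parse_rpz(SAMPLE_AXFR)
    print("\n".join(proxy_blocklist(recs)))
    print(siem_csv(recs))
```

The reason the post-processing is not a one-liner is that an RPZ is a policy zone, not a blocklist: it carries passthru (allowlist) entries, NODATA and redirect actions, and IP, nameserver and client-IP triggers that a web proxy cannot express. Feeding every owner name to the proxy verbatim would over-block or, worse, turn allowlisted names into blocks, so the script keeps only qname triggers with blocking actions for the proxy and passes the full action column to the SIEM. Run it on a schedule after each zone transfer (or trigger it from the SOA serial changing) to keep the downstream lists in step with the feed.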

Re: Integration of RPZ with SIEM and Proxy
Authority, Posts: 23, Registered: 09-11-2018

Hi Vadim,

Thanks for the detailed reply.

"If you are on B1TD Business on-prem or Essentials, you are still able to pull the indicators via DNS zone transfer, but you will need to do some post-processing, and the enrichment can be done via Dossier or the threat lookup tool only."

I have B1 on-prem. Can you guide me in a little more detail on how I will do a zone transfer of my feeds to Sophos or QRadar, and how I will do the post-processing?

Thanks