Infoblox
Connector Category: API Feed Source
About Infoblox
Infoblox TIDE leverages highly accurate machine-readable threat intelligence data via a flexible TIDE (Threat Intelligence Data Exchange) to aggregate, curate, and enable distribution of data across a broad range of infrastructure. TIDE enables organizations to ease consumption of threat intelligence from various internal and external sources, and to effectively defend against and quickly respond to cyber threats. TIDE threat indicators are enriched with threat classification, scoring, TTL and is backed by the Infoblox threat intelligence team that normalizes and refines high-quality threat intelligence data feeds.
Configure Infoblox as an API Feed Source
Configure Infoblox as an API feed source to retrieve IP, URL, email, and hash feeds from Infoblox TIDE.
Before you Start
You must have the View API Feed, View Feed Source, Create Feed Source, and Update Feed Source permissions in Intel Exchange.
You must have the base URL and API key of your Infoblox TIDE account.
Important
Ensure that the API key includes the permissions to retrieve IP, URL, email, and hash feeds. If the API key does not have permission to retrieve a specific feed, then the respective feed channel is disabled automatically and displays a connection error.
Steps
To configure Infoblox as an API feed source in Intel Exchange, follow these steps:
Go to Administration > Integration Management and select APIs under FEED SOURCES .
Click Add API Source.
Search and select the Infoblox app.
Click Add Instance and enter the following details:
Instance Name: Enter a unique name to identify the instance. For example, Prod-Infoblox.
Base URL: Enter the base URL of your Infoblox instance. The default base URL is
https://csp.infoblox.com/tide/api/data/threats/state/.API Token: Enter the API token to authenticate communication between the Intel Exchange and Infoblox TIDE servers.
Verify SSL: Select Verify SSL to verify the SSL certificate and secure the connection between the Intel Exchange and Infoblox TIDE servers. By default, Verify SSL is selected.
Note
Cyware recommends you select Verify SSL. If you disable this option, Intel Exchange may configure an instance for an expired SSL certificate. This may not establish the connection properly and Intel Exchange will not be able to notify you in case of a broken or improper connection.
Click Save.
After the Infoblox instance is configured successfully, you can view the Infoblox feed channels. You can configure multiple instances by clicking Manage > Add More.
Configure Retrieve IP Feeds Feed Channels
Configure the Retrieve IP Feeds feed channel to retrieve threat intel feeds related to IP addresses from Infoblox TIDE.
Steps
To configure the Retrieve IP Feeds feed channel, follow these steps:
Go to Administration > Integration Management and select APIs under FEED SOURCES.
Search and select the Infoblox app.
Click the ellipsis on the top right corner and select Manage.
Click Manage Feed Channels.
Select the Retrieve IP Feeds feed channel and turn on the toggle to enable the channel.
Enter the following details:
Start Date and Time: Enter the date and time within 15 days from the current time to start polling feeds.
Collection Name: Enter the collection name to group the feeds retrieved from Infoblox. For example, Infoblox Team Feeds. A new collection is created and all the feeds retrieved from the feed channel are stored in the collection.
Polling Cron Schedule: Select from one of the following Polling Cron Schedule types to define when to poll the data:
Manual: Allows you to manually poll from the source collection.
Auto: Allows you to automatically poll for threat intel from sources at specific time intervals. The default polling cron schedule is Auto. Enter a frequency in minutes between 60 and 10080 minutes in Polling Time. The default polling time is 240 minutes.
Default TLP: Set a default TLP to assign to the feeds that do not include a source TLP. By default, the default TLP is set to Amber.
Default Source Confidence: Set a default Confidence Score to assign to the feeds that do not include a source Confidence Score. By default, the default Confidence Score is set to 100.
Default Tags: Select the tags to identify and categorize the feeds.
Click Save.
The feed channel is configured and you can poll feeds from the channel. Similarly, you can configure other feed channels of the Infoblox API feed source. For more information about polling feeds and viewing the ingested feeds, see API Integrations.
Test Infoblox Feed Channel Connectivity
Test the connectivity of the Infoblox API feed channels to ensure that the connection with the correct API endpoint is established and you have permission to poll feeds.
Before you Start
Ensure that the Infoblox API integration is enabled.
Ensure that the feed channel you want to test connectivity is enabled.
Steps
To test the connectivity of a feed channel, do the following:
Go to Administration > Integration Management and select APIs under FEED SOURCES.
Search and select the Infoblox app.
On a feed channel, click the vertical ellipses and select View Details.
In the Working Status section, click Test Connectivity.
If the connection is established, then the working status shows Running. If the connectivity testing results in an error, then the working status shows a Connection Error. Hover over the tooltip next to Connection Error to view the error code.
Note
When the connectivity of a feed channel breaks, Intel Exchange disables the channel and re-attempts to restore the connectivity three times every hour. After a successful re-attempt to restore the connectivity, Intel Exchange enables the feed channel automatically.
To understand the error code and troubleshoot broken connectivity, see Troubleshoot Integrations.
Infoblox Feed Channels
The following table lists all the feed channels and the Infoblox API endpoints used for each feed channel.
Feed Channel | API URL |
|---|---|
Retrieve IP Feeds |
|
Retrieve URL Feeds |
|
Retrieve E-mail Feeds |
|
Retrieve Hash Feeds |
|