Re: IOC Feed from Infoblox

SriniKrish · ‎2024-01-09

Hello,

I am trying to get Exernal Threat Intel feed for DNS from Infoblox but the expected format from CP is different from the API request format I get from Infoblox.

Has anyone tried this before ? I am not sure how to feed in the API Key into the feed URL.

Below is the API Request format from IB and I have attached the smartconsole parameters in CP for the IOC feed.

curl -X GET -H "Authorization: Token token=<API_KEY>" "https://csp.infoblox.com/tide/api/data/threats?type=host&type=ip&type=url&type=email&type=hash"

Appreciate any directions here !

Cheers,

Srini

phoneboyapi · ‎2024-01-16

What format does Infoblox provide information in?
If it's JSON, I recommend upgrading to R81.20 and using the Network Feeds option, which can read JSON with a provided jq filter.
If your IOC feed is large, you should upgrade to R81.20 as the supported number of IoCs is much higher (at least 2 million IoCs have been tested) and they are imported significantly faster to boot.

SriniKrish · ‎2024-01-16

It is pretty much in the format above. I did try to feed through Mgmt_cli but getting the API key across has been challenge. I see Andy was able to connect via the Smartconsole. keen to know how he used the API key.

Srini

the_rock · ‎2024-01-16

Let me test it in my R81.20 lab

Andy

the_rock · ‎2024-01-16

this worked for me

SriniKrish · ‎2024-01-16

Interesting !

How did you key in the API key ? I don't see an option in the IOC Feed pop up dialog.

Regards,

Srini

the_rock · ‎2024-01-17

I just did it exactly how you see in the screencap, via smart console.

Andy

SriniKrish · ‎2024-01-17

Sorry I don't understand. there are no fields to key in the API key. How will it map user authentication in the cs portal without the API key ?

the_rock · ‎2024-01-17

K, I gotcha now. Sorry, I just tested the actual link in the smart console feed menu, thats all.

You may need to confirm with TAC.

Andy

the_rock · ‎2024-01-17

Here is file I created and worked fine. Just convert it to csv format to import.

Andy

SriniKrish · ‎2024-01-17

Hi Andy,

I tried the same by using the api service username and API key as password in the Advanced field and it did accept.

IS there a way to validate if it is receiving any feeds at all ?

Cheers,

Srini

the_rock · ‎2024-01-18

https://support.checkpoint.com/results/sk/sk132193

Blason_R · ‎2024-01-16

Those feeds are only available to Infoblox customers or are those open to anyone to test that out?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS

SriniKrish · ‎2024-01-16

Infoblox customers only. But you can set up a test environment with 60 day licensing and it pretty much gives access to DHCP, DNS and Threat feeds as well.

Regards,

Srini

Are you a member of CheckMates?

IOC Feed from Infoblox