SriniKrish
Collaborator

IOC Feed from Infoblox

Hello,

I am trying to get External Threat Intel feed for DNS from Infoblox but the expected format from CP is different from the API request format I get from Infoblox.

Has anyone tried this before? I am not sure how to feed in the API Key into the feed URL.

Below is the API Request format from IB and I have attached the smartconsole parameters in CP for the IOC feed.

curl -X GET -H "Authorization: Token token=<API_KEY>" "https://csp.infoblox.com/tide/api/data/threats?type=host&type=ip&type=url&type=email&type=hash"

 

Appreciate any directions here !

Cheers,

Srini

0 Kudos
13 Replies
phoneboyapi
Admin

What format does Infoblox provide information in?
If it's JSON, I recommend upgrading to R81.20 and using the Network Feeds option, which can read JSON with a provided jq filter.
If your IOC feed is large, you should upgrade to R81.20 as the supported number of IoCs is much higher (at least 2 million IoCs have been tested) and they are imported significantly faster to boot.

0 Kudos
SriniKrish
Collaborator

It is pretty much in the format above. I did try to feed through Mgmt_cli but getting the API key across has been a challenge. I see Andy was able to connect via the SmartConsole. Keen to know how he used the API key.

Srini

0 Kudos
the_rock
Legend

Let me test it in my R81.20 lab

Andy

0 Kudos
the_rock
Legend

This worked for me

 

Screenshot_1.png

SriniKrish
Collaborator

Interesting!

How did you key in the API key? I don't see an option in the IOC Feed pop up dialog.

 

Regards,

Srini

0 Kudos
the_rock
Legend

I just did it exactly how you see in the screencap, via SmartConsole.

Andy

0 Kudos
SriniKrish
Collaborator

Sorry, I don't understand. There are no fields to key in the API key. How will it map user authentication in the CS portal without the API key?

Screenshot_20240117_233033_Firefox.jpg

0 Kudos
the_rock
Legend

K, I gotcha now. Sorry, I just tested the actual link in the SmartConsole feed menu, that's all.

You may need to confirm with TAC.

Andy

0 Kudos
the_rock
Legend

Here is the file I created and it worked fine. Just convert it to CSV format to import.

Andy

0 Kudos
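
An added example of the CSV conversion step mentioned above; it is not code from any poster in this thread, nor from Infoblox or Check Point. The JSON shape (a top-level "threat" list with "type", "host", "ip" and "url" fields), the type labels and the output column order (name, value, type) are all assumptions to check against the real feed output and against how the feed object is configured to parse the file; the sample data is constructed.

```python
import csv
import io
import json

# Constructed sample in the ASSUMED response shape; not real feed data.
SAMPLE_JSON = r"""
{"threat": [
  {"type": "HOST", "host": "bad.example.com"},
  {"type": "IP", "ip": "203.0.113.7"},
  {"type": "URL", "url": "http://bad.example.net/a"},
  {"type": "HOST", "host": "BAD.example.com"},
  {"type": "HOST", "host": "x.example.org\nextra,row"},
  {"type": "EMAIL", "email": "a@example.com"}
]}
"""

# ASSUMED mapping: record type -> (field holding the indicator, output label).
TYPE_MAP = {"HOST": ("host", "Domain"), "IP": ("ip", "IP"), "URL": ("url", "URL")}

def to_rows(feed_text):
    """Return de-duplicated (value, label) pairs from the JSON feed text."""
    rows, seen = [], set()
    for rec in json.loads(feed_text).get("threat", []):
        mapping = TYPE_MAP.get(str(rec.get("type", "")).upper())
        if mapping is None:
            continue  # types this example does not map (email, hash)
        field, label = mapping
        value = str(rec.get(field, "")).strip()
        # Feed values are untrusted input: drop anything that could break
        # the CSV row structure (delimiter, quote, whitespace, line breaks).
        if not value or any(c in value for c in ',"\r\n\t '):
            continue
        key = (label, value.lower())
        if key in seen:
            continue
        seen.add(key)
        rows.append((value, label))
    return rows

def to_csv(rows):
    """Write rows as name,value,type lines (ASSUMED column order)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for i, (value, label) in enumerate(rows, 1):
        writer.writerow([f"ib_{i}", value, label])
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(to_rows(SAMPLE_JSON)), end="")
```

Comparing the number of rows written with the number of records in the JSON shows how many indicators were dropped or merged before import.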
SriniKrish
Collaborator

Hi Andy,

 

I tried the same by using the api service username and API key as password in the Advanced field and it did accept.

 

Is there a way to validate if it is receiving any feeds at all?

 

Cheers,

Srini

0 Kudos
the_rock
Legend

0 Kudos
Blason_R
Leader

Those feeds are only available to Infoblox customers or are those open to anyone to test that out?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
SriniKrish
Collaborator

Infoblox customers only. But you can set up a test environment with 60 day licensing and it pretty much gives access to DHCP, DNS and Threat feeds as well.

 

Regards,

Srini

 

 

0 Kudos
