This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
SriniKrish
Collaborator
‎2024-01-09 10:13 PM

IOC Feed from Infoblox

Hello,

I am trying to get Exernal Threat Intel feed for DNS from Infoblox but the expected format from CP is different from the API request  format I get from Infoblox.

Has anyone tried this before ? I am not sure how to feed in the API Key into the feed URL.

Below is the API Request format from IB and I have attached the smartconsole parameters in CP for the IOC feed.

curl -X GET -H "Authorization: Token token=<API_KEY>" "https://csp.infoblox.com/tide/api/data/threats?type=host&type=ip&type=url&type=email&type=hash"

 

Appreciate any directions here !

Cheers,

Srini

CP_External Feed.png
Preview file
163 KB
0 Kudos
13 Replies
phoneboyapi
Admin
Admin
‎2024-01-16 10:55 AM

What format does Infoblox provide information in?
If it's JSON, I recommend upgrading to R81.20 and using the Network Feeds option, which can read JSON with a provided jq filter.
If your IOC feed is large, you should upgrade to R81.20 as the supported number of IoCs is much higher (at least 2 million IoCs have been tested) and they are imported significantly faster to boot.

0 Kudos
SriniKrish
Collaborator
‎2024-01-16 10:57 PM
In response to phoneboyapi

It is pretty much in the format above. I did try to feed through Mgmt_cli but getting the API key across has been challenge. I see Andy was able to connect via the Smartconsole. keen to know how he used the API key.

Srini

0 Kudos
the_rock
Legend
Legend
‎2024-01-16 11:29 AM

Let me test it in my R81.20 lab

Andy

0 Kudos
the_rock
Legend
Legend
‎2024-01-16 11:43 AM

this worked for me

 

Screenshot_1.png

SriniKrish
Collaborator
‎2024-01-16 10:49 PM
In response to the_rock

Interesting !

How did you key in the API key ? I don't see an option in the IOC Feed pop up dialog.

 

Regards,

Srini

0 Kudos
the_rock
Legend
Legend
‎2024-01-17 04:28 AM
In response to SriniKrish

I just did it exactly how you see in the screencap, via smart console.

Andy

0 Kudos
SriniKrish
Collaborator
‎2024-01-17 04:35 AM
In response to the_rock

Sorry I don't understand.  there are no fields to key in the API key. How will it map user authentication in the cs portal without the API key ?

Screenshot_20240117_233033_Firefox.jpg

0 Kudos
the_rock
Legend
Legend
‎2024-01-17 05:21 AM
In response to SriniKrish

K, I gotcha now. Sorry, I just tested the actual link in the smart console feed menu, thats all.

You may need to confirm with TAC.

Andy

0 Kudos
the_rock
Legend
Legend
‎2024-01-17 05:55 AM
In response to SriniKrish

Here is file I created and worked fine. Just convert it to csv format to import.

Andy

infoblox.xlsx
Preview file
9 KB
0 Kudos
SriniKrish
Collaborator
‎2024-01-17 09:11 PM
In response to the_rock

Hi Andy,

 

I tried the same by using the api service username and API key as password in the Advanced field and it did accept.

 

IS there a way to validate if it is receiving any feeds at all ?

 

Cheers,

Srini

feed.png
Preview file
70 KB
0 Kudos
Blason_R
Leader
Leader
‎2024-01-16 07:07 PM

Those feeds are only available to Infoblox customers or are those open to anyone to test that out?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
SriniKrish
Collaborator
‎2024-01-16 10:51 PM
In response to Blason_R

Infoblox customers only. But you can set up a test environment with 60 day licensing and it pretty much gives access to DHCP, DNS and Threat feeds as well.

 

Regards,

Srini

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    li.common.scroll-to.top