
To mitigate DNS data exfiltration, Infoblox Threat Insight (also referred to as Threat Analytics in the Infoblox GUI or Grid Manager) uses analytics algorithms to detect DNS tunneling traffic by analyzing incoming DNS queries and responses. Infoblox developed these algorithms through an extensive study of sample DNS statistics, identifying tunneling patterns that conventional rules and signatures cannot detect. For more information about DNS data exfiltration, see About Data Exfiltration.

Infoblox Threat Insight identifies data exfiltration tunnels that bypass typical firewall systems. Popular tunneling tools include OzymanDNS, SplitBrain, Iodine, DNS2TCP, TCP-Over-DNS, and others. These threats typically show high activity levels and use TXT records in DNS queries to carry data. Infoblox Threat Insight also identifies tunnels that are used for command and control (C&C). These threats typically do not exhibit high activity or large payloads; in general, they are characterized by NXDOMAIN responses.
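The two behaviours described above, as an added illustration that is not Infoblox code: a small Python classifier run over constructed DNS query records. It groups queries by base domain, measures query volume, TXT-record share, NXDOMAIN share and the entropy of the subdomain labels, exempts allowlisted domains, and emits standard RPZ rules (CNAME ., which returns NXDOMAIN) for the domains it would blocklist. The feature set, the thresholds, the two-label base-domain split, the allowlist entry and the sample records are all assumptions for illustration; Infoblox does not publish its algorithms on this page.

```python
"""
Added example (not Infoblox code): a simplified classifier for the two
tunneling behaviours described above, run over constructed DNS query
records. Features, thresholds, the two-label base-domain split and the
sample data are assumptions for illustration only.
"""
import hashlib
import math
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Assumption: allowlist entries are trusted base domains (the page's real
# entries are vendor domains; this name is constructed).
ALLOWLIST = {"tunnel-vendor.example"}


def label_entropy(text: str) -> float:
    """Shannon entropy in bits per character; 0.0 for an empty string."""
    if not text:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname: str) -> Tuple[str, str]:
    """Split a query name into (base domain, subdomain part).
    Assumption: the last two labels form the base domain; production code
    needs the public suffix list for names such as example.co.uk."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def classify(queries: Iterable[Tuple[str, str, str]], allowlist=ALLOWLIST) -> Dict[str, str]:
    """queries: (qname, qtype, rcode) records. Returns {base domain: verdict}."""
    stats = defaultdict(lambda: {"n": 0, "txt": 0, "nx": 0, "ent": 0.0})
    for qname, qtype, rcode in queries:
        base, sub = base_domain(qname)
        s = stats[base]
        s["n"] += 1
        if qtype == "TXT":
            s["txt"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
        s["ent"] += label_entropy(sub.replace(".", ""))
    verdicts: Dict[str, str] = {}
    for base, s in stats.items():
        n = s["n"]
        txt_share, nx_share, mean_ent = s["txt"] / n, s["nx"] / n, s["ent"] / n
        if base in allowlist:
            verdicts[base] = "allowlisted"    # trusted: never sent to the RPZ
        elif n >= 20 and txt_share >= 0.5 and mean_ent >= 3.0:
            verdicts[base] = "exfiltration"   # high volume, TXT, random-looking labels
        elif nx_share >= 0.8 and mean_ent >= 2.0:
            verdicts[base] = "c2"             # low volume, mostly NXDOMAIN answers
        else:
            verdicts[base] = "benign"
    return verdicts


def rpz_records(verdicts: Dict[str, str]) -> List[str]:
    """Standard RPZ rules for blocklisted domains: 'CNAME .' returns NXDOMAIN
    for the domain and, via the wildcard, for every name below it."""
    rules: List[str] = []
    for base, verdict in sorted(verdicts.items()):
        if verdict in ("exfiltration", "c2"):
            rules.append(f"{base} CNAME .")
            rules.append(f"*.{base} CNAME .")
    return rules


def _hexlabel(seed: str, length: int) -> str:
    """Deterministic random-looking label for the constructed sample data."""
    return hashlib.sha256(seed.encode()).hexdigest()[:length]


# Constructed sample log: (qname, qtype, rcode). Not real traffic.
SAMPLE_QUERIES: List[Tuple[str, str, str]] = (
    [(f"{_hexlabel(f'chunk{i}', 48)}.exfil.example", "TXT", "NOERROR") for i in range(30)]
    + [(f"{_hexlabel(f'beacon{i}', 32)}.c2beacon.example", "A", "NXDOMAIN") for i in range(8)]
    + [(f"{host}.corp.example", "A", "NOERROR") for host in ("www", "mail", "vpn", "intranet") * 3]
    + [(f"{_hexlabel(f'av{i}', 48)}.tunnel-vendor.example", "TXT", "NOERROR") for i in range(25)]
)

if __name__ == "__main__":
    result = classify(SAMPLE_QUERIES)
    for base, verdict in sorted(result.items()):
        print(f"{base:24} {verdict}")
    print("\n".join(rpz_records(result)))
```

The allowlisted vendor domain carries traffic that looks exactly like the exfiltration case; the allowlist check runs first so it is never turned into an RPZ rule, which is the behaviour the page describes for trusted domains. Run as a script it prints one verdict per base domain followed by the RPZ rules.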

You must have at least one RPZ license installed in your Grid (it can be installed on any Grid member) and the Threat Insight license installed on the Grid member on which you want to start the Threat Insight service. To download updates for the Threat Insight module and allowlist sets, you must have at least one Threat Insight license installed in the Grid. When you enable the Threat Insight service, NIOS starts analyzing incoming DNS data and applying these algorithms to detect security threats whose behavior matches or resembles the known data. Once a threat is detected, NIOS blocklists the domain and transfers it to the designated mitigation RPZ (Response Policy Zone); traffic from the offending domain is blocked, and no DNS lookups are allowed for the domain on NIOS members to which the RPZ is assigned. The appliance also sends an SNMP trap each time it detects a new blocklisted domain.

Infoblox Threat Insight also includes an allowlist of trusted domains on which NIOS allows DNS traffic. These are known good domains that carry legitimate DNS tunneling traffic, such as Avast, Sophos, McAfee, Boingo, Barracuda, and others. The allowlist is extensible, so new allowlisted domains can be added and rolled out accordingly. For Threat Insight running on on-premises Infoblox DDI appliances, internal governance and vetting applied by Infoblox ensures that all allowlist entries are accurate, curated, and valid.

You can also add custom allowlisted domains or move blocklisted domains to the allowlist. For more information about how to configure Infoblox Threat Insight, see Configuring Infoblox Threat Insight below. Before you use Infoblox Threat Insight, there are a few guidelines you should consider. For more information, see Guidelines for Using Infoblox Threat Insight below.

Infoblox Threat Insight ships with a module set and an allowlist set. To receive subsequent module set and allowlist set updates, you can configure the appliance to automatically download and apply the updates, or you can manually upload the updates when the appliance displays a banner message notifying you about available updates. For information about how to configure the update policy, see Defining the Threat Insight Update Policy below.

Licensing Requirements and Admin Permissions

...

Infoblox Threat Insight

To start the Threat Insight service, you must have at least one RPZ license installed in your Grid (it can be installed on any Grid member) and the Threat Insight license installed on the Grid member on which you want to start the Threat Insight service. To download updates for the Threat Insight module and allowlist sets, you must have at least one Threat Insight license installed in the Grid.

Note that running the Threat Insight service might affect system performance if the appliance has a small capacity and is handling heavy traffic. Evaluate your Grid and Grid members to ensure that you select an appliance that is appropriate for running the Threat Insight service. For more information about supported appliances, see Supported Appliances for Infoblox Threat Insight below.

...

Superusers can configure all threat protection and Threat Insight related tasks. You can assign Security permissions to specific admin groups and roles so these users can configure security related tasks. You can also add a global permission for managing Grid security properties or add an object permission for managing member security properties.

To manage Threat Insight related tasks, you must assign appropriate read-only or read/write Threat Insight permissions to the specified admin groups and roles. You can also add the Global Threat Insight Permission as a global permission or add the Member Threat Insight Permission to specific Grid members as an object permission. For more information about how to assign admin permissions, see Managing Permissions.

...

Guidelines for Using Infoblox Threat Insight

Following are some guidelines to take into consideration when using Infoblox Threat Insight:

  • To start the Threat Insight service, you must have at least one RPZ license installed in your Grid (it can be installed on any Grid member) and the Threat Insight license installed on the Grid member on which you want to start the Threat Insight service. To download updates for the Threat Insight module and allowlist sets, you must have at least one Threat Insight license installed in the Grid.

  • Infoblox recommends that you run the Threat Insight service for a limited time to monitor and preview what has been detected before actually blocking blocklisted domains. Carefully review the list of detected domains and decide which domains you want to continue blocking and which domains you want to add to the Threat Insight allowlist. Review the blocklisted domains on a regular basis to make sure that no legitimate use of DNS tunneling is blocked. Note that you can update the Threat Insight allowlist by adding new allowlisted domains, moving legitimate domains from the blocklisted domain list, or using CSV import and export. For more information, see Configuring a Local RPZ as the Mitigation Blocklist Feed below.

  • Threat Insight allowlist domains and supported DNS tunneling tools are updated periodically and are bundled with future NIOS releases. To ensure that your appliance is using the most up-to-date allowlist, upgrade to the next NIOS release or configure the appliance to download Threat Insight updates. For information about upgrades, see Upgrading NIOS Software. Note that this process may change in future NIOS releases.

  • There are no configurable parameters for Infoblox Threat Insight. Infoblox uses the built-in algorithms to analyze DNS statistics and blocks offending domains based on the analyzed data.

  • DNS tunneling detection is not instantaneous. It may take a few seconds to a few minutes for Threat Insight to confirm DNS tunneling activity.

  • During an HA failover, Threat Insight data that is in progress on the active node might be lost. Only new DNS queries received on the new active node after a successful failover are analyzed, and it may take a few minutes for Threat Insight to return to its normal state. If there is no connection between the Grid Master and a Grid member, blocklisted domains detected by Threat Insight cannot be transferred to the Grid Master as RPZ records for the pre-configured RPZ zone; this does not apply to standalone appliances with the RPZ license installed. In addition, ensure that the passive node also has the RPZ license installed and that its hardware model is capable of running the Threat Insight service. For information about supported appliance models, see Supported Appliances for Infoblox Threat Insight below.

  • The Threat Insight service only works on recursive DNS servers and forwarding servers that use BIND as the DNS resolver. It does not support Unbound as the DNS resolver.

  • The Threat Insight allowlist only applies to Infoblox Threat Insight; it does not apply to signature-based tunneling detection. Anti-DNS tunneling threat protection rules address signature-based tunneling analysis. For detailed information about threat protection rules, refer to the Infoblox Threat Protection Rules available on the Support web site.

  • Infoblox Threat Insight does not support RESTful APIs.

...

Due to the memory and capacity required to perform Threat Insight analysis, ensure that you install the Threat Insight and RPZ licenses and enable the Threat Insight service on an appliance that has enough capacity. Following are the supported Infoblox appliance models on which you can run the Threat Insight service:

  • PT-1405, and PT-2205.

  • IB-4015, and IB-4030-10GE.

  • TE-1415, TE-1425, TE-2215, and TE-2225.

  • TE-V1415, TE-V1425, TE-V2215, TE-V2225, TE-V4010, and TE-V4015.

...

You must have at least one RPZ license installed in your Grid (it can be installed on any Grid member) and the Threat Insight license installed on the Grid member on which you want to start the Threat Insight service. You must also create a new RPZ and use it as the designated mitigation blocklist feed so the appliance can transfer all blocklisted domains to this feed.

NIOS continuously collects and analyzes statistics of incoming queries and responses, detects possible DNS tunneling activity, blocks offending domains that match the known data, and updates the mitigation blocklist feed (a designated local RPZ) with the detected malicious domains. For supported appliance models for Infoblox Threat Insight, see Supported Appliances for Infoblox Threat Insight.

To configure Infoblox Threat Insight, complete the following:

  1. Obtain and install valid RPZ and Threat Insight licenses on the appliance that is used to support Threat Insight. Note that you must have the Threat Insight service running on the member serving recursive DNS queries or have recursive DNS queries forwarded to another DNS server. To generate reports that contain statistics about DNS tunneling, you must also configure a reporting appliance in the Grid.

  2. Create and add a new local RPZ and use it as the designated mitigation blocklist feed so the appliance can transfer all blocklisted domains to this feed. Ensure that you configure an appropriate policy for this RPZ. To monitor the Threat Insight service before actually blocking domains, set Policy Override to Log Only (Disabled). When you are ready to block offending domains, set Policy Override to None (Given).

  3. Configure admin permissions so admin users can manage the Threat Insight service and Threat Insight related tasks. For information about how to configure admin permissions, see About Administrative Permissions.

  4. Start the Threat Insight service on the appliance that has the Threat Insight license installed, as described in Starting and Stopping the Threat Insight Service.

Note

The Threat Insight functionality only works on recursive servers and forwarding servers that use BIND as the DNS resolver; it does not function on authoritative servers.

After you set up Infoblox Threat Insight to mitigate DNS data exfiltration, you can do the following to manage it:

  • View supported allowlisted domains for Threat Insight, as described in Viewing the Threat Insight Allowlist below. Note that these domains are specific to Threat Insight only. They are not used in the anti-DNS tunneling threat protection rules.

  • Manually add a custom domain to the Threat Insight allowlist, as described in Adding Custom Allowlisted Domains below.

  • Review the blocklisted domains and decide whether to move them to the Threat Insight allowlist so that future DNS activity on them is not blocked. For more information, see Viewing Blocklisted Domains below.

  • Move a blocklisted domain to the Threat Insight allowlist, as described in Moving Blocklisted Domains to the Allowlist.

  • Monitor DNS tunneling activities and events using pre-defined reports and the syslog, as described in Monitoring DNS Tunneling Activities below.

Starting and Stopping the Threat Insight Service

To start the Threat Insight service, you must have at least one RPZ license installed in your Grid (it can be installed on any Grid member) and the Threat Insight license installed on the Grid member on which you want to start the Threat Insight service. You can also stop the service when necessary.

To start or stop the threat analytics insight service:

  1. From the Grid tab, select the Grid Manager tab -> Services tab, and then click the Threat Insight service link. Grid Manager displays only the member or members with the RPZ license installed. Select the member checkbox.

  2. From the Toolbar, click Start to start the service or Stop to stop the service.

When you stop the Threat Insight service, the appliance does not detect or protect against non-signature-based DNS tunneling. In addition, reports that you generate might not include statistics related to DNS tunneling.

Note

After you enable the Threat Insight service, you must restart the DNS service for Threat Insight to start working.

Viewing the Threat Insight Allowlist

The Data Management tab -> Threat Insight tab -> Allowlist tab of Grid Manager lists the trusted domains on which NIOS allows DNS traffic by default. These are known good domains that carry legitimate DNS tunneling traffic, such as Avast, Sophos, McAfee, Boingo, Barracuda, and others. They are marked as System domains and cannot be deleted, but you can disable them so NIOS does not treat them as trusted domains. You can also add custom domains or move blocklisted domains to the Threat Insight allowlist. For more information, see Adding Custom Allowlisted Domains and Moving Blocklisted Domains to the Allowlist below.

To view a complete list of trusted domains in the Threat Insight allowlist:

  1. From the Data Management tab, select the Threat Insight tab -> Allowlist tab.

  2. The appliance displays the following for each trusted domain:

    • Actions: Click the Action icon next to a domain and select one of the following:

      • Disable: Click this to disable the domain. When you disable a domain, the appliance does not treat it as a trusted domain until you enable it again.

      • Edit: Click this to open the Allowlist editor. For system domains, the only property you can modify is whether they are enabled or disabled. For custom domains, you can also add information to the Comment field.

      • Delete: This is only applicable to custom domains; you cannot delete system domains. Select this to delete the custom domain.

    • Domain Name: The name of the trusted domain.

    • Type: Displays the domain type, which can be System or Custom. A system domain is a trusted domain that carries legitimate DNS tunneling traffic, such as Avast, Sophos, McAfee, Boingo, Barracuda, and others. A custom domain is one that you have added to the allowlist or moved from the mitigation blocklist RPZ.

    • Disabled: Indicates whether this domain is disabled. The appliance does not treat disabled domains as trusted domains. You can disable both system and custom domains.

    • Comment: Additional information about the domain.

Note

When you upgrade to a future NIOS release or update the Threat Insight allowlist, all changes you made to the allowlist are preserved.


You can also do the following in this panel:

  • Click Go to Mitigation Response Policy Zone to access the blocklisted domains that are identified as DNS tunneling offenders. Blocklisted domains are detected through Infoblox Threat Insight and automatically transferred to the blocklist RPZ feed. For information about these domains, see Viewing Blocklisted Domains below.

  • Export or import allowlisted domain names using the CSV import and export functionality.

  • Navigate to the next or last page of the allowlist using the paging buttons at the bottom of the panel.

  • Refresh the Threat Insight allowlist by clicking the Refresh button.

  • Use filters and the Go to function to narrow down the list. With the autocomplete feature, you can just enter the first few characters of an object name in the Go to field and select the object from the possible matches.

  • Select a quick filter to search for System or Custom allowlist entries, or both.

  • Print the allowlist or export it in CSV format.

Adding Custom Allowlisted Domains

The Threat Insight allowlist is populated with trusted domains that carry legitimate DNS tunneling traffic, such as Avast, Sophos, McAfee, Boingo, Barracuda, and others. You can add domains that you deem trustworthy to this list. When you add a custom domain, it is marked as Custom in the allowlist.

To add a custom allowlisted domain, complete the following:

  1. From the Data Management tab, select the Threat Insight tab -> Allowlist tab, and then click the Add icon or click Add Custom Allowlist from the Toolbar.

  2. In the Add Custom Allowlist wizard, complete the following:

    • Domain Name: Enter the name of the domain that you want to add to the Threat Insight allowlist.

    • Comment: Enter additional information about this domain.

    • Disable: When you select this, the appliance does not treat this domain as a trusted domain. When you enable the domain again, it is treated as an allowlisted domain.

  3. Save the configuration. You do not need to restart the DNS service to update the Threat Insight allowlist.

Configuring a Local RPZ as the Mitigation Blocklist Feed

For the Threat Insight service to function properly and for NIOS to properly report detected blocklisted domains, you must create local RPZs and designate them as the mitigation blocklist feed for the Grid. You can add Response Policy Zones from different network and DNS views to the list of RPZs. When a domain is detected as malicious, NIOS updates all RPZs in the list. If you assign an existing RPZ that is used for other purposes as the mitigation blocklist feed, you may experience the following:

  • Existing RPZ hits are reported as hits detected by Threat Insight after an upgrade.

  • If you manually add rules to the RPZ, all RPZ hits are reported as hits detected by Threat Insight, regardless of whether they match the manually created rules or were detected through the Threat Insight service.

Infoblox recommends that you run the Threat Insight service for a limited time to monitor and preview what has been detected before actually blocking domains. To do so, set Policy Override to Log Only (Disabled) when you create the RPZ so you can monitor blocklisted domains without actually blocking them.

Note

You can designate only one local RPZ as the Grid-wide mitigation blocklist feed.

To create and designate a local RPZ as the blocklist feed:

  1. Create a local RPZ by completing the procedure described in Configuring Local RPZs. Note: to monitor the Threat Insight service without blocking domains, set Policy Override to Log Only (Disabled). When you are ready to block blocklisted domains, set Policy Override to None (Given).

  2. From the Data Management tab, select the Threat Insight tab -> Allowlist tab, and then click Grid Threat Insight Properties from the Toolbar.

  3. In the Grid Threat Insight Properties editor, click the DNS Threat Insight tab, and complete the following:

    • Click the Add icon to open the Zone Selector dialog box and select the RPZs. You must configure at least one local RPZ. To remove an RPZ, select it from the table and click Delete.

    • Save the configuration.

Note

You cannot delete an RPZ that is used as the mitigation blocklist feed until you remove or clear it from the Grid Threat Insight Properties editor.

Enabling Integration with Infoblox Threat Defense Cloud for Threat Insight

If your network configuration includes Infoblox Threat Defense Business On-Premises, Infoblox Threat Defense Business Cloud, or Infoblox Threat Defense Advanced, you can configure a cloud integration client to collect the malicious domains that Threat Insight detects in Infoblox Threat Defense Cloud. NIOS then applies the detected domains to RPZs that were configured for the on-premises Grid. This feature ensures that all malicious domains detected in Infoblox Threat Defense Cloud are also applied on on-premises Grid members.

You can use this feature when you have an Infoblox Threat Defense Business On-Premises, Infoblox Threat Defense Business Cloud, or Infoblox Threat Defense Advanced license. Note that you can configure only one cloud client per on-premises Grid. Ensure that you configure the email address and password in the Grid Properties editor before you enable the integration with the Infoblox Threat Defense Cloud Client. For more information, see Configuring Integration with Infoblox Threat Defense Cloud.

To enable the integration with Infoblox Threat Defense Cloud, complete the following steps:

  1. From the Data Management tab, select the DNS tab -> Response Policy Zones tab. Expand the Toolbar and click Infoblox Threat Defense Cloud Client.

  2. In the Infoblox Threat Defense Cloud Integration Client editor, complete the following:

    • Enable Cloud Client: Select this checkbox to enable NIOS to get Threat Insight results from Infoblox Threat Defense Cloud. The results are periodically synchronized based on the interval you set. NIOS requests only data newer than the last data timestamp.

    • Interval: Specify how often, in seconds or minutes, to request Threat Insight results detected in Infoblox Threat Defense Cloud. The default is 10 minutes.

    • The list of Response Policy Zones to use for blocklisted domains: Click the Add icon to add an RPZ to the list. When there are multiple zones, Grid Manager displays the Zone Selector dialog box from which you can select one. You can add RPZs from different network and DNS views.

  3. Click Save & Close.

Note

Whenever a new RPZ is added and NIOS requests Threat Insight results, Grid Manager displays a Warning dialog box asking you to confirm that you want to request all domains detected by Threat Insight in Infoblox Threat Defense Cloud. If you click No in the Warning dialog box, you can later use the set cloud_services_portal_force_refresh CLI command in maintenance mode to set the flag that requests all domains detected in Infoblox Threat Defense Cloud.
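The incremental pull and the force-refresh case described in the note above, as an added Python illustration that is not Infoblox code: a client keeps the timestamp of the newest detection it has applied, asks a stand-in cloud source only for detections newer than that watermark, and must re-request everything when a zone is added later; otherwise the new zone never receives the older detections. The FakeCloud class, the Detection record, the add_rpz/sync methods and the timestamps are constructed for the example and are not the Infoblox Threat Defense API or the set cloud_services_portal_force_refresh command.

```python
"""
Added example (not Infoblox code): watermark-based incremental sync with a
force-refresh flag. The cloud source, record format, method names and
timestamps are constructed stand-ins for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Detection:
    domain: str
    detected_at: int  # epoch seconds (constructed values below)


class FakeCloud:
    """Stand-in for the cloud side: serves detections newer than `since`."""

    def __init__(self, detections: List[Detection]):
        self._detections: List[Detection] = list(detections)

    def publish(self, detection: Detection) -> None:
        self._detections.append(detection)

    def fetch(self, since: Optional[int] = None) -> List[Detection]:
        # since=None means "everything", i.e. a forced full refresh.
        return sorted(
            (d for d in self._detections if since is None or d.detected_at > since),
            key=lambda d: d.detected_at,
        )


@dataclass
class CloudClient:
    cloud: FakeCloud
    rpzs: Dict[str, Set[str]] = field(default_factory=dict)  # zone -> blocklisted domains
    last_timestamp: Optional[int] = None  # watermark: newest detection applied so far
    force_refresh: bool = False

    def add_rpz(self, name: str, force_refresh: bool = True) -> None:
        """Register a zone to receive detections. With force_refresh=False the
        zone only ever sees detections newer than the current watermark."""
        self.rpzs[name] = set()
        if force_refresh:
            self.force_refresh = True

    def sync(self) -> int:
        """One poll cycle. Returns the number of detections applied."""
        since = None if self.force_refresh else self.last_timestamp
        detections = self.cloud.fetch(since)
        for d in detections:
            for domains in self.rpzs.values():
                domains.add(d.domain)
        if detections:
            newest = max(d.detected_at for d in detections)
            self.last_timestamp = max(self.last_timestamp or 0, newest)
        self.force_refresh = False
        return len(detections)


def demo() -> Dict[str, object]:
    """Walk through the stale-zone case; returns counts and zone snapshots."""
    cloud = FakeCloud([Detection("a.example", 100), Detection("b.example", 200)])
    client = CloudClient(cloud)
    client.add_rpz("rpz-first")
    first = client.sync()                                   # full pull: a and b
    cloud.publish(Detection("c.example", 300))
    client.add_rpz("rpz-stale", force_refresh=False)        # the mistake
    second = client.sync()                                  # incremental: only c
    stale_view = set(client.rpzs["rpz-stale"])              # a and b are missing
    client.add_rpz("rpz-refreshed")                         # default forces a refresh
    third = client.sync()                                   # a, b and c everywhere
    applied: Tuple[int, int, int] = (first, second, third)
    return {
        "applied": applied,
        "stale_view": stale_view,
        "refreshed": set(client.rpzs["rpz-refreshed"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The second sync is the case the note warns about: the zone added without a refresh holds only the one detection published after the watermark, while the zone added with the refresh ends up with the full set.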

Viewing Blocklisted Domains

To review the list of blocklisted domains, complete the following:

  1. From the Data Management tab, select the DNS tab -> Response Policy Zones tab, and then click the name of the mitigation blocklist RPZ.

  2. Grid Manager displays the following for each blocklisted domain:

    • Name or Address: Displays the name or IP address of the blocklisted domain.

    • Policy: Displays the policy used to handle responses for the blocklisted domain.

    • Data: Displays the target data for this domain.

    • Comment: Displays additional information about this domain.

    • Site: This is a pre-defined extensible attribute (if configured) that indicates the location of the domain.

    • Disable: Indicates whether this domain is disabled. When the domain is disabled, the appliance does not block activity on this domain, and the configuration for this domain does not change. When the domain is enabled, it is treated as a blocklisted domain and all DNS activity on it is blocked.

You can also do the following in the blocklisted domain panel:

  • Click Go to Threat Insight Allowlist View to view the Threat Insight allowlist. In the Allowlist panel, you can see all the trusted domains for Infoblox Threat Insight; DNS activity is allowed on these domains.

  • If you want to move a blocklisted domain to the Threat Insight allowlist so it becomes a trusted domain, select the domain checkbox, click the Action icon next to the domain, and then select Move to Allowlist.

  • Navigate to the next or last page of the blocklist using the paging buttons at the bottom of the panel.

  • Refresh the blocklist feed by clicking the Refresh button.

  • Use filters and the Go to function to narrow down the list. With the autocomplete feature, you can just enter the first few characters of an object name in the Go to field and select the object from the possible matches.

  • Select a quick filter to search for specific entries.

  • Print the blocklist or export it in CSV format.

Moving Blocklisted Domains to the Allowlist

When the appliance detects an offending domain for possible DNS tunneling, it responds according to the policy defined in the mitigation blocklist RPZ and adds the domain to the blocklist RPZ feed. You can view all blocklisted domains and turn those you deem trustworthy into trusted domains by moving them to the Threat Insight allowlist. Note that once you move a blocklisted domain to the allowlist, you cannot reverse the action.

To move a blocklisted domain to the Threat Insight allowlist:

  1. From the Data Management tab, select the DNS tab -> Response Policy Zones tab.

  2. Select a blocklisted domain, click the Action icon next to the domain, and then select Move to Allowlist.

The appliance removes the selected domain from the blocklist and adds it to the Threat Insight allowlist. You can click Go to Threat Insight Allowlist View to verify that the domain has been moved.

Updating Threat Insight Module and Allowlist Sets

Infoblox periodically releases Threat Insight module and allowlist sets. To ensure that you can import Threat Insight updates, you must have at least one Threat Insight license installed in the Grid. The Threat Insight module set consists of the Threat Insight application .jar file, which delivers changes and updates for DNS tunneling detection; the allowlist set consists of updated trusted domains that carry legitimate DNS tunneling traffic. You can download updates for the module set and the allowlist set independently, depending on how often Infoblox rolls them out. The appliance displays the version numbers of the module set and allowlist set that your Grid is currently using. To view this information before downloading updates, see Viewing Module and Allowlist Versions below.

You can configure the appliance to automatically receive and apply the latest module set and/or allowlist set. When you define an automatic update policy, the appliance checks both the Threat Insight module and allowlist files and automatically downloads the files that have changed. You can also configure a manual update policy, in which the appliance notifies you through the message banner when updates are available; you can then decide whether to apply the updates to your Grid. For information about how to define the update policy, see Defining the Threat Insight Update Policy below. For information about how to perform manual updates, see Manually Uploading Threat Insight Updates below.

Note

Only the Grid Master receives module set and allowlist set updates. Grid members receive these updates through standard Grid replication from the Grid Master. Module and allowlist data is only replicated to Grid members that have the Threat Insight service enabled (an RPZ license is required to start this service on the members). The appliance uses port 443 (HTTPS) to download the module set and allowlist data updates.

Infoblox recommends that you configure the appliance to automatically receive module and allowlist updates so that your appliance receives the latest information periodically. If you prefer to manually upload updates to your Grid, ensure that you apply them frequently to receive the most up-to-date information.

Viewing Module and Allowlist Versions

  1. On the Data Management tab -> Threat Insight tab -> Allowlist tab, expand the Toolbar, and then click Grid Threat Insight Properties.

  2. In the Grid Threat Insight Properties editor, click the Updates tab. This tab displays the following information:

    • Active Allowlist Version: Displays the version number of the Threat Insight allowlist set that is currently active on the Grid.

    • Active Module Set Version: Displays the version number of the Threat Insight module set that is currently active on the Grid.

Defining the Threat Insight Update Policy

You can configure the settings to obtain policy updates independently for Whitelist Allowlist or module set, or for both. To configure how you want to obtain the latest threat analytics Threat Insight updates, complete the following:

  1. On the Data Management tab -> Threat Insight tab -> Allowlist tab, expand the Toolbar, and then click Grid Threat Insight Properties.

  2. In the Grid Threat Insight Properties editor, click the Updates tab.

  3. In the Allowlist Updates section, complete the following:

    • Latest Available Allowlist: Displays the latest allowlist that is available for download.

    • Last Checked For Updates: Displays the timestamp when the Grid last checked for updates.

    • Allowlist Update Policy: When you select Automatic, the appliance automatically downloads the latest allowlist updates based on the default or custom schedule. The appliance checks the allowlist files and downloads only the files that have changed. When you select an automatic policy, the latest updates are activated automatically. If you select Manual as the update policy, the appliance displays a banner message in Grid Manager to notify you when new updates are available. You must then decide whether or not to apply the updates to the Grid. For information about how to apply the updates manually, see Manually Uploading Threat Insight Updates below.

    • Enable Automatic Allowlist Updates: Select this checkbox to enable the automatic update feature. When necessary, you can click Download Allowlist Now to override the automatic update policy.
      In the Schedule section, set up a recurring schedule for automatic updates as described in step 5.

  4. In the Module Set Updates section, complete the following:

    • Latest Available Module Set: Displays the latest module set that is available for download.

    • Last Checked For Updates: Displays the timestamp when the Grid last checked for updates.

    • Module Set Update Policy: When you select Automatic, the appliance automatically downloads the latest module set and/or allowlist set based on the default or custom schedule. The appliance checks both the module and allowlist files and downloads only the files that have changed. When you select an automatic policy, the threat insight service on the Grid members is restarted automatically to activate the latest updates. If you select Manual as the update policy, the appliance displays a banner message in Grid Manager to notify you when new updates are available. You must then decide whether or not to apply the updates to the Grid. For information about how to apply the updates manually, see Manually Uploading Threat Insight Updates below.

    • Enable Automatic Module Set Updates: Select this checkbox to enable the automatic update feature. When necessary, you can click Download Module Set Now to override the automatic update policy.
      In the Schedule section, set up a recurring schedule for automatic updates as described in step 5.

  5. In the Schedule section, select one of the following to set up a recurring schedule for automatic downloads:

    • Default: When you select this, the appliance downloads the updates between 12:00 a.m. and 6:00 a.m. local time, based on the time zone configured on your appliance. The appliance automatically selects a time within this window the first time it performs an automatic update. All subsequent updates then follow the same schedule based on the selected time.

    • Custom: Select this and click the calendar icon to configure a custom schedule. Depending on the policy you are configuring, in the Automatic Allowlist Updates Scheduler or the Automatic Module Set Updates Scheduler, select Hourly, Daily, Weekly, or Monthly based on how often you want to update the module set and allowlist set.

      Note that the scheduled time is not the exact time of the download. The scheduled time is the mid-point of a 30-minute window in which the download occurs; therefore, the actual download can happen up to 15 minutes before or after the scheduled time.

      • When you select Hourly, complete the following:

        • Schedule every hour(s) at: Enter the number of hours between each update instance. You can enter a value from 1 to 24.

        • Minutes past the hour: Enter the number of minutes past the hour. For example, enter 5 if you want to schedule the update five minutes after the hour.

        • Time Zone: Select the time zone for the scheduled time from the drop-down list.

      • When you select Daily, select either Every Day or Every Weekday, and then complete the following:

        • Time: Enter a time in hh:mm:ss AM/PM (hours:minutes:seconds AM or PM) format. You can also select a time from the drop-down list by clicking the time icon.

        • Time Zone: Select the time zone for the scheduled time from the drop-down list.

      • When you select Weekly, complete the following:

        • Schedule every week on: Select any day of the week.

        • Time: Enter a time in hh:mm:ss AM/PM (hours:minutes:seconds AM or PM) format. You can also select a time from the drop-down list by clicking the time icon.

        • Time Zone: Select the time zone for the scheduled time from the drop-down list.

      • When you select Monthly, complete the following:

        • Schedule the day of the month: Enter the day of the month and the monthly interval. For example, to schedule the update on the first day of every second month, enter Day 1 every 2 month(s).

        • Time: Enter a time in hh:mm:ss AM/PM (hours:minutes:seconds AM or PM) format. You can also select a time from the drop-down list by clicking the time icon.

        • Time Zone: Select the time zone for the scheduled time from the drop-down list.

  6. Save the configuration.
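As an added example (not Infoblox code and not part of this documentation), the following Python script models the Hourly, Daily and Weekly schedulers and the 30-minute download window described in the Schedule step (the scheduled time is the mid-point, so the download may land up to 15 minutes either side), and checks whether a Last Checked For Updates timestamp shows that the Grid missed its most recent scheduled window. This is the kind of check an operator would run from a monitoring job so that a Grid whose Threat Insight data has silently stopped updating is noticed. The Schedule fields, the function names, the assumption that an Hourly cycle is anchored at local midnight, and the sample timestamps are this example's own constructions.

```python
"""Staleness check for Threat Insight update downloads (added example, not
Infoblox code).  Models the Hourly / Daily / Weekly custom schedules and the
30-minute download window, then reports whether a 'Last Checked For Updates'
value is consistent with the schedule.  All names and sample values are this
example's own assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, time, timezone, tzinfo
from typing import List, Optional

# Downloads occur anywhere in a 30-minute window centred on the scheduled time.
WINDOW = timedelta(minutes=15)


@dataclass
class Schedule:
    """Hypothetical model of the scheduler fields shown in the GUI."""
    kind: str                    # "hourly", "daily" or "weekly"
    tz: tzinfo = timezone.utc    # Time Zone drop-down (pass zoneinfo.ZoneInfo(...) for a named zone)
    every_hours: int = 1         # Hourly: Schedule every hour(s) at (1 to 24)
    minutes_past: int = 0        # Hourly: Minutes past the hour
    at: str = "02:00:00"         # Daily/Weekly: Time, as hh:mm:ss (24-hour clock)
    weekdays_only: bool = False  # Daily: Every Weekday instead of Every Day
    weekday: int = 0             # Weekly: Schedule every week on (0 = Monday)

    def __post_init__(self) -> None:
        if self.kind == "hourly" and not 1 <= self.every_hours <= 24:
            raise ValueError("Hourly interval must be between 1 and 24 hours")
        if not 0 <= self.minutes_past <= 59:
            raise ValueError("Minutes past the hour must be between 0 and 59")


def scheduled_times(sched: Schedule, start: datetime, end: datetime) -> List[datetime]:
    """All scheduled instants within [start, end], evaluated in the schedule's
    time zone.  Assumption: an Hourly cycle is anchored at local midnight."""
    start, end = start.astimezone(sched.tz), end.astimezone(sched.tz)
    at = time.fromisoformat(sched.at)
    found: List[datetime] = []
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    while day <= end:
        if sched.kind == "hourly":
            for hour in range(0, 24, sched.every_hours):
                found.append(day.replace(hour=hour, minute=sched.minutes_past))
        elif sched.kind == "daily":
            if not (sched.weekdays_only and day.weekday() >= 5):
                found.append(datetime.combine(day.date(), at, sched.tz))
        elif sched.kind == "weekly":
            if day.weekday() == sched.weekday:
                found.append(datetime.combine(day.date(), at, sched.tz))
        else:
            raise ValueError(f"unknown schedule kind {sched.kind!r}")
        day += timedelta(days=1)
    return [t for t in found if start <= t <= end]


def last_closed_window(sched: Schedule, now: datetime) -> Optional[datetime]:
    """Most recent scheduled instant whose +/-15 minute window has fully
    elapsed.  Looks back eight days so a Weekly schedule always has a candidate."""
    closed = [t for t in scheduled_times(sched, now - timedelta(days=8), now)
              if t + WINDOW <= now]
    return closed[-1] if closed else None


def is_stale(last_checked_iso: str, sched: Schedule, now_iso: str) -> bool:
    """True when the Grid's 'Last Checked For Updates' value predates the
    earliest moment the last fully elapsed window could have fired, i.e. the
    appliance did not check for updates when the schedule said it should.
    Timestamps are ISO 8601 strings with an explicit UTC offset."""
    now = datetime.fromisoformat(now_iso)
    slot = last_closed_window(sched, now)
    if slot is None:
        return False
    return datetime.fromisoformat(last_checked_iso) < slot - WINDOW


if __name__ == "__main__":
    # Constructed sample: every 6 hours at 5 minutes past the hour, Grid time zone UTC.
    six_hourly = Schedule(kind="hourly", every_hours=6, minutes_past=5)
    now = "2024-03-01T13:00:00+00:00"
    print(is_stale("2024-03-01T11:58:00+00:00", six_hourly, now))  # False: 12:05 window met
    print(is_stale("2024-03-01T06:10:00+00:00", six_hourly, now))  # True: 12:05 window missed
```

The check deliberately ignores the window that is still open around the current time, so a job that runs a few minutes after a scheduled slot does not raise a false alarm while the download is still allowed to happen. Monthly schedules are not modelled; extending scheduled_times with the Day-of-month rule is the obvious next step.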

Manually Uploading Threat Insight Updates

When you configure a manual update policy, the appliance notifies you about newly available module set and/or allowlist set updates. You can manually upload the updated files and apply them to the Grid.

To manually upload threat insight updates:

  1. From the Data Management tab, select the Threat Insight tab -> Allowlist tab, and then click Updates -> Manual Update from the Toolbar.

  2. The Threat Insight Upload dialog displays the following:

    • Current Allowlist Version: Displays the version of the allowlist set that is currently running on the Grid.

    • Last Applied On: Displays the timestamp and time zone when the last allowlist set was applied to the Grid. This field changes each time an allowlist set is applied.

    • Latest Available Module Set: Displays the version string of the latest available module set. This field changes each time the module set is updated.

    • Last Applied On: Displays the timestamp and time zone when the last module set was applied to the Grid. This field changes each time a module set is applied.

      To upload the module set or allowlist set:

    • File: Click Select to navigate to the file location, and then upload the file. The appliance displays the file name in this field. You can upload either a module set or an allowlist set. Check the current version numbers of the allowlist and module sets to verify whether they have changed before uploading new files.

Note

You can only update to a newer allowlist set, although you can switch back to an older version of the module set, if one is available. However, if you have configured an Automatic update policy, the appliance overwrites the older file version with the new one. To avoid this, change the update policy to Manual or disable automatic downloads.

Click Test to check the changes that would occur during the update, without actually applying the update. You can view the update details in the Syslog Viewer. The appliance preserves the uploaded file if you do not click Update to update the module set or allowlist set. The next time you perform a manual upload, this file name is displayed in the dialog. You can then choose to apply the update from this file or upload a new file before performing the update. Uploading a new file removes the file that has not been applied.

  3. Click Update to update the module set or allowlist set. You can also click View Update Results to view the update results.
