The Active Indicators search tool allows filter-based searches of threat indicators by data type, threat class/property, and data provider. The indicator data returned by a search is displayed on the Active Indicators page and can be exported in CSV, JSON, and XML formats. Active Indicators searches return at most 1000 records; when all active indicator data is needed, pull it via the API using the generated curl command (see below). The Active Indicators tool is available to subscribers of the Infoblox Threat Defense Business On-Premises, Infoblox Threat Defense Business Cloud, and Infoblox Threat Defense Advanced packages.


Note

SURBL Multi - FRESH Domains Feed

Infoblox Threat Defense subscribers can obtain SURBL data as RPZ feeds and can also query the indicators via Dossier. Querying SURBL indicators through Active Indicators or the TIDE API requires an additional subscription to the SURBL Multi - FRESH Domains Feed.

Viewing Active Indicators

To view active indicators, perform the following:

  1. From the Infoblox Portal, click Research > Active Indicators.
  2. On the Active Indicators page, you can view the following information:
    • INDICATOR: The indicator itself (for example, the host name, IP address, or URL). 
    • DATA TYPE: Host, IP, and URL.
    • THREAT CLASS: The threat class, such as Phishing, MalwareC2DGA, and others.
    • THREAT PROPERTY: The nature of the threat.
    • DETECTED: The timestamp when the indicator was detected.
    • DATA PROVIDER: The data provider reporting the indicator.
    • THREAT: Threat severity rating based on a scale from 0 to 100.

Performing an Active Indicators Search

...

Using the Filter Tool

To perform an active indicators search using the filter tool, perform the following:

  1. From the Infoblox Portal, click Research > Active Indicators.
  2. On the Active Indicators page, you can apply filtering to select and narrow down the indicator search data you want to be returned.
    • To apply filtering, complete the following:
      • Select a DATA TYPE: Choices include Email, Hash, Host, IP, and URL. You can choose one or more Data Types, in any combination, when selecting data type filters.
      • Select a THREAT CLASS/PROPERTY: The threat class/property list includes all active threat types. You can select one or more threat classes or properties from the list. Only "class" entries expand to show the "properties" under that class; property entries do not expand further.
      • Select a DATA PROVIDER: You can select one or more Data providers as search filters.
      • After you select your filters, click Apply Filters to run the active indicators search and view the search results.

...

To pull all active indicator data via the API (bypassing the 1000-record limit of the search page), perform the following:

  1. From the Infoblox Portal, click Research > Active Indicators.
  2. Click Generate API Request to generate the curl command that downloads all records.
  3. From the Generate API Request pop-up window, copy the curl command and run it from a terminal to pull the full data set. If the generated command embeds an API key, treat that key as a credential: do not paste it into shared scripts, tickets, or logs.
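The following is an added example, not part of the original page or Infoblox's own tooling. It shows how the three UI filters (DATA TYPE, THREAT CLASS/PROPERTY, DATA PROVIDER) and the export step map onto an API pull like the one the generated curl command performs. The TIDE endpoint `https://csp.infoblox.com/tide/api/data/threats`, the query parameters `type`, `class`, `property`, `profile` and `data_format`, the `Authorization: Token <key>` header, and the response field names (`threat`, `host`, `ip`, `profile`, `threat_level`, ...) are assumptions to be checked against the command shown in the Generate API Request pop-up. The sample response is constructed for offline use and is not real threat data.

```python
"""Pull TIDE active-indicator data with the same filters the UI offers.

ASSUMED (not stated on the page): the endpoint, parameter names, auth header
and response field names below. Verify them against the curl command that
Generate API Request produces before relying on this.
"""
import csv
import io
import json
import os
import urllib.parse
import urllib.request

TIDE_URL = "https://csp.infoblox.com/tide/api/data/threats"  # assumed endpoint
COLUMNS = ["INDICATOR", "DATA TYPE", "THREAT CLASS", "THREAT PROPERTY",
           "DETECTED", "DATA PROVIDER", "THREAT"]


def build_query(data_types=(), classes=(), properties=(), providers=(),
                data_format="json"):
    """Translate the UI filters into a request URL.

    Multi-select filters are comma-joined (assumed TIDE convention); the
    data provider filter maps to the `profile` parameter (assumed).
    """
    params = {}
    if data_types:
        params["type"] = ",".join(t.lower() for t in data_types)
    if classes:
        params["class"] = ",".join(classes)
    if properties:
        params["property"] = ",".join(properties)
    if providers:
        params["profile"] = ",".join(providers)
    params["data_format"] = data_format  # csv, json or xml, as in the UI export
    return TIDE_URL + "?" + urllib.parse.urlencode(params)


def fetch(url, api_key=None, timeout=60):
    """Run the GET the generated curl command would run (network call).

    The key is taken from the TIDE_API_KEY environment variable so it never
    ends up hard-coded in a script or in shell history.
    """
    api_key = api_key or os.environ.get("TIDE_API_KEY")
    if not api_key:
        raise RuntimeError("set TIDE_API_KEY; do not hard-code the key")
    req = urllib.request.Request(url, headers={"Authorization": f"Token {api_key}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_threats(body):
    """Map a JSON response onto the columns of the Active Indicators page.

    The indicator value lives in a type-specific field (host/ip/url/email/hash);
    all field names here are assumed.
    """
    rows = []
    for t in json.loads(body).get("threat", []):
        indicator = next((t[k] for k in ("host", "ip", "url", "email", "hash")
                          if t.get(k)), None)
        rows.append({
            "INDICATOR": indicator,
            "DATA TYPE": t.get("type"),
            "THREAT CLASS": t.get("class"),
            "THREAT PROPERTY": t.get("property"),
            "DETECTED": t.get("detected"),
            "DATA PROVIDER": t.get("profile"),
            "THREAT": t.get("threat_level"),
        })
    return rows


def to_csv(rows):
    """Export rows as CSV; csv.DictWriter quotes fields that contain commas."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample response for offline use; not real TIDE data.
SAMPLE_RESPONSE = json.dumps({"threat": [
    {"type": "HOST", "host": "login-example.invalid", "class": "Phishing",
     "property": "Phishing_Generic", "detected": "2024-01-01T00:00:00.000Z",
     "profile": "IID", "threat_level": 100},
    {"type": "IP", "ip": "203.0.113.7", "class": "MalwareC2",
     "property": "MalwareC2_Generic", "detected": "2024-01-02T00:00:00.000Z",
     "profile": "IID", "threat_level": 80},
]})


def demo():
    """Build a filtered URL and convert the sample response to CSV offline."""
    url = build_query(data_types=["Host", "IP"], classes=["Phishing", "MalwareC2"])
    rows = parse_threats(SAMPLE_RESPONSE)
    return url, rows, to_csv(rows)


if __name__ == "__main__":
    url, rows, csv_text = demo()
    print(url)          # the request the generated curl command would make
    print(csv_text)     # same columns as the Active Indicators page
```

To run against the live service, replace `SAMPLE_RESPONSE` with `fetch(url)` after exporting `TIDE_API_KEY`, and keep `data_format=json` so that `parse_threats` can read the result before you export to CSV.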

...