Visualizing Infoblox Sentinel Workbooks


Once you have successfully installed and deployed all the components of the Infoblox Sentinel Integration, follow these steps to visualize the workbooks.

  1. The Infoblox Sentinel Integration consists of two workbooks:

    1. Infoblox Workbook

    2. Infoblox Lookup Workbook

  2. The Infoblox Workbook contains the following tabs: SOC Insights, Blocked DNS, DNS, DHCP, Service Log, Audit and Threat Intelligence.
    Make sure the prerequisites listed in each tab are properly configured.

  3. The Blocked DNS, DNS, DHCP, Service Log and Audit tabs of the Infoblox Workbook visualize the CEF data sent by Infoblox to Sentinel. Make sure that the Infoblox CEF data connector is deployed and configured.

  4. For the DHCP and Service Log tabs, two logic apps (playbooks) must be configured before the data can be visualized. Make sure that these playbooks are configured and enabled, and run each playbook manually once after configuring it, before using this workbook.

    1. Infoblox-Get-IP-Space-Data - This playbook retrieves the IP space name from the IP space ID present in the CEF DHCP data, to make it user friendly.

    2. Infoblox-Get-Service-Name - This playbook retrieves the service name from the service ID present in the CEF Service Log data, to make it user friendly.

  5. To open a workbook, go to Microsoft Sentinel -> <Your Workspace> -> Workbooks. Select either workbook and click on View Template.

  6. In the Infoblox Workbook, click on any panel to visualize its data. Select any filter to narrow the data shown.

  7. The Infoblox Lookup Workbook can be used to perform TIDE and Dossier lookups. There are two approaches for each lookup, and the workbook contains 4 tabs, one per approach.

    1. TIDE Lookup Input Based - In this approach the user provides Resource Group, Subscription ID, Type and Target. Type is the type of the Indicator and Target is the value of the Indicator for which the TIDE lookup is performed.
      Note: You can find the Subscription ID under Log Analytics Workspace → <your workspace> → Overview.

      1. Once you have provided all the parameters mentioned above, a GET TIDE DATA button appears. Clicking it executes the Infoblox-TIDE-Lookup logic app in the background and retrieves the TIDE lookup information.

      2. Click on Refresh until the data appears.


      3. To check the status of the playbook, follow the steps in the Executing and Monitoring Infoblox Sentinel Logic Apps section.
        Note: To perform a TIDE lookup via this approach, the Infoblox-TIDE-Lookup logic app needs to be configured and in the enabled state.

    2. TIDE Lookup Incident Based - This lookup can be performed on indicators present in Incidents.

      1. The following inputs are required.
        Resource Group, Subscription ID, Tenant ID, Time Range and Type for the Incidents.


      2. From the list of available Incidents, click on the GET TIDE DATA link to perform a TIDE lookup for the Indicator contained in that Incident.


      3. After clicking on the GET TIDE DATA link, a pop-up appears. Click the Run ARM action button, which executes the playbook named in the note below in the background.


      4. To check the status of the playbook, follow the steps in the Executing and Monitoring Infoblox Sentinel Logic Apps section.

      5. Click on that Incident to open the Lookup Result panel.


      6. Click on Refresh until the data appears.
        Note: This workbook tab requires the Infoblox-TIDE-Lookup-via-Incident playbook to be configured and enabled first.

    3. Dossier Lookup Input Based - In this approach the user provides Dossier Function App Name, Type and Target. Type is the type of the Indicator and Target is the value of the Indicator for which the Dossier lookup is performed.

      1. Select the Dossier Function App from the dropdown.

      2. Once you have provided all the parameters mentioned above, a GET DOSSIER DATA link appears. Clicking it executes the selected function app in the background and retrieves the Dossier lookup information. After clicking on that link, you will see a message like Refresh to check for Dossier data availability.


      3. Click the refresh button above the message until you see a message like Click here to view the data.


      4. Once you click on that message, the Dossier lookup result is displayed.



        Note: To perform a Dossier lookup via this approach, the Dossier Lookup function app needs to be configured and in the enabled state.
        Note: It is recommended to perform a hard refresh before getting Dossier data for a new target. Otherwise, the source drill-down panels will not be populated properly.

    4. Dossier Lookup Incident Based - This lookup is performed on indicators present in Incidents.

      1. The following inputs are required.
        Function App Name (Same as above), Time Range and Type for the Incidents.


      2. From the list of available Incidents, click on the GET DOSSIER DATA link to perform a Dossier lookup for the Indicator contained in that Incident.


      3. After clicking on the GET DOSSIER DATA link, you will see a message like Refresh to check for Dossier data availability.


      4. To check the status of the function app, follow the steps in the Executing and Monitoring Infoblox TIDE Data Connector section.

      5. Click the refresh button above the message until you see a message like Click here to view the data. You will then see the data from the various sources for that Indicator.



        Note: This workbook tab requires the same Function App as mentioned above.

  8. For both TIDE and Dossier lookups, it is possible that no lookup information is available. In that case, even after refreshing multiple times, the panels show a message like the following:

        [Screenshot of the message shown in the lookup panels]

You will see a similar message while the logic app or function app (for TIDE and Dossier lookups respectively) is still in the running state.

Hence, it is advisable to check the status of the logic app and the data connector in such cases.
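Steps 3 and 4 above require the Infoblox CEF data connector to be delivering events before the Blocked DNS, DNS, DHCP, Service Log and Audit tabs can show anything, and this closing section recommends checking the data connector when panels stay empty. The following KQL query is an added readiness check for that connector, not part of the Infoblox workbooks or the Infoblox project; it assumes that the Infoblox CEF data connector lands events in the standard CommonSecurityLog table and tags them with DeviceVendor "Infoblox" (assumed value; adjust the filter to whatever your connector actually sends). It is meant to be run in the Logs blade of the Sentinel workspace, or in a custom workbook panel, to confirm that events are arriving and how fresh they are per event class.

```kql
// Added readiness check, not part of the Infoblox workbooks themselves.
// Assumptions (not stated on this page): the Infoblox CEF data connector
// writes to the standard CommonSecurityLog table and sets DeviceVendor to
// "Infoblox". Change the vendor filter if your connector populates it differently.
let lookback = 24h;      // how far back to look for Infoblox CEF events
let stale_after = 60;    // minutes without events before an event class is flagged
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where DeviceVendor =~ "Infoblox"
| summarize
    Events   = count(),
    LastSeen = max(TimeGenerated),
    Products = make_set(DeviceProduct)
    by DeviceEventClassID
| extend MinutesSinceLast = datetime_diff("minute", now(), LastSeen)
| extend Status = iff(MinutesSinceLast > stale_after, "STALE", "OK")
| order by Events desc
```

If the query returns no rows at all, the connector is not delivering any Infoblox CEF data and none of the CEF-backed tabs will populate, so the connector deployment itself should be checked first. Rows marked STALE point to a log type that stopped arriving recently, which is the usual reason a single tab (for example DHCP or Service Log) is empty while the others show data.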
