Acquire Information for a Lambda function


A Lambda function is used to download TIDE feeds. This Lambda function requires parameters specific to your environment. To acquire these parameters, perform the steps in the following subsections:

Acquire a TIDE API Call URL

The Lambda function that will be created in this guide requires an API call to acquire feeds from BloxOne. Note that a TIDE API call can return a large data set. By default, AWS Route 53 DNS Firewall allows adding up to 100,000 domains per list. If you need to publish more entries, please contact AWS. To create a TIDE API call, perform the following steps:

  1. Log into the Infoblox CSP. Once logged in, highlight Research located in the bottom left of the navigation panel, then click on Active Indicators in the list that is revealed.

  1. Here you can see the list of active indicators. Due to the quantity of data, it is suggested to filter the API call. Click Clear for each section until all sections are unchecked.

  1. Under the DATA TYPE header, click the checkbox associated with the Host data type.

  1. Under the THREAT CLASS/PROPERTY header, click the checkboxes associated with the threat classes/properties you would like to add to your AWS Route 53 DNS Firewall domain list. Note that it is suggested to select only one threat class/property per Lambda function, because duplicates may occur for domains that are associated with more than one threat class/property. Route 53 DNS Firewall domain lists do not allow duplicate entries.

  1. Click Apply Filter to apply the selected filter.


  1. At the top of the Active Indicators page, click Generate API request. Note that this creates a simple API call for the IOC defined; the API call can be modified further with additional parameters.

  1. Copy the API call in the dialog box that has been revealed.

  1. Paste the API call to a text editor of your choice.

  1. Modify the API call by deleting all text up to /tide/. Keep all of the text that follows, except for the closing quotation mark.

  1. Append the text &field=host&data_format=csv to the end of the string. Note that these parameters tell the API to retrieve only the Host field and to return it in CSV format.


  1. (Optional) Add additional parameters to specify which IOCs will be imported. For more information on the parameters accepted by the TIDE API, please see the TIDE documentation located here. Note: if you choose to import a large quantity of IOCs, the transfer of data may take a very long time.

    • In the example screenshot, the API call has been altered to only acquire IOCs from a 30-day period via the text &period=30d. The call has also been altered to only accept 20 domains via the text &rlimit=20.

  1. Save this API call for use later.
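The steps above as an added Python example (not part of the original guide and not Infoblox's Lambda code): `build_tide_call` trims the copied request to the string saved in the last step, and `prepare_domains` removes duplicates and malformed rows and applies the 100,000-entry limit before the feed reaches a Route 53 DNS Firewall domain list. The function names, the sample values, the assumption that the saved string begins at /tide/, and the assumed `host` header row in the CSV are all assumptions.

```python
import csv
import io
import re

MAX_DOMAINS = 100_000                     # default per-list limit stated in this guide
REQUIRED = "&field=host&data_format=csv"  # parameters the guide says to append
# Assumption: a plain hostname syntax check is enough to reject malformed rows.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z0-9-]{2,63}$")

# Constructed sample input; host name, path and token are placeholders.
SAMPLE_COPIED = ('curl -H "Authorization: Token token=PLACEHOLDER" '
                 '"https://csp.example.invalid/tide/example/path?type=host"')
SAMPLE_CSV = "host\nbad.example.com\nBAD.example.com.\nnot a domain\nevil.example.net\n"


def build_tide_call(copied, extra=""):
    """Trim the copied 'Generate API request' text to the string to save."""
    start = copied.find("/tide/")
    if start == -1:
        raise ValueError("no /tide/ segment in the copied API call")
    # Assumption: the saved string starts at /tide/; drop the closing quote.
    call = copied[start:].strip().rstrip("\"'")
    if REQUIRED not in call:
        call += REQUIRED
    return call + extra  # extra: optional parameters such as &period=30d


def prepare_domains(csv_text, limit=MAX_DOMAINS):
    """Return (domains, rejected): unique, syntactically valid, capped at limit."""
    seen, domains, rejected = set(), [], []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row:
            continue
        host = row[0].strip().lower().rstrip(".")
        if host == "host":  # assumed CSV header row
            continue
        if not _HOST_RE.match(host):
            rejected.append(row[0])  # keep for logging, never publish
        elif host not in seen:       # domain lists do not allow duplicates
            seen.add(host)
            domains.append(host)
    return domains[:limit], rejected
```

Logging the rejected rows and the number of entries dropped by the cap makes it visible when a feed filter is too broad for a single domain list.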

Acquire an AWS Route 53 DNS Firewall domain list ID

To acquire an AWS Route 53 DNS Firewall domain list ID, perform the following steps:

  1. Log in to your AWS account. Once logged in, input Route53 into the search bar located at the top of the AWS interface.

  1. Click the text Route 53 in the list that is revealed.

 

  1. In the Route 53 navigation pane, click Domain List located under the DNS Firewall header.

  1. On the Domain Lists page, in the Owned domain lists panel, locate the domain list you intend to add TIDE IOCs to. Copy the ID and save it to a text file for use later. Note that in the example screenshot the domain list ID is rslvr-fdl-879a58dca13641a3.