Install the Infoblox Data Connector

1. Go to Microsoft Sentinel Workspace in which you have installed the template, go to Data Connectors, search for the Infoblox Data Connector.

2. From the list of available components of the Infoblox Data Connector Integration, click on the Infoblox Data Connector via REST API and click on the Open connector page.

3. From this connector page click on the Deploy to Azure button.

4. After clicking, you will be redirected to the actual configuration screen of the Data Connector.
   You need to provide the below information and click on the “Review + Create” button

   1. Infoblox Base Url: Base URL of Infoblox (Default value is present)

   2. Infoblox API Token: API Token of Infoblox

   3. Confidence: To fetch the indicators greater than provided confidence score

   4. ThreatLevel:  To fetch the indicators greater than provided threat level

   5. Azure_Client_Id: Azure clientId of your app registered on Microsoft Entra ID

   6. Azure_Client_Secret: Azure clientSecret created in app in Microsoft Entra ID

   7. Azure_Tenant_Id: Azure Tenant ID found in Microsoft Entra ID

   8. Workspace ID: Provide Workspace ID.

   9. Workspace Key :Provide Workspace Key.
      You can find Workspace ID and Workspace Key in the Data Connector page itself.

      

   10. Log Level: Log level or log severity value. By default it is set to INFO

   11. AppInsightsWorkspaceResourceID: Use 'Log Analytic Workspace-->Properties' blade having 'Resource ID' property value. This is a fully qualified resourceId which is in format '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}.

       

       NOTE: In this integration, We are going to create/update Threat Intelligence Indicators using Microsoft Sentinel REST APIs. To use these REST APIs we need Azure Client ID(Application ID) and Client Secret. To generate this Client ID and Client Secret follow below steps

       1. App Registration steps for the Application in Microsoft Entra ID
          This integration requires an App registration in the Azure portal. Follow the steps in this section to create a new application in Microsoft Entra ID:

          1. Sign in to the Azure portal.

          2. Search for and select Microsoft Entra ID.

             

          3. Under Manage, select App registrations

             

          4. Click on New Registration

             

          5. Enter a display Name for your application.

             

          6. Select Register to complete the initial app registration.

          7. When registration finishes, the Azure portal displays the app registration's Overview pane.

          8. You see the Application (client) ID and Tenant ID. The client ID and Tenant ID are required as configuration parameters for the execution of Infoblox MS Sentinel Data Connector.

       2. Add a client secret for application in Microsoft Entra ID

          1. Sometimes called an application password, a client secret is a string value required for the execution of Infoblox MS Sentinel Data Connector. Follow the steps in this section to create a new Client Secret

          2. In the Azure portal, in App registrations, select your application.

             

          3. From Manage, Select Certificates & secrets > Client secrets > New client secret.

             

          4. Add a Description for your client secret.

          5. Select an expiration for the secret or specify a custom lifetime. Limit is 24 months.

             

          6. Select Add.

          7. Record the secret's value for use in your client application code. This secret value is never displayed again after you leave this page. The secret value is required as a configuration parameter for the execution of Infoblox MS Sentinel Data Connector.

       3. Assign role of Contributor to application in Microsoft Entra ID

          1. In the Azure portal, Go to Resource Group and select your resource group.

             

          2. Go to Access control (IAM) from left panel.

             

          3. Click on Add, and then select Add role assignment.

             

          4. Select Contributor as role from Privileged administrator roles and click on next.

             

          5. In Assign access to, select User, group, or service principal.

             

          6. Click on add members and type your app name that you have created and Select it. Now click on Review + assign and then again click on Review + assign.

Once, the application is created, enter the details in the connector deployment page and click on Review + Create

5. Now click on the “Create” button to install the Data connector.

6.After that you can see the deployment status as shown in the image below.

7. Once the data connector gets installed successfully. It can be found under the Function App

8. Search and go to the “Function App”

9. This data connector contains a total of 15 function apps. Search installed function apps with the names starting with hist, curr and dossierlook.

10. To execute all the 15 functions together, please run the playbook Infoblox-Data-Connector-Trigger-Sync. To deploy and configure this  playbook, follow the steps mentioned in the Steps to Configure Playbook section.
    User needs to manually run the playbook to execute all the function apps. To do so, go to Logic Apps-> Select the playbook and click on Run button.

11. After successfully adding integration settings, you will start receiving Indicators after around 1:15 hours in Microsoft Sentinel via the configured function app. You can see the threat indicators created in the Threat Intelligence section of Microsoft Sentinel. 

12. It can also be viewed in the Log Analytics Workspace table named ThreatIntelligenceIndicator.