Document toolboxDocument toolbox

About Infoblox Threat Insight

Owned by Panna .
Last updated: Oct 01, 2024 by Shwetha S
22 min read

To mitigate DNS data exfiltration, Infoblox Threat Insight employs analytics algorithms to detect DNS tunneling traffic by analyzing incoming DNS queries and responses. These algorithms are developed through an extensive study and analysis of sample DNS statistics within which DNS tunneling data is identified by algorithms that cannot be detected by normal rules and signatures. For more information about DNS data exfiltration, see About Data Exfiltration.

Infoblox Threat Insight identifies data exfiltration tunnels that bypass typical firewall systems. Some popular tunneling tools are OyzmanDNS, SplitBrain, Iodine, DNS2TCP, TCP-Over-DNS, and others. These types of DNS threats are identified as having high activities by using the TXT records in DNS queries. Infoblox Threat Insight also identifies tunnels that are used for C&C. These threats typically do not exhibit high activities or payloads. In general, NXDOMAIN responses fall into this category of threats.

You must have at least one RPZ license installed in your Grid (it can be installed on any Grid member) and the Threat Insight license installed on the Grid member on which you want to start the Threat Insight service. To download updates for Threat Insight module and allowlist sets, you must have at least one Threat Insight license installed in the Grid. When you enable the Threat Insight service, NIOS starts analyzing incoming DNS data and applying these algorithms to detect security threats that have the same or similar behavior as the known data. Once security threats are detected, NIOS blocklists the domains and transfers them to the designated mitigation RPZ (Response Policy Zone), and traffic from the offending domains is blocked and no DNS lookups are allowed for these domains from NIOS members on which RPZ are assigned to them. The appliance also sends an SNMP trap each time it detects a new blocklisted domain.

Infoblox Threat Insight also includes a allowlist that contains trusted domains on which NIOS allows DNS traffic. These are known good domains that carry legitimate DNS tunneling traffic such as Avast, Sophos, McAfee, Boingo, Barracuda, and others. The allowlist is extensible so new allowlisted domains can be added and rolled out accordingly. For Threat Insight running on an On-Prem Infoblox DDI appliances, internal governance and vetting applied by Infoblox ensures all allowlist entries are accurate and curated, and contain only valid entries.

You can also add custom allowlisted domains or move blocklisted domains to the allowlist. For more information about how to configure Infoblox Threat Insight, see Configuring Infoblox Threat Insight below. Before you utilize Infoblox Threat Insight, there are a few guidelines you might need to consider. For more information about Guidelines for Using Infoblox Threat Insight, see below.

Infoblox Threat Insight came installed with a module set and a allowlist set. To receive subsequent module set and allowlist set updates, you can configure the appliance to automatically download and apply the updates for you, or you can manually upload the updates when the appliance displays a banner message notifying about available updates. For information about how to configure the update policy, see Defining the Threat Insight Update Policy below.

See Prerequisites to Integrate Cisco ISE with NIOS.

Licensing Requirements and Admin Permissions

You must obtain and install valid licenses on your appliance before using Infoblox Threat Insight. Contact your Infoblox representative to obtain these licenses. For more information, see Managing Licenses.

Infoblox Threat Insight

To start the Threat Insight service, you must have at least one RPZ license installed in your Grid (it can be installed on any Grid member) and the Threat Insight license installed on the Grid member on which you want to start the Threat Insight service. To download updates for Threat Insight module and allowlist sets, you must have at least one Threat Insight license installed in the Grid.

Note that running the Threat Insight service might affect your system performance if the appliance has a small capacity and is taking on heavy traffic. Evaluate your Grid and Grid members to ensure that you select an appliance that is appropriate for running the Threat Insight service. For more information about  supported appliances, see Supported Appliances for Infoblox Threat Insight below.

Admin Permissions

Superusers can configure all threat protection and insight related tasks. You can assign Security Permissions to specific admin groups and roles so these users can configure security related tasks. You can also add a global permission for managing Grid security properties or add an object permission for managing member security properties.

To manage the insight related tasks, you must assign appropriate read-only or read/write Threat Insight Permissions to the specified admin groups and roles. You can also add the Global Threat Insight Permission as a global permission or add Member Threat Insight Permission to specific Grid members as an object permission. For more information about how to assign admin permissions, see Managing Permissions.

Guidelines for Using Infoblox Threat Insight

Following are some guidelines to take into consideration when using Infoblox Threat Insight:

  • To start the Threat Insight service, you must have at least one RPZ license installed in your Grid (it can be installed on any Grid member) and the Threat Insight license installed on the Grid member on which you want to start the Threat Insight service. To download updates for Threat Insight module and allowlist sets, you must have at least one Threat Insight license installed in the Grid.

  • Infoblox recommends that you run the Threat Insight service for a limited time to monitor and preview what has been detected before actually blocking blocklisted domains. You can carefully review the list of detected domains and decide which domains you want to continue blocking and which domains you want to add to the insight allowlist. You should review the blocklisted domains on a regular basis to make sure that no legitimate use of DNS tunneling is blocked. Note that you can update the insight allowlist by adding new allowlisted domains, moving legitimate domains from the blocklisted domain list, or using CVS import and export. For more information about Configuring a Local RPZ as the Mitigation Blocklist Feed, see below.

  • Insight allowlist domains and supported DNS tunneling tools are updated periodically and are bundled with future NIOS releases. To ensure that your appliance is using the most up-to-date allowlist, upgrade to the next NIOS release or configure the appliance to download Threat Insight updates. For information about upgrades, see Upgrading NIOS Software. Note that this process may change in future NIOS releases.

  • There are no configurable parameters for Infoblox Threat Insight. Infoblox uses the build-in algorithms to analyze DNS statistics and blocks offending domains based on the analyzed data.

  • DNS tunneling detection is not instantaneous. It may take a few seconds to a few minutes for the insight to determine positive DNS tunneling activities.

  • During an HA failover, insight data that is in progress on the active node might be lost. Only new DNS queries on the new active node after a successful failover are being analyzed. It may take a few minutes for the insight to reach its normal state. If there is no connection between the Grid Master and Grid member, blocklisted domains detected by the insight cannot be transferred to the Grid Master as RPZ records for a pre-configured RPZ zone — this is not applicable to standalone appliances with RPZ license installed. In addition, ensure that the passive node must also have the RPZ license installed and that its hardware model is capable of running the Threat Insight service. For information about supported appliance models, see Supported Appliances for Infoblox Threat Insight below.

  • The Threat Insight service only works on recursive DNS servers and forwarding servers that use BIND as the DNS resolver. It does not support Unbound as the DNS resolver.

  • The insight allowlist only applies to Infoblox Threat Insight; it does not apply to signature-based tunneling detection. Anti-DNS tunneling threat protection rules are implemented to address signature-based tunneling analysis. For detailed information about threat protection rules, refer to the Infoblox Threat Protection Rules available on the Support web site.

  • Infoblox Threat Insight does not support RESTful APIs.

Supported Appliances for Infoblox Threat Insight

Due to memory and capacity required to perform insight, ensure that you install the Threat Insight and RPZ licenses, and enable the Threat Insight service on an appliance that has a big enough capacity. Following are the supported Infoblox appliance models on which you can run the Threat Insight service:

  • PT-1405, and PT-2205.

  • IB-4015.

  • TE-1415, TE-1425, TE-2215, and TE-2225

  • TE-V1415, TE-V1425, TE-V2215, TE-V2225, TE-V4010, and TE-V4015.

  • TE-2326, TE-2215, TE-2225, TE-4126, TE-4015 and TE-4025.

Note

Using unsupported appliance models for Infoblox Threat Insight might cause performance issues.

Configuring Infoblox Threat Insight

You must have at least one RPZ license installed in your Grid (it can be installed on any Grid member) and the Threat Insight license installed on the Grid member on which you want to start the Threat Insight service. You must also create a new RPZ and use it as the designated mitigation blocklist feed so the appliance can transfer all blocklisted domains to this feed.

NIOS continuously collects and analyzes statistics of incoming queries and responses, detects possible DNS tunneling activities, blocks offending domains that match the known data, and updates the mitigation blocklist feed (a designated local RPZ) of any known malicious domains. For supported appliance models for Infoblox Threat Insight, see Supported Appliances for Infoblox Threat Insight.

To configure Infoblox Threat Insight, complete the following:

  1. Obtain and install valid RPZ and Threat Insight licenses on the appliance that is used to support insight. Note that you must have the Threat Insight service running on the member serving recursive DNS queries or have recursive DNS queries forwarded to another DNS server. To generate reports that contain statistics about DNS tunneling, you must also configure a reporting appliance in the Grid.

  2. Create and add a new local RPZ and use it as the designated mitigation blocklist feed so the appliance can transfer all blocklisted domains to this feed. Ensure that you configure an appropriate policy for this RPZ. To monitor the Threat Insight service before actually blocking domains, set Policy Override to Log Only (Disabled). When you are ready to block offending domains, set Policy Override to None (Given).

  3. Configure admin permissions so admin users can manage the Threat Insight service and insight related tasks. For information about how to configure admin permission, see About Administrative Permissions.

  4. Start the Threat Insight service on the appliance that has the Threat Insight license installed, as described in Starting and Stopping the Threat Insight Service.

Note

The insght functionality only works on recursive servers and forwarding servers that use BIND as the DNS resolver; it does not function on authoritative servers.

After you set up Infoblox Threat Insight to mitigate DNS data exfiltration, you can do the following to manage it:

  • View supported allowlisted domains for insight, as described in Viewing the Insight Allowlist below. Note that these domains are specific to insight only. They are not used in the anti-DNS tunneling threat protection rules.

  • Manually add a custom domain to the insight allowlist, as described in Adding Custom Allowlisted Domains below.

  • Review the blocklisted domains and make decisions about whether to move them to the insiight allowlist so future DNS activities will not be blocked. For more information, see Viewing Blocklisted Domains below.

  • Move a blocklisted domain to the insight allowlist, as described in Moving Blocklisted Domains to the Allowlist.

  • Monitor DNS tunneling activities and events using pre-defined reports and the syslog, as described in Monitoring DNS Tunneling Activities below.

Starting and Stopping the Threat Insight Service

To start the Threat Insight service, you must have at least one RPZ license installed in your Grid (it can be installed on any Grid member) and the Threat Insight license installed on the Grid member on which you want to start the Threat Insight service. You can also stop the service when necessary.

To start or stop the Threat Insight service:

  1. From the Grid tab, select the Grid Manager tab -> Services tab, click the Threat Insight service link. Grid Manager displays only the member or members with the RPZ license installed. Select the member checkbox.

  2. From the Toolbar, click Start to start the service or Stop to stop the service.

When you stop the Threat Insight service, the appliance does not detect or protect against non-signature-based DNS tunneling. In addition, reports that you generate might not include statistics related to DNS tunneling.

Note

After you enable the Threat Insight service, you must restart DNS service for the insight to start working.

Viewing the Insight Allowlist

The DataManagement tab -> Threat Insight tab → Allowlist tab of Grid Manager lists the trusted domains on which NIOS allows DNS traffic by default. These are known good domains that carry legitimate DNS tunneling traffic such as Avast, Sophos, McAfee, Boingo, Barracuda, and others. They are marked as System domains, and you cannot delete them; but you can disable them so NIOS does not treat them as trusted domains. You can also add custom domains or move Blocklisted domains to the insight allowlist. For more information, see Adding Custom Allowlist Domains and Moving Blocklisted Domains to the Allowlist below.

To view a complete list of trusted domains in the insight allowlist:

  1. From the Data Management tab, select the Threat Insight tab -> Allowlist tab.

  2. The appliance displays the following for each trusted domain:

    • Actions: Click the Action icon  next to a domain and select one of the following:

      • Disable: Click this to disable the domain. When you disable a domain, the appliance does not treat this domain as trusted domain until you enable it.

      • Edit: Click this to open the Allowlist editor. For system domains, the only property you can modify is to disable or enable them. For custom domains however, you can also add information to the Comment field.

      • Delete: This is only applicable to custom domains. You cannot delete system domains. Select this to delete the custom domain.

    • Domain Name: The name of the trusted domain.

    • Type: Displays the domain type. This can be System or Custom. A system domain is a trusted domain that carries legitimate DNS tunneling traffic such as Avast, Sophos, McAfee, Boingo, Barracuda, and others. A custom domain is one that you have added to the allowlist or moved from the mitigation blocklist RPZ.

    • Disabled: Indicates whether this domain is disabled or not. The appliance does not treat disabled domains as trusted domains. You can disable both system and custom domains.

    • Comment: Additional information about the domain.


You can also do the following in this panel:

  • Click Go to Mitigation Response Policy Zone to access the blocklisted domains that are identified as offenders for DNS tunneling. Blocklisted domains are detected through Infoblox Threat Insight and automatically transferred to the blocklist RPZ feed. For information about these domains, see Viewing Blocklisted Domains below.

  • Export or import allowlisted domain names using the CSV import and export functionality.

  • Navigate to the next or last page of the allowlist using the paging buttons at the bottom of the panel.

  • Refresh the insight allowlist by clicking the Refresh button.

  • Use filters and the Go to function to narrow down the list. With the autocomplete feature, you can just enter the first few characters of an object name in the Go to field and select the object from the possible matches.

  • Select a quick filter to search for System or Custom allowlist entries, or both.

  • Print the allowlist or export it in CSV format.

Adding Custom Allowlisted Domains

The insight allowlist is populated with trusted domains that carry legitimate DNS tunneling traffic such as Avast, Sophos, McAfee, Boingo, Barracuda, and others.You can add domains that you deem trustworthy to this list. When you add a custom domain, it is marked as Custom in the allowlist.

To add a custom allowlisted domain, complete the following:

  1. From the Data Management tab, select the Threat Insight tab -> Allowlist tab, click the Add icon or click Add Custom Allowlist from the Toolbar.

  2. In the Add Custom Allowlist wizard, complete the following:

    • Domain Name: Enter the name of the domain that you want to add to the insight allowlist.

    • Comment: Enter additional information about this domain.

    • Disable: When you select this, the appliance does not treat this domain as a trusted domain. When you enable the domain again, it is considered as a allowlisted domain.

  3. Save the configuration. You do not need to restart DNS service to update the insight allowlist.

Configuring a Local RPZ as the Mitigation Blocklist Feed

For the Threat Insight service to function properly and for NIOS to properly report detected backlisted domains, you must create and designate local RPZs as the mitigation for the Grid. You can add any Response Policy Zones to the list of RPZs from different Network and DNS Views. When a domain is detected as malicious, NIOS will update all RPZs in the list. If you assign an existing RPZ that is used for other purposes as the mitigation blocklist feed, you may experience the following:

  • Existing RPZ hits are reported as hits detected by the insight after an upgrade.

  • If you manually add rules to the RPZ, all RPZ hits are reported as hits detected by the insight, regardless of whether they match the manually created rules or are detected through the Threat Insight service.

Infoblox recommends that you run the Threat Insight service for a limited time to monitor and preview what has been detected before actually blocking domains. To do so, set Policy Override to Log Only (Disabled) when you create the RPZ so you can monitor blocklisted domains without actually blocking them.

To create and designate a local RPZ as the blocklist feed:

  1. Create a local RPZ by completing the procedure described in Configuring Local RPZs.

    Note to monitor the Threat Insight service without blocking domains, set Policy Override to Log Only (Disabled). When you are ready to block blocklisted domains, set Policy Override to None (Given).

  2. From the Data Management tab, select the Threat Insight tab -> Allowlist tab, click the Grid Threat Insight Properties from the Toolbar.

  3. In the Grid Threat Insight Properties editor, click the DNS Threat Insight tab, and complete the following:

    • Click the Add icon to open the Zone Selector dialog box and select the RPZs. You must configure at least one local RPZ. To remove an RPZ, select it from the table and click Delete.

    • Save the configuration.

Enabling Integration with Infoblox Threat Defense Cloud for Threat Insight

If your network configuration includes Infoblox Threat Defense Business On-premises, Infoblox Threat Defense Business Cloud, or Infoblox Threat Defense Advanced, you can configure a cloud integration client to collect malicious domains detected by Threat Insight in the Infoblox Threat Defense cloud. NIOS then applies the detected domains to RPZs that were configured for the on-premises Grid. This feature ensures that all malicious domains detected in Infoblox Threat Defense Cloud are also applied on Grid members on-prem.

You can use this feature when you have Infoblox Threat Defense Business On-premises, Infoblox Threat Defense Business Cloud, or Infoblox Threat Defense Advanced license. Note that you can configure only one cloud client per on-premises Grid. Ensure that you configure the email address and password in the Grid Properties Editor before you enable the integration with Infoblox Threat Defense Cloud Client. For more information about Configuring Integration with Infoblox Threat Defense Cloud, see Configuring Integration with Infoblox Threat Infoblox Cloud.

To enable the integration with Infoblox Threat Defense Cloud, complete the following steps:

  1. From the Data Management tab, select the DNS tab -> Response Policy Zones tab. Expand the Toolbar and click Infoblox Threat Defense Cloud Client.

  2. In the Infoblox Threat Defense Cloud Integration Client editor, complete the following:

    • Enable Cloud Client: Select this checkbox to enable NIOS to get Threat Insight results in Infoblox Threat Defense Cloud.
      The results are periodically synchronized based on the interval you set. NIOS requests only subsequent data since the last data timestamp.

    • Interval: You can specify how often to request Threat Insight results detected in Infoblox Threat Defense Cloud in seconds or minutes. The default is 10 minutes.

    • The list of Response Policy Zones to use for blocklisted domains: Click the Add icon to add an RPZ to the list. When there are multiple zones, Grid Manager displays the Zone Selector dialog box from which you can select one. You can add RPZs from different network and DNS views.

  3. Click Save & Close.

Viewing Blocklisted Domains

To review the list of blocklisted domains, complete the following:

  1. From the Data Management tab, select the Data Management tab -> DNS tab -> Response Policy Zones tab, click the mitigation blocklist RPZ name.

  2. Grid Manager displays the following for each blocklisted domain:

    • Name or Address: Displays the name or IP address of the blocklisted domain.

    • Policy: Displays the policy used to handle the responses when NIOS detected the blocklisted domain.

    • Data: Displays the target data about this domain.

    • Comment: Displays additional information about this domain.

    • Site: This is a pre-defined extensible attribute (if configured) that is used to indicate the location of the domain.

    • Disable: Indicates whether this domain is disabled or not. When the domain is disabled, the appliance does not block activities on this domain, and configuration for this domain does not change. When the domain is enabled, it is considered as a blocklisted domain and all DNS activities are blocked.

You can also do the following in the blocklisted domain panel:

  • Click Go to Threat Insight Allowlist View to view the insight allowlist. In the Allowlist panel, you can see all the trusted domains for Infoblox Threat Insight, and DNS activities are allowed on these domains.

  • If you want to move a blocklisted domain to the insght allowlist so it becomes a trusted domain, select the domain checkbox and click the Action icon next to the domain, and then select Move to Allowlist.

  • Navigate to the next or last page of the allowlist using the paging buttons at the bottom of the panel.

  • Refresh the blocklist feed by clicking the Refresh button.

  • Use filters and the Go to function to narrow down the list. With the autocomplete feature, you can just enter the first few characters of an object name in the Go to field and select the object from the possible matches.

  • Select a quick filter to search for specific entries.

  • Print the blocklist or export it in CSV format.

Moving Blocklisted Domains to the Allowlist

When the appliance detects an offending domain for possible DNS tunneling, it responds according to the policy defined in the mitigation blocklist RPZ and adds the domain to the blocklist RPZ feed. You can view all blocklisted domains and turn those you deem trustworthy into trusted domains by moving them to the insight allowlist. Note that once you move a blocklisted domain to the allowlist, you cannot reverse the action.

To move a blocklisted domain to the insight allowlist:

  1. From the Data Management tab, select the Data Management tab -> DNS tab -> Response Policy Zones tab.

  2. Select a blocklisted domain and click the Action icon next to a domain and select Move to Allowlist.

The appliance removes the selected domain from the blocklist and adds it to the insight allowlist. You can click Go to Insight Allowlist View to verify that the domain has been successfully moved.

Updating Threat Insight Module and Allowlist Sets

Infoblox periodically releases Threat Insight module and allowlist sets. To ensure that you can import Threat Insight updates, you must have at least one Threat Insight license installed in the Grid. The Threat Insight module set consists of the insight application .jar file, which delivers changes and updates for DNS tunneling detection; and the allowlist set consists of updated trusted domains that carry legitimate DNS tunneling traffic. You can download updates for the module set and allowlist set independently depending on how often Infoblox rolls them out. The appliance displays the version numbers of the module set and allowlist set that your Grid is currently using. To view this information before downloading updates, see Viewing Module and Allowlist Versions below.

You can configure the appliance to automatically receive and apply the latest module set and/or allowlist set. When you define an automatic update policy, the appliance checks both the insight module and allowlist files and automatically downloads the files that have changed. You can also configure a manual update policy in which the appliance notifies you through the message banner when there are updates available. You can then decide whether you want to apply the updates to your Grid or not. For information about how to define the update policy, see Defining the Threat Insight Update Policy below. For information about how to perform manual updates, see Manually Uploading Threat Insight Updates below.

Infoblox recommends that you configure the appliance to automatically receive module and allowlist updates, so your appliance receives the latest information periodically. If you prefer to manually upload updates to your Grid, ensure that you apply them frequently to receive the most updated information.

Viewing Module and Allowlist Versions

  1. On the Data Management tab ->Threat Insight tab -> Allowlist tab, expand the Toolbar, and then click Grid Threat Insight Properties.

  2. In the Grid Threat Insight Properties editor, click the Updates tab. This tab displays the following information:

    • Active Allowlist Version: Displays the version number of the Threat Insight allowlist set that is currently running on the Grid.

    • Active Module Set Version: Displays the version number of the Threat Insight module set that is currently active on the Grid.

Defining the Threat Insight Update Policy

You can configure the settings to obtain policy updates independently for Allowlist or module set, or for both. To configure how you want to obtain the latest Threat Insight updates, complete the following:

  1. On the Data Management tab -> Threat Insight tab -> Allowlist tab, expand the Toolbar, and then click Grid Threat Insight Properties.

  2. In the Grid Threat Insight Properties editor, click the Updates tab,

  3. In the Allowlist Updates section, complete the following:

    • Latest Available Allowlist: Displays the latest allowlist that is available for download.

    • Last Checked For Updates: Displays the timestamp when the Grid last checked for updates.

    • Allowlist Update Policy: When you select Automatic, the appliance automatically downloads the latest allowlist updates based on the default or custom schedule. The appliance checks allowlist files and automatically downloads only the files that have changed. When you select an automatic policy, latest updates are activated automatically. If you select Manual as the update policy, the appliance displays a banner message in Grid Manager to notify you when new updates are available. You must then decide whether to apply the updates to the Grid or not. For information about how to manually apply the updates, see Manually Uploading Threat Insight Updates below.

    • Enable Automatic Allowlist Updates: Select this checkbox to enable the automatic upload feature. When necessary, you can click Download Allowlist Now to override the automatic update policy.
      In the Schedule section, set up a recurring schedule for automatic updates as described in step 5.

  4. In the Module Set Updates section, complete the following:

    • Latest Available Module Set: Displays the latest module set that is available for download.

    • Last Checked For Updates: Displays the timestamp when the Grid last checked for updates.

    • Module Set Update Policy: When you select Automatic, the appliance automatically downloads the latest module set and/or allowlist set based on the default or custom schedule. The appliance checks both the module and allowlist files and automatically downloads only the files that have changed. When you select an automatic policy, the Threat Insight service on the Grid members is restarted automatically to activate the latest updates. If you select Manual as the update policy, the appliance displays a banner message in Grid Manager to notify you when new updates are available. You must then decide whether to apply the updates to the Grid or not. For information about how to manually apply the updates, see Manually Uploading Threat Insight Updates below.

    • Enable Automatic Module Set Updates: Select this checkbox to enable the automatic upload feature. When necessary, you can click Download Module Set Now to override the automatic update policy.
      set up a recurring schedule for automatic updates as described in step 5.

  5. In the Schedule section, select one of the following to set up a recurring schedule for automatic downloads:

    • Default: When you select this, the appliance downloads the updates between 12:00 a.m. and 6:00 a.m. local time based on the time zone configured on your appliance. The appliance automatically selects a time between this time window the first time it performs an automatic update. All subsequent updates then follow the same schedule based on the selected time.

    • Custom: Select this and click the calendar icon to configure a custom schedule. Based on the policy you are configuring, in the Automatic Allowlist Updates Scheduler or Automatic Module Set Updates Scheduler, you can select Hourly, Daily, Weekly, or Monthly based on how often you want to update the module set and allowlist set.

      Note that the scheduled time does not indicate the exact time for the download. Downloads occur during the mid-point during of a 30-minute time frame. Therefore, the actual download can happen 15 minutes before or after the scheduled time.

      • When you select Hourly, complete the following:

        • Schedule every hour(s) at: Enter the number of hours between each update instance. You can enter a value from 1 to 24.

        • Minutes past the hour: Enter the number of minutes past the hour. For example, enter 5 if you want to schedule the rule update five minutes after the hour.

        • Time Zone: Select the time zone for the scheduled time from the drop-down list.

      • When you select Daily, you can select either Every day or Every Weekday, and then complete the following:

        • Time: Enter a time in hh:mm:ss AM/PM (hours:minutes:seconds AM or PM) format. You can also select a time from the drop-down list by clicking the time icon.

        • Time Zone: Select the time zone for the scheduled time from the drop-down list.

      • When you select Weekly, complete the following:

        • Schedule every week on: Select any day of the week.

        • Time: Enter a time in hh:mm:ss AM/PM (hours:minutes:seconds AM or PM) format. You can also select a time from the drop-down list by clicking the time icon.

        • Time Zone: Select the time zone for the scheduled time from the drop-down list.

      • When you select Monthly, complete the following:

        • Schedule the day of the month: Enter the day of the month and the monthly interval. For example, to schedule the rule update on the first day after every 2 months, you can enter Day 1 every 2 month(s).

        • Time: Enter a time in hh:mm:ss AM/PM (hours:minutes:seconds AM or PM) format. You can also select a time from the drop-down list by clicking the time icon.

        • Time Zone: Select the time zone for the scheduled time from the drop-down list.

  6. Save the configuration.

Manually Uploading Threat Insight Updates

When you configure a manual update policy, the appliance notifies you about newly available module set and/or allowlist set updates. You can manually upload the updated files and apply them to the Grid.

To manually upload Threat Insight updates:

  1. From the Data Management tab, select the Threat Insight tab -> Allowlist tab, click Updates -> Manual Update from the Toolbar.

  2. The Threat Insight Upload dialog displays the following:

    • Current Allowlist Version: Displays the version of the allowlist set that is currently running on the Grid.

    • Last Applied On: Displays the timestamp and time zone when the last allowlist set was applied to the Grid. This field changes each time when a allowlist set is applied.

    • Latest Available Module Set: Displays the version string of the latest available module set. This field changes each time when the module set is updated.

    • Last Applied On: Displays the timestamp and time zone when the last module set was applied to the Grid. This field changes each time when a module is applied.

      To upload the module set or allowlist set:

    • File: Click Select to navigate to the file location, and then upload the file. The appliance displays the file name in this field. You can upload either a module set or a allowlist set. Check the current version numbers of the allowlist and module sets to verify if they have changed before uploading new files.

Click Test to check the changes that will occur during the update, without actually applying the update. You can view update details in the Syslog Viewer. The appliance preserves the uploaded file if you do not click Update to update the module set or allowlist set. When you manually upload next time, this file name is displayed in the dialog. You can then choose to apply the update from this file or upload a new file before performing the update. Uploading a new file will remove the file that has not been applied.

3. Click Update to update the module set or allowlist set. You can also click View Update Results to view the update results.

Monitoring DNS Tunneling Activities

You can monitor DNS tunneling activities through the following:

  • Pre-defined Reports: If you have a reporting appliance configured in the Grid, you can generate the following reports that include DNS tunneling data. 
    For more information about the following topics, see Security Dashboards:  

    • DNS Top Tunneling Activity.

    • DNS Tunneling Traffic by Category. 

    • Top Malware and DNS Tunneling Events by Client. 

  • Syslog: All DNS tunneling activities are logged to the syslog. You can view this log to identify specific activities related to DNS tunneling. For more information, see Using a Syslog Server. 

Â