infoblox_nios:threat_insight
infoblox_nios:threat_insight [2023/10/31 13:13] bstafford
infoblox_nios:threat_insight [2025/07/30 08:41] (current) bstafford
Line 1: Line 1:
 ====== NIOS Threat Insight ====== ====== NIOS Threat Insight ======
 +===== Threat Insight =====
 NOT SUPPORTED ON TE-926 or TE-825 or TE-815 NOT SUPPORTED ON TE-926 or TE-825 or TE-815
  
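Review bot: the added ''===== Threat Insight ====='' sub-heading sits directly under the ''====== NIOS Threat Insight ======'' page title and only repeats it, so it introduces a heading level without introducing a new section; either drop it or name it after what actually follows (the appliance support statement). The unchanged "NOT SUPPORTED ON TE-926 or TE-825 or TE-815" line and the later "Threat Insight requires TE-1415 or higher" sentence state the same rule in two places; a single sentence that lists the minimum model and the excluded ones together would be easier to keep consistent when a new model ships.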
Line 16: Line 17:
 To monitor the threat analytics service before actually blocking domains, set Policy Override to Log Only (Disabled). When you are ready to block offending domains, set Policy Override to None (Given). To monitor the threat analytics service before actually blocking domains, set Policy Override to Log Only (Disabled). When you are ready to block offending domains, set Policy Override to None (Given).
  
-When running Threat Insight and/or ADP on the Grid, to download the latest module updates and whitelist updates or ADP updates , the Grid Master needs to resolve and access ''https://ts.infoblox.com'' on tcp-443. You may need to configure the proxy settings in the Grid and you may need to disable TLS inspection on the proxy.+When running Threat Insight and/or ADP on the Grid, to download the latest module updates and whitelist updates or ADP updates , the Grid Master needs to resolve and access ''https://ts.infoblox.com'' on tcp-443 (from NIOS 9.0.7 onwards, ''https://csp.infoblox.com'' is the default and preferred but will fallback to 'https://ts.infoblox.com'' if it can't reach ''https://csp.infoblox.com''. You may need to configure the proxy settings in the Grid and you may need to disable TLS inspection on the proxy.
  
 Threat Insight requires "TE-1415" or higher. Using unsupported appliance models (e.g. TE-825) for Infoblox Threat Insight might cause performance issues. Threat Insight requires "TE-1415" or higher. Using unsupported appliance models (e.g. TE-825) for Infoblox Threat Insight might cause performance issues.
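Review bot: the parenthetical added to the ''ts.infoblox.com'' line is never closed and its quoting is unbalanced: the text opens with "(from NIOS 9.0.7 onwards" and never reaches a ")", and the fallback host is written as 'https://ts.infoblox.com'' with one opening quote and two closing ones. Suggested reading: "(from NIOS 9.0.7 onwards, ''https://csp.infoblox.com'' is the default and preferred endpoint, but the Grid Master will fall back to ''https://ts.infoblox.com'' if it cannot reach ''https://csp.infoblox.com'')". "fallback" as a verb should be "fall back", and "updates ," has a stray space before the comma. Because 9.0.7 changes which host is tried first, the following sentence about proxy settings and TLS inspection should say explicitly that both hostnames must be resolvable and reachable on tcp-443 through the proxy or egress rules; an allow rule that only permits ''ts.infoblox.com'' will leave an upgraded grid silently on the fallback path, and one that only permits the new host will break grids still on older NIOS.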
Line 39: Line 40:
 The documentation says that Threat Insight supports BIND only - not Unbound. This is because there was a version of the 40xx series that had an unbound option created for a specific use case. It was removed from the code in NIOS 9.0.0 The documentation says that Threat Insight supports BIND only - not Unbound. This is because there was a version of the 40xx series that had an unbound option created for a specific use case. It was removed from the code in NIOS 9.0.0
  
 +===== NIOS Client for Threat Insight =====
 +NIOS can access Threat Insight in the BloxOne Cloud using API.
 +
 +Called "Infoblox Threat Defense Cloud Client" under Data Management > DNS > Response Policy Zones (option on right of screen).
 +
 +Documentation [[https://docs.infoblox.com/space/nios90/280759852/Configuring+Infoblox+Threat+Defense+Cloud+Clients+for+Outbound|here]].
 +
 +The Threat Insight in the Cloud Integration Client will request all detected domains from the Cloud. So you must configure at least one RPZ. You can force a refresh using ''set cloud_services_portal_force_refresh'' CLI command. Do you want to force a refresh?
  
 ===== Notes ===== ===== Notes =====
-Domains in "Infoblox Allowlist" do not get considered by Threat Insight.+Domains in "Infoblox Allowlist" do not get considered by Threat Insight. The "Infoblox Allowlist" is an internal list at Infoblox of well known/used domains and is designed to prevent false positives from taking services offline for customers.
  
 Bad domains in the TIDNST feed get removed after 30 days. Bad domains in the TIDNST feed get removed after 30 days.
  
-BloxOne Cloud Integration for Threat Insight can use API KEY.+BloxOne Cloud Integration (BloxOne Threat Defense Cloud Client) for Threat Insight can use API KEY.
  
  
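Review bot: in the new "NIOS Client for Threat Insight" section the sentence "So you must configure at least one RPZ" gives no reason for the "So"; state what the client does with the domains it requests (where they are delivered) so the RPZ requirement follows from it. The first line should read "using the API", and the credential it uses is only mentioned much later, in the Notes hunk ("can use API KEY"); that statement belongs next to the client description. The feature is named three different ways across the hunk: "Infoblox Threat Defense Cloud Client" (the menu label), "BloxOne Cloud Integration" and "BloxOne Threat Defense Cloud Client"; pick the name the UI shows and use it throughout, noting the alternate name once. Finally, the trailing "Do you want to force a refresh?" reads as the CLI's confirmation prompt pasted into the prose; if that is the prompt printed by ''set cloud_services_portal_force_refresh'', set it off as quoted output after the command rather than leaving it as a question to the reader.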
Line 67: Line 76:
  
 In the cloud, high profile TLD in FQDN won't block detection. Nameservers are taken into consideration now. In the cloud, high profile TLD in FQDN won't block detection. Nameservers are taken into consideration now.
 +
 +Another NIOS log
 +  * Facility = user
 +  * Level = INFO
 +  * server = analytics[]
 +  * Message =
 +    * DNS Tunneling detected: Domain name *.nw44.domain.com has been detected with tunneling activity. The analytics classification was triggered by 100 queries from client IP: 192.168.1.1 to domain nw44.domain.com. The likelihood of the detection is 0.9954415716903586. Trigger 100 of 100 : 
 +    * {
 +    * "timestamp":"2024-02-15T11:51:57",
 +    * "qName":"23897.GFC27BGHH2YS3M2AHFBW.nw44.domain.com",
 +    * "qType":"A",
 +    * "rData":"",
 +    * "ttl":604800,
 +    * "delay":16
 +    * }
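Review bot: in the "Another NIOS log" block the JSON object that follows "Trigger 100 of 100 :" has been split into one bullet per line, which loses the fact that it is a single payload inside one syslog message; put the whole message, from "DNS Tunneling detected" through the closing brace, in a ''<code>'' block so the braces, quotes and commas survive exactly as logged. "server = analytics[]" shows the daemon name with empty brackets; if the brackets normally carry a PID, say so, or give a complete sample line. For anyone writing a SIEM field extraction against this message, it would help to name the stable fields explicitly (the wildcard domain, the client IP, the query count, the likelihood score and the per-query JSON with qName, qType, rData, ttl and delay) and to say which parts of the wording are fixed, since the free-text prefix and the JSON suffix need different parsing.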
infoblox_nios/threat_insight.1698758029.txt.gz · Last modified: by bstafford