Differences

This shows you the differences between two versions of the page.

--- infoblox_threat_defense:threat_insight [2025/07/17 00:14] – bstafford
+++ infoblox_threat_defense:threat_insight [2026/01/21 09:17] (current) – bstafford
@@ Line 2: / Line 2: @@
 Page on types of Threat Insight events in cloud [[https://docs.infoblox.com/space/BloxOneThreatDefense/203358417/Threat+Insight+Guide|here]].
+A nice blog post on Infoblox's TI detection [[https://blogs.infoblox.com/security/dns-a-small-but-effective-c2-system/|here]].
+In the cloud portal, the Exfiltration custom list will show a description that says why a domain was flagged as exfiltration. This may include
+Number:
+  * Number of queries in a session
+  * Number of unique queries in a session
+  * Number of unique answers in a session
+QNames:
+  * Mean length of qnames
+  * Distinct characters found in qnames
+  * Relatively normalcy of the qnames
+  * Number of words found in qnames relative to its length
+Entropy:
+  * Entropy of answers
+  * Entropy of answers
+Other:
+  * The name servers used for the domain is not reputable
+Syslog of Hit (src = client that made the query to NIOS)
+<code>src=10.10.20.20 spt=53198 view=_default qtype=A msg="rpz QNAME CNAME rewrite ws-zw9yt1viqsxqrc8ilpp06my7qoinq3kxphttfio969l15lqsvw.example.com [A] via ws-zw9yt1viqsxqrc8ilpp06my7qoinq3kxphttfio969l15lqsvw.example.com.threatinsightfeed.local" CAT=RPZ</code>
+A major differentiator between Threat Insight and Threat Insight in the Cloud is that Threat Insight in the Cloud, although slower due to the time spent transporting data to the cloud, blocking of malicious DNS traffic is more advanced and has a greater processing capability to deal with a wider range of threats. For example, it can protect against DGA and Fast Flux activity and deal with "lower and slower" exfiltration attempts, while Threat Insight on-premise is faster it can’t protect against Data Exfiltration, DNS Messenger, Fast Flux, DGA.