Saucepan

User Tools

Site Tools

Trace:
infoblox_threat_defense:tide

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
infoblox_threat_defense:tide [2024/12/27 15:12] – created bstaffordinfoblox_threat_defense:tide [2026/03/31 22:44] (current) bstafford
Line 1: Line 1:
 ====== TIDE ====== ====== TIDE ======
 TIDE is Threat Intelligence Data Exchange. It is effectively a very large Threat Database that is managed by the Infoblox Threat Intelligence Team. From its database, the Infoblox RPZ feeds are generated. TIDE is Threat Intelligence Data Exchange. It is effectively a very large Threat Database that is managed by the Infoblox Threat Intelligence Team. From its database, the Infoblox RPZ feeds are generated.
 +
 +NOTE: When you add indicators via TIDE, be aware that the associated RPZ feed will filter out anything that is in Infoblox's internal Global Allow list (e.g. brave[.]com)
  
 ===== Active Indicators ===== ===== Active Indicators =====
Line 7: Line 9:
 Infoblox has harmless test domains that are in various RPZ feeds. This allows you to test that a given RPZ feed is active and working as well as generate example logs, etc. Infoblox has harmless test domains that are in various RPZ feeds. This allows you to test that a given RPZ feed is active and working as well as generate example logs, etc.
  
-Test RPZ data [[infoblox:test_domains|here]].+Test RPZ data [[infoblox_threat_defense:test_domains|here]]
 + 
 +NOTE: If you upload data to a custom TIDE profile, then if any indicator in that profile matches the Infoblox Allowlist feed, that indicator will be suppressed from the customer TIDE profile RPZ feed. i.e. if you try to add brave[.]com to your custom TIDE data, it won't appear in the associate RPZ feed because that indicator is also on Infoblox Allowlist. You can't download the Infoblox Allowlist but you can check any specific indicator against Dossier to see if it is on the Infoblox Allowlist (JSON data via API will have it as 'whitelist'). You can block such indicators using a custom list.
 ===== List TIDE Data ===== ===== List TIDE Data =====
  
Line 141: Line 145:
 SUBRL is SPAM URI (Uniform Resource Identifier) Real-time Block List. SUBRL is SPAM URI (Uniform Resource Identifier) Real-time Block List.
  
 +  * Infoblox Curated Data - Data created by Infoblox
 +  * Infoblox 3rd Party Data - Data from Infoblox 3rd Parties that make into Infoblox 3rd party feeds (e.g. DHS, Farsight, etc)
 +  * Your Uploaded Data - Your data that you uploaded to TIDE
 =====Your Uploaded Data===== =====Your Uploaded Data=====
   * 0011A00001AaA1aAAA:name-of-custom-data-profile   * 0011A00001AaA1aAAA:name-of-custom-data-profile
Line 177: Line 184:
 Upload with CURL Upload with CURL
 <code> curl -H "AUTHORIZATION:TOKEN APIKEY" -H 'Content-Type: application/json;' -X POST "https://csp.infoblox.com/tide/api/data/batches?profile=SampleDataProfile" --data-binary '@/home/name/DATA_FILE_NAME.json'</code> <code> curl -H "AUTHORIZATION:TOKEN APIKEY" -H 'Content-Type: application/json;' -X POST "https://csp.infoblox.com/tide/api/data/batches?profile=SampleDataProfile" --data-binary '@/home/name/DATA_FILE_NAME.json'</code>
 +You will see output like
 +<code>{"link":[{"href":"/data/batches/353eb24e-0024-11f1-bd68-9f833fd2874a","rel":"self"},{"href":"/data/batches/353eb24e-0024-11f1-bd68-9f833fd2874a/detail","rel":"detail"}],"id":"353eb26e-0024-11f1-bd69-9f833fd2874a","submitted":"2026-02-02T10:44:53.752Z","imported":"2026-02-02T10:44:53.752Z","profile":"0011M00002TfW3wZZF:SampleDataProfile","status":"DONE","user":"user@domain.com","organization":"0011M00002TfW3wZZF","method":"api","type":"HOST","total":1,"num_successful":1,"num_errors":0}</code>
  
 The recommended limit for the number of records in a given data submission is 50,000. The maximum number of records should be no more than 60,000 at this point in time. The recommended limit for the number of records in a given data submission is 50,000. The maximum number of records should be no more than 60,000 at this point in time.
Line 232: Line 241:
 APIKEY=SET_APIKEY APIKEY=SET_APIKEY
 curl -X GET -H "Authorization: Token token=$APIKEY" "https://csp.infoblox.com/tide/api/data/threats/state?type=host&profile=$SOURCE&property=$PROPERTY&threat_level_from=$MIN_THREAT_LEVEL&period=$AGE&rlimit=$LIMIT&field=host,detected" | sed s/,/\\n/g | grep host | awk -F "\"" '{print $4}' > $OUTPUT</code> curl -X GET -H "Authorization: Token token=$APIKEY" "https://csp.infoblox.com/tide/api/data/threats/state?type=host&profile=$SOURCE&property=$PROPERTY&threat_level_from=$MIN_THREAT_LEVEL&period=$AGE&rlimit=$LIMIT&field=host,detected" | sed s/,/\\n/g | grep host | awk -F "\"" '{print $4}' > $OUTPUT</code>
 +
 +====Sitting ducks====
 +<code>https://csp.infoblox.com/tide/api/data/threats?type=host&property=policy_sittingducks&field=host,threat,tld&data_format=csv</code>
 +<code>https://csp.infoblox.com/tide/api/data/threats/state/host?property=Policy_SittingDucks&show_full_profiles=t&data_format=ndjson</code>
 +<code>https://csp.infoblox.com/tide/api/data/threats?type=host&property=policy_sittingducks&field=host,tld,detected&data_format=csv</code>
 +<code>https://csp.infoblox.com/tide/api/data/threats?type=host&property=policy_sittingducks&field=host,detected,property,tld&data_format=csv</code>
 +<code>https://csp.infoblox.com/tide/api/data/threats?type=host&property=policy_sittingducks&field=host,tld,detected&data_format=csv</code>
 +<code>https://csp.infoblox.com/tide/api/data/threats?type=host&property=policy_sittingducks&profile=iid&data_format=csv&field=host</code>
 +
 +====Lookalikes====
 +<code>https://csp.infoblox.com/tide/api/data/threats?type=host&property=Policy_LookalikeDomains&field=host,tld,detected&data_format=csv<code>
 +
 +
 +
 +====Compromised Domains====
 +<code>https://csp.infoblox.com/tide/api/data/threats?type=host&property=CompromisedDomain_SittingDucks&field=host,tld,detected&data_format=csv</code>
 +
 ==== Get Newly Observed Domains==== ==== Get Newly Observed Domains====
 <code>curl -s -X GET -H "Authorization: Token token=$API_KEY" "https://csp.infoblox.com/tide/api/data/threats/host/hourly?property=Policy_NewlyObservedDomains&data_format=csv&field=host" > new-domains.txt</code> <code>curl -s -X GET -H "Authorization: Token token=$API_KEY" "https://csp.infoblox.com/tide/api/data/threats/host/hourly?property=Policy_NewlyObservedDomains&data_format=csv&field=host" > new-domains.txt</code>
infoblox_threat_defense/tide.1735312330.txt.gz · Last modified: by bstafford