| Previous revision | Current revision |
| infoblox_threat_defense:tide [2025/01/19 19:12] – [What is In the Custom RPZ Feed Options] bstafford | infoblox_threat_defense:tide [2026/03/31 22:44] (current) – bstafford |
|---|
| ====== TIDE ====== | ====== TIDE ====== |
| TIDE is Threat Intelligence Data Exchange. It is effectively a very large Threat Database that is managed by the Infoblox Threat Intelligence Team. From its database, the Infoblox RPZ feeds are generated. | TIDE is Threat Intelligence Data Exchange. It is effectively a very large Threat Database that is managed by the Infoblox Threat Intelligence Team. From its database, the Infoblox RPZ feeds are generated. |
| | |
| | NOTE: When you add indicators via TIDE, be aware that the associated RPZ feed will filter out anything that is in Infoblox's internal Global Allow list (e.g. brave[.]com). |
| |
| ===== Active Indicators ===== | ===== Active Indicators ===== |
| Infoblox has harmless test domains that are in various RPZ feeds. This allows you to test that a given RPZ feed is active and working as well as generate example logs, etc. | Infoblox has harmless test domains that are in various RPZ feeds. This allows you to test that a given RPZ feed is active and working as well as generate example logs, etc. |
| |
| Test RPZ data [[infoblox:test_domains|here]]. | Test RPZ data [[infoblox_threat_defense:test_domains|here]]. |
| | |
| | NOTE: If you upload data to a custom TIDE profile, any indicator in that profile that matches the Infoblox Allowlist feed will be suppressed from that custom TIDE profile's RPZ feed. For example, if you try to add brave[.]com to your custom TIDE data, it won't appear in the associated RPZ feed because that indicator is also on the Infoblox Allowlist. You can't download the Infoblox Allowlist, but you can check any specific indicator against Dossier to see if it is on the Infoblox Allowlist (JSON data via the API will show it as 'whitelist'). You can block such indicators using a custom list. |
| ===== List TIDE Data ===== | ===== List TIDE Data ===== |
| |
| Upload with CURL | Upload with CURL |
| <code>curl -H "Authorization: Token token=APIKEY" -H 'Content-Type: application/json' -X POST "https://csp.infoblox.com/tide/api/data/batches?profile=SampleDataProfile" --data-binary '@/home/name/DATA_FILE_NAME.json'</code> | <code>curl -H "Authorization: Token token=APIKEY" -H 'Content-Type: application/json' -X POST "https://csp.infoblox.com/tide/api/data/batches?profile=SampleDataProfile" --data-binary '@/home/name/DATA_FILE_NAME.json'</code> |
| | You will see output like |
| | <code>{"link":[{"href":"/data/batches/353eb24e-0024-11f1-bd68-9f833fd2874a","rel":"self"},{"href":"/data/batches/353eb24e-0024-11f1-bd68-9f833fd2874a/detail","rel":"detail"}],"id":"353eb26e-0024-11f1-bd69-9f833fd2874a","submitted":"2026-02-02T10:44:53.752Z","imported":"2026-02-02T10:44:53.752Z","profile":"0011M00002TfW3wZZF:SampleDataProfile","status":"DONE","user":"user@domain.com","organization":"0011M00002TfW3wZZF","method":"api","type":"HOST","total":1,"num_successful":1,"num_errors":0}</code> |
| |
| The recommended limit for the number of records in a given data submission is 50,000. The maximum number of records should be no more than 60,000 at this point in time. | The recommended limit for the number of records in a given data submission is 50,000. The maximum number of records should be no more than 60,000 at this point in time. |
| <code>APIKEY=SET_APIKEY | <code>APIKEY=SET_APIKEY |
| SOURCE=SET_PROFILE              # TIDE profile to query, e.g. iid | SOURCE=SET_PROFILE              # TIDE profile to query, e.g. iid |
| PROPERTY=SET_PROPERTY           # threat property, e.g. Policy_NewlyObservedDomains | PROPERTY=SET_PROPERTY           # threat property, e.g. Policy_NewlyObservedDomains |
| MIN_THREAT_LEVEL=SET_LEVEL      # lowest threat level to include | MIN_THREAT_LEVEL=SET_LEVEL      # lowest threat level to include |
| AGE=SET_PERIOD                  # lookback period for the state query | AGE=SET_PERIOD                  # lookback period for the state query |
| LIMIT=SET_LIMIT                 # maximum number of records to return | LIMIT=SET_LIMIT                 # maximum number of records to return |
| OUTPUT=SET_OUTPUT_FILE          # file that receives one host per line | OUTPUT=SET_OUTPUT_FILE          # file that receives one host per line |
| # Split the JSON on commas, keep the "host" entries and print the value between the quotes | # Split the JSON on commas, keep the "host" entries and print the value between the quotes |
| curl -X GET -H "Authorization: Token token=$APIKEY" "https://csp.infoblox.com/tide/api/data/threats/state?type=host&profile=$SOURCE&property=$PROPERTY&threat_level_from=$MIN_THREAT_LEVEL&period=$AGE&rlimit=$LIMIT&field=host,detected" | sed s/,/\\n/g | grep host | awk -F "\"" '{print $4}' > $OUTPUT</code> | curl -X GET -H "Authorization: Token token=$APIKEY" "https://csp.infoblox.com/tide/api/data/threats/state?type=host&profile=$SOURCE&property=$PROPERTY&threat_level_from=$MIN_THREAT_LEVEL&period=$AGE&rlimit=$LIMIT&field=host,detected" | sed s/,/\\n/g | grep host | awk -F "\"" '{print $4}' > $OUTPUT</code> |
| | |
| | ====Sitting ducks==== |
| | <code>https://csp.infoblox.com/tide/api/data/threats?type=host&property=policy_sittingducks&field=host,threat,tld&data_format=csv</code> |
| | <code>https://csp.infoblox.com/tide/api/data/threats/state/host?property=Policy_SittingDucks&show_full_profiles=t&data_format=ndjson</code> |
| | <code>https://csp.infoblox.com/tide/api/data/threats?type=host&property=policy_sittingducks&field=host,tld,detected&data_format=csv</code> |
| | <code>https://csp.infoblox.com/tide/api/data/threats?type=host&property=policy_sittingducks&field=host,detected,property,tld&data_format=csv</code> |
| | <code>https://csp.infoblox.com/tide/api/data/threats?type=host&property=policy_sittingducks&profile=iid&data_format=csv&field=host</code> |
| | |
| | ====Lookalikes==== |
| | <code>https://csp.infoblox.com/tide/api/data/threats?type=host&property=Policy_LookalikeDomains&field=host,tld,detected&data_format=csv</code> |
| | |
| | ====Compromised Domains==== |
| | <code>https://csp.infoblox.com/tide/api/data/threats?type=host&property=CompromisedDomain_SittingDucks&field=host,tld,detected&data_format=csv</code> |
| | |
| ==== Get Newly Observed Domains==== | ==== Get Newly Observed Domains==== |
| <code>curl -s -X GET -H "Authorization: Token token=$API_KEY" "https://csp.infoblox.com/tide/api/data/threats/host/hourly?property=Policy_NewlyObservedDomains&data_format=csv&field=host" > new-domains.txt</code> | <code>curl -s -X GET -H "Authorization: Token token=$API_KEY" "https://csp.infoblox.com/tide/api/data/threats/host/hourly?property=Policy_NewlyObservedDomains&data_format=csv&field=host" > new-domains.txt</code> |
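The batch upload above and the 50,000-record recommendation, worked through as an added Python example that is not part of this wiki page: it splits indicator records into submissions of at most 50,000, builds each POST with the same Authorization header the page's curl calls use, and checks the response JSON (the shape shown on this page) for a fully imported batch. The batch body layout (feed/profile/record_type/record), the `SAMPLE_RECORDS` hosts and the canned response are assumptions of this example, not taken from the page.

```python
import json
from urllib.request import Request

TIDE_BATCH_URL = "https://csp.infoblox.com/tide/api/data/batches"
RECOMMENDED_LIMIT = 50_000   # per-submission limit recommended on this page


def chunk_records(records, size=RECOMMENDED_LIMIT):
    """Split indicator records into submissions of at most `size` records."""
    if size <= 0:
        raise ValueError("batch size must be positive")
    return [records[i:i + size] for i in range(0, len(records), size)]


def build_batch_request(api_key, profile, records, record_type="host"):
    """Build the POST for one batch. The body layout (feed/profile/record_type/
    record) is an assumption of this example, check it against the TIDE API
    docs; the headers and URL match the curl call on the page."""
    body = {"feed": {"profile": profile, "record_type": record_type,
                     "record": records}}
    return Request(f"{TIDE_BATCH_URL}?profile={profile}",
                   data=json.dumps(body).encode(),
                   headers={"Authorization": f"Token token={api_key}",
                            "Content-Type": "application/json"},
                   method="POST")


def check_batch_response(response_text, expected_total):
    """Parse the batch response JSON and report whether every record imported.
    Returns (ok, summary); a batch with errors or a short count is not ok."""
    r = json.loads(response_text)
    ok = (r.get("status") == "DONE" and r.get("num_errors", 1) == 0
          and r.get("num_successful") == expected_total)
    summary = (f"batch {r.get('id')} status={r.get('status')} "
               f"total={r.get('total')} successful={r.get('num_successful')} "
               f"errors={r.get('num_errors')}")
    return ok, summary


# Constructed sample: three hypothetical indicators for a custom profile.
SAMPLE_RECORDS = [{"host": f"test{i}.example", "property": "Phishing_Generic",
                   "threat_level": 80} for i in range(3)]
# Constructed response modelled on the one shown on this page (id is a placeholder).
SAMPLE_RESPONSE = json.dumps({"id": "00000000-0000-0000-0000-000000000000",
                              "status": "DONE", "type": "HOST", "total": 3,
                              "num_successful": 3, "num_errors": 0})

if __name__ == "__main__":
    for batch in chunk_records(SAMPLE_RECORDS, size=2):
        req = build_batch_request("SET_APIKEY", "SampleDataProfile", batch)
        print(req.full_url, len(batch), "records")   # send with urllib.request.urlopen(req)
    print(check_batch_response(SAMPLE_RESPONSE, 3))
```

Remember that a batch reported as fully imported can still have indicators suppressed from the RPZ feed by the Infoblox Allowlist, as the notes above describe; the import count does not reveal that.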