infoblox_threat_defense:tide [2025/01/19 19:18] – [Test RPZ Data] bstaffordinfoblox_threat_defense:tide [2026/03/31 22:44] (current) bstafford
Line 1: Line 1:
 ====== TIDE ====== ====== TIDE ======
 TIDE is Threat Intelligence Data Exchange. It is effectively a very large Threat Database that is managed by the Infoblox Threat Intelligence Team. From its database, the Infoblox RPZ feeds are generated. TIDE is Threat Intelligence Data Exchange. It is effectively a very large Threat Database that is managed by the Infoblox Threat Intelligence Team. From its database, the Infoblox RPZ feeds are generated.
 +
 +NOTE: When you add indicators via TIDE, be aware that the associated RPZ feed will filter out anything that is in Infoblox's internal Global Allow list (e.g. brave[.]com)
  
 ===== Active Indicators ===== ===== Active Indicators =====
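Review bot: the NOTE added under the TIDE intro repeats, in shorter form, the longer NOTE added a few lines further down under Test RPZ Data (both explain that indicators on Infoblox's internal allow list, e.g. brave[.]com, are dropped from the generated RPZ feed). Two copies of the same caveat tend to drift apart as the page is edited; suggest keeping the full explanation in one place and reducing this one to a pointer such as "see the note under Test RPZ Data", or dropping it.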
Line 8: Line 10:
  
 Test RPZ data [[infoblox_threat_defense:test_domains|here]]. Test RPZ data [[infoblox_threat_defense:test_domains|here]].
 +
 +NOTE: If you upload data to a custom TIDE profile, then if any indicator in that profile matches the Infoblox Allowlist feed, that indicator will be suppressed from the customer TIDE profile RPZ feed. i.e. if you try to add brave[.]com to your custom TIDE data, it won't appear in the associate RPZ feed because that indicator is also on Infoblox Allowlist. You can't download the Infoblox Allowlist but you can check any specific indicator against Dossier to see if it is on the Infoblox Allowlist (JSON data via API will have it as 'whitelist'). You can block such indicators using a custom list.
 ===== List TIDE Data ===== ===== List TIDE Data =====
  
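Review bot: two typos in the new NOTE change its meaning: "suppressed from the customer TIDE profile RPZ feed" should read "custom TIDE profile RPZ feed", and "the associate RPZ feed" should be "the associated RPZ feed". The closing sentence "You can block such indicators using a custom list" is the actionable part of the note, but the note uses both "custom TIDE profile" and "custom list"; spell out that the second means a custom list rather than another TIDE profile, so the reader does not conclude that re-uploading to TIDE would help. The aside that the API JSON labels the allow list as 'whitelist' is useful; quoting the field exactly as it appears in the Dossier response would let readers grep for it.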
Line 180: Line 184:
 Upload with CURL Upload with CURL
 <code> curl -H "AUTHORIZATION:TOKEN APIKEY" -H 'Content-Type: application/json;' -X POST "https://csp.infoblox.com/tide/api/data/batches?profile=SampleDataProfile" --data-binary '@/home/name/DATA_FILE_NAME.json'</code> <code> curl -H "AUTHORIZATION:TOKEN APIKEY" -H 'Content-Type: application/json;' -X POST "https://csp.infoblox.com/tide/api/data/batches?profile=SampleDataProfile" --data-binary '@/home/name/DATA_FILE_NAME.json'</code>
 +You will see output like
 +<code>{"link":[{"href":"/data/batches/353eb24e-0024-11f1-bd68-9f833fd2874a","rel":"self"},{"href":"/data/batches/353eb24e-0024-11f1-bd68-9f833fd2874a/detail","rel":"detail"}],"id":"353eb26e-0024-11f1-bd69-9f833fd2874a","submitted":"2026-02-02T10:44:53.752Z","imported":"2026-02-02T10:44:53.752Z","profile":"0011M00002TfW3wZZF:SampleDataProfile","status":"DONE","user":"user@domain.com","organization":"0011M00002TfW3wZZF","method":"api","type":"HOST","total":1,"num_successful":1,"num_errors":0}</code>
  
 The recommended limit for the number of records in a given data submission is 50,000. The maximum number of records should be no more than 60,000 at this point in time. The recommended limit for the number of records in a given data submission is 50,000. The maximum number of records should be no more than 60,000 at this point in time.
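Review bot: the sample response is internally inconsistent: the batch id in the two `link` hrefs is 353eb24e-0024-11f1-bd68-9f833fd2874a while the `id` field is 353eb26e-0024-11f1-bd69-9f833fd2874a, and a real response carries the same id in both places, so either paste one response verbatim or say the values are illustrative. The response also includes what looks like a real organization id (0011M00002TfW3wZZF, in both `profile` and `organization`); if it is, replace it with a placeholder in the same way user@domain.com already is. Minor: "You will see output like" wants a colon, and one sentence pointing at `status`, `num_successful` and `num_errors` as the fields to check after an upload would make the example more useful than the raw blob alone.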
Line 235: Line 241:
 APIKEY=SET_APIKEY APIKEY=SET_APIKEY
 curl -X GET -H "Authorization: Token token=$APIKEY" "https://csp.infoblox.com/tide/api/data/threats/state?type=host&profile=$SOURCE&property=$PROPERTY&threat_level_from=$MIN_THREAT_LEVEL&period=$AGE&rlimit=$LIMIT&field=host,detected" | sed s/,/\\n/g | grep host | awk -F "\"" '{print $4}' > $OUTPUT</code> curl -X GET -H "Authorization: Token token=$APIKEY" "https://csp.infoblox.com/tide/api/data/threats/state?type=host&profile=$SOURCE&property=$PROPERTY&threat_level_from=$MIN_THREAT_LEVEL&period=$AGE&rlimit=$LIMIT&field=host,detected" | sed s/,/\\n/g | grep host | awk -F "\"" '{print $4}' > $OUTPUT</code>
 +
 +====Sitting ducks====
 +<code>https://csp.infoblox.com/tide/api/data/threats?type=host&property=policy_sittingducks&field=host,threat,tld&data_format=csv</code>
 +<code>https://csp.infoblox.com/tide/api/data/threats/state/host?property=Policy_SittingDucks&show_full_profiles=t&data_format=ndjson</code>
 +<code>https://csp.infoblox.com/tide/api/data/threats?type=host&property=policy_sittingducks&field=host,tld,detected&data_format=csv</code>
 +<code>https://csp.infoblox.com/tide/api/data/threats?type=host&property=policy_sittingducks&field=host,detected,property,tld&data_format=csv</code>
 +<code>https://csp.infoblox.com/tide/api/data/threats?type=host&property=policy_sittingducks&field=host,tld,detected&data_format=csv</code>
 +<code>https://csp.infoblox.com/tide/api/data/threats?type=host&property=policy_sittingducks&profile=iid&data_format=csv&field=host</code>
 +
 +====Lookalikes====
 +<code>https://csp.infoblox.com/tide/api/data/threats?type=host&property=Policy_LookalikeDomains&field=host,tld,detected&data_format=csv<code>
 +
 +
 +
 +====Compromised Domains====
 +<code>https://csp.infoblox.com/tide/api/data/threats?type=host&property=CompromisedDomain_SittingDucks&field=host,tld,detected&data_format=csv</code>
 +
 ==== Get Newly Observed Domains==== ==== Get Newly Observed Domains====
 <code>curl -s -X GET -H "Authorization: Token token=$API_KEY" "https://csp.infoblox.com/tide/api/data/threats/host/hourly?property=Policy_NewlyObservedDomains&data_format=csv&field=host" > new-domains.txt</code> <code>curl -s -X GET -H "Authorization: Token token=$API_KEY" "https://csp.infoblox.com/tide/api/data/threats/host/hourly?property=Policy_NewlyObservedDomains&data_format=csv&field=host" > new-domains.txt</code>
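Review bot: the Lookalikes line closes its code block with `<code>` instead of `</code>`; in DokuWiki that leaves the block open, so the Compromised Domains heading and everything after it render inside the code block. Change the end of that line to `...&field=host,tld,detected&data_format=csv</code>`. In the Sitting ducks list the third and fifth URLs are identical (`field=host,tld,detected`), so one can go, and the property is spelled both `policy_sittingducks` and `Policy_SittingDucks` (with `CompromisedDomain_SittingDucks` under Compromised Domains); a sentence on which spelling the API expects would save readers a failed query. Lastly, these are bare URLs while every other example on the page is a curl command with the `Authorization: Token` header; either wrap them the same way or state once that the same header applies to all of them.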
infoblox_threat_defense/tide.1737314280.txt.gz · Last modified: by bstafford