====== Infoblox Licencing ======

===== Infoblox Tokens =====

[[https://docs.infoblox.com/space/BloxOneDDI/846954761/Universal+DDI+Licensing|Token documentation page]].

==== Reporting Tokens ====

Reporting tokens are only needed for:

  * DDI DHCP Lease Log
  * DDI Query/Response Log

The following logs are available even if no reporting tokens have been purchased. A data connector VM can be deployed and used to get the logs off the Infoblox Portal (without requiring Server Tokens):

  * Audit Log
  * Internal Notifications
  * Service Log

The following logs are available only to customers of the Infoblox Threat Defense Advanced and Infoblox Threat Defense Business Cloud subscriptions. They do not require reporting tokens as this is covered by the Threat Defense subscription.

  * Threat Defense Query/Response
  * Threat Defense Threat Feeds Hits Logs

===== Universal DDI =====

[[https://docs.infoblox.com/space/BloxOneDDI/846954761/Universal+DDI+Licensing|Here]]

===== BloxOne Threat Defense =====

[[https://docs.infoblox.com/space/BloxOneThreatDefense/35403512|Here]]

===== BloxOne Threat Defense Features =====

==== Essentials (On-Prem Only) ====

  * Live threat feeds in DNS RPZ format
  * DNS Firewall capable of stopping threats at your GRID
  * Threat Insight to detect advanced threats and data exfiltration
  * Threat Lookup to research basic attacker data (Dossier is not included in BloxOne Threat Defense Essentials)
  * Predefined Reports (Infoblox reporting appliance is required if On-Prem)
  * [[infoblox:rpz_feeds|This page lists feeds available]] in Essentials

==== Business (On-Prem or Cloud) ====

  * Dossier advanced threat research portal
  * Security Ecosystem to integrate Infoblox data with your 3rd party security tools
  * (**Cloud Only**) Endpoint Protection for your roaming Windows and Mac computers
  * (**Cloud Only**) Web Content Filtering
  * Access to the Active indicators tool
  * [[infoblox:rpz_feeds|This page lists feeds available]] in Business (Business + Essentials)

==== Advanced ====

  * Threat Intelligence Data Exchange (TIDE): manage and share threat intelligence across your entire security environment in multiple machine-readable formats
  * Access to Application Discovery tool
  * Application filtering
  * [[infoblox:rpz_feeds|This page lists feeds available]] in Advanced (Advanced + Business + Essentials)

===== BloxOne Licencing =====

BloxOne DDI data is [[https://docs.infoblox.com/display/BloxOneDDI/Licensing+and+Subscription|here]].

BloxOne Threat Defense data is [[https://docs.infoblox.com/display/BloxOneThreatDefense/Licensing+and+Subscription|here]].

===== Universal DDI =====

NIOS-X QPS calculation: We capture data every 5 minutes, so each value is averaged over each 5-minute collection interval.

===== BloxOne Threat Defense License Caveat =====

From [[https://www.infoblox.com/company/legal/infoblox-bloxone-threat-defense-supplemental-terms-and-conditions/|B1TD Supplemental Terms and Conditions]].

//BloxOne Threat Defense Advanced and On-Prem offerings are subject to an **average monthly DNS query limit of 3,500 DNS queries per Protected User per day**. Usage of B1TD is continuously monitored to determine a customer’s average monthly DNS queries. The monthly DNS query average is calculated based on the number of DNS queries for any particular month (the number of days in that month) divided by the Customer’s Licensed Capacity. Infoblox may work with each Customer when their usage exceeds the current Licensed Capacity. If a Customer’s usage cannot be modified to align to the current Licensed Capacity, the Customer will need to purchase additional Licensed Capacity to ensure query limits are within the license terms.//

Remember: B1TD Advanced is licensed based on employee count. Why? Because it is simple and it works for the most part. However, the caveat above is in place to protect Infoblox from a 100-employee company protecting 10,000 busy servers, etc.

===== Sandbox Restriction =====

From [[https://www.infoblox.com/company/legal/infoblox-bloxone-ddi-supplemental-terms-and-conditions/|here]]:

//"Allowable Usage" means, unless otherwise specified in the applicable Order, no more than **5.5 million DNS Queries per month per SANDBOX Instance**.//

===== Other =====

NIOS Grid Connector Notes:

  * NIOS Grid Connector requires NIOS 8.5 and can only export data to BloxOne. The exported data will be read-only in BloxOne.
  * The NIOS Grid Connector service does not support the importing of DHCP lease data from NIOS Grid.
  * NIOS Grid Connector requires that the appliance be TE-14xx or higher.
  * Only IPv4 objects are imported, it seems. See [[https://docs.infoblox.com/display/BloxOneDDI/Configuring+NIOS+Grid+Connector|here]].
  * Data managed by NIOS and synced to BloxOne via NIOS Grid Connector (NGC) does not count towards licence usage of BloxOne. However, if devices that are "managed" by NIOS then go and query DNS services run by BloxOne, they will contribute to the BloxOne Active IP usage.

**Active IP address**

  * A Fixed (Static) Address - Just IP or does it have to include a MAC address?
  * IP Address found in DHCP leases
  * Source IP Address found in a DNS Query

**Instance**

  * A single online Host running DHCP and/or DNS services
  * A pair of hosts configured in co-located DHCP HA groups [A/A or A/P] - Note, if the pair of hosts configured in a co-located DHCP HA group also run DNS, they are counted as two hosts. Advanced A/P members are counted separately

===== External Licences =====

External "BYOL" licences (purchased from other vendors) can be added to the BloxOne CSP to allow Dossier to pull more data for its reports.

  * Proofpoint - Emerging Threats
  * Mandiant - APIv4
  * VirusTotal (IF YOU HAVE B1TD ADVANCED)

You can also purchase (from Infoblox) licences to allow access to RPZ threat feeds from other sources (these feeds are then accessible via the BloxOne portal along with all the other Infoblox RPZ feeds).

  * FarSight - Security Newly Observed Domains (NOD)
  * Proofpoint - Emerging Threats (ET) IP and Domain Reputation

Note that the following sources of Threat Intelligence and/or Threat Intelligence feeds are no longer supported.

  * CrowdStrike
  * FireEye - iSight Threat Intelligence
  * ThreatTrack - Security BorderPatrol