====== TIDE ======

TIDE is Threat Intelligence Data Exchange. It is effectively a very large threat database that is managed by the Infoblox Threat Intelligence Team. From its database, the Infoblox RPZ feeds are generated.

NOTE: When you add indicators via TIDE, be aware that the associated RPZ feed will filter out anything that is in Infoblox's internal Global Allow list (e.g. brave[.]com).

===== Active Indicators =====

In CSP > Research > Active Indicators, we can't see the RPZ membership of threats. This is expected, as this page is a simple GUI interface to the Threat Intel database. RPZ membership can be found in Dossier lookups or (ideally) via API lookups.

===== Test RPZ Data =====

Infoblox has harmless test domains that are in various RPZ feeds. This allows you to test that a given RPZ feed is active and working, as well as to generate example logs, etc. Test RPZ data [[infoblox_threat_defense:test_domains|here]].

NOTE: If you upload data to a custom TIDE profile, then any indicator in that profile that matches the Infoblox Allowlist feed will be suppressed from the custom TIDE profile RPZ feed. I.e. if you try to add brave[.]com to your custom TIDE data, it won't appear in the associated RPZ feed because that indicator is also on the Infoblox Allowlist. You can't download the Infoblox Allowlist, but you can check any specific indicator against Dossier to see if it is on the Infoblox Allowlist (JSON data via the API will have it as 'whitelist'). You can block such indicators using a custom list.

===== List TIDE Data =====

The following can be made into curl commands with this template, where you replace PATH_HERE with the path below and APIKEY_HERE with the API key.
<code bash>
curl -s -X GET "https://csp.infoblox.com/PATH_HERE" -H "Authorization: Token token=APIKEY_HERE" -H "Content-Type: application/json"
</code>

Get data on an FQDN:
<code>
/tide/api/data/threats?host=www.google.com
</code>

Get data on an FQDN but limit to 1 record:
<code>
/tide/api/data/threats?host=www.google.com&rlimit=1
</code>

Use filtering on a query of all data. Show host data (could be URL, IP, etc.), limit the output to 2 results, and show the host field and TLD field. Make sure threat level = 100. Make sure confidence is 80 or 100. Make sure class is APT or MalwareDownload or Bot.
<code>
/tide/api/data/threats/state/host?rlimit=2&data_format=csv&field=host&field=tld&threat_level=100&class=MalwareC2&class=APT&class=MalwareDownload&class=Bot&threat_level=80&confidence=100&confidence=80
</code>

Filter options (the fields of a TIDE threat record):
<code json>
{
  "type": "URL",
  "url": "http://www.example.local/index.php",
  "host": "www.example.local",
  "domain": "example.local",
  "tld": "local",
  "profile": "IID",
  "property": "MalwareC2_Lokibot",
  "class": "MalwareC2",
  "threat_level": 80,
  "confidence": 100,
  "detected": "20220328T081748Z",
  "received": "20220328T082213Z",
  "imported": "20220328T082213Z",
  "expiration": "20220626T081748Z",
  "dga": "false",
  "up": "true",
  "bric_score": 13,
  "threat_score": 7.6,
  "threat_score_rating": "High",
  "threat_score_vector": "TSIS:1.0/AV:N/AC:L/PR:L/UI:N/EX:H/MOD:L/AVL:L/CI:N/ASN:N/TLD:N/DOP:N/P:F",
  "confidence_score": 9.2,
  "confidence_score_rating": "Confirmed",
  "confidence_score_vector": "COSIS:1.0/SR:H/POP:N/TLD:H/CP:T",
  "risk_score": 9.7,
  "risk_score_rating": "Critical",
  "risk_score_vector": "RSIS:1.0/TSS:H/TLD:H/CVSS:H/EX:H/MOD:L/AVL:L/T:M/DT:M",
  "original_profile": "IID:ANALYST",
  "etcategory": "Known Trojan Command and Control Server",
  "ports": "80",
  "threat_actor": "VexTrio",
  "threat_actor_vector": "STARS:1.0/NAME:VEXTRIO/AKA:N/OPS:N/OVLP:N/REGN:UNKNOWN/DESC:Y/TACT:Y/TRGT:Y/TOOL:N/REFS:Y",
  "cyberint_guid": "a8be9ac3390b5a779d9f68fe3b329d02",
  "no_whitelist": "false",
  "protocol": "http",
  "url_hash": "c9a88ab928cd0535a874dc96ddac2e20",
  "notes": "Part of the domains cluster from various related Lokibot campaigns ",
  "attack_chain": "ACIS:1.0/FWK:MTK/PLT:['M', 'W', 'L']/PE:{EWMI:[]},{PI:['KOAD', 'HTRAN', 'EMP', 'PUP', 'REMC', 'POWS', 'COBS', 'POSH']}/DE:{EWMI:[]},{FD:['CMD', 'SDEL']},{OFI:['EMP', 'POWS', 'INVKS', 'REMC']},{PI:['KOAD', 'HTRAN', 'EMP', 'PUP', 'REMC', 'POWS', 'COBS', 'POSH']},{WS:['EMP']}/CA:{CRD:['GSEC', 'CDMP', 'MIMP', 'POSH', 'LSLS', 'FGDMP', 'LAZAG', 'COBS', 'POWS', 'EMP', 'WCED', 'IMP', 'KOAD', 'QRAT', 'PWDMP', 'MIMK', 'PUP']}/DIS:{BBD:['EMP']}/C2:{SALP:['EMP', 'COBS', 'PUP', 'POSH']},{WS:['EMP']}/EXF:{EOAP:['FTP', 'EMP', 'BTSA']},{EOONM:[]}"
}
</code>

Get available RPZ feeds:
<code>
/tide/api/entitlements/feeds
</code>

Get all custom RPZ feeds and country-based RPZ feeds:
<code>
api/custom_feeds/v1/feeds
</code>

The custom RPZ query above will get a lot of data back. Each feed has an ID. Use the ID to limit further queries to pull just that feed:
<code>
api/custom_feeds/v1/feeds/
</code>

List available threat classes:
<code>
/tide/api/data/threat_classes
</code>

Retrieve a list of provider organizations:
<code>
tide/admin/v1/resources/shared/dataprofiles
</code>

Retrieve the list of target types:
<code>
tide/api/services/intel/lookup/targets
</code>

View data by provider (this example limits the results to 2 lines):
<code>
tide/api/data/threats?profile=IID&rlimit=2
</code>

List available data profiles:
<code>
tide/admin/v1/resources/dataprofiles
</code>

Get the list of lookalikes for a domain being monitored (google.com in this example):
<code>
api/atclad/v1/lookalikes?_order_by=detected_at desc&_filter=target_domain=="google.com"
</code>

The TIDE calls of interest here:
<code>
tide/api/data/threats?type=host&property=suspicious_emergentdomain
tide/api/data/threats?type=host&profile=farsightsecurity
tide/api/data/threats?type=host&class=phishing
</code>

The ''data_format='' parameter may need adjusting (say ''csv''), and ''field=host'' may need to be appended. Trying the ''/recent'' variants of these will provide limited coverage, but in some cases will fit under their limitation.
<code>
tide/api/data/threats?type=url&threat_level=100
</code>

Examples (domains defanged):
<code>
{{base_url}}/tide/api/data/threats?domain=chrisupdated[.]xyz
{{base_url}}/tide/api/data/threats?domain=pinkgoat.com
</code>

===== What is In the Custom RPZ Feed Options =====

  * IID
  * AISCOMM
  * EmergingThreats
  * FarsightSecurity
  * SURBL (no longer available?)
  * 0011A00002BcDwEFG

==== Infoblox Curated Data ====

  * IID:ANALYST
  * IID:CRIME
  * IID:DTQ_IP
  * IID:IID
  * IID:IID Internal
  * IID:IID_BH_DECLARED
  * IID:IID_IRD
  * IID:IID_TTL
  * IID:LookalikeDomains
  * IID:OTHER
  * IID:PARTNER
  * IID:PORTAL_AK
  * IID:POWERSHARK
  * IID:RateShark
  * IID:IB_NOC
  * IID:IB_PM
  * IID:IB_DS
  * IID:IB_SE

==== Infoblox 3rd Party Data ====

  * AISCOMM:AIS-COMMERCIAL (Department of Homeland Security's (DHS) Automated Indicator Sharing (AIS))
  * EmergingThreats:Hostnames_Feed (ProofPoint)
  * EmergingThreats:IP_Feed (ProofPoint)
  * EmergingThreats:URL_Feed (ProofPoint)
  * FarsightSecurity:NOD (Farsight Security - now part of DomainTools)
  * SURBL:FRESH
  * SURBL:SURBL_multi_list

SURBL is SPAM URI (Uniform Resource Identifier) Real-time Block List.

  * Infoblox Curated Data - Data created by Infoblox
  * Infoblox 3rd Party Data - Data from Infoblox 3rd parties that make it into Infoblox 3rd party feeds (e.g. DHS, Farsight, etc.)
  * Your Uploaded Data - Your data that you uploaded to TIDE

===== Your Uploaded Data =====

  * 0011A00001AaA1aAAA:name-of-custom-data-profile

You can upload data to TIDE via the BloxOne portal (Manage > TIDE Data > Data Upload). Documentation [[https://docs.infoblox.com/space/BloxOneThreatDefense/35434535|here]].

Example XML file (the values it carries):
<code>
SampleProfile
host
www.testtesttest0.com Phishing_Phish 20230101T154742Z
www.testtesttest1.com Phishing_Phish 20230101T154742Z
</code>

JSON file (notice that the second domain doesn't have a duration):
<code json>
{
  "feed": {
    "record_type": "host",
    "record": [
      {"host": "www.baddomain.com", "property": "Scanner_Generic", "detected": "19980927T154242Z", "duration": "1y0m0w0d42h"},
      {"host": "www.example.com", "property": "Phishing_Phish", "detected": "20170602T154742Z"}
    ]
  }
}
</code>

Upload with curl:
<code bash>
curl -H "AUTHORIZATION:TOKEN APIKEY" -H 'Content-Type: application/json;' -X POST "https://csp.infoblox.com/tide/api/data/batches?profile=SampleDataProfile" --data-binary '@/home/name/DATA_FILE_NAME.json'
</code>

You will see output like:
<code json>
{"link":[{"href":"/data/batches/353eb24e-0024-11f1-bd68-9f833fd2874a","rel":"self"},{"href":"/data/batches/353eb24e-0024-11f1-bd68-9f833fd2874a/detail","rel":"detail"}],"id":"353eb26e-0024-11f1-bd69-9f833fd2874a","submitted":"2026-02-02T10:44:53.752Z","imported":"2026-02-02T10:44:53.752Z","profile":"0011M00002TfW3wZZF:SampleDataProfile","status":"DONE","user":"user@domain.com","organization":"0011M00002TfW3wZZF","method":"api","type":"HOST","total":1,"num_successful":1,"num_errors":0}
</code>

The recommended limit for the number of records in a given data submission is 50,000. The maximum number of records should be no more than 60,000 at this point in time. Documentation [[https://docs.infoblox.com/space/BloxOneThreatDefense/35434535/TIDE+Data+Submission+Overview|here]], [[https://docs.infoblox.com/space/BloxOneThreatDefense/236028376/Submitting+Threat+Indicators|here]], and [[https://docs.infoblox.com/space/BloxOneThreatDefense/236159529/Data+Profiles|here]].
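The submission format above is small enough to write by hand, but a bulk upload needs the records checked (hostname shape, the ''YYYYMMDDThhmmssZ'' detected stamp, the ''1y0m0w0d42h'' duration string) and split at the 50,000-record recommended limit before posting. The following is an added example, not Infoblox code: it validates a list of host records, drops duplicate hosts, and emits one JSON body per batch; the hostname and duration regexes are this example's own assumptions, and the sample records are constructed.

```python
import json
import re
# Limits quoted on the page: recommended and maximum records per submission.
RECOMMENDED_BATCH = 50_000
MAX_BATCH = 60_000
# Duration strings look like "1y0m0w0d42h" (years, months, weeks, days, hours);
# assumption: all five units are always present, as in the page's samples.
DURATION_RE = re.compile(r"^(\d+)y(\d+)m(\d+)w(\d+)d(\d+)h$")
DETECTED_RE = re.compile(r"^\d{8}T\d{6}Z$")
HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


def parse_duration(text):
    """Split a duration string into its components; raise ValueError if malformed."""
    match = DURATION_RE.match(text)
    if match is None:
        raise ValueError("bad duration %r" % text)
    years, months, weeks, days, hours = (int(x) for x in match.groups())
    return {"y": years, "m": months, "w": weeks, "d": days, "h": hours}


def validate_record(rec):
    """Return the problems with one host record (an empty list when it is fine)."""
    problems = []
    if not HOST_RE.match(str(rec.get("host", "")).strip().lower()):
        problems.append("host %r is not a valid hostname" % rec.get("host"))
    if not rec.get("property"):
        problems.append("property is required")
    if "detected" in rec and not DETECTED_RE.match(rec["detected"]):
        problems.append("detected must look like 20230101T154742Z")
    if "duration" in rec:
        try:
            parse_duration(rec["duration"])
        except ValueError as err:
            problems.append(str(err))
    return problems


def build_batches(records, record_type="host", batch_size=RECOMMENDED_BATCH):
    """Validate and de-duplicate records, then return one JSON body per batch."""
    if batch_size > MAX_BATCH:
        raise ValueError("batch_size exceeds the maximum of %d" % MAX_BATCH)
    clean, seen = [], set()
    for rec in records:
        problems = validate_record(rec)
        if problems:
            raise ValueError("record %r: %s" % (rec, "; ".join(problems)))
        host = rec["host"].strip().lower()
        if host in seen:
            continue  # keep the first copy of a host, drop later duplicates
        seen.add(host)
        clean.append(dict(rec, host=host))
    return [json.dumps({"feed": {"record_type": record_type,
                                 "record": clean[i:i + batch_size]}})
            for i in range(0, len(clean), batch_size)]


def batch_hosts(body):
    """Inspection helper: the hosts inside one submission body."""
    return [rec["host"] for rec in json.loads(body)["feed"]["record"]]


# Constructed sample input (not real indicators); the third row duplicates the second.
SAMPLE_RECORDS = [
    {"host": "www.baddomain.example", "property": "Scanner_Generic",
     "detected": "19980927T154242Z", "duration": "1y0m0w0d42h"},
    {"host": "www.example.com", "property": "Phishing_Phish",
     "detected": "20170602T154742Z"},
    {"host": "WWW.EXAMPLE.COM ", "property": "Phishing_Phish"},
]

if __name__ == "__main__":
    for body in build_batches(SAMPLE_RECORDS):
        print(body)
```

Each returned body is what the curl above sends with ''--data-binary''; post one body per request.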
Example of a CSV file:
<code>
record_type,property,threat_level,duration,host
host,"Threat",100,"0y0m0w2d0h","test007.testing.local"
host,"Threat",100,"0y0m0w2d0h","test008.testing.local"
</code>

and the CSV upload command is:
<code bash>
curl -H "AUTHORIZATION:TOKEN API_KEY_HERE" -H 'Content-Type: text/csv;' -X POST "https://csp.infoblox.com/tide/api/data/batches?profile=SampleProfile" --data-binary '@/home/user/baddomains.csv'
</code>

===== Palo Alto Networks Integration =====

<code bash>
curl -X GET "https://csp.infoblox.com/tide/api/data/threats?type=host&threat_level_from=80&class=suspicious&field=host,threat_level&period=24h" -H "Authorization: Token token=PUT_KEY_HERE" > tide-output
# Strip the JSON wrapper and the threat_level values, leaving one host per line
cat tide-output | sed s/},{\"host\":\"/\\t/g | sed s/\",\"threat_level\":/\\t/g | sed s/\\t80//g | sed s/\\t100//g | sed s/\\t/\\r\\n/g | sed s/\{\"threat\"\:\\[\{\"host\":\"//g | sed s/\}\],\"record_count\"//g | sed s/\:.*$//g > palo-list
sudo cp ./palo-list /var/www/html/
</code>

Make sure NGINX is installed and serving up /var/www/html. Edit as needed. Add certificates as needed.

On the PAN-OS Web UI:
  * Objects > External Dynamic Lists > Add:
  * Type = Domain List (so we can use it in Anti-Spyware Profiles)
  * Tick "Automatically expand to include sub-domains"
  * Set "Check for updates" as required
  * Click "Test Source URL"

===== Palo Alto Networks Integration Direct =====

You can update the External Dynamic List in Palo Alto Networks to use the following URL and download directly from CSP:
<code>
https://apikey:API-KEY-HERE@csp.infoblox.com/tide/api/data/threats?data_format=csv&field=domain&rlimit=10&type=host&class=cryptocurrency
</code>

Note the use of the username ''apikey'' and also an API key. If you set a Server Certificate in the EDL, you can also use a username/password (e.g. ''apiuser'' and APIKEY) in addition to:
<code>
csp.infoblox.com/tide/api/data/threats?data_format=csv&field=domain&rlimit=10&type=host&class=cryptocurrency
</code>

I got this working for domains but not IP feeds.
URL feeds don't work directly from Infoblox CSP because the Palo Alto can't handle the inclusion of https:// at the start when setting a URL feed.

===== API Examples =====

==== Get Latest Threats From TIDE ====

<code bash>
PROPERTY=Suspicious_Generic
LIMIT=100
MIN_THREAT_LEVEL=80
SOURCE=iid
AGE=7d
APIKEY=APIKEY
curl -X GET -H "Authorization: Token token=$APIKEY" "https://csp.infoblox.com/tide/api/data/threats/state?type=host&profile=$SOURCE&property=$PROPERTY&threat_level_from=$MIN_THREAT_LEVEL&period=$AGE&rlimit=$LIMIT&field=host,detected" | sed s/,/\\n/g | grep host | awk -F "\"" '{print $4}' > suspicious-domains-last-week.txt
</code>

==== Get Bad Nameservers ====

Get all bad nameservers from the last year.
<code bash>
PROPERTY=MaliciousNameserver_Generic
OUTPUT="threat-domain-$PROPERTY.txt"
LIMIT=100
MIN_THREAT_LEVEL=80
SOURCE=iid
AGE=1y
APIKEY=SET_APIKEY
curl -X GET -H "Authorization: Token token=$APIKEY" "https://csp.infoblox.com/tide/api/data/threats/state?type=host&profile=$SOURCE&property=$PROPERTY&threat_level_from=$MIN_THREAT_LEVEL&period=$AGE&rlimit=$LIMIT&field=host,detected" | sed s/,/\\n/g | grep host | awk -F "\"" '{print $4}' > $OUTPUT
</code>

==== Sitting ducks ====

<code>
https://csp.infoblox.com/tide/api/data/threats?type=host&property=policy_sittingducks&field=host,threat,tld&data_format=csv
https://csp.infoblox.com/tide/api/data/threats/state/host?property=Policy_SittingDucks&show_full_profiles=t&data_format=ndjson
https://csp.infoblox.com/tide/api/data/threats?type=host&property=policy_sittingducks&field=host,tld,detected&data_format=csv
https://csp.infoblox.com/tide/api/data/threats?type=host&property=policy_sittingducks&field=host,detected,property,tld&data_format=csv
https://csp.infoblox.com/tide/api/data/threats?type=host&property=policy_sittingducks&field=host,tld,detected&data_format=csv
https://csp.infoblox.com/tide/api/data/threats?type=host&property=policy_sittingducks&profile=iid&data_format=csv&field=host
</code>

==== Lookalikes ====
<code>
https://csp.infoblox.com/tide/api/data/threats?type=host&property=Policy_LookalikeDomains&field=host,tld,detected&data_format=csv
</code>

==== Compromised Domains ====

<code>
https://csp.infoblox.com/tide/api/data/threats?type=host&property=CompromisedDomain_SittingDucks&field=host,tld,detected&data_format=csv
</code>

==== Get Newly Observed Domains ====

<code bash>
curl -s -X GET -H "Authorization: Token token=$API_KEY" "https://csp.infoblox.com/tide/api/data/threats/host/hourly?property=Policy_NewlyObservedDomains&data_format=csv&field=host" > new-domains.txt
</code>

==== Recent Data ====

<code>
{{TIDE_url}}/data/threats/host/recent?fields=detected,property,host&data_format=csv
{{TIDE_url}}/data/threats/host/daily?fields=detected,property,host&data_format=csv
/tide/api/data/threats?type=host&class=suspicious&field=host,threat_level,detected,notes&period=24h&rlimit=50000
</code>

==== Get Top 10 Suspicious Emergent Domains ====

Using grep, show the top 10 suspicious emergent domains from Infoblox that have been added in the last 48 hours. This list can be fed to an External Dynamic List for third-party security vendors.
<code bash>
curl -X GET -H "Authorization: Token token=APIKEY" "https://csp.infoblox.com/tide/api/data/threats/state?type=host&profile=iid&property=Suspicious_EmergentDomain&threat_level_from=80&period=48h&rlimit=10&field=host,detected" | sed s/,/\\n/g | grep host | awk -F "\"" '{print $4}' > emergent-domains-last-48h.txt
</code>

===== Summary of Count of Each Threat Type =====

<code>
https://csp.infoblox.com/tide/api/v1/iid_atp/dossier/threat_counts
</code>

==== Get All Critical MalwareC2DGA Threats ====

Show all critical MalwareC2DGA threats detected in the last 48 hours. Limit results to 10 items.
<code bash>
curl -X GET -H "Authorization: Token token=APIKEY" "https://csp.infoblox.com/tide/api/data/threats/state?type=host&profile=iid&class=MalwareC2DGA&threat_level_from=100&rlimit=10&period=48h&field=host,property,threat_level,detected" > critical-malware-threats-last-2days.txt
</code>

The command has a fixed "main bit":
<code bash>
curl -X GET -H "Authorization: Token token=APIKEY" "https://csp.infoblox.com/tide/api/data/threats/state?type=..." > critical-malware-threats-last-2days.txt
</code>

and a variable "..." bit. In this case we change ''class'' to ''property=MalwareC2DGA_Locky'':
<code>
host&profile=iid&property=MalwareC2DGA_Locky&threat_level_from=100&rlimit=10&period=48h&field=host,property,threat_level,detected
</code>

  * Type = Host (type=host)
  * Profile = IID (profile=iid)
  * Threat Level >= 100 (threat_level_from=100)
  * Max Results = 10 (rlimit=10)
  * Period = 24h (results added to TIDE in the last 24 hours)
  * Field = detected,host,property (data to include in the result)
  * Property = MalwareC2DGA_Locky (property to detect)
  * Class = MalwareC2DGA (class to detect)

The format is the following. Replace ''type=...'' with the examples below:
<code bash>
curl -X GET 'https://csp.infoblox.com/tide/api/data/threats?type=...' -H 'Authorization: Token token='
</code>

==== Get Notes ====

Retrieve notes in TIDE for the domain example.com:
<code>
type=host&profile=IID&host=example.com
</code>

Retrieve new suspicious indicators:
<code>
type=host&profile=IID&class=suspicious&rlimit=2
</code>

==== Get Notes ====

(Possibly) "Absolutely safe to block" and almost certainly not available via any other source or vendor today, as verified. However, this is only true of the results where the threat_level >= 50.
<code>
type=host&class=suspicious&field=host,detected,threat_level,notes&period=24h
</code>

<code>
/tide/api/services/intel/lookup/indicator/host?value=example.com&wait=true&data_format=json
</code>

====== Dossier ======

Dossier [[https://docs.infoblox.com/space/BloxOneThreatDefense/271975091/Dossier+Source+Descriptions|sources]].

  * iSIGHT is available as a separate subscription and is not automatically included with Dossier.
===== RPZ =====

Remember, if you only have Business Cloud and a threat exists in one of the "Advanced only" RPZ feeds, you won't see those RPZ feeds identified if you send a Dossier query for the domain. In the event that you query Dossier for a domain that is in both AntiMalware and (e.g.) Suspicious-Lookalikes, then, as a Business Cloud customer, you will only see AntiMalware in the "Matched RPZ" list. You will, however, see the relevant "suspicious" tag in the activity timeline, which gives you a clue it might also be in suspicious. Only Advanced customers will see (in Dossier) that the domain is in both the AntiMalware and Suspicious Lookalikes RPZ feeds.

===== API =====

Simply query for:
  * type = HOST
  * profile = IID Data
  * class = MalwareC2
  * property = MalwareC2_BackdoorRAT
  * threatlevel = 80+
  * period = (last) 24h

==== Get MalwareC2 Threats from Last 24 Hours ====

<code bash>
curl -X GET -H "Authorization: Token token=APIKEY" "https://csp.infoblox.com/tide/api/data/threats?type=host&profile=iid&class=malwarec2&property=malwarec2_backdoorrat&threat_level_from=100&period=24h"
</code>

==== Check Which RPZ Feeds a Domain is In ====

<code bash>
curl -s -X POST "https://csp.infoblox.com/tide/api/services/intel/lookup/jobs?wait=true" -H "Authorization: Token token=APIKEY" -H "Content-Type: application/json" -d '{"target": {"one": {"type": "host", "target": "google.com","sources":["rpz_feeds"]}}}'
</code>

Same command, but use grep to filter out everything but the feed names.
<code bash>
curl -s -X POST "https://csp.infoblox.com/tide/api/services/intel/lookup/jobs?wait=true" -H "Authorization: Token token=APIKEY" -H "Content-Type: application/json" -d '{"target": {"one": {"type": "host", "target": "google.com","sources":["rpz_feeds"]}}}' | grep feed_name | grep -v ib- | awk -F ":" '{print $2}' | sed 's/\ //g' | sed 's/,//g' | sed 's/"//g'
</code>

Same command but with bash:
<code bash>
#!/bin/bash
DOMAIN=$1
APIKEY="PUT_KEY_HERE"
COMMAND="{\"target\": {\"one\": {\"type\": \"host\", \"target\": \"$DOMAIN\",\"sources\":[\"rpz_feeds\"]}}}"
echo "List of RPZ feeds that contain $DOMAIN"
curl -s -X POST "https://csp.infoblox.com/tide/api/services/intel/lookup/jobs?wait=true" -H "Authorization: Token token=$APIKEY" -H "Content-Type: application/json" -d "$COMMAND" | grep feed_name | grep -v ib- | awk -F ":" '{print $2}' | sed 's/,//g' | sed 's/"//g'
</code>

==== Get Infoblox Web Category for Domain ====

<code bash>
#!/bin/bash
DOMAIN=$1
APIKEY="PUT_KEY_HERE"
COMMAND="{\"target\": {\"one\": {\"type\": \"host\", \"target\": \"$DOMAIN\",\"sources\":[\"infoblox_web_cat\"]}}}"
echo "Infoblox Web Category for $DOMAIN: "
curl -s -X POST "https://csp.infoblox.com/tide/api/services/intel/lookup/jobs?wait=true" -H "Authorization: Token token=$APIKEY" -H "Content-Type: application/json" -d "$COMMAND" | grep name | awk -F ":" '{print $2}'
</code>

==== List of Dossier Fields for Domain ====

<code>
"acs","activity","atp","ccb","custom_lists","dns","gcs","geo","gsb","infoblox_web_cat","inforank","isight","malware_analysis","malware_analysis_v3","pdns","ptr","rlabs","rpz_feeds","rwhois","whitelist","whois","ssl_cert","urlhaus","nameserver","threatfox"
</code>

==== Values for ACS ====

  * batch_id
  * class
  * confidence
  * confidence_score
  * confidence_score_rating
  * confidence_score_vector
  * detected
  * dga
  * domain
  * expiration
  * extended (can contain {"notes":"notes put here"})
  * full_profile
  * host
  * id
  * imported
  * profile
  * property
  * received
  * risk_score
  * risk_score_rating
  * risk_score_vector
  * threat_level
  * threat_score
  * threat_score_rating
  * threat_score_vector
  * tld
  * type
  * up

===== Script To Check RPZ Feeds (Python) =====

<code python>
#!/usr/bin/env python3
# vim: tabstop=8 expandtab shiftwidth=4 softtabstop=4
import json
# Needed to check the valid domain name regex
import re
# Needed to read CLI parameters
import sys
# Needed to manipulate the dates
from datetime import datetime

import requests

APIKEY = "API_KEY"
URL = "https://csp.infoblox.com/tide/api/services/intel/lookup/jobs?wait=true"
HEADERS = {"Content-Type": "application/json", "Authorization": "Token " + APIKEY}


def is_valid_domain_name(domain_name):
    # Regular expression pattern to match a valid domain name
    pattern = r"^(?!:\/\/)(?!www\.)(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)+(?:[a-zA-Z]{2,})$"
    return re.match(pattern, domain_name) is not None


def is_date_in_future(date_str):
    return datetime.strptime(date_str, "%Y-%m-%d").date() > datetime.now().date()


def lookup(domain, source):
    # Run one Dossier lookup job for the domain against one source; json.dumps
    # builds the body so the domain is always quoted correctly
    body = {"target": {"one": {"type": "host", "target": domain, "sources": [source]}}}
    response = requests.post(URL, data=json.dumps(body), headers=HEADERS)
    # Check if the request was successful (status code 200)
    if response.status_code != 200:
        print("Error:", response.status_code)
        return None
    return response.json()


if len(sys.argv) < 2:
    print("Usage: python script_name.py domain-to-test.corp.")
    sys.exit(1)  # Exit the script with a non-zero status code indicating an error
parameter1 = sys.argv[1]  # The first parameter
if not is_valid_domain_name(parameter1):
    print("Error: Parameter", parameter1, "is not a valid domain name.")
    sys.exit(1)

# RPZ feeds that contain the domain
data = lookup(parameter1, "rpz_feeds")
if data is not None:
    for result in data["results"]:
        records = result["data"]["records"]
        if len(records) == 0:
            print("RPZ for ", parameter1, ":NONE")
        else:
            print("RPZ for ", parameter1, ":")
        for record in records:
            feed_name = record["feed_name"].ljust(27)
            detected = datetime.strptime(record["detected"], "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m-%d")
            expiration = datetime.strptime(record["expiration"], "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m-%d")
            active = "Active" if is_date_in_future(expiration) else "Expired"
            print(feed_name, "\t(", record["property"], ")\t(", active, ")", detected, "to", expiration)

# Infoblox web category
data = lookup(parameter1, "infoblox_web_cat")
if data is not None:
    print("")
    for result in data["results"]:
        records = result["data"]["results"]
        if len(records) == 0:
            print("WebCat for ", parameter1, ":NONE")
        for record in records:
            print("WebCat for ", parameter1, ":", record["name"])

# Threat data (ATP) for the domain
data = lookup(parameter1, "atp")
if data is not None:
    results = data["results"][0]["data"]["threat"]
    print("")
    if len(results) == 0:
        print("No Threat Data for ", parameter1)
    else:
        print("Threat Data for ", parameter1)
        print("FullProfile\tProperty\t\t\tExpiration\tConfidence\tConfidenceScore\t\tThreatLevel\tThreatScore\tRiskScore")
    for result in results:
        # Keep the profile check below if you only want to include Infoblox data and not SURBL or FARSIGHT
        var_expiration = "NA"
        if "expiration" in result:
            var_expiration = datetime.strptime(result["expiration"], "%Y-%m-%dT%H:%M:%S.%fZ").strftime("%Y-%m-%d")
            if not is_date_in_future(var_expiration):
                var_expiration = "Expired"
        var_property = result.get("property", "NA")
        if len(var_property) < 22:
            var_property += "\t"
        if result.get("profile") == "IID" and var_expiration != "Expired":
            print(result.get("full_profile", "NA"), "\t", var_property, "\t", var_expiration, "\t",
                  result.get("confidence", "NA"), "\t\t", result.get("confidence_score_rating", "NA"), "\t\t\t",
                  result.get("threat_level", "NA"), "\t\t", result.get("threat_score_rating", "NA"), "\t\t",
                  result.get("risk_score_rating", "NA"))
</code>
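The script above runs one lookup job per source and reads three different response shapes (''records'' for rpz_feeds, ''results'' for infoblox_web_cat, ''threat'' for atp) with two timestamp formats. The following is an added example, not Infoblox code: it builds the lookup-jobs body with json.dumps and reduces a response to unexpired RPZ feed hits, web categories and unexpired IID threat records, so it can be unit-tested offline against a constructed response. Assumptions: each entry in ''results'' names its source under ''params'' (or a top-level ''source''), and the feed and property names in the sample are made up.

```python
import json
from datetime import datetime, timezone

# Constructed lookup-jobs response for the three sources the script above queries.
# Shape assumption: each entry in "results" names its source under "params" (or a
# top-level "source"); the "data" shapes are the ones the script above reads.
SAMPLE_RESPONSE = {"results": [
    {"params": {"type": "host", "target": "bad.example", "source": "rpz_feeds"},
     "data": {"records": [
         {"feed_name": "antimalware", "class": "MalwareC2", "property": "MalwareC2_Generic",
          "detected": "2024-11-01T10:00:00Z", "expiration": "2030-01-01T00:00:00Z"},
         {"feed_name": "suspicious-lookalikes", "class": "Suspicious",
          "property": "Suspicious_Lookalike", "detected": "2019-01-01T10:00:00Z",
          "expiration": "2020-01-01T00:00:00Z"}]}},
    {"params": {"type": "host", "target": "bad.example", "source": "infoblox_web_cat"},
     "data": {"results": [{"name": "Malicious Sites"}]}},
    {"params": {"type": "host", "target": "bad.example", "source": "atp"},
     "data": {"threat": [
         {"profile": "IID", "property": "MalwareC2_Generic", "threat_level": 100,
          "risk_score_rating": "Critical", "expiration": "2030-01-01T00:00:00.000Z"},
         {"profile": "SURBL", "property": "Phishing_Generic", "threat_level": 80},
         {"profile": "IID", "property": "Suspicious_Lookalike", "threat_level": 60,
          "risk_score_rating": "Low", "expiration": "2020-01-01T00:00:00.000Z"}]}},
]}
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for the sample


def parse_ts(text):
    """Accept both timestamp shapes the script above handles (with/without fractions)."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised timestamp %r" % text)


def lookup_body(domain, sources):
    """Request body for lookup/jobs, built with json.dumps rather than string
    concatenation so quoting stays correct whatever the domain string contains."""
    return json.dumps({"target": {"one": {"type": "host", "target": domain,
                                          "sources": list(sources)}}})


def summarise(response, now=NOW):
    """Reduce a lookup-jobs response to unexpired RPZ feed hits, web categories
    and unexpired Infoblox (IID) threat records."""
    out = {"rpz_feeds": [], "web_categories": [], "iid_threats": []}
    for result in response.get("results", []):
        source = result.get("params", {}).get("source") or result.get("source")
        data = result.get("data", {})
        if source == "rpz_feeds":
            for rec in data.get("records", []):
                if parse_ts(rec["expiration"]) > now:
                    out["rpz_feeds"].append((rec["feed_name"], rec["property"]))
        elif source == "infoblox_web_cat":
            out["web_categories"] = [r["name"] for r in data.get("results", [])]
        elif source == "atp":
            for threat in data.get("threat", []):
                if threat.get("profile") != "IID":
                    continue  # skip third-party profiles such as SURBL or Farsight
                if "expiration" in threat and parse_ts(threat["expiration"]) <= now:
                    continue  # expired record
                out["iid_threats"].append((threat.get("property"),
                                           threat.get("threat_level"),
                                           threat.get("risk_score_rating")))
    return out


if __name__ == "__main__":
    print(lookup_body("bad.example", ["rpz_feeds", "infoblox_web_cat", "atp"]))
    print(json.dumps(summarise(SAMPLE_RESPONSE), indent=2))
```

To run it live, post ''lookup_body(domain, sources)'' to the lookup/jobs URL with the same headers as the script above and pass ''response.json()'' to ''summarise'' with the default clock.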