Infoblox Grid Action Bundle
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
| Current Integration Version | 1.1.0 |
| Compatible with ThreatQ Versions | >= 6.7.3 |
| ThreatQ TQO License Required | Yes |
| Support Tier | ThreatQ Supported |
Introduction
The Infoblox Grid Action Bundle allows the management of entries in Response Policy Zone (RPZ) zones.
The bundle provides the following actions:
- Infoblox Grid Add to RPZ - creates records in an RPZ from ThreatQ indicators of compromise (IP, FQDN and CIDR Block).
- Infoblox Grid Add Batch To RPZ - adds a batch of indicators to a RPZ Zone.
- Infoblox Grid Remove from RPZ - deletes records from an RPZ that are no longer needed.
- Infoblox Grid Remove Batch From RPZ - deletes a batch of indicators from a RPZ Zone.
The actions enrich the following indicator types:
- CIDR Block
- FQDN
- IP Address
This action is intended for use with ThreatQ TDR Orchestrator (TQO). An active TQO license is required for this feature.
Prerequisites
- An active ThreatQ TDR Orchestrator (TQO) license.
- A data collection containing indicator types:
- CIDR Block
- FQDN
- IP Address
- An Infoblox instance, username, and password.
Installation
Perform the following steps to install the integration:
The same steps can be used to upgrade the integration to a new version.
- Log into https://marketplace.threatq.com/.
- Locate and download the action zip file.
- Navigate to the integrations management page on your ThreatQ instance.
- Click on the Add New Integration button.
- Upload the action zip file using one of the following methods:
- Drag and drop the zip file into the dialog box
- Select Click to Browse to locate the zip file on your local machine
- Select the actions to install, when prompted, and click on Install.
ThreatQ will inform you if the action already exists on the platform and will require user confirmation before proceeding. ThreatQ will also inform you if the new version of the action contains changes to the user configuration. The new user configurations will overwrite the existing ones for the action and will require user confirmation before proceeding.
Your actions will now be installed on your instance. You will still need to configure the action(s).
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Actions option from the Category dropdown (optional).
- Click on the action entry to open its details page.
- Enter the following parameters under the Configuration tab:
The configurations set on this page will be used as the default settings when inserting this action into a new workflow. Updating the configurations on this page will not update any instances of this action that have already been deployed to a workflow. In that scenario, you must update the action’s configurations within the workflow itself.
Parameter Description Infoblox Grid URL Specify full URL to the Infoblox Grid instance. Infoblox Username Enter your Infoblox username to authenticate. Infoblox Password Enter your Infoblox password to authenticate. Infoblox RPZ The name of the Response Policy Zone created on the Infoblox Grid appliance. DNS View The name of the DNS view in which the record resides. The default value for DNS view is "default". Ingest Infoblox RPZ Name as Attribute
(Add Batch to RPZ action only)Enable this to add Infoblox RPZ Name as an attribute to each exported indicator. Enabling this parameter will increase the run time.
Delete Infoblox RPZ Name Attribute
(Remove Batch to RPZ action only)Enable this to remove Infoblox RPZ Name Attribute if present for each exported indicator. Enabling this parameter will increase the run time.
Disable Proxies Enable or disable verification of SSL connections with the provider. Enable SSL Certificate Verification If enabled, the action will not honor proxy settings within ThreatQ. Objects per run Maximum number of objects to send to Infoblox per-run.
- Review any additional settings, make any changes if needed, and click on Save.
Actions
The following actions are available:
| Action | Description | Object Type | Object Subtype |
|---|---|---|---|
| Infoblox Grid Add To RPZ | Adds Indicators to a RPZ Zone. | Indicators | IP Address, CIDR Block, FQDN |
| Infoblox Grid Add Batch to RPZ | Adds a batch of indicators to a RPZ Zone. | Indicators | IP Address, CIDR Block, FQDN |
| Infoblox Grid Remove From RPZ | Deletes Indicators from a RPZ Zone. | Indicators | IP Address, CIDR Block, FQDN |
| Infoblox Grid Remove Batch from RPZ | Deletes a batch of indicators from a RPZ Zone. | Indicators | IP Address, CIDR Block, FQDN |
Infoblox Grid Add to RPZ
The Infoblox Grid Add to RPZ uploads the indicators from the selected collection to an existing RPZ Zone from Infoblox Grid. The indicators are added only if they do not have the attribute Added to Infoblox RPZ equal to user config Infoblox RPZ. The name of the zone must be specified in the action configuration. The actions add the attribute Added to Infoblox RPZ to all the exported indicators and they delete the attribute Removed From Infoblox RPZ having the value equal to the specified zone.
Indicators are uploaded sequentially. Larger collections will increase the duration of the action.
POST "{{INFOBLOX_URL}}/wapi/v2.12/record:rpz:cname"
Sample Body:
{
"canonical": "217.60.9.178",
"name": "217.60.9.178.{{RPZ_NAME}}",
"rp_zone": "{{RPZ_NAME}}",
"disable": false,
"view": "default"
}Sample Response:
"record:rpz:cname/ZG5zLmJpbmRfY25hbWUkLl9kZWZhdWx0LnRocmVhdHEuMTgwLjE2NC43Mi4xNDg:217.60.9.178.{{RPZ_NAME}}/default"ThreatQuotient provides the following default mapping for this action:
| Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes |
|---|---|---|---|---|---|
| N/A | Indicator.Attribute | Added to Infoblox RPZ | N/A | RPZ Name | The value is the user config Infoblox RPZ |
The attribute Removed From Infoblox RPZ is removed if it has the value equal to user config Infoblox RPZ.
Infoblox Grid Add Batch to RPZ
The Infoblox Grid Add Batch to RPZ action uploads the indicators from the selected collection to an existing RPZ Zone from Infoblox Grid. The name of the zone must be specified in the action configuration.
The action adds the attribute Added to Infoblox RPZ to all the exported indicators if user configuration Ingest Infoblox RPZ Name As Attribute is enabled.
The action uploads batches of 100 indicators by sending each of them in a CSV file.
The following 3 requests are made to upload the file: Request to Initiate the Upload, Request to Upload the File, and Request to Start Processing the File.
Request to Initiate the Upload
POST {{INFOBLOX_URL}}/wapi/v2.12/fileop?_function=uploadinit&filename=insert_iocs.csv
Sample Response:
{
"token": "eJytjksLwjAQhP+K5GybbNk+b5UqCKIieg6liXWhL9MIivjfbQ569ORlDt/szsyT6ftA5iEttZpl\nM4gRIY0QQz8BTEOYz9jNNJPDLtYOY8Y5CB8A/UnjkDsoFRldWXmmRkvqudFXSco77Te7vPAEihSE\nEBgmEGAQcepGbex0WI1sSlelLaXuql5RV7uexXr75W2v3CpW5MdcHparj+EYH21vylpz2w5/2EHK\nhf7+Ya83PFBaaA==\n",
"url": "{{INFOBLOX_URL}}/http_direct_file_io/req_id-UPLOAD-0409100045812426/insert_iocs"
}Request to Upload the File
POST {{INFOBLOX_URL}}/http_direct_file_io/req_id-UPLOAD-0409100045812426/insert_iocs
Sample Body:
header-responsepolicycnamerecord,fqdn*,canonical_name,disabled,parent_zone,view
"responsepolicycnamerecord","5.15.134.0/24.threatq-act","5.15.134.0/24","FALSE","threatq-act","default"
"responsepolicycnamerecord","148.72.164.179.threatq-act","148.72.164.179","FALSE","threatq-act","default"Request to Start Processing the File
POST {{INFOBLOX_URL}}/wapi/v2.12/fileop?_function=csv_import
Sample Parameters:
{
"action": "START",
"operation": "INSERT",
"on_error": "CONTINUE",
"token": "{{TOKEN_FROM_INITIATE_UPLOAD}}"
}Sample Response:
{
"csv_import_task": {
"_ref": "csvimporttask/b25lLmNzdl9pbXBvcnRfdGFzayQ1Njg:568",
"admin_name": "admin",
"file_name": "insert_iocs",
"file_size": 395,
"import_id": 568,
"lines_failed": 0,
"lines_processed": 0,
"lines_warning": 0,
"on_error": "CONTINUE",
"operation": "INSERT",
"separator": "COMMA",
"start_time": 1744193295,
"status": "PENDING",
"update_method": "OVERRIDE"
}
}ThreatQuotient provides the following default mapping for this action:
| Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes |
|---|---|---|---|---|---|
| N/A | Indicator.Attribute | Added to Infoblox RPZ | N/A | RPZ Name | The value is the user config Infoblox RPZ |
Infoblox Grid Remove from RPZ
The Infoblox Grid Remove from RPZ action deletes the indicators from an existing RPZ Zone from Infoblox Grid. The indicators are removed only if they do not have the attribute Removed From Infoblox RPZ equal to user config Infoblox RPZ. The name of the zone must be specified in the action configuration. The action adds the attribute Removed From Infoblox RPZ to all the indicators from the input collection and they delete the attribute Added to Infoblox RPZ having the value equal to the specified zone.
The action deletes the indicators sequentially. Larger collections will increase the duration of the action.
POST "{{INFOBLOX_URL}}/wapi/v2.12/request"
Sample Body:
[
{
"method": "GET",
"object": "record:rpz:cname",
"data": {
"name": "217.60.9.178.{{RPZ_NAME}}",
"view": "default"
},
"assign_state": {
"name_ref": "_ref"
}
},
{
"method": "DELETE",
"object": "##STATE:name_ref:##",
"enable_substitution": true,
"discard": true
}
]Sample Response:
{
"result": [
{
"_ref": "record:rpz:cname/ZG5zLmJpbmRfY25hbWUkLl9kZWZhdWx0LnRocmVhdHEuY29tLnhwdG94cA:217.60.9.178.{{RPZ_NAME}}/default",
"canonical": "217.60.9.178",
"name": "217.60.9.178.threatq",
"view": "default"
}
]
}ThreatQuotient provides the following default mapping for this action:
| Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes |
|---|---|---|---|---|---|
| N/A | Indicator.Attribute | Removed From Infoblox RPZ | N/A | RPZ Name | The value is the user config Infoblox RPZ |
The attribute Added To Infoblox RPZ is removed if it has the value equal to user config Infoblox RPZ.
Infoblox Grid Remove Batch from RPZ
The Infoblox Gird Remove Batch from RPZ action removes the input indicators from an existing RPZ Zone from Infoblox Grid. The name of the zone must be specified in the action configuration.
The action removes the attribute Added to Infoblox RPZ having the value equal to user configuration Infoblox RPZ if the user configuration Delete Infoblox RPZ Name Attribute is enabled.
The action removes batches of 100 indicators by sending each of them in a CSV file.
The following 3 requests are made to upload the file: Request to Initiate the Upload, Request to Upload the File, and Request to Start Processing the File.
There is no default mapping for this action because no data is ingested. The attribute Added to Infoblox RPZ is removed if it has the value equal to user config Infoblox RPZ.
Request to Initiate the Upload
POST {{INFOBLOX_URL}}/wapi/v2.12/fileop?_function=uploadinit&filename=delete_iocs.csv
Sample Response:
{
"token": "eJytjksLwjAQhP+K5GybbNk+b5UqCKIieg6liXWhL9MIivjfbQ569ORlDt/szsyT6ftA5iEttZpl\nM4gRIY0QQz8BTEOYz9jNNJPDLtYOY8Y5CB8A/UnjkDsoFRldWXmmRkvqudFXSco77Te7vPAEihSE\nEBgmEGAQcepGbex0WI1sSlelLaXuql5RV7uexXr75W2v3CpW5MdcHparj+EYH21vylpz2w5/2EHK\nhf7+Ya83PFBaaA==\n",
"url": "{{INFOBLOX_URL}}/http_direct_file_io/req_id-UPLOAD-0409100045812426/delete_iocs"
}Request to Upload the File
POST {{INFOBLOX_URL}}/http_direct_file_io/req_id-UPLOAD-0409100045812426/delete_iocs
Sample Body:
header-responsepolicycnamerecord,fqdn*,canonical_name,disabled,parent_zone,view
"responsepolicycnamerecord","5.15.134.0/24.threatq-act","5.15.134.0/24","FALSE","threatq-act","default"
"responsepolicycnamerecord","148.72.164.179.threatq-act","148.72.164.179","FALSE","threatq-act","default"Request to Start Processing the File
POST {{INFOBLOX_URL}}/wapi/v2.12/fileop?_function=csv_import
Sample Parameters:
{
"action": "START",
"operation": "DELETE",
"on_error": "CONTINUE",
"token": "{{TOKEN_FROM_INITIATE_UPLOAD}}"
}Sample Response:
{
"csv_import_task": {
"_ref": "csvimporttask/b25lLmNzdl9pbXBvcnRfdGFzayQ1Njg:568",
"admin_name": "admin",
"file_name": "delete_iocs",
"file_size": 395,
"import_id": 568,
"lines_failed": 0,
"lines_processed": 0,
"lines_warning": 0,
"on_error": "CONTINUE",
"operation": "INSERT",
"separator": "COMMA",
"start_time": 1744193295,
"status": "PENDING",
"update_method": "OVERRIDE"
}
}Enriched Data
Object counts and action runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and action runtime may vary based on system resources and load.
Infoblox Grid Add to RPZ
Scenario: no indicator has the attribute Removed From Infoblox RPZ to be removed.
| Metric | Result |
|---|---|
| Run Time | 14 minutes |
| Indicators | 5,000 |
| Indicator Attributes | 5,000 |
Scenario: all the indicators the attribute Removed From Infoblox RPZ is removed.
| Metric | Result |
|---|---|
| Run Time | 34 minutes |
| Indicators | 5,000 |
| Indicator Attributes | 5,000 |
Infoblox Grid Add Batch to RPZ
Scenario: Ingest Infoblox RPZ Name As Attribute configuration parameter is enabled.
| Metric | Result |
|---|---|
| Run Time | 30 minutes |
| Indicators | 5,000 |
| Indicator Attributes | 5,000 |
Scenario: Ingest Infoblox RPZ Name As Attribute configuration parameter is disabled.
| Metric | Result |
|---|---|
| Run Time | 10 minutes |
| Indicators | 50,000 |
Infoblox Grid Remove from RPZ
Scenario: no indicators had the attribute Removed From Infoblox RPZ removed.
| Metric | Result |
|---|---|
| Run Time | 14 minutes |
| Indicators | 5,000 |
| Indicator Attributes | 5,000 |
Scenario: all the indicators had the attribute Removed From Infoblox RPZ removed.
| Metric | Result |
|---|---|
| Run Time | 34 minutes |
| Indicators | 5,000 |
| Indicator Attributes | 5,000 |
Infoblox Grid Remove Batch from RPZ
Scenario: the Delete Infoblox RPZ Name Attribute configuration parameter is enabled.
| Metric | Result |
|---|---|
| Run Time | 30 minutes |
| Indicators | 50,000 |
Scenario: the Delete Infoblox RPZ Name Attribute configuration parameter is disabled.
| Metric | Result |
|---|---|
| Run Time | 12 minutes |
| Indicators | 50,000 |
Known Issues / Limitations
- The actions Infoblox Grid Add Batch To RPZ and Infoblox Grid Remove Batch From RPZ are considerably faster when no attributes are removed. Be aware that some batches can be dropped due to already existing or missing indicators in the Infoblox RPZ. In the event that a batch is dropped, the run summary will have error files and the corresponding attribute will not be added to the indicator.
The actions Infoblox Grid Add To RPZ and Infoblox Grid Remove From RPZ are slower because they upload the indicators sequentially. These actions are considered "safer" in that they will fail only for indicators if that one cannot be uploaded.
Change Log
- Version 1.1.0
- Updated the endpoint for the Infoblox Add Batch to RPZ and Infoblox Grid Remove Batch from RPZ actions. This new endpoint will allow the uploading of indicators using CSV files.
- Updated the minimum ThreatQ version to 6.7.3.
- Version 1.0.1
- Added two new actions:
- Infoblox Grid Add Batch to RPZ.
- Infoblox Grid Remove Batch from RPZ.
- Added a new Known Issue / Limitation entry regarding the new actions.
- Added two new actions:
- Version 1.0.0
- Initial release
PDF Guides
| Document | ThreatQ Version |
|---|---|
| Infoblox Grid Action Bundle Guide v1.1.0 | 6.7.3 or Greater |
| Infoblox Grid Action Bundle Guide v1.0.1 | 5.25.0 or Greater |
| Infoblox Grid Action Bundle Guide v1.0.0 | 5.25.0 or Greater |