Infoblox Dossier Operation
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
| Current Integration Version | 1.0.1 |
| Compatible with ThreatQ Versions | >= 4.40.0 |
| Support Tier | ThreatQ Supported |
Introduction
The ThreatQuotient for Infoblox Dossier Operation enables a ThreatQ user to query Infoblox Dossier for enrichment metadata.
The operation provides the following action:
- Enrich Indicator - enriches indicators (IP Addresses, Emails, FQDNs, URLs, and MD5, SHA-1, and SHA-256 hashes) with research from Infoblox Dossier.
The operation is compatible with the following indicator types:
- Email Address
- FQDN
- IP Address
- MD5
- SHA-1
- SHA-256
- URL
Installation
This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Operation option from the Type dropdown (optional).
- Click on the integration entry to open its details page.
- Enter the following parameters under the Configuration tab:
Parameter Description API Key Your API key for connecting to Infoblox Dossier. Hostname The Hostname or IP address of Infoblox Dossier. Port The communication port (default is 8000). Verify SSL Check this box to verify SSL when connecting to the Infoblox Dossier instance. - Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable it.
Actions
The operation provides the following actions:
| Action | Description | Object Type | Object Subtype |
|---|---|---|---|
| Enrich Indicator | Enriches indicators with research from Infoblox Dossier. | Indicator | IP Addresses, Emails, FQDNs, URLs, and MD5, SHA-1, SHA-256 |
Enrich Indicator
The Enrich Indicator action enriches indicators (IP Addresses, Emails, FQDNs, URLs, and MD5, SHA-1, and SHA-256 hashes) with research from Infoblox Dossier.
The action also supports the Source filter.
Enriching Data Results Example
Change Log
- Version 1.0.1
- Updated Dossier URI - https://csp.infoblox.com/tide/
- Accounted for empty responses from Activity, CCB, Custom Lists, zvelo
- Parsed data from RPZ Feeds, Custom Lists, DNS
- Added functionality for sources zvelo and whitelist
- Version 1.0.0
- Initial Release
PDF Guides
| Document | ThreatQ Version |
|---|---|
| Infoblox Dossier Operation Guide v1.0.1 | 4.30.0 or Greater |
| Infoblox Dossier Operation Guide v1.0.0 | 4.30.0 or Greater |