ActiveTrust Cloud Threats API
- Beryl Carson
QUICK START GUIDE
ActiveTrust Cloud Threats API
March 2018

2018 Infoblox Inc. All rights reserved. ActiveTrust Cloud Threats API Quick Start Guide, March 2018, Page 1 of 19
Contents
Overview
Prerequisites
ActiveTrust Cloud Threats API
  API Calls
  Authentication
  Errors
  Request Parameters
  Threats API response
Use Case Examples
  Sample script to pull and redistribute events
  atc_threats.py configuration
  Infoblox ActiveTrust Cloud Splunk application
  Integration with Carbon Black Server
  Integrations via Syslog/UDP
    Integration with Infoblox Reporting
    Integration with Splunk
    Integration with McAfee ESM
References
Annex A
Overview

The ActiveTrust Cloud Threats API allows you to make RESTful API calls to gather DNS security data from ActiveTrust Cloud for SIEM (Security Information and Event Management) purposes. Based on your business needs, you can configure a SIEM system in your network to collect the DNS security data so that you can filter it and create custom reports. This document contains an overview and examples of using the ActiveTrust Cloud Threats API.

Prerequisites

An ActiveTrust Cloud subscription and an API key (an authorization token) are required to obtain access to the API and the events.

ActiveTrust Cloud Threats API

API Calls

The Threats API uses HTTPS (HTTP over SSL/TLS) as the transport mechanism. It supports a single API call, dns_event, which returns a list of blocked DNS requests.

Table 1) API Calls
HTTP Method | URI       | Description
GET         | dns_event | Get the list of blocked DNS requests

Authentication

An API key (or authorization token) is used to authenticate requests to the portal. You can obtain an API key in the Cloud Services Portal (CSP), in the user's preferences. To obtain the authentication token:

1. Log in to the Cloud Services Portal.
2. At the upper right-hand corner, click your user name and select "User Preferences".
3. On the User Preferences page, click "Show" under "API key" and copy the API key.

To authenticate requests, pass an HTTP "Authorization" header whose value is the word "Token", a space and the API key. The key carries the access rights of your portal account, so treat it like a password: keep it out of shared scripts and shell history (the curl commands below place it on the command line) and out of tickets or chat. For example:

Command 1: Get RPZ hits from " :09:00 UTC" to " :00:00 UTC" in CEF format
curl -H "Authorization: Token ac00eb99a55e4640be1eb899341cbd82" "<dns_event URL with t0, t1 and _format=cef parameters>"
Command 2: Get all blocked requests to "example.com" for the last 5 minutes in JSON format
t1=`date +%s`; t0=`expr $t1 - 300`; curl -H "Authorization: Token ac00eb99a55e4640be1eb899341cbd82" "<dns_event URL with t0, t1 and qname=example.com parameters>"

(expr needs its operands and the operator as separate arguments; "expr $t1-300" would return the string unchanged instead of subtracting.)

Errors

If the request is not authorized, the server returns a 401 response code and an error in JSON (regardless of the requested output format).

Error Response 1: Unauthorized request
HTTP/ 401 Unauthorized
Server: nginx/
Date: Mon, 29 Jan :19:38 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 74
Connection: keep-alive
X-Content-Type-Options: nosniff

{"status_code": "401", "status_detail": {"errors": ["Not authorized"]}}

If a request is executed successfully, the server responds with a 200 response code. If the dataset is empty, the response contains no data: the CEF output is blank and the JSON output contains an empty "result" array.

Error Response 2: An empty response in CEF format (including HTTP headers)
HTTP/ 200 OK
Server: nginx/
Date: Mon, 29 Jan :36:00 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 0
Connection: keep-alive

Error Response 3: An empty response in JSON format (including HTTP headers)
HTTP/ 200 OK
Server: nginx/
Date: Mon, 29 Jan :36:08 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 36
Connection: keep-alive

{"status_code": "200", "result": []}

Check the HTTP response code to determine the result of a request before parsing the body. Note that the Content-Type is text/plain for every response, and that a 401 body is JSON even when CEF was requested, so a consumer that parses the body blindly would treat the error as event data.

Request Parameters

An API call can return a very large dataset. Currently, Infoblox limits the size of the result dataset. It is recommended to narrow the search and execute it frequently rather than polling a large dataset. The following table explains the supported parameters you can use in your API requests to filter the results.
Table 2) Request Parameters
Parameter    | Description                                                                                          | Example
t0           | Start time in seconds (Unix timestamp). Query records on or after the start time. (required)          |
t1           | End time in seconds (Unix timestamp). Obtain records before (but not on) the end time. (required)     |
source       | "rpz" for RPZ events or "rpz analytic" for detection (threat insight) events. If omitted, data from both are provided. (optional) |
network      | Source Network (NAT case) / DFP name (DFP) / AT Endpoint (optional)                                  | Some Network
qip          | Device IP that sent the DNS query (optional)                                                         |
qname        | Queried IP/domain (optional)                                                                         | example.com
policy_name  | Policy name (optional)                                                                               | Policy name
threat_level | Threat level (optional)                                                                              | HIGH
threat_class | Threat category (optional)                                                                           | MalwareDownload
_limit       | Number of rows to return (optional)                                                                  | 2
_offset      | Offset of the first row to return, for paging (optional)                                             | 42
_format      | json (default) or cef (optional)                                                                     | cef

Note: There is a short delay between a query being blocked and that information becoming available via the Threats API. To avoid losing events, do not use the current timestamp as t1; subtract a delay, and start the next poll at the t1 of the previous one so that consecutive windows tile without gaps.

Threats API response

The API supports CEF and JSON (default) output formats. Events in JSON are listed in the "result" object array. In CEF format every event is on a separate line; the "new line" character is the delimiter.

Response 1: Response in JSON Format
{
  "status_code": "200",
  "result": [
    {
      "qname": "pqgbrfxiwcyvdf.net.",
      "device": " ",
      "user": "unknown",
      "severity": "HIGH",
      "tclass": "MalwareC2",
      "tproperty": "CryptoLocker",
      "timestamp": "11e f cd79196",
      "event_time": " T17:28:01.000Z",
      "confidence": "HIGH",
      "rcode": "NXDOMAIN",
      "rdata": "",
      "country": "unknown",
      "qtype": "A",
      "network": "Germany/Nürnberg",
      "feed_name": "antimalware",
      "feed_type": "DOMAIN",
      "policy_name": "Default Global Policy",
      "rip": ""
    }
  ]
}

Response 2: Response in CEF Format
CEF:0|Infoblox|ATC|2.0|dns_event|10|InfobloxAtcTimestamp= T17:28:01.000Z InfobloxAtcDevice= InfobloxAtcThreatClass=MalwareC2 InfobloxAtcThreatProperty=CryptoLocker InfobloxAtcRcode=NXDOMAIN InfobloxAtcUser=unknown InfobloxAtcNetwork=Germany/Nürnberg InfobloxAtcQname=pqgbrfxiwcyvdf.net. InfobloxAtcQtype=A InfobloxAtcConfidence=HIGH InfobloxAtcFeedName=antimalware InfobloxAtcFeedType=DOMAIN InfobloxAtcPolicyName=Default Global Policy InfobloxAtcRip=

The following table describes the data fields that can appear in the output.

Table 3) Data Output Fields
JSON format | CEF format                  | Description                                               | Examples
qname       | InfobloxAtcQname            | Destination domain or destination IP address              | example.com.
device      | InfobloxAtcDevice           | Device IP or AT Endpoint name                             | "ATE"
user        | InfobloxAtcUser             | User info                                                 | administrator
severity    | (the CEF Severity header field) | Threat level; numeric in CEF format                   | HIGH
tclass      | InfobloxAtcThreatClass      | Malware category                                          | MalwareDownload, "CUSTOM"
tproperty   | InfobloxAtcThreatProperty   | Threat property                                           | "Locky", LIST
timestamp   | -                           | Timestamp in UUID format                                  | "11e8-04bd bf e622352"
event_time  | InfobloxAtcTimestamp        | Event time                                                | T17:28:01.000Z
confidence  | InfobloxAtcConfidence       | Confidence (decoded, e.g. LOW, MEDIUM, HIGH)              | HIGH
rcode       | InfobloxAtcRcode            | Response type (decoded, e.g. NXDOMAIN, NOERROR)           | NOERROR, "NXDOMAIN", "REDIRECT"
rdata       | -                           | Response data                                             | " ", ""
country     | -                           | Country code; reflects the location of the resolved IP    | "US", "unknown"
qtype       | InfobloxAtcQtype            | Query type (decoded, e.g. A, AAAA, MX)                    | TXT
network     | InfobloxAtcNetwork          | Source Network (NAT case) / DFP / ATE (decoded)           | Some Network, AT Endpoint
feed_name   | InfobloxAtcFeedName         | Feed name                                                 | "ransomware", "CUSTOM"
feed_type   | InfobloxAtcFeedType         | Feed type                                                 | "DOMAIN", "IP-BASED"
policy_name | InfobloxAtcPolicyName       | Policy name                                               | "Default Global Policy"
rip         | InfobloxAtcRip              | IP returned                                               | ""

Use Case Examples

There are several use cases for the API, all of them sending ATC security events into a security or analytical solution. This document highlights one such use case: integration with a SIEM. Additional configuration is required on the SIEM side to poll, aggregate and correlate events, as well as to create additional reports. The events already contain information about the threat and about the policy and feed by which the request was blocked.

Not every third-party product can receive events through REST API calls. Syslog, however, is accepted by practically any SIEM or syslog server/collector. This document includes a sample Python script which pulls ATC events and redistributes them to a list of destinations over Syslog/UDP. Syslog over UDP provides no delivery guarantee, integrity or confidentiality, so keep the sender and the receiver on a trusted network segment.

The following use case examples are covered in this document:
- "Infoblox ActiveTrust Cloud" application for Splunk
- Integration with Carbon Black Server
- Infoblox Reporting via Syslog
- Splunk via Syslog
- McAfee ESM via Syslog

Sample script to pull and redistribute events

"atc_threats.py" is a sample script which pulls events in CEF format and forwards them via Syslog/UDP. The script is available on GitHub and in Annex A. Note that the script does not accept any CLI options; you set the parameters in the script itself. Refer to the atc_threats.py configuration chapter for the configuration details.
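The CEF and JSON outputs above carry the same event under different field names and framing, and the Errors chapter asks consumers to look at the HTTP status code before the body. The following code is an added example, not code from this guide, from atc_threats.py or from Infoblox: it parses a dns_event CEF line into the JSON field names of Table 3 (taking everything before the last pipe as the CEF header and its last field as the Severity, which matches Response 2), applies the 401/200/empty-result rules from the Errors chapter, and wraps a GET with the Token header. The sample record is constructed after Response 2 (the device IP and the date portion of the timestamp, which the page omits, are placeholders), and the endpoint URL is an assumed parameter of fetch_events because the page does not preserve it.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# CEF extension keys (Table 3) -> JSON field names of the dns_event call, so one
# downstream code path can consume either output format.
CEF_TO_JSON = {
    "InfobloxAtcQname": "qname", "InfobloxAtcDevice": "device",
    "InfobloxAtcUser": "user", "InfobloxAtcThreatClass": "tclass",
    "InfobloxAtcThreatProperty": "tproperty", "InfobloxAtcTimestamp": "event_time",
    "InfobloxAtcConfidence": "confidence", "InfobloxAtcRcode": "rcode",
    "InfobloxAtcQtype": "qtype", "InfobloxAtcNetwork": "network",
    "InfobloxAtcFeedName": "feed_name", "InfobloxAtcFeedType": "feed_type",
    "InfobloxAtcPolicyName": "policy_name", "InfobloxAtcRip": "rip",
}

_HEADER_SPLIT = re.compile(r"(?<!\\)\|")            # pipes not escaped with a backslash
_EXT_SPLIT = re.compile(r"\s+(?=[A-Za-z0-9_]+=)")   # whitespace that precedes the next key=


def _unescape(value):
    # CEF escapes '=' and '\' inside extension values and '|' inside header fields.
    return value.replace(r"\=", "=").replace(r"\|", "|").replace("\\\\", "\\")


def parse_cef_event(line):
    """Parse one dns_event CEF line into a dict keyed by the JSON field names.

    Everything before the last pipe is the header (kept under 'cef_header');
    its last field is the CEF Severity, exposed as 'severity' (numeric in CEF).
    Extension values may contain spaces ("Default Global Policy"), so the
    extension is split only where the next key= begins."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line[:40])
    parts = _HEADER_SPLIT.split(line, maxsplit=7)
    header, extension = parts[:-1], parts[-1]
    event = {"cef_header": [_unescape(h) for h in header],
             "severity": _unescape(header[-1])}
    for pair in _EXT_SPLIT.split(extension.strip()):
        if pair:
            key, _, raw = pair.partition("=")
            event[CEF_TO_JSON.get(key, key)] = _unescape(raw)
    return event


def parse_threats_response(status_code, body, fmt="json"):
    """Turn one HTTP response of the dns_event call into a list of events.

    The status code is checked first, as the guide recommends: a 401 carries a
    JSON error body even when CEF was requested, and an empty result set is a
    200 with an empty body (CEF) or an empty "result" array (JSON)."""
    if status_code == 401:
        try:
            errors = json.loads(body)["status_detail"]["errors"]
        except (ValueError, KeyError, TypeError):
            errors = [body]
        raise PermissionError("API key rejected: " + "; ".join(errors))
    if status_code != 200:
        raise RuntimeError("unexpected HTTP status %s: %s" % (status_code, body[:200]))
    if fmt == "cef":
        return [parse_cef_event(l) for l in body.splitlines() if l.startswith("CEF:")]
    if fmt == "json":
        return json.loads(body)["result"]
    raise ValueError("unsupported _format %r" % fmt)


def fetch_events(url, api_key, t0, t1, fmt="json", **filters):
    """GET the dns_event call with the Token header and parse the reply.

    'url' is the dns_event endpoint (an assumed parameter; take it from the CSP
    API documentation). 'filters' are the optional Table 2 parameters, e.g.
    source="rpz", qname="example.com". TLS certificate verification stays on."""
    params = dict(filters, t0=int(t0), t1=int(t1), _format=fmt)
    req = urllib.request.Request(url + "?" + urllib.parse.urlencode(params),
                                 headers={"Authorization": "Token " + api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return parse_threats_response(resp.status, resp.read().decode("utf-8"), fmt)
    except urllib.error.HTTPError as err:
        return parse_threats_response(err.code, err.read().decode("utf-8"), fmt)


# Constructed sample record in the shape of Response 2; the device IP and the
# date part of the timestamp are placeholders (the page's copy omits them).
SAMPLE_CEF = (
    "CEF:0|Infoblox|ATC|2.0|dns_event|10|InfobloxAtcTimestamp=2018-01-29T17:28:01.000Z "
    "InfobloxAtcDevice=10.0.0.15 InfobloxAtcThreatClass=MalwareC2 "
    "InfobloxAtcThreatProperty=CryptoLocker InfobloxAtcRcode=NXDOMAIN InfobloxAtcUser=unknown "
    "InfobloxAtcNetwork=Germany/Nürnberg InfobloxAtcQname=pqgbrfxiwcyvdf.net. InfobloxAtcQtype=A "
    "InfobloxAtcConfidence=HIGH InfobloxAtcFeedName=antimalware InfobloxAtcFeedType=DOMAIN "
    "InfobloxAtcPolicyName=Default Global Policy InfobloxAtcRip="
)

if __name__ == "__main__":
    for key, value in sorted(parse_cef_event(SAMPLE_CEF).items()):
        print("%-12s %s" % (key, value))
```

Splitting the extension at the next "key=" rather than at every space is what keeps "Default Global Policy" and similar values whole; a receiver that tokenises on spaces (the default behaviour of many syslog parsers) will otherwise shift every field after the policy name.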
Once you have set the API key and the destinations, execute the script with the following command:

python atc_threats.py

The script creates the file "atc_threats_ts.txt" with the current timestamp so that subsequent runs fetch only new events. You can use cron or any other scheduler to pull events periodically.

atc_threats.py configuration

The script configuration is defined in the script itself. There are four configuration parameters:
- "ATC_APIKey" defines the ActiveTrust Cloud API key. Refer to the Authentication chapter for details. The key is stored in clear text in the script, so restrict the file's permissions to the account that runs the scheduler.
- "Event_filter" defines the event filter. It is appended to the GET request as query parameters. Refer to the Request Parameters chapter for details.
- "destinations" is a list of dictionaries, each defining one destination. A dictionary consists of:
  o "type" - must be "syslog";
  o "host" - the IP address or hostname of the remote syslog receiver;
  o "port" - the UDP port on which the remote receiver listens for messages;
  o "facility" - a syslog facility. Only the local facilities ("local0" - "local7") are supported;
  o "severity" - a syslog severity.
- "sync_delay" defines the delay in seconds subtracted from the current timestamp to obtain t1 (see the note in the Request Parameters chapter).

Infoblox ActiveTrust Cloud Splunk application

The Infoblox ActiveTrust Cloud Splunk application allows you to:
- collect ActiveTrust Cloud logs into Splunk using the REST API;
- filter them efficiently, with full drill-down support based on time, threat property, threat class, source IP, domain name, query type and more;
- get additional context from the Infoblox Dossier threat investigation portal.

The application is available on the splunkbase.splunk.com website.

Integration with Carbon Black Server

The Carbon Black Infoblox Secure DNS connector ingests reports via syslog from the Infoblox Secure DNS appliance or via REST against Infoblox ActiveTrust Cloud Services and correlates them against data in the connected Carbon Black server. The connector can then take one or more actions based on these reports, including killing the offending process on the endpoint, isolating the system from the network, and creating an alert for future follow-up. The integration was developed by Carbon Black. Documentation and the source code are available on GitHub.

Integrations via Syslog/UDP

Integration with Infoblox Reporting

Infoblox appliances can accept syslog messages from remote systems and forward them to Infoblox Reporting, which lets you index and store internal and external syslog messages. The integration takes advantage of this capability and pushes events detected in ActiveTrust Cloud to a local Reporting server using the "atc_threats.py" script.

The Infoblox Reporting syslog destination in the atc_threats.py script does not require any specific parameters. Follow the procedure described in the atc_threats.py configuration chapter.

To configure NIOS and the Reporting appliance:

1. In the Grid member properties (any Grid member can be used), check the "Enable Syslog Proxy" checkbox and define an appropriate access control list and listening ports.
2. In the Grid Reporting Properties (Administration > Reporting), on the "General" tab, enable the "Syslog" index and set the desired index percentage.
3. On the "Syslog Data" tab, set "Source" to "Any" or "External". Other settings are optional.
4. Execute the "atc_threats.py" Python script on a remote server and wait a few seconds after it finishes.
5. Navigate to Reporting > Search and run the following search:

index="ib_syslog" CEF:0\ Infoblox\ ATC
6. If everything was configured correctly, you should see the events.
7. Configure a remote server to execute the script on a schedule.

Integration with Splunk

Splunk is a SIEM solution which accepts events via different southbound interfaces. The Infoblox ActiveTrust Cloud Splunk application is the preferred way to push events to Splunk. If it is not possible to install additional applications, you can use syslog, which Splunk supports natively. The provided "atc_threats.py" script can send ActiveTrust Cloud events to Splunk via Syslog/UDP. Refer to the Splunk documentation (reference 4) on how to accept and process syslog data.

Integration with McAfee ESM

McAfee ESM does not support a REST API as a source of incoming events. Instead, you can configure a local receiver to accept syslog messages with an Advanced Syslog Parser. The "atc_threats.py" script can be used to send ActiveTrust Cloud events to McAfee ESM.
To configure the integration, follow the procedure below.

1. Select a "Local Receiver" and click the "Add Data Source" button.
2. Set "Data Source Vendor" to "Generic", "Data Source Model" to "Advanced Syslog Parser", check "Parsing", set "Name" to a desired value (e.g. ATC) and "IP Address" to the address of the remote system where the script will be executed.
3. Press "OK" to save the changes.
4. Select the created syslog listener and click the "Policy Editor" button.
5. Add an advanced syslog parsing rule. You can use the rule provided below or create your own policy.

   any any any -> any any

6. The script retrieves events in CEF format, so it is recommended to use CEF for the data transformation.
7. Some fields, such as "DNS - Query" and "DNS - Type", are not available by default. Add them to the list using the "+" button.
8. Roll out the changes and the new rules to the local receiver.
9. Open "View Streaming Events" and press "Start".
10. Generate sample events.
11. Execute the script.
12. Check that McAfee ESM received the syslog messages and used the correct rule to parse the events.
13. Configure a remote server to execute the script on a schedule.

Refer to the "McAfee Enterprise Security Manager. Writing Custom Parsing Rules in McAfee ESM" guide for other details and configuration options.

References

1. ActiveTrust Cloud Administrator Guide
2. McAfee Enterprise Security Manager. Writing Custom Parsing Rules in McAfee ESM ( N/24000/PD24926/en_US/Writing_Custom_Parsing_Rules_in_McAfee_ESM.pdf)
3. Infoblox connector for Carbon Black Server
4. Splunk. Get data from TCP and UDP ports
5. "atc_threats.py" script
Annex A

import errno
import os
import re
import socket
import time

import requests
import urllib3

# Only relevant if verify=False were ever passed to requests.get(); this script keeps
# TLS certificate verification enabled, which matters because the request carries a bearer token.
urllib3.disable_warnings()

ATC_APIKey = "PutYourAPIkeyHere"
ATC_URL = "<dns_event endpoint URL>"   # not preserved in this copy of the script; fill in before use
Event_filter = ""   # e.g. "&source=rpz"
destinations = [
    {"type": "syslog", "host": " ", "port": "514", "facility": "local4", "severity": "warning"},
    {"type": "syslog", "host": " ", "port": "514", "facility": "local4", "severity": "warning"},
]
sync_delay = 60

# t1 lags the current time by sync_delay so that events not yet visible through the API are not skipped.
t1 = str(int(time.time()) - sync_delay)

# The end of the previous window becomes the start of this one; the new end time is stored
# before the request is made, so a failed request loses its window (a retry would need the old t0).
try:
    with open('atc_threats_ts.txt', 'r+') as f:
        t0 = f.read().strip()
        f.seek(0)
        f.write(t1)
        f.truncate()
except IOError as exc:
    if exc.errno == errno.ENOENT:
        t0 = t1   # first run: start from now and fetch nothing
        with open('atc_threats_ts.txt', 'w') as f:
            f.write(t1)
    else:
        raise

# Syslog RFCs: RFC 3164 (facility/severity numbering), RFC 5424 (message format)
class Facility:
    local0, local1, local2, local3, local4, local5, local6, local7 = range(16, 24)

class Severity:
    emergency, alert, critical, error, warning, notice, informational, debug = range(8)

class DST:
    """One delivery destination; its attributes come from a dictionary in 'destinations'."""
    def __init__(self, *initial_data, **kwargs):
        for dictionary in initial_data:
            for key in dictionary:
                setattr(self, key, dictionary[key])
        for key in kwargs:
            setattr(self, key, kwargs[key])
        if self.type == "syslog":
            self.socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    def send_msg_syslog(self, timestamp, msg):
        "send syslog"
        facility = getattr(Facility, self.facility)
        severity = getattr(Severity, self.severity)
        print(self.type, self.host, timestamp, msg, "\n")
        # RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
        data = "<%d>1 %s %s atc-sync %s - - %s" % (severity + facility * 8, timestamp,
                                                   socket.gethostname(), os.getpid(), msg)
        while True:
            try:
                self.socket.sendto(data.encode('utf-8'), (self.host, int(self.port)))
                break
            except IOError as exc:
                if exc.errno == errno.ENOBUFS:   # transmit buffer full (errno 55 on BSD/macOS): back off and retry
                    time.sleep(0.1)
                else:
                    raise

    def send_msg(self, timestamp, msg):
        "send a message to a remote system"
        method = getattr(self, 'send_msg_' + str(self.type))
        return method(timestamp, msg)

dest_dst = [DST(x) for x in destinations]

response = requests.get(ATC_URL + '?t0=' + t0 + '&t1=' + t1 + '&_format=cef' + Event_filter,
                        headers={"Authorization": "Token " + ATC_APIKey})
response.raise_for_status()   # a 401 body is JSON, not CEF; stop instead of forwarding it as an event

for msg in response.text.splitlines():
    r = re.search(r'InfobloxAtcTimestamp=([^\s]+)\s', msg)
    if r:
        for dst in dest_dst:
            dst.send_msg(r.group(1), msg)

#print('curl -k -H "Authorization: Token ' + ATC_APIKey + '" "')
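The script above keeps a single watermark file, lags t1 by sync_delay and pulls one page per run. The following code is an added example, not part of this guide or of atc_threats.py on GitHub: it reproduces that polling logic as testable functions and extends it in two ways the page's Request Parameters chapter motivates but the script does not implement, paging with _limit/_offset so that a busy window is not cut off by the per-call record cap, and advancing the watermark only after a successful fetch (written through a temporary file) so that a failed run is retried for the same window. make_fake_api is a constructed stand-in for the dns_event call; poll_once, fetch_page and the default limit are assumptions, not API names.

```python
import os
import time


def next_window(now, last_t1, sync_delay=60):
    """(t0, t1) for the next poll, or None when there is nothing to poll yet.

    t1 lags the current time by sync_delay seconds because a blocked query only
    becomes visible through the API a short while later; t0 is the t1 of the
    previous run, so consecutive windows [t0, t1) tile without gaps or overlap
    (the API includes t0 and excludes t1)."""
    t1 = int(now) - int(sync_delay)
    t0 = t1 if last_t1 is None else int(last_t1)   # first run starts from "now", like the script
    if t0 >= t1:
        return None   # scheduler fired too early or the clock went backwards: skip this tick
    return t0, t1


def fetch_window(fetch_page, t0, t1, limit=500, **filters):
    """Collect every event in [t0, t1) by paging with _limit/_offset.

    fetch_page(params) performs one dns_event call and returns its event list;
    paging stops at the first page shorter than the limit. Paging matters
    because the service caps the number of records returned per call."""
    events, offset = [], 0
    while True:
        page = fetch_page(dict(filters, t0=t0, t1=t1, _limit=limit, _offset=offset))
        events.extend(page)
        if len(page) < limit:
            return events
        offset += limit


def load_watermark(path):
    """t1 of the previous successful run, or None on the first run."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except FileNotFoundError:
        return None


def save_watermark(path, t1):
    """Write t1 through a temporary file so a crash cannot leave a truncated file."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(str(t1))
    os.replace(tmp, path)


def poll_once(fetch_page, state_path, now=None, sync_delay=60, **filters):
    """One scheduler tick. Unlike atc_threats.py, which stores the new t1 before
    the request is made, the watermark advances only after the fetch succeeded."""
    current = time.time() if now is None else now
    window = next_window(current, load_watermark(state_path), sync_delay)
    if window is None:
        return []
    t0, t1 = window
    events = fetch_window(fetch_page, t0, t1, **filters)
    save_watermark(state_path, t1)
    return events


def make_fake_api(event_times):
    """Constructed stand-in for the dns_event call, for offline use: one event per
    Unix timestamp in event_times, served with t0-inclusive/t1-exclusive
    semantics and _limit/_offset paging. Returns (fetch_page, list_of_calls)."""
    calls = []

    def fetch_page(params):
        calls.append(dict(params))
        hits = [{"event_ts": ts} for ts in sorted(event_times)
                if params["t0"] <= ts < params["t1"]]
        return hits[params["_offset"]:params["_offset"] + params["_limit"]]

    return fetch_page, calls


if __name__ == "__main__":
    fetch_page, calls = make_fake_api(range(1000, 2300))   # 1300 blocked queries, one per second
    t0, t1 = next_window(now=2360, last_t1=1000)
    print(len(fetch_window(fetch_page, t0, t1)), "events in", len(calls), "calls")
```

In production, fetch_page would wrap the real GET with the Token header and the status-code checks from the Errors chapter; keeping it injectable is what makes the window and paging logic testable without network access.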
More informationForeScout Open Integration Module: Data Exchange Plugin
ForeScout Open Integration Module: Data Exchange Plugin Version 3.2.0 Table of Contents About the Data Exchange Plugin... 4 Requirements... 4 CounterACT Software Requirements... 4 Connectivity Requirements...
More informationSymantec Advanced Threat Protection App for Splunk
Symantec Advanced Threat Protection App for Splunk Administrator Guide Date Published: 27 th Mar 2017 Document Version: 1.0.5 Table of Contents Installing and setting up the ATP app 3 About the Symantec
More informationNetworking. Chapter How to identify machines on internet Ports
Chapter 1 Networking Computer networks allow communication between multiple computers, regardless of their physical location. Internet provides us with an infrastructure that allows computers to interact
More informationConfiguring Antivirus Devices
CHAPTER 9 Revised: November 11, 2007 Antivirus (AV) devices provide detection and prevention against known viruses and anomalies. This chapter describes how to configure and add the following devices and
More informationStonesoft Management Center. Release Notes Revision B
Stonesoft Management Center Release Notes 6.1.1 Revision B Table of contents 1 About this release...3 System requirements... 3 Build version...4 Compatibility... 5 2 New features...6 3 Enhancements...
More informationHPE Security ArcSight Connectors
HPE Security ArcSight Connectors SmartConnector for Barracuda Firewall NG F- Series Syslog Configuration Guide October 17, 2017 Configuration Guide SmartConnector for Barracuda Firewall NG F-Series Syslog
More informationArbor Networks Pravail
McAfee Enterprise Security Manager Data Source Configuration Guide Data Source: Arbor Networks Pravail January 30, 2015 Arbor Networks Pravail Page 1 of 7 Important Note: The information contained in this
More informationProduct overview. McAfee Web Protection Hybrid Integration Guide. Overview
McAfee Web Protection Hybrid Integration Guide Product overview Overview The McAfee Web Protection hybrid solution is the integration of McAfee Web Gateway and McAfee Web Gateway Cloud Service (McAfee
More informationRSA NetWitness Logs. F5 Big-IP Advanced Firewall Manager. Event Source Log Configuration Guide. Last Modified: Friday, May 12, 2017
RSA NetWitness Logs Event Source Log Configuration Guide F5 Big-IP Advanced Firewall Manager Last Modified: Friday, May 12, 2017 Event Source Product Information: Vendor: F5 Event Source: Big-IP Advanced
More informationCb Response Interoperability
Copyright 1994-2018 Dell Inc. or its subsidiaries. All Rights Reserved. Trademarks RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or
More informationQuickSpecs. Aruba IntroSpect User and Entity Behavior Analytics. Overview. Aruba IntroSpect User and Entity Behavior Analytics Product overview
Overview Product overview Aruba s User and Entity Behavior Analytics (UEBA) solution, Aruba IntroSpect, detects attacks by spotting small changes in behavior that are often indicative of attacks that have
More informationK2289: Using advanced tcpdump filters
K2289: Using advanced tcpdump filters Non-Diagnostic Original Publication Date: May 17, 2007 Update Date: Sep 21, 2017 Topic Introduction Filtering for packets using specific TCP flags headers Filtering
More informationRESTCONF Programmable Interface
This chapter describes how to set-up and configure an HTTP-based protocol-representational State Transfer Configuration Protocol (RESTCONF). RESTCONF provides a programmatic interface based on standard
More informationSecurity, Internet Access, and Communication Ports
Security, Internet Access, and Communication Ports The following topics provide information on system security, internet access, and communication ports: Security Requirements Security Requirements, on
More informationSecurity, Internet Access, and Communication Ports
Security, Internet Access, and Communication Ports The following topics provide information on system security, internet access, and communication ports: About Security, Internet Access, and Communication
More informationInfoblox Authenticated DHCP
Infoblox Authenticated DHCP Unified Visitor Management amigopod Technical Note Revision 1.1 5 July 2010 United States of America +1 (888) 590-0882 Europe, Middle East & Asia +34 91 766 57 22 Australia
More informationSIEM Product Comparison
SIEM Product Comparison SIEM Technology Space SIEM market analysis of the last 3 years suggest: Market consolidation of SIEM players (25 vendors in 2011 to 16 vendors in 2013) Only products with technology
More informationDeploying the F5 Analytics iapp Template
Deploying the iapp Template Welcome to the F5 deployment guide for deploying F5 BIG-IP for easy export of statistical data. This document contains guidance on configuring the BIG-IP system with the Analytics
More informationDepartment of Computer Science. Burapha University 6 SIP (I)
Burapha University ก Department of Computer Science 6 SIP (I) Functionalities of SIP Network elements that might be used in the SIP network Structure of Request and Response SIP messages Other important
More informationAvaya Port Matrix: Avaya Aura Appliance Virtualization Platform 7.0
Avaya Port Matrix: Avaya Aura Appliance Virtualization Platform 7.0 Issue 1.0 August 24, 2015 August 2015 Avaya Port Matrix: Avaya Aura Appliance Virtualization Platform 7.0 1 ALL INFORMATION IS BELIEVED
More informationCisco Stealthwatch. Proxy Log Configuration Guide 7.0
Cisco Stealthwatch Proxy Log Configuration Guide 7.0 Table of Contents Introduction 3 Overview 3 Important Configuration Guidelines 3 Contacting Support 3 Configuring the Blue Coat Proxy Logs 5 Creating
More informationHPE Security ArcSight User Behavior Analytics
HPE Security ArcSight Analytics Software Version: 5.0 Integration and Content Guide July 21, 2016 Legal Notices Warranty The only warranties for Hewlett Packard Enterprise products and services are set
More informationForeScout CounterACT. (AWS) Plugin. Configuration Guide. Version 1.3
ForeScout CounterACT Hybrid Cloud Module: Amazon Web Services (AWS) Plugin Version 1.3 Table of Contents Amazon Web Services Plugin Overview... 4 Use Cases... 5 Providing Consolidated Visibility... 5 Dynamic
More informationForeScout CounterACT. Configuration Guide. Version 3.4
ForeScout CounterACT Open Integration Module: Data Exchange Version 3.4 Table of Contents About the Data Exchange Module... 4 About Support for Dual Stack Environments... 4 Requirements... 4 CounterACT
More informationForeScout App for Splunk
How-to Guide Version 2.0.0 Table of Contents About Splunk Integration... 3 Use Cases... 3 Data Mining and Trend Analysis of CounterACT Data... 4 Continuous Posture Tracking Based on a Broad Range of CounterACT
More informationF5 DDoS Hybrid Defender : Setup. Version
F5 DDoS Hybrid Defender : Setup Version 13.1.0.3 Table of Contents Table of Contents Introducing DDoS Hybrid Defender... 5 Introduction to DDoS Hybrid Defender...5 DDoS deployments... 5 Example DDoS Hybrid
More informationLCE Splunk Client 4.6 User Manual. Last Revised: March 27, 2018
LCE Splunk Client 4.6 User Manual Last Revised: March 27, 2018 Table of Contents Getting Started with the LCE Splunk Client 3 Standards and Conventions 4 Install, Configure, and Remove 5 Download an LCE
More informationSplunk Review. 1. Introduction
Splunk Review 1. Introduction 2. Splunk Splunk is a software tool for searching, monitoring and analysing machine generated data via web interface. It indexes and correlates real-time and non-real-time
More informationThe following topics provide more information on user identity. Establishing User Identity Through Passive Authentication
You can use identity policies to collect user identity information from connections. You can then view usage based on user identity in the dashboards, and configure access control based on user or user
More informationDell (SonicWALL) SonicOS
McAfee Enterprise Security Manager Data Source Configuration Guide Data Source: Dell (SonicWALL) SonicOS February 17, 2015 Dell (SonicWall) SonicOS Page 1 of 8 Important Note: The information contained
More informationForeScout Amazon Web Services (AWS) Plugin
ForeScout Amazon Web Services (AWS) Plugin Version 1.1.1 and above Table of Contents Amazon Web Services Plugin Overview... 4 Use Cases... 5 Providing Consolidated Visibility... 5 Dynamic Segmentation
More informationInfoblox VMware vrealize Log Insight Content Pack User Manual Version 1.1
Infoblox VMware vrealize Log Insight Content Pack User Manual Version 1.1 Release History S# Version Date History 1 1.0 14 May 2015 Initial Version 2 1.1 15 May 2015 IPAM, DHCP and DNS Dashboard changes
More informationConfiguring the Management Access List
The following topics explain how to configure the various system settings that are grouped together on the page. The settings cover overall system function. Configuring the Management Access List, page
More informationVARONIS APP FOR SPLUNK. User Guide
VARONIS APP FOR SPLUNK User Guide Publishing Information Software version Version 1.14 Document version 2 Publication date September, 2017 Copyright 2005-2017 Varonis Systems Inc. All rights reserved.
More informationStonesoft Management Center. Release Notes Revision B
Stonesoft Management Center Release Notes 6.1.0 Revision B Table of contents 1 About this release...3 System requirements... 3 Build version...4 Compatibility... 5 2 New features...6 3 Enhancements...
More informationTanium Connect User Guide. Version 4.8.3
Tanium Connect User Guide Version 4.8.3 September 11, 2018 The information in this document is subject to change without notice. Further, the information provided in this document is provided as is and
More informationSeceon s Open Threat Management software
Seceon s Open Threat Management software Seceon s Open Threat Management software (OTM), is a cyber-security advanced threat management platform that visualizes, detects, and eliminates threats in real
More informationProxy Log Configuration
Stealthwatch System Proxy Log Configuration (for Stealthwatch System v6.10.x) Copyrights and Trademarks 2018 Cisco Systems, Inc. All rights reserved. NOTICE THE SPECIFICATIONS AND INFORMATION REGARDING
More informationForescout. eyeextend for Palo Alto Networks Wildfire. Configuration Guide. Version 2.2
Forescout Version 2.2 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191
More informationCompare Security Analytics Solutions
Compare Security Analytics Solutions Learn how Cisco Stealthwatch compares with other security analytics products. This solution scales easily, giving you visibility across the entire network. Stealthwatch
More informationIntegrating Juniper Sky Advanced Threat Prevention (ATP) and ForeScout CounterACT for Infected Host Remediation
Integrating Juniper Sky Advanced Threat Prevention (ATP) and ForeScout CounterACT for Infected Host Remediation Configuration Example March 2018 2018 Juniper Networks, Inc. Juniper Networks, Inc. 1133
More informationIntegrate Microsoft ATP. EventTracker v8.x and above
EventTracker v8.x and above Publication Date: August 20, 2018 Abstract This guide provides instructions to configure a Microsoft ATP to send its syslog to EventTracker Enterprise. Scope The configurations
More informationTracking Messages
This chapter contains the following sections: Tracking Service Overview, page 1 Setting Up Centralized Message Tracking, page 2 Checking Message Tracking Data Availability, page 4 Searching for Email Messages,
More informationSecurity, Internet Access, and Communication Ports
Security, Internet Access, and Communication Ports The following topics provide information on system security, internet access, and communication ports: Security Requirements Security Requirements, on
More informationBIG-IP Analytics: Implementations. Version 12.1
BIG-IP Analytics: Implementations Version 12.1 Table of Contents Table of Contents Setting Up Application Statistics Collection...5 What is Analytics?...5 About HTTP Analytics profiles...5 Overview: Collecting
More informationSecurity, Internet Access, and Communication Ports
Security, Internet Access, and Communication Ports The following topics provide information on system security, internet access, and communication ports: Overview: Security, Internet Access, and Communication
More information