Infoblox TIDE User Guide

Transcription

1 Infoblox TIDE User Guide 2017 Infoblox Inc. All rights reserved. ActiveTrust Platform Dossier and TIDE - June 2017 Page 1 of 16

2 Overview of TIDE Overview TIDE uses highly accurate machine-readable threat intelligence data via a flexible TIDE (Threat Intelligence Data Exchange) to aggregate, curate, and enable distribution of data across a broad range of infrastructure. TIDE enables organizations to ease consumption of threat intelligence from various internal and external sources, and to effectively defend against and quickly respond to cyber threats. TIDE is backed by the Infoblox threat intelligence team that normalizes and refines high-quality threat intelligence data feeds. TIDE collects and manages curated threat intelligence from internal and external sources in a single platform. It enables security operations to remediate threats more rapidly by sharing normalized TIDE data in real time with third-party security systems such as Palo Alto Networks, SIEM, etc. By leveraging highly accurate machine-readable threat intelligence (MRTI) data to aggregate and selectively distribute data across a broad range of security infrastructure, the end result is a highly refined feed with a very low historical false-positive rate. Prerequisites Prerequisites TIDE is a subscription-based services provided in Infoblox Cloud. There are no specific requirements for the software to access the services except a relevant subscription. Recent versions of Google Chrome are recommended to access TIDE. TIDE User Interface Access to the TIDE portal through the User Interface TIDE can be accessed at The Portal is not integrated with CSP and separate credentials are required. Your credentials are provided in a welcome when your account is created.

3 Home Dashboard and Navigation Menu Home dashboard and navigation menu The navigation menu is located on the top of the screen and provides an access to all functions of the portal. It consists of Data Management, Search, Resources and user s profile sub-menus. Data Management provides access to data governance and submission tools, link to the dashboard and Alexa Top domains. Search provides access to conducting Dossier and Indicator searches. Resources contains API guides, Threat Classification Guide, default threat indicators TTLs and description of the subscription levels. Your username : sub-menu with metric reports and user settings. On the home dashboard you can find: Indicator Search widget a shortcut to perform an Infoblox Threat Indicator search. Active Indicator Filters search widget a shortcut to perform an Infoblox active indicator filter search. Daily Threat Types and Weekly Data Types widgets provide information about daily and weekly Infoblox published IOC s discovered/added by our Cyber Threat Intelligence team. Resources widget providing shortcuts to popular resource links. Partners widgets provide overview information about premium partner data feeds which are part of the TIDE marketplace and can be purchased a la carte. By selecting ActiveTrust in the upper left corner you can return to the start page/dashboard.

4 User Settings and Metric Reports User Settings and Metric Reports Metric Reports Subscriptions include a limited number of Dossier and partners searches. Statistics per user, organization, partners, and dossier transactions are provided in Metric Reports. The menu is available only to an organization s administrators. User Settings On the User Management page, you can change your password and manage API Keys. The passwords must satisfy the requirements described on the Change Password page. API keys are required to access Dossier and TIDE via REST API. A user can create multiple API keys. There are no any specific permissions related to a key. Only the key name and description can be changed. A key may be deactivated or deleted. In order to copy the key, you can: Click on a key. An information window will appear, displaying the message: Copying the key to the clipboard was successful. Edit a key Refer to the next section RESOURCES for examples of API key usage. User Management Organization Admin User Management An Organization Administrator (OrgAdmin) user management role is available to organizations in ActiveTrust TIDE. This role is provisioned at the time the account is created, or upon request for organizations previously created without the organization admin role implemented. Please note, An OrgAdmin can only update or edit user accounts within their own organization.

5 As an OrgAdmin, you can manage users within your own organization. The org administrator can perform the following tasks: View a list of all users in the organization along with their account information. Invite a new user. Update or change user information. Update or change a user s role. Reset a user s password. Activate or deactivate all other users within the organization. Can grant other users within the organization the role of OrgAdmin. Managing Users using the UI To manage an organization s users using the UI, do the following: From the ActiveTrust TIDE dashboard, navigate to the User Management page (your user name > Admin > User Management). A listing of the organization s current users will be displayed in the Users panel located on the left-hand side of the page. Inviting a New User 1. Click on the Add New User The Invite A New User panel will be displayed. 2. Select which role(s) the new user will be assigned. Multiple roles may be assigned by holding down the Shift key on your keyboard while selecting more than one user role. 3. Fill out the First Name, Last Name, and 4. Click the Invite button to invite the new user. When the pop-up window appears confirming your intent to create a new user, click on the Submit button to continue. 5. From the New User Credentials pop-up window, copy and paste the new user s logon credentials into an addressed to the user, before clicking on the OK 6. Verify in the Users panel that the new user s account has been created as intended. Updating the Account of a Current User 1. Click on the user s name in the Users The View User panel will be displayed. 2. Click on the Edit button in the View User panel to open the Edit User panel. 3. Select the types of edits you wish to make to the user s account. The types of edits that can be made include edits in the user s role, changes to the user s account

6 information, resetting the user s password, and activating/deactivating the user s account. 4. Once the desired edits/changes have been made to the user s account, click on the Update button to apply changes to the user s account. 5. In the Update User pop-up window, click OK to confirm you want to update the user s account. 6. Verify in the Users panel that the user s account has been updated as intended. Managing Users using the API To manage an organization s users using the API, do the following: Adding a New User This API call adds a new user to the caller s organization. The person making the call must be assigned the role of OrgAdmin to make the call. Request Request endpoint POST /api/admin/accounts/org/users

7 Response If the submission is successful, the HTTP code 200 (OK) will be returned, along with a JSON object that includes the api key generated for the user. Example Using curl to add user to the caller s organization. curl -H "Content-Type":"application/json" -u [YOUR_API_KEY]: -X POST " -d '" ":"djfrosh@bankorg.net","firstname":"dj", "lastname":"frosh", "password":"djfr#shl1te", "roles":["dataadmin", "DataUser", "DataWriter","Reports"]' Response: "code": 0, "status": "success", "data": "httpcode": 201, "data": "code": 0, "status": "success", "data": " ": "djfrosh@bankorg.net", "uid": "djfrosh@bankorg.net", "oid": "BankOrg", "apikey": "a7d8ab2a43b6406bbd8c4f3d33698e9f6087e81fc34c4e4199d5c4ecbbc0f502" Updating a User s Information This API call allows the editing of a current user to the caller s organization. The person making the call must possess the role of OrgAdmin to make the call. Request

8 Request endpoint PUT /api/admin/accounts/org/user/user_id It is required to have at least one of the below fields: Response If the submission is successful, the HTTP code 200 (OK) will be returned, along with a JSON object. Example Using curl to update firstname and lastname for user djfrosh@bankorg.net curl -H "Content-Type":"application/json" -u [YOUR_API_KEY]: -X PUT " -d '"firstname":"dokta", "lastname":"fresh"'

9 Response: "code": 200, "status": "success" Updating a User s Role This API call allows the updating of a current user s role within the caller s organization. The person making the call must possess the role of OrgAdmin to make the call. Request Request endpoint PUT /api/admin/accounts/org/user/user_id/roles Request Body Path Parameters

10 Response If the submission is successful, the HTTP code 200 (OK) will be returned with a JSON response object. Example Using curl to update roles for user djfrosh@bankorg.net curl -H "Content-Type":"application/json" -u [YOUR_API_KEY]: -X PUT " -d '"roles":["dataadmin", "DataUser"]' Response: "code": 200, "status": "success" Activating/Deactivating a User s Account Using this API call a user s account within the caller s organization can be activated or deactivated. The person making the call must possess the role of OrgAdmin to make the call. Request Request endpoint PUT /api/admin/accounts/org/user/user_id/active/is_active Payload N/A

11 Response If the submission is successful, the HTTP code 200 (OK) will be returned, along with a JSON object. Example curl -u [YOUR_API_KEY]: -X PUT " 8000/api/admin/accounts/org/user/djfrosh@bankorg.net/active/true" Response: "code": 0, "status": "success", "data": "auth": "httpcode": 200, "data": "code": 0, "status": "success", "admin": "httpcode": 200, "data": "code": 200, "status": "success"

12 Resetting a User s Password Using this API call a user s password can be reset within the caller s organization. The person making the call must possess the role of OrgAdmin to make the call. Request Request endpoint POST /api/auth/credentials/password/reset/user_id Payload Response If the submission is successful, the HTTP code 200 (OK) will be returned, along with a JSON object.

13 Example curl -H Content-Type : application/json -u [YOUR_API_KEY]: -X POST -d new_password : Test.Pass.1 Get User list Response: "code": 200, "status": "success" Using this API call a list of all the users within the caller s organization may be obtained. The person making the call must possess the role of OrgAdmin to make the call. Request Request endpoint GET /api/admin/accounts/org/users Response If the submission is successful, the HTTP code 200 (OK) will be returned, along with a JSON object. The root key of the object is data. The value of the root object is an array of user objects containing user profile, roles, and active status. Example curl -X GET -u [YOUR_API_KEY]:

14 Response: "code": 0, "status": "success", "data": [ "id": "j.j@bankorg.net", "status": "inactive", "profile": " ": "j.j@bankorg.net", "fullname": "John Jones", "firstname": "John", "lastname": "Jones", "rolestring": "DataAdmin DataUser DataWriter Reports", "roles": [ "DataAdmin", "DataUser", "DataWriter", "Reports" ], "id": "j.joans@bankorg.net", "status": "inactive", "profile": " ": "j.joans@bankorg.net", "fullname": "Jon joans", "firstname": "Jon", "lastname": "joans", "rolestring": "DataAdmin DataUser DataWriter Reports", "roles": [ "DataAdmin", "DataUser", "DataWriter", "Reports" ] ]

15 Get Available Roles for an Organization Using this API call all available user roles within the caller s organization may be obtained. The person making the call must possess the role of OrgAdmin to make the call. Request Request endpoint GET /api/admin/accounts/org/roles Response If the submission is successful, the HTTP code 200 (OK) will be returned, along with a JSON object. Example Request using curl to return available roles for the caller s organization. curl GET -u [YOUR_API_KEY]: Response: "code": 200, "status": "success", "data": [ "name": "DataAdmin", "description": "Data sharing administrators", "org": "TEST_ORG", "name": "DataUser", "description": "Organization data users", "org": "TEST_ORG",

16 "name": "DataWriter", "description": "Organization data users", "org": "TEST_ORG", "name": "OrgAdmin", "description": "Organization administrators", "org": "TEST_ORG", "name": "Reports", "description": "Access to organization reports", "org": "TEST_ORG", "name": "User", "description": "Organization users", "org": "TEST_ORG" ] Indicator Search Indicator Search The indicator search returns data only from the ActiveTrust database but the search is not limited to a specific indicator (e.g. a hostname). The search interface currently returns a maximum of 25,000 records. It is recommended to use API for larger data sets. Because of size of the available data, it is recommended to apply filters to limit the resulting dataset. When a keyword is used to search data, other filters are not applied even if they were specified. The result dataset can be exported in XML, CSV or JSON format. It is also possible to limit the number of returns by inputting a value in the Records Returned field.

17 BRIC Score BRIC Score The Business Risk Impact Calculation score (BRIC) identifies the likely business impact of blocking a hostname to the average company with no insight into their network practices. The score for a hostname is based on a combination of factors; the domain s popularity, the robustness of the domain s resources, the domain s history, and the domain s order of separation from known threats. The factors making up the BRIC score can be assessed and assigned an integer value of 0-100, to match an enterprise defender s preferences. A low BRIC score value is indicative of a lesser likelihood of impacting a company when blocking a hostname, while a high BRIC score indicative of a greater likelihood of companies of impacted a company by blocking a hostname. Viewing the BRIC Score in the UI The BRIC Score for hostnames may be viewed in the search results pane after an indicator search has been performed. please note, BRIC Score data is only available for the IID feed. For each hostname in the IID feed, the hostname will have an associated BRIC Score ranging from BRIC Score API Calls The following API calls may be used to retrieve BRIC Score data: /api/data/threat/<type>?<ip,host,url>=<indicator>&bric_score=<0-100> /api/data/threat/<type>?bric_score_from=<0-100>&bric_score_to=<0-100> /api/data/threat/state/<type>?<ip,host,url>=<indicator>&bric_score=<0-100> /api/data/threat/state/<type>?bric_score_from=<0-100>&bric_score_to=<0-100>

18 /api/data/threat?type=<ip,host,url>&<ip,host,url>=<indicator>&bric_score=<0-100> /api/data/threat/state?type=<ip.host,url>&bric_score_from=<0-100>&bric_score_to=<0-100> When performing an API call to retrieve the BRIC score for hostnames in the IID partner feed, the following information will be displayed in the report body. An example API report body is displayed below. "id": "c fa7-11e8-91b6-e9a8dd7a1bc9", "type": "IP", "ip": " ", "profile": "IID", "property": "MalwareC2_Generic", "class": "MalwareC2", "threat_level": 100, "expiration": " T21:02:53.000Z", "detected": " T21:02:53.000Z", "received": " T23:11:20.819Z", "imported": " T23:11:20.819Z", "up": "true", "batch_id": "c516c127-5fa7-11e8-91b6-e9a8dd7a1bc9", "bric_score": 10 BRIC Score API call examples Several example API calls for retrieving BRIC Score information are provided: Running an API call for a specific BRIC Score When performing a threat query using the API, records may be requested based on a specific BRIC score by amending the API query. For example:

19 /api/data/threats?text_search= &bric_score=10 Running an API call for a specified range of BRIC scores When performing a threat query using the API, records may be requested based on a range of BRIC scores. For example: /api/data/threats?text_search= &bric_score_from=10&bric_score_to=50 Batch Submissions BRIC Scores may also be retrieved when searching batch submissions. In this case, bric_score can be appended to a query to return hostname BRIC scores in the IID partner feed. Search for Lookalike Domains Searching for Lookalike Domains Lookalike domains are domains that are found to be visually similar (look-alike) with other domains. These domains are composed using methods such as replacing letters with visually confusion ones (e.g. o to 0, l to 1, w to vv), switching to different top level domains (e.g..com to.cc), among others. These domains are often found in cyber attacks seeking brandjacking, traffic redirection, and phishing. TIDE supports searching for lookalike domains through the UI and through the API. To retrieve records through the TIDE UI, the Indicator Search is used. To retrieve records through API, two methods are supported: 1. Running an API call using the Swagger page. 2. Running an API call through Terminal

20 Searching for Lookalike Domains via the TIDE UI You can use the Indicator Search in the TIDE UI to search for lookalike domains. Note that Indicator Search is limited to a maximum of 25,000 records. The default number of search returns is limited to 1,000 records. To search for lookalike domains using Indicator Search, follow these steps: 1. Select Hostnames for data type. 2. For Threat Class, deselect All and select Policy. 3. From the Data Provider options, deselect All and select IID. 4. Click the Search button to run the search query. 5. From the returned search results, in the Property column, apply a sort to classify the different policies according to type. 6. Scroll through the returned search results until the lookalike domains are located (Policy_LookalikeDomains). From the returned indicator search results, you can perform a Dossier search against a selected lookalike domain to discover additional details on the indicator. You can download the search results as an XML, CSV, or JSON file. Searching for Lookalike Domains using an API call on the Swagger page To run a search for a lookalike domain in TIDE using Swagger, follow these steps: 1. Navigate to the Manage API Keys page (user name > User Settings > User Management Manage API Keys). 2. Select an active API key and copy it. 3. Navigate to the Data API Guide (Resources > API guides > Data API Guide). 4. Paste the copied API key into the api key text field. 5. Click the Enter API key button. A modal window will appear acknowledging that your API key has been accepted. 6. From the list of ActiveTrust Platform Data Service REST APIs, click threat: Threat APIs to reveal all available API GET calls. 7. From the list of GET calls, click State Table API (/data/threats/state/(type)) to display all available search parameters. Note that while running any of the threat API calls, TIDE will return data on lookalike domains. The recommended GET call to run when querying the system for lookalike domains is the State Table.

21 8. For the type parameter, select host. 9. For the property parameter, input Policy_LookalikeDomains. 10. Click the Try it out button to run the call. Once you execute the API call, the Response Body of the returned search will yield the requested lookalike domain data. By default, TIDE returns 100 lookalike domain records. However, by adjusting the rlimit parameter of the query, you may request fewer or more records (as few as one record and as many as 500 records). A lookalike domain query returns data as shown in the following example: "id": "dc396246y e6-91e8-77e31fb69hcv", "type": "HOST", "host": "whatsapp.qxowgqhtny.site", "domain": "lookalikedomain.site", "tld": "site", "profile": "IID", "property": "Policy_LookalikeDomains", "class": "Policy", "threat_level": 100, "detected": " T02:15:07.473Z", "received": " T15:37:24.173Z", "imported": " T15:37:24.173Z", "expiration": " T02:15:07.473Z", "dga": false, "up": true, "batch_id": "dc396246y e6-91e8-77e31fb69hcve", "extended": "extended": "301a337ecd3490a61bc54e4dfd2bcg610ded2" Searching for Lookalike Domains using an API Call in Terminal To run a search for a lookalike domain in TIDE using Terminal, use the following API call. When using an API call in Terminal, all records within the system can be obtained.

22 curl -u [YOUR_API_KEY]: ' Domains&rlimit=100' The resulting response will retrieve the requested number of records. Resources Resources Under the Resources menu are located the API guides and the Threat Classification guides. The API guides are tool kits which can be used to build API calls and review retrieved data. The Threat Classification guide defines the common threat intelligence data classification groups in the TIDE platform, as well as the specific properties that each group encompasses. Data Management Data Management ATP-TIDE allows the user to effectively and efficiently manage data with many useful tools including Alexa Top, data submission, and the associated governance system. It also includes the ability to run robust API calls within the TIDE ecosystem. ActiveTrust Threat Classifications Guide TIDE Threat Classifications The TIDE Threat Classification Guide defines the common threat intelligence data classification groups in the TIDE platform as well as the specific properties that these groups encompass.

23 When using the Threat Classification Guide, the threat indicators returned by a search contain Class and Property fields e.g. class Bot and property Bot_Bankpatch. The Threat Classification Guide contains descriptions of all classes and properties supported by Dossier and TIDE. Each threat indicator belongs to a specific class and has a default expiration time (TTL). The default expiration times for all threat classes are provided on the Default TTLs page. To search for a specific threat type, search by threat class or property using the search box to narrow down the results. Expired threat indicators are still available in the database and returned by a search, but they are not included in the ActiveTrust/DNS Firewall feeds. The Cyber Threat Intelligence team periodically checks the indicators for validity and accuracy. Alexa Top Alexa Top Alexa top is a ranking of the most popular sites in the Internet. This tool provides access to Alexa Top sites. Default Threat Time-To-Live (TTL) Default TTLs The default TTL (time-to-live) list displays each threat class s default time-to- live value within TIDE. Please note, the TTL values may vary.

24

25 Infoblox Threat Intelligence Data Exchange (TIDE) Infoblox Threat Intelligence Data Exchange Infoblox Threat Intelligence Data Exchange provides an access to highly curated threat indicators and data governance tools to share indicators inside the organization and/or between the organizations. Infoblox TIDE and Dossier API Guides ActiveTrust and Dossier API Guides The following ActiveTrust-TIDE and Dossier guides are accessible only through the UI. Swagger Rest API Guides Data API Guide Dossier API Guide Basic Admin API Guide (this guide is available to admin only) Dossier API Guide Advanced (this guide is available to admin only) Web-based API Guides API FAQ Default TTLs Threat Classification Guide (this content will be migrated to the help site) PDF API Guides TIDE API Getting Started Guide Dossier API Reference Guide

26 TIDE API Guides API Guides When running an API call, the required API key can be obtained by visiting the User Management page. A new API key may be generated, or an existing API key can be used. To copy the desired API key to the clipboard, click on it. Once the key is obtained, the API key may be pasted into the API Key field located on each API guide page. TIDE API TIDE API TIDE API consist of a Data API and an Admin API. The Data API is used to submit and retrieve threat indicators. The Admin API provides access to governance policies, data profiles, and information about available sources and targets for data sharing. The TIDE platform provides API Guides, which describe all filters and options available by using an API call. Before using the API guides, an API Key must be entered into the api_key field. The API keys are configured in the Manage API Keys section of the User Settings page. The TIDE platform leverages the Basic Auth method in HTTP/HTTPS to transport the API key. The API key is passed in the username field. The password field should be set to an empty string. All data fields (including filter) represented in ISO 8601 format. Data API Data API The TIDE Data API consist of: Threat Batch APIs (batch) used to submit own threat indicators and retrieve details about uploaded batches.

27 Dashboard APIs (dashboard) used to retrieve daily, weekly and monthly statistics by threats. This information is available on the dashboard. Threat Feed APIs (feed) used to create feeds and retrieve threat indicators using the feeds. Property APIs (property) used to retrieve threat properties registered on TIDE platform. Threat Search APIs (search) allow to save predefined searches of threat indicators and evoke them later by a name. Threat APIs (threat) search threat indicators on TIDE platform. Threat Class APIs (threat_class) used to retrieve threat classes registered on TIDE platform. Whitelist Host APIs (whitelist_host) used to check if a hostname is whitelisted. If the call was evoked without the parameter, it returns all whitelisted hostnames. Whitelist IP APIs (whitelist_ip) used to check if an IP address is whitelisted. If the call was evoked without the parameter, it returns all whitelisted IP ranges and IPaddresses. Admin API Admin API ActiveTrust Admin API consist of: Sharing Info APIs (sharing) provide information about organizations and groups which provide thereat indicators or can be shared with. Resource Info APIs (resources) manage data profiles. GET requests retrieve information, POST create a profile. API FAQ contains information how to create a profile. Governance Policy APIs (governance) manage governance policies. GET requests retrieve information, POST create a policy. API FAQ contains information how to create a policy.

28

29 Governance Policies and Data Submission Governance policies and data submissions Customers can submit/upload their own threat indicators and share them with other organizations or groups that they have the rights to do so. Submitted data is available via Dossier and Indicator searches on the portal and through the Data API. Data Governance Policies allow organizations to control how their submitted data is shared with other organizations or groups on the platform. Infoblox can enable accessing and data sharing between organizations upon request. Policies can be used for multiple data submissions and are only visible within your organization. Data profiles are used to identify data in the platform from one or many data submissions. A data profile must be specified when data is submitted. Data profiles are associated with governance policies, which control who can access the data. When a data profile is created it must be associated with a governance policy. Users can submit threat indicators on the portal or via Data API. In order to submit data, the following is required: 1. A governance policy defines how data is shared. 2. A data profile defines if standard TTL should be used and a governance policy. Users can submit data using the following formats: JSON, CSV, XML, TSV (tab separated values). For all data formats the submitted data must identify the data/record type in addition to the list of data records. For CSV and TSV the record type must be provided as one of the columns. For JSON and XML the record type is defined in a separate top level field. The record type field can be one of the following values: host, ip, or url. It is not possible to upload data using different profiles or different record types in the same file. Threat data consists of file-level fields and record-level fields. The table below contains descriptions of all available fields.

30 The listing below contains a sample data submission in XML format. <feed> <profile>sampleprofile</profile> <record_type>ip</record_type> <record> <ip> </ip> <property>phishing_phish</property> <detected> t154742z</detected>

31 </record> <record> <ip> </ip> <property>scanner_generic</property> <detected> t154242z</detected> <duration>42y0m0w0d42h</duration> </record> </feed> The listing below contains a sample data submission in JSON format. "feed": "profile": "SampleProfile", "record_type": "host", "record": [ "host": " "property": "Scanner_Generic", "detected": " T154242Z", "duration":"42y0m0w0d42h", "host": " "property": "Phishing_Phish", "detected": " T154742Z" ] The listing below contains a sample data submission in CSV format. record_type,url,profile,detected,property url," "UnwantedContent_Parasite" url," "Scam_FakeGiftCard"

32 The recommended limit for the number of records in a given data submission is 50,000. The maximum number of records should be no more than 60,000 at this point in time. Submitting Threat Indicators Submitting threat indicators The listing below contains a sample curl command to submit threat indicators in JSON format to TIDE. curl -X POST -H "Content-Type: application/json" -u [YOUR_API_KEY]: The system determines the format of the input data based on the Content-Type HTTP header (application/xml, text/xml, application/json, text/plain, text/csv, text/tab-separated-values, text/tsv, text/psv). If the Content-Type is not match with predefined types, or is not specified, it tries to determine the format dynamically by reading the first part of the data. It s safest to specify the format in the Content- Type. The file format is described in Governance policies and data submission chapter. Searching for Threat Indicators Searching for threat indicators Data Threat API calls are used to search threat indicators. Submitted threat indicators are also available for the search. The resulting dataset can be formatted in JSON, XML, STIX, CSV, TSV, PSV, CEF. The threat indicators can be used by 3rd party solutions, e.g. with Palo Alto NGFW (please check Implementing Infoblox TIDE feeds into Palo Alto Networks Firewalls deployment guide for details) after a simple post processing.

33 It is highly recommended to limit amount of retrieving data by applying filters. The table below contains sample requests using CURL command. Export of Threat Indicators for 3rd Party Solutions Exporting threat indicators TIDE s threat indicators can be used by 3rd party solutions, e.g. with Palo Alto NGFW (please check Implementing Infoblox TIDE feeds into Palo Alto Networks Firewalls deployment guide for details) after a simple post-processing. It is highly recommended to limit amount of retrieving data by applying filters. The table below contains sample requests using CURL command.

34 References References TIDE API FAQ. TIDE Data API Guide. Implementing TIDE feeds into Palo Alto Networks Firewalls. Deployment guide.