Infoblox Dossier User Guide

Size: px

Start display at page:

Download "Infoblox Dossier User Guide"

Darren Sharp
5 years ago
Views:

2 1. Overview of Dossier Prerequisites Access to the Dossier User Interface Home Dashboard and Navigation Menu User Settings and Metric Reports Dossier Search Dossier Threat Indicators Dossier API Dossier API Guides Utilizing AIS Data with Infoblox Dossier AIS Data in Dossier References... 9 Infoblox Dossier Documentation 2 / 10

3 1. Overview of Dossier Overview Infoblox Dossier is a threat investigation tool providing immediate contextual information on threats simultaneously from a dozen sources including TIDE. This allows threat analysts to save precious time in taking action against any identified threats. By using Dossier, accurate decisions may be made more quickly and with greater confidence, thereby shortening the threat s attack window. Infoblox Dossier threat indicator investigation provides rich threat context to prioritize incidents and respond quickly. 2. Prerequisites Prerequisites Dossier is a subscription-based services provided in Infoblox Cloud. There are no specific requirements for the software to access the services except a relevant subscription. Infoblox Dossier Documentation 3 / 10

4 3. Access to the Dossier User Interface Access to Dossier Dossier can be accessed at Dossier is also available by visiting where it is located under the Analyze section. These sites are respectively referred to as The Portal and CSP. The Portal is not integrated with CSP and separate credentials are required. Your credentials are provided in a welcome when your account is created. 4. Home Dashboard and Navigation Menu Home dashboard and navigation menu On the TIDE dashboard you can find a shortcut to perform a Dossier Keyword Search. Access to Dossier is also available under the Search menu. Infoblox Dossier Documentation 4 / 10

5 5. User Settings and Metric Reports User Settings and Metric Reports Metric Reports Subscriptions include a limited number of Dossier and partners searches. Statistics per user, organization, partners, and dossier transactions are provided in Metric Reports. The menu is available only to an organization s administrators. User Settings On the User Management page, you can change your password and manage API Keys. The passwords must satisfy the requirements described on the Change Password page. API keys are required to access Dossier via REST API. A user can create multiple API keys. There are not any specific permissions related to a key. Only the key name and description can be changed. A key may be deactivated or deleted. In order to copy the key, you can:? Click on a key. Info window Copying the key to the clipboard was successful will be displayed.? Edit a key 6. Dossier Search Dossier Search The Dossier search field accepts the following input types: domains, hostnames, IPs, URLs, SHA1 and SHA256 hashes, and addresses. Not all features/data providers support all data types, e.g. Alexa supports only hostnames and domains, for example. Dossier automatically detects the type of the data in a search field and performs only relevant searches. With Dossier, it is possible to enter domains in this format example[.]com. The Features sidebar provides the ability to select or deselect any of the listed features by checking the appropriate check box. By hovering over the i icon on any of the Dossier search fields, a brief description of the feature can be viewed. A brief description of Dossier s features is available by hovering over Infoblox Dossier Documentation 5 / 10

6 the i icon in the feature s search field. Dossier search is available via the web-interface and a REST API. The portal uses the same API so there is no difference in available filters and search results between Web and API Searches. 7. Dossier Threat Indicators Dossier Threat Indicators The Dossier threat indicator research tool offers the following features. Using the Dossier toolset, users may make accurate ccurate decisions more quickly and with greater confidence based on the contextual information obtained from a dozen sources simultaneously. Alexa Alexa is a global pioneer in the world of analytical insight. Their vast experience means they have developed the most robust and accurate web analytics service. Search results from Alexa provide a ranking from the global Top 1,000,000 Sites list. ActiveTrust Active Trust is Infoblox s flagship data collection. Queries are executed against all data within ActiveTrust and data provider subscriptions. DNS Lookup Search results from DNS Lookup provide all the available information about a given hostname from DNS nameservers. Google Custom Search Google Custom Search, or GCS, searches anti-virus analysis pages, malware analysis blogs and other related malware/rce websites. Google Custom Search is a platform provided by Google that allows web developers to feature specialized information in web searches, refine and categorize queries and create customized search engines. Geolocation The geolocation tool plots the identified coordinates on a map, providing city-level accuracy. Other information including ISP, city, region, lat/long, and country are also included. Google Safe Browsing Google Safe Browsing, or GSB, is a Google service that enables applications to check URLs against Google s constantly updated lists of suspected phishing, malware, and Infoblox Dossier Documentation 6 / 10

7 unwanted software pages. Passive DNS Passive DNS is the historical DNS record for hostnames. When searching a hostname, Passive DNS will return all IPs that hostname has resolved to and were caught by the PDNS sensors in the previous 12 months. When searching an IP, Passive DNS will return all hostnames that have pointed to that IP. Note: Not every DNS change is caught, so there will be missing information. Reverse DNS The Reverse DNS tool performs a reverse DNS lookup of an IP address by searching domain name registry and registrar tables. Reverse Whois DomainTools Reverse Whois lookup API allows a lookup in Whois records that contain a string. This is typically used for identifying information like an address or name. The results can reveal related, registered domains. Secure Domain Foundation Secure Domain Foundation is a Canadian incorporated not-for-profit organization whose primary mission is to provide Domain Name Registrars, registries (cctld & gtld), hosting providers, DNS operators, and other Internet infrastructure providers with the tools they need to combat abuse of their services and a forum for sharing intelligence on bad actors. This version of SDF s API is designed specifically to assist domain registries, registrars, and hosting providers to easily obtain validation and reputation information on certain account or whois related data points. Whois DomainTools Whois lookup API provides the ownership record for a domain name or IP address with basic registration details, all in well-structured format that groups together important data. 8. Dossier API Dossier API Customers commonly use Dossier API Basic. It provides access to all information available on the portal. The Dossier API Basic Guide describes all available filters and options. Before using the Dossier API Guide, you need to enter an API Key in api_key field. The API keys are configured on the User Settings page under Manage API Keys. Infoblox Dossier Documentation 7 / 10

8 The ActiveTrust platform leverages the Basic Auth method in HTTP/HTTPS to transport the API key. The API key is passed in the username field. The password field should be set to an empty string. When a test query is executed, the API Guide returns: a CURL command to request the data, response body and response code. The listing below contains a sample CURL command which retrieves information about eicar.top domain in JSON format, which is the only supported export format for API based indicator search. curl -H Content-Type : application/json -X POST ctivetrust.net:8000/api/services/intel/lookup/jobs?wait=true -u <User_API_Key>: -d { target :{ one :{ type : host, target : eicar.top, sources : [ alexa, atp, dns, gcs, gsb, malware_ analysis, pdns, ptr, rwhois, sdf, whois ]}}} Depending on the amount of data being requested, it may take some time to retrieve the data. In the case where the data is not required immediately, a search can be executed with the wait parameter set to false and retrieved later using the Dossier API Advanced call. In this case the first search (Basic API call) will return the job_id. The status of the job and results can be retrieved using the Advanced API lookup_jobs_management calls. The URL below retrieves results of a job using the job_id parameter: The Dossier Advanced API provides these API calls:? Lookup Jobs APIs (lookup_jobs_management) API calls return status and results of the lookup jobs.? Lookup Job Index (lookup_jobs_index) API calls return list of the performed searches per user or organization.? Worker Status (worker_stats) API calls provide statistics per source, e.g. alexa, atp, dns etc.? Service Metadata (service_metadata) API calls return information about supported sources, targets, supported sources by targets and targets descriptions. 9. Dossier API Guides Dossier API Guides Infoblox Dossier Documentation 8 / 10

9 The following Dossier guides are accessible only through the UI. Swagger Rest API Guides Dossier API Guide Basic PDF API Guides Dossier API Reference Guide 10. Utilizing AIS Data with Infoblox Dossier Utilize AIS Data Today with Dossier As a qualified commercial capability provider, Infoblox has completed the technical and operational integrations necessary to distribute AIS threat data to our private sector customers. In addition, we have completed the terms of use and interconnectivity agreements on behalf of our customers who wish to deploy this data in their network protection mechanisms immediately. No additional agreements are required For customers having access to AIS Commercial threat indicators, Dossier will be automatically enabled and search against this data set. For those AIS indicators where additional context is needed, Dossier query results offer a broad set of information for better threat response and triage. 11. AIS Data in Dossier AIS Data in Dossier AIS data is available via simple searches on specific data types such as IPs and Hostnames using Dossier. Dossier provides additional context from other sources on known AIS indicators and can provide useful context for response action when you have an RPZ hit on an indicator sourced from AIS. 12. References References Dossier API Guide Basic. Infoblox Dossier Documentation 9 / 10

10 Powered by TCPDF ( Infoblox Dossier Quick Start Guide Infoblox Dossier Documentation 10 / 10

ActiveTrust Platform Dossier & TIDE

ActiveTrust Platform Dossier & TIDE Quick Start Guide 2018 Infoblox Inc. All rights reserved. Page 1 of 41 2018 Infoblox Inc. All rights reserved. Overview ActiveTrust Platform TIDE and Dossier Quick Start