activetrust platform dossier &...

© 2018 Infoblox Inc. All rights reserved. of 41 © 2018 Infoblox Inc. All rights reserved.

ActiveTrust Platform Dossier & TIDE Quick Start Guide

© 2018 Infoblox Inc. All rights reserved. of 41

Overview ActiveTrust Platform

TIDE and Dossier™

Quick Start Guide

ActiveTrust uses highly accurate machine-readable threat intelligence data via a flexible Threat Intelligence Data Exchange (TIDE) to aggregate, curate, and enable distribution of data across a broad range of infrastructure. TIDE enables organizations to ease consumption of threat intelligence from various internal and external sources, and to effectively defend against and quickly respond to cyberthreats. TIDE is backed by the Infoblox threat intelligence team that normalizes and refines high-quality threat intelligence data feeds.

Infoblox Threat Intelligence Data Exchange (TIDE) collects and manages curated threat intelligence from internal and external sources in a single platform. It enables security operations to remediate threats more rapidly by sharing normalized TIDE data in real time with third-party security systems such as Palo Alto Networks, SIEM, etc. By leveraging highly accurate machine-readable threat intelligence (MRTI) data to aggregate and selectively distribute data across a broad range of security infrastructure, the end result is a highly refined feed with a very low historical false-positive rate.

Infoblox Dossier™ is a threat investigation tool providing immediate contextual information on threats from a dozen sources (including TIDE) simultaneously. This allows threat analysts to save precious time in taking action against any identified threats. By using Dossier, accurate decisions may be made more quickly and with greater confidence, thereby shortening the threat’s attack window. Infoblox Dossier threat indicator investigation provides rich threat context to prioritize incidents and respond quickly.

Prerequisites Prerequisites ActiveTrust Dossier and TIDE are subscription-based services provided in Infoblox Cloud. There are no specific requirements for the software to access the services except a relevant subscription. Recent versions of Google Chrome are recommended to access ActiveTrust portal.


The ActiveTrust TIDE and Dossier User Interface Access to ActiveTrust TIDE and Dossier

Dossier can be accessed from CSP at https://csp.infoblox.com under the “Analyze” section. Dossier may also be accessed from the CSP dashboard by clicking on the “Dossier” shortcut on the left sidebar.

The Portal is not integrated with CSP and separate credentials are required. Your credentials are provided in a welcome email when your account is created.

Home Dashboard and Navigation Menu Home Dashboard and Navigation Menu

On the home dashboard you can find:

● Dossier Keyword Search widget – a shortcut to start an Infoblox Dossier keyword search.

● Indicator Search widget – a shortcut to perform an Infoblox Threat Indicator search.

● Active Indicator Filters search widget – a shortcut to perform an Infoblox active indicator filter search.

● Daily Threat Types and Weekly Data Types widgets – provide information about daily and weekly Infoblox published IOC’s discovered/added by our Cyber Threat Intelligence team.

● Resources widget providing shortcuts to popular resource links.

● Partners widgets provide overview information about premium partner data feeds which are part of the TIDE marketplace and can be purchased “a la carte”.

● By selecting “ActiveTrust” in the upper left corner you can return to the start page/dashboard.

The navigation menu is located on the top of the screen and provides an access to all functions of the portal. It consists of “Data Management”, “Search”, “Resources” and user’s profile sub-menus.

https://csp.infoblox.com/


● “Data Management” provides access to data governance and submission tools, link to the dashboard and Alexa Top domains.

● “Search” provides access to conducting Dossier and Indicator searches.

● “Resources” contains API guides, Threat Classification Guide, default threat indicators TTLs and description of the subscription levels.

● “Your username”: sub-menu with metric reports and user settings.

User Settings and Metric Reports User Settings and Metric Reports

Metric Reports

Subscriptions include a limited number of Dossier and partners’ searches. Statistics per user, organization, partners, and dossier transactions are provided in “Metric Reports”. The menu is available only to an organization’s administrators.

User Settings

On the User Management page, you can change your password and manage your API Keys. The passwords must satisfy the requirements described on the “Change Password” page.’

API keys are required to access Dossier and TIDE via the REST API. A user can create multiple API keys. There are no specific permissions associated with an API key. Only the key name and description can be edited. A key may be deactivated or deleted. In order to copy, please follow this simple procedure:

● Click on the API key. An info window “Copying the key to the clipboard was successful” will be displayed. ● To edit an API key, click on Active, Edit, or Remove as appropriate. ● To add an API key, click on the “Create New Key” link.

Please refer to the RESOURCES section for examples of API key usage.

User Management User Management


An Organization Administrator (OrgAdmin) user management role is available to organizations in ActiveTrust TIDE. This role is provisioned at the time the account is created, or upon request for organizations previously created without the organization admin role implemented. Please note, An OrgAdmin can only update or edit user accounts within their own organization.

As an OrgAdmin, you can manage users within your own organization. The org administrator can perform the following tasks:

• View a list of all users in the organization along with their account information. • Invite a new user. • Update or change user information. • Update or change a user’s role. • Reset a user’s password. • Activate or deactivate all other users within the organization. • Can grant other users within the organization the role of OrgAdmin.

Managing Users using the UI

To manage an organization’s users using the UI, do the following:

From the ActiveTrust TIDE dashboard, navigate to the User Management page (your user name > Admin > User Management). A listing of the organization’s current users will be displayed in the ‘Users’ panel located on the left-hand side of the page.

Inviting a New User

1. Click on the ‘Add New User’ The ‘Invite A New User’ panel will be displayed. 2. Select which role(s) the new user will be assigned. Multiple roles may be assigned

by holding down the ‘Shift’ key on your keyboard while selecting more than one user role.

3. Fill out the ‘First Name,’ ‘Last Name,’ and ‘Email’ 4. Click the ‘Invite’ button to invite the new user. When the pop-up window appears

confirming your intent to create a new user, click on the ‘Submit’ button to continue. 5. From the ‘New User Credentials’ pop-up window, copy and paste the new user’s

logon credentials into an email addressed to the user, before clicking on the ‘OK’ 6. Verify in the ‘Users’ panel that the new user’s account has been created as

intended.

Updating the Account of a Current User

1. Click on the user’s name in the ‘Users’ The ‘View User’ panel will be displayed. 2. Click on the ‘Edit’ button in the ‘View User’ panel to open the ‘Edit User’ panel. 3. Select the types of edits you wish to make to the user’s account. The types of edits

that can be made include edits in the user’s role, changes to the user’s account information, resetting the user’s password, and activating/deactivating the user’s account.


4. Once the desired edits/changes have been made to the user’s account, click on the ‘Update’ button to apply changes to the user’s account.

5. In the ‘Update User’ pop-up window, click ‘OK’ to confirm you want to update the user’s account.

6. Verify in the ‘Users’ panel that the user’s account has been updated as intended.

Managing Users using the API

To manage an organization’s users using the API, do the following:

Adding a New User

This API call adds a new user to the caller’s organization. The person making the call must be assigned the role of ‘OrgAdmin” to make the call.

Request

Request endpoint

POST /api/admin/accounts/org/users

Request Body

Field Type Description

email string User email, 8 – 512 chars, required

firstName string User first name, 8 – 512 chars, required

lastName string User last name, 8 – 512 chars, required

password string

User password, 8 – 72 chars, optional. Mix of upper and lower-case characters, numbers and non-alphanumerics

roles Array of strings

List of user roles available: DataAdmin, DataUser, DataWriter, Reports, OrgAdmin

Response


If the submission is successful, the HTTP code 200 (OK) will be returned, along with a JSON object that includes the api key generated for the user.

Example

Using curl to add user to the caller’s organization.

curl -H "Content-Type":"application/json" -u [YOUR_API_KEY]: -X POST "https://api.activetrust.net:8000/api/admin/accounts/org/users" -d '{"email":"[email protected]","firstName":"DJ", "lastName":"Frosh", "password":"djFr#shL1te", "roles":["DataAdmin", "DataUser", "DataWriter","Reports"]}'

Response: { "code": 0, "status": "success", "data": { "httpCode": 201, "data": { "code": 0, "status": "success", "data": { "email": "[email protected]", "uid": "[email protected]", "oid": "BankOrg", "apiKey": "a7d8ab2a43b6406bbd8c4f3d33698e9f6087e81fc34c4e4199d5c4ecbbc0f502" } } } }

Updating a User’s Information

This API call allows the editing of a current user to the caller’s organization. The person making the call must possess the role of ‘OrgAdmin” to make the call.

Request


Request endpoint

PUT /api/admin/accounts/org/user/{user_id}

It is required to have at least one of the below fields:

Request Body


firstName string User first name, 1 – 512 chars

lastName string User last name, 1 – 512 chars

Path Parameters


user_id string User email, targeted user to be updated

Response

If the submission is successful, the HTTP code 200 (OK) will be returned, along with a JSON object.

Example

Using curl to update firstName and lastName for user [email protected]

curl -H "Content-Type":"application/json" -u [YOUR_API_KEY]: -X POST "https://api.activetrust.net:8000/api/admin/accounts/org/users" -d '{"email":"[email protected]","firstName":"DJ", "lastName":"Frosh", "password":"djFr#shL1te", "roles":["DataAdmin", "DataUser", "DataWriter","Reports"]}'


Response: { "code": 200, "status": "success" }

Updating a User’s Role

This API call allows the updating of a current user’s role within the caller’s organization. The person making the call must possess the role of ‘OrgAdmin” to make the call.

Request

Request endpoint

PUT /api/admin/accounts/org/user/{user_id}/roles

Request Body

Request Body


roles Array of string List of user roles available: DataAdmin, DataUser, DataWriter, Reports, OrgAdmin

Path Parameters

Path Parameters



Response

If the submission is successful, the HTTP code 200 (OK) will be returned with a JSON response object.


Example

Using curl to update roles for user [email protected]

curl -H "Content-Type":"application/json" -u [YOUR_API_KEY]: -X PUT "https://api.activetrust.net:8000/api/admin/accounts/org/user/[email protected]/roles" -d '{"roles":["DataAdmin", "DataUser"]}'


Activating/Deactivating a User’s Account

Using this API call a user’s account within the caller’s organization can be activated or deactivated. The person making the call must possess the role of ‘OrgAdmin” to make the call.

Request

Request endpoint

PUT /api/admin/accounts/org/user/{user_id}/active/{is_active}

Payload

N/A

mailto:[email protected]


Path Parameters



is_active boolean User status, true to activate user, false to deactivate user

Response


Example

curl -u [YOUR_API_KEY]: -X PUT "https://api.activetrust.net:8000/api/admin/accounts/org/user/[email protected]/active/true"

Response: { "code": 0, "status": "success", "data": { "auth": { "httpCode": 200, "data": {


"code": 0, "status": "success" } }, "admin": { "httpCode": 200, "data": { "code": 200, "status": "success" } } } }

Resetting a User’s Password

Using this API call a user’s password can be reset within the caller’s organization. The person making the call must possess the role of ‘OrgAdmin” to make the call.

Request

Request endpoint

POST /api/auth/credentials/password/reset/{user_id}

Payload

Request Body


new_password string

New password. Required. 8 – 72 chars. At least one uppercase. At least one lowercase. At least one number. At least one special character (specified below) or space: !”#$%&'()*+,-./:;<=


Path Parameters



Response


Example

curl -H “Content-Type”:”application/json” -u [YOUR_API_KEY]: -X POST https://api.activetrust.net:8000/api/auth/credentials/password/reset/[email protected] -d ‘{“new_password”: “Test.Pass.1”}’


Get User list

Using this API call a list of all the users within the caller’s organization may be obtained. The person making the call must possess the role of ‘OrgAdmin’ to make the call.

Request

Request endpoint

GET /api/admin/accounts/org/users

Response


If the submission is successful, the HTTP code 200 (OK) will be returned, along with a JSON object. The root key of the object is “data”. The value of the root object is an array of user objects containing user profile, roles, and active status.

Example

curl -X GET -u [YOUR_API_KEY]: https://api.activetrust.net:8000/api/admin/accounts/org/users

Response: { "code": 0, "status": "success", "data": [ { "id": "[email protected]", "status": "inactive", "profile": { "email": "[email protected]", "fullName": "John Jones", "firstName": "John", "lastName": "Jones", "rolestring": "DataAdmin | DataUser | DataWriter | Reports" }, "roles": [ "DataAdmin", "DataUser", "DataWriter", "Reports" ] }, { "id": "[email protected]", "status": "inactive", "profile": { "email": "[email protected]", "fullName": "Jon joans", "firstName": "Jon", "lastName": "joans", "rolestring": "DataAdmin | DataUser | DataWriter | Reports" }, "roles": [ "DataAdmin", "DataUser", "DataWriter", "Reports" ] }

https://api.activetrust.net:8000/api/admin/accounts/org/users


} ] }

Get Available Roles for an Organization

Using this API call all available user roles within the caller’s organization may be obtained. The person making the call must possess the role of ‘OrgAdmin” to make the call.

Request

Request endpoint

GET /api/admin/accounts/org/roles

Response


Example

Request using curl to return available roles for the caller’s organization.

curl GET -u [YOUR_API_KEY]: https://api.activetrust.net:8000/api/admin/accounts/org/roles

Response: { "code": 200, "status": "success", "data": [ { "name": "DataAdmin", "description": "Data sharing administrators", "org": "TEST_ORG" }, { "name": "DataUser", "description": "Organization data users", "org": "TEST_ORG" }, { "name": "DataWriter",

https://api.activetrust.net:8000/api/admin/accounts/org/roles


"description": "Organization data users", "org": "TEST_ORG" }, { "name": "OrgAdmin", "description": "Organization administrators", "org": "TEST_ORG" }, { "name": "Reports", "description": "Access to organization reports", "org": "TEST_ORG" }, { "name": "User", "description": "Organization users", "org": "TEST_ORG" } ] }

Dossier Dossier Dossier search is available through the web-interface and via the REST API. The portal uses the same API so there is no difference in available filters and search results when using either the Web or the API searches.

Dossier Threat Indicators Dossier Threat Indicators

The Dossier™ threat indicator research tool offers the following features. Using the Dossier toolset, users may make accurate decisions more quickly and with greater confidence based on the contextual information obtained from a dozen sources simultaneously. Dossier source descriptions are as follows:

• Alexa Alexa is a global pioneer in the world of analytical insight. Their vast experience means they have developed the most robust and accurate web analytics service. Search results from Alexa provide a ranking from the global Top 1,000,000 Sites list.


• ActiveTrust ActiveTrust is Infoblox’s flagship data collection. Queries are executed against all data within ActiveTrust and data provider subscriptions.

• Current DNS Search results from Current DNS provide all the available information about a given hostname from DNS nameservers.

• Google Custom Search Google Custom Search, or GCS, searches anti-virus analysis pages, malware analysis blogs and other related malware/RCE websites. Google Custom Search is a platform provided by Google that allows web developers to feature specialized information in web searches, refine and categorize queries and create customized search engines.

• Geolocation The geolocation tool plots the identified coordinates on a map, providing city-level accuracy. Other information including ISP, city, region, lat/long, and country are also included.

• Google Safe Browsing Google Safe Browsing, or GSB, is a Google service that enables applications to check URLs against Google’s constantly updated lists of suspected phishing, malware, and unwanted software pages.

• iSIGHT iSIGHT Partners is the leading provider of global cyber threat intelligence, delivering unparalleled insight into your cyber adversaries, their motives and methods. iSIGHT provides instant reporting on threat actors targeting organizations, plus related Indicators of Compromise (IOCs) to help prioritize relevant threats, speed detection of advanced attacks and bolster responses to minimize further risk. iSIGHT is available as a separate subscription and is not automatically included with Dossier.

• Passive DNS Passive DNS is the historical DNS record for hostnames. When searching a hostname, Passive DNS will return all IPs that hostname has resolved to and were caught by the Passive DNS sensors in the previous 12 months. When searching an IP, Passive DNS will return all hostnames that have pointed to that IP. Note: Not every DNS change is caught, so there will be missing information.

• Reverse DNS The Reverse DNS tool performs a reverse DNS lookup of an IP address by searching domain name registry and registrar tables.

• Reverse Whois DomainTools’ Reverse Whois lookup API allows a lookup in Whois records that contain a string. This is typically used for identifying information like an email address or name. The results can reveal related, registered domains.


• Secure Domain Foundation Secure Domain Foundation, or SDF, is a Canadian incorporated not-for-profit organization whose primary mission is to provide Domain Name Registrars, registries (ccTLD & gTLD), hosting providers, DNS operators, and other Internet infrastructure providers with the tools they need to combat abuse of their services and a forum for sharing intelligence on bad actors. This version of SDF’s API is designed specifically to assist domain registries, registrars, and hosting providers to easily obtain validation and reputation information on certain account or Whois related data points.

• Malware Analysis Data collection of malicious content detected by aggregation of antivirus engines and website scanners.

• Whois DomainTools’ Whois lookup API provides the ownership record for a domain name or IP address with basic registration details, all in well-structured format that groups together important data.

Dossier Search Dossier Search

The indicator search returns data only from the ActiveTrust database but the search is not limited to a specific indicator (e.g. a hostname). The search interface currently returns a maximum of 25,000 records. It is recommended to use API for larger data sets.

Because of size of the available data, it is recommended to apply filters to limit the resulting dataset. When a keyword is used to search data, other filters are not applied even if they were specified. The result dataset can be exported in XML, CSV or JSON format. It is also possible to limit the number of returns by inputting a value in the “Records Returned” field.

Indicator Search Indicator Search

The indicator search returns data only from the ActiveTrust database but the search is not limited to a specific indicator (e.g. a hostname). The search interface currently returns a maximum of 25,000 records. It is recommended to use API for larger data sets.

Because of size of the available data, it is recommended to apply filters to limit the resulting dataset. When a keyword is used to search data, other filters are not applied even if they were specified. The result dataset can be exported in XML, CSV or JSON format. It is also possible to limit the number of returns by inputting a value in the “Records Returned” field.


BRIC Score BRIC Score

The Business Risk Impact Calculation score (BRIC) identifies the likely business impact of blocking a hostname to the average company with no insight into their network practices. The score for a hostname is based on a combination of factors; the domain’s popularity, the robustness of the domain’s resources, the domain’s history, and the domain’s order of separation from known threats.

The factors making up the BRIC score can be assessed and assigned an integer value of 0-100, to match an enterprise defender’s preferences. A low BRIC score value is indicative of a lesser likelihood of impacting a company when blocking a hostname, while a high BRIC score indicative of a greater likelihood of companies of impacted a company by blocking a hostname.

Viewing the BRIC Score in the UI

The BRIC Score for hostnames may be viewed in the search results pane after an indicator search has been performed. please note, BRIC Score data is only available for the IID feed. For each hostname in the IID feed, the hostname will have an associated BRIC Score ranging from 0-100.

BRIC Score API Calls

The following API calls may be used to retrieve BRIC Score data:

/api/data/threat/<type>?<ip,host,url>=<indicator>&bric_score=<0-100>

/api/data/threat/<type>?bric_score_from=<0-100>&bric_score_to=<0-100>

/api/data/threat/state/<type>?<ip,host,url>=<indicator>&bric_score=<0-100>

/api/data/threat/state/<type>?bric_score_from=<0-100>&bric_score_to=<0-100>

/api/data/threat?type=<ip,host,url>&<ip,host,url>=<indicator>&bric_score=<0-100>

/api/data/threat/state?type=<ip.host,url>&bric_score_from=<0-100>&bric_score_to=<0-100>

When performing an API call to retrieve the BRIC score for hostnames in the IID partner feed, the following information will be displayed in the report body. An example API report body is displayed below.


{ "id": "c5786928-5fa7-11e8-91b6-e9a8dd7a1bc9", "type": "IP", "ip": "184.168.43.1", "profile": "IID", "property": "MalwareC2_Generic", "class": "MalwareC2", "threat_level": 100, "expiration": "2018-07-22T21:02:53.000Z", "detected": "2018-05-23T21:02:53.000Z", "received": "2018-05-24T23:11:20.819Z", "imported": "2018-05-24T23:11:20.819Z", "up": "true", "batch_id": "c516c127-5fa7-11e8-91b6-e9a8dd7a1bc9", "bric_score": 10 }

BRIC Score API call examples

Several example API calls for retrieving BRIC Score information are provided:

Running an API call for a specific BRIC Score

When performing a threat query using the API, records may be requested based on a specific BRIC score by amending the API query. For example:

/api/data/threats?text_search=184.168.43.1&bric_score=10

Running an API call for a specified range of BRIC scores

When performing a threat query using the API, records may be requested based on a range of BRIC scores. For example:

/api/data/threats?text_search=184.168.43.1&bric_score_from=10&bric_score_to=50

Batch Submissions

BRIC Scores may also be retrieved when searching batch submissions. In this case, “bric_score” can be appended to a query to return hostname BRIC scores in the IID partner feed.


Search for Lookalike Domains Search for Lookalike Domains

Lookalike domains are domains that are found to be visually similar (look-alike) with other domains. These domains are composed using methods such as replacing letters with visually confusion ones (e.g. o to 0, l to 1, w to vv), switching to different top level domains (e.g. .com to .cc), among others. These domains are often found in cyber attacks seeking brandjacking, traffic redirection, and phishing.

TIDE supports searching for lookalike domains through the UI and through the API.

To retrieve records through the TIDE UI, the Indicator Search is used.

To retrieve records through API, two methods are supported:

1. Running an API call using the Swagger page. 2. Running an API call through Terminal

Searching for Lookalike Domains via the TIDE UI

You can use the Indicator Search in the TIDE UI to search for lookalike domains. Note that Indicator Search is limited to a maximum of 25,000 records. The default number of search returns is limited to 1,000 records.

To search for lookalike domains using Indicator Search, follow these steps:

1. Select ‘Hostnames’ for data type. 2. For Threat Class, deselect ‘All’ and select ‘Policy’. 3. From the Data Provider options, deselect ‘All’ and select ‘IID’. 4. Click the ‘Search’ button to run the search query. 5. From the returned search results, in the ‘Property’ column, apply a sort to classify

the different policies according to type. 6. Scroll through the returned search results until the lookalike domains are located

(Policy_LookalikeDomains).

From the returned indicator search results, you can perform a Dossier search against a selected lookalike domain to discover additional details on the indicator.

You can download the search results as an XML, CSV, or JSON file.

Searching for Lookalike Domains using an API call on the Swagger page

To run a search for a lookalike domain in TIDE using Swagger, follow these steps:


1. Navigate to the Manage API Keys page (user name > User Settings > User Management – Manage API Keys).

2. Select an active API key and copy it. 3. Navigate to the Data API Guide (Resources > API guides > Data API Guide). 4. Paste the copied API key into the ‘api key’ text field. 5. Click the ‘Enter API key’ button. A modal window will appear acknowledging that

your API key has been accepted. 6. From the list of ActiveTrust Platform Data Service REST APIs, click ‘threat: Threat

APIs’ to reveal all available API GET calls. 7. From the list of GET calls, click State Table API (/data/threats/state/(type)) to

display all available search parameters. Note that while running any of the threat API calls, TIDE will return data on lookalike domains. The recommended GET call to run when querying the system for lookalike domains is the State Table.

8. For the ‘type’ parameter, select host. 9. For the ‘property’ parameter, input Policy_LookalikeDomains. 10. Click the ‘Try it out’ button to run the call.

Once you execute the API call, the Response Body of the returned search will yield the requested lookalike domain data. By default, TIDE returns 100 lookalike domain records. However, by adjusting the rlimit parameter of the query, you may request fewer or more records (as few as one record and as many as 500 records).

A lookalike domain query returns data as shown in the following example:

{ "id": "dc396246y-56554-11e6-91e8-77e31fb69hcv", "type": "HOST", "host": "whatsapp.qxowgqhtny.site", "domain": "lookalikedomain.site", "tld": "site", "profile": "IID", "property": "Policy_LookalikeDomains", "class": "Policy", "threat_level": 100, "detected": "2018-05-15T02:15:07.473Z", "received": "2018-05-15T15:37:24.173Z", "imported": "2018-05-15T15:37:24.173Z", "expiration": "2018-05-29T02:15:07.473Z", "dga": false, "up": true, "batch_id": "dc396246y-56554-11e6-91e8-77e31fb69hcve", "extended": { "extended": "301a337ecd3490a61bc54e4dfd2bcg610ded2" } }


Searching for Lookalike Domains using an API Call in Terminal

To run a search for a lookalike domain in TIDE using Terminal, use the following API call. When using an API call in Terminal, all records within the system can be obtained.

curl -u [YOUR_API_KEY]: 'https://platform.activetrust.net:8000/api/data/threats/state/host?property=Policy_LookalikeDomains&rlimit=100'

The resulting response will retrieve the requested number of records.

Resources Resources Under the Resources menu are located the API guides and the Threat Classification guides. The API guides are tool kits which can be used to build API calls and review retrieved data. The Threat Classification guide defines the common threat intelligence data classification groups in the TIDE platform, as well as the specific properties that each group encompasses.

Data Management Data Management

ATP-TIDE allows the user to effectively and efficiently manage data with many useful tools including Alexa Top, data submission, and the associated governance system. It also includes the ability to run robust API calls within the TIDE ecosystem.

ActiveTrust Threat Classifications Guide TIDE Threat Classifications The TIDE Threat Classification Guide defines the common threat intelligence data classification groups in the TIDE platform as well as the specific properties that these groups encompass.

https://platform.activetrust.net/#threatclassification


When using the Threat Classification Guide, the threat indicators returned by a search contain “Class” and “Property” fields e.g. class “Bot” and property “Bot_Bankpatch”. The “Threat Classification Guide” contains descriptions of all classes and properties supported by Dossier and TIDE.

Each threat indicator belongs to a specific class and has a default expiration time (TTL). The default expiration times for all threat classes are provided on the “Default TTLs” page. To search for a specific threat type, search by threat class or property using the search box to narrow down the results.

Expired threat indicators are still available in the database and returned by a search, but they are not included in the ActiveTrust/DNS Firewall feeds. The Cyber Threat Intelligence team periodically checks the indicators for validity and accuracy.

Alexa Top Alexa Top

Alexa top is a ranking of the most popular sites in the Internet. This tool provides access to Alexa Top 10000 sites.

Default Threat Time-To-Live (TTL) Default TTLs The default TTL (time-to-live) list displays each threat class’s default time-to- live value within TIDE. Please note, the TTL values may vary.

Default TTLs

Class Property TTL

APT 20 years

Bot 7 days

CompromisedHost 30 days

DDoS 12 hours

ExploitKit 20 days

IllegalContent 3 days

InternetInfrastructure 1 year

https://platform.activetrust.net/#defaultttls


MaliciousNameserver 90 days

MalwareC2 60 days

Malware C2DGA 15 days

MalwareDownload 30 days

Phishing 30 days

Policy 3 days

Proxy 3 days

Scam 14 days

Scanner 7 days

Sinkhole 1 year

Spambot 5 days

UncategorizedThreat 30 days

Undefined 1 day

UnwantedContent 14 days

Whitelist 1 year

Infoblox Threat Intelligence Data Exchange (TIDE) Infoblox Threat Intelligence Data Exchange

Infoblox Threat Intelligence Data Exchange provides an access to highly curated threat indicators and data governance tools to share indicators inside the organization and/or between the organizations.


Infoblox TIDE and Dossier API Guides Infoblox ActiveTrust and Dossier API Guides

The following ActiveTrust-TIDE and Dossier guides are accessible only through the UI. Swagger Rest API Guides

Data API Guide Dossier API Guide Basic Admin API Guide (this guide is available to admin only) Dossier API Guide Advanced (this guide is available to admin only)

Web-based API Guides

API FAQ Default TTLs Threat Classification Guide

PDF API Guides

TIDE API Getting Started Guide Dossier API Reference Guide

TIDE API Guide TIDE API

TIDE API consist of a Data API and an Admin API. The Data API is used to submit and retrieve threat indicators. The Admin API provides access to governance policies, data profiles, and information about available sources and targets for data sharing. The TIDE platform provides API Guides, which describe all filters and options available by using an API call. Before using the API guides, an API Key must be entered into the “api_key” field. The API keys are configured in the “Manage API Keys” section of the “User Settings” page.

The TIDE platform leverages the Basic Auth method in HTTP/HTTPS to transport the API key. The API key is passed in the username field. The password field should be set to an empty string. All data fields (including filter) represented in ISO 8601 format.

https://platform.activetrust.net/#dataapi

https://platform.activetrust.net/#dossier_api_guide_basic

https://platform.activetrust.net/#adminapi

https://platform.activetrust.net/#dossier_api_guide_advance

https://platform.activetrust.net/#apifaq

https://platform.activetrust.net/#defaultttls

https://platform.activetrust.net/#threatclassification

https://platform.activetrust.net/APIGettingStartedGuide.pdf

https://platform.activetrust.net/DossierCallsRef.pdf


Dossier API Dossier API

Customers commonly use Dossier API Basic. It provides access to all information available on the portal. The Dossier API Basic Guide describes all available filters and options. Before using the Dossier API Guide, you need to enter an API Key in “api_key” field. The API keys are configured on the User Settings page under “Manage API Keys”.

The ActiveTrust platform leverages the Basic Auth method in HTTP/HTTPS to transport the API key. The API key is passed in the username field. The password field should be set to an empty string.

When a test query is executed, the API Guide returns: a CURL command to request the data, response body and response code. The listing below contains a sample CURL command which retrieves information about “eicar.top” domain in JSON format, which is the only supported export format for API based indicator search.

curl -H “Content-Type”:”application/json” -X POST “https://platform.activetrust.net:8000/api/services/intel/lookup/jobs?wait=true” -u <User_API_Key>: -d ‘{“target”:{“one”:{“type”: “host”,”target”: “eicar.top”, “sources”: [“alexa”,”atp”,”dns”,”gcs”,”gsb”,”malware_analysis”,”pdns”,”ptr”,”rwhois”,”sdf”,”whois”]}}}

Depending on the amount of data being requested, it may take some time to retrieve the data. In the case where the data is not required immediately, a search can be executed with the “wait” parameter set to “false” and retrieved later using the Dossier API Advanced call. In this case the first search (Basic API call) will return the “job_id”. The status of the job and results can be retrieved using the Advanced API “lookup_jobs_management” calls. The URL below retrieves results of a job using the “job_id” parameter:

https://platform.activetrust.net:8000/api/services/intel/lookup/jobs/job_id/results

The Dossier Advanced API provides these API calls:

● Lookup Jobs APIs (lookup_jobs_management) API calls – return status and results of the lookup jobs.

● Lookup Job Index (lookup_jobs_index) API calls – return list of the performed searches per user or organization.

https://platform.activetrust.net:8000/api/services/intel/lookup/jobs/job_id/results


● Worker Status (worker_stats) API calls – provide statistics per source, e.g. alexa, atp, dns etc.

● Service Metadata (service_metadata) API calls – return information about supported sources, targets, supported sources by targets and targets descriptions.

Data API Data API

ActiveTrust Data API consist of:

● Threat Batch APIs (batch) – used to submit own threat indicators and retrieve details about uploaded batches.

● Dashboard APIs (dashboard) – used to retrieve daily, weekly and monthly statistics by threats. This information is available on the dashboard.

● Threat Feed APIs (feed) – used to create feeds and retrieve threat indicators using the feeds.

● Property APIs (property) – used to retrieve threat properties registered on ActiveTrust platform.

● Threat Search APIs (search) – allow to save predefined searches of threat indicators and evoke them later by a name.

● Threat APIs (threat) – search threat indicators on ActiveTrust platform.

● Threat Class APIs (threat_class) – used to retrieve threat classes registered on ActiveTrust platform.

● Whitelist Host APIs (whitelist_host) – used to check if a hostname is whitelisted. If the call was evoked without the parameter, it returns all whitelisted hostnames.

● Whitelist IP APIs (whitelist_ip) – used to check if an IP address is whitelisted. If the call was evoked without the parameter, it returns all whitelisted IP ranges and IP-addresses.


Admin API Admin API

ActiveTrust Admin API consist of:

● Sharing Info APIs (sharing) – provide information about organizations and groups which provide thereat indicators or can be shared with.

● Resource Info APIs (resources) – manage data profiles. GET requests retrieve information, POST create a profile. API FAQ contains information how to create a profile.

● Governance Policy APIs (governance) – manage governance policies. GET requests retrieve information, POST create a policy. API FAQ contains information how to create a policy.

CURL Command Requests

Request Description

curl “https://platform.activetrust.net:8000/api/data/threats/host?profile=IID&dga=false&from_date=2017-06-04T00:00:00Z&data_format=csv&rlimit=100” -u [YOUR_API_KEY]:

1000 threat indicators in CSV format which were added after 2017-06-04 GMT (Date/Time is in ISO 8601 format) by Infoblox and are not DGA.

curl “https://platform.activetrust.net:8000/api/data/threats/state/host?Profile=IID&data_format=json” -u [YOUR_API_KEY]:

All currently active hostname threats detected by Infoblox (IID)


curl “https://platform.activetrust.net:8000/api/data/threats?type=host&profile=IID& period=30min&data_format=json” -u [YOUR_API_KEY]:

Infoblox-sourced hostnames for the past 30 minutes.

curl “https://platform.activetrust.net:8000/api/data/threats?profile=AIS-FEDGOV,iSIGHTPARTNERS& period=1w&data_format=csv ” -u [YOUR_API_KEY]:

iSight Partners and DHS AIS IPs for the past week, in CSV format.

Governance Policies and Data Submission Governance Policies and Data Submissions

Customers can submit/upload their own threat indicators and share them with other organizations or groups that they have the rights to do so. Submitted data is available via Dossier and Indicator searches on the portal and through the Data API. Data Governance Policies allow organizations to control how their submitted data is shared with other organizations or groups on the platform. Infoblox can enable accessing and data sharing between organizations upon request. Policies can be used for multiple data submissions and are only visible within your organization.

Data profiles are used to identify data in the platform from one or many data submissions. A data profile must be specified when data is submitted. Data profiles are associated with governance policies, which control who can access the data. When a data profile is created it must be associated with a governance policy.


Users can submit threat indicators on the portal or via Data API. In order to submit data, the following is required:

1. A governance policy – defines how data is shared. 2. A data profile – defines if standard TTL should be used and a governance policy.

Users can submit data using the following formats: JSON, CSV, XML, TSV (tab separated values). For all data formats the submitted data must identify the data/record type in addition to the list of data records. For CSV and TSV the record type must be provided as one of the columns. For JSON and XML the record type is defined in a separate top level field. The record type field can be one of the following values: “host”, “ip”, or “url”. It is not possible to upload data using different profiles or different record types in the same file. Threat data consists of file-level fields and record-level fields. The table below contains descriptions of all available fields.

Threat Data Fields

Field Name Description

File-level fields

profile

data profile id or name

record_type

host, ip, or url

external_id

string indicating an external ID to assign to the batch


record

surrounds the individual record(s) in the XML and JSON formats

Record-level fields

host

threat hostname

ip

threat IP address

url

threat URL

property

threat type

target

target of threat

detected

date/time threat was detected, in ISO 8601 format

duration

duration of this threat in XyXmXwXdXh format, expiration date will be set to the detected date + this duration


The listing below contains a sample data submission in XML format.

<feed> <profile>SampleProfile</profile> <record_type>ip</record_type> <record> <ip>127.1.0.1</ip> <property>Phishing_Phish</property> <detected>20170602T154742Z</detected> </record> <record> <ip>8.8.8.8</ip> <property>Scanner_Generic</property> <detected>19980927T154242Z</detected> <duration>42y0m0w0d42h</duration> </record> </feed>

The listing below contains a sample data submission in JSON format.

{ "feed": { "profile": "SampleProfile", "record_type": "host", "record": [ {"host": "www.google.com", "property": "Scanner_Generic", "detected": "19980927T154242Z", "duration":"42y0m0w0d42h"}, {"host": "www.example.com", "property": "Phishing_Phish", "detected": "20170602T154742Z"} ] } }

The listing below contains a sample data submission in CSV format.

record_type,url,profile,detected,property url,"https://example.com/page1.html","SampleProfile","20170602T154742Z", "UnwantedContent_Parasite" url,"http://example.com/gift.html","SampleProfile","20170602T154742Z", "Scam_FakeGiftCard"


The recommended limit for the number of records in a given data submission is 50,000. The maximum number of records should be no more than 60,000 at this point in time.

Submitting Threat Indicators Submitting Threat indicators

ActiveTrust Admin API consist of:

The listing below contains a sample curl command to submit threat indicators in JSON format to TIDE.

curl -X POST -H "Content-Type: application/json" --data-binary @DATA_FILE_NAME.json http://api.activetrust.net:8000/api/data/batches -u [YOUR_API_KEY]:

The system determines the format of the input data based on the Content-Type HTTP header (application/xml, text/xml, application/json, text/plain, text/csv, text/tab-separated-values, text/tsv, text/psv). If the Content-Type is not match with predefined types, or is not specified, it tries to determine the format dynamically by reading the first part of the data. It’s safest to specify the format in the Content-Type. The file format is described in “Governance policies and data submission” chapter.

Searching for Threat Indicators Searching for Threat indicators

Data Threat API calls are used to search threat indicators. Submitted threat indicators are also available for the search. The resulting dataset can be formatted in JSON, XML, STIX, CSV, TSV, PSV, CEF.

The threat indicators can be used by 3rd party solutions, e.g. with Palo Alto NGFW (please check Implementing Infoblox TIDE feeds into Palo Alto Networks Firewalls deployment guide for details) after a simple post processing.

It is highly recommended to limit amount of retrieving data by applying filters. The table below contains sample requests using CURL command.

https://www.infoblox.com/wp-content/uploads/infoblox-deployment-guide-implementing-infoblox-tide-feeds-into-palo-alto-networks-firewalls.pdf




Request Description

curl “https://platform.activetrust.net:8000/api/data/threats/host?profile=IID&dga=false&from_date=2017-06-04T00:00:00Z&data_format=csv&rlimit=100” -u [YOUR_API_KEY]:




curl “https://platform.activetrust.net:8000/api/data/threats?type=host&profile=IID& period=30min&data_format=json” -u [YOUR_API_KEY]:period=30min&data_format=json” -u [YOUR_API_KEY]:





Export of Threat Indicators for 3rd Party Solutions Exporting Threat indicators

TIDE’s threat indicators can be used by 3rd party solutions, e.g. with Palo Alto NGFW (please check Implementing Infoblox TIDE feeds into Palo Alto Networks Firewalls deployment guide for details) after a simple post-processing.

It is highly recommended to limit amount of retrieving data by applying filters. The table below contains sample requests using CURL command.


Request Description

curl “https://platform.activetrust.net:8000/api/data/threats/host?profile=IID&dga=false&from_date=2017-06-



04T00:00:00Z&data_format=csv&rlimit=100” -u [YOUR_API_KEY]:



curl “https://platform.activetrust.net:8000/api/data/threats?type=host&profile=IID& period=30min&data_format=json” -u [YOUR_API_KEY]:




DHS Automated Information Sharing (AIS) Program Infoblox AIS Program Overview and Deployment Guide DHS Automated Information Sharing (AIS) Program


Introduction to AIS Introduction

This document provides an overview of the DHS Automated Indicator Sharing (AIS) Program Threat Indicator Feeds and preliminary steps on how to deploy and utilize this data in the protection of your network. As this program evolves, Infoblox will enhance our applicable customer offerings in a continuous effort to deliver timely, accurate, and comprehensive threat intelligence in ways that customers can efficiently consume.

AIS: A Cybersecurity Block Watch AIS: A Cybersecurity Block Watch

As stated on the DHS website, The Department of Homeland Security’s (DHS) free Automated Indicator Sharing (AIS) capability enables the exchange of cyber threat indicators between the Federal Government and the private sector at machine speed. Threat indicators are pieces of information like malicious IP addresses or the sender address of a phishing email (although they can also be much more complicated).

AIS is a part of the Department’s effort to create an ecosystem where as soon as a company or federal agency observes an attempted compromise, the indicator will be shared in real time with all our partners, protecting them from that threat. That means adversaries can only use an attack once, which increases their costs and ultimately reduces the prevalence of cyber attacks. While AIS won’t eliminate sophisticated cyber threats, it will allow companies and federal agencies to concentrate more on them by clearing away less sophisticated attacks.

Ultimately, the goal is to commoditize cyber threat indicators through AIS so that tactical indicators are shared broadly among the public and private sector, enabling everyone to be better protected against cyber attacks.

Infoblox’s Role as a Commercial Capability for AIS Infoblox’s Role as a Commercial Capability for AIS

Infoblox supports leveraging collective threat intelligence to broaden our customers’ viewpoints into the external threat space. In many cases, indicators that start out as suspicious broken infrastructure from one organization’s perspective quickly become threat

https://www.us-cert.gov/ais


attack components for another organization. As the market leader in core network services, and by actively participating in and enhancing programs like AIS, Infoblox can function as an effective distribution mechanism where our customers can realize the outsized impact of Threat Intelligence Exchange Programs like AIS.

Utilize AIS Data Today with Infoblox ActiveTrust Utilize AIS Data Today with Infoblox ActiveTrust

As a qualified commercial capability provider, Infoblox has completed the technical and operational integrations necessary to distribute AIS threat data to our private sector customers. In addition, we have completed the terms of use and interconnectivity agreements on behalf of our customers who wish to deploy this data in their network protection mechanisms immediately. No additional agreements are required.

Infoblox presents the AIS Threat Indicators in a variety of ways within our ActiveTrust Solutions:

• Threat Intelligence Data Exchange (TIDE): o For bulk download use cases, customers can pull the historical and updated

AIS indicator sets both manually and via the TIDE API in a variety of formats. o For correlation use cases, customers can search the AIS data set for

evidence of specific hostnames or IP addresses.

• Dossier: o For customers who have access to AIS Commercial threat indicators, Dossier

will be automatically enabled and search against this data set. For those AIS indicators where additional context is needed, Dossier query results offer a broad set of information for better threat response and triage.

• RPZ Feeds: o Infoblox offers curated sets of threat indicators for native inclusion in Infoblox

DNS Firewall implementations. o This allows you to leverage your DNS Resolver as the AIS integration engine,

then block or alert on outbound traffic that intersects with the most recent AIS Threat Data.


AIS: How to Engage AIS: How to Engage

We encourage all commercial customers of Infoblox to engage the AIS Program data. This guide will lay out the general steps to deploy the AIS Threat Indicators for network protection in your Enterprise.

AIS in TIDE AIS in TIDE

Once you have authorized Infoblox to activate your access to the AIS Indicator Feeds, log into the TIDE platform. Once logged in, you can access the AISCOMM data source under your data attributes menu and refine your search query as necessary.

Within TIDE you can access AIS data via our API using the interactive API Guide, with the source profile set to AISCOMM, and generate the outputs in a variety of formats, including CSV, JSON, and CEF.

AIS Data in Dossier AIS Data in Dossier

AIS data is available via simple searches on specific data types such as IPs and Hostnames using Dossier. Dossier provides additional context from other sources on known AIS indicators and can provide useful context for response action when you have an RPZ hit on an indicator sourced from AIS.

AIS FAQs FAQs

Is there an additional cost for the AIS data? No. Both as part of our agreement with DHS and as part of our strategy to enable crowd-sourced threat intelligence within our customer base, there is no additional cost associated with this data.

How are the AIS indicators originated? Generally, the AIS data set originates from two efforts. First, DHS itself contributes threat

https://platform.activetrust.net/



data from NCCIC Policy watch lists and from methods within the US Federal space that discover new indicators of compromise. The second pathway is from DHS AIS program members themselves – a growing list of organizations in a variety of sectors. These organizations contribute back suspect or malicious indicators to the AIS data store, to enhance collective threat intelligence.

References References

1. ActiveTrust Data API Guide (https://platform.activetrust.net/#dataapi). 2. ActiveTrust Admin API Guide (https://platform.activetrust.net/#adminapi). System Admin only. 3. ActiveTrust Dossier API Guide Basic (https://platform.activetrust.net/#dossier_api_guide_basic). 4. ActiveTrust Dossier API Guide Advanced (https://platform.activetrust.net/#dossier_api_guide_advance). System Admin only. 5. ActiveTrust API FAQ (https://platform.activetrust.net/#apifaq). 6. Implementing Infoblox TIDE feeds into Palo Alto Networks Firewalls. Deployment guide. (https://www.infoblox.com/wp-content/uploads/infoblox-deployment-guide-implementing-infoblox-tide-feeds-into-palo-alto-networks-firewalls.pdf).


https://platform.activetrust.net/#adminapi

https://platform.activetrust.net/#dossier_api_guide_basic

https://platform.activetrust.net/#dossier_api_guide_advance

https://platform.activetrust.net/#apifaq



activetrust platform dossier &...

Documents