Solution: Infoblox
| Attribute | Value |
|---|---|
| Publisher | Infoblox |
| Support Tier | Partner |
| Support Link | https://support.infoblox.com/ |
| Categories | domains |
| Version | 3.0.2 |
| Author | Infoblox |
| First Published | 2024-07-15 |
| Last Updated | 2024-07-15 |
| Solution Folder | Infoblox |
| Marketplace | Azure Marketplace · Popularity: 🟡 Low (42%) |
The Infoblox Solution for Microsoft Sentinel is designed to enhance the capabilities of Security Operations Centers (SOC) by integrating actionable intelligence and contextual network data derived from DNS data into Microsoft Sentinel. This integration provides SOC analysts with the tools they need to quickly identify and respond to potential threats such as malware and data exfiltration, improving overall security posture. With seamless configuration and intuitive dashboards, the solution ensures that critical security events are monitored and correlated, offering actionable insights that streamline threat detection and response. SOC analysts will benefit from the app’s ability to provide contextual network data, including user and device attribution, through various lookups and visualizations. By leveraging unique DNS-based threat intelligence, audit logs and other data sources, analysts can conduct faster and more effective investigations. The solution’s functionalities, such as SOC Insights Overview and DNS Events, empower analysts to reduce alert fatigue by focusing on correlated events, ultimately leading to improved efficiency and protection against emerging threats.
Benefits

1. Reduce alert fatigue with actionable insights through SOC Insights: Focus on the most critical alerts and insights to streamline threat detection and response.
2. Faster investigations with contextual network data: Quickly correlate network activities with potential threats using detailed lookups and visualizations.
3. Unique DNS-based Infoblox Threat Intel: Access unparalleled DNS-based threat intelligence to enhance security decision-making and threat mitigation.
This solution provides 5 data connector(s):
🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes, which are also permitted in CLv2, so this classification may not always be accurate.
This solution uses 22 table(s):
The following 8 table(s) are used internally by this solution's content items:
| Table | Used By Connectors | Used By Content |
|---|---|---|
| InfobloxInsightAssets_CL 🔶 | - | Playbooks (writes), Workbooks |
| InfobloxInsightComments_CL 🔶 | - | Playbooks (writes) |
| InfobloxInsightEvents_CL 🔶 | - | Playbooks (writes), Workbooks |
| InfobloxInsightIndicators_CL 🔶 | - | Playbooks (writes), Workbooks |
| InfobloxInsight_CL 🔶 | Infoblox SOC Insight Data Connector via REST API | Analytics, Playbooks (writes), Workbooks |
| SecurityAlert | - | Workbooks |
| SecurityIncident | - | Workbooks |
| tide_lookup_data_CL 🔶 | - | Playbooks (writes), Workbooks |

🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes, which are also permitted in CLv2, so this classification may not always be accurate.
This solution includes 27 content item(s):
| Content Type | Count |
|---|---|
| Playbooks | 17 |
| Parsers | 6 |
| Analytic Rules | 2 |
| Workbooks | 2 |
| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| Infoblox - SOC Insight Detected - API Source | Medium | Impact | Internal use: InfobloxInsight_CL |
| Infoblox - SOC Insight Detected - CDC Source | Medium | Impact | CommonSecurityLog |
| Name | Description | Tables Used |
|---|---|---|
| Infoblox-Block-Allow-IP-Domain | The playbook will add or remove an IP or Domain value in a Named List of Infoblox. | - |
| Infoblox-Block-Allow-IP-Domain-Incident-Based | The playbook will add or remove IP or Domain values in a Named List that are available in incidents of Info... | - |
| Infoblox-Config-Insight-Details | The playbook retrieves Config Insight Details Data and ingests it into a custom table within the Log... | - |
| Infoblox-Config-Insights | The playbook retrieves Config Insight Data and ingests it into a custom table within the Log Analyti... | - |
| Infoblox-DHCP-Lookup | The playbook will retrieve IP entities from an incident, search for related DHCP data in a table, an... | CommonSecurityLog (read) |
| Infoblox-Data-Connector-Trigger-Sync | Playbook to sync timer trigger of all Infoblox data connectors. | - |
| Infoblox-Get-Host-Name | The playbook will fetch the data from the 'Hosts' API and ingest it into a custom table. | - |
| Infoblox-Get-IP-Space-Data | The playbook will fetch the data from the 'IP Space' API and ingest it into a custom table. | - |
| Infoblox-Get-Service-Name | This playbook will fetch the data from the 'Services' API and ingest it into a custom table. | - |
| Infoblox-IPAM-Lookup | The playbook will retrieve IP entities from an incident, call an API to obtain IPAM lookup data, and... | - |
| Infoblox-SOC-Get-Insight-Details | Leverages the Infoblox SOC Insights API to enrich a Microsoft Sentinel Incident triggered by an Info... | Internal use: InfobloxInsightAssets_CL (write), InfobloxInsightComments_CL (write), InfobloxInsightEvents_CL (write), InfobloxInsightIndicators_CL (write), InfobloxInsight_CL (write) |
| Infoblox-SOC-Get-Open-Insights-API | Leverages the Infoblox SOC Insights API to ingest all Open/Active SOC Insights at time of run into t... | Internal use: InfobloxInsight_CL (write) |
| Infoblox-SOC-Import-Indicators-TI | Imports each Indicator of a Microsoft Sentinel Incident triggered by an Infoblox SOC Insight into th... | - |
| Infoblox-TIDE-Lookup | The playbook fetches TIDE lookup data for the provided entity type and value. | Internal use: tide_lookup_data_CL (read/write) |
| Infoblox-TIDE-Lookup-Comment-Enrichment | The playbook enriches an incident by adding TIDE Lookup information as a comment on the incident. | - |
| Infoblox-TIDE-Lookup-Via-Incident | The playbook takes the entity type and value from an incident available in the Workbook and ingests TIDE Lookup... | - |
| Infoblox-TimeRangeBased-DHCP-Lookup | The playbook will retrieve IP entities from an incident, search for related DHCP data in a table for... | - |
| Name | Description | Tables Used |
|---|---|---|
| InfobloxCDC_SOCInsights | - | CommonSecurityLog (read) |
| InfobloxInsight | - | Internal use: InfobloxInsight_CL (read) |
| InfobloxInsightAssets | - | Internal use: InfobloxInsightAssets_CL (read) |
| InfobloxInsightComments | - | Internal use: InfobloxInsightComments_CL (read) |
| InfobloxInsightEvents | - | Internal use: InfobloxInsightEvents_CL (read) |
| InfobloxInsightIndicators | - | Internal use: InfobloxInsightIndicators_CL (read) |
| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.2 | 19-06-2025 | Added flags for Asset, Indicator, Event and Comment in InfobloxSOCGetInsightDetails playbook. Updated Workbook, Parser and Analytic rule. |
| 3.0.1 | 07-11-2024 | Bug fix in the Infoblox_Workbook Workbook |
| 3.0.0 | 15-07-2024 | Initial Solution Release |