Infoblox-SOC-Get-Open-Insights-API

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Content Index

---

Leverages the Infoblox SOC Insights API to ingest all Open/Active SOC Insights at time of run into the custom InfobloxInsight table. This playbook is scheduled to run on a daily basis.

Attribute	Value
Type	Playbook
Solution	Infoblox
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Transformations	Ingestion API	Lake-Only
InfobloxInsight_CL 🔶	?	✓	?

Additional Documentation

📄 Source: Infoblox SOC Get Open Insights API/readme.md

• Summary
• Prerequisites
• Deployment instructions
• Post-Deployment instructions

Summary

This playbook uses the Infoblox SOC Insights REST API to ingest all Open/Active SOC Insights at time of run into the custom InfobloxInsight table.

This playbook is an alternative to using the Infoblox SOC Insight Data Connectors via the Microsoft forwarding agent, which require the Infoblox Cloud Data Connector (CDC). Instead, this playbook ingests the same type of data via REST API. This way, you do not need to set up and deploy and Infoblox CDC in your environment.

You can use both methods in the same workspace, but beware of duplicate data.

Simply input your Infoblox API Key into the playbook parameters and it will ingest every open SOC Insight at runtime.

The Analytic Query Infoblox - SOC Insight Detected - API Source will read this data for insights and create an Incident when one is found. It is OK to run the playbook multiple times, as the Analytic Queries will group SOC Insight Incidents into one that have the same Infoblox Insight ID in the underlying data tables.

This playbook is scheduled to run on a daily basis. You can increase or decrease recurrence.

Prerequisites

1. User must have a valid Infoblox API Key.

Deployment instructions

1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
2. Fill in the required parameters:
   • Playbook Name: Enter the playbook name here
   • Infoblox API Key: Enter valid value for API Key
   • Workspace ID: Enter value for Workspace ID,use same Workspace ID for Authorization
   • Workspace Key: Enter value for Workspace Key,use same Workspace Key for Authorization

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, authorize each connection.

1. Go to your logic app -> API connections -> Select connection resource
2. Go to General -> edit API connection
3. Provide Workspace Id and Workspace Key of Log Analytics Workspace where Table will be created
4. Click Save

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Playbooks · Back to Infoblox