⚠️ Unpublished: This item is from a solution that is not yet published on Azure Marketplace or not installed in Content Hub.
| Attribute | Value |
|---|---|
| Publisher | Infoblox |
| Support Tier | Partner |
| Support Link | https://support.infoblox.com/ |
| Categories | domains |
| Version | 3.0.2 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2024-03-06 |
| Solution Folder | Infoblox SOC Insights |
| Pre-requisites | Common Event Format |
The Infoblox SOC Insights solution lets you connect your Infoblox BloxOne SOC Insights data to Microsoft Sentinel. Once the logs are in Microsoft Sentinel you can search and correlate them, alert on them, and enrich each log with threat intelligence.
This solution depends on the Common Event Format solution, whose CEF via AMA connector collects the logs. The CEF solution is installed as part of this solution's installation.
NOTE: Microsoft recommends installing the CEF via AMA connector. The existing connectors are due to be deprecated by Aug 31, 2024.
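The CEF via AMA connector this solution depends on writes each CEF record into CommonSecurityLog, so the CDC-source analytic rule and the InfobloxCDC_SOCInsights parser read header columns such as DeviceVendor and Activity rather than the raw syslog line. The parser below is an added example, not code from the solution or from this catalog page: it shows how the seven pipe-delimited CEF header fields and the key=value extension map onto CommonSecurityLog column names, including the `\|` and `\=` escapes that naive splitting gets wrong. The sample record, its vendor/product strings and its extension keys are constructed placeholders rather than real Infoblox output, and the extension-key mapping is the common CEF-to-CommonSecurityLog subset, not the connector's full table.

```python
"""Map a CEF record onto the CommonSecurityLog columns a CEF connector fills.

Added example; the sample line and vendor/product strings are constructed.
"""
import re

# CEF header order after "CEF:<version>|" and the CommonSecurityLog column
# each field is stored in.
HEADER_COLUMNS = ("DeviceVendor", "DeviceProduct", "DeviceVersion",
                  "DeviceEventClassID", "Activity", "LogSeverity")

# Well-known extension keys and their CommonSecurityLog columns (subset).
# Keys not listed here are kept as key=value pairs in AdditionalExtensions.
EXTENSION_COLUMNS = {
    "rt": "ReceiptTime", "src": "SourceIP", "dst": "DestinationIP",
    "spt": "SourcePort", "dpt": "DestinationPort", "suser": "SourceUserName",
    "dvchost": "DeviceName", "act": "DeviceAction", "cat": "DeviceEventCategory",
    "msg": "Message", "cs1": "DeviceCustomString1",
    "cs1Label": "DeviceCustomString1Label",
}

# An extension key starts at the beginning of the extension or after a space.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _unescape(value):
    # CEF escapes: '\\' -> '\', '\=' -> '=', '\|' -> '|', '\n' / '\r' -> newline / CR.
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def _split_header(body):
    """Consume the seven pipe-delimited header fields (version, vendor, product,
    device version, signature id, name, severity), honouring '\\|' escapes, and
    return them together with the untouched extension string."""
    fields, cur, i, n = [], [], 0, len(body)
    while i < n and len(fields) < 7:
        c = body[i]
        if c == "\\" and i + 1 < n:
            cur.append(body[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header (fewer than 7 '|' separators)")
    return fields, body[i:]


def parse_extension(ext):
    """Split 'k=v k2=v2 ...' into a dict; values may contain spaces and escaped '='."""
    matches = list(_KEY_RE.finditer(ext))
    pairs = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        pairs[m.group(1)] = _unescape(ext[m.end():end])
    return pairs


def parse_cef(line):
    """Return a dict keyed by CommonSecurityLog column names for one CEF record."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    fields, ext = _split_header(line[start + len("CEF:"):])
    record = dict(zip(HEADER_COLUMNS, fields[1:7]))  # fields[0] is the CEF version
    extras = []
    for key, value in parse_extension(ext).items():
        column = EXTENSION_COLUMNS.get(key)
        if column:
            record[column] = value
        else:
            extras.append(f"{key}={value}")
    record["AdditionalExtensions"] = ";".join(extras)
    return record


# Constructed sample (NOT real Infoblox SOC Insights output). It carries an
# escaped pipe in the event name and an escaped '=' in msg on purpose.
SAMPLE = ("<134>Jun 28 12:00:00 bloxone CEF:0|Infoblox|SOC Insights|1.0|SOC_INSIGHT"
          "|Insight opened \\| DNS tunneling|5|rt=Jun 28 2024 12:00:00 "
          "src=10.0.0.5 dvchost=bloxone msg=status\\=open cs1=abc123 "
          "cs1Label=insightId threatClass=DNS_TUNNELING")

if __name__ == "__main__":
    for column, value in parse_cef(SAMPLE).items():
        print(f"{column}: {value!r}")
```

Run it and the Activity column comes back as `Insight opened | DNS tunneling` and Message as `status=open`, while `threatClass` has no dedicated column and lands in AdditionalExtensions; that is the shape a rule such as "Infoblox - SOC Insight Detected - CDC Source" queries in CommonSecurityLog, so any filter on a vendor-specific key has to look in AdditionalExtensions rather than a named column.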
This solution depends on 1 other solution(s):
| Solution |
|---|
| Common Event Format |
This solution provides 3 data connector(s):
| Connector |
|---|
| Infoblox SOC Insight Data Connector via REST API 🔶 |
| [Deprecated] Infoblox SOC Insight Data Connector via AMA |
| [Deprecated] Infoblox SOC Insight Data Connector via Legacy Agent |
Connectors from dependency solutions:
| Connector |
|---|
| Common Event Format (CEF) |
| Common Event Format (CEF) via AMA |
🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes, which are also permitted in CLv2, so this classification may not always be accurate.
This solution uses 1 table(s):
| Table | Used By Connectors | Used By Content |
|---|---|---|
| CommonSecurityLog | Common Event Format (CEF) (dependency), Common Event Format (CEF) via AMA (dependency), [Deprecated] Infoblox SOC Insight Data Connector via AMA, [Deprecated] Infoblox SOC Insight Data Connector via Legacy Agent | Analytics |
The following 7 table(s) are used internally by this solution's content items:
| Table | Used By Connectors | Used By Content |
|---|---|---|
| InfobloxInsightAssets_CL 🔶 | - | Playbooks (writes), Workbooks |
| InfobloxInsightComments_CL 🔶 | - | Playbooks (writes), Workbooks |
| InfobloxInsightEvents_CL 🔶 | - | Playbooks (writes), Workbooks |
| InfobloxInsightIndicators_CL 🔶 | - | Playbooks (writes), Workbooks |
| InfobloxInsight_CL 🔶 | Infoblox SOC Insight Data Connector via REST API | Analytics, Playbooks (writes), Workbooks |
| SecurityAlert | - | Workbooks |
| SecurityIncident | - | Workbooks |
🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes, which are also permitted in CLv2, so this classification may not always be accurate.
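The 🔶 legend here, and the same legend on the connector list above, classifies a custom table as CLv1 purely from its column-name suffixes. The function below is an added example, not part of the catalog or of the Infoblox solution: it reproduces that name-based heuristic and the failure mode the legend warns about, namely that a DCR-based (CLv2) table whose author happened to choose suffixed column names is flagged just the same. The column lists are constructed for the demonstration; the page does not publish the schema of InfobloxInsight_CL or the other `_CL` tables.

```python
"""Name-based CLv1 detection for Log Analytics custom tables, plus the
false-positive case it cannot avoid. Added example; column lists are constructed.
"""

# Type suffixes that Custom Log V1 ingestion (HTTP Data Collector API) appends
# to custom column names, and the Log Analytics type each one denotes.
CLV1_SUFFIXES = {"_s": "string", "_d": "double", "_b": "boolean",
                 "_t": "datetime", "_g": "guid"}

# Columns the platform adds to every table; they carry no suffix and must not
# count against the heuristic.
SYSTEM_COLUMNS = {"TimeGenerated", "Type", "TenantId", "_ResourceId", "Computer",
                  "RawData", "MG", "ManagementGroupName", "SourceSystem",
                  "_IsBillable", "_BilledSize"}


def infer_schema(columns):
    """Return {column: (base_name, type)}; type is None for unsuffixed columns."""
    schema = {}
    for col in columns:
        if col in SYSTEM_COLUMNS:
            continue
        for suffix, typ in CLV1_SUFFIXES.items():
            if col.endswith(suffix) and len(col) > len(suffix):
                schema[col] = (col[: -len(suffix)], typ)
                break
        else:
            schema[col] = (col, None)
    return schema


def looks_like_clv1(table_name, columns):
    """True when the table is a *_CL table and every custom column carries a
    CLv1 type suffix. This is the catalog's heuristic; it cannot distinguish a
    genuine CLv1 table from a CLv2 (DCR-based) table created with suffixed names."""
    if not table_name.endswith("_CL"):
        return False
    custom = infer_schema(columns)
    return bool(custom) and all(typ is not None for _, typ in custom.values())


# Constructed schemas (not the real InfobloxInsight_CL layout).
CLV1_STYLE = ["TimeGenerated", "insightId_s", "threatType_s", "eventsCount_d", "startedAt_t"]
CLV2_STYLE = ["TimeGenerated", "InsightId", "ThreatType", "EventsCount", "StartedAt"]
CLV2_WITH_SUFFIXES = ["TimeGenerated", "insightId_s", "eventsCount_d"]  # DCR table, misclassified

if __name__ == "__main__":
    for name, cols in [("InfobloxInsight_CL", CLV1_STYLE),
                       ("InfobloxInsight_CL", CLV2_STYLE),
                       ("InfobloxInsight_CL", CLV2_WITH_SUFFIXES),
                       ("SecurityAlert", ["AlertName_s"])]:
        print(name, cols, "->", "CLv1-like" if looks_like_clv1(name, cols) else "not CLv1-like")
```

Treat the result as a hint only: the authoritative answer is how the table was created, which the workspace's Tables API records for each custom table, not what its columns are called. The distinction matters when maintaining the parsers listed below, because a CLv1 table's parser must reference the suffixed names (`insightId_s` in the constructed schema) while a DCR-based replacement can drop them, and a migration that changes column names breaks every parser and workbook that reads the old ones.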
This solution includes 12 content item(s):
| Content Type | Count |
|---|---|
| Parsers | 6 |
| Playbooks | 3 |
| Analytic Rules | 2 |
| Workbooks | 1 |
Analytic rules (2):
| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| Infoblox - SOC Insight Detected - API Source | Medium | Impact | Internal use: InfobloxInsight_CL |
| Infoblox - SOC Insight Detected - CDC Source | Medium | Impact | CommonSecurityLog |
Playbooks (3):
| Name | Description | Tables Used |
|---|---|---|
| Infoblox SOC Get Insight Details | Leverages the Infoblox SOC Insights API to enrich a Microsoft Sentinel Incident triggered by an Info... | Internal use: InfobloxInsightAssets_CL (write), InfobloxInsightComments_CL (write), InfobloxInsightEvents_CL (write), InfobloxInsightIndicators_CL (write), InfobloxInsight_CL (write) |
| Infoblox SOC Get Open Insights API | Leverages the Infoblox SOC Insights API to ingest all Open/Active SOC Insights at time of run into t... | Internal use: InfobloxInsight_CL (write) |
| Infoblox SOC Import Indicators TI | Imports each Indicator of a Microsoft Sentinel Incident triggered by an Infoblox SOC Insight into th... | - |
Parsers (6):
| Name | Description | Tables Used |
|---|---|---|
| InfobloxCDC_SOCInsights | - | CommonSecurityLog (read) |
| InfobloxInsight | - | Internal use: InfobloxInsight_CL (read) |
| InfobloxInsightAssets | - | Internal use: InfobloxInsightAssets_CL (read) |
| InfobloxInsightComments | - | Internal use: InfobloxInsightComments_CL (read) |
| InfobloxInsightEvents | - | Internal use: InfobloxInsightEvents_CL (read) |
| InfobloxInsightIndicators | - | Internal use: InfobloxInsightIndicators_CL (read) |
Version history:
| Version | Date Modified | Change History |
|---|---|---|
| 3.0.2 | 2024-06-28 | Deprecating data connectors |
| 3.0.1 | 2024-05-03 | Repackaged for parser issue fix on reinstall |
| 3.0.0 | 2024-03-04 | Initial Solution Release |