This article describes the required procedure to integrate Infoblox Threat Defense with Lumu for automated response procedures. This is one of our featured Out-of-the-Box Response Integrations.
Requirements
Below you will find the technical requirements to use the Infoblox Threat Defense OOTB Response Integrations.
Integration Setup - Infoblox Threat Defense Portal
You must carry out a few preliminary procedures to properly deploy the integration. This process requires the creation of a role, user group, service user, access policy, and service API key which should be used exclusively for this integration.
2. Then, head to the User Access section of the Infoblox Portal using the Configure side panel.
3. Now, you will create a role. This role will be assigned to the integration’s user and must have all the required permissions to interact with Infoblox’s REST API and operate custom lists. After opening the User Access view, select the Roles tab, and click on Create Role.
4. Assign an identifiable name and description to the role. In the Features section of the dialog box, select all the permissions needed by the role. You can find them in the table below, as well as on the provided screenshot.
| Feature | Permission |
| --- | --- |
| BloxOne Threat Defense | Custom Lists Manage |
| BloxOne Threat Defense | Custom Lists View |
| BloxOne Cloud | Tag Create |
| BloxOne Cloud | Tag Delete |
| BloxOne Cloud | Tag List |
| BloxOne Cloud | Tag Read |
Click on the checkbox of each permission to assign it to the role. Once done, click on the Save & Close button at the bottom of the dialog box.
5. Next, you must create a User Group to link the integration user with its role. While on the User Access section, select the User Groups tab, and click on Create User Group.
6. This will open the User Group creation dialog box. You must assign an identifiable Name to the user group, and a description (optional). Here, you can select the users that you wish to include in this user group; however, we can skip this for now. Click on Save & Close to create the group.
7. Then, you must create a service user. While on the User Access section, select the Users tab, and then click on Create User.
8. This will open the user creation dialog box. Assign an identifiable name to the user. Then, select Service from the Type drop-down menu. The Email field is not required.
9. This is the point where you must assign a user group to the user. Click on the blue arrow icon next to the group you wish to select; this will move it to the Selected User Groups field.
10. Click on Save & Close. The user is now created.
11. Now, you must create an Access Policy to link the integration user, the role, and user group together. While on the User Access section, select the Access Policies tab, and click on Create Access Policy.
12. This will open the Access Policy creation dialog box. First, enter an identifiable name for the policy, and a detailed description (optional). Now, the most vital part of the procedure is to select the integration Role and User Group from the corresponding drop-down menus. Access View is set to All by default; leave it as is.
13. Click on Save & Close. The Access Policy is now created.
14. Finally, you must create a Service API key linked to the service user. While on the User Access section, select the Service API Keys tab, and click on Create.
15. This will open the Service API Key creation dialog box. Assign an identifiable Name to it, select the integration’s Service User from the drop-down menu, and assign an Expiration Date to the Service API Key by clicking on the calendar icon. It is recommended to set an expiration date of at least one year, or the duration determined by your organization’s specific needs and policies.
16. Click on Save & Close to finish the creation process.
17. A dialog box will appear displaying the generated Service API Key. It is strongly recommended to save this API Key for safekeeping, as this is the only time it will be displayed and it is necessary to set up the response integration.
We reiterate, once you close the API Access Key Generated dialog, you won't be able to retrieve the service API Key again. If you misplace it, you will have to repeat this step of the procedure.
Integration Setup - Lumu Portal
This section of the article describes the steps that must be completed on the Lumu Portal to properly set up the Infoblox Threat Defense Response Integration. To start, log into your Lumu account through the Lumu Portal.
Integrations are also available for Lumu MSP accounts. To access them, log in to the Lumu MSP Portal.
1. In the Lumu Portal, head to the panel on the left and open the Integrations dropdown menu. Then, click on Apps. Click on the Response tab on the right to filter the available integrations accordingly.
2. Locate the Infoblox Threat Defense integration and click on the Add button.
3. On the window that opens, familiarize yourself with the integration details as well as best use cases and requirements. Next, click the orange Activate button to start the integration setup process.
4. A popup will appear asking you to fill in Name and Threat Types. Make sure the name of the integration is meaningful and descriptive, and then choose the Threat Types you want the integration to push to Infoblox Threat Defense. If you want to include IP addresses in your Infoblox custom list, click the Include IP Indicators tickbox to do so.
5. Next, you will be asked to provide the API Key obtained on Step 17 of the Integration Setup - Infoblox Threat Defense Portal section of this guide. Once done, click on the Next button. Lumu will then validate that the provided credentials are correct.
6. Finally, you will be asked to select a Custom List to which the threat indicators will be sent. You can choose an existing one using the Push IOCs to an existing custom list dropdown, or create a new one using the Push IOCs to a new custom list text field. Lumu provides a recommended name for this list, but you can change it to whatever best suits your needs. For the purposes of this guide, we will select the Push IOCs to a new custom list option. Once done, click Save.
If you enter the name of an already existing list in the Push IOCs to a new custom list text field, the integration will warn you that the name already exists and ask you to change it.
In order for the integration to work properly, make sure that the Custom List created is part of a Policy Rule. To learn more about how to add Custom Lists to Policy Rules, please refer to Infoblox’s documentation on the subject.
7. The integration is now created and active. The Lumu Portal will display the details of the created integration.
Final Steps - Validate the Integration on the Infoblox Portal
You can validate that the integration is functioning properly in the Infoblox Threat Defense Portal by following these steps:
1. In your Infoblox Threat Defense Portal, select the Configure menu on the left panel, go to Security, and open the Policies panel.
2. Once there, select the Custom Lists tab. When the integration is activated, the Custom List selected during the process on Step 6 of the Integration Setup - Lumu Portal section will be updated with confirmed compromises found by Lumu within the preceding 3 days. Now you can have certainty that the integration is up and running.
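The same validation can be scripted. The following is an added example, not code from Lumu or Infoblox: it checks that the custom list exists, has received indicators, and is referenced by a security policy. The endpoint URL, the `Token` authorization scheme, and the `results`, `type`, `item_count` and `policies` field names are assumptions to confirm against Infoblox's API documentation; the list names and sample response are constructed.

```python
import json
import os
import urllib.request

# Assumed endpoint and field names (Infoblox Cloud Services Portal API);
# confirm them against Infoblox's API documentation for your tenant.
NAMED_LISTS_URL = "https://csp.infoblox.com/api/atcfw/v1/named_lists"


def fetch_named_lists(api_key):
    """GET the tenant's named lists using the Service API key from step 17."""
    req = urllib.request.Request(
        NAMED_LISTS_URL, headers={"Authorization": f"Token {api_key}"}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def check_custom_list(payload, list_name):
    """Return a list of problems; an empty list means the checks passed."""
    matches = [r for r in payload.get("results", []) if r.get("name") == list_name]
    if not matches:
        return [f"custom list {list_name!r} not found"]
    entry = matches[0]
    problems = []
    if entry.get("type") != "custom_list":
        problems.append(f"{list_name!r} is type {entry.get('type')!r}, not custom_list")
    if not entry.get("item_count"):
        problems.append("list is empty (no indicators received yet)")
    if not entry.get("policies"):
        problems.append("list is not referenced by any security policy")
    return problems


# Constructed sample response, not real tenant data.
SAMPLE = {"results": [
    {"name": "lumu-iocs", "type": "custom_list", "item_count": 42,
     "policies": ["Default Global Policy"]},
    {"name": "lumu-orphan", "type": "custom_list", "item_count": 0,
     "policies": []},
]}

if __name__ == "__main__":
    # With INFOBLOX_API_KEY set, query the tenant; otherwise use the sample.
    key = os.environ.get("INFOBLOX_API_KEY")
    data = fetch_named_lists(key) if key else SAMPLE
    name = os.environ.get("CUSTOM_LIST_NAME", "lumu-iocs")
    print(name, check_custom_list(data, name) or "OK")
```

Read the key from the environment or a secrets manager rather than hard-coding it, since the portal shows it only once.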