Infoblox Threat Defense Out-of-the-Box Response Integration

This article describes the required procedure to integrate Infoblox Threat Defense with Lumu for automated response procedures. This is one of our featured Out-of-the-Box Response Integrations.

Requirements

Below you will find the technical requirements to use the Infoblox Threat Defense OOTB Response Integrations.
  • You must have an Infoblox Threat Defense account with an active Infoblox Threat Defense subscription.
  • You must have an active Lumu Defender subscription, or a Lumu for MSP account. To learn more about Lumu subscription tiers, head to our article on Lumu Offerings.

Integration Setup - Infoblox Threat Defense Portal

You must carry out a few preliminary procedures to properly deploy the integration. This process requires the creation of a role, user group, service user, access policy, and service API key which should be used exclusively for this integration.
1. First, you must log in to the Infoblox Cloud Services Portal.
2. Then, head to the User Access section of the Infoblox Portal using the Configure side panel.

3. Now, you will create a role. This role will be assigned to the integration’s user and must have all the required permissions to interact with Infoblox’s REST API and operate custom lists. After opening the User Access view, select the Roles tab, and click on Create Role.

4. Assign an identifiable name and description to the role. In the Features section of the dialog box, select all the permissions needed by the role. You can find them in the table below, as well as on the provided screenshot.
Feature                  Permission
BloxOne Threat Defense   Custom Lists Manage
BloxOne Threat Defense   Custom Lists View
BloxOne Cloud            Tag Create
BloxOne Cloud            Tag Delete
BloxOne Cloud            Tag List
BloxOne Cloud            Tag Read

Click on the checkbox of each permission to assign it to the role. Once done, click on the Save & Close button at the bottom of the dialog box.

5. Next, you must create a User Group to link the integration user with its role. While on the User Access section, select the User Groups tab, and click on Create User Group.

6. This will open the User Group creation dialog box. You must assign an identifiable Name to the user group, and a description (optional). Here, you can select the users that you wish to include in this user group; however, we can skip this for now. Click on Save & Close to create the group.

7. Then, you must create a service user. While on the User Access section, select the Users tab, and then click on Create User.

8. This will open the user creation dialog box. Assign an identifiable name to the user. Then, select Service from the Type drop-down menu. The Email field is not required.
9. This is the point where you must assign a user group to the user. Click on the blue arrow icon next to the group you wish to select; this moves it to the Selected User Groups field.

10. Click on Save & Close. The user is now created.

11. Now, you must create an Access Policy to link the integration user, the role, and user group together. While on the User Access section, select the Access Policies tab, and click on Create Access Policy.

12. This will open the Access Policy creation dialog box. First, enter an identifiable name for the policy, and a detailed description (optional). Now, the most vital part of the procedure is to select the integration Role and User Group from the corresponding drop-down menus. Access View is set to All by default, leave it as is.

13. Click on Save & Close. The Access Policy is now created.

14. Finally, you must create a Service API key linked to the service user. While on the User Access section, select the Service API Keys tab, and click on Create.

15. This will open the Service API Key creation dialog box. Assign an identifiable Name to it, select the integration’s Service User from the drop-down menu, and assign an Expiration Date to the Service API Key by clicking on the calendar icon. It is recommended to set an expiration date of at least one year, or by the duration determined by your organization’s specific needs and policies.

16. Click on Save & Close to finish the creation process.

17. A dialog box will appear displaying the generated Service API Key. It is strongly recommended to store this API Key securely, as this is the only time it will be displayed, and it is required to set up the response integration.

Notes
We reiterate: once you close the API Access Key Generated dialog, you won't be able to retrieve the Service API Key again. If you misplace it, you will have to repeat this step of the procedure.

Integration Setup - Lumu Portal

This section of the article describes the steps that must be completed on the Lumu Portal to properly set up the Infoblox Threat Defense Response Integration. To start, log into your Lumu account through the Lumu Portal.
Notes
Integrations are also available for Lumu MSP accounts. To access them, log in to the Lumu MSP Portal.
1. In the Lumu Portal, head to the panel on the left and open the Integrations dropdown menu. Then, click on Apps. Click on the Response tab on the right to filter the available integrations accordingly.

2. Locate the Infoblox Threat Defense integration and click on the Add button.

3. On the window that opens, familiarize yourself with the integration details as well as best use cases and requirements. Next, click the orange Activate button to start the integration setup process.

4. A popup will appear asking you to fill in Name and Threat Types. Make sure the name of the integration is meaningful and descriptive, and then choose the Threat Types you want the integration to push to Infoblox Threat Defense. If you want to include IP addresses in your Infoblox custom list, click the Include IP Indicators tickbox to do so.

5. Next, you will be asked to provide the API Key obtained in Step 17 of the Integration Setup - Infoblox Threat Defense Portal section of this guide. Once done, click on the Next button. Lumu will then validate whether the provided credentials are correct.

6. Finally, you will be asked to select a Custom List to which the threat indicators will be sent. You can choose an existing one using the Push IOCs to an existing custom list dropdown, or create a new one using the Push IOCs to a new custom list text field. Lumu provides a recommended name for this list, but you can change it to whatever best suits your needs. For the purposes of this guide, we will select the Push IOCs to a new custom list option. Once done, click Save.

Notes
If you enter the name of an already existing list in the Push IOCs to a new custom list text field, the integration will warn you that a list with that name already exists and ask you to change it.


Notes
In order for the integration to work properly, make sure that the Custom List created is part of a Policy Rule. To learn more about how to add Custom Lists to Policy Rules, please refer to Infoblox’s documentation on the subject.

7. The integration is now created and active. The Lumu Portal will display the details of the created integration.

Final Steps - Validate the Integration on the Infoblox Portal

You can validate that the integration is functioning properly in the Infoblox Threat Defense Portal by following these steps:
1. In your Infoblox Threat Defense Portal, select the Configure menu on the left panel, go to Security, and open the Policies panel.

2. Once there, select the Custom Lists tab. When the integration is activated, the Custom List selected in Step 6 of the Integration Setup - Lumu Portal section will be updated with confirmed compromises found by Lumu within the preceding 3 days. This confirms that the integration is up and running.
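The same freshness check can be scripted so it runs on a schedule rather than by hand. The following is an added example, not Lumu's or Infoblox's own code: it reads the custom lists through the BloxOne API with the Service API Key and reports whether the integration's list is populated and has been updated within the 3-day window the article describes. The endpoint path, the "Authorization: Token" header and the "updated_time"/"items" field names are assumptions about the BloxOne API and should be verified against Infoblox's API documentation; the sample response is constructed.

```python
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumptions (not stated in the article): BloxOne Threat Defense serves custom lists from
# this endpoint and accepts the Service API Key in an "Authorization: Token <key>" header.
CSP_URL = "https://csp.infoblox.com/api/atcfw/v1/named_lists"
# The article states the list reflects compromises confirmed within the preceding 3 days.
FRESHNESS_WINDOW = timedelta(days=3)

def fetch_named_lists(api_key: str) -> list:
    """Return the 'results' array from the named_lists endpoint (live network call)."""
    req = urllib.request.Request(CSP_URL, headers={"Authorization": f"Token {api_key}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp).get("results", [])

def check_custom_list(results: list, list_name: str, now: Optional[datetime] = None) -> dict:
    """Find the integration's custom list and report whether it is populated and fresh.
    Pure function over the decoded response, so it can also be run on a captured payload.
    'updated_time' is assumed to be an RFC 3339 timestamp such as 2024-05-01T10:00:00Z.
    """
    now = now or datetime.now(timezone.utc)
    for entry in results:
        if entry.get("name") != list_name or entry.get("type") != "custom_list":
            continue
        updated = entry.get("updated_time")
        updated_dt = datetime.fromisoformat(updated.replace("Z", "+00:00")) if updated else None
        return {
            "found": True,
            "item_count": len(entry.get("items", [])),
            "updated_time": updated,
            "fresh": updated_dt is not None and now - updated_dt <= FRESHNESS_WINDOW,
        }
    return {"found": False, "item_count": 0, "updated_time": None, "fresh": False}

# Constructed sample response for offline use; its shape mirrors the assumed API, not a real tenant.
SAMPLE_NOW = datetime(2024, 5, 2, tzinfo=timezone.utc)
SAMPLE_RESULTS = [
    {"name": "Lumu-Confirmed-Compromises", "type": "custom_list",
     "items": ["c2.example.invalid", "198.51.100.23"], "updated_time": "2024-05-01T10:00:00Z"},
    {"name": "Legacy-Blocklist", "type": "custom_list", "items": [], "updated_time": "2024-01-01T00:00:00Z"},
]

if __name__ == "__main__":
    key = os.environ.get("INFOBLOX_API_KEY")  # the Service API Key from step 17, for a live check
    results = fetch_named_lists(key) if key else SAMPLE_RESULTS
    print(json.dumps(check_custom_list(results, "Lumu-Confirmed-Compromises", None if key else SAMPLE_NOW), indent=2))
```

Without INFOBLOX_API_KEY set, the script evaluates the constructed sample; with it set, it queries the tenant and a "fresh": false result for the integration's list is the signal to investigate.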


