Introduction
The Infoblox BloxOne® Splunk plugin provides valuable insights into the network and boosts visibility into events and threat intelligence. The application contains predefined dashboards where users can see insights into DNS, DHCP, and Security Activity data in Splunk. Users can update the dashboards as per their requirements. It allows users to monitor their network’s security by providing detailed information on TIDE (Threat Intelligence Data Exchange) events.
Prerequisites
Before you can begin using the Infoblox BloxOne Splunk plugin, a few prerequisites must be met. First, users will need to have Infoblox BloxOne with a valid DDI or Threat Defense License. They will need an OPH (On-Prem Host) with the Data Connector service enabled.
Besides the above, users will also need a Splunk account in order to download and install the application from Splunkbase, as well as a valid license for Splunk Enterprise or Cloud.
Once they have met the prerequisites, they can begin deploying and using the Infoblox BloxOne Splunk plugin.
What’s there in the Infoblox BloxOne Splunk Plugin?
The Infoblox BloxOne Splunk plugin comes with predefined dashboards that allow users to see insights into DNS, DHCP, and Security Activity data. These dashboards provide users with a high-level view of their network’s data and allow them to quickly see their network metrics in a single place.
The dashboards that are included in the app are:
- Security Events Dashboard: This dashboard provides a detailed view of security-related activity on the network. It also includes insights about devices, threat indicators, threat classes, and others.
- DNS Events Dashboard: This dashboard provides a detailed view of DNS activity on the network, including information on DNS queries, responses, and errors. It also includes data on top domain names, top clients, events over time, etc.
- DHCP Overview Dashboard: This dashboard provides a detailed view of DHCP activity on the network, including information on DHCP requests and leases.
- B1TD Filter Hits: This dashboard gives information about the queries matching the application, category, and custom filters used in the BloxOne portal.
- Events by Queries/Source IP Dashboard: Gives users a closer look into the queries and where they are originating from.
These dashboards can be customized as per the user’s requirements and help users gain valuable insights into network activity and identify any potential issues or areas of concern.
The Infoblox BloxOne Splunk plugin also includes TIDE and Dossier dashboards. The TIDE dashboard has insights about the TIDE data indexed from the Infoblox Threat Intelligence Data Exchange service. This includes the number of threat indicators, types of indicators, indicators over time, and details about the threat level, confidence, and score. The Dossier dashboard provides detailed information about the selected indicator with a link to the BloxOne Dossier summary page.
All the dashboards can be accessed in the app menu bar by selecting Dashboards, Dossier, or TIDE.
Note: The dashboards will only show data as per the available license. For the TIDE dashboard a valid API Key is also required.
Where can I get it?
The Infoblox BloxOne® Splunk plugin is available on Splunkbase. For the app to display metrics in the dashboards, data from BloxOne must be sent into Splunk, where the plugin will use it.
To send data from BloxOne to Splunk, we need an On-Prem Host with Data Connector functionality. We also need to configure the Source and Destination for the Traffic Flow.
Once you have configured the Traffic Flow, you can install the Infoblox BloxOne Splunk plugin. We will use the most straightforward way to install the plugin, by using the Splunk Web UI. Other methods are also mentioned in the Deployment guide.
Once the Infoblox BloxOne Splunk plugin is installed, you should be able to see the dashboard metrics. For the TIDE and Dossier dashboards, we need to configure the data inputs and the API key in the plugin. After configuring the API key and the inputs, you should be able to see the metrics populate in the dashboards.
It is important to note that the API key is specific to your Infoblox instance and should be kept confidential. Without a valid API key, the TIDE events will not be available in the plugin. Detailed steps are mentioned in the Deployment guide.
Resources
Infoblox BloxOne Splunk plugin is available on Splunkbase
Deployment guide for Infoblox BloxOne Splunk plugin is available here
Conclusion
In conclusion, the Infoblox BloxOne Splunk plugin provides valuable insights into your network’s data. The plugin includes predefined dashboards for DNS, DHCP, Security Activity, and TIDE (Threat Intelligence Data Exchange), and allows users to customize the dashboards as per their requirements. The Dossier dashboard provides detailed information about the selected indicator with a link to the BloxOne Dossier portal. With these capabilities, the Infoblox BloxOne Splunk plugin is a valuable addition to any network infrastructure.