The Infoblox ecosystem includes a number of integrations with various technology partners. The idea behind the ecosystem is to maximize the value from Infoblox and other network and security products used by the enterprise. The integrations will enable the data exchange to derive the context and intelligence required to deliver the value from each product. As an example, The Active Trust Cloud integration (ATC) with Splunk provides an ATC perspective in Splunk. This blog focuses on our support for Splunk Enterprise Security, which is an add-on to Splunk and widely used by security teams in an enterprise.
Enrich Splunk Enterprise Security with Threat Intelligence from Infoblox TIDE/Dossier
The Splunk Enterprise Security provides proactive and reactive mechanisms for external feed integrations. Infoblox has solutions in the pipeline for threat feed absorption. In the reactive space, the Infoblox threat intelligence kit includes Infoblox TIDE and Infoblox Dossier. Threat Intelligence Data Exchange (TIDE) for ActiveTrust® uses highly accurate machine-readable threat intelligence data to aggregate, curate and enable distribution of data across a broad range of infrastructure. While Infoblox Dossier serves as a comprehensive threat investigation tool with detailed context for active threats.
This integration involves add-ons for Infoblox TIDE and Infoblox Dossier. Each addon is designed to work as an adaptive response action on Splunk Enterprise Security. The add-ons can be triggered in a correlation search or executed during notable event investigations. For instance, the TIDE add-on queries the TIDE API and responds with all the attributes for a recognized indicator of compromise. This is extremely useful information for a security analyst in the midst of a notable event investigation. The Infoblox Dossier can be similarly used to gain detailed context information through the Dossier API.
The integration is easy to accomplish using the spl or tgz files of the add-ons. The add-ons are supported by Infoblox and the only prerequisite is to have an account on the ActiveTrust Cloud Platform. Through the ActiveTrust account, the necessary information for configuring the add-ons can be gathered. Splunk Enterprise Security requires a license and has certain additional requirements.
Enhanced security insight
The power of a security platform relies on the mechanisms it provides for accurate and fast incident resolutions. In that context, the Infoblox add-ons work in perfect tandem with Splunk Enterprise Security to aid in the accurate and speedy resolution of security events.
References
http://docs.splunk.com/Documentation/ES