
Infoblox TIDE (Threat Intelligence Data Exchange) aggregates, curates, and distributes highly accurate machine-readable threat intelligence data across a broad range of infrastructure. TIDE lets organizations consume threat intelligence from various internal and external sources, and defend against and respond to cyber threats more quickly. TIDE threat indicators are enriched with threat classification, scoring, and TTL, and the data is backed by the Infoblox threat intelligence team, which normalizes and refines high-quality threat intelligence feeds.

TIDE collects and manages curated threat intelligence from internal and external sources in a single platform. It enables security operations to remediate threats more rapidly by sharing normalized TIDE data in real time with third-party security systems such as firewalls, SIEM, XDR, TIP, and SOAR platforms. Because it draws on highly accurate machine-readable threat intelligence (MRTI) and distributes it selectively across a broad range of security infrastructure, the result is a highly refined feed with a very low historical false-positive rate.

The TIDE API consists of the Data API, which is used to submit and retrieve threat indicators and comprises the following:

  • Threat Batch APIs (batch): Used to submit threat indicators and retrieve details about uploaded batches.
  • Property APIs (property): Used to retrieve threat properties registered on the Cloud Services Portal.
  • Threat APIs (threat): Used to search threat indicators on the Cloud Services Portal.
  • Threat Class APIs (threat_class): Used to retrieve threat classes registered on the Infoblox Cloud Services Platform.

Before using the TIDE API, you must verify your account using the Cloud Services Platform’s token authentication service.

The original version of Malware Analysis is being replaced with Malware Analysis Version 3. Infoblox highly recommends customers begin using Malware Analysis Version 3 going forward. 

All Python examples in this document were written for Python 3.

How do I use the API Guides?

Additional API calls are available using the Cloud Services Portal Swagger documentation.

Before you can make any API calls you must enter a valid API key in the "api_key" text field and click the "Explore" button, which loads the key. Once the key is loaded you can make API calls by clicking the "Try it out!" button available for each call. The names of required call parameters are shown in bold.



How do I create an API key?

If you are a signed-in user on the Cloud Services Portal, you can create user API keys for yourself. Your administrator cannot create user API keys for you. You can create multiple user API keys associated with your identity for different purposes. For example, you can create one key for an API script that retrieves a list of lookalike target domains, and another key for a script that updates security policies.

To create a new user API key, complete the following:

  1. From the Cloud Services Portal, click your user name at the lower left-hand corner of the portal and select User Profile -> User API Keys tab.
  2. On the User API Keys tab, click Create.
  3. In the Create User API Keys dialog, complete the following:
    • Name: Enter the name of the user API key. Use a name that identifies the purpose of the key, so you can easily locate it in the future.
    • Expires at: Click the calendar icon to select a date and time when the user API key should expire. The maximum expiration time is 56 weeks or 13 months.
  4. Click Save & Close to save the configuration.
  5. Click Copy in the confirmation dialog to copy the user API key and save it for future use.

The user API key you created appears only once in the dialog box. When you close the dialog, you will not be able to retrieve it. Copy it and save it in a place where you can locate it in the future, and use a name that identifies the key if you have multiple keys. Treat the key as a secret: it is sent as a bearer token in the Authorization header, so anyone holding it can act as your user until the key expires or is deleted.



What is a data profile?

Data profiles are used to identify data in the platform from one or many data submissions. A data profile must be specified when data is submitted. A default policy called ‘default-csp’ is created for each organization and data profiles created by the organization are associated with this profile. The Cloud Services Portal data profiles may be viewed on the Data Profiles page.  



How do I create a data profile?

You can create a new data profile either in the Cloud Services Portal (Manage -> TIDE Data -> Data Profiles) or with the Resource Info API. Only the TD Administrator Role has the required permissions to manage data profiles.

Example curl:

curl -X POST 'https://csp.infoblox.com/tide/admin/v1/resources/dataprofiles' -H 'Authorization: Token <CSP API key>' -H 'Content-Type: application/json' --data-raw '{
"name": "my_data_profile",
"description": "My Data Profile"
}'

Sample response:


{
    "profile": {
        "id": "IID:my_data_profile",
        "name": "my_data_profile",
        "description": "My Data Profile",
        "policy": "default-csp",
        "default_ttl": true,
        "active": true
    }
}

See the API docs located here to learn more about the call.

How do I submit data?

Use the Threat Batch API provided by the Data Service; the same upload can be done in the Cloud Services Portal from the Manage -> TIDE Data -> Data Upload page. Only the TD Administrator Role has the required permissions to upload data. Check the 'status' field in the API response: 'PENDING' means the submitted data has been accepted for processing but is not yet processed; use the data submission status API call to find out when it is fully processed. The other possible values for the 'status' field are 'DONE' and 'DONE_WITH_ERRORS'. The profile can be specified in the payload or as the query parameter 'profile'.

python

# note: Using python3
# note: Install the 'requests' library first:
# pip install -U requests
import requests
# note: replace this api_key value with your api key!
api_key = 'INSERT_YOUR_API_KEY_HERE'
api_endpoint = 'https://csp.infoblox.com'
api_path = '/tide/api/data/batches'

my_batch = {
    "feed": {
        "profile": "test_profile",
        "record_type": "host",
        "record": [
            {
                "host": "badhostname.net",
                "property": "DDoS_Generic",
                "detected": "20210105T220000Z"
            }
        ]
    }
}

# POST the batch; requests serialises the dict and sets Content-Type for us
url = '%s%s' % (api_endpoint, api_path)
r = requests.post(url, headers={"Authorization": "Token " + api_key}, json=my_batch, verify=True)
print(r.status_code)
# note: check 'status' ('PENDING', 'DONE' or 'DONE_WITH_ERRORS') and keep 'id' for the status call
print(r.json())

Example Curl:

curl -H 'Authorization: Token <CSP API key>' -H 'Content-Type: application/json' -X POST 'https://csp.infoblox.com/tide/api/data/batches' -d '{
    "feed": {
        "profile": "test_profile",
        "record_type": "host",
        "record": [
            {
                "host": "badhostname.net",
                "property": "DDoS_Generic",
                "detected": "20210105T220000Z"
            }
        ]
    }
}'

See the API docs located here to learn more about the call.

How do I format the data I submit?

You can submit data using the following formats: JSON, CSV, XML, TSV (tab separated values). JSON is the preferred format. 

For all data formats the submitted data must identify the data/record type in addition to the list of data records. For CSV and TSV the record type must be provided as one of the columns. For JSON and XML the record type is defined in a separate top level field. The record type field can be one of the following values: “host”, “ip”, “url”, “email”, or “hash”.

Here's a sample data submission using JSON:

  {
    "feed": {
      "record_type": "ip",
      "record": [ {
        "ip": "1.162.130.163",
        "property": "Bot Generic",
        "detected": "20200505T103644Z"
    }]}
  }
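The converter below turns CSV or TSV rows (record type carried as a column, as the text above requires) into the JSON envelope shown in the sample. It is an added example, not Infoblox code: the envelope shape and the five record types come from this page, while the column names (record_type, indicator, property, detected) and the SAMPLE_CSV input are this example's own assumptions and constructed data.

```python
"""Convert CSV or TSV indicator rows into the JSON batch envelope TIDE expects.

Added example, not Infoblox code. The JSON envelope
{"feed": {"record_type": ..., "record": [...]}} and the five record types
follow the page; the CSV column names (record_type, indicator, property,
detected) and SAMPLE_CSV are this example's own assumptions and constructed input.
"""
import csv
import io
import json
from datetime import datetime, timezone

RECORD_TYPES = ("host", "ip", "url", "email", "hash")

# Constructed input: record type carried as a column, as the page requires
# for CSV/TSV, with timestamps in a mix of common forms.
SAMPLE_CSV = """record_type,indicator,property,detected
ip,1.162.130.163,Bot Generic,2020-05-05T10:36:44Z
host,badhostname.net,DDoS_Generic,20210105T220000Z
url,http://badhostname.net/login,Phishing_Generic,2021-01-05 22:00:00
"""


def to_compact_utc(value):
    """Normalise a timestamp to the yyyymmddThhmmssZ form the samples use.
    Input is taken as UTC; anything unparseable is rejected rather than guessed."""
    for fmt in ("%Y%m%dT%H%M%SZ", "%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S"):
        try:
            parsed = datetime.strptime(value.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
        return parsed.strftime("%Y%m%dT%H%M%SZ")
    raise ValueError(f"unrecognised timestamp: {value!r}")


def rows_to_feeds(text, delimiter=",", profile=None):
    """Group rows by record type and return one {"feed": ...} envelope per type.

    The JSON form names the record type once at the top level, so rows of
    different types cannot share a batch. Each record's indicator is stored
    under a key named after its type ("ip", "host", ...), as in the page's
    samples. Unknown record types are rejected with the offending line number.
    """
    grouped = {}
    reader = csv.DictReader(io.StringIO(text), delimiter=delimiter)
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        rtype = row["record_type"].strip().lower()
        if rtype not in RECORD_TYPES:
            raise ValueError(f"line {lineno}: unknown record_type {rtype!r}")
        grouped.setdefault(rtype, []).append({
            rtype: row["indicator"].strip(),
            "property": row["property"].strip(),
            "detected": to_compact_utc(row["detected"]),
        })
    batches = []
    for rtype, records in grouped.items():
        feed = {"record_type": rtype, "record": records}
        if profile:
            feed["profile"] = profile  # alternatively pass ?profile= on the POST
        batches.append({"feed": feed})
    return batches


if __name__ == "__main__":
    for batch in rows_to_feeds(SAMPLE_CSV, profile="test_profile"):
        print(json.dumps(batch, indent=2))
```

Pass delimiter="\t" for TSV input. Each returned batch is ready to be POSTed to /tide/api/data/batches as shown in the earlier Python and curl examples.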

See the API docs located here to learn more about the call.

How do I check my data submission status?  

Use the Threat Batch API provided by the Data Service with the batch ID returned by the corresponding data submission call. If you lost the batch ID you can list your data submissions with 'GET /tide/api/data/batches', which also returns the submission status of every returned submission.

python

#note: install the 'requests' library first:
#pip install -U requests
import requests

#note: replace this api_key value with your api key!
api_key = 'INSERT_YOUR_API_KEY_HERE'
api_endpoint = 'https://csp.infoblox.com'
api_path = '/tide/api/data/batches/'
#note: use the 'id' returned by your data submission call
batch_id = 'cebf7300-9e1f-11eb-8943-6962d4bdf9de'
url = '%s%s%s' % (api_endpoint, api_path, batch_id)
r = requests.get(url, headers={"Authorization": "Token " + api_key}, verify=True)
print(r.status_code)
print(r.json())

Sample result

200

{'description': 'Batch submission on July 15, 2014, 16:06:57',
 'id': '92c1f7af-0c5b-11e4-913b-fb8aa419fdba',
 'imported': '2014-07-15T20:06:57.174Z',
 'link': [{'href': '/data/batches/92c1f7af-0c5b-11e4-913b-fb8aa419fdba',
           'rel': 'self'},
          {'href': '/data/batches/92c1f7af-0c5b-11e4-913b-fb8aa419fdba/detail',
           'rel': 'detail'}],
 'method': 'web',
 'num_errors': 0,
 'num_successful': 1,
 'organization': 'OrgA',
 'profile': 'OrgA:my_data_profile',
 'status': 'DONE',
 'submitted': '2014-07-15T20:06:57.174Z',
 'total': 1,
 'type': 'IP',
 'user': 'UserA'}
    

See the API docs located here to learn more about the call.

curl

curl  https://csp.infoblox.com/tide/api/data/batches/0c944caa-90e8-11eb-b195-5dd0776dce38 -H 'Authorization: Token <CSP API key>' 

Sample response

{
"link": [
{
"href": "/data/batches/0c944caa-90e8-11eb-b195-5dd0776dce38",
"rel": "self"
},
{ "href": "/data/batches/0c944caa-90e8-11eb-b195-5dd0776dce38/detail",
"rel": "detail"
}
],
"id": "0c944caa-90e8-11eb-b195-5dd0776dce38",
"submitted": "2021-03-29T23:39:48.284Z",
"imported": "2021-03-29T23:39:48.284Z",
"profile": "IID:tidengapitest",
"status": "DONE",
"user": "someone@somewhere.com",
"organization": "IID",
"method": "api",
"type": "HOST",
"total": 1,
"num_successful": 1,
"num_errors": 0
}

See the API docs located here to learn more about the call.
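The submission and status sections above describe one procedure: POST the batch, read the 'status' field, and poll the batch until it leaves 'PENDING'. The following is an added example of that loop, not Infoblox code. The endpoint, the Authorization header, the 'profile' query parameter and the three status values come from this page; the CSP_API_KEY environment variable, the polling interval and the FakeTransport (constructed responses used so the logic can be exercised offline) are this example's own assumptions.

```python
"""Submit a batch to TIDE and wait until it is processed.

Added example, not Infoblox code. The endpoint, the "Authorization: Token"
header, the 'profile' query parameter and the status values PENDING, DONE and
DONE_WITH_ERRORS are taken from the page; the polling interval, the
CSP_API_KEY environment variable and FakeTransport are this example's own
assumptions and constructed data.
"""
import json
import os
import time
import urllib.request
from urllib.parse import urlencode

BASE_URL = "https://csp.infoblox.com"
BATCHES_PATH = "/tide/api/data/batches"
TERMINAL_STATES = {"DONE", "DONE_WITH_ERRORS"}


class CspTransport:
    """Minimal JSON-over-HTTPS client. The key is a bearer credential for
    your user account, so it is read from the environment, never hard-coded."""

    def __init__(self, api_key=None, base_url=BASE_URL):
        self.base_url = base_url
        self.api_key = api_key or os.environ["CSP_API_KEY"]  # assumed variable name

    def _call(self, method, path, payload=None):
        body = json.dumps(payload).encode() if payload is not None else None
        req = urllib.request.Request(self.base_url + path, data=body, method=method)
        req.add_header("Authorization", "Token " + self.api_key)
        if body is not None:
            req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    def post(self, path, payload):
        return self._call("POST", path, payload)

    def get(self, path):
        return self._call("GET", path)


class FakeTransport:
    """Constructed stand-in for offline use: the POST is accepted as PENDING,
    the first poll is still PENDING, the second reports DONE_WITH_ERRORS."""

    def __init__(self, states=("PENDING", "DONE_WITH_ERRORS")):
        self.calls = []
        self._states = iter(states)

    def post(self, path, payload):
        self.calls.append(("POST", path))
        return {"id": "00000000-0000-0000-0000-000000000000", "status": "PENDING"}

    def get(self, path):
        self.calls.append(("GET", path))
        return {"id": path.rsplit("/", 1)[-1], "status": next(self._states),
                "total": 2, "num_successful": 1, "num_errors": 1}


def submit_and_wait(transport, batch, profile, poll_every=2.0, max_polls=30, sleep=time.sleep):
    """POST the batch with the profile as a query parameter, then poll
    GET /tide/api/data/batches/<id> until the status is DONE or DONE_WITH_ERRORS."""
    record = transport.post(BATCHES_PATH + "?" + urlencode({"profile": profile}), batch)
    batch_id = record["id"]
    polls = 0
    while record["status"] not in TERMINAL_STATES:
        if polls >= max_polls:
            raise TimeoutError(f"batch {batch_id} still {record['status']} after {polls} polls")
        sleep(poll_every)
        polls += 1
        record = transport.get(f"{BATCHES_PATH}/{batch_id}")
    return record


def summarize(record):
    """Reduce a batch record to what an operator needs to act on. A batch is
    only 'ok' when it finished DONE with zero errors; DONE_WITH_ERRORS means
    some indicators were rejected and the batch detail should be inspected."""
    errors = record.get("num_errors", 0)
    return {
        "id": record["id"],
        "status": record["status"],
        "ok": record["status"] == "DONE" and errors == 0,
        "accepted": record.get("num_successful", 0),
        "rejected": errors,
    }


if __name__ == "__main__":
    batch = {"feed": {"record_type": "host",
                      "record": [{"host": "badhostname.net", "property": "DDoS_Generic",
                                  "detected": "20210105T220000Z"}]}}
    # Swap FakeTransport() for CspTransport() to hit the real API.
    print(summarize(submit_and_wait(FakeTransport(), batch, "test_profile", sleep=lambda s: None)))
```

The transport is injected so the same polling code runs against the real API (CspTransport) or against canned responses (FakeTransport); the max_polls guard keeps an unattended script from spinning forever on a batch that never leaves PENDING.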

How do I search all my data? 

To search all threat data shared with you, use the Threat API provided by the Data Service. Note that this call returns historical threat data in addition to current threats, so check each record's 'expiration' before acting on it.

python

#note: install the 'requests' library first:
#pip install -U requests
import requests

#note: replace this api_key value with your api key!
api_key = 'INSERT_YOUR_API_KEY_HERE'
api_endpoint = 'https://csp.infoblox.com'
api_path = '/tide/api/data/threats'
url = '%s%s' % (api_endpoint, api_path)
#note: 'rlimit' caps the number of returned records; 'property' and 'type' narrow the search
parameters = {'rlimit': 10, 'property': 'phishing_generic', 'type': 'host'}
r = requests.get(url, headers={"Authorization": "Token " + api_key},
                 params=parameters, verify=True)
print(r.status_code)
print(r.json())

Sample result

200

The JSON body has the same shape as the curl sample response below: a "threat" list of indicator records followed by a "record_count".

See the API docs located here to learn more about the call.

curl

curl -X GET 'https://csp.infoblox.com/tide/api/data/threats?rlimit=2' -H 'Authorization: Token <CSP API key>'

Sample result

{ 
"threat": [
{
"id": "2e2dc131-f68e-11e9-a628-679f316f9ffd",
"type": "HOST",
"host": "go0gie.com",
"domain": "go0gie.com",
"tld": "com",
"profile": "IID",
"property": "APT_MalwareC2",
"class": "APT",
"threat_level": 100,
"detected": "2019-04-17T21:02:54.385Z",
"received": "2019-10-24T18:43:33.204Z",
"imported": "2019-10-24T18:43:33.204Z",
"expiration": "2021-04-17T21:02:54.385Z",
"dga": false,
"up": true,
"batch_id": "2e2d9a20-f68e-11e9-a628-679f316f9ffd",
"threat_score": 10,
"threat_score_rating": "Critical",
"threat_score_vector":
"TSIS:1.0/AV:N/AC:L/PR:L/UI:N/EX:H/MOD:H/AVL:L/CI:H/ASN:H/TLD:N/DOP:N/P:T",
"confidence_score": 0.1,
"confidence_score_rating": "Unconfirmed",
"confidence_score_vector": "COSIS:1.0/SR:N/POP:N/TLD:N/CP:T",
"risk_score": 9.9,
"risk_score_rating": "Critical",
"risk_score_vector":
"RSIS:1.0/TSS:C/TLD:N/CVSS:C/EX:H/MOD:H/AVL:L/T:H/DT:H",
"extended": {
"cyberint_guid": "047126240eb5908a422ac1b916b1fda4",
"notes": "DNS tunneling domains",
"threat_actor": "OilRig",
"threat_actor_vector": "STARS:1.0/NAME:OILRIG/AKA:[APT34,CHRYSENE,COBALT_GYPSY,CRAMBUS,HELIX_KITTEN,HELIX_KITTEN,TWISTED_KITTEN]/OPS:N/OVLP:N/REGN:IRAN/DESC:Y/TACT:N/TRGT:N/TOOL:[ALMA_COMMUNICATOR,BONDUPDATER,CVE-2017-0199,CVE-2017-11882,CLAYSLIDE,DARKSEAGREENSHELL,ELVENDOOR,HELMINTH,ISMDOOR,INVOKE-OBFUSCATION,LITTLEFACE),OOPSIE,PLINK,POWBAT,POWRUNER_(PS_BACKDOOR),PSEXEC,QUADAGENT,SSH_TUNNELS_TO_WINDOWS_SERVERS,WEBSHELLS_(TWOFACE,CUSTOMIZED_MIMIKATZ,MALICIOUS_RTF_FILES_CVE-2017-0199_AND_CVE-2017-11882]/REFS:Y"
}
},
{
"id": "11891e90-83f0-11ea-94fe-ededbc8e1ec7",
"type": "HOST",
"host": "eicar.co",
"domain": "eicar.co",
"tld": "co",
"profile": "IID",
"property": "MaliciousNameserver_Generic",
"class": "MaliciousNameserver",
"threat_level": 0,
"confidence": 100,
"detected": "2020-02-11T10:36:44.000Z",
"received": "2020-04-21T16:49:29.780Z",
"imported": "2020-04-21T16:49:29.780Z",
"expiration": "2040-02-11T10:36:44.000Z",
"dga": false,
"batch_id": "1188d06f-83f0-11ea-94fe-ededbc8e1ec7",
"extended": {
"rpz": "base"
}
}
],
"record_count": 2
}

See the API docs located here to learn more about the call.

How do I view all of my organization's data profiles?

To view all your organization's data profiles, run the /tide/admin/v1/resources/dataprofiles API. Data profiles can also be viewed in the Cloud Services Portal by navigating to the Data Profiles page (Manage -> TIDE Data -> Data Profiles). On the Data Profiles page, you can view a list of all your organization's data profiles.

See the API docs located here to learn more about the call.

How do I see what RPZ feeds I have access to with my Cloud Services Portal License?

To view the RPZ feeds your Cloud Services Portal license entitles you to, run the /tide/api/entitlements/feeds API. The response lists the RPZ feeds your account has permission to view; the list varies with your license entitlements.

{
"allow": true,
"feeds": [
"antimalware",
"antimalware-ip",
"base",
"bogon",
"bot-ip",
"cryptocurrency",
"dhs-ais-domain",
"dhs-ais-ip",
"eecn-ip",
"exploitkit-ip",
"ext-antimalware-ip",
"ext-base-antimalware",
"ext-exploitkit-ip",
"ext-ransomware",
"ext-tor-exit-node-ip",
"fresh-domain.surbl",
"malware-dga",
"multi-domain.surbl",
"nccic-host",
"nccic-ip",
"public-doh",
"public-doh-ip",
"ransomware",
"sanctions-ip",
"spambot-dnsbl-ip",
"spambot-ip",
"surbl-lite",
"tor-exit-node-ip",
"subscriberservicesadvanced",
"subscriberservicesconsumer",
"subscriberservicesurldata"
]
}

See the API docs located here to learn more about the call.

How do I see what data profiles I have access to with my Cloud Services Portal License?

To view the data profiles your Cloud Services Portal license entitles you to, run the /tide/api/entitlements/profiles API. The response lists the data profiles your account has permission to view; the list varies with your license entitlements.


{
"allow": true,
"profiles":[
"AISCOMM:AIS-COMMERCIAL",
"IID:ANALYST",
"IID:CRIME",
"IID:DTQ_IP",
"IID:IID",
"IID:IID Internal",
"IID:IID_BH_DECLARED",
"IID:IID_IRD",
"IID:IID_TTL",
"IID:LookalikeDomains",
"IID:OTHER",
"IID:PARTNER",
"IID:PORTAL_AK",
"IID:POWERSHARK",
"IID:RateShark",
"IID:IB_VGC1",
"SURBL:FRESH",
"SURBL:SURBL_multi_list",
"IID:IB_VGC2"
]
}

See the API docs located here to learn more about the call.

How do I search data in the last X time units? 

Use the Threat API provided by the Data Service. You must specify the time period using the "period" query string parameter. Format: "[number of units] [unit type]". Available unit types: minutes/minute, hours/hour, days/day, weeks/week, months/month, quarters/quarter, years/year. 

To keep the samples small, the calls also pass the optional 'rlimit' query string parameter, which limits the number of returned records.

python

#note: install the 'requests' library first
#pip install -U requests
import requests
#note: replace this api_key value with your api key!
api_key = 'INSERT_YOUR_API_KEY_HERE'
api_endpoint = 'https://csp.infoblox.com'
api_path = '/tide/api/data/threats'
url = '%s%s' % (api_endpoint, api_path)
#note: 'period' is "[number of units] [unit type]", e.g. "4 days" or "15 minutes"
parameters = {'period': '4 days', 'rlimit': 2}
r = requests.get(url, headers={"Authorization": "Token " + api_key},
                 params=parameters, verify=True)
print(r.status_code)
print(r.json())


Example Curl:

curl -H 'Authorization: Token <CSP API key>' 'https://csp.infoblox.com/tide/api/data/threats?period=15%20minutes&rlimit=2' 
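The two search sections above leave two things to the caller: building a valid 'period' value, and remembering that the Threat API returns historical indicators alongside current ones. The following added example (not Infoblox code) does both: it validates the unit name and builds the query string in the %20-encoded form the curl above uses, then filters a response down to indicators whose 'expiration' has not passed. The parameter names, unit names and response fields come from this page; SAMPLE_RESPONSE is a constructed, trimmed copy of the curl sample shown earlier, and the CSP_API_KEY environment variable is this example's own assumption.

```python
"""Query the Threat API for a recent window and keep only indicators that
are still active.

Added example, not Infoblox code. The 'period' and 'rlimit' parameters, the
unit names, and the response fields (threat, type, host, threat_level,
expiration, record_count) come from the page. SAMPLE_RESPONSE is a
constructed, trimmed copy of the curl sample shown earlier; the CSP_API_KEY
environment variable is this example's assumption.
"""
import json
import os
import urllib.request
from datetime import datetime, timezone
from urllib.parse import quote, urlencode

BASE_URL = "https://csp.infoblox.com"
THREATS_PATH = "/tide/api/data/threats"
PERIOD_UNITS = ("minute", "hour", "day", "week", "month", "quarter", "year")

# Constructed from the page's sample: one indicator expired in 2021, one
# valid until 2040. The Threat API returns historical records too, so a
# consumer must look at 'expiration' before acting on a hit.
SAMPLE_RESPONSE = {
    "threat": [
        {"id": "2e2dc131-f68e-11e9-a628-679f316f9ffd", "type": "HOST", "host": "go0gie.com",
         "property": "APT_MalwareC2", "class": "APT", "threat_level": 100,
         "expiration": "2021-04-17T21:02:54.385Z"},
        {"id": "11891e90-83f0-11ea-94fe-ededbc8e1ec7", "type": "HOST", "host": "eicar.co",
         "property": "MaliciousNameserver_Generic", "class": "MaliciousNameserver",
         "threat_level": 0, "expiration": "2040-02-11T10:36:44.000Z"},
    ],
    "record_count": 2,
}


def period_param(count, unit):
    """Build the "[number of units] [unit type]" value; the API accepts
    singular and plural unit names, so both are accepted here too."""
    unit = unit.strip().lower()
    if unit.endswith("s"):
        unit = unit[:-1]
    if unit not in PERIOD_UNITS or count < 1:
        raise ValueError(f"bad period: {count} {unit}")
    return f"{count} {unit}" if count == 1 else f"{count} {unit}s"


def build_query(count, unit, rlimit=None, record_type=None, prop=None):
    """Return the path plus query string for a time-bounded threat search.
    Spaces are %-encoded (not '+') to match the form the page's curl uses."""
    params = {"period": period_param(count, unit)}
    if rlimit is not None:
        params["rlimit"] = rlimit
    if record_type:
        params["type"] = record_type
    if prop:
        params["property"] = prop
    return THREATS_PATH + "?" + urlencode(params, quote_via=quote)


def parse_ts(value):
    """Timestamps in the response are UTC with millisecond precision."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def active_threats(response, now):
    """Drop indicators whose 'expiration' is at or before 'now'; return the
    rest ordered by threat_level, highest first."""
    live = [t for t in response.get("threat", [])
            if not t.get("expiration") or parse_ts(t["expiration"]) > now]
    return sorted(live, key=lambda t: t.get("threat_level", 0), reverse=True)


def indicator(threat):
    """The indicator value sits under a key named after the type ('host' in the
    samples; the same convention is assumed for 'ip', 'url', 'email', 'hash')."""
    return threat[threat["type"].lower()]


def fetch(count, unit, rlimit=None, api_key=None):
    """Live call, same shape as the samples; not exercised offline."""
    req = urllib.request.Request(BASE_URL + build_query(count, unit, rlimit=rlimit))
    req.add_header("Authorization", "Token " + (api_key or os.environ["CSP_API_KEY"]))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(build_query(15, "minutes", rlimit=2))
    for t in active_threats(SAMPLE_RESPONSE, datetime.now(timezone.utc)):
        print(indicator(t), t["property"], t["expiration"])
```

Run against the sample with today's date, only eicar.co survives: go0gie.com is still returned by the API because it is part of the historical record, but its expiration passed in 2021 and it should not be pushed to a firewall or RPZ as a current threat.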

How do I get Infoblox's current active threat data?  

For more information, see the Active Indicator page in the Cloud Services Portal.
