Infoblox

Version: Infoblox DDI (DHCP, DNS, and IPAM) with NIOS version 7.0.x and later

Infoblox DDI is a critical technology with DNS, DHCP, IPAM functionalities which provides maximum protection and offers minimum attack surface. Infoblox DDI forwards logs to Netsurion Open XDR via syslog. Netsurion Open XDR receives DNS, DHCP, and IPAM logs from Infoblox DDI. Netsurion Open XDR Infoblox DDI report provides information about DHCP IP assignment and DHCP IP lease expiration of the systems.

These reports help to track, client’s events receiving suspicious responses by the DNS response policy zone.

Dashboards display a graphical representation of the object management, user logon activities, DHCP activities. For e.g. Object management events include, new object (DHCP range, a record, MX record, etc.) creation, existing object modification or deletion.

Alerts are triggered when a user performs any of the following activities: new object creation, old objects modification or deletion, user login fails, etc.

• Security – DNS response policy zone and threat protection logs
• Operations – System management and DHCP IP assignment
• Compliance – Object changelogs and user logon activities

After Infoblox DDI is configured to deliver events to Netsurion Open XDR, alerts, dashboards, and reports can be configured into Netsurion Open XDR.

The following are the key Data Source Integration available in Netsurion Open XDR.

Alerts

Type	Name	Description
Operations	Infoblox DDI – High CPU Usage Detected	This alert is triggered when the CPU usage is critical.
Operations	Infoblox DDI – High Disk Usage Detected	This alert is triggered when the disk space usage is critical.
Operations	Infoblox DDI – High Memory Usage Detected	This alert is triggered when the memory usage is critical.
Compliance	Infoblox DDI – Object created deleted and modified	This alert is triggered when an object (DHCP range, a record, etc.) is either deleted or modified.
Compliance	Infoblox DDI – User login failed	This alert is triggered when a user tries to login but fails. For e.g. Incorrect username or password. (i.e. when user tries to login from GUI).

Reports

Type	Name	Description
Security	Infoblox DDI – Threat detection detail	This report provides information related to suspicious URLs detected as DDoS activities, severity, IP address, port number, etc.
Security	Infoblox DDI – DNS response policy zone threat detail	This report provides information related to Infoblox DDI to create rules for handling specific queries, IP address, port details, severity level, URL address, etc.
Operations	Infoblox DDI – DHCP IP assignment details	This report provides information related to the assignment, release and expiration of the IP address to the system which includes IP address, MAC address, lease-duration and status (assign, renew, release or expired) fields.
Operations	Infoblox DDI – DNS query and responses	This report provides information related to client requested queries and server responses, IP address, URL address, and record type.
Compliance	Infoblox DDI – Object created deleted and modified	This report provides information related to the creation, deletion and modification of the objects (like DHCP range, A record, MX record) which includes object type, object name, action and messages (information about the changes) fields.
Compliance	Infoblox DDI – User login allowed	This report provides information related to user login and logout success which includes device address, username, group name, source address, console type, logon status, reason, and authentication type fields.
Compliance	Infoblox DDI – User login failed	This report provides information related to user login failed which includes device address, username, group name, source address, console type, logon status, reason, and authentication type fields.

Documentation

The configuration details are consistent with Netsurion Open XDR 9.x and later, and Infoblox.

Download Integration Guide and How-to Guide for configuration instructions and more information.