Infoblox

Version: Infoblox DDI (DHCP, DNS, and IPAM) with NIOS version 7.0.x and later

Infoblox DDI is a critical technology that combines DNS, DHCP, and IPAM functionality, providing maximum protection with a minimum attack surface. Infoblox DDI forwards logs to Netsurion Open XDR via syslog, so Netsurion Open XDR receives the DNS, DHCP, and IPAM logs from Infoblox DDI. The Netsurion Open XDR reports for Infoblox DDI provide information about DHCP IP assignment and DHCP IP lease expiration for systems.

These reports help track events where clients receive suspicious responses from the DNS response policy zone.

Dashboards display a graphical representation of object management, user logon activities, and DHCP activities. For example, object management events include the creation of a new object (DHCP range, A record, MX record, etc.) and the modification or deletion of an existing object.

Alerts are triggered when a user performs any of the following activities: creation of a new object, modification or deletion of an existing object, a failed user login, etc.

  • Security – DNS response policy zone and threat protection logs
  • Operations – System management and DHCP IP assignment
  • Compliance – Object changelogs and user logon activities

After Infoblox DDI is configured to deliver events to Netsurion Open XDR, alerts, dashboards, and reports can be configured in Netsurion Open XDR.

The following are the key Data Source Integrations available in Netsurion Open XDR.

Alerts

| Type | Name | Description |
|---|---|---|
| Operations | Infoblox DDI – High CPU Usage Detected | This alert is triggered when the CPU usage is critical. |
| Operations | Infoblox DDI – High Disk Usage Detected | This alert is triggered when the disk space usage is critical. |
| Operations | Infoblox DDI – High Memory Usage Detected | This alert is triggered when the memory usage is critical. |
| Compliance | Infoblox DDI – Object created deleted and modified | This alert is triggered when an object (DHCP range, A record, etc.) is either deleted or modified. |
| Compliance | Infoblox DDI – User login failed | This alert is triggered when a user tries to log in but fails, for example because of an incorrect username or password (i.e., when the user tries to log in from the GUI). |

Reports

| Type | Name | Description |
|---|---|---|
| Security | Infoblox DDI – Threat detection detail | This report provides information related to suspicious URLs detected as DDoS activities, severity, IP address, port number, etc. |
| Security | Infoblox DDI – DNS response policy zone threat detail | This report provides information related to Infoblox DDI to create rules for handling specific queries, IP address, port details, severity level, URL address, etc. |
| Operations | Infoblox DDI – DHCP IP assignment details | This report provides information related to the assignment, release, and expiration of the IP address for a system, including the IP address, MAC address, lease-duration, and status (assign, renew, release, or expired) fields. |
| Operations | Infoblox DDI – DNS query and responses | This report provides information related to client-requested queries and server responses, IP address, URL address, and record type. |
| Compliance | Infoblox DDI – Object created deleted and modified | This report provides information related to the creation, deletion, and modification of objects (such as DHCP range, A record, MX record), including the object type, object name, action, and messages (information about the changes) fields. |
| Compliance | Infoblox DDI – User login allowed | This report provides information related to successful user logins and logouts, including the device address, username, group name, source address, console type, logon status, reason, and authentication type fields. |
| Compliance | Infoblox DDI – User login failed | This report provides information related to failed user logins, including the device address, username, group name, source address, console type, logon status, reason, and authentication type fields. |

Documentation

The configuration details are consistent with Netsurion Open XDR 9.x and later, and Infoblox.

Download the Integration Guide and How-to Guide for configuration instructions and more information.