Infoblox Integration Guide
Secureworks® Taegis™ XDR ingests Infoblox BloxOne Threat Defense Data Connector logs when they are delivered as CEF over syslog to the Taegis™ XDR Collector. Messages must match the Data Connector CEF header pattern of: CEF:<version>|Infoblox|Data Connector|....
For field and log-type reference, see the following Infoblox documentation:
Supported log types (enhanced normalization):

| CEF Name (Infoblox log type) |
|---|
| DNS Query |
| DNS Response |

Other Data Connector CEF messages with the same vendor and product may still be received; use Infoblox’s mapping documentation linked above for available extensions and log types.
Configure syslog forwarding to XDR using Infoblox’s documentation for your BloxOne deployment so that Data Connector output is sent to the collector address and port below.
Firewall Requirements
| Source | Destination | Port/Protocol |
|---|---|---|
| Infoblox BloxOne / syslog forwarding host | XDR Collector (mgmt IP) | UDP/514 |
Data Provided from Integrations
| Data Source | Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections |
|---|---|---|---|
| Infoblox (BloxOne Threat Defense Data Connector, CEF) | DNS | | |
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Detection Rules to generate detections based on normalized data from a data source.
Logging Configuration Instructions
Use Infoblox’s BloxOne Threat Defense documentation to enable Data Connector logging and to send those logs to an external syslog server using the following guidance:
- Point the syslog destination at the XDR Collector using UDP port 514.
- Ensure the stream includes CEF payloads where the CEF device vendor is Infoblox and the CEF device product is Data Connector (per the mapping guides linked above).
Exact menus and prerequisites depend on your BloxOne products and version. Follow the vendor guide for your environment.
Note
Data Connector events are normalized with XDR sensor type Infoblox.
NIOS BIND named syslog
Some NIOS grids forward DNS activity as classic BIND named syslog lines (the text includes a named[<pid>]: process stamp, not a Data Connector CEF header), which is handled in XDR as follows:
- Traffic is matched by the generic Named syslog parsers and not by the Infoblox Data Connector CEF parser.
- Events are normalized with XDR sensor type named, which is separate from the Infoblox sensor type used for the BloxOne Threat Defense Data Connector CEF messages described earlier on this page.
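The following Python is an added example, not Secureworks or Infoblox code: it sorts raw collector lines the way this guide describes, by the Data Connector CEF header (vendor Infoblox, product Data Connector) versus the classic named[<pid>]: BIND stamp, so you can check what a feed actually contains before expecting Infoblox normalization. The sample lines, the generic CEF extension keys in them, and the labels other-cef and unparsed are constructed assumptions.

```python
import re

# Guide's header pattern: CEF:<version>|Infoblox|Data Connector|..., followed by the rest of the CEF header.
CEF_HEADER = re.compile(
    r"CEF:(?P<version>\d+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<dev_version>[^|]*)\|(?P<sig_id>[^|]*)\|(?P<name>[^|]*)\|"
    r"(?P<severity>[^|]*)\|(?P<ext>.*)$"
)
# Classic BIND process stamp in NIOS syslog lines, e.g. "named[4321]:"
NAMED_STAMP = re.compile(r"\bnamed\[(?P<pid>\d+)\]:")

def parse_cef_extension(ext: str) -> dict:
    """Split a CEF extension into key=value pairs; values may contain spaces, so a value runs until the next ' key='."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", ext))

def classify(line: str) -> dict:
    """Map a raw line to the XDR sensor type the guide names: 'Infoblox' (Data Connector CEF)
    or 'named' (BIND syslog). 'other-cef' and 'unparsed' are this example's own labels."""
    m = CEF_HEADER.search(line)
    if m:
        is_dc = m.group("vendor") == "Infoblox" and m.group("product") == "Data Connector"
        return {
            "sensor_type": "Infoblox" if is_dc else "other-cef",
            "log_type": m.group("name"),  # the CEF Name field carries the Infoblox log type
            "extension": parse_cef_extension(m.group("ext")),
        }
    n = NAMED_STAMP.search(line)
    if n:
        return {"sensor_type": "named", "pid": int(n.group("pid"))}
    return {"sensor_type": "unparsed"}

def sensor_type_counts(lines) -> dict:
    """Tally lines per sensor type: a quick sanity check of a collector feed."""
    counts: dict = {}
    for line in lines:
        st = classify(line)["sensor_type"]
        counts[st] = counts.get(st, 0) + 1
    return counts

# Constructed sample lines (not real captures); extension keys are generic CEF keys, not Infoblox-specific ones.
SAMPLE_LINES = [
    "<14>May  1 12:00:00 b1-host CEF:0|Infoblox|Data Connector|2.0|DNS Query|DNS Query|3|"
    "src=10.0.0.5 dst=10.0.0.53 msg=example.com A",
    "<30>May  1 12:00:01 nios-grid named[4321]: client 10.0.0.5#5353: query: example.com IN A + (10.0.0.53)",
    "CEF:0|Acme|Firewall|1.0|100|blocked|5|src=10.0.0.9",
]

if __name__ == "__main__":
    print(sensor_type_counts(SAMPLE_LINES))  # {'Infoblox': 1, 'named': 1, 'other-cef': 1}
```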