To mitigate DNS data exfiltration, Infoblox DNS threat analytics employs analytics algorithms that analyze incoming DNS queries and responses to detect DNS tunneling traffic.
The Grid threat analytics object contains settings and information about update downloads, and the mitigation response policy zone to which queries on blacklisted domains are transferred.
References to grid:threatanalytics are object references.
The name part of the Grid threat analytics object reference has the following components:
- The name of the Grid
The object does not support the following operations:
The object cannot be managed on Cloud Platform members.
These fields are actual members of the object; thus, they can be requested by using _return_fields, if the fields are readable.
The basic version of the object contains the field(s): enable_auto_download, enable_scheduled_download, module_update_policy, name.
configure_domain_collapsing
Disable domain collapsing at Grid level.
Type
Bool.
Create
The default value is False.
Search
The field is not available for search.
current_moduleset
The current threat analytics module set.
Type
String.
This field supports nested return fields as described here.
Search
The field is not available for search.
Notes
The current_moduleset cannot be updated.
current_moduleset cannot be written.
current_whitelist
The Grid whitelist.
Type
String.
This field supports nested return fields as described here.
Search
The field is not available for search.
Notes
The current_whitelist cannot be updated.
current_whitelist cannot be written.
dns_tunnel_black_list_rpz_zones
The list of response policy zones for DNS tunnelling requests.
Type
A zone_rp object array.
This field supports nested return fields as described here.
Create
The default value is empty.
Search
The field is not available for search.
domain_collapsing_level
Level of domain collapsing.
Type
Unsigned integer.
Create
The default value is 2.
Search
The field is not available for search.
enable_auto_download
Determines whether the automatic threat analytics module set download is enabled.
Type
Bool.
Create
The default value is False.
Search
The field is not available for search.
Notes
The enable_auto_download is part of the base object.
enable_scheduled_download
Determines whether the scheduled download of the threat analytics module set is enabled.
Type
Bool.
Create
The default value is False.
Search
The field is not available for search.
Notes
The enable_scheduled_download is part of the base object.
enable_whitelist_auto_download
Indicates whether the auto download service is enabled.
Type
Bool.
Create
The default value is False.
Search
The field is not available for search.
enable_whitelist_scheduled_download
Indicates whether the custom scheduled settings for the whitelist auto download are enabled. If false, the default frequency is once per 24 hours.
Type
Bool.
Create
The default value is False.
Search
The field is not available for search.
last_checked_for_update
The last time the threat analytics module set was checked for an update.
Type
Timestamp.
Search
The field is not available for search.
Notes
The last_checked_for_update cannot be updated.
last_checked_for_update cannot be written.
last_checked_for_whitelist_update
The last time the threat analytics whitelist was checked for an update.
Type
Timestamp.
Search
The field is not available for search.
Notes
The last_checked_for_whitelist_update cannot be updated.
last_checked_for_whitelist_update cannot be written.
last_module_update_time
The last update time for the threat analytics module set.
Type
Timestamp.
Search
The field is not available for search.
Notes
The last_module_update_time cannot be updated.
last_module_update_time cannot be written.
last_module_update_version
The version number of the last updated threat analytics module set.
Type
String.
Search
The field is not available for search.
Notes
The last_module_update_version cannot be updated.
last_module_update_version cannot be written.
last_whitelist_update_time
The last update time for the threat analytics whitelist.
Type
Timestamp.
Search
The field is not available for search.
Notes
The last_whitelist_update_time cannot be updated.
last_whitelist_update_time cannot be written.
last_whitelist_update_version
The version number of the last updated threat analytics whitelist.
Type
String.
Search
The field is not available for search.
Notes
The last_whitelist_update_version cannot be updated.
last_whitelist_update_version cannot be written.
module_update_policy
The update policy for the threat analytics module set.
Type
String.
Create
The default value is AUTOMATIC.
Search
The field is not available for search.
Notes
The module_update_policy is part of the base object.
name
The Grid name.
Type
String.
Search
The field is available for search via '='.
Notes
The name is part of the base object.
The name cannot be updated.
name cannot be written.
scheduled_download
The schedule settings for the threat analytics module set download.
Type
A Schedule Setting struct.
Create
The default value is empty.
Search
The field is not available for search.
scheduled_whitelist_download
The schedule settings for the automatic whitelist update run.
Type
A Schedule Setting struct.
Create
The default value is empty.
Search
The field is not available for search.
Use this method to download and apply an update for the threat analytics module set.
This function does not support multiple object matches when called as part of an atomic insertion operation.
Input fields
None
Output fields
None
Use this method to download and apply an update for the threat analytics whitelist.
This function does not support multiple object matches when called as part of an atomic insertion operation.
Input fields
is_whitelist ( Bool. ). This parameter is mandatory. Indicates whether the update is for the whitelist or for the module set.
Output fields
None
Use this function to replace blacklist RPZ records with analytics whitelists.
This function does not support multiple object matches when called as part of an atomic insertion operation.
Input fields
rpz_cnames ( A/An record:rpz:cname object array. ). This parameter is mandatory. The list of RPZ CNAME records to be replaced with analytics whitelists.
Output fields
None
Use this method to set the last uploaded threat analytics module set and whitelist.
This function does not support multiple object matches when called as part of an atomic insertion operation.
Input fields
moduleset_token ( String. ). This parameter is mandatory. The token returned by the uploadinit function call in object fileop.
Output fields
None
Use this method to test threat analytics server connectivity.
This function does not support multiple object matches when called as part of an atomic insertion operation.
Input fields
None
Output fields
error_messages ( String array. ) The list of error messages for a failed connectivity test.
overall_status ( String. Valid values are: "FAILED", "SUCCESS" ) The overall connectivity test status.
Use this method to update the threat analytics module set and whitelist.
This function does not support multiple object matches when called as part of an atomic insertion operation.
Input fields
None
Output fields
None
Field | Type | Req | R/O | Base | Search |
---|---|---|---|---|---|
configure_domain_collapsing | Bool | N | N | N | N/A |
current_moduleset | String | N | Y | N | N/A |
current_whitelist | String | N | Y | N | N/A |
dns_tunnel_black_list_rpz_zones | [obj] | N | N | N | N/A |
domain_collapsing_level | Unsigned int | N | N | N | N/A |
enable_auto_download | Bool | N | N | Y | N/A |
enable_scheduled_download | Bool | N | N | Y | N/A |
enable_whitelist_auto_download | Bool | N | N | N | N/A |
enable_whitelist_scheduled_download | Bool | N | N | N | N/A |
last_checked_for_update | Timestamp | N | Y | N | N/A |
last_checked_for_whitelist_update | Timestamp | N | Y | N | N/A |
last_module_update_time | Timestamp | N | Y | N | N/A |
last_module_update_version | String | N | Y | N | N/A |
last_whitelist_update_time | Timestamp | N | Y | N | N/A |
last_whitelist_update_version | String | N | Y | N | N/A |
module_update_policy | String | N | N | Y | N/A |
name | String | N | Y | Y | = |
scheduled_download | struct | N | N | N | N/A |
scheduled_whitelist_download | struct | N | N | N | N/A |
whitelist_update_policy | String | N | N | N | N/A |
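As an added example (not Infoblox code and not part of this reference page), the following Python helpers apply the field table above and the connectivity-test method: they list the base-object fields, build a GET that adds readable non-base fields with `_return_fields+`, strip read-only (R/O) fields from a payload before a PUT so a round-tripped GET result is not rejected, and interpret the `overall_status` / `error_messages` output of the connectivity test, treating any value other than the two documented ones as a failure. Assumed rather than taken from the page: the WAPI base path `/wapi/v2.12`, the `_function` query parameter, the function name `test_threat_analytics_server_connectivity`, and the sample responses, which are constructed.

```python
"""Helpers for the grid:threatanalytics WAPI object.

Added example; not Infoblox code.  Assumed (not on the reference page): the
WAPI base path "/wapi/v2.12", the "_function" query parameter and the function
name "test_threat_analytics_server_connectivity".  Nothing here sends a request;
the helpers build request URLs and interpret responses, so they run offline.
"""
import json
from urllib.parse import quote, urlencode

# Transcribed from the field table: name -> (read_only, part_of_base_object)
FIELDS = {
    "configure_domain_collapsing": (False, False),
    "current_moduleset": (True, False),
    "current_whitelist": (True, False),
    "dns_tunnel_black_list_rpz_zones": (False, False),
    "domain_collapsing_level": (False, False),
    "enable_auto_download": (False, True),
    "enable_scheduled_download": (False, True),
    "enable_whitelist_auto_download": (False, False),
    "enable_whitelist_scheduled_download": (False, False),
    "last_checked_for_update": (True, False),
    "last_checked_for_whitelist_update": (True, False),
    "last_module_update_time": (True, False),
    "last_module_update_version": (True, False),
    "last_whitelist_update_time": (True, False),
    "last_whitelist_update_version": (True, False),
    "module_update_policy": (False, True),
    "name": (True, True),
    "scheduled_download": (False, False),
    "scheduled_whitelist_download": (False, False),
    "whitelist_update_policy": (False, False),
}

WAPI_BASE = "/wapi/v2.12"  # assumption; use the version your Grid Master serves


def base_fields():
    """Fields a plain GET returns without any _return_fields (the basic version)."""
    return sorted(name for name, (_ro, base) in FIELDS.items() if base)


def build_get_url(host, extra_fields):
    """GET URL returning the base fields plus extra_fields via _return_fields+.

    Unknown names are rejected locally instead of producing a WAPI error.
    """
    unknown = sorted(f for f in extra_fields if f not in FIELDS)
    if unknown:
        raise ValueError("unknown field(s): " + ", ".join(unknown))
    query = urlencode({"_return_fields+": ",".join(extra_fields)})
    return "https://%s%s/grid:threatanalytics?%s" % (host, WAPI_BASE, query)


def read_only_keys(payload):
    """Keys in payload that the table marks R/O; a PUT carrying them is rejected."""
    return sorted(k for k in payload if k in FIELDS and FIELDS[k][0])


def writable_payload(payload):
    """Copy of payload without R/O or unknown keys, safe to send in a PUT.

    Needed when a GET result (carrying current_*, last_* timestamps and name)
    is edited and sent straight back to the Grid.
    """
    return {k: v for k, v in payload.items() if k in FIELDS and not FIELDS[k][0]}


def build_connectivity_test_url(host, ref):
    """POST URL invoking the connectivity test on an object reference."""
    return "https://%s%s/%s?_function=test_threat_analytics_server_connectivity" % (
        host, WAPI_BASE, quote(ref, safe="/:"))


def interpret_connectivity_result(body):
    """Map the function's output fields to (ok, messages).

    overall_status is documented as "SUCCESS" or "FAILED"; any other value is
    reported as a failure so that a malformed reply never reads as healthy.
    """
    result = json.loads(body) if isinstance(body, (str, bytes)) else dict(body)
    status = result.get("overall_status")
    messages = list(result.get("error_messages") or [])
    if status == "SUCCESS":
        return True, messages
    if status != "FAILED":
        messages.append("unexpected overall_status: %r" % (status,))
    return False, messages


# Constructed sample responses (not captured from a real Grid).
SAMPLE_FAILED = json.dumps({
    "overall_status": "FAILED",
    "error_messages": ["constructed sample: update server unreachable"],
})
SAMPLE_SUCCESS = '{"overall_status": "SUCCESS", "error_messages": []}'

if __name__ == "__main__":
    print(build_get_url("grid-master.example", ["current_moduleset", "last_module_update_version"]))
    print(read_only_keys({"name": "Infoblox", "enable_auto_download": True}))
    print(interpret_connectivity_result(SAMPLE_FAILED))
```

The field table is kept as data rather than hard-coded checks so that a monitoring job can reuse it: poll `last_checked_for_update` and `last_module_update_version` through `build_get_url`, run the connectivity test when the check timestamp stops advancing, and raise `error_messages` to the operator.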