BloxOne Threat Defense – August 26, 2020

New Features and Enhancements

The Dossier™ Threat Research Portal offers an enhanced "Summary" section featuring a graphical representation of the information contained within the full Dossier report

The redesigned "Summary" section provides a graphical representation of threat scores as well as a graphical representation of threat indicator timelines and reputation information. Enhancements to the following Dossier report sections have also been included with this release:

    • Current DNS
    • Related Domains
    • Related URLs
    • Related IPs
    • Related File Samples
    • Related Contacts
    • Reports
    • Timeline
    • Location
    • Raw WHOIS

Dossier now supports performing a pivot off of the threat actor properties

Pivoting can be performed on threat indicators such as email, IP address, and domain. When threat indicator information is pivoted, Dossier generates a summary report for the threat indicator being pivoted. Threat indicator properties that can be pivoted are shown in light blue.

Dossier now supports "breadcrumb" navigation

When performing a Dossier search, a series of visually-represented links, or breadcrumbs, representative of the path the researcher has taken during the investigation is created. The breadcrumb path can be used to review prior Dossier search returns without having to initiate a new search.  

Security-Activity Report and DNS Report now support an additional search query parameter

The Security - Activity Report and the DNS Activity Report now offer "=" and the NOT ("!=") operator as additional search query operators when searching report data.

BloxOne Threat Defense – August 7, 2020

New Features and Enhancements

BloxOne Endpoint now supports endpoint assignment to a custom endpoint group at the time of its installation.

When installing a new BloxOne endpoint, the endpoint can now be assigned to an existing custom endpoint group rather than being assigned to the default endpoint group. In the endpoint service logs, you can view the metadata indicating the name of the custom endpoint group to which the newly installed endpoint has been assigned.

BloxOne Threat Defense – August 5, 2020

New Features and Enhancements

Custom user roles offer administrators the flexibility to accommodate specific access authorizations by allowing more granular control of access.

As an administrator, you can define custom user roles, in addition to a selection of Infoblox provided user roles, to accommodate for specific access authorizations. This will allow for more granular control of access.

Resetting BloxOne appliances to factory condition can be done through the Device UI by enabling local access to the appliance.

You can reset BloxOne appliances to factory condition by enabling local access through the Cloud Services Portal and logging in to the on-prem host through the Device UI. The on-prem host will still be associated with the same account, but all of the service specific settings and connectivity to the cloud will be reset.

BloxOne Threat Defense – July 27, 2020

New Features and Enhancements

3rd party identity provider (IdP) integration allows customer identity to be federated with customer owned Okta or Azure AD identity providers via the SAML 2.0 protocol.

As an administrator, when you set up the 3rd party IdP integration, you can optionally configure group mapping between IdP groups assigned to your users and BloxOne user groups. This feature completely automates the onboarding and offboarding process of your employees. You can set up 3rd party IdP federation in the newly released Infoblox SSO Portal.

Multi-factor authentication (MFA) can be defined based on OktaVerify when customers store their users' identity with Infoblox.

You can now define multi-factor authentication (MFA) based on OktaVerify when you store users’ identity with Infoblox. When configured, users are asked to define their MFA authentication at their first login and are required to authenticate using their chosen way of authentication on subsequent logins. You can set up MFA federation in the newly released Infoblox SSO Portal.

Data Connector – July 17, 2020

New Features and Enhancements

The cloud-based Data Connector provides syslog UDP protocol support to communicate with SIEMs or syslog collectors, in addition to the prior syslog TCP and TLS protocol support.

The updated syslog message format will be fully compliant with RFC 5424.

Required headers (e.g. facility, severity, host) will be added and the date/time format will be updated. 
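
For a collector that receives these messages, the RFC 5424 header can be validated and decoded as in the following added example, which is not Infoblox code. The sample lines, host name and application name are constructed, and the parser rejects legacy BSD-style (RFC 3164) lines so a format mismatch is caught at ingestion.

```python
import re
from datetime import datetime

# RFC 5424: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP SD [SP MSG]
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2})"
    r" (?P<timestamp>\S+) (?P<hostname>\S{1,255}) (?P<app>\S{1,48})"
    r" (?P<procid>\S{1,128}) (?P<msgid>\S{1,32}) (?P<rest>.*)$",
    re.DOTALL,
)
# RFC 3339 timestamp as profiled by RFC 5424 (1 to 6 fractional digits).
TIMESTAMP = re.compile(
    r"^(\d{4}-\d{2}-\d{2})T(\d{2}:\d{2}:\d{2})(?:\.(\d{1,6}))?(Z|[+-]\d{2}:\d{2})$"
)
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

# Constructed sample lines (not captured from a real Data Connector).
SAMPLE_OK = "<134>1 2020-07-17T10:15:30.5Z dc.example.test connector 4242 - - constructed payload"
SAMPLE_SD = ('<27>1 2020-07-17T10:15:31+02:00 dc.example.test connector - ID7 '
             '[meta@32473 note="a \\"quoted\\" ] value"] second payload')
SAMPLE_LEGACY = "<134>Jul 17 10:15:30 dc constructed payload"


def parse_timestamp(text):
    """Return an aware datetime, or None for the NILVALUE '-'."""
    if text == "-":
        return None
    m = TIMESTAMP.match(text)
    if not m:
        raise ValueError("timestamp is not RFC 3339: %r" % text)
    date, time, frac, offset = m.groups()
    frac = (frac or "0").ljust(6, "0")          # normalise to microseconds
    offset = "+00:00" if offset == "Z" else offset
    return datetime.fromisoformat("%sT%s.%s%s" % (date, time, frac, offset))


def split_structured_data(rest):
    """Split 'SD [SP MSG]' into (sd, msg), honouring escapes inside quoted values."""
    if rest.startswith("-"):
        return "-", rest[2:]
    if not rest.startswith("["):
        raise ValueError("structured data must be '-' or start with '['")
    i, in_quote = 0, False
    while i < len(rest):
        c = rest[i]
        if in_quote:
            if c == "\\":
                i += 1                          # skip the escaped character
            elif c == '"':
                in_quote = False
        elif c == '"':
            in_quote = True
        elif c == "]" and (i + 1 == len(rest) or rest[i + 1] != "["):
            return rest[: i + 1], rest[i + 2:]  # last SD element closed
        i += 1
    raise ValueError("unterminated structured data")


def parse_rfc5424(line):
    """Decode one syslog message; raise ValueError if it is not RFC 5424."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not RFC 5424 (missing version or header fields)")
    pri = int(m["pri"])
    if pri > 191:                               # facility 0-23, severity 0-7
        raise ValueError("PRI out of range: %d" % pri)
    sd, msg = split_structured_data(m["rest"])
    return {
        "facility": pri >> 3,
        "severity": SEVERITIES[pri & 7],
        "version": int(m["version"]),
        "timestamp": parse_timestamp(m["timestamp"]),
        "hostname": m["hostname"],
        "app": m["app"],
        "procid": m["procid"],
        "msgid": m["msgid"],
        "structured_data": sd,
        "msg": msg,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_SD, SAMPLE_LEGACY):
        try:
            print(parse_rfc5424(sample))
        except ValueError as exc:
            print("rejected:", exc)
```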

Multiple cloud-based Data Connectors can now be deployed to balance the load and optimize data transfer to Infoblox NIOS Reporting. Note that NIOS version 8.5.0 or higher is required.

Security event updates for BloxOne Threat Defense (Business Cloud and Advanced).

The security events in CEF/LEEF will be updated, as follows:

The Severity field matches data in the reports.

Redirect policy action will be reported as “Redirect” (previously reported as “TCP Only”).

 

BloxOne Threat Defense – June 19, 2020

New Features and Enhancements

Eight additional reporting widgets have been added to the original seven reporting widgets available on the Cloud Services Portal Dashboard page. 

The following reporting widgets have been added to the original reporting widgets:

    • Top Web Destinations
    • Top Blocked Web Destinations
    • Top Devices by Total DNS Activity
    • Configuration and Endpoints
    • Devices by Type
    • Top Detected Threats
    • Top Threat Feeds
    • Top Attackers 

BloxOne Threat Defense – May 30, 2020

New Features and Enhancements

Two new comprehensive reports, DNS Activity Report and Activity Security Report, are available to assist in monitoring traffic activity on your network.

The DNS Activity Report monitors all DNS activity on your network. The report consolidates the DNS Report, DNS Source Report, DNS Devices Report, and the DNS Users Report into one easily understandable, comprehensive report. Each individual report is also available for viewing.

The Activity Security Report monitors all activity and security events occurring on your network. The report consolidates the Security Events Report, DNS Firewall Report, Web Content Report, Threat Insight Report, Devices Report, Users Report, and Sources Report into one easily understandable, comprehensive report. Each individual report is also available for viewing. 

TIDE – May 28, 2020

New Features and Enhancements

TIDE now supports searching for IPv6 and search queries for emails and checksums/hashes (MD5)

In addition to host, ip, url, threat type searches, TIDE now supports IPv6, email, and checksum/hash (MD5) searches. Email address records are known to be malicious.

BloxOne Threat Defense – May 11, 2020

New Features and Enhancements

The task of moving a BloxOne Endpoint to an Endpoint Group has been simplified and made more efficient 

Moving one or more BloxOne endpoints to an endpoint group can now be accomplished directly on the Endpoints page without having to edit the endpoint group configuration page. Changes to ATCAPI mean BloxOne Endpoint accommodates even more data. In the Cloud Services Portal, the ability to add an endpoint to a group on the Endpoints Groups page has been removed and replaced with a new Move Endpoints dialog box, making the move process much more user-friendly and expeditious.

Customer-defined threat and confidence scores can now be applied to Custom and Threat Insight lists

By assigning a customer-defined threat level and confidence score, the default threat level and confidence score can be overridden and the user-defined values applied instead.

BloxOne Threat Defense – May 8, 2020

New Features and Enhancements

A block/redirect policy is applied to requests for DNS domains or subdomains not included in a feed where the authoritative server includes CNAME RDATA

When a DNS request is made for a domain or subdomain not included in a feed, if the upstream, authoritative server includes CNAME RDATA, then a block/redirect policy will be applied to the request.

BloxOne Threat Defense – April 21, 2020

New Features and Enhancements

New dark color scheme on the Cloud Services Portal enhances viewing experience in low-light environments

Infoblox introduces a new dark color scheme on the Cloud Services Portal, which delivers an alternative viewing experience to users. Dark color scheme can be beneficial in low-light environments. You can switch between light mode and dark mode in User Preferences. 

Automatic upgrades on the on-prem hosts ensure that your hosts are secure and contain the latest updates in functionality

Infoblox now automatically upgrades your on-prem hosts, physical or virtual, with new versions of services. This is implemented to ensure that your on-prem hosts are secure and contain the latest updates in functionality. Most of the updates happen in the background without any need to restart services or without any interference in the function of services deployed on the on-prem hosts. In some cases, there is the need for a service restart, which could interrupt those services for a few seconds. We understand that those few seconds at the wrong time of the day could affect your business. Therefore, we are adding the ability for you to schedule these updates to a specific time window during the week. The one-time update time will take into consideration the time zone set for the specific host. For example, setting an update window for Saturday from 6 to 10 a.m. would perform pending updates between 6 and 10 a.m. on Saturday CET in Berlin, EST in New York, and CST in Beijing. You can alternatively defer updates up to four weeks for the most critical times of the year.

Defining notification settings by user groups helps reduce the number of notification messages for specific users

You can now use user groups to define notification settings to reduce the number of notification messages users receive to a subset that is important to them. For example, you can configure the administrator to receive account and host related notifications via e-mail and other users to receive host and service notifications in-app only, while PagerDuty services could be used just for specific service notifications. You can also add additional text to e-mail notifications, for example, to identify next steps in resolution.

Enabling multiple Cloud Data Connectors to receive data from a single NIOS Grid provides flexibility and improves performance during the transfers of log data

If you use NIOS in connection with BloxOne, you can now leverage increased scalability of the Cloud Data Connector (CDC) service. Several CDCs can be set up to receive data from a single NIOS Grid, providing increased flexibility and performance in transferring your NIOS log data.

BloxOne Threat Defense – April 9, 2020

New Features and Enhancements

Infoblox InfoRanks data reports information for the most popular second-level domains (SLD) updated daily from aggregated data collected from multiple sources

The Infoblox InfoRanks list provides the most popular second-level domains (SLDs) updated each day from an aggregated dataset based on DNS records from various data sources. The process used to determine the rank for each domain includes count information in combination with statistical inference techniques to accurately estimate all second-level domains' true ranks over time. 

Dossier Usage Reports has been revamped to include License Summary information

Dossier Usage Reports are available to administrators of BloxOne Threat Defense Business On-Premises, BloxOne Threat Defense Business Cloud, and BloxOne Threat Defense Advanced subscriptions. The reports display data for an organization’s or a team’s TIDE and Dossier usage. Three Dossier usage reports are available: License Summary, User Summary, and Transactions.

BloxOne Threat Defense – April 6, 2020

New Features and Enhancements

Multiple data connectors can now be configured per NIOS grid.

Each member of NIOS grid master can be configured using multiple data connectors when sending the DNS Query/Response logs and RPZ Logs.

BloxOne Threat Defense – February 25, 2020

New Features and Enhancements

Custom Lookalike Domain Monitoring allows users to detect potential lookalike domains targeting their domain

This feature allows the global lookalike domain feature to be targeted at specific domains that are critical to the user. You can now add the company's own domain, or domains frequently visited by or controlled by the organization, in order to provide advanced warning of common attack vectors. With this, users can potentially avert unknown attacks and prevent potentially "brand-affecting" incidents. To use Custom Lookalike Domain Monitoring, a user supplied list of critical domains is compared against Infoblox's database of known registered domains to identify potential lookalike domains. If a detection does occur, you will be notified via the Cloud Services Portal and via email. Custom Lookalike Domain Monitoring is available for subscribers of BloxOne Threat Defense Advanced.

DNS over HTTPS (DoH) Solution comprises a suite of tools supporting security policy enforcement to prevent the bypass of your security policies to 3rd-party DoH servers

DNS over HTTPS (DoH) will soon be supported by all major browsers. While DoH offers privacy for some users, this may be at the expense of security best practices within an organization. Organizations wishing to provide security policy enforcement through DNS may wish to prevent the bypass of their security policies to 3rd-party DoH servers. This feature provides a threat intelligence feed called “Public-DoH” (public-doh.infoblox.local), which provides a negative response to “DoH Canary” domains (such as use-application-dns.net), which signals compliant browsers that DoH should not be used within the existing environment. The Infoblox DNS over HTTPS (DoH) Solution is available for subscribers of BloxOne Threat Defense Essentials, BloxOne Threat Defense Business On-Premises, BloxOne Threat Defense Business Cloud, and BloxOne Threat Defense Advanced.

The Infoblox DNS over HTTPS (DoH) Solution is comprised of the following items: 

    • Policy threat intelligence feeds for DoH: Provides the ability to control the DNS access method used to detect and mitigate threats by disabling DoH-based security policies. A threat intelligence feed containing canary domains is available to achieve this.
    • Enable DoH Feed in Cloud Services Portal: Makes the DoH feed available through the Cloud Services Portal UI.
    • DoH Policy feed for known DoH domains and IPs: Adds the DoH domain and IP feed data to TIDE. 
    • Dossier update of DoH domains/IPs: Provides the ability to review DoH-related domains and IPs within Dossier. 
    • RPZ creation for the policy domains: Provides a threat intelligence feed called “Public-DoH” (public-doh.infoblox.local), which provides a negative response to the “DoH Canary” domains (such as use-application-dns.net), which signals compliant browsers that DoH should not be used within the existing environment.
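
To confirm that a resolver with the Public-DoH feed applied actually sends the signal described above, the DNS response for the canary domain can be checked as in this added example, which is not Infoblox code. It assumes the rule Firefox documents for use-application-dns.net (any response code other than NOERROR, or NOERROR with no A or AAAA records, disables DoH); the response bytes are constructed samples and the helper names are hypothetical.

```python
import struct

CANARY = "use-application-dns.net"      # canary domain named on this page
TYPE_A, TYPE_CNAME, TYPE_AAAA = 1, 5, 28
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name):
    """Encode a domain name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(rcode, answers=()):
    """Constructed sample: a response to an A query for CANARY.
    answers is a sequence of (rtype, rdata_bytes)."""
    flags = 0x8180 | rcode               # QR=1, RD=1, RA=1, plus RCODE
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    msg += encode_name(CANARY) + struct.pack("!HH", TYPE_A, 1)
    for rtype, rdata in answers:
        # 0xC00C is a compression pointer to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    return msg


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # pointer: two bytes, ends the name
            if off + 2 > len(msg):
                raise ValueError("truncated pointer")
            return off + 2
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1 + length


def parse_response(msg):
    """Return (rcode, [answer record types]) from a raw DNS response."""
    if len(msg) < 12:
        raise ValueError("short header")
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4    # QTYPE + QCLASS
    if off > len(msg):
        raise ValueError("truncated question")
    types = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated record")
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if off > len(msg):
            raise ValueError("truncated rdata")
        types.append(rtype)
    return flags & 0x000F, types


def canary_disables_doh(msg):
    """True if this canary response tells a compliant browser not to use DoH."""
    rcode, types = parse_response(msg)
    if rcode != RCODE_NOERROR:
        return True                      # e.g. NXDOMAIN from the RPZ feed
    return not any(t in (TYPE_A, TYPE_AAAA) for t in types)


if __name__ == "__main__":
    print(canary_disables_doh(build_response(RCODE_NXDOMAIN)))
    print(canary_disables_doh(build_response(RCODE_NOERROR, [(TYPE_A, bytes([192, 0, 2, 1]))])))
```

A resolver that still returns an address record for the canary (the second case) is not signalling anything, so clients behind it may keep using a 3rd-party DoH server.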

Data Connector Enhancements allow users to forward DNS Firewall logs data

With this release, Data Connector has been enabled to forward DNS Firewall logs (RPZ logs) to Splunk and Infoblox Reporting. Data Connector is available for subscribers of BloxOne Threat Defense Business Cloud, Advanced and Security Ecosystem Business.

Threat Insight BloxOne Cloud Usage of TIDE Global Whitelist

With this release, any domain that is in the whitelist is not added to the RPZ. This feature enhancement provides a dynamic whitelist for TIDE, partially created from the user’s high impact domains that make up the TIDE global whitelist. Using a dynamic whitelist will prevent the list from going stale. Threat Insight BloxOne Cloud Usage of TIDE Global Whitelist requires a subscription to Threat Defense Business Cloud or BloxOne Threat Defense Advanced and Threat Intelligence Data Exchange (TIDE).

Comprehensive Security Report provides data and statistics which can be exported to other security tools

The purpose of the Comprehensive Security Report is to inform and familiarize the user with the data and statistics available in BloxOne Threat Defense. From this report, you can determine what information is to be displayed in the Cloud Services Portal. Additionally, information from this report can be exported to your SIEM or integrated into other security tools. The Comprehensive Security Report is available to subscribers of BloxOne Threat Defense Business Cloud and BloxOne Threat Defense Advanced. The Comprehensive Security Report is unavailable for BloxOne Threat Defense Essentials or for BloxOne Threat Defense Business On-Premises subscribers.

Executive Summary Report provides data reporting for data exfiltration Activity and unauthorized web categories

This Executive Summary Report enhancement adds two additional report types to the already available report: Data Exfiltration Activity and Access to Unauthorized Web Categories. The Data Exfiltration Activity report documents the unauthorized transfer of data from a computer. DNS threat analytics can detect and automatically block data exfiltration attempts via DNS, without the need for endpoint agents or additional network infrastructure. The target domains can originate from any geographic location. The Access to Unauthorized Web Categories report displays a breakdown of web activity to sites classified by the user as unauthorized by means of a content category. The Executive Summary Report is available to subscribers of BloxOne Threat Defense Business Cloud and BloxOne Threat Defense Advanced. The Executive Summary Report is unavailable for BloxOne Threat Defense Essentials or for BloxOne Threat Defense Business On-Premises subscribers.

BloxOne Threat Defense – January 14, 2020

BloxOne Threat Defense Cloud New Features and Enhancements

Replacing On-Prem Hosts

When you plan to replace an on-prem host with a new one, Infoblox now offers a “Replace” functionality to support zero-touch provisioning through the Cloud Services Portal. You can set up the new host and connect it to the Cloud Services Portal through zero-touch provisioning, while the old host is inactive. The replace function will automatically move the service configuration from the old host to the new one without the need to configure individual services. Services from the old host will be removed, and the host will be in the Pending state, which will require approval to rejoin the BloxOne Cloud.

Security Enhancement

BloxOne Cloud offers a security enhancement that allows you to disconnect problematic on-prem hosts due to misconfiguration or theft in the case of a physical host. You can disconnect the affected on-prem host from the BloxOne Cloud, which will stop all the services on the host. When you disconnect the host, it is no longer accessible from the cloud and is disconnected at the first reconnection to the internet. The on-prem host can be reconnected to the BloxOne Cloud only through a new zero-touch provisioning process, using a new token or a specific approval from the administrator in the case of a physical host.

Additional Diagnostic Tools

Infoblox has implemented additional diagnostic tools that administrators can use to get more visibility into individual on-prem hosts. Administrators can execute these tools on selected on-prem hosts and display the diagnostic results in a browser connected to the BloxOne Cloud, with the ability to download the results as well. The new diagnostic tools include the following: Traceroute, DNStest, Traffic Capture, NTP test, and the display of DNS and DHCP configuration file from the on-prem hosts.

Delivering RPZ Logs to On-Prem SIEMs

NIOS users who use the BloxOne Cloud can now benefit from an advanced Data Connector feature to deliver the RPZ logs to the on-prem SIEMs in CEF or LEEF format. They can also deliver the data to Splunk for reporting purposes in the CSV format.

Page Settings

The Cloud Services Portal now saves the last settings of a specific page, including filters and displayed columns. When you leave the page and log back in, the page will display information using the last configured filters and displayed columns. When necessary, you can reset the page configuration to default, which will remove the filters and restore to the default columns.

Notifications Enhancements

You can now integrate additional services, such as PagerDuty and Webhooks, to receive notifications.

User Permissions Enhancements

This release expands user roles to include more granular permissions. For each user role, users can view all the supported permissions in the detailed panel to gain more visibility.

BloxOne Threat Defense – December 5, 2019

BloxOne Threat Defense Cloud Enhancement

User Experience Enhancement

This release of BloxOne Cloud introduces a modern, more dynamic, user experience. Main menus have been moved from the top of the screen to the left-hand side, where they can be expanded to show accordion-style, sub-menus or can be collapsed to display only individual icons when not in use. All workflows will remain unchanged.

Resources

This release of BloxOne Cloud introduces three new research and resource tools: Alexa Top, Default TTL (time-to-live), and Excluded Bogon List. Alexa Top is a tool that ranks the most popular sites on the Internet based on popularity. The default TTL list displays each threat class’s default time-to-live value. The Excluded Bogons List allows customers to view or edit lists of invalid IP ranges that may be used by malicious entities.

BloxOne Threat Defense – November 25, 2019 

BloxOne Threat Defense Cloud New Feature

Enabling and Disabling of Geolocation Support for Security Policies

This release of BloxOne Cloud provides the ability to enable or disable geolocation support on a per-policy (per-customer) basis when resolving DNS queries.

BloxOne Threat Defense – November 22, 2019

BloxOne Threat Defense Cloud Enhancement

Infoblox Eastern Europe and China Policy (EECN) Policy Zone Modification

As businesses and supply chains have evolved, we now find many customers have offices, business partners, and supply chains that extend into many of the European countries which are part of the European Union. To accommodate these customers, the newly updated Eastern Europe and China Policy (EECN) policy zone now excludes those countries that are part of the European Union. The updated policy zone will now only include Belarus, China, Moldova, Russian Federation, Turkey, and Ukraine, countries that are not members of the European Union.

BloxOne Threat Defense – October 28, 2019

BloxOne Threat Defense Cloud New Features and Enhancements

Executive Summary Report

This release of BloxOne Cloud introduces the Executive Summary Report. The Executive summary report provides high-level, cyber-security information utilizing highly informative visuals and key metrics delivered in an easy to read and highly understandable format. The information contained within the executive summary report is typically used to report the state of the business and its cybersecurity efforts to other interests within the organization. Graphics and visuals generated within the report can be incorporated into other reports or can be included in PowerPoint and other presentations. 

Dashboard Update

This release of BloxOne Cloud introduces a new Cloud Services Portal Dashboard page. The updated dashboard displays new widgets and the ability to print the page/screen.

BloxOne Threat Defense – October 24, 2019

BloxOne Threat Defense Cloud New Features

DNS Forwarding Proxy Service Level Logging

This release of BloxOne Cloud provides DNS Forwarding Proxy service level logs when deploying standalone and DNS Forwarding Proxy and NIOS. DNS Forwarding Proxy service logs assist in managing operations and workflows.

Audit Log Viewing

Audit logs can now be viewed in BloxOne Cloud. When an administrator makes changes to a BloxOne Threat Defense Cloud configuration through the UI or API, the configuration changes are logged in the audit log. Logged configuration information includes the username of the person updating or modifying the configuration, the IP address from where the configuration changes originated, the object name or configuration option being changed, such as named lists, bypass lists, DNS forwarding proxy, internal domains, enabling and disabling of apps on an on-prem host, etc., and the new configuration values.

Custom List Improvements

When adding domains or IP addresses to a custom list, an additional description field for entries has been added.

Bypass List IPv6 Support

This release of BloxOne Cloud provides IPv6 address support for bypass internal domains lists.

Root Certificate for Bypass Codes and Blocked Page Relocation

The root certificate required when creating bypass codes for blocked pages has been relocated to the Downloads page under the Administration tab.

Scaling of Custom RPZ Feeds - Phase 2: Threat indicators

This release of BloxOne Cloud provides the option of creating a custom RPZ feed containing malicious threat indicators (domains and IP addresses) and wildcard rules for blocking threat indicators residing on subdomains. The custom RPZ feed is customer-generated and is limited to 10,000 or fewer records with an expiration TTL within the range of 1 to 30 days. The custom RPZ feed can be fetched using a preconfigured TSIG key in the account which works only with the associated custom zone.

Data Connector Enhancement

Enhanced traffic Flow Status and Syslog Destination

This release of Data Connector provides enhanced traffic flow status information and generic syslog destination including BloxOne Cloud. 

BloxOne Threat Defense – October 1, 2019

BloxOne Threat Defense Cloud New Features

  • Role-based Access Control
    • This release of BloxOne Cloud provides improved access control for customers with introduction of user groups, roles, and permissions. Assigning individual users to different user groups will change the permissions for the user. To make this process easier, Infoblox provides a set of default user groups corresponding to the "Administrator" and "User" roles, and adds new user groups for BloxOne DDI Administrators, BloxOne TD Administrators, BloxOne DDI Users, BloxOne TD Users, and Account Management. To keep existing access for users, no action is necessary. Infoblox will automatically assign existing users to the Administrators and User user groups based on their current access.
  • Managing Tags
    • For the purpose of easier grouping and identification of objects (such as hosts) within BloxOne Cloud, Infoblox is expanding the capabilities of tags to include a “restricted” tag type in addition to the previously existing “free-form” tags. With restricted tags, users have to choose the tag value from a set of previously defined choices, whereas free-form tags can accept either any text as a tag value or any text that corresponds to a previously specified pattern.
  • Troubleshooting Physical On-Prem Hosts
    • When an on-prem host is experiencing issues, troubleshooting problems can be accomplished using the Device UI. The Device UI displays a comprehensive view of the networking health for your on-prem host and can be used to perform corrective actions to address applicable issues.
  • Notification Enhancements
    • In this release, the notification enhancements allow you to choose between PagerDuty or custom for notifications and use a custom SMTP server for receiving alerts and notifications. Other enhancements include the ability to enter a name for the notification service, the ability to enter a URL for the notification service, and the ability to define and test authenticity for the notification service.
  • Host Type Display and Sorting
    • The Cloud Services Portal now displays the host type, and sorting based on host type is also supported.

Dossier Enhancement

  • This release of Dossier includes additional threat information, including threat, confidence, and risk scores for reported threats. Using threat, confidence, and risk scores, more informed decisions can be made regarding potential threats impacting your network.

Data Connector New Feature

  • Best Practices

This release of Data Connector introduces configuring and monitoring of threshold levels for Host CPU Usage, Host Disk Usage, and Host Memory Usage. Threshold level notifications of events are reported via the Cloud Services Portal.

  • Traffic Flow Health Status

This release of Data Connector introduces reporting of the end-to-end health status and details for individually configured traffic flows. Details for individual traffic flows can now be viewed in the traffic flows Details pane.

BloxOne Threat Defense – July 31, 2019

BloxOne Threat Defense Cloud New Features

  • Infoblox Cloud Data Connector
    • The Infoblox Data Connector is a utility designed to collect DNS query and response data and security logs from specified sources, and transfer the data to defined destinations such as the BloxOne Threat Defense Cloud, Infoblox NIOS reporting server, and supported SIEM (Security Information and Event Manager), such as Splunk, QRadar, EMS, and ArcSight.
  • BloxOne Endpoint Bypass Mode
    • BloxOne Endpoint bypass mode has been streamlined, providing more control and increased security. By enabling BloxOne Endpoint bypass mode for a BloxOne Endpoint group, you can define your own domain and response for On-Prem DNS service protected by DNS Firewall. With deployed DFP appliances (in auto mode), a unique and hashed response using a probe token detects if an endpoint is located in a protected environment. If the endpoint is in a protected environment, then the endpoint must adhere to the policies defined for the location.
  • DNS Anycast support on DFP
    • Anycast describes a one-to-nearest communication between a single sender and the nearest recipient within a group. The routing protocol chooses one recipient within a target group based on the routing algorithm for the specific protocol, and sends data to that recipient only. DNS Anycast provides the following benefits: Improved Reliability, Load Distribution, and Improved Performance.
  • Second Anycast IP address
    • For improved resilience, a second DNS Anycast IPv4 address, 103.80.5.100, is available for DNS server forwarding configuration when used with DNS Forwarding Proxy and BloxOne Endpoints.
  • Activity Report
    • The Activity Report includes information about cloud and on-prem activities and provides powerful data visualization capabilities utilizing extensive filtering and search capabilities.
  • Active Indicators
    • The Active Indicators search tool enables filter-based searches of threat indicators by data type, threat class/property, and data provider. The indicator data returned from a search is displayed on the Active Indicators page. The returned indicator search data can also be exported in CSV, JSON, and XML formats. Active Indicator data is also available through the API.
  • Internal Domains
    • The "Bypass Domains" feature has been renamed "Internal Domains." The updated Internal Domains feature now supports multiple internal domains lists along with raising the maximum number of internal domain entries to 3,000 records (in total).

Data Connector New Feature

  • Infoblox Cloud Data Connector

This release of BloxOne Threat Defense Cloud introduces a new workflow that streamlines the Data Connector deployment process. In your hybrid cloud environment, you can deploy the Data Connector as a service on an on-prem host and connect it to BloxOne Threat Defense Cloud, so you can configure and manage the Data Connector through the Cloud Services Portal. You can deploy the Data Connector as a service on virtual machines in an infrastructure of your choice using the Docker or OVA package that Infoblox provides.

BloxOne Threat Defense – July 13, 2019

BloxOne Threat Defense Cloud New Features

  • On-Prem Host Management
    • This release of BloxOne Threat Defense introduces a new workflow that streamlines the deployment of DNS forwarding proxies. The workflow uses a secure join token mechanism to authenticate and deploy virtual appliances that you configure in your VM environments.
  • Notifications
    • The Cloud Services Portal now displays notifications for specific events, such as license expiration or CPU usage. To prevent notification floods, Infoblox deduplicates notifications: it identifies identical notifications and sets a grace period during which duplicates are stopped before they are sent again.
  • Response Rate Limiting
    • Response Rate Limiting (RRL), configured on the DNS Forwarding Proxy, controls excessive UDP responses that are the same or similar.

BloxOne Threat Defense – June 15, 2019

BloxOne Threat Defense Cloud New Features

  • Access to Dossier from within the Cloud Services Portal Security and Category Reports
    • When viewing the Security or the Category reports in the Cloud Service Portal, a Dossier threat report can be invoked by selecting a threat indicator from the Hits tab and clicking on either the Query or Response information associated with the threat indicator. The Dossier report for the threat indicator will be displayed in a new browser tab.

  • Scaling of threat intelligence through custom RPZ feeds
    • Customers can now configure and deploy custom RPZ feeds in which the malicious indicators (domains and IPs) are scaled for smaller devices.

  • New Infoblox BloxOne Threat Defense licensing and subscriptions
    • New information has been added describing the new Infoblox BloxOne™ Threat Defense subscriptions: BloxOne™ Threat Defense Essentials, BloxOne™ Threat Defense Business On-Premises, BloxOne™ Threat Defense Business Cloud, and BloxOne™ Threat Defense Advanced.

BloxOne Threat Defense – May 8, 2019

TIDE Enhancements

TIDE Threat Data Filtering by Threat Score, Risk Score, and Confidence Score

TIDE now supports extended threat data filtering via the API based on score (numeric), score rating (qualitative), and vector score (vector string).

  • Threat data filtered queries can be made for rating, score, and for a range of scores.

BloxOne Threat Defense – April 26, 2019

BloxOne Threat Defense Cloud New Features

  • Security Policy - Block-Bypass / Override
    • Users receiving a blocked DNS query when using BloxOne Threat Defense Cloud can retrieve a valid bypass code from their network administrator. Bypass codes override content filtering, granting temporary access to restricted web content.

  • DNS Forwarding Proxy Fallback to a Local DNS Server
    • If BloxOne Threat Defense Cloud is unreachable, the DNS Forwarding Proxy will fall back to the DNS resolver instead of the default DNS resolution path. Using DNS Forwarding Proxy fallback, remote offices can be protected even when BloxOne Threat Defense Cloud is unavailable.

BloxOne Threat Defense Cloud Enhancements

  • Block/Redirect of Unknown and Uncategorized Domains
    • Unknown and uncategorized domains can now be blocked or redirected, preventing access to potentially harmful websites. Besides the default redirect page options, a custom redirect option is also available, allowing you to create and customize the redirect page as well as displaying contextual information and actions.
  • On-Prem DNS Firewall TSIG Key SHA Format Support
    • BloxOne Threat Defense Cloud now supports the HMAC-SHA256 256-bit algorithm for generating on-prem DNS Firewall TSIG keys. You can choose between the current MD5 128-bit algorithm and the newly supported SHA256 256-bit algorithm when configuring your feed distribution servers.
  • UI/UX Enhancements to Security Policies Pages
    • The Cloud Service Portal security policies pages have a new look and feel through the adoption of a composite UI design framework, utilizing the current best practices in delivering high quality, user-centric experiences when interacting with the Security Policies, Custom Lists, and Category Filters pages.
  • TIDE - Migrating Dossier Usage Data Pages to the Cloud Services Portal
    • The Dossier Metric Reports have been migrated from the TIDE platform to the Cloud Service Portal. The following three Dossier reports are available to account administrators:
      • Organizational Summary
      • User Summary
      • Transactions
  • Tracking of Private BloxOne Endpoint IP Addresses through the Threat API
    • Tracking of BloxOne Endpoint private IP addresses, as well as public IP addresses, is now available via the BloxOne Threat Defense Cloud Threats API.
  • Whitelist Enhancements
    • The Threat Insight whitelist now offers more refined internal governance in combination with more active curation and monitoring, resulting in far fewer false positives impacting your network operations.

BloxOne Threat Defense – March 13, 2019

TIDE Enhancements

TIDE Threat Data Filtering by CIDR range or CIDR ranges

TIDE now supports threat data filtering via the API by CIDR range and multiple CIDR ranges.

  • Threats can be filtered by specifying a single CIDR range or multiple CIDR ranges. To filter on multiple CIDR ranges, separate them in the API query with either a comma or an ampersand.

BloxOne Threat Defense Cloud – December 10, 2018

New Feature

  • Inclusion of IP metadata
    • IP metadata (MAC address, Source IP, etc.) is now included in BloxOne Threat Defense Cloud reports, allowing for easier correlation of events.

BloxOne Threat Defense Cloud – December 3, 2018

New Feature

  • Public API Expansion for BloxOne Threat Defense Cloud
    • Three additional public-facing APIs (Hostname, Tagging, and Audit Log) are available for ATC. Each of the new API calls can be run via a Swagger page.

Enhancements

This release adds the following enhancements related to the Cloud Services Portal:

  • Cloud Services Portal login and landing page redesign
    • The Cloud Service Portal login and landing pages have been completely revamped. The landing page now boasts a new, user-centric design focused on assisting the user in getting started with important tasks such as defining networks, creating custom lists, and configuring security policies. Important tasks are determined based on license entitlement and user role. The landing page also makes it easier for you to explore content and get questions answered on topics such as partner integrations, community resources, and receiving support.

  • Cloud Services Platform navigation updates

    • An improved navigation structure utilizing current best practices complementing a new look and feel has been adopted for the Cloud Services Platform. The navigation changes have been implemented to better facilitate user productivity and user experience when interacting within the portal’s ecosystem by reorganizing and optimizing user workflows and categorizing system features into logical groups.
  • UI changes include the following:
    • A newly redesigned Welcome page: The landing page now makes it easier for you to get started with important tasks, explore content, and get answers.

    • Relocation of features into logical work groups and workflows, enhancing productivity and usability and optimizing efficiency. For example, the introduction of the Policies tab to BloxOne Threat Defense Cloud and BloxOne On-Prem customers for items that were previously located under the Manage and Administration tabs.

    • The BloxOne DNS Forwarding Policy (DFP) Configuration page has been renamed On-Prem Hosts and relocated under the Manage tab.

    • The Analyze page’s left side panel has been reorganized into two sections: Research and Reports. Under Reports, DNS Requests, Security, Category, Data Exfiltration, Malware, and Command and Control reports can be found. Dossier and Threat Look Up are available in the Research section.

    • Under the Administration tab, a new Downloads page has been added. By consolidating all downloads and placing them on their own page, you can easily locate any download needed which greatly enhances the user experience. In the Downloads section, BloxOne Endpoint Download has been renamed to Endpoint Download, BloxOne DNS Forwarding Proxy to On-Prem Hosts, and Download Data Connector VM to Data Connector.
  • New Cloud Services Portal site navigation
    • Many features within the portal’s ecosystem have been organized into logical workflows and workgroups. The following table lists the new navigation schema and the corresponding menu items residing under each tab.

      TAB             MENU ITEM
      Manage          On-Prem Hosts, External Networks, Endpoints, Bypassed Domains, TI Data Exchange
      Policies        Security Policies, Redirect, On-Prem DNS Firewall
      Analyze         DNS Requests, Security, Category, Data Exfiltration, Malware, Command and Control, Dossier, Threat Lookup
      Administration  License Entitlements, Users, Alerts, User Audit Logs, DNS Response Logs, Data Connectors, Downloads, Support

  • S3 bucket support for multiple data formats
    • With enhanced S3 bucket support, you can now convert file formats from Parquet to CEF, JSON, and CSV based on your own requirements when pulling data directly into your systems.

TIDE – October 17, 2018

Enhancements

TIDE data can now be requested through the API without headers and using a custom delimiter or delimiters.

  • Data Request without Headers 
    TIDE data may now be requested without headers through the API. When requesting data without headers, the following values will not be returned: id, batch_id, class, detected, ip, url, hostname, property, threat_level, and header text.
  • Data Request using a Custom Delimiter
    A custom delimiter, or delimiters, may now be used when requesting TIDE data using the API. IPs, Hostnames, and URLs can all be retrieved using a custom delimiter.

BloxOne Threat Defense Cloud – September 5, 2018

Enhancements

  • Dossier Bulk API
    • Dossier Bulk API calls are now supported. Using the Dossier Bulk API call, it is possible to make calls containing multiple indicators at the same time. With this release, up to 100 indicators may be submitted per call. It is no longer necessary to make each indicator call separately. This enhancement is available for Cloud and On-Prem customers.
  • Dossier Export to PDF
    • Dossier reports may now be exported to PDF for download.
  • Policy Precedence
    • As part of ATC’s policy precedence, Custom Lists and Category Filters have been relocated under Security Policies (Manage -> Security Policies), where each is available under its respective tab.
  • Threat Insight Reports
    • Threat Insight reports have been restructured using a tabular format promoting better usability and easier access to information. The three Threat Insight reports, ‘Malware’, ‘Command and Control’, and ‘Data Exfiltration’, are each available under their own separate tabs along with the specific report’s details. This enhancement is available to Cloud and On-Prem customers.
  • IP Address Configuration for Infoblox Threat Intelligence Feeds
    • When configuring your Infoblox Threat Intelligence RPZ feeds, IPv6 addresses can now be used when setting up the feeds distribution server and the feeds notification server. This enhancement is available to Cloud and On-Prem customers.
  • New Feeds
    • New feeds are available to Cloud and On-Prem customers, depending on your subscription level. The new feeds are as follows:
      • Cryptocurrency Feed
        • This feed identifies threats that allow malicious actors to perform illegal and/or fraudulent activities in which cryptocurrency mining occurs without the site user’s consent. This feed identifies malicious or unauthorized use of resources, including coinhive, which can be embedded into a site owner’s web pages to mine cryptocurrency with the visitor’s permission as an alternative to web banner advertising; cryptojacking, where malicious actors use in-browser mining without the victim’s consent; and cryptocurrency mining pools working together to mine cryptocurrency. The Cryptocurrency feed is available at the Plus and Advanced subscription levels.
      • Spambot DNSBL IP Feed
        • In DNSBL format, this feed contains IPs of known spam servers. The Spambot DNSBL IP feed enables protection against computers or bot nodes acting as part of a botnet by sending out spam. This feed can be used to assist in blocking incoming spam and other potentially malicious emails from known spam sources by feeding into your email platform or appliance. The Spambot DNSBL IP feed is available at the Advanced subscription level.
      • NCCIC Host & IP Feeds
        • DHS’s National Cybersecurity and Communications Integration Center (NCCIC) is a 24×7 cyber situational awareness, incident response, and management center that serves as the hub of information sharing activities among public and private sector partners to build awareness of vulnerabilities, incidents, and mitigations. Indicators contained in this feed appear on the watchlist from the National Cybersecurity & Communications Integration Center (NCCIC) and are not verified or validated by DHS or Infoblox. The NCCIC Host & NCCIC IP feeds are available at the Standard, Plus, and Advanced subscription levels.

Dossier – September 5, 2018

Enhancement

  • Dossier Bulk API
    Dossier Bulk API calls are now supported. Using the Dossier Bulk API call, it is possible to make calls containing multiple indicators at the same time. With this release, up to 100 indicators may be looked up per call. It is no longer necessary to make each indicator call separately. This enhancement is available for Cloud and On-Prem customers.

BloxOne Threat Defense Cloud – July 31, 2018

New Features

  • BloxOne Endpoint Groups
    • When applying security policies to multiple BloxOne Endpoint devices, you can make the process more efficient by organizing the endpoint devices into BloxOne Endpoint groups. You can then add the endpoint groups to the network scope when you configure a security policy. Note that BloxOne Threat Defense Cloud comes with a default endpoint group called All BloxOne Endpoints (default) that is associated with the default global policy.
  • Precedence Ranking and Rule Actions for Security Policies
    • This release of BloxOne Threat Defense Cloud gives you the ability to configure precedence ranking and rule actions for your security rules based on your business requirements. When you configure security policies, you can now add any configured BloxOne Endpoint groups to the network scope. You can also define the precedence order for the custom lists and category filters you add to the security policy as well as overriding the precedence ranking for the threat intelligence feeds and Threat Insight rules that are inherited from the default global policy. Depending on your business needs, you can also define specific actions for all the rules in your security policy.

TIDE – July 10, 2018

Enhancement

TIDE Metric Reports

The following additional information is now available when running TIDE metric reports:

    • Dossier Report
      The Dossier Org Summary report and Dossier User Summary report will bring back the following additional information: Organization Name, Party Number, MDM Party ID, and Storage ID. The Dossier Transactions report will bring back the following additional information: Organization Name.
    • Login Report
      The Login User Summary report and Login History report will bring back the following additional information: Organization Name.

BloxOne Threat Defense Cloud – June 29, 2018

New Feature

  • DNS over TLS (Transport Layer Security)
    • BloxOne Threat Defense Cloud now runs DNS over TLS for communication between clients (including the latest versions of the BloxOne Endpoint and the DNS Forwarding Proxy) and its cloud infrastructure. DNS over TLS is an IETF standard and provides full-stream encryption that makes your DNS service more resistant to certain types of attacks. It also allows BloxOne Threat Defense Cloud to use just TCP port 443 for communication, which simplifies your setup and provides you with a better out-of-the-box experience.

BloxOne Threat Defense Cloud – June 19, 2018

New Features

  • Support for CSV Export
    • This release supports exporting data to CSV format. You can export data to CSV files for the following functions: Security Report, Category Report, Data Connectors, Portal Users, and License Entitlements.

Dossier – May 23, 2018

New Feature

  • Dossier 2.0 (early release)
    Dossier 2.0 has been redesigned and re-engineered from the ground up to provide a more powerful set of threat research and analysis tools, making the threat research experience faster, easier, and more effective. Dossier 2.0 resides within the Cloud Services Portal, meaning you are no longer redirected away from the Cloud Services Portal when using Dossier’s threat intelligence tools.

BloxOne Threat Defense Cloud – May 23, 2018

New Features

  • BloxOne Dossier 2.0 (early release)
    • Dossier 2.0 has been redesigned and re-engineered from the ground up to provide a more powerful set of threat research and analysis tools, making the threat research experience faster, easier, and more effective. Dossier 2.0 resides within the Cloud Services Portal, meaning that you are no longer redirected away from the Cloud Services Portal when using Dossier’s threat intelligence tools.
  • Detection for Dictionary DGAs
    • This release adds the detection for Dictionary DGA domains. Dictionary DGA detection uses lexical analysis to detect domains based on wordlists. Dictionary DGA has been used by malware families, including Suppobox and Matsnu.
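A minimal sketch of wordlist-based lexical analysis, added here as an illustration and not Infoblox's detector. The wordlist, the threshold of three distinct names per client, and the log records are constructed assumptions; names are aggregated per client because a single word-concatenated domain is common among legitimate sites.

```python
# Added example: wordlist-based lexical check for dictionary-DGA style names.
# Not Infoblox's detector; wordlist, threshold and records are constructed.
from collections import defaultdict

# Constructed wordlist. In practice this would be a wordlist recovered from
# analysis of the malware family being tracked.
WORDLIST = frozenset({
    "table", "window", "gather", "school", "doctor",
    "winter", "button", "people", "answer", "garden",
})


def segment(label, words=WORDLIST):
    """Return the wordlist words that exactly tile `label`, or None.

    Dynamic programming over prefixes: tiles[i] holds one tiling of
    label[:i] if that prefix can be written as concatenated words.
    """
    tiles = [None] * (len(label) + 1)
    tiles[0] = []
    for end in range(1, len(label) + 1):
        for start in range(end):
            if tiles[start] is not None and label[start:end] in words:
                tiles[end] = tiles[start] + [label[start:end]]
                break
    return tiles[-1]


def is_dictionary_like(qname, words=WORDLIST, min_words=2):
    """True if the label left of the TLD is made of >= min_words words."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    parts = segment(labels[-2], words)
    return parts is not None and len(parts) >= min_words


def flag_clients(records, min_domains=3):
    """records: iterable of (client_ip, qname) pairs from a DNS query log.

    Returns {client_ip: sorted distinct dictionary-like names} for clients
    that queried at least `min_domains` such names.
    """
    seen = defaultdict(set)
    for client, qname in records:
        if is_dictionary_like(qname):
            seen[client].add(qname.lower().rstrip("."))
    return {c: sorted(d) for c, d in seen.items() if len(d) >= min_domains}


# Constructed query log (documentation IP range, made-up names).
SAMPLE_RECORDS = [
    ("192.0.2.10", "tablewindow.net"),
    ("192.0.2.10", "doctorgarden.ru"),
    ("192.0.2.10", "winterbutton.net"),
    ("192.0.2.10", "www.example.com"),
    ("192.0.2.20", "schoolpeople.com"),
    ("192.0.2.20", "garden.com"),
]

if __name__ == "__main__":
    for client, names in flag_clients(SAMPLE_RECORDS).items():
        print(client, names)
```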

TIDE – May 23, 2018

New Feature

  • Lookalike Domains
    This release of TIDE supports the search for lookalike domains through TIDE API calls or the TIDE UI. Lookalike domains are domains that are found to be visually similar (look-alike) to other domains. These domains are composed using methods such as replacing letters with visually confusable ones (e.g. o to 0, l to 1, w to vv) and switching to different top-level domains (e.g. .com to .cc), among others. These domains are often found in cyber attacks seeking brandjacking, traffic redirection, and phishing.
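The two composition methods named above can be checked locally against a watchlist of your own domains. The following is an added example, not TIDE code or its API; the watchlist, the sample query names and all function names are constructed, and the last DNS label is assumed to be the TLD.

```python
# Added example: lookalike-domain triage using only the methods named above.
# Not TIDE code; watchlist, sample names and helper names are constructed.

# Confusable substitutions from the text, written lookalike -> original.
CONFUSABLES = {"0": "o", "1": "l", "vv": "w"}

# Constructed watchlist of domains the defender wants to protect.
PROTECTED = ["example.com", "wellsbank.com"]


def split_domain(domain):
    """Return (name, tld) from the last two labels, or None if too short.

    Simplification: the last label is treated as the TLD, so multi-label
    public suffixes such as co.uk are not handled.
    """
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels[-2:]):
        return None
    return labels[-2], labels[-1]


def skeleton(name):
    """Fold every confusable form to one canonical spelling."""
    for fake, real in CONFUSABLES.items():
        name = name.replace(fake, real)
    return name


def check(candidate, protected=PROTECTED):
    """Return (protected_domain, reasons) if candidate imitates one, else None."""
    parsed = split_domain(candidate)
    if parsed is None:
        return None
    targets = [(t, split_domain(t)) for t in protected]
    # The genuine domain (or a subdomain of it) is never a lookalike.
    if any(parsed == t_parsed for _, t_parsed in targets):
        return None
    c_name, c_tld = parsed
    for target, (t_name, t_tld) in targets:
        # Comparing skeletons on both sides keeps legitimate names that
        # already contain "0", "1" or "vv" from breaking the match.
        if skeleton(c_name) != skeleton(t_name):
            continue
        reasons = []
        if c_name != t_name:
            reasons.append("confusable-characters")
        if c_tld != t_tld:
            reasons.append("tld-swap")
        return target, reasons
    return None


def scan(qnames, protected=PROTECTED):
    """Map each flagged query name to (protected domain, reasons)."""
    findings = {}
    for qname in qnames:
        hit = check(qname, protected)
        if hit:
            findings[qname] = hit
    return findings


# Constructed sample of observed query names.
SAMPLE_QUERIES = [
    "www.example.com", "examp1e.com", "example.cc",
    "login.vvellsbank.cc", "wel1sbank.com", "unrelated.org", "localhost",
]

if __name__ == "__main__":
    for name, (target, reasons) in scan(SAMPLE_QUERIES).items():
        print(f"{name}: imitates {target} ({', '.join(reasons)})")
```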

BloxOne Threat Defense Cloud – May 17, 2018

New Feature

  • BloxOne Endpoint Deployment through McAfee ePolicy Orchestrator
    • If you are using McAfee ePO (ePolicy Orchestrator) to manage your endpoint software, you can now integrate BloxOne Endpoint and subsequently install it on your endpoint devices to redirect DNS traffic to BloxOne Threat Defense Cloud.

BloxOne Threat Defense Cloud – May 9, 2018

New Feature

  • Response Log Export
    • BloxOne Threat Defense Cloud provides DNS response logs that help you troubleshoot and analyze your network security. You can export these logs to a dedicated Amazon S3 bucket. BloxOne Threat Defense Cloud currently supports the following log types: DNS queries and responses, RPZ (Response Policy Zones) hits, and IPAM metadata.

TIDE – May 1, 2018

New Feature

  • Organization Admin User Management
    A new OrgAdmin user management role is now available in TIDE. The OrgAdmin role can create, edit, deactivate, and re-activate users within an organization. The OrgAdmin role can also reset other users’ passwords within the organization. With the introduction of the OrgAdmin user role, it is now possible for organizations to manage their own organization’s users in the way that best suits the needs of the organization.

BloxOne Threat Defense Cloud – March 28, 2018

New Features

  • BloxOne Threat Defense Cloud API for Custom Lists
    • In this release, you can use the BloxOne Threat Defense Cloud API to perform bulk operations for custom lists, such as viewing, creating, modifying, and deleting custom list objects and custom list items using HTTP methods.
  • Category Filters
    • Category filters are content categorization rules that BloxOne Threat Defense Cloud uses to detect and filter internet content. Based on your needs and configuration, you can apply specific actions, such as Allow, Block, Log, and Redirect, to the filtered content.
  • Custom Redirect Destinations
    • You can now create custom redirect destinations to redirect traffic to custom pages or integrate BloxOne Threat Defense Cloud with third-party proxies, secure web gateways, blackholes, honeypots or sinkhole solutions. BloxOne Threat Defense Cloud allows you to configure up to five custom redirect actions for your security policies.

BloxOne Threat Defense Cloud – February 8, 2018

New Feature

  • Dual Stack Support for BloxOne Endpoint
    • BloxOne Endpoint supports dual-stack IPv4 and IPv6 DNS configurations, thereby protecting all devices regardless of their network environments. BloxOne Endpoint in a dual-stack environment is able to proxy IPv6 DNS queries and forward them to BloxOne Threat Defense Cloud over IPv4. Note that BloxOne Endpoint does not support an IPv6-only environment.

BloxOne Threat Defense Cloud – January 17, 2018

New Feature

  • Security Report
    • This release introduces a new Security Report that provides a comprehensive filterable and searchable view of threats detected by BloxOne Threat Defense Cloud. This report allows you to quickly identify and mitigate malware infection and other malicious activities on your network. The default Hits tab of the report shows a list of all threat hits detected by BloxOne Threat Defense Cloud within the selected time period and a graphical view of hit activities over time. The other tabs show views of the threat activities aggregated by devices, users, networks, threat classes, or properties. This allows you to identify the types of threats that are affecting your network and the devices and users that are impacted for rapid investigation and mitigation.

BloxOne Threat Defense Cloud – December 19, 2017

New Feature

  • Threats API
    • This release introduces the Threats API that allows you to make RESTful API calls to gather DNS security data from BloxOne Threat Defense Cloud for SIEM (Security Information and Event Management) purposes. Based on your business needs, you can configure a SIEM system in your network to collect the DNS security data so you can filter the data and create custom reports.

BloxOne Threat Defense Cloud – September 12, 2017

New Feature

  • Support for Custom Message for Redirect Page
    • This release adds support for creating custom messages when BloxOne Threat Defense Cloud blocks malicious domains based on your security policies. When blocking users from accessing malicious domains, you can now redirect them to a page that delivers a default message about the action, use a redirect page of your own, or customize the redirect message.

BloxOne Threat Defense Cloud – August 07, 2017

New Feature

  • Detection for Domain Generation Algorithm (DGA) Activities
    • This release adds the detection for DGA activities, a scheme used by malware for domain fluxing. DGAs are algorithms used to generate variations of a given domain name. They can be used to create a large number of domain names used as rendezvous points with command and control servers, in an attempt to evade detection by signature filters, blacklists, reputation systems, security gateways, intrusion prevention systems, and other security methods. An infected system could create thousands of domain names and would attempt to contact a portion of these to receive updates or commands. BloxOne Threat Defense Cloud tracks DGA activities and displays the affected devices in the Command & Control report. You can also add a default custom list to your security policies for detecting DGA activities.

BloxOne Threat Defense Cloud – July 19, 2017

New Feature

  • Detection for Fast Flux Activities
    • This release adds the detection for Fast Flux activities. Fast Flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind a network of compromised hosts acting as proxies. It can also be a combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery. BloxOne Threat Defense Cloud tracks Fast Flux activities and displays the affected devices in the Command & Control report. You can also add a default custom list to your security policies for detecting Fast Flux activities.

BloxOne Threat Defense Cloud – July 17, 2017

Enhancement

  • DNS Forwarding Proxy
    • This release enhances the OVA deployment to support using ESXi time synchronization by default. In the event that this option is disabled during OVA deployment, the DNS Forwarding Proxy will use the following NTP servers: ntp.ubuntu.com and ubuntu.pool.ntp.org. You must open the UDP 123 port for the NTP servers.

BloxOne Threat Defense Cloud – June 14, 2017

New Features

  • DNS Forwarding Proxy
    • BloxOne Threat Defense Cloud is a SaaS offering designed to provide protection to devices on and off-premises, including roaming, remote, and branch offices. It provides visibility into infected and compromised devices, prevents DNS-based data exfiltration, and automatically stops device communications with command-and-control servers (C&Cs) and botnets, in addition to providing recursive DNS services in the cloud. You can access the services by deploying the BloxOne Endpoint agent or the DNS forwarding proxy. For remote office deployments or in cases where installing an endpoint agent is not desirable or possible, you can use the DNS forwarding proxy. It is software that runs on bare-metal or VM infrastructures and embeds the client IPs in DNS queries before forwarding them to BloxOne Threat Defense Cloud. The communications are encrypted and client visibility is maintained. The proxy also provides DNS resolution to local DNS zones when you configure local resolvers. Once you set up a DNS forwarding proxy, it becomes the main DNS server for your remote site. It will also cache responses to speed resolution of future queries. Infoblox provides two installation methods: Docker container and the OVA file. You can install the DNS forwarding proxy using either one of the methods.
  • Deploying BloxOne Endpoint for Multiple Users
    • You can now deploy BloxOne Endpoint on multiple users instantaneously and more effectively by using a Group Policy Object (GPO) for Microsoft Windows users or the Apple Remote Desktop (ARD) for Apple users. Once you deploy BloxOne Endpoint for your remote users, they no longer need to manually register in order to protect their devices–this applies to single user deployments as well.
  • Detection for the DNSMessenger Malware
    • In addition to other DNS tunneling activities, BloxOne Threat Defense Cloud can now detect DNSMessenger malware activities. DNSMessenger is a Remote Access Trojan (RAT) that attackers use to conduct malicious PowerShell commands on compromised devices. DNSMessenger uses DNS record queries and responses to create a bidirectional C&C channel that allows the submission of PowerShell commands to infected devices and the return of responses back to the attackers. BloxOne Threat Defense Cloud tracks these malware activities and displays malicious devices in the Malware report.

Enhancements

  • BloxOne Endpoint automatic bypass upon detection of DNS Forwarding Proxy
    • If a system on which you have installed BloxOne Endpoint is connected to a corporate network that is protected by a DNS Forwarding Proxy, BloxOne Endpoint will automatically enter bypass mode and all DNS traffic will be sent to the locally configured DNS resolvers. The DNS Forwarding Proxy then sends the requests to BloxOne Threat Defense Cloud. This feature ensures DNS queries traverse the corporate DNS infrastructure when the client is on the corporate network, but provides protection via the BloxOne Endpoint when the client is roaming.
  • Reports
    • If you have DNS forwarding proxies configured for your BloxOne infrastructure, you can filter applicable reports by specific DNS forwarding proxies. The new Malware report lists the devices that have the most malware activities caused by DNSMessenger malware, so you can examine the data and take appropriate actions to secure your network.
  • Security Policies
    • When configuring security policies, you can now select the “Log” action, which grants the “Allow” action to traffic and logs the queries to all relevant reports.