Skip to content
/ feed-to-csp Public template

BloxOne Threat Defense integration with Fortinet and Palo Alto domain names and IPs brings an even wider IOC coverage by threat intelligence unification. Fortinet IOCs are enforced at DNS level globally on all DNS even for roaming users who have not established their VPN

7 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

njeanselme/feed-to-csp

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

51 Commits

images

images

 
 

log

log

 
 

1-feeds-to-db.py

1-feeds-to-db.py

 
 

2-age-db.py

2-age-db.py

 
 

3-dedup-iocs-to-db.py

3-dedup-iocs-to-db.py

 
 

4-push-to-csp.py

4-push-to-csp.py

 
 

README.md

README.md

 
 

a-analyze-overlapping.py

a-analyze-overlapping.py

 
 

b-farsight-time-gained.py

b-farsight-time-gained.py

 
 

c-notable-timelines.py

c-notable-timelines.py

 
 

config.yml

config.yml

 
 

d-farsight-time-gained-backtest.py

d-farsight-time-gained-backtest.py

 
 

e-notable-timeline-backtest.py

e-notable-timeline-backtest.py

 
 

requirements.txt

requirements.txt

 
 

Repository files navigation

feed-to-csp

BloxOne Threat Defense integration with Fortinet, Palo Alto and Cyber threat coalition domain names and IPs brings an even wider IOC coverage by threat intelligence unification. Third party IOCs are enforced at DNS level globally on all DNS even for roaming users who have not established their VPN

Feed integration:

  • 1-feed-to-db.py

Download Fortinet/ Palo Alto / TIDE IOCs

  • 2-age-db.py

Age list by removing older than X days IOCs

  • 3-dedup-iocs-to-db.py

Build list of deduplicated IOCs and write to db

  • 4-push-to-csp.py

downloads third party vendor named_lists from csp.infoblox.com removes entries from csp.infoblox.com that are not anymore in the list of new IOCs creates new named_lists if capacity requires it adds entries from the list of new IOCS to the named_lists

Farsight Newly Observed Domains analysis:

  • a-analyze-db.py

Determine overlap and Build Venn diagram

Example output: Alt text

  • b-farsight-time-gained.py

Determine IOCs confirmed by security vendors and time gained by Farsight NOD

Example output: Alt text

  • c-notable-timelines.py

Build timelines for IOCs confirmed by more than 3 security vendors to highlight time gained by Farsight NOD

Example output: Alt text

Backtesting Farsight NOD hits from BloxOne Threat Defense

  • d-farsight-time-gained-backtest.py

Determine IOCs confirmed by security vendors from NOD actual hit

  • e-notable-timeline-backtest.py

Build timelines for IOCs confirmed by security vendors from NOD actual hits

Installation:

Modify fortinet, palo alto, tide and csp api keys and palo alto url in the config.yml file

Modify the data you want to see in the Venn Diagram (up to 6 - 4 recommended for optimal readability) by commenting / uncommenting line 57-72

Automation

Once every step is tested and working as expected, you can automate the full execution with:

python3 1-feeds-to-db.py && python3 2-age-db.py && python3 3-dedup-iocs-to-db.py && python3 4-push-to-csp.py

Resources

Note that for a fully loaded database for 30 days of all supported vendors (SURBL, Crowdstrike, Infoblox, Farsight NOD, Fortinet, Palo Alto and Cyberthreat coalition), database takes 5GB and 3-dedup-iocs-to-db.py can take up to 48GB or memory. Tests have been done with 16GB of RAM and 32GB of swap under 30 minutes for 1-4 full process

About

BloxOne Threat Defense integration with Fortinet and Palo Alto domain names and IPs brings an even wider IOC coverage by threat intelligence unification. Fortinet IOCs are enforced at DNS level globally on all DNS even for roaming users who have not established their VPN

Resources

Readme
Activity

Stars

7 stars

Watchers

3 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages