[Infoblox] New CDFs

tm-v1-sigma-rules/third_party_logs/Infoblox/Infoblox High Risk Event Severity.yaml

@@ -0,0 +1,14 @@
+title: Infoblox High Risk Event Severity
+description: Infoblox detection for high risk events. This detection is based on the presence of the "InfobloxB1FeedName" field with the value "Infoblox_High_Risk" in the vendorParsed data. This indicates that the event has been flagged as high risk by Infoblox's threat intelligence feed.
+references: 
+    - https://docs.infoblox.com/space/BloxOneDDI/209453743/DNS+Security+Policy+Hit+and+RPZ+Hit+Log+Message+Mappingtags: []
+logsource:
+    category: THIRD_PARTY_LOG
+    product: Infoblox
+    definition: THIRDPARTY_THIRDPARTY
+detection:
+    string_condition_0:
+        vendorParsed: "*\"severity\":\"8\"*"
+    condition: string_condition_0 
+level: info
+taxonomy: tm-v1

tm-v1-sigma-rules/third_party_logs/Infoblox/Infoblox Medium Risk Event Severity.yaml

@@ -0,0 +1,15 @@
+title: Infoblox Medium Risk Event Severity
+description: Infoblox detection for medium risk events. This detection is based on the presence of the "InfobloxB1FeedName" field with the value "Infoblox_Med_Risk" in the vendorParsed data. This indicates that the event has been flagged as medium risk by Infoblox's threat intelligence feed.
+references: 
+    - https://docs.infoblox.com/space/BloxOneDDI/209453743/DNS+Security+Policy+Hit+and+RPZ+Hit+Log+Message+Mapping
+tags: []
+logsource:
+    category: THIRD_PARTY_LOG
+    product: Infoblox
+    definition: THIRDPARTY_THIRDPARTY
+detection:
+    string_condition_0:
+        vendorParsed: "*\"severity\":\"5\"*"
+    condition: string_condition_0 
+level: info
+taxonomy: tm-v1

tm-v1-sigma-rules/third_party_logs/Infoblox/Malicious Traffic Distribution System.yaml

@@ -0,0 +1,15 @@
+title: Malicious Traffic Distribution System
+description: Infoblox detection for malicious traffic distribution systems.
+references: 
+    - https://docs.infoblox.com/space/BloxOneDDI/209453743/DNS+Security+Policy+Hit+and+RPZ+Hit+Log+Message+Mapping
+tags: []
+logsource:
+    category: THIRD_PARTY_LOG
+    product: Infoblox
+    definition: THIRDPARTY_THIRDPARTY
+detection:
+    string_condition_0:
+        vendorParsed: "*\"InfobloxThreatProperty\":\"Malicious_TDS\"*"
+    condition: string_condition_0 
+level: info
+taxonomy: tm-v1

tm-v1-sigma-rules/third_party_logs/Infoblox/Malware Download.yaml

@@ -0,0 +1,15 @@
+title: Malware Download
+description: Infoblox detection for malware downloads. Detects for downloads of malware based on the presence of the "InfobloxThreatProperty" field with the value "MalwareDownload_Generic" in the vendorParsed data. This indicates that the domain has been flagged for hosting or distributing malware by Infoblox's threat intelligence feed.
+references: 
+    - https://docs.infoblox.com/space/BloxOneDDI/209453743/DNS+Security+Policy+Hit+and+RPZ+Hit+Log+Message+Mapping
+tags: []
+logsource:
+    category: THIRD_PARTY_LOG
+    product: Infoblox
+    definition: THIRDPARTY_THIRDPARTY
+detection:
+    string_condition_0:
+        vendorParsed: "*\"InfobloxThreatProperty\":\"MalwareDownload_Generic\"*"
+    condition: string_condition_0 
+level: info
+taxonomy: tm-v1

tm-v1-sigma-rules/third_party_logs/Infoblox/Possible Generic Malicious Connection Established.yaml

@@ -0,0 +1,15 @@
+title: Possible Generic Malicious Connection Established 
+description: Infoblox detection for possible malicious connections. Detects connections that may be indicative of malicious activity based on the presence of the "InfobloxThreatProperty" field with the value "Malicious_Connection" in the vendorParsed data. This indicates that the domain has been flagged by Infoblox's threat intelligence feed.
+references: 
+    - https://docs.infoblox.com/space/BloxOneDDI/209453743/DNS+Security+Policy+Hit+and+RPZ+Hit+Log+Message+Mapping
+tags: []
+logsource:
+    category: THIRD_PARTY_LOG
+    product: Infoblox
+    definition: THIRDPARTY_THIRDPARTY
+detection:
+    string_condition_0:
+        vendorParsed: "*\"InfobloxThreatProperty\":\"Malicious_Generic\"*"
+    condition: string_condition_0 
+level: info
+taxonomy: tm-v1

tm-v1-sigma-rules/third_party_logs/Infoblox/Possible Generic Phishing Website Visited.yaml

@@ -0,0 +1,14 @@
+title: Possible Generic Phishing Website Visited 
+description: Infoblox detection for possible generic phishing website visits. Detects visits to websites that may be hosting or distributing phishing content based on the presence of the "InfobloxThreatProperty" field with the value "Phishing_Generic" in the vendorParsed data. This indicates that the domain has been flagged by Infoblox's threat intelligence feed.
+references: 
+    - https://docs.infoblox.com/space/BloxOneDDI/209453743/DNS+Security+Policy+Hit+and+RPZ+Hit+Log+Message+Mappingtags: []
+logsource:
+    category: THIRD_PARTY_LOG
+    product: Infoblox
+    definition: THIRDPARTY_THIRDPARTY
+detection:
+    string_condition_0:
+        vendorParsed: "*\"InfobloxThreatProperty\":\"Phishing_Generic\"*"
+    condition: string_condition_0 
+level: info
+taxonomy: tm-v1

tm-v1-sigma-rules/third_party_logs/Infoblox/Possible Proxy Connection Established.yaml

@@ -0,0 +1,15 @@
+title: Possible Proxy Connection Established
+description: Infoblox detection for possible proxy connections. Detects connections that may be indicative of proxy activity based on the presence of the "InfobloxThreatProperty" field with the value "Proxy_Connection" in the vendorParsed data. This indicates that the domain has been flagged by Infoblox's threat intelligence feed.
+references: 
+    - https://docs.infoblox.com/space/BloxOneDDI/209453743/DNS+Security+Policy+Hit+and+RPZ+Hit+Log+Message+Mapping
+tags: []
+logsource:
+    category: THIRD_PARTY_LOG
+    product: Infoblox
+    definition: THIRDPARTY_THIRDPARTY
+detection:
+    string_condition_0:
+        vendorParsed: "*\"InfobloxThreatProperty\":\"Proxy_Generic\"*"
+    condition: string_condition_0 
+level: info
+taxonomy: tm-v1

tm-v1-sigma-rules/third_party_logs/Infoblox/Suspicious Emergent Domain.yaml

@@ -0,0 +1,15 @@
+title: Suspicious Emergent Domain
+description: Infoblox detection for suspicious emergent domains. This detection is based on the presence of the "InfobloxB1FeedName" field with the value "Infoblox_Med_Risk" in the vendorParsed data. This indicates that the domain has been flagged as medium risk by Infoblox's threat intelligence feed.
+references: 
+    - https://docs.infoblox.com/space/BloxOneDDI/209453743/DNS+Security+Policy+Hit+and+RPZ+Hit+Log+Message+Mapping
+tags: []
+logsource:
+    category: THIRD_PARTY_LOG
+    product: Infoblox
+    definition: THIRDPARTY_THIRDPARTY
+detection:
+    string_condition_0:
+        vendorParsed: "*\"InfobloxThreatProperty\":\"Suspicious_EmergentDomain\"*"
+    condition: string_condition_0 
+level: info
+taxonomy: tm-v1

tm-v1-sigma-rules/third_party_logs/Infoblox/Suspicious Nameserver.yaml

@@ -0,0 +1,15 @@
+title: Suspicious Nameserver
+description: Infoblox detection for suspicious nameservers.
+references: 
+    - https://docs.infoblox.com/space/BloxOneDDI/209453743/DNS+Security+Policy+Hit+and+RPZ+Hit+Log+Message+Mapping
+tags: []
+logsource:
+    category: THIRD_PARTY_LOG
+    product: Infoblox
+    definition: THIRDPARTY_THIRDPARTY
+detection:
+    string_condition_0:
+        vendorParsed: "*\"InfobloxThreatProperty\":\"Suspicious_Nameserver\"*"
+    condition: string_condition_0 
+level: info
+taxonomy: tm-v1

tm-v1-sigma-rules/third_party_logs/Infoblox/Suspicious Traffic Distribution System.yaml

@@ -0,0 +1,15 @@
+title: Suspicious Traffic Distribution System
+description: Infoblox detection for suspicious traffic distribution systems.
+references: 
+    - https://docs.infoblox.com/space/BloxOneDDI/209453743/DNS+Security+Policy+Hit+and+RPZ+Hit+Log+Message+Mapping
+tags: []
+logsource:
+    category: THIRD_PARTY_LOG
+    product: Infoblox
+    definition: THIRDPARTY_THIRDPARTY
+detection:
+    string_condition_0:
+        vendorParsed: "*\"InfobloxThreatProperty\":\"Suspicious_TDS\"*"
+    condition: string_condition_0 
+level: info
+taxonomy: tm-v1