[infoblox_threat_defense] Initial release of Infoblox Threat Defense (#14284)

The initial release includes an event data stream featuring data types
such as Audit, Service, Atlas notifications, SOC insights, DNS
response, RPZ events, and DHCP lease, along with their corresponding
dashboards and visualizations.

Infoblox Threat Defense fields are mapped to their corresponding ECS
fields where possible.

Test samples were derived from documentation.

Author: muskan-agarwal26

.github/CODEOWNERS

@@ -273,6 +273,7 @@
 /packages/infoblox @elastic/security-service-integrations
 /packages/infoblox_bloxone_ddi @elastic/security-service-integrations
 /packages/infoblox_nios @elastic/security-service-integrations
+/packages/infoblox_threat_defense @elastic/security-service-integrations
 /packages/iptables @elastic/sec-deployment-and-devices
 /packages/istio @elastic/obs-ds-hosted-services
 /packages/jamf_compliance_reporter @elastic/security-service-integrations

packages/infoblox_threat_defense/_dev/build/build.yml

@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: [email protected]

packages/infoblox_threat_defense/_dev/build/docs/README.md

@@ -0,0 +1,64 @@
+# Infoblox Threat Defense
+
+## Overview
+
+[Infoblox Threat Defense](https://www.infoblox.com/products/threat-defense/) is a DNS-based security solution that protects networks from cyber threats by detecting and blocking malicious domain activity in real time. It uses threat intelligence, DNS firewalling, and behavioral analytics to identify threats like malware, phishing, and data exfiltration at the DNS layer — often before they reach endpoints or firewalls. Available as a cloud-native platform (BloxOne Threat Defense), it integrates with security tools (like SIEMs and firewalls) and supports both on-prem and hybrid deployments.
+
+This integration supports CEF-formatted logs transmitted through a syslog server over TCP, UDP, or TLS protocols.
+
+## Data streams
+
+The Infoblox Threat Defense integration collects the following types of events.
+
+- **Audit:** - The audit log reports all administrative activities performed by specific user accounts.
+
+- **Service:** - The Service Log reports all service events.
+
+- **Atlas Notifications:** - Atlas Notifications reports all internal notification events.
+
+- **SOC Insights:** - The SOC Insights log reports information about SOC Insights security events.
+
+- **Threat Defense Query/Response (TD DNS):** - The Threat Defense Query/Response Log reports DNS query requests and responses in Infoblox Threat Defense.
+
+- **Threat Defense Threat Feeds Hit (TD RPZ):** - The Threat Defense Threat Feeds Hit Log reports Infoblox Threat Defense feeds hit information.
+
+- **DDI DHCP Lease (DDI DHCP):** - The DDI DHCP Lease Log reports information about Dynamic Host Configuration Protocol (DHCP) lease assignments and terminations.
+
+- **DDI Query/Response (DDI DNS):** - The DDI Query/Response Log reports DNS query requests and responses in Universal DDI.
+
+**NOTE**: While the Infoblox Threat Defense integration collects logs for various event types, we have consolidated them into a single data stream named `event`.
+
+## Requirements
+
+Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md).
+
+## Setup
+
+### To collect data from the Infoblox Threat Defense:
+
+1. To collect logs through the syslog server, you need to deploy a Data Connector VM by following the instructions provided [here](https://docs.infoblox.com/space/BloxOneCloud/35429862/Deploying+the+Data+Connector+Solution).
+2. Once the Data Connector is successfully deployed, you need to configure the traffic flow to forward logs to your syslog server. Refer to this [link](https://docs.infoblox.com/space/BloxOneCloud/35397475/Configuring+Traffic+Flows) for guidance.
+
+### Enabling the integration in Elastic:
+
+1. In Kibana navigate to Management > Integrations.
+2. In "Search for integrations" top bar, search for `Infoblox Threat Defense`.
+3. Select "Infoblox Threat Defense" integration from the search results.
+4. Click on the "Add Infoblox Threat Defense" button to add the integration.
+5. Enable the data collection mode from the following: TCP, or UDP.
+6. Add all the required configuration parameters, such as listen address and listen port for the TCP and UDP, and ssl for the TLS.
+8. Click on "Save and Continue" to save the integration.
+
+## Logs reference
+
+### Event
+
+This is the `Event` dataset.
+
+**NOTE**: The `InfobloxDHCPOptions` field will not be populated because it contains a special pattern with special characters that `decode_cef` cannot parse. As a result, this field will be dropped.
+
+#### Example
+
+{{event "event"}}
+
+{{fields "event"}}

packages/infoblox_threat_defense/_dev/deploy/docker/docker-compose.yml

@@ -0,0 +1,17 @@
+version: "2.3"
+services:
+  infoblox_threat_defense-log-tcp:
+    image: docker.elastic.co/observability/stream:v0.17.1
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9600 -p=tcp /sample_logs/log.log
+  infoblox_threat_defense-log-udp:
+    image: docker.elastic.co/observability/stream:v0.17.1
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9601 -p=udp /sample_logs/log.log
+  infoblox_threat_defense-log-tls:
+    image: docker.elastic.co/observability/stream:v0.17.1
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9600 -p=tls --insecure /sample_logs/log.log

packages/infoblox_threat_defense/_dev/deploy/docker/sample_logs/log.log

@@ -0,0 +1,7 @@
+<134>1 2025-06-09T00:00:47Z SAMPLE_HOST dataconnector - ATLAS-NOTIFICATIONS - CEF:0|Infoblox|Data Connector|2.1.3|BloxOne-Notifications-Log|BloxOne Atlas Notifications|1|cat=\"BloxOne Atlas Notifications\" InfobloxEventOccurredTime=1749427247 InfobloxOnPremHostName=(none) msg=\"Interactive API key new is expiring at 2025-06-15 07:17:32.98 +0000 UTC\" status=RAISED InfobloxNotificationSubType=interactive_apikey_expiry InfobloxNotificationType=ACCOUNT
+<134>1 2025-06-06T12:12:54Z SAMPLE_HOST dataconnector - AUDIT-LOG - CEF:0|Infoblox|Data Connector|2.1.3|BloxOne-Audit-Log|BloxOne Audit Log|1|act=Create app=identity src=89.160.20.112 cat=\"BloxOne Audit Log\" InfobloxEventVersion= InfobloxHTTPReqBody={\"expires_at\":\"2026-07-05T12:11:00.000Z\",\"name\":\"John\",\"user_id\":\"a34b2c15-74d2-4b91-846c-3e967e82024e\"} InfobloxHTTPRespBody={\"result\":{\"account_id\":\"identity/accounts/74429b8b-5f48-4302-bbd8-030ab5807046\",\"compartment_id\":\"\",\"created_at\":\"2025-06-06T12:12:54.686856167Z\",\"created_by\":\"[email protected]\",\"expires_at\":\"2026-07-05T12:11:00Z\",\"id\":\"identity/apikeys/543056efc3cc3a403fd476b2a423d7b1\",\"key\":\"***\",\"name\":\"John\",\"state\":\"enabled\",\"type\":\"service\",\"updated_at\":\"2025-06-06T12:12:54.686856167Z\",\"user_id\":\"identity/users/a34b2c15-74d2-4b91-846c-3e967e82024e\"},\"success\":{\"message\":\"Created\"}} msg=\"Service API Key created\" InfobloxResourceDesc= InfobloxResourceId=543056efc3cc3a403fd476b2a423d7b1 InfobloxResourceType=apikeys outcome=Success InfobloxSubjectGroups=[user,act_admin,ib-access-control-admin,ib-interactive-user,ib-soc-insight-admin,ib-td-admin,ib-bloxone-nios-user,ib-trusted-partner,ib-soc-insight-user,ib-ddi-user,ib-td-user,ib-ddi-admin] InfobloxSubjectType=User [email protected]
+<134>1 2021-03-03T11:57:45Z - dataconnector - DHCP-LEASE-DELETE - CEF:0|Infoblox|Data Connector|2.1.3|DHCP-LEASE-DELETE|DHCP Lease Delete|1|src=175.16.199.0 InfobloxClientID=01:00:1A:2B:3C:4D:5E InfobloxHostID=dhcp/host/1516583 InfobloxFingerprintPr=true InfobloxRangeEnd=67.43.156.10 InfobloxRangeStart=67.43.156.0 smac=00:1A:2B:3C:4D:5E InfobloxIPSpace=ipam/ip_space/1f99d3a6-2982-11f0-b65e-fe20d626f7e6 InfobloxSubnet=175.16.199.0/24 InfobloxFingerprint=VMware::Windows: shost= InfobloxLeaseUUID=a91838a3-4679-11f0-b018-ee5154718d37 InfobloxLifetime=3600 InfobloxLeaseOp=Delete app=DHCP cat=DHCP Lease Delete InfobloxDUID= InfobloxHost= dst=1.128.0.1
+<134>1 2021-03-03T11:57:45Z - dataconnector - DNS-RESPONSE - CEF:0|Infoblox|Data Connector|2.1.3|DNS Response|DNS Response IN ANY NOTIMPL|1|InfobloxAnCount=0 app=DNS InfobloxArCount=1 InfobloxB1DNSTags=APP_Uncategorized,CAT_Government Sponsored dvc=175.16.199.0 dvchost=175.16.199.0 InfobloxB1DHCPFingerprint= InfobloxB1OPHName=SAMPLE_HOST InfobloxB1OPHIPAddress=81.2.69.142 smac= InfobloxB1Network=SAMPLE_DFP (DFP) InfobloxB1SrcOSVersion= InfobloxB1ConnectionType=dfp suser= InfobloxDNSQFlags=-EV msg=. 0 Reserved OPT  InfobloxNsCount=0 InfobloxDNSQClass=IN src=175.16.199.0 destinationDnsDomain=ap.gov. spt=31988 InfobloxDNSQType=ANY InfobloxDNSRCode=NOTIMPL InfobloxB1Region=us-east-1 dst= proto=TCP InfobloxDNSView=
+<134>1 2023-08-07T02:59:59Z - dataconnector - SERVICE-LOG - CEF:0|Infoblox|Data Connector|Service Log|BloxOne-Service-Log|9b9ca30d5be8a21c71f70d7d58054ecf/cdc_siem_out|1|InfobloxLogName=9b9ca30d5be8a21c71f70d7d58054ecf/cdc_siem_out msg=\"remove /infoblox/data/out/siem/bloxone/cef/25366/dns_1749786141_25366_2091.log: no such file or directory\" InfobloxPoolId=infra/pool/2leijkk6c7vr3mrgwt7vngqg6lbgq7hr InfobloxServiceId=infra/service/nx6s5enedoc6xleevm3dpfxga56un5tb
+<134>1 2025-06-08T20:04:58Z SAMPLE_HOST dataconnector - SOC-INSIGHTS - CEF:0|Infoblox|Data Connector|2.1.3|BloxOne-InsightsNotification-Log|SOC Insights|1|cat=SYSTEM/indicator_detected cnt=8935 InfobloxEventOccurredTime=1749413098 InfobloxInsightId=be7ac6e1-24e4-4204-b90c-17d08e5ee1c9 msg=One or more domains have been added to this Insight Botnet Discovery.<br> - Detection Class: TI-BOTNET,<br> - Detection Family: NXDOMAIN.<br> InfobloxEventsBlockedCount= InfobloxThreatConfidence=3 InfobloxInsightDescription= InfobloxInsightFeedSource= InfobloxEventsNotBlockedCount= InfobloxInsightStatus= InfobloxThreatClass=TI-BOTNET InfobloxThreatFamily=NXDOMAIN InfobloxThreatLevel=1 InfobloxInsightThreatType=Botnet Discovery InfobloxInsightUserComment= status=RAISED
+<130>1 2021-07-13T22:22:46Z - dataconnector - RPZ-QNAME-PASSTHRU - CEF:0|Infoblox|Data Connector|2.1.3|RPZ-QNAME-PASSTHRU|RPZ EVENT QNAME PASSTHRU|8|app=DNS InfobloxCSiteId=2a107fa9fa884b48baa576aae5400b07 InfobloxB1DNSTags="APP_Uncategorized,CAT_Internet Services,CAT_Parked Domain,multi-domain.surbl,surbl-lite" dvc=89.160.20.112 dvchost= InfobloxB1DHCPFingerprint= InfobloxB1OPHName=ns1.mhesi.go.th InfobloxB1FeedName=SURBL_Multi InfobloxB1FeedType=FQDN InfobloxB1OPHIPAddress=81.2.69.142 InfobloxB1Network="ns1.mhesi.go.th (DFP)" InfobloxB1SrcOSVersion= InfobloxB1PolicyAction=Log InfobloxB1PolicyName="Default Global Policy" InfobloxB1ThreatIndicator=jusuk.com msg="rpz QNAME PASSTHRU rewrite such.jusuk.com. [A] via multi-domain.surbl.such.jusuk.com." InfobloxB1ConnectionType=dfp InfobloxPolicyID=61445 InfobloxDomainCat= src=175.16.199.0 destinationDnsDomain=such.jusuk.com. spt=34640 InfobloxDNSQType=A InfobloxB1Region=ap-southeast-1 dst= InfobloxRPZ=multi-domain.surbl act=PASSTHRU smac=00:50:56:a3:29:3e InfobloxThreatConfidence=100 InfobloxThreatLevel=100 InfobloxThreatProperty=UncategorizedThreat_Generic InfobloxRPZRule=multi-domain.surbl.such.jusuk.com. suser= InfobloxDNSView=1

packages/infoblox_threat_defense/changelog.yml

@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.1.0"
+  changes:
+    - description: Initial release.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/14284