
2806 - Utilizing BloxOne TIDE & Custom Response Policy Zone (RPZ)


Scenario

You are tasked with creating a data profile and uploading TIDE data, creating a custom RPZ, adding the resulting feeds to a security policy, and testing the custom feeds by verifying the response for specific domains from different machines and with different tools.

Estimate Completion Time

  • 240-300 mins

Course Reference

  • 2104: Creating Custom and Country Based RPZ with BloxOne TIDE

Prerequisites

  • Administrative access to the CSP

  • Lab 2804: Managing BloxOne Endpoints

Tasks

  • Task 1: Create a data profile

  • Task 2: Upload TIDE data

  • Task 3: Create Custom RPZ

  • Task 4: Add feeds to security policies

  • Task 5: Test custom feeds


Task 1: Create a data profile

  • Create a new data profile and name its feed techblue-custom-feed.

Task 2: Upload TIDE data

  • Upload the file Tide-Data.json which should be located in the shared drive.

    • Add the file to the data profile feed you just created.

    • Verify that the feed is populated with your uploaded data.

The feed will display no records immediately after creation. This is normal: it takes up to 2 hours for records to be synchronized.

The first entry will be used directly in the security policy through the profile techblue-profile attached to the feed techblue-custom-feed; the second entry will be used as part of the custom RPZ.

Task 3: Create Custom RPZ

Before you continue, make sure that your feed has synchronized and contains records.

  • Create a custom list and name it techblue-compdomain.

  • Ensure that only our uploaded data will be matched by the custom list.

  • Verify that the feed is created and populated with our data.

The feed will display no records immediately after creation. This is normal: it takes up to 2 hours for records to be synchronized.

Task 4: Add feeds to security policies

Before you continue, make sure that your feed has synchronized and contains records.

  • Add both feeds, techblue-custom-feed and techblue-compdomain, to the Techblue-Policy security policy as rules.

    • The techblue-custom-feed action should be block.

    • The techblue-compdomain action should be redirect.

Task 5: Test custom feeds

  • Using your testing-windows machine, navigate to hokey.website and verify that you receive the expected response.

  • Using Dossier, research hokey.website and verify that our uploaded feed is the source of the action taken by BloxOne Threat Defense.

  • Using your testing-linux machine, dig jobcenters.org against 10.100.0.110 and verify you're getting the correct response.


Solutions

Task 1 solution: Create a data profile

  1. Switch to Jump-Desktop. In your CSP browser window, navigate to Manage > TIDE Data > Data Profiles.

  2. Click the Create Profile button, set the name to techblue-profile and the feed name to techblue-custom-feed, then click Save & Close.

Task 2 solution: Upload TIDE data

  1. In your CSP browser window, navigate to Manage > TIDE Data > Data Upload.

  2. Choose the data profile you created, techblue-profile, from the list. Click the "browse for a file" link and select the file Tide-Data.json, which should be under Shared Drive. Click Upload; a new entry should appear in the upload history table.

  3. In your CSP browser, navigate to Policies > On-Prem DNS Firewall and click the Feed Configuration Values button. Your created RPZ should be at the bottom of the list.

  4. Open Shared Drive and locate Tide-Data.json. Double-click the file to open and inspect it; there should be 2 entries:

    1. jobcenters.org of the class APT.

    2. hokey.website of the class CompromisedDomains.

The first entry will be used directly in the security policy through the profile "techblue-profile" attached to the feed "techblue-custom-feed"; the second entry will be used as part of the custom RPZ.

The feed will display no records immediately after creation. This is normal: it takes up to 2 hours for records to be synchronized.
Before you continue, make sure that your feed has synchronized and contains records.

Task 3 solution: Create Custom RPZ

  1. In your CSP browser, navigate to Manage > TIDE Data > Custom RPZ and click the Add Custom RPZ button.

  2. Set the RPZ name to techblue-compdomain and ensure that ONLY the "Your Uploaded Data" data source is selected.

  3. Choose the CompromisedDomains class from the Class/Property drop-down list, set TYPE to All, MIN CONFIDENCE to Low and MIN SEVERITY to Low, then click Save & Close.

The feed will display no records immediately after creation. This is normal: it takes up to 2 hours for records to be synchronized.

Task 4 solution: Add feeds to security policies

  1. In your CSP browser, navigate to Policies > Security Policies, check the policy we have been working with in previous labs, Techblue-Policy, and click Edit.

  2. Click on the Policy Rules section. We will add two Feeds and Threat Insight rules; they should be the sixth and seventh rules on the list.

  3. Set the name of the sixth rule to your main feed, techblue-custom-feed, with the action Block - No Redirect.

  4. Set the name of the seventh rule to your custom feed, techblue-compdomain, with the action Block - Default Redirect. Then click Finish and Save & Close.


Task 5 solution: Test custom feeds

Before you start your testing, make sure that both of your feeds have synchronized and contain records.

  1. Switch to the testing-windows machine and navigate to hokey.website using your web browser. You should be redirected to a page like this:

  2. Switch back to Jump-Desktop, navigate to Reports > Security Activity, and enter query = hokey.website.

  3. Click the blue icon next to the domain name hokey.website. This redirects you to a Dossier page from which we can validate that our custom feed was used:

  4. Switch to testing-Linux, open a terminal window, and enter the command dig @10.100.0.110 jobcenters.org. The domain should be inaccessible.
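The dig check in step 4 can be scripted so that both test domains are verified against the actions configured in Task 4. The script below is an added example, not part of the lab material: it assumes that a Block - No Redirect rule is answered with NXDOMAIN and a Block - Default Redirect rule with an A record pointing at the block page, whose address (192.0.2.10) is a placeholder; the embedded dig outputs are constructed samples, not captures from the lab resolver.

```python
import re
import subprocess

# Expected action per test domain, as configured in Task 4.
EXPECTED = {
    "jobcenters.org": "block-no-redirect",  # techblue-custom-feed: Block - No Redirect
    "hokey.website": "block-redirect",      # techblue-compdomain: Block - Default Redirect
}

# Placeholder (assumed) block-page address returned by the redirect action.
REDIRECT_IPS = {"192.0.2.10"}


def run_dig(domain: str, resolver: str = "10.100.0.110") -> str:
    """Query the lab resolver with dig and return its raw output (needs network)."""
    proc = subprocess.run(["dig", f"@{resolver}", domain],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def classify_rpz_response(dig_output: str, redirect_ips=REDIRECT_IPS) -> str:
    """Map raw dig output to the observed policy action."""
    status = re.search(r"status: (\w+)", dig_output)
    if status is None:
        return "unknown"
    if status.group(1) == "NXDOMAIN":
        return "block-no-redirect"
    if status.group(1) != "NOERROR":
        return "unknown"
    # Collect A-record targets from the ANSWER section lines.
    answers = re.findall(r"^\S+\s+\d+\s+IN\s+A\s+(\S+)$", dig_output, re.M)
    if not answers:
        return "unknown"  # NOERROR without A records (e.g. NODATA)
    if all(ip in redirect_ips for ip in answers):
        return "block-redirect"
    return "allowed"


def verify_policy(outputs: dict, expected=EXPECTED) -> dict:
    """True per domain when the observed action matches the Task 4 rule."""
    return {d: classify_rpz_response(out) == expected[d] for d, out in outputs.items()}


# Constructed sample dig outputs standing in for real runs against 10.100.0.110.
SAMPLES = {
    "jobcenters.org": ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242\n"
                      ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0\n",
    "hokey.website": ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4343\n"
                     "\n;; ANSWER SECTION:\nhokey.website.\t\t5\tIN\tA\t192.0.2.10\n",
}

if __name__ == "__main__":
    for domain, ok in verify_policy(SAMPLES).items():
        print(f"{domain}: {'OK' if ok else 'MISMATCH'}")
```

To run it against the lab, replace SAMPLES with `{d: run_dig(d) for d in EXPECTED}` and set REDIRECT_IPS to the block-page address your deployment actually returns.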
