What Changed

A new CCF-based Data Connector (InfobloxSOCInsights_CCF) has been added to the Infoblox SOC Insights Solution (v3.1.0), replacing the legacy connectors deprecated in v3.0.2. The connector uses CCF REST API polling against the Infoblox BloxOne Threat Defense SOC Insights API, with a 5-minute polling interval, and ingests into the InfobloxInsight_CL table via DCR.

Four new connector files are introduced:

  • InfobloxSOCInsights_ConnectorDefinition.json: CCF connector UI and poller config
  • InfobloxSOCInsights_DCR.json: Data Collection Rule defining stream/table mapping
  • InfobloxSOCInsights_PollingConfig.json: API polling parameters (endpoint, auth, schedule)
  • table_InfobloxInsight.json: table schema definition

Authentication requires an Infoblox API key with SOC Insights access scoped to the BloxOne Cloud Services Portal. Multi-region support is configured via API base URL.

Parser Update: Dual-Schema Support

The InfobloxInsight parser (v1.0.0 to v1.1.0) has been significantly updated to support both the legacy _s/_g/_t suffix column schema (legacy connector) and the new CCF column naming convention (without suffixes). All field mappings now use coalesce with column_ifexists to resolve whichever schema is present.

Key field mapping changes:

  • InsightId (CCF) / insightId_g (legacy) maps to InfobloxInsightID
  • EventsBlockedCount / eventsBlockedCount_s maps to BlockedCount
  • MostRecentAt / mostRecentAt_t maps to LastSeen
  • StartedAt / startedAt_t maps to FirstSeen

Two new fields are exposed by the CCF connector only: ConnectorName and TenantHost.

The legacy filter on InfobloxInsightLogType_s has been replaced with column_ifexists making it safe for the CCF schema where that column does not exist.

Security Impact (Visibility and Fidelity)

Environments with the deprecated legacy connectors have had no new Infoblox SOC Insight data flowing since v3.0.2 (June 2024). The CCF connector restores visibility into:

  • Active DNS threat detections with threat class, family, and type classification
  • Persistent and spreading threat indicators across the network
  • Event blocking statistics (blocked vs. not-blocked counts)
  • Critical/High/Medium priority insight triage via the IncidentSeverity field

Any detections or hunting queries built on the InfobloxInsight parser function have been operating on stale or absent data for affected deployments since June 2024.

Affected Files

Solutions/Infoblox SOC Insights/Data Connectors/InfobloxSOCInsights_CCF/InfobloxSOCInsights_ConnectorDefinition.json
Solutions/Infoblox SOC Insights/Data Connectors/InfobloxSOCInsights_CCF/InfobloxSOCInsights_DCR.json
Solutions/Infoblox SOC Insights/Data Connectors/InfobloxSOCInsights_CCF/InfobloxSOCInsights_PollingConfig.json
Solutions/Infoblox SOC Insights/Data Connectors/InfobloxSOCInsights_CCF/table_InfobloxInsight.json
Solutions/Infoblox SOC Insights/Package/testParameters.json
Solutions/Infoblox SOC Insights/Parsers/InfobloxInsight.yaml
(packaging artefacts: 3.1.0.zip, ReleaseNotes.md, Solution_Infoblox_SOC_Insights.json, createUiDefinition.json, mainTemplate.json)