To mitigate DNS data exfiltration, Infoblox Threat Insight (also referred to as Threat Analytics in the Infoblox GUI or Grid Manager) employs analytics algorithms to detect DNS tunneling traffic by analyzing incoming DNS queries and responses. These algorithms are developed through an extensive study and analysis of sample DNS statistics within which DNS tunneling data is identified by algorithms that cannot be detected by normal rules and signatures. For more information about DNS data exfiltration, see About Data Exfiltration.

Infoblox Threat Insight identifies data exfiltration tunnels that bypass typical firewall systems. Some popular tunneling tools are OyzmanDNS, SplitBrain, Iodine, DNS2TCP, TCP-Over-DNS, and others. These types of DNS threats are identified as having high activities by using the TXT records in DNS queries. Infoblox Threat Insight also identifies tunnels that are used for C&C. These threats typically do not exhibit high activities or payloads. In general, NXDOMAIN responses fall into this category of threats.

You must have at least one RPZ license installed in your Grid (it can be installed on any Grid member) and the Threat Analytics license installed on the Grid member on which you want to start the threat analytics service. You can enable the threat analytics service on the supported appliances member to start the service. For more information on supported appliances, see, Supported Appliances for Infoblox Threat Insight. To download updates for threat analytics module and whitelist sets, you must have at least one Threat Analytics license installed in the Grid. When you enable the threat analytics service, NIOS starts analyzing incoming DNS data and applying these algorithms to detect security threats that have the same or similar behavior as the known data. Once security threats are detected, NIOS blacklists the domains and transfers them to the designated mitigation RPZ (Response Policy Zone), and traffic from the offending domains is blocked and no DNS lookups are allowed for these domains from NIOS members on which RPZ are assigned to them. The appliance also sends an SNMP trap each time it detects a new blacklisted domain.

Infoblox Threat Insight also includes a whitelist that contains trusted domains on which NIOS allows DNS traffic. These are known good domains that carry legitimate DNS tunneling traffic such as Avast, Sophos, McAfee, Boingo, Barracuda, and others. The whitelist is extensible so new whitelisted domains can be added and rolled out accordingly. For Threat Insight running on an On-Prem Infoblox DDI appliance, internal governance and vetting applied by Infoblox ensures all whitelist entries are accurate and curated, and contain only valid entries.

You can also add custom whitelisted domains or move blacklisted domains to the whitelist. For more information about how to configure Infoblox Threat Insight, see Configuring Infoblox Threat Insight. Before you utilize Infoblox Threat Insight, there are a few guidelines you might need to consider. For more information, see Guidelines for Using Infoblox Threat Insight.

Infoblox Threat Insight came installed with a module set and a whitelist set. To receive subsequent module set and whitelist set updates, you can configure the appliance to automatically download and apply the updates for you, or you can manually upload the updates when the appliance displays a banner message notifying about available updates. For information about how to configure the update policy, see Defining the Threat Analytics Update Policy.

Licensing Requirements and Admin Permissions

You must obtain and install valid licenses on your appliance before using Infoblox Threat Insight. Contact your Infoblox representative to obtain these licenses. For more information, see Managing Licenses.

Infoblox Threat Insight

To start the threat analytics service, you must have at least one RPZ license installed in your Grid (it can be installed on any Grid member). 

If you are a BloxOne Threat Defense Essentials customer, you must manually install the Threat Analytics license (not Grid-wide) on each of the Grid members that support Threat Insight. Note that this license must be different for each Grid member. If you are a BloxOne Threat Defense Business On-Premises, or a BloxOneThreat Defense Advanced customer, then you must install the Grid-wide Threat Analytics license on the Grid Master. After you install the license, all the Grid members that support Threat Insight can run the Threat Insight service. You need not manually install the license on each Grid member.

Note that running the threat analytics service might affect your system performance if the appliance has a small capacity and is taking on heavy traffic. Evaluate your Grid and Grid members to ensure that you select an appliance that is appropriate for running the threat analytics service. For more information about supported appliances for Infoblox Threat Insight and Threat Analytics Grid-wide license, see Supported Appliances for Infoblox Threat Insight and Managing Licenses.

Admin Permissions

Superusers can configure all threat protection and analytics related tasks. You can assign Security Permissions to specific admin groups and roles so these users can configure security related tasks. You can also add a global permission for managing Grid security properties or add an object permission for managing member security properties.

To manage the analytics related tasks, you must assign appropriate read-only or read/write Analytics Permissions to the specified admin groups and roles. You can also add the Global Analytics Permission as a global permission or add Member Analytics Permission to specific Grid members as an object permission. For more information about how to assign admin permissions, see Managing Permissions.

Guidelines for Using Infoblox Threat Insight

Following are some guidelines to take into consideration when using Infoblox Threat Insight:

• To start the threat analytics service, you must have at least one RPZ  and Threat Analytics license installed in your Grid (it can be installed on any Grid member). You can enable the threat analytics service on any of the Grid member on which you want to start the threat analytics service. To download updates for threat analytics module and whitelist sets, you must have at least one Threat Analytics license installed in the Grid.
• Infoblox recommends that you run the threat analytics service for a limited time to monitor and preview what has been detected before actually blocking blacklisted domains. You can carefully review the list of detected domains and decide which domains you want to continue blocking and which domains you want to add to the analytics whitelist. You should review the blacklisted domains on a regular basis to make sure that no legitimate use of DNS tunneling is blocked. Note that you can update the analytics whitelist by adding new whitelisted domains, moving legitimate domains from the blacklisted domain list, or using CVS import and export. For more information, see Configuring a Local RPZ as the Mitigation Blacklist Feed.
• Analytics whitelisted domains and supported DNS tunneling tools are updated periodically and are bundled with future NIOS releases. To ensure that your appliance is using the most up-to-date whitelist, upgrade to the next NIOS release or configure the appliance to download threat analytics updates. For information about upgrades, see Upgrading NIOS Software. Note that this process may change in future NIOS releases.
• There are no configurable parameters for Infoblox Threat Insight. Infoblox uses built-in algorithms to analyze DNS statistics and blocks offending domains based on the analyzed data.
• DNS tunneling detection is not instantaneous. It may take a few seconds to a few minutes for the analytics to determine positive DNS tunneling activities.
• During an HA failover, analytics data that is in progress on the active node might be lost. Only new DNS queries on the new active node after a successful failover are being analyzed. It may take a few minutes for the analytics to reach its normal state. If there is no connection between the Grid Master and Grid member, blacklisted domains detected by the analytics cannot be transferred to the Grid Master as RPZ records for a pre-configured RPZ zone — this is not applicable to standalone appliances with RPZ license installed. In addition, ensure that the passive node must also have the RPZ license installed and that its hardware model is capable of running the threat analytics service. For information about supported appliance models, see Supported Appliances for Infoblox Threat Insight.
• The threat analytics service only works on recursive DNS servers and forwarding servers that use BIND as the DNS resolver. It does not support Unbound as the DNS resolver.
• The analytics whitelist only applies to Infoblox Threat Insight, it does not apply to signature-based tunneling detection. Anti-DNS tunneling threat protection rules are implemented to address signature-based tunneling analysis. For detailed information about threat protection rules, refer to the Infoblox Threat Protection Rules available on the Support web site.
• Infoblox Threat Insight does not support RESTful APIs.

Supported Appliances for Infoblox Threat Insight

Due to memory and capacity required to perform analytics, ensure that you install the Threat Analytics and RPZ licenses, and enable the threat analytics service on an appliance that has a big enough capacity. The following are the supported Infoblox appliance models on which you can run the threat analytics service:

• PT-1405, PT-2200, PT-2205, and PT-4000.
• IB-4010, IB-4030, and IB-4030-10GE.
• TE-1415, TE-1425, TE-2210, TE-2215, TE-2220, and TE-2225.
• TE-V1415, TE-V1425, TE-V2210, TE-V2215, TE-V2220, TE-V2225, TE-V4010, and TE-V4015.

Configuring Infoblox Threat Insight

You must have at least one RPZ and Threat Analytics license installed in your Grid (it can be installed on any Grid member) and enable the threat analytics service on any of the Grid members on which you want to start the threat analytics service. You must also create a new RPZ and use it as the designated mitigation blacklist feed so the appliance can transfer all blacklisted domains to this feed.

NIOS continuously collects and analyzes statistics of incoming queries and responses, detects possible DNS tunneling activities, blocks offending domains that match the known data, and updates the mitigation blacklist feed (a designated local RPZ) of any known malicious domains. For supported appliance models for Infoblox Threat Insight, see Supported Appliances for Infoblox Threat Insight.

To configure Infoblox Threat Insight, complete the following:

1. Obtain and install valid RPZ and Threat Analytics licenses on the appliance that is used to support analytics. For more information about licenses, see About Infoblox Threat Insight. Note that you must have the threat analytics service running on the member serving recursive DNS queries or have recursive DNS queries forwarded to another DNS server. To generate reports that contain statistics about DNS tunneling, you must also configure a reporting appliance in the Grid.
2. Create and add a new local RPZ and use it as the designated mitigation blacklist feed so the appliance can transfer all blacklisted domains to this feed. For more information, see Configuring a Local RPZ as the Mitigation Blacklist Feed. Ensure that you configure an appropriate policy for this RPZ. To monitor the threat analytics service before actually blocking domains, set Policy Override to Log Only (Disabled). When you are ready to block offending domains, set Policy Override to None (Given).
3. Configure admin permissions so admin users can manage the threat analytics service and analytics related tasks. For information about how to configure admin permission, see About Administrative Permissions.
4. Start the threat analytics service on the appliance that has the Threat Analytics license installed, as described in Starting and Stopping the Threat Analytics Service.

After you set up Infoblox Threat Insight to mitigate DNS data exfiltration, you can do the following to manage it:

• View supported whitelisted domains for analytics, as described in Viewing the Analytics Whitelist. Note that these domains are specific to analytics only. They are not used in the anti-DNS tunneling threat protection rules.
• Manually add a custom domain to the analytics whitelist, as described in Adding Custom Whitelisted Domains.
• Review the blacklisted domains and make decisions about whether to move them to the analytics whitelist so future DNS activities will not be blocked. For more information, see Viewing Blacklisted Domains.
• Move a blacklisted domain to the analytics whitelist, as described in Moving Blacklisted Domains to the Whitelist.
• Monitor DNS tunneling activities and events using pre-defined reports and the syslog, as described in Monitoring DNS Tunneling Activities.

Starting and Stopping the Threat Analytics Service

To start the threat analytics service, you must have at least one RPZ license installed in your Grid (it can be installed on any Grid member) and the Threat Analytics license installed on the Grid member on which you want to start the threat analytics service. You can also stop the service when necessary.

To start or stop the threat analytics service, complete the following:

1. From the Grid tab, select the Grid Manager tab -> Services tab, click the Threat Analytics service link. Grid Manager displays only the member or members with the RPZ license installed. Select the member check box.
2. From the Toolbar, click Start to start the service or Stop to stop the service.

When you stop the threat analytics service, the appliance does not detect or protect against non-signature-based DNS tunneling. In addition, reports that you generate might not include statistics related to DNS tunneling.

Viewing the Analytics Whitelist

The Data Management tab -> Threat Analytics tab -> Whitelist tab of the Grid Manager lists the trusted domains on which NIOS allows DNS traffic by default. These are known good domains that carry legitimate DNS tunneling traffic such as Avast, Sophos, McAfee, Boingo, Barracuda, and others. They are marked as System domains, and you cannot delete them, but you can disable them so NIOS does not treat them as trusted domains. You can also add custom domains or move blacklisted domains to the analytics whitelist. For more information, see Adding Custom Whitelisted Domains and Moving Blacklisted Domains to the Whitelist.

To view a complete list of trusted domains in the analytics whitelist, perform the following:

1. From the Data Management tab, select the Threat Analytics tab -> Whitelist tab.
2. The appliance displays the following for each trusted domain:
   • Actions: Click the Action icon  next to a domain and select one of the following:
     • Disable: Click this to disable the domain. When you disable a domain, the appliance does not treat this domain as a trusted domain until you enable it.
     • Edit: Click this to open the Whitelist editor. For system domains, the only property you can modify is to disable or enable them. For custom domains, however, you can also add information to the Comment field.
     • Delete: This is only applicable to custom domains. You cannot delete system domains. Select this to delete the custom domain.
   • Domain Name: The name of the trusted domain.
   • Type: Displays the domain type. This can be a System or Custom. A system domain is a trusted domain that carries legitimate DNS tunneling traffic such as Avast, Sophos, McAfee, Boingo, Barracuda, and others. A custom domain is one that you have added to the whitelist or moved from the mitigation blacklist RPZ.
   • Disabled: Indicates whether this domain is disabled or not. The appliance does not treat disabled domains as trusted domains. You can disable both system and custom domains.
   • Comment: Additional information about the domain.

You can also do the following in this panel:

• Click Go to Response Policy Zone to access the blacklisted domains that are identified as offenders for DNS tunneling. Blacklisted domains are detected through Infoblox Threat Insight and automatically transferred to the blacklist RPZ feed. For information about these domains, see Viewing Blacklisted Domains.
• Export or import whitelisted domain names using the CSV import and export functionality.
• Navigate to the next or last page of the whitelist using the paging buttons at the bottom of the panel.
• Refresh the analytics whitelist by clicking the Refresh button.
• Use filters and the Go to function to narrow down the list. With the autocomplete feature, you can just enter the first few characters of an object name in the Go to field and select the object from the possible matches.
• Select a quick filter to search for System or Custom whitelist entries, or both.
• Print the whitelist or export it in CSV format.

Adding Custom Whitelisted Domains

The analytics whitelist is populated with trusted domains that carry legitimate DNS tunneling traffic such as Avast, Sophos, McAfee, Boingo, Barracuda, and others. For more information, see Viewing the Analytics Whitelist. You can add domains that you deem trustworthy to this list. When you add a custom domain, it is marked as Custom in the whitelist.

To add a custom whitelisted domain, complete the following:

1. From the Data Management tab, select the Threat Analytics tab -> Whitelist tab, click the Add icon or click Add Custom Whitelist from the Toolbar.
2. In the Add Custom Whitelist wizard, complete the following:
   • Domain Name: Enter the name of the domain that you want to add to the analytics whitelist.
   • Comment: Enter additional information about this domain.
   • Disable: When you select this, the appliance does not treat this domain as a trusted domain. When you enable the domain again, it is considered as a whitelisted domain.
3. Save the configuration. You do not need to restart DNS service to update the analytics whitelist.

Configuring a Local RPZ as the Mitigation Blacklist Feed

For the threat analytics service to function properly and for NIOS to properly report detected backlisted domains, you must create and designate local RPZs as the mitigation for the Grid. You can add any Response Policy Zones to the list of RPZs from different Network and DNS Views. When a domain is detected as malicious, NIOS will update all RPZs in the list. You can configure the Highest Domain Level to block Tunnelling and specify the minimum and maximum values. The value specifies the maximum level of to block the subdomains.

If you assign an existing RPZ that is used for other purposes as the mitigation blacklist feed, you may experience the following:

• Existing RPZ hits are reported as hits detected by the analytics after an upgrade.
• If you manually add rules to the RPZ, all RPZ hits are reported as hits detected by the analytics, regardless of whether they match the manually created rules or are detected through the threat analytics service.

Infoblox recommends that you run the threat analytics service for a limited time to monitor and preview what has been detected before actually blocking domains. To do so, set Policy Override to Log Only (Disabled) when you create the RPZ so you can monitor blacklisted domains without actually blocking them.

To create and designate a local RPZ as the blacklist feed, complete the following:

1. Create a local RPZ by completing the procedure described in Configuring Local RPZs.

   Note

   To monitor the threat analytics service without blocking domains, set Policy Override to Log Only (Disabled). When you are ready to block blacklisted domains, set Policy Override to None (Given).

2. From the Data Management tab, select the Threat Analytics tab -> Whitelist tab, click the Grid Threat Analytics Properties from the Toolbar.
3. In the Grid Threat Analytics Properties editor, click the DNS Threat Analytics tab, and complete the following:

• • Click the Add icon to open the Zone Selector dialog box and select the RPZs. You must configure at least one local RPZ. To remove an RPZ, select it from the table and click Delete.

  • Select Configure Domain Level to block Tunneling and enter the Highest Domain Level to block Tunneling value. This value identifies only the level of subdomains that you want to block and not all the subdomain levels. Valid values must be between 2 to 5 (both inclusive).

    The detected domain is truncated based on the Highest Domain Level to Block Tunneling value. The domain detection depends on DNS tunneling algorithm.

    Example: Consider the Highest Domain Level to block Tunneling is set to 3.

    • If DNS queries are “subdomainA.subdomainB.subdomainC.xdomain.com“, “subdomainD.subdomainE.subdomainF.xdomain.com”, and “subdomainG.subdomainH.subdomainI.xdomain.com”, then the DNS Tunneling algorithm detects the domain to the second level (*.xdomain.com). As the Highest Domain Level to block Tunneling is set to 3, so without truncating the domain it adds "*.xdomain.com" to RPZ blacklist.
    • If DNS queries are “a1.subdomainA.subdomainB.subdomainC.xdomain.com”, “b1.subdomainA.subdomainB.subdomainC.xdomain.com”, and “c1.subdomainA.subdomainB.subdomainC.xdomain.com”, then the DNS Tunneling algorithm detects the domain to the fifth level (*.subdomainA.subdomainB.subdomainC.xdomain.com). As Highest Domain Level to block Tunneling is set to 3, so it truncates the domains to level 3 and adds "*.subdomainC.xdomain.com" to the RPZ blacklist.

• •  Save the configuration.

Enabling Integration with BloxOne Threat Defense Cloud for Threat Insight

If your network configuration includes BloxOne Threat Defense Business On-premises, BloxOne Threat Defense Business Cloud, or BloxOne Threat Defense Advanced, you can configure the cloud integration client to collect malicious domains detected by Threat Insight in the BloxOne Threat Defense Cloud. NIOS then applies the detected domains to RPZs that are configured for the on-premises Grid. This feature ensures that all malicious domains detected in BloxOne Threat Defense Cloud are also applied to on-prem Grid members.

You can use this feature when you have BloxOne Threat Defense Business On-premises, BloxOne Threat Defense Business Cloud, or BloxOne Threat Defense Advanced license. Note that you can configure only one cloud client per on-premises Grid. Ensure that you configure the email address and password in the Grid Properties Editor before you enable the integration with BloxOne Threat Defense Cloud Client. For more information, see Configuring Integration with BloxOne Threat Defense Cloud.

To enable the integration with BloxOne Threat Defense Cloud, complete the following:

1. From the Data Management tab, select the DNS tab -> Response Policy Zones tab. Expand the Toolbar, and then click BloxOne Threat Defense Cloud Client.
2. In the BloxOne Threat Defense Cloud Integration Client editor, complete the following:
   • Enable Cloud Client: Select this check box to enable NIOS to get Threat Insight results in the BloxOne Threat Defense Cloud.
     The results are periodically synchronized based on the interval you set. NIOS requests only subsequent data since the last data timestamp.

   • Interval: You can specify how often to request Threat Insight results detected in BloxOne Threat Defense Cloud in seconds or minutes. The default value is 10 minutes.

   • The list of Response Policy Zones to use for blacklisted domains: Click the Add icon to add an RPZ to the list. When there are multiple zones, Grid Manager displays the Zone Selector dialog box from which you can select one. You can add RPZs from different networks and DNS views.

     Note

     Whenever a new RPZ is added and NIOS requests Threat Insight results, Grid Manager displays a warning dialog box to confirm that you wish to request all domains detected by Threat Insight in the BloxOne Threat Defense Cloud. If you click No in the Warning dialog box, you can use the set cloud_services_portal_force_refresh CLI command in maintenance mode and set the flag to request all domains detected in BloxOne Threat Defense Cloud.

3. Click Save & Close.

Viewing Blacklisted Domains

To review the list of blacklisted domains, complete the following:

1. From the Data Management tab, select the Data Management tab -> DNS tab -> Response Policy Zones tab, click the mitigation blacklist RPZ name.
2. Grid Manager displays the following for each blacklisted domain:
   • Name or Address: Displays the name or IP address of the blacklisted domain.
   • Policy: Displays the policy used to handle the responses when NIOS detected the blacklisted domain.
   • Data: Displays the target data about this domain.
   • Comment: Displays additional information about this domain.
   • Site: This is a pre-defined extensible attribute (if configured) that is used to indicate the location of the domain.
   • Disable: Indicates whether this domain is disabled or not. When the domain is disabled, the appliance does not block activities on this domain, and configuration for this domain does not change. When the domain is enabled, it is considered as a blacklisted domain and all DNS activities are blocked.

You can also do the following in the blacklisted domain panel:

• Click Go to Analytics Whitelist View to view the analytics whitelist. In the Whitelist panel, you can see all the trusted domains for Infoblox Threat Insight, and DNS activities are allowed on these domains. For more information, see Viewing the Analytics Whitelist.
• If you want to move a blacklisted domain to the analytics whitelist so it becomes a trusted domain, select the domain check box and click the Action icon next to the domain, and then select Move to Whitelist.
• Navigate to the next or last page of the whitelist using the paging buttons at the bottom of the panel.
• Refresh the blacklist feed by clicking the Refresh button.
• Use filters and the Go to function to narrow down the list. With the autocomplete feature, you can just enter the first few characters of an object name in the Go to field and select the object from the possible matches.
• Select a quick filter to search for specific entries.
• Print the blacklist or export it in CSV format.

Moving Blacklisted Domains to the Whitelist

When the appliance detects an offending domain for possible DNS tunneling, it responds according to the policy defined in the mitigation blacklist RPZ and adds the domain to the blacklist RPZ feed. You can view all blacklisted domains and turn those you deem trustworthy into trusted domains by moving them to the analytics whitelist. Note that once you move a blacklisted domain to the whitelist, you cannot reverse the action.

To move a blacklisted domain to the analytics whitelist, complete the following:

1. From the Data Management tab, select the Data Management tab -> DNS tab -> Response Policy Zones tab.
2. Select a blacklisted domain and click the Action icon next to a domain and select Move to Whitelist.

The appliance removes the selected domain from the blacklist and adds it to the analytics whitelist. You can click Go to Analytics Whitelist View to verify that the domain has been successfully moved.

Updating Threat Analytics Module and Whitelist Sets

Infoblox periodically releases threat analytics module and whitelist sets. To ensure that you can import threat analytics updates, you must have at least one Threat Analytics license installed in the Grid. The threat analytics module set consists of the analytics application .jar file, which delivers changes and updates for DNS tunneling detection, and the whitelist set consists of updated trusted domains that carry legitimate DNS tunneling traffic. You can download updates for the module set and whitelist set independently depending on how often Infoblox rolls them out. The appliance displays the version numbers of the module set and whitelist set that your Grid is currently using. To view this information before downloading updates, see Viewing Module and Whitelist Versions.

You can configure the appliance to automatically receive and apply the latest module set and/or whitelist set. When you define an automatic update policy, the appliance checks both the analytics module and whitelist files and automatically downloads the files that have changed. You can also configure a manual update policy in which the appliance notifies you through the message banner when there are updates available. You can then decide whether you want to apply the updates to your Grid or not. For information about how to define the update policy, see Defining the Threat Analytics Update Policy. For information about how to perform manual updates, see Manually Uploading Threat Analytics Updates.

Infoblox recommends that you configure the appliance to automatically receive module and whitelist updates so your appliance receives the latest information periodically. If you prefer to manually upload updates to your Grid, ensure that you apply them frequently to receive the most updated information.

Viewing Module and Whitelist Versions

To view the version number of the Threat Analytics module and whitelist that are currently running on the Grid, perform the following:

1. From the Data Management tab, select the Threat Analytics tab -> Whitelist tab, click the Grid Threat Analytics Properties from the Toolbar.
2. In the Grid Threat Analytics Properties editor, click the Updates tab. This tab displays the following information:
   • Active Whitelist Version: Displays the version number of the threat analytics whitelist set that is currently running on the Grid.
   • Active Module Set Version: Displays the version number of the threat analytics module set that is currently active on the Grid.

Defining the Threat Analytics Whitelist Update Policy

To configure how you want to obtain the latest threat analytics updates, complete the following:

1. From the Data Management tab, select the Threat Analytics tab -> Whitelist tab, click the Grid Threat Analytics Properties from the Toolbar.
2. In the Grid Threat Analytics Properties editor, click the Updates tab.
3. In the WHITELIST UPDATES section, complete the following:
   • Latest Available Whitelist: Displays the latest whitelist that is available for download.
   • Last Checked For Updates: Displays the timestamp when the Grid last checked for updates.
   • Whitelist Update Policy: When you select Automatic, the appliance automatically downloads the latest whitelist based on the default or custom schedule. The appliance checks both the whitelist files and automatically downloads only the files that have changed. When you select an automatic policy, the threat analytics service on the Grid member is restarted automatically to activate the latest updates. Even if you select Manual, the latest whitelist is automatically activated. For information about how to manually apply the updates, see Manually Uploading Threat Analytics Updates.
   • Enable Automatic Whitelist Updates: Select this check box to enable the automatic upload feature. To test the connection, you can click Test Connection. When necessary, you can click Download Whitelist Now to override the automatic update policy.

In the Schedule section, select one of the following to set up a recurring schedule for automatic downloads:

• • Default: When you select this, the appliance downloads the updates between 12:00 A.M. and 6:00 A.M. local time based on the time zone configured on your appliance. The appliance automatically selects a time between this time window the first time it performs an automatic update. All subsequent updates then follow the same schedule based on the selected time.
  • Custom: Select this and click the calendar icon to configure a custom schedule. In the Automatic Whitelist Updates Scheduler, you can select Hourly, Daily, Weekly, or Monthly based on how often you want to update the whitelist

When you select Hourly, complete the following:

• • • Schedule every hour(s) at: Enter the number of hours between each update instance. You can enter a value from 1 to 24.
    • Minutes past the hour: Enter the number of minutes past the hour. For example, enter 5 if you want to schedule the rule update five minutes after the hour.
    • Time Zone: Select the time zone for the scheduled time from the drop-down list.

When you select Daily, you can select either Every day or Every Weekday and then complete the following:

• • • Time: Enter a time in hh:mm:ss AM/PM (hours:minutes:seconds AM or PM) format. You can also select a time from the drop-down list by clicking the time icon.
    • TimeZone: Select the time zone for the scheduled time from the drop-down list. When you select Weekly, complete the following:
    • Schedule every week on: Select any day of the week.
    • Time: Enter a time in hh:mm:ss AM/PM (hours:minutes:seconds AM or PM) format. You can also select a time from the drop-down list by clicking the time icon.
    • Time Zone: Select the time zone for the scheduled time from the drop-down list. When you select Monthly, complete the following:
    • Schedule the day of the month: Enter the day of the month and the monthly interval. For example, to schedule the rule update on the first day after every 2 months, you can enter Day 1 every 2 month(s).
    • Time: Enter a time in hh:mm:ss AM/PM (hours:minutes:seconds AM or PM) format. You can also select a time from the drop-down list by clicking the time icon.
    • Time Zone: Select the time zone for the scheduled time from the drop-down list.

4. Save the configuration.

Defining the Threat Analytics Module Set Update Policy

To configure how you want to obtain the latest threat analytics updates, complete the following:

1. From the Data Management tab, select the Threat Analytics tab -> Whitelist tab, click the Grid Threat Analytics Properties from the Toolbar.
2. In the Grid Threat Analytics Properties editor, click the Updates tab.
3. In the MODULE SET UPDATES section, complete the following:
   • Latest Available Module Set: Displays the latest module set that is available for download.
   • Last Checked For Updates: Displays the timestamp when the Grid last checked for updates.
   • Module Set Update Policy: When you select Automatic, the appliance automatically downloads the latest module set based on the default or custom schedule. The appliance checks the module files and automatically downloads only the files that have changed. When you select an automatic policy, the threat analytics service on the Grid members is restarted automatically to activate the latest updates. If you select Manual as the update policy, the appliance displays a banner message in Grid Manager to notify you when a new update is available. You must then decide whether to apply the updates to the Grid or not. For information about how to manually apply the updates, see Manually Uploading Threat Analytics Updates.
   • Enable Automatic Module Set Updates: Select this check box to enable the automatic upload feature. To test the connection, you can click Test Connection. When necessary, you can click Download Module Set Now to override the automatic update policy.

In the Schedule section, select one of the following to set up a recurring schedule for automatic downloads:

• • Default: When you select this, the appliance downloads the updates between 12:00 A.M. and 6:00 A.M. local time based on the time zone configured on your appliance. The appliance automatically selects a time between this time window the first time it performs an automatic update. All subsequent updates then follow the same schedule based on the selected time.
  • Custom: Select this and click the calendar icon to configure a custom schedule. In the Automatic Module Set Updates Scheduler, you can select Hourly, Daily, Weekly, or Monthly based on how often you want to update the module set.

For information about configuring an Hourly schedule, see Custom Hourly Schedule.

4. Save the configuration.

Manually Uploading Threat Analytics Updates

You can manually upload the latest whitelist or moduleset files and update them.

To manually upload threat analytics updates, complete the following:

1. From the Data Management tab, select the Threat Analytics tab -> Whitelist tab, click Updates -> Manual Update from the Toolbar.
2. The Threat Analytics Upload dialog displays the following:
   • Current Whitelist Version: Displays the active version of the whitelist that is currently running on the Grid. 
   • Last Applied On: Displays the timestamp and time zone when the last whitelist set was applied to the Grid. This field changes each time when a whitelist set is applied.
   • Latest Available Module Set: Displays the version string of the latest available module set. This field changes each time when the module set is updated.
   • Last Applied On: Displays the timestamp and time zone when the last module set was applied to the Grid. This field changes each time when a module is applied.

To upload the module set or whitelist set, complete the following:

• • File: Click Select to navigate to the file location, and then upload the file. The appliance displays the file name in this field. You can upload either a module set or a whitelist set. Check the current version numbers of the whitelist and module sets to verify if they have changed before uploading new files.

Click Test to check the changes that will occur during the update, without actually applying the update. You can view update details in the Syslog Viewer. The appliance preserves the uploaded file if you do not click Update to update the module set or whitelist set. When you manually upload next time, this file name is displayed in the dialog. You can then choose to apply the update from this file or upload a new file before performing the update. Uploading a new file will remove the file that has not been applied.

3. Click Update to update the module set or whitelist set. You can also click View Update Results to view the update results.

Monitoring DNS Tunneling Activities

You can monitor DNS tunneling activities through the following:

• Pre-defined Reports: If you have a reporting appliance configured in the Grid, you can generate the following reports that include DNS tunneling data:
  • DNS Top Tunneling Activity
  • DNS Tunneling Traffic by Category
  • Top Malware and DNS Tunneling Events by Client
• Syslog: All DNS tunneling activities are logged to the syslog. You can view this log to identify specific activities related to DNS tunneling. For more information, see Using a Syslog Server.