Problem
Security teams often need to push indicators of compromise (IOCs) into DNS-layer security solutions like Infoblox Threat Defense. Without automation, uploading and maintaining threat lists becomes manual, slow, and error-prone — limiting an organization’s ability to respond rapidly to emerging threats.
Objective
This article explains how the Infoblox Threat Defense Action integrates with ThreatQuotient TDR Orchestrator (TQO) to automate IOC uploads and deletions in Infoblox custom lists. It also summarizes configuration considerations and supported indicator types.
Overview
Released on March 26, 2025, the Infoblox Threat Defense Action allows ThreatQuotient users to upload or delete indicators from a custom list inside the Infoblox Threat Defense Cloud platform.
This action provides a streamlined, automated mechanism for updating DNS-layer defenses with the latest threat intelligence. By connecting ThreatQ directly to Infoblox, analysts can rapidly enrich detections and synchronize blocklists or allowlists as part of broader orchestration workflows.
This Action Bundle aligns with the integration patterns described in the Infoblox BloxOne / Threat Defense Action documentation on the ThreatQ Help Center.
Integration Action
Infoblox Threat Defense Action
Uploads or deletes indicators from a custom list in the Infoblox Threat Defense Cloud environment.
Key capabilities from the documentation include:
- Supports both upload (add) and delete operations.
- Receives a collection of indicators from a TQO workflow and processes them in batches.
- Uses Infoblox API authentication to communicate with your Threat Defense tenant.
- Logs responses, results, and error messages for analyst visibility.
➡️ Reference: Public doc — Infoblox BloxOne / Threat Defense Action (ThreatQ Help Center)
Supported Indicator Types
The integration supports the following indicator types, consistent with the official documentation:
- CIDR Block
- FQDN
- Indicator (generic)
- IP Address
TDR Orchestrator will ignore unsupported object types during execution.
Prerequisites
- An active ThreatQ TDR Orchestrator (TQO) license
- Valid Infoblox Threat Defense Cloud credentials
  - BloxOne hostname
  - Username and password
  - Appropriate API permissions
The documentation notes that configuration parameters — such as Infoblox hostname and authentication values — must be provided before the action can run.
Typical Workflow Behavior (From Documentation)
When triggered by a TQO workflow:
- The action receives a data collection containing indicators.
- It filters to supported indicator types (CIDR, FQDN, IP, etc.).
- For each indicator, it performs one of the following:
  - Upload → Adds indicator to the designated Infoblox custom list
  - Delete → Removes indicator from the designated list
- Returns an action report including:
  - Success/failure status
  - Any API return messages
  - Objects updated in ThreatQuotient
This enables feedback loops and logging within ThreatQ.
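The filter, batch and report flow described above, as an added example that is not part of the article or of ThreatQuotient's or Infoblox's own code: the Infoblox custom-list API call is replaced by an injected `send_batch` callable, and the indicator record shape, the type labels, the batch size and the sample values are assumptions.

```python
from dataclasses import dataclass, field
# Indicator types the action accepts (per the article); others are ignored.
SUPPORTED_TYPES = {"CIDR Block", "FQDN", "Indicator", "IP Address"}

@dataclass
class ActionReport:
    """Mirrors the action report the workflow returns to ThreatQ."""
    operation: str
    processed: list = field(default_factory=list)  # values sent to Infoblox
    skipped: list = field(default_factory=list)    # unsupported types ignored
    messages: list = field(default_factory=list)   # API return messages
    success: bool = True

def run_action(indicators, operation, send_batch, batch_size=2):
    """Filter a ThreatQ indicator collection, send it in batches, and report."""
    if operation not in ("upload", "delete"):
        raise ValueError("operation must be 'upload' or 'delete'")
    report = ActionReport(operation=operation)
    eligible = []
    for ind in indicators:
        if ind["type"] in SUPPORTED_TYPES:
            eligible.append(ind["value"])
        else:
            report.skipped.append(ind["value"])
    for start in range(0, len(eligible), batch_size):
        batch = eligible[start:start + batch_size]
        try:
            report.messages.append(send_batch(operation, batch))
            report.processed.extend(batch)
        except Exception as exc:  # a failed batch is recorded, not fatal
            report.success = False
            report.messages.append(f"{operation} failed for {batch}: {exc}")
    return report

# Constructed sample collection shaped like a TQO data collection (assumption).
SAMPLE_INDICATORS = [
    {"type": "FQDN", "value": "malicious.example"},
    {"type": "IP Address", "value": "203.0.113.10"},
    {"type": "CIDR Block", "value": "198.51.100.0/24"},
    {"type": "Email Address", "value": "phish@example.com"},  # unsupported
]

def fake_sender(operation, batch):
    """Stand-in for the Infoblox custom-list API call (hypothetical)."""
    return f"{operation}: {len(batch)} item(s) accepted"

def rejecting_sender(operation, batch):
    """Simulates an API error so the failure path of the report is visible."""
    raise RuntimeError("HTTP 401 Unauthorized")
```

Swapping `fake_sender` for a real authenticated client turns the report into the success/failure status and API messages the workflow hands back to ThreatQ.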
Why It Matters
The Infoblox Threat Defense Action allows teams to:
- Automate the sharing of high-risk indicators with DNS-layer defenses.
- Retract indicators automatically when they are deprecated or reassessed.
- Maintain synchronized lists between ThreatQ and Infoblox in real time.
- Enhance SOAR orchestration by embedding DNS security updates into detection, enrichment, and response workflows.
This helps strengthen an organization’s defensive posture by keeping protective DNS policies aligned with evolving threat intelligence.
Learn More
Full integration documentation:
https://helpcenter.threatq.com/Integration_Documentation/actions/Infoblox_BloxOne_Action.htm
