From f91ac1c1d9acb748f87935db089b099d300ecb57 Mon Sep 17 00:00:00 2001 
From: mcdequiroz Date: Thu, 12 Mar 2026 10:41:44 +0800 Subject: [PATCH] Add Infoblox Sigma rules for third-party logs Add 10 new CDF under tm-v1-sigma-rules/third_party_logs/Infoblox to detect Infoblox threat-intel hits. Each rule matches vendorParsed content (InfobloxThreatProperty values or severity fields) to surface events such as MalwareDownload, Malicious_TDS, Phishing_Generic, Proxy_Generic, Suspicious_Nameserver/EmergentDomain/TDS, and high/medium risk severities. Rules target THIRD_PARTY_LOG product Infoblox, use level: info and taxonomy: tm-v1 to capture vendor-flagged detections. --- .../Infoblox High Risk Event Severity.yaml | 14 ++++++++++++++ .../Infoblox Medium Risk Event Severity.yaml | 15 +++++++++++++++ .../Malicious Traffic Distribution System.yaml | 15 +++++++++++++++ .../Infoblox/Malware Download.yaml | 15 +++++++++++++++ ... Generic Malicious Connection Established.yaml | 15 +++++++++++++++ ...Possible Generic Phishing Website Visited.yaml | 14 ++++++++++++++ .../Possible Proxy Connection Established.yaml | 15 +++++++++++++++ .../Infoblox/Suspicious Emergent Domain.yaml | 15 +++++++++++++++ .../Infoblox/Suspicious Nameserver.yaml | 15 +++++++++++++++ .../Suspicious Traffic Distribution System.yaml | 15 +++++++++++++++ 10 files changed, 148 insertions(+) create mode 100644 tm-v1-sigma-rules/third_party_logs/Infoblox/Infoblox High Risk Event Severity.yaml create mode 100644 tm-v1-sigma-rules/third_party_logs/Infoblox/Infoblox Medium Risk Event Severity.yaml create mode 100644 tm-v1-sigma-rules/third_party_logs/Infoblox/Malicious Traffic Distribution System.yaml create mode 100644 tm-v1-sigma-rules/third_party_logs/Infoblox/Malware Download.yaml create mode 100644 tm-v1-sigma-rules/third_party_logs/Infoblox/Possible Generic Malicious Connection Established.yaml create mode 100644 tm-v1-sigma-rules/third_party_logs/Infoblox/Possible Generic Phishing Website Visited.yaml create mode 100644 tm-v1-sigma-rules/third_party_logs/Infoblox/Possible Proxy 
Connection Established.yaml
create mode 100644 tm-v1-sigma-rules/third_party_logs/Infoblox/Suspicious Emergent Domain.yaml
create mode 100644 tm-v1-sigma-rules/third_party_logs/Infoblox/Suspicious Nameserver.yaml
create mode 100644 tm-v1-sigma-rules/third_party_logs/Infoblox/Suspicious Traffic Distribution System.yaml
diff --git a/tm-v1-sigma-rules/third_party_logs/Infoblox/Infoblox High Risk Event Severity.yaml b/tm-v1-sigma-rules/third_party_logs/Infoblox/Infoblox High Risk Event Severity.yaml
new file mode 100644
index 0000000..4924f3a
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Infoblox/Infoblox High Risk Event Severity.yaml
@@ -0,0 +1,14 @@
+title: Infoblox High Risk Event Severity
+description: Infoblox detection for high risk events. This detection is based on the presence of the "InfobloxB1FeedName" field with the value "Infoblox_High_Risk" in the vendorParsed data. This indicates that the event has been flagged as high risk by Infoblox's threat intelligence feed.
+references:
+ - https://docs.infoblox.com/space/BloxOneDDI/209453743/DNS+Security+Policy+Hit+and+RPZ+Hit+Log+Message+Mappingtags: []
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Infoblox
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ string_condition_0:
+ vendorParsed: "*\"severity\":\"8\"*"
+ condition: string_condition_0
+level: info
+taxonomy: tm-v1
\ No newline at end of file
diff --git a/tm-v1-sigma-rules/third_party_logs/Infoblox/Infoblox Medium Risk Event Severity.yaml b/tm-v1-sigma-rules/third_party_logs/Infoblox/Infoblox Medium Risk Event Severity.yaml
new file mode 100644
index 0000000..720a9e4
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Infoblox/Infoblox Medium Risk Event Severity.yaml
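Review bot: The references entry in this hunk has `tags: []` fused onto the end of the URL (`...Message+Mappingtags: []`), so the reference link is broken and the rule has no top-level `tags` key; the 14-line hunk count confirms the two were committed as one line. Split it into `  - https://docs.infoblox.com/space/BloxOneDDI/209453743/DNS+Security+Policy+Hit+and+RPZ+Hit+Log+Message+Mapping` followed by `tags: []` on its own line; the Possible Generic Phishing Website Visited hunk has the same defect. Separately, the description says the rule keys on `InfobloxB1FeedName` = `Infoblox_High_Risk`, but the detection actually matches `"severity":"8"`, and the Medium Risk rule has the same gap (`Infoblox_Med_Risk` vs `"severity":"5"`); one side should be changed so the description states the field that is really matched. The severity pattern also assumes the value is serialized as a quoted string — if the vendor ever emits a numeric `"severity":8`, the substring never matches, which is worth confirming against a real event sample.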
@@ -0,0 +1,15 @@
+title: Infoblox Medium Risk Event Severity
+description: Infoblox detection for medium risk events. This detection is based on the presence of the "InfobloxB1FeedName" field with the value "Infoblox_Med_Risk" in the vendorParsed data. This indicates that the event has been flagged as medium risk by Infoblox's threat intelligence feed.
+references:
+ - https://docs.infoblox.com/space/BloxOneDDI/209453743/DNS+Security+Policy+Hit+and+RPZ+Hit+Log+Message+Mapping
+tags: []
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Infoblox
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ string_condition_0:
+ vendorParsed: "*\"severity\":\"5\"*"
+ condition: string_condition_0
+level: info
+taxonomy: tm-v1
\ No newline at end of file
diff --git a/tm-v1-sigma-rules/third_party_logs/Infoblox/Malicious Traffic Distribution System.yaml b/tm-v1-sigma-rules/third_party_logs/Infoblox/Malicious Traffic Distribution System.yaml
new file mode 100644
index 0000000..272f287
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Infoblox/Malicious Traffic Distribution System.yaml
@@ -0,0 +1,15 @@
+title: Malicious Traffic Distribution System
+description: Infoblox detection for malicious traffic distribution systems.
+references:
+ - https://docs.infoblox.com/space/BloxOneDDI/209453743/DNS+Security+Policy+Hit+and+RPZ+Hit+Log+Message+Mapping
+tags: []
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Infoblox
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ string_condition_0:
+ vendorParsed: "*\"InfobloxThreatProperty\":\"Malicious_TDS\"*"
+ condition: string_condition_0
+level: info
+taxonomy: tm-v1
\ No newline at end of file
diff --git a/tm-v1-sigma-rules/third_party_logs/Infoblox/Malware Download.yaml b/tm-v1-sigma-rules/third_party_logs/Infoblox/Malware Download.yaml
new file mode 100644
index 0000000..325d5e1
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Infoblox/Malware Download.yaml
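Review bot: The description of Malicious Traffic Distribution System (the second hunk on this line) is a single sentence that does not name the field the rule keys on, unlike the Malware Download and Phishing rules, which spell out the `InfobloxThreatProperty` value; an analyst triaging the hit cannot tell from the rule what was matched. Suggest extending it in the style of the sibling rules, e.g. `description: Infoblox detection for malicious traffic distribution systems. This detection is based on the presence of the "InfobloxThreatProperty" field with the value "Malicious_TDS" in the vendorParsed data.` The Suspicious Nameserver and Suspicious Traffic Distribution System hunks have the same one-line descriptions and should get the matching `Suspicious_Nameserver` and `Suspicious_TDS` wording.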
@@ -0,0 +1,15 @@
+title: Malware Download
+description: Infoblox detection for malware downloads. Detects for downloads of malware based on the presence of the "InfobloxThreatProperty" field with the value "MalwareDownload_Generic" in the vendorParsed data. This indicates that the domain has been flagged for hosting or distributing malware by Infoblox's threat intelligence feed.
+references:
+ - https://docs.infoblox.com/space/BloxOneDDI/209453743/DNS+Security+Policy+Hit+and+RPZ+Hit+Log+Message+Mapping
+tags: []
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Infoblox
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ string_condition_0:
+ vendorParsed: "*\"InfobloxThreatProperty\":\"MalwareDownload_Generic\"*"
+ condition: string_condition_0
+level: info
+taxonomy: tm-v1
\ No newline at end of file
diff --git a/tm-v1-sigma-rules/third_party_logs/Infoblox/Possible Generic Malicious Connection Established.yaml b/tm-v1-sigma-rules/third_party_logs/Infoblox/Possible Generic Malicious Connection Established.yaml
new file mode 100644
index 0000000..afe745c
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Infoblox/Possible Generic Malicious Connection Established.yaml
@@ -0,0 +1,15 @@
+title: Possible Generic Malicious Connection Established
+description: Infoblox detection for possible malicious connections. Detects connections that may be indicative of malicious activity based on the presence of the "InfobloxThreatProperty" field with the value "Malicious_Connection" in the vendorParsed data. This indicates that the domain has been flagged by Infoblox's threat intelligence feed.
+references:
+ - https://docs.infoblox.com/space/BloxOneDDI/209453743/DNS+Security+Policy+Hit+and+RPZ+Hit+Log+Message+Mapping
+tags: []
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Infoblox
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ string_condition_0:
+ vendorParsed: "*\"InfobloxThreatProperty\":\"Malicious_Generic\"*"
+ condition: string_condition_0
+level: info
+taxonomy: tm-v1
\ No newline at end of file
diff --git a/tm-v1-sigma-rules/third_party_logs/Infoblox/Possible Generic Phishing Website Visited.yaml b/tm-v1-sigma-rules/third_party_logs/Infoblox/Possible Generic Phishing Website Visited.yaml
new file mode 100644
index 0000000..734bb70
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Infoblox/Possible Generic Phishing Website Visited.yaml
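Review bot: The description names the value `"Malicious_Connection"`, but the detection matches `\"InfobloxThreatProperty\":\"Malicious_Generic\"`, so the documented trigger does not exist in the rule; change the description to `"Malicious_Generic"` (or the pattern, if `Malicious_Connection` is the intended feed value). The Possible Proxy Connection Established hunk has the same mismatch (`"Proxy_Connection"` in the description vs `Proxy_Generic` in the pattern), and the Suspicious Emergent Domain description was carried over from the Medium Risk rule — it talks about `InfobloxB1FeedName` / `Infoblox_Med_Risk` while the detection matches `Suspicious_EmergentDomain`. Which side is wrong in each case can only be settled against the Infoblox mapping document the rules reference.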
@@ -0,0 +1,14 @@
+title: Possible Generic Phishing Website Visited
+description: Infoblox detection for possible generic phishing website visits. Detects visits to websites that may be hosting or distributing phishing content based on the presence of the "InfobloxThreatProperty" field with the value "Phishing_Generic" in the vendorParsed data. This indicates that the domain has been flagged by Infoblox's threat intelligence feed.
+references:
+ - https://docs.infoblox.com/space/BloxOneDDI/209453743/DNS+Security+Policy+Hit+and+RPZ+Hit+Log+Message+Mappingtags: []
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Infoblox
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ string_condition_0:
+ vendorParsed: "*\"InfobloxThreatProperty\":\"Phishing_Generic\"*"
+ condition: string_condition_0
+level: info
+taxonomy: tm-v1
\ No newline at end of file
diff --git a/tm-v1-sigma-rules/third_party_logs/Infoblox/Possible Proxy Connection Established.yaml b/tm-v1-sigma-rules/third_party_logs/Infoblox/Possible Proxy Connection Established.yaml
new file mode 100644
index 0000000..11babbc
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Infoblox/Possible Proxy Connection Established.yaml
@@ -0,0 +1,15 @@
+title: Possible Proxy Connection Established
+description: Infoblox detection for possible proxy connections. Detects connections that may be indicative of proxy activity based on the presence of the "InfobloxThreatProperty" field with the value "Proxy_Connection" in the vendorParsed data. This indicates that the domain has been flagged by Infoblox's threat intelligence feed.
+references:
+ - https://docs.infoblox.com/space/BloxOneDDI/209453743/DNS+Security+Policy+Hit+and+RPZ+Hit+Log+Message+Mapping
+tags: []
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Infoblox
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ string_condition_0:
+ vendorParsed: "*\"InfobloxThreatProperty\":\"Proxy_Generic\"*"
+ condition: string_condition_0
+level: info
+taxonomy: tm-v1
\ No newline at end of file
diff --git a/tm-v1-sigma-rules/third_party_logs/Infoblox/Suspicious Emergent Domain.yaml b/tm-v1-sigma-rules/third_party_logs/Infoblox/Suspicious Emergent Domain.yaml
new file mode 100644
index 0000000..68c872f
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Infoblox/Suspicious Emergent Domain.yaml
@@ -0,0 +1,15 @@
+title: Suspicious Emergent Domain
+description: Infoblox detection for suspicious emergent domains. This detection is based on the presence of the "InfobloxB1FeedName" field with the value "Infoblox_Med_Risk" in the vendorParsed data. This indicates that the domain has been flagged as medium risk by Infoblox's threat intelligence feed.
+references:
+ - https://docs.infoblox.com/space/BloxOneDDI/209453743/DNS+Security+Policy+Hit+and+RPZ+Hit+Log+Message+Mapping
+tags: []
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Infoblox
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ string_condition_0:
+ vendorParsed: "*\"InfobloxThreatProperty\":\"Suspicious_EmergentDomain\"*"
+ condition: string_condition_0
+level: info
+taxonomy: tm-v1
\ No newline at end of file
diff --git a/tm-v1-sigma-rules/third_party_logs/Infoblox/Suspicious Nameserver.yaml b/tm-v1-sigma-rules/third_party_logs/Infoblox/Suspicious Nameserver.yaml
new file mode 100644
index 0000000..524f064
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Infoblox/Suspicious Nameserver.yaml
@@ -0,0 +1,15 @@
+title: Suspicious Nameserver
+description: Infoblox detection for suspicious nameservers.
+references:
+ - https://docs.infoblox.com/space/BloxOneDDI/209453743/DNS+Security+Policy+Hit+and+RPZ+Hit+Log+Message+Mapping
+tags: []
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Infoblox
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ string_condition_0:
+ vendorParsed: "*\"InfobloxThreatProperty\":\"Suspicious_Nameserver\"*"
+ condition: string_condition_0
+level: info
+taxonomy: tm-v1
\ No newline at end of file
diff --git a/tm-v1-sigma-rules/third_party_logs/Infoblox/Suspicious Traffic Distribution System.yaml b/tm-v1-sigma-rules/third_party_logs/Infoblox/Suspicious Traffic Distribution System.yaml
new file mode 100644
index 0000000..8f5ae13
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Infoblox/Suspicious Traffic Distribution System.yaml
@@ -0,0 +1,15 @@
+title: Suspicious Traffic Distribution System
+description: Infoblox detection for suspicious traffic distribution systems.
+references:
+ - https://docs.infoblox.com/space/BloxOneDDI/209453743/DNS+Security+Policy+Hit+and+RPZ+Hit+Log+Message+Mapping
+tags: []
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Infoblox
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ string_condition_0:
+ vendorParsed: "*\"InfobloxThreatProperty\":\"Suspicious_TDS\"*"
+ condition: string_condition_0
+level: info
+taxonomy: tm-v1
\ No newline at end of file