
If you’ve ever had to manually wrangle external threat intel feeds — CSVs, JSON dumps, or raw text files full of Indicators of Compromise — you know it’s a pain.
Some sources send you neat JSON, others hand you a 2 MB CSV. Then you’ve got to clean it, chunk it, and somehow import it into your Infoblox Threat Defense custom lists.
So, I built a Tines Story that automates the entire process — from upload to enrichment to custom list creation. It works across multiple formats and takes all the manual formatting out of the equation.
👉 Import the done-for-you Tines Story here
(You can import it directly into your workspace and start using it within minutes.)
🚀 The Problem: IOC Chaos
Every organization collects external IOCs — including URLs, hashes, and IPs — from vendors, feeds, and intelligence partners.
But these lists rarely look the same:
- CSV/Text feeds: One IOC per line
- JSON feeds: Nested structures or key-value maps
- Mixed files: Even worse
Without automation, teams have to manually normalize, split, and upload — which wastes time and introduces human error.
💡 The Solution: Let Tines Do the Heavy Lifting
This Tines Story automatically:
- Accepts any IOC file upload (JSON, CSV, or Text)
- Detects the file type
- Decodes the contents
- Splits massive lists into 50,000-entry chunks (to meet API limits)
- Creates named lists in Infoblox BloxOne Threat Defense through API calls
- Verifies list creation before reporting completion
🧱 Story Flow Breakdown
1. Upload IOCs (Tines Pages)
The Story starts with a Form Agent that allows you to upload a file and specify a list name.
Users can choose a file type — JSON, Text, or CSV — and Tines will take care of the rest.
{
  "name_of_the_list": "malicious_ips_oct",
  "file_type": "JSON",
  "file_upload": "ioc_file.json"
}
2. Base64 Decode and Normalize
Depending on the file type, the Story uses a decoding and transformation step to normalize the IOC data:
Example transformation for JSON input:
{
  "message": "<<BASE64_DECODE(upload_iocs.body.file_upload.contents)>>"
}
This ensures the data is flattened and chunked into manageable 50,000-entry blocks, ready to be pushed via the Infoblox API.
3. Create Named Lists via Infoblox API
Once the IOC data is structured, Tines automatically sends it to the Infoblox BloxOne API.
API Endpoint:
POST https://csp.infoblox.com/api/atcfw/v1/named_lists
Example cURL equivalent:
curl -X POST "https://csp.infoblox.com/api/atcfw/v1/named_lists" \
  -H "Authorization: Token $INFOBLOX_BLOXONE_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "name": "malicious_ips_oct-1", "items": ["1.2.3.4", "5.6.7.8", "malicious-domain.com"], "type": "custom_list" }'
Tines handles this automatically, looping over every 50,000-entry block until the entire feed is uploaded.
4. Validate and Confirm
Finally, the workflow checks whether the list already exists using:
GET https://csp.infoblox.com/api/atcfw/v1/named_lists
and verifies the created list name matches your upload.
If the list exists, it redirects to a “Name Exists” confirmation screen; if not, it proceeds to create it.
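Steps 2 to 4 outside Tines, as an added Python example (not the Story's own code): decode the upload, normalize each format, split into 50,000-entry chunks, and build one request body per chunk with the fields from the cURL call above. Assumptions: IOCs are the string values in JSON and the first column in CSV, chunk names continue "-2", "-3" after the post's "-1", and `existing_names` is a plain collection of names because the GET response format is not shown here.

```python
import base64
import csv
import io
import json

CHUNK_SIZE = 50_000  # per-list entry limit quoted in the post
def _flatten_json(node):
    """Yield every string leaf of a nested JSON value (assumed to be the IOCs)."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for child in (node.values() if isinstance(node, dict) else node):
            yield from _flatten_json(child)

def extract_iocs(file_type, b64_contents):
    """Decode an upload; drop blanks and '#' comments; de-duplicate in order."""
    text = base64.b64decode(b64_contents).decode("utf-8-sig")  # tolerate a BOM
    kind = file_type.upper()
    if kind == "JSON":
        raw = _flatten_json(json.loads(text))
    elif kind == "CSV":
        raw = (row[0] for row in csv.reader(io.StringIO(text)) if row)  # assumed: IOC in column 1
    elif kind == "TEXT":
        raw = text.splitlines()
    else:
        raise ValueError(f"unsupported file type: {file_type!r}")
    cleaned = (item.strip() for item in raw)
    return list(dict.fromkeys(i for i in cleaned if i and not i.startswith("#")))

def build_payloads(list_name, iocs, existing_names=(), chunk_size=CHUNK_SIZE):
    """Build one named_lists request body per chunk; refuse names already in use."""
    payloads = []
    for n, start in enumerate(range(0, len(iocs), chunk_size), start=1):
        name = f"{list_name}-{n}"  # "-1" is from the post; "-2", "-3" are assumed
        if name in existing_names:
            raise ValueError(f"list name already exists: {name}")
        payloads.append({"name": name, "type": "custom_list",
                         "items": iocs[start:start + chunk_size]})
    return payloads

# Constructed sample upload (documentation addresses, not real indicators).
SAMPLE = base64.b64encode(json.dumps(
    {"feed": {"ips": ["192.0.2.10", "198.51.100.7"],
              "domains": [{"value": "bad.example"}, {"value": "192.0.2.10"}]}}
).encode()).decode()

if __name__ == "__main__":
    for body in build_payloads("malicious_ips_oct", extract_iocs("JSON", SAMPLE), chunk_size=2):
        print(body["name"], body["items"])
```

Checking every chunk name against the existing lists before the first POST avoids a half-uploaded feed when only a later suffix collides.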
🧩 Why It Matters
This Story helps teams:
- Avoid format errors when ingesting new threat feeds
- Reduce upload times for large IOC lists
- Ensure consistency across different formats (Text/JSON/CSV)
- Save hours of manual cleanup every week
Instead of juggling Excel sheets, you now have a Tines Form that takes care of everything — just drop in your file and click Submit.
🔗 Import & Try It Yourself
Want to test this in your own environment?
Here’s the pre-built Story ready to import and run:
👉 Infoblox Threat Defense — Add External IOCs to Custom List (Tines Library)
Once imported, connect your Infoblox credentials in Tines (CREDENTIAL.infoblox_bloxone) and you’re off to the races.
🧠 Final Thoughts
This automation is a great example of using Tines not just as a playbook builder — but as a true integration layer between your security tools.
With a few reusable Python transformations and clean API calls, you can turn repetitive work into something elegant and scalable.
If you build or modify this flow, tag me — I’d love to see your variations or how you extend it (e.g., auto-enrichment, deduplication, or alerting via Slack).
Stay curious, keep automating.
