Automating IOC Management with Tines + Infoblox Threat Defense

If you’ve ever had to manually wrangle external threat intel feeds — CSVs, JSON dumps, or raw text files full of Indicators of Compromise — you know it’s a pain.

Some sources send you neat JSON, others hand you a 2 MB CSV. Then you’ve got to clean it, chunk it, and somehow import it into your Infoblox Threat Defense custom lists.

So, I built a Tines Story that automates the entire process — from upload to enrichment to custom list creation. It works across multiple formats and takes all the manual formatting out of the equation.

👉 Import the done-for-you Tines Story here (You can import it directly into your workspace and start using it within minutes.)

🚀 What’s the Problem with Manual IOC Management?

Every organization collects external IOCs — including URLs, hashes, and IPs — from vendors, feeds, and intelligence partners. But these lists rarely look the same:

  • CSV/Text feeds: One IOC per line

  • JSON feeds: Nested structures or key-value maps

  • Mixed files: Even worse

Without automation, teams have to manually normalize, split, and upload — which wastes time and introduces human error.

💡 How Can Tines Automate IOC Management End-to-End?

This Tines Story automatically:

  1. Accepts IOC file uploads in JSON, CSV, or text format via a Tines form
  2. Decodes and normalizes the file contents (base64 decode + format parsing)
  3. Chunks the data into manageable 50K blocks
  4. Creates named lists via the Infoblox BloxOne Threat Defense API
  5. Loops through every chunk until the full feed is uploaded
  6. Validates the created list and confirms success

🧱 How Does the Tines IOC Automation Story Flow Work?

Step 1: How Do You Upload IOCs via Tines Pages?

The Story starts with a Form Agent that allows you to upload a file and specify a list name.

Users can choose a file type — JSON, Text, or CSV — and Tines will take care of the rest.


{
  "name_of_the_list": "malicious_ips_oct",
  "file_type": "JSON",
  "file_upload": "ioc_file.json"
}

Step 2: How Does Tines Decode and Normalize IOC Data?

Depending on the file type, the Story uses a decoding and transformation step to normalize the IOC data:

Example transformation for JSON input:


{
  "message": "<<BASE64_DECODE(upload_iocs.body.file_upload.contents)>>"
}

This ensures the data is flattened and chunked into manageable 50K blocks — ready to be pushed via the Infoblox API.

Step 3: How Does Tines Create Named Lists via the Infoblox API?

Once the IOC data is structured, Tines automatically sends it to the Infoblox BloxOne API.

API Endpoint:

POST https://csp.infoblox.com/api/atcfw/v1/named_lists

Example cURL equivalent:


curl -X POST "https://csp.infoblox.com/api/atcfw/v1/named_lists" \
  -H "Authorization: Token $INFOBLOX_BLOXONE_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
        "name": "malicious_ips_oct-1",
        "items": ["1.2.3.4", "5.6.7.8", "malicious-domain.com"],
        "type": "custom_list"
      }'

Tines handles this automatically — looping over every 50K block until the entire feed is uploaded.
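
An added example, not code from the Story or the original post: Steps 2 and 3 as plain Python, covering decode, normalization of all three file types, chunking, and construction of the named_lists request bodies (nothing is sent). The function names are hypothetical, and it assumes that IOCs are the string leaf values of a JSON feed, that the first CSV column holds the IOC, that lines starting with # are comments, and that chunk suffixes continue from the "-1" shown in the cURL example.

```python
import base64
import csv
import io
import json

CHUNK_SIZE = 50_000  # items per named list, the block size the Story uses


def _json_leaves(node):
    """Yield every string leaf of nested dicts/lists (assumption: those are the IOCs)."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        children = node.values() if isinstance(node, dict) else node
        for child in children:
            yield from _json_leaves(child)


def normalize(contents_b64, file_type):
    """Decode an upload and return a flat, de-duplicated, order-preserving IOC list."""
    text = base64.b64decode(contents_b64).decode("utf-8-sig")  # also drops a BOM
    kind = file_type.upper()
    if kind == "JSON":
        raw = _json_leaves(json.loads(text))
    elif kind == "CSV":
        # Assumption: the IOC sits in the first column of each row.
        raw = (row[0] for row in csv.reader(io.StringIO(text)) if row)
    elif kind == "TEXT":
        raw = text.splitlines()
    else:
        raise ValueError(f"unsupported file type: {file_type}")
    # Trim whitespace, skip blanks and '#' comment lines, keep first-seen order.
    cleaned = (item.strip() for item in raw)
    return list(dict.fromkeys(i for i in cleaned if i and not i.startswith("#")))


def build_payloads(list_name, iocs, chunk_size=CHUNK_SIZE):
    """Build one named_lists request body per chunk: <name>-1, <name>-2, ..."""
    return [
        {"name": f"{list_name}-{n}", "items": iocs[s:s + chunk_size], "type": "custom_list"}
        for n, s in enumerate(range(0, len(iocs), chunk_size), start=1)
    ]


if __name__ == "__main__":
    # Constructed sample feed: nested JSON containing one duplicate entry.
    feed = {"ips": ["1.2.3.4", "5.6.7.8"], "more": {"d": "malicious-domain.com", "dup": "1.2.3.4"}}
    upload = base64.b64encode(json.dumps(feed).encode()).decode()
    for body in build_payloads("malicious_ips_oct", normalize(upload, "JSON"), chunk_size=2):
        print(json.dumps(body))
```

Because every string leaf is collected, a JSON feed that carries metadata strings (source names, descriptions) next to its indicators needs a narrower selector before the result is pushed to a block list.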

Step 4: How Does Tines Validate and Confirm the Upload?

Finally, the workflow checks whether the list already exists using:

GET https://csp.infoblox.com/api/atcfw/v1/named_lists

and verifies the created list name matches your upload. If the list exists, it redirects to a “Name Exists” confirmation screen; if not, it proceeds to create it.

🧩 Why Does Automated IOC Management Matter?

This Story helps teams:

  • Avoid format errors when ingesting new threat feeds

  • Reduce upload times for large IOC lists

  • Ensure consistency across different formats (Text/JSON/CSV)

  • Save hours of manual cleanup every week

Instead of juggling Excel sheets, you now have a Tines Form that takes care of everything — just drop in your file and click Submit.

🔗 How Do You Import and Try This Tines Story?

Want to test this in your own environment? Here’s the pre-built Story ready to import and run: 👉 Infoblox Threat Defense — Add External IOCs to Custom List (Tines Library)

Once imported, connect your Infoblox credentials in Tines (CREDENTIAL.infoblox_bloxone) and you’re off to the races.

🧠 What Are the Key Takeaways?

This automation is a great example of using Tines not just as a playbook builder — but as a true integration layer between your security tools.

With a few reusable Python transformations and clean API calls, you can turn repetitive work into something elegant and scalable.

If you build or modify this flow, tag me — I’d love to see your variations or how you extend it (e.g., auto-enrichment, deduplication, or alerting via Slack).

Stay curious, keep automating.


Frequently Asked Questions

What file formats does the Tines IOC automation Story support?

The Story accepts IOC files in three formats: JSON, CSV, and plain text. The Tines form lets you select the file type, and the workflow normalizes the data automatically — base64 decoding the upload and flattening the structure — regardless of the source format.

Why does Tines chunk IOC data into 50K blocks before uploading to Infoblox?

The Infoblox BloxOne Threat Defense API has size limits per request. Chunking the data into 50,000-item blocks ensures each POST to https://csp.infoblox.com/api/atcfw/v1/named_lists stays within those limits. The Story then loops through every chunk automatically until the entire feed is uploaded.

How does the Story verify that an IOC list was successfully created?

After uploading, the workflow sends a GET to https://csp.infoblox.com/api/atcfw/v1/named_lists and checks whether the returned list name matches the name you submitted. If found, it redirects to a “Name Exists” confirmation screen; if not, it proceeds to create the list.
