topic Autofocus Mindmeld whitelist microsoft in General Topics

Autofocus Mindmeld whitelist microsoft

Sec101 — Thu, 01 Nov 2018 15:30:35 GMT

I'm running into an issue where I can pull in indicators from autofocus by creating a minemeld miner, the only problem is that I am getting a lot of windows.com and microsoft.com domains in the list. I've had the search from autofocus entered as malicious/grayware/phishing, but still the miner is pulling in microsoft domains and windowsupadate.com domains that I want to ensure are always whitelisted. I have whitelist local miners that i can manually add these to, but how do I *.windowsupdate.com or *.microsoft.com these so I never see these in the list. These miners are useless to me if I can't more granularly control what is coming in on the list...

Re: Autofocus Mindmeld whitelist microsoft

lmori — Tue, 20 Nov 2018 13:25:32 GMT

Hi @Sec101,

are you selecting only High Confidence indicators from AF? The microsoft.com, ... should all have low confidence.

Re: Autofocus Mindmeld whitelist microsoft

Sec101 — Tue, 20 Nov 2018 19:30:40 GMT

I think that was it. Thank you.

Found it on one of your other posts:

https://live.paloaltonetworks.com/t5/MineMeld-Discussions/Confidence-level-in-logs/td-p/219849

I was using the below ouput:

stdlib.feedRedWithValue

Your saying that if I filter by output node, with confidence greater than 75 I should be good to go and not have to worry about these? Do you suggest specifying a Wildfire verdict in the search, or is that something that AF takes care of with confidence levels?

Re: Autofocus Mindmeld whitelist microsoft

lmori — Tue, 20 Nov 2018 22:54:28 GMT

I would specify it to avoid processing useless samples, but AF also takes care of it in the IOC confidence level.

Re: Autofocus Mindmeld whitelist microsoft

Sec101 — Wed, 21 Nov 2018 14:42:08 GMT

Thank you. This is the perfect answer for this. Hopefully this helps someone else out as well.