How to export sample miner from minemeld app in autofocus

jilim — Wed, 28 Mar 2018 00:43:33 GMT

Hi experts,

I have a customer who uses Autofocus with Minemeld and, uses splunk.

This customer is using two minemeld. One of Minemeld is from Autofocus app and, another is Standalone Minemeld deployed on Splunk.

but, I found out difference number of miner samples between Autofocus app and Standalone Minemeld.

Below is number of samples when search keyword "autofocus"

1. Standalone Minemeld

2. Autofocus app Minemeld

So, Customer wants to export miner samples from Autofocus app and, import samples on Standalone Minemeld.

Please advise to me and will appreciated.

Thanks

Jihoon

Re: How to export sample miner from minemeld app in autofocus

xhoms — Fri, 30 Mar 2018 07:31:19 GMT

Hi @jilim,

Being able to extract indicators from AutoFocus searches is one of the few features not available in the MineMeld Community edition. Only the AutoFocus hosted MineMeld instance includes a miner capable of it.

Said that, there is a special miner named "JSONSeq" that allows a MineMeld-to-MineMeld kind of connection. Using this miner you can "pipe" all indicators from the hosted MineMeld instance to your on-premises MineMeld one.

The following is a step-by-step guide on how to achieve this.

Step 1: Route your AF samples indicators to a feed output node

The following screen capture shows a graph in an AutoFocus MineMeld instance routing samples searches to a feed output node.

Click on the output node to confirm the number of indicators and other details for the feed.

Note that, by default, all AutoFocus hosted feeds are authenticated (in this case with the tags "active_campaigns" and "test_tag"). This means that you'll need the corresponding user and password for the on-premises MineMeld instance to be able to import indicators from this feed.

Copy the URL of the feed. You'll need it in the next step.

Step 2: Create a new JSONSeq miner prototype

Look in your on-premises MineMeld instance for the JSONSeq standard prototype.

Click on it an create a new prototype from this base.

Use, in the new prototype, the URL you captured in the step 1

Now locate this recently created prototype and clone it to a working node.

Now commit the configuration. And navigate to the "Nodes" tab to realize there is an error in the miner.

As said before, AF hosted feeds are, by default, protected with basic authentication. You must provide a valid username and password to the miner so it can successfully grab the indicators. Once you do so, you'll see how the indicators are imported by the on-premises MineMeld instance.

Click on any node's log entry to confirm not only the indicators but the full context is being extracted.

topic How to export sample miner from minemeld app in autofocus in General Topics

How to export sample miner from minemeld app in autofocus

Re: How to export sample miner from minemeld app in autofocus