topic Re: Query MineMeld for a single IP\IoC? in General Topics

Query MineMeld for a single IP\IoC?

apackard — Fri, 11 May 2018 12:52:35 GMT

We are looking at various options to build a SOC framework and one of the objectives is to be able to have an internal 'queryable' API that we can use to investigate a single IP\IoC.

Is there anyway to make MineMeld work in that manner i.e. so we can query a list to see if an IP is included- https://minemeld/feeds/badlist?ip=8.8.8.8, rather than downloading the entire list and then having to muge the data as a secondary task.

Re: Query MineMeld for a single IP\IoC?

xhoms — Tue, 15 May 2018 08:47:29 GMT

Hi @apackard,

I'm afraid the current MineMeld API does not provide such an entry point. You could think on contributing with it 😉

Said that, are you aware of the multiple formats supported by the output feed? https://live.paloaltonetworks.com/t5/MineMeld-Articles/Parameters-for-the-output-feeds/ta-p/146170

It won't save you from downloading the full list but can make your investigation much easier.

For instance, request the list in JSON format and with CDIR transformation

https://rancher.xhoms.local:8443/feeds/inboundfeedhc?v=json&tr=1

You'll get a JSON response like the following one

[
{"indicator":"113.201.51.0/24","value":null},
{"indicator":"118.26.116.0/22","value":null},
{"indicator":"119.227.224.0/19","value":null},
{"indicator":"120.128.128.0/18","value":null},
{"indicator":"120.128.192.0/18","value":null},
{"indicator":"120.129.0.0/17","value":null},
{"indicator":"120.129.128.0/17","value":null},
{"indicator":"120.130.0.0/17","value":null}
]

You can pipe the result using a JMESPath engine to get a boolen result

contains([].indicator, `119.227.224.0/19`) -> true
contains([].indicator, `119.227.225.0/19`) -> false

Re: Query MineMeld for a single IP\IoC?

apackard — Wed, 16 May 2018 00:45:06 GMT

Thanks very much!

Though, believe me, you don't want my cide anywhere near the product...!