topic Re: MineMeld Splunk App in General Topics

MineMeld Splunk App

ammaleswaran — Tue, 31 Jan 2017 00:29:47 GMT

Hi Guys,

I'm new to this community. At the moment, we are actively exploring MineMeld in our environment and would like to know if there is any connectors available for Splunk to consume intel collected by MineMeld .

Please advise.

Thank you.

Re: MineMeld Splunk App

btorresgil — Fri, 03 Feb 2017 16:59:52 GMT

Hello,

My name is Brian Torres-Gil and my team owns the Splunk integration at Palo Alto Networks. A Minemeld-Splunk integration is in the works, and I'd love to hear any use cases you have so we can ensure they're handled by the integration. Please tell me what you'd like to see from a Splunk integration with Minemeld and any problems you'd solve with it. This will really help us with the final design.

Thanks!

-Brian

Re: MineMeld Splunk App

gafrol — Tue, 14 Feb 2017 10:19:35 GMT

We will provide MineMeld as a Service for our PAN Firewall customers. Therefore it would be nice to see a graphical presentation of the currently connected Firewalls and to which feeds.

Thanks

Roland

Re: MineMeld Splunk App

lmori — Wed, 15 Feb 2017 10:03:33 GMT

Hi @gafrol,

this would be a nice feature to have inside MineMeld. With the current release if you are already using Splunk or a system able to process syslog logs to create a dashboard, you can configure nginx on MineMeld to forward logs to an external syslog server. Using the nginx logs you can visualize and track firewalls connecting to the different feeds.

Details: https://nginx.org/en/docs/syslog.html

Re: MineMeld Splunk App

mboehlke — Mon, 27 Mar 2017 17:36:06 GMT

I would also be interested in using the minemeld app to ingest the node logs into Splunk, so that Splunk could have knowledge of the additions, updates, withdrawls, etc. occuring for each indicator.

Re: MineMeld Splunk App

lmori — Wed, 29 Mar 2017 09:58:56 GMT

Hi @mboehlke,

are you interested in sending indicators updates/withdraws to Splunk ? Or using the MineMeld feeds as lookup tables inside Splunk ?

Thanks !

luigi

Re: MineMeld Splunk App

mboehlke — Wed, 29 Mar 2017 11:46:28 GMT

I was primarily interested in sending the updates/withdraws to Splunk. There's some hesitation to implementing dynamic block lists everywhere on our network and being able to audit the lists through a utility everyone is familiar with would do a lot to help assuage that.

I had been looking at just putting a forwarder on the minemeld instance, but the log files I found that appear to contain the logs read in by the MineMeld UI don't exclusively contain text? It looks like there's some binary data in there as well?

Re: MineMeld Splunk App

lmori — Thu, 30 Mar 2017 12:28:08 GMT

Hi @mboehlke,

there are 2 things you could now for this:

1 - use the logstash output node to push indicators to LogStash and then configure logstash to forward the messages to Splunk. An open point here is the best format to be used on LogStash to push indicators to Splunk.

2 - use the minemeld-cef extension to generate messages in CEF format. My understanding is that Splunk can understand CEF

Re: MineMeld Splunk App

soc_enav — Mon, 09 Oct 2017 07:35:23 GMT

I found this page while looking at some Splunk/MineMeld integration post.

I wrote a series of blog posts on Threat Intelligence automation using MineMeld and Splunk

You can find here
https://scubarda.wordpress.com/category/threat-intelligence/

Some note:

on post 1 I show the architecture
on post 2 I show how-to write a custom prototype and the IoC integration with our SOC Splunk application. This is the fully automated near real feature we are using today to check IoC access.
on post 3 I show how-to create a STIX/TAXII output miner to export IoC
on post 4 I show how I integrated IoC events (updates/withdraw) into Splunk; to do this I wrote a TA to parse coming data (via logstash connector) and an app to show some stats (both on github).

Hope this is useful
Giovanni

Re: MineMeld Splunk App

michael.gabriel — Wed, 30 May 2018 20:19:13 GMT

Hi! I know I'm late to the party but I'd also like to monitor node updates coming from MM to Splunk, and I'm having trouble finding the right queries to do so.. propably due to the fact that we are very unknowledgeable concerning Splunk here hahahha.

Our 7.1 Splunk instance is connected to some MM outputs, and I can correctly find the indicators by using the | `mm_indicators` search or | from inputlookup:"minemeldfeeds_lookup" . What I need to do is compare last month's feeds to this month's feeds and return all the new indicators that have appeared in the last 30 days. All this is utlimately to compare to NGFW security policy hits within the last month to know if the new indicators have been hit or not.

Hopefully someone here could help us with this, maybe @btorresgil or @lmori ?

Thanks!

Re: MineMeld Splunk App

btorresgil — Fri, 01 Jun 2018 18:11:17 GMT

@michael.gabriel The Splunk App/Add-on doesn't track indicators over time by default. The indicators are fed into a KVStore lookup table, which is a database, so it does not natively have a time-component like the main Splunk index does. You can easily create a scheduled search in Splunk that simply indexes the minemeld indicator lookup table every day. Then you can see how the indicators change over time. Would that suggestion work for you?

-Brian

Re: MineMeld Splunk App

michael.gabriel — Fri, 01 Jun 2018 18:23:55 GMT

Thank you so much for the quick reply @btorresgil. I believe that is exactly what I should be doing, if you have the time/patience to do so, could you briefly explain the steps to me please?

Cheers 🙂