topic Re: minemeld and feeding info via CEF into ArcSight in General Topics

minemeld and feeding info via CEF into ArcSight

socfocus.com — Mon, 15 Aug 2016 14:27:39 GMT

Can you select formatting or would I need to create a wrapper that manipulates the data pushed by minemeld to forward in CEF? Glad an opensource community on this exist for this. Additionally I need an rpm based package or just a way to compile from source I am using CentOS any thoughts or is there a source package for this

Re: minemeld and feeding info via CEF into ArcSight

lmori — Tue, 16 Aug 2016 20:35:07 GMT

Hi socfocus,

CEF output node is definitely on my todo list (see ER#39 at https://github.com/PaloAltoNetworks/minemeld-core/issues/39). I am looking of a good example on how to translate Threat Intelligence into CEF format, do you have something I could look at ?

Installation based on RPM is on the TODO list, shall be quite easy to accomplish.

Re: minemeld and feeding info via CEF into ArcSight

lmori — Mon, 06 Feb 2017 19:34:41 GMT

Hi @socfocus.com,

starting with 0.9.32 you can use an external extension to achieve this:

https://github.com/PaloAltoNetworks/minemeld-cef

luigi

Re: minemeld and feeding info via CEF into ArcSight

iThreatHunt — Wed, 05 Jul 2017 02:12:30 GMT

Dear @lmori,

Is minemeld-cef extension support Hash aggregator processors (MD5, SHA256)?

Does minemeld-cef support all aggegators on minemeld?

Thank you

Re: minemeld and feeding info via CEF into ArcSight

lmori — Wed, 05 Jul 2017 20:21:58 GMT

Hi @iThreatHunt,

this could be supported by changing the template, but in which CEF field would you put the hash indicator ?

luigi

Re: minemeld and feeding info via CEF into ArcSight

iThreatHunt — Thu, 06 Jul 2017 03:25:21 GMT

Could MD5, SHA256 mapping with Device Custom String3?

Now Device Custom field is used

Re: minemeld and feeding info via CEF into ArcSight

iThreatHunt — Sat, 08 Jul 2017 06:27:27 GMT

I found some error when activate mindmeld-cef 0.17b. Pleas advise me.

Obtaining file:///opt/minemeld/local/library/7d86cdf2-c97e-4835-a5df-acdad36fd48d
    Complete output from command python setup.py egg_info:
    Unable to find pgen, not compiling formal grammar.
    warning: no files found matching '*.pyx' under directory 'Cython/Debugger/Tests'
    warning: no files found matching '*.pxd' under directory 'Cython/Debugger/Tests'
    warning: no files found matching '*.h' under directory 'Cython/Debugger/Tests'
    warning: no files found matching '*.pxd' under directory 'Cython/Utility'
    unable to execute 'x86_64-linux-gnu-gcc': No such file or directory
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/opt/minemeld/local/library/7d86cdf2-c97e-4835-a5df-acdad36fd48d/setup.py", line 50, in <module>
        entry_points=_entry_points
      File "/usr/lib/python2.7/distutils/core.py", line 111, in setup
        _setup_distribution = dist = klass(attrs)
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/setuptools/dist.py", line 320, in __init__
        self.fetch_build_eggs(attrs['setup_requires'])
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/setuptools/dist.py", line 377, in fetch_build_eggs
        replace_conflicting=True,
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 852, in resolve
        dist = best[req.key] = env.best_match(req, ws, installer)
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 1124, in best_match
        return self.obtain(req, installer)
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 1136, in obtain
        return installer(requirement)
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/setuptools/dist.py", line 445, in fetch_build_egg
        return cmd.easy_install(req)
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 673, in easy_install
        return self.install_item(spec, dist.location, tmpdir, deps)
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 699, in install_item
        dists = self.install_eggs(spec, download, tmpdir)
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 880, in install_eggs
        return self.build_and_install(setup_script, setup_base)
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 1119, in build_and_install
        self.run_setup(setup_script, setup_base, args)
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 1107, in run_setup
        raise DistutilsError("Setup script exited with %s" % (v.args[0],))
    distutils.errors.DistutilsError: Setup script exited with error: command 'x86_64-linux-gnu-gcc' failed with exit status 1

    ----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /opt/minemeld/local/library/7d86cdf2-c97e-4835-a5df-acdad36fd48d/

Re: minemeld and feeding info via CEF into ArcSight

iThreatHunt — Sat, 08 Jul 2017 14:26:31 GMT

Re: minemeld and feeding info via CEF into ArcSight

lmori — Tue, 11 Jul 2017 06:34:10 GMT

Hi @iThreatHunt,

installing minemeld-cef from source requires a compiler, and this is not available by default on MineMeld VMs (security).

You can instead download the wheel file from here:

https://github.com/PaloAltoNetworks/minemeld-cef/releases

And upload it to MineMeld via SYSTEM > EXTENSIONS page.

Re: minemeld and feeding info via CEF into ArcSight

ahmed_hassan — Sun, 21 Jan 2018 21:50:52 GMT

is there any CEF output that mine meld generate?

Re: minemeld and feeding info via CEF into ArcSight

xhoms — Mon, 22 Jan 2018 17:50:04 GMT

Hi @ahmed_hassan,

could you elaborate a bit your question? CEF is just an interface to encapsulate indicators. MineMeld supports such an interface through an extension which means that you can output anything that your want to a CEF receiver.

Re: minemeld and feeding info via CEF into ArcSight

ahmed_hassan — Tue, 03 Jul 2018 21:17:50 GMT

when sending Hashes using CEF format , Hash value is not sent to Arcsight.

so, i view raw data that is sent to Arcsight , i found field that cantain Hash value is empty.

@xhoms wrote:

Hi @ahmed_hassan,

could you elaborate a bit your question? CEF is just an interface to encapsulate indicators. MineMeld supports such an interface through an extension which means that you can output anything that your want to a CEF receiver.

Re: minemeld and feeding info via CEF into ArcSight

ahmed_hassan — Tue, 03 Jul 2018 21:18:37 GMT

when sending Hashes using CEF format , Hash value is not sent to Arcsight.

so, i view raw data that is sent to Arcsight , i found field that cantain Hash value is empty.

Re: minemeld and feeding info via CEF into ArcSight

ahmed_hassan — Tue, 03 Jul 2018 21:37:36 GMT

Please find this raw log that is sent to arcsight with out hashvalue:

Raw Event: <53>Feb 21 18:48:40 CEF:0|Palo Alto Networks|MineMeld CEF Output|0.1|withdraw|MineMeld IOC|0|deviceFacility=sha256 deviceExternalId=MineMeld deviceProcessName=Malicious_Hash_To_Arcsight cs2Label=Sources cn2Label=NumberOfSources deviceCustomDate1=1519148121391 deviceCustomDate2=1519148121391 deviceCustomDate2Label=LastSeen cs1Label=ShareLevel cn2=1 deviceCustomDate1Label=FirstSeen cn1=100 cn1Label=Confidence cs2=ADIB_Hash_Malware_Miner endTime=1519238920025 cs1=red

Re: minemeld and feeding info via CEF into ArcSight

ahmed_hassan — Thu, 05 Jul 2018 07:51:07 GMT

HI @lmori @xhoms

can any one help about that

Re: minemeld and feeding info via CEF into ArcSight

iThreatHunt — Fri, 26 Oct 2018 16:19:19 GMT

Please update minemeld-cef output for supporting hash value (MD5,SHA1,SHA256).