https://live.paloaltonetworks.com/t5/general-topics/minemeld-syslog-indicator-rules/m-p/139316#M98705 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/49030">@josev123</a>,</P> <P>you can do this in 3 ways (in order of performance):</P> <P>- forward only logs of accepted session to MineMeld</P> <P>- filter the session logs inside rsyslog config</P> <P>- create an indicator rule that match on the condition action == "accept"</P> Wed, 25 Jan 2017 13:41:51 GMT lmori 2017-01-25T13:41:51Z https://live.paloaltonetworks.com/t5/general-topics/minemeld-syslog-indicator-rules/m-p/99423#M98701 <P>Hi all,</P> <P>&nbsp;</P> <P>I've successfully connected my firewall to the syslog miner and can see logs arriving. I believe I now need to create a rule to match logs to extract the indicators.</P> <P>&nbsp;</P> <P>Here's my recieve stats from the miner:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="miner-stats.jpg" style="width: 468px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/4916iC99C6F11C6097AB1/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="miner-stats.jpg" alt="miner-stats.jpg" /></span></P> <P>Here's the rule I'm trying to craft to extract the src_ip info..</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rule.jpg" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/4917i1A4846F9DE352474/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="rule.jpg" alt="rule.jpg" /></span>&nbsp;</P> <P>Additionally, is it possible to extract the attacker IP from the WildFire submissions log? Looks like just threats and traffic. My use-case would be to capture attacker IPs for previously unknown samples where no further samples are seen and therefore the Threat WF sigs are not activated.</P> <P>&nbsp;</P> <P>Thanks for the help.</P> <P>&nbsp;</P> <P>Tim</P> Fri, 22 Jul 2016 10:53:36 GMT https://live.paloaltonetworks.com/t5/general-topics/minemeld-syslog-indicator-rules/m-p/99423#M98701 tkirk 2016-07-22T10:53:36Z https://live.paloaltonetworks.com/t5/general-topics/minemeld-syslog-indicator-rules/m-p/99432#M98702 <P>Hi Tim,</P> <P>documentation is lacking on the syslog Miner, I will work on something better. In the meantime this a rule definition for extracing source IP from Wildfire logs. Wildfire logs are logs of type <STRONG>THREAT</STRONG> and subtype <STRONG>wildfire</STRONG>. The <STRONG>misc</STRONG> field contains the name of the file, while the <STRONG>url_idx</STRONG> field contains the hash.</P> <P>&nbsp;</P> <PRE>conditions: - type == 'THREAT' - log_subtype == 'wildfire' fields: - misc - url_idx indicators: - src_ip </PRE> <P>There are a couple of bugs in the current version of the syslog Miner (0.9.18) I am planning to fix in the next minor.</P> Fri, 22 Jul 2016 11:40:49 GMT https://live.paloaltonetworks.com/t5/general-topics/minemeld-syslog-indicator-rules/m-p/99432#M98702 lmori 2016-07-22T11:40:49Z https://live.paloaltonetworks.com/t5/general-topics/minemeld-syslog-indicator-rules/m-p/99440#M98703 <P>Working great. Thanks again Luigi. I think I have everything I need for now, so i shouldn't be hassling you for a while <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 22 Jul 2016 12:32:27 GMT https://live.paloaltonetworks.com/t5/general-topics/minemeld-syslog-indicator-rules/m-p/99440#M98703 tkirk 2016-07-22T12:32:27Z https://live.paloaltonetworks.com/t5/general-topics/minemeld-syslog-indicator-rules/m-p/138930#M98704 <P>Maybe I am missing something.. however I want to only parse syslogs that have been allowed, where do I go to do this. (like where do I go to add indicator rules)</P> <P>Did I miss where this was noted?</P> <P>&nbsp;</P> Mon, 23 Jan 2017 18:47:49 GMT https://live.paloaltonetworks.com/t5/general-topics/minemeld-syslog-indicator-rules/m-p/138930#M98704 josev123 2017-01-23T18:47:49Z https://live.paloaltonetworks.com/t5/general-topics/minemeld-syslog-indicator-rules/m-p/139316#M98705 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/49030">@josev123</a>,</P> <P>you can do this in 3 ways (in order of performance):</P> <P>- forward only logs of accepted session to MineMeld</P> <P>- filter the session logs inside rsyslog config</P> <P>- create an indicator rule that match on the condition action == "accept"</P> Wed, 25 Jan 2017 13:41:51 GMT https://live.paloaltonetworks.com/t5/general-topics/minemeld-syslog-indicator-rules/m-p/139316#M98705 lmori 2017-01-25T13:41:51Z https://live.paloaltonetworks.com/t5/general-topics/minemeld-syslog-indicator-rules/m-p/140273#M98706 <P>where do I go to add a indicator rule</P> Tue, 31 Jan 2017 16:02:27 GMT https://live.paloaltonetworks.com/t5/general-topics/minemeld-syslog-indicator-rules/m-p/140273#M98706 josev123 2017-01-31T16:02:27Z https://live.paloaltonetworks.com/t5/general-topics/minemeld-syslog-indicator-rules/m-p/140645#M98707 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/49030">@josev123</a>,</P> <P>you should go into NODES &gt; &lt;syslog miner node&gt; &gt; RULES to add new indicator rules. Check this forum for examples of rules you can specify:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2017-02-02 at 09.14.45.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/7591i858E8EFC9B64BE0F/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Screen Shot 2017-02-02 at 09.14.45.png" alt="Screen Shot 2017-02-02 at 09.14.45.png" /></span></P> Thu, 02 Feb 2017 08:16:12 GMT https://live.paloaltonetworks.com/t5/general-topics/minemeld-syslog-indicator-rules/m-p/140645#M98707 lmori 2017-02-02T08:16:12Z