https://live.paloaltonetworks.com/t5/general-topics/indicators-and-values/m-p/162097#M99018 <P>hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11678">@lmori</a>&nbsp;- thanks for your reply..</P> <P>&nbsp; &nbsp;So I am using a prototype with name "stdlib.feedHCRedWithValue <SPAN class="prototypedetail-description">PROTOTYPE"</SPAN>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>As for the URL to download the feed, are you saying it would look like the following :</P> <P>&nbsp;</P> <P>https://&lt;minemeld_server&gt;/feeds/&lt;feed_output&gt;&amp;v=json</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>(I'm sure that's not it as I get an 'Unknown feed' message...)</P> <P>&nbsp;</P> <P>thanks...</P> Mon, 19 Jun 2017 21:47:46 GMT vb0398 2017-06-19T21:47:46Z https://live.paloaltonetworks.com/t5/general-topics/indicators-and-values/m-p/160497#M99016 <P>&nbsp;Hi,</P> <P>&nbsp; &nbsp;I noticed that when creating the '_process_item' code for a new miner, you generate data as an indicator, and a value. &nbsp;I am able to generate an EDL with my code, but it looks like the values associated with the indicators are not present. &nbsp;</P> <P>&nbsp;</P> <P>Does anybody know what types of feeds you would need to create to see the values associated with their corresponding indicators?</P> Sat, 10 Jun 2017 01:44:56 GMT https://live.paloaltonetworks.com/t5/general-topics/indicators-and-values/m-p/160497#M99016 vb0398 2017-06-10T01:44:56Z https://live.paloaltonetworks.com/t5/general-topics/indicators-and-values/m-p/161933#M99017 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/63193">@vb0398</a>,</P> <P>sorry for the late reply, you can click on LOGS in the top right corner of the Miner window to see all the indicators/values generatred by the Miner. See screenshots below.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MineMeld-1.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9804iE0DE12A65F9E2113/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="MineMeld-1.png" alt="MineMeld-1.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2017-06-19 at 14.29.58.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9806i89BFA7C6ADC3B5C2/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Screen Shot 2017-06-19 at 14.29.58.png" alt="Screen Shot 2017-06-19 at 14.29.58.png" /></span></P> <P>&nbsp;</P> <P>To see the value in the feed you should:</P> <UL> <LI>use a prototype with name stdlib.feed*WithValue</LI> <LI>in the URL of the feed, add the parameter to specify a format rendering the value - like v=json</LI> </UL> Mon, 19 Jun 2017 12:33:11 GMT https://live.paloaltonetworks.com/t5/general-topics/indicators-and-values/m-p/161933#M99017 lmori 2017-06-19T12:33:11Z https://live.paloaltonetworks.com/t5/general-topics/indicators-and-values/m-p/162097#M99018 <P>hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11678">@lmori</a>&nbsp;- thanks for your reply..</P> <P>&nbsp; &nbsp;So I am using a prototype with name "stdlib.feedHCRedWithValue <SPAN class="prototypedetail-description">PROTOTYPE"</SPAN>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>As for the URL to download the feed, are you saying it would look like the following :</P> <P>&nbsp;</P> <P>https://&lt;minemeld_server&gt;/feeds/&lt;feed_output&gt;&amp;v=json</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>(I'm sure that's not it as I get an 'Unknown feed' message...)</P> <P>&nbsp;</P> <P>thanks...</P> Mon, 19 Jun 2017 21:47:46 GMT https://live.paloaltonetworks.com/t5/general-topics/indicators-and-values/m-p/162097#M99018 vb0398 2017-06-19T21:47:46Z https://live.paloaltonetworks.com/t5/general-topics/indicators-and-values/m-p/162221#M99019 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/63193">@vb0398</a>,</P> <P>you should use a URL like this:</P> <P><SPAN>https://&lt;minemeld_server&gt;/feeds/&lt;feed_output&gt;<STRONG>?</STRONG>v=json</SPAN></P> <P>&nbsp;</P> <P><SPAN>(note the question mark instead of the &amp;)</SPAN></P> Tue, 20 Jun 2017 10:10:42 GMT https://live.paloaltonetworks.com/t5/general-topics/indicators-and-values/m-p/162221#M99019 lmori 2017-06-20T10:10:42Z https://live.paloaltonetworks.com/t5/general-topics/indicators-and-values/m-p/162405#M99020 <P>hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11678">@lmori</a>&nbsp;-&nbsp;</P> <P>&nbsp; &nbsp;thanks - works great.</P> <P>&nbsp;</P> <P>Ingesting this data into a Palo Alto device, I'm assuming the only way is via an EDL, and that would just be the standard/generic feed input&nbsp;(i.e., '&lt;ip address start&gt;-&lt;ip address end&gt;') &nbsp;Is that correct?</P> Tue, 20 Jun 2017 21:57:15 GMT https://live.paloaltonetworks.com/t5/general-topics/indicators-and-values/m-p/162405#M99020 vb0398 2017-06-20T21:57:15Z https://live.paloaltonetworks.com/t5/general-topics/indicators-and-values/m-p/162471#M99021 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/63193">@vb0398</a>,</P> <P>for ingesting with Palo Alto Networks NGFW you can use EDL format ("plain") or DAG output nodes.</P> <P>EDL can be used for IPs (/32, ranges and CIDRs), URLs and domains.</P> <P>DAG output node only for /32 IPs.</P> <P>&nbsp;</P> <P>My suggestion for traditional feeds is using EDLs.</P> Wed, 21 Jun 2017 08:34:46 GMT https://live.paloaltonetworks.com/t5/general-topics/indicators-and-values/m-p/162471#M99021 lmori 2017-06-21T08:34:46Z