https://live.paloaltonetworks.com/t5/general-topics/syslog-miner-please-check-rule-syntax/m-p/169409#M99160 <P>Hi,</P> <P>&nbsp;</P> <P>I just cloned a syslog miner, following the guide here:</P> <P>&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/MineMeld-Articles/Using-the-syslog-Miner/ta-p/77262" target="_blank">https://live.paloaltonetworks.com/t5/MineMeld-Articles/Using-the-syslog-Miner/ta-p/77262</A></P> <P>&nbsp;</P> <P>I can see the syslog processed counter moving, so looks like syslog forwarding is working. &nbsp;I'm trying to have any source IP that generates a "critical" TID to be added to the MineMeld EDL. &nbsp;I created the following rule (based on an example on the MineMeld forum):</P> <P>&nbsp;</P> <P>conditions:<BR /> - type == 'THREAT'<BR /> - severity == 'critical'<BR /> - src_zone == 'WAN'<BR />fields: null<BR />indicators:<BR /> - src_ip</P> <P>&nbsp;</P> <P>Does this look OK for what I'm trying to accomplish? &nbsp;<STRIKE>And how do I know if the rule is actually hit? &nbsp;</STRIKE></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Luca<BR />&nbsp;</P> <P>edit: oops I just noticed the "hits" column on the Rules page...</P> Tue, 01 Aug 2017 21:55:49 GMT LucaMarchiori 2017-08-01T21:55:49Z https://live.paloaltonetworks.com/t5/general-topics/syslog-miner-please-check-rule-syntax/m-p/169409#M99160 <P>Hi,</P> <P>&nbsp;</P> <P>I just cloned a syslog miner, following the guide here:</P> <P>&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/MineMeld-Articles/Using-the-syslog-Miner/ta-p/77262" target="_blank">https://live.paloaltonetworks.com/t5/MineMeld-Articles/Using-the-syslog-Miner/ta-p/77262</A></P> <P>&nbsp;</P> <P>I can see the syslog processed counter moving, so looks like syslog forwarding is working. &nbsp;I'm trying to have any source IP that generates a "critical" TID to be added to the MineMeld EDL. &nbsp;I created the following rule (based on an example on the MineMeld forum):</P> <P>&nbsp;</P> <P>conditions:<BR /> - type == 'THREAT'<BR /> - severity == 'critical'<BR /> - src_zone == 'WAN'<BR />fields: null<BR />indicators:<BR /> - src_ip</P> <P>&nbsp;</P> <P>Does this look OK for what I'm trying to accomplish? &nbsp;<STRIKE>And how do I know if the rule is actually hit? &nbsp;</STRIKE></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Luca<BR />&nbsp;</P> <P>edit: oops I just noticed the "hits" column on the Rules page...</P> Tue, 01 Aug 2017 21:55:49 GMT https://live.paloaltonetworks.com/t5/general-topics/syslog-miner-please-check-rule-syntax/m-p/169409#M99160 LucaMarchiori 2017-08-01T21:55:49Z https://live.paloaltonetworks.com/t5/general-topics/syslog-miner-please-check-rule-syntax/m-p/170060#M99161 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/28602">@LucaMarchiori</a>,</P> <P>looks good to me. Have you tested it already ?</P> <P>&nbsp;</P> <P>I would probably add "log_subtype" and "threat_name" as fields in the rule, to save more context of the original log.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>luigi</P> Fri, 04 Aug 2017 12:30:07 GMT https://live.paloaltonetworks.com/t5/general-topics/syslog-miner-please-check-rule-syntax/m-p/170060#M99161 lmori 2017-08-04T12:30:07Z https://live.paloaltonetworks.com/t5/general-topics/syslog-miner-please-check-rule-syntax/m-p/170075#M99162 <P>Hi lmori,</P> <P>&nbsp;</P> <P>Do you mean something like this:</P> <P>&nbsp;</P> <P><SPAN>conditions:</SPAN><BR /><SPAN>- type == 'THREAT'</SPAN><BR /><SPAN>- severity == 'critical'</SPAN><BR /><SPAN>- src_zone == 'WAN'</SPAN><BR /><SPAN>fields:</SPAN></P> <P>&nbsp; -&nbsp;<SPAN>"log_subtype"</SPAN></P> <P><SPAN>&nbsp; - "threat_name"</SPAN><BR /><SPAN>indicators:</SPAN><BR /><SPAN>- src_ip</SPAN></P> <P>&nbsp;</P> <P><SPAN>I had 2 "high" severity and one "critical" events in the threat log since yesterday, and the counter this morning is still at zero hits.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>This is the config currently (/opt/minemeld/local/config/syslog-miner_rules.yml):</SPAN></P> <P>&nbsp;</P> <P><SPAN>- conditions: [type == 'THREAT', log_subtype == 'vulnerability', severity == 'high',<BR /> src_zone == 'WAN']<BR /> fields: null<BR /> indicators: [src_ip]<BR /> name: threats-ALL-high<BR />- conditions: [type == 'THREAT', log_subtype == 'vulnerability', severity == 'critical',<BR /> src_zone == 'WAN']<BR /> fields: null<BR /> indicators: [src_ip]<BR /> name: threats-ALL-critical<BR /><BR /></SPAN></P> <P><SPAN>** edit 2:</SPAN></P> <P>&nbsp;</P> <P><SPAN>Got a few pages of "high" severity threat this morning (TID 40007). &nbsp;No hits on the syslog miner node.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 04 Aug 2017 19:47:20 GMT https://live.paloaltonetworks.com/t5/general-topics/syslog-miner-please-check-rule-syntax/m-p/170075#M99162 LucaMarchiori 2017-08-04T19:47:20Z https://live.paloaltonetworks.com/t5/general-topics/syslog-miner-please-check-rule-syntax/m-p/170264#M99163 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/28602">@LucaMarchiori</a>,</P> <P>which PAN-OS version are you running ?</P> <P>&nbsp;</P> <P>Thanks,</P> <P>luigi</P> Mon, 07 Aug 2017 07:31:57 GMT https://live.paloaltonetworks.com/t5/general-topics/syslog-miner-please-check-rule-syntax/m-p/170264#M99163 lmori 2017-08-07T07:31:57Z https://live.paloaltonetworks.com/t5/general-topics/syslog-miner-please-check-rule-syntax/m-p/170531#M99164 <P>Hi Luigi,</P> <P>&nbsp;</P> <P>I'm using 7.1.11</P> Tue, 08 Aug 2017 14:52:24 GMT https://live.paloaltonetworks.com/t5/general-topics/syslog-miner-please-check-rule-syntax/m-p/170531#M99164 LucaMarchiori 2017-08-08T14:52:24Z https://live.paloaltonetworks.com/t5/general-topics/syslog-miner-please-check-rule-syntax/m-p/171672#M99165 <P>Hi lmori,</P> <P>&nbsp;</P> <P>Any ideas why the miner node is not getting any hits? &nbsp;Is there a MineMeld rule help doc that I should be looking at instead?</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Luca</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 15 Aug 2017 15:38:46 GMT https://live.paloaltonetworks.com/t5/general-topics/syslog-miner-please-check-rule-syntax/m-p/171672#M99165 LucaMarchiori 2017-08-15T15:38:46Z