https://live.paloaltonetworks.com/t5/general-topics/withdraw-mesage-source/m-p/118973#M99776 Perfect answer! Just what I needed to know! Thank you @Imori Wed, 12 Oct 2016 10:25:55 GMT Forseti 2016-10-12T10:25:55Z https://live.paloaltonetworks.com/t5/general-topics/withdraw-mesage-source/m-p/118966#M99774 <P>Hi everyone,</P><P>&nbsp;</P><P>I am currently working on connecting MineMeld with our SIEM solution. I however ran into a question.</P><P>&nbsp;</P><P>When receiving an update message it states which sources the IOC originated from, also if there are multiple. example: (binarydefense and badips)</P><P>&nbsp;</P><P>{"message":"{\"@indicator\":\"120.69.220.5-120.69.220.5\",\"direction\":\"inbound\",\"@origin\":\"IPv4_Aggregator\",\"type\":\"IPv4\",\"@timestamp\":\"2016-10-11T17:13:35.693563Z\",\"confidence\":50,\"share_level\":\"green\",\<STRONG>"sources\":[\"binarydefense.banlist\",\"badips.any_3\"]</STRONG>,\"logstash_output_node\":\"Output-To-Logstash-5514\",\"message\":\"update\",\"@version\":1,\"first_seen\":\"2016-09-30T13:50:29.164000Z\",\"last_seen\":\"2016-09-30T13:50:34.330000Z\"}","@version":"1","@timestamp":"2016-10-11T15:13:35.693Z","host":"127.0.0.1","port":34402}</P><P>&nbsp;</P><P>However all withdraw messages I receive do not include this field.</P><P>Question: are withdraw messages generated when the IOC is removed rom <STRONG>ALL</STRONG> sources or is a messages generated for <STRONG>each source</STRONG> individually?</P><P>&nbsp;</P><P>Regards,</P><P>&nbsp;</P><P>Forseti</P> Wed, 12 Oct 2016 08:42:38 GMT https://live.paloaltonetworks.com/t5/general-topics/withdraw-mesage-source/m-p/118966#M99774 Forseti 2016-10-12T08:42:38Z https://live.paloaltonetworks.com/t5/general-topics/withdraw-mesage-source/m-p/118969#M99775 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/48459">@Forseti</a>,</P> <P>WITHDRAW messages have no body and an aggregator generates a withdraw for an indicator only when all the Miners have withdrawn the indicator.</P> <P>&nbsp;</P> <P>Longer explanation:</P> <P>&nbsp;</P> <P>Let's suppose you have a graph with 2 Miners M1 and M2, connected to an aggregator A, and A is connected to a single output node O. This is how WITHDRAWs work:</P> <OL> <LI>suppose that in the initial state both M1 and M2 have published an indicator I. M1 published I with a set of attributes AM1. M2 published I with a set of attributes AM2. Aggregator A then has published to O the indicator I with a set of attributes (AM1+AM2).</LI> <LI>Miner M1 expires indicator I (expiration of indicators depends on the age out configuration in each single Miner, i.e. each Miner can apply a different age out policy) and sends a WITHDRAW of indicator I to aggregator A.</LI> <LI>Aggregator A generates an UPDATE message to output O for indicator I with a set of attributes AM2, as AM1 have been removed.</LI> <LI>Miner M2 expires indicator I (according to its own age out policy) and sends a WITHDRAW of indicator I to aggregator A.</LI> <LI>Aggregator A at this point should remove indicator I because all the original Miners sources of I have withdrawn the indicator. Aggregator A then generates a WITHDRAW message for indicator I to output O.</LI> </OL> <P>&nbsp;</P> <P>&nbsp;</P> <P>Hope this helps.</P> <P>&nbsp;</P> <P>Luigi</P> Wed, 12 Oct 2016 09:37:54 GMT https://live.paloaltonetworks.com/t5/general-topics/withdraw-mesage-source/m-p/118969#M99775 lmori 2016-10-12T09:37:54Z https://live.paloaltonetworks.com/t5/general-topics/withdraw-mesage-source/m-p/118973#M99776 Perfect answer! Just what I needed to know! Thank you @Imori Wed, 12 Oct 2016 10:25:55 GMT https://live.paloaltonetworks.com/t5/general-topics/withdraw-mesage-source/m-p/118973#M99776 Forseti 2016-10-12T10:25:55Z