AlienVault taxii miner versus prebuilt reputation data miner

L3 Networker

Re: AlienVault taxii miner versus prebuilt reputation data miner

Thanks this seems to work. I have it pulling some data. Not any feeds I subscribe to though.

L3 Networker

Re: AlienVault taxii miner versus prebuilt reputation data miner

How could I go about changing this to mine sha256 indicators out of otx?

L7 Applicator

Re: AlienVault taxii miner versus prebuilt reputation data miner

Hi @chirss,

just tested this and it works for me:

[Screenshot: Screen Shot 2017-09-15 at 12.42.59.png]

L3 Networker

Re: AlienVault taxii miner versus prebuilt reputation data miner

Thanks. I'm able to clone a miner and set it to sha256 (or sha1) and it pulls 315 indicators. What I'm trying to figure out is how it relates to subscriptions in otx, if anyone knows.


Thanks for confirming, I was able to at least pull data once I made a miner for them (noticed I wasn't looking for hashes in the miner itself).

L7 Applicator

Re: AlienVault taxii miner versus prebuilt reputation data miner

Good question, I hope @chrisdoman could help here.

L3 Networker

Re: AlienVault taxii miner versus prebuilt reputation data miner

I'm back on this, a year later. Trying to relate subscribing to a person or pulse to how it gets pulled by the miner, if it does.

L2 Linker

Re: AlienVault taxii miner versus prebuilt reputation data miner

Just followed the directions here, and on mine the miner under Nodes, where I go to set the API key, then asks for a password? But there is no password and it will not work. What would I enter there?

L2 Linker

Re: AlienVault taxii miner versus prebuilt reputation data miner

Got this working. Any text will do; it will be ignored anyway. Go figure.

Has anyone successfully stripped http and https from a TAXII feed so that Palo Alto FWs can block those URLs? Currently, aggregating the URLs into an output works and PAs can pull them into EDLs; however, it is pulling them with http and https, and PAs are then not able to block those objects, since according to the PA article any URL object cannot contain http:// or https://.


I found the example here https://live.paloaltonetworks.com/t5/MineMeld-Articles/Using-MineMeld-to-Create-a-Custom-Miner/tac-p...

It shows how to do it against a csv/txt list, but I have not been able to find it for the TAXII client feed. I applied the same terminology, but that did not work. Has anyone else been able to do this and can share some insight?

L0 Member

Re: AlienVault taxii miner versus prebuilt reputation data miner

Hi,


In the EDL Create List window on the firewall you can add the "Source"...

It should be like this: https://minemeldserver.internal/feeds/OTXURLOutput?v=panosurl


Cheers

Joris

L2 Linker

Re: AlienVault taxii miner versus prebuilt reputation data miner

@joris_vd thank you for responding, however I have that part done; it is not what I am asking. What I am asking is how you can have MineMeld strip the http and https from the list of indicators, as the Palo Alto firewalls are ingesting the list containing http and https for all URLs and it is not supported. It needs to be just like google.com, for example, rather than what the MineMeld list is holding, http://google.com.


With a txt/csv file MineMeld feed you can manipulate it and tell it to drop the http and https from all URL indicators; however, I have not been able to find it for the TAXII feed.
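Stripping the scheme from URL indicators, as an added stand-alone example (not MineMeld's own code and not a MineMeld processor): it rewrites a URL list into the scheme-less form the poster says PAN-OS URL EDLs require, and merges the http:// and https:// variants that become identical once stripped. The sample feed and the host names in it are constructed.

```python
import sys
from typing import Iterable, List, Optional

# Constructed sample of a URL indicator list as a MineMeld output feed might
# serve it (not real feed data); the first two URLs collapse to one entry.
SAMPLE_FEED = """# comment lines and blanks are ignored
http://malicious.example/path/a
https://malicious.example/path/a
HTTP://Other.Example.net/login.php
evil.example.org
   https://trailing.example/   
"""


def to_panos_url_entry(indicator: str) -> Optional[str]:
    """Rewrite one URL indicator into the scheme-less form a PAN-OS URL EDL
    accepts (host/path). Returns None for blank or comment lines."""
    s = indicator.strip()
    if not s or s.startswith("#"):
        return None
    # Strip only a leading http:// or https://, case-insensitively; a
    # scheme-less indicator such as a bare domain is left untouched.
    lowered = s.lower()
    for scheme in ("http://", "https://"):
        if lowered.startswith(scheme):
            s = s[len(scheme):]
            break
    # Hostnames are case-insensitive, so lower-case the host but keep the
    # path exactly as given (paths may be case-sensitive on the target).
    host, sep, path = s.partition("/")
    return host.lower() + sep + path


def convert_feed(lines: Iterable[str]) -> List[str]:
    """Convert a whole feed, dropping the duplicates that appear once the
    http:// and https:// variants of the same URL are merged."""
    seen = set()
    out: List[str] = []
    for line in lines:
        entry = to_panos_url_entry(line)
        if entry and entry not in seen:
            seen.add(entry)
            out.append(entry)
    return out


if __name__ == "__main__":
    # Read a feed on stdin (e.g. saved from the MineMeld output URL) and
    # print the EDL-ready list; with no piped input, convert the sample.
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_FEED.splitlines()
    print("\n".join(convert_feed(src)))
```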
