MineMeld: What is the difference of Share Level and stdlib name with/without value

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

MineMeld: What is the difference of Share Level and stdlib name with/without value

L2 Linker

Dear All Brothers,

 

I'm a new user to testing the MineMeld, but I cannot find any document to know the detail information.

In our environment testing, we would like to implement the Feed List to deny the traffic to a high-risk IP address and our testing, and we find below information is difficult to know the difference.

 

Case:

1. stdlib.feedHCGreen and stdlib.feedHCGreenWithValue

      EDL for high confidence indicators (>75) and share level green, with value

      What is the difference of with value or without value?

2. share_level (Red, Green, Yellow, Unknown)

     Normally, you can use the Red, and Green for feed output, but the yellow comes from stdlib.listIPv4Generic

     A. How to use the Yellow share level, and what is the main difference or propose of the share_level?

     B. In Current MineMeld, you can generate and export the feed for Red, and Green. How about the Yellow or Unknow Share_Level?

 
Thanks & Regards,
James C
3 REPLIES 3

L7 Applicator

Hi @JamesChim,

which Miner is generating indicators with share level "Yellow"?

Looks like a bug, the right share level should be "amber": https://github.com/PaloAltoNetworks/minemeld-core/blob/master/docs/schema-indicator-0-1.json#L61

 

About with and without value, please just the ones "WithValue". WithValue means that both the indicators and its metadata (the "value") are stored in the feed, while the ones without value do not store metadata to save memory. The "WithValue" prototypes are more flexibile.

Hi @lmori and @xhoms

 

In MM 0.9.46 we have the "libraesva" miners prototypes. All of them with share level Yellow. But we don't have an output prototype with this share level. I tried to create a new one from std.feedHCGreen, but it doesn't allow to change the share level to Yellow.

 

What is the best way to create an output prototype with share level Yellow?

 

Best regards.

  • 5109 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!