MineMeld: What is the difference of Share Level and stdlib name with/without value

L0 Member

Dear All Brothers,

I'm a new user testing MineMeld, but I cannot find any document with the detailed information.

In our environment testing, we would like to implement the Feed List to deny traffic to high-risk IP addresses, and in our testing we find it difficult to tell the difference between the items below.

Case:

1. stdlib.feedHCGreen and stdlib.feedHCGreenWithValue

      EDL for high confidence indicators (>75) and share level green, with value

      What is the difference between with value and without value?

2. share_level (Red, Green, Yellow, Unknown)

      Normally, you can use Red and Green for feed output, but Yellow comes from stdlib.listIPv4Generic.

      A. How do you use the Yellow share level, and what is the main difference or purpose of the share_level?

      B. In the current MineMeld, you can generate and export the feed for Red and Green. What about the Yellow or Unknown share_level?

 
Thanks & Regards,
James C
L7 Applicator

Re: MineMeld: What is the difference of Share Level and stdlib name with/without value

Hi @JamesChim,

Which Miner is generating indicators with share level "Yellow"?

Looks like a bug; the right share level should be "amber": https://github.com/PaloAltoNetworks/minemeld-core/blob/master/docs/schema-indicator-0-1.json#L61

About with and without value, please just use the ones "WithValue". WithValue means that both the indicator and its metadata (the "value") are stored in the feed, while the ones without value do not store metadata, to save memory. The "WithValue" prototypes are more flexible.

L4 Transporter

Re: MineMeld: What is the difference of Share Level and stdlib name with/without value

Hi @lmori and @xhoms,

In MM 0.9.46 we have the "libraesva" miner prototypes. All of them have share level Yellow. But we don't have an output prototype with this share level. I tried to create a new one from std.feedHCGreen, but it doesn't allow changing the share level to Yellow.

What is the best way to create an output prototype with share level Yellow?

 

Best regards.
