Minemeld processors have no indicators

L3 Networker


I have created a new event processor and output node, but I'm not getting any of the indicators from the two nodes, and could use some assistance. @mjanik@alixpartners.com

L1 Bithead

Re: Minemeld processors have no indicators

Hello, I apologize for the lack of details on this; this had just started out as a support case/question.

I had created a new processor and a new output node because I wanted two specific miners for an output into a test firewall rule, but once I linked everything together, it seems that no indicators are being forwarded, and I'm just curious why. Any assistance would be greatly appreciated, thank you!

Attached is also a screenshot of what I've done with the Spamhaus feeds.

L7 Applicator

Re: Minemeld processors have no indicators

Hi @mjanik01,

Could you export the config from the config tab and paste it here?

L1 Bithead

Re: Minemeld processors have no indicators

I apologize for the late response; I was OOO for a few days. Here is the config:

```yaml
nodes:
  Tor-exit-nodes_IPv4_list:
    inputs:
      - Tor_engine_IPv4
    output: false
    prototype: stdlib.feedHCGreen
  office365_O365RemoteAnalyzers:
    inputs: []
    output: true
    prototype: office365.O365RemoteAnalyzers
  office365_O365:
    inputs: []
    output: true
    prototype: office365.O365
  O365_URL_list:
    inputs:
      - O365_engine_URL
    output: false
    prototype: stdlib.feedHCGreen
  office365_sway:
    inputs: []
    output: true
    prototype: office365.sway
  Inbound_IPv4_HC_list:
    inputs:
      - Inbound_engine_IPv4
    output: false
    prototype: stdlib.feedHCGreen
  office365_ipv6aggregator:
    inputs:
      - office365_O365
      - office365_exchangeOnline
      - office365_exchangeOnlineProtection
      - office365_O365ProPlus
      - office365_O365RemoteAnalyzers
      - office365_identity
      - office365_crls
      - office365_office365Video
      - office365_officeMobile
      - office365_officeOnline
      - office365_officeiPad
      - office365_oneNote
      - office365_planner
      - office365_sharepointOnline
      - office365_skypeBusinessOnline
      - office365_sway
      - office365_yammer
    output: true
    prototype: stdlib.aggregatorIPv6Simple
  office365_O365ProPlus:
    inputs: []
    output: true
    prototype: office365.O365ProPlus
  aggregatorIPv4Inbound-1499177669119:
    inputs: []
    output: true
    prototype: stdlib.aggregatorIPv4Inbound
  aggregatorIPv4Inbound-1499698016985:
    inputs:
      - Tor_engine_IPv4
    output: true
    prototype: stdlib.aggregatorIPv4Inbound
  Inbound_IPv4_LC:
    inputs:
      - Inbound_engine_IPv4
    output: false
    prototype: stdlib.feedLCGreen
  office365_identity:
    inputs: []
    output: true
    prototype: office365.identity
  Inbound_engine_IPv4:
    inputs:
      - Blocklist_all
      - DShield_Blocklist
      - BruteForceBlocker_List
      - Tor-exit-nodes
      - MalwareDomainList_IP
      - ZeusTracker_BadIPS
      - OutBound_Bad_SSL_Intelligence
    output: true
    prototype: stdlib.aggregatorIPv4Inbound
  office365_office365Video:
    inputs: []
    output: true
    prototype: office365.office365Video
  OutboundFeed_LC:
    inputs:
      - OutBound_IPv4_engine
    output: false
    prototype: stdlib.feedLCGreen
  office365_URLaggregator:
    inputs:
      - office365_O365
      - office365_exchangeOnline
      - office365_exchangeOnlineProtection
      - office365_O365ProPlus
      - office365_O365RemoteAnalyzers
      - office365_crls
      - office365_identity
      - office365_office365Video
      - office365_officeMobile
      - office365_officeOnline
      - office365_officeiPad
      - office365_oneNote
      - office365_planner
      - office365_sharepointOnline
      - office365_skypeBusinessOnline
      - office365_yammer
      - office365_sway
    output: true
    prototype: stdlib.aggregatorURL
  AMAZON-AWS-IPs:
    inputs: []
    output: true
    prototype: aws.AMAZON
  office365_officeMobile:
    inputs: []
    output: true
    prototype: office365.officeMobile
  O365_login:
    inputs: []
    output: true
    prototype: office365.O365
  AzureCloudIPs:
    inputs: []
    output: true
    prototype: azure.cloudIPs
  OutboundFeed_HC:
    inputs:
      - OutBound_IPv4_engine
    output: false
    prototype: stdlib.feedHCGreen
  office365_sharepointOnline:
    inputs: []
    output: true
    prototype: office365.sharepointOnline
  O365_CRL_list:
    inputs: []
    output: true
    prototype: office365.crls
  O365_officeiPad:
    inputs: []
    output: true
    prototype: office365.officeiPad
  office365_exchangeOnline:
    inputs: []
    output: true
    prototype: office365.exchangeOnline
  Blocklist_all:
    inputs: []
    output: true
    prototype: blocklist_de.all
  aggregatorIPv4OutboundAzureIPs:
    inputs:
      - AzureCloudIPs
    output: true
    prototype: stdlib.aggregatorIPv4Outbound
  office365_exchangeOnlineProtection:
    inputs: []
    output: true
    prototype: office365.exchangeOnlineProtection
  BruteForceBlocker_List:
    inputs: []
    output: true
    prototype: bruteforceblocker.blist
  AmazonAWSAggregator:
    inputs:
      - AMAZON-AWS-IPs
    output: true
    prototype: stdlib.aggregatorIPv4Inbound
  office365_IPv6s:
    inputs:
      - office365_ipv6aggregator
    output: false
    prototype: stdlib.feedHCWithValue
  OutBound_Bad_SSL_Intelligence:
    inputs: []
    output: true
    prototype: sslabusech.ipblacklist
  O365_Portal_and_Identity:
    inputs: []
    output: true
    prototype: office365.O365
  office365_ipv4aggregator:
    inputs:
      - office365_O365
      - office365_exchangeOnline
      - office365_exchangeOnlineProtection
      - office365_crls
      - office365_O365ProPlus
      - office365_O365RemoteAnalyzers
      - office365_identity
      - office365_office365Video
      - office365_officeMobile
      - office365_officeOnline
      - office365_officeiPad
      - office365_oneNote
      - office365_planner
      - office365_sharepointOnline
      - office365_skypeBusinessOnline
      - office365_sway
      - office365_yammer
    output: true
    prototype: stdlib.aggregatorIPv4Generic
  O365_IPv4_list:
    inputs:
      - O365_engine_IPv4
    output: false
    prototype: stdlib.feedHCGreen
  Tor_engine_IPv4:
    inputs: []
    output: true
    prototype: stdlib.aggregatorIPv4Generic
  office365_URLs:
    inputs:
      - office365_URLaggregator
    output: false
    prototype: stdlib.feedHCWithValue
  office365_oneNote:
    inputs: []
    output: true
    prototype: office365.oneNote
  feedHCWithValue-AzureIPs:
    inputs:
      - aggregatorIPv4OutboundAzureIPs
    output: true
    prototype: stdlib.feedHCWithValue
  office365_crls:
    inputs: []
    output: true
    prototype: office365.crls
  IPv4ArtifactsOutput:
    inputs:
      - incomingIPv4Aggregator
    output: true
    prototype: autofocus.artifactsOutput
  WannaCry:
    inputs: []
    output: true
    prototype: autofocus.samplesMiner
  incomingIPv4Aggregator:
    inputs:
      - spamhaus_DROP
      - spamhaus_EDROP
    output: true
    prototype: stdlib.aggregatorIPv4Generic
  office365_yammer:
    inputs: []
    output: true
    prototype: office365.yammer
  OutBound_IPv4_engine:
    inputs:
      - ZeusTracker_BadIPS
      - MalwareDomainList_IP
      - OutBound_Bad_SSL_Intelligence
      - Tor-exit-nodes
    output: true
    prototype: stdlib.aggregatorIPv4Outbound
  O365_engine_IPv4:
    inputs:
      - WannaCry
    output: true
    prototype: stdlib.aggregatorIPv4Generic
  office365_IPv4s:
    inputs:
      - office365_ipv4aggregator
    output: false
    prototype: stdlib.feedHCWithValue
  O365_engine_URL:
    inputs:
      - O365_Portal_and_Identity
      - O365_login
      - O365_CRL_list
      - O365_officeiPad
    output: true
    prototype: stdlib.aggregatorURL
  MalwareDomainList_IP:
    inputs: []
    output: true
    prototype: malwaredomainlist.ip
  spamhaus_EDROP:
    inputs: []
    output: true
    prototype: spamhaus.EDROP
  Tor-exit-nodes:
    inputs: []
    output: true
    prototype: tor.exit_addresses
  DShield_Blocklist:
    inputs: []
    output: true
    prototype: dshield.block
  office365_officeiPad:
    inputs: []
    output: true
    prototype: office365.officeiPad
  ZeusTracker_BadIPS:
    inputs: []
    output: true
    prototype: zeustracker.badips
  office365_planner:
    inputs: []
    output: true
    prototype: office365.planner
  spamhaus_DROP:
    inputs: []
    output: true
    prototype: spamhaus.DROP
  office365_skypeBusinessOnline:
    inputs: []
    output: true
    prototype: office365.skypeBusinessOnline
  AWS-IPs-feedHCGreen:
    inputs:
      - AmazonAWSAggregator
    output: false
    prototype: stdlib.feedHCGreen
  office365_officeOnline:
    inputs: []
    output: true
    prototype: office365.officeOnline
  CLOUDFRONT-AWS-IPRanges:
    inputs: []
    output: true
    prototype: aws.CLOUDFRONT
  Inbound-CloudFront-AWS-IPRanges:
    inputs:
      - CLOUDFRONT-AWS-IPRanges
    output: true
    prototype: stdlib.aggregatorIPv4Inbound
  CloudFront-IPs-feedHCGreen:
    inputs:
      - Inbound-CloudFront-AWS-IPRanges
    output: false
    prototype: stdlib.feedHCGreen
  BlockIPs-Test:
    inputs: []
    output: true
    prototype: ETOpen.blockIPs
  aggregatorIPv4BlockIPs:
    inputs:
      - BruteForceBlocker_List
      - MalwareDomainList_IP
    output: true
    prototype: stdlib.aggregatorIPv4Inbound
  IPv4BlockIPs:
    inputs:
      - aggregatorIPv4BlockIPs
      - DShield_Blocklist
    output: true
    prototype: stdlib.aggregatorIPv4Inbound
  IPv4-BlockIPsOutput:
    inputs:
      - aggregatorIPv4BlockIPs
    output: false
    prototype: stdlib.taxiiDataFeed
  IPV4-feedHCGreen:
    inputs:
      - IPv4BlockIPs
    output: false
    prototype: stdlib.feedHCGreen
  BadSSLOutBoundIPv4:
    inputs:
      - OutBound_Bad_SSL_Intelligence
    output: true
    prototype: stdlib.aggregatorIPv4Outbound
  OutBound-BadSSL-HCGreen:
    inputs:
      - BadSSLOutBoundIPv4
    output: false
    prototype: stdlib.feedHCGreen
  SpamhausProcessor:
    inputs:
      - spamhaus_EDROP
      - spamhaus_DROP
    output: true
    prototype: stdlib.aggregatorIPv4Outbound
  SpamhausOutbound:
    inputs:
      - SpamhausProcessor
    output: false
    prototype: stdlib.feedHCWithValue
```

L7 Applicator

Re: Minemeld processors have no indicators

Hi @mjanik01,

To solve the issue, change the prototype of SpamhausProcessor from aggregatorIPv4Outbound to aggregatorIPv4Generic.

Also, please do not use the old o365 miners; they are deprecated. Use the o365-api miners instead.
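The fix swaps a direction-specific aggregator for the generic one: the stdlib.aggregatorIPv4Inbound and aggregatorIPv4Outbound prototypes only pass indicators whose direction attribute matches, while aggregatorIPv4Generic has no such filter. As an added example (not from this thread or from MineMeld itself), here is a small linter for an exported config in the layout pasted above: it parses that nodes/inputs/output/prototype subset without PyYAML, reports inputs that name a missing node or a node with output: false, and flags every direction-filtered aggregator so you can check what its miners actually emit. SAMPLE_CONFIG is a constructed excerpt in which spamhaus_EDROP is deliberately left undefined.

```python
"""Lint an exported MineMeld config (nodes/inputs/output/prototype layout).
Added example, not MineMeld code; the parser covers only that YAML subset."""

# Constructed excerpt; spamhaus_EDROP is deliberately left undefined.
SAMPLE_CONFIG = """\
nodes:
  spamhaus_DROP:
    inputs: []
    output: true
    prototype: spamhaus.DROP
  SpamhausProcessor:
    inputs:
      - spamhaus_EDROP
      - spamhaus_DROP
    output: true
    prototype: stdlib.aggregatorIPv4Outbound
"""
# Aggregators that only accept indicators whose direction attribute matches.
DIRECTIONAL = ("stdlib.aggregatorIPv4Inbound", "stdlib.aggregatorIPv4Outbound")

def parse_config(text):
    """Return {node: {"inputs": [...], "output": bool, "prototype": str}}."""
    nodes, current = {}, None
    for raw in text.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip())
        if not line or indent == 0:                  # blank line or "nodes:"
            continue
        if indent == 2 and line.endswith(":"):       # a node header
            current = line[:-1]
            nodes[current] = {"inputs": [], "output": False, "prototype": ""}
        elif line.startswith("- "):                  # one entry of the inputs list
            nodes[current]["inputs"].append(line[2:].strip())
        elif line.startswith("output:"):
            nodes[current]["output"] = line.split(":", 1)[1].strip() == "true"
        elif line.startswith("prototype:"):
            nodes[current]["prototype"] = line.split(":", 1)[1].strip()
    return nodes                                     # "inputs:" lines need no action

def lint(nodes):
    """Explain why a node can stay empty: broken wiring or a direction filter."""
    findings = []
    for name, node in nodes.items():
        for src in node["inputs"]:
            if src not in nodes:
                findings.append(f"{name}: input '{src}' does not exist")
            elif not nodes[src]["output"]:
                findings.append(f"{name}: input '{src}' has output: false")
        if node["prototype"] in DIRECTIONAL:
            findings.append(f"{name}: {node['prototype']} filters on direction; check {node['inputs']}")
    return findings
```

Run `lint(parse_config(open("config.yml").read()))` against a real export; every aggregatorIPv4Inbound/Outbound line it prints is a candidate for the same Generic swap if its miners carry the other direction.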

L1 Bithead

Re: Minemeld processors have no indicators

I apologize for the delay in responding, but I was able to perform the fix you suggested and it did indeed work.

For my own knowledge, what was causing this to not work, just so I don't make the same mistake in the future?

Thank you again!
