L4 Transporter
Posts: 126
Registered: ‎09-23-2010

Non-reordered IoC feed

I have an IP IoC feed that I would like to ingest and re-publish via MM.

The feed is ordered by priority, i.e. earlier addresses are newer/more active/higher risk, but if I ingest and publish (miner -> output) it is re-ordered by numeric order. Is there any way to prevent this and maintain the initial order?

Technically I have a way around it by inserting another solution between the original source and MM (ultimately I'm trying to limit the number of IoCs as there are more than we can ingest into our PAs and I was using the ?n=x option) but it's a bit clunky!

L5 Sessionator
Posts: 259
Registered: ‎11-15-2012

Re: Non-reordered IoC feed

@apackard,

Is it a plain list? No attributes attached to the indicators other than their position in the list to indicate their relative risk?

If it is just a list over HTTP then you could think about extending the HttpFT class to attach to each indicator a numerical attribute with its order position value, and then use this value as an input filter criterion in the output node (i.e. order < 100).
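The idea in the reply above, as an added example that is not part of the original thread and does not use MineMeld's own HttpFT API: each indicator gets an `order` attribute recording its position in the feed, and the output filters on that attribute before emitting in numeric order. The function names, the sample feed and the model of the output's re-sorting are assumptions made for illustration.

```python
import ipaddress

# Constructed sample feed: position in the list is the only risk signal.
SAMPLE_FEED = """\
# constructed sample, highest risk first
203.0.113.77
198.51.100.9

192.0.2.200
203.0.113.5
198.51.100.9
not-an-ip
192.0.2.14
"""


def _numeric_key(ip):
    """Sort key that also stays valid if IPv4 and IPv6 are mixed."""
    addr = ipaddress.ip_address(ip)
    return (addr.version, int(addr))


def attach_order(feed_text):
    """Return [(indicator, {'order': n})], n = 0-based rank in the feed."""
    seen, out = set(), []
    for line in feed_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ip = str(ipaddress.ip_address(line))
        except ValueError:
            continue  # malformed entries must not consume a rank
        if ip in seen:
            continue  # keep the first (highest-priority) occurrence
        seen.add(ip)
        out.append((ip, {"order": len(out)}))
    return out


def publish(indicators, max_order):
    """Hypothetical output: filter on order < max_order, then emit sorted."""
    kept = [ip for ip, attrs in indicators if attrs["order"] < max_order]
    return sorted(kept, key=_numeric_key)


def truncate_after_sort(indicators, n):
    """The problem case: cut the list to n entries after numeric sorting."""
    return sorted((ip for ip, _ in indicators), key=_numeric_key)[:n]
```

With the sample feed, filtering on `order < 3` keeps the three highest-priority addresses, while truncating the numerically sorted list to three drops the top entry and keeps the lowest-priority one.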

 
