Simple Explanation of Share Levels


L0 Member

I have read all the documentation, and have a test environment for MineMeld, but I still can't work out what share levels are being used for.

I was of the belief that it was green=good (i.e. whitelist these) and red=bad (i.e. block these); however, this doesn't seem to be the case in most of the current prototypes.

@lmori said the following, but I am not quite processing what this entails if it is different from my above belief: "This attribute is added to the indicator by the Miner to signal to other nodes in the graph the target audience of the indicator, similar to the Traffic Light Protocol. Typically this is used by input filters in Output nodes." - https://live.paloaltonetworks.com/t5/MineMeld-Discussions/About-Share-Level/m-p/77537/highlight/true...

A simple explanation of what share levels are indicating would be much appreciated.


Accepted Solutions

L7 Applicator

Hi @KazpaJosh,

share_level is just a tag associated with an indicator, to be used for filtering in the output feeds to avoid human errors in sharing with 3rd parties. It is used to represent the confidentiality of an indicator. Typical rules:

- indicators from OSINT are marked with share_level green

- indicators from commercial Threat Intelligence vendor or TIP are marked with red

- indicators from syslog Miner are marked with red

 

Hope this gives a better idea on the meaning of share_level, if not let me know 🙂
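
A minimal sketch of the filtering described in the answer above, added here as an example and not taken from MineMeld or from the original post: Miners tag indicators by source, and an output feed accepts only the share levels it is allowed to publish. The source names, sample addresses, the internal feed's accepted levels, and the choice to drop untagged indicators are assumptions.

```python
# Simplified model of share_level tagging and output filtering.
# Not MineMeld code: all names and sample data below are constructed.

# Tag each Miner applies, following the typical rules in the answer above.
MINER_SHARE_LEVEL = {
    "osint_blocklist": "green",   # OSINT source
    "commercial_ti": "red",       # commercial threat-intel vendor / TIP
    "syslog_miner": "red",        # indicators extracted from internal logs
}

def mine(source, values):
    """Return indicators tagged with the share_level of their Miner."""
    level = MINER_SHARE_LEVEL.get(source)  # None if the Miner sets no tag
    return [{"indicator": v, "source": source, "share_level": level}
            for v in values]

def output_feed(indicators, allowed_levels):
    """Input filter of an output node: accept only allowed share levels.

    Anything else, including a missing tag, is dropped (default deny).
    """
    accepted, dropped = [], []
    for ind in indicators:
        if ind.get("share_level") in allowed_levels:
            accepted.append(ind["indicator"])
        else:
            dropped.append(ind["indicator"])
    return accepted, dropped

def build_feeds():
    graph = (
        mine("osint_blocklist", ["198.51.100.7", "203.0.113.0/24"])
        + mine("commercial_ti", ["192.0.2.55"])
        + mine("syslog_miner", ["192.0.2.200"])
        + mine("untagged_miner", ["198.51.100.99"])  # no share_level set
    )
    # Feed handed to third parties: green only.
    partner, withheld = output_feed(graph, {"green"})
    # Feed consumed by the organisation's own firewalls (assumed): green and red.
    internal, _ = output_feed(graph, {"green", "red"})
    return partner, withheld, internal

if __name__ == "__main__":
    partner, withheld, internal = build_feeds()
    print("partner feed :", partner)
    print("withheld     :", withheld)
    print("internal feed:", internal)
```

The red indicators are still usable for blocking internally; the tag only keeps them, and anything a Miner forgot to tag, out of the feed shared with third parties.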


Makes perfect sense! Thank you!

So, what is yellow for?
