I have read all the documentation, and have a test environment for MineMeld, but I still can't work out what share levels are being used for.
I was of the belief that it was green=good (i.e. whitelist these) and red=bad (i.e. block these); however, this doesn't seem to be the case in most of the current prototypes.
@lmori said the following, but I am not quite processing what this entails if it is different from my above belief: "This attribute is added to the indicator by the Miner to signal to other nodes in the graph the target audience of the indicator, similar to the Traffic Light Protocol. Typically this is used by input filters in Output nodes." - https://live.paloaltonetworks.com/t5/MineMeld-Discussions/About-Share-Level/m-p/77537/highlight/true...
A simple explanation of what share levels are indicating would be much appreciated.
share_level is just a tag associated with an indicator, to be used for filtering in the output feeds to avoid human errors in sharing with 3rd parties. It is used to represent the confidentiality of an indicator. Typical rules:
- indicators from OSINT are marked with share_level green
- indicators from commercial Threat Intelligence vendor or TIP are marked with red
- indicators from syslog Miner are marked with red
Hope this gives a better idea on the meaning of share_level, if not let me know :-)
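An added example (not part of the original posts, and not MineMeld's own code or configuration syntax): a simplified Python model of the behaviour described in the answer, where each Miner tags its indicators with a share_level and each output feed filters on that tag. The miner names, indicator values and first-match filter layout are assumptions made for illustration.

```python
# Simplified model of share_level filtering at output nodes.
# Miner names, indicators and the filter layout are constructed for illustration.

# Each miner stamps its own share_level on everything it emits.
MINER_SHARE_LEVEL = {
    "osint_blocklist": "green",   # OSINT source
    "commercial_ti": "red",       # commercial threat-intel vendor or TIP
    "syslog_miner": "red",        # indicators extracted from internal logs
}

def mine(miner, indicator):
    """Return an indicator record tagged the way its miner would tag it."""
    return {"indicator": indicator, "source": miner,
            "share_level": MINER_SHARE_LEVEL.get(miner)}

def apply_filters(record, filters):
    """First matching rule wins; no match at all means drop (fail closed)."""
    for conditions, action in filters:
        if all(cond(record) for cond in conditions):
            return action == "accept"
    return False

# Feed published to 3rd parties: only green indicators may leave.
EXTERNAL_FEED = [
    ([lambda r: r["share_level"] == "green"], "accept"),
    ([], "drop"),  # empty condition list matches everything else
]
# Feed consumed by internal enforcement points: green and red are both fine.
INTERNAL_FEED = [
    ([lambda r: r["share_level"] in ("green", "red")], "accept"),
    ([], "drop"),
]

def build_feed(records, filters):
    """Return the indicators that survive the feed's input filters."""
    return [r["indicator"] for r in records if apply_filters(r, filters)]

RECORDS = [  # constructed sample data (documentation address ranges)
    mine("osint_blocklist", "198.51.100.7"),
    mine("commercial_ti", "203.0.113.25"),
    mine("syslog_miner", "192.0.2.44"),
    mine("untagged_miner", "192.0.2.99"),  # miner that sets no share_level
]

if __name__ == "__main__":
    print("external:", build_feed(RECORDS, EXTERNAL_FEED))
    print("internal:", build_feed(RECORDS, INTERNAL_FEED))
```

In this model the share_level says nothing about whether an indicator is benign or malicious; it only decides which feeds the indicator may appear in, and an untagged indicator is dropped from both feeds.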