Looking for some information on the fields to use for the syslog miners...
I am trying to pick indicators from a certain direction, sourced from a certain zone, and according to the log description document linked above it is the "from" or "to" field, though I am unable to find any other documentation on what is available with this MineMeld syslog miner.
I was trying this:
conditions:
  - type == 'THREAT'
  - severity == 'high'
  - from == 'Internet'
fields: null
indicators:
  - src_ip
It doesn't seem to be working.
You can find a list of fields here: https://live.paloaltonetworks.com/t5/MineMeld-Articles/Using-the-syslog-Miner/ta-p/77262
Could you try this:
conditions:
  - type == 'THREAT'
  - severity == 'high'
  - src_zone == 'Internet'
fields: null
indicators:
  - src_ip
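To show why the first config matches nothing, here is a small Python illustration added to this thread (not MineMeld's own code): it evaluates conditions of the form field == 'value' against constructed records and flags any condition field the miner does not expose. Assumptions: the known-field list is limited to the four names used in this thread, and the record dicts are constructed stand-ins for parsed log lines.

```python
import re

# Field names confirmed in this thread; the linked article lists the rest.
# Assumption: only these four are treated as known here.
KNOWN_FIELDS = {"type", "severity", "src_zone", "src_ip"}

# One condition of the form  <field> == '<value>'  as written in the miner config.
COND_RE = re.compile(r"^\s*(\w+)\s*==\s*'([^']*)'\s*$")

def parse_conditions(conditions):
    """Turn condition strings into (field, value) pairs."""
    parsed = []
    for cond in conditions:
        m = COND_RE.match(cond)
        if not m:
            raise ValueError(f"unsupported condition syntax: {cond!r}")
        parsed.append(m.groups())
    return parsed

def unknown_fields(conditions):
    """Fields referenced by the conditions that the miner does not expose."""
    return {field for field, _ in parse_conditions(conditions)} - KNOWN_FIELDS

def extract_indicators(config, records):
    """Indicator values from records satisfying every condition.

    A record never carries a misnamed field, so rec.get() returns None and the
    comparison fails: a wrong field name yields no indicators, not an error.
    """
    conds = parse_conditions(config["conditions"])
    hits = []
    for rec in records:
        if all(rec.get(field) == value for field, value in conds):
            hits.extend(rec[ind] for ind in config["indicators"] if ind in rec)
    return hits

# Constructed records standing in for parsed PAN-OS log lines (not real data).
SAMPLE_RECORDS = [
    {"type": "THREAT", "severity": "high", "src_zone": "Internet", "src_ip": "203.0.113.10"},
    {"type": "THREAT", "severity": "high", "src_zone": "Trust", "src_ip": "10.0.0.5"},
    {"type": "TRAFFIC", "severity": "high", "src_zone": "Internet", "src_ip": "198.51.100.7"},
]

WORKING_CONFIG = {"conditions": ["type == 'THREAT'", "severity == 'high'", "src_zone == 'Internet'"],
                  "indicators": ["src_ip"]}
BROKEN_CONFIG = {"conditions": ["type == 'THREAT'", "severity == 'high'", "from == 'Internet'"],
                 "indicators": ["src_ip"]}
```

Running unknown_fields over a config before deploying it catches the misnamed field that the miner itself would only reveal as an empty indicator list.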