Zscaler and Minemeld

L1 Bithead

Zscaler and Minemeld

Hello,


I'm using Minemeld 0.9.44 and I would like to get 'range' from the URL https://ips.zscaler.net/cenr/json.

After several attempts with the JSON prototype, trying to set a different extractor and field (indicator set as range), I'm still not able to get any information.

Could you please let me know what is the best way to extract 'range'?


Thank you
Regards


L5 Sessionator

Re: Zscaler and Minemeld

Hi @lvmh_onenetwork,

the following SimpleJSON-based prototype works for me:

age_out:
    default: null
    interval: 257
    sudden_death: true
attributes:
    confidence: 100
    share_level: green
    type: IPv4
extractor: '"zscaler.net".*.*[][]'
indicator: range
prefix: zs
source_name: zscaler
url: https://ips.zscaler.net/cenr/json

L1 Bithead

Re: Zscaler and Minemeld

Hello @xhoms,

it works perfectly, but I'm not sure I understand the

'"zscaler.net".*.*[][]'

How does it work?

Regards

L5 Sessionator

Re: Zscaler and Minemeld

@lvmh_onenetwork,

are you familiar with JMESPath expressions? Do you know the site http://jmespath.org/ ?

I highly recommend that you paste the JSON from the Zscaler URL into the JMESPath interactive test site to play with different expressions.

But, basically,

  • "zscaler.net" selects the root object
  • .* selects any object inside "zscaler.net" ("continent : Europe", "continent : US & Canada", ...)
  • .* selects any object inside the continents ("city : Amsterdam", "city : Brussels", ...)

If you play in the interactive site you'll realize that "zscaler.net".*.* produces an array of continents, each of which contains an array of ranges for each city.

  • [] is a flatten projection that removes the "city" dimension so that all ranges become direct elements inside each "continent"
  • the second [] flatten projection removes the "continent" dimension so that all ranges become direct elements of the top array.

The result is an array of ranges whose elements can be yielded into the MineMeld engine.
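To make the two projections and the two flattens concrete, here is an added Python example (not code from the thread, MineMeld or Zscaler) that evaluates '"zscaler.net".*.*[][]' one operator at a time on a constructed document. The sample JSON only copies the nesting described above (root key "zscaler.net", "continent : ..." objects, "city : ..." arrays of entries with a "range" field); its prefixes are RFC 5737 documentation networks, not real Zscaler ranges. It also shows the nested result you get when the two [] are left out, which is the shape MineMeld cannot read a 'range' indicator from, and it cross-checks the hand-rolled walk against the jmespath library when that is installed.

```python
import ipaddress
import json

# Constructed sample (not fetched from Zscaler): only the nesting shape the
# thread describes for https://ips.zscaler.net/cenr/json is reproduced.
# Prefixes are RFC 5737 documentation networks, not real Zscaler ranges.
SAMPLE_JSON = json.dumps({
    "zscaler.net": {
        "continent : Europe": {
            "city : Amsterdam": [
                {"range": "192.0.2.0/24", "hostname": "ams.example"},
                {"range": "192.0.2.128/25", "hostname": "ams.example"},
            ],
            "city : Brussels": [
                {"range": "198.51.100.0/24", "hostname": "bru.example"},
            ],
        },
        "continent : US & Canada": {
            "city : Toronto": [
                {"range": "203.0.113.0/24", "hostname": "yyz.example"},
                {"range": "not-a-prefix", "hostname": "bogus.example"},
            ],
        },
    }
})


def values_projection(node):
    """JMESPath `.*`: the values of an object, or None when node is not an object."""
    if isinstance(node, dict):
        return list(node.values())
    return None


def project(nodes, step):
    """Apply `step` to each element of a projection result and drop null results,
    which is how JMESPath carries a second `.*` through the first projection."""
    out = []
    for item in nodes:
        value = step(item)
        if value is not None:
            out.append(value)
    return out


def flatten(nodes):
    """JMESPath `[]`: merge one level of sub-lists into the current list."""
    out = []
    for item in nodes:
        if isinstance(item, list):
            out.extend(item)
        else:
            out.append(item)
    return out


def extract_entries(document):
    """Evaluate '"zscaler.net".*.*[][]' step by step on a parsed JSON document."""
    root = document["zscaler.net"]                    # "zscaler.net"
    continents = values_projection(root)              # .*  -> [continent objects]
    cities = project(continents, values_projection)   # .*  -> [[city arrays], ...]
    per_city = flatten(cities)                        # []  -> [city arrays]
    return flatten(per_city)                          # []  -> [entries with "range"]


def without_flatten(document):
    """Same expression minus the two []: a continent -> city -> entry nesting."""
    return project(values_projection(document["zscaler.net"]), values_projection)


def extract_ranges(raw_json, field="range"):
    """What `indicator: range` picks from the flattened entries. Values that are
    not valid IPv4 networks are skipped instead of being handed to the engine."""
    ranges = []
    for entry in extract_entries(json.loads(raw_json)):
        value = entry.get(field) if isinstance(entry, dict) else None
        if value is None:
            continue
        try:
            ranges.append(str(ipaddress.IPv4Network(value, strict=False)))
        except ValueError:
            continue
    return ranges


def cross_check_with_jmespath(raw_json):
    """Compare the hand-rolled walk with the jmespath library if it is installed.
    Returns True on agreement, None when the library is unavailable."""
    try:
        import jmespath
    except ImportError:
        return None
    document = json.loads(raw_json)
    return jmespath.search('"zscaler.net".*.*[][]', document) == extract_entries(document)


if __name__ == "__main__":
    print(extract_ranges(SAMPLE_JSON))
    print(cross_check_with_jmespath(SAMPLE_JSON))
```

Note that `without_flatten` returns a list of lists of lists: the first [] collapses the continent level into one list of city arrays, the second collapses the city arrays into one list of entries, and only then does a field lookup like `range` land on an object rather than on a list.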

L1 Bithead

Re: Zscaler and Minemeld

Thank you for the detail. I will study that.

Regards
