cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Zscaler and Minemeld

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
lvmh_onenetwork
lvmh_onenetwork
L1 Bithead
‎05-04-2018 10:39 AM
‎05-04-2018 10:39 AM

Zscaler and Minemeld

Hello,

 

I'm using Minemeld 0.9.44 and I would to get 'range' from the URL https://ips.zscaler.net/cenr/json.

After several attempts with JSON prototype, trying to set different extractor, field (indicator set as range).

 

I'm still not able to get any information.

 

Could you please let me know what is the best what to extract 'range'? 

 

Thank you
Regards

 

0 Likes
Reply
xhoms
xhoms
L5 Sessionator
‎05-09-2018 11:18 PM
‎05-09-2018 11:18 PM

Re: Zscaler and Minemeld

Hi @lvmh_onenetwork,

 

the following SimpleJSON based prototype works for me

 

age_out:
    default: null
    interval: 257
    sudden_death: true
attributes:
    confidence: 100
    share_level: green
    type: IPv4
extractor: '"zscaler.net".*.*[][]'
indicator: range
prefix: zs
source_name: zscaler
url: https://ips.zscaler.net/cenr/json

 

 

 

 

0 Likes
Reply
lvmh_onenetwork
lvmh_onenetwork
L1 Bithead
‎05-10-2018 12:45 PM
‎05-10-2018 12:45 PM

Re: Zscaler and Minemeld

Hello @xhoms

 

it works perfectly, but i'm not sure to understand the 

'"zscaler.net".*.*[][]'

 

how does it works? 

 

Regards 

0 Likes
Reply
xhoms
xhoms
L5 Sessionator
‎05-10-2018 02:29 PM
‎05-10-2018 02:29 PM

Re: Zscaler and Minemeld

@lvmh_onenetwork,

 

are you familiar with JMESPath expressions? Do you know the site http://jmespath.org/ ?

 

I highly recommend you to paste the JSON code from the ZSCALER URL into the JMESPath interactive test site to play with different expressions.

 

But, basically,

  • "zscaler.net" selects the root object
  • .* selects any object inside "zscaler.net" ("continent : Europe", "continent : US & Canada", ...)
  • .* selects any object insite the continents ("city : Amsterdam", "city : Brussels", ...)

If you play in the interactive site you'll realize that "zscaler.net".*.* produces an array of continents containing each one of them an array of rages for each city.

  • [] is a flatten projection that removes the "city" dimension to achieve all ranges to be direct elements inside each "contient"
  • the second [] flatten projection removes the "continent" dimension to achieve all ranges being direct elements of the top array.

The result is an array of ranges whose elements can be yielded into the MineMeld engine.

0 Likes
Reply
lvmh_onenetwork
lvmh_onenetwork
L1 Bithead
‎05-10-2018 11:32 PM
‎05-10-2018 11:32 PM

Re: Zscaler and Minemeld

Thank you for the detail.  I will study that.

 

Regards

0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2019 - Palo Alto Networks