minemeld and feeding info via CEF into ArcSight

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

minemeld and feeding info via CEF into ArcSight

L0 Member

Can you select formatting or would I need to create a wrapper that manipulates the data pushed by minemeld to forward in CEF?  Glad an opensource community on this exist for this.  Additionally I need an rpm based package or just a way to compile from source I am using CentOS any thoughts or is there a source package for this

15 REPLIES 15

L7 Applicator

Hi socfocus,

CEF output node is definitely on my todo list (see ER#39 at https://github.com/PaloAltoNetworks/minemeld-core/issues/39). I am looking of a good example on how to translate Threat Intelligence into CEF format, do you have something I could look at ?

 

Installation based on RPM is on the TODO list, shall be quite easy to accomplish.

Hi @socfocus.com,

starting with 0.9.32 you can use an external extension to achieve this:

https://github.com/PaloAltoNetworks/minemeld-cef

 

luigi

Dear @lmori,

Is minemeld-cef extension support Hash aggregator processors (MD5, SHA256)?

 

Does minemeld-cef support all aggegators on minemeld?

 

Thank you

Hi @iThreatHunt,

this could be supported by changing the template, but in which CEF field would you put the hash indicator ?

 

luigi

Could MD5, SHA256 mapping with Device Custom String3?

 

Now Device Custom field is used

06-07-2017 10-23-53.jpg

I found some error when activate mindmeld-cef 0.17b. Pleas advise me.

 

Obtaining file:///opt/minemeld/local/library/7d86cdf2-c97e-4835-a5df-acdad36fd48d
    Complete output from command python setup.py egg_info:
    Unable to find pgen, not compiling formal grammar.
    warning: no files found matching '*.pyx' under directory 'Cython/Debugger/Tests'
    warning: no files found matching '*.pxd' under directory 'Cython/Debugger/Tests'
    warning: no files found matching '*.h' under directory 'Cython/Debugger/Tests'
    warning: no files found matching '*.pxd' under directory 'Cython/Utility'
    unable to execute 'x86_64-linux-gnu-gcc': No such file or directory
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/opt/minemeld/local/library/7d86cdf2-c97e-4835-a5df-acdad36fd48d/setup.py", line 50, in <module>
        entry_points=_entry_points
      File "/usr/lib/python2.7/distutils/core.py", line 111, in setup
        _setup_distribution = dist = klass(attrs)
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/setuptools/dist.py", line 320, in __init__
        self.fetch_build_eggs(attrs['setup_requires'])
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/setuptools/dist.py", line 377, in fetch_build_eggs
        replace_conflicting=True,
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 852, in resolve
        dist = best[req.key] = env.best_match(req, ws, installer)
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 1124, in best_match
        return self.obtain(req, installer)
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 1136, in obtain
        return installer(requirement)
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/setuptools/dist.py", line 445, in fetch_build_egg
        return cmd.easy_install(req)
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 673, in easy_install
        return self.install_item(spec, dist.location, tmpdir, deps)
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 699, in install_item
        dists = self.install_eggs(spec, download, tmpdir)
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 880, in install_eggs
        return self.build_and_install(setup_script, setup_base)
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 1119, in build_and_install
        self.run_setup(setup_script, setup_base, args)
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 1107, in run_setup
        raise DistutilsError("Setup script exited with %s" % (v.args[0],))
    distutils.errors.DistutilsError: Setup script exited with error: command 'x86_64-linux-gnu-gcc' failed with exit status 1
    
    ----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /opt/minemeld/local/library/7d86cdf2-c97e-4835-a5df-acdad36fd48d/

08-07-2017 21-23-47.jpg

Hi @iThreatHunt,

installing minemeld-cef from source requires a compiler, and this is not available by default on MineMeld VMs (security).

You can instead download the wheel file from here:

https://github.com/PaloAltoNetworks/minemeld-cef/releases

 

And upload it to MineMeld via SYSTEM > EXTENSIONS page.

L1 Bithead

is there any CEF output that mine meld generate?

Hi @ahmed_hassan,

 

could you elaborate a bit your question? CEF is just an interface to encapsulate indicators. MineMeld supports such an interface through an extension which means that you can output anything that your want to a CEF receiver.

when sending Hashes using CEF format , Hash value is not sent to Arcsight.

so, i view raw data that is sent to Arcsight , i found field that cantain Hash value is empty.


@xhoms wrote:

Hi @ahmed_hassan,

 

could you elaborate a bit your question? CEF is just an interface to encapsulate indicators. MineMeld supports such an interface through an extension which means that you can output anything that your want to a CEF receiver.



when sending Hashes using CEF format , Hash value is not sent to Arcsight.

so, i view raw data that is sent to Arcsight , i found field that cantain Hash value is empty.




L1 Bithead

Please find this raw log that is sent to arcsight with out hashvalue:

 

Raw Event: <53>Feb 21 18:48:40 CEF:0|Palo Alto Networks|MineMeld CEF Output|0.1|withdraw|MineMeld IOC|0|deviceFacility=sha256 deviceExternalId=MineMeld deviceProcessName=Malicious_Hash_To_Arcsight cs2Label=Sources cn2Label=NumberOfSources deviceCustomDate1=1519148121391 deviceCustomDate2=1519148121391 deviceCustomDate2Label=LastSeen cs1Label=ShareLevel cn2=1 deviceCustomDate1Label=FirstSeen cn1=100 cn1Label=Confidence cs2=ADIB_Hash_Malware_Miner endTime=1519238920025 cs1=red

HI @lmori @xhoms

 

can any one help about that

  • 8028 Views
  • 15 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!