minemeld and feeding info via CEF into ArcSight

L5 Sessionator

Re: minemeld and feeding info via CEF into ArcSight

Hi @ahmed_hassan,

Could you elaborate a bit on your question? CEF is just an interface to encapsulate indicators. MineMeld supports such an interface through an extension, which means that you can output anything that you want to a CEF receiver.

L1 Bithead

Re: minemeld and feeding info via CEF into ArcSight

When sending hashes using the CEF format, the hash value is not sent to ArcSight.

So I viewed the raw data that is sent to ArcSight, and I found that the field that contains the hash value is empty.


L1 Bithead

Re: minemeld and feeding info via CEF into ArcSight

Please find this raw log that is sent to ArcSight without the hash value:

 

Raw Event: <53>Feb 21 18:48:40 CEF:0|Palo Alto Networks|MineMeld CEF Output|0.1|withdraw|MineMeld IOC|0|deviceFacility=sha256 deviceExternalId=MineMeld deviceProcessName=Malicious_Hash_To_Arcsight cs2Label=Sources cn2Label=NumberOfSources deviceCustomDate1=1519148121391 deviceCustomDate2=1519148121391 deviceCustomDate2Label=LastSeen cs1Label=ShareLevel cn2=1 deviceCustomDate1Label=FirstSeen cn1=100 cn1Label=Confidence cs2=ADIB_Hash_Malware_Miner endTime=1519238920025 cs1=red

L1 Bithead

Re: minemeld and feeding info via CEF into ArcSight

Hi @lmori @xhoms

Can anyone help with that?

L3 Networker

Re: minemeld and feeding info via CEF into ArcSight

Please update the minemeld-cef output to support hash values (MD5, SHA1, SHA256).