minemeld and feeding info via CEF into ArcSight

L0 Member

minemeld and feeding info via CEF into ArcSight

Can you select the formatting, or would I need to create a wrapper that manipulates the data pushed by MineMeld to forward it in CEF? Glad an open-source community exists for this. Additionally, I need an RPM-based package or just a way to compile from source; I am using CentOS. Any thoughts, or is there a source package for this?

L7 Applicator

Re: minemeld and feeding info via CEF into ArcSight

Hi socfocus,

A CEF output node is definitely on my todo list (see ER#39 at https://github.com/PaloAltoNetworks/minemeld-core/issues/39). I am looking for a good example of how to translate Threat Intelligence into CEF format; do you have something I could look at?


Installation based on RPM is on the TODO list; it should be quite easy to accomplish.

L7 Applicator

Re: minemeld and feeding info via CEF into ArcSight

Hi @socfocus.com,

starting with 0.9.32 you can use an external extension to achieve this:

https://github.com/PaloAltoNetworks/minemeld-cef


luigi

L3 Networker

Re: minemeld and feeding info via CEF into ArcSight

Dear @lmori,

Does the minemeld-cef extension support hash aggregator processors (MD5, SHA256)?


Does minemeld-cef support all aggregators in MineMeld?


Thank you

L7 Applicator

Re: minemeld and feeding info via CEF into ArcSight

Hi @iThreatHunt,

this could be supported by changing the template, but in which CEF field would you put the hash indicator?


luigi

L3 Networker

Re: minemeld and feeding info via CEF into ArcSight

Could MD5 and SHA256 be mapped to Device Custom String3?


Currently the Device Custom field is used:

[screenshot: 06-07-2017 10-23-53.jpg]
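To make the field-mapping question above concrete, here is an added example (not code from the minemeld-cef extension and not its template) that renders a MineMeld-style indicator as a CEF line and parses it back. It assumes MineMeld's usual indicator attribute names (type, confidence, share_level, sources); the choice of CEF key per indicator type (dst/dhost/request for network indicators, cs3 plus cs3Label for file hashes as proposed in the thread, cs2/cs4 for sources and share level) is this example's own mapping, not something the extension prescribes. The escaping rules (backslash and pipe in the header; backslash, equals sign and line breaks in the extension) are the standard CEF ones, and the parser honours them so an indicator containing those characters does not corrupt the event.

```python
"""Turn MineMeld-style indicators into CEF lines and parse them back.

Added example, not code from the minemeld-cef extension and not its
template. Assumptions: indicator attributes are named as MineMeld usually
names them ('type', 'confidence', 'share_level', 'sources'); the CEF key
per indicator type (dst/dhost/request, cs3+cs3Label for hashes as proposed
in the thread) is this example's own mapping.
"""
import re

CEF_VERSION = 0
DEVICE_VENDOR = "PaloAltoNetworks"
DEVICE_PRODUCT = "MineMeld"
DEVICE_VERSION = "0.9.40"

# Hash indicator types all go to Device Custom String3, with the label
# telling the SIEM which algorithm the value is.
HASH_TYPES = {"md5": "MD5", "sha1": "SHA1", "sha256": "SHA256"}
# Network indicator types map onto standard CEF extension keys.
TYPE_TO_KEY = {"IPv4": "dst", "IPv6": "dst", "domain": "dhost", "URL": "request"}


def escape_header(value):
    """Header fields must escape backslash and the '|' separator."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value):
    """Extension values must escape backslash, '=' and line breaks."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def confidence_to_severity(confidence):
    """Squash MineMeld's 0-100 confidence onto CEF's 0-10 severity."""
    try:
        return max(0, min(10, int(confidence) // 10))
    except (TypeError, ValueError):
        return 0  # unknown confidence: lowest severity rather than a crash


def indicator_to_cef(value, attrs):
    """Return one CEF line for an indicator value and its attribute dict."""
    itype = attrs.get("type", "unknown")
    ext = {}
    if itype in HASH_TYPES:
        ext["cs3"], ext["cs3Label"] = value, HASH_TYPES[itype]
    elif itype in TYPE_TO_KEY:
        ext[TYPE_TO_KEY[itype]] = value
    else:  # unknown type: still ship it, in a labelled custom string
        ext["cs1"], ext["cs1Label"] = value, itype
    ext["cs2"], ext["cs2Label"] = ",".join(attrs.get("sources", [])), "sources"
    if "share_level" in attrs:
        ext["cs4"], ext["cs4Label"] = attrs["share_level"], "share_level"
    header = [
        "CEF:%d" % CEF_VERSION,
        escape_header(DEVICE_VENDOR),
        escape_header(DEVICE_PRODUCT),
        escape_header(DEVICE_VERSION),
        escape_header("indicator:" + itype),             # Device Event Class ID
        escape_header("MineMeld indicator %s" % itype),  # Name
        str(confidence_to_severity(attrs.get("confidence"))),
    ]
    extension = " ".join("%s=%s" % (k, escape_extension(v)) for k, v in ext.items())
    return "|".join(header) + "|" + extension


# key=value pairs; a value runs lazily until the next " key=" or end of line,
# and an escaped character (backslash + anything) never terminates it.
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^=\\])*?)(?=\s\w+=|$)")
_UNESC = {"n": "\n", "r": "\r"}


def parse_cef(line):
    """Split a CEF line into its 7 header fields and an extension dict.

    Honours '\\|' in the header and '\\=' / '\\\\' in the extension, so it
    round-trips what indicator_to_cef() emits (and what a collector must
    cope with when an indicator contains those characters).
    """
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        if line[i] == "\\" and i + 1 < len(line):
            cur.append(line[i + 1]); i += 2
        elif line[i] == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(line[i]); i += 1
    if len(fields) != 7:
        raise ValueError("not a CEF line: %r" % line)
    ext = {k: re.sub(r"\\(.)", lambda m: _UNESC.get(m.group(1), m.group(1)), v)
           for k, v in _EXT_RE.findall(line[i:])}
    return fields, ext


if __name__ == "__main__":
    # Constructed sample indicator, not data from any real feed.
    sample = {"type": "sha256", "confidence": 85, "share_level": "green",
              "sources": ["feedA", "feedB"]}
    print(indicator_to_cef("d" * 64, sample))
```

Whatever mapping you settle on, keep the label fields (cs3Label and friends) alongside the custom strings; without them the receiving ArcSight connector has no way to tell an MD5 from a SHA256 once both land in the same column.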

L3 Networker

Re: minemeld and feeding info via CEF into ArcSight

I found some errors when activating minemeld-cef 0.17b. Please advise me.


Obtaining file:///opt/minemeld/local/library/7d86cdf2-c97e-4835-a5df-acdad36fd48d
    Complete output from command python setup.py egg_info:
    Unable to find pgen, not compiling formal grammar.
    warning: no files found matching '*.pyx' under directory 'Cython/Debugger/Tests'
    warning: no files found matching '*.pxd' under directory 'Cython/Debugger/Tests'
    warning: no files found matching '*.h' under directory 'Cython/Debugger/Tests'
    warning: no files found matching '*.pxd' under directory 'Cython/Utility'
    unable to execute 'x86_64-linux-gnu-gcc': No such file or directory
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/opt/minemeld/local/library/7d86cdf2-c97e-4835-a5df-acdad36fd48d/setup.py", line 50, in <module>
        entry_points=_entry_points
      File "/usr/lib/python2.7/distutils/core.py", line 111, in setup
        _setup_distribution = dist = klass(attrs)
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/setuptools/dist.py", line 320, in __init__
        self.fetch_build_eggs(attrs['setup_requires'])
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/setuptools/dist.py", line 377, in fetch_build_eggs
        replace_conflicting=True,
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 852, in resolve
        dist = best[req.key] = env.best_match(req, ws, installer)
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 1124, in best_match
        return self.obtain(req, installer)
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 1136, in obtain
        return installer(requirement)
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/setuptools/dist.py", line 445, in fetch_build_egg
        return cmd.easy_install(req)
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 673, in easy_install
        return self.install_item(spec, dist.location, tmpdir, deps)
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 699, in install_item
        dists = self.install_eggs(spec, download, tmpdir)
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 880, in install_eggs
        return self.build_and_install(setup_script, setup_base)
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 1119, in build_and_install
        self.run_setup(setup_script, setup_base, args)
      File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 1107, in run_setup
        raise DistutilsError("Setup script exited with %s" % (v.args[0],))
    distutils.errors.DistutilsError: Setup script exited with error: command 'x86_64-linux-gnu-gcc' failed with exit status 1
    
    ----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /opt/minemeld/local/library/7d86cdf2-c97e-4835-a5df-acdad36fd48d/

L3 Networker

Re: minemeld and feeding info via CEF into ArcSight

[screenshot: 08-07-2017 21-23-47.jpg]

L7 Applicator

Re: minemeld and feeding info via CEF into ArcSight

Hi @iThreatHunt,

installing minemeld-cef from source requires a compiler, and this is not available by default on MineMeld VMs (security).

You can instead download the wheel file from here:

https://github.com/PaloAltoNetworks/minemeld-cef/releases


And upload it to MineMeld via SYSTEM > EXTENSIONS page.

L1 Bithead

Re: minemeld and feeding info via CEF into ArcSight

Is there any CEF output that MineMeld generates?
