panos_syslog IP indicator - withdraw

Reply
L1 Bithead

panos_syslog IP indicator - withdraw

 

I am trying to create an IPv4 indicator list based on PAN-OS threat logs.

Below is the rule code attached to the syslogminer class stdlib.syslogMiner.

 

 

RULE:

age_out:
   default: last_seen+30d
   interval: 1800
   sudden_death: false
attributes:
   confidence: 50
   type: IPv4
conditions:
   - type == 'THREAT'
config:
   share_level: green
   fields: null
indicators:
   - src_ip

 

Unfortunately all the IP addresses are withdrawn.

 

ThreatFeedMCGreen ACCEPT_WITHDRAW 192.168.1.61-192.168.1.61 confidence: 50sources: ["panos.syslog"]first_seen: 1487158094651panossyslog_devices: ["001606041772"]type: IPv4last_seen: 1487160033901 source_node: inboundaggregator
ThreatFeedMCGreen RECVD_WITHDRAW 192.168.1.61-192.168.1.61 confidence: 50sources: ["panos.syslog"]first_seen: 1487158094651panossyslog_devices: ["001606041772"]type: IPv4last_seen: 1487160033901 source_node: inboundaggregator
ThreatFeedMCRedWithValue ACCEPT_WITHDRAW 192.168.1.61-192.168.1.61 confidence: 50sources: ["panos.syslog"]first_seen: 1487158094651panossyslog_devices: ["001606041772"]type: IPv4last_seen: 1487160033901 source_node: inboundaggregator
ThreatFeedMCRedWithValue RECVD_WITHDRAW 192.168.1.61-192.168.1.61 confidence: 50sources: ["panos.syslog"]first_seen: 1487158094651panossyslog_devices: ["001606041772"]type: IPv4last_seen: 1487160033901 source_node: inboundaggregator
inboundaggregator EMIT_WITHDRAW 192.168.1.61-192.168.1.61 _updated: 1487160033902confidence: 50panossyslog_devices: ["001606041772"]_added: 1487158094654sources: ["panos.syslog"]first_seen: 1487158094651_id: 35c6d7da-0715-42db-8b7a-b873cbb07ff2type: IPv4last_seen: 1487160033901
inboundaggregator ACCEPT_WITHDRAW 192.168.1.61 confidence: 50sources: ["panos.syslog"]first_seen: 1487158094651panossyslog_devices: ["001606041772"]type: IPv4last_seen: 1487160033901 source_node: panos-syslog-miner
inboundaggregator RECVD_WITHDRAW 192.168.1.61 confidence: 50sources: ["panos.syslog"]first_seen: 1487158094651panossyslog_devices: ["001606041772"]type: IPv4last_seen: 1487160033901 source_node: panos-syslog-miner
panos-syslog-miner EMIT_WITHDRAW 192.168.1.61 _age_out: 1487163633901confidence: 50sources: ["panos.syslog"]first_seen: 1487158094651panossyslog_devices: ["001606041772"]type: IPv4last_seen: 1487160033901
ThreatFeedMCRedWithValue DROP_UPDATE 213.211.198.62-213.211.198.62 confidence: 50sources: ["panos.syslog"]first_seen: 1487159482831panossyslog_devices: ["001606041772"]type: IPv4last_seen: 1487163532361 source_node: inboundaggregator
ThreatFeedMCRedWithValue RECVD_UPDATE 213.211.198.62-213.211.198.62 confidence: 50sources: ["panos.syslog"]first_seen: 1487159482831panossyslog_devices: ["001606041772"]type: I

 

L7 Applicator

Re: panos_syslog IP indicator - withdraw

Hi @rchilukuri,

I think you have mixed prototype attributes and rule attributes, that's the reason age_out policy is ignored. The following setting should be in the syslog Miner prototype:

age_out:
   default: last_seen+30d
   interval: 1800
   sudden_death: false
attributes:
   confidence: 50
   type: IPv4
config:
   share_level: green
L1 Bithead

Re: panos_syslog IP indicator - withdraw

 

Getting,  Error validating, no "conditions" in rule

Not able to apply the rule with out any conditions.

 

Need a rule to list and keep the IP indicators for 30 days or more.

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!