04-03-2018 06:46 AM - edited 04-03-2018 06:47 AM
I'm using MineMeld to scrape Microsoft's website to grab the list of Office 365 related URLs and IP addresses. We've noticed that this feeds in *.outlook.com, but not outlook.com. This results in the common Office 365 Outlook Web App URL https://outlook.com/owa/<realm>.mail.onmicrosoft.com not matching the External Dynamic List ("EDL") generated by MineMeld and not matching our Office 365 security policy in the firewall.
I see that there is a Manual Exception list for an EDL. The help documentation isn't completely clear whether or not this is a way to manually add entries to an EDL or to manually remove EDL entries pulled in automatically. I believe it is the latter, but I tried adding outlook.com/ to the Office 365 URLs Manual Exception list, but visits still aren't matching my Office 365 security policy.
Is there a way I can manually add outlook.com/ to the Office 365 URL EDL generated by MineMeld? Or any other clever suggestion?
04-03-2018 07:31 AM
The Manual Exception list does exactly what you believe; this is to exclude entries already in an EDL from being utilized by the firewall.
I would personally add a miner that utilizes the prototype stdlib.listDomainGeneric so that you can manually add indicators and simply include the new miner in the Aggregate node that you are using for the Office output node. This way you can add indicators when you need to and it will be incorporated into your EDL.
04-03-2018 01:28 PM - edited 04-03-2018 02:07 PM
[UPDATE]: The issue I discuss in this particular post is solved. The resolution is in the following post.
Hm. OK, would you mind providing some guidance? I am a MineMeld novice and don't find the interface very intuitive.
I previously followed PAN's guide on setting up MineMeld for Office 365. So, based on that, I believe I somehow need to feed the office365_URLaggregator (prototype: stdlib.aggregatorURL) this new miner you suggested. The trouble is, I seem to be having problems with getting it created correctly. After I create the new stdlib.listDomainGeneric miner and Commit, I don't seem to be able to add it to the aggregator.
Here are the steps I'm following to create the new miner.
The problem comes in when I try to then add the new office365_additionalurls miner as an Input on the office365_URLaggregator. I click the list of inputs on the aggregator and find that office365_additionalurls is not an available selection.
04-03-2018 01:50 PM
I figured it out. I noticed that office365_URLaggregator is based on the prototype stdlib.aggregatorURL which seems to accept only inputs of type "URL" and the prototype stdlib.listDomainGeneric is type "Domain". I found a prototype called stdlib.listURLGeneric and based my new miner on that instead and was able to add it to the aggregator and then verify it was showing up in the resulting EDL.
TL;DR:
I used the stdlib.listURLGeneric prototype instead of your suggested stdlib.listDomainGeneric.
Thanks for getting me pointed in a useful direction!
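Added example (not part of the original thread, and not MineMeld or PAN-OS code): a small offline check that the URLs a policy must cover are matched by the entries in an EDL, showing the `*.outlook.com` versus `outlook.com/` gap discussed above. The matching rules are a simplified model and an assumption (a leading `*` stands for one or more subdomain labels, an entry path is a prefix), and the sample entries, the `office365.com` entry and the realm name are constructed.

```python
from urllib.parse import urlsplit

def split_entry(entry):
    """Split an EDL URL entry into (host labels, path prefix)."""
    entry = entry.strip().lower()
    if "://" in entry:
        entry = entry.split("://", 1)[1]
    host, _, path = entry.partition("/")
    return host.split("."), "/" + path

def host_matches(pattern, host):
    """Assumed rule: a leading '*' label needs at least one subdomain label,
    so '*.outlook.com' never matches the bare 'outlook.com'."""
    if pattern[0] == "*":
        suffix = pattern[1:]
        return len(host) > len(suffix) and host[len(host) - len(suffix):] == suffix
    return pattern == host

def covered_by(url, entries):
    """Return the first EDL entry that covers url, or None if nothing does."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").split(".")
    path = (parts.path or "/").lower()
    for entry in entries:
        pattern, prefix = split_entry(entry)
        if host_matches(pattern, host) and path.startswith(prefix):
            return entry
    return None

def coverage_report(urls, entries):
    """Map each required URL to the entry covering it (None = gap)."""
    return {u: covered_by(u, entries) for u in urls}

# Constructed sample data: feed output before and after adding the manual miner.
EDL_BEFORE = ["*.outlook.com", "*.office365.com"]
EDL_AFTER = EDL_BEFORE + ["outlook.com/"]
REQUIRED = [
    "https://outlook.com/owa/example-realm.mail.onmicrosoft.com",
    "https://mail.outlook.com/",
]

if __name__ == "__main__":
    for label, edl in (("before", EDL_BEFORE), ("after", EDL_AFTER)):
        for url, hit in coverage_report(REQUIRED, edl).items():
            print(f"{label:6} {url} -> {hit or 'NOT COVERED'}")
```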
08-06-2019 06:22 AM
Thanks for the post. New to MineMeld but learning as I go. I have set up this miner, processor, output node connection. Where/how would you manually enter your entries?