03-27-2018 05:43 PM
Hi experts,
I have a customer who uses AutoFocus with MineMeld and also uses Splunk.
This customer is using two MineMeld instances. One MineMeld is from the AutoFocus app, and the other is a standalone MineMeld deployed on Splunk.
But I found a difference in the number of miner samples between the AutoFocus app and the standalone MineMeld.
Below is the number of samples when searching for the keyword "autofocus":
1. Standalone Minemeld
2. Autofocus app Minemeld
So, the customer wants to export miner samples from the AutoFocus app and import the samples into the standalone MineMeld.
Please advise; it will be appreciated.
Thanks
Jihoon
03-30-2018 12:31 AM
Hi @jilim,
Being able to extract indicators from AutoFocus searches is one of the few features not available in the MineMeld Community edition. Only the AutoFocus hosted MineMeld instance includes a miner capable of it.
That said, there is a special miner named "JSONSeq" that allows a MineMeld-to-MineMeld kind of connection. Using this miner you can "pipe" all indicators from the hosted MineMeld instance to your on-premises MineMeld one.
The following is a step-by-step guide on how to achieve this.
Step 1: Route your AF samples indicators to a feed output node
The following screen capture shows a graph in an AutoFocus MineMeld instance routing samples searches to a feed output node.
Click on the output node to confirm the number of indicators and other details for the feed.
Note that, by default, all AutoFocus hosted feeds are authenticated (in this case with the tags "active_campaigns" and "test_tag"). This means that you'll need the corresponding user and password for the on-premises MineMeld instance to be able to import indicators from this feed.
Copy the URL of the feed. You'll need it in the next step.
Step 2: Create a new JSONSeq miner prototype
Look in your on-premises MineMeld instance for the JSONSeq standard prototype.
Click on it and create a new prototype from this base.
Use, in the new prototype, the URL you captured in step 1.
Now locate this recently created prototype and clone it to a working node.
Now commit the configuration and navigate to the "Nodes" tab; you will see there is an error in the miner.
As said before, AF hosted feeds are, by default, protected with basic authentication. You must provide a valid username and password to the miner so it can successfully grab the indicators. Once you do so, you'll see how the indicators are imported by the on-premises MineMeld instance.
Click on any node's log entry to confirm not only the indicators but the full context is being extracted.
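As an added example (not part of the original answer or of MineMeld itself), the following script pulls a feed the way the JSONSeq miner does and counts what comes back, so the on-premises number can be checked against the hosted output node before the miner is committed. It assumes the feed is requested as `https://<host>/feeds/<name>?v=json-seq` (RFC 7464 framing, one record per 0x1E-prefixed line) behind HTTP basic auth; the sample body is constructed.

```python
import base64
import json
import urllib.request

RS = b"\x1e"  # ASCII record separator that opens every json-seq record


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization value the hosted, authenticated feed expects."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_json_seq(payload: bytes) -> list[dict]:
    """Split a json-seq body into JSON records, dropping a truncated tail."""
    records = []
    for chunk in payload.split(RS):
        chunk = chunk.strip()
        if not chunk:
            continue
        try:
            records.append(json.loads(chunk))
        except json.JSONDecodeError:
            # An interrupted download leaves a partial last record; do not count it.
            continue
    return records


def summarize(records: list[dict]) -> dict:
    """Count indicators per type and how many carry context beyond indicator/type."""
    by_type: dict[str, int] = {}
    for rec in records:
        by_type[rec.get("type", "unknown")] = by_type.get(rec.get("type", "unknown"), 0) + 1
    with_context = sum(1 for rec in records if set(rec) - {"indicator", "type"})
    return {"total": len(records), "by_type": by_type, "with_context": with_context}


def fetch_feed(url: str, user: str, password: str, timeout: int = 30) -> list[dict]:
    """Download the feed with basic auth and parse it (network call, not run here)."""
    req = urllib.request.Request(url, headers={"Authorization": basic_auth_header(user, password)})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_json_seq(resp.read())


# Constructed sample body standing in for a real feed response (assumed field names).
SAMPLE = (RS + b'{"indicator":"198.51.100.7","type":"IPv4","sources":["af.samples"]}\n'
          + RS + b'{"indicator":"example.invalid","type":"domain","share_level":"red"}\n'
          + RS + b'{"indicator":"4a7d1ed4","type":"md5')  # truncated final record

if __name__ == "__main__":
    print(summarize(parse_json_seq(SAMPLE)))
```

A zero total with a 401 from `fetch_feed` reproduces the miner error shown in the "Nodes" tab; a non-zero total with `with_context` equal to it confirms the full context is being carried over.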