How to export sample miner from minemeld app in autofocus

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to export sample miner from minemeld app in autofocus

L1 Bithead

Hi experts,

 

I have a customer who uses Autofocus with Minemeld and, uses splunk. 

This customer is using two minemeld. One of Minemeld is from Autofocus app and, another is Standalone Minemeld deployed on Splunk. 

 

but, I found out difference number of miner samples between Autofocus app and Standalone Minemeld. 

Below is number of samples when search keyword "autofocus"

1. Standalone Minemeld

stand.jpg

 

2. Autofocus app Minemeld 

clould.jpg

 

So, Customer wants to export miner samples from Autofocus app and, import samples on Standalone Minemeld. 

 

Please advise to me and will appreciated.

 

Thanks

Jihoon

1 accepted solution

Accepted Solutions

L5 Sessionator

Hi @jilim,

 

Being able to extract indicators from AutoFocus searches is one of the few features not available in the MineMeld Community edition. Only the AutoFocus hosted MineMeld instance includes a miner capable of it.

 

Said that, there is a special miner named "JSONSeq" that allows a MineMeld-to-MineMeld kind of connection. Using this miner you can "pipe" all indicators from the hosted MineMeld instance to your on-premises MineMeld one.

 

The following is a step-by-step guide on how to achieve this.

 

Step 1: Route your AF samples indicators to a feed output node

The following screen capture shows a graph in an AutoFocus MineMeld instance routing samples searches to a feed output node.2018-03-30_08-47-21.png

 

 

Click on the output node to confirm the number of indicators and other details for the feed.

 

2018-03-30_08-49-09.png

 

Note that, by default, all AutoFocus hosted feeds are authenticated (in this case with the tags "active_campaigns" and "test_tag"). This means that you'll need the corresponding user and password for the on-premises MineMeld instance to be able to import indicators from this feed.

 

Copy the URL of the feed. You'll need it in the next step.

 

Step 2: Create a new JSONSeq miner prototype

Look in your on-premises MineMeld instance for the JSONSeq standard prototype.

 

2018-03-30_08-52-20.png

 

Click on it an create a new prototype from this base.

 

2018-03-30_08-53-00.png

 

Use, in the new prototype, the URL you captured in the step 1

 

2018-03-30_08-55-24.png

 

Now locate this recently created prototype and clone it to a working node.

 

2018-03-30_08-56-30.png

 

2018-03-30_08-57-07.png

 

2018-03-30_08-57-46.png

 

Now commit the configuration. And navigate to the "Nodes" tab to realize there is an error in the miner.

 

2018-03-30_08-59-11.png

 

 

As said before, AF hosted feeds are, by default, protected with basic authentication. You must provide a valid username and password to the miner so it can successfully grab the indicators. Once you do so, you'll see how the indicators are imported by the on-premises MineMeld instance.

 

2018-03-30_09-00-18.png

 

 

Click on any node's log entry to confirm not only the indicators but the full context is being extracted.

 

2018-03-30_09-01-04.png

 

 

 

View solution in original post

1 REPLY 1

L5 Sessionator

Hi @jilim,

 

Being able to extract indicators from AutoFocus searches is one of the few features not available in the MineMeld Community edition. Only the AutoFocus hosted MineMeld instance includes a miner capable of it.

 

Said that, there is a special miner named "JSONSeq" that allows a MineMeld-to-MineMeld kind of connection. Using this miner you can "pipe" all indicators from the hosted MineMeld instance to your on-premises MineMeld one.

 

The following is a step-by-step guide on how to achieve this.

 

Step 1: Route your AF samples indicators to a feed output node

The following screen capture shows a graph in an AutoFocus MineMeld instance routing samples searches to a feed output node.2018-03-30_08-47-21.png

 

 

Click on the output node to confirm the number of indicators and other details for the feed.

 

2018-03-30_08-49-09.png

 

Note that, by default, all AutoFocus hosted feeds are authenticated (in this case with the tags "active_campaigns" and "test_tag"). This means that you'll need the corresponding user and password for the on-premises MineMeld instance to be able to import indicators from this feed.

 

Copy the URL of the feed. You'll need it in the next step.

 

Step 2: Create a new JSONSeq miner prototype

Look in your on-premises MineMeld instance for the JSONSeq standard prototype.

 

2018-03-30_08-52-20.png

 

Click on it an create a new prototype from this base.

 

2018-03-30_08-53-00.png

 

Use, in the new prototype, the URL you captured in the step 1

 

2018-03-30_08-55-24.png

 

Now locate this recently created prototype and clone it to a working node.

 

2018-03-30_08-56-30.png

 

2018-03-30_08-57-07.png

 

2018-03-30_08-57-46.png

 

Now commit the configuration. And navigate to the "Nodes" tab to realize there is an error in the miner.

 

2018-03-30_08-59-11.png

 

 

As said before, AF hosted feeds are, by default, protected with basic authentication. You must provide a valid username and password to the miner so it can successfully grab the indicators. Once you do so, you'll see how the indicators are imported by the on-premises MineMeld instance.

 

2018-03-30_09-00-18.png

 

 

Click on any node's log entry to confirm not only the indicators but the full context is being extracted.

 

2018-03-30_09-01-04.png

 

 

 

  • 1 accepted solution
  • 4240 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!