05-25-2016 10:23 PM
Hi Luigi,
One of my customers needs to allow traffic to Microsoft Azure Datacenter IP Ranges for Microsoft Power Bi. Any plans to add a miner for it?
The URL source is http://www.microsoft.com/EN-US/DOWNLOAD/confirmation.aspx?id=41653
The file is in XML format
I tried to create a new prototype but I couldn't find an XML class. Are you planning to add it?
Thanks,
05-25-2016 11:57 PM
Hi Mauricio,
there is no Miner for Azure IP Ranges yet, but it will be easy to add. It will be added for the next minor release, sometime next week.
I have created minemeld-core enhancement #14 to track this.
I have also created enhancement #15 and #16 to track development of Miner for GCE and Google IP ranges.
10-06-2016 02:08 AM
Hi,
Did you solve your issue? I also need to import the Azure IP range to Palo.
Thank you in advance.
10-06-2016 06:36 AM
Yes, Miners for GCE, Google IPs and Azure are now available in MineMeld.
05-24-2017 04:36 PM - edited 05-24-2017 06:02 PM
I can see the prototype for the azure ranges on the Github page. But how do I go about adding it into my minemeld config? Total rookie here.
Cheers
05-26-2017 12:28 AM
Hi @El-ahrairah,
just go to CONFIG, press IMPORT and copy & paste the following. Click on APPEND and then COMMIT. After the COMMIT you will find a new output node under NODES called azureIPv4s with the list of IPs used by Azure.
```yaml
nodes:
  azure_cloudIPs:
    inputs: []
    output: true
    prototype: azure.cloudIPs
  cloud_IPv4s:
    inputs:
      - azure_cloudIPs
    output: true
    prototype: stdlib.aggregatorIPv4Generic
  azureIPv4s:
    inputs:
      - cloud_IPv4s
    output: false
    prototype: stdlib.feedHCWithValue
```
10-02-2017 01:40 PM - edited 10-02-2017 04:34 PM
Right now, there's only one miner for all Azure Datacenter IPs -- there's an opportunity to split by region (e.g. USWest, USEast, etc) so that Minemeld users can more granularly select what IPs they want.
Is there any thought to expanding out the miner definitions so that there's one per region?
Thanks!
10-03-2017 01:15 AM
@michaelseto : The azure miner attaches the azure_region attribute to the indicators. You can see it in the miner logs.
```json
{
  "_age_out": 4294967295000,
  "confidence": 100,
  "azure_region": "uksouth",
  "share_level": "green",
  "_last_run": 1507016882946,
  "sources": [
    "azure.xml"
  ],
  "first_seen": 1507016882946,
  "type": "IPv4",
  "last_seen": 1507016882946
}
```
That means that you can use the output node input filter capabilities to accept/drop indicators based on that indicator's attribute value. For instance, the following 'infilters' configuration would only accept indicators for the region 'uksouth':
```yaml
infilters:
  - actions:
      - accept
    conditions:
      - __method == 'withdraw'
    name: accept withdraws
  - actions:
      - accept
    conditions:
      - azure_region == 'uksouth'
      - share_level == 'green'
    name: accept azure IP for region uksouth
  - actions:
      - drop
    name: drop all
```
10-05-2017 09:21 AM
Ah thank you @xhoms.
Your solution is more elegant than my own.
I ended up modifying some of the python (/opt/minemeld/engine/core/minemeld/ft/azure.py) and creating new miner prototypes per region.
At least I learned something? haha.
-Mike
12-11-2018 03:16 PM
Can anybody suggest where I can learn about how to apply/modify the mentioned "output node input filter capabilities"? I guess my question is -- where would I put input filter code such as is shown here?
Thanks,
12-19-2018 11:29 AM - edited 12-19-2018 12:22 PM
It would look something like this:
```yaml
nodes:
  azure_cloudIPs:
    inputs: []
    output: true
    prototype: azure.cloudIPs
  cloud_IPv4s:
    inputs:
      - azure_cloudIPs
    output: true
    prototype: stdlib.aggregatorIPv4Generic
  azure_IPv4s:
    inputs:
      - cloud_IPv4s
    output: false
    prototype: stdlib.feedHCWithValue
  azure_uksouth_IPv4s:
    inputs:
      - cloud_IPv4s
    output: false
    prototype: stdlib.feedHCWithValue
    config:
      infilters:
        - actions:
            - accept
          conditions:
            - __method == 'withdraw'
          name: accept withdraws
        - actions:
            - accept
          conditions:
            - azure_region == 'uksouth'
            - share_level == 'green'
          name: accept azure IP for region uksouth
        - actions:
            - drop
          name: drop all
```
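As an added illustration that is not part of the post above or of MineMeld's own code, the following simplified model shows how those three rules sort incoming messages. It assumes rules are tried in order and the first match decides; the messages and their addresses are constructed.

```python
import re

# The three rules from the configuration above, written as plain data.
INFILTERS = [
    {"name": "accept withdraws", "actions": ["accept"],
     "conditions": ["__method == 'withdraw'"]},
    {"name": "accept azure IP for region uksouth", "actions": ["accept"],
     "conditions": ["azure_region == 'uksouth'", "share_level == 'green'"]},
    {"name": "drop all", "actions": ["drop"]},
]

# Only the "name == 'value'" condition form used in the thread is modelled.
_COND = re.compile(r"^\s*(\w+)\s*==\s*'([^']*)'\s*$")


def condition_holds(condition, fields):
    match = _COND.match(condition)
    if match is None:
        raise ValueError("unsupported condition: %r" % condition)
    return fields.get(match.group(1)) == match.group(2)


def apply_infilters(filters, method, attributes):
    """Return (action, rule name) for the first rule whose conditions all hold."""
    fields = dict(attributes, __method=method)
    for rule in filters:
        if all(condition_holds(c, fields) for c in rule.get("conditions", [])):
            return rule["actions"][0], rule["name"]
    return "accept", None  # assumption: nothing matched, message passes


# Constructed messages (documentation-range addresses, not real Azure prefixes).
MESSAGES = [
    ("update", "192.0.2.0/24", {"azure_region": "uksouth", "share_level": "green"}),
    ("update", "198.51.100.0/24", {"azure_region": "westus", "share_level": "green"}),
    ("update", "203.0.113.0/24", {"azure_region": "uksouth", "share_level": "red"}),
    ("withdraw", "198.51.100.0/24", {}),
]


def accepted(messages, filters=INFILTERS):
    """List (method, indicator) pairs the output node would let through."""
    return [(m, ind) for m, ind, attrs in messages
            if apply_infilters(filters, m, attrs)[0] == "accept"]


if __name__ == "__main__":
    for method, indicator, attrs in MESSAGES:
        print(method, indicator, apply_infilters(INFILTERS, method, attrs))
```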
01-22-2019 07:24 AM
Hi All
I've got a follow on to this discussion. I've tried the Azure IP miner and it works nicely, but it doesn't give the level of granularity that I need. It lists prefixes by azure region, but not by Azure service.
I need to end with a list of IP addresses by PaaS service, specifically storage & sql in my case. There is a different url that holds all the prefixes in json format here - https://www.microsoft.com/en-us/download/confirmation.aspx?id=56519
Does anyone have a miner prototype that can do this?
Thanks
01-23-2019 05:51 AM
Thanks for the suggestion, I opened a FR to track this: https://github.com/PaloAltoNetworks/minemeld-core/issues/311
11-19-2019 04:40 AM
Hello,
Did you see that the link used will be deprecated by June 30, 2020?
IP Ranges for each cloud, broken down by region and by the tagged services in that cloud are now available on MS Download:
Public: https://www.microsoft.com/en-us/download/details.aspx?id=56519
US Gov: http://www.microsoft.com/en-us/download/details.aspx?id=57063
Germany: http://www.microsoft.com/en-us/download/details.aspx?id=57064
China: http://www.microsoft.com/en-us/download/details.aspx?id=57062
These JSON files are updated weekly and include versioning both for the full file and each individual service tag in that file. The “AzureCloud” tag provides the IP ranges for that entire cloud (Public, USGov, Germany, China) and is also broken out by region within that cloud. Finally, the list of service tags in the file will be increasing as we’re constantly onboarding new azure teams to service tags.
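The per-service breakdown asked for earlier in the thread can be read from the JSON file described above. This is an added example, not a MineMeld prototype or code from the thread; the field names (`values`, `properties`, `systemService`, `region`, `addressPrefixes`) and the service names follow the published file layout, which the thread does not show, and the sample data is constructed.

```python
import ipaddress
import json

# Constructed sample in the layout of the Service Tags JSON file; prefixes are
# documentation ranges, not real Azure addresses.
SAMPLE = json.loads("""
{"changeNumber": 1, "cloud": "Public", "values": [
  {"name": "AzureCloud", "properties": {"changeNumber": 1, "region": "",
    "systemService": "", "addressPrefixes": ["198.51.100.0/24"]}},
  {"name": "Storage.UKSouth", "properties": {"changeNumber": 1, "region": "uksouth",
    "systemService": "AzureStorage",
    "addressPrefixes": ["192.0.2.0/25", "192.0.2.128/25", "2001:db8:1::/48"]}},
  {"name": "Sql.UKSouth", "properties": {"changeNumber": 1, "region": "uksouth",
    "systemService": "AzureSQL", "addressPrefixes": ["203.0.113.16/28"]}},
  {"name": "Sql.WestUS", "properties": {"changeNumber": 1, "region": "westus",
    "systemService": "AzureSQL", "addressPrefixes": ["203.0.113.64/26"]}}
]}
""")


def prefixes_by_tag(doc, services, region=None, version=4):
    """Map tag name -> collapsed CIDR list for the wanted services and region."""
    result = {}
    for tag in doc.get("values", []):
        props = tag.get("properties", {})
        if props.get("systemService") not in services:
            continue
        if region is not None and props.get("region") != region:
            continue
        nets = set()
        for prefix in props.get("addressPrefixes", []):
            try:
                net = ipaddress.ip_network(prefix, strict=False)
            except ValueError:
                continue  # skip malformed entries instead of failing the feed
            if net.version == version:
                nets.add(net)
        if nets:
            result[tag["name"]] = [str(n) for n in ipaddress.collapse_addresses(nets)]
    return result


if __name__ == "__main__":
    wanted = {"AzureStorage", "AzureSQL"}
    for name, cidrs in prefixes_by_tag(SAMPLE, wanted, "uksouth").items():
        print(name, cidrs)
```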