08-15-2016 07:27 AM
Can you select the formatting, or would I need to create a wrapper that manipulates the data pushed by MineMeld to forward it in CEF? Glad an open-source community on this exists. Additionally, I need an RPM-based package or just a way to compile from source; I am using CentOS. Any thoughts, or is there a source package for this?
08-16-2016 01:35 PM
Hi socfocus,
CEF output node is definitely on my todo list (see ER#39 at https://github.com/PaloAltoNetworks/minemeld-core/issues/39). I am looking for a good example of how to translate Threat Intelligence into CEF format; do you have something I could look at?
Installation based on RPM is on the TODO list; it shall be quite easy to accomplish.
02-06-2017 11:34 AM
Hi @socfocus.com,
starting with 0.9.32 you can use an external extension to achieve this:
https://github.com/PaloAltoNetworks/minemeld-cef
luigi
07-04-2017 07:12 PM
Dear @lmori,
Does the minemeld-cef extension support Hash aggregator processors (MD5, SHA256)?
Does minemeld-cef support all aggregators in MineMeld?
Thank you
07-05-2017 01:21 PM
Hi @iThreatHunt,
this could be supported by changing the template, but in which CEF field would you put the hash indicator ?
luigi
07-05-2017 08:25 PM
Could MD5 and SHA256 be mapped to Device Custom String3?
Currently the Device Custom field is used.
07-07-2017 11:27 PM
I found some errors when activating minemeld-cef 0.17b. Please advise me.
Obtaining file:///opt/minemeld/local/library/7d86cdf2-c97e-4835-a5df-acdad36fd48d
Complete output from command python setup.py egg_info:
Unable to find pgen, not compiling formal grammar.
warning: no files found matching '*.pyx' under directory 'Cython/Debugger/Tests'
warning: no files found matching '*.pxd' under directory 'Cython/Debugger/Tests'
warning: no files found matching '*.h' under directory 'Cython/Debugger/Tests'
warning: no files found matching '*.pxd' under directory 'Cython/Utility'
unable to execute 'x86_64-linux-gnu-gcc': No such file or directory
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/opt/minemeld/local/library/7d86cdf2-c97e-4835-a5df-acdad36fd48d/setup.py", line 50, in <module>
entry_points=_entry_points
File "/usr/lib/python2.7/distutils/core.py", line 111, in setup
_setup_distribution = dist = klass(attrs)
File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/setuptools/dist.py", line 320, in __init__
self.fetch_build_eggs(attrs['setup_requires'])
File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/setuptools/dist.py", line 377, in fetch_build_eggs
replace_conflicting=True,
File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 852, in resolve
dist = best[req.key] = env.best_match(req, ws, installer)
File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 1124, in best_match
return self.obtain(req, installer)
File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 1136, in obtain
return installer(requirement)
File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/setuptools/dist.py", line 445, in fetch_build_egg
return cmd.easy_install(req)
File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 673, in easy_install
return self.install_item(spec, dist.location, tmpdir, deps)
File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 699, in install_item
dists = self.install_eggs(spec, download, tmpdir)
File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 880, in install_eggs
return self.build_and_install(setup_script, setup_base)
File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 1119, in build_and_install
self.run_setup(setup_script, setup_base, args)
File "/opt/minemeld/engine/0.9.40/local/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 1107, in run_setup
raise DistutilsError("Setup script exited with %s" % (v.args[0],))
distutils.errors.DistutilsError: Setup script exited with error: command 'x86_64-linux-gnu-gcc' failed with exit status 1
----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /opt/minemeld/local/library/7d86cdf2-c97e-4835-a5df-acdad36fd48d/
07-10-2017 11:34 PM
Hi @iThreatHunt,
installing minemeld-cef from source requires a compiler, and this is not available by default on MineMeld VMs (security).
You can instead download the wheel file from here:
https://github.com/PaloAltoNetworks/minemeld-cef/releases
And upload it to MineMeld via SYSTEM > EXTENSIONS page.
01-21-2018 01:50 PM
Is there any CEF output that MineMeld generates?
01-22-2018 09:50 AM
Hi @ahmed_hassan,
could you elaborate a bit on your question? CEF is just an interface to encapsulate indicators. MineMeld supports such an interface through an extension, which means that you can output anything you want to a CEF receiver.
07-03-2018 02:17 PM
When sending hashes using CEF format, the hash value is not sent to ArcSight.
So I viewed the raw data that is sent to ArcSight, and I found that the field that contains the hash value is empty.
07-03-2018 02:37 PM
Please find this raw log that is sent to ArcSight without the hash value:
Raw Event: <53>Feb 21 18:48:40 CEF:0|Palo Alto Networks|MineMeld CEF Output|0.1|withdraw|MineMeld IOC|0|deviceFacility=sha256 deviceExternalId=MineMeld deviceProcessName=Malicious_Hash_To_Arcsight cs2Label=Sources cn2Label=NumberOfSources deviceCustomDate1=1519148121391 deviceCustomDate2=1519148121391 deviceCustomDate2Label=LastSeen cs1Label=ShareLevel cn2=1 deviceCustomDate1Label=FirstSeen cn1=100 cn1Label=Confidence cs2=ADIB_Hash_Malware_Miner endTime=1519238920025 cs1=red
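As an added example (not code from the minemeld-cef extension or its template), the Python script below parses the raw event posted above, confirms that none of its extension fields carries a hash digest, and then shows the cs3/cs3Label mapping discussed earlier in the thread, with the header and extension escaping that CEF requires. The MineMeld attribute keys type, confidence and share_level are the ones MineMeld attaches to indicators; the choice of cs3 for the indicator, the cs3Label text and the sample hash are assumptions made for the illustration. It is written for Python 3 although the MineMeld engine on the page runs on Python 2.7.

```python
import re

# Constructed sample: the raw event quoted in the thread, minus the syslog
# "<53>Feb 21 18:48:40 " prefix. No extension key carries the hash itself.
SAMPLE_EVENT = (
    "CEF:0|Palo Alto Networks|MineMeld CEF Output|0.1|withdraw|MineMeld IOC|0|"
    "deviceFacility=sha256 deviceExternalId=MineMeld "
    "deviceProcessName=Malicious_Hash_To_Arcsight cs2Label=Sources "
    "cn2Label=NumberOfSources deviceCustomDate1=1519148121391 "
    "deviceCustomDate2=1519148121391 deviceCustomDate2Label=LastSeen "
    "cs1Label=ShareLevel cn2=1 deviceCustomDate1Label=FirstSeen cn1=100 "
    "cn1Label=Confidence cs2=ADIB_Hash_Malware_Miner endTime=1519238920025 cs1=red"
)

HEADER_KEYS = ("cef_version", "vendor", "product", "version",
               "signature_id", "name", "severity")

# Extension pairs are "key=value" separated by one space; values may contain
# spaces, so a value ends where the next " key=" begins or at end of line.
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?= \w+=|$)")
_HASH_RE = re.compile(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}")


def _split_header(line):
    """Return the 7 '|'-separated header fields and the extension remainder.
    In the header, '\\|' and '\\\\' are the only escapes."""
    fields, cur, i = [], [], 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
            if len(fields) == 7:
                return fields, line[i + 1:]
        else:
            cur.append(c)
        i += 1
    raise ValueError("CEF header needs 7 pipe-separated fields")


def _unescape_ext(raw):
    # Extension escapes: '\=' '\\' and the '\n' / '\r' shorthands.
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  raw)


def parse_cef(line):
    """Parse one CEF:0 line into (header dict, extension dict)."""
    header, ext = _split_header(line)
    if header[0] != "CEF:0":
        raise ValueError("unsupported CEF version: %r" % header[0])
    fields = {k: _unescape_ext(v) for k, v in _EXT_RE.findall(ext)}
    return dict(zip(HEADER_KEYS, header)), fields


def hash_fields(fields):
    """Keys whose value looks like an MD5/SHA1/SHA256 hex digest."""
    return sorted(k for k, v in fields.items() if _HASH_RE.fullmatch(v))


def find_indicator_field(fields, indicator):
    """The extension key carrying the indicator, or None if it was dropped."""
    for key, val in fields.items():
        if val == indicator:
            return key
    return None


def _esc_header(s):
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(s):
    return (s.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\r", "\\r").replace("\n", "\\n"))


def format_indicator(indicator, value, action="update"):
    """Render one MineMeld indicator as a CEF event.

    `value` is the indicator's attribute dict (MineMeld keys 'type',
    'confidence', 'share_level'). Putting the indicator itself in cs3 with a
    cs3Label is the mapping proposed in the thread; it is an assumption here,
    not the extension's shipped template. Empty attributes are omitted.
    """
    header = "|".join(_esc_header(x) for x in (
        "CEF:0", "Palo Alto Networks", "MineMeld CEF Output", "0.1",
        action, "MineMeld IOC", "0"))
    ext = [
        ("deviceFacility", str(value.get("type", ""))),
        ("cs3", indicator),
        ("cs3Label", "Indicator"),
        ("cn1", str(value.get("confidence", ""))),
        ("cn1Label", "Confidence"),
        ("cs1", str(value.get("share_level", ""))),
        ("cs1Label", "ShareLevel"),
    ]
    return header + "|" + " ".join(
        "%s=%s" % (k, _esc_ext(v)) for k, v in ext if v != "")
```

Running parse_cef on the posted event returns an empty list from hash_fields, which is the symptom reported: the receiver gets the indicator's metadata (type, sources, confidence, share level) but not the indicator. Whatever custom string field you pick, keep the matching csNLabel so the ArcSight side can tell a hash in cs3 from any other string stored there, and escape '=' and '\' in values, since URL indicators routinely contain both.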