MineMeld Splunk App

L0 Member

Hi Guys,

 

I'm new to this community. At the moment, we are actively exploring MineMeld in our environment and would like to know if there is any connectors available for Splunk to consume intel collected by MineMeld .

Please advise.

Thank you.

11 REPLIES

L4 Transporter

Hello,

 

My name is Brian Torres-Gil and my team owns the Splunk integration at Palo Alto Networks.  A Minemeld-Splunk integration is in the works, and I'd love to hear any use cases you have so we can ensure they're handled by the integration.  Please tell me what you'd like to see from a Splunk integration with Minemeld and any problems you'd solve with it.  This will really help us with the final design.

 

Thanks!

 -Brian

We will provide MineMeld as a Service for our PAN Firewall customers. Therefore it would be nice to see a graphical presentation of the currently connected Firewalls and to which feeds.

 

Thanks

Roland

Hi @gafrol,

this would be a nice feature to have inside MineMeld. With the current release if you are already using Splunk or a system able to process syslog logs to create a dashboard, you can configure nginx on MineMeld to forward logs to an external syslog server. Using the nginx logs you can visualize and track firewalls connecting to the different feeds.

Details: https://nginx.org/en/docs/syslog.html

L1 Bithead

I would also be interested in using the minemeld app to ingest the node logs into Splunk, so that Splunk could have knowledge of the additions, updates, withdrawals, etc. occurring for each indicator.

Hi @mboehlke,

are you interested in sending indicator updates/withdraws to Splunk? Or using the MineMeld feeds as lookup tables inside Splunk?

 

Thanks!

luigi

I was primarily interested in sending the updates/withdraws to Splunk. There's some hesitation to implementing dynamic block lists everywhere on our network and being able to audit the lists through a utility everyone is familiar with would do a lot to help assuage that.

 

I had been looking at just putting a forwarder on the minemeld instance, but the log files I found that appear to contain the logs read in by the MineMeld UI don't exclusively contain text? It looks like there's some binary data in there as well? 

Hi @mboehlke,

there are 2 things you could do now for this:

1 - use the logstash output node to push indicators to LogStash and then configure logstash to forward the messages to Splunk. An open point here is the best format to be used on LogStash to push indicators to Splunk.

2 - use the minemeld-cef extension to generate messages in CEF format. My understanding is that Splunk can understand CEF.

I found this page while looking at some Splunk/MineMeld integration posts.

 

I wrote a series of blog posts on Threat Intelligence automation using MineMeld and Splunk

 

You can find them here:
https://scubarda.wordpress.com/category/threat-intelligence/

 

Some notes:

  1. on post 1 I show the architecture 

  2. on post 2 I show how to write a custom prototype and the IoC integration with our SOC Splunk application. This is the fully automated near real-time feature we are using today to check IoC access.

  3. on post 3 I show how to create a STIX/TAXII output miner to export IoC

  4. on post 4 I show how I integrated IoC events (updates/withdraw) into Splunk; to do this I wrote a TA to parse incoming data (via logstash connector) and an app to show some stats (both on GitHub).

Hope this is useful
Giovanni

L1 Bithead

Hi! I know I'm late to the party but I'd also like to monitor node updates coming from MM to Splunk, and I'm having trouble finding the right queries to do so... probably due to the fact that we are very unknowledgeable concerning Splunk here hahahha.

 

Our 7.1 Splunk instance is connected to some MM outputs, and I can correctly find the indicators by using the | `mm_indicators` search or | from inputlookup:"minemeldfeeds_lookup" . What I need to do is compare last month's feeds to this month's feeds and return all the new indicators that have appeared in the last 30 days. All this is ultimately to compare to NGFW security policy hits within the last month to know if the new indicators have been hit or not.

 

Hopefully someone here could help us with this, maybe @btorresgil or @lmori ? 

 

Thanks! 

@michael.gabriel The Splunk App/Add-on doesn't track indicators over time by default.  The indicators are fed into a KVStore lookup table, which is a database, so it does not natively have a time-component like the main Splunk index does.  You can easily create a scheduled search in Splunk that simply indexes the minemeld indicator lookup table every day.  Then you can see how the indicators change over time.  Would that suggestion work for you?

 -Brian
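The two-stage approach Brian describes, written out as a savedsearches.conf fragment. This is an added example and not part of the thread or of the MineMeld Splunk App; the lookup name minemeldfeeds_lookup comes from the thread, while the summary index name minemeld_history, the sourcetype minemeld:snapshot, the stanza names and the field name indicator are assumptions that need to be matched to the real lookup definition.

```ini
# savedsearches.conf, constructed example (not shipped with the MineMeld app).
# Assumed names: index "minemeld_history", sourcetype "minemeld:snapshot",
# lookup field "indicator". The index must exist before collect can write to it.

# Stage 1: once a day, copy the KVStore lookup into a summary index.
# Each indicator row gets a _time of the snapshot run, which is the
# time component the KVStore lookup itself does not have.
[MineMeld - daily indicator snapshot]
enableSched = 1
cron_schedule = 0 2 * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
search = | inputlookup minemeldfeeds_lookup \
| eval _time=now() \
| collect index=minemeld_history sourcetype=minemeld:snapshot

# Stage 2: indicators that appear in snapshots from the last 30 days but
# in none of the snapshots from the 30 days before that. Run ad hoc, or
# schedule it and feed the result into a dashboard or alert.
[MineMeld - indicators new in the last 30 days]
enableSched = 0
search = index=minemeld_history sourcetype=minemeld:snapshot earliest=-60d@d latest=now \
| eval period=if(_time >= relative_time(now(), "-30d@d"), "current", "previous") \
| stats count(eval(period="previous")) AS seen_before \
        count(eval(period="current")) AS seen_now \
        min(_time) AS first_seen BY indicator \
| where seen_before=0 AND seen_now>0 \
| convert ctime(first_seen) \
| table indicator first_seen
```

Two caveats when reading the stage 2 result: it is only meaningful once stage 1 has been running for longer than the comparison window (with no "previous" snapshots, every indicator looks new), and an indicator that was withdrawn before the 60-day window and then re-added will be reported as new, which is usually what an auditor wants to see anyway. The resulting list of indicators can then be used as a subsearch or a temporary lookup against the firewall traffic logs to answer the "have the new indicators been hit" question from the post above.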

Thank you so much for the quick reply @btorresgil. I believe that is exactly what I should be doing, if you have the time/patience to do so, could you briefly explain the steps to me please? 

 

Cheers 🙂 
