01-30-2017 04:29 PM
Hi Guys,
I'm new to this community. At the moment, we are actively exploring MineMeld in our environment and would like to know if there are any connectors available for Splunk to consume intel collected by MineMeld.
Please advise.
Thank you.
02-03-2017 08:59 AM
Hello,
My name is Brian Torres-Gil and my team owns the Splunk integration at Palo Alto Networks. A Minemeld-Splunk integration is in the works, and I'd love to hear any use cases you have so we can ensure they're handled by the integration. Please tell me what you'd like to see from a Splunk integration with Minemeld and any problems you'd solve with it. This will really help us with the final design.
Thanks!
-Brian
02-14-2017 02:19 AM
We will provide MineMeld as a Service for our PAN Firewall customers. Therefore it would be nice to see a graphical presentation of the currently connected Firewalls and to which feeds.
Thanks
Roland
02-15-2017 02:02 AM - edited 02-15-2017 02:03 AM
Hi @gafrol,
this would be a nice feature to have inside MineMeld. With the current release if you are already using Splunk or a system able to process syslog logs to create a dashboard, you can configure nginx on MineMeld to forward logs to an external syslog server. Using the nginx logs you can visualize and track firewalls connecting to the different feeds.
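An added example (not part of this thread, and not MineMeld's or the Splunk add-on's own configuration) of the kind of Splunk search Luigi's suggestion makes possible once MineMeld's nginx access log is forwarded to Splunk over syslog. It is written as a savedsearches.conf stanza and assumes three things: a sourcetype name minemeld:nginx that you assign on your syslog input, nginx's default "combined" log format, and MineMeld's standard feed path /feeds/<output-node-name>. The constructed sample line in the comment shows the shape the regex expects.

```ini
# Added example: report which firewalls pull which MineMeld feed from the
# nginx access log forwarded to Splunk. Assumed names: sourcetype
# "minemeld:nginx" (assigned on your syslog input), nginx "combined" format,
# feeds served under /feeds/<output-node-name>.
# Constructed sample line (a syslog header may precede it, so no ^ anchor):
#   10.1.2.3 - - [15/Feb/2017:10:00:01 +0000] "GET /feeds/ipv4blocklist HTTP/1.1" 200 1234 "-" "PAN-OS/8.0"
[MineMeld - firewalls per feed]
description = Firewall IPs pulling each MineMeld feed, last pull time, and failed pulls
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
search = sourcetype="minemeld:nginx" \
  | rex field=_raw "(?<client_ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?<ts>[^\]]+)\] \"(?<method>\S+) (?<uri>\S+) [^\"]*\" (?<status>\d{3})" \
  | rex field=uri "^/feeds/(?<feed>[^/?]+)" \
  | where isnotnull(feed) \
  | stats dc(client_ip) AS firewalls, values(client_ip) AS firewall_ips, \
          count(eval(status="200")) AS successful_pulls, \
          count(eval(status!="200")) AS failed_pulls, \
          max(_time) AS last_pull BY feed \
  | eval last_pull=strftime(last_pull, "%Y-%m-%d %H:%M:%S")
```

The failed_pulls column is the part worth watching: a firewall that shows up there with 401/403 responses has a wrong feed URL or missing feed authentication, and a feed whose last_pull falls behind the firewalls' refresh interval is silently not being enforced.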
03-27-2017 10:36 AM
I would also be interested in using the minemeld app to ingest the node logs into Splunk, so that Splunk could have knowledge of the additions, updates, withdrawals, etc. occurring for each indicator.
03-29-2017 02:58 AM
Hi @mboehlke,
are you interested in sending indicators updates/withdraws to Splunk ? Or using the MineMeld feeds as lookup tables inside Splunk ?
Thanks !
luigi
03-29-2017 04:46 AM
I was primarily interested in sending the updates/withdraws to Splunk. There's some hesitation to implementing dynamic block lists everywhere on our network and being able to audit the lists through a utility everyone is familiar with would do a lot to help assuage that.
I had been looking at just putting a forwarder on the minemeld instance, but the log files I found that appear to contain the logs read in by the MineMeld UI don't exclusively contain text? It looks like there's some binary data in there as well?
03-30-2017 05:27 AM - edited 03-30-2017 05:28 AM
Hi @mboehlke,
there are 2 things you could do now for this:
1 - use the logstash output node to push indicators to LogStash and then configure logstash to forward the messages to Splunk. An open point here is the best format to be used on LogStash to push indicators to Splunk.
2 - use the minemeld-cef extension to generate messages in CEF format. My understanding is that Splunk can understand CEF.
10-09-2017 12:35 AM
I found this page while looking at some Splunk/MineMeld integration posts.
I wrote a series of blog posts on Threat Intelligence automation using MineMeld and Splunk
You can find here
https://scubarda.wordpress.com/category/threat-intelligence/
Some notes:
on post 1 I show the architecture
on post 2 I show how to write a custom prototype and the IoC integration with our SOC Splunk application. This is the fully automated near real-time feature we are using today to check IoC access.
on post 3 I show how to create a STIX/TAXII output miner to export IoC
on post 4 I show how I integrated IoC events (updates/withdraw) into Splunk; to do this I wrote a TA to parse incoming data (via logstash connector) and an app to show some stats (both on github).
Hope this is useful
Giovanni
05-30-2018 01:19 PM
Hi! I know I'm late to the party but I'd also like to monitor node updates coming from MM to Splunk, and I'm having trouble finding the right queries to do so, probably due to the fact that we are very unknowledgeable concerning Splunk here hahahha.
Our 7.1 Splunk instance is connected to some MM outputs, and I can correctly find the indicators by using the | `mm_indicators` search or | from inputlookup:"minemeldfeeds_lookup" . What I need to do is compare last month's feeds to this month's feeds and return all the new indicators that have appeared in the last 30 days. All this is ultimately to compare to NGFW security policy hits within the last month to know if the new indicators have been hit or not.
Hopefully someone here could help us with this, maybe @btorresgil or @lmori ?
Thanks!
06-01-2018 11:11 AM
@michael.gabriel The Splunk App/Add-on doesn't track indicators over time by default. The indicators are fed into a KVStore lookup table, which is a database, so it does not natively have a time-component like the main Splunk index does. You can easily create a scheduled search in Splunk that simply indexes the minemeld indicator lookup table every day. Then you can see how the indicators change over time. Would that suggestion work for you?
-Brian
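An added example (not Brian's own steps and not configuration shipped with the MineMeld add-on) that works through the approach described above: a scheduled search snapshots the KV store lookup into a summary index every day, a second search derives the indicators first seen in the last 30 days, and a third answers the original question of which of those were hit by NGFW traffic. Assumptions: the minemeldfeeds_lookup table named in this thread exposes fields indicator, type and feed (check with `| inputlookup minemeldfeeds_lookup | head 5` and rename as needed); a summary index minemeld_history has been created; firewall traffic logs sit in index pan_logs with sourcetype pan:traffic and fields src_ip and dest_ip (the Palo Alto Networks Add-on's field names, assumed here).

```ini
# Added example: savedsearches.conf stanzas for tracking MineMeld indicators
# over time. Assumed names: lookup fields indicator/type/feed, summary index
# "minemeld_history", NGFW logs in index "pan_logs" sourcetype "pan:traffic"
# with src_ip/dest_ip fields. Adjust all of these to your environment.

# 1. Daily snapshot: copy the KV store lookup (which has no time component)
#    into a time-stamped event index so changes become searchable over time.
[MineMeld - daily indicator snapshot]
cron_schedule = 15 0 * * *
enableSched = 1
dispatch.earliest_time = -1h
dispatch.latest_time = now
search = | inputlookup minemeldfeeds_lookup \
  | eval _time=now(), snapshot_day=strftime(now(), "%Y-%m-%d") \
  | table _time snapshot_day indicator type feed \
  | collect index=minemeld_history sourcetype=minemeld:snapshot

# 2. Indicators first seen within the last 30 days, written to a CSV lookup.
#    first_seen is only meaningful once the history index covers more than
#    30 days; until then every indicator looks "new". An indicator whose
#    last_seen is older than the latest snapshot has been withdrawn.
[MineMeld - new indicators last 30 days]
cron_schedule = 45 0 * * *
enableSched = 1
dispatch.earliest_time = -90d@d
dispatch.latest_time = now
search = index=minemeld_history sourcetype=minemeld:snapshot \
  | stats min(_time) AS first_seen, max(_time) AS last_seen BY indicator type feed \
  | where first_seen >= relative_time(now(), "-30d@d") \
  | eval first_seen=strftime(first_seen, "%Y-%m-%d"), last_seen=strftime(last_seen, "%Y-%m-%d") \
  | outputlookup minemeld_new_30d.csv

# 3. Which of the new indicators were actually contacted: enrich NGFW traffic
#    with the CSV from step 2 instead of a join, which is slow on large indexes.
#    Matching on dest_ip covers IPv4 indicators only; domain or URL indicators
#    need the corresponding URL-filtering or DNS log fields.
[MineMeld - new indicators hit by NGFW]
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
search = index=pan_logs sourcetype="pan:traffic" \
  | lookup minemeld_new_30d.csv indicator AS dest_ip OUTPUT first_seen feed \
  | where isnotnull(first_seen) \
  | stats count AS hits, dc(src_ip) AS sources, min(_time) AS first_hit BY dest_ip first_seen feed \
  | eval first_hit=strftime(first_hit, "%Y-%m-%d %H:%M:%S")
```

The 90-day window in step 2 is deliberate: the search has to look back further than the 30 days it reports on, otherwise an indicator that has been in the feed for months would appear to be first seen at the start of the window. Step 3 reads the CSV produced by step 2, so it only returns useful results after that search has run at least once.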
06-01-2018 11:23 AM
Thank you so much for the quick reply @btorresgil. I believe that is exactly what I should be doing, if you have the time/patience to do so, could you briefly explain the steps to me please?
Cheers 🙂