Hi @porq91 ,
To achieve what you want you need localdb prototype. The only "guide" I am aware of is from the following link - https://live.paloaltonetworks.com/t5/general-articles/using-minemeld-as-an-incident-response-platfor...
Note that there was a bug that localdb was able to hold only single indicator and any new will replace the existing. This bug was fixed in some later version. So you definately need to run the latest version of MineMeld. Since no one from open communitity is picking up the project I believe last version is 0.9.70 and you should be fine with it.
Below are summarized steps that I writed down for myself, but if you need more detailed explanation check the link above
{
"indicator": "bad.example.com",
"type": "domain",
"comment": "Phishing domain",
"share_level": "green",
"confidence": 100,
"ttl": "disable"
}
Indicator - contain the suspicious domain
Type - must be set to domain (other options are IPv4, URL, hash)
Comment - Optional, but good practice to keep track for the reason why this domain was added
Share_level, Confidence - Optional, used for filtering internally in MineMeld
TTL - this set the age out period for the indicator, it must be set to disable in order to keep the indicator forever (due to the bug we cannot set age out disabled by default, so it must be set for each indicator). If ttl is set to 0 indicator will be removed from the local db and EDL respectfully
Hi @porq91 ,
To achieve what you want you need localdb prototype. The only "guide" I am aware of is from the following link - https://live.paloaltonetworks.com/t5/general-articles/using-minemeld-as-an-incident-response-platfor...
Note that there was a bug that localdb was able to hold only single indicator and any new will replace the existing. This bug was fixed in some later version. So you definately need to run the latest version of MineMeld. Since no one from open communitity is picking up the project I believe last version is 0.9.70 and you should be fine with it.
Below are summarized steps that I writed down for myself, but if you need more detailed explanation check the link above
{
"indicator": "bad.example.com",
"type": "domain",
"comment": "Phishing domain",
"share_level": "green",
"confidence": 100,
"ttl": "disable"
}
Indicator - contain the suspicious domain
Type - must be set to domain (other options are IPv4, URL, hash)
Comment - Optional, but good practice to keep track for the reason why this domain was added
Share_level, Confidence - Optional, used for filtering internally in MineMeld
TTL - this set the age out period for the indicator, it must be set to disable in order to keep the indicator forever (due to the bug we cannot set age out disabled by default, so it must be set for each indicator). If ttl is set to 0 indicator will be removed from the local db and EDL respectfully
Hi @porq91 ,
- Yes my-minemeld.com is just an example, which you need to replace with the hostname/ip address of your own MineMeld. Same goes for "XXXXXXXX-bad-domain" - you need to replace that as well with the name you use in your config
- I ment HTTP POST request - if you look at the link, somewhere around the end of the post there is "Annex 2" which is explaining how you can send API request to add/remove new indicators to the list. What I forgot to mention is that you can add/remove indicators manually through MineMeld GUI - go to Nodes -> Click on your localDB miner, there will be additional tab listing all current indicators and allowing you add or remove
Adding indicators via the GUI could be tidious, especially if you need to add bulk of indicators. In addition you can have somekind of automation that could benefit from the API and add/remove indicators using the explained API POST requests.
