This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

panos_syslog IP indicator - withdraw

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

panos_syslog IP indicator - withdraw

rchilukuri
L1 Bithead

‎02-15-2017 03:30 PM

 

I am trying to create an IPv4 indicator list based on PAN-OS threat logs.

Below is the rule code attached to the syslogminer class stdlib.syslogMiner.

 

 

RULE:

age_out:
   default: last_seen+30d
   interval: 1800
   sudden_death: false
attributes:
   confidence: 50
   type: IPv4
conditions:
   - type == 'THREAT'
config:
   share_level: green
   fields: null
indicators:
   - src_ip

 

Unfortunately all the IP addresses are withdrawn.

 

15/2/2017 08:07:04 -0500 ThreatFeedMCGreen ACCEPT_WITHDRAW 192.168.1.61-192.168.1.61 confidence: 50sources: ["panos.syslog"]first_seen: 1487158094651panossyslog_devices: ["001606041772"]type: IPv4last_seen: 1487160033901 source_node: inboundaggregator
15/2/2017 08:07:04 -0500 ThreatFeedMCGreen RECVD_WITHDRAW 192.168.1.61-192.168.1.61 confidence: 50sources: ["panos.syslog"]first_seen: 1487158094651panossyslog_devices: ["001606041772"]type: IPv4last_seen: 1487160033901 source_node: inboundaggregator
15/2/2017 08:07:04 -0500 ThreatFeedMCRedWithValue ACCEPT_WITHDRAW 192.168.1.61-192.168.1.61 confidence: 50sources: ["panos.syslog"]first_seen: 1487158094651panossyslog_devices: ["001606041772"]type: IPv4last_seen: 1487160033901 source_node: inboundaggregator
15/2/2017 08:07:04 -0500 ThreatFeedMCRedWithValue RECVD_WITHDRAW 192.168.1.61-192.168.1.61 confidence: 50sources: ["panos.syslog"]first_seen: 1487158094651panossyslog_devices: ["001606041772"]type: IPv4last_seen: 1487160033901 source_node: inboundaggregator
15/2/2017 08:07:04 -0500 inboundaggregator EMIT_WITHDRAW 192.168.1.61-192.168.1.61 _updated: 1487160033902confidence: 50panossyslog_devices: ["001606041772"]_added: 1487158094654sources: ["panos.syslog"]first_seen: 1487158094651_id: 35c6d7da-0715-42db-8b7a-b873cbb07ff2type: IPv4last_seen: 1487160033901
15/2/2017 08:07:04 -0500 inboundaggregator ACCEPT_WITHDRAW 192.168.1.61 confidence: 50sources: ["panos.syslog"]first_seen: 1487158094651panossyslog_devices: ["001606041772"]type: IPv4last_seen: 1487160033901 source_node: panos-syslog-miner
15/2/2017 08:07:04 -0500 inboundaggregator RECVD_WITHDRAW 192.168.1.61 confidence: 50sources: ["panos.syslog"]first_seen: 1487158094651panossyslog_devices: ["001606041772"]type: IPv4last_seen: 1487160033901 source_node: panos-syslog-miner
15/2/2017 08:07:04 -0500 panos-syslog-miner EMIT_WITHDRAW 192.168.1.61 _age_out: 1487163633901confidence: 50sources: ["panos.syslog"]first_seen: 1487158094651panossyslog_devices: ["001606041772"]type: IPv4last_seen: 1487160033901
15/2/2017 07:58:52 -0500 ThreatFeedMCRedWithValue DROP_UPDATE 213.211.198.62-213.211.198.62 confidence: 50sources: ["panos.syslog"]first_seen: 1487159482831panossyslog_devices: ["001606041772"]type: IPv4last_seen: 1487163532361 source_node: inboundaggregator
15/2/2017 07:58:52 -0500 ThreatFeedMCRedWithValue RECVD_UPDATE 213.211.198.62-213.211.198.62 confidence: 50sources: ["panos.syslog"]first_seen: 1487159482831panossyslog_devices: ["001606041772"]type: I

 

0 Likes Likes
2 REPLIES 2

lmori
L7 Applicator

‎02-17-2017 05:56 AM

Hi @rchilukuri,

I think you have mixed prototype attributes and rule attributes, that's the reason age_out policy is ignored. The following setting should be in the syslog Miner prototype:

age_out:
   default: last_seen+30d
   interval: 1800
   sudden_death: false
attributes:
   confidence: 50
   type: IPv4
config:
   share_level: green
0 Likes Likes

rchilukuri
L1 Bithead
In response to lmori

‎02-17-2017 07:53 AM - edited ‎02-26-2017 07:16 AM

 

Getting,  Error validating, no "conditions" in rule

Not able to apply the rule with out any conditions.

 

Need a rule to list and keep the IP indicators for 30 days or more.

 

0 Likes Likes
  • 3533 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks