05-11-2018 05:52 AM
We are looking at various options to build a SOC framework and one of the objectives is to be able to have an internal 'queryable' API that we can use to investigate a single IP\IoC.
Is there any way to make MineMeld work in that manner, i.e. so we can query a list to see if an IP is included - https://minemeld/feeds/badlist?ip=8.8.8.8 - rather than downloading the entire list and then having to munge the data as a secondary task?
05-15-2018 01:47 AM
Hi @apackard,
I'm afraid the current MineMeld API does not provide such an entry point. You could think about contributing it 😉
That said, are you aware of the multiple formats supported by the output feed? https://live.paloaltonetworks.com/t5/MineMeld-Articles/Parameters-for-the-output-feeds/ta-p/146170
It won't save you from downloading the full list but can make your investigation much easier.
For instance, request the list in JSON format and with CIDR transformation:
https://rancher.xhoms.local:8443/feeds/inboundfeedhc?v=json&tr=1
You'll get a JSON response like the following one:
[
  {"indicator":"113.201.51.0/24","value":null},
  {"indicator":"118.26.116.0/22","value":null},
  {"indicator":"119.227.224.0/19","value":null},
  {"indicator":"120.128.128.0/18","value":null},
  {"indicator":"120.128.192.0/18","value":null},
  {"indicator":"120.129.0.0/17","value":null},
  {"indicator":"120.129.128.0/17","value":null},
  {"indicator":"120.130.0.0/17","value":null}
]
You can pipe the result through a JMESPath engine to get a boolean result:
contains([].indicator, `119.227.224.0/19`) -> true
contains([].indicator, `119.227.225.0/19`) -> false
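An added example (not code from the reply above and not part of MineMeld) showing how the single-IP check the original poster asked for can be done client-side once the feed has been downloaded. Note that the JMESPath contains() above only matches the exact CIDR string, so a host address such as 119.227.225.7 would return false against a /19 entry; this version tests whether the address falls inside any listed network. The feed URL is whatever ?v=json&tr=1 URL your instance exposes, and the sample entries are constructed from the example response.

```python
import ipaddress
import json
import urllib.request

# Constructed sample in the shape MineMeld returns for v=json&tr=1, including
# one malformed entry to show that a bad indicator does not break the lookup.
SAMPLE_FEED = json.dumps([
    {"indicator": "113.201.51.0/24", "value": None},
    {"indicator": "118.26.116.0/22", "value": None},
    {"indicator": "119.227.224.0/19", "value": None},
    {"indicator": "120.129.0.0/17", "value": None},
    {"indicator": "not-a-network", "value": None},
])


def fetch_feed(url):
    """Download a MineMeld output feed; the caller supplies the full ?v=json&tr=1 URL."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8")


def parse_feed(feed_json):
    """Parse the feed's JSON list into ip_network objects, skipping malformed entries."""
    networks = []
    for entry in json.loads(feed_json):
        try:
            networks.append(ipaddress.ip_network(entry["indicator"], strict=False))
        except (KeyError, TypeError, ValueError):
            continue  # keep going on a bad row rather than failing the whole lookup
    return networks


def lookup(ip, networks):
    """Return the feed network that contains ip (as a string), or None if no entry matches."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        # Compare only same-family entries; an IPv4 address is never "in" an IPv6 prefix.
        if addr.version == net.version and addr in net:
            return str(net)
    return None


if __name__ == "__main__":
    nets = parse_feed(SAMPLE_FEED)
    for candidate in ("119.227.225.7", "120.129.128.5", "8.8.8.8"):
        print(candidate, "->", lookup(candidate, nets))
```

For a SOC API the parsed network list can be cached and refreshed on a schedule, so each query answers from memory instead of re-downloading the feed.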
05-15-2018 05:45 PM
Thanks very much!
Though, believe me, you don't want my code anywhere near the product...!