Query MineMeld for a single IP\IoC?


L4 Transporter

We are looking at various options to build a SOC framework, and one of the objectives is to be able to have an internal 'queryable' API that we can use to investigate a single IP\IoC.

Is there any way to make MineMeld work in that manner, i.e. so we can query a list to see if an IP is included (https://minemeld/feeds/badlist?ip=8.8.8.8), rather than downloading the entire list and then having to munge the data as a secondary task?

1 accepted solution

Accepted Solutions

L5 Sessionator

Hi @apackard,

I'm afraid the current MineMeld API does not provide such an entry point. You could think about contributing it 😉

 

That said, are you aware of the multiple formats supported by the output feed? https://live.paloaltonetworks.com/t5/MineMeld-Articles/Parameters-for-the-output-feeds/ta-p/146170

It won't save you from downloading the full list, but it can make your investigation much easier.

For instance, request the list in JSON format and with CIDR transformation:

https://rancher.xhoms.local:8443/feeds/inboundfeedhc?v=json&tr=1

You'll get a JSON response like the following one

[
{"indicator":"113.201.51.0/24","value":null},
{"indicator":"118.26.116.0/22","value":null},
{"indicator":"119.227.224.0/19","value":null},
{"indicator":"120.128.128.0/18","value":null},
{"indicator":"120.128.192.0/18","value":null},
{"indicator":"120.129.0.0/17","value":null},
{"indicator":"120.129.128.0/17","value":null},
{"indicator":"120.130.0.0/17","value":null}
]

You can pipe the result through a JMESPath engine to get a boolean result:

contains([].indicator, `119.227.224.0/19`) -> true
contains([].indicator, `119.227.225.0/19`) -> false

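One caveat a practitioner will want to keep in mind: with tr=1 the feed comes back as CIDR blocks, and the JMESPath contains() shown above is a plain string comparison. It tells you whether an exact indicator string is in the list, not whether an address falls inside one of the blocks (119.227.225.0 sits inside 119.227.224.0/19, yet the second query above returns false). The following is an added example, not code from this thread or from MineMeld itself: it parses a v=json&tr=1 feed into Python ipaddress networks, does a real longest-prefix containment lookup, and wraps that in the small /lookup?ip=<address> endpoint the question asks for. The feed URL in fetch_feed is a hypothetical placeholder, SAMPLE_FEED_JSON is a constructed copy of the response shape quoted above, and names such as parse_feed, lookup_ip, answer_query and FeedQueryHandler are my own.

```python
import http.server
import ipaddress
import json
import urllib.parse
import urllib.request

# Constructed sample with the same shape as the v=json&tr=1 response quoted
# in the reply above (not a live feed).
SAMPLE_FEED_JSON = """[
{"indicator":"113.201.51.0/24","value":null},
{"indicator":"118.26.116.0/22","value":null},
{"indicator":"119.227.224.0/19","value":null},
{"indicator":"120.128.128.0/18","value":null},
{"indicator":"120.128.192.0/18","value":null},
{"indicator":"120.129.0.0/17","value":null},
{"indicator":"120.129.128.0/17","value":null},
{"indicator":"120.130.0.0/17","value":null}
]"""


def fetch_feed(url, timeout=10):
    """Download a MineMeld output feed as text.

    url is assumed to look like https://<minemeld>/feeds/<name>?v=json&tr=1
    (hypothetical host); nothing in this file touches the network on import.
    """
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_feed(feed_json):
    """Turn the JSON feed into ip_network objects.

    With tr=1 the indicators are CIDR blocks; a bare address without a prefix
    becomes a /32 (or /128). Non-IP indicators (domains, URLs) are skipped.
    """
    networks = []
    for entry in json.loads(feed_json):
        indicator = entry.get("indicator")
        if not isinstance(indicator, str):
            continue
        try:
            networks.append(ipaddress.ip_network(indicator, strict=False))
        except ValueError:
            continue
    return networks


def exact_match(feed_json, indicator):
    """What contains([].indicator, ...) does: a string comparison only."""
    return any(e.get("indicator") == indicator for e in json.loads(feed_json))


def lookup_ip(networks, ip):
    """Return the blocks that contain ip, most specific first ([] if none).

    Raises ValueError for input that is not a single IP address.
    """
    addr = ipaddress.ip_address(ip)
    hits = [n for n in networks if n.version == addr.version and addr in n]
    hits.sort(key=lambda n: n.prefixlen, reverse=True)
    return hits


def answer_query(networks, query_string):
    """Build the (status, body) pair for a ?ip=<address> query."""
    ip = urllib.parse.parse_qs(query_string).get("ip", [None])[0]
    if ip is None:
        return 400, {"error": "missing ip parameter"}
    try:
        hits = lookup_ip(networks, ip)
    except ValueError:
        return 400, {"error": "ip is not a valid IPv4/IPv6 address"}
    return 200, {"ip": ip, "listed": bool(hits), "matches": [str(n) for n in hits]}


class FeedQueryHandler(http.server.BaseHTTPRequestHandler):
    """GET /lookup?ip=<address> -> JSON answer built from the loaded feed."""

    networks = []  # populated before the server starts

    def do_GET(self):
        parsed = urllib.parse.urlsplit(self.path)
        if parsed.path != "/lookup":
            self.send_error(404)
            return
        status, body = answer_query(self.networks, parsed.query)
        payload = json.dumps(body).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # In a real deployment replace SAMPLE_FEED_JSON with
    # fetch_feed("https://<minemeld>/feeds/<name>?v=json&tr=1") and refresh on a schedule.
    FeedQueryHandler.networks = parse_feed(SAMPLE_FEED_JSON)
    print(lookup_ip(FeedQueryHandler.networks, "119.227.225.0"))
    http.server.HTTPServer(("127.0.0.1", 8080), FeedQueryHandler).serve_forever()
```

The list is still downloaded in full, as the reply says, but only by the service that refreshes it; analysts and tooling then get the one-IP answer from the local endpoint. Binding to 127.0.0.1 (or an internal interface behind your own authentication) keeps the lookup API internal, and re-fetching the feed on a timer keeps it from going stale.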

2 REPLIES


Thanks very much!

Though, believe me, you don't want my code anywhere near the product...!

  • 1 accepted solution
  • 3638 Views
  • 2 replies
  • 0 Likes