Re: configure airgapped miner for on premise minemeld


L1 Bithead

Hi guys,

We recently set up a MineMeld server meant for an airgapped environment, and we are trying to figure out how to set up an airgapped miner using the other information found here on customizing a miner.

https://live.paloaltonetworks.com/t5/MineMeld-Articles/Using-MineMeld-to-Create-a-Custom-Miner/ta-p/...

 

Is there any available article on the requirements for an airgapped setup for the miner, as well as whether the miner must use HTTPS/HTTP to access the intel feeds, or whether any other format (e.g. SCP/SSH/SMB) will do?

 

1 REPLY

L5 Sessionator

Hi @Gerard_Ng,

 

Unfortunately there isn't any "generic miner" capable of extracting indicators from local files (or network-mounted files).

 

Option 1 is to code a new miner (either contributing to minemeld-core or creating a minemeld extension)

Option 2 is to use the "LocalDB" miner and push local indicators to it.

 

If you want to explore Option 2 then I'd recommend taking a look at the article https://live.paloaltonetworks.com/t5/MineMeld-Articles/Using-MineMeld-as-an-Incident-Response-Platfo... and taking a closer look at its Annex 2, where the API for the LocalDB Miner is explained. You could also leverage the minemeld-sync.py script created by @lmori that allows you to sync the LocalDB-stored indicators with the ones present in a given local file.
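As an added illustration of Option 2 (this is example code written for this thread, not the minemeld-sync.py script or any MineMeld project code), the script below reads a plain indicator file such as one carried into an airgapped network, classifies each line into a MineMeld indicator type (IPv4, IPv6, domain, URL), builds the JSON objects for the LocalDB miner, and reports unparseable lines instead of silently dropping them. The file layout (one indicator per line, `#` comments), the `ttl`/`share_level` values and the append endpoint path are assumptions made here; confirm the endpoint against Annex 2 of the linked article before using it.

```python
"""Example only: push indicators from a local file to a MineMeld LocalDB miner.

Assumptions (not taken from the thread):
  - input file: one indicator per line, '#' starts a comment
  - the LocalDB append path below is a placeholder to be checked against Annex 2
"""
import ipaddress
import json
import os
import re
import sys
from urllib.parse import urlparse

# Hostname check: labels of 1-63 chars, letters/digits/hyphens, plus a TLD.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def classify(value):
    """Return the MineMeld indicator type for one value, or None if unsupported."""
    v = value.strip()
    if not v:
        return None
    try:  # single address or CIDR range
        net = ipaddress.ip_network(v, strict=False)
        return "IPv4" if net.version == 4 else "IPv6"
    except ValueError:
        pass
    if "://" in v:
        p = urlparse(v)
        return "URL" if p.scheme in ("http", "https") and p.netloc else None
    return "domain" if _DOMAIN_RE.match(v) else None


def build_payload(text, ttl=86400, share_level="red"):
    """Parse file content into LocalDB indicator objects.

    Returns (indicators, rejected); rejected holds (line number, raw line)
    for anything that did not classify, so an analyst can review it.
    """
    indicators, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # strip comments only at line start or after whitespace, so URL fragments survive
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        itype = classify(line)
        if itype is None:
            rejected.append((lineno, raw))
            continue
        indicators.append({
            "indicator": line,
            "type": itype,
            "ttl": ttl,               # seconds until the miner ages the entry out
            "share_level": share_level,
            "comment": "imported from local file",
        })
    return indicators, rejected


def push_indicators(session, base_url, node, indicators):
    """PUT the indicator list to the LocalDB miner over HTTPS.

    ASSUMED endpoint: /config/data/<node>_indicators/append?h=<node>&t=localdb.
    Verify against Annex 2 of the IR article before relying on it.
    """
    url = "{}/config/data/{}_indicators/append".format(base_url.rstrip("/"), node)
    resp = session.put(url, params={"h": node, "t": "localdb"},
                       data=json.dumps(indicators),
                       headers={"Content-Type": "application/json"})
    resp.raise_for_status()
    return resp.status_code


# Constructed sample feed (documentation-range addresses, not real intel).
SAMPLE_FEED = """# constructed sample, not real intel
203.0.113.7
198.51.100.0/24
malicious.example
http://bad.example/payload.bin
2001:db8::1
not an indicator
"""


def main(argv):
    """Usage: script.py <indicator-file> <https://minemeld-host> <localdb-node>"""
    import requests  # only needed for the actual push
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_FEED
    indicators, rejected = build_payload(text)
    for lineno, raw in rejected:
        print("line {}: not an indicator: {!r}".format(lineno, raw), file=sys.stderr)
    if len(argv) < 4:
        print(json.dumps(indicators, indent=2))
        return 0
    s = requests.Session()
    s.auth = (os.environ["MM_USER"], os.environ["MM_PASS"])  # never hard-code credentials
    s.verify = os.environ.get("MM_CA_BUNDLE", True)           # pin the internal CA if any
    print("HTTP", push_indicators(s, argv[2], argv[3], indicators))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments to see the JSON the parser produces for the constructed sample; with a file, base URL and node name it pushes over TLS using credentials from the environment. Keeping rejected lines visible matters in an airgapped workflow, because a typo in a hand-carried file otherwise disappears with no feedback.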
