Update List Using REST \ similar

apackard · ‎11-07-2016

Maybe a stupid question and\or I've missed the obvious...

One of the issues we have with our Palo firewalls is - when we deploy 'active' IPS rules (block-ip etc) the maximum length of time is 3600 seconds.

We have a log solution that we use to trigger alerts if we're being probed over multiple days etc and would like to trigger a script, rather than the current manual email, to poke the offending IP address into a block list. As we've already started using MineMeld to serve up blocklists as I wondering if its possible to call a RESTful API - or similar - to push the IP address to an output list?

Longer term we'd be looking for a bit more intelligence i.e. checking whether it's already on the list, removing after a period of time (say 7 days), but initially it would just be a simple "if source IP triggers threat 3 times in 3 hours trigger (PowerShell) script to poke address into custom blocklist" type scenario

lmori · ‎11-07-2016

Hi @apackard,

MineMeld has a REST API you can use to add indicators to lists. You could use that to push block-ips.

Is there a public documentation of your log solution I could use to check their integration capabilities ?

Thanks,

luigi

nbilal · ‎11-08-2016

Hey @lmori,

Do you have documentation anywhere for using the Minemeld API? I have been hunting live and the github wiki to no avail. (Nice docs btw!) Sorry if you've already posted this somewhere.

I'm trying to help my customer automate some integration between ServiceNow and PAN for their approval process for whitelisting domains and IPs, and it would be great to use Minemeld EDLs/DAGs to eliminate the need to commit.

I currently have a python script that goes and manually updates the indicator YML files via paramiko, but I'd prefer to use the API.

Thanks again for the great tool and looking forward to continued improvement.

-Nasir

lmori · ‎11-08-2016

This is the basic way to add an indicator to a list.

Scenario: you have a Miner of type stdlib.listIPv4 with name my_ipv4_list

To add 1.1.1.2 to the list of indicators:

curl -XPOST  -H "Content-Type: application/json" -u <username>:<password> https://<minemeld>/config/data/my_ipv4_list_indicators/append?h=my_ipv4_list -d '{
    "indicator": "1.1.1.2",
    "type": "IPv4",
    "share_level": "red",
    "comment": "Test"
}'

(do not forget the Content-Type header)

nbilal · ‎11-09-2016

Thanks @lmori, this is gold! How about to remove an indicator?

Would I just replace the "append" keyword with another method? I've tried "delete", "del", "remove", "rem", "erase", "strip", and other similar verbs to no avail. It'd be awesome if we could put together a real simple document outlining use of the API.

BTW here's a working sample of Python code we're building into our API integration for adding indicators. It'll be very handy if we can get a list of supported actions with their syntax so that we can modify and remove indicators as well.

import pycurl, json

def add_indicator_api(**kwargs):
url = "https://{hostname}:{port}/config/data/{miner}_indicators/append?h={miner}".format(**kwargs)
payload = json.dumps({"indicator": "{indicator}".format(**kwargs), "share_level": "green", "comment": "{comment}".format(**kwargs)})
curl = pycurl.Curl()
curl.setopt(pycurl.SSL_VERIFYHOST, 0)
curl.setopt(pycurl.SSL_VERIFYPEER, 0)
curl.setopt(pycurl.URL, url)
curl.setopt(pycurl.POST, 1)
curl.setopt(pycurl.HTTPHEADER, ['Content-Type: application/json'])
curl.setopt(pycurl.HTTPAUTH, pycurl.HTTPAUTH_BASIC)
curl.setopt(pycurl.USERPWD, "{username}:{password}".format(**kwargs))
curl.setopt(pycurl.POSTFIELDS, payload)
curl.perform()
curl.close()

Update List Using REST \ similar

Update List Using REST \ similar

Show your appreciation!