Update List Using REST \ similar


Maybe a stupid question and/or I've missed the obvious...

 

One of the issues we have with our Palo firewalls is - when we deploy 'active' IPS rules (block-ip etc) the maximum length of time is 3600 seconds. 

 

We have a log solution that we use to trigger alerts if we're being probed over multiple days etc. and would like to trigger a script, rather than the current manual email, to poke the offending IP address into a block list. As we've already started using MineMeld to serve up blocklists, I was wondering if it's possible to call a RESTful API - or similar - to push the IP address to an output list?

 

Longer term we'd be looking for a bit more intelligence i.e. checking whether it's already on the list, removing after a period of time (say 7 days), but initially it would just be a simple "if source IP triggers threat 3 times in 3 hours trigger (PowerShell) script to poke address into custom blocklist" type scenario


Hi @apackard,

MineMeld has a REST API you can use to add indicators to lists. You could use that to push block-ips.

Is there public documentation of your log solution I could use to check its integration capabilities?

 

Thanks,

luigi

Hey @lmori,

 

Do you have documentation anywhere for using the Minemeld API? I have been hunting live and the github wiki to no avail. (Nice docs btw!) Sorry if you've already posted this somewhere.

 

I'm trying to help my customer automate some integration between ServiceNow and PAN for their approval process for whitelisting domains and IPs, and it would be great to use Minemeld EDLs/DAGs to eliminate the need to commit.

 

I currently have a python script that goes and manually updates the indicator YML files via paramiko, but I'd prefer to use the API.

 

Thanks again for the great tool and looking forward to continued improvement.

 

-Nasir

This is the basic way to add an indicator to a list.

 

Scenario: you have a Miner of type stdlib.listIPv4 with name my_ipv4_list

 

To add 1.1.1.2 to the list of indicators:

curl -XPOST  -H "Content-Type: application/json" -u <username>:<password> https://<minemeld>/config/data/my_ipv4_list_indicators/append?h=my_ipv4_list -d '{
    "indicator": "1.1.1.2",
    "type": "IPv4",
    "share_level": "red",
    "comment": "Test"
}'

(do not forget the Content-Type header)
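The following is an added example, not code from this thread or from the MineMeld project. It combines the append call shown above (same endpoint, same JSON fields, Basic auth and the Content-Type header) with the "three threat hits in three hours" trigger from the original question, using only the Python standard library. The hostname, miner name, credentials and the threat event records are constructed placeholders; the network call is kept separate from the request builder so the logic can be checked without a MineMeld instance.

```python
import base64
import json
import ssl
import urllib.request
from datetime import datetime, timedelta

# Constructed placeholders for the example; replace with your own values.
MINEMELD_HOST = "minemeld.example.invalid"
MINER_NAME = "my_ipv4_list"           # Miner of type stdlib.listIPv4, as in the post above
USERNAME = "api-user"
PASSWORD = "api-password"


def build_append_request(host, miner, indicator, username, password,
                         comment="added by automation", share_level="red",
                         indicator_type="IPv4"):
    """Build the POST that appends one indicator to <miner>'s list.

    Mirrors the curl call from the thread:
      POST https://<host>/config/data/<miner>_indicators/append?h=<miner>
      Content-Type: application/json, HTTP Basic auth.
    """
    url = f"https://{host}/config/data/{miner}_indicators/append?h={miner}"
    body = json.dumps({
        "indicator": indicator,
        "type": indicator_type,
        "share_level": share_level,
        "comment": comment,
    }).encode("utf-8")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",   # MineMeld rejects the call without it
            "Authorization": f"Basic {token}",
        },
    )


def push_indicator(request, cafile=None, timeout=10):
    """Send the request over verified TLS; pass cafile= for a private CA.

    Returns the HTTP status code. Not exercised in the offline test.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(request, context=ctx, timeout=timeout) as resp:
        return resp.status


def ips_over_threshold(events, hits=3, window=timedelta(hours=3)):
    """Return the set of source IPs with >= `hits` events inside any `window`.

    `events` is an iterable of (datetime, source_ip) pairs, e.g. threat log
    entries exported by a SIEM. A sliding window over the sorted timestamps
    per IP decides whether the trigger fires.
    """
    by_ip = {}
    for ts, ip in events:
        by_ip.setdefault(ip, []).append(ts)
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - hits + 1):
            if stamps[i + hits - 1] - stamps[i] <= window:
                flagged.add(ip)
                break
    return flagged


# Constructed sample threat events (timestamp, source IP).
SAMPLE_THREAT_EVENTS = [
    (datetime(2024, 1, 10, 9, 0), "10.0.0.5"),
    (datetime(2024, 1, 10, 9, 40), "10.0.0.5"),
    (datetime(2024, 1, 10, 11, 30), "10.0.0.5"),   # three hits in 2.5 h: fires
    (datetime(2024, 1, 8, 9, 0), "10.0.0.9"),
    (datetime(2024, 1, 9, 9, 0), "10.0.0.9"),
    (datetime(2024, 1, 10, 9, 0), "10.0.0.9"),     # three hits over two days: no
    (datetime(2024, 1, 10, 9, 0), "192.0.2.7"),
    (datetime(2024, 1, 10, 9, 5), "192.0.2.7"),    # only two hits: no
]


if __name__ == "__main__":
    for ip in sorted(ips_over_threshold(SAMPLE_THREAT_EVENTS)):
        req = build_append_request(MINEMELD_HOST, MINER_NAME, ip, USERNAME, PASSWORD,
                                   comment="3 threat hits in 3h")
        print("would POST", json.loads(req.data), "to", req.full_url)
        # push_indicator(req, cafile="/path/to/minemeld-ca.pem")  # real call
```

Unlike the curl one-liner, this keeps certificate verification on and lets you point at the CA that signed the MineMeld certificate instead of switching verification off; the same request builder can be reused once a threshold rule in the SIEM hands over the offending address.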

 

Thanks @lmori, this is gold! How about removing an indicator?

 

Would I just replace the "append" keyword with another method? I've tried "delete", "del", "remove", "rem", "erase", "strip", and other similar verbs to no avail. It'd be awesome if we could put together a real simple document outlining use of the API. 

 

BTW here's a working sample of Python code we're building into our API integration for adding indicators. It'll be very handy if we can get a list of supported actions with their syntax so that we can modify and remove indicators as well.

 

import pycurl, json

def add_indicator_api(**kwargs):
    # Expected kwargs: hostname, port, miner, indicator, comment, username, password
    url = "https://{hostname}:{port}/config/data/{miner}_indicators/append?h={miner}".format(**kwargs)
    payload = json.dumps({"indicator": "{indicator}".format(**kwargs), "share_level": "green", "comment": "{comment}".format(**kwargs)})
    curl = pycurl.Curl()
    # The next two options turn off TLS certificate verification (self-signed MineMeld cert)
    curl.setopt(pycurl.SSL_VERIFYHOST, 0)
    curl.setopt(pycurl.SSL_VERIFYPEER, 0)
    curl.setopt(pycurl.URL, url)
    curl.setopt(pycurl.POST, 1)
    curl.setopt(pycurl.HTTPHEADER, ['Content-Type: application/json'])  # required by the append endpoint
    curl.setopt(pycurl.HTTPAUTH, pycurl.HTTPAUTH_BASIC)
    curl.setopt(pycurl.USERPWD, "{username}:{password}".format(**kwargs))
    curl.setopt(pycurl.POSTFIELDS, payload)
    curl.perform()
    curl.close()
