10-12-2016 01:42 AM
Hi everyone,
I am currently working on connecting MineMeld with our SIEM solution. However, I ran into a question.
When receiving an update message, it states which sources the IOC originated from, also if there are multiple. Example (binarydefense and badips):
{"message":"{\"@indicator\":\"120.69.220.5-120.69.220.5\",\"direction\":\"inbound\",\"@origin\":\"IPv4_Aggregator\",\"type\":\"IPv4\",\"@timestamp\":\"2016-10-11T17:13:35.693563Z\",\"confidence\":50,\"share_level\":\"green\",\"sources\":[\"binarydefense.banlist\",\"badips.any_3\"],\"logstash_output_node\":\"Output-To-Logstash-5514\",\"message\":\"update\",\"@version\":1,\"first_seen\":\"2016-09-30T13:50:29.164000Z\",\"last_seen\":\"2016-09-30T13:50:34.330000Z\"}","@version":"1","@timestamp":"2016-10-11T15:13:35.693Z","host":"127.0.0.1","port":34402}
However all withdraw messages I receive do not include this field.
Question: are withdraw messages generated when the IOC is removed from ALL sources, or is a message generated for each source individually?
Regards,
Forseti
10-12-2016 02:37 AM
Hi @Forseti,
WITHDRAW messages have no body and an aggregator generates a withdraw for an indicator only when all the Miners have withdrawn the indicator.
Longer explanation:
Let's suppose you have a graph with 2 Miners M1 and M2, connected to an aggregator A, and A is connected to a single output node O. This is how WITHDRAWs work:
Hope this helps.
Luigi
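To make the semantics in the answer concrete, here is an added example that is not MineMeld's own code and was not posted in the thread: a toy aggregator that unwraps the Logstash-wrapped update record quoted in the question, tracks which Miners contribute an indicator, and emits a bodyless WITHDRAW only after the last contributing Miner withdraws it. The Aggregator class, parse_update() and demo() are hypothetical names, and SAMPLE_UPDATE is a constructed, trimmed copy of the record in the question.

```python
import json

# Constructed sample of the Logstash-wrapped MineMeld update record from the question:
# the outer "message" field is itself a JSON document carrying the indicator and its sources.
SAMPLE_UPDATE = json.dumps({
    "message": json.dumps({
        "@indicator": "120.69.220.5-120.69.220.5",
        "type": "IPv4",
        "message": "update",
        "sources": ["binarydefense.banlist", "badips.any_3"],
    }),
    "host": "127.0.0.1",
})

def parse_update(raw):
    """Unwrap the outer Logstash record and return (indicator, set of contributing sources)."""
    inner = json.loads(json.loads(raw)["message"])
    if inner.get("message") != "update":
        raise ValueError("not an update message")
    return inner["@indicator"], set(inner["sources"])

class Aggregator:
    """Toy model (hypothetical, not MineMeld code) of the behaviour described in the answer:
    an indicator stays active while at least one Miner still contributes it; a WITHDRAW,
    which has no body and hence no 'sources' list, goes out only when the last Miner withdraws."""
    def __init__(self):
        self.sources = {}   # indicator -> set of Miners currently contributing it

    def update(self, indicator, miner):
        self.sources.setdefault(indicator, set()).add(miner)
        return {"message": "update", "@indicator": indicator, "sources": sorted(self.sources[indicator])}

    def withdraw(self, indicator, miner):
        contributors = self.sources.get(indicator, set())
        contributors.discard(miner)
        if contributors:
            return None  # another Miner still lists it: nothing reaches the output node
        self.sources.pop(indicator, None)
        return {"message": "withdraw", "@indicator": indicator}

def demo():
    """Replay the answer's scenario: two Miners feed one aggregator, then withdraw in turn."""
    indicator, miners = parse_update(SAMPLE_UPDATE)
    agg = Aggregator()
    for miner in sorted(miners):
        agg.update(indicator, miner)
    first = agg.withdraw(indicator, "badips.any_3")            # still held by binarydefense
    second = agg.withdraw(indicator, "binarydefense.banlist")  # last contributor gone
    return first, second
```

Because the WITHDRAW carries no sources, a SIEM that needs per-source attribution at withdrawal time must keep its own indicator-to-sources mapping from the earlier update records.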