This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Zscaler and Minemeld

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Zscaler and Minemeld

Go to solution
lvmh_onenetwork
L1 Bithead

‎05-04-2018 10:39 AM

Hello,

 

I'm using Minemeld 0.9.44 and I would to get 'range' from the URL https://ips.zscaler.net/cenr/json.

After several attempts with JSON prototype, trying to set different extractor, field (indicator set as range).

 

I'm still not able to get any information.

 

Could you please let me know what is the best what to extract 'range'? 

 

Thank you
Regards

 

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
xhoms
L5 Sessionator

‎05-09-2018 11:18 PM - edited ‎05-09-2018 11:22 PM

Hi @lvmh_onenetwork,

 

the following SimpleJSON based prototype works for me

 

age_out:
    default: null
    interval: 257
    sudden_death: true
attributes:
    confidence: 100
    share_level: green
    type: IPv4
extractor: '"zscaler.net".*.*[][]'
indicator: range
prefix: zs
source_name: zscaler
url: https://ips.zscaler.net/cenr/json

 

 

 

 

View solution in original post

0 Likes Likes
4 REPLIES 4

Go to solution
xhoms
L5 Sessionator

‎05-09-2018 11:18 PM - edited ‎05-09-2018 11:22 PM

Hi @lvmh_onenetwork,

 

the following SimpleJSON based prototype works for me

 

age_out:
    default: null
    interval: 257
    sudden_death: true
attributes:
    confidence: 100
    share_level: green
    type: IPv4
extractor: '"zscaler.net".*.*[][]'
indicator: range
prefix: zs
source_name: zscaler
url: https://ips.zscaler.net/cenr/json

 

 

 

 

0 Likes Likes

Go to solution
lvmh_onenetwork
L1 Bithead
In response to xhoms

‎05-10-2018 12:45 PM

Hello @xhoms

 

it works perfectly, but i'm not sure to understand the 

'"zscaler.net".*.*[][]'

 

how does it works? 

 

Regards 

0 Likes Likes

Go to solution
xhoms
L5 Sessionator
In response to lvmh_onenetwork

‎05-10-2018 02:29 PM

@lvmh_onenetwork,

 

are you familiar with JMESPath expressions? Do you know the site http://jmespath.org/ ?

 

I highly recommend you to paste the JSON code from the ZSCALER URL into the JMESPath interactive test site to play with different expressions.

 

But, basically,

  • "zscaler.net" selects the root object
  • .* selects any object inside "zscaler.net" ("continent : Europe", "continent : US & Canada", ...)
  • .* selects any object insite the continents ("city : Amsterdam", "city : Brussels", ...)

If you play in the interactive site you'll realize that "zscaler.net".*.* produces an array of continents containing each one of them an array of rages for each city.

  • [] is a flatten projection that removes the "city" dimension to achieve all ranges to be direct elements inside each "contient"
  • the second [] flatten projection removes the "continent" dimension to achieve all ranges being direct elements of the top array.

The result is an array of ranges whose elements can be yielded into the MineMeld engine.

0 Likes Likes

Go to solution
lvmh_onenetwork
L1 Bithead
In response to xhoms

‎05-10-2018 11:32 PM

Thank you for the detail.  I will study that.

 

Regards

0 Likes Likes
  • 1 accepted solution
  • 6503 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks