We are trying to integrate Recorded Future IP risk list with our SIEM to do correlation after that.
We have set up the miner correctly, which gives us around 50k indicators.
We then pass it to the processor stdlib.aggregatorIPv4Generic, which only processes 20k indicators.
Finally we convert it to CEF format with the output cef.testCEF, which in turn only processes around 8k indicators.
I checked the logs and some of the IPs just never seem to be grabbed by the processor, as they don't show up in its logs, but they do show up in the logs of the miner. The same thing happens when passing from the processor to CEF.
We would like to grab those 50k indicators and, once that is working, go more in depth into how we can filter the indicators that might be more interesting to us (higher confidence, etc.).
Just as an indication, this is the first time we are pulling information from this API and we currently don't have any other feeds applied on MineMeld.
What is happening and why are we receiving so few numbers? Are we doing something wrong?
We are using the latest version of MineMeld and the prototypes.
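A check that helps narrow down the question above (an added example, not part of the post or of MineMeld): take the indicators logged by one stage and by the next, and separate the ones that vanished from the ones that merely appear downstream inside an aggregated range. The sample indicator lists and the single-IP / CIDR / `a-b` range notations are constructed assumptions; MineMeld's real log lines would need to be parsed into the same lists first.

```python
import ipaddress

# Constructed sample: indicators as they appear in the upstream (miner) stage log.
MINER_INDICATORS = [
    "198.51.100.1", "198.51.100.2", "198.51.100.3",
    "203.0.113.7", "192.0.2.200",
]
# Constructed sample: indicators as they appear in the downstream stage log.
# A downstream stage may emit ranges instead of single addresses.
DOWNSTREAM_INDICATORS = ["198.51.100.1-198.51.100.3", "203.0.113.7"]


def parse_indicator(text):
    """Return (first, last) IPv4Address for a single IP, a CIDR, or an 'a-b' range."""
    text = text.strip()
    if "-" in text:
        low, high = text.split("-", 1)
        return ipaddress.IPv4Address(low.strip()), ipaddress.IPv4Address(high.strip())
    if "/" in text:
        net = ipaddress.IPv4Network(text, strict=False)
        return net[0], net[-1]
    ip = ipaddress.IPv4Address(text)
    return ip, ip


def classify_missing(upstream, downstream):
    """Split upstream IPs absent verbatim downstream into two lists:
    'covered' (contained in a downstream range) and 'lost' (not present at all)."""
    downstream_exact = set(d.strip() for d in downstream)
    ranges = [parse_indicator(d) for d in downstream]
    covered, lost = [], []
    for indicator in upstream:
        if indicator.strip() in downstream_exact:
            continue  # emitted unchanged, nothing to report
        ip, _ = parse_indicator(indicator)
        if any(low <= ip <= high for low, high in ranges):
            covered.append(indicator)
        else:
            lost.append(indicator)
    return covered, lost


if __name__ == "__main__":
    covered, lost = classify_missing(MINER_INDICATORS, DOWNSTREAM_INDICATORS)
    print("inside a downstream range:", covered)
    print("genuinely missing downstream:", lost)
```

Run the same comparison between the processor log and the CEF output log to see which stage actually drops indicators rather than reshaping them.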