- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- CN-Series
- VM-Series:
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
Security Operations
- Resources
- COVID-19 Response Center
Minemeld Regex
- LIVEcommunity
- Collaboration
- Tools
- MineMeld
- MineMeld Discussions
- Minemeld Regex
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
07-05-2017 11:16 AM
I want to only use the url portion of this feed ignoring the protocol portion http://
https://ransomwaretracker.abuse.ch/downloads/LY_DS_URLBL.txt
My regex is below:
regex: ^(http:\/\/)(.*)
transform: \2
This works fine outside Minemeld as python regex. However, Minemeld uses the full match which includes the protocol portion not just group 2 of the match in my aggregated feed.
Accepted Solutions
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
07-07-2017 02:10 AM
Hi @bokeke,
you should do something like this (tested):
age_out:
default: null
sudden_death: true
attributes:
confidence: 100
share_level: green
type: URL
ignore_regex: ^#
indicator:
regex: ^(http[s]*:\/\/)(.*)
transform: \2
interval: 300
source_name: ransomwaretracker.LY_DS_URLBL
url: https://ransomwaretracker.abuse.ch/downloads/LY_DS_URLBL.txt
Please note that if you are intersted in removing protocols from the output feed, you can also use the "v=panosurl" URL parameter to do that.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
07-07-2017 02:10 AM
Hi @bokeke,
you should do something like this (tested):
age_out:
default: null
sudden_death: true
attributes:
confidence: 100
share_level: green
type: URL
ignore_regex: ^#
indicator:
regex: ^(http[s]*:\/\/)(.*)
transform: \2
interval: 300
source_name: ransomwaretracker.LY_DS_URLBL
url: https://ransomwaretracker.abuse.ch/downloads/LY_DS_URLBL.txt
Please note that if you are intersted in removing protocols from the output feed, you can also use the "v=panosurl" URL parameter to do that.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
07-07-2017 09:44 AM
Thanks imori Your regex under indicator works.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
07-11-2019 12:15 PM - edited 07-11-2019 12:15 PM
@lmori Has anyone got this working for a taxii client feed instead of a csv file feed?
- Unable to integrate AutoFocus Custom Feed with Output Method URL to MineMeld. in MineMeld Discussions
- Query on MineMeld setup for Azure Sentinel in MineMeld Discussions
- Split Minemeld Feed in MineMeld Discussions
- New install of Minemeld: Timeout errors in MineMeld Discussions
- MineMeld on outdated jQuery libs in MineMeld Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
