05-28-2022 07:34 AM
Hi @porq91 ,
To achieve what you want you need the localdb prototype. The only "guide" I am aware of is from the following link - https://live.paloaltonetworks.com/t5/general-articles/using-minemeld-as-an-incident-response-platfor...
Note that there was a bug where localdb was able to hold only a single indicator, and any new one would replace the existing one. This bug was fixed in some later version, so you definitely need to run the latest version of MineMeld. Since no one from the open community is picking up the project, I believe the last version is 0.9.70 and you should be fine with it.
Below are the summarized steps that I wrote down for myself, but if you need a more detailed explanation check the link above
{
"indicator": "bad.example.com",
"type": "domain",
"comment": "Phishing domain",
"share_level": "green",
"confidence": 100,
"ttl": "disable"
}
Indicator - contains the suspicious domain
Type - must be set to domain (other options are IPv4, URL, hash)
Comment - optional, but good practice to keep track of the reason why this domain was added
Share_level, Confidence - optional, used for filtering internally in MineMeld
TTL - this sets the age-out period for the indicator; it must be set to disable in order to keep the indicator forever (due to the bug we cannot set age-out disabled by default, so it must be set for each indicator). If ttl is set to 0 the indicator will be removed from the local db and the EDL respectively
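The following is an added example, not code from the reply above or from the MineMeld project. It builds localdb entries with the fields described in the reply, rejects the values the reply says will not work (an unsupported type, a ttl other than "disable" when the indicator should be kept), and models the age-out rule offline so the effect of a forgotten ttl can be checked before anything is pushed to a real localdb. Assumptions not taken from the post: share_level accepts the TLP-style values green/amber/red (only "green" appears in the post), confidence is an integer 0-100, and a numeric ttl is a number of seconds counted from the time the indicator was added. The sample indicators are constructed for the demonstration.

```python
"""Build and sanity-check MineMeld localdb indicator entries offline.

Added example; not code from the original reply or from MineMeld itself.
"""
import json

VALID_TYPES = {"domain", "IPv4", "URL", "hash"}        # types named in the reply
VALID_SHARE_LEVELS = {"green", "amber", "red"}         # assumption: TLP-style values


def build_indicator(indicator, type_, comment="", share_level="green",
                    confidence=100, ttl="disable"):
    """Return a localdb entry dict, raising ValueError on fields that the
    reply says MineMeld will not accept or will silently age out."""
    if not isinstance(indicator, str) or not indicator:
        raise ValueError("indicator must be a non-empty string")
    if type_ not in VALID_TYPES:
        raise ValueError(f"type must be one of {sorted(VALID_TYPES)}, got {type_!r}")
    if share_level not in VALID_SHARE_LEVELS:
        raise ValueError(f"unknown share_level {share_level!r}")
    if not isinstance(confidence, int) or not 0 <= confidence <= 100:
        raise ValueError("confidence must be an integer in 0-100 (assumed range)")
    if ttl != "disable" and not (isinstance(ttl, int) and ttl >= 0):
        raise ValueError('ttl must be the string "disable" or a non-negative integer')
    return {
        "indicator": indicator,
        "type": type_,
        "comment": comment,
        "share_level": share_level,
        "confidence": confidence,
        "ttl": ttl,
    }


def is_live(entry, added_at, now):
    """Age-out rule from the reply: "disable" never expires, 0 means the
    indicator is removed, and any other ttl (assumed to be seconds) expires
    once now reaches added_at + ttl."""
    ttl = entry["ttl"]
    if ttl == "disable":
        return True
    if ttl == 0:
        return False
    return now < added_at + ttl


def edl_lines(entries, now):
    """Render the indicators still live at `now` as EDL text, one indicator
    per line. `entries` is a list of (entry, added_at) pairs in insertion
    order; a later entry for the same indicator replaces the earlier one, and
    an expired or ttl-0 entry removes it from the list."""
    live = {}
    for entry, added_at in entries:
        if is_live(entry, added_at, now):
            live[entry["indicator"]] = entry
        else:
            live.pop(entry["indicator"], None)
    return sorted(live)


if __name__ == "__main__":
    # Constructed sample batch; the second entry shows the ttl mistake the reply warns about.
    batch = [
        (build_indicator("bad.example.com", "domain", "Phishing domain"), 1000),
        (build_indicator("gone.example.net", "domain", "ttl left at 0", ttl=0), 1000),
        (build_indicator("short.example.org", "domain", "expires in 1h", ttl=3600), 1000),
    ]
    print(json.dumps([entry for entry, _ in batch], indent=2))
    print("EDL now:", edl_lines(batch, now=1000))
    print("EDL two hours later:", edl_lines(batch, now=1000 + 7200))
```

Running the script prints the three JSON bodies, then an EDL that contains bad.example.com and short.example.org at insertion time and only bad.example.com two hours later; gone.example.net never appears because its ttl is 0.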