This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Who rated this post

aleksandar.astardzhiev
Cyber Elite
Cyber Elite

‎05-28-2022 07:34 AM

Hi @porq91 ,

 

To achieve what you want you need localdb prototype. The only "guide" I am aware of is from the following link - https://live.paloaltonetworks.com/t5/general-articles/using-minemeld-as-an-incident-response-platfor...

Note that there was a bug that localdb was able to hold only single indicator and any new will replace the existing. This bug was fixed in some later version. So you definately need to run the latest version of MineMeld. Since no one from open communitity is picking up the project I believe last version is 0.9.70 and you should be fine with it.

 

Below are summarized steps that I writed down for myself, but if you need more detailed explanation check the link above

 

LocalDB miner

  • Purpose: Miner using prototype localDB allow to import indicators that are stored locally on the MineMeld. Those indicators are than parsed in format suitable for PAN FW EDL consumption
  • Steps to create:
    1. Find build-in prototype "stdlib.localDB" and  create new copy

Astardzhiev_0-1653748300820.png

 

 

  1. Since this prototype is in experimental state, we need to edit the shared level, so we can use standard output node to consume the indicators. Note here we can modify the default age_out value. Unfortunately, currently there is a bug for this typo (if age_out is modified when adding new indicator all current are removed)

Astardzhiev_1-1653748300823.png

 

 

  1. Using the new prototype create miner node

Astardzhiev_2-1653748300825.png

 

 

Astardzhiev_3-1653748300830.png

 

 

  1. Create output node using standard prototype and select as input the localdb node created earlier and commit the changes

Astardzhiev_4-1653748300835.png

 

 

  1. To add indicator to the list you need to send POST request with following details:
    1. URL: https://my-minemeld.local/config/data/XXXXXXXX-bad-domain_indicators/append?h=XXXXXXXX-bad-domain&t=localdb (highlighted string needs to correspond the miner node name you created above)
    2. Credentials: MineMeld admin account credentials are required (currently MineMeld doesn't support RBAC)
    3. Data must be in JSON format (send header Content-Type: application/json) as follow:

{

"indicator": "bad.example.com",

"type": "domain",

"comment": "Phishing domain",            

"share_level": "green",

"confidence": 100,

"ttl": "disable"                        

}

 

Indicator - contain the suspicious domain

Type - must be set to domain (other options are IPv4, URL, hash)

Comment - Optional, but good practice to keep track for the reason why this domain was added

Share_level, Confidence - Optional, used for filtering internally in MineMeld

TTL - this set the age out period for the indicator, it must be set to disable in order to keep the indicator forever (due to the bug we cannot set age out disabled by default, so it must be set for each indicator). If ttl is set to 0 indicator will be removed from the local db and EDL respectfully

View solution in original post

(1)
Who rated this post
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks