I am trying to create an IPv4 indicator list based on PAN-OS threat logs.
Below is the rule code attached to the syslogminer class stdlib.syslogMiner.
RULE:

age_out:
  default: last_seen+30d
  interval: 1800
  sudden_death: false
attributes:
  confidence: 50
  type: IPv4
conditions:
  - type == 'THREAT'
config:
  share_level: green
fields: null
indicators:
  - src_ip
Unfortunately all the IP addresses are withdrawn.
15/2/2017 08:07:04 -0500 ThreatFeedMCGreen ACCEPT_WITHDRAW 192.168.1.61-192.168.1.61 confidence: 50 sources: ["panos.syslog"] first_seen: 1487158094651 panossyslog_devices: ["001606041772"] type: IPv4 last_seen: 1487160033901 source_node: inboundaggregator
15/2/2017 08:07:04 -0500 ThreatFeedMCGreen RECVD_WITHDRAW 192.168.1.61-192.168.1.61 confidence: 50 sources: ["panos.syslog"] first_seen: 1487158094651 panossyslog_devices: ["001606041772"] type: IPv4 last_seen: 1487160033901 source_node: inboundaggregator
15/2/2017 08:07:04 -0500 ThreatFeedMCRedWithValue ACCEPT_WITHDRAW 192.168.1.61-192.168.1.61 confidence: 50 sources: ["panos.syslog"] first_seen: 1487158094651 panossyslog_devices: ["001606041772"] type: IPv4 last_seen: 1487160033901 source_node: inboundaggregator
15/2/2017 08:07:04 -0500 ThreatFeedMCRedWithValue RECVD_WITHDRAW 192.168.1.61-192.168.1.61 confidence: 50 sources: ["panos.syslog"] first_seen: 1487158094651 panossyslog_devices: ["001606041772"] type: IPv4 last_seen: 1487160033901 source_node: inboundaggregator
15/2/2017 08:07:04 -0500 inboundaggregator EMIT_WITHDRAW 192.168.1.61-192.168.1.61 _updated: 1487160033902 confidence: 50 panossyslog_devices: ["001606041772"] _added: 1487158094654 sources: ["panos.syslog"] first_seen: 1487158094651 _id: 35c6d7da-0715-42db-8b7a-b873cbb07ff2 type: IPv4 last_seen: 1487160033901
15/2/2017 08:07:04 -0500 inboundaggregator ACCEPT_WITHDRAW 192.168.1.61 confidence: 50 sources: ["panos.syslog"] first_seen: 1487158094651 panossyslog_devices: ["001606041772"] type: IPv4 last_seen: 1487160033901 source_node: panos-syslog-miner
15/2/2017 08:07:04 -0500 inboundaggregator RECVD_WITHDRAW 192.168.1.61 confidence: 50 sources: ["panos.syslog"] first_seen: 1487158094651 panossyslog_devices: ["001606041772"] type: IPv4 last_seen: 1487160033901 source_node: panos-syslog-miner
15/2/2017 08:07:04 -0500 panos-syslog-miner EMIT_WITHDRAW 192.168.1.61 _age_out: 1487163633901 confidence: 50 sources: ["panos.syslog"] first_seen: 1487158094651 panossyslog_devices: ["001606041772"] type: IPv4 last_seen: 1487160033901
15/2/2017 07:58:52 -0500 ThreatFeedMCRedWithValue DROP_UPDATE 213.211.198.62-213.211.198.62 confidence: 50 sources: ["panos.syslog"] first_seen: 1487159482831 panossyslog_devices: ["001606041772"] type: IPv4 last_seen: 1487163532361 source_node: inboundaggregator
15/2/2017 07:58:52 -0500 ThreatFeedMCRedWithValue RECVD_UPDATE 213.211.198.62-213.211.198.62 confidence: 50 sources: ["panos.syslog"] first_seen: 1487159482831 panossyslog_devices: ["001606041772"] type: I
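Added example, not part of the original post and not MineMeld's own code: a small Python checker that parses log lines in the shape quoted above, reads the `_age_out` field the miner stamps on each WITHDRAW and compares it with what the configured `age_out.default` expression (`last_seen+30d` in the rule above) would give. Run over the post's own `panos-syslog-miner EMIT_WITHDRAW` line, it reports that `_age_out` is `last_seen` plus 3,600,000 ms (one hour) rather than 30 days, and that the withdraw was logged after that instant, which is the first thing to verify when indicators disappear earlier than the rule seems to allow. The line regex, the function names (`parse_line`, `check_age_out`, `audit`) and the sample lines are constructed here as assumptions about the log format, using the values from the post.

```python
import re
from datetime import datetime

# Constructed sample input: three lines copied in the shape of the MineMeld log
# output quoted in the post (values are the post's own; the list is trimmed).
SAMPLE_LOG = """\
15/2/2017 08:07:04 -0500 inboundaggregator EMIT_WITHDRAW 192.168.1.61-192.168.1.61 _updated: 1487160033902 confidence: 50 panossyslog_devices: ["001606041772"] _added: 1487158094654 sources: ["panos.syslog"] first_seen: 1487158094651 _id: 35c6d7da-0715-42db-8b7a-b873cbb07ff2 type: IPv4 last_seen: 1487160033901
15/2/2017 08:07:04 -0500 panos-syslog-miner EMIT_WITHDRAW 192.168.1.61 _age_out: 1487163633901 confidence: 50 sources: ["panos.syslog"] first_seen: 1487158094651 panossyslog_devices: ["001606041772"] type: IPv4 last_seen: 1487160033901
15/2/2017 07:58:52 -0500 ThreatFeedMCRedWithValue DROP_UPDATE 213.211.198.62-213.211.198.62 confidence: 50 sources: ["panos.syslog"] first_seen: 1487159482831 panossyslog_devices: ["001606041772"] type: IPv4 last_seen: 1487163532361 source_node: inboundaggregator
"""

# Assumed line layout: "<timestamp> <node> <EVENT> <indicator> key: value key: value ..."
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d\d:\d\d:\d\d [+-]\d{4}) '
    r'(?P<node>\S+) (?P<event>\S+) (?P<indicator>\S+) ?(?P<attrs>.*)$'
)
ATTR_RE = re.compile(r'(\w+): (\S+)')
UNIT_MS = {'s': 1_000, 'm': 60_000, 'h': 3_600_000, 'd': 86_400_000}


def parse_line(line):
    """Split one log line into timestamp, node, event, indicator and attributes."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    attrs = {}
    for key, value in ATTR_RE.findall(m.group('attrs')):
        # Epoch-millisecond fields (first_seen, last_seen, _age_out, ...) become ints
        attrs[key] = int(value) if value.isdigit() else value
    return {
        'ts': datetime.strptime(m.group('ts'), '%d/%m/%Y %H:%M:%S %z'),
        'node': m.group('node'),
        'event': m.group('event'),
        'indicator': m.group('indicator'),
        'attrs': attrs,
    }


def parse_age_out(expr):
    """Turn an age_out expression such as 'last_seen+30d' into (base field, offset in ms)."""
    m = re.fullmatch(r'(first_seen|last_seen)\+(\d+)([smhd])', expr.strip())
    if not m:
        raise ValueError(f'unsupported age_out expression: {expr!r}')
    return m.group(1), int(m.group(2)) * UNIT_MS[m.group(3)]


def check_age_out(record, configured='last_seen+30d'):
    """Compare the _age_out stamped on a record with the configured expression.

    Returns None for records that carry no _age_out (only the miner's own
    EMIT lines do in the sample); otherwise a dict describing the comparison.
    """
    attrs = record['attrs']
    if '_age_out' not in attrs:
        return None
    base, offset_ms = parse_age_out(configured)
    expected = attrs[base] + offset_ms
    actual = attrs['_age_out']
    logged_ms = int(record['ts'].timestamp() * 1000)
    return {
        'indicator': record['indicator'],
        'expected_age_out_ms': expected,
        'actual_age_out_ms': actual,
        'actual_offset_ms': actual - attrs[base],   # what the miner really applied
        'matches_config': expected == actual,
        # True when the WITHDRAW was logged at or after the _age_out instant
        'withdrawn_after_age_out': logged_ms >= actual,
    }


def audit(log_text, configured='last_seen+30d'):
    """Run check_age_out over every *_WITHDRAW line that carries an _age_out."""
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec['event'].endswith('WITHDRAW'):
            result = check_age_out(rec, configured)
            if result:
                results.append(result)
    return results


if __name__ == '__main__':
    for r in audit(SAMPLE_LOG):
        hours = r['actual_offset_ms'] / UNIT_MS['h']
        print(f"{r['indicator']}: _age_out = last_seen + {hours:g}h, "
              f"matches configured age_out: {r['matches_config']}, "
              f"withdrawn after _age_out: {r['withdrawn_after_age_out']}")
```

The check is deliberately limited to what the log carries: it does not explain why the miner applied a different offset, it only makes the mismatch between the stamped `_age_out` and the configured expression visible so the node's effective configuration can be compared with the YAML that was meant to be attached to it.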