About Eddie_Brown

Thank you very much! It worked! ... View more

Hello I am attempting to create a miner using a paid threat intelligence providers API. The data deleivered is in a text format however the URL doesn't end in .txt. The URL does require basic authentication to view the data. I have built my new prototype based off the dsheild.block prototype.  I have some questions regarding the authentication and the indicators and transform settings. The API URL contains data in the below format with no headers above. just a giant list of text delimited with spaces and seperated into individual lines: 5.188.10.3 #Protection IP List: "hardcoded C2 for malicious downloader" Added 2018-03-14T22:49:12Z (59.939,30.3158) RU St Petersburg, Russia Question 1: Is the basic authentication peice something I add into the prototype? Question 2: I removed the following portions of the original dsheild.block  fields  I modified the indicator portion to only look for one IP address:  regex: ^([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) I modified the tranform to only list 1 value  transform: \1 Does this look correct considering my data format? Question 3: Their API does support a basic auth directly in the URL example: https://<api_username>:<api_password>@someurl.com/pan. I don't want to have my username and password in plain text within the prototype, how do I get around this?]   On a side note I have saveds this prototype and added the node. However, none of my indicators are being pulled. I'm sure I have screwed it up somewhere.   If you need any other information please let me know.   Thanks, Eddie ... View more

I ran a grep on my Ubuntu server with the username authorized for my authfeed and came up dry. I was able to see the successful authentication requests when I ran a tail follow yes mp-log ms.log and then importing the EDL shows me where it fails or succeeds. In addition, running the request system external-list show type url name URL_HighConfRed show how much of the output feed you are getting and says a yes or no for a few verification fields.   Something that is partcially related that has become a recent issue is trying to deploy the EDL's via Panorama. If I want to have the extra level of security with my EDLs using a certificate profile and authentication it doesn't seem possible from a Panorama perspective as the certificate profile doesn't cross over to the device group plane. Essentially, if I want to add my EDLs as a "shared" object I am unable to do so with a certificate profile present. As the certificate profile doesn't cross over at the "shared" level. Rather it is specific to the devices that are in the template stack where the profile exists. The only configuration this would work is if all of my devices were in one device group. This doesn't make much sence as each device has specific policies unique to itself. Not sure how to get around this as Palo Alto support didn't have a solution for me either. @lmori When you are deploying MineMeld EDLs into a Panorama configuration. Are you doing it without Authentication feeds being enabled? Or do you have one level of template where all of your devices live that matches up with the device group? ... View more

You sir are a scolar and a gentleman. Now to try it with the authfeeds enabled. ... View more

sorry I should've done some more digging. I found this article: https://live.paloaltonetworks.com/t5/MineMeld-Discussions/New-minemeld-deploy-unable-to-login-to-GUI/m-p/211171#M2095 It fixed the issue. ... View more