Hi everyone, I am currently working on connecting MineMeld with our SIEM solution. I however ran into a question. When receiving an update message it states which sources the IOC originated from, also if there are multiple. Example (binarydefense and badips):

{"message":"{\"@indicator\":\"120.69.220.5-120.69.220.5\",\"direction\":\"inbound\",\"@origin\":\"IPv4_Aggregator\",\"type\":\"IPv4\",\"@timestamp\":\"2016-10-11T17:13:35.693563Z\",\"confidence\":50,\"share_level\":\"green\",\"sources\":[\"binarydefense.banlist\",\"badips.any_3\"],\"logstash_output_node\":\"Output-To-Logstash-5514\",\"message\":\"update\",\"@version\":1,\"first_seen\":\"2016-09-30T13:50:29.164000Z\",\"last_seen\":\"2016-09-30T13:50:34.330000Z\"}","@version":"1","@timestamp":"2016-10-11T15:13:35.693Z","host":"127.0.0.1","port":34402}

However, all withdraw messages I receive do not include this field.

Question: are withdraw messages generated when the IOC is removed from ALL sources, or is a message generated for each source individually?

Regards,
Forseti
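An added example (not MineMeld or Logstash code, and not part of the post) showing how a SIEM-side consumer can decode the double-encoded envelope quoted above and tolerate withdraw messages that carry no "sources" field. The sample lines are constructed from the post's update message; the withdraw line's exact shape is an assumption, and the semantics of a withdraw (all sources vs. per source) are not settled by this code.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample lines modelled on the envelope quoted in the post; the
# withdraw line is an assumption (same shape, no "sources" field).
UPDATE_LINE = r'{"message":"{\"@indicator\":\"120.69.220.5-120.69.220.5\",\"direction\":\"inbound\",\"@origin\":\"IPv4_Aggregator\",\"type\":\"IPv4\",\"confidence\":50,\"share_level\":\"green\",\"sources\":[\"binarydefense.banlist\",\"badips.any_3\"],\"message\":\"update\",\"@version\":1}","@version":"1","host":"127.0.0.1","port":34402}'
WITHDRAW_LINE = r'{"message":"{\"@indicator\":\"120.69.220.5-120.69.220.5\",\"@origin\":\"IPv4_Aggregator\",\"type\":\"IPv4\",\"message\":\"withdraw\",\"@version\":1}","@version":"1","host":"127.0.0.1","port":34402}'

@dataclass
class IndicatorEvent:
    action: str                 # "update" or "withdraw"
    indicator: str              # e.g. "120.69.220.5-120.69.220.5"
    ioc_type: Optional[str]
    origin: Optional[str]
    sources: List[str] = field(default_factory=list)

def parse_minemeld_line(line: str) -> IndicatorEvent:
    """Decode one Logstash line whose 'message' field is itself JSON text."""
    envelope = json.loads(line)
    inner = envelope["message"]
    event = json.loads(inner) if isinstance(inner, str) else inner  # second layer
    action = event.get("message")
    if action not in ("update", "withdraw"):
        raise ValueError(f"unexpected MineMeld action: {action!r}")
    return IndicatorEvent(
        action=action,
        indicator=event["@indicator"],
        ioc_type=event.get("type"),
        origin=event.get("@origin"),
        # withdraws carry no 'sources' in the post, so default to an empty list
        sources=list(event.get("sources", [])),
    )

def indicator_range(indicator: str) -> Tuple[str, str]:
    """MineMeld writes IPv4 indicators as 'start-end'; return both ends."""
    start, sep, end = indicator.partition("-")
    return (start, end if sep else start)

def apply_event(state: Dict[str, List[str]], ev: IndicatorEvent) -> Dict[str, List[str]]:
    """Keep the SIEM-side view: an update replaces the source list, a withdraw
    drops the indicator entirely, since its sources are unknown on withdraw."""
    if ev.action == "update":
        state[ev.indicator] = ev.sources
    else:
        state.pop(ev.indicator, None)
    return state

if __name__ == "__main__":
    state: Dict[str, List[str]] = {}
    for line in (UPDATE_LINE, WITHDRAW_LINE):
        apply_event(state, parse_minemeld_line(line))
    print(state)
```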