there are multiple explanations for this discrepancy, but the most important is that we enforce privacy on WildFire samples. Sample reports by default are visible only to the customers who submitted those samples. If you search on AutoFocus, the same hashes will appear with some dots in the middle. These hashes are samples that the customer cannot see because they belong to other customers. IOCs from those files won't be published by MineMeld.
Being able to extract indicators from AutoFocus searches is one of the few features not available in the MineMeld Community edition. Only the AutoFocus hosted MineMeld instance includes a miner capable of it.
That said, there is a special miner named "JSONSeq" that allows a MineMeld-to-MineMeld kind of connection. Using this miner you can "pipe" all indicators from the hosted MineMeld instance to your on-premises MineMeld one.
The following is a step-by-step guide on how to achieve this.
Step 1: Route your AF samples indicators to a feed output node
The following screen capture shows a graph in an AutoFocus MineMeld instance routing samples searches to a feed output node.
Click on the output node to confirm the number of indicators and other details for the feed.
Note that, by default, all AutoFocus hosted feeds are authenticated (in this case with the tags "active_campaigns" and "test_tag"). This means that you'll need the corresponding user and password for the on-premises MineMeld instance to be able to import indicators from this feed.
Copy the URL of the feed. You'll need it in the next step.
Step 2: Create a new JSONSeq miner prototype
Look in your on-premises MineMeld instance for the JSONSeq standard prototype.
Click on it and create a new prototype from this base.
Use, in the new prototype, the URL you captured in step 1.
Now locate this recently created prototype and clone it to a working node.
Now commit the configuration and navigate to the "Nodes" tab to see that there is an error in the miner.
As said before, AF hosted feeds are, by default, protected with basic authentication. You must provide a valid username and password to the miner so it can successfully grab the indicators. Once you do so, you'll see how the indicators are imported by the on-premises MineMeld instance.
Click on any node's log entry to confirm not only the indicators but the full context is being extracted.
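As an added example (not code from this post or from MineMeld), the following Python script consumes a feed the way the on-premises JSONSeq miner does, so you can check offline what the hosted instance is actually handing over. It assumes the feed is served as an RFC 7464 JSON sequence and that each record has an "indicator" string plus a "value" dict carrying the context (both assumptions); the feed URL and credentials are placeholders.

```python
# Added example, not code from the post or from MineMeld. Assumes the feed is
# served as application/json-seq (RFC 7464: RS byte, JSON object, LF) and that
# each record has an "indicator" string and a "value" dict with a "type" key.
import base64
import json
import urllib.request
from collections import Counter

RS = b"\x1e"  # record separator that opens every json-seq record


def parse_json_seq(data: bytes) -> list:
    """Decode json-seq bytes into records, skipping any truncated/malformed one."""
    records = []
    for chunk in data.split(RS):
        chunk = chunk.strip()
        if not chunk:
            continue
        try:
            records.append(json.loads(chunk))
        except json.JSONDecodeError:
            continue  # an interrupted transfer must not poison the whole batch
    return records


def summarize(records: list) -> dict:
    """Count indicators per type and flag records that arrived without context."""
    by_type = Counter(r.get("value", {}).get("type", "unknown") for r in records)
    missing = sum(1 for r in records if "value" not in r)
    return {"total": len(records), "by_type": dict(by_type), "missing_context": missing}


def fetch_feed(url: str, username: str, password: str) -> bytes:
    """Fetch a basic-auth feed; a wrong password surfaces as HTTPError 401."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


# Constructed sample (placeholder values): two complete records with context,
# one without a "value" block, and one cut off mid-transfer.
SAMPLE_FEED = (
    RS + b'{"indicator": "198.51.100.7", "value": {"type": "IPv4", "confidence": 80}}\n'
    + RS + b'{"indicator": "example.invalid", "value": {"type": "domain"}}\n'
    + RS + b'{"indicator": "2001:db8::1"}\n'
    + RS + b'{"indicator": "203.0.113.9", "value": {"type": "IPv4"'
)
```

Run `summarize(parse_json_seq(fetch_feed(url, user, password)))` against the real feed; a non-zero `missing_context` means indicators are arriving without their context and the prototype or feed output node should be revisited.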