Forum Discussion
GabrielNecula
Apr 10, 2020 Copper Contributor
Minemeld Threat Intel Integration to Sentinel
Hello guys,
I have deployed a Minemeld server in Azure and I'm pulling free threat intel into it, processing it, then using the Microsoft Security Graph extension to forward it to Microsoft. I turned the Threat Intel connector on and now I have the threat intel in the Log Analytics workspace.
There are two issues I have, in order:
1. Currently, with threat intel of type IP, I get the IP in a field called ExternalIndicatorID. A sample value for this is: IPv4:36.119.0.0-36.119.255.255 . As you can see, we have "IPv4:" and then a range of IPs follows. The problem is that this is very impractical to use from an analytics point of view. I have to write the query in such a way that it ignores the "IPv4:" and is then also able to interpret the range. This is impractical, and the preview Threat Intel rules offered by Microsoft do not use that field. They instead use NetworkIP, NetworkDestinationIP, NetworkSourceIP ... whichever of the three they find with a value. For me, however, those values are empty.
Apparently this is something that must be changed with the Minemeld processor so that it does not merge IPs and generate ranges. I have not found a way to do that.
Has anyone managed to do that, or found any other workaround, to be able to consume Minemeld IP threat intel in Sentinel?
2. The second thing, and I'm not completely sure here as no. 1 was a much bigger priority: is the Microsoft Security Graph extension for Minemeld only able to consume URLs, domains and IPs? No emails, hashes, etc.?
I have also asked on Palo Alto's board; however, I'm really curious and could use a hand from someone who has already managed to do this.
Thank you!
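Added worked example (not from any post in this thread): a KQL query that handles problem 1 on the query side. It strips the "IPv4:" prefix from ExternalIndicatorId, splits the start-end range, converts the range to CIDR blocks with ipv4_range_to_cidr_list(), and then joins a sample event table against those blocks with ipv4_lookup(). Assumptions: the current Sentinel ThreatIntelligenceIndicator schema (ExternalIndicatorId, NetworkIP, NetworkSourceIP, NetworkDestinationIP, Active, ExpirationDateTime, ConfidenceScore, Description), and a Log Analytics version that has ipv4_range_to_cidr_list(), which was added after this thread was written. The Events table and its SrcIp and Action columns are constructed stand-ins for whatever log you are matching, and the sample rows are made up.

```kusto
// Added example, not from the original posts. Normalise MineMeld range indicators
// ("IPv4:36.119.0.0-36.119.255.255") into CIDR blocks and match events against them.
// Assumes the Sentinel ThreatIntelligenceIndicator schema; Events/SrcIp/Action are
// hypothetical stand-ins for a real log table such as CommonSecurityLog.
let IndicatorCidrs =
    ThreatIntelligenceIndicator
    | where TimeGenerated > ago(14d)
    | where Active == true and ExpirationDateTime > now()
    // Only the rows where the IP lives solely in ExternalIndicatorId
    // (the NetworkIP/NetworkSourceIP/NetworkDestinationIP columns are empty).
    | where isempty(NetworkIP) and isempty(NetworkSourceIP) and isempty(NetworkDestinationIP)
    | where ExternalIndicatorId startswith "IPv4:"
    // Drop the 5-character "IPv4:" prefix and split "start-end".
    // A single-address indicator ("IPv4:1.2.3.4") has no "-", so start == end.
    | extend Parts = split(substring(ExternalIndicatorId, 5), "-")
    | extend RangeStart = tostring(Parts[0]),
             RangeEnd   = tostring(iff(array_length(Parts) > 1, Parts[1], Parts[0]))
    // Keep only well-formed IPv4 endpoints; parse_ipv4() returns null for garbage.
    | where isnotnull(parse_ipv4(RangeStart)) and isnotnull(parse_ipv4(RangeEnd))
    // A start-end range becomes one or more CIDR blocks; emit one row per block.
    | extend Cidr = ipv4_range_to_cidr_list(RangeStart, RangeEnd)
    | mv-expand Cidr to typeof(string)
    // Deduplicate blocks, keeping the most recently ingested indicator for each.
    | summarize arg_max(TimeGenerated, ExternalIndicatorId, ConfidenceScore, Description) by Cidr
    | project Cidr, ExternalIndicatorId, ConfidenceScore, Description;
// Constructed sample events (made up for this example).
let Events = datatable(TimeGenerated:datetime, SrcIp:string, Action:string)
[
    datetime(2020-04-10T10:00:00Z), "36.119.12.34", "allow",   // inside 36.119.0.0/16
    datetime(2020-04-10T10:01:00Z), "36.120.0.1",   "allow",   // just outside the range
    datetime(2020-04-10T10:02:00Z), "10.0.0.5",     "allow"    // private, not an indicator
];
// ipv4_lookup() matches SrcIp against the Cidr column; unmatched events are dropped,
// so for the sample above only the 36.119.12.34 row comes back.
Events
| evaluate ipv4_lookup(IndicatorCidrs, SrcIp, Cidr, return_unmatched = false)
| project TimeGenerated, SrcIp, Action, MatchedCidr = Cidr, ExternalIndicatorId, ConfidenceScore, Description
```

This is a query-side workaround only: MineMeld will still aggregate neighbouring IPs into ranges before they reach the Graph, so the built-in Threat Intel analytic rules, which read NetworkIP and friends, still see nothing. If your Log Analytics version lacks ipv4_range_to_cidr_list(), the same match can be done with ipv4_compare(SrcIp, RangeStart) >= 0 and ipv4_compare(SrcIp, RangeEnd) <= 0 after a cross join on a dummy key, at the cost of a much larger intermediate result.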
- honey4sec Copper Contributor
GabrielNecula Here is another trick
// A datatable or watchlist can be used here; in this example I use a static datatable.
// Each row is a CIDR block plus a label; ipv4_lookup joins rows whose IP falls in a block.
let IPLookup = datatable(cidr:string, cidr_name:string)
[
"16.168.0.0/16", "cidr_name_1",
"16.167.0.0/16", "cidr_name_2"
];
// TABLEwithIP stands for any table with an IP column (from_address_s here);
// return_unmatched = false drops rows that match no block.
TABLEwithIP
| evaluate ipv4_lookup(IPLookup, from_address_s, cidr, return_unmatched = false)
- Thijs Lecomte Bronze Contributor
Is it possible to remove the "IPv4" bit when you ingest the data through the Graph API? I assume you are using some kind of script? I think it will be easiest to remove it that way.
Security Graph supports the following TI types:
- Email
- File
- Network (IP address, CIDR block, URL)
More information can be found here.
- GabrielNecula Copper Contributor
The data is getting to the Graph via a MineMeld extension provided by them here: https://github.com/PaloAltoNetworks/minemeld-msgraph-secapi.git
The how-to can be found here: https://live.paloaltonetworks.com/t5/MineMeld-Articles/Send-IOCs-to-Microsoft-Graph-API-With-MineMeld/ta-p/258540
You are saying to remove the IPv4 bit after ingestion by the Graph?
Also, that would only be part of the problem. There is still the IP range, which is problematic to interpret in KQL.
- pavankemi Brass Contributor