Minemeld Threat Intel Integration to Sentinel
Is it possible to remove the "IPv4" bit when you ingest the data through the Graph API? I assume you are using some kind of scripts? I think it will be the easiest to remove it that way.
Security Graph supports the following TI types:
- File
- Network (IP address, CIDR block, URL)
More information can be found here.
- GabrielNecula, Apr 13, 2020, Copper Contributor
The data is getting to the Graph via a MineMeld extension provided by them here: https://github.com/PaloAltoNetworks/minemeld-msgraph-secapi.git
The how to can be found here https://live.paloaltonetworks.com/t5/MineMeld-Articles/Send-IOCs-to-Microsoft-Graph-API-With-MineMeld/ta-p/258540
You are saying to remove the IPv4 bit after ingestion by the Graph?
Also that would only be part of the problem. There is still the IP range that is problematic to interpret in KQL.
- pavankemi, May 18, 2020, Brass Contributor
- GabrielNecula, May 19, 2020, Copper Contributor
pavankemi nope, will likely be done at query time in Sentinel. Please let me know if you find any other workarounds.
I've checked the Python code and it seems like it SHOULD provide single IPs, not ranges. No idea how to solve this.
- Thijs Lecomte, Apr 14, 2020, Bronze Contributor
I was thinking about changing the sync script (used by the MineMeld extension; this is an MS Graph script) so that the IPv4 bit can be removed.
You have two options:
- Create a custom ingestion script which removes the IPv4 bit and calculates the ranges
- Keep adapting your query
- pavankemi, May 15, 2020, Brass Contributor
By any chance, is there any solution for this? I just integrated MineMeld with Azure Sentinel and see a similar issue of getting a range of IP addresses, which will not help us identify from which single IP the actual threat came.
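The normalization that Thijs Lecomte's first option describes (strip the "IPv4" tag and work out the ranges) together with the range lookup that pavankemi and GabrielNecula need at query time, as an added example; this is not code from the thread, from MineMeld, or from the minemeld-msgraph-secapi extension. It assumes raw values look like "IPv4 203.0.113.5", "IPv4:198.51.100.0/24" or a start-end range (the sample values are constructed), and that the Graph tiIndicator fields are named networkIPv4 and networkCidrBlock, as in the beta tiIndicator documentation; check the field names against the current docs before sending anything.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample values; real MineMeld output may be formatted differently.
SAMPLE_INDICATORS = [
    "IPv4 203.0.113.5",
    "IPv4:198.51.100.0/24",
    "192.0.2.10-192.0.2.20",
    "IPv4 203.0.113.9/32",
]

# Leading "IPv4" type tag followed by a colon or whitespace separator.
_TYPE_PREFIX = re.compile(r"^\s*ipv4\s*[:\s]\s*", re.IGNORECASE)


def strip_type_prefix(raw: str) -> str:
    """Remove a leading 'IPv4' tag ('IPv4 x' or 'IPv4:x'); other input is returned unchanged."""
    return _TYPE_PREFIX.sub("", raw).strip()


def to_networks(value: str) -> List[ipaddress.IPv4Network]:
    """Turn a single IP, a CIDR block, or a 'start-end' range into IPv4Network objects.

    A start-end range that is not CIDR-aligned becomes several blocks, which is what
    the Graph API can actually express (one networkCidrBlock per indicator).
    """
    if "-" in value:
        start_s, end_s = value.split("-", 1)
        start = ipaddress.IPv4Address(start_s.strip())
        end = ipaddress.IPv4Address(end_s.strip())
        if end < start:
            raise ValueError(f"range end before start: {value}")
        return list(ipaddress.summarize_address_range(start, end))
    # strict=False accepts host bits set, e.g. "203.0.113.9/32" or a bare address
    return [ipaddress.IPv4Network(value, strict=False)]


def normalize_indicator(raw: str) -> List[Dict[str, str]]:
    """Map one raw value to Graph tiIndicator network fields.

    Field names networkIPv4 / networkCidrBlock are an assumption taken from the
    beta tiIndicator resource; a /32 is sent as a single address, everything else as CIDR.
    """
    out: List[Dict[str, str]] = []
    for net in to_networks(strip_type_prefix(raw)):
        if net.prefixlen == 32:
            out.append({"networkIPv4": str(net.network_address)})
        else:
            out.append({"networkCidrBlock": str(net)})
    return out


def normalize_all(raws: List[str]) -> List[Dict[str, str]]:
    """Normalize a whole batch; one raw range may expand to several entries."""
    return [entry for raw in raws for entry in normalize_indicator(raw)]


def find_matches(ip: str, indicators: List[Dict[str, str]]) -> List[str]:
    """Return the indicator values (single IP or CIDR) that contain ip.

    This is the comparison Sentinel has to make at query time when an indicator
    is a block rather than a single address (KQL has ipv4_is_in_range() for it).
    """
    addr = ipaddress.IPv4Address(ip)
    hits = []
    for ind in indicators:
        value = ind.get("networkIPv4") or ind["networkCidrBlock"]
        if addr in ipaddress.IPv4Network(value):
            hits.append(value)
    return hits


if __name__ == "__main__":
    normalized = normalize_all(SAMPLE_INDICATORS)
    for entry in normalized:
        print(entry)
    for probe in ("192.0.2.17", "198.51.100.77", "203.0.113.5", "10.0.0.1"):
        print(probe, "->", find_matches(probe, normalized))
```

Expanding a start-end range into CIDR blocks is the part MineMeld cannot do for you in the Sentinel query: once the indicator lands in ThreatIntelligenceIndicator as a block, the query has to use a range test rather than an equality join on the address, and the matched value still only tells you which block the hit fell into, not which single source address was originally reported.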