Forum Discussion

GabrielNecula's avatar
GabrielNecula
Copper Contributor
Apr 10, 2020

Minemeld Threat Intel Integration to Sentinel

Hello guys,   I have deployed a Minemeld server in Azure, I'm pulling free threat intel in there. Processing it, then using the Microsoft Security Graph extension to forward it to Microsoft. Turned...
GabrielNecula's avatar
GabrielNecula
Copper Contributor
Apr 13, 2020

Thijs Lecomte 

 

The data is getting to the Graph via an Mimemeld extension provided by them here https://github.com/PaloAltoNetworks/minemeld-msgraph-secapi.git

 

The how to can be found here https://live.paloaltonetworks.com/t5/MineMeld-Articles/Send-IOCs-to-Microsoft-Graph-API-With-MineMeld/ta-p/258540

 

You are saying to remove the IPv4 bit after ingestion by the Graph?

Also that would only be part of the problem. There is still the IP range that is problematic to interpret in KQL.

pavankemi's avatar
pavankemi
Brass Contributor
May 18, 2020

GabrielNecula 

 

Were you able to find out any workaround or a solution to this ?

  • GabrielNecula's avatar
    GabrielNecula
    Copper Contributor
    May 19, 2020

    pavankemi nope, will likely be done at query time in Sentinel. Please let me know if you find any other workarounds.
    I've checked the python code and it seems like it SHOULD provide single ips, not ranges. No idea how to solve this.

    • GaryBushey's avatar
      GaryBushey
      Bronze Contributor
      May 19, 2020

      GabrielNecula I have a column called NetworkCidrBlock that shows me the same information in CIDR notation.  I am using the Mindmeld free stream.

      • GabrielNecula's avatar
        GabrielNecula
        Copper Contributor
        May 19, 2020

        GaryBushey 

        I know but you'd still have to parse the "/32" at query time. If it's anything other than /32, you will have to interpret that range somehow which is still hard.

Resources