Forum Discussion

Copper Contributor

Apr 10, 2020

Minemeld Threat Intel Integration to Sentinel

Hello guys, I have deployed a Minemeld server in Azure, I'm pulling free threat intel in there. Processing it, then using the Microsoft Security Graph extension to forward it to Microsoft. Turned...

GabrielNecula

Copper Contributor

Apr 13, 2020

Thijs Lecomte

The data is getting to the Graph via an Mimemeld extension provided by them here https://github.com/PaloAltoNetworks/minemeld-msgraph-secapi.git

The how to can be found here https://live.paloaltonetworks.com/t5/MineMeld-Articles/Send-IOCs-to-Microsoft-Graph-API-With-MineMeld/ta-p/258540

You are saying to remove the IPv4 bit after ingestion by the Graph?

Also that would only be part of the problem. There is still the IP range that is problematic to interpret in KQL.

Thijs Lecomte

Bronze Contributor

Apr 13, 2020

I was thinking about changing the sync script (used by the Mimemeld extension, this is an MS Graph script) so that the IPv4 bit can be removed.

You have two options:
- Create a custom ingestion script which removes the IPv4 bit and calculates the ranges
- Keep adapting your query

pavankemi
Brass Contributor
May 15, 2020
Thijs Lecomte

By any chance is there any solution for this. I just integrated Minemeld with Azure Sentinel and see the similar issue of getting range of IP address which will not help us to identify from which single IP the actual threat is
- Thijs Lecomte
  Bronze Contributor
  May 17, 2020
  There haven't been any developments for this. Have you check the mimemeld side of things?
  - pavankemi
    Brass Contributor
    May 17, 2020
    Yup. No luck. Could not find anything related to the IP range