PaloAltoNetworks / minemeld

Main MineMeld documentation repo

Add 'required' field to o365-api miner #26

Open ericmartin opened 5 years ago

ericmartin commented 5 years ago

It would be very helpful to have the miners be able to select o365 lists based on whether or not MS says the URL or IP addresses are required.

```json
{
    "id": 53,
    "serviceArea": "Common",
    "serviceAreaDisplayName": "Microsoft 365 Common and Office Online",
    "urls": [],
    "tcpPorts": "443",
    "expressRoute": false,
    "category": "Default",
    "required": true
}
```
jtschichold commented 5 years ago

Hi @ericmartin, the required attribute is extracted and attached as an attribute to the IPs/URLs. You can use customized filters on the Miner or on the Output node to select only required IPs/URLs. This is how an O365 indicator looks; the required attribute is extracted and placed into o365_required:

```json
{
    "indicator": "*.localytics.com",
    "value": {
        "confidence": 100,
        "o365_notes": "Portal and shared: 3rd party office integration. (including CDNs)",
        "o365_tcpPorts": "443",
        "share_level": "green",
        "sources": [
            "worldwide-exchange"
        ],
        "o365_serviceArea": "Common",
        "o365_category": "Default",
        "first_seen": 1543921101046,
        "type": "URL",
        "o365_required": false,
        "o365_expressRoute": false,
        "last_seen": 1543921101046
    }
}
```
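To make the two comments above concrete, here is an added Python example (not MineMeld's own code, and not the o365-api miner's implementation) that shows the data flow being discussed: Microsoft's endpoint records, each carrying a `required` flag, are flattened into one indicator per URL or IP with the record fields copied under an `o365_` prefix, and a filter then keeps only indicators whose `o365_required` is true. The sample endpoint records are constructed in the shape of the JSON in the first comment; the `endpoint_to_indicators`, `flatten` and `required_only` names, the `IPv4`/`IPv6` type labels and the `worldwide-exchange` source string are assumptions for this illustration.

```python
"""Illustrative flattening of Microsoft 365 endpoint records into
MineMeld-style indicators, followed by a filter on o365_required.
Added example; not the o365-api miner's code."""

# Constructed sample records in the shape of the Microsoft 365 endpoints feed.
SAMPLE_ENDPOINTS = [
    {
        "id": 53,
        "serviceArea": "Common",
        "serviceAreaDisplayName": "Microsoft 365 Common and Office Online",
        "urls": ["*.localytics.com"],
        "tcpPorts": "443",
        "expressRoute": False,
        "category": "Default",
        "required": False,
        "notes": "Portal and shared: 3rd party office integration. (including CDNs)",
    },
    {
        "id": 1,  # constructed record, not a real feed entry
        "serviceArea": "Exchange",
        "serviceAreaDisplayName": "Exchange Online",
        "urls": ["outlook.example.test"],  # placeholder hostname
        "ips": ["192.0.2.0/24", "2001:db8::/32"],  # documentation ranges
        "tcpPorts": "80,443",
        "expressRoute": True,
        "category": "Optimize",
        "required": True,
    },
]

# Record fields copied onto each indicator under the o365_ prefix (assumed set).
COPIED_FIELDS = ("serviceArea", "category", "tcpPorts", "expressRoute", "required", "notes")


def endpoint_to_indicators(record, source="worldwide-exchange", ts=1543921101046):
    """Return a list of (indicator, value) pairs for one endpoint record.

    Every URL and IP in the record becomes its own indicator; the record's
    fields in COPIED_FIELDS are attached as o365_<field> so that downstream
    filters can select on them (e.g. o365_required).
    """
    attrs = {"o365_" + key: record[key] for key in COPIED_FIELDS if key in record}
    base = {
        "confidence": 100,
        "share_level": "green",
        "sources": [source],
        "first_seen": ts,
        "last_seen": ts,
    }
    indicators = []
    for url in record.get("urls", []):
        indicators.append((url, dict(base, type="URL", **attrs)))
    for ip in record.get("ips", []):
        ip_type = "IPv6" if ":" in ip else "IPv4"  # assumed type labels
        indicators.append((ip, dict(base, type=ip_type, **attrs)))
    return indicators


def flatten(records):
    """Flatten a whole feed into one list of (indicator, value) pairs."""
    out = []
    for record in records:
        out.extend(endpoint_to_indicators(record))
    return out


def required_only(indicators):
    """Keep only indicators Microsoft marks as required (o365_required is True).

    A missing o365_required attribute is treated as not required, so an
    indicator without the flag never slips through the filter.
    """
    return [(ind, val) for ind, val in indicators if val.get("o365_required") is True]


if __name__ == "__main__":
    everything = flatten(SAMPLE_ENDPOINTS)
    for indicator, value in required_only(everything):
        print(indicator, value["type"], value["o365_serviceArea"])
```

Running the module prints only the three indicators from the constructed "Exchange" record; `*.localytics.com` is dropped because its `o365_required` is `false`, which is the same selection a Miner or Output node filter on `o365_required` would make.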