Describe the bug
No IOCs are populated when formatting MD5, Domain, and IP output feeds for use in Carbon Black Response using the v=carbonblack URL parameter.
Same symptoms as https://github.com/PaloAltoNetworks/minemeld/issues/52 so it may be a duplicate. The resolution there was unclear. I made sure I was using supported indicator types which may have been the problem there.
Expected behavior
IOCs are populated.
Current behavior
The feed populates as expected when formatting for JSON, CSV, or when passing no parameters. When formatting for Carbon Black using v=carbonblack only the report "boilerplate" and encoded icons are output with no IOCs. The "ipv4", "dns", and "md5" sections are empty.
Possible solution
None. I checked the code but didn't see any obvious cause or solution.
Steps to reproduce
Can be reproduced on the latest (0.9.70.post1) version using the Docker deployment and the default IP feeds with the following steps:
v=carbonblack parameter to get https://YOUR_IP_ADDRESS/feeds/inboundfeedhc?v=carbonblack
Screenshots
Context
We are hoping to use domain and IP from MineMeld in a local Carbon Black Response instance.
Your Environment
Confirmed this happens with MD5, domain, and IP feeds in MineMeld version 0.9.60b4 (What we have in production). Confirmed this happens with the default IP feeds in MineMeld version 0.9.70.post1 using Docker deployment.
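A check for the symptom reported above, added here as an example and not part of the original report or of MineMeld's code: it compares the plain feed body with the v=carbonblack body and lists the indicators that never reached the "ipv4", "dns", and "md5" sections. The top-level "reports" list and per-report "iocs" object are assumed from the Carbon Black feed layout, and the sample data is constructed.

```python
import ipaddress
import json
import re

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
DNS_RE = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9_-]{1,63}\.)+[A-Za-z]{2,63}$")

# Constructed sample: a plain feed body and the empty carbonblack output the issue describes.
SAMPLE_PLAIN = ("198.51.100.7\n203.0.113.0-203.0.113.255\n"
                "example.org\nd41d8cd98f00b204e9800998ecf8427e\n")
SAMPLE_CB = json.dumps({
    "feedinfo": {"name": "inboundfeedhc"},  # assumed boilerplate key
    "reports": [{"id": "r1", "iocs": {"ipv4": [], "dns": [], "md5": []}}],
})


def classify(indicator):
    """Map one plain-feed line to a section name from the issue, or None."""
    try:
        ipaddress.IPv4Address(indicator)
        return "ipv4"
    except ValueError:
        pass
    if MD5_RE.match(indicator):
        return "md5"
    if DNS_RE.match(indicator):
        return "dns"
    return None  # ranges, CIDRs, URLs: not a single-value indicator


def missing_iocs(plain_feed, cb_feed_json):
    """Return, per section, indicators in the plain feed absent from the carbonblack feed."""
    expected = {"ipv4": set(), "dns": set(), "md5": set()}
    for line in plain_feed.splitlines():
        line = line.strip()
        kind = classify(line) if line else None
        if kind:
            expected[kind].add(line.lower())
    present = {kind: set() for kind in expected}
    for report in json.loads(cb_feed_json).get("reports", []):
        for kind, values in (report.get("iocs") or {}).items():
            if kind in present:
                present[kind].update(v.lower() for v in values)
    return {kind: sorted(expected[kind] - present[kind]) for kind in expected}


if __name__ == "__main__":
    print(missing_iocs(SAMPLE_PLAIN, SAMPLE_CB))
```

Range entries such as the second sample line are skipped by `classify`, so they are not counted as missing.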