Running Splunk 7.0.3 and the most recent Palo Alto Networks Splunk app + TA, and trying to integrate with AutoFocus and MineMeld. Almost everything seems to be working properly, but I'm struggling with the MineMeld integration.
I've added my AutoFocus API key to the Palo Alto Networks App for Splunk. I then ran this command:
| panautofocustags
And now when I run
| `pan_autofocus_tags`
I can see all of the AutoFocus tags from within Splunk... thousands of entries. So far, so good.
I've also created a MineMeld Input, using the URL from the AutoFocus-hosted MineMeld output node. (I've verified that the URL is good, as I can visit it from my PC and I see the list of indicators/IP addresses). These indicators do not seem to be importing into Splunk. I run this command:
| `mm_indicators`
And 0 responses are returned. (Coincidentally, there was an issue opened in the GitHub repository not too long ago for something similar, but it was closed because it wasn't an appropriate troubleshooting venue.) I'm having the same problem, it seems.
How do we troubleshoot this? Thanks!
I was able to track this down to authentication/permissions from my Splunk box to the MineMeld feed URL. My desktop had authenticated and had access, but the Splunk TA had not. Here are the log files + entries that helped me track it down:
grep UNAUTHORIZED /opt/splunk/var/log/splunk/Splunk_TA_paloalto_minemeld_feed.log
2018-04-26 10:54:06,935 ERROR pid=14717 tid=MainThread file=base_modinput.py:log_error:307 | Failed to get entries for "AFtest": 401 Client Error: UNAUTHORIZED for url: https://redacted.paloaltonetworks-app.com/feeds/AF-Ransomware-FeedHCRedWithValue-IPv4?tr=1&v=json
I used a different MineMeld feed with less restrictive access controls and it seems to be working correctly:
2018-05-03 18:20:15,283 INFO pid=16561 tid=MainThread file=setup_util.py:log_info:114 | Log level is not set, use default INFO
2018-05-03 18:20:15,283 INFO pid=16561 tid=MainThread file=base_modinput.py:log_info:293 | START Splunk_TA_paloalto indicator retrieval for "AF_o365_IPv4"
2018-05-03 18:20:15,283 INFO pid=16561 tid=MainThread file=setup_util.py:log_info:114 | Proxy is not enabled!
2018-05-03 18:20:15,314 INFO pid=16561 tid=MainThread file=base_modinput.py:log_info:293 | Removing 502 previous entries for MineMeld feed "AF_o365_IPv4"
2018-05-03 18:20:15,316 INFO pid=16561 tid=MainThread file=setup_util.py:log_info:114 | Proxy is not enabled!
2018-05-03 18:20:15,366 INFO pid=16561 tid=MainThread file=setup_util.py:log_info:114 | Proxy is not enabled!
2018-05-03 18:20:15,665 INFO pid=16561 tid=MainThread file=base_modinput.py:log_info:293 | Saving 502 entries for MineMeld feed "AF_o365_IPv4"
2018-05-03 18:20:15,665 INFO pid=16561 tid=MainThread file=setup_util.py:log_info:114 | Proxy is not enabled!
2018-05-03 18:20:15,712 INFO pid=16561 tid=MainThread file=setup_util.py:log_info:114 | Proxy is not enabled!
2018-05-03 18:20:15,743 INFO pid=16561 tid=MainThread file=base_modinput.py:log_info:293 | END Splunk_TA_paloalto indicator retrieval for "AF_o365_IPv4"
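A small triage script for that log, added here as an example; it is not part of the thread above and not code from the Palo Alto Networks TA. It parses constructed lines in the format of the Splunk_TA_paloalto_minemeld_feed.log excerpts quoted above (the feed names, the 401 message and the ?tr=1&v=json URL are the page's own; the verdict wording is mine) and reports, per feed, whether the fetch was refused by the feed's access controls, failed for another reason, or saved entries, which is exactly the distinction that explains an empty `mm_indicators` result.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the Splunk_TA_paloalto_minemeld_feed.log lines quoted above.
SAMPLE_LOG = """\
2018-04-26 10:54:06,935 ERROR pid=14717 tid=MainThread file=base_modinput.py:log_error:307 | Failed to get entries for "AFtest": 401 Client Error: UNAUTHORIZED for url: https://redacted.paloaltonetworks-app.com/feeds/AF-Ransomware-FeedHCRedWithValue-IPv4?tr=1&v=json
2018-05-03 18:20:15,314 INFO pid=16561 tid=MainThread file=base_modinput.py:log_info:293 | Removing 502 previous entries for MineMeld feed "AF_o365_IPv4"
2018-05-03 18:20:15,665 INFO pid=16561 tid=MainThread file=base_modinput.py:log_info:293 | Saving 502 entries for MineMeld feed "AF_o365_IPv4"
"""

# One pattern per TA log event that says how a feed fetch went.
FAIL_RE = re.compile(r'Failed to get entries for "(?P<feed>[^"]+)": '
                     r'(?P<status>\d{3}) (?P<reason>.+?) for url: (?P<url>\S+)')
SAVE_RE = re.compile(r'Saving (?P<n>\d+) entries for MineMeld feed "(?P<feed>[^"]+)"')
REMOVE_RE = re.compile(r'Removing (?P<n>\d+) previous entries for MineMeld feed "(?P<feed>[^"]+)"')


def summarize_feed_log(text):
    """Return {feed: {"saved", "removed", "status", "reason", "url"}} parsed from TA log text."""
    feeds = defaultdict(lambda: dict(saved=None, removed=None, status=None, reason=None, url=None))
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            feeds[m["feed"]].update(status=int(m["status"]), reason=m["reason"], url=m["url"])
            continue
        m = SAVE_RE.search(line) or REMOVE_RE.search(line)
        if m:
            key = "saved" if "Saving" in line else "removed"
            feeds[m["feed"]][key] = int(m["n"])
    return dict(feeds)


def diagnose(feeds):
    """Map each feed to a short verdict explaining why `mm_indicators` may be empty for it."""
    verdicts = {}
    for name, f in feeds.items():
        if f["status"] in (401, 403):
            verdicts[name] = "auth: feed URL refused the Splunk host (HTTP %d)" % f["status"]
        elif f["status"] is not None:
            verdicts[name] = "http: fetch failed with HTTP %d (%s)" % (f["status"], f["reason"])
        elif f["saved"] == 0:
            verdicts[name] = "empty: feed reachable but returned no indicators"
        elif f["saved"] is None:
            verdicts[name] = "no-run: no fetch result logged for this feed"
        else:
            verdicts[name] = "ok: %d indicators saved" % f["saved"]
    return verdicts


if __name__ == "__main__":
    for feed, verdict in diagnose(summarize_feed_log(SAMPLE_LOG)).items():
        print(feed, "->", verdict)
```

Point it at the real log with `summarize_feed_log(open("/opt/splunk/var/log/splunk/Splunk_TA_paloalto_minemeld_feed.log").read())`; an "auth" verdict means the feed's access controls reject the Splunk host even when your own workstation can load the URL.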