: AutoFocus Prototypes
Focus
Focus
Table of Contents

AutoFocus Prototypes

The following AutoFocus-specific prototypes allow you to Forward MineMeld Indicators to AutoFocus and Forward AutoFocus Indicators to MineMeld. To view the default behavior for a prototype, select the prototype from the Prototypes tab in MineMeld and view the configuration (Config) details. The prototypes below have default intervals for extracting and aging out indicators. When an indicator is aged out, MineMeld withdraws the indicator from the outputs that received them.
Prototype
Description
Default Behavior
Samples Miner
The samples miner extracts Threat Indicators from samples that meet the conditions of an AutoFocus search. You must set the search conditions when you create this miner node.
The samples miner does not extract all sample artifacts; it only extracts statistically important artifacts that AutoFocus has determined to be indicators based on their tendency to be seen with malware.
  • Accepts all indicator types.
  • Initially extracts indicators from samples that meet the criteria of the search based on the last 24 hours.
  • After the initial poll for indicators, extracts indicators from samples every hour.
  • Each time this miner extracts indicators, it only extracts indicators from the first 10,000 samples.
  • Only forwards indicators that it has not seen previously.
  • Ages out indicators 24 hours after the last time they were seen in the sample search results.
Indicator Store Miner
The indicator store miner extracts indicators from external sources that are currently stored in the AutoFocus Indicator Store (see Manage Threat Indicators). You must connect this miner to a processor and output node to forward the indicators to a destination outside of AutoFocus, such as a Palo Alto Networks firewall or other SIEM platforms.
The indicator store miner is an updated version of the deprecated artifact miner.
  • Accepts all indicator types.
  • Initially extracts indicators that were added to the Indicator Store in the last 24 hours.
  • After the initial poll for indicators, extracts indicators from the store every hour.
  • Only forwards indicators that it has not seen previously.
  • Ages out indicators 30 days after the last time they were added or updated in the Indicator Store, or as soon as an indicator is marked as expired in the store.
Expired indicators are indicators that have been removed from the feed from which they came.
Indicator Store Output
The indicator store output sends indicators from external threat intelligence sources directly to the AutoFocus Indicators Store (see Manage Threat Indicators). AutoFocus highlights indicators in your samples that match the indicators in the store, allowing you to Find High-Risk Artifacts.
The indicator store output is an updated version of the deprecated artifact output.
  • Accepts all indicators types.
  • Does not allow you to use the artifacts miner to send indicators back to the Indicator Store.
Export List Miner
The export list miners sends artifacts from an AutoFocus export list to a destination outside of AutoFocus.
Unlike the other AutoFocus prototypes, the export list miner can be used in either AutoFocus-hosted MineMeld or a MineMeld instance you deployed in your own environment.
Accepts IPv4, URL, and domain indicators.