Introduction to MineMeld
Using threat intelligence to enforce security policy poses several challenges. Sources of threat indicators often publish indicators in multiple formats or format them inconsistently. Collecting indicators from multiple sources and repackaging them into different formats requires a large investment of time and effort, especially as you discover new sources of indicators. It is also difficult to keep track of updates to threat indicator sources, since they are updated at different times and not always on a regular basis. MineMeld automates many of these manual processes so you can use indicators to dynamically enforce policy with your firewall or to investigate threats with AutoFocus.
Three types of MineMeld nodes make it possible to automate the flow of indicators from source to destination:
- Miners extract indicators from sources of threat intelligence, such as a threat indicator feed or a threat intelligence service like AutoFocus.
- Processors receive indicators from miners and can aggregate indicators, eliminate duplicated indicators, and merge different sets of metadata for the same indicator. For example, a common type of processor is one that receives only IPv4 indicators.
- Outputs receive indicators from processors. Output nodes format the indicators and allow MineMeld to dynamically send the indicators to one or more destinations (for example, MineMeld can send indicators from external threat feeds to AutoFocus or the firewall).
Nodes are the building blocks of MineMeld, and you can create the most basic MineMeld connection by connecting a single miner node to a processor node and connecting the processor node to an output node.
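The miner, processor, and output roles described above, modeled as an added example in plain Python; this is illustrative code written for this page, not MineMeld's own node implementation. The two feeds, their formats, and the confidence values are constructed; the processor keeps only IPv4 indicators (the common processor type mentioned above), de-duplicates them, and merges the metadata, and the output renders the one-indicator-per-line form a firewall external dynamic list consumes.

```python
import ipaddress
import json

# Constructed sample feeds in two different formats (documentation addresses,
# not real indicators). FEED_A is "value,severity" text; FEED_B is a JSON list.
FEED_A = "198.51.100.7,high\n203.0.113.9,low\nevil.example,high\n"
FEED_B = json.dumps([
    {"indicator": "198.51.100.7", "confidence": 60},
    {"indicator": "2001:db8::1", "confidence": 80},
    {"indicator": "203.0.113.9", "confidence": 90},
])

def mine_csv(text, source):
    """Miner: parse a 'value,severity' feed into (indicator, metadata) pairs."""
    for line in text.splitlines():
        value, severity = line.split(",")
        conf = {"high": 90, "low": 30}[severity.strip()]  # constructed mapping
        yield value.strip(), {"confidence": conf, "sources": {source}}

def mine_json(text, source):
    """Miner: parse a JSON list feed into (indicator, metadata) pairs."""
    for item in json.loads(text):
        yield item["indicator"], {"confidence": item["confidence"], "sources": {source}}

def is_ipv4(value):
    """True only for a syntactically valid IPv4 address (hostnames, IPv6 rejected)."""
    try:
        return isinstance(ipaddress.ip_address(value), ipaddress.IPv4Address)
    except ValueError:
        return False

def process_ipv4(*miners):
    """Processor: accept only IPv4 indicators, de-duplicate them across miners,
    and merge metadata (highest confidence wins, source sets are unioned)."""
    merged = {}
    for miner in miners:
        for value, meta in miner:
            if not is_ipv4(value):
                continue
            entry = merged.setdefault(value, {"confidence": 0, "sources": set()})
            entry["confidence"] = max(entry["confidence"], meta["confidence"])
            entry["sources"] |= meta["sources"]
    return merged

def output_edl(indicators, min_confidence=50):
    """Output: one indicator per line, sorted, dropping low-confidence entries."""
    return "\n".join(sorted(v for v, m in indicators.items()
                            if m["confidence"] >= min_confidence))

def pipeline():
    """Miner -> processor -> output, the basic MineMeld connection."""
    return output_edl(process_ipv4(mine_csv(FEED_A, "feedA"), mine_json(FEED_B, "feedB")))
```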
MineMeld provides pre-built miner, processor, and output prototypes, which are templates you can use to create a node. There are AutoFocus-specific prototypes, which you can use to create miner nodes that use AutoFocus as a source of threat indicators (see Forward AutoFocus Indicators to MineMeld) or output nodes that send threat indicators to AutoFocus (see Forward MineMeld Indicators to AutoFocus). For more information on MineMeld basics, view a Quick Tour of the MineMeld Default Configuration.