AutoFocus-Hosted MineMeld
You can now use MineMeld directly in the
AutoFocus™ interface, removing the need to deploy and host it in
your own environment. MineMeld is an open-source
threat intelligence processing tool that extracts threat indicators
from various sources and compiles the indicators into multiple formats
that are compatible with AutoFocus, the Palo Alto Networks® next-generation
firewall, and other security information and event management (SIEM)
platforms. An indicator is an artifact
that security experts typically observe to detect signs that a network
has been compromised.
Three types of MineMeld nodes make
it possible to automate the flow of indicators from source to recipient:
- Miners extract indicators from sources of threat intelligence, such as a threat indicator feed or a threat intelligence service like AutoFocus.
- Processors receive indicators from miners and can aggregate indicators, eliminate duplicated indicators, and merge different sets of metadata for the same indicator. For example, a common type of processor is one that receives only IPv4 indicators.
- Outputs receive indicators from processors. Output nodes format the indicators and allow MineMeld to dynamically send the indicators to one or more destinations (for example, MineMeld can send indicators from external threat feeds to AutoFocus).

Nodes are the building
blocks of MineMeld, and you can create the most basic MineMeld connection
by connecting a single miner node to a processor node and connecting
the processor node to an output node. For more information on MineMeld
basics, view a Quick Tour of the MineMeld Default
Configuration.
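To make the three node roles concrete, here is an added, simplified Python model of a miner-to-processor-to-output chain (example code written for this page, not MineMeld's own implementation). The feed records, the node function names and the confidence field are constructed assumptions; the processor keeps only valid IPv4 indicators, deduplicates them and merges metadata from every source that reported the same indicator, and the output renders them one address per line as a firewall external dynamic list would expect.

```python
from ipaddress import ip_address

# Constructed sample records standing in for two miner sources (not real feeds).
FEED_A = [
    {"indicator": "198.51.100.7", "type": "IPv4", "confidence": 60, "source": "feedA"},
    {"indicator": "203.0.113.9", "type": "IPv4", "confidence": 80, "source": "feedA"},
    {"indicator": "malicious.example", "type": "domain", "confidence": 70, "source": "feedA"},
]
FEED_B = [
    {"indicator": "198.51.100.7", "type": "IPv4", "confidence": 90, "source": "feedB"},
    {"indicator": "192.0.2.44", "type": "IPv4", "confidence": 50, "source": "feedB"},
    {"indicator": "300.1.1.1", "type": "IPv4", "confidence": 95, "source": "feedB"},  # malformed
]


def miner(feed):
    """Miner node: pull raw records from one source and yield (indicator, type, metadata)."""
    for rec in feed:
        meta = {k: v for k, v in rec.items() if k not in ("indicator", "type")}
        yield rec["indicator"], rec["type"], meta


def is_ipv4(value):
    """True only for a syntactically valid IPv4 address."""
    try:
        return ip_address(value).version == 4
    except ValueError:
        return False


def ipv4_aggregator(streams):
    """Processor node: accept only IPv4 indicators, deduplicate them, and merge metadata
    from every source that reported the same indicator (highest confidence wins)."""
    merged = {}
    for stream in streams:
        for indicator, typ, meta in stream:
            if typ != "IPv4" or not is_ipv4(indicator):
                continue  # wrong type, or a mislabelled value that would break the output list
            entry = merged.setdefault(indicator, {"sources": set(), "confidence": 0})
            entry["sources"].add(meta["source"])
            entry["confidence"] = max(entry["confidence"], meta["confidence"])
    return merged


def edl_output(merged, min_confidence=0):
    """Output node: render the indicator set as external-dynamic-list style text,
    one IPv4 address per line, dropping anything below the confidence threshold."""
    keep = [i for i, m in merged.items() if m["confidence"] >= min_confidence]
    return "\n".join(sorted(keep, key=ip_address))
```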
A major benefit of using AutoFocus-hosted
MineMeld is the ability to forward indicators from AutoFocus to
MineMeld and vice versa. You can now store up to 180 million indicators
from external sources in AutoFocus, and AutoFocus highlights indicators
in your samples that match these stored indicators.
MineMeld
is available on a per support account basis. Follow the procedure
below to get started with MineMeld.
- Start MineMeld (Apps).
- When MineMeld finishes deploying, access MineMeld from the navigation pane.
- Get an overview of miner, processor, and output nodes currently in use on the Dashboard.
- View a library of miner, processor, and output Prototypes you can clone to Create a MineMeld Node.
- View a complete list of Nodes you've created.
- Choose other nodes from which a node will receive indicators. Edit the inputs of the node Config to Connect MineMeld Nodes. The Config tab also allows you to Delete a MineMeld Node.
- View the Logs, a record of the indicators that MineMeld extracted from feed sources.
For more guidance on how to use MineMeld, see MineMeld.
- To determine if any WildFire analysis artifacts for your samples match indicators from external threat feeds, Forward MineMeld Indicators to AutoFocus.
- Find sample indicators that match indicators from MineMeld.
- Click on the indicators tag to view all sample indicators that match indicators from MineMeld.
- Click Indicators on the navigation pane to Manage Threat Indicators from MineMeld.
- To use AutoFocus as a source of indicators for MineMeld, Forward AutoFocus Indicators to MineMeld. You can forward indicators from:
- Samples that meet the conditions of an AutoFocus search.
- The Indicators Store (Indicators), if you need to forward indicators that MineMeld previously forwarded to AutoFocus to a destination outside of AutoFocus.
- An AutoFocus export list.
Use AutoFocus Miners with the Palo Alto Networks Firewall, so that the firewall can dynamically retrieve AutoFocus indicators for an external dynamic list.
- (Optional) While MineMeld is running, it extracts and processes indicators based on the nodes that are connected. To pause the retrieval of indicators through MineMeld or to restore MineMeld to its default configuration, learn how to Start, Stop, and Reset MineMeld.