Forward AutoFocus Indicators to MineMeld
Table of Contents
Forward AutoFocus Indicators to MineMeld
Use MineMeld to send indicators from AutoFocus
to the firewall and other SIEM platforms. Learn more about how you can Use
AutoFocus Miners with the Palo Alto Networks Firewall.
- Use an AutoFocus Samples Miner to forward Indicators from sample search results.
- Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
- Work with the Search Editor to set up a search.
- Create MineMeld Miner(
) from the search page.The node details include:- Name—Give the miner a descriptive name.
- Prototype—The prototype is pre-selected (autofocus.samplesMiner).
- Query—This field is pre-populated with the conditions of your search.
- Scope—Select the scope of the search results: global, private, and public.
- Artifacts—Select which indicators AutoFocus will forward to MineMeld:Anyindicators, only indicators that match MineMeld indicators, orNone(MineMeld only extracts hashes from the sample search results).
- Connect to Processors—Select processors that will receive indicators from the miner.If you select a Scope of global, the miner extracts indicators from your private samples and public samples from you and other AutoFocus users; it does not extract indicators from other users’ private samples.
- Connect MineMeld Nodes (processor and output) to the miner you just created.
- Use an AutoFocus Indicator Store Miner to forward indicators from external sources stored in AutoFocus (see Manage Threat Indicators) to a destination outside of AutoFocus.
- Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
- ClickIndicatorson the navigation pane and optionally, Filter the indicators.
- Create MineMeld Miner(
).The node details include:
- Name—Give the miner a descriptive name.
- Prototype—The prototype is pre-selected (autofocus.indicatorStoreMiner).
- Query—If you filtered the indicators, this field is pre-populated with the filter you used.
- Connect to Processors—Select processors that will receive indicators from the miner.
- Connect MineMeld Nodes (processor and output) to the miner you just created.
- Use an AutoFocus Export List Miner to forward indicators from an AutoFocus export list.You can use the AutoFocus export list miner in AutoFocus-hosted MineMeld or in a MineMeld instance you deployed in your own environment. The default behavior of the miner is the same in either version of MineMeld.
- Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
- Create a Minemeld Node based on the prototypeautofocus.exportList.When completing the additional required fields for the node, provide your AutoFocusAPI Keyand theLabelof the export list from which MineMeld will extract indicators.