AutoFocus-Hosted MineMeld

You can now use MineMeld directly in the AutoFocus™ interface, removing the need to deploy and host it in your own environment. MineMeld is an open-source threat intelligence processing tool that extracts threat indicators from various sources and compiles the indicators into multiple formats that are compatible with AutoFocus, the Palo Alto Networks® next-generation firewall, and other security information and event management (SIEM) platforms. An indicator is an artifact that security experts typically observe to detect signs that a network has been compromised.
Three types of MineMeld nodes make it possible to automate the flow of indicators from source to recipient:
  • Miners extract indicators from sources of threat intelligence, such as a threat indicator feed or a threat intelligence service like AutoFocus.
  • Processors receive indicators from miners and can aggregate indicators, eliminate duplicated indicators, and merge different sets of metadata for the same indicator. For example, a common type of processor is one that receives only IPv4 indicators.
  • Outputs receive indicators from processors. Output nodes format the indicators and allow MineMeld to dynamically send the indicators to one or more destinations (for example, MineMeld can send indicators from external threat feeds to AutoFocus).
Nodes are the building blocks of MineMeld, and you can create the most basic MineMeld connection by connecting a single miner node to a processor node and connecting the processor node to an output node. For more information on MineMeld basics, view a Quick Tour of the MineMeldDefault Configuration .
A major benefit of using AutoFocus-hosted MineMeld is the ability to forward indicators from AutoFocus to MineMeld and vice versa. You can now store up to 180 million indicators from external sources in AutoFocus, and AutoFocus highlights indicators in your samples that match these stored indicators.
MineMeld is available on a per support account basis. Follow the procedure below to get started with MineMeld.
  1. Start MineMeld (Apps).
  2. When MineMeld finishes deploying, access MineMeld from the navigation pane.
    • Get an overview of miner, processor, and output nodes currently in use on the Dashboard.
    • View a library of miner, processor, and output Prototypes you can clone to Create a MineMeld Node .
    • View a complete list of Nodes you’ve created.
    • Choose other nodes from which a node will receive indicators. Edit the inputs of the node Config to Connect MineMeld Nodes . The Config tab also allows you to Delete a MineMeld Node .
    • View the Logs, which is a record of indicators that MineMeld extracted from feed sources.
    For more guidance on how to use MineMeld, see MineMeld .
  3. To determine if any WildFire analysis artifacts for your samples match indicators from external threat feeds, Forward MineMeld Indicatorsto AutoFocus.
    • Find sample indicators that match indicators from MineMeld.
    • Click on the indicators tag to view all sample indicators that match indicators from MineMeld.
  4. Click Indicators on the navigation pane to Manage Threat Indicators from MineMeld.
  5. To use AutoFocus as a source of indicators for MineMeld, Forward AutoFocus Indicatorsto MineMeld .
    You can forward indicators from:
    • Samples that meet the conditions of an AutoFocus search.
    • The Indicators Store (Indicators), if you need to forward indicators that MineMeld previously forwarded to AutoFocus to a destination outside of AutoFocus.
    • An AutoFocus export list.
    Use AutoFocus Miners with the Palo Alto Networks Firewall , so that the firewall can dynamically retrieve AutoFocus indicators for an external dynamic list .
  6. (Optional) While MineMeld is running, it extracts and processes indicators based on the nodes that are connected. To pause the retrieval of indicators through MineMeld or to restore MineMeld to its default configuration, learn how to Start, Stop, and Reset MineMeld .

Related Documentation