Wednesday, October 16, 2019

Palo Alto Networks Minemeld - Part II - Custom Miner Configuration

The purpose of this post is to elaborate on the configuration used to walk you through how Minemeld works in my previous post. If you haven't read through part 1, I highly recommend that you start there prior to moving forward.

NOTE: The posts on this topic assume that you already have an active Minemeld instance running (either open source or hosted via AutoFocus), and that you already have a firewall or third-party security tool configured to consume the feed it produces. More information about initial configuration is available in the Palo Alto Networks documentation for the hosted version and in the open source project's documentation.

Configuration Steps

  1. Let's start fresh by deleting existing nodes under Config.
  2. Navigate to Prototypes, which has its own tab in the AutoFocus-hosted version. You can get there in the open source version by navigating to Config -> Browse Prototypes (three lines in lower right-hand corner).
  3. Search for and select ETOpen.blockIPs
  4. Note that there are two options, New and Clone. We are going to select New.
    1. New - takes the selected prototype as a template and creates a new prototype from it. This is what we want here, because we are changing the feed URL, source name and attributes.
    2. Clone - creates a node (a miner, aggregator or output feed in your running config) from the prototype as it stands.
  5. Enter/edit the following information:
    1. Name - cisco_talos
    2. Description - Cisco Talos threat intelligence feed.
    3. Tags - ShareLevelGreen and ConfidenceHigh
    4. Config - (this is a YAML fragment; indentation matters)
         attributes:
           confidence: 80
           share_level: green
           type: IPv4
         ignore_regex: ^#
         source_name: cisco_talos.blf
         url: https://talosintelligence.com/documents/ip-blacklist
  6. Select OK
  7. Back in Prototypes, search for cisco, and you should see the prototype you just created.
  8. Select the prototype and confirm that the config matches what you entered in step 5 (see the screenshot), then select Clone.
  9. Enter cisco_talos for the name and then select OK.
  10. Navigate to Prototypes, search for and select stdlib.aggregatorIPv4Generic, and then select Clone.
  11. Enter aggregatorIPv4 for the name and then select OK.
  12. Navigate to Prototypes, search for and select stdlib.feedHCGreen, and then select Clone.
  13. Enter ip_feedHC for the name and then select OK.
  14. In the Config pane, click on the INPUTS field for aggregatorIPv4, select cisco_talos, and then select OK.
  15. In the Config pane, click on the INPUTS field for ip_feedHC, select aggregatorIPv4, and then select OK.
  16. In the Config pane, select Commit.
Upon commit, you should be able to navigate to Nodes, select cisco_talos, and then graph (the asterisk icon), which should show the three nodes connected in order (cisco_talos -> aggregatorIPv4 -> ip_feedHC) and processing data. Once the miner has polled the URL, its indicator count on the Nodes page should be non-zero.
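To make the data flow concrete, here is an added example (my own Python, written for this post; it is not code from the original post and not MineMeld's implementation) that models the three nodes you just wired together. It takes the miner config entered in step 5, runs it over a constructed sample of a Talos-style block list instead of fetching the real URL, merges the result the way the aggregator does, and renders the one-indicator-per-line text that the output feed serves to the firewall. The feed node's high-confidence threshold of 75 is an assumption about stdlib.feedHCGreen, not a value taken from the prototype definition.

```python
"""Added example: a stand-alone model of the pipeline configured above
(cisco_talos miner -> aggregatorIPv4 -> ip_feedHC). Illustrative code
written for this post, not MineMeld's own implementation."""
import ipaddress
import re

# Miner config exactly as entered in the cisco_talos prototype above.
CISCO_TALOS_CONFIG = {
    "source_name": "cisco_talos.blf",
    "url": "https://talosintelligence.com/documents/ip-blacklist",
    "ignore_regex": r"^#",
    "attributes": {"confidence": 80, "share_level": "green", "type": "IPv4"},
}

# Constructed sample body (not real Talos data): a comment line, one address
# per line, a duplicate, a garbage line and a CIDR range.
SAMPLE_FEED = """\
# Talos IP block list (constructed sample)
203.0.113.10
198.51.100.7
203.0.113.10
not-an-ip
192.0.2.0/24
"""


def mine(feed_text, config):
    """Emulate the HTTP miner: skip lines matching ignore_regex, keep only
    well-formed IPv4 addresses or networks, and stamp each indicator with
    the configured attributes plus the source_name."""
    ignore = re.compile(config["ignore_regex"])
    indicators = {}
    for raw in feed_text.splitlines():
        line = raw.strip()
        if not line or ignore.search(line):
            continue
        try:
            ipaddress.IPv4Network(line, strict=False)
        except ValueError:
            continue  # unparseable line: a real miner logs it and moves on
        indicators[line] = dict(config["attributes"], sources=[config["source_name"]])
    return indicators


def aggregate(*miner_outputs):
    """Emulate aggregatorIPv4: one entry per indicator value across all
    inputs, merging sources and keeping the highest reported confidence."""
    merged = {}
    for output in miner_outputs:
        for value, attrs in output.items():
            current = merged.get(value)
            if current is None:
                merged[value] = dict(attrs, sources=list(attrs["sources"]))
            else:
                current["sources"] = sorted(set(current["sources"]) | set(attrs["sources"]))
                current["confidence"] = max(current["confidence"], attrs["confidence"])
    return merged


def feed_hc_green(aggregated, min_confidence=75):
    """Emulate ip_feedHC (cloned from stdlib.feedHCGreen): pass only green
    share level with confidence above the threshold, and render the EDL text
    the firewall fetches, one indicator per line. The threshold is an
    assumption about the stdlib prototype, not taken from its definition."""
    accepted = [
        value for value, attrs in aggregated.items()
        if attrs["share_level"] == "green" and attrs["confidence"] > min_confidence
    ]
    accepted.sort(key=lambda v: ipaddress.IPv4Network(v, strict=False))
    return "\n".join(accepted)


def run_pipeline(feed_text=SAMPLE_FEED, config=CISCO_TALOS_CONFIG):
    """cisco_talos -> aggregatorIPv4 -> ip_feedHC over one feed body."""
    return feed_hc_green(aggregate(mine(feed_text, config)))


if __name__ == "__main__":
    print(run_pipeline())
```

Two things worth noticing when you run it: the duplicate and the garbage line disappear at the miner, which is why the node's indicator count is usually lower than the line count of the upstream file, and an indicator that arrives from a second miner with a lower confidence still reaches the feed as long as some source rated it above the threshold, because the aggregator keeps the highest confidence it has seen. That is also why the attributes you set in the prototype matter: they decide whether ip_feedHC will ever emit the indicator at all.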


The next post will expound upon this blacklist use case to include additional open source lists, paid lists, Palo Alto Networks competitor lists, etc.
