Splunk® Intelligence Management (Legacy)

Workflow Apps

Palo Alto MineMeld

MineMeld is an open-source application from Palo Alto Networks that streamlines the aggregation, enforcement and sharing of threat intelligence.

Requirements

  • Palo Alto MineMeld installation and license. MineMeld is available on GitHub or as a pre-built virtual machine (VM) for easy deployment.
  • Access to your Splunk Intelligence Management API Key and API Secret.

Configuring the TAXII Client

To set up MineMeld to work with the Splunk Intelligence Management TAXII Server, you need to execute the following procedures:

  1. Install the MineMeld TAXII extension and then activate it.
  2. Create a MineMeld prototype
  3. Create a MineMeld node

Installing the MineMeld TAXII extension

  1. Log into MineMeld.
  2. Click System to display the Systems window.
  3. Click the Extensions icon (a small grid of nine dots). This displays all extensions currently installed.
  4. In the lower left of the Extensions window, click the .git icon. If you then see a warning dialog, click OK.
  5. In the Install selection from .git dialog, enter this URL: https://github.com/PaloAltoNetworks/minemeld-taxii-ng.git
  6. Click Version, then select the most recent version available.
  7. Click Install to begin the installation.
  8. After the installation has completed, click the Activate button next to the extension in the MineMeld Extensions window.

Creating a MineMeld Prototype

  1. Click Config on the MineMeld menu bar. This displays a list of configurations.
  2. Below the list, on the right, click the grid icon (a small grid of nine dots). This displays a list of prototypes.
  3. Click the taxiing.phishtank prototype to open it.
  4. Click New on the right upper corner to open a new local prototype window.
  5. In the New Local Prototype window, fill in this information:
    • Name: Splunk Intelligence Management <IOC type>. For example, if you will be using the URL collection, name the prototype Splunk Intelligence Management URL_collection.
    • Description: Enter text that describes what the extension will do with Splunk Intelligence Management.
    • Indicator Types:
    • Tags
  6. In the Config box, you must edit these fields:
    • collection specifies the Splunk Intelligence Management collection to poll. Splunk Intelligence Management provides several collections, listed in the TAXII Server documentation.
    • discovery_service specifies the location of the Splunk Intelligence Management TAXII discovery service.
    • username is your Splunk Intelligence Management API key.
    • password is your Splunk Intelligence Management API secret.
    For the URL collection, the edited fields look like this:
    collection: collection-indicator-url
    discovery_service: https://taxii.trustar.co/services/discovery
    username: <your Splunk Intelligence Management API key>
    password: <your Splunk Intelligence Management API secret>
    Because the prototype holds your API secret as part of its configuration, limit who can log in to MineMeld and open the Config view, and rotate the secret if the prototype is exported or shared.
    
  7. Click OK to save your edits.

Creating a MineMeld Node

  1. In the Prototypes list, click the prototype you just created to open it.
  2. Click Clone in the upper-right corner of the Prototype window.
  3. Specify a name for the node. Node names cannot contain spaces, so Splunk Intelligence Management recommends using the prototype name with underscores in place of the spaces.
  4. Click OK to save your edits and return to the Nodes list.
  5. At the top of the list, click Commit to commit your changes. This will stop and then restart the MineMeld server. The progress bar on top of the MineMeld menu bar shows the status of the server restart.
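Because Commit restarts the MineMeld server, it is worth confirming the discovery_service URL, the collection name and the API key/secret pair before you commit. The following script is an added example, not MineMeld or Splunk code. It reproduces the exchange the TAXII extension performs: a Discovery_Request to discovery_service, parsing the Discovery_Response to find the POLL service, and a Poll_Request for the configured collection, all sent with HTTP Basic authentication where the username is the API key and the password is the API secret. It assumes the server speaks TAXII 1.1 over HTTPS (an assumption, not stated on this page); the Discovery_Response it parses offline is a constructed sample with example.com addresses, and post_taxii is the only function that touches the network.

```python
"""Offline TAXII 1.1 client checks for the Splunk Intelligence Management
TAXII server (added example; assumes TAXII 1.1 over HTTPS with Basic auth).
"""
import base64
import urllib.request
import uuid
import xml.etree.ElementTree as ET

TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
ET.register_namespace("taxii_11", TAXII_NS)

DISCOVERY_SERVICE = "https://taxii.trustar.co/services/discovery"  # from the page
COLLECTION = "collection-indicator-url"                            # from the page


def taxii_headers() -> dict:
    """HTTP headers a TAXII 1.1 XML client sends with every message."""
    return {
        "Content-Type": "application/xml",
        "Accept": "application/xml",
        "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
        "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
        "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
    }


def build_discovery_request(message_id: str = "") -> bytes:
    """The message sent to discovery_service to learn the server's service URLs."""
    root = ET.Element(f"{{{TAXII_NS}}}Discovery_Request",
                      message_id=message_id or uuid.uuid4().hex)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def find_services(discovery_response: bytes) -> dict:
    """Map service_type (DISCOVERY, COLLECTION_MANAGEMENT, POLL, INBOX) to the
    Address of each Service_Instance the server advertises as available."""
    root = ET.fromstring(discovery_response)
    if root.tag != f"{{{TAXII_NS}}}Discovery_Response":
        raise ValueError(f"unexpected TAXII message: {root.tag}")
    services = {}
    for inst in root.findall(f"{{{TAXII_NS}}}Service_Instance"):
        if inst.get("available", "true").lower() != "true":
            continue  # advertised but switched off: do not poll it
        addr = inst.findtext(f"{{{TAXII_NS}}}Address")
        if addr:
            services[inst.get("service_type")] = addr
    return services


def build_poll_request(collection_name: str, message_id: str = "",
                       exclusive_begin: str = "") -> bytes:
    """Poll_Request for one collection. exclusive_begin (ISO 8601 with a
    timezone) asks only for content newer than the last successful poll."""
    root = ET.Element(f"{{{TAXII_NS}}}Poll_Request",
                      message_id=message_id or uuid.uuid4().hex,
                      collection_name=collection_name)
    if exclusive_begin:
        ET.SubElement(root, f"{{{TAXII_NS}}}Exclusive_Begin_Timestamp").text = exclusive_begin
    params = ET.SubElement(root, f"{{{TAXII_NS}}}Poll_Parameters", allow_asynch="false")
    ET.SubElement(params, f"{{{TAXII_NS}}}Response_Type").text = "FULL"
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def post_taxii(url: str, body: bytes, api_key: str, api_secret: str,
               timeout: int = 30) -> bytes:
    """Send one TAXII message with HTTP Basic auth (API key / API secret).
    Refuses plain HTTP so the secret is never sent in the clear."""
    if not url.startswith("https://"):
        raise ValueError("refusing to send API credentials over a non-HTTPS URL")
    token = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={**taxii_headers(),
                                          "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


# Constructed sample reply (example.com addresses), shaped like a TAXII 1.1
# Discovery_Response; the INBOX instance is deliberately marked unavailable.
SAMPLE_DISCOVERY_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<taxii_11:Discovery_Response xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
    message_id="1001" in_response_to="1">
  <taxii_11:Service_Instance service_type="DISCOVERY" service_version="urn:taxii.mitre.org:services:1.1" available="true">
    <taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:https:1.0</taxii_11:Protocol_Binding>
    <taxii_11:Address>https://taxii.example.com/services/discovery</taxii_11:Address>
    <taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
  </taxii_11:Service_Instance>
  <taxii_11:Service_Instance service_type="POLL" service_version="urn:taxii.mitre.org:services:1.1" available="true">
    <taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:https:1.0</taxii_11:Protocol_Binding>
    <taxii_11:Address>https://taxii.example.com/services/poll</taxii_11:Address>
    <taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
  </taxii_11:Service_Instance>
  <taxii_11:Service_Instance service_type="INBOX" service_version="urn:taxii.mitre.org:services:1.1" available="false">
    <taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:https:1.0</taxii_11:Protocol_Binding>
    <taxii_11:Address>https://taxii.example.com/services/inbox</taxii_11:Address>
    <taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
  </taxii_11:Service_Instance>
</taxii_11:Discovery_Response>"""


if __name__ == "__main__":
    # Offline walk-through of the exchange using the constructed reply.
    services = find_services(SAMPLE_DISCOVERY_RESPONSE)
    print("POLL service:", services.get("POLL"))
    print(build_poll_request(COLLECTION, "42").decode())
    # Live use (requires network and real credentials):
    #   resp = post_taxii(DISCOVERY_SERVICE, build_discovery_request(), KEY, SECRET)
    #   poll_url = find_services(resp)["POLL"]
    #   post_taxii(poll_url, build_poll_request(COLLECTION), KEY, SECRET)
```

If the live discovery call returns HTTP 401 the key/secret pair is wrong; if discovery succeeds but the poll returns a TAXII Status_Message, the collection name is the first thing to check against the TAXII Server documentation. Only once both succeed is it worth committing the node in MineMeld.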

Viewing Splunk Intelligence Management Indicators

In the Nodes list, you can check the Splunk Intelligence Management nodes you have created to see the status of indicators (IOCs) added or removed.

Click a node to open it and see a more detailed status. In this view, you can click LOGS in the upper right to see a list of indicators that have been imported from Splunk Intelligence Management into MineMeld.

Last modified on 21 April, 2022

This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current

