<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Automate Minemeld .lst entries in Integration Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/integration-discussions/automate-minemeld-lst-entries/m-p/295575#M48</link>
    <description>&lt;P&gt;Needing Automation.&amp;nbsp; Our Security analysts often send an email with URL(s), IP(s) that need to be Allowed/Blocked.&amp;nbsp; We have experimented with EDL and Minemeld and are successfully using each.&amp;nbsp; We are going to consolidate to using only Minemeld for these requests.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We would like to automate it, so that the initial request can easily be approved and implemented without our (Implementation) team's involvement.&lt;BR /&gt;&lt;BR /&gt;Is anyone already using a simple system to accept URL/IP entries that runs the Python script (minemeld-sync.py)?&amp;nbsp; We could tie it into ServiceNow or maybe use a simple webpage?&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Appreciate any thoughts!&lt;/P&gt;</description>
    <pubDate>Thu, 31 Oct 2019 21:37:31 GMT</pubDate>
    <dc:creator>Timotheous</dc:creator>
    <dc:date>2019-10-31T21:37:31Z</dc:date>
    <item>
      <title>Automate Minemeld .lst entries</title>
      <link>https://live.paloaltonetworks.com/t5/integration-discussions/automate-minemeld-lst-entries/m-p/295575#M48</link>
      <description>&lt;P&gt;Needing Automation.&amp;nbsp; Our Security analysts often send an email with URL(s), IP(s) that need to be Allowed/Blocked.&amp;nbsp; We have experimented with EDL and Minemeld and are successfully using each.&amp;nbsp; We are going to consolidate to using only Minemeld for these requests.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We would like to automate it, so that the initial request can easily be approved and implemented without our (Implementation) team's involvement.&lt;BR /&gt;&lt;BR /&gt;Is anyone already using a simple system to accept URL/IP entries that runs the Python script (minemeld-sync.py)?&amp;nbsp; We could tie it into ServiceNow or maybe use a simple webpage?&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Appreciate any thoughts!&lt;/P&gt;</description>
      <pubDate>Thu, 31 Oct 2019 21:37:31 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/integration-discussions/automate-minemeld-lst-entries/m-p/295575#M48</guid>
      <dc:creator>Timotheous</dc:creator>
      <dc:date>2019-10-31T21:37:31Z</dc:date>
    </item>
    <item>
      <title>Re: Automate Minemeld .lst entries</title>
      <link>https://live.paloaltonetworks.com/t5/integration-discussions/automate-minemeld-lst-entries/m-p/299615#M49</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/85364"&gt;@Timotheous&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks for your question!&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;As I'm sure you're aware, Minemeld is an open-source solution that is available to anyone who wants to run it. Due to its open-source nature, there is no official support for it. I think it's best to look at your requirement(s) and determine whether it makes sense to build something on your own, or look at other methods/solutions to achieve the desired outcome.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;That said, there are a couple of things that I'd recommend you take a look at:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;1. Demisto - Palo Alto Networks acquired Demisto earlier this year and the product is a comprehensive Security Orchestration, Automation, and Response (SOAR) solution. Demisto has an incredibly vast ecosystem of products that it integrates with including Palo Alto Networks Next-Generation Firewall, Minemeld, and ServiceNow. You can create "playbooks" to automate SOC processes and standardize workflows. There's a "community edition" as well as an "enterprise edition". The community edition is supported through the Demisto community - the enterprise edition:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;This link will allow you to view the Demisto Data Sheet:&lt;/P&gt;
&lt;P&gt;&lt;A href="https://go.demisto.com/hubfs/Resources/Datasheets/data_sheet_final.pdf" target="_blank" rel="noopener"&gt;Demisto Data Sheet&lt;/A&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;2. Palo Alto Networks AutoFocus is an officially supported threat intelligence platform that provides access to Palo Alto Networks' massive repository of threat intelligence and is consumable as a feed very similar in nature to Minemeld. There's an option for an AutoFocus-hosted version of Minemeld that removes the need for you to operate and maintain a locally hosted version of Minemeld.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;This link will allow you to access the AutoFocus Data Sheet:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://www.paloaltonetworks.com/resources/datasheets/autofocus-threat-intelligence" target="_blank" rel="noopener"&gt;AutoFocus Data Sheet&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Additionally, this is a link to information on the AutoFocus-hosted version of Minemeld - a chapter within the AutoFocus Administrators Guide:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://docs.paloaltonetworks.com/autofocus/autofocus-admin/autofocus-apps/minemeld" target="_blank" rel="noopener"&gt;AutoFocus Hosted Minemeld&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;ServiceNow offers an integration with AutoFocus:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://store.servicenow.com/sn_appstore_store.do#!/store/application/1061c8919f33120034c6b6a0942e702a/8.0.8?referer=sn_appstore_store.do%23!%2Fstore%2Fsearch%3Fq%3Dpalo%2520alto%2520networks" target="_blank" rel="noopener"&gt;ServiceNow Store: Palo Alto Networks AutoFocus for Security Operations&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://docs.servicenow.com/bundle/jakarta-security-management/page/product/secops-integration-palo-alto/concept/palo-alto-autofocus.html" target="_blank" rel="noopener"&gt;ServiceNow: Palo Alto Networks - AutoFocus Integration Overview&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;And here are details on how to configure the ServiceNow integration with AutoFocus:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://docs.servicenow.com/bundle/istanbul-security-management/page/product/palo-alto-autofocus/task/set-up-autofocus.html" target="_blank" rel="noopener"&gt;ServiceNow: Activate and Configure Palo Alto Networks AutoFocus Integration&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Please let me know if you have any additional questions.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks for your interest in Palo Alto Networks!&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;-JeffH&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Jeff Hochberg | Senior Solutions Engineer - Product Partnerships&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Palo Alto Networks&amp;nbsp;|&amp;nbsp;Atlanta, GA&amp;nbsp;|&amp;nbsp;&amp;nbsp;USA&lt;/P&gt;
</description>
      <pubDate>Wed, 20 Nov 2019 00:13:52 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/integration-discussions/automate-minemeld-lst-entries/m-p/299615#M49</guid>
      <dc:creator>jhochberg</dc:creator>
      <dc:date>2019-11-20T00:13:52Z</dc:date>
    </item>
  </channel>
</rss>

