https://live.paloaltonetworks.com/t5/general-topics/cobalt-strike-ips-and-application-and-threat-updates/m-p/444776#M100392 <P>Hi,</P><P>Minemeld is open source so you don't need to purchase Autofocus to use it. There are a range of in-built feeds , some of which require a licence others that do not.</P><P>A little off topic but Minemeld is also very good for dynamically managing O365 IP Addresses.</P> Mon, 01 Nov 2021 16:08:32 GMT MichaelWrigh 2021-11-01T16:08:32Z https://live.paloaltonetworks.com/t5/general-topics/cobalt-strike-ips-and-application-and-threat-updates/m-p/444417#M100345 <P>PAN provides anti-spyware signatures for&nbsp;Cobalt Strike Payload Traffic Detection and Cobalt Strike Beacon Command and Control Traffic Detection that are automatically downloaded to our PAN firewall. I also use the four External Dynamic Lists that PAN provides to block known bad IPs. NJCCIC and MS-ISAC sometimes send me lists of known bad IPs that recently included Cobalt Strike IP addresses. Can anyone recommend how I can efficiently integrate this into our PAN firewalls?</P> Fri, 29 Oct 2021 18:12:27 GMT https://live.paloaltonetworks.com/t5/general-topics/cobalt-strike-ips-and-application-and-threat-updates/m-p/444417#M100345 NewProvidence 2021-10-29T18:12:27Z https://live.paloaltonetworks.com/t5/general-topics/cobalt-strike-ips-and-application-and-threat-updates/m-p/444471#M100348 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/196711">@NewProvidence</a>,</P> <P>Kind of confused on what you are asking? If you just want an easy way to ingest NJCCIC and MS-ISAC indicators I would recommend setting up MineMeld and using it's API to feed in the indicators to a dedicated output node.&nbsp;</P> Fri, 29 Oct 2021 22:19:41 GMT https://live.paloaltonetworks.com/t5/general-topics/cobalt-strike-ips-and-application-and-threat-updates/m-p/444471#M100348 BPry 2021-10-29T22:19:41Z https://live.paloaltonetworks.com/t5/general-topics/cobalt-strike-ips-and-application-and-threat-updates/m-p/444762#M100388 <P>MindMeld sounds like what I am looking for. Do I need to purchase AutoFocus to use MindMeld?</P> Mon, 01 Nov 2021 15:21:55 GMT https://live.paloaltonetworks.com/t5/general-topics/cobalt-strike-ips-and-application-and-threat-updates/m-p/444762#M100388 NewProvidence 2021-11-01T15:21:55Z https://live.paloaltonetworks.com/t5/general-topics/cobalt-strike-ips-and-application-and-threat-updates/m-p/444776#M100392 <P>Hi,</P><P>Minemeld is open source so you don't need to purchase Autofocus to use it. There are a range of in-built feeds , some of which require a licence others that do not.</P><P>A little off topic but Minemeld is also very good for dynamically managing O365 IP Addresses.</P> Mon, 01 Nov 2021 16:08:32 GMT https://live.paloaltonetworks.com/t5/general-topics/cobalt-strike-ips-and-application-and-threat-updates/m-p/444776#M100392 MichaelWrigh 2021-11-01T16:08:32Z https://live.paloaltonetworks.com/t5/general-topics/cobalt-strike-ips-and-application-and-threat-updates/m-p/444799#M100394 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/196711">@NewProvidence</a>,</P> <P>As&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/62978">@MichaelWrigh</a>&nbsp;mentioned MineMeld itself is free. It was included with AutoFocus for a bit, but that's actually in the process of being end of lifed in favor of Cortex XSOAR's threat management solution.&nbsp;</P> <P>The MineMeld docker image is still available with installation instructions available <A href="https://web.archive.org/web/20210226224508/https://live.paloaltonetworks.com/t5/minemeld-articles/running-minemeld-using-docker/ta-p/289062" target="_self">HERE</A>&nbsp;or through MineMeld's primary <A href="https://github.com/PaloAltoNetworks/minemeld" target="_self">Github repo</A>&nbsp;from source. Your use case you may also want to look at <A href="https://gist.github.com/jtschichold/95f3906566b18b50cf2e3e1a44f1e785" target="_self">minemeld-sync.py</A></P> Mon, 01 Nov 2021 16:48:17 GMT https://live.paloaltonetworks.com/t5/general-topics/cobalt-strike-ips-and-application-and-threat-updates/m-p/444799#M100394 BPry 2021-11-01T16:48:17Z