The simple default config included in the MineMeld VM creates a graph that processes IPv4 indicators for inbound connections, typically used to filter out scanning hosts or well-known brute-force attackers. For IPv4 indicators for outbound connections, we can define a new sub-graph with its own set of output feeds. This new set of feeds can then be used in the destination part of the PAN-OS security policies.
1. Adding an outbound IPv4 aggregator
Under CONFIG press +. Configure a new node with prototype stdlib.aggregatorIPv4Outbound and Output enabled.
2. Adding a set of feeds
Under CONFIG add 3 new nodes (HC, MC and LC) for the output feeds and select the node created at step 1 as Input.
First node with stdlib.feedHCGreenWithValue as prototype
Second node with stdlib.feedMCGreenWithValue as prototype
Third node with stdlib.feedLCGreenWithValue as prototype
3. Adding a Miner
Under CONFIG add a new Miner that generates IPv4 outbound indicators, such as zeustracker.badips. Output should be enabled.
4. Connecting the aggregator to the Miner
Under CONFIG, click on the INPUTS field of the node created at step 1 and add the Miner.
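
One way to check the wiring from steps 1 to 4 before committing, as an added example that is not from the original page or from MineMeld itself. It assumes the graph is available as a mapping of node name to prototype, inputs and output (the shape of the nodes section of a MineMeld config); the node names and sample data are constructed.

```python
# Added example: lint a MineMeld node graph for the outbound sub-graph
# built in steps 1-4. Node names and the sample data are constructed.
AGG_PROTO = "stdlib.aggregatorIPv4Outbound"

# Assumed shape: node name -> {prototype, inputs, output}, as in the
# "nodes" mapping of a MineMeld configuration.
SAMPLE_NODES = {
    "outbound_agg": {"prototype": AGG_PROTO,
                     "inputs": ["zeustracker_badips"], "output": True},
    "outbound_feed_hc": {"prototype": "stdlib.feedHCGreenWithValue",
                         "inputs": ["outbound_agg"], "output": False},
    "outbound_feed_mc": {"prototype": "stdlib.feedMCGreenWithValue",
                         "inputs": ["outbound_agg"], "output": False},
    "outbound_feed_lc": {"prototype": "stdlib.feedLCGreenWithValue",
                         "inputs": ["outbound_agg"], "output": False},
    "zeustracker_badips": {"prototype": "zeustracker.badips",
                           "inputs": [], "output": True},
}


def check_outbound_graph(nodes, min_feeds=3):
    """Return a list of wiring problems; an empty list means steps 1-4 hold."""
    aggs = [n for n, c in nodes.items() if c.get("prototype") == AGG_PROTO]
    if len(aggs) != 1:
        return [f"expected exactly one {AGG_PROTO} node, found {len(aggs)}"]
    agg, problems = aggs[0], []
    if not nodes[agg].get("output"):
        problems.append(f"{agg}: output disabled, feeds will stay empty")
    miners = nodes[agg].get("inputs") or []
    if not miners:
        problems.append(f"{agg}: no Miner in INPUTS (step 4)")
    for m in miners:
        if m not in nodes:
            problems.append(f"{agg}: input '{m}' is not a defined node")
        elif not nodes[m].get("output"):
            problems.append(f"{m}: Miner output disabled (step 3)")
    # Feed nodes are the nodes that list the aggregator as their input.
    feeds = [n for n, c in nodes.items() if agg in (c.get("inputs") or [])]
    if len(feeds) < min_feeds:
        problems.append(f"only {len(feeds)} feed node(s) read from {agg} (step 2)")
    return problems


if __name__ == "__main__":
    for line in check_outbound_graph(SAMPLE_NODES) or ["outbound sub-graph OK"]:
        print(line)
```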