Using Custom Indicators with MineMeld

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
L4 Transporter
No ratings

Note: Palo Alto Networks made an end-of-life announcement about the MineMeld™ application in AutoFocus™ on August 1, 2021. Please read this article to learn about our recommended migration options.


Introduction

This document provides an example of how to configure a custom miner in MineMeld in order to track custom IoCs. The miner can be configured to track IP addresses, domains, or URLs. The indicators can adapt to the Palo Alto Networks firewall for use within various policies.

 

Use Case Diagram

Picture1.png

Configuration

MineMeld

 

The first step is to create a new miner using the stdlibListURLGeneric protoype.

 

Go to the CONFIG area.

 

 

Picture2.png

 

Click on the “eye” icon in the lower left to change to expert mode. Once in expert mode, a plus icon will appear on the right, allowing you to add a MineMeld node.

 

Picture3.png

 

Select the plus sign and create a name for the new node. Prepend the name with the letters "wl" (for whitelist – although, the list can be used for positive or negative security purposes). From the PROTOTYPE drop-down, select stdlibListURLGeneric. In this example, I will show you how to create a URL miner to keep track of custom URL-based IoCs.

 

Picture4.png

 

Select OK to save the new miner node.

 

You should see the miner in the list.

 

Picture5.png

 

Next, create the Output node. This node will use the miner you just created and publish it to MineMeld’s internal web server, so the firewall can read the list and use it in various policies.

 

From the CONFIG area, select the icon to see the prototypes. In the search field, look for “OUTPUT.” Find one similar to what you want your output to look like. In this example, I used stdlib.HCREDWithValue. Select the prototype and click “New” to create a new output based on the one selected.

 

Give it a name, and you may also edit the CONFIG portion.

 

Picture6.png

 

Go back to CONFIG, enter expert mode, and click the plus icon to create a new output node based on the prototype you just created. Give it a name and select the output prototype in the dropdown. For the input, select the custom miner node previously created.

 

Picture7.png

 

Select OK to save.

 

You should see both of the custom nodes created.

 

Picture8.pngPicture9.png

 

When you're ready, select COMMIT in the upper left-hand corner to save the nodes and put them to work. Wait for the relevant services to be stopped and restarted before continuing. Watch the upper right-hand corner for status messages. 

 

To use the list, go to nodes and select +ADD INDICATOR in the upper right-hand corner.

 

Picture10.png

 

 

Picture11.png

 

Fill in the fields and click OK. In my case, I am adding the URL indicator, http://example.com. You can change the SHARE LEVEL by clicking the level until the one you want appears. Adding a comment is a helpful reminder as to why the indicator was added. 

 

Picture12.png

 

Click the OUTPUT node you created and notice the FEED BASE URL link. You can open the link to see the published list that the firewall will read.

 

Picture13.png

 

 

Picture14.pngPicture15.png

 

To manage your custom IoCs, select Nodes and the URL miner created. Click on the INDICATOR icon to see the list. Here, you can delete entries and change the SHARE LEVEL or COMMENTS.

 

Picture16.png

 

The list is now ready to be consumed by the firewall.

 

Firewall

 

To use the list within your Palo Alto Networks firewall, go to Objects > External Dynamic Lists and select the Add button in the lower left-hand portion of the screen.

 

Picture17.png

 

For Type, select the appropriate type for the node type created in MineMeld (URL List in this case). Copy the FEED BASE URL from MineMeld and paste it into Source. To test it, click the Test Source URL button.

 

Notice the additional string “?v=panosurl” at the end of the MineMeld URL. This is a MineMeld option parameter that causes MineMeld to deliver the list in a format that is understandable to the Palo Alto Networks firewall. For example, it will strip out HTTP:// and HTTPS:// for each entry since this type of prepended data is not allowed by the firewall.

 

See a full list of MineMeld parameters here: https://live.paloaltonetworks.com/t5/MineMeld-Articles/Parameters-for-the-output-feeds/ta-p/146170

 

Click OK to save.

 

Picture18.png

 

The final step is to use the EDL within a policy. In this example, we can create a Security Policy to block traffic desinated to any site within the list. Go to Policies > Security and add a new rule (or modify an existing rule) where you want the policy to take effect.

 

Picture19.png

 

In the Destination tab, under Destination Address, click Add and select the EDL you just created. Commit the config to complete the addition.

 

Picture20.png

 

 

Other Use Cases

There are other areas within the Palo Alto Networks firewall where External Dynamic Lists may be used.

 

NAT Policies

An EDL may be utilized within NAT policies in either Source or Destination Addresses.

 

Picture21.png

 

QoS Policies

Use an EDL as a Source or Destination Address within a QoS policy.

 

Picture22.png

 

Policy Based Forwarding Rules

Use an EDL as a Source or Destination Address within a Policy Based Forwarding Rule.

 

 

Picture23.png

 

Decryption Policies

Use an EDL as a Source or Destination Address within a Decryption Policy.

 

 

Picture24.png

 

Other Policies

Other policies in which an EDL may be used as a Source or Destination (or both) Address:

  • Tunnel Inspection
  • Application Override
  • Authentication
  • DoS Protection

 

 

Summary

Using MineMeld is a powerful and easy way to maintain your own threat feeds based on IP, URL, and Domain. Using these feeds in your security policy is as easy as pointing the firewall to the published list and referring to the list in one or more policies. There are many use cases for EDLs in both positive and negative enforcement scenarios. See the Live link below for additional ideas on incorporating EDLs with MineMeld into your enterprise security operations.

 

To learn more about the free MineMeld tool:

https://live.paloaltonetworks.com/t5/MineMeld/ct-p/MineMeld

 

To learn more about External Dynamic Lists:

https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/policy/use-an-external-dynamic-list-...

 

Rate this article:
Comments
L0 Member

If I can use "wl" for the whitelist, is there also an option for a custom blacklist?  If I can add URLs or IPs to a custom whitelist, I'd also like the ability to have a custom blacklist as well.  Is this possible, like using "bl" instead of "wl"?

  • 11394 Views
  • 1 comments
  • 2 Likes
Register or Sign-in
Contributors
Article Dashboard
Version history
Last Updated:
‎12-14-2021 06:04 AM
Updated by: