Adding a sub-graph for IPv4 outbound indicators


The simple default config included in the MineMeld VM creates a graph that processes IPv4 indicators for inbound connections, typically used to filter out scanning hosts or well-known brute-force attackers. For IPv4 indicators for outbound connections, we can define a new sub-graph with its own set of output feeds. This new set of feeds can then be used in the destination part of PAN-OS security policies.


1. Adding an outbound IPv4 aggregator

Under CONFIG press +. Configure a new node with prototype stdlib.aggregatorIPv4Outbound and Output enabled.


2. Adding a set of feeds

Under CONFIG, add 3 new nodes (HC, MC and LC) for the output feeds and select the node created in step 1 as Input.


First node with stdlib.feedHCGreenWithValue as prototype


Second node with stdlib.feedMCGreenWithValue as prototype


Third node with stdlib.feedLCGreenWithValue as prototype


3. Adding a Miner

Under CONFIG add a new Miner generating IPv4 outbound indicators, like zeustracker.badips. Output should be enabled.


4. Connecting the aggregator to the Miner

Under CONFIG, click on the INPUTS field of the node created at step 1 and add the Miner.


5. Commit

Check the resulting config and press COMMIT.


6. Check the sub-graph

The resulting sub-graph should look like this:

[Screenshot: the resulting sub-graph]
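
For reference, the sub-graph built in steps 1 to 5 can also be written out in MineMeld's YAML node configuration. This is an added example, not taken from the original article: the node names (the keys under `nodes`) and the `output: false` setting on the feed nodes are assumptions, while the prototypes are the ones named in the steps above.

```yaml
# Added example: text form of the outbound IPv4 sub-graph.
# Node names are assumed; pick any names that are unique in your config.
nodes:
  # Step 3: Miner generating IPv4 outbound indicators, Output enabled.
  zeustracker_badips:
    prototype: zeustracker.badips
    inputs: []
    output: true

  # Steps 1 and 4: outbound aggregator, Output enabled,
  # with the Miner listed under INPUTS.
  outbound_aggregator:
    prototype: stdlib.aggregatorIPv4Outbound
    inputs:
      - zeustracker_badips
    output: true

  # Step 2: three output feeds, each taking the aggregator as Input.
  # Assumption: feed nodes have no downstream nodes, so output is false.
  outbound_feed_hc:
    prototype: stdlib.feedHCGreenWithValue
    inputs:
      - outbound_aggregator
    output: false

  outbound_feed_mc:
    prototype: stdlib.feedMCGreenWithValue
    inputs:
      - outbound_aggregator
    output: false

  outbound_feed_lc:
    prototype: stdlib.feedLCGreenWithValue
    inputs:
      - outbound_aggregator
    output: false
```

Comparing the committed config against this shape is a quick check that every outbound feed reads only from the outbound aggregator, and that no inbound Miner is wired into it by mistake.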

Last Updated: 02-03-2016 02:00 AM