Hi @porq91,

To achieve what you want you need the localdb prototype. The only "guide" I am aware of is from the following link - https://live.paloaltonetworks.com/t5/general-articles/using-minemeld-as-an-incident-response-platfor...

Note that there was a bug where localdb was able to hold only a single indicator and any new one would replace the existing one. This bug was fixed in some later version, so you definitely need to run the latest version of MineMeld. Since no one from the open community is picking up the project, I believe the last version is 0.9.70 and you should be fine with it.

Below are summarized steps that I wrote down for myself, but if you need a more detailed explanation check the link above.

LocalDB miner

  • Purpose: A miner using the localDB prototype allows importing indicators that are stored locally on the MineMeld. Those indicators are then parsed into a format suitable for PAN FW EDL consumption.
  • Steps to create:
    1. Find the built-in prototype "stdlib.localDB" and create a new copy

    2. Since this prototype is in an experimental state, we need to edit the share level so we can use a standard output node to consume the indicators. Note that here we can modify the default age_out value. Unfortunately, there is currently a bug here (if age_out is modified when adding a new indicator, all current ones are removed)

    3. Using the new prototype, create a miner node

    4. Create an output node using the standard prototype, select as its input the localdb node created earlier, and commit the changes

    5. To add an indicator to the list you need to send a POST request with the following details:
      1. URL: https://my-minemeld.local/config/data/XXXXXXXX-bad-domain_indicators/append?h=XXXXXXXX-bad-domain&t=localdb (the string XXXXXXXX-bad-domain needs to correspond to the miner node name you created above)
      2. Credentials: MineMeld admin account credentials are required (currently MineMeld doesn't support RBAC)
      3. Data must be in JSON format (send the header Content-Type: application/json) as follows:

    {
        "indicator": "bad.example.com",
        "type": "domain",
        "comment": "Phishing domain",
        "share_level": "green",
        "confidence": 100,
        "ttl": "disable"
    }

Indicator - contains the suspicious domain

Type - must be set to domain (other options are IPv4, URL, hash)

Comment - optional, but good practice to keep track of the reason why this domain was added

Share_level, Confidence - optional, used for filtering internally in MineMeld

TTL - this sets the age-out period for the indicator; it must be set to disable in order to keep the indicator forever (due to the bug we cannot set age out disabled by default, so it must be set for each indicator). If ttl is set to 0, the indicator will be removed from the local DB and the EDL respectively.
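The POST described in step 5, as an added example that is not part of the original post or of MineMeld itself. It builds the append URL from the miner node name, validates the JSON body (forcing ttl to "disable" unless told otherwise, because of the age_out bug above), and sends it with HTTP Basic auth using only the Python standard library. The host name, node name and credentials are placeholders; the assumption that the admin credentials are passed as HTTP Basic auth, and that the type strings listed in the post are the literal values the prototype expects, should be checked against your own instance.

```python
import base64
import json
import ssl
import urllib.request

# Constructed placeholders: replace with your own deployment's values.
MINEMELD_HOST = "https://my-minemeld.local"  # host from the post (hypothetical)
NODE_NAME = "XXXXXXXX-bad-domain"             # must match the localdb miner node name

# Indicator types named in the post. Assumption: these are the literal strings
# the localdb prototype expects; verify against your MineMeld instance.
ALLOWED_TYPES = {"domain", "IPv4", "URL", "hash"}


def build_append_url(host: str, node_name: str) -> str:
    """Append endpoint for a localdb miner. The node name appears twice:
    in the path (<node>_indicators) and in the h= query parameter."""
    return f"{host}/config/data/{node_name}_indicators/append?h={node_name}&t=localdb"


def build_indicator(indicator: str, type_: str, comment: str = "",
                    share_level: str = "green", confidence: int = 100,
                    ttl="disable") -> dict:
    """Build the JSON body. ttl defaults to "disable" because, per the post,
    age-out cannot be disabled on the node itself; each indicator must carry it.
    ttl=0 asks MineMeld to remove the indicator from the local DB and the EDL."""
    if type_ not in ALLOWED_TYPES:
        raise ValueError(f"unsupported indicator type: {type_!r}")
    if not 0 <= confidence <= 100:
        raise ValueError("confidence must be between 0 and 100")
    if ttl != "disable" and not (isinstance(ttl, int) and ttl >= 0):
        raise ValueError('ttl must be "disable" or a non-negative integer')
    body = {
        "indicator": indicator,
        "type": type_,
        "share_level": share_level,
        "confidence": confidence,
        "ttl": ttl,
    }
    if comment:  # optional, but worth keeping for the audit trail
        body["comment"] = comment
    return body


def basic_auth_header(username: str, password: str) -> str:
    """Authorization header value for HTTP Basic auth (assumed scheme)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def append_indicator(host: str, node_name: str, username: str, password: str,
                     body: dict, *, verify_tls: bool = True):
    """POST one indicator to the localdb miner; returns (status, response text)."""
    req = urllib.request.Request(
        build_append_url(host, node_name),
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Authorization": basic_auth_header(username, password),
        },
    )
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab instance with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    import sys

    body = build_indicator("bad.example.com", "domain", comment="Phishing domain")
    print(json.dumps(body, indent=2))
    # Only send when credentials are given on the command line: user password
    if len(sys.argv) == 3:
        status, text = append_indicator(MINEMELD_HOST, NODE_NAME,
                                        sys.argv[1], sys.argv[2], body)
        print(status, text)
```

Run it without arguments to see the body it would send; pass the admin user and password to actually post to the node. Because the node name is embedded in the URL twice, a typo there fails the request rather than silently feeding a different node, so keep NODE_NAME identical to the miner name in the MineMeld UI.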
