How to Create a new MineMeld output node based on existing prototype
Created On 02/15/20 23:41 PM - Last Modified 12/18/20 20:00 PM
Objective
This article covers the process of creating an IPv4-type output node fed by OSINT miners. The feed published by such an output node can be used as an External Dynamic List (EDL) on the firewall.
Environment
AutoFocus MineMeld application
Procedure
MineMeld Configuration:
The first step is MineMeld configuration and proper miner selection. The Prototypes tab in MineMeld defines the type of miner, the miner's properties, and the external feed location. You can search the prototypes by miner name or by tag.
Configure a Miner:
- Log in to AutoFocus, click on the MineMeld application, and select the Prototypes tab.
- Select the prototype "alienvault.reputation" and click on it. A new window will pop up; take note of the miner attributes, as these will be useful when selecting the processor and output node. For example, for alienvault.reputation the attributes are as follows.
- confidence: 80
- share_level: green
- type: IPv4
Note: The MineMeld team may change these attribute values based on the latest analysis.
- Select the clone button at the top right. The view switches to the Config tab, where you can set the attributes. This creates a new miner node, and you can give the node a name. For a miner node, leave the INPUTS field empty, then click OK.
- If you wish to combine more miners into an aggregated output, repeat steps 1 to 3 above for each one. An important consideration when selecting a miner node is its attributes: the confidence level and the share level.
In this example we selected two more prototypes, "spamhaus.DROP" and "spamhaus.EDROP", repeating steps 1 to 3 for each. All three prototypes have a confidence level > 75 and a green share level. The attributes shown for these are as follows.
- confidence: 100
- direction: inbound
- share_level: green
- type: IPv4
Creating a processor node:
- To create a processor node (also called an aggregator), select the Prototypes tab again and choose a processor designed for IPv4. Since the miners we selected have the type IPv4, we select a processor created for IPv4 indicators.
- Clone the processor, and select the previously created miner nodes as its INPUTS.
Creating the output Node:
- Select the Prototypes tab again and choose an output node that matches the attribute criteria; here we need an output node for "high confidence" and "share level green" indicators.
- Click on the name of the node and clone it. A window opens; give the node an appropriate name and select the processor node as its INPUTS.
- With three nodes, the result may look like the screen capture below. Your screen capture may differ based on your selection.
- Click "commit" and wait for the MineMeld engine to restart; this may take a few minutes. The engine status can be checked on the "System" tab.
Verification and EDL URL:
- Switch to the Nodes tab and confirm your newly created nodes.
- View the connection graph
You can click on any node and then click on the "*" in the left-hand sidebar to view the connection graph.
- Wait a few minutes and the output node will start showing indicators. Click on the output node (in this example, freeHCGreenWithValues-OSINT) to check the URL of the EDL feed.
Use the URL shown in the "FEED BASE URL" field as the EDL source on your firewall.
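Before pointing the firewall at the feed URL, it is worth checking what the output node actually publishes. The following Python snippet is an added example (not part of this article or of MineMeld): it parses a feed body in the plain-text, one-indicator-per-line form that an IP-type EDL consumes, rejects entries that are not valid IPv4 addresses, CIDRs or ranges, and flags entries that fall in private, loopback or otherwise reserved space, which would cause the firewall to block internal traffic. The sample feed is constructed, and treating text after `#` as a comment is an assumption about the feed format.

```python
import ipaddress

# Constructed sample feed body (not real MineMeld output). The comment line,
# the private network, the junk entry and the IPv6 entry are included
# deliberately to exercise the checks below.
SAMPLE_FEED = """\
# constructed sample, not real MineMeld output
1.2.3.4
11.22.33.0/24
23.45.67.89-23.45.67.99
10.0.0.0/8
not-an-address
2001:db8::1
"""


def parse_entry(line):
    """Parse one IP-type EDL entry: a single IPv4, an IPv4 CIDR, or an
    IPv4 range written as 'start-end'. Raises ValueError on anything else."""
    if "-" in line:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in line.split("-", 1))
        if lo > hi:
            raise ValueError("range start after end")
        return "range", (lo, hi)
    # strict=False lets host bits be set, e.g. '1.2.3.4/24'; a bare address becomes a /32
    return "cidr", ipaddress.IPv4Network(line, strict=False)


def is_internal(kind, obj):
    """True if the entry touches address space a public feed should never contain."""
    if kind == "range":
        return obj[0].is_private or obj[1].is_private
    return (obj.is_private or obj.is_loopback or obj.is_link_local
            or obj.is_multicast or obj.is_reserved or obj.is_unspecified)


def check_feed(text):
    """Return (accepted entries, rejected (line no, entry, reason) tuples)."""
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumed: '#' starts a comment
        if not line:
            continue
        try:
            kind, obj = parse_entry(line)
        except ValueError as exc:  # ipaddress errors subclass ValueError
            rejected.append((lineno, line, "unparseable: %s" % exc))
            continue
        if is_internal(kind, obj):
            rejected.append((lineno, line, "internal/reserved space"))
            continue
        accepted.append(line)
    return accepted, rejected
```

In practice you would fetch the FEED BASE URL with the same credentials the firewall uses and pass the response body to `check_feed`.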
Summary:
Creating a miner for a third-party feed is easy and powerful; you can create miners based on IPv4, IPv6, URL, and domain indicators.