Palo Alto MineMeld
MineMeld is an open-source application from Palo Alto Networks that streamlines the aggregation, enforcement and sharing of threat intelligence.
- TruSTAR TAXII Server: lists the services and collections offered by TruSTAR's TAXII service.
- TAXII FAQ
- Creating a Service Account, TruSTAR's TAXII server accesses all Enclaves that your API keys can access. Having a Service Account enables you to customize access by Enclave and it also mitigates the risk of resetting API keys. For more information on customizing Enclave access, see the TAXII FAQ document.
- Palo Alto MineMeld installation and license. MineMeld is available on GitHub or as a pre-built virtual machine (VM) for easy deployment.
- Access to your TruSTAR API Key and API Secret.
Configuring the TAXII Client
To set up MineMeld to work with the TruSTAR TAXII Server, you need to execute the following procedures:
- Install the MineMeld TAXII extension and then activate it.
- Create a MineMeld prototype
- Create a MineMeld node
Installing the MineMeld TAXII extension
- Log into MineMeld.
- Click System to display the Systems window.
- Click the Extensions icon (a small grid of nine dots). This displays all extensions currently installed.
- In the lower left of the Extensions window, click the .git icon. If you then see a warning dialog, click OK.
- In the Install selection from .git dialog, enter this URL: https://github.com/PaloAltoNetworks/minemeld-taxii-ng.git
- Click Version, then select the most recent version available.
- Click Install to begin the installation.
- After the installation has completed, click the Activate button next to the extension in the MineMeld Extensions window.
Creating a MineMeld Prototype
- Click Config on the MineMeld menu bar. This displays a list of configurations.
- Below the list, on the right, click the grid icon (a small grid of nine dots). This displays a list of prototypes.
- Click the taxiing.phishtank prototype to open it.
- Click New on the right upper corner to open a new local prototype window.
- In the New Local Prototype window, fill in this information:
- Name: TruSTAR <IOC type> For example, if you will be using the URL collection, you would name this field TruSTAR URL_collection.
- Description: Enter text that describes what the extension will do with TruSTAR.
- Indicator Types:
- In the Config box, you must edit these fields:
- collection specifies a specific TruSTAR collection. TruSTAR provides several collections, listed in the TAXII Server documentation.
- discovery_service specifies the location of the TruSTAR TAXII discovery service.
- username is your TruSTAR API key
- password is your TruSTAR API secret
username: <your TRUSTAR API key>
password: <your TRUSTAR API secret>
- Click OK to save your edits.
Creating a MineMeld Node
- In the Prototypes, list, click the prototype you just created to open it.
- Click Clone in the upper-right corner of the Prototype window.
- Specify a name for the node. TruSTAR recommends using the same name as the prototype, but using underscores instead of spaces, as this name cannot include any space.
- Click OK to save your edits and return to the Nodes list.
- At the top of the list, click Commit to commit your changes. This will stop and then restart the MineMeld server. The progress bar on top of the MineMeld menu bar shows the status of the server restart.
Viewing TruSTAR Indicators
In the Nodes list, you can check the TruSTAR nodes you have created to see status of Indicators (IOCs) added or removed.
Click to open the node and see a more detailed status. In this view, you can click LOGS in the upper right to see a list of Indicators that have been imported from TruSTAR to MineMeld.