• MineMeld ——一个IoC情报整合和分享工具,里面有一些专门做情报生产的组织,你只要订阅就可以了


    minemeld在微软sentinel上的使用(一个订阅情报示例):

    What is MineMeld?

    An extensible Threat Intelligence processing framework brought to you by Palo Alto Networks.

    What is MineMeld for?

    MineMeld is a community supported tool to manipulate list of indicators and transform/aggregate them for consumption by third party enforcement infrastructure. MineMeld has many use-cases and can easily be extended to fulfill many more. Here are a few examples:

    • Connect to the Spamhaus DROP feed and transform it for enforcement by Palo Alto Networks EDL (External Dynamic List) objects
    • Mine Office 365 IP addresses provided by Microsoft and dynamically create an EDL list for usage in a Palo Alto Networks security policy to further restrict trafic
    • Aggregate CERTs and ISACs Threat Intelligence feeds, removing duplicates, expiring entries and consolidating attack directions and confidence levels then make this list available for enforcement by third party tools
    • Extract indicators from syslog messages and aggregate them with indicators coming from 3rd party sources

    Check this page for a brief list of currently supported nodes/feeds.

    MineMeld Threat Intelligence Sharing

     

    In order to prevent successful cyberattacks, many organizations collect indicators of compromise (IOCs) from various threat intelligence providers with the intent of creating new controls for their security devices. Unfortunately, legacy approaches to aggregation and enforcement are highly manual in nature, often creating complex workflows and extending the time needed to identify and validate which IOCs should be blocked.

    Now security organizations can leverage MineMeld, an open-source application that streamlines the aggregation, enforcement and sharing of threat intelligence. MineMeld is available for all users directly on GitHub, as well as pre-built virtual machines (VMs) for easy deployment. With an extensible modular architecture, anyone can add to the MineMeld functionality by contributing code to the open-source repository.


    MineMeld use cases

    MineMeld supports a variety of use cases, with more being added each day by the community, including:

    • Aggregation and correlation of threat intelligence feeds
    • Enforcement of new prevention controls, including IP blacklists.
    • Evaluate the value of a specific threat intelligence feed for your environment.
    • Extract indicators from Palo Alto Networks device logs and share them with other security tools.
    • Share indicators with trusted peers.
    • Identify incoming sessions from Tor exit nodes for blocking or strict inspection.
    • Track Office365 URLs and IPs

    Visit the MineMeld wiki


     

    Aggregate and correlate threat intelligence feeds

    MineMeld allows you to aggregate threat intelligence across public, private and commercial intelligence sources, including between government and commercial organizations.

    MineMeld simplifies the collection and correlation of intelligence across:

    • Commercial threat intelligence feeds
    • Open-source intelligence (OSINT) providers
    • Threat intelligence platforms
    • ISACs
    • CERTs
    • Other MineMeld users

    Once indicators are collected, MineMeld can filter, unduplicate and consolidate metadata across all sources, allowing security teams to analyze a more actionable set of data, enriched from multiple sources, for easier enforcement.


    Automated enforcement of prevention-based controls

    MineMeld natively integrates with Palo Alto Networks security platforms to automatically create new prevention-based controls for URLs, IPs and domain intelligence derived from all sources feeding into the tool. Now, organizations can simplify their workflows for blocking IOCs with External Dynamic Lists and Dynamic Address Groups, without spending additional resources to manage block lists, including the automated timeout of expired indicators. MineMeld further integrates with the Palo Alto Networks AutoFocus™ contextual threat intelligence service, allowing you to identify high-value, targeted indicators – in AutoFocus – and block them on your next-generation firewall with export lists and MineMeld.


    Threat-intelligence-sharing ecosystem

    Palo Alto Networks has partnered with other leading organizations to create a threat-intelligence-sharing ecosystem with native MineMeld support built in from the start. Additionally, the open-source availability inherent in MineMeld allows other providers to easily add integration with their offerings by building a new Miner.

     
    lmori
    L7 Applicator
     
     
    100% helpful (19/19)

    The default config installed by the MineMeld loader is really simple, and can be seen in the following graph.

    undefined

    The 3 green nodes on the left are called Miners and are responsible for periodically retrieving indicators from 3 different feeds and push them downstream to the connected nodes using update messages. Miners are also responsible for aging out indicators: when indicators disappear from the original feed or when an indicator is considered dead, the corresponding Miner instructs the downstream nodes of removing the indicator via a withdraw message.

    The central red node is a Processor node. In this specific configuration, the processor node is an IPv4 aggregator node and aggregates IPv4 indicators received from the 3 Miners and sends downstream the aggregated indicators.

    The 3 yellow nodes on the right are Output nodes. These nodes receive indicators from the processor nodes and transform them into a format that could be directly consumed by external entities. In the default config the 3 output nodes translates the indicators received from the aggregator node into a format that can be consumed using the PAN-OS Dynamic Block List feature. All 3 output nodes in this graph receive the same set of indicators from the aggregator node, but each of them stores a different subset of these indicators based on the configured input filters. inboundfeedhc accepts  only indicators with confidence level > 75, inboundfeedmc only indicators with confidence level < 75 and > 50, inboundfeedlc indicators with confidence level < 50. These subset of indicators are stored into 3 different DBLs that can be used in different ways inside the PAN-OS configuration.

    1. Login

    Default credentials are admin / minemeld

    undefined

    2. Dashboard

    The dashboard page can be used to check the overall status of the MineMeld processing engine.

    undefined

    In the first row you can find the number of active nodes per type, the current total number of indicators stored inside the graph and an historical chart of the total number of indicators.  The second row is dedicated to Miners, the first panel reports the total number of indicators stored in the miner nodes, and the number of indicators that have been added and aged out since engine start. The historical chart on the right represents the number of indicators added and aged out by the miner nodes in the last period of time. The third row reports the same statistics of the second row but related to Outputs.

    3. Nodes

    The nodes view reports the status of every single active node of the graph.

    undefined

    4. Node status

    Clicking on a node in the Nodes view shows the details of the configuration of the node

    undefined

    the historical charts of the metrics of the node

    undefined

    and the connected graph where the node lives

    undefined

    5. Nodes and prototypes

    Nodes are created using libraries of prototypes. Each prototype defines the type of node and its configuration.

    To check the details of a prototype, just click on a node in the Nodes view and move the pointer over the prototype field

    undefined

    Clicking on the prototype name shows all the details about that prototype

    undefined

    6. PAN-OS External Dynamic Lists

    To use MineMeld feeds with PAN-OS External Dynamic Lists (named Dynamic Block Lists before PAN-OS 7.1), select the output node responsible for the feed in the Nodes view and copy the FEED BASE URL

    undefined

    In PAN-OS, under Object > External Dyanmic Lists (or Object > Dynamic Block Lists in PAN-OS before 7.1) define a new list using the output node URL

    undefined

    7. Whitelist indicators

    To whitelist a network, range or a single IPv4 address, click on wlWhiteListIPv4 under Nodes and select the INDICATORS option on the left. This list of indicators is treated as a whitelist by the aggregator.

    To add a new indicator click on + and specify the IPv4 indicator. Changes will be automatically saved by pressing OK.

    undefined

  • 相关阅读:
    04_远程管理常用命令
    03_文件和目录常用命令
    02_Linux 终端命令格式
    01_常用 Linux 命令的基本使用
    test
    centOS 7 更改root密码
    安装 centos7
    1
    IO模型
    使用git连接到Github
  • 原文地址:https://www.cnblogs.com/bonelee/p/15036140.html
Copyright © 2020-2023  润新知