This repository has been archived by the owner on Mar 16, 2023. It is now read-only.
Home
Luigi Mori edited this page Jul 14, 2016
An extensible Threat Intelligence processing framework brought to you by Palo Alto Networks.
MineMeld is a tool to manipulate lists of indicators and transform/aggregate them for consumption by third-party enforcement infrastructure. MineMeld has many use cases and can easily be extended to fulfill many more. Here are a few examples:
- Connect to the Spamhaus DROP feed and transform it for enforcement by Palo Alto Networks EDL (External Dynamic List) objects
- Mine Office 365 IP addresses provided by Microsoft and dynamically create an EDL list out of them for use in a Palo Alto Networks security policy to further restrict traffic
- Aggregate CERT and ISAC Threat Intelligence feeds, removing duplicates, expiring stale entries and consolidating attack directions and confidence levels, then make the resulting list available for enforcement by third-party tools
- Extract indicators from syslog messages and aggregate them with indicators coming from 3rd party sources
- Install and Use MineMeld
- Read about MineMeld Architecture
There are 2 main components of MineMeld. Each component has its own repo:
The library of node prototypes is maintained in minemeld-node-prototypes.
- Read the contribution guidelines
- Follow the developer's guide to bootstrap your development environment
- Read how to write a simple Miner
There are lots of nice open-source projects around Threat Intelligence; please make sure to check the awesome threat intelligence list. And if you want a nice introduction to Threat Intelligence indicators, check this great presentation from Kyle Maxwell and Alex Pinto.