My experience with Palo Alto MineMeld and Splunk

I want to talk to you about something exciting and new.
A few months ago my company started looking for a new and better way to consume cyber threat intelligence at level 2-3 (easy, simple + URL also simple++); see the picture below (or in the post).

The way we collected the data was with huge shell scripts using regular expressions and other parsing techniques.
The process was hard, and when something changed, things broke.
There is also the issue of IOC (Indicator of Compromise) TTL: how do we ensure that a blacklisted IOC is whitelisted again after threat remediation?
We don't want false positives, and therefore removing old IOCs is important.

What we found to be a solution for us to handle the easiest (but also time-consuming) parts of our cyber threat intelligence was the use of MineMeld by Palo Alto Networks.

MineMeld is a relatively new solution provided by Palo Alto Networks, and it's still an infant.

But with some help from Luigi, one of the developers of MineMeld, we managed to smooth out the kinks and also get some awesome new features.
My favorite feature so far is age-out, which cleans out old IOCs so we don't store too much unnecessary old data.

So how do we use MineMeld and what does it do for us?
Well, basically MineMeld correlates all our IP, domain and URL feeds and sends the data downstream to our SIEM (Splunk), where the data is chewed even more and Splunk spits out alerts based on triggers we have designed.

So how do you get MineMeld's hundreds of thousands of IPs, domains and URLs to trigger alerts in Splunk?
This is not a straightforward question.
The first thing you need to do is figure out what you want to do with the data.
What is important to you or your company?

What I figured out to be a great way to do things was to generate multiple buckets of data in a KV store in Splunk.
Each bucket is then scheduled to run against multiple sources to generate triggers that are written into another list.
This list is then shown to the security analyst, who reviews the data based on criticality and other factors.
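As an added illustration (not code from this post, from MineMeld or from Splunk), here is a small Python model of the pipeline described above: per-type indicator buckets with an age-out TTL, run against a few constructed proxy log lines, with hits collected into a review list ordered by confidence. The 30-day TTL, the feed entries and the log line format are assumptions made for the example.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample feed: (indicator, type, confidence, last time a feed reported it).
NOW = datetime(2017, 3, 1, 12, 0)
FEED = [
    ("198.51.100.23", "IPv4", 90, NOW - timedelta(days=2)),
    ("203.0.113.9", "IPv4", 60, NOW - timedelta(days=40)),  # stale: should age out
    ("bad.example", "domain", 80, NOW - timedelta(days=5)),
    ("http://bad.example/login.php", "URL", 95, NOW - timedelta(days=1)),
]
AGE_OUT = timedelta(days=30)  # assumed TTL, standing in for MineMeld's age-out


def build_buckets(feed, now):
    """Split indicators into per-type buckets, dropping any older than the TTL."""
    buckets = {"IPv4": {}, "domain": {}, "URL": {}}
    for indicator, itype, confidence, last_seen in feed:
        if now - last_seen > AGE_OUT:
            continue  # aged out: no longer a lookup key, so it cannot cause a false positive
        buckets[itype][indicator] = confidence
    return buckets


# Constructed proxy log lines: "src_ip dest_ip url"
LOGS = [
    "10.0.0.5 198.51.100.23 http://198.51.100.23/x",
    "10.0.0.6 203.0.113.9 http://203.0.113.9/old",
    "10.0.0.7 192.0.2.50 http://bad.example/login.php",
    "10.0.0.8 192.0.2.51 http://ok.example/",
]


def match_logs(lines, buckets):
    """Run each log line against every bucket; return the hit list for analyst review."""
    hits = []
    for line in lines:
        src, dest, url = line.split()
        host = urlsplit(url).hostname or ""
        for itype, key in (("IPv4", dest), ("domain", host), ("URL", url)):
            if key in buckets[itype]:
                hits.append({"src": src, "type": itype, "indicator": key,
                             "confidence": buckets[itype][key]})
    # Highest confidence first, so the analyst sees the most critical hits at the top.
    return sorted(hits, key=lambda h: -h["confidence"])


if __name__ == "__main__":
    for hit in match_logs(LOGS, build_buckets(FEED, NOW)):
        print(hit)
```

The second log line hits an indicator that has aged out, so it produces no alert; the other hits are the ones the analyst would review.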

If the event is of interest, it is sent down the tube for deeper inspection and analysis.

The point being: easier management of small indicators gives security analysts more time to do what really matters, finding bad guys.