Palo Alto Networks MineMeld

Deprecated

Use the Palo Alto Networks MineMeld integration to manage your MineMeld miners from within Demisto. All commands require the super admin role.

Use Cases

  • Add or remove indicators from a miner.
  • Fetch miners, IP addresses, files, domains, and URLs.
  • Get a list of all your miners.

NOTE : Indicators on a whitelist get a DBot score of 1. Indicators on a blacklist get a DBot score of 3.

Supported Miner Prototypes

  • localDB
  • listURLGeneric
  • listIPv4Generic
  • listDomainGeneric
  • listIPv6Generic

Configure Palo Alto Networks MineMeld on Demisto:

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Palo Alto Networks MineMeld.
  3. Click Add instance to create and configure a new integration instance.
    • Name: A textual name for the integration instance.
    • MineMeld URL: The URL of your MineMeld environment.
    • Username & Password: Your credentials in the MineMeld environment.
    • Blacklist names: Comma-separated list of miners to add to the Demisto blacklist.
    • Whitelist names: Comma-separated list of miners to add to the Demisto whitelist.
    • Use system proxy settings
  4. Click Test to validate the URLs and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details. All commands require the super admin role.

  1. Add an indicator to a miner: minemeld-add-to-miner
  2. Remove an indicator from a miner: minemeld-remove-from-miner
  3. Get miner details: minemeld-retrieve-miner
  4. Get an indicator from a miner: minemeld-get-indicator-from-miner
  5. Get IP address indicator: ip
  6. Get file indicator: file
  7. Get domain indicator: domain
  8. Get URL indicator: url
  9. Get a list of all the miners: minemeld-get-all-miners-names

1. Add an indicator to a miner

Adds a specified indicator to a specified miner. Do not add a single indicator to multiple miners.

Base Command

minemeld-add-to-miner

Input
Argument Name | Description | More Information
miner | Miner name | To find the miner name, search for List of Supported Nodes on your MineMeld environment.
indicator | Indicator to add to the miner | Any type of indicator. Examples of valid indicators: IP address, file hash, domain, URL, and more.
comment | Textual description or comment for the indicator | -

Context output

There is no context output for this command.

Command example

!minemeld-add-to-miner miner=Suspicious indicator=7.7.7.7

War Room Output

2. Remove an indicator from a miner

Removes a specified indicator from a specified miner.

Base Command

minemeld-remove-from-miner

Input
Argument Name | Description | More Information
miner | Miner name | To find the miner name, search for List of Supported Nodes on your MineMeld environment.
indicator | The indicator to remove | Any type of indicator. Examples of valid indicators: IP address, file hash, domain, URL, and more.

Context output

There is no context output for this command.

Command example

!minemeld-remove-from-miner miner=Suspicious indicator=7.7.7.7

War Room Output

3. Get miner details

Retrieves information about a specified miner.

Base Command

minemeld-retrieve-miner

Input
Argument Name | Description | More Information
miner | Miner name | To select all miners, type miner=all.

Context Output
Path Description
MineMeld.Miner Entire miner object
MineMeld.Miner.name Miner name
MineMeld.Miner.class Miner class
MineMeld.Indicators Entire indicator object
MineMeld.Indicators.miner Miner of indicator
MineMeld.Indicators.type Indicator type
MineMeld.Indicators.indicator Indicator value
MineMeld.Indicators.comment Indicator comment

Command Example

!minemeld-retrieve-miner miner=Suspicious

War Room Output

4. Get an indicator from a miner

Retrieves information about a specified indicator associated with a specified miner.

Base Command

minemeld-get-indicator-from-miner

Input
Argument Name | Description
miner | Miner name
indicator | The indicator to retrieve. Any type of indicator. Examples of valid indicators: IP address, file hash, domain, URL, and more.

Context Output
Path Description
MineMeld.Miner Entire miner object
MineMeld.Miner.name Miner name
MineMeld.Indicators Entire indicator object
MineMeld.Indicators.miner Miner of the indicator
MineMeld.Indicators.type Indicator type
MineMeld.Indicators.indicator Indicator value
MineMeld.Indicators.comment Indicator comment

Command Example

!minemeld-get-indicator-from-miner miner=Suspicious indicator=7.7.7.7

War Room Output

5. Get IP address indicator

Retrieves all occurrences of the specified IP address, including the context in which it is found.

For this command to succeed, the miner (associated with the IP address indicator) has to be on a Demisto blacklist or whitelist.

Base Command

ip

Input
Argument Name Description
ip IP address

Context Output
Path Description
DBotScore.Indicator The Indicator
DBotScore.Type The Indicator type
DBotScore.Vendor The DBot score vendor
DBotScore.Score The DBot score
IP.Malicious.Vendor For malicious IP addresses, the vendor that defined the IP address as malicious
IP.Malicious.Description For malicious IP addresses, the reason why the vendor defined the IP address as malicious
IP.Address IP address
IP.MineMeld.Indicators Entire indicator object
IP.MineMeld.Indicators.indicator Indicator value
IP.MineMeld.Indicators.miner Miner of the indicator
IP.MineMeld.Indicators.type Indicator type
IP.MineMeld.Indicators.comment Indicator comment
MineMeld.Indicators Entire indicator object
MineMeld.Indicators.indicator Indicator value
MineMeld.Indicators.miner Miner of the indicator
MineMeld.Indicators.type Indicator type
MineMeld.Indicators.comment Indicator comment
MineMeld.Miner Entire miner object
MineMeld.Miner.name Miner name

Command Example

!ip ip=7.7.7.7 using-brand="Palo Alto Minemeld"

War Room Output

6. Get file indicator

Retrieves all occurrences of the specified file, including the context in which it is found.

For this command to succeed, the miner (associated with the file indicator) has to be on a Demisto blacklist or whitelist.

Base Command

file

Input
Argument Name Description
file Any type of file hash

Context Output
Path Description
DBotScore.Indicator The Indicator
DBotScore.Type The Indicator type
DBotScore.Vendor The DBot score vendor
DBotScore.Score The DBot score
File.Malicious.Vendor For malicious files, the vendor that defined the file as malicious
File.Malicious.Description For malicious files, the reason why the vendor defined the file as malicious
File.MineMeld.Indicators Entire indicator object
File.MineMeld.Indicators.indicator Indicator value
File.MineMeld.Indicators.miner Miner of the indicator
File.MineMeld.Indicators.type Indicator type
File.MineMeld.Indicators.comment Indicator comment
MineMeld.Indicators Entire indicator object
MineMeld.Indicators.indicator Indicator value
MineMeld.Indicators.miner Miner of the indicator
MineMeld.Indicators.type Indicator type
MineMeld.Indicators.comment Indicator comment
MineMeld.Miner Entire miner object
MineMeld.Miner.name Miner name
File.MD5 MD5 hash of the file
File.SHA1 SHA-1 hash of the file
File.SHA256 SHA-256 hash of the file

Command example

!file file=9acb44549b41563697bb490144ec6258 using-brand="Palo Alto Minemeld"

War Room Output

7. Get domain indicator

Retrieves all occurrences of the specified domain, including the context in which it is found.

For this command to succeed, the miner (associated with the domain indicator) has to be on a Demisto blacklist or whitelist.

Base Command

domain

Input
Argument Name Description
domain Domain

Context Output
Path Description
DBotScore.Indicator The Indicator
DBotScore.Type The Indicator type
DBotScore.Vendor The DBot score vendor
DBotScore.Score The DBot score
Domain.Malicious.Vendor For malicious domains, the vendor that defined the domain as malicious
Domain.Malicious.Description For malicious domains, the reason that the vendor defined the domain as malicious
Domain.Name Domain name (value)
Domain.MineMeld.Indicators Entire indicator object
Domain.MineMeld.Indicators.indicator Indicator value
Domain.MineMeld.Indicators.miner Indicator miner
Domain.MineMeld.Indicators.type Indicator type
Domain.MineMeld.Indicators.comment Indicator comment
MineMeld.Indicators Entire indicator object
MineMeld.Indicators.indicator Indicator value
MineMeld.Indicators.miner Miner of the indicator
MineMeld.Indicators.type Indicator type
MineMeld.Indicators.comment Indicator comment
MineMeld.Miner Entire miner object
MineMeld.Miner.name Miner name

Command example

!domain domain=moogle.com using-brand="Palo Alto Minemeld"

War Room Output

8. Get URL indicator

Retrieves all occurrences of the specified URL, including the context in which it is found.

For this command to succeed, the miner (associated with the URL indicator) has to be on a Demisto blacklist or whitelist.

Base Command

url

Input
Argument Name Description
url URL to retrieve instances for

Context Output
Path Description
DBotScore.Indicator The Indicator
DBotScore.Type The Indicator type
DBotScore.Vendor The DBot score vendor
DBotScore.Score The DBot score
URL.Malicious.Vendor For malicious URLs, the vendor that defined the URL as malicious
URL.Malicious.Description For malicious URLs, the reason that the vendor defined the URL as malicious
URL.Data URL data (value)
URL.MineMeld.Indicators Entire indicator object
URL.MineMeld.Indicators.indicator Indicator value
URL.MineMeld.Indicators.miner Miner of the indicator
URL.MineMeld.Indicators.type Indicator type
URL.MineMeld.Indicators.comment Indicator comment
MineMeld.Indicators Entire indicator object
MineMeld.Indicators.indicator Indicator value
MineMeld.Indicators.miner Miner of the indicator
MineMeld.Indicators.type Indicator type
MineMeld.Indicators.comment Indicator comment
MineMeld.Miner Entire miner object
MineMeld.Miner.name Miner name

Command example

!url url=voogle.com/malicious.exe using-brand="Palo Alto Minemeld"

War Room Output
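The scoring rule from the note at the top of this page (whitelist miner gives DBot score 1, blacklist miner gives 3) and the precondition repeated for the ip, file, domain and url commands (a matching miner must be on the Demisto blacklist or whitelist), worked through as an added Python example that is not the integration's own code. The vendor label, the blacklist-over-whitelist tie-break and the mapping of a hash to File.MD5/SHA1/SHA256 by length are assumptions, and the lookup rows are constructed.

```python
# Added example, not the integration's own code: the README's DBot scoring rule
# (whitelist miner -> 1, blacklist miner -> 3) and the ip/file/domain/url
# precondition that a matching miner be on one of those lists. Assumed:
# blacklist outranks whitelist; hashes map to MD5/SHA1/SHA256 by length.

VENDOR = "Palo Alto MineMeld"                      # constructed vendor label
HASH_FIELD = {32: "MD5", 40: "SHA1", 64: "SHA256"}  # File.* field by hash length
VALUE_FIELD = {"IP": "Address", "Domain": "Name", "URL": "Data"}

def score_for_miners(miners, blacklist, whitelist):
    """Map the miners holding an indicator to a DBot score, or None when no
    miner is on either configured list (the command's precondition fails)."""
    found = set(miners)
    if found & set(blacklist):
        return 3          # README: blacklist indicators get DBot score 3
    if found & set(whitelist):
        return 1          # README: whitelist indicators get DBot score 1
    return None

def reputation_context(indicator_type, value, matches, blacklist, whitelist):
    """Build the documented context from miner lookup rows of the form
    {"indicator", "miner", "type", "comment"}. Returns None when the
    precondition fails or a file hash has an unrecognised length."""
    hits = [m for m in matches if m["indicator"] == value]
    score = score_for_miners([m["miner"] for m in hits], blacklist, whitelist)
    if indicator_type == "File":
        field = HASH_FIELD.get(len(value))
    else:
        field = VALUE_FIELD[indicator_type]
    if score is None or field is None:
        return None
    miners = sorted({m["miner"] for m in hits})
    entry = {field: value, "MineMeld": {"Indicators": hits}}
    if score == 3:   # Malicious.* is populated only for blacklist verdicts
        bad = sorted({m["miner"] for m in hits if m["miner"] in blacklist})
        entry["Malicious"] = {"Vendor": VENDOR,
                              "Description": "Listed in miner(s): " + ", ".join(bad)}
    return {
        "DBotScore": {"Indicator": value, "Type": indicator_type.lower(),
                      "Vendor": VENDOR, "Score": score},
        indicator_type: entry,
        "MineMeld": {"Indicators": hits, "Miner": [{"name": n} for n in miners]},
    }

# Constructed sample lookup result for the IP used in the README examples.
SAMPLE_MATCHES = [
    {"indicator": "7.7.7.7", "miner": "Suspicious", "type": "IPv4", "comment": "seen in phishing"},
    {"indicator": "7.7.7.7", "miner": "Partners", "type": "IPv4", "comment": "partner range"},
]
```

With Suspicious on the blacklist and Partners on the whitelist, the same IP resolves to score 3 with a Malicious entry; with no configured list containing either miner, the function returns None, which is the case the "For this command to succeed" sentences describe.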

9. Get a list of all the miners

Retrieves the names of all the miners, the class of each miner, and how many indicators are associated with each miner.

Base Command

minemeld-get-all-miners-names

Input

There is no input for this command.

Context Output
Path Description
MineMeld.Miner Entire miner object
MineMeld.Miner.name Miner name
MineMeld.Miner.class Miner class
MineMeld.Miner.indicators Number of miner indicators

Command example

!minemeld-get-all-miners-names

War Room Output