Skip to main content

Threat Intelligence

MineMeld

MineMeld can be used to deliver threat intelligence and indicators of compromise to Splunk. Indicators are stored in the minemeldfeeds kvstore in Splunk.

MineMeld and AutoFocus are often used together to share AutoFocus threat intelligence with Splunk.

For more information on getting MineMeld indicators into Splunk, see Getting Data Into Splunk: AutoFocus and MineMeld.

AutoFocus Export List

With the Palo Alto Networks Splunk Add-on an AutoFocus export list can be added as a modular input in Splunk. The modular input utilizes AutoFocus's REST API to periodically sync an Export List from AutoFocus. The list of artifacts are stored in the KVStore and can be accessed via inputlookup macros. This data can then be used to correlate against other logs.

Two steps are needed to enable AutoFocus export list syncing:

Step 1: Add the AutoFocus API key to the Add-on configuration

The AutoFocus API key is found in the AutoFocus portal on the Settings tab at https://autofocus.paloaltonetworks.com

Navigate to the Palo Alto Networks Add-on

Click the Configuration tab at the top. Click the Add-on Settings tab. Enter your AutoFocus API key into the field.

Step 2: Add AutoFocus Export List to Splunk

Within the Add-on, click the Inputs tab at the top left. Then click Create New Input and then select AutoFocus Export.

Give your new data input a name by entering it in the Name field.

Set the name of your export list in the label field. This field must match the export list name from AutoFocus.

Verify the data is being synced by running a search | `pan_autofocus_export`

info

A pipe(|) is always used in front of the macro to do a lookup search.

Macros There are several new macros that can be used to correlate a search with the artifacts imported from the AutoFocus Export List.

| `pan_autofocus_export` - A macro to search on all export lists. This will return all entries from all AutoFocus inputs.

The remaining macros requires one argument. Set the label of the export list you want to search against. Each macro is separated by the artifact types.

| `pan_autofocus_export_dns(label)`
| `pan_autofocus_export_connection(label)`
| `pan_autofocus_export_registry(label)`
| `pan_autofocus_export_file(label)`
| `pan_autofocus_export_process(label)`