Recently, I’ve been getting familiar with an open-source project by Palo Alto Networks called MineMeld. The best way I can find to describe MineMeld is that it’s almost like an RSS feed reader for threat intelligence feeds. You configure MineMeld to acquire threat intelligence data through its “miner” functionality, which goes out and collects threat intel. MineMeld has numerous miners for acquiring threat intel from a wide variety of sources. You then use a processor to determine what type of indicators are going to be processed from the mined data: for instance, IPv4 addresses, URLs, user-agents, file hashes (md5, sha-256, ssdeep, etc.), filenames, mutexes, registry keys, and so on. Finally, the processed indicators can be linked to an output mechanism for consumption by analysts and/or security products downstream. The illustration below from the MineMeld web interface shows miners in blue, processors in red, and outputs in yellow, with lines illustrating how data flows through the MineMeld instance.
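To make the miner → processor → output flow concrete, here is a small added example (my own illustration, not MineMeld code) that takes a constructed list of "mined" values, lets a processor keep only the indicator types it is configured for, and renders a plain-text list per type for a downstream consumer; the sample indicator values and the regex rules are assumptions for this example only.

```python
import re
from collections import defaultdict

# Constructed sample of "mined" data standing in for what a miner node would
# pull from a feed; every value here is made up for this example.
MINED_FEED = [
    "198.51.100.23",
    "http://example.invalid/payload.bin",
    "d41d8cd98f00b204e9800998ecf8427e",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "3:AXGBicFlgVNhBGcL6wCrFQEv:AXGHsNhxLsFQE",
    "not an indicator",
]

# Processor rules (assumed, simplified): indicator type -> pattern.
INDICATOR_PATTERNS = {
    "IPv4": re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"),
    "URL": re.compile(r"^https?://\S+$"),
    "md5": re.compile(r"^[0-9a-fA-F]{32}$"),
    "sha256": re.compile(r"^[0-9a-fA-F]{64}$"),
    "ssdeep": re.compile(r"^\d+:[A-Za-z0-9/+]+:[A-Za-z0-9/+]+$"),
}


def classify(indicator):
    """Processor step: return the indicator type, or None if no rule matches."""
    value = indicator.strip()
    for name, pattern in INDICATOR_PATTERNS.items():
        if pattern.match(value):
            return name
    return None


def process_feed(mined, wanted_types):
    """Mimic a processor node: keep only the configured indicator types,
    bucketed by type for the output node; everything else is dropped."""
    buckets = defaultdict(list)
    dropped = []
    for raw in mined:
        kind = classify(raw)
        if kind in wanted_types:
            buckets[kind].append(raw.strip())
        else:
            dropped.append(raw)
    return dict(buckets), dropped


def render_output(buckets):
    """Output step: one plain-text list per type, one indicator per line,
    the shape a firewall or proxy block list typically consumes."""
    return {kind: "\n".join(sorted(values)) for kind, values in buckets.items()}
```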