Incoming feed - Palo Alto Networks Auto Focus Threat Intelligence#
Note
This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Create and configure incoming feeds.
Specifications |
|
---|---|
Transport type |
Palo Alto Autofocus Hash Feed |
Content type |
AutoFocus Malware JSON |
Ingested data |
JSON |
Processed data |
Hash indicators with their associated extracts and tags. |
Description |
The feed provides hash indicators with their associated tags and hash observables. This provides the analyst with timely hash indicators along with their associated observables and context to help enable the analyst. The associated hash observables provide the analyst with potential pivot points within the platform to fuse Palo Alto Networks Autofocus with other intelligence feeds to provide a single clear picture of the current threats facing organisations today. |
Requirements#
The Palo Alto Networks Auto Focus Threat
Intelligence feed is compatible with EclecticIQ Platform release 2.x and later.
Users need an API key for their own configuration. Sign up and subscribe to the service to obtain the required API key credentials.
Configure the incoming feed#
Create and edit an incoming feed.
From the Transport type drop-down menu, select Palo Alto Autofocus Hash Feed.
From the Content type drop-down menu, select AutoFocus Malware JSON.
The API URL field is automatically filled in with the default domain for the endpoint.
You can add a proxy or set up ports according to your needs.
Default value:https://autofocus.paloaltonetworks.com/
.In the API key field, enter your API key.
The SSL verification checkbox is automatically selected.
In the Path to SSL certificate field, if you have client side certification: enter the path to your PEM file.
If not, leave the field empty.Click the Start ingesting from field, and use the drop-down calendar to select an initial date and, where available, an initial time to fetch content from the intelligence provider/data source starting from a specific date in the past.
By default, the max. amount of days in the past per each query/request is set to 365 days.
If you set an ingestion start date at a point in time further back in the past, the feed sends multiple requests to retrieve the data.To store your changes, click Save; to discard them, click Cancel.