Incoming feed - Palo Alto Networks Auto Focus Threat Intelligence


This procedure describes how to configure incoming feeds for a particular feed data source, transport type, or content type.
For more information about configuring common options shared across all incoming feeds, see Configure incoming feeds general options.


Specifications

Transport type: Palo Alto Autofocus Hash Feed
Content type: AutoFocus Malware JSON
Ingested data: JSON
Processed data: Hash indicators with their associated extracts and tags.

Description

The feed provides hash indicators with their associated tags and hash observables.
This gives the analyst timely hash indicators, together with their associated observables and context.
The associated hash observables also give the analyst pivot points within the platform for fusing Palo Alto Networks Autofocus data with other intelligence feeds into a single, clear picture of the threats organisations currently face.

Requirements

The Palo Alto Networks Auto Focus Threat Intelligence feed is compatible with EclecticIQ Platform release 2.x and later.
Users need an API key for their own configuration. Sign up and subscribe to the service to obtain the required API key credentials.

Configure the incoming feed

  1. Create and edit an incoming feed.

  2. From the Transport type drop-down menu, select Palo Alto Autofocus Hash Feed.

  3. From the Content type drop-down menu, select AutoFocus Malware JSON.

  4. The API URL field is automatically filled in with the default domain for the endpoint.
    You can add a proxy or set up ports according to your needs.
    Default value: https://autofocus.paloaltonetworks.com/.

  5. In the API key field, enter your API key.

  6. The SSL verification checkbox is automatically selected.

  7. In the Path to SSL certificate field, if you use a client-side certificate, enter the path to your PEM file.
    If not, leave the field empty.

  8. Click the Start ingesting from field, and use the drop-down calendar to select an initial date and, where available, an initial time. The feed fetches content from the intelligence provider/data source starting from that point in the past.
    By default, the maximum number of days in the past covered by each query/request is 365 days.
    If you set an ingestion start date further back in the past than that, the feed sends multiple requests to retrieve the data.

  9. To store your changes, click Save; to discard them, click Cancel.
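As an added example (not EclecticIQ or Palo Alto Networks code), the following Python models the settings from steps 4 to 8: it checks the transport options a defender should verify before saving, and it plans how a far-back start date is split into requests of at most 365 days. The splitting into consecutive windows is an assumption; the procedure only states the 365-day default and that older start dates produce multiple requests.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from urllib.parse import urlparse

MAX_DAYS_PER_REQUEST = 365  # default stated in step 8
DEFAULT_API_URL = "https://autofocus.paloaltonetworks.com/"  # default from step 4


@dataclass
class FeedConfig:
    """Subset of the incoming-feed settings covered by steps 4 to 7."""
    api_url: str = DEFAULT_API_URL
    api_key: str = ""
    ssl_verification: bool = True   # checkbox is selected by default (step 6)
    ssl_cert_path: str = ""         # client PEM file path, or empty (step 7)


def check_config(cfg: FeedConfig):
    """Return a list of findings; an empty list means the settings are sound."""
    findings = []
    if urlparse(cfg.api_url).scheme != "https":
        findings.append("API URL is not https: the API key would be sent in clear text")
    if not cfg.api_key.strip():
        findings.append("API key is empty")
    if not cfg.ssl_verification:
        findings.append("SSL verification is disabled: the server identity is not checked")
    if cfg.ssl_cert_path and not cfg.ssl_cert_path.lower().endswith(".pem"):
        findings.append("client certificate path does not point to a PEM file")
    return findings


def plan_request_windows(start: date, today: date, max_days: int = MAX_DAYS_PER_REQUEST):
    """Split the inclusive range [start, today] into consecutive windows of at
    most max_days days each (assumed windowing; one window per request)."""
    if start > today:
        raise ValueError("ingestion start date lies in the future")
    windows = []
    cursor = start
    while cursor <= today:
        end = min(cursor + timedelta(days=max_days - 1), today)
        windows.append((cursor, end))
        cursor = end + timedelta(days=1)
    return windows


if __name__ == "__main__":
    # Constructed sample: a start date two years back needs more than one request.
    for lo, hi in plan_request_windows(date(2021, 1, 1), date(2022, 12, 31)):
        print(f"request window {lo} .. {hi} ({(hi - lo).days + 1} days)")
    print(check_config(FeedConfig(api_url="http://example.invalid/", ssl_verification=False)))
```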

See also