How to create AutoFocus Feed and authenticate the URL type
11747
Created On 03/13/20 14:23 PM - Last Modified 01/17/24 14:22 PM
Objective
An AutoFocus user can create a list of indicators based on the FEEDs function. The "Feed" output can be in two types of format, either as EDLs or as URLs. The URLs can be consumed by the third-party SIEM, TIP, and other services that use URL lists.
The article addresses the "unauthorized" error while consuming the URL type indicator.
Environment
- AutoFocus Custom Feed for Type URLs
Procedure
Create a custom feed of type URL
- Select a Feed
Login to the AutoFocus > select Feeds on the left-hand side > select Create A Feed.
- Create a Feed
- Create a query, in this example, I have created a query for IPv4 addresses, that has verdict as C2. The output method is selected as "URL."
- This query will generate a list of indicators and access URLs as following.
https://autofocus.paloaltonetworks.com/IOCFeed/<ID>/IPv4AddressC2
Note: Maximum entries per request in a feed for a User-defined feeds 5,000. It is possible that all IoC is not included if the rate at which indicators are produced is higher than the rate at which a 3rd party is retrieving.- Access this feed
- If you are login to AutoFocus, you can view all IoCs by clicking on this feed. Mostly likely clicking will open a new tab in the browser.
- If you are not logged in, IoCs can't be displayed in the browser. You will need the API keys to access this feed outside of AutoFocus.
- An API key can be found at AutoFocus -> setting.
- In the URL, please add /api/v1.0/ in url to access feed with valid apiKey.
curl -isk -X GET "https://autofocus.paloaltonetworks.com/api/v1.0/IOCFeed/<ID>/IPv4AddressC2" -H "apikey:XXXXXX"
- Example of the query: