Invalid CIDR entries imported in XSOAR from Autofocus Daily Threat Feed

Created On 07/11/22 22:32 PM - Last Modified 11/10/25 21:48 PM


Symptom


Invalid CIDRs are imported from the "Palo Alto Networks Daily Threat Feed" into XSOAR.

Environment


XSOAR pulling indicators from the "Palo Alto Networks Daily Threat Feed".

Cause


Entries in the "Palo Alto Networks Daily Threat Feed" are originally malicious URL indicators that follow the form http://<ip_address>/0 through http://<ip_address>/32.

Example:
hxxp://124.34.5.2/1

The http:// and https:// prefixes are removed from the feed source (to enable direct import into firewall EDLs). In our example, the entry therefore shows up in the feed as:

124.34.5.2/1

When XSOAR imports the indicator, it interprets it as a CIDR indicator instead of a URL.
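
An added example, not part of the original article and not Palo Alto Networks code: a Python check that can be run over feed lines before import to separate entries that cannot be real CIDRs (host bits set, as in 124.34.5.2/1) from entries that are syntactically valid networks and therefore ambiguous. The function names and all sample lines except 124.34.5.2/1 are constructed for illustration.

```python
import ipaddress
import re

# Bare IPv4 address followed by "/<1-2 digits>": the shape the article describes.
IP_SLASH_NUM = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})$")


def classify_feed_entry(entry: str) -> str:
    """Classify one feed line as 'likely_url', 'ambiguous_cidr' or 'other'."""
    match = IP_SLASH_NUM.match(entry.strip())
    if not match:
        return "other"
    try:
        ipaddress.ip_address(match.group(1))
    except ValueError:
        return "other"  # octet out of range: not an IP-based entry at all
    try:
        # strict=True rejects host bits set below the mask and prefixes > 32.
        ipaddress.ip_network(entry.strip(), strict=True)
    except ValueError:
        return "likely_url"  # cannot be a real network, e.g. 124.34.5.2/1
    # Well-formed network: may still be a stripped URL such as <ip>/32.
    return "ambiguous_cidr"


def triage(lines):
    """Group non-empty feed lines by classification for review before import."""
    groups = {"likely_url": [], "ambiguous_cidr": [], "other": []}
    for line in lines:
        if line.strip():
            groups[classify_feed_entry(line)].append(line.strip())
    return groups


# Constructed sample lines; only 124.34.5.2/1 comes from the article.
SAMPLE_FEED = ["124.34.5.2/1", "124.34.5.2/32", "10.0.0.0/8",
               "198.51.100.7", "example.test/login"]

if __name__ == "__main__":
    for kind, entries in triage(SAMPLE_FEED).items():
        print(f"{kind}: {entries}")
```

Entries in the ambiguous group need feed context to decide; the check alone cannot tell a /32 host entry from a URL whose path is "32".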


Resolution


A resolution is being analyzed in issue DIT-21272.

Additional Information


https://jira-dc.paloaltonetworks.com/browse/DIT-21272
