AutoFocus Feed

Use the AutoFocus Feeds integration to fetch indicators from AutoFocus.

Configure AutoFocus Feed on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for AutoFocus Feed.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| feed | Fetch indicators. | False |
| indicator_feeds | The indicator feeds to fetch. Choose the requested feeds: Custom Feeds and Daily Threat Feed. | True |
| api_key | The AutoFocus API key. | True |
| custom_feed_urls | The URL for the custom feed to fetch. This applies only in cases where a Custom Feed is requested. | False |
| scope_type | The scope of the samples to be fetched. | False |
| sample_query | The query that will be used to fetch the samples. | False |
| feedReputation | The indicator reputation. | False |
| feedReliability | The source's reliability. | True |
| feedExpirationPolicy | The feed's expiration policy. | False |
| feedExpirationInterval | The interval after which the feed expires. | False |
| feedFetchInterval | The feed fetch interval. | False |
| feedBypassExclusionList | Whether to bypass the exclusion list. | False |
| insecure | Whether to trust any certificate (not secure). | False |
| proxy | Whether to use the system proxy settings. | False |

  4. Click Test to validate the URLs, token, and connection.

Custom Feed info:

To connect a custom AutoFocus feed you need to provide the Custom Feed URL.

The Custom Feed URL should be in this form: https://autofocus.paloaltonetworks.com/IOCFeed/{Output_Feed_ID}/{Output_Feed_Name}

Samples Feed info:

To connect a samples AutoFocus feed you need to provide the scope of the samples and the query for the samples.

  1. The scope can be one of:
     1. public - Samples available for all organizations.
     2. private - Your own samples.
     3. global - Both public and private samples.
  2. The samples query is the query used to fetch the samples from AutoFocus. To build it, go to AutoFocus UI -> Search -> Sample -> Advanced -> Create your desired query -> API -> copy the query.

For example:

    {
      "operator": "all",
      "children": [
        {
          "field": "sample.create_date",
          "operator": "is after",
          "value": [
            "30 days ago",
            "30 days ago"
          ]
        }
      ]
    }
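
The following pre-flight check for the custom feed URL form and the samples feed settings described above is an added example, not code from the integration. The function names are hypothetical, and it assumes that a query node with `children` may nest further groups and that a leaf condition carries `field` and `value` as in the example query.

```python
import json
from urllib.parse import urlsplit

FEED_HOST = "autofocus.paloaltonetworks.com"  # host from the URL form above
SCOPES = {"public", "private", "global"}      # scope values listed above


def check_custom_feed_url(url):
    """Return a list of problems with one custom feed URL (empty = OK)."""
    parts = urlsplit(url.strip())
    problems = []
    if parts.scheme != "https":
        problems.append("scheme must be https")
    # Exact match on netloc: rejects lookalike hosts, userinfo and ports.
    if parts.netloc.lower() != FEED_HOST:
        problems.append("host must be " + FEED_HOST)
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 3 or segments[0] != "IOCFeed":
        problems.append("path must be /IOCFeed/{Output_Feed_ID}/{Output_Feed_Name}")
    return problems


def check_query_node(node, path="query"):
    """Recursively check the shape of a samples query (assumed structure)."""
    if not isinstance(node, dict):
        return [path + ": must be a JSON object"]
    problems = []
    if not isinstance(node.get("operator"), str):
        problems.append(path + ": missing 'operator'")
    if "children" in node:
        children = node["children"]
        if not isinstance(children, list) or not children:
            problems.append(path + ": 'children' must be a non-empty list")
        else:
            for i, child in enumerate(children):
                problems += check_query_node(child, f"{path}.children[{i}]")
    elif "field" not in node or "value" not in node:
        problems.append(path + ": condition needs 'field' and 'value'")
    return problems


def check_samples_feed(scope_type, sample_query):
    """Validate scope_type and the sample_query JSON string together."""
    problems = [] if scope_type in SCOPES else ["scope_type must be public, private or global"]
    try:
        query = json.loads(sample_query)
    except json.JSONDecodeError as exc:
        return problems + ["sample_query is not valid JSON: " + exc.msg]
    return problems + check_query_node(query)
```

Running this before saving the instance keeps the API key from being sent to a mistyped or lookalike host in `custom_feed_urls`.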

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

Get Indicators


Gets the indicators from AutoFocus.

Note: This command does not create indicators within Cortex XSOAR.

Base Command

autofocus-get-indicators

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of indicators to return. The default value is 10. | Optional |
| offset | The index of the first indicator to fetch. | Optional |

Context Output

There is no context output for this command.

Command Example

!autofocus-get-indicators limit=4

Human Readable Output

Indicators from AutoFocus:

| Value | Type |
| --- | --- |
| demisto.com | Domain |
| {file hash} | File |
| 8.8.8.8 | IP |
| demsito.com/some/aditional/path | URL |

To bring the next batch of indicators run: !autofocus-get-indicators limit=4 offset=4
