AutoFocus™ Administrator’s Guide
    : Create Custom Feeds
    Focus
    Download PDF
    Focus
    1. Home
    2. AutoFocus
    3. AutoFocus™ Administrator’s Guide
    4. AutoFocus Feeds
    5. Create Custom Feeds
    Download PDF

    AutoFocus™ Administrator’s Guide

    Create Custom Feeds

    Table of Contents

    Create Custom Feeds

    To export threat intelligence data generated from AutoFocus and other Palo Alto Networks connected services, you must create custom feeds, which organize data into a specific, user-defined set that can be output into URL lists or EDLs.
    User-defined feeds can retrieve a maximum of 100,000 IPv4 indicators or 5,000 indicators of all other types, per request. As a best practice, specify a frequency in which the firewall (or any other third party consumer of threat indicators, such as a TIP or SIEM) retrieves a feed list at a corresponding rate to which the indicators are produced. If the number of indicators in a feed list exceed the rate at which they can be retrieved, it is possible that not all of the indicators will be consumed. Alternatively, consider creating multiple feeds with more specificity to generate a manageable number of indicators per query. This allows you to better organize and control the type of threat indicators sent to an EDL or URL list.
    1. Select Feeds on the navigation pane and then select Create a Feed.
    2. Select an indicator type and search conditions to define the limits of a search and click Next to continue. Depending on the indicator type, you might have predefined values or the option to enter an exact value. You can change the scope of your indicator query by adding or removing (
      )conditions. For a preview list, click Search. This displays a list based on the search conditions you have defined.
    3. Configure the custom feed details.
      You cannot create a custom feed using duplicate query conditions.
      1. Provide a Name and Description. The name and description must be at least three and ten characters in length, respectively.
      2. Select the output method:
        • URL—Provides a standard custom URL list for use with third-party applications and devices.
        • EDL—Provides an external dynamic list to be used with the Palo Alto Networks firewall.
    4. (EDL Feeds Only) Select an indicator type.
    5. (EDL Feeds Only) Specify the EDL Feed Authentication username and password.
    6. Verify that all the entries are correct and Save to continue.
    7. After the custom feed is created, a link to the object appears at the bottom of the page. Click on the Feed URL to view the results, otherwise click Exit to return to the Custom Feeds overview page.

    © 2024 Palo Alto Networks, Inc. All rights reserved.