AutoFocus Tags Feed (Deprecated)

This Integration is part of the AutoFocus by Palo Alto Networks Pack.

Deprecated

Use Unit 42 Intel Objects Feed instead.

Configure AutoFocus Tags Feed on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.

2. Search for AutoFocus Tags Feed.

3. Click Add instance to create and configure a new integration instance.

   Parameter	Description	Required
   API Key	Account's private token.	False
   AutoFocus Endpoint URL	The AutoFocus endpoint URL.	False
   Fetch indicators		False
   Indicator Reputation	Indicators from this integration instance will be marked with this reputation.	False
   Source Reliability	Reliability of the source providing the intelligence data.	True
   Traffic Light Protocol Color	The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed.	False
   Feed Fetch Interval	The feed fetch interval.	False
   Bypass exclusion list	When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system.	False
   Create Relationships	Create relationships between indicators as part of Enrichment.	False
   Trust any certificate (not secure)	Whether to trust any certificate (not secure).	False
   Use system proxy settings		False
   Tags	Supports CSV values.	False

4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

autofocus-tags-feed-get-indicators

---

Gets indicators from the feed.

Base Command

autofocus-tags-feed-get-indicators

Input

Argument Name	Description	Required
limit	The maximum number of results to return. Should be 50 or less. Default is 10.	Optional

Context Output

There is no context output for this command.

Command Example

!autofocus-tags-feed-get-indicators limit=10

Human Readable Output

Value	Type	Fields
DarkHotel	Threat Actor	publications: {'link': 'https://securelist.com/the-darkhotel-apt/66779/', 'title': 'The DarkHotel APT', 'source': 'Kaspersky', 'timestamp': '2018-08-20T15:25:31'},aliases: ParasiticBeast, description: The DarkHotel attackers were most infamously behind a series of attacks between 2008 and 2014 against organizations located primarily in Japan, Taiwan, China, Russia and South Korea. This campaign infiltrated multiple hotel networks and used them as a jumping-off point to infect hotel guests., lastseenbysource: 2021-05-03T01:55:18Z, updateddate: 2019-08-28T08:56:30Z ,reportedby: Unit 42

Notes

Be aware, due to API limitations, fetch-indicators fetches only a limited number of indicators for each interval. Fetching all the indicators can take up to 13 hours.