This parser extracts IOC data from Palo Alto Networks Autofocus JSON logs, mapping fields to the UDM. It handles domain, IPv4, and IPv6 indicators, prioritizingdomainand converting IP addresses to the appropriate format. It drops unsupported indicator types and defaults categorization toMALWAREunlessTrojanis specifically identified in the message.
Select a feed already created. If no feed is present, proceed to create one.
ClickaddCreate A Feed.
Provide a descriptive name.
Create aquery.
SelectOutputmethod asURL.
ClickSave.
Access the feed details:
CopyandSavethe feed<ID>from the URL. (For example,https://autofocus.paloaltonetworks.com/IOCFeed/<ID>/IPv4AddressC2)
CopyandSavethe feed name.
Set up feeds
To configure a feed, follow these steps:
Go toSIEM Settings>Feeds.
ClickAdd New Feed.
On the next page, clickConfigure a single feed.
In theFeed namefield, enter a name for the feed; for example,Palo Alto Autofocus Logs.
SelectThird party APIas theSource type.
SelectPAN Autofocusas theLog type.
ClickNext.
Specify values for the following input parameters:
Authentication HTTP header: API Key used to authenticate to autofocus.paloaltonetworks.com inapiKey:<value>format. Replace<value>with the AutoFocus API Key copied previously.
Feed ID: Custom feed ID.
Feed Name: Custom feed name.
ClickNext.
Review the feed configuration in theFinalizescreen, and then clickSubmit.
UDM Mapping Table
Log Field
UDM Mapping
Logic
indicator.indicatorType
indicator.indicatorType
Directly mapped from the raw log. Converted to uppercase.
indicator.indicatorValue
event.ioc.domain_and_ports.domain
Mapped ifindicator.indicatorTypeisDOMAIN.
indicator.indicatorValue
event.ioc.ip_and_ports.ip_address
Mapped ifindicator.indicatorTypematches "IP(V4|V6|)(_ADDRESS|)". Converted to IP address format.
Mapped if present for the first tag (index 0). Set toPAN Autofocus IOCby the parser. Set toHIGHby the parser. Set toTROJANif themessagefield containsTrojan, otherwise set toMALWARE.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThis parser ingests IOC data from Palo Alto Networks Autofocus JSON logs into Google SecOps, mapping various fields to the UDM format, including domain, IPv4, and IPv6 indicators.\u003c/p\u003e\n"],["\u003cp\u003eTo utilize this functionality, users must have a Google SecOps instance and privileged access to Palo Alto AutoFocus, along with a valid license and API key.\u003c/p\u003e\n"],["\u003cp\u003eUsers will need to configure a custom feed within Palo Alto AutoFocus and then set up a corresponding feed within Google SecOps to ingest the logs, specifying parameters like the API key, Feed ID, and Feed Name.\u003c/p\u003e\n"],["\u003cp\u003eThe parser categorizes indicators as \u003cstrong\u003eMALWARE\u003c/strong\u003e by default, unless the term \u003cstrong\u003eTrojan\u003c/strong\u003e is found in the message field, in which case it is categorized as \u003cstrong\u003eTROJAN\u003c/strong\u003e.\u003c/p\u003e\n"],["\u003cp\u003eThe UDM mapping includes the fields indicator type, indicator value, wildfireRelatedSampleVerdictCounts, and the description of the tags, with logic for converting types and values where needed.\u003c/p\u003e\n"]]],[],null,["# Collect Palo Alto Networks IOC logs\n===================================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nOverview\n--------\n\nThis parser extracts IOC data from Palo Alto Networks Autofocus JSON logs, mapping fields to the UDM. It handles domain, IPv4, and IPv6 indicators, prioritizing **domain** and converting IP addresses to the appropriate format. It drops unsupported indicator types and defaults categorization to **MALWARE** unless **Trojan** is specifically identified in the message.\n\nBefore you begin\n----------------\n\nEnsure that you have the following prerequisites:\n\n- Google SecOps instance.\n- Privileged access to Palo Alto AutoFocus.\n\nConfigure Palo Alto AutoFocus license\n-------------------------------------\n\n1. Sign in to Palo Alto [Customer Support Portal](https://support.paloaltonetworks.com).\n2. Go to **Assets** \\\u003e **Site Licenses**.\n3. Select **Add Site License**.\n4. Enter the code.\n\nObtain Palo Alto AutoFocus API Key\n----------------------------------\n\n1. Sign in to Palo Alto [Customer Support Portal](https://support.paloaltonetworks.com).\n2. Go to **Assets** \\\u003e **Site Licenses**.\n3. Locate the Palo Alto AutoFocus license.\n4. Click **Enable** in the Actions column.\n5. Click **API Key** in the API Key column.\n6. **Copy** and **Save** the API Key from the top bar.\n\nCreate Palo Alto AutoFocus custom Feed\n--------------------------------------\n\n1. Sign in to Palo Alto AutoFocus.\n2. Go to **Feeds**.\n3. Select a feed already created. If no feed is present, proceed to create one.\n4. Click add **Create A Feed**.\n5. Provide a descriptive name.\n6. Create a **query**.\n7. Select **Output** method as **URL**.\n8. Click **Save**.\n9. Access the feed details:\n - **Copy** and **Save** the feed `\u003cID\u003e` from the URL. (For example, `https://autofocus.paloaltonetworks.com/IOCFeed/\u003cID\u003e/IPv4AddressC2`)\n - **Copy** and **Save** the feed name.\n\nSet up feeds\n------------\n\nTo configure a feed, follow these steps:\n\n1. Go to **SIEM Settings** \\\u003e **Feeds**.\n2. Click **Add New Feed**.\n3. On the next page, click **Configure a single feed**.\n4. In the **Feed name** field, enter a name for the feed; for example, **Palo Alto Autofocus Logs**.\n5. Select **Third party API** as the **Source type**.\n6. Select **PAN Autofocus** as the **Log type**.\n7. Click **Next**.\n8. Specify values for the following input parameters:\n - **Authentication HTTP header** : API Key used to authenticate to autofocus.paloaltonetworks.com in **`apiKey:\u003cvalue\u003e`** format. Replace `\u003cvalue\u003e` with the AutoFocus API Key copied previously.\n - **Feed ID**: Custom feed ID.\n - **Feed Name**: Custom feed name.\n9. Click **Next**.\n10. Review the feed configuration in the **Finalize** screen, and then click **Submit**.\n\nUDM Mapping Table\n-----------------\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
