You can add 3 types of Custom Sources.

  1. Custom List Feed
  2. Custom JSON Feed
  3. Manual 

Custom List Feed

A custom list feed is a URL that publishes data in the list format.

You need to input the URL and set the check interval.  Please be mindful of the check interval and choose the value appropriately.

Custom JSON Feed

JSON feeds consist of multiple elements with no set structure.  Every feed can be organized differently.

In order to filter a JSON feed, you can specify filter parameters

  • JSON Filter Target
    • Input type: string
    • Required
    • This is the "Key" in the key, value pair where the value is the IP address(es) you want.
  • JSON Filter Target Parent
    • Input type: string
    • Optional
    • This is the parent "Key" that that target is under
  • JSON Filter Target Sibling
    • Input type: JSON
    • Optional
    • This can be 1 or more siblings of the target that also are under the parent
  • JSON Filter Target Parent Sibling
    • Input type: JSON
    • Optional
    • This can be 1 or more siblings of the target's parent

Here is an example of filtering the Azure JSON feed.

In this case, in order to filter out all the Azure IP addresses that run the ActionGroup function, we need to specify 3 JSON filters

  1. JSON Filter Target: addressPrefixes
  2. JSON Filter Target Parent: properties
  3. JSON Filter Target Parent Sibling: {"name": "ActionGroup"}
    • Though it is not needed in this case, you can specify multiple sibling by using a filter such as this
      •  {"name": "ActionGroup", "id": "ActionGroup"} 

We do not need to specify the JSON Filter Target Sibling but it is indicated on the diagram so you know what it is.

When building JSON filters first ask yourself, what do I want?  Then examine the JSON data to decide how specific you need your filters to be.


This is manual list of IP address, domains or URLs.  It is what you want it to be.

Most frequently, manual sources are used to be able to create block or allow lists that are included in an EDL.