AutoFocus is a cloud-based threat intelligence service that enables you to easily identify critical attacks, so that you can triage effectively and take action without requiring additional IT resources. AutoFocus correlates threat data from your network, industry, and global intelligence feeds, and surfaces what’s most important. This includes giving you a direct pipeline to actionable intelligence from Unit 42, the Palo Alto Networks threat research team—AutoFocus lets you know if adversaries and campaigns discovered by Unit 42 have targeted your network, or networks like yours.

Release Highlights

Date Highlights
May 2019 AutoFocus shows you the malicious domains that DNS Security has identified through machine learning and predictive analytics.
March 2019 More WildFire Data! See hashes for files that were found to be embedded within another document, and the compilation timestamp for an executable (unusual timestamps can indicate tampering).
Feb 2019 AutoFocus displays all the categories that PAN-DB—the URL Filtering cloud—has assigned to a URL, including the URL's risk category (high, medium, or low).
Nov 2018 Investigate script-based malware, which has become a common vector of attack.
Oct 2018 Check out some usability updates we've made to widgets and reports.
Sep 2018

Get visibility into files that have undergone dynamic unpacking—this means they've been encoded using custom or open source file compression or packing tools.

Looking for more?  See what else we've been working on...


Book Image

Cyber Espionage Campaign Discovered Using AutoFocus

Extended AutoFocus Threat Intelligence With New Tags

Use AutoFocus with the Firewall


AutoFocus™ What's New Guide

Learn all about the latest features in AutoFocus, the Palo Alto Networks threat intelligence service. For each new feature we describe, we've also included steps to get started. You'll also find a list of open issues that we’re working on to improve your AutoFocus experience.

AutoFocus™ Administrator’s Guide

AutoFocus™ is a threat intelligence service that provides an interactive, graphical interface for analyzing and contextualizing the threats your network faces. AutoFocus especially helps you to keep up with threat trends related to targeted cyberattacks, so that you can take a preventive approach to securing your network. The AutoFocus Administrator's Guide gives you everything you need to get started with AutoFocus: learn about how AutoFocus works, set up meaningful alerts for advanced attacks, and even use AutoFocus IoCs to enforce security policy on a Palo Alto Networks firewall.

AutoFocus™ API References

The AutoFocus™ API extends the ability to query the threat intelligence cloud through a programmatic, RESTful API. You can integrate this API into a third-party service, application, or script that accesses AutoFocus outside of the web portal. API responses are in JSON or XML-based STIX format.


Become a Threat Hunter: AutoFocus Innovations

More data doesn’t always equal better prevention. It can feel like there is an arms race underway, with security operations and response professionals in the sights of an escalating amount of alerts and threat data, which can sometimes do more harm than good. What is needed is an outcome-driven approach to threat intelligence, with a focus on prevention and operationalizing action, versus simply adding more data.

Intro to the AutoFocus API

This video demonstrates how to quickly find samples and sessions with specific artifacts in AutoFocus.

AutoFocus Integration With Firewall Logs

Launch queries from the firewall/Panorama log monitor page to AutoFocus for a selected log element, and receive information from AutoFocus in the firewall/Panorama UI.

Finding Ransomware with AutoFocus and Aperture

Using a scenario, we discover how quickly you can find information regarding ransomware in your environment using Aperture and AutoFocus.