Find High-Risk Artifacts

To bring your attention to potential threats in your network, AutoFocus provides clues in a sample's WildFire analysis that link the sample to malware or malicious attacks.
  1. Begin a new search. Check the Tags column for:
    • Unit 42 tags—Identify threats and campaigns that pose a direct security risk.
    • Indicator tags—Highlight samples with Threat Indicators that match threat indicators that you forwarded to AutoFocus using MineMeld. The tag specifies the number of matching indicators in the sample. Not all sample artifacts are indicators; to determine whether an artifact is an indicator, AutoFocus uses a statistical algorithm based on the tendency of the artifact to be seen predominantly with malware.
    file-analysis-path.png
    Click on the indicator tag ( indicator-tag.png ) to view the matching indicators.
    indicator-tag-matches.png
  2. Click a sample hash and scan the WildFire analysis details of the sample for signs of maliciousness.
    • For every WildFire static and dynamic analysis artifact listed, compare the number of times the artifact has been detected with benign ( benign-icon.png ), grayware ( grayware-icon.png ), and malware ( malware-icon.png ) samples.
    • High-risk artifacts are displayed with icons to designate them as Suspicious or Highly Suspicious.
    • If an activity artifact has proven to be evidence of an Observed Behavior, the behavior risk level is indicated: observed-behavior-icon.png
    • Sample indicators that match threat indicators from MineMeld are highlighted with an indicator icon ( indicator-icon.png ). Learn more about how to Forward MineMeld Indicators to AutoFocus.
    wf-analysis-indicators.png
  3. View artifacts that match your search conditions (even if they’re not high-risk), highlighted in the search results.
    artifact-highlighted-in-search.png
  4. View a summary of
    Indicators
    that AutoFocus detected in the sample.
    The Indicators tab only lists artifacts that AutoFocus considers indicators based on the tendency of the artifact to be seen predominantly in malware samples. Any indicators that match indicators forwarded to AutoFocus from MineMeld are marked with an indicator tag. Click the tag to view the full list of matches.
    indicators-tab-sample.png

Recommended For You