
Session Artifacts

Session artifacts are artifacts that WildFire associates with sessions only. You can find the following artifact types when you view Sample Details. Note that you can only view the details of sessions associated with your support account. For this reason, when you search with artifact types that refer to firewall-related properties (for example, firewall serial number or hostname), AutoFocus filters the search results by the properties of the Palo Alto Networks firewall(s) that initiated the session.
The following session artifact types refer to private session information: Device Hostname, Observed In, Device vsys, Destination IP, Email Recipient Address, Email Charset, Email Sender Address, Email Subject, File Name, File URL, Recipient User ID, and Source IP. If any of your private tags use these artifact types as tag conditions, you cannot make these tags public.
Artifact Type
Search with this Artifact Type to Find...
Application
The App-ID™ matched to the type of application traffic detected in a session. For example, a search for the Application web-browsing returns sessions during which web browsing over HTTP occurred. Visit Applipedia for an updated list of applications that Palo Alto Networks identifies.
Device Country
The country to which the IP address on a firewall is registered.
Device Country Code
The two-digit abbreviation for the Device Country. Refer to the complete list of countries and country codes in AutoFocus.
Device Hostname
A name that identifies a Palo Alto Networks firewall. To view the hostname for a firewall, log in to the firewall web interface, select Device > Setup > Management, and view the General Settings.
Observed In
Displays the serial number of a firewall or the endpoint that the session was seen in.
Device vsys
The name of the virtual system on the firewall associated with the session.
Destination Country
The country of the IP address to which the session was destined.
Destination Country Code
The two-digit abbreviation for the Destination Country of the session. Refer to the complete list of countries and country codes in AutoFocus.
Destination IP
The destination IP address of the session.
Destination Port
The destination port that the session used.
Email Recipient Address
For email samples, the email address of the user who received the email.
Email Charset
For email samples, the character set used to display the message body of an email. Examples of character sets are UTF-8 and ISO-8859-1.
Email Sender Address
For email samples, the email address of the sender.
Email Subject
For email samples, the subject of the email.
File Name
The filename of the sample sent during the session.
File URL
The URL path for the source that hosts the sample.
IMEI
The 15-digit unique International Mobile Equipment Identity number assigned to a mobile phone.
Industry
Industry indicates the field that the source of the session (you or another AutoFocus support account) is associated with. Examples are Aerospace and Defense, High Tech, and Education. Industry is a field you select when you initially set up your AutoFocus account. Contact Palo Alto Networks Support to change it.
Recipient User ID
The username of the user who received an email sample.
Region
The WildFire public cloud to which a sample is submitted for analysis. A session in the AutoFocus search results provides information about how a source submitted a sample to WildFire. Since each session corresponds to a single WildFire submission, it can only be associated with a single WildFire cloud.
SHA256
The SHA-256 hash for the sample associated with the session.
Source Country
The country to which the IP address that initiated the session is registered.
Source Country Code
The two-digit abbreviation of the Source Country that sent the session. Refer to the complete list of countries and country codes in AutoFocus.
Source IP
The IP address of the session source.
Source Port
The source port that the session used.
Status
All samples that a Palo Alto firewall blocked. The Status for blocked samples is Blocked, while the status for allowed samples is blank. To find all allowed samples, search with the condition Status is not Blocked.
Time
The time and date when the session started.
If you use the Time artifact with a date range condition, the range must not exceed 365 days. Search queries with a date range that exceeds the maximum are automatically constrained to 1 year, and a message showing the redefined range is displayed below the search settings.
Upload Source
The source that requested a WildFire verdict for a sample or submitted a sample to WildFire for analysis.
Choose from a list of possible upload sources:
  • Firewall—Samples that a Palo Alto Networks firewall forwarded to WildFire.
  • Proofpoint—Samples submitted to WildFire through Proofpoint products.
  • Traps—Samples submitted through Traps.
  • Magnifier—Samples submitted through Magnifier (now known as Cortex XDR).
  • Manual API—Samples uploaded manually through the WildFire API or the WildFire public portal.
  • Traps Android—Samples submitted through Traps for Android.
  • WF Appliance—Samples that a WildFire appliance submitted to the WildFire public cloud.
  • Prisma SaaS—Samples submitted through Prisma SaaS.
  • Prisma Access—Samples submitted through Prisma Access.
  • Cortex XDR—Samples submitted through Cortex XDR.