Sessions artifacts are artifacts that WildFire associates with sessions only. You can find the following artifact types when you view Sample Details. Note that you can only view the details of sessions associated with your support account. For this reason, when you search with artifact types that refer to firewall-related properties (for example, firewall serial number or hostname), AutoFocus filters the search results by the properties of the Palo Alto Networks firewall(s) that initiated the session.
The following session artifact types refer to private session information: Device Hostname, Observed In, Device vsys, Destination IP, Email Recipient Address, Email Charset, Email Sender Address, Email Subject, File Name, File URL, Recipient User ID, and Source IP. If any of your private tags use these artifact types as tag conditions, you cannot make these tags public.
Search with this Artifact Type to Find...
The App-ID™ matched to the type of application traffic detected in a session. For example, a search for the Application
web-browsingreturns sessions during which web browsing over HTTP occurred. Visit Applipedia for an updated list of applications that Palo Alto Networks identifies.
The country to which the IP address on a firewall is registered.
Device Country Code
The two-digit abbreviation for the Device Country. Refer to the complete list of countries and country codes in AutoFocus.
A name that identifies a Palo Alto Networks firewall. To view the hostname for a firewall, log in to the firewall web interface, select
, and view the General Settings.
Displays the serial number of a firewall or the endpoint that the session was seen in.
The name of the virtual system on the firewall associated with the session.
The country of the IP address to which the session was destined.
Destination Country Code
The two-digit abbreviation for the Destination Country of the session. Refer to the complete list of countries and country codes in AutoFocus.
The destination IP address of the session.
The destination port that the session used.
Email Recipient Address
For email samples, the email address of the user who received the email.
For email samples, the character set used to display the message body of an email. Examples of character sets are
Email Sender Address
For email samples, the email address of the sender.
For email samples, the subject of the email.
The filename of the sample sent during the session.
The URL path for the source that hosts the sample.
The 15-digit unique International Mobile Equipment Identity number assigned to a mobile phone.
Industry indicates the field that the source of the session (you or another AutoFocus support account) is associated with. Examples are
Aerospace and Defense,
High Tech, and
Education. Industry is a field you select when you initially set up your AutoFocus account. Contact Palo Alto Networks Support to change it.
Recipient User ID
The username of the user who received an email sample.
The WildFire public cloud to which a sample is submitted for analysis. A session in the AutoFocus search results provides information about how a source submitted a sample to WildFire. Since each session corresponds to a single WildFire submission, it can only be associated with a single WildFire cloud.
The SHA-256 hash for the sample associated with the session.
The country to which the IP address that initiated the session is registered.
Source Country Code
The two-digit abbreviation of the Source Country that sent the session. Refer to the complete list of countries and country codes in AutoFocus.
The IP address of the session source.
The source port that the session used.
All samples that a Palo Alto firewall blocked. The Status for blocked samples is
Blocked, while the status for allowed samples is blank. To find all allowed samples, search with the condition
The time and date when the session started.
If you use the Time artifact with a date range condition, it must not exceed 365 days. Search queries with a date range that exceed the maximum values are automatically constrained to 1 year and a message showing the redefined range is displayed below the search settings.
The source that requested a WildFire verdict for a sample or submitted a sample to WildFire for analysis.
Choose from a list of possible upload sources:
Recommended For You
Recommended videos not found.