Session Artifacts
Table of Contents
Expand all | Collapse all
Session Artifacts
Sessions artifacts are artifacts that WildFire associates
with sessions only. You can find the following artifact types when
you view Sample
Details. Note that you can only view the details of sessions
associated with your support account. For this reason, when you
search with artifact types that refer to firewall-related properties
(for example, firewall serial number or hostname), AutoFocus filters
the search results by the properties of the Palo Alto Networks firewall(s)
that initiated the session.
The following session artifact types refer to private session
information: Device Hostname, Observed In, Device vsys, Destination
IP, Email Recipient Address, Email Charset, Email Sender Address,
Email Subject, File Name, File URL, Recipient User ID, and Source
IP. If any of your private tags use these artifact types as tag
conditions, you cannot make these tags public.
Artifact Type | Search with this
Artifact Type to Find... |
|---|---|
Application | The App-ID™ matched to the
type of application traffic detected in a session. For example,
a search for the Application web-browsing returns
sessions during which web browsing over HTTP occurred. Visit Applipedia for an updated list of applications
that Palo Alto Networks identifies. |
Device Country | The country to which the IP address on a
firewall is registered. |
Device Country Code | The two-digit abbreviation for the Device
Country. Refer to the complete list of countries and country codes in AutoFocus. |
Device Hostname | A name that identifies a Palo Alto Networks
firewall. To view the hostname for a firewall, log in to the firewall
web interface, select Device Setup Management |
Observed In | Displays the serial number of a firewall
or the endpoint that the session was seen in. |
Device vsys | The name of the virtual system on the firewall
associated with the session. |
Destination Country | The country of the IP address to which the
session was destined. |
Destination Country Code | The two-digit abbreviation for the Destination
Country of the session. Refer to the complete list of countries and country codes in
AutoFocus. |
Destination IP | The destination IP address of the session. |
Destination Port | The destination port that the session used. |
Email
Recipient Address | For email samples, the email address of
the user who received the email. |
Email Charset | For email samples, the character set used
to display the message body of an email. Examples of character sets
are UTF-8 and ISO-8859-1 . |
Email
Sender Address | For email samples, the email address of
the sender. |
Email Subject | For email samples, the subject of the email. |
File
Name | The filename of the sample sent during the
session. |
File
URL | The URL path for the source that hosts the
sample. |
IMEI | The 15-digit unique International Mobile
Equipment Identity number assigned to a mobile phone. |
Industry | Industry indicates the field that the source
of the session (you or another AutoFocus support account) is associated
with. Examples are Aerospace and Defense , High Tech ,
and Education . Industry is a field you select
when you initially set up your AutoFocus account. Contact Palo Alto Networks Support to
change it. |
Recipient User ID | The username of the user who received an
email sample. |
Region | The WildFire public cloud to
which a sample is submitted for analysis. A session in the AutoFocus
search results provides information about how a source submitted
a sample to WildFire. Since each session corresponds to a single
WildFire submission, it can only be associated with a single WildFire
cloud. |
SHA256 | The SHA-256 hash for the sample associated
with the session. |
Source Country | The country to which the IP address that
initiated the session is registered. |
Source Country Code | The two-digit abbreviation of the Source
Country that sent the session. Refer to the complete list
of countries and country codes in
AutoFocus. |
Source
IP | The IP address of the session source. |
Source Port | The source port that the session used. |
Status | All samples that a Palo Alto firewall blocked.
The Status for blocked samples is Blocked ,
while the status for allowed samples is blank. To find all allowed
samples, search with the condition Status is not Blocked |
Time | The time and date when the session started. If
you use the Time artifact with a date range condition, it must not
exceed 365 days. Search queries with a date range that exceed the
maximum values are automatically constrained to 1 year and a message
showing the redefined range is displayed below the search settings. |
Upload Source | The source that requested a WildFire verdict
for a sample or submitted a sample to WildFire for analysis. Choose
from a list of possible upload sources:
|