Session Artifacts

Sessions artifacts are artifacts that WildFire associates with sessions only. You can find the following artifact types when you view Sample Details. Note that you can only view the details of sessions associated with your support account. For this reason, when you search with artifact types that refer to firewall-related properties (for example, firewall serial number or hostname), AutoFocus filters the search results by the properties of the Palo Alto Networks firewall(s) that initiated the session.
The following session artifact types refer to private session information: Device Hostname, Device Serial, Device vsys, Destination IP, Email Recipient Address, Email Charset, Email Sender Address, Email Subject, File Name, File URL, Recipient User ID, and Source IP. If any of your private tags use these artifact types as tag conditions, you cannot make these tags public.
Artifact Type
Search with this Artifact Type to Find...
Application
The App-ID™ matched to the type of application traffic detected in a session. For example, a search for the Application
web-browsing
returns sessions during which web browsing over HTTP occurred. Visit Applipedia for an updated list of applications that Palo Alto Networks identifies.
Device Country
The country to which the IP address on a firewall is registered.
Device Country Code
The two-digit abbreviation for the Device Country. Refer to the complete list of countries and country codes in AutoFocus.
Device Hostname
A name that identifies a Palo Alto Networks firewall. To view the hostname for a firewall, log in to the firewall web interface, select
Device
Setup
Management
, and view the General Settings.
Device Serial
The serial number of a firewall.
Device vsys
The name of the virtual system on the firewall associated with the session.
Destination Country
The country of the IP address to which the session was destined.
Destination Country Code
The two-digit abbreviation for the Destination Country of the session. Refer to the complete list of countries and country codes in AutoFocus.
Destination IP
The destination IP address of the session.
Destination Port
The destination port that the session used.
Email Recipient Address
For email samples, the email address of the user who received the email.
Email Charset
For email samples, the character set used to display the message body of an email. Examples of character sets are
UTF-8
and
ISO-8859-1
.
Email Sender Address
For email samples, the email address of the sender.
Email Subject
For email samples, the subject of the email.
File Name
The filename of the sample sent during the session.
File URL
The URL path for the source that hosts the sample.
IMEI
The 15-digit unique International Mobile Equipment Identity number assigned to a mobile phone.
Industry
Industry indicates the field that the source of the session (you or another AutoFocus support account) is associated with. Examples are
Aerospace and Defense
,
High Tech
, and
Education
. Industry is a field you select when you initially set up your AutoFocus account. Contact Palo Alto Networks Support to change it.
Recipient User ID
The username of the user who received an email sample.
Region
The WildFire cloud (global or regional) to which a sample is submitted for analysis. A session in the AutoFocus search results provides information about how a source submitted a sample to WildFire. Since each session corresponds to a single WildFire submission, it can only be associated with a single WildFire cloud.
  • US
    —WildFire global cloud
  • EU
    —WildFire EU cloud
  • JP
    —WildFire Japan cloud
  • SG
    —WildFire Singapore cloud
SHA256
The SHA-256 hash for the sample associated with the session.
Source Country
The country to which the IP address that initiated the session is registered.
Source Country Code
The two-digit abbreviation of the Source Country that sent the session. Refer to the complete list of countries and country codes in AutoFocus.
Source IP
The IP address of the session source.
Source Port
The source port that the session used.
Status
All samples that a Palo Alto firewall blocked. The Status for blocked samples is
Blocked
, while the status for allowed samples is blank. To find all allowed samples, search with the condition
Status
is not
Blocked
.
Time
The time and date when the session started.
Upload Source
The source that requested a WildFire verdict for a sample or submitted a sample to WildFire for analysis.
Choose from a list of possible upload sources:
  • Firewall
    —Samples that a Palo Alto Networks firewall forwarded to WildFire.
  • Proofpoint
    —Samples submitted to WildFire through Proofpoint products.
  • Traps
    —Samples submitted through Traps.
  • Manual API
    —Samples uploaded manually through the WildFire API or the WildFire public portal.
  • WF Appliance
    —Samples that a WildFire appliance submitted to the WildFire public cloud.

Related Documentation