Table of Contents

AutoFocus Concepts

Familiarize yourself with the following AutoFocus terminology to help you as you use the tool to begin researching threats.
For both AutoFocus and WildFire, a sample refers to a file (such as a PDF or PE) or a link included in an email. The Palo Alto Networks firewall and other sources such as Traps and Proofpoint can forward unknown samples to the WildFire cloud, where WildFire performs Static Analysis and Dynamic Analysis of the sample. As WildFire observes and executes the sample in the analysis environment, WildFire associates different Artifacts with the sample. AutoFocus allows you to search for samples based on the sample hash and other Sample Artifacts. When you perform a search in AutoFocus, AutoFocus compares all historical and new samples to the search conditions and filters the search results accordingly.
AutoFocus receives WildFire analysis information for samples submitted to the WildFire global and regional clouds.
Sessions in AutoFocus search results provide information about how a source submitted a sample to WildFire. Each session has a time stamp that indicates when WildFire received the sample. Sessions matching a sample are reported in WildFire sample searches even when the sample verdict is known. For samples forwarded by a Palo Alto Networks firewall, their associated session information provide context for the detection of the sample on the network. For samples submitted by another Upload Source (Traps, Traps for Android, Proofpoint, WildFire API, WildFire appliance, Magnifier, Prisma SaaS, Prisma Access, Cortex XDR, or manual upload to the WildFire public portal), their sessions details are limited to the time stamp, the hash of the sample that was analyzed, and the upload source. Session information also indicates if a sample was submitted to the WildFire global cloud or regional cloud. Use Session Artifacts to filter AutoFocus search results.
The session data displayed in the search results include all relevant data submitted to WildFire through various product integrations. Session data availability is not contingent on membership to other services, such as Panorama, Cortex Data Lake, or other Palo Alto Networks products.
Static Analysis
Static analysis is a type of analysis based on properties of a sample that WildFire can detect and observe in a virtual environment without executing the sample. For details on the type of static analysis information that AutoFocus reports for samples, see Artifact Types.
Dynamic Analysis
Dynamic analysis consists of executing a sample in a WildFire analysis environment to determine the behaviors and activities that a sample exhibits when it runs. During dynamic analysis, WildFire also observes other behaviors and activities that occur in the analysis environment as a result of executing the sample. For details on the type of dynamic analysis information that AutoFocus reports for samples, see Artifact Types.
An artifact is a property, activity, or behavior shown to be associated with a sample or a session through both WildFire analysis of the sample and through AutoFocus statistics. For example, types of artifacts include IP addresses, domains, URLs, applications, processes, hashes, and email addresses.
In AutoFocus, artifacts are highlighted both on the dashboard and within search results. AutoFocus search results spotlight significant artifacts that are identified according to risk. The dashboard and search editor both allow you to add an artifact directly to an ongoing search or to add it to an export list, which you can use to enforce policy on a firewall or to analyze artifacts in a SIEM.
For more details on viewing and evaluating artifacts, see also Assess AutoFocus Artifacts.
Threat Indicators
An indicator is an artifact that security experts typically observe to detect signs that a network has been compromised. Indicators are crucial for implementing a network defense strategy based on threat intelligence. The following types of artifacts are considered indicators in AutoFocus:
  • Domain
  • IPv4
  • Mutex
  • URL
  • User agent
AutoFocus determines which artifacts are indicators through a statistical algorithm based on tendency of the artifact to be seen predominantly in malware samples.
A tag is a collection of search criteria that together indicate a known or possible threat. Both historical and new samples that match the conditions defined for a tag are associated with that tag. You can perform searches and create alerts based on tags.
See AutoFocus Tags for details on creating tags and contributing to tags, including more information on Tag Types, Tag Class, Tag Status, and Tag Visibility.
Public Tags and Samples
Public tags and samples in AutoFocus are visible to all AutoFocus users.
For tags you create, you can set the status to public, so that the tag is visible to the AutoFocus community. You can revert the tag to be private at any time.
Public samples consist of samples from open-source intelligence (OSINT) and other external public sources, as well as samples that AutoFocus users have made public. Samples from your organization can only become public in two ways:
  • Open the sample details and manually set the sample to
    , in order to share it within the AutoFocus community.
  • If a private sample from your organization is later received by WildFire from a public source, the sample will become public at that time.
Private Tags and Samples
Private tags and samples in AutoFocus are visible only to AutoFocus users associated with the same support account.
Private tags and samples can be made public, with the option to revert the tag or sample back to private status at any time.
All Tab and All Samples
tab on the dashboard and the option to view
All Samples
in a search include statistics for all samples seen by Wildfire, both public and private; however, identifying details are obfuscated for private samples. The
tab on the dashboard displays all malware (including private samples) with obfuscated hashes. The
All Samples
view in a search obfuscates private sample details with the exception of the WildFire verdict for the sample, the date the sample was first submitted to WildFire, the file size, and the file type.
Suspicious artifacts:
  • Have been widely-detected across large numbers of samples.
  • Are most frequently detected with malware. Although suspicious artifacts can be detected with grayware and benign samples, they are more often found with malware.
For more on suspicious artifacts in AutoFocus, you can Find High-Risk Artifacts and Add High-Risk Artifacts to a Search or Export List.
Highly Suspicious
Highly suspicious artifacts:
  • Have been detected in very few samples. The lack of distribution of these types of artifacts could indicate an attack crafted to target a specific organization.
  • Are most frequently detected with malware. In some cases, these artifacts have been exclusively seen with malware and never with grayware or benign samples.
For more on highly suspicious artifacts in AutoFocus, you can Find High-Risk Artifacts and Add High-Risk Artifacts to a Search or Export List.

Recommended For You