Familiarize yourself with the following AutoFocus terminology to help you as you use the tool to begin researching threats.
For both AutoFocus and WildFire, a sample refers to a file (such as a PDF or PE) or a link included in an email. The Palo Alto Networks firewall and other sources such as Traps and Proofpoint can forward unknown samples to the WildFire cloud, where WildFire performs Static Analysis and Dynamic Analysis of the sample. As WildFire observes and executes the sample in the analysis environment, WildFire associates different Artifacts with the sample. AutoFocus allows you to search for samples based on the sample hash and other Sample Artifacts. When you perform a search in AutoFocus, AutoFocus compares all historical and new samples to the search conditions and filters the search results accordingly.
AutoFocus receives WildFire analysis information for samples submitted to the WildFire global and regional clouds.
Sessions in AutoFocus search results provide information about how a source submitted a sample to WildFire. Each session has a time stamp that indicates when WildFire received the sample. For samples forwarded by a Palo Alto Networks firewall, the associated session information provides context for the detection of the sample on the network. For samples submitted by other upload sources (Traps, Traps for Android, Proofpoint, WildFire API, WildFire appliance, Magnifier, or manual upload to the WildFire public portal), the session details are limited to the time stamp, the hash of the sample that was analyzed, and the upload source. Session information also indicates whether a sample was submitted to the WildFire global cloud or a regional cloud. Use Session Artifacts to filter AutoFocus search results.
Static analysis is a type of analysis based on properties of a sample that WildFire can detect and observe in a virtual environment without executing the sample. For details on the type of static analysis information that AutoFocus reports for samples, see Artifact Types.
Dynamic analysis consists of executing a sample in a WildFire analysis environment to determine the behaviors and activities that a sample exhibits when it runs. During dynamic analysis, WildFire also observes other behaviors and activities that occur in the analysis environment as a result of executing the sample. For details on the type of dynamic analysis information that AutoFocus reports for samples, see Artifact Types.
An artifact is a property, activity, or behavior shown to be associated with a sample or a session, both through WildFire analysis of the sample and through AutoFocus statistics. For example, types of artifacts include IP addresses, domains, URLs, applications, processes, hashes, and email addresses.
In AutoFocus, artifacts are highlighted both on the dashboard and within search results. AutoFocus search results spotlight significant artifacts that are identified according to risk. The dashboard and search editor both allow you to add an artifact directly to an ongoing search or to add it to an export list, which you can use to enforce policy on a firewall or to analyze artifacts in a SIEM.
For more details on viewing and evaluating artifacts, see also Assess AutoFocus Artifacts.
An indicator is an artifact that security experts typically observe to detect signs that a network has been compromised. Indicators are crucial for implementing a network defense strategy based on threat intelligence. The following types of artifacts are considered indicators in AutoFocus:
AutoFocus determines which artifacts are indicators through a statistical algorithm based on the tendency of the artifact to be seen predominantly in malware samples. With the MineMeld app, you can forward indicators from external threat feeds into AutoFocus. You can then Manage Threat Indicators and Find High-Risk Artifacts that match indicators to check your network for known threats.
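The idea that an artifact becomes an indicator when it shows up predominantly in malware can be illustrated with a small prevalence calculation. This is an added example, not AutoFocus code and not its actual algorithm; the sample records, the `min_support` and `min_ratio` thresholds, and the artifact naming scheme are constructed for illustration.

```python
from collections import defaultdict

# Constructed WildFire-style sample records: each carries the verdict WildFire
# assigned and the set of artifacts observed for the sample. Domains use the
# reserved .example TLD and IPs come from documentation ranges (RFC 5737).
SAMPLES = [
    {"id": "sample-01", "verdict": "malware",
     "artifacts": {"domain:evil-cdn.example", "ip:203.0.113.7", "process:svchost.exe"}},
    {"id": "sample-02", "verdict": "malware",
     "artifacts": {"domain:evil-cdn.example", "ip:203.0.113.7",
                   "url:http://evil-cdn.example/upd.php"}},
    {"id": "sample-03", "verdict": "malware",
     "artifacts": {"domain:evil-cdn.example", "process:svchost.exe"}},
    {"id": "sample-04", "verdict": "benign",
     "artifacts": {"process:svchost.exe", "domain:update.vendor.example"}},
    {"id": "sample-05", "verdict": "benign",
     "artifacts": {"domain:update.vendor.example", "ip:198.51.100.2"}},
    {"id": "sample-06", "verdict": "grayware",
     "artifacts": {"ip:203.0.113.7", "process:svchost.exe"}},
]


def artifact_stats(samples):
    """Return {artifact: (malware_count, total_count)} over all samples."""
    total = defaultdict(int)
    malicious = defaultdict(int)
    for sample in samples:
        for artifact in sample["artifacts"]:
            total[artifact] += 1
            if sample["verdict"] == "malware":
                malicious[artifact] += 1
    return {a: (malicious[a], total[a]) for a in total}


def indicator_candidates(samples, min_support=3, min_ratio=0.9):
    """Artifacts seen in at least min_support samples, of which at least
    min_ratio were malware. The support floor keeps a one-off artifact from
    scoring 100% on a single sample; the ratio floor drops things like
    process names that benign software shares with malware."""
    stats = artifact_stats(samples)
    return sorted(a for a, (m, n) in stats.items()
                  if n >= min_support and m / n >= min_ratio)


if __name__ == "__main__":
    for artifact, (m, n) in sorted(artifact_stats(SAMPLES).items()):
        print(f"{artifact:40} malware {m}/{n}")
    print("indicator candidates:", indicator_candidates(SAMPLES))
```

Lowering `min_ratio` to 0.6 would admit `ip:203.0.113.7` (2 of 3 samples malware), which is the kind of tuning decision the page leaves to AutoFocus's own statistics.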
A tag is a collection of search criteria that together indicate a known or possible threat. Both historical and new samples that match the conditions defined for a tag are associated with that tag. You can perform searches and create alerts based on tags.
Public Tags and Samples
Public tags and samples in AutoFocus are visible to all AutoFocus users.
For tags you create, you can set the status to public, so that the tag is visible to the AutoFocus community. You can revert the tag to be private at any time.
Public samples consist of samples from open-source intelligence (OSINT) and other external public sources, as well as samples that AutoFocus users have made public. Samples from your organization can only become public in two ways:
Private Tags and Samples
Private tags and samples in AutoFocus are visible only to AutoFocus users associated with the same support account.
Private tags and samples can be made public, with the option to revert the tag or sample back to private status at any time.
All Tab and All Samples
The All tab on the dashboard and the option to view All Samples in a search include statistics for all samples seen by WildFire, both public and private; however, identifying details are obfuscated for private samples. The All tab on the dashboard displays all malware (including private samples) with obfuscated hashes. The All Samples view in a search obfuscates private sample details with the exception of the WildFire verdict for the sample, the date the sample was first submitted to WildFire, the file size, and the file type.
For more on suspicious artifacts in AutoFocus, you can Find High-Risk Artifacts and Add High-Risk Artifacts to a Search or Export List.
For more on highly suspicious artifacts in AutoFocus, you can Find High-Risk Artifacts and Add High-Risk Artifacts to a Search or Export List.