Focus

AutoFocus® API Reference

General Artifacts

Table of Contents

General Artifacts

The following table provides field names and related information for general artifacts.

Field Name	Artifact Type as it Appears on AutoFocus Web Portal	Field Type	Acceptable Values and Examples
alias.domain	Domain	domain	Domain seen within DNS Activity, HTTP Activity, or File URL.
alias.email	Email Address	alias	Email address seen within email recipient address or email sender address.
alias.filename	Filename	alias	Valid filename as detected within a session or File Activity field.
alias.hash	Hash	alias	Valid SHA256, SHA1, or MD5 hash Example: eb4559d2debb5de11b3a90536ef36709de394b91c1e9a981e4987c4c02036b52
alias.ip_address	IP Address	alias	A IP address as it appears in connection activity, DNS activity, or HTTP activity.
sample.tag	Tag	tagList	Valid AutoFocus tag. Example: Parite
sample.tag_alias	Tag Alias	typeAheadSelect	Valid AutoFocus tag alias. Example: CryptoHost
sample.tag_class	Tag Class	simpleSelect	Actor: actor Campaign: campaign Malware Family: family Exploit: exploit Malicious Behavior: malicious_behavior
sample.tag_group	Tag Group	simpleSelect	Valid AutoFocus tag group. Example: Ransomware
sample.tag_scope	Tag Scope	simpleSelect	Private: private Public: public Information: commodity Unit 42: unit42
sample.tag_source	Tag Source	simpleSelect	Valid tag source. Example: Unit 42
sample.threat_name	Threat Name	typeAheadSelect	Valid threat name. Example: TDSS/Win32.fey.a
alias.url	URL	url	Valid File URL or URL as detected in HTTP activity.
alias.user_agent	User Agent	alias	Valid browser user agent as detected in HTTP Activity or User Agent Fragments.

Search Field Names

Sample Artifacts