AutoFocus Known Issues

The following list includes known issues found in the current AutoFocus release.
Issue ID
Description
PAN-142428
When using the remote search to find artifacts within firewall traffic, AutoFocus opens a new browser tab to access and authenticate to the firewall; however, this action drops the search request. This issue occurs only when issuing remote searches to firewalls operating PAN-OS 9.0.x and later.
PAN-8583
In some instances, when attempting to generate a PDF-exported report, the PDF generation progress meter hangs at either 0 or 100 percent.
ATF-8396/8397
If your organization has extremely large DNS Security data/log volume, widgets (including the expanded lists produced when viewing additional details) might time out and produce an error, depending on the volume of incoming data based on the search query.
ATF-8392
When you click on an applicable DNS Security dashboard widget to view detailed analytics, the last specified page counter value is retained as the default page view when pivoting to other DNS Security dashboard widget analytics pages.
ATF-8351
When you submit a hash search using the AutoFocus quick search feature (the spyglass icon on the upper-right corner), and then subsequently refresh the page while in the WildFire Report context, the sample details under the File Analysis and WildFire Report tabs display incomplete information. Workaround: Use the advanced AutoFocus search.
ATF-8349
When an extremely lengthy query is issued from the AutoFocus Search page, clicking on the Columns button situates the dropdown in the incorrect location; please scroll up to access the dropdown menu options.
ATF-8325
Changing the account type from certain AutoFocus pages might result in an error. Workaround: Refresh your browser to reload the content.
ATF-7419
Changes to the Preferred Scope setting on the AutoFocus Settings page does not take affect until you perform one of the following tasks:
  • Log out of AutoFocus and then log back in.
  • Exit the AutoFocus search, refresh your browser window, and then return to the AutoFocus search page.
ATF-7331
When using the AutoFocus advanced search, the show search history feature does not display any entries.
ATF-7322
Matching activity and behavior entries contained within an AutoFocus search are no longer highlighted.
ATF-7200
The timestamp shown on email report titles do not accurately reflect when the report was actually sent because report scheduling is based on a PDT system, while reports are generated using UTC time. As a result, an email report configured to be sent on Monday, 9:00 PM will be display Tuesday, 5:00 AM on the report cover.
ATF-7199
A private sample cannot be changed to a public sample from an AutoFocus Wildfire (sample) search.
When viewing the API request of an AutoFocus search, the Python and Curl commands might not properly reflect the from, size, and sort, parameters.
Attempting to add or remove the configured preferred hash column from the WildFire (samples) or Activity (sessions) page might result in: the de-selection of some or all other columns in the list or the inability to remove the configured preferred hash.
ATF-7092
In some cases, users might not be able to see the Session ID in the activity
Session Summary
page.
ATF-7079
In some cases, users might receive an AF Cookie Not Found error when issuing API sample queries.
ATF-7025
Tag labels might not be displayed in it’s entirety depending on the widget configuration and the length of the tag name.
ATF-6992
In some instances, the
Search
option on the custom feeds page takes some time to reload the new query results.
ATF-6812
IOCFeed APIs does not return accurate or descriptive responses.
ATF-6795
Changes made to the preferred hash setting does not have any effect on AutoFocus searches. Instead, only
SHA256
results display regardless of the preferred hash setting.
ATF-6772
Clicking on the
Back to Search Results
option after viewing the sample details page always defaults to
My Samples
regardless of the last visited page.
ATF-6768
If the required query parameters are missing when issuing a Threat Indicator Card API call, the API returns in the incorrect status codes.
ATF-6735
Time stamps shown in various AutoFocus queries are displayed in a non-human readable format when editing custom feeds.
ATF-6686
When editing the
Remote System
configuration, the verification check used to find duplicate settings, is not properly executed. Make sure to manually check for duplicate settings before editing your existing remote systems.
If AutoFocus experiences a supporting service outage when configuring a custom feed query or when initiating a search, the UI erroneously displays No Results or No Data instead of Service Temporarily Unavailable.
ATF-6586
The search condition that is automatically populated by AutoFocus when performing a
Quick Search
is not refreshed when followed up by another
Quick Search
.
ATF-6559
AutoFocus automatically populates the search condition field when pivoting from an
Indicators
search to a
WildFire
or
Activity
search, however, returning to the
Indicators
search results in an empty search string.
ATF-6524
Error message banners shown under AutoFocus
Feeds
do not automatically close.
ATF-6243
Some samples might be missing the ssdeep and imp_hash values on the
File Analysis
tab of a WildFire (sample) search.
ATF-6216
AutoFocus cannot search for samples with future-facing compilation date.
ATF-6148
The session artifact API call is unable to decode special characters.
ATF-6090
Some of the identifiers contained in the AutoFocus advanced search drop down list are not listed in alphabetical order.
ATF-6043
Certain samples do not properly display matching YARA file analysis details.
ATF-6015
Some threat signatures might not be available to view in AutoFocus under certain operational conditions.
ATF-6012
The
Malware Session Percentage By Day
widget does not auto-zoom to the proper level when opened using a saved search.
ATF-5985
The AutoFocus license exception page does not correctly display the user entity name.
ATF-5945
In some instances, AutoFocus might not allow you to create a new private tag because it erroneously believes the 100 tag limit was reached.
ATF-5635
In some instances, an AutoFocus search using the
Tag
identifier might produce results that do not match the selected tag(s).
ATF-5633
In some instances, the
Updated
field in the AutoFocus tag detail page might not properly reflect the actual revision date.
ATF-5584
Every instance of a SHA256 has an unexpected line break when exporting sample search results from browsers operating under OS X.
ATF-5570
In some instances, creating a search using the File Type indicator and subsequently adding an additional indicator before the first one finishes loading, might result in the second indicator converting to a File Type indicator.
ATF-5366
MineMeld might send double the number of entries in an EDL link to a connected firewall running PAN-OS 8.0.
ATF-5333
When the AutoFocus interface font size is increased, some elements of the information panel (such as the
Give Feedback
link) might not display correctly.
ATF-5331
The filetype counts shown in the
Top Filetypes
widget do not always match the figures provided through the API.
ATF-5254
When the maximum allowable tag limit of 100 is reached, subsequent attempts to add tags will fail without an displaying an error.
ATF-5074
In some instances, deleted scheduled reports might continue to automatically generate and send reports to specified recipients.
ATF-4881
Certain APK samples might not show the
Suspicious Pattern
section in the
File Analysis
page.
ATF-4859
In some instances, scheduled email reports might not be sent as configured.
ATF-4751
New custom reports are not displayed in
Reports
until the page is refreshed.
ATF-4750
Threat Name
searches using the
is in the list
operator do not generate consistent search results.
ATF-4723
Submitting a new quick search IOC value while viewing the search
Session Summary
does not refresh the page contents.
ATF-4682
The sort functionality present in
Open Saved Search
does not properly display content, depending on the sort settings used.
ATF-4435
Certain widgets displaying verdicts are not impacted by the dashboard and report verdict filter settings.
ATF-4323
In some instances the column widths in the sample details page might be improperly configured, making it difficult to view.
ATF-4252
Top Malware Family Tags
,
Top Campaign Tags
, and
Top Malicious Behavior Tags
widgets are preconfigured to display only Unit 42, Private, and Commodity tags. However, the
Top Tags
widget can be configured using any and all tags.
ATF-3796
In some instances, exported PDF reports containing a
Malware Percentage by Day
widget might result in the data graph overlapping with the explanatory key, depending on the browser used.
ATF-3748
External links contained in exported PDF reports have limited functionality.
ATF-2833
The
Disk
widget located in the MineMeld System tab does not show accurate disk space usage.
ATF-2284
Trying to add more than 2,000 artifacts to an export list at a time may not work when viewing the WildFire® sample analysis details in sequence or in the process tree.
ATF-2191
The AutoFocus™ API for STIX sample analysis (/stix/sample/{sample_id}/analysis) currently does not return Android artifacts. Refer to the AutoFocus API Reference for a full list of Android artifacts.
ATF-2187
The AutoFocus API for STIX sample analysis (/stix/sample/{sample_id}/analysis) currently does not support requests that include signature coverage.

Recommended For You