Latest AutoFocus Features


The following topics provide a snapshot of the AutoFocus features introduced in May 2021. This list provides context for the new features, with steps to get started. For information about past releases, refer to AutoFocus Release History.
AutoFocus Search Improvements
The AutoFocus™ search has been improved to optimize performance and reliability. By leveraging a batched search mechanism, dashboard loading times are reduced, sample and session query performance is improved, and API response times are lowered. Because this update affects all search-based components of AutoFocus, including the dashboards, advanced search, and sample/session search APIs, as well as downstream integrated solutions, it may be necessary to update certain settings to account for the coverage changes.
The following changes have been made to support the batched search improvements:
  • AutoFocus Dashboard | Report
    — The AutoFocus Dashboard and Reports can be filtered based on First Seen or Time using the following values: Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, Last 6 Months, or Last 1 Year. The Any Time value is no longer available and has been effectively replaced by the Last 1 Year option.
    If you have a custom AutoFocus report or dashboard using the Any Time value, it will automatically use the Last 1 Year setting. Consider updating and/or creating additional reports using a more specific First Seen or Time value to cover the time range of the previously configured custom report.
  • AutoFocus Search
    • Simple Search
      —The AutoFocus simple search mode can filter samples and sessions based on First Seen or Time using the following values: Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, Last 6 Months, or Last 1 Year. The Any Time value is no longer available and has been effectively replaced by the Last 1 Year option.
    • Advanced Search
      —Sample and Session search conditions that use the First Seen and Time parameters must not exceed 365 days. Search queries with a date range that exceeds the maximum values are automatically constrained to 1 year, and a message showing the redefined range is displayed below the search settings.
      If the results for a hash search contain session-based data, the session contents from the previous years (from the date of the search) are displayed.
  • AutoFocus API
    — AutoFocus API session and sample (excluding SHA256) queries that use the time stamp (session.tstamp) or first seen (sample.create_date) parameter cannot exceed 1 year from the query issuance date or have a date range longer than a year. The following API resources are affected by the change:
    • Sample Search—/samples/search/ and /stix/samples/search/
    • Session Histogram Search—/sessions/histogram/search/
    • Session Aggregate Data Search—/sessions/aggregate/search/
    • Session Search—/sessions/search/ and /stix/sessions/search/
    • Top Tags Search—/top-tags/search/
    If your search queries extend across a coverage range exceeding one year, consider initiating multiple search requests using one-year segments.
    The following general search changes should be noted:
    • The Scan parameter returns up to 10k samples and sessions as opposed to the previous maximum of 200k.
    • Hash search queries are not restricted to the one-year search range.
    • Any AutoFocus search containing sample and session data is constrained to one-year chunks.
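Added example (not from the AutoFocus documentation): one way to break a longer First Seen or Time range into consecutive windows of at most 365 days, with one search request per window. The query JSON layout, the "is in the range" operator, the timestamp format, and the run_query callable are assumptions; check them against the API reference before use.

```python
from datetime import datetime, timedelta

MAX_SPAN = timedelta(days=365)      # one-year limit on First Seen / Time ranges
STEP = timedelta(seconds=1)         # keeps adjacent windows from overlapping
TS_FORMAT = "%Y-%m-%dT%H:%M:%S"     # assumed timestamp format
TIME_FIELDS = ("session.tstamp", "sample.create_date")


def split_range(start, end, max_span=MAX_SPAN):
    """Split [start, end] into contiguous windows, each shorter than max_span."""
    if end < start:
        raise ValueError("end precedes start")
    windows, cursor = [], start
    while cursor <= end:
        window_end = min(cursor + max_span - STEP, end)
        windows.append((cursor, window_end))
        cursor = window_end + STEP
    return windows


def build_queries(field, start, end, conditions=()):
    """Return one query per window; `conditions` are extra caller-supplied filters."""
    if field not in TIME_FIELDS:
        raise ValueError(f"not a time-bounded field: {field}")
    queries = []
    for lo, hi in split_range(start, end):
        time_cond = {
            "field": field,
            "operator": "is in the range",   # assumed operator name
            "value": [lo.strftime(TS_FORMAT), hi.strftime(TS_FORMAT)],
        }
        queries.append({"operator": "all", "children": [time_cond, *conditions]})
    return queries


def search_segmented(run_query, field, start, end, conditions=()):
    """Run each window through run_query (hypothetical callable) and merge the hits."""
    hits = []
    for query in build_queries(field, start, end, conditions):
        hits.extend(run_query(query))
    return hits
```

Because the windows do not overlap, hits returned for the time-bounded condition can be concatenated without de-duplication.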
For more information about the concepts referenced in this feature, refer to: AutoFocus Search
