AutoFocus Search Improvements

The AutoFocus™ search has been improved to optimize performance and reliability. By leveraging a batched search mechanism, dashboard loading times are reduced, sample and session query performance is improved, and API response times are lowered. Because this update affects all search-based components of AutoFocus, including the dashboards, advanced search, and the sample/session search APIs, as well as downstream integrated solutions, it may be necessary to update certain settings to account for the coverage changes. The following changes have been made to support the batched search improvements:

AutoFocus Dashboard | Report — The AutoFocus Dashboard and Reports can be filtered based on First Seen or Time using the following values: Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, Last 6 Months, or Last 1 Year. The Any Time value is no longer available and has effectively been replaced by the Last 1 Year option. If you have a custom AutoFocus report or dashboard that uses the Any Time value, it will automatically use the Last 1 Year setting. Consider updating the report, or creating additional reports, with a more specific First Seen or Time value to cover the time range of the previously configured custom report.

Simple Search — The AutoFocus simple search mode can filter samples and sessions based on First Seen or Time using the following values: Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, Last 6 Months, or Last 1 Year. The Any Time value is no longer available and has effectively been replaced by the Last 1 Year option.

Advanced Search — Sample and session search conditions that use the First Seen and Time parameters must not exceed 365 days. Search queries with a date range that exceeds the maximum are automatically constrained to 1 year, and a message showing the redefined range is displayed below the search settings. If the results for a hash search contain session-based data, the session contents from the previous years (counted from the date of the search) are displayed.

AutoFocus API — AutoFocus API session and sample queries (excluding SHA256 queries) that use the time stamp (session.tstamp) or first seen (sample.create_date) parameter cannot exceed 1 year from the query issuance date or have a date range longer than a year. The following API resources are affected by the change:

- Sample Search — /samples/search/ and /stix/samples/search/
- Session Histogram Search — /sessions/histogram/search/
- Session Aggregate Data Search — /sessions/aggregate/search/
- Session Search — /sessions/search/ and /stix/sessions/search/
- Top Tags Search — /top-tags/search/

If your search queries extend across a coverage range exceeding one year, consider initiating multiple search requests using one-year segments.
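As an added illustration (not part of this release note and not AutoFocus product code), the following Python splits a multi-year window into one-year segments and checks each against the two API limits above; the request-body layout in build_query (an "all" operator wrapping an "is in the range" child) is an assumption about the API's query format, not something this page documents.

```python
from datetime import date, timedelta

MAX_SPAN_DAYS = 365  # the one-year ceiling described in the release note


def within_limits(start: str, end: str, issued: str, max_days: int = MAX_SPAN_DAYS) -> bool:
    """True when an inclusive [start, end] window (ISO dates) satisfies both
    API constraints: it spans at most max_days, and it does not begin more
    than max_days before the date the query is issued."""
    s, e, i = (date.fromisoformat(d) for d in (start, end, issued))
    span_days = (e - s).days + 1
    return 1 <= span_days <= max_days and (i - s).days <= max_days and e <= i


def split_range(start: str, end: str, max_days: int = MAX_SPAN_DAYS) -> list[tuple[str, str]]:
    """Split an inclusive [start, end] window into consecutive, non-overlapping
    segments of at most max_days each, returned as ISO date pairs."""
    cursor, last = date.fromisoformat(start), date.fromisoformat(end)
    if last < cursor:
        raise ValueError("end precedes start")
    segments = []
    while cursor <= last:
        seg_end = min(cursor + timedelta(days=max_days - 1), last)
        segments.append((cursor.isoformat(), seg_end.isoformat()))
        cursor = seg_end + timedelta(days=1)
    return segments


def build_query(field: str, seg_start: str, seg_end: str) -> dict:
    """Build one search body for a single segment. The layout below is an
    ASSUMPTION about the request format; adjust it to the documented schema."""
    return {
        "operator": "all",
        "children": [{
            "field": field,  # e.g. "session.tstamp" or "sample.create_date"
            "operator": "is in the range",
            "value": [f"{seg_start}T00:00:00", f"{seg_end}T23:59:59"],
        }],
    }


def segmented_queries(field: str, start: str, end: str) -> list[dict]:
    """One request body per one-year segment, in chronological order."""
    return [build_query(field, s, e) for s, e in split_range(start, end)]


if __name__ == "__main__":
    # Constructed sample window: two full calendar years -> two requests.
    for body in segmented_queries("session.tstamp", "2022-01-01", "2023-12-31"):
        print(body["children"][0]["value"])
```

Each segment still has to satisfy the issuance-date rule, so a segment that starts more than a year before today will be rejected regardless of its length; within_limits flags that case.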
The following general search changes should be noted:

- The Scan parameter returns up to 10k samples and sessions, as opposed to the previous maximum of 200k.
- Hash search queries are not restricted to the one-year search range.
- Any AutoFocus search containing sample and session data is constrained to one-year chunks.
For more information about the concepts referenced in this feature, refer to: AutoFocus Search