AutoFocus Concepts
Familiarize yourself with the following AutoFocus terminology before you begin researching threats with the tool.
Concept | Description |
---|---|
Samples | For both AutoFocus and WildFire, a sample is a file (such as a PDF or PE) or a link included in an email. The Palo Alto Networks firewall and other sources such as Traps and Proofpoint can forward unknown samples to the WildFire cloud, where WildFire performs Static Analysis and Dynamic Analysis of the sample. As WildFire observes and executes the sample in the analysis environment, it associates Artifacts with the sample. AutoFocus allows you to search for samples based on the sample hash and other Sample Artifacts. When you perform a search, AutoFocus compares all historical and new samples to the search conditions and filters the search results accordingly. AutoFocus receives WildFire analysis information for samples submitted to the WildFire global and regional clouds. |
Sessions | Sessions in AutoFocus search results provide information about how a source submitted a sample to WildFire. Each session has a time stamp that indicates when WildFire received the sample. Sessions matching a sample are reported in WildFire sample searches even when the sample verdict is already known. For samples forwarded by a Palo Alto Networks firewall, the associated session information provides context for the detection of the sample on the network. For samples submitted by another Upload Source (Traps, Traps for Android, Proofpoint, WildFire API, WildFire appliance, Magnifier, Prisma SaaS, Prisma Access, Cortex XDR, or manual upload to the WildFire public portal), the session details are limited to the time stamp, the hash of the sample that was analyzed, and the upload source. Session information also indicates whether a sample was submitted to the WildFire global cloud or a regional cloud. Use Session Artifacts to filter AutoFocus search results. The session data displayed in the search results includes all relevant data submitted to WildFire through the various product integrations. Session data availability does not depend on subscriptions to other services, such as Panorama, Cortex Data Lake, or other Palo Alto Networks products. |
Static Analysis | Static analysis is analysis based on properties of a sample that WildFire can detect and observe in a virtual environment without executing the sample. For details on the type of static analysis information that AutoFocus reports for samples, see Artifact Types. |
Dynamic Analysis | Dynamic analysis consists of executing a sample in a WildFire analysis environment to determine the behaviors and activities that the sample exhibits when it runs. During dynamic analysis, WildFire also observes other behaviors and activities that occur in the analysis environment as a result of executing the sample. For details on the type of dynamic analysis information that AutoFocus reports for samples, see Artifact Types. |
Artifacts | An artifact is a property, activity, or behavior shown to be associated with a sample or a session, both through WildFire analysis of the sample and through AutoFocus statistics. Types of artifacts include IP addresses, domains, URLs, applications, processes, hashes, and email addresses. In AutoFocus, artifacts are highlighted both on the dashboard and within search results, and search results spotlight significant artifacts identified according to risk. The dashboard and the search editor both allow you to add an artifact directly to an ongoing search or to an export list, which you can use to enforce policy on a firewall or to analyze artifacts in a SIEM. For more details on viewing and evaluating artifacts, see Assess AutoFocus Artifacts. |
Threat Indicators | An indicator is an artifact that security experts typically look for to detect signs that a network has been compromised. Indicators are crucial for implementing a network defense strategy based on threat intelligence. The following types of artifacts are considered indicators in AutoFocus: AutoFocus determines which artifacts are indicators through a statistical algorithm based on the tendency of the artifact to be seen predominantly in malware samples. |
Tags | A tag is a collection of search criteria that together indicate a known or possible threat. Both historical and new samples that match the conditions defined for a tag are associated with that tag. You can perform searches and create alerts based on tags. See AutoFocus Tags for details on creating tags and contributing to tags, including more information on Tag Types, Tag Class, Tag Status, and Tag Visibility. |
Public Tags and Samples | Public tags and samples in AutoFocus are visible to all AutoFocus users. For tags you create, you can set the status to public so that the tag is visible to the AutoFocus community, and you can revert the tag to private at any time. Public samples consist of samples from open-source intelligence (OSINT) and other external public sources, as well as samples that AutoFocus users have made public. Samples from your organization can only become public in two ways: |
Private Tags and Samples | Private tags and samples in AutoFocus are visible only to AutoFocus users associated with the same support account. Private tags and samples can be made public, with the option to revert the tag or sample to private status at any time. |
All Tab and All Samples | The All tab on the dashboard and the option to view All Samples in a search include statistics for all samples seen by WildFire, both public and private; however, identifying details are obfuscated for private samples. The All tab on the dashboard displays all malware (including private samples) with obfuscated hashes. The All Samples view in a search obfuscates private sample details, with the exception of the WildFire verdict for the sample, the date the sample was first submitted to WildFire, the file size, and the file type. |
Suspicious | For more on suspicious artifacts in AutoFocus, see Find High-Risk Artifacts and Add High-Risk Artifacts to a Search or Export List. |
Highly Suspicious | For more on highly suspicious artifacts in AutoFocus, see Find High-Risk Artifacts and Add High-Risk Artifacts to a Search or Export List. |
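To make the Threat Indicators and Tags rows above concrete, here is an added Python example. It is not Palo Alto Networks code and it does not reproduce AutoFocus's proprietary indicator algorithm: the malware-ratio score with a minimum-support cutoff, the constructed sample corpus (`.invalid` domains and a TEST-NET-3 address), and the names `find_indicators`, `Tag`, `tag_matches` and `alert_on_new_sample` are all assumptions made for illustration. It shows the two ideas the rows describe: an artifact becomes an indicator when it is seen predominantly in malware rather than benign samples, and a tag is a set of artifact conditions that is matched against both the historical corpus and each newly analyzed sample (the latter being what an alert on a tag fires on).

```python
"""Toy model of two AutoFocus concepts: threat indicators and tags.

Added example, not Palo Alto Networks code. AutoFocus selects indicators with
a proprietary statistical algorithm; the malware-ratio score, the thresholds
and the sample corpus below are assumptions made to illustrate the idea only.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    sha256: str                             # truncated, constructed hash
    verdict: str                            # "malware" or "benign" (other WildFire verdicts omitted)
    artifacts: frozenset[tuple[str, str]]   # (artifact type, value) pairs observed by analysis


def sample(sha, verdict, **by_type):
    """Build a Sample from keyword lists, e.g. domain=[...], ip=[...]."""
    pairs = {(kind, value) for kind, values in by_type.items() for value in values}
    return Sample(sha, verdict, frozenset(pairs))


# Constructed corpus: .invalid domains and a TEST-NET-3 address, not real infrastructure.
HISTORICAL = [
    sample("a1", "malware", domain=["evil-cdn.invalid", "update.vendor.invalid"], ip=["203.0.113.7"]),
    sample("a2", "malware", domain=["evil-cdn.invalid"], ip=["203.0.113.7"]),
    sample("a3", "malware", domain=["evil-cdn.invalid", "update.vendor.invalid"], ip=["203.0.113.7"]),
    sample("a4", "malware", domain=["evil-cdn.invalid", "cdn.common.invalid"]),
    sample("b1", "benign", domain=["update.vendor.invalid"]),
    sample("b2", "benign", domain=["update.vendor.invalid"]),
    sample("b3", "benign", domain=["update.vendor.invalid"]),
    sample("b4", "benign", domain=["update.vendor.invalid"]),
    sample("b5", "benign", domain=["update.vendor.invalid", "cdn.common.invalid"]),
]


def artifact_stats(samples):
    """Per artifact: (number of malware samples it appeared in, number of samples it appeared in)."""
    total, malicious = Counter(), Counter()
    for s in samples:
        for art in s.artifacts:            # artifacts is a set, so a sample counts an artifact once
            total[art] += 1
            if s.verdict == "malware":
                malicious[art] += 1
    return {art: (malicious[art], total[art]) for art in total}


def find_indicators(samples, min_support=3, min_ratio=0.9):
    """Artifacts seen predominantly in malware, as {artifact: malware ratio}.

    min_support stops an artifact seen in a single malware sample from scoring 1.0 on
    no evidence; both thresholds are assumed values, not AutoFocus's.
    """
    return {
        art: mal / tot
        for art, (mal, tot) in artifact_stats(samples).items()
        if tot >= min_support and mal / tot >= min_ratio
    }


@dataclass(frozen=True)
class Tag:
    name: str
    conditions: frozenset[tuple[str, str]]   # (artifact type, value) search criteria
    operator: str = "all"                    # "all": every condition present; "any": at least one


def tag_matches(tag, s):
    hits = tag.conditions & s.artifacts
    return hits == tag.conditions if tag.operator == "all" else bool(hits)


def samples_for_tag(tag, samples):
    """Historical samples associated with the tag (sorted hashes)."""
    return sorted(s.sha256 for s in samples if tag_matches(tag, s))


def alert_on_new_sample(tag, s):
    """Alert hook: a newly analyzed sample that meets the tag conditions raises an alert."""
    return tag_matches(tag, s)


EVIL_CDN = Tag("EvilCDN-infra", frozenset({("domain", "evil-cdn.invalid"), ("ip", "203.0.113.7")}))

if __name__ == "__main__":
    for (kind, value), ratio in sorted(find_indicators(HISTORICAL).items()):
        print(f"indicator {kind}={value} (malware ratio {ratio:.2f})")
    print("historical samples tagged:", samples_for_tag(EVIL_CDN, HISTORICAL))
    new = sample("c1", "malware", domain=["evil-cdn.invalid"], ip=["203.0.113.7"])
    print("alert on new sample c1:", alert_on_new_sample(EVIL_CDN, new))
```

In this corpus `update.vendor.invalid` appears in two malware and five benign samples, so it is a shared artifact rather than an indicator, while `evil-cdn.invalid` and `203.0.113.7` appear only in malware and clear both thresholds. The minimum-support cutoff is the check worth keeping when you build anything like this yourself: without it, every artifact unique to one malware sample would be promoted to an indicator.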