With a valid AutoFocus subscription, you can
view AutoFocus threat intelligence data for the following artifacts
in Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering,
and Unified logs:
Threat name (only for threats of the subtype virus and wildfire-virus)
You can also open an AutoFocus
search for log artifacts.
Enable AutoFocus in Panorama to
view AutoFocus threat data for all Panorama log entries, including
those from firewalls that are not connected to AutoFocus and/or
are running PAN-OS 7.0 and earlier release versions.
Select a log type to view.
Select one of the following log types:
Open the AutoFocus Intelligence Summary for an artifact.
Click the drop-down for an IP address,
URL, user agent, threat name (subtype: virus or wildfire-virus),
filename, or SHA-256 hash in any log entry.
in AutoFocus for the artifact.
View the number of sessions (1) logged in your firewall(s)
in which the firewall detected samples associated with the artifact.
Compare the WildFire verdicts (benign, malware, grayware)
for global and organization samples (2) associated with the artifact.
to samples from all WildFire submissions, while
to only samples submitted to WildFire by your organization.
Review the matching tags (3) for the artifact. AutoFocus Tags indicate
whether an artifact is linked to malware or targeted attacks. Hover
over a tag to view more details about the tag. Click on the ellipsis
to launch AutoFocus search for the artifact. The Tags column in
the AutoFocus search results displays more matching tags for the
For an IP address, domain, or URL artifact, view passive
DNS history that includes the artifact.
passive DNS history is based on global DNS intelligence in AutoFocus;
it is not limited to the DNS activity in your network. Passive DNS
history consists of the domain request, the DNS request type, the
IP address or domain returned in response to the domain request,
the number of times the request was made, and the date and time
the request was first seen and last seen.
View the latest samples in your network where WildFire
found the artifact.
displays the 5 most recently detected matching samples. Sample information
includes the SHA-256 hash, the file type, the date that the sample was
first analyzed by WildFire, the WildFire verdict for the sample,
and the date that the WildFire verdict was updated (if applicable).