End-of-Life (EoL)

View AutoFocus Threat Data for Logs

With a valid AutoFocus subscription, you can view AutoFocus threat intelligence data for the following artifacts in Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, and Unified logs:
  • IP address
  • URL
  • User agent
  • Threat name (only for threats of the subtype virus and wildfire-virus)
  • Filename
  • SHA-256 hash
You can also open an AutoFocus search for log artifacts.
  1. Connect the firewall to AutoFocus to Enable AutoFocus Threat Intelligence.
    Enable AutoFocus in Panorama to view AutoFocus threat data for all Panorama log entries, including those from firewalls that are not connected to AutoFocus and/or are running PAN-OS 7.0 and earlier release versions (Panorama > Setup > Management > AutoFocus).
  2. Select a log type to view.
    1. Select Monitor > Logs.
    2. Select one of the following log types: Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, or Unified.
  3. Open the AutoFocus Intelligence Summary for an artifact.
    1. Click the drop-down for an IP address, URL, user agent, threat name (subtype: virus or wildfire-virus), filename, or SHA-256 hash in any log entry.
    2. Click AutoFocus.
  4. View the Analysis Information available in AutoFocus for the artifact.
    [Figure: AutoFocus Intelligence Summary]
    • View the number of sessions (1) logged in your firewall(s) in which the firewall detected samples associated with the artifact.
    • Compare the WildFire verdicts (benign, malware, grayware) for global and organization samples (2) associated with the artifact. Global refers to samples from all WildFire submissions, while organization refers to only samples submitted to WildFire by your organization.
    • Review the matching tags (3) for the artifact. AutoFocus Tags indicate whether an artifact is linked to malware or targeted attacks. Hover over a tag to view more details about the tag. Click the ellipsis to launch an AutoFocus search for the artifact. The Tags column in the AutoFocus search results displays more matching tags for the artifact.
  5. For an IP address, domain, or URL artifact, view passive DNS history that includes the artifact.
    Click the Passive DNS tab.
    The passive DNS history is based on global DNS intelligence in AutoFocus; it is not limited to the DNS activity in your network. Passive DNS history consists of the domain request, the DNS request type, the IP address or domain returned in response to the domain request, the number of times the request was made, and the date and time the request was first seen and last seen.
  6. View the latest samples in your network where WildFire found the artifact.
    Click the Matching Hashes tab, which displays the 5 most recently detected matching samples. Sample information includes the SHA-256 hash, the file type, the date that the sample was first analyzed by WildFire, the WildFire verdict for the sample, and the date that the WildFire verdict was updated (if applicable).
  7. Launch an AutoFocus Search for firewall artifacts.
    • Click the link for the log artifact. AutoFocus opens in a new browser tab, with the log artifact added as a search condition.
    • Click a linked artifact in the tables or charts or click any of the matching tags to launch an AutoFocus search for it.
  8. Learn more about how to use AutoFocus Search to investigate threats on your network.
