AutoFocus Intelligence Summary

The AutoFocus Intelligence Summary offers a centralized view of information about an artifact that AutoFocus has extracted from threat intelligence gathered from other AutoFocus users, WildFire, the PAN-DB URL filtering database, Unit 42, and open-source intelligence.
Analysis Information
The Analysis Information tab displays the following information:
  • Sessions—The number of sessions logged in your firewall(s) in which the firewall detected samples associated with the artifact.
  • Samples—A comparison of organization and global samples associated with the artifact and grouped by WildFire verdict (benign, malware, or grayware). Global refers to samples from all WildFire submissions, while organization refers only to samples submitted to WildFire by your organization.
  • Matching Tags—The AutoFocus tags matched to the artifact. AutoFocus tags indicate whether an artifact is linked to malware or targeted attacks.
Passive DNS
The Passive DNS tab displays passive DNS history that includes the artifact. This passive DNS history is based on global DNS intelligence in AutoFocus; it is not limited to the DNS activity in your network. Passive DNS history consists of:
  • The domain request
  • The DNS request type
  • The IP address or domain to which the DNS request resolved (private IP addresses are not displayed)
  • The number of times the request was made
  • The date and time the request was first seen and last seen
Matching Hashes
The Matching Hashes tab displays the 5 most recently detected matching samples. Sample information includes:
  • The SHA256 hash of the sample
  • The sample file type
  • The date and time that WildFire analyzed a sample and assigned a WildFire verdict to it
  • The WildFire verdict for the sample
  • The date and time that WildFire updated the WildFire verdict for the sample (if applicable)
