AutoFocus Intelligence Summary
You can view a graphical overview of threat intelligence that AutoFocus compiles to help you assess the pervasiveness and risk of the following firewall artifacts:
- IP Address
- User agent (found in the User Agent column of Data Filtering logs)
- Threat name (only for threats of the subtypes virus and wildfire-virus)
- SHA-256 hash (found in the File Digest column of WildFire Submissions logs)
To view the AutoFocus Intelligence Summary window, you must first have an active AutoFocus subscription and enable AutoFocus threat intelligence (select
and edit the AutoFocus settings).
After you’ve enabled AutoFocus intelligence, hover over a log or external dynamic list artifact to open the drop-down ( ) and then click
- View Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, and Unified logs ().MonitorLogs
You can also launch an AutoFocus search from the firewall, to further investigate interesting or suspicious artifacts that you find.
Search AutoFocus for...
Click to launch an AutoFocus search for the artifact.
Analysis Information Tab
The number of private sessions in which WildFire detected the artifact. Private sessions are sessions running only on firewalls associated with your support account. Hover over a session bar to view the number of sessions per month.
Organization and global samples (files and email links) associated with the artifact and grouped by WildFire verdict (benign, grayware, malware, phishing).
Globalrefers to samples from all WildFire submissions, while
organizationrefers only to samples submitted to WildFire by your organization.
Click on a WildFire verdict to launch an AutoFocus search for the artifact filtered by scope (organization or global) and WildFire verdict.
AutoFocus tags matched to the artifact:
Hover over a tag to view the tag description and other tag details.
Click a tag to launch an AutoFocus search for that tag.
To view more matching tags for an artifact, click the ellipsis ( ... ) to launch an AutoFocus search for that artifact. The Tags column in the AutoFocus search results displays more matching tags for the artifact.
Passive DNS Tab
The Passive DNS tab displays passive DNS history associated with the artifact. This tab only displays matching information if the artifact is an IP address, domain, or URL.
The domain that submitted a DNS request. Click the domain to launch an AutoFocus search for it.
The DNS request type (example: A, NS, CNAME).
The IP address or domain to which the DNS request resolved. Click the IP address or domain to launch an AutoFocus search.
The Response column does not display private IP addresses.
The number of times the request was made.
The date and time that the Request, Response, and Type combination was first seen based on passive DNS history.
The date and time that the Request, Response, and Type combination was most recently seen based on passive DNS history.
Matching Hashes Tab
The Matching Hashes tab displays the five most recent private samples where WildFire detected the artifact. Private samples are samples detected only on firewalls associated with your support account.
The SHA-256 hash for a sample. Click the hash to launch an AutoFocus search for that hash.
The file type of the sample.
The date and time that WildFire analyzed a sample and assigned a WildFire verdict to it.
The date and time that WildFire updated the WildFire verdict for a sample.
The WildFire verdict for a sample: benign, grayware, malware, or phishing.