AutoFocus Intelligence Summary
You can view a graphical overview of threat intelligence that AutoFocus compiles to help you assess the pervasiveness and risk of the following firewall artifacts:
- IP Address
- User agent (found in the User Agent column of Data Filtering logs)
- Threat name (only for threats of the subtypes virus and wildfire-virus)
- SHA-256 hash (found in the File Digest column of WildFire Submissions logs)
To view the AutoFocus Intelligence Summary window, you must first have an active AutoFocus subscription and enable AutoFocus threat intelligence (select Device > Setup > Management and edit the AutoFocus settings).
After you’ve enabled AutoFocus intelligence, hover over a log or external dynamic list artifact to open the drop-down and then click AutoFocus:
- View Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, and Unified logs (Monitor > Logs).
You can also launch an AutoFocus search from the firewall to further investigate interesting or suspicious artifacts that you find.
Search AutoFocus for...
Click to launch an AutoFocus search for the artifact.
Analysis Information Tab
The number of private sessions in which WildFire detected the artifact. Private sessions are sessions running only on firewalls associated with your support account. Hover over a session bar to view the number of sessions per month.
Organization and global samples (files and email links) associated with the artifact and grouped by WildFire verdict (benign, grayware, malware, phishing). Global refers to samples from all WildFire submissions, while organization refers only to samples submitted to WildFire by your organization.
Click on a WildFire verdict to launch an AutoFocus search for the artifact filtered by scope (organization or global) and WildFire verdict.
AutoFocus tags matched to the artifact:
Hover over a tag to view the tag description and other tag details.
Click a tag to launch an AutoFocus search for that tag.
To view more matching tags for an artifact, click the ellipsis ( ... ) to launch an AutoFocus search for that artifact. The Tags column in the AutoFocus search results displays more matching tags for the artifact.
Passive DNS Tab
The Passive DNS tab displays passive DNS history associated with the artifact. This tab only displays matching information if the artifact is an IP address, domain, or URL.
The domain that submitted a DNS request. Click the domain to launch an AutoFocus search for it.
The DNS request type (example: A, NS, CNAME).
The IP address or domain to which the DNS request resolved. Click the IP address or domain to launch an AutoFocus search.
The Response column does not display private IP addresses.
The number of times the request was made.
The date and time that the Request, Response, and Type combination was first seen based on passive DNS history.
The date and time that the Request, Response, and Type combination was most recently seen based on passive DNS history.
Matching Hashes Tab
The Matching Hashes tab displays the five most recent private samples where WildFire detected the artifact. Private samples are samples detected only on firewalls associated with your support account.
The SHA-256 hash for a sample. Click the hash to launch an AutoFocus search for that hash.
The file type of the sample.
The date and time that WildFire analyzed a sample and assigned a WildFire verdict to it.
The date and time that WildFire updated the WildFire verdict for a sample.
The WildFire verdict for a sample: benign, grayware, malware, or phishing.