Track Down Threats with AutoFocus

Learn how to use AutoFocus to gain visibility into the malware on your SaaS apps and malware propagation.
Prisma SaaS leverages the WildFire service to detect known and unknown malware by file type. AutoFocus provides a centralized view of all your sources, including Prisma SaaS, to help your organization assess the attack surface and specific attack vectors that make your organization vulnerable to threats.
When you configure WildFire analysis so that Prisma SaaS sends contextual information with the files it submits to WildFire, the global administrator on your SOC team has the data needed to determine whether an asset is part of a larger threat, and the details needed to investigate the scope of that activity.

AutoFocus Behaviors with Prisma SaaS

The most common behaviors related to Prisma SaaS assets (artifacts) on AutoFocus are as follows:
Symptom: Some Prisma SaaS assets do not display at all in AutoFocus.
Explanation: If you enabled WildFire analysis prior to March 2020, those scanned files do not display in AutoFocus because Prisma SaaS does not retroactively send files. However, after you enable file types for WildFire analysis, future assets display as expected. Your audit log indicates when you enabled WildFire analysis.
Solution: Nothing. This behavior is expected. Configure WildFire Analysis to include all file types, even if you do not currently have an AutoFocus subscription.

Symptom: Some Prisma SaaS assets in AutoFocus do not have any contextual information.
Explanation: If you previously enabled WildFire analysis, contextual information was not included; that is a new capability as of March 2020. Prisma SaaS does not retroactively send files. However, after you enable contextual information, all future assets display as expected, along with the specified contextual information. Your audit log indicates when you enabled (or disabled) contextual information.
Solution: Nothing. This behavior is expected. Enable all contextual information, even if you do not currently have an AutoFocus subscription.

Symptom: Some Prisma SaaS assets in AutoFocus are missing certain contextual information.
Explanation: If Prisma SaaS doesn't have information for a file, it cannot send that information for that file. Prisma SaaS can only send the information that's available.
Solution: Nothing. This behavior is expected.

Symptom: Your Prisma SaaS tenant is not a hub tenant and your assets do not display in AutoFocus.
Explanation: You might need to perform additional configuration steps to complete your integration. Hub tenants do not require additional configuration steps.
Solution: Contact Prisma SaaS Support.
