
AutoFocus Administrator’s Guide

February 2017

paloaltonetworks.com/documentation

Table of Contents
Get Started With AutoFocus........................................................................... 5
About AutoFocus.........................................................................................................................................7
First Look at the AutoFocus Portal........................................................................................................ 9
AutoFocus Concepts................................................................................................................................ 17
Use AutoFocus with the Palo Alto Networks Firewall....................................................................20
AutoFocus Portal Settings...................................................................................................................... 21

AutoFocus Dashboard..................................................................................... 23
Dashboard Overview............................................................................................................................... 25
Set the Dashboard Date Range............................................................................................................ 26
Drill Down on Dashboard Widgets...................................................................................................... 28
Customize the Dashboard...................................................................................................................... 29

AutoFocus Search.............................................................................................31
Start a Quick Search................................................................................................................................ 33
Work with the Search Editor.................................................................................................................35
Drill Down in Search Results................................................................................................................. 42
Samples........................................................................................................................................... 42
Sessions...........................................................................................................................................47
Statistics..........................................................................................................................................48
Indicators........................................................................................................................................ 50
Domain, URL, and IP Address Information............................................................................ 51
Set Up Remote Search............................................................................................................................ 54
Artifact Types.............................................................................................................................................57
General Artifacts...........................................................................................................................57
Sample Artifacts............................................................................................................................58
Session Artifacts........................................................................................................................... 60
Analysis Artifacts.......................................................................................................................... 62
Windows Artifacts....................................................................................................................... 64
Mac Artifacts................................................................................................................................. 64
Android Artifacts.......................................................................................................................... 65
Search Operators and Values................................................................................................................ 68
Guidelines for Partial Searches..............................................................................................................72
Contains and Does Not Contain Operators.......................................................................... 72
Proximity Operator...................................................................................................................... 72

AutoFocus Alerts.............................................................................................. 75
Alert Types................................................................................................................................................. 77
Email Alerts.................................................................................................................................... 77
HTTP Alerts................................................................................................................................... 78
Create Alerts.............................................................................................................................................. 80
Define Alert Actions....................................................................................................................80
Enable Alerts by Tag Type.........................................................................................................83
Create Alert Exceptions..............................................................................................................83
View Alerts in AutoFocus....................................................................................................................... 85
Edit Alerts................................................................................................................................................... 88


AutoFocus Tags................................................................................. 91
Tag Concepts................................................................................................................................ 93
Tag Types........................................................................................................................ 93
Tag Class......................................................................................................................... 94
Tag Status........................................................................................................................ 94
Tag Visibility.................................................................................................................... 95
Tag Details...................................................................................................................................... 96
Create a Tag.................................................................................................................................... 99
Work with Tags............................................................................................................................. 101
Filter and Sort Tags....................................................................................................... 101
Find Samples by Tag Details........................................................................................ 101
Find the Top Tags Detected During a Date Range................................................... 103
See the Top Tags Found with Search Results........................................................... 103
Vote for, Comment on, and Report Tags................................................................... 105

Assess AutoFocus Artifacts............................................................................ 109
Find High-Risk Artifacts.......................................................................................................... 111
Add High-Risk Artifacts to a Search or Export List............................................................ 114
Manage Threat Indicators........................................................................................................ 116

Use the Threat Summary Report to Observe Malware Trends............................. 118
Threat Summary Report Overview......................................................................................... 118
View Threat Summary Report Details.................................................................................... 120

Export AutoFocus Artifacts............................................................................. 123
Build an AutoFocus Export List............................................................................................... 125
Create a CSV File....................................................................................................................... 129
Use Export Lists with the Palo Alto Networks Firewall....................................................... 131

AutoFocus Apps................................................................................................. 133
MineMeld..................................................................................................................................... 135
Introduction to MineMeld............................................................................................ 135
Start, Stop, and Reset MineMeld................................................................................. 136
Use AutoFocus-Hosted MineMeld............................................................................... 137
Create a MineMeld Node.............................................................................................. 138
Connect MineMeld Nodes............................................................................................ 140
Delete a MineMeld Node.............................................................................................. 141
AutoFocus Prototypes................................................................................................... 142
Forward MineMeld Indicators to AutoFocus............................................................. 143
Forward AutoFocus Indicators to MineMeld............................................................. 144
Use AutoFocus Miners with the Palo Alto Networks Firewall................................ 145
Troubleshoot MineMeld................................................................................................ 146

Get Started With AutoFocus

AutoFocus™ is a threat intelligence service that provides an interactive, graphical interface for analyzing threats in your network. With AutoFocus, you can compare threats in your network to threat information collected from other networks in your industry or across the globe, within specific time frames. AutoFocus statistics are updated to include the most recent threat samples analyzed by Palo Alto Networks®. Access to this information allows you to keep up with threat trends and to take a preventive approach to securing your network.

See the following topics to get started with the AutoFocus threat intelligence service. If you haven’t already, first register and activate AutoFocus.

> About AutoFocus
> First Look at the AutoFocus Portal
> AutoFocus Concepts
> Use AutoFocus with the Palo Alto Networks Firewall
> AutoFocus Portal Settings


About AutoFocus

The AutoFocus threat intelligence portal enables you to quickly identify threats on your network, and to contextualize such events within an industry, global, and historical context. AutoFocus harnesses data from WildFire™, the PAN-DB URL Filtering database, Unit 42, and from third-party feeds (including both closed and open-source intelligence). When WildFire analyzes a sample, it finds certain activities, properties, and behaviors to be associated with that sample. AutoFocus then makes the data searchable and layers the data with statistics that both highlight pervasive malware and reveal connections between malware.

Take a look at the following table for an overview of AutoFocus features that allow you to prioritize, contextualize, and address threats affecting your network.

I want to... How can I do this with AutoFocus?

I want to...prioritize events in my network.
• Look at the dashboard. The AutoFocus dashboard visually weights threat Artifacts and statistics to bring focus to pervasive events.
• Check samples for high-risk artifacts. AutoFocus indicates the artifacts that are most likely to be detected with malware as Suspicious or Highly Suspicious. You can Find High-Risk Artifacts in AutoFocus search results.
• Create custom alerts. Create alerts based on Tags to keep track of samples linked to high-risk artifacts. AutoFocus can send notifications to your email account or web server.
• Distinguish between advanced threats and commodity malware. Unit 42 publishes Unit 42 Tag (Alerting) and Unit 42 Informational Tag (Non-Alerting) in AutoFocus that allow you to distinguish between threats or campaigns with global impact (Unit 42 alerting tags) and less impactful threats that do not pose a direct or immediate security risk (Unit 42 informational tags).

I want to...gain context around an event.
• Toggle the dashboard. You can move between views that show the top activity for your network, for your industry, and on a global scale. You can also filter any dashboard view to display data for a specific date range.
• Use the search editor. You can filter your view of search results to show only results from your network or from all public samples. Search results provide detailed analysis information for samples, including all artifacts found to be associated with a sample during WildFire analysis. For each artifact, the number of times that WildFire has detected the artifact with malware, benign, and grayware samples is listed. You can add high-risk artifacts to your search as you go.
• Enable Unit 42 alerts. You can enable alerts from Unit 42, the Palo Alto Networks threat intelligence team. You can also set up prioritized alerts for your private tags or for public tags shared by the AutoFocus community.

I want to...leverage AutoFocus data.
• Export AutoFocus Artifacts. You can add high-risk artifacts to be used with a Palo Alto Networks firewall block list or external dynamic list, or to support a security information and event management (SIEM) solution.

Get Started
• Take a First Look at the AutoFocus Portal.
• Set up an AutoFocus Search.
• Drill down and pivot through search results to discover threat variants.

First Look at the AutoFocus Portal

The AutoFocus dashboard presents a visual landscape of network, industry, and global threat artifacts. A threat artifact could be a sample hash (identifying a link included in an email or a file, such as a PDF or PE), a statistic, a file property, or a behavior that shows a correlation with malware. The Dashboard widgets are interactive—hover over an artifact to view artifact details or click an artifact to add it to a search.

First Look at the Dashboard

Support Account Area
Threat researchers who have access to multiple support accounts can select a single support account to view data from devices associated with that account.
• Start a Quick Search for threat artifacts.
• View the AutoFocus documentation site.
• Log out of the portal.
• Set the context of the dashboard to display activity and artifacts for your organization, or to view data at an industry or global level.
• You can expand or narrow the date range of the threat activity data displayed.

Dashboard
Select an AutoFocus Dashboard tab to set the context for the data displayed: My Organization, My Industry, or All. Threat data and activity displayed on the dashboard widgets will update to reflect the context selected (see the Dashboard Overview for details). Filter the data displayed on the dashboard by context and date:
• Filter by context—Move between the tabs to set the dashboard context, displaying the varying threat landscapes for your network, your industry, or globally.
• Filter by date—Set the dashboard to display data for the last 7, 30, 90, or 180 days. You can also select All time to display all data for the selected context. By default, the dashboard displays data for the last seven days.
The widgets are interactive and can be used to drill down and investigate malware or event details. Hover over artifacts displayed on the dashboard to reveal additional details, or click on an artifact to add it to the search editor.

Navigation Pane
Use the navigation pane to access the following AutoFocus features:
• Dashboard—Display the AutoFocus Dashboard. AutoFocus remembers your last dashboard settings even as you switch between the features on the navigation pane.
• Search—The search editor allows you to perform free-form searches using boolean logic. To get started, Work with the Search Editor. Set up an AutoFocus Search based on threat artifacts gathered from your environment, or from viewing industry or global data on the AutoFocus dashboard. You can then Drill Down in Search Results to find high-risk artifacts, including the number of times that an artifact, such as an IP address, has been detected with malware, benign, and grayware samples.
• Tags—A tag is a set of conditions compared against historical and new samples. You can create your own AutoFocus Tags. Unit 42 also publishes tags in AutoFocus to identify and help you detect known threats. On the Tags page, you can view your private tags, public tags shared by other AutoFocus users, and Unit 42 tags.

• Alerts—Set up AutoFocus Alerts based on tags. Depending on your alert settings, Unit 42, public, and private tags generate alerts when matched to malware and grayware samples in your network. Create Alerts for Unit 42 tags. This allows you to receive prioritized notifications when targeted attacks or threat campaigns identified by Unit 42 are matched to samples.
• Indicators—Keep track of threat indicators that you have forwarded to AutoFocus from external sources and Manage Threat Indicators.
• Exports—Export AutoFocus Artifacts, such as IP addresses, URLs, and domains, to a CSV file. You can then use the CSV file to enable a Palo Alto Networks firewall to enforce policy based on AutoFocus artifacts or to import AutoFocus data to a security information and event management (SIEM) tool.
• Reports—Use the Threat Summary Report to Observe Malware Trends in your network.
• Apps—Launch the MineMeld app, an open-source app whose features are integrated into AutoFocus to highlight artifacts on your network that signal the presence of a potential threat.
• Settings—Update the AutoFocus Portal Settings.

Malware Download Sessions
The Malware Download Sessions histogram displays the malware sessions for samples detected for the first time in the selected date range. The histogram does not include sessions with known malware (malware that was first seen before the selected date range). If you don’t see any malware sessions in the histogram, there may not be any malware detected during the selected date range.
Use the histogram to observe spikes in new malware activity. Adjust the histogram sliders to narrow or broaden the date range. Dashboard widgets automatically update to reflect the date range you have selected. An additional day with no populated data is sometimes displayed on the Malware Download Sessions histogram, regardless of the date range selected. For details, see Set the Dashboard Date Range.

Dashboard Widgets
The dashboard widgets highlight the top ten artifacts depending on the context (my organization, industry, or all) and time range selected:
• Top Applications—Displays the ten most used applications.
• Top Malware—Displays the ten malware samples with the most hits.
• Top Firewalls—Displays the ten firewalls with most sessions where malware samples were detected. Select the Organization tab on the dashboard to display the top firewalls in your network.
• Target Industries—Displays the ten industries with the highest counts of malware detected. Select the All tab on the dashboard to display target industries on a global scale.
Click a single bar in any widget to Drill Down on Dashboard Widgets to add the artifact to a search or to tag it. You can Customize the Dashboard to add or remove widgets.

Malware Sources and Destinations
The Malware Sources and Destinations map allows you to view malware hot spots geographically. Select Source to display countries with high rates of malware sessions originating from those countries, or select Destination to display countries with high rates of targeted attacks. Larger bubbles indicate higher rates of activity. You can also zoom in to more closely examine the number of malware sessions by source or destination country. Refer to Countries and Country Codes for a list of the two-letter country codes used in the map.

Top Tags
The Top Tags widget lists the AutoFocus Tags matched to the highest number of samples. For each tag, the list also displays the total number of samples that have been matched to the tag and the date and time that the most recent matching sample was detected. The Top Tags list is sorted according to the number of samples matched to the tag in the date range selected on the malware sessions histogram (at the top of the dashboard). You can easily distinguish the different tag types by color and icon.
On the Top Tags widget:
• Filter the displayed tags by Tag Class.
• Select from the options under Choose Tag Types to display the top 20 private tags, public tags, Unit 42 alerting tags, and/or Unit 42 informational tags.
• Select a tag to view tag details, including a description of the condition or set of conditions that the tag identifies, or to add the tag to a search.

Alerts Log
The Alerts Log widget displays the latest 20 alerts on malware and grayware matching enabled public, private, or Unit 42 AutoFocus Tags. For details on enabling the delivery of prioritized alerts through email or over HTTP, see Create Alerts.

Recent Unit 42 Research
Browse quick links to the latest research, news, and resources from Unit 42, the Palo Alto Networks threat intelligence team.

Feedback Link
The Give Feedback link provides a quick way to send comments and requests for new features to the AutoFocus team at Palo Alto Networks.

AutoFocus Concepts

Familiarize yourself with the following AutoFocus terminology to help you as you use the tool to begin researching threats.

Concept / Description

Samples
For both AutoFocus and WildFire, a sample refers to a file (such as a PDF or PE) or a link included in an email. The Palo Alto Networks firewall and other sources such as Traps and Proofpoint can forward unknown samples to the WildFire cloud, where WildFire performs Static Analysis and Dynamic Analysis of the sample. AutoFocus receives WildFire analysis information for samples submitted to the WildFire global and regional clouds. AutoFocus allows you to search for samples based on the sample hash and other Sample Artifacts. When you perform a search in AutoFocus, AutoFocus compares all historical and new samples to the search conditions and filters the search results accordingly.

Sessions
Sessions in AutoFocus search results provide information about how a source submitted a sample to WildFire. Each session has a time stamp that indicates when WildFire received the sample. For samples forwarded by a Palo Alto Networks firewall, the associated session information provides context for the detection of the sample on the network. For samples submitted by another Upload Source (Traps, Proofpoint, WildFire appliance, WildFire API, or manual upload to the WildFire public portal), session details are limited to the time stamp, the hash of the sample that was analyzed, and the upload source. Session information also indicates if a sample was submitted to the WildFire global cloud or regional cloud. Use Session Artifacts to filter AutoFocus search results.

Static Analysis
Static analysis is a type of analysis based on properties of a sample that WildFire can detect and observe in a virtual environment without executing the sample. For details on the type of static analysis information that AutoFocus reports for samples, see Artifact Types.

Dynamic Analysis
Dynamic analysis consists of executing a sample in a WildFire analysis environment to determine the behaviors and activities that a sample exhibits when it runs. During dynamic analysis, WildFire also observes other behaviors and activities that occur in the analysis environment as a result of executing the sample. As WildFire observes and executes the sample in the analysis environment, WildFire associates different Artifacts with the sample. For details on the type of dynamic analysis information that AutoFocus reports for samples, see Artifact Types.

Artifacts
An artifact is a property, activity, or behavior shown to be associated with a sample or a session through both WildFire analysis of the sample and through AutoFocus statistics. In AutoFocus, types of artifacts include IP addresses, domains, URLs, applications, processes, hashes, and email addresses. AutoFocus search results spotlight significant artifacts that are identified according to risk; such artifacts are highlighted both on the dashboard and within search results. The dashboard and search editor both allow you to add an artifact directly to an ongoing search or to add it to an export list, which you can use to enforce policy on a firewall or to analyze artifacts in a SIEM. For more details on viewing and evaluating artifacts, see also Assess AutoFocus Artifacts.

Tags
A tag is a collection of search criteria that together indicate a known or possible threat. Both historical and new samples that match the conditions defined for a tag are associated with that tag. You can perform searches and create alerts based on tags. See AutoFocus Tags for details on creating tags and contributing to tags, including more information on Tag Types, Tag Class, Tag Status, and Tag Visibility.

Threat Indicators
An indicator is an artifact that security experts typically observe to detect signs that a network has been compromised. Indicators are crucial for implementing a network defense strategy based on threat intelligence. The following types of artifacts are considered indicators in AutoFocus:
• Domain
• IPv4
• Mutex
• URL
• User agent
AutoFocus determines which artifacts are indicators through a statistical algorithm based on the tendency of the artifact to be seen predominantly in malware samples. With the MineMeld app, you can forward indicators from external threat feeds into AutoFocus. You can then Manage Threat Indicators and Find High-Risk Artifacts that match indicators to check your network for known threats.

Public Tags and Samples
Public tags and samples in AutoFocus are visible to all AutoFocus users. Public samples consist of samples from open-source intelligence (OSINT) and other external public sources, as well as samples that AutoFocus users have made public. For tags you create, you can set the status to public, so that the tag is visible to the AutoFocus community. You can revert the tag to be private at any time. Samples from your organization can only become public in two ways:
• Open the sample details and manually set the sample to Public, in order to share it within the AutoFocus community.
• If a private sample from your organization is later received by WildFire from a public source, the sample will become public at that time.

Private Tags and Samples
Private tags and samples in AutoFocus are visible only to AutoFocus users associated with the same support account. Private tags and samples can be made public, with the option to revert the tag or sample back to private status at any time.

All Tab and All Samples
The All tab on the dashboard and the option to view All Samples in a search include statistics for all samples seen by WildFire, both public and private; however, identifying details are obfuscated for private samples. The All tab on the dashboard displays all malware (including private samples) with obfuscated hashes. The All Samples view in a search obfuscates private sample details with the exception of the WildFire verdict for the sample, the date the sample was first submitted to WildFire, the file size, and the file type.

Suspicious
Suspicious artifacts:
• Have been widely detected across large numbers of samples.
• Are most frequently detected with malware.
Although suspicious artifacts can be detected with grayware and benign samples, they are more often found with malware. For more on suspicious artifacts in AutoFocus, you can Find High-Risk Artifacts and Add High-Risk Artifacts to a Search or Export List.

Highly Suspicious
Highly suspicious artifacts:
• Have been detected in very few samples.
• Are most frequently detected with malware.
In some cases, these artifacts have been exclusively seen with malware and never with grayware or benign samples. The lack of distribution of these types of artifacts could indicate an attack crafted to target a specific organization. For more on highly suspicious artifacts in AutoFocus, you can Find High-Risk Artifacts and Add High-Risk Artifacts to a Search or Export List.
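The following Python script is an added example and is not part of the AutoFocus guide or product. It applies the Suspicious and Highly Suspicious definitions above to per-artifact malware, grayware, and benign detection counts, and then keeps only the flagged artifacts whose type is one of the indicator types listed under Threat Indicators. The count thresholds, the sample artifact table, and the function names are assumptions constructed for this example; AutoFocus does not publish the statistical algorithm it uses, so treat the thresholds as a stand-in for it.

```python
"""Rank artifacts by the risk categories the guide defines (added example).

Assumptions (not from the guide): the numeric thresholds below and the
constructed SAMPLE table. Real counts come from AutoFocus search results,
which list malware/benign/grayware hits per artifact.
"""
from dataclasses import dataclass

# Indicator artifact types, as listed in the Threat Indicators concept.
INDICATOR_TYPES = {"domain", "ipv4", "mutex", "url", "user_agent"}

# Assumed thresholds standing in for the unpublished AutoFocus algorithm.
MALWARE_RATIO_MIN = 0.9     # "most frequently detected with malware"
WIDELY_DETECTED_MIN = 1000  # "widely detected across large numbers of samples"
RARE_MAX = 10               # "detected in very few samples"


@dataclass(frozen=True)
class Artifact:
    kind: str      # artifact type, e.g. "ipv4", "domain", "process"
    value: str
    malware: int   # samples with verdict malware that carried the artifact
    grayware: int
    benign: int

    @property
    def total(self) -> int:
        return self.malware + self.grayware + self.benign

    @property
    def malware_ratio(self) -> float:
        return self.malware / self.total if self.total else 0.0


def classify(a: Artifact) -> str:
    """Return 'highly_suspicious', 'suspicious', or 'none'.

    Both categories require the artifact to be seen mostly with malware;
    they differ in how widely the artifact has been seen at all.
    """
    if a.total == 0 or a.malware_ratio < MALWARE_RATIO_MIN:
        return "none"
    if a.total <= RARE_MAX:          # rare + mostly malware: possibly targeted
        return "highly_suspicious"
    if a.total >= WIDELY_DETECTED_MIN:  # pervasive + mostly malware
        return "suspicious"
    return "none"                    # mid-range prevalence: no category


def is_indicator(a: Artifact) -> bool:
    return a.kind in INDICATOR_TYPES


def flagged_indicators(artifacts):
    """(value, category) for flagged indicator-type artifacts, highest risk first."""
    rank = {"highly_suspicious": 0, "suspicious": 1}
    picked = [(a, classify(a)) for a in artifacts if is_indicator(a)]
    picked = [(a, c) for a, c in picked if c != "none"]
    picked.sort(key=lambda ac: (rank[ac[1]], -ac[0].malware_ratio, ac[0].value))
    return [(a.value, c) for a, c in picked]


# Constructed sample data (documentation IP/domain ranges, not real indicators).
SAMPLE = [
    Artifact("ipv4", "198.51.100.23", 4, 0, 0),              # rare, malware only
    Artifact("domain", "cdn.example.net", 1500, 20, 30),     # widespread, mostly malware
    Artifact("domain", "update.example.org", 900, 5, 4000),  # mostly benign
    Artifact("url", "http://example.com/a.php", 120, 3, 2),  # neither rare nor widespread
    Artifact("mutex", "Global\\MtxLoader42", 6, 1, 0),       # 6/7 < 0.9
    Artifact("process", "svchost.exe", 3, 0, 0),             # flagged, but not an indicator type
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(f"{a.kind:8} {a.value:28} total={a.total:5} ratio={a.malware_ratio:.2f} -> {classify(a)}")
    print("indicators to review:", flagged_indicators(SAMPLE))
```

The process artifact in the sample table is deliberately left out of the indicator list even though its counts qualify it as highly suspicious: the Threat Indicators concept restricts indicators to five artifact types, and a process name such as svchost.exe is not something you would push to a firewall list.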

Use AutoFocus with the Palo Alto Networks Firewall

The following table highlights AutoFocus features that integrate with the Palo Alto Networks firewall:
• Use AutoFocus threat intelligence to assess firewall artifacts. On the firewall, open the AutoFocus Intelligence Summary for artifacts in your firewall logs to view their pervasiveness and risk. Click on any of the artifacts in the summary window to launch an AutoFocus search for it. This feature is supported with firewalls running PAN-OS 7.1 or later release versions.
• Use AutoFocus to search for artifacts in firewall traffic. In AutoFocus, Set Up Remote Search to specify which artifacts to look for in your firewall logs. The firewall web interface opens in a new window in Unified log view. The Unified log entries are filtered based on the remote search artifacts. You can use Panorama to remotely search for artifacts in firewalls that are not connected to AutoFocus and/or are running PAN-OS 7.0 and earlier. This feature is supported with firewalls running PAN-OS 7.1 or later release versions.
• Use AutoFocus indicators to enforce security policy on the firewall. Export AutoFocus Artifacts (such as IP addresses, URLs, or domains) to support a dynamic block list (PAN-OS 7.0 or earlier) or an external dynamic list (PAN-OS 7.1 and later). Use AutoFocus Miners with the Palo Alto Networks Firewall to support an external dynamic list (PAN-OS 8.0).
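The script below is an added example and is not part of the guide or the product. It takes a CSV of exported artifacts, sorts each entry into the list type it would feed (IP, domain, or URL), rejects entries that are not valid for that type, and renders the one-entry-per-line text that a dynamic block list or external dynamic list fetches. Mixing an IP-with-port or a scheme-prefixed domain into a list of the wrong type is the usual way such a list silently fails to match, so the validation runs before anything is published. The two-column CSV layout, the input rows, and the export type names are assumptions constructed for this example; confirm the real export's column names before relying on them.

```python
"""Split an exported artifact CSV into per-type EDL text (added example).

Assumptions (not from the guide): the `type,value` CSV layout, the type
names in EXPORT_KIND_TO_LIST, and the constructed SAMPLE_CSV rows.
"""
import csv
import io
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed input standing in for an AutoFocus export (documentation ranges only).
SAMPLE_CSV = """type,value
ipv4,198.51.100.23
ipv4,203.0.113.0/24
ipv4,203.0.113.5:8080
domain,cdn.example.net
domain,http://evil.example.org
url,http://example.com/a.php
url,example.com/no-scheme
mutex,Global\\MtxLoader42
"""

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_ip(v: str) -> bool:
    """Accept a host address or a CIDR block; reject ports, ranges, names."""
    try:
        ipaddress.ip_network(v, strict=False)
        return True
    except ValueError:
        return False


def valid_domain(v: str) -> bool:
    labels = v.rstrip(".").split(".")
    return len(v) <= 253 and len(labels) >= 2 and all(_LABEL.match(l) for l in labels)


def valid_url(v: str) -> bool:
    parts = urlsplit(v)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


VALIDATORS = {"ip": valid_ip, "domain": valid_domain, "url": valid_url}
# Export artifact type -> firewall list type (assumed names).
EXPORT_KIND_TO_LIST = {"ipv4": "ip", "domain": "domain", "url": "url"}


def build_edl_lists(csv_text: str):
    """Return ({list_type: [entries]}, [(value, reason), ...] for rejected rows)."""
    lists = {k: [] for k in VALIDATORS}
    rejected = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = row["type"].strip().lower()
        value = row["value"].strip()
        list_type = EXPORT_KIND_TO_LIST.get(kind)
        if list_type is None:
            rejected.append((value, f"{kind} has no firewall list type"))
            continue
        if not VALIDATORS[list_type](value):
            rejected.append((value, f"not a valid {list_type} entry"))
            continue
        if value not in lists[list_type]:   # de-duplicate, keep first-seen order
            lists[list_type].append(value)
    return lists, rejected


def render_edl(entries) -> str:
    """One entry per line, newline-terminated, no header or quoting."""
    return "".join(e + "\n" for e in entries)


if __name__ == "__main__":
    lists, rejected = build_edl_lists(SAMPLE_CSV)
    for list_type, entries in lists.items():
        print(f"--- {list_type} list ({len(entries)} entries) ---")
        print(render_edl(entries), end="")
    for value, reason in rejected:
        print(f"rejected {value!r}: {reason}")
```

Each rendered string is what you would serve over HTTP(S) from the web server the firewall is configured to poll, one file per list type.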

AutoFocus Portal Settings
Select Settings on the AutoFocus navigation pane to modify or enable the following settings as needed. The settings for preferred hash, scope, and landing page are unique for each user in a support account.
• Preferred Hash—Select the hash type you would like to use as the default sample or session identifier for AutoFocus search results: SHA-1, SHA-256, or MD5.
• Preferred Scope—Select the default scope of your search results: My Samples (private), Public Samples, or All Samples (private and public samples).
• Landing Page—Select the page that displays by default after logging in to the AutoFocus portal.
• Share public tags anonymously—If you select this option, tags that you share publicly will not list your organization as the tag owner in the tag details.
• Remote Systems—Label and specify the address of a Palo Alto Networks firewall, Panorama, or third-party log management system that AutoFocus can search remotely. You can add up to 500 remote systems. View the complete workflow for how to Set Up Remote Search.
• API—If you have activated an AutoFocus API key in the customer support portal, you can view your key here. Also view the API key status, the number of license users, points usage, and total points. For more information on the AutoFocus API, refer to API documentation and examples.


AutoFocus Dashboard
The AutoFocus™ dashboard visually weights your network data alongside industry and global data to provide both a context for your network activity and a window into threats targeting similar organizations. Focus in on pervasive threat activity and add top artifacts directly to a search. After taking a First Look at the Dashboard, refer to the following topics for an overview of the dashboard and for details on customizing and drilling down on dashboard widgets:
> Dashboard Overview
> Set the Dashboard Date Range
> Drill Down on Dashboard Widgets
> Customize the Dashboard


Dashboard Overview
Scan the AutoFocus dashboard to view and drill down on pervasive artifacts, including top malware, top applications, and top firewalls. Explore and examine targeted threats or trends affecting similar networks and organizations. For an overview of each of the dashboard widgets, take a First Look at the AutoFocus Portal. Drill Down on Dashboard Widgets for more details on a threat artifact, with the option to add the artifact to a search, or tag the artifact as an indicator of compromise (IOC).
You can alternate dashboard views to display the threat landscape for your organization, your industry, or globally. As you move between the three dashboard tabs, the data displayed is updated to reflect the dashboard context:
• My Organization—View the threat landscape for your network, with the capability to drill down and search on data for firewalls associated with the selected support account. Top firewalls are only displayed on the organization tab and are not visible in other contexts.
• My Industry—View the threat landscape across your industry. Industry data is populated according to the industry associated with the selected support account (for example, high tech or healthcare).
• All—View the global threat landscape to contextualize both threats affecting your network and your industry. The All tab includes the additional widget Target Industries that allows you to compare malware rates across industries.
The Industry and All views display statistics for all samples (public and private) but do not allow access to the details of private samples (unless they are private samples from firewalls associated with your support account).

Set the Dashboard Date Range
Filter the threat data displayed on the dashboard based on a default time range, a custom time range, or a single date. The dashboard default time range is applied to all dashboard views (organization, industry, and all) and dashboard widgets immediately update to reflect the time range selected. All time stamps in AutoFocus™ are displayed in Pacific Time (PST/PDT).
• Set the default date range. Set the dashboard to display data for the last 7, 30, 90, or 180 days by default. You can also set the dashboard to display all data by default, regardless of the time period that the data was collected, by setting the time range to All time. The default time range is also reapplied when the dashboard is refreshed.
• Select a custom date range. Adjust the Malware Download Sessions sliders to view sessions for a specific date range. The dashboard time range is updated automatically as you adjust the sliders. The histogram does not include sessions with known malware (malware that was first seen before the selected date range). If you don't see any malware sessions in the Malware Download Sessions histogram, there may not be any malware detected during the selected date range. After modifying the dashboard date range using the Malware Download Sessions histogram, you can refresh your browser at any time to reapply the default date range.
• Set a single date. Click a single bar on the Malware Download Sessions histogram to view the number of sessions with newly-identified malware detected on that date. The dashboard widgets are then filtered to display artifacts for that date only. For example, this view of the dashboard shows events and artifacts only for January 15, 2014. After modifying the dashboard date range using the Malware Download Sessions histogram, you can refresh your browser at any time to reapply the default date range.

Drill Down on Dashboard Widgets
Use the dashboard widgets to add artifacts of interest to a search. For an overview of each of the dashboard widgets, take a First Look at the AutoFocus Portal.
• View artifact details. Hover over the Top Applications, Top Malware, Top Firewalls, and Target Industries widgets to reveal statistics. For example, hover over a single bar on the Top Malware widget (where the bar represents a malware sample) to view a close-up of the sample hash and the number of times the sample was detected during the selected date range.
• Add an artifact to the search editor. Click on a single bar in the Top Applications, Top Malware, Top Firewalls, and Target Industries widgets to jump to the search editor and perform a search using the data. For example, click on a single bar on the Top Malware widget to search on the malware sample hash. Artifacts added to the search editor from the dashboard are added as conditions to the existing search—they do not replace existing search conditions (although you can continue to modify the search from the search editor).
• For details on interacting with the Top Tags widget, Vote for, Comment on, and Report Tags.
• For details on interacting with the Alerts Log widget, View Alerts in AutoFocus.

Customize the Dashboard
You can customize your organization, industry, and global dashboards. Add widgets or remove them based
on your preferences, and pick the order in which they appear on the dashboard.
Dashboard settings are unique and saved for each user in a support account.

STEP 1 | Open the dashboard settings.
Click the Page Editor (1).

STEP 2 | Edit the widgets and widget placement on the dashboard.
• Remove a widget.
Click X to remove a widget (2).
Removing a widget frees up a slot on the dashboard where you can add a widget.
• Add a widget.
Find a blank widget slot, and click Add Widget (3). Then select a widget type.
• Add a new row of widgets.
Choose an area on the dashboard where you would like to insert a new row of widgets, and click Add
Row (4). The newly added row includes two blank slots for widgets by default.
• Remove a row of widgets.
On the right side of the row you want to remove, click Remove Row (5).
• Change the number of widgets in a row.
Change Columns (6) in the row to show up to 4 widgets.

STEP 3 | Save your changes to the dashboard.
When you are finished making your changes, click the Page Editor.

STEP 4 | (Optional) Restore the default dashboard settings.
Click the Page Editor drop-down and Reset Page to Default.


AutoFocus Search
Start a simple search for an artifact from any page in AutoFocus™, or use the AutoFocus search
editor to perform complex searches, with conditions that allow you to narrow or broaden the
scope of your search.

> Start a Quick Search
> Work with the Search Editor
> Drill Down in Search Results
> Set Up Remote Search
> Artifact Types
> Search Operators and Values
> Guidelines for Partial Searches



Start a Quick Search
Start a simple search for an artifact from any page in AutoFocus™, or use the AutoFocus search editor to perform complex searches, with conditions that allow you to narrow or broaden the scope of your search. Watch the tutorial.
Start searching through samples and sessions for matches to an artifact from any page on the AutoFocus portal. After performing a search, you can drill down in sample results to find artifacts seen with that sample. Toggle your view of search results to find:
• The samples matched to your search conditions (Samples tab).
• The sessions during which the samples were detected (Sessions tab).
• The top artifacts associated with the returned samples (Statistics tab).
• The threat indicators found in the returned samples (Indicators tab).
• The DNS history and PAN-DB categorization of the results (Domain, URL & IP Address Information tab).
AutoFocus also makes it easy to view indicators that are found with your search results. For each artifact associated with a sample, AutoFocus lists the number of times the artifact has been detected with benign, grayware, and malware samples. Artifacts that are seen disproportionately with malware are indicated to be Suspicious or Highly Suspicious.

STEP 1 | Click the spyglass icon in the support account area of the portal.
You can also press Alt+s to open quick search. To close quick search, click the x on the top right corner of the search box or click anywhere on the dimmed area of the interface.

STEP 2 | Enter an artifact to search.
When an artifact is incomplete, quick search suggests a list of artifact types that it recognizes. For example, the string ImASampleFile.pl can be a Filename, a Domain, or a URL.

STEP 3 | Select the scope of the search based on the artifact type.
To search for the file ImASampleFile.pl, select an area to search under the category Filename.

The areas to choose from vary depending on the artifact entered.
• Search for My Samples—Search for the artifact in your organization's private samples.
• Search for Public Samples—Search for the artifact in all samples that are shared to the AutoFocus community.
• Search for All Samples—Search for the artifact in private and public samples.
• Search for Sessions—Search for the artifact in session information.
• Show Session Stats—View statistics based on sessions that contain the artifact.
• Go to Sample Detail—(SHA256, SHA1, and MD5 artifacts only) View details about the sample, such as its WildFire verdict (benign, grayware, or malware) and analysis information.
• PanDB/pDNS—View PAN-DB categorization entries, WildFire™ active DNS history, and passive DNS history that match the artifact.

STEP 4 | View the search results in the search editor.

STEP 5 | Choose from the following options:
• Work with the Search Editor to perform more complex searches.
• Drill Down in Search Results to explore additional options and information related to the artifact.

Work with the Search Editor
Use the search editor to perform complex searches based on one or more artifacts. The search editor has a range of features for customizing and executing searches. For details on navigating and using the search results (including adding artifacts to your search as you go), Drill Down in Search Results.
• Open the search editor.
  • Click on an artifact highlighted on the dashboard. The search editor displays with the artifact listed as a search condition.
  • Select Search on the navigation pane and add criteria directly to the search editor:
    • Begin a new search.
    • Use a saved search.
    • Import a search.
• Begin a new search. To create a search condition, choose the type of artifact you want to find and define the scope and value:
  1. Select one of the Artifact Types from the drop-down to perform a search of global threat data based on that artifact type. Start typing the name of the artifact type to narrow down the list of options.
  2. Select an operator for the search condition. The operator determines the scope of search results: you can use the operator to limit or expand potential results, or to return exact match results. Search Operators and Values vary depending on the type of artifact you select.

  You can use the operator to create negative search conditions. Use negative operators such as is not or is not in the list to return more granular search results that exclude samples or sessions that match the negative condition.
  3. Enter or select a value to define the search condition. Depending on the artifact type and operator selected, you may be able to choose from predefined values, or you might be required to enter an exact value to perform the search. Learn more about Search Operators and Values. If you are attempting to select a value from a pre-populated drop-down, and the drop-down appears to be loading for a long period of time, try clearing your browser cache.
• Add conditions to your search.
  • Add more search conditions. You can add up to 300 search conditions to a single search.
  • Remove conditions from your search.
• Narrow or broaden your search. Match results to all or any of the defined search conditions:
  • Narrow search results by selecting All. Search results are only returned for samples that match all conditions.

  • Broaden search results by selecting Any. Search results are returned for samples that match one or more conditions.
• Add a child query. A child query is a condition or a set of conditions nested within and used to qualify a parent query. A child query is evaluated only against the parent query to which it is added. Add a child query to return more granular search results, where the results must match both the parent query and the child query. You can only add up to 4 levels of child queries nested under parent queries. The example search below shows a child query added to the Email Subject condition. Search results will be returned for samples where the following is true:
  • The sample was first seen before March 13, 2015.
  • The email subject for the sample file contained the word test and received a WildFire verdict of either malware or grayware.
• Add a parent query. Click Add Parent Query to nest a search condition under the preceding condition. AutoFocus then only evaluates the nested search condition against the parent condition.

  In the example below, click Add Parent Query to nest the First Seen condition under the WildFire Verdict condition. Search results will be returned for samples where any of the following conditions is true:
  • The sample received a WildFire verdict of malware and was first seen before July 1, 2016.
  • The sample is an Adobe Flash file.
• Adjust search condition placement. Depending on the placement of a condition, you can move it up or down to include it in a child query. Move Up or Move Down search conditions to move conditions to or from a child query. You can also move a condition up or down to remove it from a child query so that it is no longer a nested condition.
• Disable a search condition. Disable a condition to temporarily remove it from a search, and then quickly and easily add the condition back to your search if necessary. This option provides the flexibility to temporarily adjust your search parameters. Disabled search conditions are grayed out.
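The All/Any setting, negative operators, and child queries combine in ways that are easy to get wrong when a search has more than a handful of conditions. The following model is an added example, not part of the guide or of the AutoFocus product: it represents a search as a tree of conditions and parent queries, enforces the 300-condition and 4-level limits the guide states, and evaluates the tree against constructed sample records so the two worked examples above can be checked offline. The field names ("sample.first_seen" and so on) and the sample records are assumptions made for the example.

```python
from datetime import date

MAX_CONDITIONS = 300     # conditions per search, as stated in the guide
MAX_CHILD_LEVELS = 4     # levels of child queries nested under parent queries


def cond(field, operator, value):
    """One search condition: an artifact type, an operator and a value."""
    return {"field": field, "operator": operator, "value": value}


def query(match, *children):
    """A parent query whose children must match 'all' or 'any'."""
    if match not in ("all", "any"):
        raise ValueError("match must be 'all' or 'any'")
    return {"operator": match, "children": list(children)}


def validate(node, level=0):
    """Count leaf conditions and enforce the size and nesting limits."""
    if "children" not in node:
        return 1
    if level > MAX_CHILD_LEVELS:
        raise ValueError(f"more than {MAX_CHILD_LEVELS} levels of child queries")
    total = sum(validate(child, level + 1) for child in node["children"])
    if total > MAX_CONDITIONS:
        raise ValueError(f"more than {MAX_CONDITIONS} conditions in one search")
    return total


def matches(node, sample):
    """Evaluate a query tree against one sample record (a plain dict)."""
    if "children" in node:
        # A child query qualifies its parent: nesting under an 'all' parent
        # means both the parent condition and the child must hold.
        results = [matches(child, sample) for child in node["children"]]
        return all(results) if node["operator"] == "all" else any(results)
    actual = sample.get(node["field"])
    op, expected = node["operator"], node["value"]
    if op == "is":
        return actual == expected
    if op == "is not":
        return actual != expected
    if op == "contains":
        return isinstance(actual, str) and expected.lower() in actual.lower()
    if op == "is in the list":
        return actual in expected
    if op == "is not in the list":
        return actual not in expected
    if op == "is before":
        return actual is not None and actual < expected
    if op == "is after":
        return actual is not None and actual > expected
    raise ValueError(f"unsupported operator {op!r}")


def run(node, samples):
    """Validate the query, then return the ids of the samples it matches."""
    validate(node)
    return [s["id"] for s in samples if matches(node, s)]


# Constructed sample records; the field names are assumptions for this example.
SAMPLES = [
    {"id": "s1", "sample.first_seen": date(2015, 1, 10), "sample.email_subject": "Test invoice",
     "sample.verdict": "malware", "sample.filetype": "PE"},
    {"id": "s2", "sample.first_seen": date(2015, 1, 10), "sample.email_subject": "Test invoice",
     "sample.verdict": "benign", "sample.filetype": "PE"},
    {"id": "s3", "sample.first_seen": date(2016, 9, 1), "sample.email_subject": "test",
     "sample.verdict": "grayware", "sample.filetype": "Adobe Flash File"},
    {"id": "s4", "sample.first_seen": date(2016, 3, 1), "sample.email_subject": None,
     "sample.verdict": "malware", "sample.filetype": "PE"},
]

# The guide's child-query example: the verdict condition nested under Email Subject.
CHILD_QUERY = query(
    "all",
    cond("sample.first_seen", "is before", date(2015, 3, 13)),
    query(
        "all",
        cond("sample.email_subject", "contains", "test"),
        cond("sample.verdict", "is in the list", ["malware", "grayware"]),
    ),
)

# The guide's parent-query example: First Seen nested under WildFire Verdict, matched with Any.
PARENT_QUERY = query(
    "any",
    query(
        "all",
        cond("sample.verdict", "is", "malware"),
        cond("sample.first_seen", "is before", date(2016, 7, 1)),
    ),
    cond("sample.filetype", "is", "Adobe Flash File"),
)

if __name__ == "__main__":
    print("child query  ->", run(CHILD_QUERY, SAMPLES))
    print("parent query ->", run(PARENT_QUERY, SAMPLES))
```

Moving a condition into or out of a child query is the same as moving a leaf between nested groups in this model, which is why a condition's placement changes what a search returns even when the conditions themselves are unchanged.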

  To enable a search condition that was previously disabled, select the ellipses icon for that condition and select Enable.
• Start a new search from your current search. Start a New Search for any of the search conditions of an existing search. The new search launches in a separate browser window.
• Add recent or frequently-used conditions to a search. Select the Show Search History icon and add Recently used or Most used search conditions to your search.
• Add a search condition to a remote search. This is one way to add search conditions that define which artifacts to find remotely in a Palo Alto Networks® next-generation firewall, Panorama, or third-party log management system when you Set Up Remote Search. This option is only available for SHA256 hash, IP address, user agent, filename, or URL search conditions.

• Save a search. Save searches that you might be performing on a regular basis, or to quickly recreate useful search settings: Click the Save Search icon, enter a name and description to identify the saved search when using it later, and save the search.
• Use a saved search. Open Saved Search to view an alphabetical list of previously saved searches, and click the spyglass icon to add a saved search to the search editor.
• Tag a search. Tag a search so you can easily identify and track any existing or future samples that match the search. Tags can be used to define a set of conditions that indicate an important network event or a possible or known threat. Click Tag Results to create a tag based on search conditions. When you Create a Tag, give the tag a recognizable name and description. Select Tags on the navigation pane to manage tags you have created and to view all tags.
• Export a search. You can export a search to share the search between support accounts or with another AutoFocus security expert.
  • After setting up a search and viewing search results, select Export Search.
  • Copy the search filters.
  • Paste the search filters to a local file to send the filters to another user.

• Import a search. Click Import Search to paste and import a previously exported query or a query shared by another AutoFocus security expert.
• View the API request for a sample or session search. Click the >_API link in the Samples or Sessions tab of the search editor to view the API request for initiating the current search. The API request is formatted in cURL and Python (see more information about using the AutoFocus API to perform a search).
• Create a MineMeld miner based on the search. When the MineMeld app is running, Create MineMeld Miner to send artifacts from the sample search results to MineMeld (refer to Forward AutoFocus Indicators to MineMeld).
• Start a remote search. Start a Remote Search to look for artifacts in a Palo Alto Networks firewall, Panorama, or third-party log management system. This feature is supported with firewalls running PAN-OS 7.1 or later release versions. View more details on how to Set Up Remote Search.
• Choose from the following next steps:
  • Click Search to view samples matched to your search conditions. Select the Samples, Sessions, Statistics, and Domain, URL & IP Address Information tabs to Drill Down in Search Results.
  • Assess AutoFocus Artifacts found in your search.
  • Export AutoFocus Artifacts found in your search.

Drill Down in Search Results
An AutoFocus search returns all matching samples and their corresponding sessions (Start a Quick Search or Work with the Search Editor to set up a search). The Samples, Sessions, Statistics, Indicators, and Domain, URL & IP Address Information tabs display search results in different contexts. You can drill down in the results to find correlation among artifacts, to narrow your search by adding artifacts to the search as you go, and to Export AutoFocus Artifacts that are high-risk. See the following topics for details on the different search results views:
• Samples
• Sessions
• Statistics
• Indicators
• Domain, URL, and IP Address Information

Samples
The Samples tab in the AutoFocus search editor displays all samples that match the conditions of the search. By default, the most recently detected samples are displayed. Click the column headers for the sample details to sort samples in ascending (up arrow) or descending (down arrow) order. After searching, a progress bar displays as the search is processing the complete set of results. You can check the cumulative number of samples that meet the search conditions when the search progress is complete.
You can choose to view only My Samples, only Public Samples, or All Samples. All Samples includes both public and private samples; however, private samples submitted by firewalls or sample sources other than those associated with your support account display with an obfuscated hash. You can also change the scope of your search from My Samples (samples found in your network only) to Public Samples or All Samples. Set a default scope for search results to choose which samples are displayed immediately when you launch a search: navigate to the AutoFocus portal Settings and select a Preferred Scope. You must click Save changes to save the new default scope.
To examine Sample Details, click the sample hash.

Sample Details

Sample Details—Lists the sample details and properties. You can view sample details that WildFire detected in environments running different operating systems. The nested File Analysis WildFire Dynamic Analysis section describes the sample's observed behavior and lists each activity the sample performed when executed in the WildFire analysis environment. As you drill down in the WildFire Dynamic Analysis details for a sample, high-risk artifacts associated with the sample are marked for easy identification and you can add Observed Behavior evidence and Activity Artifacts to a new or existing search.
Select a method of viewing the WildFire dynamic analysis of the sample:
• Sections—Groups sample activities by activity type. This view displays by default when you open the file analysis of a sample.
• Sequence—Lists sample activities based on the order in which they occurred in the WildFire analysis environment.
• Tree—For any main parent processes that occurred when the sample executed in the WildFire analysis environment, the child processes and activities that they spawned are grouped under them. The processes are indented to display the visual hierarchy of parent and child processes. Click the minus sign ( - ) next to a parent process to hide the child processes under it, and click the plus sign ( + ) to display them.
In Sequence and Tree view, you can see the activities that occurred in the operating system kernel space and user space:
• Kernel Space—The kernel is the core of the operating system; the kernel space is a memory area where the kernel runs operating system processes and manages other processes.
• User Space—User space is the memory area outside of the operating system kernel, where applications and other user processes are executed.
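The difference between the Sequence and Tree views is a difference in how the same flat list of analysis events is organized. The following script is an added example, not part of the guide or of WildFire: it takes constructed process-start and activity records (the field names and the events are assumptions) and renders them both in the order they occurred and as an indented process tree with the collapse behaviour the minus and plus signs provide, and it pulls out the kernel-space activities separately since those are the ones an analyst usually wants to see first.

```python
from collections import defaultdict

# Constructed analysis events for this example; the field names and the
# activities themselves are assumptions, not WildFire output.
EVENTS = [
    {"seq": 1, "kind": "process", "pid": 100, "ppid": 0, "name": "sample.exe"},
    {"seq": 2, "kind": "activity", "pid": 100, "space": "user",
     "text": "CreateFile C:\\Users\\Public\\drop.dll"},
    {"seq": 3, "kind": "activity", "pid": 100, "space": "kernel",
     "text": "LoadDriver \\Driver\\fltmgr"},
    {"seq": 4, "kind": "process", "pid": 120, "ppid": 100, "name": "cmd.exe"},
    {"seq": 5, "kind": "activity", "pid": 120, "space": "user",
     "text": "Exec schtasks.exe /create /tn Updater"},
    {"seq": 6, "kind": "process", "pid": 130, "ppid": 120, "name": "schtasks.exe"},
    {"seq": 7, "kind": "activity", "pid": 130, "space": "user",
     "text": "RegSetValue HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Updater"},
    {"seq": 8, "kind": "activity", "pid": 100, "space": "user",
     "text": "Connect 203.0.113.7:443"},
]


def sequence_view(events):
    """Sequence view: every event in the order it occurred, tagged with its space."""
    lines = []
    for e in sorted(events, key=lambda e: e["seq"]):
        if e["kind"] == "process":
            lines.append(f"{e['seq']:>2} pid {e['pid']} {e['name']} started (parent {e['ppid']})")
        else:
            lines.append(f"{e['seq']:>2} pid {e['pid']} [{e['space']}] {e['text']}")
    return lines


def tree_view(events, collapsed=frozenset()):
    """Tree view: child processes and activities grouped under their parent.

    collapsed holds the pids whose children are hidden, as clicking the minus
    sign does in the portal. A '+' marks a collapsed parent, '-' an expanded
    one, and ' ' a process that spawned nothing.
    """
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}
    children, activities = defaultdict(list), defaultdict(list)
    for e in events:
        if e["kind"] == "process":
            children[e["ppid"]].append(e["pid"])
        else:
            activities[e["pid"]].append(e)
    lines = []

    def walk(pid, depth):
        proc = procs[pid]
        marker = " " if not children[pid] else ("+" if pid in collapsed else "-")
        lines.append(f"{'  ' * depth}{marker} {proc['name']} (pid {pid})")
        if pid in collapsed:
            return
        # Keep a process's own activities and its children in time order.
        items = activities[pid] + [procs[c] for c in children[pid]]
        for item in sorted(items, key=lambda e: e["seq"]):
            if item["kind"] == "process":
                walk(item["pid"], depth + 1)
            else:
                lines.append(f"{'  ' * (depth + 1)}[{item['space']}] {item['text']}")

    roots = [pid for pid, proc in procs.items() if proc["ppid"] not in procs]
    for pid in sorted(roots):
        walk(pid, 0)
    return lines


def kernel_space_activities(events):
    """Activities that ran in kernel space, listed on their own for review."""
    return [e["text"] for e in events if e["kind"] == "activity" and e["space"] == "kernel"]


if __name__ == "__main__":
    print("\n".join(sequence_view(EVENTS)))
    print()
    print("\n".join(tree_view(EVENTS)))
    print()
    print("\n".join(tree_view(EVENTS, collapsed={120})))
```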

Sample Tags—Lists the tags the sample is associated with, and you can also add a new tag. Hover over a tag to view more tag information in a popup. You can click on the linked tag name to Vote for, Comment on, and Report Tags. (For details on tags and how tagging works, see AutoFocus Tags.)
If a sample has Threat Indicators that match indicators forwarded to AutoFocus from MineMeld, an indicator tag specifies the number of matching indicators. Click on the indicator tag to view the matching indicators. Click the File Analysis tab to navigate back to the sample details.
Sample Visibility—Make a sample Public to share the sample with other AutoFocus security experts. You can also revert the status of the sample to Private at any time.
Network Sessions—Lists all sessions during which samples with the same SHA256 hash were detected. The sessions displayed are all WildFire sessions submitted from your Palo Alto Networks firewall or another Upload Source associated with your support account. Select a single session for session details.

Signature Coverage—Check signature coverage to assess the level of protection in place against malware. Lists the WildFire signatures that match to the sample. Depending on the sample, all or some of the following signature types provide coverage:
• WildFire AV Signatures identify malicious files. Examples of malware for which antivirus signatures provide protection include viruses, worms, trojans, and spyware downloads.
• Download Domain Signatures identify domains that host malware (and from which the sample was downloaded).
• C2 Domain Signatures identify malicious domains that the sample attempted to resolve to when executed in the WildFire analysis environment.
For each of these signature types, the date that WildFire created the signature is listed. The first content version that included the signature is listed, as well as the last content version to include an update to the signature. The table also indicates whether a signature is included in the most current content version. You can toggle between daily, 15 minute, and 5 minute content updates to see the versions that included the signature. To find other samples that are covered by the same signature, set up a search for Threat Name > is and enter the Signature Name as the search value.
Observed Behavior—Expand the Observed Behavior section to find the total number of activities that are Evidence of a specific behavior. Each behavior has an associated risk level, and you can expand a single behavior to see the matching sample activities, which you can then add to a search. For each activity listed, the Type column indicates the activity category and the Value column includes activity artifacts. URLs the sample visited when executed in the WildFire analysis environment might also be listed, including the PAN-DB categorization for each URL.
Indicators—Lists Threat Indicators that AutoFocus detected in the sample's WildFire analysis details. AutoFocus uses a statistical algorithm to determine which artifacts are indicators. The list consists of only artifacts that AutoFocus considers indicators based on the tendency of the artifact to be seen predominantly in malware samples.

Activity Artifacts—Expand an activity section to see all of the sample activities that fall under it. For each activity artifact, the total number of times the artifact has been found with benign, grayware, and malware samples is listed. Based on the sample artifacts, AutoFocus highlights high-risk indicators as Suspicious or Highly Suspicious. Sample indicators that match indicators forwarded to AutoFocus from MineMeld are highlighted with an indicator icon. (Learn more about how to Manage Threat Indicators.) Depending on the artifact, you can:
• Add an artifact to your existing search
• Add an artifact to an export list
• Start a new search for the artifact in a separate browser window
• View more information about domain and URL artifacts
If an artifact is evidence of an observed behavior, the behavior risk level is indicated with an icon: a gray icon indicates a low risk behavior, a yellow icon indicates a medium risk behavior, and a red icon indicates the artifact is evidence of a critical, high-risk behavior.
See Artifact Types for a detailed and expanded description of the WildFire analysis sections and the artifacts they contain.
Next Steps...
• Assess AutoFocus Artifacts found in your search.
• Export AutoFocus Artifacts found in your search.

Sessions
The Sessions tab displays all Sessions associated with samples from your network. Click the column headers to sort sessions in ascending (up arrow) or descending (down arrow) order.
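The benign, grayware, and malware counts listed beside each activity artifact are what make an artifact Suspicious or Highly Suspicious: the guide says only that the scoring is statistical and favours artifacts seen predominantly with malware across many samples. The following scorer is an added example, not AutoFocus's own algorithm (which the guide does not describe), and its thresholds are assumptions. It uses the lower bound of a Wilson score interval on the malware share rather than the raw ratio, so an artifact seen in three malware samples and nothing else scores far lower than one seen in a thousand; grayware detections are treated as non-malware, which is another assumption. The counts are constructed for the example.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class ArtifactCounts:
    """Detection counts for one artifact, as listed beside it in Activity Artifacts."""
    artifact: str
    benign: int
    grayware: int
    malware: int

    @property
    def total(self):
        return self.benign + self.grayware + self.malware


Z = 1.96                    # 95% confidence
SUSPICIOUS = 0.70           # assumed threshold on the lower bound
HIGHLY_SUSPICIOUS = 0.95    # assumed threshold on the lower bound


def wilson_lower_bound(successes, n, z=Z):
    """Lower end of the Wilson score interval for the proportion successes/n.

    Unlike the raw ratio, this drops toward zero when n is small, so a thin
    count cannot outrank a large one with the same ratio.
    """
    if n == 0:
        return 0.0
    p = successes / n
    centre = p + z * z / (2 * n)
    spread = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n))
    return (centre - spread) / (1 + z * z / n)


def classify(counts):
    """Return 'Highly Suspicious', 'Suspicious' or None for one artifact.

    Grayware detections count as non-malware here (an assumption); the guide
    only says suspicious artifacts may also appear with grayware and benign samples.
    """
    bound = wilson_lower_bound(counts.malware, counts.total)
    if bound >= HIGHLY_SUSPICIOUS:
        return "Highly Suspicious"
    if bound >= SUSPICIOUS:
        return "Suspicious"
    return None


def flag_artifacts(all_counts):
    """Map each flagged artifact to its label, strongest first, for a search or export list."""
    flagged = [(c, classify(c)) for c in all_counts]
    flagged = [(c, label) for c, label in flagged if label]
    flagged.sort(key=lambda pair: wilson_lower_bound(pair[0].malware, pair[0].total), reverse=True)
    return {c.artifact: label for c, label in flagged}


# Constructed counts for this example, not data from AutoFocus.
COUNTS = [
    ArtifactCounts("mutex Global\\svc_update_0x1f", benign=0, grayware=2, malware=998),
    ArtifactCounts("url bad.example/dl/payload.exe", benign=3, grayware=5, malware=92),
    ArtifactCounts("user agent Mozilla/4.0 (compatible; MSIE 6.0)", benign=400, grayware=100, malware=500),
    ArtifactCounts("domain fresh-c2.example", benign=0, grayware=0, malware=3),
]

if __name__ == "__main__":
    for c in COUNTS:
        raw = c.malware / c.total
        bound = wilson_lower_bound(c.malware, c.total)
        print(f"{c.artifact:48} raw={raw:.2f} lower={bound:.2f} -> {classify(c)}")
    print(flag_artifacts(COUNTS))
```

The last constructed artifact is the case to watch for when building an export list by hand: a 3-of-3 malware ratio looks perfect, but its lower bound is below 0.45, and an artifact that new is better handled as a lead to verify than as a block-list entry.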

Session Details
After performing an AutoFocus Search, select Sessions and select a single session to drill down for session details. Session details include a Session Summary, from which you can add artifacts to your existing search or launch a new search for an artifact in a separate browser window. The File Analysis tab displays artifacts that WildFire found in the sample detected during the session (see Sample Details for information on the File Analysis tab). Session details also include a list of Related Sessions, which are other sessions during which the same sample was detected.
Display sessions based on the Upload Source. Add the search condition Upload Source > is to your current search and choose a session source. In the example above, the sessions search results have the Upload Source Traps, which means that they are sessions associated with samples submitted to WildFire through Traps.
Next Steps...
• View the associated Samples, Statistics, and Domain, URL, and IP Address Information.
• Assess AutoFocus Artifacts found in your search.
• Export AutoFocus Artifacts found in your search.

Statistics
The Statistics tab collects and visually weights the top artifacts associated with samples matched to your search. You can perform specific searches by clicking on any of the individual artifacts under the Statistics tab. The Statistics tab does not display the same statistics as the AutoFocus Dashboard: while the dashboard displays an overall picture of the threat landscape in different contexts (organization-wide, industry-wide, or global), the Statistics tab displays information that has been filtered based on the current search.

Sample Statistics
After performing an AutoFocus Search, select Statistics. View statistics on artifacts associated with My Samples, Public Samples, or All Samples. Click on an artifact in the Top Applications, Top Malware, Top Firewalls, and Target Industries widgets to add it to your search; the Statistics tab widgets are then filtered based on the added search condition(s). Click the API icon to view the API request to retrieve the artifact data displayed in a widget. The API request is formatted in cURL and Python.

Sample Statistics Example: To view only samples that are distributed through web pages, click the web-browsing bar on the Top Applications widget. Web-browsing is added as a search condition and the widgets, including the Top Countries malware map, are updated to reflect the new web-browsing filter.
Next Steps...
• View associated Samples, Sessions, and Domain, URL, and IP Address Information.
• Assess AutoFocus Artifacts found in your search.
• Export AutoFocus Artifacts found in your search.

Indicators
The Indicators tab is a summary of Threat Indicators that AutoFocus found in the samples returned as search results. Not all sample artifacts are indicators; the Indicators tab only lists artifacts that AutoFocus has determined to be indicators through a statistical algorithm based on the tendency of the artifact to be seen predominantly in malware samples.

Indicators List Details
The Indicators tab only displays indicators drawn from the page of sample search results that you are currently viewing. For example, if your search returns 5 pages of search results and you are viewing the second page, the Indicators tab will only display indicators from that second page of samples. AutoFocus also filters the indicators by the scope you have selected for viewing the sample search results (view only My Samples, Public Samples, or All Samples).

AutoFocus groups the indicators by type:
• Domain
• IPv4
• Mutex
• URL
• User agent

For each indicator, you can view the number of global malware, grayware, and benign samples in which it was detected. AutoFocus highlights indicators that are Suspicious or Highly Suspicious. Each indicator lists the SHA256 hash of the sample(s) in which it was detected. Click on a hash to view sample details. Indicators matching those forwarded to AutoFocus through MineMeld are marked with an indicator tag ( ), which specifies the number of matching indicators. Click on the indicator tag to view the full list of matches.

Domain, URL, and IP Address Information
When searching for a domain, URL, or IP address artifact, the Domain, URL & IP Address Information tab displays information about the artifact from PAN-DB, the global URL database that Palo Alto Networks uses for its URL filtering service. This information can help you assess whether a specific domain, URL, or IP address is associated with suspicious behavior. The tab also provides logs of DNS activity from all samples analyzed with WildFire and passive DNS history where AutoFocus detected instances of the artifact.

STEP 1 | Find domain, URL, and IP address information for an artifact.
• Find information for a specific domain, URL, or IP address:
1. Begin a new search.
2. Work with the Search Editor to set up a search with the following types of artifacts: Domain, URL, IP Address, DNS Activity, or APK Embedded URL.
3. Click the target icon or expand the search result listed under the Domain, URL & IP Address Information tab.
• Find information from the file analysis details for a sample:
1. Click a sample hash to view sample details.
2. View the full DNS Activity details for the sample.
3. Find matches to the artifact in the Request and Response columns.
4. Click the drop-down for any domains, URLs, or IP addresses, and select Domain and URL info.
See Assess AutoFocus Artifacts for details on drilling down in the file analysis details for a sample.

STEP 2 | Review the Domain, URL, and IP Address Details for the artifact.
PAN-DB Categorization | View URLs associated with the domain, URL, or IP address through PAN-DB and the PAN-DB category for each URL.
WildFire DNS History | View a log of domain to IP address mappings based on all samples that launched a request to connect to a domain during WildFire Analysis.
Passive DNS History | View a passive history of domain to IP address mappings that contain matches to the artifact you searched for.

STEP 3 | Choose from the following next steps.
• View associated Samples, Sessions, and Statistics.
• Assess AutoFocus Artifacts found in your search.
• Export AutoFocus Artifacts found in your search.

Set Up Remote Search
Remote search enables you to use AutoFocus to find suspicious IP addresses, SHA256 hashes, URLs, user
agents, and filenames in a specific Palo Alto Networks firewall or a set of Panorama-managed firewalls.
AutoFocus looks for matches to the suspicious artifacts in the firewall log entries. When you launch a
remote search, the firewall or Panorama web interface opens in a new window and displays the search
results in Unified log view.

The remote search feature is supported with firewalls running PAN-OS 7.1 or later release
versions.

AutoFocus also now supports the ability to integrate with third-party log management systems. When
you configure your custom system to work with AutoFocus remote search, you can filter log or event
repositories with AutoFocus search conditions.

STEP 1 | Log in to the firewall or Panorama you want to search with your administrator username and
password.

STEP 2 | Configure the settings of the remote system.
Allow HTTP or HTTPS service on the management interface of your firewall or Panorama. Select the
service that matches the address of the remote system you want to search.

STEP 3 | Add a remote system to search with AutoFocus.
1. Select Settings on the navigation pane.
2. Add new remote systems.
3. Enter a descriptive Name for the remote system.
4. Select a System Type:
1. Select PanOS to add a firewall or Panorama.
2. Select Custom to add a custom system that has been configured to integrate with AutoFocus
remote search.
5. Enter the IP Address or URL of the remote system.
6. Click Save changes.
7. Click Save changes on the Settings page to finish adding the remote system. You can add up to 500
remote systems.

STEP 4 | Add conditions to a remote search:
• Add an artifact from a search result.
1. Perform a search, and view Sample Details.
2. Add any SHA256 hash, IP address, user agent, filename, or URL contained in a sample to a remote
search.
For example, add a sample hash, or add a domain.
3. Click Remote Search to verify that the artifact was added.
• Add a search condition to a remote search.
Click Remote Search to verify that the search condition was added.
• Create a condition to add to a remote search.
1. On the search editor, click Remote Search.
2. Add IP addresses, URLs, user agents, SHA256 hashes, or filenames to the remote search.

STEP 5 | (For Panorama Device Group and Template Administrators Only) For Panorama Device Group
and Template administrators (not superusers), an AutoFocus remote search targeted to
Panorama returns results based on the current Panorama Access Domain setting. Panorama
administrators with role-based access control must first open the Panorama web interface,
select Monitor > Logs and set the Access Domain for which to view search results. Return to
the AutoFocus portal to execute your remote search.

STEP 6 | Start a remote search.
1. Click Remote Search.
2. Review the list of search conditions that you added in Step 4 (Add conditions to a remote search). Add
or remove conditions as needed.
3. Set the remote search to find Any or All of the artifacts on the targeted system.
4. Select one or more Remote systems to search.


5. Click Search.

STEP 7 | View the search results.

If no browser tabs open when you launch remote search, change the settings on your
browser to allow pop-ups from AutoFocus.

A new browser tab opens for each remote system.
• Search results for a firewall or a Panorama are displayed in Unified log view. The list consists of all log
entries that contain the artifacts specified in the remote search.
Panorama search results include log entries from managed firewalls that are not connected to
AutoFocus and/or are running PAN-OS 7.0 or earlier.
• Each custom system opens in a new tab, with the URL formatted to include the conditions specified
in the remote search.

The maximum length for the URL generated through remote search is 1,024
characters. Performing a remote search with multiple search conditions may create a
URL that exceeds the character limit. As a best practice, check which conditions were
added to the URL after launching a search.
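The guide advises checking which conditions actually made it into the generated URL. The following is an added example (not AutoFocus code, and not the URL format AutoFocus itself generates) that models a custom-system query URL in a hypothetical `?match=any&q=type:value` layout, stops appending conditions before the 1,024-character limit, and parses a generated URL back so an administrator can list the intended conditions that are missing from it. The host name and all condition values are constructed placeholders.

```python
from typing import List, Sequence, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Maximum URL length stated in the guide for remote search.
MAX_URL_LENGTH = 1024

Condition = Tuple[str, str]  # (artifact type, value)

# Constructed conditions of the kinds remote search accepts (SHA256 hash, IP address,
# URL, user agent, filename). Every value here is a placeholder, not a real indicator.
CONDITIONS: List[Condition] = [
    ("sha256", "0" * 64),
    ("ip", "192.0.2.10"),
    ("url", "http://example.invalid/path/to/sample.exe"),
    ("useragent", "Mozilla/4.0 (compatible; MSIE 6.0)"),
    ("filename", "invoice.pdf.exe"),
]


def _render(base: str, match: str, conds: Sequence[Condition]) -> str:
    # Hypothetical query layout for a custom system: ?match=any&q=type:value&q=...
    query = urlencode([("match", match)] + [("q", f"{t}:{v}") for t, v in conds])
    return f"{base}?{query}"


def build_url(base: str, conditions: Sequence[Condition], match: str = "any",
              limit: int = MAX_URL_LENGTH) -> Tuple[str, List[Condition]]:
    """Append conditions in order until the next one would push the URL past
    `limit`. Returns the URL and the list of conditions that did not fit."""
    included: List[Condition] = []
    for cond in conditions:
        if len(_render(base, match, included + [cond])) > limit:
            break
        included.append(cond)
    return _render(base, match, included), list(conditions[len(included):])


def conditions_in_url(url: str) -> List[Condition]:
    """Parse (type, value) pairs back out of a generated URL, in order."""
    found: List[Condition] = []
    for item in parse_qs(urlsplit(url).query).get("q", []):
        artifact_type, _, value = item.partition(":")
        found.append((artifact_type, value))
    return found


def missing_conditions(url: str, intended: Sequence[Condition]) -> List[Condition]:
    """Intended conditions that are absent from the URL that was actually generated."""
    present = set(conditions_in_url(url))
    return [c for c in intended if c not in present]


if __name__ == "__main__":
    url, dropped = build_url("https://siem.example.invalid/search", CONDITIONS)
    print(len(url), "characters;", len(dropped), "conditions dropped")
    print(missing_conditions(url, CONDITIONS))
```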

STEP 8 | Learn more about working with Unified logs on the firewall.


Artifact Types
WildFire detects properties, activities, and behaviors when it analyzes samples during static and dynamic analysis, as well as the properties of sessions associated with the samples. WildFire forwards this information to AutoFocus. In AutoFocus, these pieces of information are referred to as Artifacts. You can use the different types of artifacts with Search Operators and Values to find Samples and Sessions.

WildFire detects some artifacts in samples only, in sessions only, or in both samples and sessions (general artifacts). Other artifacts are specific to a particular operating system (Windows, Mac, or Android).
• General Artifacts
• Sample Artifacts
• Session Artifacts
• Analysis Artifacts
• Windows Artifacts
• Mac Artifacts
• Android Artifacts

General Artifacts
General artifacts are artifacts that WildFire associates with both samples and sessions. For example, you can use the artifact type Domain to search based on domains found in samples and sessions. Some general artifacts are tag-related. If you search with a tag-related artifact, the search results display all samples that have one or more tags that meet the search criteria, and their related sessions.

The following general artifact types refer to private session information: Domain, Email Address, Filename, IP Address, and URL. If any of your private tags use these artifact types as tag conditions, you cannot make these tags public.

Artifact Type | Search with this Artifact Type to Find...
Domain | A domain detected in the DNS Activity or HTTP Activity of a sample, or the File URL.
Email Address | An Email Recipient Address or Email Sender Address.
Filename | The File Name of the sample or a filename that AutoFocus found in the File Activity of a sample.

IP Address | A File URL, Source IP, or Destination IP in a session, or an IP address detected in the Connection Activity, DNS Activity, or HTTP Activity of a sample.
URL | A File URL or a URL detected in the HTTP Activity of a sample.
User Agent | A user agent header detected in the HTTP Activity or User Agent Fragments of a sample. The user agent header indicates your browser type and version and your operating system and version. During a session, your browser sends this information to the site you are visiting to determine the best way to deliver the information you requested. Examples of user agent strings include Mozilla/4.0 and Windows NT 6.1.

Sample Artifacts
Sample artifacts are artifacts that WildFire associates with samples only. You can find the following artifact types when you view Sample Details, in the File Analysis details of a sample.

Artifact Type | Search with this Artifact Type to Find...
Digital Signer | The digital signature that identifies the sender of the sample.
File Size | The size of the sample in bytes.
File Type | The file type of the sample. Examples include Email Link, Adobe Flash File, and PDF.
Finish Date | The date and time when WildFire analysis of the sample completed and the sample received a WildFire verdict.
First Seen | The date and time that the sample was first forwarded or uploaded to WildFire.
Hash | The sample’s MD5, SHA1, or SHA256 hash. The search results also include samples in which AutoFocus found the hash in the File Activity of the sample.
Tag | Samples with a specific tag.
Tag Alias | Samples filtered by Tag Alias.
Tag Class | Samples filtered by Tag Class: a malware family, a campaign, an actor, an exploit, or a type of malicious behavior.
Tag Scope | Samples filtered by Tag Scope: private, public, Unit 42 (alerting), or Unit 42 informational (non-alerting).
Tag Source | Samples with tags that are attributed to a particular Tag Source.
Threat Name | Samples that match a particular threat signature.

Artifact Type | Search with this Artifact Type to Find...
Import Table Hash | An import hash, or imphash, is a hash based on the order that API functions are listed in the import table of a Portable Executable (PE). Imphashes can be used to identify similar samples that might belong to the same malware family. Imphashes are listed for malware and grayware samples only (not benign samples).
Last Updated | The date and time when WildFire changed the verdict for a sample.
MD5 | The sample’s unique cryptographic hash generated using the MD5 message-digest algorithm.
Region | Every WildFire cloud (global or regional) to which a sample was submitted for analysis. The sample details list all of the WildFire clouds to which firewalls submitted the sample (different firewalls can submit the same sample to different WildFire clouds).
• US—WildFire global cloud
• EU—WildFire EU cloud
• JP—WildFire Japan cloud
• SG—WildFire Singapore cloud
To find samples that have been submitted to only a single WildFire cloud (and no other WildFire clouds), set up a search for a WildFire cloud. Then, add search conditions excluding samples submitted to the other WildFire clouds from the search results. For example, to search for samples that users submitted to the WildFire global cloud only, search with the condition Region > is > US combined with the condition Region > is not for each of the other WildFire clouds.
SHA1 | The sample’s unique cryptographic hash generated using the Secure Hash Algorithm 1.
SHA256 | The sample’s unique cryptographic hash generated using Secure Hash Algorithm 256.
Ssdeep Fuzzy Hash | The fuzzy hash (generated by the ssdeep program) associated with the sample. The ssdeep program generates an ssdeep hash value, or a fuzzy hash, for a sample which can be used to identify samples that are very similar but not exactly alike. The ssdeep program allows you to compare sample fuzzy hashes to produce a percentage that indicates how closely the samples match. In ssdeep, a high percentage indicates a high number of similarities between the samples. In AutoFocus, fuzzy hashes are listed for malware and grayware samples only (not benign samples).
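To make the Import Table Hash description concrete, here is an added example (not code from the guide or from AutoFocus) that computes an imphash over constructed import tables using the convention common imphash tools follow: the library name lower-cased with its .dll/.ocx/.sys extension stripped, joined to the lower-cased function name, comma-separated in import-table order, then MD5. Ordinal-only imports, which real tools resolve through a name table, are left out, and the three sample import tables are invented for the demonstration.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

Import = Tuple[str, str]  # (library name as stored in the PE, imported function name)

# Constructed import tables for three hypothetical samples (not real malware data).
# A and B import the same functions in the same order, differing only in case;
# C imports the same set in a different order, which is enough to change the imphash.
SAMPLE_IMPORTS: Dict[str, List[Import]] = {
    "sample-A": [("KERNEL32.dll", "GetProcAddress"), ("KERNEL32.dll", "LoadLibraryA"),
                 ("ADVAPI32.dll", "RegSetValueExA"), ("WS2_32.dll", "connect")],
    "sample-B": [("kernel32.DLL", "GetProcAddress"), ("kernel32.DLL", "LoadLibraryA"),
                 ("advapi32.dll", "RegSetValueExA"), ("ws2_32.dll", "connect")],
    "sample-C": [("WS2_32.dll", "connect"), ("ADVAPI32.dll", "RegSetValueExA"),
                 ("KERNEL32.dll", "LoadLibraryA"), ("KERNEL32.dll", "GetProcAddress")],
}


def normalize_library(name: str) -> str:
    """Lower-case the DLL name and drop a .dll/.ocx/.sys extension, so that
    KERNEL32.dll and kernel32.DLL contribute the same token."""
    lib = name.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if lib.endswith(ext):
            return lib[: -len(ext)]
    return lib


def imphash(imports: Iterable[Import]) -> str:
    """MD5 over 'library.function' tokens joined by commas in import-table order.
    Order is part of the hash: the same functions listed differently hash differently."""
    tokens = [f"{normalize_library(lib)}.{func.lower()}" for lib, func in imports]
    return hashlib.md5(",".join(tokens).encode("ascii")).hexdigest()


def cluster_by_imphash(samples: Dict[str, List[Import]]) -> Dict[str, List[str]]:
    """Group sample names by imphash. Samples sharing a hash are candidates for the
    same family or build chain and are worth reviewing together."""
    clusters: Dict[str, List[str]] = {}
    for name, imports in samples.items():
        clusters.setdefault(imphash(imports), []).append(name)
    return clusters


if __name__ == "__main__":
    for digest, names in cluster_by_imphash(SAMPLE_IMPORTS).items():
        print(digest, names)
```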

WildFire Verdict | WildFire assigns a verdict of Malware, Grayware, or Benign to the sample based on properties, behaviors, and activities observed for the file or email link during static and dynamic analysis.

Session Artifacts
Session artifacts are artifacts that WildFire associates with sessions only. You can find the following artifact types when you view Sample Details. Note that you can only view the details of sessions associated with your support account. For this reason, when you search with artifact types that refer to firewall-related properties (for example, firewall serial number or hostname), AutoFocus filters the search results by the properties of the Palo Alto Networks firewall(s) that initiated the session.

The following session artifact types refer to private session information: Device Hostname, Device Serial, Device vsys, Destination IP, Email Charset, Email Recipient Address, Email Sender Address, Email Subject, File Name, File URL, Recipient User ID, and Source IP. If any of your private tags use these artifact types as tag conditions, you cannot make these tags public.

Artifact Type | Search with this Artifact Type to Find...
Application | The App-ID™ matched to the type of application traffic detected in a session. For example, a search for the Application web-browsing returns sessions during which web browsing over HTTP occurred. Visit Applipedia for an updated list of applications that Palo Alto Networks identifies.
Destination Country | The country of the IP address to which the session was destined. Refer to the complete list of countries and country codes in AutoFocus.
Destination Country Code | The two-digit abbreviation for the Destination Country of the session. Refer to the complete list of countries and country codes in AutoFocus.
Destination IP | The destination IP address of the session.
Destination Port | The destination port that the session used.
Device Country | The country to which the IP address on a firewall is registered. Refer to the complete list of countries and country codes in AutoFocus.
Device Country Code | The two-digit abbreviation for the Device Country.
Device Hostname | A name that identifies a Palo Alto Networks firewall. To view the hostname for a firewall, log in to the firewall web interface, select Device > Setup > Management, and view the General Settings.
Device Serial | The serial number of a firewall.
Device vsys | The name of the virtual system on the firewall associated with the session.
Email Charset | For email samples, the character set used to display the message body of an email. Examples of character sets are UTF-8 and ISO-8859-1.
Email Recipient Address | For email samples, the email address of the user who received the email.

Artifact Type | Search with this Artifact Type to Find...
Email Sender Address | For email samples, the email address of the sender.
Email Subject | For email samples, the subject of the email.
File Name | The filename of the sample sent during the session.
File URL | The URL path for the source that hosts the sample.
IMEI | The 15-digit unique International Mobile Equipment Identity number assigned to a mobile phone.
Industry | Industry indicates the field that the source of the session (you or another AutoFocus support account) is associated with. Examples are Aerospace and Defense, High Tech, and Education. Industry is a field you select when you initially set up your AutoFocus account. Contact Palo Alto Networks Support to change it.
Recipient User ID | The username of the user who received an email sample.
Region | The WildFire cloud (global or regional) to which a sample is submitted for analysis. A session in the AutoFocus search results provides information about how a source submitted a sample to WildFire. Since each session corresponds to a single WildFire submission, it can only be associated with a single WildFire cloud.
• US—WildFire global cloud
• EU—WildFire EU cloud
• JP—WildFire Japan cloud
• SG—WildFire Singapore cloud
SHA256 | The SHA-256 hash for the sample associated with the session.
Source Country | The country to which the IP address that initiated the session is registered. Refer to the complete list of countries and country codes in AutoFocus.
Source Country Code | The two-digit abbreviation of the Source Country that sent the session.
Source IP | The IP address of the session source.
Source Port | The source port that the session used.
Status | All samples that a Palo Alto firewall blocked. The Status for blocked samples is Blocked, while the status for allowed samples is blank. To find all allowed samples, search with the condition Status > is not > Blocked.
Time | The time and date when the session started.

Artifact Type | Search with this Artifact Type to Find...
Upload Source | The source that requested a WildFire verdict for a sample or submitted a sample to WildFire for analysis. Choose from a list of possible upload sources:
• Firewall—Samples that a Palo Alto Networks firewall forwarded to WildFire.
• Manual API—Samples uploaded manually through the WildFire API or the WildFire public portal.
• Proofpoint—Samples submitted to WildFire through Proofpoint products.
• Traps—Samples submitted through Traps.
• WF Appliance—Samples that a WildFire appliance submitted to the WildFire public cloud.

Analysis Artifacts
Analysis artifacts make up the WildFire dynamic and static analysis of a sample. WildFire Dynamic Analysis information consists of properties, activities, and behaviors that WildFire detects in the sample when it was executed in an analysis environment. WildFire Static Analysis information consists of artifacts that WildFire can observe from the sample without executing it in an analysis environment.

To get an idea of the artifacts that appear in a WildFire analysis section, start a search with an analysis artifact and for the operator, select has any value. View the file analysis details of the search results, expanding the section you searched for to view the artifacts that WildFire found for it.

Artifact Type | Search with this Artifact Type to Find...
Connection Activity | Processes that accessed other hosts on the network when the sample was executed in the WildFire analysis environment. Artifacts listed for each connection activity include the process that accessed other hosts on the network, the protocol used for the connection, the port through which the process connected, and the IP address and country of the host.
DNS Activity | DNS activity observed when the sample was executed in the WildFire analysis environment. Artifacts listed for each DNS activity include the hostname that was translated (Query column), the resolved domain name or IP address (Response column), and the Type of DNS resource record (Type column) used to resolve the DNS query.
File Activity | Files that showed activity as a result of the sample being executed in the WildFire analysis environment. Artifacts listed for each file activity include the parent process that showed activity, the action the parent process performed, and the file that was altered (created, duplicated, modified, or deleted).

Artifact Type | Search with this Artifact Type to Find...
HTTP Activity | HTTP requests made when the sample was executed in the WildFire analysis environment. Artifacts listed for each HTTP activity include the destination domain of the HTTP request, the HTTP method that the host used, the URL for the requested resource, and the string originating the request (User Agent column). The domain (Host column) and URL values together are the URL for the request. In the example above, the full URL for the first artifact is althawry.org/images/xs.jpg?8b96=71468.
Java API Activity | Java runtime activity seen when the sample was executed in the WildFire analysis environment.
Observed Behavior | Behaviors seen for the sample in the WildFire analysis environment, such as whether the sample created or modified files, started a process, spawned new processes, modified the registry, or installed browser help objects (BHOs). Each behavior is also assigned a risk level of high, medium, low, or informational. The Evidence column lists the total number of sample activities that are evidence of each behavior. On the File Analysis tab within the sample details, alternate between operating system columns to see the list of behaviors observed for each virtual machine in which the sample was executed, and expand a single behavior for the list of matching activities. For each activity listed, the Type column indicates the WildFire analysis section and the Value column includes artifacts that WildFire found for the section. The artifacts displayed might vary depending on the activity category. For example, the File Activity artifacts provided include the parent process that showed activity, the action the process performed, and the file that was altered.
The artifact type Observed Behavior also refers to properties that WildFire observed in a sample during static analysis. These properties appear under the WildFire Static Analysis category Suspicious File Properties.

Artifact Type | Search with this Artifact Type to Find...
Other API Activity | Non-Java API activity seen in the WildFire analysis environment when the sample was executed. Artifacts listed include the parent process that was active, the API calls made by the parent process, and the process that was modified.
Process Activity | Processes that showed activity when the sample was executed. Artifacts listed for each process activity include the parent process that was active, the action the process performed, and the process that was modified.
User Agent Fragments | The user agent header for HTTP requests sent when the sample was executed in the WildFire analysis environment.

Windows Artifacts
Windows artifacts are artifacts that WildFire associates with samples after analyzing the samples in a Windows OS analysis environment.

Artifact Type | Search with this Artifact Type to Find...
Mutex Activity | A mutex (mutual exclusion object) allows programs to share the same resource, though the resource cannot be used by more than one program simultaneously. If the sample generates other program threads when executed in the analysis environment, the mutex created when the programs start is listed along with the parent process.
Registry Activity | Windows Registry settings and options that showed activity when the sample was executed in the analysis environment. Artifacts listed for each registry activity include the parent process that was active, the registry method used by the parent process (Action), and the parameters column lists the registry key that was set, modified, or deleted.
Service Activity | Services that showed activity as a result of the sample being executed in the WildFire analysis environment. Artifacts listed for each service activity include the process that was active, the action that the parent process performed, and the service that was created.

Mac Artifacts
Mac artifacts are artifacts that WildFire associates with samples after analyzing the samples in a Mac OS analysis environment.

Artifact Type | Search with this Artifact Type to Find...
Mac Embedded File | Internal files in a Mac app installer or a Mac app bundle. Details for an embedded file can include the SHA256 and name of the installer or bundle, filename, file location, file format, SHA256 hash, the file’s SHA1 hash, signature status, the signature associated with the file and the name of the signer, the SHA1 hash for the signature, and the file size in bytes.

Mac Embedded URL | URLs that are part of a Mac file. The Path column contains the path for the section of the app where the URL is located.

Android Artifacts
Android artifacts are artifacts that WildFire associates with Android Package (APK) samples after analyzing the samples in an Android analysis environment. An APK file installs an app on an Android mobile phone or tablet.

Artifact Type | Search with this Artifact Type to Find...
APK App Icon | The file path for the app icon that displays in the Android device menu.
APK App Name | The name of the app that displays on the interface of an Android device.
APK Certificate | The hash value of the public key embedded in the digital certificate of the APK file, information about the certificate owner and issuer such as name and location (if provided by the owner/issuer), and the MD5, SHA1, and SHA256 hashes used to sign the certificate. The owner or issuer may provide the following information:
• CN—First name and last name
• OU—Organizational unit
• O—Organization name
• L—City or locality
• ST—State or province
• C—Two-digit country code
APK Certificate File | The file path for the certificate(s) embedded in the APK file.
APK Defined Activity | The class name of activities defined in the APK file. An activity is a component of the app that provides a screen users can interact with to perform a task.
APK Defined Intent | An intent filter, found in an app’s manifest file, lists the type of intents that the Filter components of the app can respond to. An intent is a request an app sends to other apps to perform an action. For example, the YouTube app needs to use a messaging app on your Android device to share videos.
APK Defined Receiver | Broadcast receivers for the APK file. Broadcast receivers allow the app to receive intents broadcast by itself, by the Android device, or by other apps on the device. An example of a broadcast that an app can receive is an indication that the device battery is low.
APK Defined Sensor | Sensors for motion, orientation, or environmental conditions that the app uses when it is running. For example, an app might need to receive sensor readings from the device’s GPS to perform location-based tasks.

Artifact Type | Search with this Artifact Type to Find...
APK Defined Service | Services configured for the APK file. Services are operations that run in the background while the app is running, and do not provide a user interface screen. An example of a service is a notification service for an email app that alerts users when they have new messages.
APK Embedded Library | Third-party libraries that are included in the APK file. A third-party library, which app developers can reuse across multiple apps, contains files of code that accomplish a specific task. An example of an embedded library is Google’s mobile ads software development kit (SDK), AdMob.
APK Embedded URL | URLs that are part of an APK file. The Path column contains the path for the section of the app where the URL is located.
APK Internal File | The file format, file path, and SHA256 hash of files included in the APK file.
APK Package Name | The unique name that identifies an app on an Android device. The general format for a package name is domain.company.application (for example, com.tamapps.learnjapanese).
APK Repackaged | An indication of whether an APK file has been repackaged (True) or not (False). AutoFocus marks a repackaged APK file as suspicious because an attacker can repackage a benign file to contain malicious functionality.
APK Requested Permission | The permissions that the APK file requests from users to perform processes and to access data on their Android device. Examples include permissions to access the camera on the device or to change the audio settings of the device.
APK Sensitive API Call | API calls embedded in the APK file that access restricted services or resources.
APK Signer | Personal information that the app owner provided when he/she signed the app certificate:
• CN—First name and last name
• OU—Organizational unit
• O—Organization name
• L—City or locality
• ST—State or province
• C—Two-digit country code
APK Suspicious API Call | API calls embedded in the APK file that access restricted services or resources. Unlike APK Sensitive API Call, the APK Suspicious API Call lists all instances of an API call and the location of the files where the API call was found.

Artifact Type | Search with this Artifact Type to Find...
APK Suspicious Action | An action that the APK file performed when it was executed in the WildFire analysis environment that may be an indicator of compromise. The Value column contains a description of the action and supporting evidence. For example, if the suspicious action associated with an APK file sends SMS messages while running in the background, the value includes the text message content that the file sent. If the action is loading another APK, DEX, or JAR file, the value includes the path for the file that the APK file loaded.
APK Suspicious Behavior | A sequence of actions that the APK file exhibits, the target of the actions (if there is one), and the location of the files that exhibited the actions. For example, for the suspicious behavior “APK files sends an SMS to a fixed number,” the target is the phone number that received the SMS.
APK Suspicious File | Suspicious files found in the APK file and their file type. An example of a suspicious file is one that contains malicious native code or an executable file in .dex format.
APK Suspicious Pattern | A class of patterns observed in the APK file, a description of what the pattern does, and the location of the files where the pattern occurred.
APK Suspicious String | Suspicious strings of code found in the APK file. For example, a suspicious string can indicate that an app contains shell commands that install or uninstall other apps, or the string can be a suspicious phone number. For each string, you can view the location of the file that contains the string.
APK Version | The version number of the app that is visible to users.

Search Operators and Values
Search operators refine the results that are returned to you when you perform a search. Operators determine which results to display based on the value you select or enter for an artifact type. Refer to the following table when you Work with the Search Editor to set up a search. You can have up to 10,000 values in a single search with multiple search conditions.

Operator | When to Use It | Possible Values
is | Find samples or sessions that contain the exact value you enter. The values must be exact. | • Number • Option—Select a value from the drop-down. • String—Type an exact value (not case-sensitive).
is not | Find samples or sessions that do not contain the exact value you enter. The values must be exact. | • Number • Option—Select a value from the drop-down. • String—Type an exact value (not case-sensitive).
has any value | Find samples or sessions that have reported values for the artifact type, including values such as 0, unknown, or Not Found. | No value required
has no value | Exclude samples or sessions with reported values for the artifact type from the search results. | No value required
is in the list | Find samples or sessions with artifacts that match at least one of the values from a list. You can have up to 1,000 values in your list. | • Option—Select more than one value from the drop-down. • String—Type more than one value (not case-sensitive). Press Enter to separate one value from another.

is not in the list
When to Use It: Exclude samples or sessions that do not have at least one value from a list. You can have up to 1,000 values in your list.
Possible Values:
• Option—Select more than one value from the drop-down.
• String—Type more than one value (not case-sensitive). Press Enter to separate one value from another.

contains
When to Use It: Find samples or sessions that contain the partial value you enter. Use the contains operator if you don’t know the exact value of an artifact. Learn more about the Guidelines for Partial Searches.
Possible Values: String—Type a partial value (not case-sensitive).

does not contain
When to Use It: Find samples or sessions that do not have the partial value you enter. Learn more about the Guidelines for Partial Searches.
Possible Values: String—Type a partial value (not case-sensitive).

proximity
When to Use It: Perform a single search for two or more values. Use the proximity operator with Analysis Artifacts to look for multiple artifacts that can appear in the WildFire analysis of a sample. You can enter the values in any order. Learn more about the Guidelines for Partial Searches.
Possible Values: String—Type partial values if you don’t know the exact value (not case-sensitive).

is after
When to Use It: Find date and time values that occur after a specific date.
Possible Values: Date and Time—Select a date and time, or choose from a drop-down of relative dates such as Yesterday, Last Month, or Last 90 days.

is before
When to Use It: Find date and time values that occur before a specific date.
Possible Values: Date and Time—Select a date and time, or choose from a drop-down of relative dates such as Yesterday, Last Month, or Last 90 days.

is in the range
When to Use It: Find values within a date or numerical range.
Possible Values:
• Date and Time Range—Select the earliest and latest possible date and time that a value can be, or choose from a drop-down of relative dates such as Yesterday, Last Month, or Last 90 days.
• Number Range—Select a minimum and maximum number that a value can be.

greater than
When to Use It: Find values that are more than the number you enter.
Possible Values: Number

greater than or equal
When to Use It: Find values that are more than or equal to the number you enter.
Possible Values: Number

less than
When to Use It: Find values that are less than the number you enter.
Possible Values: Number

less than or equal
When to Use It: Find values that are less than or equal to the number you enter.
Possible Values: Number


Guidelines for Partial Searches
The contains, does not contain, and proximity operators allow you to enter partial values in your search conditions. For more accurate search results, observe the following guidelines for using these operators.
• Contains and Does Not Contain Operators
• Proximity Operator

Contains and Does Not Contain Operators
• Use the contains and does not contain operators if you know part of a value for a single artifact.
Example: To search for samples or sessions with the network identifier 192.168 in the IP address, perform the search IP Address > contains 192.168. Using the does not contain operator will exclude samples or sessions with the network identifier 192.168 from your search results.
• Searches with the contains and does not contain operators are not case-sensitive.
• Any special characters that are not letters or numbers (e.g. period, space, hyphen, backslash, @ symbol) break up a value into two separate values. Type the full strings that appear in between special characters for accurate matches.
Example 1: To search for all sessions sent from email addresses with the domain yahoo.com, perform the search Email Sender Address > contains yahoo.com. The search Email Sender Address > contains yahoo will return results from an email address with the string yahoo in between special characters. The search Email Sender Address > contains ahoo.com will return results from an email address with the domain ahoo.com, but not yahoo.com. The search Email Sender Address > contains yahoo.co may return results from an email address with the domain yahoo.co.uk or yahoo.co.jp, but not yahoo.com.
Example 2: If the File Activity that WildFire has detected for a sample contains the string Windows\ServiceProfiles\LocalService, you can use any of the following terms as partial strings to search for the sample:
• Windows
• ServiceProfiles
• LocalService

Proximity Operator
• Use the proximity operator to search for multiple artifacts that can appear under a WildFire Analysis category of a sample. Enter two or more artifacts in the value field of the search condition.
Example: The search Registry Activity > proximity HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData ueepd-a.exe returns a sample that has both values in at least one of its registry activities.
• The order in which the strings are entered does not affect the search results.
Example: The search Registry Activity > proximity ueepd-a.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData returns the same results as the previous example.
• Searches with the proximity operator are not case-sensitive.
• You can enter partial strings in a proximity search, but you must type the full strings that appear between any special characters that are not letters or numbers (e.g. period, space, hyphen, backslash, @ symbol) for accurate matches.
Example: The search Registry Activity > proximity HKCU\Software\Microsoft\Windows\CurrentVersion ueepd-a.exe returns the registry activity that contains both values (the original guide shows the results in a screenshot). The search Registry Activity > proximity HKCU\Software\Microsoft\Windows\Current ueepd-a.exe will not return those results, because Current is not the full string between the backslashes.
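The operator table earlier in this chapter and the partial-search rules above can be modelled in a few dozen lines, which makes the rules easier to check against your own values before you build a search. The following Python is an added example written for this guide's readers, not AutoFocus code. Its tokenization rule (split a value at every character that is not a letter or digit, then compare tokens ignoring case) is an assumption reconstructed from the page's examples, and the registry activity lines it tests against are constructed, not taken from the guide's screenshots.

```python
"""Model of the AutoFocus search operators and the partial-search
tokenization rules described on this page (added illustration, not AutoFocus code)."""
import re
from typing import Any, Iterable, List, Sequence

MAX_LIST_VALUES = 1000  # per-condition limit stated in the operator table

# Assumption: a value is broken into "full strings" at every character that is
# not a letter or digit (period, space, hyphen, backslash, @ ...).
_SPLIT = re.compile(r"[^0-9A-Za-z]+")


def tokenize(value: str) -> List[str]:
    """Split a value into the full strings between special characters, lower-cased
    because contains/proximity searches are not case-sensitive."""
    return [t.lower() for t in _SPLIT.split(value) if t]


def contains(artifact: str, partial: str) -> bool:
    """The partial value's tokens must occur, in order, as whole tokens of the
    artifact: 'yahoo' and 'yahoo.com' match alice@yahoo.com, 'ahoo.com' does not."""
    hay, needle = tokenize(artifact), tokenize(partial)
    n = len(needle)
    return n > 0 and any(hay[i:i + n] == needle for i in range(len(hay) - n + 1))


def proximity(entries: Iterable[str], partials: Sequence[str]) -> bool:
    """Every partial value must appear in at least one single entry (for example one
    Registry Activity line); the order in which the values are given is irrelevant."""
    return any(all(contains(entry, p) for p in partials) for entry in entries)


def _same(a: Any, b: Any) -> bool:
    """Exact match; string comparison ignores case, as the operator table states."""
    if isinstance(a, str) and isinstance(b, str):
        return a.lower() == b.lower()
    return a == b


def evaluate(operator: str, reported: Any, value: Any = None) -> bool:
    """Apply one search operator to what a sample reported for an artifact type.
    `reported` is None if nothing was reported, a scalar, or a list of entries
    (multi-entry analysis artifacts such as Registry Activity)."""
    if reported is None:
        values: List[Any] = []
    elif isinstance(reported, list):
        values = list(reported)
    else:
        values = [reported]
    if operator in ("is in the list", "is not in the list") and len(value) > MAX_LIST_VALUES:
        raise ValueError(f"a list may hold at most {MAX_LIST_VALUES} values")
    if operator == "has any value":
        return bool(values)  # 0, 'unknown' and 'Not Found' still count as reported values
    if operator == "has no value":
        return not values
    if operator == "is":
        return any(_same(v, value) for v in values)
    if operator == "is not":
        return not any(_same(v, value) for v in values)
    if operator == "is in the list":
        return any(_same(v, x) for v in values for x in value)
    if operator == "is not in the list":
        return not any(_same(v, x) for v in values for x in value)
    if operator == "contains":
        return any(contains(str(v), value) for v in values)
    if operator == "does not contain":
        return not any(contains(str(v), value) for v in values)
    if operator == "proximity":
        return proximity((str(v) for v in values), value)
    if operator == "is in the range":
        low, high = value
        return any(low <= v <= high for v in values)
    if operator == "greater than":
        return any(v > value for v in values)
    if operator == "greater than or equal":
        return any(v >= value for v in values)
    if operator == "less than":
        return any(v < value for v in values)
    if operator == "less than or equal":
        return any(v <= value for v in values)
    raise ValueError(f"unknown operator: {operator!r}")


# Constructed registry activity of one sample (not from the guide's screenshots).
REGISTRY_ACTIVITY = [
    r"RegSetValue, HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData, "
    r"C:\Users\user\AppData\Roaming\ueepd-a.exe",
    r"RegSetValue, HKLM\SOFTWARE\Example\Run, C:\Windows\Temp\other.exe",
]
```

Running evaluate("proximity", REGISTRY_ACTIVITY, [...]) with the two values from the page's example returns True in either order, while shortening CurrentVersion to Current returns False, which is exactly the behaviour the guidelines describe. Note that proximity requires both values on one activity line: two values that only appear on different lines do not match.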


AutoFocus Alerts
Prioritized alerts allow you to quickly distinguish targeted, advanced attacks from commodity malware so that you can triage your network resources accordingly. Set up AutoFocus™ alerts for samples based on Tag Types: Unit 42 Alerting tags, public tags, or private tags. Configure AutoFocus to send alerts to an email account or directly to a web server. The Alerts Log on the dashboard displays alerts depending on the dashboard context. You can also view the complete set of AutoFocus alerts by selecting Alerts on the navigation pane.
> Alert Types
> Create Alerts
> View Alerts in AutoFocus
> Edit Alerts


Alert Types
An alert is a notification about samples that match a set of defined criteria. AutoFocus generates alerts for grayware and malware samples from all Upload Sources associated with your support account, as long as they match the alert criteria. When you Create Alerts on page 80 in AutoFocus, you have the option to receive the notifications by email or over HTTP. You can also View Alerts in AutoFocus on page 85 for a complete log of alerts that have been sent to you.
• Email Alerts on page 77
• HTTP Alerts on page 78

Email Alerts
AutoFocus can send alerts to your email account. In an email alert, the SHA256 hash displays as a hyperlink that opens the WildFire™ analysis of the sample in AutoFocus. An email alert contains the following components:

Name | Description
AutoFocus Alerts | The date and time that the alert was sent in the following format: Month DD, YYYY hh:mm [AM/PM] (UTC)
Number of alerts | The number of unique samples detected within the alert period
For | The name of the support account that created the alert
Date (UTC) | The date and time that the sample was detected in the following format: Month DD, YYYY hh:mm [AM/PM]
Type | The tag type that triggered the alert (unit42, public, or private)
Name | The specific tag that triggered the alert for the sample

Verdict | The WildFire verdict assigned to the sample: malware or grayware. To focus your attention on samples that exhibit malicious behavior, AutoFocus does not send alerts for benign samples.
Matching Sample | The SHA256, SHA1, and MD5 hashes of the sample

HTTP Alerts
HTTP alerts are notifications that AutoFocus generates in JavaScript Object Notation (JSON) data format. AutoFocus sends HTTP alerts as plain text to the web server of your choice using standard HTTP requests. Use HTTP alerts to publish information about detected samples on a web page or a threat feed. When creating an HTTP alert, provide the URL of a server that has been preconfigured to parse the name-value pairs from the alert.
In an HTTP alert, information about the samples is formatted as JSON name-value pairs separated by colons. For example, the name-value pair date: 'March 19, 2016 05:56 PM' describes the date and time that a sample was detected for the alert. All alerts use the same set of field names, but their values vary depending on the samples detected in the alert period. Refer to the following table of field names and possible data types for the field values. The data type describes how a value should be interpreted and stored by the server.

Field Name | Description | Data Type
num_alerts | The number of unique samples detected within the alert period | number
autofocus_alerts | The date and time that the alert was sent in the following format: Month DD, YYYY hh:mm [AM/PM] | string
for | The name of the support account that created the alert | string
alerts | A list of each sample detected and the details associated with it | array
date | The date and time that the sample was detected in the following format: Month DD, YYYY hh:mm [AM/PM] | string
match_sample | The SHA256, SHA1, and MD5 hashes of the sample | string
alert_name | The specific tag that triggered the alert for the sample | string
alert_type | The tag type that triggered the alert. The different alert_type values that can be displayed are: private—private tags owned by you; public—public tags; unit42—tags issued by Unit 42 | string
verdict | The WildFire verdict assigned to the sample: malware or grayware. To focus your attention on samples that exhibit malicious behavior, AutoFocus does not send alerts for benign samples. | string
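The server you name in an HTTP alert action has to parse these fields, so it is worth seeing what "preconfigured to parse the name-value pairs" amounts to on the receiving side. The following Python is an added example for this guide's readers and not AutoFocus code. It follows the field names and data types in the table above; the nesting (the per-sample fields inside each element of the alerts array), the separator between the three hashes in match_sample, and the triage order in prioritized() are assumptions, and the alert body it parses is constructed with placeholder hashes rather than captured from AutoFocus.

```python
"""Receiver-side handling of an AutoFocus HTTP alert body: validate the fields
and data types from the table above and turn the alert into records a feed or
SIEM can store. Added example; not AutoFocus code."""
import json
import re
from datetime import datetime
from typing import Any, Dict, List

DATE_FORMAT = "%B %d, %Y %I:%M %p"            # Month DD, YYYY hh:mm [AM/PM]
ALERT_TYPES = {"private", "public", "unit42"}
VERDICTS = {"malware", "grayware"}             # AutoFocus never alerts on benign samples

# Field names and data types from the page. Assumption: the per-sample fields
# are carried inside each element of the "alerts" array.
TOP_LEVEL = {"num_alerts": (int, float), "autofocus_alerts": str, "for": str, "alerts": list}
PER_SAMPLE = {"date": str, "match_sample": str, "alert_name": str,
              "alert_type": str, "verdict": str}

# match_sample holds SHA256, SHA1 and MD5 in one string; the separator is not
# documented, so hashes are recognised by length as standalone hex words (assumption).
_HASH = re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{64}|[0-9A-Fa-f]{40}|[0-9A-Fa-f]{32})(?![0-9A-Fa-f])")
_HASH_NAME = {64: "sha256", 40: "sha1", 32: "md5"}


def _require(obj: Dict[str, Any], schema: Dict[str, Any], where: str) -> None:
    """Raise if a field is missing or has the wrong JSON type (a bool is not a number)."""
    for name, typ in schema.items():
        value = obj.get(name)
        if value is None or isinstance(value, bool) or not isinstance(value, typ):
            raise ValueError(f"{where}: field {name!r} missing or wrong type")


def parse_hashes(match_sample: str) -> Dict[str, str]:
    """Return {'sha256': ..., 'sha1': ..., 'md5': ...} found in the match_sample string."""
    found = {_HASH_NAME[len(h)]: h.lower() for h in _HASH.findall(match_sample)}
    if "sha256" not in found:
        raise ValueError("match_sample carries no SHA256 hash")
    return found


def parse_http_alert(body: str) -> Dict[str, Any]:
    """Validate one alert body and return {'sent', 'account', 'samples'}."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("alert body is not a JSON object")
    _require(data, TOP_LEVEL, "alert")
    samples: List[Dict[str, Any]] = []
    for i, item in enumerate(data["alerts"]):
        if not isinstance(item, dict):
            raise ValueError(f"alerts[{i}] is not an object")
        _require(item, PER_SAMPLE, f"alerts[{i}]")
        if item["alert_type"] not in ALERT_TYPES:
            raise ValueError(f"alerts[{i}]: unknown alert_type {item['alert_type']!r}")
        if item["verdict"] not in VERDICTS:
            raise ValueError(f"alerts[{i}]: unexpected verdict {item['verdict']!r}")
        samples.append({
            "detected": datetime.strptime(item["date"], DATE_FORMAT),
            "tag": item["alert_name"],
            "tag_type": item["alert_type"],
            "verdict": item["verdict"],
            **parse_hashes(item["match_sample"]),
        })
    # num_alerts counts unique samples in the period; a mismatch is treated as malformed.
    if int(data["num_alerts"]) != len({s["sha256"] for s in samples}):
        raise ValueError("num_alerts disagrees with the samples listed")
    return {"sent": datetime.strptime(data["autofocus_alerts"], DATE_FORMAT),
            "account": data["for"], "samples": samples}


def prioritized(parsed: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Triage order chosen for the receiver: Unit 42 alerting-tag hits first, then
    private, then public tags, oldest detection first within each group."""
    rank = {"unit42": 0, "private": 1, "public": 2}
    return sorted(parsed["samples"], key=lambda s: (rank[s["tag_type"]], s["detected"]))


# Constructed alert body (not a captured AutoFocus alert); hashes are placeholders.
SAMPLE_ALERT = json.dumps({
    "num_alerts": 2,
    "autofocus_alerts": "March 19, 2016 06:00 PM",
    "for": "Example Support Account",
    "alerts": [
        {"date": "March 19, 2016 05:56 PM",
         "match_sample": f"{'ab' * 32} {'cd' * 20} {'ef' * 16}",
         "alert_name": "ExamplePublicTag", "alert_type": "public", "verdict": "grayware"},
        {"date": "March 19, 2016 05:58 PM",
         "match_sample": f"{'12' * 32} {'34' * 20} {'56' * 16}",
         "alert_name": "ExampleUnit42Tag", "alert_type": "unit42", "verdict": "malware"},
    ],
})
# The same body with a verdict AutoFocus does not send, to exercise the validation path.
BAD_ALERT = SAMPLE_ALERT.replace('"grayware"', '"benign"')
```

Because the field names never change, the schema dictionaries are the only part a receiver needs to keep in step with the guide; rejecting a body that fails validation, rather than storing partial records, keeps a feed built from these alerts consistent.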

Create Alerts
Create alerts to monitor samples in your network based on their tags. Create an alert for Unit 42 tags to receive notifications based on new threats and attacks identified by the Unit 42 threat intelligence research team. You only receive notifications for samples matching the alert criteria (the tag) in the digest period you select; if AutoFocus does not detect matching samples during the digest period, it does not send out an alert. By default, the alert action for all tag types is none, and alerts are disabled. Select a different alert action to enable alerts for each tag type. The following steps walk you through the process of creating alerts in AutoFocus:
STEP 1 | Select Alerts on the navigation pane, and then select Settings.
STEP 2 | Define Alert Actions. Defining alert actions includes choosing to receive the alert as an email or HTTP notification and setting the alert frequency.
STEP 3 | Enable Alerts by Tag Type. The Alert on Tag Type column describes the tag types that samples in your network must match to trigger an alert: Unit 42, Public, or Private.
STEP 4 | To receive alerts for certain tags and disable them for others, Create Alert Exceptions.

Define Alert Actions
Define alert actions that you can then select to Enable Alerts by Tag Type. An alert action sets the type, destination, and frequency of the alert. The default alert action none cannot be edited or deleted. Use this alert action to disable alerts for tags.
STEP 1 | Select Alerts > Settings.
STEP 2 | Scroll to the bottom of the Settings tab, and click Add Alert Action.

STEP 3 | Give the alert action a descriptive name.
STEP 4 | Define the type of alert you want to receive: Email or HTTP.
STEP 5 | Set the alert destination (email address or server URL).
For email alerts: Enter the email address where you would like to receive Email Alerts.

For HTTP alerts: Enter the URL of your server that you have configured to receive HTTP Alerts.
STEP 6 | Set the alert digest to 5 Minutes or Daily. Digest sets the frequency with which AutoFocus checks for samples that match the alert criteria. AutoFocus collects all samples that match the alert criteria during the digest period and sends them in a single notification.
STEP 7 | Click Save Changes.
STEP 8 | Enable Alerts by Tag Type. The Action drop-down contains all saved alert actions, which you can apply to samples matched to Unit 42, public, and private tags.

Enable Alerts by Tag Type
Enable alerts based on Tag Types. You can choose to generate an alert for all samples in your network matched to a tag type. Additionally, you can Create Alert Exceptions to set up prioritized alerts for specific tags or to disable alerts for them.
STEP 1 | Select Alerts > Settings.
STEP 2 | If there are no email or HTTP Alert Actions listed, Define Alert Actions.
STEP 3 | Choose an alert for each tag type. Select an alert Action for samples matched to Unit 42, public, and private tags. Use this step at any time to change the alert action for a tag type.
STEP 4 | Enable the alert for a tag type. For each tag type, select Enabled? to receive alerts when AutoFocus detects samples in your network that match the tag type.
STEP 5 | If necessary, specify tags to exclude from the alert for the tag type.
STEP 6 | Choose from the following next steps:
• Both Email Alerts and HTTP Alerts list all the samples matched to the alert criteria in the digest period.
• View Alerts in AutoFocus.
• You can Edit Alerts or Disable Alerts.

Create Alert Exceptions
You can choose different alert settings for individual tags by adding the tags as alert exceptions. Create exceptions so that the alerts you receive for threat samples are prioritized by tag. Create Alert Exceptions in order to:
• Create and enable custom alerts for specific tags.
• Disable alerts for tags for which you don’t need to receive alerts.
STEP 1 | Select Alerts > Settings.
STEP 2 | If there are no email or HTTP Alert Actions listed, Define Alert Actions.

STEP 3 | Identify the tag type for which you want to create an alert exception, and click Add Exception.
STEP 4 | In the Tag field, start typing the tag name, and select it from the list of tags.
STEP 5 | Select an alert Action for the tag.
• Select one of the email or HTTP alert actions to enable alerts for the tag.
• Select none to disable alerts for the tag.
STEP 6 | Select Enabled? to enable the alert action for samples in your network that match the tag.
STEP 7 | Click Save Exception.
STEP 8 | To change or delete alert exceptions, Edit Alerts.
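The three procedures above (Define Alert Actions, Enable Alerts by Tag Type, Create Alert Exceptions) layer on each other, and it helps to see how the layers combine for a batch of samples in one digest period. The following Python is an added model written for this guide's readers, not AutoFocus code. The precedence it implements (an enabled exception overrides the tag-type setting; none always disables; an exception that is not enabled is ignored so the tag-type setting applies; benign samples and Unit 42 informational tags never alert; an action with no matching samples produces no notification) is taken from the text, except that the handling of an exception that is not enabled is an assumption. The action names, destinations, tag names and hashes are constructed placeholders.

```python
"""Model of how alert actions, tag-type settings and alert exceptions combine
into the notifications sent for one digest period. Added example; not AutoFocus code."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AlertAction:
    name: str
    kind: str          # "Email" or "HTTP"
    destination: str   # email address or server URL
    digest: str        # "5 Minutes" or "Daily"


# The built-in action that disables alerts; it cannot be edited or deleted.
NONE = AlertAction("none", "", "", "")


@dataclass
class AlertSettings:
    actions: Dict[str, AlertAction]           # saved alert actions by name
    by_tag_type: Dict[str, Tuple[str, bool]]  # tag type -> (action name, Enabled?)
    exceptions: Dict[str, Tuple[str, bool]]   # tag name -> (action name, Enabled?)


@dataclass(frozen=True)
class Sample:
    sha256: str
    verdict: str               # malware, grayware or benign
    tag: str
    tag_type: str              # unit42, public or private
    informational: bool = False  # Unit 42 informational (non-alerting) tag


def resolve_action(settings: AlertSettings, tag: str, tag_type: str) -> AlertAction:
    """An enabled exception for the tag overrides the tag-type setting. Assumption:
    an exception that is not enabled is ignored, so the tag-type setting applies;
    a tag type that is not enabled, or whose action is none, sends nothing."""
    if tag in settings.exceptions:
        name, enabled = settings.exceptions[tag]
        if enabled:
            return settings.actions.get(name, NONE)
    name, enabled = settings.by_tag_type.get(tag_type, ("none", False))
    return settings.actions.get(name, NONE) if enabled else NONE


def build_digests(settings: AlertSettings, samples: List[Sample]) -> Dict[str, List[Sample]]:
    """Group one digest period's samples into a single notification per alert action.
    Benign samples and Unit 42 informational tags never alert, each unique sample is
    listed once per notification, and an action with no samples gets no entry."""
    digests: Dict[str, List[Sample]] = defaultdict(list)
    listed = set()
    for s in samples:
        if s.verdict == "benign" or s.informational:
            continue
        action = resolve_action(settings, s.tag, s.tag_type)
        if action == NONE or (action.name, s.sha256) in listed:
            continue
        listed.add((action.name, s.sha256))
        digests[action.name].append(s)
    return dict(digests)


def example_settings() -> AlertSettings:
    """Constructed settings; names and destinations are placeholders."""
    soc_mail = AlertAction("soc-mail", "Email", "soc@example.com", "5 Minutes")
    feed = AlertAction("feed", "HTTP", "https://feed.example.com/autofocus", "Daily")
    return AlertSettings(
        actions={"none": NONE, "soc-mail": soc_mail, "feed": feed},
        by_tag_type={"unit42": ("soc-mail", True), "public": ("feed", True),
                     "private": ("none", False)},
        exceptions={
            "NoisyPublicTag": ("none", True),          # disable alerts for one public tag
            "CriticalPrivateTag": ("soc-mail", True),  # prioritize one private tag
            "StaleException": ("soc-mail", False),     # not enabled: tag-type setting applies
        },
    )


def example_samples() -> List[Sample]:
    """Constructed samples for one digest period; hashes are placeholders."""
    return [
        Sample("11" * 32, "malware", "Unit42TagA", "unit42"),
        Sample("11" * 32, "malware", "Unit42TagA", "unit42"),   # same sample hit twice
        Sample("22" * 32, "grayware", "NoisyPublicTag", "public"),
        Sample("33" * 32, "malware", "CriticalPrivateTag", "private"),
        Sample("44" * 32, "malware", "OtherPrivateTag", "private"),
        Sample("55" * 32, "malware", "StaleException", "public"),
        Sample("66" * 32, "malware", "InfoTag", "unit42", informational=True),
        Sample("77" * 32, "benign", "Unit42TagB", "unit42"),
    ]
```

With the constructed settings, build_digests() yields one email notification (soc-mail) carrying the Unit 42 hit and the prioritized private tag, one HTTP notification (feed) carrying the public sample whose exception is not enabled, and nothing for the disabled public tag, the private tag type (action none), the informational tag or the benign sample.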

View Alerts in AutoFocus
The Alerts Log on the dashboard displays alerts that were generated within the selected dashboard date range. Alternatively, select Alerts on the navigation pane to view the complete set of alert logs. Alert logs are available for a month from the period the log was generated. Alert times are displayed in Pacific Time (PST/PDT).
• Find alerts.
• Select Dashboard to view the Alerts Log widget. The Alerts Log widget displays the most recent samples that matched your alert criteria, beginning with the most recent alerts. Sort the rows according to Time, SHA256, Tag Type, or Tag. Alternatively, click the column headers to sort the rows in ascending (up arrow) or descending (down arrow) order.
• Select Alerts > Alerts Log to view all samples that have triggered alerts, including the latest time and the total number of times that traffic was matched to the tag. You can also click the SHA256 link for a sample entry to add the sample to a search.
• Scan tag details. Hover over the tag on which the alert is based to view tag details.
• Search on the latest sample that triggered an alert. Click the sample hash on the Alerts Log widget to add the sample to an AutoFocus search.

• Review and/or search on the conditions that triggered an alert. Select a tag on the Alerts Log widget to view tag details. Tag details include a description of the tag and a list of the conditions defined for the tag. From the tag details, open a search based on the tag or a single condition defined for the tag:

• Add the tag to the search editor, to search for all historical and global samples matched to the tag.
• Add a single condition defined for the tag to the search editor, to search for all historical and global samples matched to that single condition.

Edit Alerts
Alerts are highly customizable and can be changed or deleted anytime. Change the settings of an existing alert action or alert exception as necessary. To view all options for editing alerts, select Alerts > Settings.
• Edit an Alert Action. Modify the name of the alert action, the alert type (Email or HTTP), the email address or server URL that receives the alert, and how frequently the alert is generated.
• Edit an Alert Exception. Modify the tag chosen as an alert exception and the alert action that occurs when AutoFocus detects a sample that matches the tag. Select Enabled? to enable the alert action.
• Disable Alerts. Disable an alert to stop receiving notifications for certain tags. Select the action none for a tag type. To disable alerts for an alert exception, Edit an Alert Exception and select the action none.
• Delete an Alert Exception. Delete an alert exception permanently.

• Delete an Alert Action. Delete an alert action permanently.


AutoFocus Tags
Group a set of conditions with a tag. All past and future samples that match the tag conditions are automatically marked with the tag. Use tags to search for samples to gain context and insight into surrounding events, allowing you to take quick action to remediate possible threats. Create Alerts on page 80 based on a tag to be notified each time AutoFocus™ detects new samples that match the tag conditions. The Unit 42 threat research team shares threat intelligence with the AutoFocus community through official Unit 42-issued tags. Unit 42 also verifies threats discovered by third-party individuals and organizations and creates tags for these threats. See the following topics for details on tags, how to create your own tags, and how to see tags shared by Unit 42 and other AutoFocus users:
> Tag Concepts on page 93
> Tag Details on page 96
> Create a Tag on page 99
> Work with Tags on page 101
> Vote for, Comment on, and Report Tags on page 105


Tag Concepts
Click Tags on the navigation pane to view a complete list of public, private, and Unit 42 tags.
• Tag Types
• Tag Class
• Tag Status
• Tag Visibility

Tag Types
Tag colors and icons allow you to easily distinguish the different tag types at a glance. When a tag is linked to a Tag Class, its default icon changes into a tag class icon.

Tag Type | Description
Unit 42 Tag (Alerting) | Unit 42 tags are created by Unit 42, the Palo Alto Networks® threat intelligence and research team, to detect and identify threats and campaigns that pose a direct security risk. Enable AutoFocus Alerts for Unit 42 tags to receive immediate notifications from AutoFocus when it detects samples in your network that match Unit 42 tags. Unit 42 tags have an orange outline and a Unit 42 icon. Tags for threats discovered by an individual or organization outside of Unit 42 have a pointed and marked top right corner.
Unit 42 Informational Tag (Non-Alerting) | Unit 42 also publishes informational tags that group and identify commodity threats. Often, threat signatures already exist and are distributed to identify and enforce the traffic identified with informational tags. When you enable AutoFocus Alerts for Unit 42 tags, AutoFocus does not generate alerts for samples that match Unit 42 informational tags, so you can focus your resources on addressing targeted or pervasive threats. Informational tags have a faded orange outline and a Unit 42 icon. Tags for threats discovered by an individual or organization outside of Unit 42 have a pointed and marked top right corner.
My Private Tag | Create a Tag that is visible only to your organization. Private tags allow you to tag a sample hash or a set of search conditions that might be specific or especially significant to your environment. You can then Create Alerts for the private tags. Private tags have a blue outline and a tag icon.

Public Tag | Public tags are tags shared with the AutoFocus community by your organization and other AutoFocus users. They are visible to all AutoFocus users. Public tags have a gray outline and a tag icon.

Tag Class
A tag can be linked to a particular tag class, which provides more context for the type of threat information that the tag identifies. Special icons indicate whether a tag is associated with a tag class. The icon can be blue, gray, or orange depending on the Tag Types. For example, the following tag is a public tag linked to malicious behavior:

Tag Class | Description
Malware Family | Related malware is grouped into a malware family. Malware might be considered related based on shared properties or a common function. Malware within a malware family exhibits similar malicious behaviors to launch an attack.
Campaign | A campaign is a targeted attack which might include several incidents or sets of activities. You can identify a campaign by the malware families that are used to execute an attack.
Actor | An actor is an individual or group that instigates one or more campaigns using malware families.
Exploit | An exploit is an attack, usually in the form of a script, that takes advantage of a software or network weakness, bug, or vulnerability to manipulate the behavior of the system.
Malicious Behavior | Malicious behavior is behavior that is not specific to a malware family or campaign, but indicates that your system has been compromised. An example of malicious behavior is the unauthorized deletion of disk volumes. Tag samples that exhibit malicious behaviors to flag them for you and other AutoFocus users. You can receive alerts for new unique samples that match the conditions of malicious behavior tags.

Tag Status
On the Tags page, select Sort by: Status to sort tags based on the status of the tag or, optionally, view the status for a specific tag.

Tag Status | Description
Enabled | Enabled tags generate alerts when matched to traffic. Alerts based on enabled tags are displayed in the Alerts Log on the dashboard and, if configured, email and HTTP alerts are also sent for enabled tags.
Disabled | Disabled tags are tags that have been disabled automatically after reaching 100,000 hits. This is a quality control measure, because tags that are matched to large numbers of samples are too general to be useful in identifying targeted threats. Disabled tags continue to display as a reference—you can continue to view the samples that were matched to that tag, search based on the disabled tag, and view the conditions defined for the tag. However, disabled tags are not applied to future samples.
Rescoping | The tag owner has modified the tag visibility to private, public, or anonymously public. This status only displays for a short period of time—as the new tag scope is processed and until the update to the tag scope is complete.
Removing | The tag owner has deleted the tag, but the deletion is not complete. This status only displays for a short period of time—when the tag deletion completes, the tag is completely removed from the AutoFocus system.

Tag Visibility
There are three types of tag visibility:
• Private—Visible only to your organization (more specifically, only to users associated with the same support account as the tag author).
• Public—Visible to all AutoFocus users. Public tag details include the name of the organization that created the tag.
• Public Anonymously—Visible to all AutoFocus users. However, tags that are anonymously made public do not reveal the organization name in the tag details.
For tags you create, you can set the visibility of the tag and change it at any time. Private tags and samples can be made public, with the option to revert the tag or sample back to a private status at any time.

Tag Details
You can click any tag to reveal details about that tag, including the set of conditions that is matched to traffic, the last time that set of conditions was detected, and the total number of samples matched to the tag. For tags that you have created, you can edit tag details, including setting the visibility of the tag to be private, public, or anonymously public. On the Tags page, click any tag to open the Tag Detail.

Tag Details
Search | To open a search based on the tag, click the Search icon.
Edit | Edit Tag Information.
Delete | Permanently delete a tag. Deleted tags show a Tag Status of removing after being deleted until the deletion is complete (when the deletion is complete, the tag is no longer available in AutoFocus).

Tag Visibility (Private Tags Only) | Share a tag with other AutoFocus users by making the tag Public. By default, tags that you make public will list your organization as the tag Owner in the tag details. To change this default setting so that your organization is not listed as the owner of public tags, select Settings on the AutoFocus navigation pane and select Share public tags anonymously. (You can also revert a tag you previously made public back to a private tag.)
You cannot make a tag public if it has search conditions that refer to private information about your sessions. The following Session Artifacts pertain to private information:
• Device Hostname
• Device Serial
• Device vsys
• Destination IP
• Email Recipient Address
• Email Charset
• Email Sender Address
• Email Subject
• File Name
• File URL
• Recipient User ID
• Source IP
The following General Artifacts may pertain to private session information:
• Domain
• Email Address
• Filename
• IP Address
• URL
You also cannot make a tag public if it has a search condition that points to a custom App-ID you created (Application > is [custom App-ID]).
Vote, Comment, Report | You can Vote for, Comment on, and Report Tags. Tags with the visibility set to private (tags created by and visible only to your organization) do not display these options.

Tag Information | Tag information is searchable and can include some or all of the following details:
• Name—AutoFocus enforces unique tag names within an organization.
• Owner—Organization that created the tag.
• Source—Organization or individual that discovered the threat defined in the tag.
• Alias—Other names that might refer to the threat that the tag defines. You can search on a tag alias to find all samples matched to tags with that alias.
• Tag Class—The Tag Class associated with the tag.
• Scope—The tag type is either public, private, or Unit 42.
• Votes—The number of up-votes the tag has received from the AutoFocus community.
• # Samples—The total number of private and public samples matched to the tag.
• Created—The date and time that the tag was created.
• Updated—The date and time that the tag was most recently modified.
• Last Hit—The time at which the most recent sample matched to the tag was detected.
• Description—Summary of the threat that the tag indicates.
• Related Tags—Tags that share certain conditions, or might indicate similar types of threats.
• References—External references provide more information or context for the threat that the tag identifies.
Tag Conditions | Note that a tag can have multiple sets of conditions, but a sample only has to match one set of conditions for it to be marked with the tag.
• Lists all the conditions against which samples are evaluated.
• Search based on a single set of tag conditions: Click the Search icon in the Actions column to the right of the condition for which you want to open a search.
• Search with all tag conditions: Click the Search All icon after the last set of tag conditions to add all of the tag conditions to a new search. Because you cannot edit the conditions defined for an existing tag, use this option to add conditions from an existing tag to the search editor, modify the conditions, and create a new tag.
• Delete a single set of tag conditions: Click the Trash icon in the Actions column to delete the set.
Next Steps... |
• Vote for, Comment on, and Report Tags.
• Enable Alerts by Tag Type.
• Create a Tag.

Create a Tag
There are two ways to create a new AutoFocus tag: tag a sample or tag a set of search conditions. Review Tag Visibility for tagging guidelines. The visibility of a new tag is set to Private by default.
• Tag a sample. Create a tag for a sample hash to keep track of a sample that exhibits unique behavior or a sample that you need to refer back to later. You can then search for the sample by the tag name instead of its hash.
1. Click a sample hash to view sample details, and then Tag Results. You can only click the sample hash for a public sample or any of your private samples.
2. Provide a unique tag name and any other information that may be helpful for identifying the tag, and click Add Tag.
3. Sample Details display the tags to which the sample is matched. Hover over the new tag, and click the tag name.
4. Edit the Tag Details to supply more information about the tagged sample.
5. Begin a new search. Search with the tag to view all AutoFocus samples that match the tag conditions.
• Tag a search. Create a tag for a search condition (or a set of search conditions). You can use the tag to search for all samples that match the conditions. You cannot create a tag for searches based on tag-related information (Tag, Tag Scope, Tag Class, Tag Alias, and Tag Source) or the artifact Threat Name.
1. Work with the Search Editor to create a set of search conditions.
2. Click the Tag icon to create a tag based on the defined search conditions.
3. Enter a name for the tag in the search field and click create new.
• When a tag is created, all past and incoming samples that match the search conditions are tagged.
• Choose from the following next steps:
• Use the tag to Begin a new search.
• Learn more about how to Work with Tags.

• Create Alerts to be notified when new samples match the tag.

Work with Tags
• Find Samples by Tag Details
• Filter and Sort Tags
• Find the Top Tags Detected During a Date Range
• See the Top Tags Found with Search Results

Find Samples by Tag Details
On the Search page, you can find and filter samples by different tag-related artifacts.

Artifact Type | When To Use It
Tag | Find samples matched to a tag.
Tag Alias | Find samples by the Alias field in the Tag Details. The Tag Alias allows the tag owner to specify common names for the threat that the tag identifies. For example, there may be multiple tags related to a single malware family or campaign. In this case, you can use Tag Alias to look for all samples that are linked to a particular malware family or campaign by different tags.
Tag Class | Find samples associated with a particular Tag Class: a Malware Family, a Campaign, an Actor, an Exploit, or a type of Malicious Behavior.
Tag Scope | Filter samples by the scope of their tags: private, public, Unit 42 (alerting), or Unit 42 informational (non-alerting).
Tag Source | Find samples with tags that are attributed to a particular tag source. The Tag Source is the individual or organization that discovered the threat that the tag identifies. The list of tag sources to choose from is based on all tags with a Tag Visibility that is set to public.

Filter and Sort Tags
Filter and sort tags on the Tags page based on Tag Details.

Sort by: # Samples in descending order. Unified Tag View • Choose Columns to select which details to display on the Tags page. Quick Search Click on Advanced to find tags based on multiple search conditions. To find tags with the highest number of matching samples. the number of votes a tag Advanced Filter has received. To find tags that have received comments from AutoFocus users recently. Filter and Sort Tags Tags are displayed collectively in a single view to enable quick and easy filtering. including tag fields. • Select a tag detail to Sort by in ascending or descending order. You can start typing the artifact type by which you want to filter tags to narrow down the options in the drop-down. Enter a single value in the quick search field to find matching tags across all tag types. Sort by: Last Comment in descending order. Alternatively. you can click the column header for a tag detail to sort the rows in ascending (up arrow) or descending (down arrow) order. and the number of sample hits. 102 AUTOFOCUS ADMINISTRATOR’S GUIDE | AutoFocus Tags .

Find the Top Tags Detected During a Date Range
On the AutoFocus dashboard, the Top Tags widget lists the twenty tags with the most sample hits during the date range set for the dashboard (see Set the Dashboard Date Range on page 26). The list of top tags updates accordingly depending on the context selected (My Organization, My Industry, or All tab).
STEP 1 | Click Dashboard on the navigation pane, and click the My Organization, My Industry, or All tab.
STEP 2 | Set the Dashboard Date Range on page 26 to adjust the displayed Malware Download Sessions. The widgets on the dashboard (including the Top Tags widget) automatically update based on the new date range.
STEP 3 | On the Top Tags widget, select a tag to view tag details, including a description of the sample or conditions that the tag identifies. To view all tags, click Tags on the navigation pane.
STEP 4 | Choose from the following next steps:
• Enable Alerts by Tag Type on page 83.
• Vote for, Comment on, and Report Tags on page 105.
• See the Top Tags Found with Search Results on page 103.

See the Top Tags Found with Search Results
When performing a search, you can view the top tags that AutoFocus matched with the search results.
STEP 1 | Work with the Search Editor to set up a search.
STEP 2 | Click the Statistics tab and find the Top Tags widget. The Top Tags widget displays the 20 tags that AutoFocus matched with the highest number of samples based on your search.
STEP 3 | Filter the top tags by Tag Types. You can continue to add the tag to a search.


Vote for, Comment on, and Report Tags
Though you cannot edit Unit 42 and public tags, you can help to curate the most relevant and useful of
these tags by voting for tags you like and adding comments to tags. You can also alert Unit 42 to a tag that
you think might be offensive or revealing, and Unit 42 will review the tag.
Vote for tags—Give up-votes to tags that provide helpful, accurate information.
Comment on tags—Provide feedback on tags or share additional, relevant information with the
AutoFocus community.
Report tags—Report tags that are misleading, too general to be meaningful, offensive, or reveal sensitive
information. Unit 42 reviews reported tags and finds the tag to either be acceptable or inappropriate:
• Acceptable tags—If Unit 42 determines that the tag is appropriate, the tag status remains public. The
user who reported the tag receives an email notification that the tag will continue to remain publicly
shared.
• Inappropriate tags—If Unit 42 determines that the tag is inappropriate, they can revert the tag scope
to private. The tag will only be visible to the organization that owns the tag and will no longer be
publicly shared. The tag author (the user who created the tag originally) and the user who reported
the tag as inappropriate will receive an email notification that the tag is no longer publicly visible.
Unit 42 can also permanently delete an inappropriate reported tag. The tag owner receives an email
notification when the tag deletion is complete.
The following table describes how to vote for, comment on, and report tags.

STEP 1 | Find tags.
• Click Tags on the navigation pane.
• Click Dashboard and view the Top Tags widget.

STEP 2 | Select a tag to view tag details.


Vote for a Tag—Click Vote Up to give a tag an up-vote. You can deselect Vote Up to withdraw an
up-vote at any time.
To view tags that are highly rated by the AutoFocus community, click Tags and sort tags according to
Sort by: Up Votes. Select Sort Descending to show the tags with the highest votes.

Report a Tag—Report a tag that is misleading, offensive, or displays sensitive information. Include
details as to why you are reporting the tag.


Comment on a Tag—Add a comment to provide feedback on a tag, or to share information regarding the tag with the AutoFocus community.

Assess AutoFocus Artifacts
WildFire™ classifies previously unknown samples as either malware, grayware, or benign. When WildFire observes and executes a sample in a WildFire analysis environment, artifacts (such as file properties, behaviors, and activities) are revealed to be associated with the sample. AutoFocus™ provides a new lens through which you can view the artifacts collected by WildFire. AutoFocus layers statistics over artifacts found to be associated with a sample, to show the number of times the artifact has been seen with other malware, grayware, or benign samples. High-risk artifacts seen frequently with malware are labeled Suspicious or Highly Suspicious. By default, AutoFocus groups similar artifacts into WildFire static and dynamic analysis sections for easy reference, though you can also view artifacts based on the sample activity timeline in the WildFire analysis environment, and artifacts associated with high-risk behaviors are indicated. If you Forward MineMeld Indicators to AutoFocus, AutoFocus calls attention to sample indicators that match the threat indicators you’ve forwarded.
Find high-risk artifacts in the File Analysis details of a sample. Add high-risk artifacts to a search, or use them to Build an AutoFocus Export List, so that you can then block or enforce the newly-identified traffic according to your security policy needs. You can also view a threat summary report, which provides a high-level overview of threat trends in your network.
> Find High-Risk Artifacts
> Add High-Risk Artifacts to a Search or Export List
> Manage Threat Indicators
> Use the Threat Summary Report to Observe Malware Trends

Find High-Risk Artifacts
To bring your attention to potential threats in your network, AutoFocus provides clues in a sample's WildFire analysis that link the sample to malware or malicious attacks. Not all sample artifacts are indicators; to determine whether an artifact is an indicator, AutoFocus uses a statistical algorithm based on the tendency of the artifact to be seen predominantly with malware.
STEP 1 | Begin a new search. Check the Tags column for:
• Unit 42 tags—Identify threats and campaigns that pose a direct security risk.
• Indicator tags—Highlight samples with Threat Indicators that match threat indicators that you forwarded to AutoFocus using MineMeld. The tag specifies the number of matching indicators in the sample. Click on the indicator tag ( ) to view the matching indicators.

STEP 2 | Click a sample hash and scan the WildFire analysis details of the sample for signs of maliciousness. For every WildFire static and dynamic analysis artifact listed, compare the number of times the artifact has been detected with benign ( ), grayware ( ), and malware ( ) samples.
• High-risk artifacts are displayed with icons to designate them as Suspicious or Highly Suspicious.
• If an activity artifact has proven to be evidence of an Observed Behavior, the behavior risk level is indicated.
• Sample indicators that match threat indicators from MineMeld are highlighted with an indicator icon ( ). Learn more about how to Forward MineMeld Indicators to AutoFocus.

STEP 3 | View artifacts that match your search conditions (even if they’re not high-risk), highlighted in the search results.

STEP 4 | View a summary of Indicators that AutoFocus detected in the sample. The Indicators tab only lists artifacts that AutoFocus considers indicators based on the tendency of the artifact to be seen predominantly in malware samples. Any indicators that match indicators forwarded to AutoFocus from MineMeld are marked with an indicator tag. Click the tag to view the full list of matches.

STEP 5 | (Optional) Add High-Risk Artifacts to a Search or Export List.

Add High-Risk Artifacts to a Search or Export List
When you Find High-Risk Artifacts on page 111 in your search results, you can add these artifacts to your existing search and/or to an export list. The following table describes how to search, export, and drill down on file analysis artifacts.
• Add an artifact to a search. Alternatively, select Add to New Search to launch a new search for the artifact in a separate window, or add a SHA256, filename, user agent, IP address, URL, or domain artifact to a remote search (see Set Up Remote Search on page 54).
• Add an artifact to an export list. See Export AutoFocus Artifacts on page 123 for steps to build an AutoFocus export list.
• View PAN-DB categorization, WildFire DNS history, and passive DNS history for an artifact. Select an IP address, URL, or domain artifact and click Domain and URL info... You can also view PAN-DB categorization information, WildFire DNS history, and passive DNS history for domains, URLs, and IP addresses. See Domain, URL, and IP Address Information on page 51 for details.

Manage Threat Indicators
View and keep track of all Threat Indicators that you have forwarded to AutoFocus using the MineMeld app. These indicators help you Find High-Risk Artifacts in your AutoFocus search results. Filter the indicators by certain attributes and export them to the firewall or other security and information event management (SIEM) platforms through MineMeld. In addition to what are considered Threat Indicators in AutoFocus, AutoFocus can receive the following additional indicator types from MineMeld: IPv6, Mutex, process, registry key, filename, MD5 hash, SHA1 hash, SHA256 hash, and Ssdeep fuzzy hash. See Artifact Types for definitions of each indicator type. AutoFocus can store up to 180 million indicators, and all dates and times are in Pacific Time (PST/PDT).
Click Indicators on the navigation pane to access the Indicator Store.
• View all threat indicators forwarded to AutoFocus.
• Filter the indicators. Add or remove conditions for filtering the displayed indicators. Filter by the following criteria and click Search:
• Upload Source—The app that forwarded the indicator to AutoFocus.
• Feed Source—The name of the threat feed from which an indicator was retrieved.
• Type—The type of information that an indicator is (examples: IPv4, URL).
• Indicator—The exact value of the indicator.
• Indicator Fragments—A partial value of the indicator. Use this search criteria if you only know part of an indicator.
• IPv4—A criteria for searching for IP addresses in a range.
• Use the filter IPv4 > matches to find an IP address that belongs to a range.
• Use the filter IPv4 > matches list to find multiple IP addresses in a range.
• Time—The date and time that AutoFocus received the indicator.
• First Seen—The date and time that the indicator was first seen in the threat feed.
• Last Seen—The date and time that the indicator was most recently seen in the threat feed.
• Threat Type—A default value (malicious) that MineMeld assigns to indicators.
• Confidence—A confidence rating that the feed owner associates with the indicators in a feed. The confidence level is measured on a 0-100 scale, with 0 indicating that feed contents have not been verified and 100 indicating that the feed contents are confirmed accurate.
• Share Level—The share level that the feed owner associates with the indicator.
• Expired—If the value is True, the indicator is aged-out, that is, removed from its source feed. If the value is False, the indicator is active.
• Metadata—Additional information about the indicator that the feed owner provided.
• Import or export filters for the indicators.
• Import Search to paste a query for filtering indicators from another AutoFocus user.
• Export Search to share a query for filtering indicators to another AutoFocus user.
• View additional information about the indicator provided by its source (i.e. the feed owner). Expand the entry for an indicator to check if the feed owner provided supplementary attributes or metadata about the indicator.
• Check how much space for storing indicators is remaining. Check the status of the indicator storage periodically, and check the percentage of indicator storage currently in use. AutoFocus stops receiving indicators from MineMeld when it reaches the maximum number of indicators that it can store (180 million indicators). If you are close to the maximum limit, Remove indicators from the store.
• Remove indicators from the store. View all indicators (remove any existing filters). Click the trash icon to remove all indicators from the store. To remove only a subset of indicators, first Filter the indicators. Then, click the trash icon to remove only the indicators that match the filter criteria. For example, you can apply the filter Expired > is > True and click the trash icon to remove only expired indicators from the store.
• Use the Indicator Store as a source of indicators for MineMeld. This is one of the ways to Forward AutoFocus Indicators to MineMeld. Create MineMeld Miner to create an AutoFocus artifacts miner that will extract artifacts from the Indicator Store. If you applied a filter for the indicators before clicking this button, the miner will be configured to extract only indicators that match the filter criteria.
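As an added example (not part of this guide and not AutoFocus product code), the following Python sketch models the Indicator Store and the filter criteria listed above: Expired, Indicator Fragments, IPv4 > matches and IPv4 > matches list, the 180 million intake limit, and the trash icon removing either everything or only the filtered subset. All class and function names, the sample feed rows, and the reading of "matches list" as membership in any of several ranges are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List

@dataclass
class Indicator:
    """One Indicator Store entry, carrying the attributes the filter criteria expose."""
    upload_source: str       # app that forwarded the indicator (MineMeld)
    feed_source: str         # threat feed the indicator was retrieved from
    type: str                # IPv4, URL, domain, ...
    indicator: str           # exact value
    time: datetime           # when AutoFocus received it (Pacific Time in the portal)
    first_seen: datetime
    last_seen: datetime
    threat_type: str = "malicious"   # default value MineMeld assigns
    confidence: int = 0              # 0 = unverified ... 100 = confirmed accurate
    share_level: str = "red"
    expired: bool = False            # True = aged out of its source feed
    metadata: Dict[str, str] = field(default_factory=dict)

Filter = Callable[[Indicator], bool]

def expired_is(value: bool) -> Filter:
    """Expired > is > True / False."""
    return lambda ind: ind.expired is value

def feed_source_is(name: str) -> Filter:
    return lambda ind: ind.feed_source == name

def confidence_at_least(minimum: int) -> Filter:
    return lambda ind: ind.confidence >= minimum

def indicator_fragment(fragment: str) -> Filter:
    """Indicator Fragments: match part of the value when the whole is unknown."""
    return lambda ind: fragment.lower() in ind.indicator.lower()

def _in_ranges(ind: Indicator, nets: List[ipaddress.IPv4Network]) -> bool:
    if ind.type != "IPv4":
        return False
    try:
        addr = ipaddress.IPv4Address(ind.indicator)
    except ValueError:
        return False
    return any(addr in net for net in nets)

def ipv4_matches(cidr: str) -> Filter:
    """IPv4 > matches: the indicator lies inside one range."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return lambda ind: _in_ranges(ind, [net])

def ipv4_matches_list(cidrs: List[str]) -> Filter:
    """IPv4 > matches list: inside any of several ranges (assumed reading of the option)."""
    nets = [ipaddress.IPv4Network(c, strict=False) for c in cidrs]
    return lambda ind: _in_ranges(ind, nets)

class IndicatorStore:
    MAX_INDICATORS = 180_000_000   # intake from MineMeld stops at this count

    def __init__(self) -> None:
        self._items: List[Indicator] = []

    def add(self, ind: Indicator) -> bool:
        """Refuse new indicators once the store is full, as AutoFocus does."""
        if len(self._items) >= self.MAX_INDICATORS:
            return False
        self._items.append(ind)
        return True

    def filter(self, *filters: Filter) -> List[Indicator]:
        """All conditions must hold, like clicking Search with several criteria set."""
        return [i for i in self._items if all(f(i) for f in filters)]

    def remove(self, *filters: Filter) -> int:
        """The trash icon: no filters removes everything, otherwise only the matches."""
        doomed = {id(i) for i in self.filter(*filters)}
        self._items = [i for i in self._items if id(i) not in doomed]
        return len(doomed)

    def usage_percent(self) -> float:
        return 100.0 * len(self._items) / self.MAX_INDICATORS

def build_sample_store() -> IndicatorStore:
    """Constructed sample rows; the feed names and values are not real indicators."""
    t = datetime(2017, 2, 1, 9, 0)
    rows = [
        ("blocklist-a", "IPv4", "192.0.2.10", 80, False),
        ("blocklist-b", "IPv4", "192.0.2.77", 40, True),
        ("blocklist-a", "IPv4", "198.51.100.5", 95, False),
        ("url-feed", "URL", "http://malicious.example/payload", 60, False),
        ("dns-feed", "domain", "c2.example", 70, False),
    ]
    store = IndicatorStore()
    for feed, typ, value, conf, expired in rows:
        store.add(Indicator("MineMeld", feed, typ, value, t, t, t, confidence=conf,
                            expired=expired, metadata={"note": "constructed"}))
    return store
```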

Use the Threat Summary Report to Observe Malware Trends
Generate a threat summary report, which provides a visual overview of threat trends based on your network traffic. You can find the threat summary report in the Reports section of the AutoFocus portal. You can select the time range upon which the report details will be based. You also have the option to generate a PDF of the report.
• Threat Summary Report Overview
• View Threat Summary Report Details

Threat Summary Report Overview
The threat summary report is a rundown of artifacts that AutoFocus and WildFire associate with malware. When you View Threat Summary Report Details for the first time, the report for your support account displays with a default time range of 7 days and the industry you selected when you initially set up your AutoFocus support account.

Report Section | Description
Executive Summary | The Executive Summary consists of the following highlights:
• Total Malware Sessions—The total number of sessions in which WildFire detected a sample with a verdict of malware.
• Tagged Malware Sessions—Out of the total malware sessions, the percentage of sessions linked to samples that received at least 1 tag.
• Malware Applications—The unique number of applications through which malware was delivered. (Application is the App-ID™ matched to the type of application traffic detected in a session.)
• Tagged Malware Samples—The number of malware samples that received at least 1 tag.
Malware Session Percentage By Day | This chart provides:
• A daily count of sessions associated with malware for devices in your support account.
• The percentage of malware sessions out of the total number of sessions for devices in your support account.
• The percentage of malware sessions out of the total number of sessions for all AutoFocus users in an industry.
• A comparison of the average percentage of malware sessions seen with your account and the average percentage of malware sessions for the industry.
Samples Summary | This chart provides:
• The number of samples grouped by WildFire verdict (malware, grayware, and benign).
• The percentage of malware samples.
• The number of tagged malware samples versus untagged malware samples.
• The percentage of tagged malware samples.
Top Applications | The 10 applications that distributed the most malware samples. If there are applications in this list that have no legitimate business purpose in your organization, you may want to create a rule on your firewall blocking these applications.
Bottom Applications | The 10 applications that distributed the least malware samples.
Top Filetypes Per Application | The number of malware sessions for the top 5 most frequently used applications for distributing malware. For each application, the malware sessions are broken down by filetype.
Top Filetypes | The 10 filetypes most frequently associated with malware samples.
Bottom Filetypes | The 10 filetypes least frequently associated with malware samples.
Top Malware Family Tags | The top 10 Unit 42 and private Malware Family tags that AutoFocus matched to your samples.
Top Campaign Tags | The top 10 Unit 42 and private Campaign tags that AutoFocus matched to your samples.
Top Malicious Behavior Tags | The top 10 Unit 42 and private Malicious Behavior tags that AutoFocus matched to your samples.
Top Upload Sources | The top 10 upload sources that submitted your samples to WildFire.
Top Firewalls | The top 10 firewalls where WildFire detected the most number of malware sessions.
Threats by Source Country | A map of countries from which malware sessions originated (refer to list of Countries and Country Codes). The report highlights the country that sent the most number of malware sessions.
Threats by Destination Country | A map of countries that malware sessions targeted (refer to list of Countries and Country Codes). The report highlights the country that received the most number of malware sessions.

View Threat Summary Report Details
View the threat summary report on the AutoFocus portal or generate a printable PDF of the report. The version of the report on the portal is interactive and lets you see the exact figures that make up the chart data.
STEP 1 | Click Reports on the navigation pane.
STEP 2 | Configure the report settings to choose a time period for filtering the report details, and Generate the report.
STEP 3 | Hover over chart elements to view exact counts or percentages. Your Malware Session Percentage By Day is compared with the figures for your industry. Click on a bar in the Top Firewalls or Top Upload Sources chart to add the value to a search.
STEP 4 | For the charts Malware Session Percentage By Day and Top Filetypes Per Application, select which data to display or hide. Hide filetypes that are seen in larger quantities to view the counts for filetypes that are seen in smaller quantities.
STEP 5 | Click on a tag to view Tag Details.
STEP 6 | Click Download PDF to generate a PDF of the report.


Export AutoFocus Artifacts
AutoFocus™ allows you to export artifacts that WildFire™ has frequently detected with malware, such as IP addresses, URLs, or domains. To export artifacts, you must first add artifacts found in AutoFocus to an export list. Then, select some or all of the artifacts in the export list to include them in a comma-separated value (CSV) file, which you can then import into a security information and event management (SIEM) solution. You can also use the file to dynamically enforce policy on a Palo Alto Networks® firewall.
> Build an AutoFocus Export List
> Create a CSV File
> Use Export Lists with the Palo Alto Networks Firewall

Build an AutoFocus Export List
To Create a CSV File that contains AutoFocus artifacts, first add the artifacts to an export list. You can build multiple export lists in AutoFocus. Grouping artifacts into different export lists allows you to easily generate separate CSV files for them.
STEP 1 | Drill down to view the details for samples returned in an AutoFocus search.
1. Begin a new search.
2. Click a sample hash to view sample details.
3. Select an operating system to view activities and behaviors observed when the sample was executed in that WildFire analysis environment. Only artifacts that were observed for the operating system selected in Step 1 are added to the export list. To add sample artifacts from a different operating system, repeat Step c and continue.

STEP 2 | Add artifacts to an export list:
To add a single artifact to an export list, click the drop-down for the artifact and select Add to Export List.
Select multiple artifacts from a WildFire analysis category to add to an export list:
1. Click the drop-down for a WildFire analysis category and select Select for Export List. This turns the drop-downs next to the artifacts into checkboxes.
2. Select one or more artifacts from the list.
3. Re-open the options for the category and select Add Selected to Export List.
Add all artifacts, all suspicious artifacts, or all highly suspicious artifacts listed for an activity or behavior category to an export list.

STEP 3 | Select an export list for the artifacts.
Add artifacts to a new export list:
1. Enter a name for the new export list.
2. Click create new. This adds the artifact to the new export list.
Add an artifact to an existing export list:
1. Select the export list.
2. Add the artifact to it.

STEP 4 | View all artifacts added to an export list. Click Exports on the navigation pane and select the export list to which the artifacts were added in Step 3.
• To view the latest artifacts added, select Sort by: Added Time, and click Sort Descending.
• You can click any of the column headers to sort the export list in ascending (up arrow) or descending (down arrow) order.
• You can also view artifacts based on the WildFire analysis Section from which the artifact is derived. For example, a domain in the export list might have been added from the DNS Activity that WildFire detected for the sample. See the Artifact Types that can appear in each WildFire analysis section.

STEP 5 | (Optional) Remove artifacts from an export list.
• Select artifacts you want to remove and click Delete Selected Items.
• To remove all artifacts from an export list, you do not have to select all the artifacts; you can simply click Delete All Items. Deleting all artifacts also automatically deletes the export list.

STEP 6 | Prepare a version of the export list to export out of AutoFocus. Create a CSV File from the export list.

Create a CSV File
Generate a CSV file from the artifacts that were added to an export list. By default, the CSV file is formatted to contain a single row for each artifact; the row includes full WildFire analysis details for the artifact, and commas separate the WildFire analysis details within each row. You can format the CSV file to support a block list for a Palo Alto Networks firewall and to export additional artifact metadata.
STEP 1 | Build an AutoFocus Export List.
STEP 2 | Click Exports on the navigation pane.
STEP 3 | Select an export list to open, and choose artifacts to export:
Export all artifacts in an export list:
1. Verify that the Export Rows option is set to All.
2. Click Export All Items.
To quickly export all artifacts from the Exports page, click Export in the Actions column of the export list.
Export artifacts based on the time period they were added to an export list:
1. Set Export Rows to In Date Range.
2. Use the Added Time fields to export artifacts based on the date and time range that the artifact was added to the export list.
3. Click Export All Items.
To quickly export artifacts within a date range from the Exports page, click Export in the Actions column of the export list.
Export selected artifacts:
1. Select one or more artifacts to export.
2. Click Export Selected Items.

STEP 4 | (Optional) Format the CSV file to be compatible with a Palo Alto Networks firewall. Select Formatted for PAN-OS block list. You can use the CSV file as a dynamic block list (PAN-OS 7.0 or earlier) or an external dynamic list (PAN-OS 7.1 or later), but the firewall only supports certain types of artifacts. Learn more about how to Use Export Lists with the Palo Alto Networks Firewall.

STEP 5 | (Optional) Export additional artifact data. Select Export Metadata. This option adds the following columns to each artifact row:
• Added Time—The date and time that the artifact was added to the export list.
• Value—The artifact that was added to the export list.
• Section—The artifact activity category.
• SHA256—The SHA256 hash of the sample that the artifact was found with.
• MD5—The MD5 hash of the sample that the artifact was found with.
• SHA1—The SHA1 hash of the sample that the artifact was found with.
• Author Email—The email address of the user who added the artifact to the list.
• Label—The name of the export list.

STEP 6 | Select Export to generate the CSV file. Use the CSV file to import AutoFocus data into a security information and event management (SIEM) tool, or Use Export Lists with the Palo Alto Networks Firewall.

Use Export Lists with the Palo Alto Networks Firewall
Export lists provide a way to dynamically enforce policy on a Palo Alto Networks firewall based on AutoFocus artifacts. Dynamic block lists and external dynamic lists on the Palo Alto Networks firewall only support certain artifacts, so you must tailor your export list based on the PAN-OS software version running on the firewall. The following workflow walks you through the process of building an export list designed specifically for the firewall.
STEP 1 | Build an AutoFocus Export List. Find IP address, URL, and domain artifacts in the DNS Activity, Connection Activity, and HTTP Activity detected during the WildFire analysis of a sample. Verify that the artifacts you plan to export are supported on the firewall (IP addresses only for a dynamic block list in PAN-OS 7.0 or earlier; IP addresses only, URLs only, or domains only for an external dynamic list in PAN-OS 7.1 or later).
• (PAN-OS 7.0 or earlier) Dynamic Block List—Build an export list that only contains IP addresses.
• (PAN-OS 7.1 or later) External Dynamic List—Build an export list that contains only IP addresses, only domains, or only URLs. Learn more about how the firewall supports the three external block list types.
STEP 2 | Create a CSV File formatted for the firewall. Before you export the artifacts, make sure that Formatted for PAN-OS block list is selected. CSV files that are formatted for a PAN-OS block list might display artifacts in an order that is different from how they appear in the AutoFocus export list.
STEP 3 | Use the generated CSV file with the firewall.
• Set up a dynamic block list (firewalls running PAN-OS 7.0 or earlier).
• Set up an external dynamic list (firewalls running PAN-OS 7.1 or later).
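An added example, not from this guide and not AutoFocus or PAN-OS code, covering the Export Metadata columns under Create a CSV File and the per-version artifact restrictions above: the script reads an exported CSV, keeps only DNS, Connection and HTTP Activity artifacts of the kinds the stated PAN-OS version accepts, and produces one de-duplicated one-value-per-line list per artifact kind. The host:port value shape, the scheme-less URL form, the function names, and every row (with placeholder hashes) are constructed assumptions.

```python
import csv
import io
import ipaddress
import re
from typing import Dict, List, Set

# Columns the Export Metadata option adds; Value and Section are the ones used here.
CSV_FIELDS = ["Added Time", "Value", "Section", "SHA256", "MD5", "SHA1", "Author Email", "Label"]

# Sections in which the guide says the firewall-usable artifacts are found.
FIREWALL_SECTIONS = {"DNS Activity", "Connection Activity", "HTTP Activity"}

_IP_PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?$")
_DOMAIN_RE = re.compile(r"^(?!-)(?:[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)

def _is_host(host: str) -> bool:
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return bool(_DOMAIN_RE.match(host))

def classify(value: str) -> str:
    """Return 'ip', 'domain', 'url' or 'unsupported' for one artifact value.
    The host:port and scheme-less URL shapes are assumptions about the export."""
    v = value.strip()
    m = _IP_PORT_RE.match(v)
    if m:
        return "ip" if _is_host(m.group(1)) else "unsupported"
    if "://" in v or "/" in v:
        host = v.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
        return "url" if _is_host(host) else "unsupported"
    return "domain" if _DOMAIN_RE.match(v) else "unsupported"

def supported_kinds(pan_os_version: str) -> Set[str]:
    """PAN-OS 7.0 and earlier: dynamic block list, IP addresses only.
    PAN-OS 7.1 and later: external dynamic list of IPs, domains or URLs."""
    major, minor = (int(p) for p in pan_os_version.split(".")[:2])
    return {"ip", "domain", "url"} if (major, minor) >= (7, 1) else {"ip"}

def build_firewall_lists(csv_text: str, pan_os_version: str) -> Dict[str, List[str]]:
    """Split an Export Metadata CSV into one de-duplicated list per artifact kind."""
    allowed = supported_kinds(pan_os_version)
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = set(CSV_FIELDS) - set(reader.fieldnames or [])
    if missing:
        raise ValueError("not an Export Metadata CSV, missing columns: %s" % sorted(missing))
    lists: Dict[str, List[str]] = {"ip": [], "domain": [], "url": [], "skipped": []}
    for row in reader:
        value = row["Value"].strip()
        kind = classify(value)
        if row["Section"] not in FIREWALL_SECTIONS or kind not in allowed:
            lists["skipped"].append(value)
            continue
        if kind == "ip":
            value = _IP_PORT_RE.match(value).group(1)   # the list wants the address only
        if value not in lists[kind]:
            lists[kind].append(value)
    return lists

def render_edl(entries: List[str]) -> str:
    """One entry per line, which is how the firewall reads a block list file."""
    return "".join(e + "\n" for e in entries)

# Constructed export with placeholder hashes; not output from a real AutoFocus account.
SAMPLE_CSV = """Added Time,Value,Section,SHA256,MD5,SHA1,Author Email,Label
2017-02-01 09:00:00,192.0.2.10:443,Connection Activity,SHA256_PLACEHOLDER,MD5_PLACEHOLDER,SHA1_PLACEHOLDER,analyst@example.com,fw-list
2017-02-01 09:00:05,192.0.2.10:8080,Connection Activity,SHA256_PLACEHOLDER,MD5_PLACEHOLDER,SHA1_PLACEHOLDER,analyst@example.com,fw-list
2017-02-01 09:01:00,c2.example,DNS Activity,SHA256_PLACEHOLDER,MD5_PLACEHOLDER,SHA1_PLACEHOLDER,analyst@example.com,fw-list
2017-02-01 09:02:00,malicious.example/drop/update.exe,HTTP Activity,SHA256_PLACEHOLDER,MD5_PLACEHOLDER,SHA1_PLACEHOLDER,analyst@example.com,fw-list
2017-02-01 09:03:00,Global\\SampleMutex,Mutex,SHA256_PLACEHOLDER,MD5_PLACEHOLDER,SHA1_PLACEHOLDER,analyst@example.com,fw-list
2017-02-01 09:04:00,198.51.100.7,DNS Activity,SHA256_PLACEHOLDER,MD5_PLACEHOLDER,SHA1_PLACEHOLDER,analyst@example.com,fw-list
2017-02-01 09:05:00,http://203.0.113.9/gate.php,HTTP Activity,SHA256_PLACEHOLDER,MD5_PLACEHOLDER,SHA1_PLACEHOLDER,analyst@example.com,fw-list
"""

if __name__ == "__main__":
    for version in ("7.0", "7.1"):
        lists = build_firewall_lists(SAMPLE_CSV, version)
        print(version, {k: len(v) for k, v in lists.items()})
    print(render_edl(build_firewall_lists(SAMPLE_CSV, "7.1")["ip"]), end="")
```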


AutoFocus Apps
AutoFocus™ supports MineMeld, an open-source threat intelligence processing tool that you can run as an app on the AutoFocus portal. The MineMeld app enriches AutoFocus data, calling attention to samples with artifacts that match indicators from external sources. With AutoFocus-hosted MineMeld, you can manage threat indicators from AutoFocus and from external sources of threat intelligence in one central location. The ability to use MineMeld directly in AutoFocus allows you to expand the scope of your threat research with minimal effort.
> MineMeld

MineMeld
MineMeld is a threat intelligence processing tool that extracts indicators from various sources and compiles the indicators into multiple formats compatible with AutoFocus, the Palo Alto Networks® next-generation firewall, and other security and information event management (SIEM) platforms.
• Introduction to MineMeld
• Start, Stop, and Reset MineMeld
• Use AutoFocus-Hosted MineMeld
• Create a Minemeld Node
• Connect MineMeld Nodes
• Delete a MineMeld Node
• AutoFocus Prototypes
• Forward MineMeld Indicators to AutoFocus
• Forward AutoFocus Indicators to MineMeld
• Use AutoFocus Miners with the Palo Alto Networks Firewall
• Troubleshoot MineMeld

Introduction to MineMeld
Using threat intelligence to enforce security policy poses several challenges. Sources of threat indicators often place indicators in multiple formats or format them inconsistently. Using indicators from multiple sources and packaging them into different formats requires a large investment of time and effort, especially as you discover new sources of indicators. It is also difficult to keep track of updates to threat indicator sources, since they are updated at different times and not always on a regular basis. MineMeld automates many of these manual processes so you can use indicators to dynamically enforce policy with your firewall or to investigate threats with AutoFocus.
Three types of MineMeld nodes make it possible to automate the flow of indicators from source to destination:
• Miners extract indicators from sources of threat intelligence, such as a threat indicator feed or a threat intelligence service like AutoFocus.
• Processors receive indicators from miners and can aggregate indicators, eliminate duplicated indicators, and merge different sets of metadata for the same indicator. For example, a common type of processor is one that receives only IPv4 indicators.
• Outputs receive indicators from processors. Output nodes format the indicators and allow MineMeld to dynamically send the indicators to one or more destinations (for example, MineMeld can send indicators from external threat feeds to AutoFocus or the firewall).
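The miner, processor and output roles described above, as an added Python sketch that is not MineMeld's own code: two miners each parse a differently formatted (constructed) feed, an IPv4-only processor rejects other indicator types and merges the metadata of duplicates instead of storing them twice, and two outputs format the result for a firewall list and for AutoFocus. The feed formats, node names, merge rules and the AutoFocus record shape are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass
class Indicator:
    value: str
    type: str            # "IPv4", "domain" or "URL"
    sources: List[str]   # feeds that reported this value
    confidence: int      # 0-100, as MineMeld and AutoFocus express it
    first_seen: str      # ISO dates as strings keep the example dependency-free
    last_seen: str

def detect_type(raw: str) -> str:
    try:
        ipaddress.IPv4Address(raw)
        return "IPv4"
    except ValueError:
        return "URL" if "/" in raw else "domain"

# --- Miners: one per source, each understanding that source's own format ----------
def parse_plain_list(text: str) -> List[Tuple[str, int]]:
    """One indicator per line, '#' comments; the feed states no confidence, so assume 50."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.append((line, 50))
    return out

def parse_csv_feed(text: str) -> List[Tuple[str, int]]:
    """'indicator,confidence' rows after a header line."""
    rows = [l.strip() for l in text.splitlines() if l.strip()][1:]
    return [(v, int(c)) for v, c in (r.split(",", 1) for r in rows)]

class Miner:
    def __init__(self, name: str, parser: Callable[[str], List[Tuple[str, int]]]):
        self.name, self.parser = name, parser

    def run(self, text: str, pulled_on: str) -> List[Indicator]:
        return [Indicator(v, detect_type(v), [self.name], c, pulled_on, pulled_on)
                for v, c in self.parser(text)]

# --- Processor: the IPv4-only aggregator the text gives as its example -------------
class Ipv4Aggregator:
    def __init__(self) -> None:
        self.merged: Dict[str, Indicator] = {}
        self.rejected = 0

    def receive(self, ind: Indicator) -> None:
        if ind.type != "IPv4":
            self.rejected += 1
            return
        cur = self.merged.get(ind.value)
        if cur is None:
            self.merged[ind.value] = ind
            return
        # Duplicate value: merge the metadata rather than keeping a second entry.
        cur.sources = sorted(set(cur.sources) | set(ind.sources))
        cur.confidence = max(cur.confidence, ind.confidence)
        cur.first_seen = min(cur.first_seen, ind.first_seen)
        cur.last_seen = max(cur.last_seen, ind.last_seen)

    def indicators(self) -> List[Indicator]:
        return list(self.merged.values())

# --- Outputs: format the processed set for a destination ----------------------------
def to_edl(inds: List[Indicator]) -> str:
    """Firewall external dynamic list: one value per line."""
    return "".join(i.value + "\n" for i in inds)

def to_autofocus_records(inds: List[Indicator]) -> List[Dict[str, object]]:
    """Shape resembling the Indicator Store fields; the real wire format is not on the page."""
    return [{"indicator": i.value, "type": i.type, "feed_source": ",".join(i.sources),
             "confidence": i.confidence, "first_seen": i.first_seen,
             "last_seen": i.last_seen, "threat_type": "malicious"} for i in inds]

FEED_A = """# constructed block list (plain text)
192.0.2.10
192.0.2.10   # repeated inside the same feed
c2.example
198.51.100.5
"""
FEED_B = """indicator,confidence
192.0.2.10,90
203.0.113.9,40
malicious.example/drop,70
"""

def run_pipeline() -> Ipv4Aggregator:
    """Wire miner -> processor for both constructed feeds and return the processor."""
    proc = Ipv4Aggregator()
    for miner, text, date in ((Miner("feed-a", parse_plain_list), FEED_A, "2017-02-01"),
                              (Miner("feed-b", parse_csv_feed), FEED_B, "2017-02-03")):
        for ind in miner.run(text, date):
            proc.receive(ind)
    return proc

if __name__ == "__main__":
    p = run_pipeline()
    print(to_edl(p.indicators()), end="")
    print(to_autofocus_records(p.indicators()), p.rejected, "rejected")
```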

A progress bar indicates that MineMeld is deploying. Nodes are the building blocks of MineMeld. stop. and output prototypes. processor. Stop. STEP 1 | Click Apps on the navigation pane. Start. There are AutoFocus-specific prototypes. and you can create the most basic MineMeld connection by connecting a single miner node to a processor node and connecting the processor node to an output node. You can Use AutoFocus-Hosted MineMeld when the deployment is complete. which are templates you can use to create a node. learn how to start. view a Quick Tour of the MineMeld Default Configuration. MineMeld provides pre-built miner. STEP 2 | Choose from the following options: • Start MineMeld. or reset the MineMeld app. and Reset MineMeld Before you begin to use MineMeld. 136 AUTOFOCUS ADMINISTRATOR’S GUIDE | AutoFocus Apps . The initial MineMeld deployment may take several minutes. For more information on MineMeld basics. which you can use create miner nodes that use AutoFocus as a source of threat indicators (see Forward AutoFocus Indicators to MineMeld) or output nodes that send threat indicators to AutoFocus (see Forward MineMeld Indicators to AutoFocus).

A link to MineMeld displays on the navigation pane when MineMeld starts deploying. When MineMeld is running, it extracts and processes indicators based on the nodes that are connected.
• Stop the running instance of MineMeld. This stops MineMeld from retrieving, processing, and delivering indicators to output nodes. To re-open the previously deployed instance of MineMeld, you must Start MineMeld again.
• Reset MineMeld to its default configuration. Resetting MineMeld permanently deletes any nodes or customizations you have made within the app. However, if you reset MineMeld after you Forward MineMeld Indicators to AutoFocus, AutoFocus will continue to store the forwarded indicators from the deleted nodes. If you use MineMeld to forward indicators to an external dynamic list on a Palo Alto Networks firewall and reset MineMeld, you must update the external dynamic list with a new link from MineMeld.

Use AutoFocus-Hosted MineMeld
MineMeld is available on a per support account basis. Use MineMeld to Find High-Risk Artifacts and gain more visibility into threats on your network.
STEP 1 | Click Apps on the navigation pane, and Start MineMeld.

STEP 2 | Access MineMeld from the navigation pane. When using MineMeld for the first time (or after resetting it), the default configuration of nodes sends IP addresses, URLs, and domains from a set of block lists to the Indicator Store, a storage space in AutoFocus for external indicators. Click Indicators on the navigation pane to view the Indicator Store.
STEP 3 | Choose from the following actions:
• Get an overview of the miner, processor, and output nodes currently in use on the Dashboard.
• View a complete list of Nodes you've created.
• View a library of miner, processor, and output Prototypes you can clone to Create a Minemeld Node.
• Choose other nodes from which a node will receive indicators. Edit the inputs of the node under Config to Connect MineMeld Nodes. The Config tab also allows you to Delete a MineMeld Node.
• View the Logs, which are a record of the indicators that MineMeld extracted from feed sources.
For more guidance on how to use MineMeld, see MineMeld.

Create a Minemeld Node
Evaluate which sources of indicators you want to use and where to forward the indicators after MineMeld processes them. You can then create miner, processor, and output nodes based on this information.
STEP 1 | Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
STEP 2 | Click MineMeld on the navigation pane.
STEP 3 | Click Prototypes.

Create nodes based on AutoFocus Prototypes to Forward MineMeld Indicators to AutoFocus or to Forward AutoFocus Indicators to MineMeld.
STEP 4 | Select a prototype from the list. If you know the name of the prototype, use the Search field to quickly find it.
STEP 5 | Clone the prototype to create a new node from it.
STEP 6 | Complete the required fields for the node:
• Give the node a descriptive Name.
• (Processor and output nodes only) Select one or more miner and/or processor nodes that the node will use as Inputs. The node will receive indicators from the inputs you select.

STEP 7 | Click Ok. MineMeld switches to the Config tab automatically, which lists your newly created node. An exclamation point next to the node name notifies you that you must Complete additional required fields for a node.
STEP 8 | Commit to save the new node.
STEP 9 | Find the new node in the list of Nodes to verify that it was saved successfully. Click the node entry to view the node details.
STEP 10 | Complete additional required fields for a node.
1. Hover over the exclamation point to see which fields are required.
2. Enter or select a value for the required fields.
3. Commit, and click Nodes to verify that the exclamation point is gone.
STEP 11 | Connect MineMeld Nodes to begin sending indicators to a destination.

Connect MineMeld Nodes
After you Create a Minemeld Node, connect miner, processor, and output nodes to each other to set the direction of the flow of indicators. To establish the connection between miner, processor, and output nodes, you must:
• Select one or more miners from which a processor will receive indicators.
• Select which processors will send indicators to an output.
STEP 1 | Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
STEP 2 | Click MineMeld on the navigation pane.
STEP 3 | Click Config, and find the node you want to connect to another node.
STEP 4 | Edit the Inputs for the node.

STEP 5 | Commit to save your changes.
STEP 6 | View the flow of indicators that the node is part of.
1. View the list of Nodes. If you know the name of the node, use the Search field to quickly find it.
2. Find the node in the list, and view the Graph for it. Larger nodes process more indicators than smaller nodes.
STEP 7 | Share your MineMeld nodes and node connections with another MineMeld user.
1. Select the Config tab, and click Export.
2. When you share the code that this generates with other MineMeld users, they can Import it into their MineMeld instance. Use the MineMeld import feature to quickly load another user's nodes and node connections into your MineMeld instance. Importing a configuration replaces any nodes or node connections you have previously created, so review the exported configuration before you import it.

Delete a MineMeld Node
Delete a node if you Create a Minemeld Node and decide that you no longer need to use it. Before you delete a node, be mindful of the nodes to which it is connected to ensure that you don't accidentally cut off a desired flow of indicators to an output.
STEP 1 | Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
STEP 2 | Click MineMeld on the navigation pane.
STEP 3 | Click Config.
STEP 4 | Find the node you want to delete. Check the node inputs and verify that you can delete the connection to these inputs.

STEP 5 | Click x, and then click Ok to confirm that you want to delete the node.
STEP 6 | Commit to delete the node.
STEP 7 | Check that the node no longer appears in the list of Nodes to verify that it was deleted successfully.

AutoFocus Prototypes
The following AutoFocus-specific prototypes allow you to Forward MineMeld Indicators to AutoFocus and Forward AutoFocus Indicators to MineMeld. The prototypes below have default intervals for extracting and aging out indicators. When an indicator is aged out, MineMeld withdraws the indicator from the outputs that received it. To view the default behavior for a prototype, select the prototype from the Prototypes tab in MineMeld and view the configuration (Config) details.

Prototype: Samples Miner
Description: The samples miner extracts threat indicators from samples that meet the conditions of an AutoFocus search. You must set the search conditions when you create this miner node. The samples miner does not extract all sample artifacts; it only extracts statistically important artifacts that AutoFocus has determined to be indicators based on their tendency to be seen with malware.
Default Behavior:
• Accepts all indicator types.
• Initially extracts indicators from samples that meet the criteria of the search based on the last 24 hours.
• After the initial poll for indicators, extracts indicators from samples every hour.
• Each time this miner extracts indicators, it only extracts indicators from the first 10,000 samples.
• Only forwards indicators that it has not seen previously.
• Ages out indicators 24 hours after the last time they were seen in the sample search results.

Prototype: Artifacts Miner
Description: The artifacts miner extracts indicators from external sources that are currently stored in the AutoFocus Indicator Store (see Manage Threat Indicators). You must connect this miner to a processor and an output node to forward the indicators to a destination outside of AutoFocus.
Default Behavior:
• Accepts all indicator types.
• Initially extracts indicators that were added to the Indicator Store in the last 24 hours.
• After the initial poll for indicators, extracts indicators from the store every hour.
• Only forwards indicators that it has not seen previously.
• Ages out indicators 30 days after the last time they were added or updated in the Indicator Store, or as soon as an indicator is marked as expired in the store. Expired indicators are indicators that have been removed from the feed from which they came.

Prototype: Artifacts Output
Description: The artifacts output sends indicators from external threat intelligence sources directly to the AutoFocus Indicator Store (see Manage Threat Indicators). AutoFocus highlights indicators in your samples that match the indicators in the store.
Default Behavior:
• Accepts all indicator types.
• Does not allow you to use the artifacts miner to send indicators back to the AutoFocus Indicator Store.

Prototype: Export List Miner
Description: The export list miner sends artifacts from an AutoFocus export list to a destination outside of AutoFocus, such as a Palo Alto Networks firewall or other SIEM platforms. Unlike the other AutoFocus prototypes, the export list miner can be used in either AutoFocus-hosted MineMeld or a MineMeld instance you deployed in your own environment.
Default Behavior: Accepts IPv4, URL, and domain indicators.

Forward MineMeld Indicators to AutoFocus
Use an AutoFocus Artifacts Output node to store indicators from one or more threat intelligence sources in AutoFocus. When you view the WildFire analysis details for samples in your search results, AutoFocus highlights sample indicators matching the indicators that MineMeld forwarded, allowing you to Find High-Risk Artifacts.
STEP 1 | Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
STEP 2 | Create a Minemeld Node that will receive processed indicators and send them to AutoFocus. Create an output node based on the prototype autofocus.artifactsOutput.
STEP 3 | Connect MineMeld Nodes (miner and processor) to the output node you just created.

STEP 4 | Click Indicators on the navigation pane to view the Indicator Store and Manage Threat Indicators that MineMeld forwarded. The Indicator Store has space for up to 180 million indicators. You can now easily spot sample indicators that match MineMeld indicators when you Find High-Risk Artifacts.

Forward AutoFocus Indicators to MineMeld
Use MineMeld to send indicators from AutoFocus to the firewall and other SIEM platforms. Learn more about how you can Use AutoFocus Miners with the Palo Alto Networks Firewall.
• Use an AutoFocus Samples Miner to forward indicators from sample search results.
1. Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
2. Work with the Search Editor to set up a search.
3. Create MineMeld Miner from the search page. The node details include:
 1. Name—Give the miner a descriptive name.
 2. Prototype—The prototype is pre-selected (autofocus.samplesMiner).
 3. Query—This field is pre-populated with the conditions of your search.
 4. Scope—Select the scope of the search results: global, private, or public. If you select a Scope of global, the miner extracts indicators from your private samples and from public samples submitted by you and other AutoFocus users; it does not extract indicators from other users' private samples.
 5. Artifacts—Select which indicators AutoFocus will forward to MineMeld: Any indicators, only indicators that match MineMeld indicators, or None (MineMeld only extracts hashes from the sample search results).
 6. Connect to Processors—Select processors that will receive indicators from the miner.
4. Connect MineMeld Nodes (processor and output) to the miner you just created.
• Use an AutoFocus Artifacts Miner to forward indicators from external sources stored in AutoFocus (see Manage Threat Indicators) to a destination outside of AutoFocus.
1. Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
2. Click Indicators on the navigation pane and, optionally, Filter the indicators.
3. Create MineMeld Miner. The node details include:
 1. Name—Give the miner a descriptive name.
 2. Prototype—The prototype is pre-selected (autofocus.artifactsMiner).
 3. Query—If you filtered the indicators, this field is pre-populated with the filter you used.
 4. Connect to Processors—Select processors that will receive indicators from the miner.
4. Connect MineMeld Nodes (processor and output) to the miner you just created.
• Use an AutoFocus Export List Miner to forward indicators from an AutoFocus export list. You can use the AutoFocus export list miner in AutoFocus-hosted MineMeld or in a MineMeld instance you deployed in your own environment. The default behavior of the miner is the same in either version of MineMeld.

1. Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
2. Create a Minemeld Node based on the prototype autofocus.exportList. When completing the additional required fields for the node, provide your AutoFocus API Key and the Label of the export list from which MineMeld will extract indicators.
3. Connect MineMeld Nodes (AutoFocus miner and processor) to an output that can feed indicators to an external dynamic list on the firewall.

Use AutoFocus Miners with the Palo Alto Networks Firewall
Use AutoFocus miners to dynamically send indicators from AutoFocus to an external dynamic list on a PAN-OS 8.0 firewall. This procedure focuses on using AutoFocus miners to forward indicators to an external dynamic list; however, you can use other MineMeld miners that extract IPv4 addresses, domains, and URLs to forward indicators to an external dynamic list.
STEP 1 | Add the root certificate authority (CA) certificate for MineMeld to the firewall.
1. Download the GoDaddy Class 2 Certification Authority Root Certificate: https://certs.godaddy.com/repository/gd-class2-root.crt
2. Import the certificate to the firewall.
 1. On the firewall, select Device > Certificate Management > Certificates.
 2. Give the certificate a descriptive name.
 3. Browse for the certificate file and attach the GoDaddy certificate you downloaded.
 4. Click OK.
STEP 2 | Create a certificate profile for the MineMeld root CA certificate.
1. On the firewall, select Device > Certificate Management > Certificate Profile.
2. Add a new certificate profile.
3. Give the certificate profile a descriptive name.
4. Click Add, select the certificate name from the CA Certificate drop-down, and click OK.
5. Click OK.
STEP 3 | Configure the MineMeld nodes that will send indicators to the firewall.
1. Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
2. Use an AutoFocus sample or artifacts miner to Forward AutoFocus Indicators to MineMeld.
3. Connect MineMeld Nodes (AutoFocus miner and processor) to an output that can feed indicators to an external dynamic list on the firewall. To find outputs that you can use with an external dynamic list, view the list of MineMeld Prototypes and search with the keyword EDL.
4. Restrict access to the indicators, so that only clients that present the credentials you create here can read the indicators from the output node.
 1. In MineMeld, click Admin, and select the Feeds Users tab.
 2. Click (+) to add a new user profile for accessing the indicators from the output node. Create a username and password, confirm the password, and click OK.
 3. Select the output node you plan to use with an external dynamic list from the list of Nodes. Click Tags, enter a tag name to use with the output node, and click OK.
 4. Grant the user you just created access to the output node. In the Access setting for the user, select the tag for the output node and click OK.

STEP 4 | Configure the firewall to access an external dynamic list based on the indicators from the
AutoFocus miners.
Follow the steps to add a new external dynamic list to the firewall and observe the following guidelines:
• Enter the MineMeld-provided link from the output node as the Source of the external dynamic list.
To find this link in MineMeld, select the output node from the list of Nodes and copy the Feed Base
URL link.
• Select the Certificate Profile you created for the MineMeld root CA certificate.
• Select Client Authentication, and enter the username and password for the user you created from
the previous step.

STEP 5 | Verify that the firewall can receive indicators from the AutoFocus miners.
On the firewall, retrieve entries for the external dynamic list you added and view the list entries.
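Before retrieving the list on the firewall, it is worth pulling the feed once from a workstation with exactly the two controls the firewall will use: TLS verified against the CA certificate from STEP 1 and the Feeds User credentials from STEP 3 sent as HTTP basic authentication. The following added example (written for this page, not part of the AutoFocus guide or of MineMeld) does that in `fetch_feed()` and then checks the body with `validate_feed()`: every line must be an entry the external dynamic list type accepts, and nothing may be duplicated, because a processor upstream should already have deduplicated the list. The URL, user name, CA file name and the sample feed body are constructed; the live call is left commented out so the block runs offline.

```python
"""Check a MineMeld EDL feed the way the firewall will consume it.

Added example, not part of the AutoFocus guide or of MineMeld. fetch_feed()
retrieves an output node's Feed Base URL with the same two controls the
firewall is configured with above: TLS verified against a pinned CA file and
the Feeds User credentials sent as HTTP basic auth. validate_feed() then checks
that every line is an entry the chosen external dynamic list type accepts and
that the list is free of duplicates. The URL, user name, CA path and the
sample feed body are constructed for the example.
"""
import base64
import ipaddress
import re
import ssl
import urllib.request

_DOMAIN_RE = re.compile(r"^([a-z0-9-]+\.)+[a-z0-9-]+$", re.IGNORECASE)


def fetch_feed(url, username, password, ca_path, timeout=30):
    """Return the feed body as text; the server certificate must chain to ca_path."""
    ctx = ssl.create_default_context(cafile=ca_path)   # trust only the MineMeld root CA
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def _is_ipv4_entry(value):
    """Accept 203.0.113.10, 203.0.113.0/24 and the range form 192.0.2.1-192.0.2.20."""
    try:
        if "-" in value:
            lo, hi = (ipaddress.ip_address(p) for p in value.split("-", 1))
            return lo.version == hi.version == 4 and lo <= hi
        return ipaddress.ip_network(value, strict=False).version == 4
    except ValueError:
        return False


def _is_domain_entry(value):
    return bool(_DOMAIN_RE.match(value)) and not re.fullmatch(r"[0-9.]+", value)


CHECKS = {"ipv4": _is_ipv4_entry, "domain": _is_domain_entry}


def validate_feed(body, list_type):
    """Classify each non-blank line of an EDL body; list_type is 'ipv4' or 'domain'."""
    check = CHECKS[list_type]
    seen, valid, invalid, duplicates = set(), [], [], []
    for raw in body.splitlines():
        entry = raw.strip()
        if not entry:
            continue
        if entry in seen:
            duplicates.append(entry)   # a processor upstream should have removed these
            continue
        seen.add(entry)
        (valid if check(entry) else invalid).append(entry)
    return {"valid": valid, "invalid": invalid, "duplicates": duplicates,
            "ok": bool(valid) and not invalid and not duplicates}


# Constructed feed body, not real threat data: what an IPv4 EDL output might serve,
# with a domain, an IPv6 address and a duplicate mixed in to show what gets flagged.
SAMPLE_IPV4_FEED = """\
203.0.113.10
198.51.100.0/24
192.0.2.1-192.0.2.20
evil.example
203.0.113.10
2001:db8::1
"""

if __name__ == "__main__":
    print(validate_feed(SAMPLE_IPV4_FEED, "ipv4"))
    # Live check against the real feed (needs network access and your own values):
    # body = fetch_feed("https://minemeld.example/feeds/edl-output", "edl-reader",
    #                   "secret", "gd-class2-root.crt")
    # print(validate_feed(body, "ipv4"))
```

If `fetch_feed()` fails with a certificate error while a browser opens the same URL, the certificate profile on the firewall will fail in the same way: the feed's certificate does not chain to the CA you imported. A domain or URL showing up in an IPv4 list means the output is connected to the wrong processor, not that the firewall is misconfigured.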

Troubleshoot MineMeld
Refer to the procedures below to troubleshoot issues with MineMeld.

• Free up disk space on MineMeld
A red dot appears on the System tab when there is only 30% of disk space remaining in MineMeld. To
continue using MineMeld with logging enabled, you must free up more disk space.
1. In MineMeld, click the System tab.
2. A warning message notifies you that disk space is low. Verify the disk status.

3. Purge Logs.
This deletes logs of internal system processes on MineMeld; this does not delete the record of
indicators that nodes received or indicators that were aged-out in the Logs tab.

• Force an AutoFocus samples or artifacts miner to retrieve indicators.
For a samples or artifacts miner, the default interval for retrieving and forwarding indicators to a
processor is 1 hour. To trigger the miner to retrieve indicators immediately, follow the steps below.
1. In MineMeld, select the samples or artifacts miner from the list of Nodes.


2. Click Run Now to start retrieving indicators.

As the node retrieves indicators, the # Indicators count goes up.

3. Track all indicator activity associated with a node.

• Force an AutoFocus samples or artifacts miner to age out indicators.
When a miner node ages out indicators, it withdraws indicators from the outputs that received them.
The samples miner has a default age-out interval of 24 hours, while the artifacts miner has a default
interval of 30 days. To trigger these miners to age out indicators immediately, follow the steps below.
1. In MineMeld, select the samples or artifacts miner from the list of Nodes.
2. Flush indicators.


3. Track all indicator activity associated with a node.

• Track all indicator activity associated with a node.
1. In MineMeld, select a node from the list of Nodes.
2. View the node Stats. By default, the statistics displayed are based on indicator activity from the last
24 hours.

1. Compare the counts from different points in the Indicators graph to determine the number of new
indicators that the node processed during a time range. A drop in the graph indicates that some
indicators associated with the node were aged out.

2. View the trend of indicators that the node added, aged out, updated, and withdrew from other
nodes.


3. Change the Time Range to view indicator stats for a shorter or longer time period.

• Track indicators that were successfully received by a node and indicators that were aged out.
View the MineMeld logs to determine whether an indicator was successfully received by a node or aged out.
1. In MineMeld, click the Logs tab.
2. View the logs for a specific indicator.
 1. In the search field, enter indicator:[indicator value] and click the spyglass to launch the search.
 2. Evaluate the logs for the indicator based on the following log messages.
 ACCEPT_UPDATE—A log of a node successfully receiving an indicator from another node.
 EMIT_UPDATE—A log of a node sending an indicator (or an indicator update) to another node.
 EMIT_WITHDRAW—A log of a node aging out an indicator.
 ACCEPT_WITHDRAW—A log of a node accepting a request from another node to withdraw an aged-out indicator.

3. View the logs for a specific node.
 1. Click the Nodes tab and select a node.
 2. View all Logs of indicator activity related to the node. Click on a log message or indicator tag to filter the logs further.
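Reading the four log messages by hand works for one indicator; for a batch it helps to reconstruct the lifecycle mechanically. The following is an added example written for this page, not MineMeld tooling. It takes log records as (timestamp, node, message, indicator) tuples, a layout assumed for the example because the Logs tab shows these fields but the export order depends on your MineMeld version, plus the node graph from the Config tab, and answers the two questions the procedure above asks: which nodes currently hold the indicator, and where an EMIT was never matched by an ACCEPT downstream, which is what a node whose Inputs were never committed looks like in the logs. The node names and records are constructed.

```python
"""Reconstruct an indicator's path through MineMeld from its Logs entries.

Added example, not MineMeld tooling. It works on the four log messages listed
above (ACCEPT_UPDATE, EMIT_UPDATE, EMIT_WITHDRAW, ACCEPT_WITHDRAW) and answers
the two questions you search the Logs tab for: which nodes still hold the
indicator, and where the flow broke. The record layout (timestamp, node,
message, indicator), the node graph and the sample records are constructed
for the example; adapt the tuple to the field order your Logs export uses.
"""
LOG_MESSAGES = {"ACCEPT_UPDATE", "EMIT_UPDATE", "EMIT_WITHDRAW", "ACCEPT_WITHDRAW"}


def trace_indicator(records, indicator, edges):
    """records: iterable of (ts, node, message, indicator).
    edges: {node: [nodes that list it among their Inputs]}.
    Returns (nodes that currently hold the indicator, list of anomalies)."""
    rows = sorted((r for r in records if r[3] == indicator), key=lambda r: r[0])
    held, accepts, anomalies = {}, {}, []
    for ts, node, message, _ in rows:
        if message not in LOG_MESSAGES:
            anomalies.append(f"{ts} {node}: unknown log message {message!r}")
            continue
        action, kind = message.split("_")           # ACCEPT|EMIT, UPDATE|WITHDRAW
        if action == "ACCEPT":
            accepts.setdefault((node, kind), []).append(ts)
            held[node] = kind == "UPDATE"
        elif kind == "WITHDRAW":
            held[node] = False                      # a miner aging out drops its own copy
        else:
            held.setdefault(node, True)             # a miner emitting an update holds it
    # Every EMIT must be matched by the same kind of ACCEPT at each downstream node;
    # otherwise that node's Inputs do not include this node, or the change was never
    # committed.
    for ts, node, message, _ in rows:
        if message not in LOG_MESSAGES or not message.startswith("EMIT_"):
            continue
        kind = message.split("_")[1]
        for down in edges.get(node, []):
            if not any(t >= ts for t in accepts.get((down, kind), [])):
                anomalies.append(f"{ts} {node} {message} for {indicator} never accepted by "
                                 f"{down}: check the Inputs of {down} and commit")
    return [n for n, h in held.items() if h], anomalies


# Constructed node graph and log records (timestamps are seconds; the indicators are
# documentation addresses, not real threat data).
SAMPLE_EDGES = {"af-samples-miner": ["ipv4-aggregator"],
                "ipv4-aggregator": ["edl-output", "af-artifacts-output"]}
SAMPLE_RECORDS = [
    (100, "af-samples-miner", "EMIT_UPDATE", "203.0.113.10"),
    (100, "ipv4-aggregator", "ACCEPT_UPDATE", "203.0.113.10"),
    (101, "ipv4-aggregator", "EMIT_UPDATE", "203.0.113.10"),
    (101, "edl-output", "ACCEPT_UPDATE", "203.0.113.10"),
    # af-artifacts-output never logs an ACCEPT: its Inputs do not include the aggregator
    (200, "af-samples-miner", "EMIT_UPDATE", "198.51.100.7"),
    (200, "ipv4-aggregator", "ACCEPT_UPDATE", "198.51.100.7"),
    (201, "ipv4-aggregator", "EMIT_UPDATE", "198.51.100.7"),
    (201, "edl-output", "ACCEPT_UPDATE", "198.51.100.7"),
    # 24 h later the samples miner ages 198.51.100.7 out and the withdraw propagates
    (86600, "af-samples-miner", "EMIT_WITHDRAW", "198.51.100.7"),
    (86600, "ipv4-aggregator", "ACCEPT_WITHDRAW", "198.51.100.7"),
    (86601, "ipv4-aggregator", "EMIT_WITHDRAW", "198.51.100.7"),
    (86601, "edl-output", "ACCEPT_WITHDRAW", "198.51.100.7"),
]

if __name__ == "__main__":
    for value in ("203.0.113.10", "198.51.100.7"):
        held_by, problems = trace_indicator(SAMPLE_RECORDS, value, SAMPLE_EDGES)
        print(value, "held by", held_by or "no node (aged out)")
        for p in problems:
            print("  !", p)
```

An indicator that is still on the external dynamic list after its miner logged EMIT_WITHDRAW, with no ACCEPT_WITHDRAW on the output, points at the same root cause as a missing ACCEPT_UPDATE: the output is not actually connected to the processor that withdrew it, so compare the anomalies against the Graph of the node before changing the miner's age-out settings.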