September 2020
paloaltonetworks.com/documentation
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support
Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2017-2020 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Last Revised
September 30, 2020
AutoFocus Dashboard
  Dashboard Overview
  Set the Dashboard Date Range
  Drill Down on Dashboard Widgets
  Customize the Dashboard
AutoFocus Search
  Start a Quick Search
  Work with the Search
  Drill Down in Search Results
    Sample
    Sessions
    Indicators
  Set Up Remote Search
  Artifact Types
    General Artifacts
    Sample Artifacts
    Session Artifacts
    Analysis Artifacts
    Linux Artifacts
    Windows Artifacts
    Mac Artifacts
    Android Artifacts
  Search Operators and Values
  Guidelines for Partial Searches
    Contains and Does Not Contain Operators
    Proximity Operator
AutoFocus Alerts
  Alert Types
    Email Alerts
    HTTP/HTTPS Alerts
  Create Alerts
    Define Alert Actions
AutoFocus Feeds
  Feed Overview
  Create Custom Feeds
  Use AutoFocus Custom Feeds with the Palo Alto Networks Firewall
  Manage Custom Feeds
AutoFocus Apps
  MineMeld
    Introduction to MineMeld
    Start, Stop, and Reset MineMeld
    Use AutoFocus-Hosted MineMeld
    Create a MineMeld Node
    Connect MineMeld Nodes
    Delete a MineMeld Node
    AutoFocus Prototypes
    Forward MineMeld Indicators to AutoFocus
    Forward AutoFocus Indicators to MineMeld
    Use AutoFocus Miners with the Palo Alto Networks Firewall
    Troubleshoot MineMeld
Get Started With AutoFocus
AutoFocus™ is a threat intelligence service that provides an interactive, graphical interface for
analyzing threats in your network. With AutoFocus, you can compare threats in your network
to threat information collected from other networks in your industry or across the globe,
within specific time frames. AutoFocus statistics are updated to include the most recent threat
samples analyzed by Palo Alto Networks®. Access to this information allows you to keep up
with threat trends and to take a preventive approach to securing your network.
See the following topics to get started with the AutoFocus threat intelligence service. If you
haven’t already, first register and activate AutoFocus.
8 AUTOFOCUS ADMINISTRATOR’S GUIDE | Get Started With AutoFocus
© 2020 Palo Alto Networks, Inc.
About AutoFocus
The AutoFocus threat intelligence portal enables you to quickly identify threats on your network, and to
contextualize such events within an industry, global, and historical context. AutoFocus harnesses data from
WildFire™, the PAN-DB URL Filtering database, Unit 42, and from third-party feeds (including both closed
and open-source intelligence). AutoFocus then makes the data searchable and layers the data with statistics
that both highlight pervasive malware and reveal connections between malware.
Take a look at the following table for an overview of AutoFocus features that allow you to prioritize,
contextualize, and address threats affecting your network.
STEP 1 | Locate the activation codes for the licenses you purchased.
When you purchased your subscriptions you should have received an email from Palo Alto Networks
customer service listing the activation code associated with each subscription. If you cannot locate this
email, contact Customer Support to obtain your activation codes before you proceed.
STEP 2 | Go to the Palo Alto Networks Customer Support portal and, if not already logged in, Sign In now.
Dashboard Filters
Filter the contents of your dashboard based on the sample verdict,
the sample/session source, and the time frame. You can also apply
your Saved Search configurations to the Dashboard, which lets you
build reports with greater specificity based on the selected criteria.
• Filter by Verdict—Select from Malware, Grayware, Benign,
Phishing, and Any Verdict to filter the data set based on a verdict.
• Filter by First Seen and Time—First configure the data set to include
samples based on when they were First Seen (the time stamp of when
the sample was first forwarded or uploaded to WildFire for analysis)
or by Time (the time stamp of when the session started), and then
set the dashboard to display data for the last 1, 7, 30, 90, or 180
days. You can also set the dashboard to display all data by default,
regardless of the time period in which the data was collected, by setting
the time range to Any Time.
Dashboard Tabs
Select an AutoFocus Dashboard tab to set the context for the data
displayed: My Organization, My Industry, Threat Summary Report,
or All. You can also Customize the Dashboard by adding your custom
reports to the dashboard tab.
Navigation Pane
Aggregates
• Custom Aggregation—Build a custom widget populated by data
from user-selectable artifacts.
• Top Firewalls—Displays the ten firewalls with the most sessions in which
malware samples were detected. Select the Organization tab on the
dashboard to display the top firewalls in your network.
• Top Malware—Displays the ten malware samples with the most hits.
• Top Applications—Displays the ten most used applications.
• Bottom Applications—Displays the ten least used applications.
• Upload Sources—Provides a breakdown of the upload sources of
malware files, typically including your firewall(s), Traps, and the
manual upload API.
• Top Filetypes—Displays the top ten filetypes that contain malware.
• Bottom Filetypes—Displays the bottom ten filetypes that contain
detected malware.
• Top Filetypes Per Application—The number of malware sessions
for the top 5 most frequently used applications for distributing
malware. For each application, the malware sessions are broken
down by filetype.
• Target Industries—Displays the ten industries with the highest
counts of malware detected. Select the All tab on the dashboard to
display target industries on a global scale.
Maps
• Flexible Map—The flexible map can be configured to show either
malware sources or destinations and allows you to view malware
hot spots geographically. Select Source to display countries with
high rates of malware sessions originating from those countries, or
select Destination to display countries with high rates of targeted
attacks. Larger bubbles indicate higher rates of activity. You can also
zoom in to more closely examine the number of malware sessions
General
• Alerts—The Alerts Log widget displays the latest 20 alerts on
malware and grayware matching enabled public, private, or Unit 42
AutoFocus Tags. For details on enabling the delivery of prioritized
alerts through email or over HTTP, see Create Alerts.
• Recent Research—Browse quick links to the latest research,
news, and resources from Unit 42, the Palo Alto Networks threat
intelligence team.
• Device Verdicts—Shows a breakdown of the number of malware,
grayware, phishing, and benign files detected by each of your
firewall devices during the selected date range. The sample source
lists all the devices configured to upload samples to your AutoFocus
account.
• Sample Verdicts—The sample verdicts chart shows the breakdown
of verdicts based on the total number of samples in the selected
date range.
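The Aggregates and General widgets above are all counts over WildFire session records. The following is an added example, not code from the AutoFocus portal or from Palo Alto Networks, that computes the same kinds of aggregations (Top Firewalls, Top/Bottom Applications, Top Filetypes Per Application, Target Industries, Device Verdicts, and Sample Verdicts) over a constructed set of session records. The record fields and the function names are assumptions made for the example; the constructed sessions are not real AutoFocus data.

```python
from collections import Counter, defaultdict

# Constructed session records (not real AutoFocus data). Each record is one
# session in which a sample with the given WildFire verdict was observed.
SESSIONS = [
    {"firewall": "fw-branch-1", "app": "web-browsing", "filetype": "PE", "verdict": "malware", "industry": "Healthcare"},
    {"firewall": "fw-branch-1", "app": "web-browsing", "filetype": "PE", "verdict": "malware", "industry": "Healthcare"},
    {"firewall": "fw-dc-1", "app": "web-browsing", "filetype": "PDF", "verdict": "malware", "industry": "Finance"},
    {"firewall": "fw-dc-1", "app": "smtp", "filetype": "PE", "verdict": "malware", "industry": "Finance"},
    {"firewall": "fw-lab-1", "app": "smtp", "filetype": "DOC", "verdict": "malware", "industry": "High Tech"},
    {"firewall": "fw-branch-1", "app": "ftp", "filetype": "PE", "verdict": "grayware", "industry": "Healthcare"},
    {"firewall": "fw-lab-1", "app": "web-browsing", "filetype": "PE", "verdict": "benign", "industry": "High Tech"},
    {"firewall": "fw-branch-1", "app": "web-browsing", "filetype": "PDF", "verdict": "malware", "industry": "Healthcare"},
    {"firewall": "fw-edge-1", "app": "ssl", "filetype": "APK", "verdict": "malware", "industry": "Retail"},
]


def malware_sessions(sessions):
    """The Top/Bottom widgets only count sessions whose sample verdict is malware."""
    return [s for s in sessions if s["verdict"] == "malware"]


def top_n(sessions, field, n=10):
    """Top Firewalls / Top Applications / Top Filetypes / Target Industries:
    the n most frequent values of `field` across malware sessions."""
    return Counter(s[field] for s in malware_sessions(sessions)).most_common(n)


def bottom_n(sessions, field, n=10):
    """Bottom Applications / Bottom Filetypes: the n least frequent values
    (ties broken by name so the result is deterministic)."""
    counts = Counter(s[field] for s in malware_sessions(sessions))
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:n]


def top_filetypes_per_application(sessions, n_apps=5):
    """Top Filetypes Per Application: take the n_apps applications that carry
    the most malware sessions and break each one down by filetype."""
    by_app = defaultdict(Counter)
    for s in malware_sessions(sessions):
        by_app[s["app"]][s["filetype"]] += 1
    ranked = sorted(by_app.items(), key=lambda kv: (-sum(kv[1].values()), kv[0]))[:n_apps]
    return {app: dict(filetypes) for app, filetypes in ranked}


def device_verdicts(sessions):
    """Device Verdicts: per firewall, how many malware, grayware, phishing and
    benign samples it forwarded (all verdicts, not just malware)."""
    per_device = defaultdict(Counter)
    for s in sessions:
        per_device[s["firewall"]][s["verdict"]] += 1
    return {device: dict(verdicts) for device, verdicts in per_device.items()}


def sample_verdicts(sessions):
    """Sample Verdicts: the overall verdict breakdown for the data set."""
    return dict(Counter(s["verdict"] for s in sessions))


if __name__ == "__main__":
    print("Top firewalls:", top_n(SESSIONS, "firewall"))
    print("Top filetypes per application:", top_filetypes_per_application(SESSIONS, n_apps=2))
    print("Device verdicts:", device_verdicts(SESSIONS))
```

The widgets in the portal additionally apply the dashboard filters (verdict, source, First Seen/Time range) before counting; in this example that filtering is reduced to the malware-only selection in `malware_sessions`.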
Tags
• Top Tags—The Top Tags widget lists the AutoFocus Tags matched
to the highest number of samples. You can easily distinguish the
different tag types by color and icon.
The Top Tags list is sorted according to the number of samples
matched to the tag in the date range selected on the malware
sessions histogram (at the top of the dashboard). For each tag,
the list also displays the total number of samples that have been
matched to the tag and the date and time that the most recent
matching sample was detected.
On the Top Tags widget:
  • Filter the displayed tags by Tag Class.
  • Select from the options under Choose Tag Types to display the
  top 20 private tags, public tags, Unit 42 alerting tags, and/or Unit
  42 informational tags.
  • Select a tag to view tag details, including a description of the
  condition or set of conditions that the tag identifies, or to add
  the tag to a search.
• Top Malware Family Tags—Shows only the malware family tags
detected within the given time range.
• Top Campaign Tags—Shows only the campaign tags detected within
the given time range.
Widget Visualization
Options
Feedback Link
Concept: Samples
Description: For both AutoFocus and WildFire, a sample refers to a file (such as
a PDF or PE) or a link included in an email. The Palo Alto Networks
firewall and other sources such as Traps and Proofpoint can forward
unknown samples to the WildFire cloud, where WildFire performs
Static Analysis and Dynamic Analysis of the sample. As WildFire
observes and executes the sample in the analysis environment,
WildFire associates different Artifacts with the sample. AutoFocus
allows you to search for samples based on the sample hash and
other Sample Artifacts. When you perform a search in AutoFocus,
AutoFocus compares all historical and new samples to the search
conditions and filters the search results accordingly.
AutoFocus receives WildFire analysis information for samples
submitted to the WildFire global and regional clouds.
Concept: Public Tags and Samples
Description: Public tags and samples in AutoFocus are visible to all AutoFocus
users.
Concept: Private Tags and Samples
Description: Private tags and samples in AutoFocus are visible only to AutoFocus
users associated with the same support account.
Private tags and samples can be made public, with the option to revert
the tag or sample back to private status at any time.
Concept: All Tab and All Samples
Description: The All tab on the dashboard and the option to view All Samples
in a search include statistics for all samples seen by WildFire, both
public and private; however, identifying details are obfuscated for
private samples. The All tab on the dashboard displays all malware
(including private samples) with obfuscated hashes. The All Samples
view in a search obfuscates private sample details with the exception
of the WildFire verdict for the sample, the date the sample was first
submitted to WildFire, the file size, and the file type.
Concept: Suspicious
Description: Suspicious artifacts:
• Have been widely detected across large numbers of samples.
• Are most frequently detected with malware. Although suspicious
artifacts can be detected with grayware and benign samples, they
are more often found with malware.
For more on suspicious artifacts in AutoFocus, you can Find High-Risk
Artifacts and Add High-Risk Artifacts to a Search or Export List.
Concept: Highly Suspicious
Description: Highly suspicious artifacts:
• Have been detected in very few samples. The lack of distribution
of these types of artifacts could indicate an attack crafted to target
a specific organization.
• Are most frequently detected with malware. In some cases, these
artifacts have been exclusively seen with malware and never with
grayware or benign samples.
For more on highly suspicious artifacts in AutoFocus, you can Find
High-Risk Artifacts and Add High-Risk Artifacts to a Search or Export
List.
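The Suspicious and Highly Suspicious definitions above both rest on the per-artifact counts of benign, grayware and malware samples the artifact was seen with, differing in how widely the artifact is distributed. The following is an added example, not AutoFocus code and not Palo Alto Networks' scoring logic, that applies those two definitions to a constructed set of artifact statistics and builds the kind of high-risk list a defender would export or add to a search. The numeric thresholds (`WIDE_THRESHOLD`, `RARE_THRESHOLD`, `MALWARE_SHARE`) and the artifact values are assumptions chosen for the example; AutoFocus does not publish its own cut-offs on this page.

```python
from dataclasses import dataclass

# Assumed thresholds for the example (AutoFocus's real cut-offs are not published here).
WIDE_THRESHOLD = 100   # "widely detected across large numbers of samples"
RARE_THRESHOLD = 5     # "detected in very few samples"
MALWARE_SHARE = 0.8    # "most frequently detected with malware"


@dataclass(frozen=True)
class ArtifactStats:
    """How often one artifact was seen with benign, grayware and malware samples."""
    kind: str
    value: str
    benign: int
    grayware: int
    malware: int

    @property
    def total(self) -> int:
        return self.benign + self.grayware + self.malware

    @property
    def malware_share(self) -> float:
        return self.malware / self.total if self.total else 0.0


def classify(artifact: ArtifactStats) -> str:
    """Map an artifact's distribution to 'highly suspicious', 'suspicious' or 'not flagged'.

    Both flagged classes require the artifact to be seen mostly with malware;
    the rare/wide split decides which label applies. Artifacts in between the
    two thresholds are left unflagged in this example."""
    if artifact.total == 0 or artifact.malware_share < MALWARE_SHARE:
        return "not flagged"
    if artifact.total <= RARE_THRESHOLD:
        return "highly suspicious"
    if artifact.total >= WIDE_THRESHOLD:
        return "suspicious"
    return "not flagged"


def high_risk_export(artifacts):
    """Rows for an export list: flagged artifacts only, the rarest/most targeted
    ones first, then by malware count."""
    rank = {"highly suspicious": 0, "suspicious": 1}
    rows = []
    for a in artifacts:
        risk = classify(a)
        if risk == "not flagged":
            continue
        rows.append({"risk": risk, "kind": a.kind, "value": a.value,
                     "malware": a.malware, "grayware": a.grayware, "benign": a.benign,
                     "malware_share": round(a.malware_share, 3)})
    return sorted(rows, key=lambda r: (rank[r["risk"]], -r["malware"]))


# Constructed artifact statistics (not real AutoFocus data).
ARTIFACTS = [
    ArtifactStats("mutex", "Global\\constructed-mutex-1", benign=0, grayware=0, malware=3),
    ArtifactStats("domain", "updates.constructed-example.test", benign=20, grayware=15, malware=400),
    ArtifactStats("domain", "cdn.constructed-example.test", benign=5000, grayware=100, malware=200),
    ArtifactStats("file_path", "C:\\Users\\Public\\example.dll", benign=1, grayware=0, malware=4),
    ArtifactStats("registry_key", "HKCU\\Software\\Example\\Startup", benign=10, grayware=5, malware=35),
]


if __name__ == "__main__":
    for row in high_risk_export(ARTIFACTS):
        print(row)
```

The CDN-like domain is seen with far more malware than the mutex in absolute terms, yet it is not flagged, because its malware share is tiny; this is why the portal reports all three verdict counts per artifact rather than a single hit count.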
This feature is supported with firewalls running PAN-OS 7.1 or later release versions.
You can use Panorama to remotely search for artifacts in firewalls that are not connected to AutoFocus
and/or are running PAN-OS 7.0 and earlier.
Dashboard Overview
Scan the AutoFocus dashboard to view and drill down on pervasive artifacts, including top malware, top
applications, and top firewalls. You can alternate dashboard views to display the threat landscape globally,
for your organization, your industry, and using your customized reports.
As you move between the dashboard tabs, the data displayed is updated to reflect the dashboard context:
• My Organization—View the threat landscape for your network, with the capability to drill down and
search on data for firewalls associated with the selected support account. Top firewalls are only
displayed on the organization tab and are not visible in other contexts.
• My Industry—View the threat landscape across your industry. Explore and examine targeted threats or
trends affecting similar networks and organizations. Industry data is populated according to the industry
associated with the selected support account (for example, high tech or healthcare).
• All—View the global threat landscape to contextualize both threats affecting your network and your
industry. The All tab includes the additional widget Target Industries that allows you to compare
malware rates across industries.
The Industry and All views display statistics for all samples (public and private) but do
not allow access to the details of private samples (unless they are private samples from
firewalls associated with your support account).
• Threat Summary Report—View a summary of all the threats that have been detected within the
specified time frame.
• Customized Reports—Reports that you create can be added to the dashboard view for quick reference.
You can use any of the widgets to formulate your own report; alternatively, you can use an existing
default report as the basis for a new report. The name of the tab indicates the name of the custom
report.
Drill Down on Dashboard Widgets for more details on a threat artifact, with the option to add the artifact to
a search, or tag the artifact as an indicator of compromise (IOC).
For an overview of each of the dashboard widgets, take a First Look at the AutoFocus Portal.
If you don’t see any malware sessions in the Download Sessions histogram, there may not
be any malware detected during the selected date range. The histogram does not include
sessions with known malware (malware that was first seen before the selected date range).
The time setting does not filter the scope (My Samples (private), Public Samples, or All
Samples (private and public)) of the sample data set.
The dashboard default time range is applied to all dashboard views (organization, industry, and all) and
dashboard widgets immediately update to reflect the time range selected.
The default time range is also reapplied when the dashboard is refreshed.
After modifying the dashboard date range using the Download Sessions histogram, you
can refresh your browser at any time to reapply the default date range.
For an overview of each of the dashboard widgets, take a First Look at the AutoFocus Portal.
• For details on interacting with the Top Tags widget, Vote for, Comment on, and Report Tags.
• For details on interacting with the Alerts Log widget, View Alerts in AutoFocus.
2. You can reorder the report tab list by dragging and dropping the report into a new order. The report
at the top of the list corresponds to the leftmost report in the tab.
3. (Optional) For default reports, you can Upgrade Page to sync with the latest version of the report
from Palo Alto Networks. From here, you can also Edit Page to modify the widgets used in the
selected report. If you have made changes to a default report, you can Reset them to return the
report to the default configuration (this option only appears when the report has been modified).
Depending on the widget configuration and visualization options used, you might
not be able to view the entire data set presented within a widget. Adjust the widget
size by changing the number of columns per row and configuration options to best
suit your report presentation requirements.
3. Save your changes to the dashboard.
When you are finished making your changes, click the Page Editor.
4. (Optional) Restore the default dashboard settings.
The Reset Page to Default option appears only after a report has been upgraded to
the latest version and subsequently edited by a user.
DNS Security Dashboard Overview
Scroll through the AutoFocus DNS Security dashboard to view and drill down into various DNS trends
discovered in your network by AutoFocus. Each dashboard widget provides a unique view into how
DNS requests are processed and categorized. Clicking on a widget allows you to change the context of the
dashboard or view more information about a specific trend, domain, or statistic.
If you are running DNS Security on PAN-OS 9.x, server response and request data for
cached verdicts and benign domains on the firewall are not uploaded to AutoFocus.
Expanded Data Collection for DNS Security Improvements, which collects and forwards this
data to improve analytics, was added in PAN-OS 10.0.
Filter the contents of your dashboard based on the DNS category and the time-frame.
• Filter by DNS Category—Select from C2 (DGA, Tunneling, other C2), Malware, Newly Registered
Domain, Phishing, Dynamic DNS, Allow List, Benign/Unknown, or Any Category, to filter the data set
based on a DNS type.
The Allow List category is a list maintained by Palo Alto Networks of explicitly allowable
domains based on metrics from PAN-DB and Alexa. These allow list domains are
frequently accessed and known to be free from malicious content.
• Filter by Period—Select from Last hour, Last 24 hours, Last 7 days, or Last 30 days to display data for a
specific time-frame.
Drill Down on the DNS Security Dashboard Widgets for more details on a specific DNS request trend or
statistic.
For an overview of each of the dashboard widgets, see DNS Security Dashboard Widgets.
Alternatively, you can use the DNS Category filter at the top of the
page to switch to any of the defined DNS categories. Click See All > to
view a complete list of DNS events.
Displays a bar chart showing DNS requests based on the Period and
the DNS Category filter settings at the top of the page. You can also
[Malicious] Domains
DNS Categories
Top Domains
Start a Quick Search
Start a simple search for an artifact from any page in AutoFocus™, or use the AutoFocus search editor to
perform complex searches, with conditions that allow you to narrow or broaden the scope of your search.
Toggle your view of search results to find:
• The samples matched to your search conditions (WildFire tab).
• The sessions during which the samples were detected (Activity tab).
• The threat indicators found in the returned samples and the DNS history and PAN-DB categorization of
the results (Indicators tab).
After performing a search, you can drill down in sample results to find artifacts seen with that sample. For
each artifact associated with a sample, AutoFocus lists the number of times the artifact has been detected
with benign, grayware, and malware samples. Artifacts that are seen disproportionately
with malware are indicated to be Suspicious or Highly Suspicious. AutoFocus also makes it easy to view
indicators that are found with your search results.
Start searching through samples and sessions for matches to an artifact from any page on the AutoFocus
portal.
STEP 1 | Click the spyglass icon in the support account area of the portal.
You can also press Alt+s to open quick search. To close quick search, click the x on the
top right corner of the search box or click anywhere on the dimmed area of the interface.
• Open the Search editor on the navigation pane and select a search type.
  • Indicators—Search based on threat indicators, artifacts that have been ascertained by security
  experts as exhibiting signs of a compromised network. These artifacts include: file hashes, domains,
  URLs, and IP addresses.
  • Sample—Search based on samples sent to WildFire for analysis by various connected appliances
  and services. WildFire receives samples from the following sources: Firewalls, WildFire, Traps, Traps
  Android, Magnifier, Proofpoint, Prisma SaaS, manual uploads, partner integrations, and other industry
  sources.
  • Session—Search based on the session data provided with samples during sample submission. This
  allows you to search based on various context details, such as the time stamp, upload source,
  application, file URL, and more. The session data displayed in the search results includes all relevant
  data submitted to WildFire through your organization's various product integrations.
• See the following topics for details on using the AutoFocus search:
  • Start an Indicator Search.
  • Start a sample or session simple mode search.
  • Start a sample or session advanced mode search.
When switching the search context from Indicators to WildFire or Activity, AutoFocus
reapplies the search term as a valid artifact type in an advanced mode search.
This allows you to quickly pivot for more information about a particular indicator.
Create a simple mode search by selecting the relevant conditions from the drop-down menus. Should
you need to run a search using other variables, you must define the scope and value in the Advanced
search:
1. Configure your search by selecting the desired search variables from the drop-down menus. You can
select from the following categories: Verdict, Seen, Source, Tags, and IOC (indicators of compromise).
The time setting does not filter the scope (My Samples (private), Public Samples,
or All Samples (private and public)) of the sample data set.
• Search by Source—Select from Firewall, Proofpoint, Traps, Magnifier, Manual API, Traps Android,
WF Appliance, Prisma SaaS, Prisma Access, Cortex XDR, and Any Source to filter the data set
based on the upload source.
• Search by Tag—Select from a list of tags, tag classes, or tag groups. Alternatively, you can filter the
list of tags by entering a keyword to search for samples associated with a tag.
• Search by IOC—Search based on the following indicators of compromise: Hash, IP Address,
Domain, URL, User Agent, Email Address, and Filename.
• Apply a Saved Search—Select a Saved Search setting to quickly execute a search based on
preconfigured saved search conditions.
2. If you want to add other conditions to the search, you can switch to Advanced mode. Switching to
advanced mode retains the condition values selected from the simple search mode. From here, you
can add additional search conditions that are not available in simple search mode. For more details on
using the advanced mode search, refer to Begin a new advanced search.
If you add search conditions that are not available in Simple mode, you will be
prompted to reset your search.
1. Select one of the Artifact Types from the drop-down to perform a search of global threat data based
on that artifact type.
Start typing the name of the artifact type to narrow down the list of options.
You can use the operator to create negative search conditions. Use negative
operators such as is not or is not in the list to return more granular search results that
exclude samples or sessions that match the negative condition.
3. Enter or select a value to define the search condition. Depending on the artifact type and operator
selected, you may be able to choose from predefined values, or you might be required to enter an
exact value to perform the search.
Learn more about Search Operators and Values.
If you are attempting to select a value from a pre-populated drop-down, and the drop-down appears to be loading for a long period of time, try clearing your browser cache.
A child query is a condition or a set of conditions nested within and used to qualify a parent query. A
child query is evaluated only against the parent query to which it is added. Add a child query to return
more granular search results, where the results must match both the parent query and the child query.
The example search below shows a child query added to the Email Subject condition. Search results will
be returned for samples where the following is true:
You can only add up to 4 levels of child queries nested under parent queries.
Click Add Parent Query to nest a search condition under the preceding condition. AutoFocus then only
evaluates the nested search condition against the parent condition.
In the example below, click Add Parent Query to nest the First Seen condition under the WildFire
Verdict condition. Search results will be returned for samples where any of the following conditions is
true:
• The sample received a WildFire verdict of malware and was first seen before July 1, 2016.
• The sample is an Adobe Flash file.
Move Up or Move Down search conditions to move conditions to or from a child query. Depending on
the placement of a condition, you can move it up or down to include it in a child query. You can also
move a condition up or down to remove it from a child query so that it is no longer a nested condition.
Alternatively, you can move a search condition using the keyboard. Placing the cursor over the left edge
of a condition displays a directional icon. Click on the icon next to the condition or condition group you
want to move and then use the keyboard arrows to change the placement. Depending on the location
of the condition, you can also create child and parent queries by pressing the right arrow key. Exit the
keyboard movement mode by pressing the escape key or by clicking the selected condition.
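The parent/child query rules above (a child query is evaluated only against its parent, results must match both parent and child, a disabled condition is ignored, at most 4 levels of child queries) describe a boolean tree. The following is an added example, not code from the AutoFocus portal or its API, that represents such a tree as nested dictionaries and evaluates it against constructed sample records. It reproduces the page's example query (any of: verdict is malware and first seen before July 1, 2016; the sample is an Adobe Flash file) and also exercises the negative operators the page mentions (`is not`, `is not in the list`, `does not contain`). The dictionary layout, the field names (`verdict`, `first_seen`, `filetype`, `source`) and the sample records are assumptions made for the example and are not AutoFocus's own query format.

```python
from datetime import date

# The page states that up to 4 levels of child queries can be nested under parent queries.
MAX_CHILD_DEPTH = 4


def match_condition(cond, sample):
    """Evaluate one leaf condition {"field", "operator", "value"} against a sample record.
    Operator names follow the ones used in the page's prose; the field names are assumed."""
    actual = sample.get(cond["field"])
    op, value = cond["operator"], cond.get("value")
    if op == "is":
        return actual == value
    if op == "is not":
        return actual != value
    if op == "is in the list":
        return actual in value
    if op == "is not in the list":
        return actual not in value
    if op == "contains":
        return actual is not None and value in actual
    if op == "does not contain":
        return actual is None or value not in actual
    if op == "is before":
        return actual is not None and actual < value
    if op == "is after":
        return actual is not None and actual > value
    raise ValueError(f"unsupported operator: {op!r}")


def evaluate(node, sample):
    """Evaluate a query tree. A group node is {"operator": "all"|"any", "children": [...]};
    'all' means every child must match (the parent-plus-child-query rule), 'any' means one
    child suffices. Conditions with "enabled": False are skipped, as in the search editor."""
    if "children" not in node:
        return match_condition(node, sample)
    active = [c for c in node["children"] if c.get("enabled", True)]
    if not active:
        return True  # a group whose conditions are all disabled imposes no constraint
    if node["operator"] == "all":
        return all(evaluate(c, sample) for c in active)
    if node["operator"] == "any":
        return any(evaluate(c, sample) for c in active)
    raise ValueError(f"unsupported group operator: {node['operator']!r}")


def nesting_depth(node):
    """Number of child-query levels below this node (0 for a leaf or a flat group)."""
    if "children" not in node:
        return 0
    return max((1 + nesting_depth(c) for c in node["children"] if "children" in c), default=0)


def search(query, samples):
    """Return the ids of samples matching the query, enforcing the 4-level nesting limit up front."""
    if nesting_depth(query) > MAX_CHILD_DEPTH:
        raise ValueError(f"query nests more than {MAX_CHILD_DEPTH} levels of child queries")
    return [s["id"] for s in samples if evaluate(query, s)]


# Constructed sample records (not real WildFire data).
SAMPLES = [
    {"id": "s1", "verdict": "malware", "first_seen": date(2016, 3, 10), "filetype": "PE", "source": "Firewall"},
    {"id": "s2", "verdict": "malware", "first_seen": date(2017, 1, 5), "filetype": "PE", "source": "Manual API"},
    {"id": "s3", "verdict": "benign", "first_seen": date(2018, 2, 2), "filetype": "Adobe Flash", "source": "Traps"},
    {"id": "s4", "verdict": "grayware", "first_seen": date(2015, 12, 31), "filetype": "PDF", "source": "Firewall"},
]

# The page's example: First Seen nested as a child query under WildFire Verdict, with the
# Adobe Flash condition as a sibling, so either branch is enough for a match.
EXAMPLE_QUERY = {
    "operator": "any",
    "children": [
        {"operator": "all", "children": [
            {"field": "verdict", "operator": "is", "value": "malware"},
            {"field": "first_seen", "operator": "is before", "value": date(2016, 7, 1)},
        ]},
        {"field": "filetype", "operator": "is", "value": "Adobe Flash"},
    ],
}

# Negative operators narrow the result set by excluding matches.
EXCLUDE_QUERY = {
    "operator": "all",
    "children": [
        {"field": "source", "operator": "is not in the list", "value": ["Manual API", "Proofpoint"]},
        {"field": "filetype", "operator": "does not contain", "value": "Flash"},
    ],
}

if __name__ == "__main__":
    print("page example:", search(EXAMPLE_QUERY, SAMPLES))
    print("exclusions:", search(EXCLUDE_QUERY, SAMPLES))
```

Moving a condition up or down in the editor corresponds here to moving a leaf into or out of a `children` list; the depth check in `search` is what rejects a fifth level of nesting.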
To enable a search condition that was previously disabled, select the ellipses icon for that condition and
select Enable:
This is one way to add search conditions that define which artifacts to find remotely in a Palo Alto
Networks® next-generation firewall, Panorama, or third-party log management system when you Set Up
Remote Search.
This option is only available for SHA256 hash, IP address, user agent, filename, or URL search conditions.
Select the Show Search History icon and add Recently used or Most used search conditions to your
search.
• Save a search.
Open Saved Search to view an alphabetical list of previously saved searches, and click the spyglass icon
to add a saved search to the search editor.
• Tag a search.
Click Tag Results to create a tag based on search conditions. Tags can be used to define a set of
conditions that indicate an important network event or a possible or known threat.
Tag a search so you can easily identify and track any existing or future samples that match the search.
When you Create a Tag, give the tag a recognizable name and description. Select Tags on the navigation
pane to manage tags you have created and to view all tags.
• Export a search.
• Import a search.
Click Import Search to paste and import a previously exported query or a query shared by another
AutoFocus security expert.
Start a Remote Search to look for artifacts in a Palo Alto Networks firewall, Panorama, or third-party log
management system. View more details on how to Set Up Remote Search.
This feature is supported with firewalls running PAN-OS 7.1 or later release versions.
When the MineMeld app is running, Create MineMeld Miner to send artifacts from the sample search
results to MineMeld (refer to Forward AutoFocus Indicators to MineMeld).
The Samples, Sessions, and Indicators tabs display search results in different contexts. You can drill down
in the results to find correlation among artifacts, to narrow your search by adding artifacts to the search as
you go, and to Export AutoFocus Artifacts that are high-risk.
See the following topics for details on the different search results views:
• Sample
• Sessions
• Indicators
Sample
The Sample tab in the AutoFocus search editor displays all samples that match the conditions of the search.
Click the column headers for the sample details to sort samples in ascending (up arrow) or descending
(down arrow) order. By default, the most recently detected samples are displayed. You can choose to view
only My Samples, only Public Samples, or All Samples. All Samples includes both public and private samples;
however, private samples submitted by firewalls or sample sources other than those associated with your
support account display with an obfuscated hash.
Set a default scope for search results to choose which samples are displayed immediately
when you launch a search. Navigate to the AutoFocus portal Settings and select a Preferred
Scope. You must click Save changes to save the new default scope.
Sample Visibility: Make a sample Public to share the sample with other AutoFocus security experts. You can
also revert the status of the sample to Private at any time.
Sample Tags: Lists the tags the sample is associated with, and you can also add a new tag. (For details on
tags and how tagging works, see AutoFocus Tags.)
WildFire Report: Shows the WildFire analysis report sample details based on the virtual environment(s) used
to analyze the file. This includes comprehensive information about how the sample verdict was determined,
including specific behaviors and system process changes, as well as associated IoCs and causality chain, to
help you visualize how the sample infiltrated your network.
Select a drop down to view specifics for each WildFire report context:
• Summary—Displays general file information as well as an overview of the
sample analysis results as determined by WildFire. This includes the sample
verdict, hash, analysis timestamps, file property details, session information,
malware family, VirusTotal and MultiScanner hits, and the region where the
sample was analyzed.
File Analysis: Lists the sample details and properties. The nested WildFire Dynamic Analysis section
describes the sample’s observed behavior and lists each activity the sample performed when executed in the
WildFire analysis environment.
You can view sample details that WildFire detected in environments running
different operating systems. If you have any reason to believe the verdict is a
false positive or a false negative, click Report as Incorrect to submit the sample
to the Palo Alto Networks threat team. The threat team performs additional
analysis on the sample to determine and verify the verdict.
Select a method of viewing the WildFire dynamic analysis of the sample:
• ( )—Groups sample activities by activity type. This view displays by
default when you open the file analysis of a sample.
• ( )—Lists sample activities based on the order in which they occurred in
the WildFire analysis environment.
• ( )—For any main parent processes that occurred when the sample
executed in the WildFire analysis environment, the child processes and
activities that they spawned are grouped under them. The processes are
indented to display the visual hierarchy of parent and child processes.
Click the minus sign ( - ) next to a parent process to hide the child processes
under it; click the plus sign ( + ) to display them.
• ( )—Filters the processes and activities shown under WildFire Dynamic
Analysis. You can configure the analysis filter(s) with the following rule types:
• Line Counts—AutoFocus filters activities that exceed the user-specified
artifact limits.
File Analysis (continued): The Observed Behavior section displays the total number of activities that are
evidence of a specific behavior. Each behavior has an associated risk level, and you can expand a single
behavior to see the matching sample activities.
You can also expand an activity section to see all of the specific sample
activities that fall under it. For each activity artifact, the total number of times
the artifact has been found with benign ( ), grayware ( ), and malware ( )
samples is listed.
Depending on the artifact, you can:
• Add an artifact to your existing search
• Add an artifact to an export list
• Start a new search for the artifact in a separate browser window
• View more information about domain and URL artifacts
If an artifact is evidence of an observed behavior, the behavior risk level is
indicated with this icon:
A gray icon indicates a low-risk behavior, a yellow icon indicates a medium-risk
behavior, and a red icon indicates that the artifact is evidence of a critical, high-risk behavior.
Based on the sample artifacts, AutoFocus highlights high-risk indicators as
Suspicious or Highly Suspicious. Sample indicators that match indicators
forwarded to AutoFocus from MineMeld are highlighted with an indicator icon.
(Learn more about how to Manage Threat Indicators.)
Network Sessions: Lists all sessions during which samples with the same SHA256 hash were detected. The
sessions displayed are all WildFire sessions submitted from your Palo Alto Networks firewall or another
Upload Source associated with
Coverage: Lists the WildFire signatures that match the sample. Check signature coverage to assess the level
of protection in place against malware. Depending on the sample, all or some of the following signature
types provide coverage:
• WildFire AV Signatures identify malicious files. Examples of malware for
which antivirus signatures provide protection include viruses, trojans, worms,
and spyware downloads.
Sessions
The Sessions tab displays all session information associated with samples from your network. Click the
column headers to sort sessions in ascending (up arrow) or descending (down arrow) order.
The session data displayed in the search results include all relevant data submitted to
WildFire through your organization's various product integrations where available; however,
session data availability is not contingent on membership in other services, such as
Panorama, Cortex Data Lake, or other Palo Alto Networks products.
After performing an AutoFocus Search, select Sessions and select a single session to drill down for
session details:
Display sessions based on the Upload Source. Add the search condition Upload
Source > is to your current search and choose a session source. In the example above,
the sessions search results have the Upload Source Firewall, which means that they are
sessions associated with samples submitted to WildFire from your connected firewall.
Activity details include a Session Summary, from which you can add artifacts to
your existing search or launch a new search for an artifact in a separate browser
window.
The File Analysis tab displays artifacts that WildFire found in the sample
detected during the activity session (see Sample Details for information on the
File Analysis tab).
Activity details also include a list of Related Sessions, which are other sessions
during which the same sample was detected.
Indicators
The Indicators tab provides a summary of threat intelligence data that Palo Alto Networks has on
a particular threat indicator — URLs, domains, IP addresses (IPv4 and IPv6), and hashes. The threat
intelligence summary data, depending on the type of indicator, can include the WildFire verdict, detection
reasons, associated metadata (including the indicator source(s)), WHOIS information, tags, logs of DNS
activity from all samples analyzed with WildFire, active/passive DNS history where AutoFocus detected
Sample and Session Details: You can pivot to a sample or session search on the specified indicator. This
automatically initiates a search based on the initial query and can provide a wider context and additional
details.
The remote search feature is supported with firewalls running PAN-OS 7.1 or later release
versions.
AutoFocus also supports integration with third-party log management systems. When you configure your
custom system to work with AutoFocus remote search, you can filter log or event repositories with
AutoFocus search conditions.
STEP 1 | Log in to the firewall or Panorama you want to search with your administrator username and
password.
If no browser tabs open when you launch remote search, change the settings on your
browser to allow pop-ups from AutoFocus.
The maximum length for the URL generated through remote search is 1,024
characters. Performing a remote search with multiple search conditions may create a
URL that exceeds the character limit. As a best practice, check which conditions were
added to the URL after launching a search.
STEP 8 | Learn more about working with Unified logs on the firewall.
• General Artifacts
• Sample Artifacts
• Session Artifacts
• Analysis Artifacts
• Linux Artifacts
• Windows Artifacts
• Mac Artifacts
• Android Artifacts
General Artifacts
General artifacts are artifacts that WildFire associates with both samples and sessions. For example, you can
use the artifact type Domain to search based on domains found in samples and sessions.
Some general artifacts are tag-related. If you search with a tag-related artifact, the search results display all
samples that have one or more tags that meet the search criteria, and their related sessions.
The following general artifact types refer to private session information: Domain, Email Address, Filename,
IP Address, and URL. If any of your private tags use these artifact types as tag conditions, you cannot make
these tags public.
Domain A domain detected in the DNS Activity or HTTP Activity of a sample, or the
File URL.
Filename The File Name of the sample or a filename that AutoFocus found in the File
Activity of a sample.
Hash The sample’s MD5, SHA1, or SHA256 hash. The search results also include
samples in which AutoFocus found the hash in the File Activity of the sample.
Hash Lookup The sample’s MD5, SHA1, or SHA256 hash. The search results only include
samples based strictly on the primary sample hash value. Samples in which
matching hashes are found in the File Activity of the sample are not included
in the results.
Tag Class Samples filtered by Tag Class: a malware family, a campaign, an actor, an
exploit, or a type of malicious behavior.
Tag Scope Samples filtered by Tag Scope: private, public, Unit 42 (alerting), or Unit 42
informational (non-alerting).
Tag Source Samples with tags that are attributed to a particular Tag Source.
User Agent A user agent header detected in the HTTP Activity or User Agent Fragments
of a sample. The user agent header indicates your browser type and version
and your operating system and version. During a session, your browser sends
this information to the site you are visiting to determine the best way to
deliver the information you requested. Examples of user agent strings include
Mozilla/4.0 and Windows NT 6.1.
Saved Search A user-configured search setting used to quickly apply search conditions.
Sample Artifacts
Sample artifacts are artifacts that WildFire associates with samples only. You can find the following artifact
types when you view Sample Details, in the File Analysis details of a sample.
Compilation Timestamp The date and time when a Portable Executable (PE) file was created.
Digital Signer The digital signature that identifies the sender of the sample.
File Type The file type of the sample. Examples include Email Link, Adobe Flash File,
and PDF.
Finish Date The date and time when WildFire analysis of the sample completed and the
sample received a WildFire verdict.
First Seen The date and time that the sample was first forwarded or uploaded to
WildFire. You can search for samples based on relative dates and absolute
dates. Using a relative date allows you to select a date range based on the
current time as a reference point, while the absolute date allows you to
specify an exact point in time.
Import Table Hash An import hash, or imphash, is a hash based on the order that API functions
are listed in the import table of a Portable Executable (PE). Imphashes can
be used to identify similar samples that might belong to the same malware
family.
Imphashes are listed for malware and grayware samples only (not benign
samples).
Last Updated The date and time when WildFire changed the verdict for a sample.
MD5 The sample’s unique cryptographic hash generated using the MD5 message-
digest algorithm.
Region Every WildFire cloud (global or regional) to which a sample was submitted for
analysis. The sample details list all of the WildFire clouds to which firewalls
submitted the sample (different firewalls can submit the same sample to
different WildFire clouds).
• US—WildFire global cloud
• EU—WildFire EU cloud
• JP—WildFire Japan cloud
• SG—WildFire Singapore cloud
SHA1 The sample’s unique cryptographic hash generated using the Secure Hash
Algorithm 1.
SHA256 The sample’s unique cryptographic hash generated using Secure Hash
Algorithm 256.
Ssdeep Fuzzy Hash The fuzzy hash (generated by the ssdeep program) associated with the
sample.
The ssdeep program generates an ssdeep hash value, or a fuzzy hash, for a
sample which can be used to identify samples that are very similar but not
exactly alike. The ssdeep program allows you to compare sample fuzzy
hashes to produce a percentage that indicates how closely the samples match.
In ssdeep, a high percentage indicates a high number of similarities between
the samples.
In AutoFocus, fuzzy hashes are listed for malware and grayware samples only
(not benign samples).
WildFire Verdict WildFire assigns a verdict of Malware, Grayware, Benign, or Phishing to the
sample based on properties, behaviors, and activities observed for the file or
email link during static and dynamic analysis.
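The Import Table Hash row above describes the imphash only in words. The following added example, which is not AutoFocus or WildFire code, implements the commonly used imphash recipe (as popularized by the pefile library) over constructed import tables, and shows that module-name casing and ordinal imports normalize away while import order does not. The three sample import tables, the small ordinal lookup table, and the function names are assumptions constructed for the example.

```python
import hashlib
from typing import Iterable, List, Optional, Tuple

# Constructed example, not AutoFocus or WildFire code: computes an import
# hash (imphash) from a PE import table, following the pefile-style recipe,
# and shows why it groups related samples.

# One import table entry: (dll name, function name or None, ordinal or None).
ImportEntry = Tuple[str, Optional[str], Optional[int]]

# Small ordinal-to-name table for a DLL that is often imported by ordinal.
# Real tools ship a much larger lookup; this constructed subset only shows
# how ordinal imports are normalized to names.
ORDINAL_NAMES = {
    "ws2_32": {23: "socket", 3: "closesocket", 4: "connect"},
}

STRIPPED_EXTENSIONS = ("dll", "ocx", "sys")


def normalize_dll(dll: str) -> str:
    """Lower-case the module name and drop a .dll/.ocx/.sys extension."""
    name = dll.lower()
    base, sep, ext = name.rpartition(".")
    if sep and ext in STRIPPED_EXTENSIONS:
        return base
    return name


def import_strings(imports: Iterable[ImportEntry]) -> List[str]:
    """Return the ordered 'dll.function' strings that feed the hash.

    Order is preserved on purpose: the imphash is a hash of the import
    table as laid out, so builds that keep the same linker layout share a
    hash, while a reordered table does not.
    """
    out = []
    for dll, func, ordinal in imports:
        lib = normalize_dll(dll)
        if func is None:
            if ordinal is None:
                raise ValueError("import needs a name or an ordinal")
            func = ORDINAL_NAMES.get(lib, {}).get(ordinal, f"ord{ordinal}")
        out.append(f"{lib}.{func.lower()}")
    return out


def imphash(imports: Iterable[ImportEntry]) -> str:
    """MD5 over the comma-joined import strings (the imphash recipe)."""
    joined = ",".join(import_strings(imports))
    return hashlib.md5(joined.encode("ascii")).hexdigest()


def same_family_candidate(imports_x: Iterable[ImportEntry],
                          imports_y: Iterable[ImportEntry]) -> bool:
    """True when two import tables produce the same imphash."""
    return imphash(list(imports_x)) == imphash(list(imports_y))


# Constructed import tables for three hypothetical samples.
SAMPLE_A: List[ImportEntry] = [
    ("KERNEL32.dll", "CreateFileA", None),
    ("KERNEL32.dll", "WriteFile", None),
    ("WS2_32.dll", None, 23),           # socket, imported by ordinal
    ("ADVAPI32.dll", "RegSetValueExA", None),
]
# Same layout with different casing and the socket import by name;
# normalization makes it hash identically to SAMPLE_A.
SAMPLE_B: List[ImportEntry] = [
    ("kernel32.DLL", "createfilea", None),
    ("kernel32.DLL", "WRITEFILE", None),
    ("ws2_32.dll", "socket", None),
    ("advapi32.dll", "RegSetValueExA", None),
]
# Same functions in a different order: a different imphash.
SAMPLE_C: List[ImportEntry] = [
    ("ADVAPI32.dll", "RegSetValueExA", None),
    ("KERNEL32.dll", "CreateFileA", None),
    ("KERNEL32.dll", "WriteFile", None),
    ("WS2_32.dll", None, 23),
]


if __name__ == "__main__":
    for name, table in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(name, imphash(table), ",".join(import_strings(table)))
```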
Session Artifacts
Session artifacts are artifacts that WildFire associates with sessions only. You can find the following
artifact types when you view Sample Details. Note that you can only view the details of sessions associated
with your support account. For this reason, when you search with artifact types that refer to firewall-related
properties (for example, firewall serial number or hostname), AutoFocus filters the search results by the
properties of the Palo Alto Networks firewall(s) that initiated the session.
The following session artifact types refer to private session information: Device Hostname, Observed In,
Device vsys, Destination IP, Email Recipient Address, Email Charset, Email Sender Address, Email Subject,
File Name, File URL, Recipient User ID, and Source IP. If any of your private tags use these artifact types as
tag conditions, you cannot make these tags public.
Application The App-ID™ matched to the type of application traffic detected in a session.
For example, a search for the Application web-browsing returns sessions
during which web browsing over HTTP occurred. Visit Applipedia for an
updated list of applications that Palo Alto Networks identifies.
Device Country Code The two-digit abbreviation for the Device Country. Refer to the complete list
of countries and country codes in AutoFocus.
Device Hostname A name that identifies a Palo Alto Networks firewall. To view the hostname
for a firewall, log in to the firewall web interface, select Device > Setup >
Management, and view the General Settings.
Observed In Displays the serial number of a firewall or the endpoint that the session was
seen in.
Device vsys The name of the virtual system on the firewall associated with the session.
Destination Country The country of the IP address to which the session was destined.
Destination Country Code The two-digit abbreviation for the Destination Country of the session. Refer
to the complete list of countries and country codes in AutoFocus.
Email Recipient Address For email samples, the email address of the user who received the email.
Email Charset For email samples, the character set used to display the message body of an
email. Examples of character sets are UTF-8 and ISO-8859-1.
Email Sender Address For email samples, the email address of the sender.
File Name The filename of the sample sent during the session.
File URL The URL path for the source that hosts the sample.
IMEI The 15-digit unique International Mobile Equipment Identity number assigned
to a mobile phone.
Industry Industry indicates the field that the source of the session (you or another
AutoFocus support account) is associated with. Examples are Aerospace
and Defense, High Tech, and Education. Industry is a field you
select when you initially set up your AutoFocus account. Contact Palo Alto
Networks Support to change it.
Recipient User ID The username of the user who received an email sample.
Region The WildFire cloud (global or regional) to which a sample is submitted for
analysis. A session in the AutoFocus search results provides information
about how a source submitted a sample to WildFire. Since each session
corresponds to a single WildFire submission, it can only be associated with a
single WildFire cloud.
• US—WildFire global cloud
• EU—WildFire EU cloud
• JP—WildFire Japan cloud
• SG—WildFire Singapore cloud
SHA256 The SHA-256 hash for the sample associated with the session.
Source Country The country to which the IP address that initiated the session is registered.
Source Country Code The two-digit abbreviation of the Source Country that sent the session. Refer
to the complete list of countries and country codes in AutoFocus.
Status All samples that a Palo Alto Networks firewall blocked. The Status for blocked
samples is Blocked, while the status for allowed samples is blank. To find all allowed
samples, search with the condition Status > is not > Blocked.
Upload Source The source that requested a WildFire verdict for a sample or submitted a
sample to WildFire for analysis.
Choose from a list of possible upload sources:
• Firewall—Samples that a Palo Alto Networks firewall forwarded to
WildFire.
• Proofpoint—Samples submitted to WildFire through Proofpoint products.
• Traps—Samples submitted through Traps.
• Magnifier—Samples submitted through Magnifier (Now known as Cortex
XDR).
• Manual API—Samples uploaded manually through the WildFire API or the
WildFire public portal.
• Traps Android—Samples submitted through Traps for Android.
• WF Appliance—Samples that a WildFire appliance submitted to the
WildFire public cloud.
• Prisma SaaS—Samples submitted through Prisma SaaS.
• Prisma Access—Samples submitted through Prisma Access.
• Cortex XDR—Samples submitted through Cortex XDR.
Analysis Artifacts
Analysis artifacts make up the WildFire dynamic and static analysis of a sample. WildFire Dynamic Analysis
information consists of properties, activities, and behaviors that WildFire detects in the sample when it is
executed in an analysis environment. WildFire Static Analysis information consists of artifacts that WildFire
can observe from the sample without executing it in an analysis environment.
To get an idea of the artifacts that appear in a WildFire analysis section, start a search with
an analysis artifact and for the operator, select has any value. View the file analysis details of
the search results, expanding the section you searched for to view the artifacts that WildFire
found for it.
Connection Activity Processes that accessed other hosts on the network when the sample was
executed in the WildFire analysis environment. Artifacts listed for each
connection activity include the process that accessed other hosts on the
network, the port through which the process connected, the protocol used
for the connection, and the IP address and country of the host.
DNS Activity DNS activity observed when the sample was executed in the WildFire
analysis environment. Artifacts listed for each DNS activity include the
hostname that was translated (Query column), the resolved domain name or
IP address (Response column), and the type of DNS resource record (Type
column) used to resolve the DNS query.
File Activity Files that showed activity as a result of the sample being executed in the
WildFire analysis environment. Artifacts listed for each file activity include the
parent process that showed activity, the action the parent process performed,
and the file that was altered (created, modified, duplicated, or deleted).
HTTP Activity HTTP requests made when the sample was executed in the WildFire analysis
environment. Artifacts listed for each HTTP activity include the destination
domain of the HTTP request, the HTTP method that the host used, the URL
for the requested resource, and the string originating the request (User Agent
column).
The domain (Host column) and URL values together are the
URL for the request. For example, the full URL for the first
artifact is althawry.org/images/xs.jpg?8b96=71468.
Java API Activity Java runtime activity seen when the sample was executed in the WildFire
analysis environment.
Observed Behavior Behaviors seen for the sample in the WildFire analysis environment, such
as whether the sample created or modified files, started a process, spawned
new processes, modified the registry, or installed browser help objects
(BHOs). Each behavior is also assigned a risk level of high, medium, low, or
informational.
On the File Analysis tab within the sample details, alternate between
operating system columns to see the list of behaviors observed for each
virtual machine in which the sample was executed.
Other API Activity Non-Java API activity seen in the WildFire analysis environment when the
sample was executed. Artifacts listed include the parent process that was
active, the API calls made by the parent process, and the process that was
modified.
PE Metadata Portable Executable (PE) file metadata details extracted during WildFire
analysis. Artifacts listed for each file include the name, virtual address, virtual
size, and raw size.
Process Activity Processes that showed activity when the sample was executed. Artifacts
listed for each process activity include the parent process that was active, the
action that the parent process performed, and the process that was modified.
Service Activity Services that showed activity as a result of the sample being executed in the
WildFire analysis environment. Artifacts listed for each service activity include
the process that was active, the action the process performed, and the service
that was created, modified, or deleted.
User Agent Fragments The user agent header for HTTP requests sent when the sample was
executed in the WildFire analysis environment.
Linux Artifacts
Linux artifacts are artifacts that WildFire associates with samples after analyzing the samples in a Linux
analysis environment.
Linux File Paths File paths contained within the Linux sample file.
Linux Command Action Command actions embedded in the Linux sample file.
Linux File Activity Files that showed activity as a result of the sample being executed in the
WildFire analysis environment. Artifacts listed for each file activity include the
parent process that showed activity, the action the parent process performed,
and the file that was altered (created, modified, duplicated, or deleted).
Linux Suspicious Action An action that the Linux file performed when it was executed in the WildFire
analysis environment that may be an indicator of compromise.
Windows Artifacts
Windows artifacts are artifacts that WildFire associates with samples after analyzing the samples in a
Windows OS analysis environment.
Mutex Activity A mutex (mutual exclusion object) allows programs to share the same
resource, though the resource cannot be used by more than one program
simultaneously. If the sample generates other program threads when
executed in the analysis environment, the mutex created when the programs
start is listed along with the parent process.
Registry Activity Windows Registry settings and options that showed activity when the sample
was executed in the analysis environment. Artifacts listed for each registry
activity include the parent process that was active, the registry method used
by the parent process (Action column), and the registry key that was set,
modified, or deleted (Parameters column).
Mac Artifacts
Mac artifacts are artifacts that WildFire associates with samples after analyzing the samples in a Mac OS
analysis environment.
Mac Embedded File Internal files in a Mac app installer or a Mac app bundle. Details for an
embedded file can include the SHA256 and name of the installer or bundle,
the file’s SHA1 hash, filename, file format, file location, SHA256 hash, the
signature associated with the file and the name of the signer, the SHA1 hash
for the signature, signature status, and the file size in bytes.
Mac Embedded URL URLs that are part of a Mac file. The Path column contains the path for the
section of the app where the URL is located.
Android Artifacts
Android artifacts are artifacts that WildFire associates with Android Package (APK) samples after analyzing
the samples in an Android analysis environment. An APK file installs an app on an Android mobile phone or
tablet.
APK App Icon The file path for the app icon that displays in the Android device menu.
APK App Name The name of the app that displays on the interface of an Android device.
APK Certificate The hash value of the public key embedded in the digital certificate of the
APK file.
APK Certificate File The file path for the certificate(s) embedded in the APK file, information
about the certificate owner and issuer such as name and location (if provided
by the owner/issuer), and the MD5, SHA1, and SHA256 hashes used to sign
the certificate. The owner or issuer may provide the following information:
• CN—First name and last name
• OU—Organizational unit
• O—Organization name
• L—City or locality
• ST—State or province
• C—Two-digit country code
APK Defined Activity The class name of activities defined in the APK file. An activity is a component
of the app that provides a screen users can interact with to perform a task.
APK Defined Intent Filter An intent filter, found in an app’s manifest file, lists the type of intents that the
components of the app can respond to. An intent is a request an app sends to
other apps to perform an action. For example, the YouTube app needs to use
a messaging app on your Android device to share videos.
APK Defined Receiver Broadcast receivers for the APK file. Broadcast receivers allow the app to
receive intents broadcast by itself, by the Android device, or by other apps on
the device. An example of a broadcast that an app can receive is an indication
that the device battery is low.
APK Defined Sensor Sensors for motion, orientation, or environmental conditions that the app
uses when it is running. For example, an app might need to receive sensor
readings from the device’s GPS to perform location-based tasks.
APK Defined Service Services configured for the APK file. Services are operations that run in the
background while the app is running, and do not provide a user interface.
APK Embedded Libraries Third-party libraries that are included in the APK file. A third-party library,
which app developers can reuse across multiple apps, contains files of
code that accomplish a specific task. An example of an embedded library is
Google’s mobile ads software development kit (SDK), AdMob.
APK Embedded URL URLs that are part of an APK file. The Path column contains the path for the
section of the app where the URL is located.
APK Internal File The file format, file path, and SHA256 hash of files included in the APK file.
APK Package Name The unique name that identifies an app on an Android device. The general
format for a package name is domain.company.application (for example,
com.tamapps.learnjapanese).
APK Repackaged An indication of whether an APK file has been repackaged (True) or not
(False). AutoFocus marks a repackaged APK file as suspicious because an
attacker can repackage a benign file to contain malicious functionality.
APK Requested Permission The permissions that the APK file requests from users to perform processes
and to access data on their Android device. Examples include permissions to
access the camera on the device or to change the audio settings of the device.
APK Sensitive API Call API calls embedded in the APK file that access restricted services or
resources.
APK Signer Personal information that the app owner provided when signing the
app certificate:
• CN—First name and last name
• OU—Organizational unit
• O—Organization name
• L—City or locality
• ST—State or province
• C—Two-digit country code
APK Suspicious API Call API calls embedded in the APK file that access restricted services or
resources. Unlike APK Sensitive API Call, the APK Suspicious API Call lists all
instances of an API call and the location of the files where the API call was
found.
APK Suspicious Action An action that the APK file performed when it was executed in the WildFire
analysis environment that may be an indicator of compromise. The Value
column contains a description of the action and supporting evidence. For
example, if the suspicious action associated with an APK file sends SMS
messages while running in the background, the value includes the text
message content that the file sent. If the action is loading another APK, DEX,
or JAR file, the value includes the path for the file that the APK file loaded.
APK Suspicious Behavior A sequence of actions that the APK file exhibits, the target of the actions
(if there is one), and the location of the files that exhibited the actions. For
example, for the suspicious behavior “APK files sends an SMS to a fixed
number,” the target is the phone number that received the SMS.
APK Suspicious File Suspicious files found in the APK file and their file type. An example of a
suspicious file is one that contains malicious native code or an executable file
in .dex format.
APK Suspicious Pattern A class of patterns observed in the APK file, a description of what the pattern
does, and the location of the files where the pattern occurred.
APK Suspicious String Suspicious strings of code found in the APK file. For example, a suspicious
string can indicate that an app contains shell commands that install or
uninstall other apps, or the string can be a suspicious phone number. For
each string, you can view the location of the file that contains the string.
APK Version The version number of the app that is visible to users.
has any value: Find samples or sessions that have reported values for the artifact type, including values such as 0, unknown, or Not Found.
  Value: No value required.
is in the list: Find samples or sessions with artifacts that match at least one of the values from a list. You can have up to 1,000 values in your list. The values must be exact.
  Value:
  • Option—Select more than one value from the drop-down.
  • String—Type more than one value (not case-sensitive). Press Enter to separate one value from another.
is not in the list: Exclude samples or sessions that do not have at least one value from a list.
  Value:
  • Option—Select more than one value from the drop-down.
  • String—Type more than one value (not case-sensitive). Press Enter to separate one value from another.
contains: Find samples or sessions that contain the partial value you enter. Use the contains operator if you don’t know the exact value of an artifact. Learn more about the Guidelines for Partial Searches.
  Value: String—Type a partial value (not case-sensitive).
does not contain: Find samples or sessions that do not have the partial value you enter. Learn more about the Guidelines for Partial Searches.
  Value: String—Type a partial value (not case-sensitive).
proximity: Perform a single search for two or more values. Use the proximity operator with Analysis Artifacts to look for multiple artifacts that can appear in the WildFire analysis of a sample. Learn more about the Guidelines for Partial Searches.
  Value: String—Type partial values if you don’t know the exact value (not case-sensitive). You can enter the values in any order.
is in the range: Find values within a date or numerical range.
  Value:
  • Date and Time Range—Select the earliest and latest possible date and time that a value can be, or choose from a drop-down of relative dates, such as Yesterday, Last Month, or Last 90 days.
greater than: Find values that are more than the number you enter.
  Value: Number
greater than or equal: Find values that are more than or equal to the number you enter.
  Value: Number
less than: Find values that are less than the number you enter.
  Value: Number
less than or equal: Find values that are less than or equal to the number you enter.
  Value: Number
is after: Find date and time values that occur after a specific date.
  Value: Date and Time—Select a date and time, or choose from a drop-down of relative dates such as Yesterday, Last Month, or Last 90 days.
is before: Find date and time values that occur before a specific date.
  Value: Date and Time—Select a date and time, or choose from a drop-down of relative dates such as Yesterday, Last Month, or Last 90 days.
Proximity Operator
• Use the proximity operator to search for multiple artifacts that can appear under a WildFire Analysis
category of a sample. Enter two or more artifacts in the value field of the search condition.
Example:
The search Registry Activity > proximity HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData ueepd-a.exe returns a sample that has both values in at least one of its registry activities:
93
94 AUTOFOCUS ADMINISTRATOR’S GUIDE | AutoFocus Alerts
© 2020 Palo Alto Networks, Inc.
Alert Types
An alert is a notification about samples that match a set of defined criteria. When you Create Alerts in
AutoFocus, you have the option to receive the notifications by email or over HTTP. You can also View
Alerts in AutoFocus for a complete log of alerts that have been sent to you.
AutoFocus generates alerts for grayware and malware samples from every Upload Source as long as they match the alert criteria.
• Email Alerts
• HTTP/HTTPS Alerts
Email Alerts
AutoFocus can send alerts to your email account. In an email alert, the SHA256 hash displays as a hyperlink
that opens the WildFire™ analysis of the sample in AutoFocus.
(1) AutoFocus Alerts: The date and time that the alert was sent in the following format: Month DD, YYYY hh:mm [AM/PM] (UTC)
(2) Number of alerts: The number of unique samples detected within the alert period
(3) For: The name of the support account that created the alert
(4) Date (UTC): The date and time that the sample was detected in the following format: Month DD, YYYY hh:mm [AM/PM]
(5) Type: The tag type that triggered the alert (unit42, public, or private)
(6) Name: The specific tag that triggered the alert for the sample
(7) Verdict: The WildFire verdict assigned to the sample: malware, grayware, or phishing.
(8) Matching Sample: The SHA256, SHA1, and MD5 hashes of the sample
Use HTTP alerts to publish information about detected samples on a web page or a threat feed.
When creating an HTTP/HTTPS alert, provide the URL of a server that has been preconfigured to parse the
name-value pairs from the alert. If you are configuring an HTTPS alert with basic authentication, provide
the user credentials of an account on the server receiving the notifications. Refer to the following table
of field names and possible data types for the field values. The data type describes how a value should be
interpreted and stored by the server.
(1) num_alerts (number): The number of unique samples detected within the alert period
(2) autofocus_alerts (string): The date and time that the alert was sent in the following format: Month DD, YYYY hh:mm [AM/PM]
(3) alerts (array): A list of each sample detected and the details associated with it
(4) date (string): The date and time that the sample was detected in the following format: Month DD, YYYY hh:mm [AM/PM]
(5) match_sample (string): The SHA256, SHA1, and MD5 hashes of the sample
(6) alert_name (string): The specific tag that triggered the alert for the sample
(7) alert_type (string): The tag type that triggered the alert. The different alert_type values that can be displayed are:
• private—private tags owned by you
• public—public tags
• unit42—tags issued by Unit 42
(8) verdict (string): The WildFire verdict assigned to the sample: malware or grayware.
(9) for (string): The name of the support account that created the alert
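To show what the receiving server needs to check, here is an added example (not Palo Alto Networks code) that validates an incoming alert against the field names and data types listed above, rejects unknown alert_type and verdict values, and splits match_sample into its three hashes. It assumes a JSON body with the per-sample fields nested in the alerts array and the three hashes whitespace-separated inside match_sample; the guide does not specify either detail.

```python
"""Added example (not Palo Alto Networks code): validate and normalize an
AutoFocus HTTP/HTTPS alert on the receiving server.

Assumptions, since the guide lists only field names and data types:
- the alert body arrives as a JSON object;
- the per-sample fields (date, match_sample, alert_name, alert_type,
  verdict, for) are the elements of the "alerts" array;
- match_sample carries the three hashes as one whitespace-separated string.
"""
import json
import re
from datetime import datetime

# Field names and data types as listed in the guide.
TOP_LEVEL_FIELDS = {"num_alerts": int, "autofocus_alerts": str, "alerts": list}
SAMPLE_FIELDS = {"date": str, "match_sample": str, "alert_name": str,
                 "alert_type": str, "verdict": str, "for": str}
ALERT_TYPES = {"private", "public", "unit42"}
VERDICTS = {"malware", "grayware"}
DATE_FORMAT = "%B %d, %Y %I:%M %p"   # "Month DD, YYYY hh:mm [AM/PM]"
HEX = re.compile(r"^[0-9a-f]+$")


class AlertFormatError(ValueError):
    """Raised when the alert does not match the documented field set."""


def _check_fields(obj, spec, where):
    """Require every documented field with the documented data type."""
    for name, typ in spec.items():
        if name not in obj:
            raise AlertFormatError(f"{where}: missing field {name!r}")
        # bool is a subclass of int; a JSON true/false is not a number here.
        if not isinstance(obj[name], typ) or isinstance(obj[name], bool):
            raise AlertFormatError(f"{where}: field {name!r} is not {typ.__name__}")


def split_hashes(match_sample):
    """Split match_sample into its SHA256, SHA1 and MD5 by hex length."""
    found = {}
    for token in match_sample.split():
        token = token.lower()
        if not HEX.match(token):
            raise AlertFormatError(f"non-hex hash token {token!r}")
        kind = {64: "sha256", 40: "sha1", 32: "md5"}.get(len(token))
        if kind is None or kind in found:
            raise AlertFormatError(f"unexpected hash token {token!r}")
        found[kind] = token
    if set(found) != {"sha256", "sha1", "md5"}:
        raise AlertFormatError("match_sample must hold SHA256, SHA1 and MD5")
    return found


def parse_alert(body):
    """Parse one alert body; return a normalized dict or raise AlertFormatError."""
    try:
        alert = json.loads(body)
    except json.JSONDecodeError as exc:
        raise AlertFormatError(f"body is not JSON: {exc}") from None
    if not isinstance(alert, dict):
        raise AlertFormatError("body is not a JSON object")
    _check_fields(alert, TOP_LEVEL_FIELDS, "alert")
    if alert["num_alerts"] != len(alert["alerts"]):
        raise AlertFormatError("num_alerts does not match the alerts array length")
    sent = datetime.strptime(alert["autofocus_alerts"], DATE_FORMAT)
    samples = []
    for i, entry in enumerate(alert["alerts"]):
        if not isinstance(entry, dict):
            raise AlertFormatError(f"alerts[{i}] is not an object")
        _check_fields(entry, SAMPLE_FIELDS, f"alerts[{i}]")
        if entry["alert_type"] not in ALERT_TYPES:
            raise AlertFormatError(f"alerts[{i}]: unknown alert_type {entry['alert_type']!r}")
        if entry["verdict"] not in VERDICTS:
            raise AlertFormatError(f"alerts[{i}]: unknown verdict {entry['verdict']!r}")
        samples.append({
            "detected": datetime.strptime(entry["date"], DATE_FORMAT),
            "hashes": split_hashes(entry["match_sample"]),
            "tag": entry["alert_name"],
            "tag_type": entry["alert_type"],
            "verdict": entry["verdict"],
            "account": entry["for"],
        })
    return {"sent": sent, "samples": samples}


# Constructed sample alert (placeholder hashes, not real indicators).
SAMPLE_BODY = json.dumps({
    "num_alerts": 1,
    "autofocus_alerts": "September 30, 2020 01:05 PM",
    "alerts": [{
        "date": "September 30, 2020 12:58 PM",
        "match_sample": "aa" * 32 + " " + "bb" * 20 + " " + "cc" * 16,
        "alert_name": "ExampleTag",
        "alert_type": "unit42",
        "verdict": "malware",
        "for": "example-support-account",
    }],
})

if __name__ == "__main__":
    parsed = parse_alert(SAMPLE_BODY)
    for s in parsed["samples"]:
        print(s["verdict"], s["tag_type"], s["tag"], s["hashes"]["sha256"])
```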
• DHE-RSA-AES128-SHA
• DHE-RSA-AES256-SHA
• AES128-SHA
• AES256-SHA
• AES128-SHA256
• AES256-SHA256
• AES256-GCM-SHA384
• ECDHE-ECDSA-AES128-SHA
• ECDHE-ECDSA-AES256-SHA
• ECDHE-ECDSA-AES128-GCM-SHA256
• ECDHE-ECDSA-AES256-GCM-SHA384
STEP 1 | Select Alerts on the navigation pane, and then select Settings.
STEP 2 | Define Alert Actions. An alert action sets the type, destination, and frequency of the alert.
STEP 3 | Enable Alerts by Tag Type. The Alert on the Tag Type column describes the tag types that
AutoFocus samples must match to trigger an alert: Unit 42, Public, or Private. By default, the
alert action for all tag types is none, and alerts are disabled. Select a different alert action to
enable alerts for each tag type.
STEP 4 | To receive alerts for certain tags and disable them for others, Create Alert Exceptions.
Create an alert for Unit 42 tags to receive notifications based on new threats and attacks
identified by the Unit 42 threat intelligence research team.
STEP 2 | Scroll to the bottom of the Settings tab, and click Add Alert Action:
STEP 4 | Define the type of alert you want to receive: Email, HTTP, or HTTPS.
Self-signed server certificates are not supported. Server certificates must be signed
by one of the pre-installed root certificate authorities (CAs). Refer to AutoFocus Portal
Settings for more information on viewing trusted AutoFocus CAs.
STEP 2 | If there are no email or HTTP Alert Actions listed, Define Alert Actions.
Use this step at any time to change the alert action for a tag type.
Select an alert Action for samples matched to Unit 42, public, and private tags:
STEP 5 | If necessary, specify tags to exclude from the alert for the tag type.
Create Alert Exceptions in order to:
• Create and enable custom alerts for specific tags.
• Disable alerts for tags for which you don’t need to receive alerts.
STEP 2 | If there are no email or HTTP/HTTPS Alert Actions listed, Define Alert Actions.
STEP 3 | Identify the tag type for which you want to create an alert exception, and click Add Exception.
STEP 4 | In the Tag field, start typing the tag name, and select it from the list of tags.
STEP 6 | Select Enabled? to enable the alert action for samples in your network that match the tag.
• Find alerts.
• Select Dashboard to view the Alerts Log widget. The Alerts Log widget displays the most recent
samples that matched your alert criteria.
• Select Alerts > Alerts Log to view all samples that have triggered alerts. Sort the rows according
to Time, Tag Type, SHA256, or Tag. Alternatively, click the column headers to sort the rows in
ascending (up arrow) or descending (down arrow) order.
You can also click the SHA256 link for a sample entry to add the sample to a search:
• Disable Alerts.
Select the action none for a tag type.
To disable alerts for an alert exception, Edit an Alert Exception. Select the action none.
Modify the tag chosen as an alert exception and the alert action that occurs when AutoFocus
detects a sample that matches the tag. Select Enabled? to enable the alert action.
Modify the name of the alert action, the alert type (Email, HTTP, or HTTPS), the email address or server URL that receives the alert, and how frequently the alert is generated.
Tag Concepts
Click Tags on the navigation pane to view a complete list of public, private, and Unit 42 tags.
• Tag Types
• Tag Class
• Tag Status
• Tag Visibility
• Tag Group
Tag Types
Tag colors and icons allow you to easily distinguish the different tag types at a glance. When a tag is linked
to a Tag Class, its default icon changes into a tag class icon.
Unit 42 Tag (Alerting): Unit 42 tags are created by Unit 42, the Palo Alto Networks® threat intelligence and research team, to detect and identify threats and campaigns that pose a direct security risk.
Unit 42 tags have an orange outline and a Unit 42 icon. Tags for threats discovered by an individual or organization outside of Unit 42 have a pointed and marked top right corner.
Unit 42 Informational Tag (Non-Alerting): Unit 42 also publishes informational tags that group and identify commodity threats. Often, threat signatures already exist and are distributed to identify and enforce the traffic identified with informational tags.
When you enable AutoFocus Alerts for Unit 42 tags, AutoFocus does not generate alerts for samples that match Unit 42 informational tags, so you can focus your resources on addressing targeted or pervasive threats.
Informational tags have a faded orange outline and a Unit 42 icon. Tags for threats discovered by an individual or organization outside of Unit 42 have a pointed and marked top right corner.
My Private Tag: Create a Tag that is visible only to your organization. Private tags allow you to tag a sample hash or a set of search conditions that might be specific or especially significant to your environment. You can then Create Alerts for the private tags.
Private tags have a blue outline and a tag icon.
Public Tag: Public tags are tags shared with the AutoFocus community by your organization and other AutoFocus users. They are visible to all AutoFocus users.
Public tags have a gray outline and a tag icon.
Tag Class
A tag can be linked to a particular tag class, which provides more context for the type of threat information
that the tag identifies. Special icons indicate whether a tag is associated with a tag class. The icon can be
blue, gray, or orange depending on the Tag Types. For example, the following tag is a public tag linked to
malicious behavior:
Tag Status
On the Tags page, view the status for a specific tag; optionally, select Sort by: Status to sort tags based on
the status of the tag.
Enabled: Enabled tags generate alerts when matched to traffic. Alerts based on enabled tags are displayed in the Alerts Log on the dashboard and, if configured, email and HTTP alerts are also sent for enabled tags.
Disabled: Disabled tags are tags that have been disabled automatically after reaching 100,000 hits. This is a quality control measure; tags that are matched to large numbers of samples are too general to be useful in identifying targeted threats. Disabled tags continue to display as a reference—you can continue to view the samples that were matched to that tag, search based on the disabled tag, and view the conditions defined for the tag. However, disabled tags are not applied to future samples.
Removing: The tag owner has deleted the tag, but the deletion is not complete. This status only displays for a short period of time—when the tag deletion completes, the tag is completely removed from the AutoFocus system.
Rescoping: The tag owner has modified the tag visibility to private, public, or anonymously public. This status only displays for a short period of time, as the new tag scope is processed and until the update to the tag scope is complete.
Tag Visibility
There are three types of tag visibility:
• Private—Visible only to your organization (more specifically, only to users associated with the same support account as the tag author).
• Public—Visible to all AutoFocus users. Public tag details include the name of the organization that
created the tag.
• Public Anonymously—Visible to all AutoFocus users. However, tags that are anonymously made public
do not reveal the organization name in the tag details.
For tags you create, you can set the visibility of the tag and change it at any time.
Private tags and samples can be made public, with the option to revert the tag or sample back to a private
status at any time.
Tag Group
Tags that are determined by Palo Alto Networks’ threat research team, Unit 42, to have connections to other specific tags are grouped accordingly. These connections can be based on the genre of the malware family, the attack campaigns they are associated with, and the malware design. If your organization has private tags that are related to a tag group, you can add them to a group by editing the private tag settings.
You can view the individual tag groups by clicking the Groups tab on the Tags page. You can also perform searches based on the name of a tag group.
Ransomware: Ransomware is a type of malware that prevents users from accessing their system or personal files and demands ransom payment in order to regain access.
MobileMalware: Mobile malware is malicious software that targets mobile phones by causing loss or leakage of confidential information. This group encompasses all mobile malware, such as Android malware.
PotentiallyUnwantedProgram: PUPs (Potentially Unwanted Programs) are programs that may include adware, advertising, toolbars, and pop-ups that are unrelated to the software you downloaded. PUPs are often bundled with other software that you install.
Worm: A computer worm is a standalone malware family that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures to propagate across networks.
PointofSale: Point of Sale (POS) malware targets payment terminals with the intent to obtain credit card and/or debit card information.
BankingTrojan: Banking Trojans are a type of malware frequently used to steal sensitive information such as banking credentials. To do so, attackers normally inject malicious code into a website or a device; the code is frequently delivered through phishing emails.
ExploitKit: An exploit kit is a utility program that attackers use to launch exploits against vulnerable applications. Usually done on a mass scale, exploit kits are often leveraged to distribute additional malware. Exploit kits are commonly packaged with exploits that target commonly installed software like Adobe Flash, Java, etc.
Rootkit: A rootkit is malware that is designed to infect a target machine and allow an attacker to install a set of tools that grant the attacker persistent remote access to the computer. The malware typically hides deep within the operating system, firmware, and/or driver suite and can evade detection by anti-malware applications and other security tools.
RemoteAccessTrojan: Remote Access Trojans are programs that provide the capability to allow covert surveillance or the ability to gain unauthorized access to a victim machine. Often packaged to imitate legitimate applications, Remote Access Trojans can mimic behaviors of keylogger applications by allowing the automated collection of keystrokes, usernames, passwords, screenshots, browser history, emails, chat logs, etc.
Wiper: The sole intention of Wiper malware is to destroy data on the target machine. Unlike other attacks like ransomware, which often seeks financial gain, wipers are typically employed to destroy data and cover the attacker's tracks.
Backdoor: The dropping (or downloading) of a backdoor is often the second stage of an attack, where the first stage is the infiltration of the dropper or downloader. The final stage is gaining full control of the affected system and leveraging of a backdoor. In many cases, a backdoor is a payload, as the attacker can build out their command and control infrastructure once it is functioning.
OSXMalware: Malware that specifically relates to Apple's OSX operating system. This group includes viruses, trojans, worms, and other types of malware that affect the Apple OSX environment.
LinuxMalware: Includes viruses, trojans, worms, and other types of malware that affect the Linux operating system.
HackingTool: Hacking tools are commonly leveraged by attackers to infect, maintain, and administer victim machines, and/or perform denial of service attacks. Some examples of hacking tools are Metasploit and Cobalt Strike. Hacking tools can also include administration tools that can be benign or malicious, like Microsoft's PSEXEC or Netcat.
Downloader: This type of malware secretly downloads malicious files from a remote server, then installs and executes the files.
Dropper: A dropper is a type of Trojan that has been designed to install malware (virus, backdoor, etc.) onto a target system. A dropper is often considered one of the first stages of a compromise, since droppers typically deploy a second stage payload or tool.
FileInfector: File infector malware propagates malicious files on to other systems, removable devices, and networks. To do this, it seeks out and copies its malicious code to certain files (.EXE, .DLL, .SYS, .HTML, etc.).
InternetofThingsMalware: Encompasses and includes malware families and exploits that exhibit behaviors specifically targeting or infecting IoT software, firmware, or devices.
Webshell: A web shell is a script that can be uploaded to a web server to enable remote administration of the machine. Infected web servers can be either Internet-facing or internal to the network, where the web shell is used to pivot further to internal hosts.
InfoStealer: Infostealers are malicious software programs that gather confidential information from the compromised computer to send it to a predetermined location. This can include information related to the compromised computer, financial data, or user credentials for various web sites.
Tag Details
(1) Search: To open a search based on the tag, click the Search icon.
(3) Delete: Permanently delete a tag. Deleted tags show a Tag Status of removing after being deleted until the deletion is complete (when the deletion is complete, the tag is no longer available in AutoFocus).
(4) Tag Visibility: (Private Tags Only) Share a tag with other AutoFocus users by making the tag Public. (You can also revert a tag you previously made public back to a private tag.)
By default, tags that you make public will list your organization as the tag Owner in the tag details. To change this default setting so that your organization is not listed as the owner of public tags, select Settings on the AutoFocus navigation pane and select Share public tags anonymously.
(5) Vote, Comment, and Report: You can Vote for, Comment on, and Report Tags. Tags with the visibility set to private (tags created by and visible only to your organization) do not display these options.
(6) Tag Information: Tag information is searchable and can include some or all of the following details:
• Name—AutoFocus enforces unique tag names within an organization.
• Scope—The tag type is either public, private, or Unit 42.
• Tag Class—The Tag Class associated with the tag.
• Source—Organization or individual that discovered the threat defined in the tag.
• Created—The date and time that the tag was created.
• Updated—The date and time that the tag was most recently modified.
• Owner—Organization that created the tag.
• # Samples—The total number of private and public samples matched to the tag.
• Last Hit—The time at which the most recent sample matched to the tag was detected.
• Votes—The number of up-votes the tag has received from the AutoFocus community.
• Description—Summary of the threat that the tag indicates.
• Related Tags—Tags that share certain conditions, or might indicate similar types of threats.
• Alias—Other names that might refer to the threat that the tag defines. You can search on a tag alias to find all samples matched to tags with that alias.
(7) Tag Conditions:
• Lists all the conditions against which samples are evaluated. Note that a tag can have multiple sets of conditions, but a sample only has to match one set of conditions for it to be marked with the tag.
• Search based on a single set of tag conditions: Click the Search icon in the Actions column to the right of the condition for which you want to open a search.
• Tag a sample.
Create a tag for a sample hash to keep track of a sample that exhibits unique behavior or a sample that
you need to refer back to later. You can then search for the sample by the tag name instead of its hash.
1. Begin a new search.
2. Click a sample hash to view sample details, and click Add Tag.
You can only click the sample hash for a public sample or any of your private samples.
3. Enter a name for the tag in the search field and click create new.
4. Hover over the new tag, and click the tag name.
5. Edit the Tag Details to supply more information about the tagged sample.
• Tag a search.
Create a tag for a search condition (or a set of search conditions). You can use the tag to search for all
samples that match the conditions. Review Tag Visibility for tagging guidelines.
1. Work with the Search Editor to create a set of search conditions.
You cannot create a tag for searches based on tag-related information (Tag, Tag
Alias, Tag Class, Tag Scope, and Tag Source) or the artifact Threat Name.
2. Click the Tag icon to create a tag based on the defined search conditions:
3. Provide a unique tag name and any other information that may be helpful for identifying the tag, and
then Tag Results.
Tag Alias: Find samples by the Alias field in the Tag Details. The Tag Alias allows the tag owner to specify common names for the threat that the tag identifies. For example, there may be multiple tags related to a single malware family or campaign. In this case, you can use Tag Alias to look for all samples that are linked to a particular malware family or campaign by different tags.
Tag Class: Find samples associated with a particular Tag Class: a Malware Family, a Campaign, an Actor, an Exploit, or a type of Malicious Behavior.
Tag Group: Find samples that are part of a specified Tag Group. Tag groups are defined by Unit 42 based on malware classification and cannot be modified by the user.
Tag Scope: Filter samples by the scope of their tags: private, public, Unit 42 (alerting), or Unit 42 informational (non-alerting).
Tag Source: Find samples with tags that are attributed to a particular tag source. The Tag Source is the individual or organization that discovered the threat that the tag identifies. The list of tag sources to choose from is based on all tags with a Tag Visibility that is set to public.
(1) Tag Categories: Tags are organized into two categories to simplify manual browsing of the Tags page.
• All Tags: Displays all available tags and their details based on the Unified Tag View configuration.
• Groups: Displays all available tag groups with a description and list of associated tags.
(2) Unified Tag View: Tags are displayed collectively in a single view to enable quick and easy filtering.
• Choose Columns to select which details to display on the Tags page.
• Select a tag detail to Sort by in ascending or descending order. Alternatively, you can click the column header for a tag detail to sort the rows in ascending (up arrow) or descending (down arrow) order.
(3) Pivot from Tag to Sample Searches: Click Search for these tags to determine which samples are associated with the tags displayed in the Tags page.
(4) Quick Search: Enter a single value in the quick search field to find matching tags across all tag types.
(5) Advanced Filter: Click on Advanced to find tags based on multiple search conditions, including tag fields, the number of votes a tag has received, and the number of sample hits.
STEP 1 | Click Dashboard on the navigation pane, and click the My Organization, My Industry, or All
tab.
STEP 2 | Set the Dashboard Date Range to adjust the displayed Download Sessions. The widgets on the
dashboard (including the Top Tags widget) automatically update based on the new date range.
STEP 3 | On the Top Tags widget, select a tag to view tag details, including a description of the sample
or conditions that the tag identifies.
Find High-Risk Artifacts
To bring your attention to potential threats in your network, AutoFocus provides clues in a sample's
WildFire analysis that link the sample to malware or malicious attacks.
STEP 3 | View artifacts that match your search conditions (even if they’re not high-risk), highlighted in
the search results.
Alternatively, select Add to New Search to launch a new search for the artifact in a separate window, or
add a SHA256, IP address, user agent, filename, or URL artifact to a remote search (see Set Up Remote
Search).
See Export AutoFocus Artifacts for steps to build an AutoFocus export list.
• View PAN-DB categorization, WildFire DNS history, and passive DNS history for an artifact.
Select an IP address, URL, or domain artifact and click Domain and URL info....
Add or remove conditions for filtering the displayed indicators. Filter by the following criteria and click
Search:
• Upload Source—The app that forwarded the indicator to AutoFocus.
• Type—The type of information that an indicator is (examples: IPv4, Mutex, URL). See Artifact
Types for definitions of each indicator type. In addition to what are considered Threat Indicators in
AutoFocus, AutoFocus can receive the following additional indicator types from MineMeld: IPv6,
registry key, process, filename, SHA256 hash, SHA1 hash, MD5 hash, and Ssdeep fuzzy hash.
• Indicator—The exact value of the indicator.
• Indicator Fragments—A partial value of the indicator. Use this search criterion if you only know part of an indicator.
• Time—The date and time that AutoFocus received the indicator.
• IPv4—A criterion for searching for IP addresses in a range.
• Use the filter IPv4 > matches to find an IP address that belongs to a range.
• Use the filter IPv4 > matches list to find multiple IP addresses in a range.
• First Seen—The date and time that the indicator was first seen in the threat feed.
• Last Seen—The date and time that the indicator was most recently seen in the threat feed.
• Feed Source—The name of the threat feed from which an indicator was retrieved.
• Confidence—A confidence rating that the feed owner associates with the indicators in a feed. The
confidence level is measured on a 0-100 scale, with 0 indicating that feed contents have not been
verified and 100 indicating that the feed contents are confirmed accurate.
• Share Level—The share level that the feed owner associates with the indicator.
• Threat Type—A default value (malicious) that MineMeld assigns to indicators.
• Metadata—Additional information about the indicator that the feed owner provided.
• Expired—If the value is True, the indicator is aged-out, that is, removed from its source feed. If the
value is False, the indicator is active.
• Import Search to paste a query for filtering indicators from another AutoFocus user.
• Export Search to share a query for filtering indicators to another AutoFocus user.
View all indicators (remove any existing filters), and check the percentage of indicator storage currently
in use. AutoFocus stops receiving indicators from MineMeld when it reaches the maximum number of
indicators that it can store (180 million indicators).
Check the status of the indicator storage periodically. If you are close to the maximum
limit, Remove indicators from the store.
Click the trash icon to remove all indicators from the store.
To remove only a subset of indicators, first Filter the indicators. Then, click the trash icon to remove only
the indicators that match the filter criteria. For example, you can apply the filter Expired > is > True and
click the trash icon to remove only expired indicators from the store.
Create MineMeld Miner to create an AutoFocus indicator store miner that will extract artifacts from the
Indicator Store. This is one of the ways to Forward AutoFocus Indicators to MineMeld. If you applied a
filter for the indicators before clicking this button, the miner will be configured to extract only indicators
that match the filter criteria.
• View additional information about the indicator provided by its source (i.e., the feed owner).
Export AutoFocus Artifacts
AutoFocus™ allows you to export artifacts that WildFire™ has frequently detected with malware, such as
IP addresses, URLs, or domains. To export artifacts, you must first add artifacts found in AutoFocus to an
export list. Then, select some or all of the artifacts in the export list to include them in a comma-separated
value (CSV) file, which you can then import into a security information and event management (SIEM)
solution. You can also use the file to dynamically enforce policy on a Palo Alto Networks® firewall.
• Build an AutoFocus Export List
• Create a CSV File
• Use Export Lists with the Palo Alto Networks Firewall
STEP 1 | Drill down to view the details for WildFire samples returned in an AutoFocus search.
1. Begin a new search.
2. Click a sample hash to view sample details.
3. Select an operating system to view activities and behaviors observed when the sample was executed
in that WildFire analysis environment.
Add all artifacts, all suspicious artifacts, or all highly suspicious artifacts listed for an activity or behavior
category to an export list.
• To view the latest artifacts added, select Sort by: Added Time, and click Sort Descending.
• You can also view artifacts based on the WildFire analysis Section from which the artifact is derived.
For example, a domain in the export list might have been added from the DNS Activity that WildFire
detected for the sample. See the Artifact Types that can appear in each WildFire analysis section.
• You can click any of the column headers to sort the export list in ascending (up arrow) or descending
(down arrow) order.
To quickly export all artifacts from the Exports page, click Export in the Actions column
of the export list.
Export artifacts based on the time period they were added to an export list:
1. Click Export All Items.
2. Set Export Rows to In Date Range.
3. Use the Added Time fields to export artifacts based on the date and time range that the artifact was
added to the export list.
To quickly export artifacts within a date range from the Exports page, click Export in
the Actions column of the export list.
STEP 4 | (Optional) Format the CSV file to be compatible with a Palo Alto Networks firewall.
Select Formatted for PAN-OS block list.
You can use the CSV file as a dynamic block list (PAN-OS 7.0 or earlier) or an external dynamic list (PAN-OS 7.1 or later), but the firewall only supports certain types of artifacts. Learn more about how to Use Export Lists with the Palo Alto Networks Firewall.
Find IP address, URL, and domain artifacts in the DNS Activity, Connection Activity, and
HTTP Activity detected during the WildFire analysis of a sample.
CSV files that are formatted for a PAN-OS block list might display artifacts in an order that
is different from how they appear in the AutoFocus export list.
STEP 1 | To export the tag page data, you must select an output format (options include Text, CSV,
and JSON) and then the data type. Only one data type can be selected per text-based export;
however, the CSV and JSON formats can export all available columns shown on a page.
STEP 2 | Click ( ) to open the Export Data page.
The available sorting and arrangement options depend on the selected data type and file
format.
Depending on the widget configuration and visualization options used, you might not be able
to view the entire data set presented within a widget in the PDF report. Adjust the widget size
by changing the number of columns per row and configuration options to best suit your PDF
report presentation requirements.
STEP 1 | Go to your AutoFocus Dashboard or Reports and open the report you want to export.
• Dashboard—Select the report you want to export from the report tabs.
STEP 2 | (Optional) Configure your widgets with the appropriate data and visualization options, as well
as the date range.
152 AUTOFOCUS ADMINISTRATOR’S GUIDE | AutoFocus Reports
© 2020 Palo Alto Networks, Inc.
Reports Overview
From Reports, you can run, create, and manage your AutoFocus reports.
• New Report—Select Create a new Report. Add a report title and description and then select Create
to add a new report. A new blank report opens in editing mode.
• Existing Report—Select and then Run a report.
• New Report based on an existing report—Click Clone to create and open a duplicate of the selected
report. A new report based on an existing one opens in editing mode. If you do not provide a new
name for the report, AutoFocus creates a name by appending the name on which the report is based
with the word clone. For example, Custom Report 1 Clone.
• Edit Report description—Click on the report description to edit the text. Press Enter to save the
change. You can exit without saving changes by pressing Esc or clicking on a different element of the
AutoFocus interface.
STEP 3 | If you are not in editing mode, click the Page Editor (2) to edit the report.
Depending on the widget configuration and visualization options used, you might not
be able to view the entire data set presented within a widget. Adjust the widget size by
changing the number of columns per row and configuration options to best suit your
report presentation requirements.
STEP 5 | Save your changes to the report. When you are finished making your changes, click the Page
Editor (2).
STEP 2 | On the report you want to create a schedule for, click Email Scheduler.
The number of email schedules that are configured for a given report is shown in the
Email Scheduler button.
STEP 4 | Configure your email schedule and click Save to continue. You can define the recipient email
address, the Frequency of the reports, as well as the Days and Time when it is sent. You can
also filter the report contents based on the Verdict, the Time Frame (when the sample was first
forwarded or uploaded to WildFire for analysis), the sample upload Source, and by Tag Group.
Alternatively, you can apply a pre-configured Saved Search setting which uses the verdict, first
seen, source, and tag group settings defined in the specified configuration. On the bottom-left,
you will see the date when the next report is to be sent.
• Top Firewalls—The top 10 firewalls where WildFire detected the most malware sessions.
• Top Upload Sources—The top 10 upload sources that submitted your samples to WildFire.
• Top Filetypes Per Application—The number of malware sessions for the top 5 applications most frequently
used for distributing malware. For each application, the malware sessions are broken down by filetype.
• Top Applications—The 10 applications that distributed the most malware samples.
• Bottom Applications—The 10 applications that distributed the fewest malware samples.
• Top Filetypes—The 10 filetypes most frequently associated with malware samples.
• Bottom Filetypes—The 10 filetypes least frequently associated with malware samples.
• Top Malware Family Tags—The top 10 Unit 42 and private Malware Family tags that AutoFocus matched to
your samples.
• Top Campaign Tags—The top 10 Unit 42 and private Campaign tags that AutoFocus matched to your samples.
• Top Malicious Behavior Tags—The top 10 Unit 42 and private Malicious Behavior tags that AutoFocus
matched to your samples.
• Threats by Source Country—A map of the countries from which malware sessions originated (refer to the
list of Countries and Country Codes). The report highlights the country that sent the most malware sessions.
• Threats by Destination Country—A map of the countries that malware sessions targeted (refer to the list of
Countries and Country Codes). The report highlights the country that received the most malware sessions.
STEP 2 | Configure the report settings to choose a time period for filtering the report details, and
Generate the report.
Click on a bar in the Top Firewalls or Top Upload Sources chart to add the value to a
search.
STEP 4 | For the charts Malware Session Percentage By Day and Top Filetypes Per Application, select
which data to display or hide.
Hide filetypes that are seen in larger quantities to view the counts for filetypes that are
seen in smaller quantities.
Feed Overview
AutoFocus custom feeds are URL lists and EDLs that are generated based on a user-generated query, which
defines the indicator type and associated conditions for items populating a given list. Using this custom
filter, AutoFocus outputs the threat data into a URL list or EDL, which can then be consumed as an EDL by
the firewall or other services that use URL lists to enforce security policies. The threat intelligence data is
sourced from various Palo Alto Networks customers and services to create the Palo Alto Networks Threat
Feed, which includes IP addresses, domains, URLs, and hash indicators. This master list is updated daily and
is the reference source for user-created custom threat feeds. You can view the new, daily additions to the
list by selecting Feed > Palo Alto Networks Daily Threat Feed.
User-defined feeds can retrieve a maximum of 100,000 IPv4 indicators or 5,000 indicators
of all other types, per request. As a best practice, configure the firewall (or any other
third-party consumer of threat indicators, such as a TIP or SIEM) to retrieve a feed list at
a frequency that matches the rate at which the indicators are produced. If the number of
indicators in a feed list exceeds the rate at which they can be retrieved, it is possible that not
all of the indicators will be consumed. Alternatively, consider creating multiple, more specific
feeds to generate a manageable number of indicators per query. This allows you
to better organize and control the type of threat indicators sent to an EDL or URL list.
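The per-request caps and the retrieval-rate advice above can be checked mechanically. The following Python is an added example, not Palo Alto Networks code: it assumes a feed body with one indicator per line (the URL list/EDL shape the guide describes), classifies each entry, flags a list that comes back at its cap (the symptom of indicators being missed), and computes how many daily retrievals a given production rate needs. The feed contents and node names are constructed.

```python
import ipaddress
import math
import re
from collections import Counter

# Per-request caps stated in the guide for user-defined feeds.
IPV4_CAP = 100_000
OTHER_CAP = 5_000

_HEX_HASH = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
_DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)

# Constructed sample feed body (documentation-range values, not real indicators).
SAMPLE_FEED = """\
# constructed sample, one indicator per line
203.0.113.7
198.51.100.0/24
evil.example
http://evil.example/dl
0123456789abcdef0123456789abcdef
"""


def classify(indicator: str) -> str:
    """Return 'ipv4', 'hash', 'url', 'domain' or 'unknown' for one feed entry."""
    value = indicator.strip()
    try:
        ipaddress.IPv4Network(value, strict=False)   # accepts a host or a CIDR block
        return "ipv4"
    except ValueError:
        pass
    if _HEX_HASH.match(value):
        return "hash"
    if "://" in value or "/" in value:
        return "url"
    if _DOMAIN.match(value):
        return "domain"
    return "unknown"


def cap_for(kind: str) -> int:
    """Per-request cap that applies to an indicator type."""
    return IPV4_CAP if kind == "ipv4" else OTHER_CAP


def audit_feed(body: str) -> dict:
    """Count entries by type and flag lists that sit at their per-request cap.

    A list returned at exactly the cap is the case the guide warns about: the
    feed may hold more indicators than one retrieval can return, so the consumer
    is silently missing some. A feed mixing types is also flagged, since the
    firewall expects each external dynamic list to carry one indicator type.
    """
    entries = [l.strip() for l in body.splitlines()
               if l.strip() and not l.lstrip().startswith("#")]
    counts = Counter(classify(e) for e in entries)
    at_cap = {k: n for k, n in counts.items()
              if k != "unknown" and n >= cap_for(k)}
    kinds = [k for k in counts if k != "unknown"]
    return {"total": len(entries), "by_type": dict(counts),
            "at_cap": at_cap, "mixed_types": len(kinds) > 1}


def min_polls_per_day(indicators_per_day: int, kind: str) -> int:
    """Retrievals per day so that no single request has to carry more than the cap.

    The guide's "retrieve at a rate matching production" advice made concrete:
    a feed adding N indicators a day, at most C per request, needs at least
    ceil(N / C) retrievals per day.
    """
    return max(1, math.ceil(indicators_per_day / cap_for(kind)))
```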
STEP 1 | Select Feeds on the navigation pane and then select Create a Feed.
STEP 2 | Select an indicator type and search conditions to define the limits of a search and click Next to
continue. Depending on the indicator type, you might have predefined values or the option to
enter an exact value. You can change the scope of your indicator query by adding or removing
( ) conditions. For a preview list, click Search. This displays a list based on the search
conditions you have defined.
1. Provide a Name and Description. The name and description must be at least three and ten characters
in length, respectively.
2. Select the output method:
• URL—Provides a standard custom URL list for use with third-party applications and devices.
• EDL—Provides an external dynamic list to be used with the Palo Alto Networks firewall.
STEP 6 | Verify that all the entries are correct and Save to continue.
STEP 7 | After the custom feed is created, a link to the object appears at the bottom of the page. Click
on the Feed URL to view the results; otherwise, click Exit to return to the Custom Feeds
overview page.
STEP 1 | Download the PEM certificate from AutoFocus. This certificate will be used to create a firewall
certificate profile for remote SSL server verification.
You cannot recover a password used in a custom feed. If you do not remember the
password, you must delete and then recreate a custom feed using the same settings.
STEP 5 | Verify that the firewall can receive indicators from the AutoFocus custom feed.
On the firewall, retrieve entries for the external dynamic list you added and view the list entries.
STEP 1 | Select Feeds on the navigation pane to view the custom feed management page. Each tile
provides a brief overview about the custom feed configuration.
You can only modify the indicator query of a custom feed. The type, output method, and
authentication details cannot be changed.
1. Click ( ) to open the options menu and select Edit.
2. Click ( ) to enter the custom feed edit mode.
3. Update the indicator search conditions as necessary and then click Next to continue. For a preview
list of the threat indicators that the feed generates, click Search. Keep in mind, this preview is limited
to 100 items.
STEP 3 | Disable a custom feed by clicking the toggle switch. Disabled feeds are gray and cannot be
further modified.
STEP 4 | Delete a custom feed by clicking ( ) and then selecting Remove. Click Ok to confirm the
removal.
MineMeld
MineMeld is a threat intelligence processing tool that extracts indicators from various sources and compiles
the indicators into multiple formats compatible with AutoFocus, the Palo Alto Networks® next-generation
firewall, and security information and event management (SIEM) platforms.
• Introduction to MineMeld
• Start, Stop, and Reset MineMeld
• Use AutoFocus-Hosted MineMeld
• Create a Minemeld Node
• Connect MineMeld Nodes
• Delete a MineMeld Node
• AutoFocus Prototypes
• Forward MineMeld Indicators to AutoFocus
• Forward AutoFocus Indicators to MineMeld
• Use AutoFocus Miners with the Palo Alto Networks Firewall
• Troubleshoot MineMeld
Introduction to MineMeld
Using threat intelligence to enforce security policy poses several challenges. Sources of threat indicators
often place indicators in multiple formats or format them inconsistently. Using indicators from multiple
sources and packaging them into different formats requires a large investment of time and effort, especially
as you discover new sources of indicators. It is also difficult to keep track of updates to threat indicator
sources, since they are updated at different times and not always on a regular basis. MineMeld automates
many of these manual processes so you can use indicators to dynamically enforce policy with your firewall
or to investigate threats with AutoFocus.
Three types of MineMeld nodes make it possible to automate the flow of indicators from source to
destination:
• Miners extract indicators from sources of threat intelligence, such as a threat indicator feed or a threat
intelligence service like AutoFocus.
• Processors receive indicators from miners and can aggregate indicators, eliminate duplicate indicators,
and merge different sets of metadata for the same indicator. For example, a common type of processor
is one that receives only IPv4 indicators.
• Outputs receive indicators from processors. Output nodes format the indicators and allow MineMeld to
dynamically send the indicators to one or more destinations (for example, MineMeld can send indicators
from external threat feeds to AutoFocus or the firewall).
Resetting MineMeld permanently deletes any nodes or customizations you have made
within the app. However, if you reset MineMeld after you Forward MineMeld
Indicators to AutoFocus, AutoFocus will continue to store the forwarded indicators from
the deleted nodes.
If you use MineMeld to forward indicators to an external dynamic list on a Palo Alto Networks firewall
and reset MineMeld, you must update the external dynamic list with a new link from MineMeld.
When using MineMeld for the first time (or after resetting it), the default configuration
of nodes sends IP addresses, URLs, and domains from a set of block lists to the
Indicator Store, a storage space in AutoFocus for external indicators. Click Indicators
on the navigation pane to view the Indicator Store.
• View a library of miner, processor, and output Prototypes you can clone to Create a Minemeld Node.
• View a complete list of Nodes you’ve created.
• Choose other nodes from which a node will receive indicators. Edit the inputs of the node Config to
Connect MineMeld Nodes. The Config tab also allows you to Delete a MineMeld Node.
• View the Logs, a record of the indicators that MineMeld extracted from feed sources.
For more guidance on how to use MineMeld, see MineMeld.
STEP 1 | Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
STEP 4 | Select a prototype from the list. If you know the name of the prototype, use the Search field to
quickly find the prototype.
STEP 9 | Find the new node in the list of Nodes to verify that it was saved successfully.
An exclamation point next to the node name notifies you that you must Complete
additional required fields for a node.
STEP 1 | Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
STEP 3 | Click Config, and find the node you want to connect to another node.
STEP 6 | View the flow of indicators that the node is part of.
1. View the list of Nodes.
2. Find the node in the list, and view the Graph ( * ) for it. Larger nodes process more indicators than
smaller nodes.
STEP 7 | Share your MineMeld nodes and node connections with another MineMeld user.
Select the Config tab, and click Export. When you share the code that this generates with other
MineMeld users, they can Import it into their MineMeld instance.
Use the MineMeld import feature to quickly load another user’s nodes and node
connections into your MineMeld instance. Importing a configuration replaces any nodes or
node connections you have previously created.
STEP 1 | Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
STEP 4 | Find the node you want to delete. If you know the name of the node, use the Search field to
quickly find the node.
Check the node inputs and verify that you can delete the connection to these inputs.
STEP 7 | Check that the node no longer appears in the list of Nodes to verify that it was deleted
successfully.
AutoFocus Prototypes
The following AutoFocus-specific prototypes allow you to Forward MineMeld Indicators to AutoFocus
and Forward AutoFocus Indicators to MineMeld. To view the default behavior for a prototype, select
the prototype from the Prototypes tab in MineMeld and view the configuration (Config) details. The
prototypes below have default intervals for extracting and aging out indicators. When an indicator is aged
out, MineMeld withdraws the indicator from the outputs that received it.
• Samples Miner—The samples miner extracts Threat Indicators from samples that meet the conditions of an
AutoFocus search. You must set the search conditions when you create this miner node. The samples miner
does not extract all sample artifacts; it only extracts statistically important artifacts that AutoFocus has
determined to be indicators based on their tendency to be seen with malware.
Default behavior:
  • Accepts all indicator types.
  • Initially extracts indicators from samples that meet the criteria of the search based on the last 24 hours.
  • After the initial poll for indicators, extracts indicators from samples every hour.
  • Each time this miner extracts indicators, it only extracts indicators from the first 10,000 samples.
  • Only forwards indicators that it has not seen previously.
  • Ages out indicators 24 hours after the last time they were seen in the sample search results.
• Indicator Store Miner—The indicator store miner extracts indicators from external sources that are
currently stored in the AutoFocus Indicator Store (see Manage Threat Indicators). You must connect this miner
to a processor and output node to forward the indicators to a destination outside of AutoFocus, such as a
Default behavior:
  • Accepts all indicator types.
  • Initially extracts indicators that were added to the Indicator Store in the last 24 hours.
  • After the initial poll for indicators, extracts indicators from the store every hour.
• Indicator Store Output—The indicator store output sends indicators from external threat intelligence
sources directly to the AutoFocus Indicator Store (see Manage Threat Indicators). AutoFocus highlights
indicators in your samples that match the indicators in the store, allowing you to Find High-Risk Artifacts.
Default behavior:
  • Accepts all indicator types.
  • Does not allow you to use the artifacts miner to send indicators back to the AutoFocus Indicator Store.
• Export List Miner—The export list miner sends artifacts from an AutoFocus export list to a destination
outside of AutoFocus. Unlike the other AutoFocus prototypes, the export list miner can be used in either
AutoFocus-hosted MineMeld or a MineMeld instance you deployed in your own environment.
Default behavior:
  • Accepts IPv4, URL, and domain indicators.
STEP 1 | Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
STEP 2 | Create a Minemeld Node that will receive processed indicators and send them to AutoFocus.
Create an output node based on the prototype autofocus.indicatorStoreOutput.
STEP 3 | Connect MineMeld Nodes (miner and processor) to the output node you just created.
• Use an AutoFocus Samples Miner to forward Indicators from sample search results.
1. Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
2. Work with the Search Editor to set up a search.
3. Create MineMeld Miner ( ) from the search page.
The node details include:
1. Name—Give the miner a descriptive name.
2. Prototype—The prototype is pre-selected (autofocus.samplesMiner).
3. Query—This field is pre-populated with the conditions of your search.
4. Scope—Select the scope of the search results: global, private, and public.
5. Artifacts—Select which indicators AutoFocus will forward to MineMeld: Any indicators, only
indicators that match MineMeld indicators, or None (MineMeld only extracts hashes from the
sample search results).
6. Connect to Processors—Select processors that will receive indicators from the miner.
If you select a Scope of global, the miner extracts indicators from your private
samples and public samples from you and other AutoFocus users; it does not
extract indicators from other users’ private samples.
4. Connect MineMeld Nodes (processor and output) to the miner you just created.
• Use an AutoFocus Indicator Store Miner to forward indicators from external sources stored in
AutoFocus (see Manage Threat Indicators) to a destination outside of AutoFocus.
1. Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
2. Click Indicators on the navigation pane and optionally, Filter the indicators.
3. Create MineMeld Miner ( ).
The node details include:
1. Name—Give the miner a descriptive name.
2. Prototype—The prototype is pre-selected (autofocus.indicatorStoreMiner).
3. Query—If you filtered the indicators, this field is pre-populated with the filter you used.
4. Connect to Processors—Select processors that will receive indicators from the miner.
4. Connect MineMeld Nodes (processor and output) to the miner you just created.
• Use an AutoFocus Export List Miner to forward indicators from an AutoFocus export list.
You can use the AutoFocus export list miner in AutoFocus-hosted MineMeld or in a
MineMeld instance you deployed in your own environment. The default behavior of the
miner is the same in either version of MineMeld.
STEP 1 | Add the root certificate authority (CA) certificate for MineMeld to the firewall.
1. Download the GoDaddy Class 2 Certification Authority Root Certificate: https://certs.godaddy.com/repository/gd-class2-root.crt
2. On the firewall, select Device > Certificate Management > Certificates.
3. Import the certificate to the firewall.
1. Give the certificate a descriptive name.
2. Browse for the certificate file and attach the GoDaddy certificate you downloaded.
3. Click OK.
STEP 3 | Configure the MineMeld nodes that will send indicators to the firewall.
1. Use an AutoFocus sample or indicator store miner to Forward AutoFocus Indicators to MineMeld.
2. In MineMeld, Connect MineMeld Nodes (AutoFocus miner and processor) to an output that can feed
indicators to an external dynamic list on the firewall.
To find outputs that you can use with an external dynamic list, view the list of
MineMeld Prototypes and search with the keyword EDL.
STEP 5 | Verify that the firewall can receive indicators from the AutoFocus miners.
On the firewall, retrieve entries for the external dynamic list you added and view the list entries.
Troubleshoot MineMeld
Refer to the procedures below to troubleshoot issues with MineMeld.
3. Purge Logs.
This deletes logs of internal system processes on MineMeld; it does not delete the record of
indicators that nodes received or indicators that were aged out in the Logs tab.
1. Compare the counts from different points in the Indicators graph to determine the number of new
indicators that the node processed during a time range. A drop in the graph indicates that some
indicators associated with the node were aged out.
2. View the trend of indicators that the node added, aged out, updated, and withdrew from other
nodes.
• Track indicators that were successfully received by a node and indicators that were aged out.
View the MineMeld logs to determine if an indicator was successfully received by a node or aged out.
1. View the logs for a specific indicator.
1. In MineMeld, click the Logs tab.
2. In the search field, enter indicator:[indicator value] and click the spyglass to launch the
search.
3. Evaluate the logs for the indicator based on the following log messages.
• EMIT_UPDATE—A log of a node sending an indicator (or an indicator update) to another node.
• ACCEPT_UPDATE—A log of a node successfully receiving an indicator from another node.
• EMIT_WITHDRAW—A log of a node aging out an indicator.
• ACCEPT_WITHDRAW—A log of a node accepting a request from another node to withdraw an
aged out indicator.
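The four message types above can be replayed to answer the troubleshooting question directly: was an indicator received downstream, aged out, or never acknowledged? The following Python is an added example, not MineMeld code; since the guide does not show MineMeld's actual log line layout, it assumes a simplified constructed record form "<seq> <node> <MESSAGE> <indicator>", and the node names and indicator values are constructed.

```python
# Constructed log records in an assumed "<seq> <node> <MESSAGE> <indicator>"
# layout (not MineMeld's real log format). Chain modelled:
# af_samples_miner -> aggregator_ipv4 -> edl_output.
CONSTRUCTED_LOGS = """\
1 af_samples_miner EMIT_UPDATE 203.0.113.7
2 aggregator_ipv4 ACCEPT_UPDATE 203.0.113.7
3 aggregator_ipv4 EMIT_UPDATE 203.0.113.7
4 edl_output ACCEPT_UPDATE 203.0.113.7
5 af_samples_miner EMIT_WITHDRAW 203.0.113.7
6 aggregator_ipv4 ACCEPT_WITHDRAW 203.0.113.7
7 aggregator_ipv4 EMIT_WITHDRAW 203.0.113.7
8 edl_output ACCEPT_WITHDRAW 203.0.113.7
9 af_samples_miner EMIT_UPDATE evil.example
"""

# The message types the troubleshooting section documents.
MESSAGES = {"EMIT_UPDATE", "ACCEPT_UPDATE", "EMIT_WITHDRAW", "ACCEPT_WITHDRAW"}


def parse(text: str) -> list:
    """Turn the constructed log text into (seq, node, message, indicator) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        seq, node, msg, indicator = line.split(maxsplit=3)
        if msg not in MESSAGES:
            raise ValueError(f"unknown message type {msg!r} at seq {seq}")
        records.append((int(seq), node, msg, indicator))
    return records


def _consume(pending: list, emit_kind: str) -> None:
    """Match an ACCEPT_* against the oldest outstanding EMIT_* of the same kind."""
    for i, (_, _, msg) in enumerate(pending):
        if msg == emit_kind:
            del pending[i]
            return


def trace_indicator(records: list, indicator: str) -> dict:
    """Replay the log messages for one indicator.

    state: per node, 'present' after ACCEPT_UPDATE and 'aged out' after
    ACCEPT_WITHDRAW. unmatched: EMIT_* entries that no downstream node ever
    acknowledged with the corresponding ACCEPT_*, which is what to look for
    when an indicator never reached an output.
    """
    state = {}
    pending = []
    for seq, node, msg, ind in sorted(records):
        if ind != indicator:
            continue
        if msg in ("EMIT_UPDATE", "EMIT_WITHDRAW"):
            pending.append((seq, node, msg))
        elif msg == "ACCEPT_UPDATE":
            state[node] = "present"
            _consume(pending, "EMIT_UPDATE")
        elif msg == "ACCEPT_WITHDRAW":
            state[node] = "aged out"
            _consume(pending, "EMIT_WITHDRAW")
    return {"state": state, "unmatched": pending}


def verdict(records: list, indicator: str) -> str:
    """One-line answer: was the indicator received, aged out, or lost in transit?"""
    t = trace_indicator(records, indicator)
    if t["unmatched"] and not t["state"]:
        return "never received by any node"
    if t["state"] and all(s == "aged out" for s in t["state"].values()):
        return "aged out everywhere"
    if t["unmatched"]:
        return "partially delivered (unmatched emits)"
    return "present on: " + ", ".join(sorted(t["state"]))
```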