
AutoFocus Administrator’s Guide

September 2020

paloaltonetworks.com/documentation
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation


• For the most recent version of this guide or for access to related documentation, visit the Technical Documentation portal www.paloaltonetworks.com/documentation.
• To search for a specific topic, go to our search page www.paloaltonetworks.com/documentation/document-search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at documentation@paloaltonetworks.com.

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2017-2020 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised
September 30, 2020

2 AUTOFOCUS ADMINISTRATOR’S GUIDE |


Table of Contents

Get Started With AutoFocus  7
  About AutoFocus  9
  Activate AutoFocus Licenses  11
  First Look at the AutoFocus Portal  14
  AutoFocus Concepts  22
  Use AutoFocus with the Palo Alto Networks Firewall  25
  AutoFocus Portal Settings  26

AutoFocus Dashboard  29
  Dashboard Overview  31
  Set the Dashboard Date Range  32
  Drill Down on Dashboard Widgets  34
  Customize the Dashboard  35

DNS Security Dashboard  39
  DNS Security Dashboard Overview  41
  DNS Security Dashboard Widgets  42

AutoFocus Search  47
  Start a Quick Search  49
  Work with the Search  51
  Drill Down in Search Results  63
    Sample  63
    Sessions  68
    Indicators  69
  Set Up Remote Search  72
  Artifact Types  75
    General Artifacts  75
    Sample Artifacts  76
    Session Artifacts  78
    Analysis Artifacts  80
    Linux Artifacts  82
    Windows Artifacts  83
    Mac Artifacts  83
    Android Artifacts  84
  Search Operators and Values  87
  Guidelines for Partial Searches  91
    Contains and Does Not Contain Operators  91
    Proximity Operator  91

AutoFocus Alerts  93
  Alert Types  95
    Email Alerts  95
    HTTP/HTTPS Alerts  96
  Create Alerts  98
    Define Alert Actions  98
    Enable Alerts by Tag Type  102
    Create Alert Exceptions  103
  View Alerts in AutoFocus  104
  Edit Alerts  107

AutoFocus Tags  109
  Tag Concepts  111
    Tag Types  111
    Tag Class  112
    Tag Status  112
    Tag Visibility  113
    Tag Group  113
  Tag Details  117
  Create a Tag  120
  Work with Tags  122
    Find Samples by Tag Details  122
    Filter and Sort Tags  123
    Find the Top Tags Detected During a Date Range  124
  Vote for, Comment on, and Report Tags  126

Assess AutoFocus Artifacts  129
  Find High-Risk Artifacts  131
  Add High-Risk Artifacts to a Search or Export List  134
  Manage Threat Indicators  136

Export AutoFocus Content  139
  Export AutoFocus Artifacts  141
    Build an AutoFocus Export List  141
    Create a CSV File  144
    Use Export Lists with the Palo Alto Networks Firewall  146
  Export AutoFocus Page Content  147
  Export AutoFocus Dashboard and Reports  149

AutoFocus Reports  151
  Reports Overview  153
  Customize Reports  154
  Scheduled Reporting  156
  Use the Threat Summary Report to Observe Malware Trends  158
    Threat Summary Report Overview  158
    View Threat Summary Report Details  159

AutoFocus Feeds  163
  Feed Overview  165
  Create Custom Feeds  166
  Use AutoFocus Custom Feeds with the Palo Alto Networks Firewall  169
  Manage Custom Feeds  171

AutoFocus Apps  173
  MineMeld  175
    Introduction to MineMeld  175
    Start, Stop, and Reset MineMeld  176
    Use AutoFocus-Hosted MineMeld  177
    Create a MineMeld Node  178
    Connect MineMeld Nodes  180
    Delete a MineMeld Node  181
    AutoFocus Prototypes  182
    Forward MineMeld Indicators to AutoFocus  183
    Forward AutoFocus Indicators to MineMeld  184
    Use AutoFocus Miners with the Palo Alto Networks Firewall  185
    Troubleshoot MineMeld  186

Get Started With AutoFocus
AutoFocus™ is a threat intelligence service that provides an interactive, graphical interface for
analyzing threats in your network. With AutoFocus, you can compare threats in your network
to threat information collected from other networks in your industry or across the globe,
within specific time frames. AutoFocus statistics are updated to include the most recent threat
samples analyzed by Palo Alto Networks®. Access to this information allows you to keep up
with threat trends and to take a preventive approach to securing your network.
See the following topics to get started with the AutoFocus threat intelligence service. If you
haven’t already, first register and activate AutoFocus.

> About AutoFocus
> Activate AutoFocus Licenses
> First Look at the AutoFocus Portal
> AutoFocus Concepts
> Use AutoFocus with the Palo Alto Networks Firewall
> AutoFocus Portal Settings

About AutoFocus
The AutoFocus threat intelligence portal enables you to quickly identify threats on your network, and to
contextualize such events within an industry, global, and historical context. AutoFocus harnesses data from
WildFire™, the PAN-DB URL Filtering database, Unit 42, and from third-party feeds (including both closed
and open-source intelligence). AutoFocus then makes the data searchable and layers the data with statistics
that both highlight pervasive malware and reveal connections between malware.
Take a look at the following table for an overview of AutoFocus features that allow you to prioritize,
contextualize, and address threats affecting your network.

I want to... / How can I do this with AutoFocus?

...prioritize events in my network environment.
  Look at the dashboard. The AutoFocus dashboard visually weights threat artifacts and statistics to bring focus to pervasive events.
  Check samples for high-risk artifacts. When WildFire analyzes a sample, it finds certain activities, properties, and behaviors to be associated with that sample. AutoFocus indicates the artifacts that are most likely to be detected with malware as Suspicious or Highly Suspicious. You can Find High-Risk Artifacts in AutoFocus search results.
  Create custom alerts. Create alerts based on Tags to keep track of samples linked to high-risk artifacts. AutoFocus can send notifications to your email account or web server.
  Distinguish between advanced threats and commodity malware. Unit 42 publishes Unit 42 Tag (Alerting) and Unit 42 Informational Tag (Non-Alerting) in AutoFocus, which allow you to distinguish between threats or campaigns with global impact (Unit 42 alerting tags) and less impactful threats that do not pose a direct or immediate security risk (Unit 42 informational tags).

...gain context around an event.
  Toggle the dashboard. You can move between views that show the top activity for your network, for your industry, and on a global scale. You can also filter any dashboard view to display data for a specific date range.
  Use the search editor.
  • Search results provide detailed analysis information for samples, including all artifacts found to be associated with a sample during WildFire analysis. For each artifact, the number of times that WildFire has detected the artifact with malware, benign, and grayware samples is listed.
  • Drill down and pivot through search results to discover threat variants. You can add high-risk artifacts to your search as you go.
  • You can filter your view of search results to show only results from your network or from all public samples.

...leverage AutoFocus data.
  Enable Unit 42 alerts. You can enable alerts from Unit 42, the Palo Alto Networks threat intelligence team. You can also set up prioritized alerts for your private tags or for public tags shared by the AutoFocus community.
  Export AutoFocus Artifacts. You can add high-risk artifacts to be used with a Palo Alto Networks firewall block list or external dynamic list, or to support a security information and event management (SIEM) solution.

Get Started
  • Take a First Look at the AutoFocus Portal.
  • Set up an AutoFocus Search.

Activate AutoFocus Licenses
Before you can start using AutoFocus to gather and identify threats on your network, you must first
activate the license.

STEP 1 | Locate the activation codes for the licenses you purchased.
When you purchased your subscriptions you should have received an email from Palo Alto Networks
customer service listing the activation code associated with each subscription. If you cannot locate this
email, contact Customer Support to obtain your activation codes before you proceed.

STEP 2 | Go to the Palo Alto Networks Customer Support portal and, if not already logged in, Sign In now.

STEP 3 | Activate the license.
  1. Click Assets and then Site Licenses.
  2. On the Site Licenses page, click Add Site License.
  3. Enter the AutoFocus Authorization Code Serial Number.
  4. Read the End User License Agreement (“EULA”) and the Support Agreement and then click Agree and Submit.

First Look at the AutoFocus Portal
The AutoFocus dashboard presents a visual landscape of network, industry, and global threat artifacts. A
threat artifact could be a sample hash (identifying a link included in an email or a file, such as a PDF or PE), a
statistic, a file property, or a behavior that shows a correlation with malware.
Set the context of the dashboard to display activity and artifacts for your organization, to view data at an
industry or global level, or as defined in a custom report. You can expand or narrow the date range of the
threat activity data displayed. The Dashboard widgets are interactive—hover over an artifact to view artifact
details or click an artifact to add it to a search.

Not all widgets are displayed in the diagram shown above.

First Look at the Dashboard

Support Account Area
Threat researchers who have access to multiple support accounts can select a single support account to view data from devices associated with that account.

Start a Quick Search for threat artifacts.
View the AutoFocus documentation site.
Click on the portal account name and then Logout to exit AutoFocus.

Dashboard Filters
Filter the contents of your dashboard based on the sample verdict, the sample/session source, and the time frame. You can also apply your Saved Search configurations to the dashboard, which lets you create reports with greater specificity based on selected criteria.
• Filter by Verdict—Select from Malware, Grayware, Benign, Phishing, and Any Verdict to filter the data set based on a verdict.
• Filter by First Seen and Time—First configure the data set to include samples based on when they were First Seen (the time stamp of when the sample was first forwarded or uploaded to WildFire for analysis) or by Time (the time stamp of when the session started), and then set the dashboard to display data for the last 1, 7, 30, 90, or 180 days. You can also set the dashboard to display all data by default, regardless of the time period in which the data was collected, by setting the time range to Any Time.
  The time setting does not filter the scope (My Samples (private), Public Samples, or All Samples (private and public samples)) of the sample data set.
• Filter by Source—Select from Firewall, Proofpoint, Traps, Magnifier, Manual API, Traps Android, WF Appliance, Prisma SaaS, Prisma Access, Cortex XDR, or Any Source to filter the data set based on the upload source.
• Apply Saved Search—Select a Saved Search setting to filter the widget contents based on the saved search conditions. Alternatively, you can save a simplified dashboard filter setting and apply it to your AutoFocus Dashboard as well.

Dashboard Tabs
Select an AutoFocus Dashboard tab to set the context for the data displayed: My Organization, My Industry, Threat Summary Report, or All. You can also Customize the Dashboard by adding your custom reports to the dashboard tab.
Threat data and activity displayed on the dashboard widgets will update to reflect the context selected (see the Dashboard Overview for details). The widgets are interactive and can be used to drill down and investigate malware or event details. Hover over artifacts displayed on the dashboard to reveal additional details, or click on an artifact to add it to the search editor.
Move between the tabs to filter by context. This displays the varying threat landscapes for your network, your industry, or globally.

Navigation Pane
Use the navigation pane to access the following AutoFocus features:
• Dashboard—Display the AutoFocus Dashboard.
  AutoFocus remembers your last dashboard settings even as you switch between the features on the navigation pane.
• Search—The search editor allows you to perform free-form searches using Boolean logic. Set up an AutoFocus Search based on threat artifacts gathered from your environment, or from viewing industry or global data on the AutoFocus dashboard. To get started, Work with the Search Editor. You can then Drill Down in Search Results to find high-risk artifacts, including the number of times that an artifact, such as an IP address, has been detected with malware, benign, and grayware samples.
• Tags—A tag is a set of conditions compared against historical and new samples. You can create your own AutoFocus Tags. Unit 42 also publishes tags in AutoFocus to identify and help you detect known threats. On the Tags page, you can view your private tags, public tags shared by other AutoFocus users, and Unit 42 tags.
• Alerts—Set up AutoFocus Alerts based on tags. Depending on your alert settings, Unit 42, public, and private tags generate alerts when matched to malware and grayware samples in your network.
  Create Alerts for Unit 42 tags. This allows you to receive prioritized notifications when targeted attacks or threat campaigns identified by Unit 42 are matched to samples.
• Indicators—Keep track of threat indicators that you have forwarded to AutoFocus from external sources and Manage Threat Indicators.
• Exports—Export AutoFocus Artifacts, such as IP addresses, URLs, and domains, to a CSV file. You can then use the CSV file to enable a Palo Alto Networks firewall to enforce policy based on AutoFocus artifacts, or to import AutoFocus data into a security information and event management (SIEM) tool.
• Reports—Use the Threat Summary Report to Observe Malware Trends in your network. You can also manage and create custom reports that can be added to the dashboard.
• Settings—Update the AutoFocus Portal Settings.
• Apps—Launch the MineMeld app, an open-source app whose features are integrated into AutoFocus to highlight artifacts on your network that signal the presence of a potential threat.

Widgets
You can Customize the Dashboard to add or remove widgets. Click a single bar in any widget to Drill Down on Dashboard Widgets to add the artifact to a search or to tag it.
You can also dynamically filter the dashboard and reports based on widget data points.
• Add Filter: Shift-click on a widget data point to add a filter based on that artifact. Filters are highlighted in orange and also appear to the right of the quick filters at the top of the page.
• Remove Filter: Shift-click on a previously highlighted filter or, alternatively, click x in the filter list at the top of the page.
  Currently, the following widgets support dynamic filtering: Custom Aggregation, Top Firewalls, Top Malware, Top Applications, Bottom Applications, Upload Sources, Top Filetypes, Bottom Filetypes, Target Industries, Top Tags, Flexible Map, Sample Verdicts, and Download Sessions.
Summaries
• Executive Summary—Provides a high-level summary of malware sessions, malware samples, malware applications, and tagged malware.
• Daily Malware Summary—Provides a daily breakdown of malware sessions for your company versus the industry.
• Samples Summary—Provides a breakdown of benign vs malware vs grayware samples, and which are tagged vs untagged.
• Recent Samples—Provides a list of recent samples matching the filter settings at the top of the report page.
• Recent Sessions—Provides a list of recent sessions matching the filter settings at the top of the report page.
• Download Sessions—The Download Sessions histogram displays the malware sessions for samples detected for the first time in the selected date range. Use the histogram to observe spikes in new malware activity.
  If you don’t see any malware sessions in the histogram, there may not be any malware detected during the selected date range. The histogram does not include sessions with known malware (malware that was first seen before the selected date range). Adjust the histogram sliders to narrow or broaden the date range. Dashboard widgets automatically update to reflect the date range you have selected. For details, see Set the Dashboard Date Range.
  An additional day with no populated data is sometimes displayed on the Malware Download Sessions histogram, regardless of the date range selected.
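The following Python is an added illustration, not code from this guide or from AutoFocus itself: it models, over constructed session records, the filter semantics described under Dashboard Filters (First Seen versus Time, Any Time, and a scope that the time setting does not touch) and the Download Sessions histogram rule above (only samples first seen inside the date range are counted, so sessions of known malware drop out). The Session record, its field names and the placeholder hashes are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime, timedelta


@dataclass(frozen=True)
class Session:
    """One WildFire session record (assumed shape, not the AutoFocus schema)."""
    sample_hash: str
    first_seen: datetime    # when the sample was first forwarded/uploaded to WildFire
    session_time: datetime  # when the session started
    verdict: str            # Malware, Grayware, Benign, or Phishing
    source: str             # upload source, e.g. Firewall, Traps, Manual API
    private: bool           # True for My Samples, False for Public Samples


# Constructed sample data; the hashes are placeholders, not real indicators.
NOW = datetime(2020, 9, 30, 12, 0)
SESSIONS = [
    # Known malware: first seen months ago, but with a fresh session this week.
    Session("hash-old-malware", datetime(2020, 6, 1), datetime(2020, 9, 29, 8), "Malware", "Firewall", True),
    # New malware: two sessions for a sample first seen inside the window.
    Session("hash-new-malware", datetime(2020, 9, 28), datetime(2020, 9, 28, 9), "Malware", "Firewall", True),
    Session("hash-new-malware", datetime(2020, 9, 28), datetime(2020, 9, 29, 10), "Malware", "Traps", True),
    Session("hash-grayware", datetime(2020, 9, 25), datetime(2020, 9, 29, 11), "Grayware", "Firewall", True),
    Session("hash-public", datetime(2020, 9, 27), datetime(2020, 9, 27, 7), "Malware", "Manual API", False),
]


def apply_scope(sessions, scope="All Samples"):
    """Scope (My Samples / Public Samples / All Samples); independent of the time filter."""
    if scope == "My Samples":
        return [s for s in sessions if s.private]
    if scope == "Public Samples":
        return [s for s in sessions if not s.private]
    if scope == "All Samples":
        return list(sessions)
    raise ValueError(f"unknown scope {scope!r}")


def filter_dashboard(sessions, *, verdict="Any Verdict", source="Any Source",
                     time_field="Time", days=None, now=NOW):
    """Mirror the dashboard filters: verdict, upload source, and a time window.

    time_field="First Seen" compares the sample's first-seen stamp, while
    time_field="Time" compares the session start.  days=None means Any Time.
    """
    if time_field not in ("First Seen", "Time"):
        raise ValueError(f"unknown time field {time_field!r}")
    cutoff = None if days is None else now - timedelta(days=days)
    kept = []
    for s in sessions:
        if verdict != "Any Verdict" and s.verdict != verdict:
            continue
        if source != "Any Source" and s.source != source:
            continue
        stamp = s.first_seen if time_field == "First Seen" else s.session_time
        if cutoff is not None and stamp < cutoff:
            continue
        kept.append(s)
    return kept


def download_sessions_histogram(sessions, start: str, end: str):
    """Malware sessions per day (ISO date -> count) for samples first seen within
    [start, end]; sessions of known malware (first seen earlier) are excluded,
    which is why a window holding only old malware shows an empty histogram."""
    lo, hi = date.fromisoformat(start), date.fromisoformat(end)
    counts = Counter()
    for s in sessions:
        if s.verdict != "Malware":
            continue
        if not (lo <= s.first_seen.date() <= hi):
            continue  # known malware: not new in this date range
        day = s.session_time.date()
        if lo <= day <= hi:
            counts[day.isoformat()] += 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    print("last 7 days by Time:", len(filter_dashboard(SESSIONS, days=7)))
    print("last 7 days by First Seen:", len(filter_dashboard(SESSIONS, time_field="First Seen", days=7)))
    print("histogram:", download_sessions_histogram(SESSIONS, "2020-09-24", "2020-09-30"))
```

Switching the same 7-day window from Time to First Seen drops the old-malware session, and the histogram never counts it at all, which is the behaviour the note above describes.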

Aggregates
• Custom Aggregation—Build a custom widget populated by data from user-selectable artifacts.
• Top Firewalls—Displays the ten firewalls with the most sessions in which malware samples were detected. Select the Organization tab on the dashboard to display the top firewalls in your network.
• Top Malware—Displays the ten malware samples with the most hits.
• Top Applications—Displays the ten most used applications.
• Bottom Applications—Displays the ten least used applications.
• Upload Sources—Provides a breakdown of the upload sources of malware files, typically including your firewall(s), Traps, and the manual upload API.
• Top Filetypes—Displays the top ten filetypes that contain malware.
• Bottom Filetypes—Displays the bottom ten filetypes that contain detected malware.
• Top Filetypes Per Application—The number of malware sessions for the five applications most frequently used to distribute malware. For each application, the malware sessions are broken down by filetype.
• Target Industries—Displays the ten industries with the highest counts of malware detected. Select the All tab on the dashboard to display target industries on a global scale.

Maps
• Flexible Map—The flexible map can be configured to show either malware sources or destinations and allows you to view malware hot spots geographically. Select Source to display countries with high rates of malware sessions originating from those countries, or select Destination to display countries with high rates of targeted attacks. Larger bubbles indicate higher rates of activity. You can also zoom in to more closely examine the number of malware sessions by source or destination country. Refer to Countries and Country Codes for a list of the two-letter country codes used in the map.
• Source Countries Map—Shows a heat map of malware by source country, along with a textual summary of the aggregated data.
• Destination Countries Map—Shows a heat map of malware by destination country, along with a textual summary of the aggregated data.

General
• Alerts—The Alerts Log widget displays the latest 20 alerts on
malware and grayware matching enabled public, private, or Unit 42
AutoFocus Tags. For details on enabling the delivery of prioritized
alerts through email or over HTTP, see Create Alerts.
• Recent Research—Browse quick links to the latest research,
news, and resources from Unit 42, the Palo Alto Networks threat
intelligence team.
• Device Verdicts—Shows a breakdown of the number of malware,
grayware, phishing, and benign files detected by each of your
firewall devices during the selected date range. The sample source
lists all the devices configured to upload samples to your AutoFocus
account.
• Sample Verdicts—The sample verdicts chart shows the breakdown
of verdicts based on the total number of samples in the selected
date range.

Tags
• Top Tags—The Top Tags widget lists the AutoFocus Tags matched
to the highest number of samples. You can easily distinguish the
different tag types by color and icon.
The Top Tags list is sorted according to the number of samples
matched to the tag in the date range selected on the malware
sessions histogram (at the top of the dashboard). For each tag,
the list also displays the total number of samples that have been
matched to the tag and the date and time that the most recent
matching sample was detected.
On the Top Tags widget:
• Filter the displayed tags by Tag Class.
• Select from the options under Choose Tag Types to display the
top 20 private tags, public tags, Unit 42 alerting tags, and/or Unit
42 informational tags.
• Select a tag to view tag details, including a description of the
condition or set of conditions that the tag identifies, or to add
the tag to a search.
• Top Malware Family Tags—Shows only the malware family tags
detected within the given time range.
• Top Campaign Tags—Shows only the campaign tags detected within
the given time range.
• Top Malicious Behavior Tags—Shows only the malicious behavior
tags detected within the given time range.
• Top Actor Tags—Shows only the actor tags detected within the
given time range.
• Top Exploit Tags—Shows only the exploit tags detected within the
given time range.

Widget Visualization Options
Some data-reporting widgets allow you to toggle between different display options, allowing you to further customize your dashboard reports.
• Chart—Displays the data in a vertical bar chart format.
• Bar—Displays the data in a horizontal bar chart format.
• Grid—Arranges the data in a table.
• Pie—Displays the data as a pie chart.
• Treemap—Arranges data in a hierarchical area-based visualization
using nested rectangular figures.

Feedback Link
The Give Feedback link provides a quick way to send comments and requests for new features to the AutoFocus team at Palo Alto Networks.

AutoFocus Concepts
Familiarize yourself with the following AutoFocus terminology to help you as you use the tool to begin
researching threats.

Concept Description

Samples
For both AutoFocus and WildFire, a sample refers to a file (such as
a PDF or PE) or a link included in an email. The Palo Alto Networks
firewall and other sources such as Traps and Proofpoint can forward
unknown samples to the WildFire cloud, where WildFire performs
Static Analysis and Dynamic Analysis of the sample. As WildFire
observes and executes the sample in the analysis environment,
WildFire associates different Artifacts with the sample. AutoFocus
allows you to search for samples based on the sample hash and
other Sample Artifacts. When you perform a search in AutoFocus,
AutoFocus compares all historical and new samples to the search
conditions and filters the search results accordingly.
AutoFocus receives WildFire analysis information for samples
submitted to the WildFire global and regional clouds.

Sessions
Sessions in AutoFocus search results provide information about how a source submitted a sample to WildFire. Each session has a time stamp that indicates when WildFire received the sample. Sessions matching a sample are reported in WildFire sample searches even when the sample verdict is known. For samples forwarded by a Palo Alto Networks firewall, the associated session information provides context for the detection of the sample on the network. For samples submitted by another Upload Source (Traps, Traps for Android, Proofpoint, WildFire API, WildFire appliance, Magnifier, Prisma SaaS, Prisma Access, Cortex XDR, or manual upload to the WildFire public portal), the session details are limited to the time stamp, the hash of the sample that was analyzed, and the upload source. Session information also indicates if a sample was submitted to the WildFire global cloud or regional cloud. Use Session Artifacts to filter AutoFocus search results.

The session data displayed in the search results includes all relevant data submitted to WildFire through various product integrations. Session data availability is not contingent on membership in other services, such as Panorama, Cortex Data Lake, or other Palo Alto Networks products.

Static Analysis
Static analysis is a type of analysis based on properties of a sample that WildFire can detect and observe in a virtual environment without executing the sample. For details on the type of static analysis information that AutoFocus reports for samples, see Artifact Types.

Dynamic Analysis
Dynamic analysis consists of executing a sample in a WildFire analysis environment to determine the behaviors and activities that a sample exhibits when it runs. During dynamic analysis, WildFire also observes other behaviors and activities that occur in the analysis environment as a result of executing the sample. For details on the type of dynamic analysis information that AutoFocus reports for samples, see Artifact Types.

Artifacts
An artifact is a property, activity, or behavior shown to be associated with a sample or a session through both WildFire analysis of the sample and through AutoFocus statistics. For example, types of artifacts include IP addresses, domains, URLs, applications, processes, hashes, and email addresses.
In AutoFocus, artifacts are highlighted both on the dashboard and
within search results. AutoFocus search results spotlight significant
artifacts that are identified according to risk. The dashboard and
search editor both allow you to add an artifact directly to an ongoing
search or to add it to an export list, which you can use to enforce
policy on a firewall or to analyze artifacts in a SIEM.
For more details on viewing and evaluating artifacts, see also Assess
AutoFocus Artifacts.

Threat Indicators
An indicator is an artifact that security experts typically observe to detect signs that a network has been compromised. Indicators are crucial for implementing a network defense strategy based on threat intelligence. The following types of artifacts are considered indicators in AutoFocus:
• Domain
• IPv4
• Mutex
• URL
• User agent
AutoFocus determines which artifacts are indicators through a
statistical algorithm based on the tendency of the artifact to be seen
predominantly in malware samples. With the MineMeld app, you can
forward indicators from external threat feeds into AutoFocus. You
can then Manage Threat Indicators and Find High-Risk Artifacts that
match indicators to check your network for known threats.

Tags
A tag is a collection of search criteria that together indicate a known
or possible threat. Both historical and new samples that match the
conditions defined for a tag are associated with that tag. You can
perform searches and create alerts based on tags.
See AutoFocus Tags for details on creating tags and contributing to
tags, including more information on Tag Types, Tag Class, Tag Status,
and Tag Visibility.

Public Tags and Samples
Public tags and samples in AutoFocus are visible to all AutoFocus users.

For tags you create, you can set the status to public, so that the tag
is visible to the AutoFocus community. You can revert the tag to be
private at any time.
Public samples consist of samples from open-source intelligence
(OSINT) and other external public sources, as well as samples that
AutoFocus users have made public. Samples from your organization
can only become public in two ways:
• Open the sample details and manually set the sample to Public, in
order to share it within the AutoFocus community.
• If a private sample from your organization is later received by
WildFire from a public source, the sample will become public at
that time.

Private Tags and Samples
Private tags and samples in AutoFocus are visible only to AutoFocus
users associated with the same support account.
Private tags and samples can be made public, with the option to revert
the tag or sample back to private status at any time.

All Tab and All Samples
The All tab on the dashboard and the option to view All Samples
in a search include statistics for all samples seen by WildFire, both
public and private; however, identifying details are obfuscated for
private samples. The All tab on the dashboard displays all malware
(including private samples) with obfuscated hashes. The All Samples
view in a search obfuscates private sample details with the exception
of the WildFire verdict for the sample, the date the sample was first
submitted to WildFire, the file size, and the file type.

Suspicious
Suspicious artifacts:
• Have been widely detected across large numbers of samples.
• Are most frequently detected with malware. Although suspicious
artifacts can be detected with grayware and benign samples, they
are more often found with malware.
For more on suspicious artifacts in AutoFocus, you can Find High-Risk
Artifacts and Add High-Risk Artifacts to a Search or Export List.

Highly Suspicious
Highly suspicious artifacts:
• Have been detected in very few samples. The lack of distribution
of these types of artifacts could indicate an attack crafted to target
a specific organization.
• Are most frequently detected with malware. In some cases, these
artifacts have been exclusively seen with malware and never with
grayware or benign samples.
For more on highly suspicious artifacts in AutoFocus, you can Find
High-Risk Artifacts and Add High-Risk Artifacts to a Search or Export
List.

Use AutoFocus with the Palo Alto Networks Firewall
Here are ways that you can use AutoFocus with a Palo Alto Networks firewall:

• Use AutoFocus threat intelligence to assess firewall artifacts.

On the firewall, open the AutoFocus Intelligence Summary for artifacts in your firewall logs to view their
pervasiveness and risk. Click on any of the artifacts in the summary window to launch an AutoFocus
search for it.

This feature is supported with firewalls running PAN-OS 7.1 or later release versions.

• Use AutoFocus to search for artifacts in firewall traffic.

In AutoFocus, Set Up Remote Search to specify which artifacts to look for in your firewall logs. The
firewall web interface opens in a new window in Unified log view. The Unified log entries are filtered
based on the remote search artifacts.

This feature is supported with firewalls running PAN-OS 7.1 or later release versions.

You can use Panorama to remotely search for artifacts in firewalls that are not connected to AutoFocus
and/or are running PAN-OS 7.0 and earlier.

• Use AutoFocus indicators to enforce security policy on the firewall.

• Export AutoFocus Artifacts (such as IP addresses, URLs, or domains) to support a dynamic block list
(PAN-OS 7.0 or earlier) or an external dynamic list (PAN-OS 7.1 and later).
• Use AutoFocus Miners with the Palo Alto Networks Firewall to support an external dynamic list
(PAN-OS 9.0).

AutoFocus Portal Settings
Select the Settings icon in the upper-right corner of the AutoFocus interface to view, modify, or enable the following settings as needed. The settings for preferred hash, scope, and landing page are unique for each user in a support account.
The following options are listed in the General tab of the Settings page:

• Preferred Hash—Select the hash type you would like to use as the default sample or session identifier for AutoFocus search results: SHA-1, SHA-256, or MD5.
• Preferred Scope—Select the default scope of your search results: My Samples (private), Public Samples,
or All Samples (private and public samples).
• Landing Page—Select the page that displays by default after logging in to the AutoFocus portal.
• Share public tags anonymously—If you select this option, tags that you share publicly will not list your
organization as the tag owner in the tag details.

• Remote Systems—Label and specify the address of a Palo Alto Networks firewall, Panorama, or third-
party log management system that AutoFocus can search remotely. You can add up to 500 remote
systems. View the complete workflow for how to Set Up Remote Search.
• API—If you have activated an AutoFocus API key in the customer support portal, you can view your key
here. Also view the API key status, the number of license users, points usage, and total points. For more
information on the AutoFocus API, refer to API documentation and examples.
You can view a list and the details of trusted root certificate authorities (CAs) in the Default Trust
Certificate Authorities tab of the Settings page.
For each trusted root CA, the organization, common name, serial number, and the validity dates are
displayed.

AutoFocus Dashboard
The AutoFocus™ dashboard visually weights your network data alongside industry and global
data to provide both a context for your network activity and a window into threats targeting
similar organizations. Focus in on pervasive threat activity and add top artifacts directly to a
search.
After taking a First Look at the Dashboard, refer to the following topics for an overview of the
dashboard and for details on customizing and drilling down on dashboard widgets:

> Dashboard Overview
> Set the Dashboard Date Range
> Drill Down on Dashboard Widgets
> Customize the Dashboard

Dashboard Overview
Scan the AutoFocus dashboard to view and drill down on pervasive artifacts, including top malware, top
applications, and top firewalls. You can alternate dashboard views to display the threat landscape globally,
for your organization, your industry, and using your customized reports.

As you move between the dashboard tabs, the data displayed is updated to reflect the dashboard context:
• My Organization—View the threat landscape for your network, with the capability to drill down and
search on data for firewalls associated with the selected support account. Top firewalls are only
displayed on the organization tab and are not visible in other contexts.
• My Industry—View the threat landscape across your industry. Explore and examine targeted threats or
trends affecting similar networks and organizations. Industry data is populated according to the industry
associated with the selected support account (for example, high tech or healthcare).
• All—View the global threat landscape to contextualize both threats affecting your network and your
industry. The All tab includes the additional widget Target Industries that allows you to compare
malware rates across industries.

The Industry and All views display statistics for all samples (public and private) but do
not allow access to the details of private samples (unless they are private samples from
firewalls associated with your support account).
• Threat Summary Report—View a summary of all the threats that have been detected within the
specified time frame.
• Customized Reports—Reports that you create can be added to the dashboard view for quick reference.
You can use any of the widgets to formulate your own report; alternatively, you can use an existing
default report as the basis for a new report. The name of the tab indicates the name of the custom
report.
Drill Down on Dashboard Widgets for more details on a threat artifact, with the option to add the artifact to
a search, or tag the artifact as an indicator of compromise (IOC).
For an overview of each of the dashboard widgets, take a First Look at the AutoFocus Portal.

Set the Dashboard Date Range
Filter the threat data displayed on the dashboard based on a default time range, a custom time range, or a
single date.
All time stamps in AutoFocus™ are displayed in Pacific Time (PST/PDT).

If you don’t see any malware sessions in the Download Sessions histogram, there may not
be any malware detected during the selected date range. The histogram does not include
sessions with known malware (malware that was first seen before the selected date range).

• Set the default date range.

First configure the data set to include samples based on when it was First Seen (the time stamp of when
the sample was first forwarded or uploaded to WildFire for analysis) or by Time (the time stamp of when
the session started) and then set the dashboard to display data for the last 1, 7, 30, 90, or 180 days. You
can also set the dashboard to display all data by default, regardless of the time period that the data was
collected, by setting the time range to Any Time.

The time setting does not filter the scope (My Samples (private), Public Samples, or All Samples (private and public samples)) of the sample data set.

The dashboard default time range is applied to all dashboard views (organization, industry, and all) and
dashboard widgets immediately update to reflect the time range selected.
The default time range is also reapplied when the dashboard is refreshed.

• Select a custom date range.

Adjust the Download Sessions sliders to view sessions for a specific date range:

The dashboard time range is updated automatically as you adjust the sliders.

After modifying the dashboard date range using the Download Sessions histogram, you
can refresh your browser at any time to reapply the default date range.

• Set a single date.

Click a single bar on the Download Sessions histogram to view the number of sessions with newly identified malware detected on that date. The dashboard widgets are then filtered to display artifacts for that date only.
For example, this view of the dashboard shows events and artifacts only for January 15, 2014:

After modifying the dashboard date range using the Download Sessions histogram, you
can refresh your browser at any time to reapply the default date range.
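The difference between the two data-set settings (First Seen versus Time) and the histogram's exclusion of known malware, as an added example that is not part of this guide: a small Python model run over constructed session records (placeholder sample names, not real WildFire data).

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed, illustrative data: sample names are placeholders, not hashes
# of real samples. Dates are in Pacific Time, as AutoFocus displays them
# (September is PDT, UTC-7).
PACIFIC = timezone(timedelta(hours=-7))


@dataclass(frozen=True)
class Session:
    sample: str           # placeholder sample identifier
    first_seen: datetime  # when WildFire first received the sample (First Seen)
    time: datetime        # when the session started (Time)
    verdict: str          # "malware", "grayware", "phishing" or "benign"


def ts(day: int, hour: int = 9) -> datetime:
    """Shorthand for a September 2020 time stamp in Pacific Time."""
    return datetime(2020, 9, day, hour, tzinfo=PACIFIC)


SESSIONS = [
    Session("sample-A", first_seen=ts(28), time=ts(28), verdict="malware"),
    # Known malware: first seen long before the range, downloaded again inside it.
    Session("sample-B", first_seen=ts(1), time=ts(29), verdict="malware"),
    Session("sample-C", first_seen=ts(29), time=ts(29), verdict="benign"),
    Session("sample-D", first_seen=ts(20), time=ts(20), verdict="malware"),
    Session("sample-A", first_seen=ts(28), time=ts(30), verdict="malware"),
]

NOW = ts(30, 12)  # the constructed "current" time for the dashboard


def default_range(days: int, now: datetime = NOW):
    """Dashboard default range: the last N days (1, 7, 30, 90 or 180) ending now."""
    return now - timedelta(days=days), now


def filter_by_first_seen(sessions, start, end):
    """Data set configured by First Seen: keep sessions whose sample first
    reached WildFire inside the range, whenever the session itself occurred."""
    return [s for s in sessions if start <= s.first_seen <= end]


def filter_by_time(sessions, start, end):
    """Data set configured by Time: keep sessions that started inside the range."""
    return [s for s in sessions if start <= s.time <= end]


def download_sessions_histogram(sessions, start, end):
    """Per-day count of malware sessions for the Download Sessions histogram.
    Known malware (first seen before the range) is excluded, which is why the
    histogram can be empty even though malware sessions occurred in the range."""
    counts = Counter()
    for s in sessions:
        if s.verdict != "malware":
            continue
        if not (start <= s.time <= end):
            continue
        if s.first_seen < start:  # known malware: not newly identified
            continue
        counts[s.time.date()] += 1
    return dict(counts)


if __name__ == "__main__":
    start, end = default_range(7)
    print(len(filter_by_first_seen(SESSIONS, start, end)), "sessions by First Seen")
    print(len(filter_by_time(SESSIONS, start, end)), "sessions by Time")
    # sample-B's session is inside the range but absent here: it is known malware.
    print(download_sessions_histogram(SESSIONS, start, end))
```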

Drill Down on Dashboard Widgets
Use the dashboard widgets to add artifacts of interest to a search. Artifacts added to the search editor
from the dashboard are added as conditions to the existing search—they do not replace existing search
conditions (although you can continue to modify the search from the search editor).

For an overview of each of the dashboard widgets, take a First Look at the AutoFocus Portal.

• View artifact details.

Hover over the Top Applications, Top Malware, Top Firewalls, and Target Industries widgets to reveal
statistics. For example, hover over a single bar on the Top Samples widget (where the bar represents a
sample) to view a close-up of the sample hash and the number of times the sample was detected during
the selected date range.

• Add an artifact to the search editor.

Click on a single bar in the Top Applications, Top Samples, Top Firewalls, and Target Industries widgets
to jump to the search editor and perform a search using the data. For example, click on a single bar on
the Top Samples widget to search on the specified file hash.

• For details on interacting with the Top Tags widget, Vote for, Comment on, and Report Tags.

• For details on interacting with the Alerts Log widget, View Alerts in AutoFocus.

Customize the Dashboard
You can customize your organization, industry, global, and custom dashboard reports. Add widgets or
remove them based on your preferences, and pick the order in which they appear on the dashboard.
Dashboard settings are unique and saved for each user in a support account.

STEP 1 | Manage the dashboard view.

1. Click on the configure button to add an existing report to your dashboard view. Selecting a report
adds a new tab with the report name to the dashboard.

2. You can reorder the report tab list by dragging and dropping the report into a new order. The report
at the top of the list corresponds to the leftmost report in the tab.

3. (Optional) For default reports, you can Upgrade Page to sync with the latest version of the report
from Palo Alto Networks. From here, you can also Edit Page to modify the widgets used in the
selected report. If you have made changes to a default report, you can Reset them to return the
report to the default configuration (this option only appears when the report has been modified).

STEP 2 | Edit the contents of a dashboard report.

1. Open the dashboard settings.
Click the Page Editor (1).
2. Edit the widgets and widget placement on the dashboard.
• Edit the name of a widget (2)
• Remove a widget.
Click X to remove a widget (3).
Removing a widget frees up a slot on the dashboard where you can Add a widget.
• Add a new row of widgets.
Choose an area on the dashboard where you would like to insert a new row of widgets, and click
Add Row (4). The newly added row includes two blank slots for widgets by default.
• Add a widget.
Find a blank widget slot, and click Add Widget (5). Then select a widget type.
• Remove a row of widgets.
On the right side of the row you want to remove, click Remove Row (6).
• Change the number of widgets in a row.
Change Columns (7) in the row to show up to 4 widgets.

Depending on the widget configuration and visualization options used, you might
not be able to view the entire data set presented within a widget. Adjust the widget
size by changing the number of columns per row and configuration options to best
suit your report presentation requirements.
3. Save your changes to the dashboard.
When you are finished making your changes, click the Page Editor.
4. (Optional) Restore the default dashboard settings.

Click Reset to return the dashboard to default settings.

The Reset Page to Default option appears only after a report has been upgraded to
the latest version and subsequently edited by a user.

DNS Security Dashboard
The AutoFocus DNS Security dashboard allows users with a DNS Security license to visually examine their DNS request statistics for context into network activity as well as insights into how to combat DNS-based threats.
Refer to the following topics for an overview of the DNS Security dashboard and details about
using the widgets:

> DNS Security Dashboard Overview
> DNS Security Dashboard Widgets

DNS Security Dashboard Overview
Scroll through the AutoFocus DNS Security dashboard to view and drill down into various DNS trends discovered in your network by AutoFocus. Each dashboard widget provides a unique view into how DNS requests are processed and categorized. Clicking on a widget allows you to change the context of the dashboard or view more information about a specific trend, domain, or statistic.

If you are running DNS Security on PAN-OS 9.x, server response and request data for
cached verdicts and benign domains on the firewall are not uploaded to AutoFocus.
Expanded Data Collection for DNS Security Improvements, which collects and forwards this
data to improve analytics, was added in PAN-OS 10.0.

From the DNS Security dashboard page, you can:
• View DNS request statistics and trends
• View DNS activity associated with malicious domains
• View the breakdown of DNS-based malware and request types
• View your organization's coverage (number of firewalls with a DNS Security license)

Filter the contents of your dashboard based on the DNS category and the time frame.
• Filter by DNS Category—Select from C2 (DGA, Tunneling, other C2), Malware, Newly Registered
Domain, Phishing, Dynamic DNS, Allow List, Benign/Unknown, or Any Category, to filter the data set
based on a DNS type.

The Allow List category is a list maintained by Palo Alto Networks of explicitly allowable
domains based on metrics from PAN-DB and Alexa. These allow list domains are
frequently accessed and known to be free from malicious content.
• Filter by Period—Select from Last hour, Last 24 hours, Last 7 days, or Last 30 days to display data for a specific time frame.
Drill Down on the DNS Security Dashboard Widgets for more details on a specific DNS request trend or
statistic.
For an overview of each of the dashboard widgets, see DNS Security Dashboard Widgets.

DNS Security Dashboard Widgets
The widgets populating the DNS Security dashboard are interactive and allow you to view additional details or pivot to a list of specific requests, events, and domains.
The following list provides an overview of the DNS Security dashboard widgets:

Widget Name Description

DNS Requests (C2, Malware, and Total)
Displays the number of C2, malware, and total number of DNS requests. Click on the widget body to filter the dashboard DNS category based on the selected type.

Specifying a custom period through the DNS Requests Trend widget updates the requests shown in the DNS Requests widgets.

Alternatively, you can use the DNS Category filter at the top of the page to switch to any of the defined DNS categories. Click See All > to view a complete list of DNS events.

DNS Requests Trend
Displays a bar chart showing DNS requests based on the Period and the DNS Category filter settings at the top of the page. You can also define a specific time period by clicking on a bar representing a specific date.
• Click on a bar to display a list of DNS requests that were submitted
during a specific time.
• Hover over a bar to view an exact request count for a specific time.

[Malicious] Domains
Displays the number of domains seen in your network, within your industry, and in other industries, as well as the total number, based on the selected DNS category.
• The domains listed on this widget are also dictated by the filters set
at the top of the page, as well as other widgets that include domain
filtering capabilities.
• Click on a statistic to open a detailed domain request listing. The
filters at the top can be used to further refine and explore the
available DNS Security domain data.


DNS Categories
Displays a pie chart showing a breakdown of the DNS requests as categorized by the DNS Security service. Use the navigation pane to access the following AutoFocus features:
• Hover over a slice or the label that it represents to open a popup
showing the number of DNS requests for a specific category.
• Click on a label to remove the category from the pie chart
calculation.

Selecting a DNS category within the widget filters the entire dashboard with the selected category.

Top Domains
Provides a list of the most commonly requested domains from your network.
• The top domains list is generated based on the filter settings applied
at the top of the dashboard. Widgets that affect the overall page
settings also determine which domains are shown.
• Hover over a bar to view usage statistics.
• Click on a domain to view DNS analysis details.

DNS Security Coverage
Provides a pie chart showing the proportion of firewalls with/without an active DNS Security license.
Click See all > to view a detailed list of firewalls with identification
specifics and the DNS Security protection status.

AutoFocus Search
Start a simple search for an artifact from any page in AutoFocus™, or use the AutoFocus
search editor to perform complex searches, with conditions that allow you to narrow or
broaden the scope of your search.

> Start a Quick Search
> Work with the Search Editor
> Drill Down in Search Results
> Set Up Remote Search
> Artifact Types
> Search Operators and Values
> Guidelines for Partial Searches

Start a Quick Search
Start a simple search for an artifact from any page in AutoFocus™, or use the AutoFocus search editor to
perform complex searches, with conditions that allow you to narrow or broaden the scope of your search.
Toggle your view of search results to find:
• The samples matched to your search conditions (WildFire tab).
• The sessions during which the samples were detected (Activity tab).
• The threat indicators found in the returned samples and the DNS history and PAN-DB categorization of
the results (Indicators tab).
After performing a search, you can drill down in sample results to find artifacts seen with that sample. For
each artifact associated with a sample, AutoFocus lists the number of times the artifact has been detected
with benign, grayware, and malware samples. Artifacts that are seen disproportionately
with malware are indicated to be Suspicious or Highly Suspicious. AutoFocus also makes it easy to view
indicators that are found with your search results.
Start searching through samples and sessions for matches to an artifact from any page on the AutoFocus
portal.

STEP 1 | Click the spyglass icon in the support account area of the portal.

You can also press Alt+s to open quick search. To close quick search, click the x on the
top right corner of the search box or click anywhere on the dimmed area of the interface.

STEP 2 | Enter an artifact to search.

When an artifact is incomplete, quick search suggests a list of artifact types that it recognizes.

STEP 3 | Select the scope of the search based on the artifact type.
For example, the string ImASampleFile.pl can be a Filename, a Domain, or a URL. To search for the file
ImASampleFile.pl, select an area to search under the category Filename.

The areas to choose from vary depending on the artifact entered.

• PanDB/pDNS—View PAN-DB categorization entries, WildFire™ active DNS history, and passive DNS
history that match the artifact.
• Go to Sample Detail—(SHA256, SHA1, and MD5 artifacts only) View details about the sample, such as its WildFire verdict (benign, grayware, malware, or phishing) and analysis information.
• Search for My Samples—Search for the artifact in your organization’s private samples.
• Search for Public Samples—Search for the artifact in all samples that are shared to the AutoFocus
community.
• Search for All Samples—Search for the artifact in private and public samples.
• Search for Sessions—Search for the artifact in session information.
• Show Session Stats—View statistics based on sessions that contain the artifact.
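An added example, not part of this guide or of AutoFocus itself: a Python sketch of the type suggestions quick search makes for an ambiguous string such as ImASampleFile.pl, and of sorting an export list into the single-type lists an external dynamic list on the firewall requires (see Use AutoFocus with the Palo Alto Networks Firewall). The syntactic rules and the export list entries are this example's own assumptions, not the AutoFocus parser or export format.

```python
import ipaddress
import re

# The syntactic rules below are this example's own assumptions about which
# artifact types a string can represent; they are not AutoFocus's parser.
_HEX = re.compile(r"^[0-9a-fA-F]+$")
_DOMAIN = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)
_FILENAME = re.compile(r'^[^/\\:*?"<>|\s]+\.[A-Za-z0-9]{1,5}$')
HASH_TYPES = {32: "MD5", 40: "SHA1", 64: "SHA256"}
# Only these artifact types map onto a PAN-OS external dynamic list type.
EDL_TYPES = {"IPv4": "ip", "IPv6": "ip", "Domain": "domain", "URL": "url"}


def ip_version(value):
    """Return 'IPv4' or 'IPv6' for a literal IP address, otherwise None."""
    try:
        return "IPv%d" % ipaddress.ip_address(value).version
    except ValueError:
        return None


def candidate_types(artifact):
    """Artifact types a quick-search string could belong to (empty set if none)."""
    s = artifact.strip()
    if _HEX.match(s) and len(s) in HASH_TYPES:
        return {HASH_TYPES[len(s)]}
    if "://" in s:
        return {"URL"}
    types = set()
    host = s.split("/", 1)[0]
    if ip_version(host) or _DOMAIN.match(host):
        types.add("URL")          # a host with or without a path is a URL
    if "/" in s:
        return types              # a path rules out Domain and Filename
    if ip_version(s):
        types.add(ip_version(s))
    else:
        if _DOMAIN.match(s):
            types.add("Domain")
        if _FILENAME.match(s):
            types.add("Filename")  # e.g. ImASampleFile.pl: also a .pl domain
    return types


def partition_for_edl(export_list):
    """Sort (artifact_type, value) pairs from an export list into the three
    external dynamic list types. An EDL holds entries of a single type, one
    per line, so each type gets its own list; duplicates are dropped and
    anything that is not a valid EDL entry is returned with a reason rather
    than silently discarded."""
    lists = {"ip": [], "domain": [], "url": []}
    skipped = []
    seen = set()
    for art_type, raw in export_list:
        value = raw.strip()
        kind = EDL_TYPES.get(art_type)
        if kind is None:
            skipped.append((value, "%s artifacts are not EDL entries" % art_type))
            continue
        if kind == "ip":
            valid = ip_version(value) is not None
        elif kind == "domain":
            value = value.lower()  # DNS names are case-insensitive
            valid = bool(_DOMAIN.match(value))
        else:
            valid = "URL" in candidate_types(value)
        if not valid:
            skipped.append((value, "not a valid %s entry" % kind))
            continue
        if (kind, value) not in seen:
            seen.add((kind, value))
            lists[kind].append(value)
    return lists, skipped


# Constructed export list; addresses and names are documentation placeholders.
EXPORT_LIST = [
    ("IPv4", "198.51.100.7"),
    ("IPv4", "198.51.100.7"),               # duplicate, written once
    ("Domain", "Malicious.Example"),
    ("URL", "malicious.example/update.php"),
    ("SHA256", "b2" * 32),                  # hashes are not EDL entries
    ("Domain", "not a domain"),             # rejected with a reason
]

if __name__ == "__main__":
    for s in ("ImASampleFile.pl", "198.51.100.7", "evil.example/payload.exe"):
        print(s, "->", sorted(candidate_types(s)))
    lists, skipped = partition_for_edl(EXPORT_LIST)
    for kind, entries in lists.items():
        print(kind, "EDL:", entries)
    print("skipped:", skipped)
```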

STEP 4 | View the search results in the search editor.

STEP 5 | Choose from the following options:

• Work with the Search Editor to perform more complex searches.
• Drill Down in Search Results to explore additional options and information related to the artifact.

Work with the Search Editor
Use the search editor to perform both simple and complex searches based on threat indicators or identifiers.
The search has a range of features for customizing and executing searches. For details on navigating and
using the search results (including adding identifiers to your search as you go), refer to Drill Down in Search
Results.

• Open the Search editor on the navigation pane and select a search type.
• Indicators—Search based on threat indicators, artifacts that have been ascertained by security
experts as exhibiting signs of a compromised network. These artifacts include: File hashes, domains,
URLS, and IP addresses.
• Sample—Search based on samples sent to WildFire for analysis by various connected appliances
and services. WildFire receives samples from the following sources: Firewalls, WildFire, Traps, Traps
Android, Magnifier, Proofpoint, Prima SaaS, manual uploads, partner integrations, and other industry
sources.
• Session—Search based on the session data provided by samples during sample submission. This
allows you to search based on various context details, such as the time stamp, upload source,
application, file URL, and more. The session data displayed in the search results include all relevant
data submitted to WildFire through your organization's various product integrations.

• See the following topics for details on using the AutoFocus search:
  • Start an indicator search.
  • Start a sample or session simple mode search.
  • Start a sample or session advanced mode search.
  • Add a search condition to a remote search.
  • Use a saved search.
  • Import a search.

• Start an indicator search.


1. Select Search > Indicators to begin a new indicator search.
2. Enter a valid threat indicator value. You can select from the following types: Domain, URL, IP
addresses (IPv4 or IPv6), and file hashes.

When switching the search context from Indicators to WildFire or Activity, AutoFocus
reapplies the search term as a valid artifact type in advanced search mode. This allows
you to quickly pivot for more information about a particular indicator.

• Start a sample or session simple mode search.


To begin a new simple mode search, select Search > Sample or Session (based on the type of search you
wish to perform). If the search is in advanced mode, switch to Simple Mode.

AutoFocus defaults to the last search mode used by the user.

Create a simple mode search by selecting the relevant conditions from the drop-down menus. Should
you need to run a search using other variables, you must define the scope and value in the Advanced
search:
1. Configure your search by selecting the desired search variables from the drop-down menus. You can
select from the following categories: Verdict, Seen, Source, Tags, and IOC (indicators of compromise).

AutoFocus automatically refreshes after each variable is selected or modified.

• Search by Verdict—Select from Malware, Grayware, Benign, Phishing, and Any Verdict to search
the data set based on a verdict.
• Search by First Seen and Time—First configure the search to include samples based on when it
was First Seen (the time stamp of when the sample was first forwarded or uploaded to WildFire
for analysis) or by Time (the time stamp of when the session started), then set the search to
display data for the last 1, 7, 30, 90, or 180 days. You can also set the search to display all data by
default by setting the time range to Any Time.

The time setting does not filter the scope (My Samples (private), Public Samples, or All
Samples (private and public samples)) of the sample data set.
• Search by Source—Select from Firewall, Proofpoint, Traps, Magnifier, Manual API, Traps Android,
WF Appliance, Prisma SaaS, Prisma Access, Cortex XDR, and Any Source to filter the data set
based on the upload source.
• Search by Tag—Select from a list of tags, tag classes, or tag groups. Alternatively, you can filter the
list of tags by entering a keyword to search for samples associated with a tag.
• Search by IOC—Search based on the following indicators of compromise: Hash, IP Address,
Domain, URL, User Agent, Email Address, and Filename.
• Apply a Saved Search—Select a Saved Search setting to quickly execute a search based on
preconfigured saved search conditions.

2. If you want to add other conditions to the search, you can switch to Advanced mode. Switching to
advanced mode retains the condition values selected in simple search mode. From here, you can add
search conditions that are not available in simple search mode. For more details on using the advanced
mode search, refer to Start a sample or session advanced mode search.

If you add search conditions that are not available in Simple mode, you will be
prompted to reset your search.

• Start a sample or session advanced mode search.


To begin a new advanced mode search, select Search > Sample or Session (based on the type of search
you wish to perform). If the search is in simple mode, switch to Advanced mode.

AutoFocus defaults to the last search mode used by the user.

To create a search condition, choose the type of artifact you want to find and define the scope and
value:

1. Select one of the Artifact Types from the drop-down to perform a search of global threat data based
on that artifact type.

Start typing the name of the artifact type to narrow down the list of options.

2. Select an operator for the search condition.


The operator determines the scope of search results; you can use the operator to limit or expand
potential results, or to return exact match results. Search Operators and Values vary depending on
the type of artifact you select.

You can use the operator to create negative search conditions. Use negative
operators such as is not or is not in the list to return more granular search results that
exclude samples or sessions that match the negative condition.
3. Enter or select a value to define the search condition. Depending on the artifact type and operator
selected, you may be able to choose from predefined values, or you might be required to enter an
exact value to perform the search.
Learn more about Search Operators and Values.

If you are attempting to select a value from a pre-populated drop-down, and the drop-
down appears to be loading for a long period of time, try clearing your browser cache.

• Add more search conditions.
  • Add conditions to your search. You can add up to 300 search conditions to a single search.
  • Remove conditions from your search.

• Narrow or broaden your search.

Match results to all or any of the defined search conditions:


• Narrow search results by selecting All. Search results are only returned for samples that match all
conditions.
• Broaden search results by selecting Any. Search results are returned for samples that match one or
more conditions.

• Add a child query.

A child query is a condition or a set of conditions nested within and used to qualify a parent query. A
child query is evaluated only against the parent query to which it is added. Add a child query to return
more granular search results, where the results must match both the parent query and the child query.
The example search below shows a child query added to the Email Subject condition. Search results will
be returned for samples where the following is true:
• The sample was first seen before March 13, 2015.
• The email subject for the sample file contained the word test and received a WildFire verdict of
either malware or grayware.

You can only add up to 4 levels of child queries nested under parent queries.

• Add a parent query.

Click Add Parent Query to nest a search condition under the preceding condition. AutoFocus then only
evaluates the nested search condition against the parent condition.
In the example below, click Add Parent Query to nest the First Seen condition under the WildFire
Verdict condition. Search results will be returned for samples where any of the following conditions is
true:
• The sample received a WildFire verdict of malware and was first seen before July 1, 2016.
• The sample is an Adobe Flash file.
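The All/Any matching, the child and parent query nesting, the negative operators and the two limits (300 conditions, 4 nesting levels) described above, as an added example that is not part of this guide or of AutoFocus's own code: a Python model of a search condition tree that evaluates the guide's two example searches over constructed sample records. The artifact names, operator strings and sample records are assumptions chosen to mirror the editor's labels; a disabled condition is skipped the way the editor skips it.

```python
from dataclasses import dataclass, field
from datetime import date

MAX_CONDITIONS = 300   # conditions allowed in one search, per the guide
MAX_DEPTH = 4          # levels of child queries allowed under parent queries, per the guide


@dataclass
class Condition:
    artifact: str          # artifact type label, e.g. "WildFire Verdict" or "First Seen" (assumed names)
    operator: str          # is, is not, is in the list, is not in the list, contains, is before, is after
    value: object
    enabled: bool = True   # a disabled condition stays in the editor but is ignored


@dataclass
class Query:
    match: str = "all"                              # "all" narrows (every child), "any" broadens (one child)
    children: list = field(default_factory=list)    # Conditions and nested Query objects


def with_child(parent: Condition, child: Query) -> Query:
    """Nest a child query under one condition: the child only counts when the parent matches."""
    return Query("all", [parent, child])


def _matches(cond: Condition, sample: dict) -> bool:
    actual, v, op = sample.get(cond.artifact), cond.value, cond.operator
    if op == "is":
        return actual == v
    if op == "is not":                 # negative operators exclude samples that match the value
        return actual != v
    if op == "is in the list":
        return actual in v
    if op == "is not in the list":
        return actual not in v
    if op == "contains":
        return actual is not None and v in actual
    if op == "is before":
        return actual is not None and actual < v
    if op == "is after":
        return actual is not None and actual > v
    raise ValueError(f"unsupported operator: {op!r}")


def evaluate(query: Query, sample: dict) -> bool:
    results = []
    for child in query.children:
        if isinstance(child, Query):
            results.append(evaluate(child, sample))   # a child query is judged as one unit
        elif child.enabled:
            results.append(_matches(child, sample))
    if not results:
        return True
    return all(results) if query.match == "all" else any(results)


def validate(query: Query, depth: int = 0) -> int:
    """Enforce the editor's limits; returns the number of conditions in the tree."""
    if depth > MAX_DEPTH:
        raise ValueError(f"child queries nested more than {MAX_DEPTH} levels")
    count = sum(validate(c, depth + 1) if isinstance(c, Query) else 1 for c in query.children)
    if depth == 0 and count > MAX_CONDITIONS:
        raise ValueError(f"search has more than {MAX_CONDITIONS} conditions")
    return count


def is_valid(query: Query) -> bool:
    try:
        validate(query)
        return True
    except ValueError:
        return False


# Constructed sample records standing in for search results; not real AutoFocus data.
SAMPLES = [
    {"sha256": "A", "First Seen": date(2015, 1, 10), "Email Subject": "test invoice",
     "WildFire Verdict": "malware", "File Type": "PE"},
    {"sha256": "B", "First Seen": date(2015, 1, 10), "Email Subject": "test invoice",
     "WildFire Verdict": "benign", "File Type": "PE"},
    {"sha256": "C", "First Seen": date(2017, 5, 1), "Email Subject": "hello",
     "WildFire Verdict": "benign", "File Type": "Adobe Flash"},
    {"sha256": "D", "First Seen": date(2016, 1, 1), "Email Subject": "test",
     "WildFire Verdict": "malware", "File Type": "Adobe Flash"},
]


def child_query_example() -> Query:
    """Guide's child-query example: first seen before March 13, 2015, and an Email Subject
    containing 'test' qualified by a child query requiring a malware or grayware verdict."""
    return Query("all", [
        Condition("First Seen", "is before", date(2015, 3, 13)),
        with_child(Condition("Email Subject", "contains", "test"),
                   Query("all", [Condition("WildFire Verdict", "is in the list", ["malware", "grayware"])])),
    ])


def parent_query_example() -> Query:
    """Guide's parent-query example: any of (malware verdict with First Seen before
    July 1, 2016 nested under it) or the sample is an Adobe Flash file."""
    return Query("any", [
        with_child(Condition("WildFire Verdict", "is", "malware"),
                   Query("all", [Condition("First Seen", "is before", date(2016, 7, 1))])),
        Condition("File Type", "is", "Adobe Flash"),
    ])


def run(query: Query, samples=SAMPLES) -> list:
    validate(query)
    return [s["sha256"] for s in samples if evaluate(query, s)]
```

The parent-query example shows why placement matters: with the top-level match set to Any, nesting First Seen under the verdict condition keeps the date restriction from also applying to the Adobe Flash condition.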

• Adjust search condition placement.

Move Up or Move Down search conditions to move conditions to or from a child query. Depending on
the placement of a condition, you can move it up or down to include it in a child query. You can also
move a condition up or down to remove it from a child query so that it is no longer a nested condition.
Alternatively, you can move a search condition using the keyboard. Placing the cursor over the left edge
of a condition displays a directional icon. Click on the icon next to the condition or condition group you
want to move and then use the keyboard arrows to change the placement. Depending on the location
of the condition, you can also create child and parent queries by pressing the right arrow key. Exit the
keyboard movement mode by pressing the escape key or by clicking the selected condition.

• Disable a search condition.

Disable a condition to temporarily remove it from a search. This option provides the flexibility to
temporarily adjust your search parameters, and then quickly and easily add the condition back to your
search if necessary.
Disabled search conditions are grayed out:

To enable a search condition that was previously disabled, select the ellipses icon for that condition and
select Enable:

• Start a new search from your current search.

Start a New Search for any of the search conditions of an existing search. The new search launches in a
separate browser window.

• Add a search condition to a remote search.

This is one way to add search conditions that define which artifacts to find remotely in a Palo Alto
Networks® next-generation firewall, Panorama, or third-party log management system when you Set Up
Remote Search.
This option is only available for SHA256 hash, IP address, user agent, filename, or URL search conditions.

• Add recent or frequently-used conditions to a search.

Select the Show Search History icon and add Recently used or Most used search conditions to your
search.

• Save a search.

Save searches that you might be performing on a regular basis, or to quickly recreate useful search
settings:
Click the Save Search icon, enter a name and description to identify the saved search when using it later,
and save the search.

• Use a saved search.

Open Saved Search to view an alphabetical list of previously saved searches, and click the spyglass icon
to add a saved search to the search editor.

• Tag a search.

Click Tag Results to create a tag based on search conditions. Tags can be used to define a set of
conditions that indicate an important network event or a possible or known threat.
Tag a search so you can easily identify and track any existing or future samples that match the search.
When you Create a Tag, give the tag a recognizable name and description. Select Tags on the navigation
pane to manage tags you have created and to view all tags.

• Export a search.

You can export a search to share the search between support accounts or with another AutoFocus
security expert.
• After setting up a search and viewing search results, select Export Search.
• Copy the search filters.
• Paste the search filters into a local file or send the filters to another user.

• Import a search.

Click Import Search to paste and import a previously exported query or a query shared by another
AutoFocus security expert.

• Start a remote search.

Start a Remote Search to look for artifacts in a Palo Alto Networks firewall, Panorama, or third-party log
management system. View more details on how to Set Up Remote Search.

This feature is supported with firewalls running PAN-OS 7.1 or later release versions.

• Create a MineMeld miner based on the search.

When the MineMeld app is running, Create MineMeld Miner to send artifacts from the sample search
results to MineMeld (refer to Forward AutoFocus Indicators to MineMeld).

• View the API request for a sample or session search.

Click the >_API link in the WildFire or Activity tab of the search editor to view the API request for
initiating the current search. The API request is shown both as a cURL command and as Python code (see
more information about using the AutoFocus API to perform a search).

• Choose from the following next steps:


• Click Search to view samples matched to your search conditions. Select the Indicators, WildFire, and
Activity tabs to Drill Down in Search Results.
• Assess AutoFocus Artifacts found in your search.
• Export AutoFocus Artifacts found in your search.

Drill Down in Search Results
An AutoFocus search returns all matching samples and their corresponding sessions (Start a Quick Search
or Work with the Search Editor to set up a search). After searching, a progress bar displays as the search
is processing the complete set of results. You can check the cumulative number of samples that meet the
search conditions when the search progress is complete. You can also change the scope of your search from
My Samples (samples found in your network only) to Public Samples or All Samples:

The Samples, Sessions, and Indicators tabs display search results in different contexts. You can drill down
in the results to find correlation among artifacts, to narrow your search by adding artifacts to the search as
you go, and to Export AutoFocus Artifacts that are high-risk.
See the following topics for details on the different search results views:
• Sample
• Sessions
• Indicators

Sample
The Sample tab in the AutoFocus search editor displays all samples that match the conditions of the search.
Click the column headers for the sample details to sort samples in ascending (up arrow) or descending
(down arrow) order. By default, the most recently detected samples are displayed. You can choose to view
only My Samples, only Public Samples, or All Samples. All Samples includes both public and private samples;
however, private samples submitted by firewalls or sample sources other than those associated with your
support account display with an obfuscated hash.

Set a default scope for search results to choose which samples are displayed immediately
when you launch a search. Navigate to the AutoFocus portal Settings and select a Preferred
Scope. You must click Save changes to save the new default scope.

To examine Sample Details, click on a sample hash after initiating a search:

Sample Details

Sample Visibility
Make a sample Public to share the sample with other AutoFocus security experts. You can also revert the
status of the sample to Private at any time.

Sample Tags
Lists the tags the sample is associated with, and you can also add a new tag. (For details on tags and how
tagging works, see AutoFocus Tags.)

Hover over a tag to view more tag information in a popup. You can click on the linked tag name to Vote
for, Comment on, and Report Tags.

If a sample has Threat Indicators that match indicators forwarded to AutoFocus from MineMeld, an
indicator tag specifies the number of matching indicators. Click on the indicator tag to view the matching
indicators.

WildFire Report
Shows the WildFire analysis report sample details based on the virtual environment(s) used to analyze
the file. This includes comprehensive information about how the sample verdict was determined, including
specific behaviors and system process changes, as well as associated IoCs and the causality chain, to help
you visualize how the sample infiltrated your network.

• The WildFire report tab currently only displays samples that have been analyzed by the WildFire
Global cloud, a regional cloud hosted in the U.S.
• WildFire reports that are larger than 1 MB are not available to view in AutoFocus. This accounts for
0.001% of all available reports.

Select a drop-down to view specifics for each WildFire report context:
• Summary—Displays general file information as well as an overview of the sample analysis results as
determined by WildFire. This includes the sample verdict, hash, analysis timestamps, file property
details, session information, malware family, VirusTotal and MultiScanner hits, and the region where the
sample was analyzed.
• Screenshots—Provides a series of screenshots captured during WildFire sample analysis. You can switch
between different analysis platforms using the selector tab located at the top of the report. The
screenshots display various process milestones to help you validate the operations and detection
reasons used to classify a file.
• Detection Reasons—Lists the reasons why WildFire has reached a specific verdict for a given sample.
Each detected cause has its own verdict; the combined severity of the detection reasons is used to
determine the overall verdict of the sample.
• IoCs (Indicators of Compromise)—Lists Threat Indicators that AutoFocus detected in the sample's
WildFire analysis details. The list consists only of artifacts that AutoFocus considers to be an
indicator based on the tendency of the artifact to be seen predominantly in malware samples. AutoFocus
uses a statistical algorithm to determine which artifacts are indicators. Click on an indicator to view
detailed information about it.
• Causality Chain—Displays a visualization of all processes, files, and network calls, and their
associated behaviors, actions, and detection reasons, that were shown to be involved in the attack.
Additionally, this view illustrates the causal relationships between these events and the triggers
involved in advancing the attack. Click on a node to view detailed information about the event.
• Behaviors—Lists the file behavior activities recorded by WildFire during file analysis. Examples
include whether the sample created or modified files, started a process, spawned new processes, modified
the registry, or installed browser helper objects. Click on an entry to view more information about each
behavior.
• Analyst—Lists the various identifier objects observed during sample analysis. Filter the list by
selecting the category tabs at the top of the table.

File Analysis
Lists the sample details and properties. The nested WildFire Dynamic Analysis section describes the
sample's observed behavior and lists each activity the sample performed when executed in the WildFire
analysis environment.
You can view sample details that WildFire detected in environments running different operating systems.
If you have any reason to believe the verdict is a false positive or a false negative, click Report as
Incorrect to submit the sample to the Palo Alto Networks threat team. The threat team performs additional
analysis on the sample to determine and verify the verdict.
Select a method of viewing the WildFire dynamic analysis of the sample:
• (icon)—Groups sample activities by activity type. This view displays by default when you open the
file analysis of a sample.
• (icon)—Lists sample activities based on the order in which they occurred in the WildFire analysis
environment.
• (icon)—For any main parent processes that occurred when the sample executed in the WildFire analysis
environment, the child processes and activities that they spawned are grouped under them. The processes
are indented to display the visual hierarchy of parent and child processes. Click the minus sign ( - )
next to a parent process to hide the child processes under it; click the plus sign ( + ) to display them.

(icon)—Filters the processes and activities shown under WildFire Dynamic Analysis. You can configure the
analysis filter(s) with the following rule types:
• Line Counts—AutoFocus filters activities that exceed the user-specified artifact limits.
• Regular Expression—AutoFocus filters activities matching the specified regular expression. Items in
the Parent Process and Parameters columns are evaluated for matches.
You can display filtered content by clicking Show filtered lines. Filtered items are marked with a filter
icon.
In Sequence and Tree view, you can see the activities that occurred in the operating system kernel space
and user space:
• Kernel Space—The kernel is the core of the operating system; the kernel space is a memory area where
the kernel runs operating system processes and manages other processes.
• User Space—User space is the memory area outside of the operating system kernel, where applications
and other user processes are executed.
As you drill down in the WildFire Dynamic Analysis details for a sample, high-risk artifacts associated
with the sample are marked for easy identification. You can add artifact evidence and observed behavior
to a new or existing search.

The Observed Behavior section displays the total number of activities that are Evidence of a specific
behavior. Each behavior has an associated risk level, and you can expand a single behavior to see the
matching sample activities.
You can also expand an activity section to see all of the specific sample activities that fall under it.
For each activity artifact, the total number of times the artifact has been found with benign, grayware,
and malware samples is listed (each verdict has its own icon).
Depending on the artifact, you can:
• Add an artifact to your existing search
• Add an artifact to an export list
• Start a new search for the artifact in a separate browser window
• View more information about domain and URL artifacts
If an artifact is evidence of an observed behavior, the behavior risk level is indicated with an icon: a
gray icon indicates a low-risk behavior, a yellow icon indicates a medium-risk behavior, and a red icon
indicates the artifact is evidence of a critical, high-risk behavior.
Based on the sample artifacts, AutoFocus highlights high-risk indicators as Suspicious or Highly
Suspicious. Sample indicators that match indicators forwarded to AutoFocus from MineMeld are highlighted
with an indicator icon. (Learn more about how to Manage Threat Indicators.)

See Artifact Types for a detailed and expanded description of the WildFire analysis sections and the
artifacts they contain.

Network Sessions
Lists all sessions during which samples with the same SHA256 hash were detected. The sessions displayed
are all WildFire sessions submitted from your Palo Alto Networks firewall or another Upload Source
associated with your support account. Select a single session for session details. Click the File Analysis
tab to navigate back to the sample details.

Coverage
Lists the WildFire signatures that match the sample. Check signature coverage to assess the level of
protection in place against malware. Depending on the sample, all or some of the following signature types
provide coverage:
• WildFire AV Signatures identify malicious files. Examples of malware for which antivirus signatures
provide protection include viruses, trojans, worms, and spyware downloads.

To find other samples that are covered by the same signature, set up a search for Threat Name > is and
enter the Signature Name as the search value.

• C2 Domain Signatures identify malicious domains that the sample attempted to resolve when executed in
the WildFire analysis environment.
• Download Domain Signatures identify domains that host malware (and from which the sample was
downloaded).
• PAN-DB Categorization: URLs the sample visited when executed in the WildFire analysis environment
might also be listed, including the PAN-DB categorization for each URL. These category assignments (up to
four) classify a site's content, purpose, and safety. An additional security-focused URL category with an
overall risk level, indicating how likely it is that the site will expose you to threats, is also present.
For more information, see URL Categories.
For each of these signature types, the date that WildFire created the signature is listed. You can toggle
between daily, 15-minute, and 5-minute content updates to see the versions that included the signature.
The first content version that included the signature is listed, as well as the last content version to
include an update to the signature. The table also indicates whether a signature is included in the most
current content version.

Indicators
Lists Threat Indicators that AutoFocus detected in the sample's WildFire analysis details. The list
consists of only artifacts that AutoFocus considers indicators based on the tendency of the artifact to be
seen predominantly in malware samples. AutoFocus uses a statistical algorithm to determine which artifacts
are indicators.

Next Steps...
• Assess AutoFocus Artifacts found in your search.
• Export AutoFocus Artifacts found in your search.
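The WildFire Dynamic Analysis views and filters described in the File Analysis row above (grouping by activity type, the Sequence and Tree views, the kernel-space and user-space split, and the Line Counts and Regular Expression filter rules), as an added example that is not from this guide or from WildFire: a Python re-creation over a constructed list of activity rows. The row layout, the process names and the per-activity-type reading of the Line Counts rule are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed WildFire Dynamic Analysis rows, not real report data. Each row records the
# order of the activity, the process that performed it (the Parent Process column), that
# process's own parent (for tree view), the activity type, the address space, and the
# Parameters column.
ACTIVITIES = [
    {"seq": 1, "process": "sample.exe",   "parent": None,         "type": "process",  "space": "user",
     "params": "started sample.exe"},
    {"seq": 2, "process": "sample.exe",   "parent": None,         "type": "file",     "space": "user",
     "params": "created C:\\Users\\Public\\dropper.dll"},
    {"seq": 3, "process": "sample.exe",   "parent": None,         "type": "registry", "space": "user",
     "params": "set HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"},
    {"seq": 4, "process": "sample.exe",   "parent": None,         "type": "process",  "space": "user",
     "params": "spawned cmd.exe /c whoami"},
    {"seq": 5, "process": "cmd.exe",      "parent": "sample.exe", "type": "process",  "space": "user",
     "params": "spawned whoami.exe"},
    {"seq": 6, "process": "cmd.exe",      "parent": "sample.exe", "type": "network",  "space": "user",
     "params": "dns query c2.example.invalid"},
    {"seq": 7, "process": "ntoskrnl.exe", "parent": None,         "type": "process",  "space": "kernel",
     "params": "created thread in sample.exe"},
    {"seq": 8, "process": "sample.exe",   "parent": None,         "type": "file",     "space": "user",
     "params": "created C:\\Users\\Public\\log1.tmp"},
    {"seq": 9, "process": "sample.exe",   "parent": None,         "type": "file",     "space": "user",
     "params": "created C:\\Users\\Public\\log2.tmp"},
]


def apply_filters(activities, line_limit=None, pattern=None):
    """Split rows into (shown, filtered) using the two rule types the guide names.
    Line Counts is applied as a per-activity-type cap (an assumption about how the limit
    is counted); Regular Expression hides rows whose Parent Process or Parameters column
    matches the pattern. Both lists keep sequence order."""
    regex = re.compile(pattern) if pattern else None
    seen = defaultdict(int)
    shown, filtered = [], []
    for row in sorted(activities, key=lambda r: r["seq"]):
        seen[row["type"]] += 1
        over_limit = line_limit is not None and seen[row["type"]] > line_limit
        regex_hit = regex is not None and bool(regex.search(row["process"]) or regex.search(row["params"]))
        (filtered if over_limit or regex_hit else shown).append(row)
    return shown, filtered


def by_type(activities):
    """Default view: activities grouped by activity type."""
    groups = defaultdict(list)
    for row in sorted(activities, key=lambda r: r["seq"]):
        groups[row["type"]].append(row["params"])
    return dict(groups)


def by_space(activities):
    """Sequence view annotation: which activities ran in kernel space and which in user space."""
    groups = {"kernel": [], "user": []}
    for row in sorted(activities, key=lambda r: r["seq"]):
        groups[row["space"]].append(row["seq"])
    return groups


def tree_view(activities):
    """Tree view: each process with its activities, child processes indented under their parent."""
    rows = sorted(activities, key=lambda r: r["seq"])
    parent_of = {}
    for row in rows:
        parent_of.setdefault(row["process"], row["parent"])
    lines = []

    def walk(proc, depth):
        lines.append("  " * depth + f"[{proc}]")
        for row in rows:
            if row["process"] == proc:
                lines.append("  " * (depth + 1) + f"{row['seq']}: {row['type']} {row['params']}")
        for child, parent in parent_of.items():
            if parent == proc:
                walk(child, depth + 1)

    for proc, parent in parent_of.items():
        if parent is None:          # main parent processes become the roots of the tree
            walk(proc, 0)
    return lines


if __name__ == "__main__":
    shown, filtered = apply_filters(ACTIVITIES, line_limit=2, pattern=r"log\d\.tmp")
    print("\n".join(tree_view(shown)))
    print("filtered lines:", [r["seq"] for r in filtered])
```

Keeping the filtered rows instead of discarding them is what makes a Show filtered lines toggle possible; the regular expression is tested against the process and parameter columns only, matching the two columns the guide says are evaluated.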

Sessions
The Session tab displays all Sessions information associated with samples from your network. Click the
column headers to sort sessions in ascending (up arrow) or descending (down arrow) order.

The session data displayed in the search results include all relevant data submitted to
WildFire through your organization's various product integrations where available; however,
session data availability is not contingent on membership in other services, such as
Panorama, Cortex Data Lake, or other Palo Alto Networks products.

Session Details

After performing an AutoFocus Search, select Sessions and select a single session to drill down for
session details:

Display sessions based on the Upload Source. Add the search condition Upload Source > is to your current
search and choose a session source. In the example above, the sessions search results have the Upload
Source Firewall, which means that they are sessions associated with samples submitted to WildFire from
your connected firewall.

Activity details include a Session Summary, from which you can add artifacts to your existing search or
launch a new search for an artifact in a separate browser window.

The File Analysis tab displays artifacts that WildFire found in the sample detected during the activity
session (see Sample Details for information on the File Analysis tab).

Activity details also include a list of Related Sessions, which are other sessions during which the same
sample was detected.

Next Steps...
• View the associated Samples.
• Assess AutoFocus Artifacts found in your search.
• Export AutoFocus Artifacts found in your search.

Indicators
The Indicators tab provides a summary of threat intelligence data that Palo Alto Networks has on
a particular threat indicator — URLs, domains, IP addresses (IPv4 and IPv6), and hashes. The threat
intelligence summary data, depending on the type of indicator, can include the WildFire verdict, detection
reasons, associated metadata (including the indicator source(s)), WHOIS information, tags, logs of DNS
activity from all samples analyzed with WildFire, active/passive DNS history where AutoFocus detected
instances of the artifact, and other related information. This can help you assess whether a specific hash,
domain, URL, or IP address is associated with suspicious behavior and analyze the nature of a threat.

Indicators List Details

Threat Indicator Overview
The threat indicator summary provides a breakdown of the properties, behaviors, and activities reported
by various Palo Alto Networks analytics services. URL entries can include additional context provided by
analysis data derived from the improved URL analysis capabilities found in the WildFire global cloud. This
content is categorized into three categories: Summary, Evidence, and Analyst. The summary provides a
high-level overview of the URL, including PAN-DB categorization details, detection reasons with verdict,
and Whois information, accompanied by a screenshot. Evidence shows details regarding why and how the
verdict was reached. Analyst describes various insights into the operational details of the web page,
including network traffic and file transfers. For all other indicators, the threat indicator summary
provides a breakdown of the general properties, behaviors, and activities reported by various Palo Alto
Networks analytics services. The following list shows some of the threat data that can populate the threat
indicator overview.
• WildFire Verdict—The verdict of the sample based on the WildFire analysis of the file or email link.
• Tags—Lists the tags or tag groups associated with the threat indicator.
• Upload Source—Lists which of your connected Palo Alto Networks services or appliances uploaded the
threat indicator.
• First/Last Seen Date—Displays when the threat indicator was first and last sent to WildFire for
analysis.
• WHOIS—Shows general domain information.
• PAN-DB Categorization—View URLs associated with the domain, URL, or IP address through PAN-DB and the
PAN-DB category for each URL.
• WildFire DNS History—View a log of domain to IP address mappings based on all samples that launched a
request to connect to a domain during WildFire analysis.
• DNS Security Results—Domains that have been analyzed by DNS Security are listed here.
• Passive DNS History—View a passive history of domain to IP address mappings that contain matches to
the artifact you searched for.
• Active DNS History—View active domain to IP address mappings that contain matches to the artifact you
searched for.

VirusTotal
A direct link to the VirusTotal analysis of the specified file hash.
This option is only available for file hashes.

Sample and Session Details
You can pivot to a sample or session search on the specified indicator. This automatically initiates a
search based on the initial query and can provide wider context and additional details.

Set Up Remote Search
Remote search enables you to use AutoFocus to find suspicious IP addresses, SHA256 hashes, URLs, user
agents, and filenames in a specific Palo Alto Networks firewall or a set of Panorama-managed firewalls.
AutoFocus looks for matches to the suspicious artifacts in the firewall log entries. When you launch a
remote search, the firewall or Panorama web interface opens in a new window and displays the search
results in Unified log view.

The remote search feature is supported with firewalls running PAN-OS 7.1 or later release
versions.

AutoFocus also supports integration with third-party log management systems. When you configure your
custom system to work with AutoFocus remote search, you can filter log or event repositories with
AutoFocus search conditions.

STEP 1 | Log in to the firewall or Panorama you want to search with your administrator username and
password.

STEP 2 | Configure the settings of the remote system.


Allow HTTP or HTTPS service on the management interface of your firewall or Panorama. Select the
service that matches the address of the remote system you want to search.

STEP 3 | Add a remote system to search with AutoFocus.


1. Select Settings on the navigation pane.
2. Add new remote systems.
3. Enter a descriptive Name for the remote system.
4. Select a System Type:
   • Select PanOS to add a firewall or Panorama.
   • Select Custom to add a custom system that has been configured to integrate with AutoFocus
   remote search.
5. Enter the IP Address or URL of the remote system.
6. Click Save changes.
7. Click Save changes on the Settings page to finish adding the remote system. You can add up to 500
remote systems.

STEP 4 | Add conditions to a remote search:


• Add an artifact from a search result.
1. Perform a search, and view Sample Details.
2. Add any SHA256 hash, IP address, user agent, filename, or URL contained in a sample to a remote
search.
For example, add a sample hash or a domain.

3. Click Remote Search to verify that the artifact was added.


• Add a search condition to a remote search.
Click Remote Search to verify that the search condition was added.
• Create a condition to add to a remote search.
1. On the search editor, click Remote Search.
2. Add IP addresses, URLs, user agents, SHA256 hashes, or filenames to the remote search.

STEP 5 | (For Panorama Device Group and Template Administrators Only) For Panorama Device Group
and Template administrators (not superusers), an AutoFocus remote search targeted to
Panorama returns results based on the current Panorama Access Domain setting. Panorama
administrators with role-based access control must first open the Panorama web interface,
select Monitor > Logs and set the Access Domain for which to view search results. Return to
the AutoFocus portal to execute your remote search.

STEP 6 | Start a remote search.


1. Click Remote Search.
2. Review the list of search conditions that you added in Step 4. Add or remove conditions as needed.
3. Set the remote search to find Any or All of the artifacts on the targeted system.
4. Select one or more Remote systems to search.
5. Click Search.

STEP 7 | View the search results.

If no browser tabs open when you launch remote search, change the settings on your
browser to allow pop-ups from AutoFocus.

A new browser tab opens for each remote system.


• Search results for a firewall or a Panorama are displayed in Unified log view. The list consists of all log
entries that contain the artifacts specified in the remote search.
Panorama search results include log entries from managed firewalls that are not connected to
AutoFocus and/or are running PAN-OS 7.0 or earlier.
• Each custom system opens in a new tab, with the URL formatted to include the conditions specified
in the remote search.

The maximum length for the URL generated through remote search is 1,024
characters. Performing a remote search with multiple search conditions may create a
URL that exceeds the character limit. As a best practice, check which conditions were
added to the URL after launching a search.

STEP 8 | Learn more about working with Unified logs on the firewall.

Artifact Types
WildFire detects properties, activities, and behaviors when it analyzes samples during static and dynamic
analysis. WildFire forwards this information to AutoFocus, as well as the properties of sessions associated
with the samples. In AutoFocus, these pieces of information are referred to as Artifacts. WildFire detects
some artifacts in samples only, in sessions only, or in both samples and sessions (general artifacts). Other
artifacts are specific to a particular operating system (Windows, Mac, or Android).
You can use the different types of artifacts with Search Operators and Values to find Samples and Sessions.

• General Artifacts
• Sample Artifacts
• Session Artifacts
• Analysis Artifacts
• Linux Artifacts
• Windows Artifacts
• Mac Artifacts
• Android Artifacts

General Artifacts
General artifacts are artifacts that WildFire associates with both samples and sessions. For example, you can
use the artifact type Domain to search based on domains found in samples and sessions.
Some general artifacts are tag-related. If you search with a tag-related artifact, the search results display all
samples that have one or more tags that meet the search criteria, and their related sessions.
The following general artifact types refer to private session information: Domain, Email Address, Filename,
IP Address, and URL. If any of your private tags use these artifact types as tag conditions, you cannot make
these tags public.

Artifact Type Search with this Artifact Type to Find...

Domain A domain detected in the DNS Activity or HTTP Activity of a sample, or the
File URL.

Email Address An Email Recipient Address or Email Sender Address.

Filename The File Name of the sample or a filename that AutoFocus found in the File
Activity of a sample.

Hash The sample’s MD5, SHA1, or SHA256 hash. The search results also include
samples in which AutoFocus found the hash in the File Activity of the sample.

Hash Lookup The sample’s MD5, SHA1, or SHA256 hash. The search results only include
samples based strictly on the primary sample hash value. Samples in which
matching hashes are found in the File Activity of the sample are not included
in the results.

IP Address A File URL, Source IP, or Destination IP in a session, or an IP address detected
in the Connection Activity, DNS Activity, or HTTP Activity of a sample.

Tag Samples with a specific tag.

Tag Alias Samples filtered by Tag Alias.

Tag Class Samples filtered by Tag Class: a malware family, a campaign, an actor, an
exploit, or a type of malicious behavior.

Tag Group Samples filtered by the specified Tag Group.

Tag Scope Samples filtered by Tag Scope: private, public, Unit 42 (alerting), or Unit 42
informational (non-alerting).

Tag Source Samples with tags that are attributed to a particular Tag Source.

Threat Name Samples that match a particular threat signature.

URL A File URL or a URL detected in the HTTP Activity of a sample.

User Agent A user agent header detected in the HTTP Activity or User Agent Fragments
of a sample. The user agent header indicates your browser type and version
and your operating system and version. During a session, your browser sends
this information to the site you are visiting to determine the best way to
deliver the information you requested. Examples of user agent strings include
Mozilla/4.0 and Windows NT 6.1.

Saved Search A user-configured search setting used to quickly apply search conditions.

Sample Artifacts
Sample artifacts are artifacts that WildFire associates with samples only. You can find the following artifact
types when you view Sample Details, in the File Analysis details of a sample.

Artifact Type Search with this Artifact Type to Find...

Compilation Timestamp The date and time when a Portable Executable (PE) file was created.

Digital Signer The digital signature that identifies the sender of the sample.

File Type The file type of the sample. Examples include Email Link, Adobe Flash File,
and PDF.

File Size The size of the sample in bytes.

Finish Date The date and time when WildFire analysis of the sample completed and the
sample received a WildFire verdict.

First Seen The date and time that the sample was first forwarded or uploaded to
WildFire. You can search for samples based on relative dates and absolute
dates. Using a relative date allows you to select a date range based on the
current time as a reference point, while the absolute date allows you to
specify an exact point in time.

Import Table Hash An import hash, or imphash, is a hash based on the order that API functions
are listed in the import table of a Portable Executable (PE). Imphashes can
be used to identify similar samples that might belong to the same malware
family.
Imphashes are listed for malware and grayware samples only (not benign
samples).

Last Updated The date and time when WildFire changed the verdict for a sample.

MD5 The sample’s unique cryptographic hash generated using the MD5 message-
digest algorithm.

Region Every WildFire cloud (global or regional) to which a sample was submitted for
analysis. The sample details list all of the WildFire clouds to which firewalls
submitted the sample (different firewalls can submit the same sample to
different WildFire clouds).
• US—WildFire global cloud
• EU—WildFire EU cloud
• JP—WildFire Japan cloud
• SG—WildFire Singapore cloud

To find samples that have been submitted to only a single WildFire cloud (and no other
WildFire clouds), set up a search for a WildFire cloud. Then, add search conditions excluding
samples submitted to the other WildFire clouds from the search results. For example, to
search for samples that users submitted to the WildFire global cloud only, search with the
condition Region > is > US combined with the condition Region > is not for each of the
other WildFire clouds.

SHA1 The sample’s unique cryptographic hash generated using the Secure Hash
Algorithm 1.

SHA256 The sample’s unique cryptographic hash generated using Secure Hash
Algorithm 256.

Ssdeep Fuzzy Hash The fuzzy hash (generated by the ssdeep program) associated with the
sample.
The ssdeep program generates an ssdeep hash value, or a fuzzy hash, for a
sample which can be used to identify samples that are very similar but not
exactly alike. The ssdeep program allows you to compare sample fuzzy
hashes to produce a percentage that indicates how closely the samples match.
In ssdeep, a high percentage indicates a high number of similarities between
the samples.
In AutoFocus, fuzzy hashes are listed for malware and grayware samples only
(not benign samples).

WildFire Verdict WildFire assigns a verdict of Malware, Grayware, Benign, or Phishing to the
sample based on properties, behaviors, and activities observed for the file or
email link during static and dynamic analysis.

Session Artifacts
Session artifacts are artifacts that WildFire associates with sessions only. You can find the following
artifact types when you view Sample Details. Note that you can only view the details of sessions associated
with your support account. For this reason, when you search with artifact types that refer to firewall-related
properties (for example, firewall serial number or hostname), AutoFocus filters the search results by the
properties of the Palo Alto Networks firewall(s) that initiated the session.
The following session artifact types refer to private session information: Device Hostname, Observed In,
Device vsys, Destination IP, Email Recipient Address, Email Charset, Email Sender Address, Email Subject,
File Name, File URL, Recipient User ID, and Source IP. If any of your private tags use these artifact types as
tag conditions, you cannot make these tags public.

Artifact Type Search with this Artifact Type to Find...

Application The App-ID™ matched to the type of application traffic detected in a session.
For example, a search for the Application web-browsing returns sessions
during which web browsing over HTTP occurred. Visit Applipedia for an
updated list of applications that Palo Alto Networks identifies.

Device Country The country to which the IP address on a firewall is registered.

Device Country Code The two-digit abbreviation for the Device Country. Refer to the complete list
of countries and country codes in AutoFocus.

Device Hostname A name that identifies a Palo Alto Networks firewall. To view the hostname
for a firewall, log in to the firewall web interface, select Device > Setup >
Management, and view the General Settings.

Observed In Displays the serial number of a firewall or the endpoint that the session was
seen in.

Device vsys The name of the virtual system on the firewall associated with the session.

Destination Country The country of the IP address to which the session was destined.

Destination Country Code The two-digit abbreviation for the Destination Country of the session. Refer
to the complete list of countries and country codes in AutoFocus.

Destination IP The destination IP address of the session.

Destination Port The destination port that the session used.

Email Recipient Address For email samples, the email address of the user who received the email.

Email Charset For email samples, the character set used to display the message body of an
email. Examples of character sets are UTF-8 and ISO-8859-1.

Email Sender Address For email samples, the email address of the sender.

Email Subject For email samples, the subject of the email.

File Name The filename of the sample sent during the session.

File URL The URL path for the source that hosts the sample.

IMEI The 15-digit unique International Mobile Equipment Identity number assigned
to a mobile phone.

Industry Industry indicates the field that the source of the session (you or another
AutoFocus support account) is associated with. Examples are Aerospace
and Defense, High Tech, and Education. Industry is a field you
select when you initially set up your AutoFocus account. Contact Palo Alto
Networks Support to change it.

Recipient User ID The username of the user who received an email sample.

Region The WildFire cloud (global or regional) to which a sample is submitted for
analysis. A session in the AutoFocus search results provides information
about how a source submitted a sample to WildFire. Since each session
corresponds to a single WildFire submission, it can only be associated with a
single WildFire cloud.
• US—WildFire global cloud
• EU—WildFire EU cloud
• JP—WildFire Japan cloud
• SG—WildFire Singapore cloud

SHA256 The SHA-256 hash for the sample associated with the session.

Source Country The country to which the IP address that initiated the session is registered.

Source Country Code The two-digit abbreviation of the Source Country that sent the session. Refer
to the complete list of countries and country codes in AutoFocus.

Source IP The IP address of the session source.

Source Port The source port that the session used.

Status All samples that a Palo Alto firewall blocked. The Status for blocked samples
is Blocked, while the status for allowed samples is blank. To find all allowed
samples, search with the condition Status > is not > Blocked.

Time The time and date when the session started.

Upload Source The source that requested a WildFire verdict for a sample or submitted a
sample to WildFire for analysis.
Choose from a list of possible upload sources:
• Firewall—Samples that a Palo Alto Networks firewall forwarded to
WildFire.
• Proofpoint—Samples submitted to WildFire through Proofpoint products.
• Traps—Samples submitted through Traps.
• Magnifier—Samples submitted through Magnifier (Now known as Cortex
XDR).
• Manual API—Samples uploaded manually through the WildFire API or the
WildFire public portal.
• Traps Android—Samples submitted through Traps for Android.
• WF Appliance—Samples that a WildFire appliance submitted to the
WildFire public cloud.
• Prisma SaaS—Samples submitted through Prisma SaaS.
• Prisma Access—Samples submitted through Prisma Access.
• Cortex XDR—Samples submitted through Cortex XDR.
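The Region search described in the Sample Artifacts table (Region > is > US combined with Region > is not for each other cloud), the Status > is not > Blocked search above, and the operator semantics in Search Operators and Values later in this chapter, worked through as an added example. This is not AutoFocus code or its API; the record layout and every sample value are constructed.

```python
"""Apply the AutoFocus search-operator semantics to constructed sample records.

Added illustration: this is not AutoFocus code and not its API.  Each record
maps an artifact type to the list of values WildFire reported for it.  Region
is multi-valued because different firewalls can submit the same sample to
different WildFire clouds; Status is "" for allowed samples because the guide
says their Status is blank.
"""

from typing import Dict, List, Sequence, Tuple

Record = Dict[str, List[str]]
Condition = Tuple  # (artifact type, operator[, value])

LIST_LIMIT = 1_000           # up to 1,000 values in one list condition
SEARCH_VALUE_LIMIT = 10_000  # up to 10,000 values in a single search

# Constructed records; the ids are placeholders, not real sample hashes.
SAMPLES: List[Record] = [
    {"id": ["s1"], "Region": ["US"], "Status": ["Blocked"], "File Size": ["0"]},
    {"id": ["s2"], "Region": ["US", "EU"], "Status": [""], "File Size": ["4096"]},
    {"id": ["s3"], "Region": ["JP"], "Status": [""], "File Size": ["65536"]},
    {"id": ["s4"], "Region": [], "Status": ["Blocked"], "File Size": []},
]


def _norm(value: object) -> str:
    """String comparisons in the search editor are not case-sensitive."""
    return str(value).casefold()


def _reported(record: Record, artifact: str) -> List[str]:
    """Values WildFire reported for the artifact; a blank counts as no value."""
    return [_norm(v) for v in record.get(artifact, []) if v not in ("", None)]


def match(record: Record, cond: Condition) -> bool:
    """Evaluate one search condition against one record."""
    artifact, op, *rest = cond
    value = rest[0] if rest else None
    vals = _reported(record, artifact)
    if op == "is":                      # exact value; any reported value may match
        return _norm(value) in vals
    if op == "is not":
        return _norm(value) not in vals
    if op == "has any value":           # "0", "unknown" or "Not Found" still count
        return bool(vals)
    if op == "has no value":
        return not vals
    if op in ("is in the list", "is not in the list"):
        if len(value) > LIST_LIMIT:
            raise ValueError(f"list has {len(value)} values; limit is {LIST_LIMIT}")
        wanted = {_norm(v) for v in value}
        hit = any(v in wanted for v in vals)
        # Assumption: "is not in the list" excludes records holding any listed value.
        return hit if op == "is in the list" else not hit
    if op == "contains":                # partial value
        return any(_norm(value) in v for v in vals)
    if op == "does not contain":
        return not any(_norm(value) in v for v in vals)
    if op == "greater than":
        return any(float(v) > float(value) for v in vals)
    if op == "is in the range":         # value is (minimum, maximum)
        lo, hi = value
        return any(float(lo) <= float(v) <= float(hi) for v in vals)
    raise ValueError(f"unsupported operator: {op}")


def search(records: Sequence[Record], conditions: Sequence[Condition],
           match_all: bool = True) -> List[str]:
    """Return ids of records matching all (or any) conditions, in input order."""
    n_values = sum(len(c[2]) if "list" in c[1] else 1 for c in conditions)
    if n_values > SEARCH_VALUE_LIMIT:
        raise ValueError(f"{n_values} values in search; limit is {SEARCH_VALUE_LIMIT}")
    combine = all if match_all else any
    return [r["id"][0] for r in records
            if combine(match(r, c) for c in conditions)]


def us_only_conditions() -> List[Condition]:
    """The guide's Region example: Region is US, and Region is not each other cloud."""
    return [("Region", "is", "US")] + [("Region", "is not", c) for c in ("EU", "JP", "SG")]


if __name__ == "__main__":
    print("US only  :", search(SAMPLES, us_only_conditions()))               # ['s1']
    print("any US   :", search(SAMPLES, [("Region", "is", "US")]))           # ['s1', 's2']
    print("allowed  :", search(SAMPLES, [("Status", "is not", "Blocked")]))  # ['s2', 's3']
    print("no region:", search(SAMPLES, [("Region", "has no value")]))       # ['s4']
```

Note that s2 was submitted to both the US and EU clouds, so Region > is > US alone returns it while the combined US-only search drops it.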

Analysis Artifacts
Analysis artifacts make up the WildFire dynamic and static analysis of a sample. WildFire Dynamic Analysis
information consists of properties, activities, and behaviors that WildFire detected in the sample when it was
executed in an analysis environment. WildFire Static Analysis information consists of artifacts that WildFire
can observe from the sample without executing it in an analysis environment.

To get an idea of the artifacts that appear in a WildFire analysis section, start a search with
an analysis artifact and for the operator, select has any value. View the file analysis details of
the search results, expanding the section you searched for to view the artifacts that WildFire
found for it.

Artifact Type Search with this Artifact Type to Find...

Connection Activity Processes that accessed other hosts on the network when the sample was
executed in the WildFire analysis environment. Artifacts listed for each
connection activity include the process that accessed other hosts on the
network, the port through which the process connected, the protocol used
for the connection, and the IP address and country of the host.

DNS Activity DNS activity observed when the sample was executed in the WildFire
analysis environment. Artifacts listed for each DNS activity include the
hostname that was translated (Query column), the resolved domain name or
IP address (Response column), and the type of DNS resource record (Type
column) used to resolve the DNS query.

File Activity Files that showed activity as a result of the sample being executed in the
WildFire analysis environment. Artifacts listed for each file activity include the
parent process that showed activity, the action the parent process performed,
and the file that was altered (created, modified, duplicated, or deleted).

HTTP Activity HTTP requests made when the sample was executed in the WildFire analysis
environment. Artifacts listed for each HTTP activity include the destination
domain of the HTTP request, the HTTP method that the host used, the URL
for the requested resource, and the string originating the request (User Agent
column).

The domain (Host column) and URL values together are the URL for the
request. For example, a Host value of althawry.org and its URL value
combine to the full request URL althawry.org/images/xs.jpg?8b96=71468.

Java API Activity Java runtime activity seen when the sample was executed in the WildFire
analysis environment.

Observed Behavior Behaviors seen for the sample in the WildFire analysis environment, such
as whether the sample created or modified files, started a process, spawned
new processes, modified the registry, or installed browser help objects
(BHOs). Each behavior is also assigned a risk level of high, medium, low, or
informational.
On the File Analysis tab within the sample details, alternate between
operating system columns to see the list of behaviors observed for each
virtual machine in which the sample was executed.

The Evidence column lists the total number of sample activities that are
evidence of each behavior; expand a single behavior to see the list of
matching activities.
For each activity listed, the Type column indicates the WildFire analysis
section and the Value column includes artifacts that WildFire found for the
section. The artifacts displayed might vary depending on the activity category.
For example, the File Activity artifacts provided include the parent
process that showed activity, the action the process performed, and the file
that was altered.
The artifact type Observed Behavior also refers to properties that WildFire
observed in a sample during static analysis. These properties appear under the
WildFire Static Analysis category Suspicious File Properties.
The artifact type Observed Behavior also refers to properties that WildFire
observed in a sample during static analysis. These properties appear under the
WildFire Static Analysis category Suspicious File Properties.

Other API Activity Non-Java API activity seen in the WildFire analysis environment when the
sample was executed. Artifacts listed include the parent process that was
active, the API calls made by the parent process, and the process that was
modified.

PE Metadata Portable Executable (PE) file metadata details extracted during WildFire
analysis. Artifacts listed for each file include the name, virtual address, virtual
size, and raw size.

Process Activity Processes that showed activity when the sample was executed. Artifacts
listed for each process activity include the parent process that was active, the
action that the parent process performed, and the process that was modified.

Service Activity Services that showed activity as a result of the sample being executed in the
WildFire analysis environment. Artifacts listed for each service activity include
the process that was active, the action the process performed, and the service
that was created, modified, or deleted.

User Agent Fragments The user agent header for HTTP requests sent when the sample was
executed in the WildFire analysis environment.

Linux Artifacts
Linux artifacts are artifacts that WildFire associates with samples after analyzing the samples in a Linux
analysis environment.

Artifact Type Search with this Artifact Type to Find...

Linux Suspicious Behavior Suspicious behaviors found in the Linux sample file.

Linux Functions Functions contained within the Linux sample file.

Linux Commands Commands contained in the Linux sample file.

Linux File Paths File paths contained within the Linux sample file.

Linux IP Address IP addresses contained within the Linux sample file.

Linux Domains Domains contained within the Linux sample file.

Linux URLs URLs embedded in the Linux sample file.

Linux Command Action Command actions embedded in the Linux sample file.

Linux File Activity Files that showed activity as a result of the sample being executed in the
WildFire analysis environment. Artifacts listed for each file activity include the
parent process that showed activity, the action the parent process performed,
and the file that was altered (created, modified, duplicated, or deleted).

Linux Suspicious Action An action that the Linux file performed when it was executed in the WildFire
analysis environment that may be an indicator of compromise.

Windows Artifacts
Windows artifacts are artifacts that WildFire associates with samples after analyzing the samples in a
Windows OS analysis environment.

Artifact Type Search with this Artifact Type to Find...

Mutex Activity A mutex (mutual exclusion object) allows programs to share the same
resource, though the resource cannot be used by more than one program
simultaneously. If the sample generates other program threads when
executed in the analysis environment, the mutex created when the programs
start is listed along with the parent process.

Registry Activity Windows Registry settings and options that showed activity when the sample
was executed in the analysis environment. Artifacts listed for each registry
activity include the parent process that was active, the registry method that
the parent process used (Action column), and the registry key that was set,
modified, or deleted (Parameters column).

Mac Artifacts
Mac artifacts are artifacts that WildFire associates with samples after analyzing the samples in a Mac OS
analysis environment.

Artifact Type Search with this Artifact Type to Find...

Mac Embedded File Internal files in a Mac app installer or a Mac app bundle. Details for an
embedded file can include the SHA256 and name of the installer or bundle,
the file’s SHA1 hash, filename, file format, file location, SHA256 hash, the
signature associated with the file and the name of the signer, the SHA1 hash
for the signature, signature status, and the file size in bytes.

Mac Embedded URL URLs that are part of a Mac file. The Path column contains the path for the
section of the app where the URL is located.

Android Artifacts
Android artifacts are artifacts that WildFire associates with Android Package (APK) samples after analyzing
the samples in an Android analysis environment. An APK file installs an app on an Android mobile phone or
tablet.

Artifact Type Search with this Artifact Type to Find...

APK App Icon The file path for the app icon that displays in the Android device menu.

APK App Name The name of the app that displays on the interface of an Android device.

APK Certificate The hash value of the public key embedded in the digital certificate of the
APK file.

APK Certificate File The file path for the certificate(s) embedded in the APK file, information
about the certificate owner and issuer such as name and location (if provided
by the owner/issuer), and the MD5, SHA1, and SHA256 hashes used to sign
the certificate. The owner or issuer may provide the following information:
• CN—First name and last name
• OU—Organizational unit
• O—Organization name
• L—City or locality
• ST—State or province
• C—Two-digit country code

APK Defined Activity The class name of activities defined in the APK file. An activity is a component
of the app that provides a screen users can interact with to perform a task.

APK Defined Intent Filter An intent filter, found in an app’s manifest file, lists the type of intents that the
components of the app can respond to. An intent is a request an app sends to
other apps to perform an action. For example, the YouTube app needs to use
a messaging app on your Android device to share videos.

APK Defined Receiver Broadcast receivers for the APK file. Broadcast receivers allow the app to
receive intents broadcast by itself, by the Android device, or by other apps on
the device. An example of a broadcast that an app can receive is an indication
that the device battery is low.

APK Defined Sensor Sensors for motion, orientation, or environmental conditions that the app
uses when it is running. For example, an app might need to receive sensor
readings from the device’s GPS to perform location-based tasks.

APK Defined Service Services configured for the APK file. Services are operations that run in the
background while the app is running, and do not provide a user interface
screen. An example of a service is a notification service for an email app that
alerts users when they have new messages.

APK Embedded Libraries Third-party libraries that are included in the APK file. A third-party library,
which app developers can reuse across multiple apps, contains files of
code that accomplish a specific task. An example of an embedded library is
Google’s mobile ads software development kit (SDK), AdMob.

APK Embedded URL URLs that are part of an APK file. The Path column contains the path for the
section of the app where the URL is located.

APK Internal File The file format, file path, and SHA256 hash of files included in the APK file.

APK Package Name The unique name that identifies an app on an Android device. The general
format for a package name is domain.company.application (for example,
com.tamapps.learnjapanese).

APK Repackaged An indication of whether an APK file has been repackaged (True) or not
(False). AutoFocus marks a repackaged APK file as suspicious because an
attacker can repackage a benign file to contain malicious functionality.

APK Requested Permission The permissions that the APK file requests from users to perform processes
and to access data on their Android device. Examples include permissions to
access the camera on the device or to change the audio settings of the device.

APK Sensitive API Call API calls embedded in the APK file that access restricted services or
resources.

APK Signer Personal information that the app owner provided when he/she signed the
app certificate:
• CN—First name and last name
• OU—Organizational unit
• O—Organization name
• L—City or locality
• ST—State or province
• C—Two-digit country code

APK Suspicious API Call API calls embedded in the APK file that access restricted services or
resources. Unlike APK Sensitive API Call, the APK Suspicious API Call lists all
instances of an API call and the location of the files where the API call was
found.

APK Suspicious Action An action that the APK file performed when it was executed in the WildFire
analysis environment that may be an indicator of compromise. The Value
column contains a description of the action and supporting evidence. For
example, if the suspicious action associated with an APK file sends SMS
messages while running in the background, the value includes the text
message content that the file sent. If the action is loading another APK, DEX,
or JAR file, the value includes the path for the file that the APK file loaded.

APK Suspicious Behavior A sequence of actions that the APK file exhibits, the target of the actions
(if there is one), and the location of the files that exhibited the actions. For
example, for the suspicious behavior “APK files sends an SMS to a fixed
number,” the target is the phone number that received the SMS.

APK Suspicious File Suspicious files found in the APK file and their file type. An example of a
suspicious file is one that contains malicious native code or an executable file
in .dex format.

APK Suspicious Pattern A class of patterns observed in the APK file, a description of what the pattern
does, and the location of the files where the pattern occurred.

APK Suspicious String Suspicious strings of code found in the APK file. For example, a suspicious
string can indicate that an app contains shell commands that install or
uninstall other apps, or the string can be a suspicious phone number. For
each string, you can view the location of the file that contains the string.

APK Version The version number of the app that is visible to users.

Search Operators and Values
Search operators refine the results that are returned to you when you perform a search. Operators
determine which results to display based on the value you select or enter for an artifact type. You can have
up to 10,000 values in a single search with multiple search conditions. Refer to the following table when
you Work with the Search Editor to set up a search.

Operator: is
    When to use it: Find samples or sessions that contain the exact value you enter.
    Possible values:
    • Number
    • Option—Select a value from the drop-down.
    • String—Type an exact value (not case-sensitive).

Operator: is not
    When to use it: Find samples or sessions that do not contain the exact value you enter.
    Possible values:
    • Number
    • Option—Select a value from the drop-down.
    • String—Type an exact value (not case-sensitive).

Operator: has no value
    When to use it: Exclude samples or sessions with reported values for the artifact type from the
    search results.
    Possible values: No value required

Operator: has any value
    When to use it: Find samples or sessions that have reported values for the artifact type, including
    values such as 0, unknown, or Not Found.
    Possible values: No value required

Operator: is in the list
    When to use it: Find samples or sessions with artifacts that match at least one of the values from a
    list. You can have up to 1,000 values in your list. The values must be exact.
    Possible values:
    • Option—Select more than one value from the drop-down.
    • String—Type more than one value (not case-sensitive). Press Enter to separate one value from
      another.

Operator: is not in the list
    When to use it: Exclude samples or sessions that do not have at least one value from a list. You can
    have up to 1,000 values in your list. The values must be exact.
    Possible values:
    • Option—Select more than one value from the drop-down.
    • String—Type more than one value (not case-sensitive). Press Enter to separate one value from
      another.

Operator: contains
    When to use it: Find samples or sessions that contain the partial value you enter. Use the contains
    operator if you don’t know the exact value of an artifact. Learn more about the Guidelines for
    Partial Searches.
    Possible values: String—Type a partial value (not case-sensitive).

Operator: does not contain
    When to use it: Find samples or sessions that do not have the partial value you enter. Learn more
    about the Guidelines for Partial Searches.
    Possible values: String—Type a partial value (not case-sensitive).

Operator: proximity
    When to use it: Perform a single search for two or more values. Use the proximity operator with
    Analysis Artifacts to look for multiple artifacts that can appear in the WildFire analysis of a
    sample. Learn more about the Guidelines for Partial Searches.
    Possible values: String—Type partial values if you don’t know the exact value (not case-sensitive).
    You can enter the values in any order.

Operator: is in the range
    When to use it: Find values within a date or numerical range.
    Possible values:
    • Date and Time Range—Select the earliest and latest possible date and time that a value can be, or
      choose from a drop-down of relative dates, such as Yesterday, Last Month, or Last 90 days.
    • Number Range—Select a minimum and maximum number that a value can be.

Operator: greater than
    When to use it: Find values that are more than the number you enter.
    Possible values: Number

Operator: greater than or equal
    When to use it: Find values that are more than or equal to the number you enter.
    Possible values: Number

Operator: less than
    When to use it: Find values that are less than the number you enter.
    Possible values: Number

Operator: less than or equal
    When to use it: Find values that are less than or equal to the number you enter.
    Possible values: Number

Operator: is after
    When to use it: Find date and time values that occur after a specific date.
    Possible values: Date and Time—Select a date and time, or choose from a drop-down of relative dates
    such as Yesterday, Last Month, or Last 90 days.

Operator: is before
    When to use it: Find date and time values that occur before a specific date.
    Possible values: Date and Time—Select a date and time, or choose from a drop-down of relative dates
    such as Yesterday, Last Month, or Last 90 days.

Guidelines for Partial Searches
The contains, does not contain, and proximity operators allow you to enter partial values in your search
conditions. For more accurate search results, observe the following guidelines for using these operators.
• Contains and Does Not Contain Operators
• Proximity Operator

Contains and Does Not Contain Operators


• Use the contains and does not contain operators if you know part of a value for a single artifact.
Example:
To search for samples or sessions with the network identifier 192.168 in the IP address, perform the
search IP Address > contains 192.168.
Using the does not contain operator will exclude samples or sessions with the network identifier
192.168 from your search results.
• Searches with the contains and does not contain operators are not case-sensitive.
• Any special characters that are not letters or numbers (e.g. period, backslash, hyphen, space, @ symbol)
break up a value into two separate values. Type the full strings that appear in between special characters
for accurate matches.
Example 1:
To search for all sessions sent from email addresses with the domain yahoo.com, perform the search
Email Sender Address > contains yahoo.com.
The search Email Sender Address > contains ahoo.com will return results from an email address with
the domain ahoo.com, but not yahoo.com.
The search Email Sender Address > contains yahoo.co may return results from an email address with
the domain yahoo.co.uk or yahoo.co.jp, but not yahoo.com.
The search Email Sender Address > contains yahoo will return results from an email address with the
string yahoo in between special characters.
Example 2:
If the File Activity that WildFire has detected for a sample contains the string
Windows\ServiceProfiles\LocalService, you can use any of the following terms as partial strings to search
for the sample:
• Windows
• ServiceProfiles
• LocalService

Proximity Operator
• Use the proximity operator to search for multiple artifacts that can appear under a WildFire Analysis
category of a sample. Enter two or more artifacts in the value field of the search condition.
Example:
The search Registry Activity > proximity HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell
Folders\AppData ueepd-a.exe returns a sample that has both values in at least one of its registry
activities:

• The order in which the strings are entered does not affect the search results.
Example:
The search Registry Activity > proximity ueepd-a.exe HKCU\Software\Microsoft\Windows
\CurrentVersion\Explorer\Shell Folders\AppData returns the same results as the previous
example.
• Searches with the proximity operator are not case-sensitive.
• You can enter partial strings in a proximity search, but you must type the full strings that appear
between any special characters that are not letters or numbers (e.g. period, backslash, hyphen, space, @
symbol) for accurate matches.
Example:
The search Registry Activity > proximity HKCU\Software\Microsoft\Windows\CurrentVersion ueepd-a.exe
returns the following results:

The search Registry Activity > proximity HKCU\Software\Microsoft\Windows\Current ueepd-a.exe will not
return the search results above.
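The tokenization rules described above, modeled in Python as an added illustration (not AutoFocus code): values are split on every character that is not a letter or number, compared case-insensitively, and each query token must be a whole token of the artifact. One assumption the guide does not state is that the tokens of a multi-token partial value such as yahoo.co must appear as one contiguous run; the sender addresses and registry entries are constructed sample data.

```python
"""Model of the AutoFocus partial-search rules (added illustration, not AutoFocus code).

Values are split on every character that is not a letter or number, compared
case-insensitively, and each query token has to be a whole token of the artifact.
Assumption not stated in the guide: the tokens of a multi-token partial value such
as yahoo.co must appear as one contiguous run in the artifact's tokens.
"""
from __future__ import annotations

import re

# Period, backslash, hyphen, space, @ and any other non-alphanumeric character
# separate one token from the next.
_SEPARATORS = re.compile(r"[^0-9A-Za-z]+")


def tokenize(value: str) -> list[str]:
    """Lower-cased whole tokens of an artifact value or search value."""
    return [t.lower() for t in _SEPARATORS.split(value) if t]


def contains(artifact: str, query: str) -> bool:
    """`contains`: the query tokens occur whole, in order and adjacent, in the artifact."""
    art, q = tokenize(artifact), tokenize(query)
    if not q:
        return False
    return any(art[i:i + len(q)] == q for i in range(len(art) - len(q) + 1))


def does_not_contain(artifact: str, query: str) -> bool:
    """`does not contain`: the complement of `contains` for a single artifact."""
    return not contains(artifact, query)


def proximity(entries: list[str], *queries: str) -> bool:
    """`proximity`: every query value matches inside the same single entry
    (one registry-activity line, for example); the order of the values is irrelevant."""
    return any(all(contains(entry, q) for q in queries) for entry in entries)


# Constructed sample data, not from the guide: four email sender addresses and the
# registry activity recorded for one sample.
SENDERS = ["alice@yahoo.com", "bob@yahoo.co.uk", "carol@ahoo.com", "Dave@YAHOO.co.jp"]
REGISTRY_ACTIVITY = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData ueepd-a.exe",
    r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters",
]


def senders_matching(query: str) -> list[str]:
    """Senders that `Email Sender Address > contains <query>` would return."""
    return [s for s in SENDERS if contains(s, query)]


if __name__ == "__main__":
    for q in ("yahoo.com", "ahoo.com", "yahoo.co", "yahoo"):
        print(f"contains {q!r}: {senders_matching(q)}")
    key = r"HKCU\Software\Microsoft\Windows\CurrentVersion"
    print("full token   :", proximity(REGISTRY_ACTIVITY, key, "ueepd-a.exe"))
    print("any order    :", proximity(REGISTRY_ACTIVITY, "ueepd-a.exe", key))
    print("partial token:", proximity(REGISTRY_ACTIVITY, key[:-7], "ueepd-a.exe"))
```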

AutoFocus Alerts
Prioritized alerts allow you to quickly distinguish targeted, advanced attacks from commodity
malware so that you can triage your network resources accordingly. Set up AutoFocus™ alerts
for samples based on Tag Types: Unit 42 Alerting tags, public tags, or private tags.
Configure AutoFocus to send alerts to an email account or directly to a web server. The Alerts
Log on the dashboard displays alerts depending on the dashboard context. You can also view
the complete set of AutoFocus alerts by selecting Alerts on the navigation pane.

> Alert Types


> Create Alerts
> View Alerts in AutoFocus
> Edit Alerts

Alert Types
An alert is a notification about samples that match a set of defined criteria. When you Create Alerts in
AutoFocus, you have the option to receive the notifications by email or over HTTP. You can also View
Alerts in AutoFocus for a complete log of alerts that have been sent to you.
AutoFocus generates alerts for grayware and malware samples from every Upload Source as long as they
match the alert criteria.
• Email Alerts
• HTTP/HTTPS Alerts

Email Alerts
AutoFocus can send alerts to your email account. In an email alert, the SHA256 hash displays as a hyperlink
that opens the WildFire™ analysis of the sample in AutoFocus.

An email alert contains the following components:

Name Description

(1) AutoFocus Alerts The date and time that the alert was sent in the following format: Month DD,
YYYY hh:mm [AM/PM] (UTC)

(2) Number of alerts The number of unique samples detected within the alert period

(3) For The name of the support account that created the alert

(4) Date (UTC) The date and time that the sample was detected in the following format: Month
DD, YYYY hh:mm [AM/PM]

(5) Type The tag type that triggered the alert (unit42, public, or private)

(6) Name The specific tag that triggered the alert for the sample

(7) Verdict The WildFire verdict assigned to the sample: malware, grayware, or phishing.

To focus your attention on samples that exhibit malicious behavior,
AutoFocus does not send alerts for benign samples.

(8) Matching Sample The SHA256, SHA1, and MD5 hashes of the sample

HTTP/HTTPS Alerts
HTTP and HTTPS alerts are notifications that AutoFocus generates in JavaScript Object Notation (JSON)
format. In an HTTP/HTTPS alert, information about the samples is formatted as JSON name-value
pairs separated by colons. For example, the name-value pair date: 'March 19, 2016 05:56 PM'
describes the date and time that a sample was detected for the alert. All alerts use the same set of field
names, but their values vary depending on the samples detected in the alert period.
You can configure AutoFocus HTTP/HTTPS alerts to send notifications as plain text to a web server
using standard HTTP requests or within a secure communications channel using HTTPS requests.
Additionally, AutoFocus can authenticate a user on the web server receiving the HTTPS alerts with
basic user authentication, providing another layer of security. All HTTPS requests use TLS 1.2 ciphers to
negotiate security settings.

Use HTTP alerts to publish information about detected samples on a web page or a threat
feed.

When creating an HTTP/HTTPS alert, provide the URL of a server that has been preconfigured to parse the
name-value pairs from the alert. If you are configuring an HTTPS alert with basic authentication, provide
the user credentials of an account on the server receiving the notifications. Refer to the following table
of field names and possible data types for the field values. The data type describes how a value should be
interpreted and stored by the server.

Field Name Description Data Type

(1) num_alerts The number of unique samples detected within the alert number
period

(2) autofocus_alerts The date and time that the alert was sent in the following string
format: Month DD, YYYY hh:mm [AM/PM]

(3) alerts A list of each sample detected and the details associated array
with it


(4) date The date and time that the sample was detected in the string
following format: Month DD, YYYY hh:mm [AM/PM]

(5) match_sample The SHA256, SHA1, and MD5 hashes of the sample string

(6) alert_name The specific tag that triggered the alert for the sample string

(7) alert_type The tag type that triggered the alert. The different string
alert_type values that can be displayed are:
• private—private tags owned by you
• public—public tags
• unit42—tags issued by Unit 42

(8) verdict The WildFire verdict assigned to the sample: malware or string
grayware.

To focus your attention on samples that exhibit malicious behavior, AutoFocus
does not send alerts for benign samples.

(9) for The name of the support account that created the alert string

Supported TLS Ciphers

AutoFocus HTTPS alerts support only TLS 1.2 with the following ciphers:

TLS Ciphers Supported by AutoFocus
• DHE-RSA-AES128-SHA
• DHE-RSA-AES256-SHA
• AES128-SHA
• AES256-SHA
• AES128-SHA256
• AES256-SHA256
• AES256-GCM-SHA384
• ECDHE-ECDSA-AES128-SHA
• ECDHE-ECDSA-AES256-SHA
• ECDHE-ECDSA-AES128-GCM-SHA256
• ECDHE-ECDSA-AES256-GCM-SHA384
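A receiver for these notifications, written here as an added example (not Palo Alto Networks code): it checks the basic-authentication credentials in constant time, validates the JSON body against the field table above, converts the documented date format to UTC, and serves TLS 1.2 only with forward-secret suites taken from the list. Assumptions: the per-sample fields (4) to (9) sit inside each element of the alerts array, the body is one JSON object, and the credentials, cert.pem and key.pem are placeholders.

```python
"""Receiver for AutoFocus HTTP/HTTPS alerts (added example, not Palo Alto Networks code).
Assumptions: the per-sample fields sit inside each element of `alerts`; cert.pem/key.pem
are placeholder paths to a CA-signed ECDSA certificate; credentials are placeholders."""
from __future__ import annotations

import base64
import hmac
import json
import ssl
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

DATE_FORMAT = "%B %d, %Y %I:%M %p"              # "Month DD, YYYY hh:mm [AM/PM]"
ALERT_TYPES = {"private", "public", "unit42"}
VERDICTS = {"malware", "grayware", "phishing"}  # benign samples never trigger alerts
# Forward-secret AEAD suites from the supported list. They require an ECDSA certificate:
# the list has no ECDHE-RSA suite, so an RSA certificate only gets DHE-RSA or static-RSA suites.
TLS12_CIPHERS = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256"


def basic_auth_header(user: str, password: str) -> str:
    """Build the `Authorization` header value sent for basic authentication."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(header: str | None, user: str, password: str) -> bool:
    """Constant-time check of an `Authorization: Basic ...` header."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        supplied = base64.b64decode(header[6:], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return hmac.compare_digest(supplied, f"{user}:{password}".encode())


def parse_alert_date(value: str) -> datetime:
    """Alert times are UTC but carry no offset, so attach one explicitly."""
    return datetime.strptime(value, DATE_FORMAT).replace(tzinfo=timezone.utc)


def parse_alert(body: bytes) -> list[dict]:
    """Validate one notification against the field table; return one record per sample.
    Raises KeyError for a missing field and ValueError for a wrong type or value."""
    doc = json.loads(body)
    if not isinstance(doc["num_alerts"], int) or not isinstance(doc["alerts"], list):
        raise ValueError("num_alerts must be a number and alerts an array")
    sent_at = parse_alert_date(doc["autofocus_alerts"])
    records = []
    for item in doc["alerts"]:
        if item["alert_type"] not in ALERT_TYPES or item["verdict"] not in VERDICTS:
            raise ValueError(f"unexpected alert_type/verdict in {item!r}")
        records.append({"sent_at": sent_at, "detected_at": parse_alert_date(item["date"]),
                        "hashes": item["match_sample"], "tag": item["alert_name"],
                        "tag_type": item["alert_type"], "verdict": item["verdict"],
                        "account": item["for"]})
    return records


# Constructed notification body for local testing; the hash values are placeholders.
SAMPLE_ALERT = json.dumps({
    "num_alerts": 1, "autofocus_alerts": "March 19, 2016 06:00 PM",
    "alerts": [{"date": "March 19, 2016 05:56 PM",
                "match_sample": "<sha256-placeholder> <sha1-placeholder> <md5-placeholder>",
                "alert_name": "ExampleTag", "alert_type": "unit42",
                "verdict": "malware", "for": "example-support-account"}],
}).encode()


class AlertHandler(BaseHTTPRequestHandler):
    """401 for bad credentials, 400 for a malformed alert, otherwise log each sample."""
    USER, PASSWORD = "autofocus", "replace-me"  # placeholder service-account credentials

    def do_POST(self) -> None:
        if not check_basic_auth(self.headers.get("Authorization"), self.USER, self.PASSWORD):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="autofocus"')
            self.end_headers()
            return
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        try:
            records = parse_alert(body)
        except (KeyError, ValueError):
            self.send_response(400)
            self.end_headers()
            return
        for r in records:
            print(f"{r['detected_at']:%Y-%m-%d %H:%MZ} {r['tag_type']}/{r['tag']} "
                  f"{r['verdict']} {r['hashes']}")
        self.send_response(200)
        self.end_headers()


def make_tls_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    """TLS 1.2 only (the only version AutoFocus offers), restricted to TLS12_CIPHERS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(TLS12_CIPHERS)
    ctx.load_cert_chain(certfile, keyfile)
    return ctx
```

To serve it, create HTTPServer(("0.0.0.0", 8443), AlertHandler) and replace its socket with make_tls_context("cert.pem", "key.pem").wrap_socket(server.socket, server_side=True); the certificate must chain to a CA that AutoFocus trusts, since self-signed certificates are not accepted.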

Create Alerts
Create alerts to monitor samples based on their tags. The following steps walk you through the process of
creating alerts in AutoFocus:

STEP 1 | Select Alerts on the navigation pane, and then select Settings.

STEP 2 | Define Alert Actions. An alert action sets the type, destination, and frequency of the alert.

STEP 3 | Enable Alerts by Tag Type. The Alert on the Tag Type column describes the tag types that
AutoFocus samples must match to trigger an alert: Unit 42, Public, or Private. By default, the
alert action for all tag types is none, and alerts are disabled. Select a different alert action to
enable alerts for each tag type.

STEP 4 | To receive alerts for certain tags and disable them for others, Create Alert Exceptions.

Define Alert Actions


Define alert actions that you can then select to Enable Alerts by Tag Type. Defining alert actions includes
choosing to receive the alert as an email or HTTP/HTTPS notification and setting the alert frequency. You
only receive notifications for samples matching the alert criteria (the tag) in the digest period you select; if
AutoFocus does not detect matching samples during the digest period, it does not send out an alert.
The default alert action none cannot be edited or deleted. Use this alert action to disable alerts for tags.

Create an alert for Unit 42 tags to receive notifications based on new threats and attacks
identified by the Unit 42 threat intelligence research team.

STEP 1 | Select Alerts > Settings.

STEP 2 | Scroll to the bottom of the Settings tab, and click Add Alert Action:

STEP 3 | Give the alert action a descriptive name.

STEP 4 | Define the type of alert you want to receive: Email, HTTP, or HTTPS.

STEP 5 | Set the alert destination (email address or server URL).


For email alerts:

Enter the email address where you would like to receive Email Alerts.

For HTTP/HTTPS alerts:


Enter the URL of your server that you have configured to receive HTTP/HTTPS Alerts. You can test the
connectivity of the server by clicking Test URL. If the connection is valid, an indicator displays next to
the Test URL button.

Self-signed server certificates are not supported. Server certificates must be signed
by one of the pre-installed root certificate authorities (CAs). Refer to AutoFocus Portal
Settings for more information on viewing trusted AutoFocus CAs.

STEP 6 | Set the alert digest to 5 Minutes or Daily.


Digest sets the frequency with which AutoFocus checks for samples that match the alert criteria.
AutoFocus collects all samples that match the alert criteria during the digest period and sends them in a
single notification.

STEP 7 | (HTTPS alerts only) Define the authentication method.

For HTTPS alerts using basic authentication:
Enter the user credentials of a service account on the server that you configured to receive the
AutoFocus alerts.

STEP 8 | Click Save Changes.


The Action drop-down contains all saved alert actions, which you can apply to samples matched to Unit
42, public, and private tags.

STEP 9 | Enable Alerts by Tag Type.

Enable Alerts by Tag Type


Enable alerts based on Tag Types. You can choose to generate an alert for all samples in your network
matched to a tag type. Additionally, you can Create Alert Exceptions to set up prioritized alerts for specific
tags or to disable alerts for them.

STEP 1 | Select Alerts > Settings.

STEP 2 | If there are no email or HTTP Alert Actions listed, Define Alert Actions.

STEP 3 | Choose an alert for each tag type.

Use this step at any time to change the alert action for a tag type.

Select an alert Action for samples matched to Unit 42, public, and private tags:

STEP 4 | Enable the alert for a tag type.


For each tag type, select Enabled? to receive alerts when AutoFocus detects samples in your network
that match the tag type.

STEP 5 | If necessary, specify tags to exclude from the alert for the tag type.
Create Alert Exceptions in order to:
• Create and enable custom alerts for specific tags.
• Disable alerts for tags for which you don’t need to receive alerts.

STEP 6 | Choose from the following next steps:


• Both Email Alerts and HTTP/HTTPS Alerts list all the samples matched to the alert criteria in the
digest period.
• View Alerts in AutoFocus.
• You can Edit Alerts or Disable Alerts.

Create Alert Exceptions
You can choose different alert settings for individual tags by adding the tags as alert exceptions. Create
exceptions so that the alerts you receive for threat samples are prioritized by tag.

STEP 1 | Select Alerts > Settings.

STEP 2 | If there are no email or HTTP/HTTPS Alert Actions listed, Define Alert Actions.

STEP 3 | Identify the tag type for which you want to create an alert exception, and click Add Exception.

STEP 4 | In the Tag field, start typing the tag name, and select it from the list of tags.

STEP 5 | Select an alert Action for the tag.


• Select one of the email or HTTP/HTTPS alert actions to enable alerts for the tag.
• Select none to disable alerts for the tag.

STEP 6 | Select Enabled? to enable the alert action for samples in your network that match the tag.

STEP 7 | Click Save Exception.

STEP 8 | To change or delete alert exceptions, Edit Alerts.

View Alerts in AutoFocus
The Alerts Log on the dashboard displays alerts that were generated within the selected dashboard date
range, beginning with the most recent alerts. Alternatively, select Alerts on the navigation pane to view the
complete set of alert logs.
Alert logs are available for a month from the period the log was generated.
Alert times are displayed in Pacific Time (PST/PDT).

• Find alerts.
• Select Dashboard to view the Alerts Log widget. The Alerts Log widget displays the most recent
samples that matched your alert criteria.
• Select Alerts > Alerts Log to view all samples that have triggered alerts. Sort the rows according
to Time, Tag Type, SHA256, or Tag. Alternatively, click the column headers to sort the rows in
ascending (up arrow) or descending (down arrow) order.
You can also click the SHA256 link for a sample entry to add the sample to a search:

• Scan tag details.


Hover over the tag on which the alert is based to view tag details, including the latest time and the total
number of times that traffic was matched to the tag.

• Search on the latest sample that triggered an alert.


Click the sample hash on the Alerts Log widget to perform an AutoFocus search:

• Review and/or search on the conditions that triggered an alert.
Select a tag on the Alerts Log widget to view tag details. Tag details include a description of the tag and
a list of the conditions defined for the tag. From the tag details, open a search based on the tag or a
single condition defined for the tag:

• 1—Add the tag to the search editor, to search for all historical and global samples matched to the tag.
• 2—Add a single condition defined for the tag to the search editor, to search for all historical and
global samples matched to that single condition.

Edit Alerts
Alerts are highly customizable and can be changed or deleted anytime. Change the settings of an existing
alert action or alert exception as necessary. Disable an alert to stop receiving notifications for certain tags.
To view all options for editing alerts, select Alerts > Settings.

• Disable Alerts.
Select the action none for a tag type.

To disable alerts for an alert exception, Edit an Alert Exception. Select the action none.

• Edit an Alert Exception.

Modify the tag chosen as an alert exception and the alert action that occurs when AutoFocus
detects a sample that matches the tag. Select Enabled? to enable the alert action.

• Delete an Alert Exception.

Delete an alert exception permanently.

• Edit an Alert Action.

Modify the name of the alert action, the alert type (Email, HTTP, or HTTPS), the email address or
server URL that receives the alert, and how frequently the alert is generated.

• Delete an Alert Action.

Delete an alert action permanently.

AutoFocus Tags
AutoFocus tags group a set of conditions that, when found together, indicate certain malicious
behaviors or actors. Tags show you when an individual sample is part of a larger threat—like a
malware family or a threat campaign—or is a trademark of a malicious actor. Tags can help you
gain a larger context surrounding malicious activity, and gives you a way to further investigate
the scope of that activity.
You can create your own tags, and the Unit 42 threat research team shares threat intelligence
with the AutoFocus community through official Unit 42-issued tags. Unit 42 also verifies
threats discovered by third-party individuals and organizations and creates tags for these
threats.
Create Alerts based on a tag to be notified each time AutoFocus™ detects new samples that
match the tag conditions, allowing you to take quick action to remediate possible threats. And
when you search based on tags, you’ll be able to find all samples that match the tag conditions.
See the following topics for details on tags, how to create your own tags, and how to see tags
shared by Unit 42 and other AutoFocus users:

> Tag Concepts


> Tag Details
> Create a Tag
> Work with Tags
> Vote for, Comment on, and Report Tags

Tag Concepts
Click Tags on the navigation pane to view a complete list of public, private, and Unit 42 tags.
• Tag Types
• Tag Class
• Tag Status
• Tag Visibility
• Tag Group

Tag Types
Tag colors and icons allow you to easily distinguish the different tag types at a glance. When a tag is linked
to a Tag Class, its default icon changes into a tag class icon.

Tag Type Description

Unit 42 Tag (Alerting) Unit 42 tags are created by Unit 42, the Palo Alto Networks®
threat intelligence and research team, to detect and identify
threats and campaigns that pose a direct security risk.
Unit 42 tags have an orange outline and a Unit 42 icon. Tags for
threats discovered by an individual or organization outside of Unit
42 have a pointed and marked top right corner.

Enable AutoFocus Alerts for Unit 42 tags to receive immediate notifications
from AutoFocus when it detects samples in your network that match Unit 42 tags.

Unit 42 Informational Tag (Non-Alerting) Unit 42 also publishes informational tags that group and
identify commodity threats. Often, threat signatures already exist and are distributed to identify
and enforce the traffic identified with informational tags.
When you enable AutoFocus Alerts for Unit 42 tags, AutoFocus does not generate alerts for samples
that match Unit 42 informational tags so you can focus your resources on addressing targeted or
pervasive threats.
Informational tags have a faded orange outline and a Unit 42 icon. Tags for threats discovered by an
individual or organization outside of Unit 42 have a pointed and marked top right corner.

My Private Tag Create a Tag that is visible only to your organization. Private tags
allow you to tag a sample hash or a set of search conditions that
might be specific or especially significant to your environment.
You can then Create Alerts for the private tags.
Private tags have a blue outline and a tag icon.


Public Tag Public tags are tags shared with the AutoFocus community by
your organization and other AutoFocus users. They are visible to
all AutoFocus users.
Public tags have a gray outline and a tag icon.

Tag Class
A tag can be linked to a particular tag class, which provides more context for the type of threat information
that the tag identifies. Special icons indicate whether a tag is associated with a tag class. The icon can be
blue, gray, or orange depending on the Tag Types. For example, the following tag is a public tag linked to
malicious behavior:

Tag Class Description

Malware Family Related malware is grouped into a malware family. Malware might be considered
related based on shared properties or a common function. Malware within a malware family
exhibits similar malicious behaviors to launch an attack.

Campaign A campaign is a targeted attack which might include several incidents or sets of
activities. You can identify a campaign by the malware families that are used to execute an
attack.

Actor An actor is an individual or group that instigates one or more campaigns using malware
families.

Exploit An exploit is an attack, usually in the form of a script, that takes advantage of a
software or network weakness, bug, or vulnerability to manipulate the behavior of the system.

Malicious Behavior Malicious behavior is behavior that is not specific to a malware family or
campaign, but indicates that your system has been compromised. An example of malicious behavior
is the unauthorized deletion of disk volumes.
Tag samples that exhibit malicious behaviors to flag them for you and other AutoFocus users. You
can receive alerts for new unique samples that match the conditions of malicious behavior tags.

Tag Status
On the Tags page, view the status for a specific tag; optionally, select Sort by: Status to sort tags based on
the status of the tag.

Tag Status Description

Enabled Enabled tags generate alerts when matched to traffic. Alerts based on enabled
tags are displayed in the Alerts Log on the dashboard and, if configured, email
and HTTP alerts are also sent for enabled tags.

Disabled Disabled tags are tags that have been disabled automatically after reaching
100,000 hits. This is a quality control measure; tags that are matched to
large numbers of samples are too general to be useful in identifying targeted
threats. Disabled tags continue to display as a reference—you can continue to
view the samples that were matched to that tag, search based on the disabled
tag, and view the conditions defined for the tag. However, disabled tags are
not applied to future samples.

Removing The tag owner has deleted the tag, but the deletion is not complete. This
status only displays for a short period of time—when the tag deletion
completes, the tag is completely removed from the AutoFocus system.

Rescoping The tag owner has modified the tag visibility to private, public, or
anonymously public. This status only displays for a short period of time—
as the new tag scope is processed and until the update to the tag scope is
complete.

Tag Visibility
There are three types of tag visibility:
• Private—Visible only to your organization (more specifically, only to users associated with the same
support account as the tag author).
• Public—Visible to all AutoFocus users. Public tag details include the name of the organization that
created the tag.
• Public Anonymously—Visible to all AutoFocus users. However, tags that are anonymously made public
do not reveal the organization name in the tag details.
For tags you create, you can set the visibility of the tag and change it at any time.
Private tags and samples can be made public, with the option to revert the tag or sample back to a private
status at any time.

Tag Group
Tags that are determined by Palo Alto Networks’ threat research team, Unit 42, to have connections to
other specific tags are grouped accordingly. These connections can be based on the genre of the malware
family, the attack campaigns they are associated with, and malware design. If your organization has
private tags that are related to a tag group, you can add them to a group by editing the private tag settings.
You can view the individual tag groups by clicking on the Groups tab on the Tag page. You can also perform
searches based on the name of a tag group.


Ransomware Ransomware is a type of malware that prevents users from accessing their system
or personal files and demands ransom payment in order to regain access.

MobileMalware Mobile malware is malicious software that targets mobile phones by causing loss
or leakage of confidential information. This group encompasses all mobile malware,
such as Android malware.

PotentiallyUnwanted PUPs (Potentially Unwanted Programs) are programs that may include adware,
Program advertising, toolbars, and pop-ups that are unrelated to the software you
downloaded. PUPs are often bundled with other software that you install.

Worm A computer worm is a standalone malware family that replicates itself in order
to spread to other computers. It often uses a computer network to spread itself,
relying on security failures to propagate across networks.

PointofSale Point of Sale (POS) malware targets payment terminals with the intent to obtain
credit card and/or debit card information.

BankingTrojan Banking Trojans are a type of malware frequently used to steal sensitive
information such as banking credentials. To do so, attackers normally inject
malicious code into a website or a device; the code is frequently delivered through
phishing emails.

ExploitKit An exploit kit is a utility program that attackers use to launch exploits against
vulnerable applications. Usually done on a mass scale, exploit kits are often
leveraged to distribute additional malware. Exploit kits are commonly packaged
with exploits that target commonly installed software like Adobe Flash, Java, etc.

Cryptominer Cryptominer hides on computers or mobile devices to surreptitiously use the
machine’s resources to mine cryptocurrencies.

Rootkit A rootkit is malware that is designed to infect a target machine and allow an
attacker to install a set of tools that grant the attacker persistent remote access
to the computer. The malware typically hides deep within the operating system,
firmware, and/or driver suite and can evade detection by anti-malware applications
and other security tools.


RemoteAccessTrojan Remote Access Trojans are programs that provide the capability to allow covert
surveillance or the ability to gain unauthorized access to a victim machine. Often
packaged to imitate legitimate applications, Remote Access Trojans can mimic
behaviors of keylogger applications by allowing the automated collection of
keystrokes, usernames, passwords, screenshots, browser history, emails, chat logs,
etc.

Wiper The sole intention of the Wiper malware is to destroy data on the target machine.
Unlike other attacks like ransomware, which often seeks financial gain, wipers are
typically employed to destroy data and cover the attacker's tracks.

Backdoor The dropping (or downloading) of a backdoor is often the second stage of an
attack, where the first stage is the infiltration of the dropper or downloader.
The final stage is gaining full control of the affected system and leveraging of a
backdoor. In many cases, a backdoor is a payload as the attacker can build out their
command and control infrastructure once it is functioning.

OSXMalware Malware that specifically relates to Apple's OSX operating system. This group
includes viruses, trojans, worms, and other types of malware that affect the Apple
OSX environment.

LinuxMalware Includes viruses, trojans, worms and other types of malware that affect the Linux
operating system.

HackingTool Hacking tools are commonly leveraged by attackers to infect, maintain, and administer
victim machines, and/or to perform denial of service attacks. Some examples of
hacking tools are Metasploit and Cobalt Strike. Hacking tools can also include
administration tools that can be benign or malicious, like Microsoft's PSEXEC or
Netcat.

SCADA SCADA-specific malware is designed to compromise SCADA systems by degrading
system functionality. This ranges from malware that alters PLC logic to malware
designed to exploit vulnerabilities in HMI software.

Downloader This type of malware secretly downloads malicious files from a remote server, then
installs and executes the files.

Dropper A dropper is a type of Trojan that has been designed to install malware (virus,
backdoor, etc.) onto a target system. A dropper is often considered one of the first
stages of a compromise, since droppers typically deploy a second stage payload or
tool.

FileInfector File infector malware propagates malicious files on to other systems, removable
devices, and networks. To do this, it seeks out files of certain types (.EXE, .DLL,
.SYS, .HTML, etc.) and copies its malicious code into them.

DDoS Malware that contains denial of service capabilities.

InternetofThingsMalware Encompasses and includes malware families and exploits that exhibit behaviors
specifically targeting or infecting IoT software, firmware, or devices.


Botnet A botnet is a number of Internet-connected devices, each of which is running one
or more bots. Botnets can be used to perform distributed denial-of-service (DDoS)
attacks, steal data, send spam, and allow the attacker to access the device and its
connection.

Webshell A web shell is a script that can be uploaded to a web server to enable remote
administration of the machine. Infected web servers can be either Internet-facing
or internal to the network, where the web shell is used to pivot further to internal
hosts.

InfoStealer Infostealers are malicious software programs that gather confidential information
from the compromised computer to send it to a predetermined location. This can
include information related to the compromised computer, financial data, or user
credentials for various web sites.

Keylogger A keylogger is a function which records keystrokes on a computer.

Loader Loaders retrieve malicious executables or payloads from an attacker-controlled
server.

ATMMalware ATM malware is malicious software designed to compromise automated teller
machines (ATMs) by exploiting vulnerabilities in the machine’s hardware or
software. ATM malware is used to commit a crime known as “jackpotting” in which
attackers install malware that forces ATMs to dispense large amounts of cash on
command.

Tag Details
You can click any tag to reveal details about that tag, including the set of conditions that is matched to
traffic, the last time that set of conditions was detected, and the total number of samples matched to the
tag.
For tags that you have created, you can edit tag details, including setting the visibility of the tag to be
private, public, or anonymously public.
On the Tags page, click any tag to open the Tag Detail.

Tag Details

(1) Search To open a search based on the tag, click the Search icon.

(2) Edit Edit Tag Information.

(3) Delete Permanently delete a tag. Deleted tags show a Tag Status of removing
after being deleted until the deletion is complete (when the deletion is
complete, the tag is no longer available in AutoFocus).

(4) Tag Visibility (Private Tags Only) Share a tag with other AutoFocus users by making the
tag Public. (You can also revert a tag you previously made public, back to a
private tag).
By default, tags that you make public will list your organization as the
tag Owner in the tag details. To change this default setting so that your
organization is not listed as the owner of public tags, select Settings on the
AutoFocus navigation pane and select Share public tags anonymously.

You cannot make a tag public if it has search conditions that
refer to private information about your sessions. The
following Session Artifacts pertain to private information:
• Device Hostname
• Observed In
• Device vsys
• Destination IP
• Email Recipient Address
• Email Charset
• Email Sender Address
• Email Subject
• File Name
• File URL
• Recipient User ID
• Source IP
The following General Artifacts may pertain to private session information:
• Domain
• Email Address
• Filename
• IP Address
• URL
You also cannot make a tag public if it has a search condition that points to
a custom App-ID you created (Application > is [custom App-ID]).

(5) Vote, Comment, and Report You can Vote for, Comment on, and Report Tags. Tags with the visibility
set to private (tags created by and visible only to your organization) do not
display these options.

(6) Tag Information Tag information is searchable and can include some or all of the following
details:
• Name—AutoFocus enforces unique tag names within an organization.
• Scope—The tag type is either public, private, or Unit 42.
• Tag Class—The Tag Class associated with the tag.
• Source—Organization or individual that discovered the threat defined in
the tag.
• Created—The date and time that the tag was created.
• Updated—The date and time that the tag was most recently modified.
• Owner—Organization that created the tag.
• # Samples—The total number of private and public samples matched to
the tag.
• Last Hit—The time at which the most recent sample matched to the tag
was detected.
• Votes—The number of up-votes the tag has received from the
AutoFocus community.
• Description—Summary of the threat that tag indicates.
• Related Tags—Tags that share certain conditions, or might indicate
similar types of threats.
• Alias—Other names that might refer to threat that the tag defines. You
can search on a tag alias to find all samples matched to tags with that
alias.

• References—External references provide more information or context
for the threat that the tag identifies.
• Groups—A list of groups that the selected tag is a part of.

(7) Tag Conditions • Lists all the conditions against which samples are evaluated.
Note that a tag can have multiple sets of conditions, but a sample only
has to match one set of conditions for it to be marked with the tag.
• Search based on a single set of tag conditions:
Click the Search icon in the Actions column to the right of the condition
for which you want to open a search.

Because you cannot edit the conditions defined for an
existing tag, use this option to add conditions from an
existing tag to the search editor, modify the conditions,
and create a new tag.
• Delete a single set of tag conditions:
Click the Trash icon in the Actions column to delete the set.
• Search with all tag conditions:
Click the Search All icon after the last set of tag conditions to add all of
the tag conditions to a new search.
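As an added example (not code from the guide or from AutoFocus itself), the following Python models two rules stated in the Tag Details table: a sample is tagged when it matches any one of the tag's condition sets (every condition inside a set must hold), and a tag whose conditions refer to a private Session Artifact or to a custom App-ID cannot be made public. The artifact type names, the operator vocabulary ("is", "is not", "contains"), the dictionary layout of a sample and the sample values are assumptions made for the illustration.

```python
"""Added example (not AutoFocus code): OR-of-ANDs matching across a tag's
condition sets, plus the private-artifact check that blocks public visibility.
Operators, sample layout and all sample values are assumptions."""
from dataclasses import dataclass

# Session Artifacts the guide lists as private information; a condition on any
# of them prevents the tag from being made public.
PRIVATE_SESSION_ARTIFACTS = frozenset({
    "Device Hostname", "Observed In", "Device vsys", "Destination IP",
    "Email Recipient Address", "Email Charset", "Email Sender Address",
    "Email Subject", "File Name", "File URL", "Recipient User ID", "Source IP",
})


@dataclass(frozen=True)
class Condition:
    artifact: str   # artifact type, e.g. "Domain", "Mutex", "Application"
    operator: str   # assumed operator vocabulary: "is", "is not", "contains"
    value: str


def condition_matches(cond: Condition, sample: dict) -> bool:
    """A sample is modelled as {artifact type: [observed values]} (assumption)."""
    observed = sample.get(cond.artifact, [])
    if cond.operator == "is":
        return cond.value in observed
    if cond.operator == "is not":
        return cond.value not in observed
    if cond.operator == "contains":
        return any(cond.value in v for v in observed)
    raise ValueError(f"unsupported operator: {cond.operator}")


def tag_matches(condition_sets, sample: dict) -> bool:
    """A sample only has to match ONE set; within a set ALL conditions must hold."""
    return any(all(condition_matches(c, sample) for c in cs) for cs in condition_sets)


def public_visibility_blockers(condition_sets, custom_app_ids=frozenset()):
    """Reasons the tag cannot be made public; an empty list means it can.
    General Artifacts (Domain, IP Address, URL, ...) only *may* be private, so
    the guide does not block them automatically and neither does this check."""
    blockers = []
    for cs in condition_sets:
        for c in cs:
            if c.artifact in PRIVATE_SESSION_ARTIFACTS:
                reason = f"private session artifact: {c.artifact}"
            elif c.artifact == "Application" and c.operator == "is" and c.value in custom_app_ids:
                reason = f"custom App-ID: {c.value}"
            else:
                continue
            if reason not in blockers:
                blockers.append(reason)
    return blockers


# Constructed data for the demonstration (not real indicators).
EXAMPLE_TAG = [
    [Condition("Domain", "contains", "example-c2.test"),
     Condition("Mutex", "is", "Global\\demo_mutex")],
    [Condition("Registry", "contains", "Run\\demo_persist")],
]
EXAMPLE_SAMPLE = {"Domain": ["cdn.example-c2.test"], "Mutex": ["Global\\demo_mutex"]}
PRIVATE_TAG = [[Condition("Source IP", "is", "10.0.0.5"),
                Condition("Domain", "is", "cdn.example-c2.test")]]

if __name__ == "__main__":
    print("sample tagged:", tag_matches(EXAMPLE_TAG, EXAMPLE_SAMPLE))
    print("public-visibility blockers:", public_visibility_blockers(PRIVATE_TAG))
```

The second condition set shows why the OR-of-ANDs rule matters for tag design: a sample that exhibits only the registry persistence artifact is still tagged, so each set should on its own be specific enough to avoid false matches.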

Next Steps... • Create a Tag.
• Vote for, Comment on, and Report Tags.
• Enable Alerts by Tag Type.

Create a Tag
There are two ways to create a new AutoFocus tag: tag a sample or tag a set of search conditions.
The visibility of a new tag is set to Private by default.

• Tag a sample.
Create a tag for a sample hash to keep track of a sample that exhibits unique behavior or a sample that
you need to refer back to later. You can then search for the sample by the tag name instead of its hash.
1. Begin a new search.
2. Click a sample hash to view sample details, and click Add Tag.

You can only click the sample hash for a public sample or any of your private samples.

3. Enter a name for the tag in the search field and click create new.

4. Hover over the new tag, and click the tag name.
5. Edit the Tag Details to supply more information about the tagged sample.

• Tag a search.
Create a tag for a search condition (or a set of search conditions). You can use the tag to search for all
samples that match the conditions. Review Tag Visibility for tagging guidelines.
1. Work with the Search Editor to create a set of search conditions.

You cannot create a tag for searches based on tag-related information (Tag, Tag
Alias, Tag Class, Tag Scope, and Tag Source) or the artifact Threat Name.
2. Click the Tag icon to create a tag based on the defined search conditions:

3. Provide a unique tag name and any other information that may be helpful for identifying the tag, and
then Tag Results.

• Choose from the following next steps.
• When a tag is created, all past and incoming samples that match the search conditions are tagged;
Sample Details display the tags to which the sample is matched.
• Learn more about how to Work with Tags.

• Use the tag to Begin a new search. Search with the tag to view all AutoFocus samples that match the
tag conditions.
• Create Alerts to be notified when new samples match the tag.

Work with Tags
• Find Samples by Tag Details
• Filter and Sort Tags
• Find the Top Tags Detected During a Date Range

Find Samples by Tag Details

On the Search page, you can find and filter samples by different tag-related artifacts.

Artifact Type When To Use It

Tag Find samples matched to a tag.

Tag Alias Find samples by the Alias field in the Tag Details. The Tag Alias allows the
tag owner to specify common names for the threat that the tag identifies.
For example, there may be multiple tags related to a single malware family or
campaign. In this case, you can use Tag Alias to look for all samples that are
linked to a particular malware family or campaign by different tags.

Tag Class Find samples associated with a particular Tag Class: a Malware Family, a
Campaign, an Actor, an Exploit, or a type of Malicious Behavior.

Tag Group Find samples that are part of a specified Tag Group. Tag groups are defined
by Unit 42 based on malware classification and cannot be modified by the
user.

Tag Scope Filter samples by the scope of their tags: private, public, Unit 42 (alerting), or
Unit 42 informational (non-alerting).

Tag Source Find samples with tags that are attributed to a particular tag source. The Tag
Source is the individual or organization that discovered the threat that the tag
identifies. The list of tag sources to choose from is based on all tags with a
Tag Visibility that is set to public.

Filter and Sort Tags
Filter and sort tags on the Tags page based on Tag Details.

Filter and Sort Tags

(1) Tag Categories Tags are organized into two categories to simplify manual
browsing of the Tags page.
• All Tags: Displays all available tags and their details based
on the Unified Tag View configuration.
• Groups: Displays all available tag groups with a description
and list of associated tags.

(2) Unified Tag View Tags are displayed collectively in a single view to enable quick
and easy filtering.
• Choose Columns to select which details to display on the
Tags page.
• Select a tag detail to Sort by in ascending or descending
order. Alternatively, you can click the column header for
a tag detail to sort the rows in ascending (up arrow) or
descending (down arrow) order.

To find tags with the highest number of matching samples, Sort by: # Samples
in descending order. To find tags that have received comments from AutoFocus
users recently, Sort by: Last Comment in descending order.

(3) Pivot from Tag to Sample Searches Click Search for these tags to determine which samples are
associated with the tags displayed in the tags page.

The number of tags used in the sample search
is based on the number of results shown on
the tag search results page. For example, if
there are 82 tag results but the page is set to
show a maximum of 50 tags, only 50 tags will
be used by the sample search.

(4) Quick Search Enter a single value in the quick search field to find matching
tags across all tag types.

(5) Advanced Filter Click on Advanced to find tags based on multiple search
conditions, including tag fields, the number of votes a tag has
received, and the number of sample hits.

You can start typing the artifact type by which
you want to filter tags to narrow down the
options in the drop-down.

Find the Top Tags Detected During a Date Range

On the AutoFocus dashboard, the Top Tags widget lists the twenty tags with the most sample hits during
the date range set for the dashboard (see Set the Dashboard Date Range). The list of top tags updates
accordingly depending on the context selected (My Organization, My Industry, or All tab). To view all tags,
click Tags on the navigation pane.

STEP 1 | Click Dashboard on the navigation pane, and click the My Organization, My Industry, or All
tab.

STEP 2 | Set the Dashboard Date Range to adjust the displayed Download Sessions. The widgets on the
dashboard (including the Top Tags widget) automatically update based on the new date range.

STEP 3 | On the Top Tags widget, select a tag to view tag details, including a description of the sample
or conditions that the tag identifies.

You can continue to add the tag to a search.

STEP 4 | Choose from the following next steps:
• Enable Alerts by Tag Type.
• Vote for, Comment on, and Report Tags.

Vote for, Comment on, and Report Tags
Though you cannot edit Unit 42 and public tags, you can help to curate the most relevant and useful of
these tags by voting for tags you like and adding comments to tags. You can also alert Unit 42 to a tag that
you think might be offensive or revealing, and Unit 42 will review the tag.
Vote for tags—Give up-votes to tags that provide helpful, accurate information.
Comment on tags—Provide feedback on tags or share additional, relevant information with the
AutoFocus community.
Report tags—Report tags that are misleading, too general to be meaningful, offensive, or reveal sensitive
information. Unit 42 reviews reported tags and finds the tag to either be acceptable or inappropriate:
• Acceptable tags—If Unit 42 determines that the tag is appropriate, the tag status remains public. The
user who reported the tag receives an email notification that the tag will continue to remain publicly
shared.
• Inappropriate tags—If Unit 42 determines that the tag is inappropriate, they can revert the tag scope
to private. The tag will only be visible to the organization that owns the tag and will no longer be
publicly shared. The tag author (the user who created the tag originally) and the user who reported
the tag as inappropriate will receive an email notification that the tag is no longer publicly visible.
Unit 42 can also permanently delete an inappropriate reported tag. The tag owner receives an email
notification when the tag deletion is complete.
The following table describes how to vote for, comment on, and report tags.

STEP 1 | Find tags.
• Click Tags on the navigation pane.
• Click Dashboard and view the Top Tags widget.

STEP 2 | Select a tag to view tag details.

(1) Vote for a Tag—Click Vote Up to give a tag an up-vote. You can deselect Vote Up to withdraw an up-
vote at any time.
To view tags that are highly rated by the AutoFocus community, click Tags and sort tags according to
Sort by: Up Votes. Select Sort Descending to show the tags with the highest votes.

(2) Report a Tag—Report a tag that is misleading, offensive, or displays sensitive information. Include
details as to why you are reporting the tag.
(3) Comment on a Tag—Add a comment to provide feedback on a tag, or to share information regarding
the tag with the AutoFocus community.

Assess AutoFocus Artifacts
WildFire™ classifies previously unknown samples as either malware, grayware, benign, or
phishing, so that you can then block or enforce the newly-identified traffic according to your
security policy needs. When WildFire observes and executes a sample in a WildFire analysis
environment, artifacts (such as file properties, behaviors, and activities) are revealed to be
associated with the sample.
AutoFocus™ provides a new lens through which you can view the artifacts collected by
WildFire. AutoFocus layers statistics over artifacts found to be associated with a sample, to
show the number of times the artifact has been seen with other malware, grayware, or benign
samples. High-risk artifacts seen frequently with malware are labeled Suspicious or Highly
Suspicious, and artifacts associated with high-risk behaviors are indicated. If you Forward
MineMeld Indicators to AutoFocus, AutoFocus calls attention to sample indicators that match
the threat indicators you’ve forwarded.
Find high-risk artifacts in the File Analysis details of a sample. By default, AutoFocus groups
similar artifacts into WildFire static and dynamic analysis sections for easy reference, though
you can also view artifacts based on the sample activity timeline in the WildFire analysis
environment. Add high-risk artifacts to a search, or use them to Build an AutoFocus Export
List.

> Find High-Risk Artifacts
> Add High-Risk Artifacts to a Search or Export List
> Manage Threat Indicators

Find High-Risk Artifacts
To bring your attention to potential threats in your network, AutoFocus provides clues in a sample's
WildFire analysis that link the sample to malware or malicious attacks.

STEP 1 | Begin a new search. Check the Tags column for:
• Unit 42 tags—Identify threats and campaigns that pose a direct security risk.
• Indicator tags—Highlight samples with Threat Indicators that match threat indicators that you
forwarded to AutoFocus using MineMeld. The tag specifies the number of matching indicators in
the sample. Not all sample artifacts are indicators; to determine whether an artifact is an indicator,
AutoFocus uses a statistical algorithm based on the tendency of the artifact to be seen predominantly
with malware.

Click the indicator tag to view the matching indicators.

STEP 2 | Click a sample hash and scan the WildFire analysis details of the sample for signs of
maliciousness.
• For every WildFire static and dynamic analysis artifact listed, compare the number of times the
artifact has been detected with benign, grayware, and malware samples.
• High-risk artifacts are displayed with icons to designate them as Suspicious or Highly Suspicious.
• If an activity artifact has proven to be evidence of an Observed Behavior, the behavior risk level is
indicated.
• Sample indicators that match threat indicators from MineMeld are highlighted with an indicator
icon. Learn more about how to Forward MineMeld Indicators to AutoFocus.

STEP 3 | View artifacts that match your search conditions (even if they’re not high-risk), highlighted in
the search results.

STEP 4 | View a summary of Indicators that AutoFocus detected in the sample.
The Indicators tab only lists artifacts that AutoFocus considers indicators based on the tendency of the
artifact to be seen predominantly in malware samples. Any indicators that match indicators forwarded
to AutoFocus from MineMeld are marked with an indicator tag. Click the tag to view the full list of
matches.

STEP 5 | (Optional) Add High-Risk Artifacts to a Search or Export List.

Add High-Risk Artifacts to a Search or Export List
When you Find High-Risk Artifacts in your search results, you can add these artifacts to your existing search
and/or to an export list. You can also view PAN-DB categorization information, WildFire DNS history, and
passive DNS history for domains, URLs, and IP addresses. The following table describes how to search,
export, and drill down on file analysis artifacts.

• Add an artifact to a search.

Alternatively, select Add to New Search to launch a new search for the artifact in a separate window, or
add a SHA256, IP address, user agent, filename, or URL artifact to a remote search (see Set Up Remote
Search).

• Add an artifact to an export list.

See Export AutoFocus Artifacts for steps to build an AutoFocus export list.

• View PAN-DB categorization, WildFire DNS history, and passive DNS history for an artifact.
Select an IP address, URL, or domain artifact and click Domain and URL info....

Manage Threat Indicators
View and keep track of all Threat Indicators that you have forwarded to AutoFocus using the MineMeld
app. These indicators help you Find High-Risk Artifacts in your AutoFocus search results. AutoFocus can
store up to 180 million indicators, and all dates and times are in Pacific Time (PST/PDT). Filter the indicators
by certain attributes and export them to the firewall or other security and information event management
(SIEM) platforms through MineMeld.

• View all threat indicators forwarded to AutoFocus.
Click Indicators on the navigation pane to access the Indicator Store.

• Filter the indicators.

Add or remove conditions for filtering the displayed indicators. Filter by the following criteria and click
Search:
• Upload Source—The app that forwarded the indicator to AutoFocus.
• Type—The type of information that an indicator is (examples: IPv4, Mutex, URL). See Artifact
Types for definitions of each indicator type. In addition to what are considered Threat Indicators in
AutoFocus, AutoFocus can receive the following additional indicator types from MineMeld: IPv6,
registry key, process, filename, SHA256 hash, SHA1 hash, MD5 hash, and Ssdeep fuzzy hash.
• Indicator—The exact value of the indicator.
• Indicator Fragments—A partial value of the indicator. Use this search criterion if you only know part of
an indicator.
• Time—The date and time that AutoFocus received the indicator.
• IPv4—A criterion for searching for IP addresses in a range.
• Use the filter IPv4 > matches to find an IP address that belongs to a range.
• Use the filter IPv4 > matches list to find multiple IP addresses in a range.
• First Seen—The date and time that the indicator was first seen in the threat feed.
• Last Seen—The date and time that the indicator was most recently seen in the threat feed.
• Feed Source—The name of the threat feed from which an indicator was retrieved.
• Confidence—A confidence rating that the feed owner associates with the indicators in a feed. The
confidence level is measured on a 0-100 scale, with 0 indicating that feed contents have not been
verified and 100 indicating that the feed contents are confirmed accurate.

When constructing an AutoFocus feed query, you are limited to

• Share Level—The share level that the feed owner associates with the indicator.
• Threat Type—A default value (malicious) that MineMeld assigns to indicators.
• Metadata—Additional information about the indicator that the feed owner provided.
• Expired—If the value is True, the indicator is aged-out, that is, removed from its source feed. If the
value is False, the indicator is active.

• Import or export filters for the indicators.

• Import Search to paste a query for filtering indicators from another AutoFocus user.
• Export Search to share a query for filtering indicators to another AutoFocus user.

• Check how much space for storing indicators is remaining.

View all indicators (remove any existing filters), and check the percentage of indicator storage currently
in use. AutoFocus stops receiving indicators from MineMeld when it reaches the maximum number of
indicators that it can store (180 million indicators).

Check the status of the indicator storage periodically. If you are close to the maximum
limit, Remove indicators from the store.

• Remove indicators from the store.

Click the trash icon to remove all indicators from the store.
To remove only a subset of indicators, first Filter the indicators. Then, click the trash icon to remove only
the indicators that match the filter criteria. For example, you can apply the filter Expired > is > True and
click the trash icon to remove only expired indicators from the store.
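The following Python is an added example, not AutoFocus or MineMeld code, that applies the filter criteria listed under "Filter the indicators" (Type, Indicator, Indicator Fragments, IPv4 matches / matches list, Confidence, Expired, Feed Source) to an in-memory model of the Indicator Store, and then models the "filter, then click the trash icon" clean-up described under "Remove indicators from the store" (for example Expired > is > True). The record layout, the keyword names and the constructed indicators are assumptions; the 180 million storage ceiling is the figure the guide gives.

```python
"""Added example (not AutoFocus/MineMeld code): Indicator Store filtering and
filtered removal.  Record layout and sample indicators are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

MAX_INDICATORS = 180_000_000   # storage ceiling stated in the guide


@dataclass
class Indicator:
    type: str               # IPv4, Domain, URL, Mutex, ... (assumed labels)
    value: str              # exact indicator value
    feed_source: str        # threat feed the indicator was retrieved from
    confidence: int         # 0 = unverified .. 100 = confirmed accurate
    expired: bool           # True once the source feed aged the indicator out
    upload_source: str = "minemeld"
    metadata: dict = field(default_factory=dict)


def ipv4_in_range(value: str, network: str) -> bool:
    """'IPv4 > matches': is the indicator an IPv4 address inside the CIDR range?"""
    try:
        return ipaddress.IPv4Address(value) in ipaddress.IPv4Network(network, strict=False)
    except ValueError:      # not an IPv4 address, or not a valid network
        return False


def filter_indicators(store, *, ind_type: Optional[str] = None,
                      indicator: Optional[str] = None, fragment: Optional[str] = None,
                      ipv4_range: Optional[str] = None, ipv4_ranges=None,
                      min_confidence: Optional[int] = None,
                      expired: Optional[bool] = None, feed_source: Optional[str] = None):
    """Every criterion supplied must hold (criteria are ANDed, like conditions
    stacked in the Indicator Store filter bar)."""
    hits = []
    for ind in store:
        if ind_type is not None and ind.type != ind_type:
            continue
        if indicator is not None and ind.value != indicator:            # exact value
            continue
        if fragment is not None and fragment not in ind.value:          # Indicator Fragments
            continue
        if ipv4_range is not None and not ipv4_in_range(ind.value, ipv4_range):
            continue
        if ipv4_ranges is not None and not any(                         # 'matches list'
                ipv4_in_range(ind.value, n) for n in ipv4_ranges):
            continue
        if min_confidence is not None and ind.confidence < min_confidence:
            continue
        if expired is not None and ind.expired != expired:
            continue
        if feed_source is not None and ind.feed_source != feed_source:
            continue
        hits.append(ind)
    return hits


def remove_matching(store, **criteria):
    """Model of 'apply a filter, then click the trash icon'.
    Returns (remaining, removed); with no criteria everything is removed."""
    removed = filter_indicators(store, **criteria)
    removed_ids = {id(ind) for ind in removed}
    remaining = [ind for ind in store if id(ind) not in removed_ids]
    return remaining, removed


def storage_used_pct(store) -> float:
    """Percentage of the indicator store ceiling in use."""
    return 100.0 * len(store) / MAX_INDICATORS


# Constructed store (documentation/test-net values, not real indicators).
CONSTRUCTED_STORE = [
    Indicator("IPv4", "198.51.100.23", "feed-a", 90, False),
    Indicator("IPv4", "198.51.100.200", "feed-a", 40, True),
    Indicator("IPv4", "203.0.113.7", "feed-b", 75, False),
    Indicator("Domain", "malicious.example", "feed-b", 100, False),
    Indicator("URL", "http://malicious.example/dl/payload.bin", "feed-b", 60, True),
    Indicator("Mutex", "Global\\constructed_mutex", "feed-c", 20, False),
]

if __name__ == "__main__":
    print("in 198.51.100.0/24:", [i.value for i in
                                  filter_indicators(CONSTRUCTED_STORE, ipv4_range="198.51.100.0/24")])
    remaining, removed = remove_matching(CONSTRUCTED_STORE, expired=True)
    print(f"removed {len(removed)} expired, {len(remaining)} left, "
          f"{storage_used_pct(remaining):.6f}% of capacity used")
```

Because `remove_matching` with no criteria empties the store, a wrapper that drives a real clean-up should refuse an empty filter unless the operator explicitly asks for a full purge, which is the same distinction the guide draws between the trash icon with and without a filter applied.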

• Use the Indicator Store as a source of indicators for MineMeld.

Create MineMeld Miner to create an AutoFocus indicator store miner that will extract artifacts from the
Indicator Store. This is one of the ways to Forward AutoFocus Indicators to MineMeld. If you applied a
filter for the indicators before clicking this button, the miner will be configured to extract only indicators
that match the filter criteria.

• View additional information about the indicator provided by its source (i.e., the feed owner).

Expand the entry for an indicator to check if the feed owner provided supplementary attributes or
metadata about the indicator.

Export AutoFocus Content
AutoFocus™ allows you to export artifacts as well as the general contents displayed on tag,
search, and indicator pages. An artifact export list can be used to enable a Palo Alto Networks
firewall to enforce policy based on AutoFocus artifacts or to import AutoFocus data to a
security information and event management (SIEM) tool. Security operations (SecOps) and
threat researchers can also use the export function to generate an output of the current
session for detailed analysis.

> Export AutoFocus Artifacts
> Export AutoFocus Page Content
> Export AutoFocus Dashboard and Reports

Export AutoFocus Artifacts
AutoFocus™ allows you to export artifacts that WildFire™ has frequently detected with malware, such as
IP addresses, URLs, or domains. To export artifacts, you must first add artifacts found in AutoFocus to an
export list. Then, select some or all of the artifacts in the export list to include them in a comma-separated
value (CSV) file, which you can then import into a security information and event management (SIEM)
solution. You can also use the file to dynamically enforce policy on a Palo Alto Networks® firewall.
• Build an AutoFocus Export List
• Create a CSV File
• Use Export Lists with the Palo Alto Networks Firewall

Build an AutoFocus Export List

To Create a CSV File that contains AutoFocus artifacts, first add the artifacts to an export list. You can build
multiple export lists in AutoFocus. Grouping artifacts into different export lists allows you to easily generate
separate CSV files for them.

STEP 1 | Drill down to view the details for WildFire samples returned in an AutoFocus search.
1. Begin a new search.
2. Click a sample hash to view sample details.
3. Select an operating system to view activities and behaviors observed when the sample was executed
in that WildFire analysis environment.

STEP 2 | Add artifacts to an export list:
To add a single artifact to an export list, click the drop-down for the artifact and select Add to Export
List:

Select multiple artifacts from a WildFire analysis category to add to an export list.
1. Click the drop-down for a WildFire analysis category and select Select for Export List. This turns the
drop-downs next to the artifacts into checkboxes.

2. Select one or more artifacts from the list.
3. Re-open the options for the category and select Add Selected to Export List.

Add all artifacts, all suspicious artifacts, or all highly suspicious artifacts listed for an activity or behavior
category to an export list.

Only artifacts that were observed for the selected operating system are added to the
export list. To add sample artifacts from a different operating system, repeat Step 1.3
using a different OS option and continue.

STEP 3 | Select an export list for the artifacts.
Add artifacts to a new export list:
1. Enter a name for the new export list.
2. Click create new. This adds the artifact to the new export list.

Add an artifact to an existing export list:

STEP 4 | View all artifacts added to an export list.

Click Exports on the navigation pane and select the export list to which the artifacts were added in Step
3.

• To view the latest artifacts added, select Sort by: Added Time, and click Sort Descending.

• You can also view artifacts based on the WildFire analysis Section from which the artifact is derived.
For example, a domain in the export list might have been added from the DNS Activity that WildFire
detected for the sample. See the Artifact Types that can appear in each WildFire analysis section.
• You can click any of the column headers to sort the export list in ascending (up arrow) or descending
(down arrow) order.

STEP 5 | (Optional) Remove artifacts from an export list.
• Select artifacts you want to remove and click Delete Selected Items.
• To remove all artifacts from an export list, you do not have to select all the artifacts; you can simply
click Delete All Items. Deleting all artifacts also automatically deletes the export list.

STEP 6 | Prepare a version of the export list to export out of AutoFocus.
Create a CSV File from the export list.

Create a CSV File

Generate a CSV file from the artifacts that were added to an export list. By default, the CSV file is formatted
to contain a single row for each artifact; the row includes full WildFire analysis details for the artifact, and
commas separate the WildFire analysis details within each row.
You can format the CSV file to support a block list for a Palo Alto Networks firewall and to export additional
artifact metadata.

STEP 1 | Build an AutoFocus Export List.

STEP 2 | Click Exports on the navigation pane.

STEP 3 | Select an export list to open, and choose artifacts to export:
Export all artifacts in an export list:
1. Click Export All Items.
2. Verify that the Export Rows option is set to All.

To quickly export all artifacts from the Exports page, click Export in the Actions column
of the export list.

Export artifacts based on the time period they were added to an export list:
1. Click Export All Items.
2. Set Export Rows to In Date Range.
3. Use the Added Time fields to export artifacts based on the date and time range that the artifact was
added to the export list.

To quickly export artifacts within a date range from the Exports page, click Export in
the Actions column of the export list.

Export selected artifacts:


1. Select one or more artifacts to export.
2. Click Export Selected Items.

STEP 4 | (Optional) Format the CSV file to be compatible with a Palo Alto Networks firewall.
Select Formatted for PAN-OS block list.
You can use the CSV file as a dynamic block list (PAN-OS 7.0 or earlier) or an external dynamic list (PAN-
OS 7.1 or later), but the firewall only supports certain types of artifacts. Learn more about how to Use
Export Lists with the Palo Alto Networks Firewall.

STEP 5 | (Optional) Export additional artifact data.
Select Export Metadata.
This option adds the following columns to each artifact row:
• Added Time—The date and time that the artifact was added to the export list.
• Section—The artifact activity category.
• Label—The name of the export list.
• Value—The artifact that was added to the export list.
• SHA256—The SHA256 hash of the sample that the artifact was found with.
• SHA1—The SHA1 hash of the sample that the artifact was found with.
• MD5—The MD5 hash of the sample that the artifact was found with.
• Author Email—The email address of the user who added the artifact to the list.

STEP 6 | Select Export to generate the CSV file.


Use the CSV file to import AutoFocus data into a security information and event management (SIEM)
tool, or Use Export Lists with the Palo Alto Networks Firewall.

Use Export Lists with the Palo Alto Networks Firewall


Export lists provide a way to dynamically enforce policy on a Palo Alto Networks firewall based on
AutoFocus artifacts. The following workflow walks you through the process of building an export list
designed specifically for the firewall.

STEP 1 | Build an AutoFocus Export List.


Dynamic block lists and external dynamic lists on the Palo Alto Networks firewall only support certain
artifacts, so you must tailor your export list based on the PAN-OS software version running on the
firewall.
(PAN-OS 7.0 or earlier) Dynamic Block List—Build an export list that only contains IP addresses.
(PAN-OS 7.1 or later) External Dynamic List—Build an export list that contains only IP addresses,
only domains, or only URLs. Learn more about how the firewall supports the three external block list
types.

Find IP address, URL, and domain artifacts in the DNS Activity, Connection Activity, and
HTTP Activity detected during the WildFire analysis of a sample.

STEP 2 | Create a CSV File formatted for the firewall.


Verify that the artifacts you plan to export are supported on the firewall (IP addresses only for a
dynamic block list in PAN-OS 7.0 or earlier; IP addresses only, URLs only, or domains only for an
external dynamic list in PAN-OS 7.1 or later).
Before you export the artifacts, make sure that Formatted for PAN-OS block list is selected.

CSV files that are formatted for a PAN-OS block list might display artifacts in an order that
is different from how they appear in the AutoFocus export list.

STEP 3 | Use the generated CSV file with the firewall.


• Set up a dynamic block list (firewalls running PAN-OS 7.0 or earlier).
• Set up an external dynamic list (firewalls running PAN-OS 7.1 or later).
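The following is an added example, not AutoFocus or PAN-OS code, that takes a CSV produced with the Export Metadata option (see Create a CSV File) and applies the firewall compatibility check from STEP 2: each Value is classified as an IP address, domain or URL, a mixed list or a type the stated PAN-OS version cannot use is rejected, and the deduplicated one-artifact-per-line list is emitted. The column names are the ones the guide documents; the rows, hash placeholders, e-mail address and timestamp format are constructed assumptions.

```python
"""Turn an AutoFocus export-list CSV (Export Metadata columns) into a PAN-OS
block list, enforcing the one-artifact-type rule from the guide.

Added example, not AutoFocus or PAN-OS code. Column names follow the Export
Metadata option; rows, hash placeholders, e-mail and timestamp format are
constructed assumptions.
"""
import csv
import io
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample export. Hash and e-mail values are placeholders.
SAMPLE_CSV = """Added Time,Section,Label,Value,SHA256,SHA1,MD5,Author Email
2020-09-01 10:15:00,Connection Activity,fw-block,198.51.100.7,SHA256-PLACEHOLDER,SHA1-PLACEHOLDER,MD5-PLACEHOLDER,analyst@example.com
2020-09-01 10:16:00,Connection Activity,fw-block,203.0.113.9,SHA256-PLACEHOLDER,SHA1-PLACEHOLDER,MD5-PLACEHOLDER,analyst@example.com
2020-09-02 08:00:00,Connection Activity,fw-block,198.51.100.7,SHA256-PLACEHOLDER,SHA1-PLACEHOLDER,MD5-PLACEHOLDER,analyst@example.com
2020-09-02 09:30:00,DNS Activity,fw-block,malicious.example,SHA256-PLACEHOLDER,SHA1-PLACEHOLDER,MD5-PLACEHOLDER,analyst@example.com
"""

REQUIRED_COLUMNS = {"Added Time", "Section", "Label", "Value"}
_DOMAIN_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def classify(value):
    """Return 'ip', 'domain', 'url' or 'unknown' for one artifact value."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if "://" in v or "/" in v:
        return "url"
    return "domain" if _DOMAIN_RE.match(v) else "unknown"


def parse_export_csv(text):
    """Parse the CSV and fail loudly if the metadata columns are missing."""
    reader = csv.DictReader(io.StringIO(text))
    missing = REQUIRED_COLUMNS - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"CSV lacks Export Metadata columns: {sorted(missing)}")
    return list(reader)


def select_rows(rows, added_since=None, added_until=None):
    """Mimic 'Export Rows: In Date Range' using the Added Time column.
    Bounds may be datetime objects or ISO 8601 strings."""
    def as_dt(bound):
        return datetime.fromisoformat(bound) if isinstance(bound, str) else bound
    since, until = as_dt(added_since), as_dt(added_until)
    kept = []
    for row in rows:
        added = datetime.fromisoformat(row["Added Time"].strip())
        if (since and added < since) or (until and added > until):
            continue
        kept.append(row)
    return kept


def check_edl(rows, pan_os_version="7.1"):
    """List the problems that would make this list unusable on the firewall:
    empty list, unrecognised values, mixed artifact types, or a type the
    PAN-OS version cannot use (7.0 and earlier: IP addresses only)."""
    major_minor = tuple(int(p) for p in pan_os_version.split(".")[:2])
    allowed = {"ip"} if major_minor < (7, 1) else {"ip", "domain", "url"}
    kinds = Counter(classify(r["Value"]) for r in rows)
    problems = []
    if not rows:
        problems.append("export list is empty")
    if "unknown" in kinds:
        problems.append(f"{kinds['unknown']} value(s) are not IP, domain or URL")
    if len(kinds) > 1:
        problems.append(f"mixed artifact types: {dict(kinds)}")
    for kind in kinds:
        if kind != "unknown" and kind not in allowed:
            problems.append(f"{kind} lists need PAN-OS 7.1 or later")
    return problems


def build_edl(rows, pan_os_version="7.1"):
    """Return the block-list body: one artifact per line, duplicates dropped,
    first-seen order kept. Raises ValueError if check_edl finds problems."""
    problems = check_edl(rows, pan_os_version)
    if problems:
        raise ValueError("; ".join(problems))
    seen, lines = set(), []
    for row in rows:
        value = row["Value"].strip()
        if value not in seen:
            seen.add(value)
            lines.append(value)
    return "".join(line + "\n" for line in lines)
```

Run `build_edl([r for r in parse_export_csv(SAMPLE_CSV) if r["Section"] == "Connection Activity"])` to get the IP-only list; passing all four rows raises because the DNS Activity domain makes the list mixed.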

Export AutoFocus Page Content
AutoFocus™ allows you to export specific content displayed on a given tag, search, or indicator page as
shown on-screen. The exportable elements depend on how you configure the page view. For example, if
you configure your sample search screen to show First Seen, WildFire Verdict, SHA256, and Tags, with
up to 50 results, your data export options are limited to those items. If you want to export additional
information, you must configure the page accordingly.

STEP 1 | To export the tag page data, you must select an output format (options include Text, CSV,
and JSON) and then the data type. Only one data type can be selected per text-based export,
however the CSV and JSON formats can export all available columns shown on a page.

STEP 2 | Click ( ) to open the Export Data page.

STEP 3 | Select the export file format.


• Text—AutoFocus exports a single user-selected data type into a text file format.
• CSV—AutoFocus exports all information on a page into a table format using the comma-separated
values (CSV) file format.
• JSON—AutoFocus exports either all information on a page or a single user-selected data type into
the JavaScript Object Notation file format.

STEP 4 | Select the data type and sorting arrangement.


1. Select a data type option from the Data drop-down list.
2. (Optional) Select Sort to rearrange the entries in ascending order except for dates, which are sorted
in descending order.
3. (Optional) Select Unique to remove duplicate entries from the export list.

The Sort and Unique options are available only for certain combinations of data type
and file format.

STEP 5 | Click Download to retrieve the data export file.

Export AutoFocus Dashboard and Reports
AutoFocus™ allows you to export specific content displayed on a selected report or dashboard page as
shown on-screen. Only the content that is displayed on a given dashboard page can be exported. For
example, if the selected dashboard contains the Sample Verdicts, Download Sessions, Top Applications, and
Top Malware widgets, only those items using the selected visualization options are displayed in the PDF.

Depending on the widget configuration and visualization options used, you might not be able
to view the entire data set presented within a widget in the PDF report. Adjust the widget size
by changing the number of columns per row and configuration options to best suit your PDF
report presentation requirements.

STEP 1 | Go to your AutoFocus Dashboard or Reports and open the report you want to export.
• Dashboard—Select the report you want to export from the report tabs.

• Reports—Run the report you want to export.

STEP 2 | (Optional) Configure your widgets with the appropriate data and visualization options, as well
as the date range.

STEP 3 | Download PDF to generate and download the export file.

AutoFocus Reports
AutoFocus™ reports provide a visual overview of threat trends and network activity based on
your network traffic. You can use the default reports from Palo Alto Networks or create your
own using the available widgets. AutoFocus reports are also used by the dashboard as part of a
shared system; as such, edits and updates made from either the reports or the dashboard have
a global effect. Moreover, reports can be added to your dashboard for fast reference. You can
select the time range upon which the report details will be based. You also have the option to
generate a PDF of the report.

> Reports Overview


> Customize Reports
> Scheduled Reporting
> Use the Threat Summary Report to Observe Malware Trends

Reports Overview
From Reports, you can run, create, and manage your AutoFocus reports.

From the AutoFocus reports overview page, you can:


• Create a new report (1)—Add a report title and description and then select Create to add a new report. A
new blank report opens in editing mode.
• Search Reports (2)—Searches reports based on report name.
• Manage Default Reports (3).
• Run—Opens the selected report.
• Email Scheduler—Configure AutoFocus to automatically generate and send reports to specified email
addresses.
• Clone—Creates and opens a duplicate of the selected report. You can edit the report from this page.
If you do not provide a new name for the report, AutoFocus creates a name by appending the name
on which the report is based with the word clone. For example, Custom Report 1 Clone.
• Upgrade—When Palo Alto Networks updates the settings for a default report, select this option
to synchronize the report with the latest version. This option is displayed only when an update is
available.
• Pin—Adds the selected report to the dashboard tabs for quick reference. You can also pin (and unpin)
reports from the dashboard.
• Reset—Returns the page to the default settings. This option is only available after a report has been
upgraded to the latest version and subsequently edited by a user.
• Manage Custom Reports (4)—The Run, Clone, Email Scheduler, and Pin operations function as described
under Manage Default Reports; however, you cannot upgrade a custom report, because these reports are
not managed by Palo Alto Networks. Additionally, you have the option to Delete a report. Selecting this
permanently deletes the report from AutoFocus.

Customize Reports
You can customize the default reports, such as the Threat Summary Report, or create your own customized
reports using widgets. You can add or remove widgets based on your preferences, and select the order in
which they appear on the report. As reports share the same infrastructure as the dashboard, please refer to
the following for more information on report functions:
• Customize the Dashboard
• Drill Down on Dashboard Widgets

STEP 1 | Open Reports to manage and create new custom reports.

STEP 2 | Create or open a report.

• New Report—Select Create a new Report. Add a report title and description and then select Create
to add a new report. A new blank report opens in editing mode.
• Existing Report—Select and then Run a report.
• New Report based on an existing report—Click Clone to create and open a duplicate of the selected
report. A new report based on an existing one opens in editing mode. If you do not provide a new
name for the report, AutoFocus creates a name by appending the name on which the report is based
with the word clone. For example, Custom Report 1 Clone.
• Edit Report description—Click on the report description to edit the text. Press enter to save the
change. You can exit without saving changes by pressing Esc or clicking on a different element of the
AutoFocus interface.

You can only edit the description for user-defined reports.

STEP 3 | If you are not in editing mode, click the Page Editor (2) to edit the report.

STEP 4 | Edit the widgets and widget placement on the report.
• Update the name of the report (1).
• Edit the name of a widget (3).
• Remove a widget.
Click X to remove a widget (4).
Removing a widget frees up a slot on the dashboard where you can add a widget.
• Add a new row of widgets.
Choose an area on the dashboard where you would like to insert a new row of widgets, and click Add
Row (5). The newly added row includes two blank slots for widgets by default.
• Add a widget.
Find a blank widget slot, and click Add Widget (6). Then select a widget type.
• Remove a row of widgets.
On the right side of the row you want to remove, click Remove Row (7).
• Change the number of widgets in a row.
Change Columns (8) in the row to show up to 4 widgets.

Depending on the widget configuration and visualization options used, you might not
be able to view the entire data set presented within a widget. Adjust the widget size by
changing the number of columns per row and configuration options to best suit your
report presentation requirements.

STEP 5 | Save your changes to the report. When you are finished making your changes, click the Page
Editor (2).

Scheduled Reporting
You can configure AutoFocus to automatically generate and send reports to a series of recipients via
email. You can specify the date and interval at which the reports are sent, as well as the specific coverage
timespan of the report. This eliminates the need for you to manually generate and send the reports to
relevant people in your organization.

STEP 1 | Click Reports on the navigation pane.

STEP 2 | On the report you want to create a schedule for, click Email Scheduler.

The number of email schedules that are configured for a given report is shown in the
Email Scheduler button.

STEP 3 | Add an email schedule profile.

STEP 4 | Configure your email schedule and click Save to continue. You can define the recipient email
address, the Frequency of the reports, as well as the Days and Time when it is sent. You can
also filter the report contents based on the Verdict, the Time Frame (when the sample was first
forwarded or uploaded to WildFire for analysis), the sample upload Source, and by Tag Group.
Alternatively, you can apply a pre-configured Saved Search setting which uses the verdict, first
seen, source, and tag group settings defined in the specified configuration. On the bottom-left,
you will see the date when the next report is to be sent.

STEP 5 | From the email schedule profile window, create additional email schedules as well as
manage existing ones. You can also send a test email to verify that the report and configuration are
acceptable for your organization. Click Close when you have finished creating and updating
email schedules. Select Add if you want to configure additional recipients for emailed reports.

Use the Threat Summary Report to Observe
Malware Trends
Generate a threat summary report, which provides a visual overview of threat trends based on your
network traffic. You can select the time range upon which the report details will be based. You also have
the option to generate a PDF of the report.
• Threat Summary Report Overview
• View Threat Summary Report Details

Threat Summary Report Overview


The threat summary report is a rundown of artifacts that AutoFocus and WildFire associate with malware.
You can find the threat summary report in the Reports section of the AutoFocus portal. When you View
Threat Summary Report Details for the first time, the report for your support account displays with a
default time range of 7 days and the industry you selected when you initially set up your AutoFocus support
account.

The report contains the following sections:

• Executive Summary—Consists of the following highlights:
  • Malware Applications—The unique number of applications through which malware was delivered.
    (Application is the App-ID™ matched to the type of application traffic detected in a session.)
  • Total Malware Sessions—The total number of sessions in which WildFire detected a sample with a
    verdict of malware.
  • Tagged Malware Sessions—Out of the total malware sessions, the percentage of sessions linked to
    samples that received at least 1 tag.
  • Tagged Malware Samples—The number of malware samples that received at least 1 tag.
• Malware Session Percentage By Day—This chart provides:
  • A daily count of sessions associated with malware for devices in your support account.
  • The percentage of malware sessions out of the total number of sessions for devices in your support
    account.
  • The percentage of malware sessions out of the total number of sessions for all AutoFocus users in an
    industry.
  • A comparison of the average percentage of malware sessions seen with your account and the average
    percentage of malware sessions for the industry.
• Samples Summary—This chart provides:
  • The number of samples grouped by WildFire verdict (malware, grayware, and benign).
  • The number of tagged malware samples versus untagged malware samples.
  • The percentage of malware samples.
  • The percentage of tagged malware samples.
• Top Firewalls—The top 10 firewalls where WildFire detected the most malware sessions.
• Top Upload Sources—The top 10 upload sources that submitted your samples to WildFire.
• Top Filetypes Per Application—The number of malware sessions for the top 5 applications most frequently
  used to distribute malware. For each application, the malware sessions are broken down by filetype.
• Top Applications—The 10 applications that distributed the most malware samples.

  If there are applications in this list that have no legitimate business purpose in your
  organization, you may want to create a rule on your firewall blocking these applications.

• Bottom Applications—The 10 applications that distributed the fewest malware samples.
• Top Filetypes—The 10 filetypes most frequently associated with malware samples.
• Bottom Filetypes—The 10 filetypes least frequently associated with malware samples.
• Top Malware Family Tags—The top 10 Unit 42 and private Malware Family tags that AutoFocus matched to
  your samples.
• Top Campaign Tags—The top 10 Unit 42 and private Campaign tags that AutoFocus matched to your samples.
• Top Malicious Behavior Tags—The top 10 Unit 42 and private Malicious Behavior tags that AutoFocus
  matched to your samples.
• Threats by Source Country—A map of countries from which malware sessions originated (refer to the list
  of Countries and Country Codes). The report highlights the country that sent the most malware sessions.
• Threats by Destination Country—A map of countries that malware sessions targeted (refer to the list of
  Countries and Country Codes). The report highlights the country that received the most malware
  sessions.

View Threat Summary Report Details


View the threat summary report on the AutoFocus portal or generate a printable PDF of the report. The
version of the report on the portal is interactive and lets you see the exact figures that make up the chart
data.

STEP 1 | Click Reports on the navigation pane.

STEP 2 | Configure the report settings to choose a time period for filtering the report details, and
Generate the report.

Your Malware Session Percentage By Day is compared with the figures for your industry.

STEP 3 | Hover over chart elements to view exact counts or percentages.

Click on a bar in the Top Firewalls or Top Upload Sources chart to add the value to a
search.

STEP 4 | For the charts Malware Session Percentage By Day and Top Filetypes Per Application, select
which data to display or hide.

Hide filetypes that are seen in larger quantities to view the counts for filetypes that are
seen in smaller quantities.

STEP 5 | Click on a tag to view Tag Details.

STEP 6 | Click Download PDF to generate a PDF of the report.

AutoFocus Feeds
You can use AutoFocus to export threat intelligence data produced by AutoFocus and
connected services to provide actionable data for the Palo Alto Networks firewall as well as
third-party TIP and SIEM solutions. In addition to using the data for investigative purposes
through AutoFocus, this allows you to use it for detection and prevention to better safeguard
your network from malicious activity.

> Feed Overview


> Create Custom Feeds
> Use AutoFocus Custom Feeds with the Palo Alto Networks Firewall
> Manage Custom Feeds

Feed Overview
AutoFocus custom feeds are URL lists and EDLs that are generated based on a user-generated query, which
defines the indicator type and associated conditions for items populating a given list. Using this custom
filter, AutoFocus outputs the threat data into a URL list or EDL, which can then be consumed as an EDL by
the firewall or other services that use URL lists to enforce security policies. The threat intelligence data is
sourced from various Palo Alto Networks customers and services to create the Palo Alto Networks Threat
Feed, which includes IP addresses, domains, URLs, and hash indicators. This master list is updated daily and
is the reference source for user-created custom threat feeds. You can view the new, daily additions to the
list by selecting Feed > Palo Alto Networks Daily Threat Feed.

Create Custom Feeds
To export threat intelligence data generated from AutoFocus and other Palo Alto Networks connected
services, you must create custom feeds, which organize data into a specific, user-defined set that can be
output into URL lists or EDLs.

User-defined feeds can return a maximum of 100,000 IPv4 indicators or 5,000 indicators
of all other types per request. As a best practice, set the frequency at which the firewall
(or any other third-party consumer of threat indicators, such as a TIP or SIEM) retrieves
a feed list to match the rate at which the indicators are produced. If the number of
indicators in a feed list exceeds what can be retrieved at that rate, some of the indicators
might never be consumed. Alternatively, consider creating multiple, more specific feeds so
that each query generates a manageable number of indicators. This also allows you
to better organize and control the type of threat indicators sent to an EDL or URL list.

STEP 1 | Select Feeds on the navigation pane and then select Create a Feed.

STEP 2 | Select an indicator type and search conditions to define the limits of a search, and click Next to
continue. Depending on the indicator type, you might have predefined values or the option to
enter an exact value. You can change the scope of your indicator query by adding or removing
( ) conditions. For a preview list, click Search. This displays a list based on the search
conditions you have defined.

STEP 3 | Configure the custom feed details.

You cannot create a custom feed using duplicate query conditions.

1. Provide a Name and Description. The name and description must be at least three and ten characters
in length, respectively.
2. Select the output method:
• URL—Provides a standard custom URL list for use with third-party applications and devices.
• EDL—Provides an external dynamic list to be used with the Palo Alto Networks firewall.

STEP 4 | (EDL Feeds Only) Select an indicator type.

STEP 5 | (EDL Feeds Only) Specify the EDL Feed Authentication username and password.

STEP 6 | Verify that all the entries are correct and Save to continue.

STEP 7 | After the custom feed is created, a link to the object appears at the bottom of the page. Click
on the Feed URL to view the results, otherwise click Exit to return to the Custom Feeds
overview page.

Use AutoFocus Custom Feeds with the Palo
Alto Networks Firewall
You can use your AutoFocus custom feeds to dynamically send new threat indicator data to an external
dynamic list on a Palo Alto Networks firewall.

STEP 1 | Download the PEM certificate from AutoFocus. This certificate will be used to create a firewall
certificate profile for remote SSL server verification.

STEP 2 | Add the PEM certificate for AutoFocus to the firewall.


1. On the firewall, select Device > Certificate Management > Certificates.
2. Import the certificate to the firewall.
1. Give the certificate a descriptive name.
2. Browse for the certificate file and attach the AutoFocus certificate that you downloaded in the
previous step.
3. Click OK.

STEP 3 | Create a certificate profile for the AutoFocus PEM certificate.


1. On the firewall, select Device > Certificate Management > Certificate Profile.
2. Add a new certificate profile.
1. Give the certificate profile a descriptive name.
2. Click Add, select the certificate name from the PEM Certificate drop-down, and click OK.
3. Click OK.

STEP 4 | Configure the firewall to access an external dynamic list based on the threat indicators from
the AutoFocus custom feed.
Observe the following guidelines when configuring the firewall to access an external dynamic list:
• Add the AutoFocus-generated feed link as the Source of the external dynamic list. To find this link in
AutoFocus, edit the EDL custom feed you want to receive updates from. The feed link is located at
the bottom of the page, which also includes the custom feed details and configuration.
• Select the Certificate Profile you created for the AutoFocus PEM certificate.
• Select Client Authentication, and enter the EDL custom feed username and password used when
creating the feed.

You cannot recover a password used in a custom feed. If you do not remember the
password, you must delete and then recreate a custom feed using the same settings.

STEP 5 | Verify that the firewall can receive indicators from the AutoFocus custom feed.
On the firewall, retrieve entries for the external dynamic list you added and view the list entries.

Manage Custom Feeds
An overview of your custom feeds is available on the Feed management page. Each custom feed is
represented by a tile with a high-level overview of the configuration. From this page you can add, edit,
delete, enable, or disable your custom feeds.

STEP 1 | Select Feeds on the navigation pane to view the custom feed management page. Each tile
provides a brief overview about the custom feed configuration.

STEP 2 | Update the configuration of a custom feed.

You can only modify the indicator query of a custom feed. The type, output method, and
authentication details cannot be changed.

1. Click ( ) to open the options menu and select Edit.
2. Click ( ) to enter the custom feed edit mode.

3. Update the indicator search conditions as necessary and then click Next to continue. For a preview
list of the threat indicators that the feed generates, click Search. Keep in mind, this preview is limited
to 100 items.

4. Update the description of the custom feed as necessary and Save to finalize the changes. The other
fields are read-only and cannot be updated.

STEP 3 | Disable a custom feed by clicking the toggle switch. Disabled feeds are gray and cannot be
further modified.

STEP 4 | Delete a custom feed by clicking ( ) and then selecting Remove. Click Ok to confirm the
removal.



AutoFocus Apps
AutoFocus™ supports MineMeld, an open-source threat intelligence processing tool that
you can run as an app on the AutoFocus portal. With AutoFocus-hosted MineMeld, you can
manage threat indicators from AutoFocus and from external sources of threat intelligence in
one central location. The MineMeld app enriches AutoFocus data, calling attention to samples
with artifacts that match indicators from external sources. The ability to use MineMeld directly
in AutoFocus allows you to expand the scope of your threat research with minimal effort.

> MineMeld

MineMeld
MineMeld is a threat intelligence processing tool that extracts indicators from various sources and compiles
the indicators into multiple formats compatible with AutoFocus, the Palo Alto Networks® next-generation
firewall, and other security information and event management (SIEM) platforms.
• Introduction to MineMeld
• Start, Stop, and Reset MineMeld
• Use AutoFocus-Hosted MineMeld
• Create a MineMeld Node
• Connect MineMeld Nodes
• Delete a MineMeld Node
• AutoFocus Prototypes
• Forward MineMeld Indicators to AutoFocus
• Forward AutoFocus Indicators to MineMeld
• Use AutoFocus Miners with the Palo Alto Networks Firewall
• Troubleshoot MineMeld

Introduction to MineMeld
Using threat intelligence to enforce security policy poses several challenges. Sources of threat indicators
often place indicators in multiple formats or format them inconsistently. Using indicators from multiple
sources and packaging them into different formats requires a large investment of time and effort, especially
as you discover new sources of indicators. It is also difficult to keep track of updates to threat indicator
sources, since they are updated at different times and not always on a regular basis. MineMeld automates
many of these manual processes so you can use indicators to dynamically enforce policy with your firewall
or to investigate threats with AutoFocus.
Three types of MineMeld nodes make it possible to automate the flow of indicators from source to
destination:
• Miners extract indicators from sources of threat intelligence, such as a threat indicator feed or a threat
intelligence service like AutoFocus.
• Processors receive indicators from miners and can aggregate indicators, eliminate duplicated indicators,
and merge different sets of metadata for the same indicator. For example, a common type of processor
is one that receives only IPv4 indicators.
• Outputs receive indicators from processors. Output nodes format the indicators and allow MineMeld to
dynamically send the indicators to one or more destinations (for example, MineMeld can send indicators
from external threat feeds to AutoFocus or the firewall).
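To make the three node roles concrete, here is an added example that models them in a few lines of Python; it is not MineMeld's own code or API. Two miners read constructed block lists, a processor keeps only IPv4 indicators and merges duplicates (union of sources, highest confidence), and an output renders an EDL body; the "sources" and "confidence" metadata fields are assumptions.

```python
"""Model of the three MineMeld node types: miners extract indicators from
sources, a processor aggregates them (IPv4 only, duplicates merged, metadata
combined), and an output formats them as an EDL body.

Added example to illustrate the node roles; it is not MineMeld's code or
API. The feeds and the 'sources'/'confidence' metadata are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed feeds standing in for two external block lists.
FEED_A = ["# constructed feed A", "198.51.100.7", "203.0.113.0/24",
          "malicious.example", "2001:db8::1"]
FEED_B = ["198.51.100.7", "192.0.2.44"]


@dataclass
class Indicator:
    value: str
    meta: dict = field(default_factory=dict)


class Miner:
    """Extracts indicators from one source, tagging each with its origin."""

    def __init__(self, name, lines, confidence):
        self.name, self.lines, self.confidence = name, lines, confidence

    def run(self):
        for line in self.lines:
            line = line.strip()
            if line and not line.startswith("#"):
                yield Indicator(line, {"sources": {self.name},
                                       "confidence": self.confidence})


class IPv4Processor:
    """Accepts only IPv4 addresses or networks and merges repeated
    indicators: the union of sources and the highest confidence are kept."""

    def __init__(self):
        self.store = {}

    @staticmethod
    def _is_ipv4(value):
        try:
            return ipaddress.ip_network(value, strict=False).version == 4
        except ValueError:
            return False

    def accept(self, ind):
        if not self._is_ipv4(ind.value):
            return False
        existing = self.store.get(ind.value)
        if existing is None:
            self.store[ind.value] = Indicator(
                ind.value, {"sources": set(ind.meta["sources"]),
                            "confidence": ind.meta["confidence"]})
        else:
            existing.meta["sources"] |= ind.meta["sources"]
            existing.meta["confidence"] = max(existing.meta["confidence"],
                                              ind.meta["confidence"])
        return True


class EDLOutput:
    """Formats indicators one per line, ordered by address, optionally
    keeping only those at or above a confidence threshold."""

    def __init__(self, min_confidence=0):
        self.min_confidence = min_confidence

    def render(self, indicators):
        kept = [i for i in indicators
                if i.meta["confidence"] >= self.min_confidence]
        kept.sort(key=lambda i: ipaddress.ip_network(i.value, strict=False))
        return "".join(i.value + "\n" for i in kept)


def run_pipeline(miners, processor, output):
    """Push every mined indicator through the processor and render the
    output. Returns (edl_body, count of indicators the processor rejected)."""
    rejected = 0
    for miner in miners:
        for ind in miner.run():
            if not processor.accept(ind):
                rejected += 1
    return output.render(processor.store.values()), rejected


if __name__ == "__main__":
    proc = IPv4Processor()
    body, rejected = run_pipeline(
        [Miner("feedA", FEED_A, 60), Miner("feedB", FEED_B, 90)],
        proc, EDLOutput(min_confidence=80))
    print(body, end="")
    print(f"rejected {rejected} non-IPv4 indicators")
```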

Nodes are the building blocks of MineMeld, and you can create the most basic MineMeld connection by
connecting a single miner node to a processor node and connecting the processor node to an output node.
MineMeld provides pre-built miner, processor, and output prototypes, which are templates you can use
to create a node. There are AutoFocus-specific prototypes, which you can use to create miner nodes that
use AutoFocus as a source of threat indicators (see Forward AutoFocus Indicators to MineMeld) or output
nodes that send threat indicators to AutoFocus (see Forward MineMeld Indicators to AutoFocus). For more
information on MineMeld basics, view a Quick Tour of the MineMeld Default Configuration.

Start, Stop, and Reset MineMeld


Before you begin to use MineMeld, learn how to start, stop, or reset the MineMeld app.

STEP 1 | Click Apps on the navigation pane.

STEP 2 | Choose from the following options:


• Start MineMeld.
A progress bar indicates that MineMeld is deploying. You can Use AutoFocus-Hosted MineMeld
when the deployment is complete. The initial MineMeld deployment may take several minutes.

• Stop the running instance of MineMeld.
Stop MineMeld from retrieving, processing, and delivering indicators to output nodes. To re-open the
previously deployed instance of MineMeld, you must Start MineMeld again.
• Reset MineMeld to its default configuration.

Resetting MineMeld permanently deletes any nodes or customizations you have made
within the app. However, if you reset MineMeld after you Forward MineMeld
Indicators to AutoFocus, AutoFocus continues to store the indicators that the
deleted nodes forwarded.

If you use MineMeld to forward indicators to an external dynamic list on a Palo Alto Networks firewall
and reset MineMeld, you must update the external dynamic list with a new link from MineMeld.

Use AutoFocus-Hosted MineMeld


MineMeld is available on a per-support-account basis. Use MineMeld to Find High-Risk Artifacts and gain
more visibility into threats on your network. When MineMeld is running, it extracts and processes indicators
based on the nodes that are connected.

STEP 1 | Click Apps on the navigation pane, and Start MineMeld.


A link to MineMeld displays on the navigation pane when MineMeld starts deploying.

STEP 2 | Access MineMeld from the navigation pane.

STEP 3 | Choose from the following actions:


• Get an overview of miner, processor, and output nodes currently in use on the Dashboard.

When using MineMeld for the first time (or after resetting it), the default configuration
of nodes sends IP addresses, URLs, and domains from a set of block lists to the
Indicator Store, a storage space in AutoFocus for external indicators. Click Indicators
on the navigation pane to view the Indicator Store.
• View a library of miner, processor, and output Prototypes you can clone to Create a Minemeld Node.
• View a complete list of Nodes you’ve created.
• Choose other nodes from which a node will receive indicators. Edit the inputs of the node Config to
Connect MineMeld Nodes. The Config tab also allows you to Delete a MineMeld Node.
• View the Logs, which are a record of the indicators that MineMeld extracted from feed sources.
For more guidance on how to use MineMeld, see MineMeld.

Create a Minemeld Node


Evaluate which sources of indicators you want to use and where to forward the indicators after MineMeld
processes them. You can then create miner, processor, and output nodes based on this information.

STEP 1 | Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).

STEP 2 | Click MineMeld on the navigation pane.

STEP 3 | Click Prototypes.

STEP 4 | Select a prototype from the list. If you know the name of the prototype, use the Search field to
quickly find the prototype.

Create nodes based on AutoFocus Prototypes to Forward MineMeld Indicators to
AutoFocus or to Forward AutoFocus Indicators to MineMeld.

STEP 5 | Clone the prototype to create a new node from it.

STEP 6 | Complete the required fields for the node:


• Give the node a descriptive Name.
• (Processor and output nodes only) Select one or more miner and/or processor nodes that the node
will use as Inputs. The node will receive indicators from the inputs you select.

STEP 7 | Click Ok. MineMeld switches to the Config tab automatically, which lists your newly created
node.

STEP 8 | Commit to save the new node.

STEP 9 | Find the new node in the list of Nodes to verify that it was saved successfully.

An exclamation point next to the node name notifies you that you must Complete
additional required fields for a node.

STEP 10 | Complete additional required fields for a node.


1. Hover over the exclamation point to see which fields are required.
2. Click the node entry to view the node details.
3. Enter or select a value for the required fields, and click Nodes to verify that the exclamation point is
gone.

STEP 11 | Connect MineMeld Nodes to begin sending indicators to a destination.

Connect MineMeld Nodes


After you Create a Minemeld Node, connect miner, processor, and output nodes to each other to set the
direction of the flow of indicators.

STEP 1 | Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).

STEP 2 | Click MineMeld on the navigation pane.

STEP 3 | Click Config, and find the node you want to connect to another node.

STEP 4 | Edit the Inputs for the node.


To establish the connection between miner, processor, and output nodes, you must:
• Select one or more miners from which a processor will receive indicators.

• Select which processors will send indicators to an output.

STEP 5 | Commit to save your changes.

STEP 6 | View the flow of indicators that the node is part of.
1. View the list of Nodes.
2. Find the node in the list, and view the Graph for it. Larger nodes process more indicators than
smaller nodes.

STEP 7 | Share your MineMeld nodes and node connections with another MineMeld user.
Select the Config tab, and click Export. When you share the code that this generates with other
MineMeld users, they can Import it into their MineMeld instance.

Use the MineMeld import feature to quickly load another user’s nodes and node
connections into your MineMeld instance. Importing a configuration replaces any nodes or
node connections you have previously created.

Delete a MineMeld Node


Delete a node if you Create a Minemeld Node and decide that you no longer need to use it. Before you
delete a node, be mindful of the nodes to which it is connected to ensure that you don’t accidentally cut off
a desired flow of indicators to an output.

STEP 1 | Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).

STEP 2 | Click MineMeld on the navigation pane.

STEP 3 | Click Config.

STEP 4 | Find the node you want to delete. If you know the name of the node, use the Search field to
quickly find the node.

Check the node inputs and verify that you can delete the connection to these inputs.

STEP 5 | Click x, and then click Ok to confirm that you want to delete the node.

STEP 6 | Commit to delete the node.

STEP 7 | Check that the node no longer appears in the list of Nodes to verify that it was deleted
successfully.

AutoFocus Prototypes
The following AutoFocus-specific prototypes allow you to Forward MineMeld Indicators to AutoFocus
and Forward AutoFocus Indicators to MineMeld. To view the default behavior for a prototype, select
the prototype from the Prototypes tab in MineMeld and view the configuration (Config) details. The
prototypes below have default intervals for extracting and aging out indicators. When an indicator is aged
out, MineMeld withdraws the indicator from the outputs that received it.

Prototype: Samples Miner
Description: The samples miner extracts Threat Indicators from samples that meet the conditions of an
AutoFocus search. You must set the search conditions when you create this miner node. The samples
miner does not extract all sample artifacts; it only extracts statistically important artifacts that
AutoFocus has determined to be indicators based on their tendency to be seen with malware.
Default Behavior:
• Accepts all indicator types.
• Initially extracts indicators from samples that meet the criteria of the search based on the last 24
hours.
• After the initial poll for indicators, extracts indicators from samples every hour.
• Each time this miner extracts indicators, it only extracts indicators from the first 10,000 samples.
• Only forwards indicators that it has not seen previously.
• Ages out indicators 24 hours after the last time they were seen in the sample search results.

Prototype: Indicator Store Miner
Description: The indicator store miner extracts indicators from external sources that are currently
stored in the AutoFocus Indicator Store (see Manage Threat Indicators). You must connect this miner to
a processor and output node to forward the indicators to a destination outside of AutoFocus, such as a
Palo Alto Networks firewall or other SIEM platforms.
The indicator store miner is an updated version of the deprecated artifact miner.
Default Behavior:
• Accepts all indicator types.
• Initially extracts indicators that were added to the Indicator Store in the last 24 hours.
• After the initial poll for indicators, extracts indicators from the store every hour.
• Only forwards indicators that it has not seen previously.
• Ages out indicators 30 days after the last time they were added or updated in the Indicator Store, or
as soon as an indicator is marked as expired in the store. Expired indicators are indicators that have
been removed from the feed from which they came.

Prototype: Indicator Store Output
Description: The indicator store output sends indicators from external threat intelligence sources
directly to the AutoFocus Indicator Store (see Manage Threat Indicators). AutoFocus highlights indicators
in your samples that match the indicators in the store, allowing you to Find High-Risk Artifacts.
The indicator store output is an updated version of the deprecated artifact output.
Default Behavior:
• Accepts all indicator types.
• Does not allow you to use the artifacts miner to send indicators back to the AutoFocus Indicator Store.

Prototype: Export List Miner
Description: The export list miner sends artifacts from an AutoFocus export list to a destination outside
of AutoFocus. Unlike the other AutoFocus prototypes, the export list miner can be used in either
AutoFocus-hosted MineMeld or a MineMeld instance you deployed in your own environment.
Default Behavior: Accepts IPv4, URL, and domain indicators.

Forward MineMeld Indicators to AutoFocus


Use an AutoFocus Indicator Store Output node to store indicators from one or more threat intelligence
sources in AutoFocus. When you view the WildFire analysis details for samples in your search results,
AutoFocus highlights sample indicators matching the indicators that MineMeld forwarded.

STEP 1 | Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).

STEP 2 | Create a Minemeld Node that will receive processed indicators and send them to AutoFocus.
Create an output node based on the prototype autofocus.indicatorStoreOutput.

STEP 3 | Connect MineMeld Nodes (miner and processor) to the output node you just created.

STEP 4 | Click Indicators on the navigation pane to view the Indicator Store and Manage Threat
Indicators that MineMeld forwarded. The Indicator Store has space for up to 180 million
indicators.
You can now easily spot sample indicators that match MineMeld indicators when you Find High-Risk
Artifacts.

Forward AutoFocus Indicators to MineMeld


Use MineMeld to send indicators from AutoFocus to the firewall and other SIEM platforms. Learn more
about how you can Use AutoFocus Miners with the Palo Alto Networks Firewall.

• Use an AutoFocus Samples Miner to forward Indicators from sample search results.
1. Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
2. Work with the Search Editor to set up a search.
3. Create MineMeld Miner from the search page.
The node details include:
1. Name—Give the miner a descriptive name.
2. Prototype—The prototype is pre-selected (autofocus.samplesMiner).
3. Query—This field is pre-populated with the conditions of your search.
4. Scope—Select the scope of the search results: global, private, or public.
5. Artifacts—Select which indicators AutoFocus will forward to MineMeld: Any indicators, only
indicators that match MineMeld indicators, or None (MineMeld only extracts hashes from the
sample search results).
6. Connect to Processors—Select processors that will receive indicators from the miner.

If you select a Scope of global, the miner extracts indicators from your private
samples and public samples from you and other AutoFocus users; it does not
extract indicators from other users’ private samples.
4. Connect MineMeld Nodes (processor and output) to the miner you just created.

• Use an AutoFocus Indicator Store Miner to forward indicators from external sources stored in
AutoFocus (see Manage Threat Indicators) to a destination outside of AutoFocus.
1. Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
2. Click Indicators on the navigation pane and optionally, Filter the indicators.
3. Create MineMeld Miner.
The node details include:
1. Name—Give the miner a descriptive name.
2. Prototype—The prototype is pre-selected (autofocus.indicatorStoreMiner).
3. Query—If you filtered the indicators, this field is pre-populated with the filter you used.
4. Connect to Processors—Select processors that will receive indicators from the miner.
4. Connect MineMeld Nodes (processor and output) to the miner you just created.

• Use an AutoFocus Export List Miner to forward indicators from an AutoFocus export list.

You can use the AutoFocus export list miner in AutoFocus-hosted MineMeld or in a
MineMeld instance you deployed in your own environment. The default behavior of the
miner is the same in either version of MineMeld.

1. Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
2. Create a Minemeld Node based on the prototype autofocus.exportList.
When completing the additional required fields for the node, provide your AutoFocus API Key and
the Label of the export list from which MineMeld will extract indicators.

Use AutoFocus Miners with the Palo Alto Networks Firewall


Use AutoFocus miners to dynamically send indicators from AutoFocus to an external dynamic list on a
PAN-OS 9.0 firewall.

STEP 1 | Add the root certificate authority (CA) certificate for MineMeld to the firewall.
1. Download the GoDaddy Class 2 Certification Authority Root Certificate:
https://certs.godaddy.com/repository/gd-class2-root.crt
2. On the firewall, select Device > Certificate Management > Certificates.
3. Import the certificate to the firewall.
1. Give the certificate a descriptive name.
2. Browse for the certificate file and attach the GoDaddy certificate you downloaded.
3. Click OK.

STEP 2 | Create a certificate profile for the MineMeld root CA certificate.


1. On the firewall, select Device > Certificate Management > Certificate Profile.
2. Add a new certificate profile.
1. Give the certificate profile a descriptive name.
2. Click Add, select the certificate name from the CA Certificate drop-down, and click OK.
3. Click OK.

STEP 3 | Configure the MineMeld nodes that will send indicators to the firewall.

This procedure focuses on using AutoFocus miners to forward indicators to an external
dynamic list; however, you can use other MineMeld miners that extract IPv4 addresses,
domains, and URLs to forward indicators to an external dynamic list.

1. Use an AutoFocus sample or indicator store miner to Forward AutoFocus Indicators to MineMeld.
2. In MineMeld, Connect MineMeld Nodes (AutoFocus miner and processor) to an output that can feed
indicators to an external dynamic list on the firewall.

To find outputs that you can use with an external dynamic list, view the list of
MineMeld Prototypes and search with the keyword EDL.

3. Restrict access to the indicators.


1. Select the output node you plan to use with an external dynamic list from the list of Nodes.
2. Click Tags, enter a tag name to use with the output node, and click OK.
3. Click Admin, and select the Feeds Users tab.
4. Click (+) to add a new user profile for accessing the indicators from the output node.
5. Create a username and password, confirm the password, and click OK.
6. Grant the user you just created access to the output node. In the Access setting for the user,
select the tag for the output node and click OK.

STEP 4 | Configure the firewall to access an external dynamic list based on the indicators from the
AutoFocus miners.
Follow the steps to add a new external dynamic list to the firewall and observe the following guidelines:
• Enter the MineMeld-provided link from the output node as the Source of the external dynamic list.
To find this link in MineMeld, select the output node from the list of Nodes and copy the Feed Base
URL link.
• Select the Certificate Profile you created for the MineMeld root CA certificate.
• Select Client Authentication, and enter the username and password for the user you created from
the previous step.

STEP 5 | Verify that the firewall can receive indicators from the AutoFocus miners.
On the firewall, retrieve entries for the external dynamic list you added and view the list entries.

Troubleshoot MineMeld
Refer to the procedures below to troubleshoot issues with MineMeld.

• Free up disk space on MineMeld


A red dot appears on the System tab when there is only 30% of disk space remaining in MineMeld. To
continue using MineMeld with logging enabled, you must free up more disk space.
1. In MineMeld, click the System tab.
2. A warning message notifies you that disk space is low. Verify the disk status.

3. Purge Logs.
This deletes logs of internal system processes on MineMeld; it does not delete the record of
indicators that nodes received or indicators that were aged out in the Logs tab.

• Force an AutoFocus samples or artifacts miner to retrieve indicators.


For a samples or artifacts miner, the default interval for retrieving and forwarding indicators to a
processor is 1 hour. To trigger the miner to retrieve indicators immediately, follow the steps below.
1. In MineMeld, select the samples or artifacts miner from the list of Nodes.

2. Click Run Now to start retrieving indicators.

As the node retrieves indicators, the # Indicators count goes up.

3. Track all indicator activity associated with a node.

• Force an AutoFocus samples or artifacts miner to age out indicators.


When a miner node ages out indicators, it withdraws indicators from the outputs that received them.
The samples miner has a default age-out interval of 24 hours, while the artifacts miner has a default
interval of 30 days. To trigger these miners to age out indicators immediately, follow the steps below.
1. In MineMeld, select the samples or artifacts miner from the list of Nodes.
2. Flush indicators.

3. Track all indicator activity associated with a node.

• Track all indicator activity associated with a node.


1. In MineMeld, select a node from the list of Nodes.
2. View the node Stats. By default, the statistics displayed are based on indicator activity from the last
24 hours.

1. Compare the counts from different points in the Indicators graph to determine the number of new
indicators that the node processed during a time range. A drop in the graph indicates that some
indicators associated with the node were aged out.

2. View the trend of indicators that the node added, aged out, updated, and withdrew from other
nodes.

3. Change the Time Range to view indicator stats for a shorter or longer time period.

• Track indicators that were successfully received by a node and indicators that were aged out.
View the MineMeld logs to determine if an indicator was successfully received by a node or aged out.
1. View the logs for a specific indicator.
1. In MineMeld, click the Logs tab.
2. In the search field, enter indicator:[indicator value] and click the spyglass to launch the
search.
3. Evaluate the logs for the indicator based on the following log messages.
EMIT_UPDATE—A log of a node sending an indicator (or an indicator update) to another node.
ACCEPT_UPDATE—A log of a node successfully receiving an indicator from another node.
EMIT_WITHDRAW—A log of a node aging out an indicator.
ACCEPT_WITHDRAW—A log of a node accepting a request from another node to withdraw an
aged out indicator.

2. View the logs for a specific node.
1. Click the Nodes tab and select a node.
2. View all Logs of indicator activity related to the node.
3. Click on a log message or indicator tag to filter the logs further.
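The four log messages listed above can be evaluated programmatically. The added example below (not MineMeld code) walks a constructed, single-line-per-message log sample, reports per node whether an indicator is still active or has been aged out, and flags nodes that still hold an indicator some upstream node already withdrew, which is the case where an output keeps serving a stale value to an external dynamic list. The line layout of the sample log, the node names, and the addresses are assumptions.

```python
"""Evaluate MineMeld-style log messages for an indicator. Added example, not
MineMeld code: the single-line layout of the constructed sample log is assumed."""
import re
from collections import Counter
from typing import Dict, List

MSG_TYPES = ("EMIT_UPDATE", "ACCEPT_UPDATE", "EMIT_WITHDRAW", "ACCEPT_WITHDRAW")
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<node>\S+) (?P<msg>%s) indicator=(?P<ind>\S+)$"
                    % "|".join(MSG_TYPES))

# Constructed sample (documentation-range addresses, not real indicators).
SAMPLE_LOG = """\
2020-09-30T09:00:00Z samples_miner EMIT_UPDATE indicator=192.0.2.10
2020-09-30T09:00:00Z ipv4_processor ACCEPT_UPDATE indicator=192.0.2.10
2020-09-30T09:00:01Z ipv4_processor EMIT_UPDATE indicator=192.0.2.10
2020-09-30T09:00:01Z edl_output ACCEPT_UPDATE indicator=192.0.2.10
2020-09-30T09:05:00Z samples_miner EMIT_UPDATE indicator=198.51.100.7
2020-09-30T09:05:00Z ipv4_processor ACCEPT_UPDATE indicator=198.51.100.7
2020-10-01T09:00:00Z samples_miner EMIT_WITHDRAW indicator=192.0.2.10
2020-10-01T09:00:00Z ipv4_processor ACCEPT_WITHDRAW indicator=192.0.2.10
2020-10-01T09:00:01Z ipv4_processor EMIT_WITHDRAW indicator=192.0.2.10
this line is not a MineMeld log message and is skipped
"""


def parse(log: str) -> List[Dict[str, str]]:
    """Return the well-formed messages in log order; malformed lines are ignored."""
    return [m.groupdict() for m in map(LOG_RE.match, log.splitlines()) if m]


def indicator_status(log: str, indicator: str) -> Dict[str, str]:
    """Per node, the state implied by the last message about the indicator:
    'active' after EMIT_UPDATE/ACCEPT_UPDATE, 'aged_out' after a *_WITHDRAW."""
    status: Dict[str, str] = {}
    for ev in parse(log):
        if ev["ind"] == indicator:
            status[ev["node"]] = "aged_out" if ev["msg"].endswith("WITHDRAW") else "active"
    return status


def stale_nodes(log: str, indicator: str) -> List[str]:
    """Nodes still 'active' for an indicator that some node has already withdrawn.
    An output in this list may still be serving the value to an external dynamic
    list, so the firewall keeps enforcing an indicator the miner aged out."""
    status = indicator_status(log, indicator)
    if "aged_out" not in status.values():
        return []
    return sorted(n for n, s in status.items() if s == "active")


def node_activity(log: str, node: str) -> Counter:
    """Counts of each message type for one node (the node's own Logs view)."""
    return Counter(ev["msg"] for ev in parse(log) if ev["node"] == node)
```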
