February 2017
paloaltonetworks.com/documentation
Table of Contents
Get Started With AutoFocus........................................................................... 5
About AutoFocus.........................................................................................................................................7
First Look at the AutoFocus Portal........................................................................................................ 9
AutoFocus Concepts................................................................................................................................ 17
Use AutoFocus with the Palo Alto Networks Firewall....................................................................20
AutoFocus Portal Settings...................................................................................................................... 21
AutoFocus Dashboard..................................................................................... 23
Dashboard Overview............................................................................................................................... 25
Set the Dashboard Date Range............................................................................................................ 26
Drill Down on Dashboard Widgets...................................................................................................... 28
Customize the Dashboard...................................................................................................................... 29
AutoFocus Search.............................................................................................31
Start a Quick Search................................................................................................................................ 33
Work with the Search Editor.................................................................................................................35
Drill Down in Search Results................................................................................................................. 42
Samples........................................................................................................................................... 42
Sessions...........................................................................................................................................47
Statistics..........................................................................................................................................48
Indicators........................................................................................................................................ 50
Domain, URL, and IP Address Information............................................................................ 51
Set Up Remote Search............................................................................................................................ 54
Artifact Types.............................................................................................................................................57
General Artifacts...........................................................................................................................57
Sample Artifacts............................................................................................................................58
Session Artifacts........................................................................................................................... 60
Analysis Artifacts.......................................................................................................................... 62
Windows Artifacts....................................................................................................................... 64
Mac Artifacts................................................................................................................................. 64
Android Artifacts.......................................................................................................................... 65
Search Operators and Values................................................................................................................ 68
Guidelines for Partial Searches..............................................................................................................72
Contains and Does Not Contain Operators.......................................................................... 72
Proximity Operator...................................................................................................................... 72
AutoFocus Alerts.............................................................................................. 75
Alert Types................................................................................................................................................. 77
Email Alerts.................................................................................................................................... 77
HTTP Alerts................................................................................................................................... 78
Create Alerts.............................................................................................................................................. 80
Define Alert Actions....................................................................................................................80
Enable Alerts by Tag Type.........................................................................................................83
Create Alert Exceptions..............................................................................................................83
View Alerts in AutoFocus....................................................................................................................... 85
Edit Alerts................................................................................................................................................... 88
AutoFocus Apps..............................................................................................133
MineMeld..................................................................................................................................................135
Introduction to MineMeld....................................................................................................... 135
Start, Stop, and Reset MineMeld...........................................................................................136
Use AutoFocus-Hosted MineMeld........................................................................................137
Create a Minemeld Node........................................................................................................ 138
Connect MineMeld Nodes...................................................................................................... 140
Delete a MineMeld Node........................................................................................................ 141
AutoFocus Prototypes.............................................................................................................. 142
Forward MineMeld Indicators to AutoFocus......................................................................143
Forward AutoFocus Indicators to MineMeld......................................................................144
Use AutoFocus Miners with the Palo Alto Networks Firewall....................................... 145
Troubleshoot MineMeld...........................................................................................................146
Get Started With AutoFocus
AutoFocus is a threat intelligence service that provides an interactive, graphical interface for
analyzing threats in your network. With AutoFocus, you can compare threats in your network
to threat information collected from other networks in your industry or across the globe,
within specific time frames. AutoFocus statistics are updated to include the most recent threat
samples analyzed by Palo Alto Networks. Access to this information allows you to keep up
with threat trends and to take a preventive approach to securing your network.
See the following topics to get started with the AutoFocus threat intelligence service. If you
haven't already, first register and activate AutoFocus.
6 AUTOFOCUS ADMINISTRATORS GUIDE | Get Started With AutoFocus
About AutoFocus
The AutoFocus threat intelligence portal enables you to quickly identify threats on your network, and to
contextualize such events within an industry, global, and historical context. AutoFocus harnesses data from
WildFire, the PAN-DB URL Filtering database, Unit 42, and from third-party feeds (including both closed
and open-source intelligence). AutoFocus then makes the data searchable and layers the data with statistics
that both highlight pervasive malware and reveal connections between malware.
Take a look at the following table for an overview of AutoFocus features that allow you to prioritize,
contextualize, and address threats affecting your network.
Figure: AutoFocus portal overview with callouts for the Dashboard, Navigation Pane, Dashboard Widgets, Top Tags, Alerts Log, and Feedback Link.
Samples
For both AutoFocus and WildFire, a sample refers to a file (such as a PDF
or PE) or a link included in an email. The Palo Alto Networks firewall and
other sources such as Traps and Proofpoint can forward unknown samples
to the WildFire cloud, where WildFire performs Static Analysis and Dynamic
Analysis of the sample. As WildFire observes and executes the sample in the
analysis environment, WildFire associates different Artifacts with the sample.
AutoFocus allows you to search for samples based on the sample hash and
other Sample Artifacts. When you perform a search in AutoFocus, AutoFocus
compares all historical and new samples to the search conditions and filters
the search results accordingly.
AutoFocus receives WildFire analysis information for samples submitted to
the WildFire global and regional clouds.
Static Analysis
Static analysis is a type of analysis based on properties of a sample that
WildFire can detect and observe in a virtual environment without executing
the sample. For details on the type of static analysis information that
AutoFocus reports for samples, see Artifact Types.
Threat Indicators
An indicator is an artifact that security experts typically observe to detect
signs that a network has been compromised. Indicators are crucial for
implementing a network defense strategy based on threat intelligence. The
following types of artifacts are considered indicators in AutoFocus:
Domain
IPv4
Mutex
URL
User agent
AutoFocus determines which artifacts are indicators through a statistical
algorithm based on the tendency of the artifact to be seen predominantly in
malware samples. With the MineMeld app, you can forward indicators from
external threat feeds into AutoFocus. You can then Manage Threat Indicators
and Find High-Risk Artifacts that match indicators to check your network for
known threats.
Public Tags and Samples
Public tags and samples in AutoFocus are visible to all AutoFocus users.
For tags you create, you can set the status to public, so that the tag is visible
to the AutoFocus community. You can revert the tag to be private at any
time.
Public samples consist of samples from open-source intelligence (OSINT) and
other external public sources, as well as samples that AutoFocus users have
made public. Samples from your organization can only become public in two
ways:
Open the sample details and manually set the sample to Public, in order to
share it within the AutoFocus community.
If a private sample from your organization is later received by WildFire
from a public source, the sample will become public at that time.
Private Tags and Samples
Private tags and samples in AutoFocus are visible only to AutoFocus users
associated with the same support account.
Private tags and samples can be made public, with the option to revert the tag
or sample back to private status at any time.
All Tab and All Samples
The All tab on the dashboard and the option to view All Samples in a search
include statistics for all samples seen by WildFire, both public and private;
however, identifying details are obfuscated for private samples. The All
tab on the dashboard displays all malware (including private samples) with
obfuscated hashes. The All Samples view in a search obfuscates private
sample details with the exception of the WildFire verdict for the sample, the
date the sample was first submitted to WildFire, the file size, and the file type.
Suspicious
Suspicious artifacts:
Have been widely-detected across large numbers of samples.
Are most frequently detected with malware. Although suspicious artifacts
can be detected with grayware and benign samples, they are more often
found with malware.
For more on suspicious artifacts in AutoFocus, you can Find High-Risk
Artifacts and Add High-Risk Artifacts to a Search or Export List.
Highly Suspicious
Highly suspicious artifacts:
Have been detected in very few samples. The lack of distribution of these
types of artifacts could indicate an attack crafted to target a specific
organization.
Are most frequently detected with malware. In some cases, these artifacts
have been exclusively seen with malware and never with grayware or
benign samples.
For more on highly suspicious artifacts in AutoFocus, you can Find High-Risk
Artifacts and Add High-Risk Artifacts to a Search or Export List.
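As an added illustration that is not from the guide, the following Python applies the two heuristics above (prevalence across samples plus how often an artifact co-occurs with malware) to constructed per-artifact benign/grayware/malware counts. The thresholds, the "normal" bucket and the names classify and triage are assumptions for illustration; the guide does not publish the cut-offs of AutoFocus's own statistical algorithm.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed thresholds (illustration only; AutoFocus's real cut-offs are not
# published in the guide).
WIDESPREAD_MIN_SAMPLES = 1000          # "widely detected across large numbers of samples"
RARE_MAX_SAMPLES = 10                  # "detected in very few samples"
SUSPICIOUS_MALWARE_RATIO = 0.75        # "most frequently detected with malware"
HIGHLY_SUSPICIOUS_MALWARE_RATIO = 0.90 # near-exclusive to malware


@dataclass
class ArtifactCounts:
    """How many benign, grayware and malware samples an artifact was seen in."""
    artifact: str
    benign: int
    grayware: int
    malware: int

    @property
    def total(self) -> int:
        return self.benign + self.grayware + self.malware

    @property
    def malware_ratio(self) -> float:
        # Share of all sightings that were in samples with a malware verdict.
        return self.malware / self.total if self.total else 0.0


def classify(a: ArtifactCounts) -> str:
    """Return 'highly suspicious', 'suspicious' or 'normal' for one artifact.

    Highly suspicious: rarely seen overall AND almost only with malware
    (the narrow distribution hints at something crafted for one target).
    Suspicious: widely seen AND mostly with malware. Everything else is
    'normal', including rare artifacts whose verdict mix is not malware-heavy.
    """
    if a.total == 0:
        return "normal"
    if a.total <= RARE_MAX_SAMPLES and a.malware_ratio >= HIGHLY_SUSPICIOUS_MALWARE_RATIO:
        return "highly suspicious"
    if a.total >= WIDESPREAD_MIN_SAMPLES and a.malware_ratio >= SUSPICIOUS_MALWARE_RATIO:
        return "suspicious"
    return "normal"


def triage(counts: List[ArtifactCounts]) -> Dict[str, List[str]]:
    """Bucket artifacts for review; within a bucket, the most malware-heavy come first."""
    buckets: Dict[str, List[str]] = {"highly suspicious": [], "suspicious": [], "normal": []}
    for a in sorted(counts, key=lambda x: (-x.malware_ratio, x.total)):
        buckets[classify(a)].append(a.artifact)
    return buckets


# Constructed counts (benign, grayware, malware); none of these are real indicators.
SAMPLE_COUNTS = [
    ArtifactCounts("mutex: ExampleMutex01", 0, 0, 3),            # rare, malware only
    ArtifactCounts("user agent: Mozilla/4.0 (compatible; MSIE 6.0)", 2000, 3000, 25000),
    ArtifactCounts("domain: update.example.test", 900, 50, 50),  # widespread, mostly benign
    ArtifactCounts("ipv4: 192.0.2.10", 2, 1, 5),                 # rare but mixed verdicts
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_COUNTS).items():
        print(bucket, names)
```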
This feature is supported with firewalls running PAN-OS 7.1 or later release versions.
You can use Panorama to remotely search for artifacts in firewalls that are not connected to AutoFocus
and/or are running PAN-OS 7.0 and earlier.
Dashboard Overview
Scan the AutoFocus dashboard to view and drill down on pervasive artifacts, including top malware, top
applications, and top firewalls. You can alternate dashboard views to display the threat landscape for your
organization, your industry, or globally.
As you move between the three dashboard tabs, the data displayed is updated to reflect the dashboard
context:
My Organization: View the threat landscape for your network, with the capability to drill down and
search on data for firewalls associated with the selected support account. Top firewalls are only
displayed on the organization tab and are not visible in other contexts.
My Industry: View the threat landscape across your industry. Explore and examine targeted threats or
trends affecting similar networks and organizations. Industry data is populated according to the industry
associated with the selected support account (for example, high tech or healthcare).
All: View the global threat landscape to contextualize both threats affecting your network and your
industry. The All tab includes the additional widget Target Industries that allows you to compare
malware rates across industries.
The Industry and All views display statistics for all samples (public and private) but do
not allow access to the details of private samples (unless they are private samples from
firewalls associated with your support account).
Drill Down on Dashboard Widgets for more details on a threat artifact, with the option to add the artifact to
a search, or tag the artifact as an indicator of compromise (IOC).
For an overview of each of the dashboard widgets, take a First Look at the AutoFocus Portal.
If you don't see any malware sessions in the Malware Download Sessions histogram, there
may not be any malware detected during the selected date range. The histogram does not
include sessions with known malware (malware that was first seen before the selected date
range).
The dashboard default time range is applied to all dashboard views (organization, industry, and all) and
dashboard widgets immediately update to reflect the time range selected.
The default time range is also reapplied when the dashboard is refreshed.
The dashboard time range is updated automatically as you adjust the sliders.
After modifying the dashboard date range using the Malware Download Sessions
histogram, you can refresh your browser at any time to reapply the default date range.
For an overview of each of the dashboard widgets, take a First Look at the AutoFocus Portal.
For details on interacting with the Top Tags widget, Vote for, Comment on, and Report Tags.
For details on interacting with the Alerts Log widget, View Alerts in AutoFocus.
Start a Quick Search
Start a simple search for an artifact from any page in AutoFocus, or use the AutoFocus search editor to
perform complex searches, with conditions that allow you to narrow or broaden the scope of your search.
Toggle your view of search results to find:
The samples matched to your search conditions (Samples tab).
The sessions during which the samples were detected (Sessions tab).
The top artifacts associated with the returned samples (Statistics tab).
The threat indicators found in the returned samples (Indicators tab).
And the DNS history and PAN-DB categorization of the results (Domain, URL & IP Address Information
tab).
After performing a search, you can drill down in sample results to find artifacts seen with that sample. For
each artifact associated with a sample, AutoFocus lists the number of times the artifact has been detected
with benign, grayware, and malware samples. Artifacts that are seen disproportionately
with malware are indicated to be Suspicious or Highly Suspicious. AutoFocus also makes it easy to view
indicators that are found with your search results.
Start searching through samples and sessions for matches to an artifact from any page on the AutoFocus
portal.
STEP 1 | Click the spyglass icon in the support account area of the portal.
You can also press Alt+s to open quick search. To close quick search, click the x on the
top right corner of the search box or click anywhere on the dimmed area of the interface.
STEP 3 | Select the scope of the search based on the artifact type.
For example, the string ImASampleFile.pl can be a Filename, a Domain, or a URL. To search for the file
ImASampleFile.pl, select an area to search under the category Filename.
Select Search on the navigation pane and add criteria directly to the search editor:
Begin a new search.
Use a saved search.
Import a search.
Click on an artifact highlighted on the dashboard. The search editor displays with the artifact listed as
a search condition.
To create a search condition, choose the type of artifact you want to find and define the scope and
value:
1. Select one of the Artifact Types from the drop-down to perform a search of global threat data based
on that artifact type.
Start typing the name of the artifact type to narrow down the list of options.
If you are attempting to select a value from a pre-populated drop-down, and the drop-down
appears to be loading for a long period of time, try clearing your browser cache.
Add conditions to your search.
You can add up to 300 search conditions to a single search.
Remove conditions from your search.
A child query is a condition or a set of conditions nested within and used to qualify a parent query. A
child query is evaluated only against the parent query to which it is added. Add a child query to return
more granular search results, where the results must match both the parent query and the child query.
The example search below shows a child query added to the Email Subject condition. Search results will
be returned for samples where the following is true:
The sample was first seen before March 13, 2015.
The email subject for the sample file contained the word test and received a WildFire verdict of
either malware or grayware.
You can only add up to 4 levels of child queries nested under parent queries.
Click Add Parent Query to nest a search condition under the preceding condition. AutoFocus then only
evaluates the nested search condition against the parent condition.
Move Up or Move Down search conditions to move conditions to or from a child query. Depending on
the placement of a condition, you can move it up or down to include it in a child query. You can also
move a condition up or down to remove it from a child query so that it is no longer a nested condition.
Disable a condition to temporarily remove it from a search. This option provides the flexibility to
temporarily adjust your search parameters, and then quickly and easily add the condition back to your
search if necessary.
Disabled search conditions are grayed out:
Start a New Search for any of the search conditions of an existing search. The new search launches in a
separate browser window.
This is one way to add search conditions that define which artifacts to find remotely in a Palo Alto
Networks next-generation firewall, Panorama, or third-party log management system when you Set Up
Remote Search.
This option is only available for SHA256 hash, IP address, user agent, filename, or URL search conditions.
Select the Show Search History icon and add Recently used or Most used search conditions to your
search.
Save searches that you might be performing on a regular basis, or to quickly recreate useful search
settings:
Click the Save Search icon, enter a name and description to identify the saved search when using it later,
and save the search.
Open Saved Search to view an alphabetical list of previously saved searches, and click the spyglass icon
to add a saved search to the search editor.
Tag a search.
Click Tag Results to create a tag based on search conditions. Tags can be used to define a set of
conditions that indicate an important network event or a possible or known threat.
Tag a search so you can easily identify and track any existing or future samples that match the search.
When you Create a Tag, give the tag a recognizable name and description. Select Tags on the navigation
pane to manage tags you have created and to view all tags.
Export a search.
You can export a search to share the search between support accounts or with another AutoFocus
security expert.
After setting up a search and viewing search results, select Export Search.
Copy the search filters.
Paste the search filters into a local file or send the filters to another user.
Click Import Search to paste and import a previously exported query or a query shared by another
AutoFocus security expert.
Start a Remote Search to look for artifacts in a Palo Alto Networks firewall, Panorama, or third-party log
management system. View more details on how to Set Up Remote Search.
This feature is supported with firewalls running PAN-OS 7.1 or later release versions.
When the MineMeld app is running, Create MineMeld Miner to send artifacts from the sample search
results to MineMeld (refer to Forward AutoFocus Indicators to MineMeld).
Click the >_API link in the Samples or Sessions tab of the search editor to view the API request for
initiating the current search. The API request is formatted in Curl URL Request Library (cURL) and
Python (see more information about using the AutoFocus API to perform a search).
The Samples, Sessions, Statistics, Indicators, and Domain, URL & IP Address Information tabs display search
results in different contexts. You can drill down in the results to find correlation among artifacts, to narrow
your search by adding artifacts to the search as you go, and to Export AutoFocus Artifacts that are high-risk.
See the following topics for details on the different search results views:
Samples
Sessions
Statistics
Indicators
Domain, URL, and IP Address Information
Samples
The Samples tab in the AutoFocus search editor displays all samples that match the conditions of the
search. Click the column headers for the sample details to sort samples in ascending (up arrow) or
descending (down arrow) order. By default, the most recently detected samples are displayed. You can
choose to view only My Samples, only Public Samples, or All Samples. All Samples includes both public
and private samples; however, private samples submitted by firewalls or sample sources other than those
associated with your support account display with an obfuscated hash.
Set a default scope for search results to choose which samples are displayed immediately
when you launch a search. Navigate to the AutoFocus portal Settings and select a
Preferred Scope. You must click Save changes to save the new default scope.
Sample Tags
Lists the tags the sample is associated with, and you can also add a new tag. (For details on tags
and how tagging works, see AutoFocus Tags.)
Sessions
The Sessions tab displays all Sessions associated with samples from your network. Click the column headers
to sort sessions in ascending (up arrow) or descending (down arrow) order.
After performing an AutoFocus Search, select Sessions and select a single session to drill down for
session details:
Display sessions based on the Upload Source. Add the search condition Upload
Source > is to your current search and choose a session source. In the example above,
the sessions search results have the Upload Source Traps, which means that they are
sessions associated with samples submitted to WildFire through Traps.
Session details include a Session Summary, from which you can add artifacts to
your existing search or launch a new search for an artifact in a separate browser
window.
The File Analysis tab displays artifacts that WildFire found in the sample
detected during the session (see Sample Details for information on the File
Analysis tab).
Session details also include a list of Related Sessions, which are other sessions
during which the same sample was detected.
Next Steps... View the associated Samples, Statistics, and Domain, URL, and IP Address
Information.
Assess AutoFocus Artifacts found in your search.
Export AutoFocus Artifacts found in your search.
Statistics
The Statistics tab collects and visually weights the top artifacts associated with samples matched to your
search. You can perform specific searches by clicking on any of the individual artifacts under the Statistics
tab.
The Statistics tab does not display the same statistics as the AutoFocus Dashboard on
page 23. While the dashboard displays an overall picture of the threat landscape in different
contexts (organization-wide, industry-wide, or global), the Statistics tab displays information
that has been filtered based on the current search.
Click on an artifact in the Top Applications, Top Malware, Top Firewalls, and
Target Industries widgets to add it to your search; the Statistics tab widgets are
filtered based on the added search condition(s).
Click the API link to view the API request to retrieve the artifact data displayed in a
widget. The API request is formatted in cURL and Python.
Example:
To view only samples that are distributed through web pages, click the web-browsing bar on the Top
Applications widget. Web-browsing is added as a search condition and the widgets, including the Top
Countries malware map, are updated to reflect the new web-browsing filter:
Next Steps... View associated Samples on page 42, Sessions on page 47, and
Domain, URL, and IP Address Information on page 51.
Assess AutoFocus Artifacts on page 109 found in your search.
Export AutoFocus Artifacts on page 123 found in your search.
Indicators
The Indicators tab is a summary of Threat Indicators that AutoFocus found in the samples returned as
search results. Not all sample artifacts are indicators; the Indicators tab only lists artifacts that AutoFocus
has determined to be indicators through a statistical algorithm based on the tendency of the artifact to be
seen predominantly in malware samples.
The Indicators tab only displays indicators drawn from the page of sample
search results that you are currently viewing. For example, if your search
returns 5 pages of search results and you are viewing the second page, the
Indicators tab will only display indicators from that second page of samples.
AutoFocus also filters the indicators by the scope you have selected for
viewing the sample search results (view only My Samples, Public Samples, or
All Samples).
For each indicator, you can view the number of global malware, grayware, and
benign samples in which it was detected. AutoFocus highlights indicators that
are Suspicious or Highly Suspicious.
Indicators matching those forwarded to AutoFocus through MineMeld are
marked with an indicator tag, which specifies the number of matching
indicators. Click on the indicator tag to view the full list of matches.
Each indicator lists the SHA256 hash of the sample(s) in which it was
detected. Click on a hash to view sample details.
See Assess AutoFocus Artifacts for details on drilling down in the file analysis details for a sample.
STEP 2 | Review the Domain, URL, and IP Address Details for the artifact.
Find matches to the artifact in the Request and Response columns.
The remote search feature is supported with firewalls running PAN-OS 7.1 or later release
versions.
AutoFocus also supports integration with third-party log management systems. When
you configure your custom system to work with AutoFocus remote search, you can filter log or event
repositories with AutoFocus search conditions.
STEP 1 | Log in to the firewall or Panorama you want to search with your administrator username and
password.
STEP 5 | (For Panorama Device Group and Template Administrators Only) For Panorama Device Group
and Template administrators (not superusers), an AutoFocus remote search targeted to
Panorama returns results based on the current Panorama Access Domain setting. Panorama
administrators with role-based access control must first open the Panorama web interface,
select Monitor > Logs and set the Access Domain for which to view search results. Return to
the AutoFocus portal to execute your remote search.
If no browser tabs open when you launch remote search, change the settings on your
browser to allow pop-ups from AutoFocus.
The maximum length for the URL generated through remote search is 1,024
characters. Performing a remote search with multiple search conditions may create a
URL that exceeds the character limit. As a best practice, check which conditions were
added to the URL after launching a search.
STEP 8 | Learn more about working with Unified logs on the firewall.
General Artifacts
Sample Artifacts
Session Artifacts
Analysis Artifacts
Windows Artifacts
Mac Artifacts
Android Artifacts
General Artifacts
General artifacts are artifacts that WildFire associates with both samples and sessions. For example, you can
use the artifact type Domain to search based on domains found in samples and sessions.
Some general artifacts are tag-related. If you search with a tag-related artifact, the search results display all
samples that have one or more tags that meet the search criteria, and their related sessions.
The following general artifact types refer to private session information: Domain, Email Address, Filename,
IP Address, and URL. If any of your private tags use these artifact types as tag conditions, you cannot make
these tags public.
Domain
A domain detected in the DNS Activity or HTTP Activity of a sample, or the
File URL.
Filename
The File Name of the sample or a filename that AutoFocus found in the File
Activity of a sample.
Hash
The sample's MD5, SHA1, or SHA256 hash. The search results also include
samples in which AutoFocus found the hash in the File Activity of the sample.
Tag Class
Samples filtered by Tag Class: a malware family, a campaign, an actor, an
exploit, or a type of malicious behavior.
Tag Scope
Samples filtered by Tag Scope: private, public, Unit 42 (alerting), or Unit 42
informational (non-alerting).
Tag Source
Samples with tags that are attributed to a particular Tag Source.
User Agent
A user agent header detected in the HTTP Activity or User Agent Fragments
of a sample. The user agent header indicates your browser type and version
and your operating system and version. During a session, your browser sends
this information to the site you are visiting to determine the best way to
deliver the information you requested. Examples of user agent strings include
Mozilla/4.0 and Windows NT 6.1.
Sample Artifacts
Sample artifacts are artifacts that WildFire associates with samples only. You can find the following artifact
types when you view Sample Details, in the File Analysis details of a sample.
Digital Signer: The entity named in the digital signature of the sample, that is, the signer of the file.
File Type: The file type of the sample. Examples include Email Link, Adobe Flash File, and PDF.
Finish Date: The date and time when WildFire analysis of the sample completed and the sample received a WildFire verdict.
First Seen: The date and time that the sample was first forwarded or uploaded to WildFire.
Import Table Hash: An import hash, or imphash, is a hash computed over the import table of a Portable Executable (PE): the imported DLL and API function names, in the order they are listed. Binaries built from the same source typically share an imphash, so imphashes can be used to identify similar samples that might belong to the same malware family. Imphashes are listed for malware and grayware samples only (not benign samples).
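As an added example (not code from this guide or from Palo Alto Networks), the following Python reimplements the common imphash recipe, the one the pefile library's get_imphash() follows: each import is written as the lowercased DLL name without its .dll, .ocx or .sys extension, a dot, and the lowercased function name (or ordN for an import by ordinal); the entries are joined with commas in import-table order and MD5-hashed. It does not resolve well-known ordinals to names the way pefile does, and the import tables it hashes are constructed for illustration rather than taken from real samples.

```python
"""Import hash (imphash) computed from a PE import table.

Added example; not code from the AutoFocus guide or from Palo Alto Networks.
The import tables below are constructed for illustration only.
"""
import hashlib


def _normalize_dll(dll_name):
    """Lowercase the DLL name and drop a .dll/.ocx/.sys extension, as the
    imphash recipe prescribes, so KERNEL32.dll and kernel32.DLL agree."""
    name = dll_name.lower()
    base, dot, ext = name.rpartition(".")
    if dot and ext in ("dll", "ocx", "sys"):
        return base
    return name


def imphash(imports):
    """Compute the imphash of an import table.

    imports: list of (dll_name, function_name, ordinal) tuples in the order
    they appear in the PE import directory. function_name is None for an
    import by ordinal, which is rendered as ord<N>. Order matters: the same
    functions imported in a different order give a different hash.
    """
    entries = []
    for dll, func, ordinal in imports:
        if func is None:
            func = "ord%d" % ordinal
        entries.append("%s.%s" % (_normalize_dll(dll), func.lower()))
    return hashlib.md5(",".join(entries).encode("ascii")).hexdigest()


def group_by_imphash(samples):
    """Cluster samples that share an import table layout.

    samples: dict mapping a sample label (e.g. its SHA256) to its import list.
    Returns a dict mapping each imphash to the labels that produced it; a
    bucket with more than one label is a candidate family cluster.
    """
    clusters = {}
    for label, imports in samples.items():
        clusters.setdefault(imphash(imports), []).append(label)
    return clusters


# Constructed import tables (illustrative only, not from real samples).
SAMPLE_A = [
    ("KERNEL32.dll", "CreateFileA", None),
    ("KERNEL32.dll", "WriteFile", None),
    ("WS2_32.dll", None, 115),            # import by ordinal
    ("ADVAPI32.dll", "RegSetValueExA", None),
]
# Same imports as SAMPLE_A with different name casing: same imphash.
SAMPLE_B = [
    ("kernel32.DLL", "createfilea", None),
    ("Kernel32.dll", "WRITEFILE", None),
    ("ws2_32.DLL", None, 115),
    ("advapi32.dll", "regsetvalueexa", None),
]
# Same functions in a different order: a different imphash.
SAMPLE_C = list(reversed(SAMPLE_A))

if __name__ == "__main__":
    for label, imports in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(label, imphash(imports))
    print(group_by_imphash({"A": SAMPLE_A, "B": SAMPLE_B, "C": SAMPLE_C}))
```

Because the hash is an MD5 over names only, it says nothing about the code behind those imports; treat a shared imphash as a lead for clustering, not as proof that two samples are the same family.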
Last Updated: The date and time when WildFire last changed the verdict for the sample.
MD5: The sample's cryptographic hash generated using the MD5 message-digest algorithm. MD5 is not collision resistant, so prefer the SHA256 hash when a hash must uniquely identify a sample.
Region: Every WildFire cloud (global or regional) to which the sample was submitted for analysis. The sample details list all of the WildFire clouds to which firewalls submitted the sample (different firewalls can submit the same sample to different WildFire clouds).
US: WildFire global cloud
EU: WildFire EU cloud
JP: WildFire Japan cloud
SG: WildFire Singapore cloud
SHA1: The sample's cryptographic hash generated using Secure Hash Algorithm 1 (SHA-1). Like MD5, SHA-1 is no longer collision resistant.
SHA256: The sample's cryptographic hash generated using SHA-256. This is the hash used elsewhere in AutoFocus (sessions, alerts, the Alerts Log) to identify a sample.
Ssdeep Fuzzy Hash: The fuzzy hash (generated by the ssdeep program) associated with the sample. ssdeep generates a context-triggered piecewise hash, or fuzzy hash, for a sample, which can be used to identify samples that are very similar but not identical. Comparing two fuzzy hashes with ssdeep produces a percentage that indicates how closely the samples match; a high percentage indicates a high degree of similarity. In AutoFocus, fuzzy hashes are listed for malware and grayware samples only (not benign samples).
WildFire Verdict: WildFire assigns a verdict of Malware, Grayware, or Benign to the sample based on the properties, behaviors, and activities observed for the file or email link during static and dynamic analysis.
Session Artifacts
Session artifacts are artifacts that WildFire associates with sessions only. You can find the following artifact types when you view Sample Details. Note that you can only view the details of sessions associated with your support account. For this reason, when you search with artifact types that refer to firewall-related properties (for example, firewall serial number or hostname), AutoFocus filters the search results by the properties of the Palo Alto Networks firewall(s) that initiated the session.
The following session artifact types refer to private session information: Device Hostname, Device Serial, Device vsys, Destination IP, Email Recipient Address, Email Charset, Email Sender Address, Email Subject, File Name, File URL, Recipient User ID, and Source IP. If any of your private tags use these artifact types as tag conditions, you cannot make these tags public.
Application: The App-ID matched to the type of application traffic detected in the session. For example, a search for the Application web-browsing returns sessions during which web browsing over HTTP occurred. Visit Applipedia for an updated list of applications that Palo Alto Networks identifies.
Device Country Code: The two-letter abbreviation for the Device Country. Refer to the complete list of countries and country codes in AutoFocus.
Device Hostname: A name that identifies a Palo Alto Networks firewall. To view the hostname of a firewall, log in to the firewall web interface, select Device > Setup > Management, and view the General Settings.
Device vsys: The name of the virtual system on the firewall associated with the session.
Destination Country: The country of the IP address to which the session was destined.
Destination Country Code: The two-letter abbreviation for the Destination Country of the session. Refer to the complete list of countries and country codes in AutoFocus.
Email Recipient Address: For email samples, the email address of the user who received the email.
Email Charset: For email samples, the character set used to display the message body of the email. Examples of character sets are UTF-8 and ISO-8859-1.
Email Sender Address: For email samples, the email address of the sender.
File Name: The filename of the sample sent during the session.
File URL: The URL of the source that hosts the sample.
IMEI: The 15-digit International Mobile Equipment Identity number assigned to a mobile phone.
Industry: The field that the source of the session (you or another AutoFocus support account) is associated with. Examples are Aerospace and Defense, High Tech, and Education. Industry is a field you select when you initially set up your AutoFocus account; contact Palo Alto Networks Support to change it.
Recipient User ID: The username of the user who received an email sample.
Region: The WildFire cloud (global or regional) to which the sample was submitted for analysis. A session in the AutoFocus search results describes how a source submitted a sample to WildFire. Since each session corresponds to a single WildFire submission, it can only be associated with a single WildFire cloud.
US: WildFire global cloud
EU: WildFire EU cloud
JP: WildFire Japan cloud
SG: WildFire Singapore cloud
SHA256: The SHA-256 hash of the sample associated with the session.
Source Country: The country to which the IP address that initiated the session is registered.
Source Country Code: The two-letter abbreviation for the Source Country of the session. Refer to the complete list of countries and country codes in AutoFocus.
Status: Whether a Palo Alto Networks firewall blocked the sample. The Status for blocked samples is Blocked; for allowed samples the Status is blank. To find all allowed samples, search with the condition Status > is not > Blocked.
Upload Source: The source that requested a WildFire verdict for a sample or submitted a sample to WildFire for analysis. Choose from the following upload sources:
Firewall: Samples that a Palo Alto Networks firewall forwarded to WildFire.
Proofpoint: Samples submitted to WildFire through Proofpoint products.
Traps: Samples submitted through Traps.
Manual API: Samples uploaded manually through the WildFire API or the WildFire public portal.
WF Appliance: Samples that a WildFire appliance submitted to the WildFire public cloud.
Analysis Artifacts
Analysis artifacts make up the WildFire dynamic and static analysis of a sample. WildFire Dynamic Analysis information consists of the properties, activities, and behaviors that WildFire detects when the sample is executed in an analysis environment. WildFire Static Analysis information consists of artifacts that WildFire can observe in the sample without executing it.
To get an idea of the artifacts that appear in a WildFire analysis section, start a search with an analysis artifact and, for the operator, select has any value. View the file analysis details of the search results, expanding the section you searched for to view the artifacts that WildFire found for it.
Connection Activity: Processes that accessed other hosts on the network when the sample was executed in the WildFire analysis environment. Artifacts listed for each connection activity include the process that accessed other hosts, the port through which the process connected, the protocol used for the connection, and the IP address and country of the remote host.
DNS Activity: DNS activity observed when the sample was executed in the WildFire analysis environment. Artifacts listed for each DNS activity include the hostname that was looked up (Query column), the resolved domain name or IP address (Response column), and the type of DNS resource record used to resolve the query (Type column).
File Activity: Files that showed activity as a result of the sample being executed in the WildFire analysis environment. Artifacts listed for each file activity include the parent process that showed activity, the action the parent process performed, and the file that was altered (created, modified, duplicated, or deleted).
HTTP Activity: HTTP requests made when the sample was executed in the WildFire analysis environment. Artifacts listed for each HTTP activity include the destination domain of the HTTP request (Host column), the HTTP method used, the URL path of the requested resource (URL column), and the user agent string of the request (User Agent column). The Host and URL values together form the full URL of the request; for example, a Host of althawry.org and a URL of /images/xs.jpg?8b96=71468 make up the request althawry.org/images/xs.jpg?8b96=71468.
Java API Activity: Java runtime activity seen when the sample was executed in the WildFire analysis environment.
Observed Behavior: Behaviors seen for the sample in the WildFire analysis environment, such as whether the sample created or modified files, started a process, spawned new processes, modified the registry, or installed browser helper objects (BHOs). Each behavior is also assigned a risk level of high, medium, low, or informational. On the File Analysis tab within the sample details, switch between operating system columns to see the list of behaviors observed for each virtual machine in which the sample was executed. The Evidence column lists the total number of sample activities that are evidence of each behavior; expand a single behavior for the list of matching activities. For each activity listed, the Type column indicates the WildFire analysis section and the Value column lists the artifacts that WildFire found for that section. The artifacts displayed vary with the activity category; for a File Activity, for example, the artifacts provided include the parent process that showed activity, the action the process performed, and the file that was altered. The artifact type Observed Behavior also refers to properties that WildFire observed in a sample during static analysis; these properties appear under the WildFire Static Analysis category Suspicious File Properties.
Other API Activity: Non-Java API activity seen when the sample was executed in the WildFire analysis environment. Artifacts listed include the parent process that was active, the API calls made by the parent process, and the process that was modified.
Process Activity: Processes that showed activity when the sample was executed. Artifacts listed for each process activity include the parent process that was active, the action that the parent process performed, and the process that was modified.
Service Activity: Services that showed activity as a result of the sample being executed in the WildFire analysis environment. Artifacts listed for each service activity include the process that was active, the action the process performed, and the service that was created, modified, or deleted.
User Agent Fragments: The user agent header of HTTP requests sent when the sample was executed in the WildFire analysis environment.
Windows Artifacts
Windows artifacts are artifacts that WildFire associates with samples after analyzing them in a Windows analysis environment.
Mutex Activity: A mutex (mutual exclusion object) lets programs coordinate access to a shared resource so that no more than one of them uses it at a time. If the sample creates mutexes when executed in the analysis environment, each mutex is listed along with the parent process that created it. Malware commonly creates a mutex with a fixed name so that only one copy of itself runs on a host, which makes mutex names useful indicators for finding related samples.
Registry Activity: Windows Registry keys and values that showed activity when the sample was executed in the analysis environment. Artifacts listed for each registry activity include the parent process that was active, the registry operation performed by the parent process (Action column), and the registry key that was set, modified, or deleted (Parameters column).
Mac Artifacts
Mac artifacts are artifacts that WildFire associates with samples after analyzing them in a Mac OS analysis environment.
Mac Embedded File: Internal files in a Mac app installer or a Mac app bundle. Details for an embedded file can include the SHA256 and name of the installer or bundle, the file's SHA1 hash, filename, file format, file location, SHA256 hash, the signature associated with the file and the name of the signer, the SHA1 hash of the signature, the signature status, and the file size in bytes.
Mac Embedded URL: URLs that are part of a Mac file. The Path column contains the path of the section of the app where the URL is located.
Android Artifacts
Android artifacts are artifacts that WildFire associates with Android Package (APK) samples after analyzing them in an Android analysis environment. An APK file installs an app on an Android mobile phone or tablet.
APK App Icon: The file path of the app icon that displays in the Android device menu.
APK App Name: The name of the app that displays on the interface of an Android device.
APK Certificate: The hash value of the public key embedded in the digital certificate of the APK file.
APK Certificate File: The file path of the certificate(s) embedded in the APK file, information about the certificate owner and issuer such as name and location (if provided by the owner or issuer), and the MD5, SHA1, and SHA256 hashes of the certificate. The owner or issuer may provide the following information:
CN: First name and last name
OU: Organizational unit
O: Organization name
L: City or locality
ST: State or province
C: Two-letter country code
APK Defined Activity: The class names of the activities defined in the APK file. An activity is a component of the app that provides a screen users can interact with to perform a task.
APK Defined Intent Filter: An intent filter, found in an app's manifest file, lists the types of intents that the components of the app can respond to. An intent is a request that an app sends to other apps to perform an action; for example, the YouTube app uses a messaging app on the device to share videos.
APK Defined Receiver: Broadcast receivers for the APK file. Broadcast receivers allow the app to receive intents broadcast by itself, by the Android system, or by other apps on the device. An example of a broadcast that an app can receive is an indication that the device battery is low.
APK Defined Sensor: Sensors for motion, orientation, or environmental conditions that the app uses when it is running. For example, an app might need to receive readings from the device's GPS to perform location-based tasks.
APK Defined Service: Services configured for the APK file. Services are operations that run in the background while the app is running and do not provide a user interface screen. An example is the notification service of an email app that alerts users when they have new messages.
APK Embedded Libraries: Third-party libraries that are included in the APK file. A third-party library, which app developers can reuse across multiple apps, contains code that accomplishes a specific task. An example of an embedded library is Google's mobile ads software development kit (SDK), AdMob.
APK Embedded URL: URLs that are part of an APK file. The Path column contains the path of the section of the app where the URL is located.
APK Internal File: The file format, file path, and SHA256 hash of files included in the APK file.
APK Package Name: The unique name that identifies an app on an Android device. The general format of a package name is domain.company.application (for example, com.tamapps.learnjapanese).
APK Repackaged: An indication of whether the APK file has been repackaged (True) or not (False). AutoFocus marks a repackaged APK file as suspicious because an attacker can repackage a benign app to add malicious functionality.
APK Requested Permission: The permissions that the APK file requests from users to perform processes and to access data on the Android device. Examples include permission to access the camera or to change the audio settings of the device.
APK Sensitive API Call: API calls embedded in the APK file that access restricted services or resources.
APK Signer: Information that the app owner provided when signing the app certificate:
CN: First name and last name
OU: Organizational unit
O: Organization name
L: City or locality
ST: State or province
C: Two-letter country code
APK Suspicious API Call: API calls embedded in the APK file that access restricted services or resources. Unlike APK Sensitive API Call, APK Suspicious API Call lists every instance of an API call and the location of the files where the call was found.
APK Suspicious Action: An action that the APK file performed when it was executed in the WildFire analysis environment that may be an indicator of compromise. The Value column contains a description of the action and supporting evidence. For example, if the suspicious action is sending SMS messages while running in the background, the value includes the content of the text messages that the file sent. If the action is loading another APK, DEX, or JAR file, the value includes the path of the file that the APK loaded.
APK Suspicious Behavior: A sequence of actions that the APK file exhibits, the target of the actions (if there is one), and the location of the files that exhibited the actions. For example, for the suspicious behavior "APK file sends an SMS to a fixed number", the target is the phone number that received the SMS.
APK Suspicious File: Suspicious files found in the APK file and their file type. An example of a suspicious file is one that contains malicious native code or an executable in .dex format.
APK Suspicious Pattern: A class of patterns observed in the APK file, a description of what the pattern does, and the location of the files where the pattern occurred.
APK Suspicious String: Suspicious strings found in the APK file. For example, a suspicious string can indicate that an app contains shell commands that install or uninstall other apps, or the string can be a suspicious phone number. For each string, you can view the location of the file that contains the string.
APK Version: The version number of the app that is visible to users.
has any value: Find samples or sessions that have a reported value for the artifact type, including values such as 0, unknown, or Not Found. Value: none required.
is in the list: Find samples or sessions with artifacts that match at least one of the values in a list. You can have up to 1,000 values in your list, and the values must be exact. Value: for Option artifacts, select more than one value from the drop-down; for String artifacts, type more than one value (not case-sensitive) and press Enter to separate one value from the next.
is not in the list: Exclude samples or sessions that have at least one value from the list. You can have up to 1,000 values in your list, and the values must be exact. Value: for Option artifacts, select more than one value from the drop-down; for String artifacts, type more than one value (not case-sensitive) and press Enter to separate one value from the next.
contains: Find samples or sessions that contain the partial value you enter. Use the contains operator if you don't know the exact value of an artifact. See the Guidelines for Partial Searches. Value: String: type a partial value (not case-sensitive).
does not contain: Find samples or sessions that do not contain the partial value you enter. See the Guidelines for Partial Searches. Value: String: type a partial value (not case-sensitive).
proximity: Perform a single search for two or more values. Use the proximity operator with Analysis Artifacts to look for multiple artifacts that appear together in the WildFire analysis of a sample. See the Guidelines for Partial Searches. Value: String: type partial values if you don't know the exact values (not case-sensitive); you can enter the values in any order.
is in the range: Find values within a date or numerical range. Value: Date and Time Range: select the earliest and latest possible date and time that a value can be, or choose from a drop-down of relative dates such as Yesterday, Last Month, or Last 90 days. Number Range: select the minimum and maximum number that a value can be.
greater than: Find values that are greater than the number you enter. Value: Number.
greater than or equal: Find values that are greater than or equal to the number you enter. Value: Number.
less than: Find values that are less than the number you enter. Value: Number.
less than or equal: Find values that are less than or equal to the number you enter. Value: Number.
is after: Find date and time values that occur after a specific date. Value: Date and Time: select a date and time, or choose from a drop-down of relative dates such as Yesterday, Last Month, or Last 90 days.
is before: Find date and time values that occur before a specific date. Value: Date and Time: select a date and time, or choose from a drop-down of relative dates such as Yesterday, Last Month, or Last 90 days.
Proximity Operator
Use the proximity operator to search for multiple artifacts that appear together under a WildFire Analysis category of a sample. Enter two or more artifacts in the value field of the search condition.
Example: The search Registry Activity > proximity > HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData ueepd-a.exe returns a sample that has both values in at least one of its registry activities. Both values must occur in the same registry activity entry; a sample whose process name and registry key appear only in different entries does not match.
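The following Python is an added example, not code from this guide or from Palo Alto Networks. It models a sample as a dict of artifact values and implements the operator semantics described above: list and substring matching are case-insensitive, "is in the list" requires an exact value, numeric and date operators compare directly, and "proximity" requires every value to appear within a single activity entry. The sample records, including the registry activity from the example above, are constructed for illustration and are not real WildFire data.

```python
"""Evaluator for the AutoFocus search operators described above.

Added example; not code from the AutoFocus guide or from Palo Alto Networks.
The sample records below are constructed for illustration only.
"""
import operator as op
from datetime import date


def _values(sample, artifact):
    """Return the sample's values for an artifact as a list (an analysis
    artifact such as registry_activity has one entry per activity)."""
    value = sample.get(artifact)
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _fold(value):
    """Case-insensitive comparison form for string artifacts."""
    return str(value).lower()


_COMPARE = {
    "greater than": op.gt,
    "greater than or equal": op.ge,
    "less than": op.lt,
    "less than or equal": op.le,
    "is after": op.gt,    # dates compare the same way as numbers
    "is before": op.lt,
}


def matches(sample, artifact, operator, value=None):
    """True if the condition (artifact, operator, value) holds for the sample."""
    vals = _values(sample, artifact)
    if operator == "has any value":
        return bool(vals)
    if operator == "is in the list":
        wanted = {_fold(v) for v in value}          # exact, case-insensitive
        return any(_fold(v) in wanted for v in vals)
    if operator == "is not in the list":
        return not matches(sample, artifact, "is in the list", value)
    if operator == "contains":
        return any(_fold(value) in _fold(v) for v in vals)
    if operator == "does not contain":
        return not matches(sample, artifact, "contains", value)
    if operator == "proximity":
        needles = [_fold(v) for v in value]
        # Every value must occur in the same activity entry, in any order.
        return any(all(n in _fold(v) for n in needles) for v in vals)
    if operator == "is in the range":
        low, high = value
        return any(low <= v <= high for v in vals)
    if operator in _COMPARE:
        return any(_COMPARE[operator](v, value) for v in vals)
    raise ValueError("unknown operator: %r" % operator)


def search(samples, conditions):
    """Return the ids of samples matching every condition (logical AND)."""
    return [s["id"] for s in samples
            if all(matches(s, *cond) for cond in conditions)]


APPDATA_KEY = (r"HKCU\Software\Microsoft\Windows\CurrentVersion"
               r"\Explorer\Shell Folders\AppData")

# Constructed sample records (illustrative only, not real WildFire data).
# Each registry_activity entry is "process, action, key" as one string.
SAMPLES = [
    {"id": "s1", "file_type": "PE", "first_seen": date(2016, 3, 19),
     "registry_activity": ["ueepd-a.exe, SetValueKey, " + APPDATA_KEY]},
    # Both proximity values occur in s2, but in different activity entries.
    {"id": "s2", "file_type": "PE", "first_seen": date(2016, 2, 10),
     "registry_activity": ["ueepd-a.exe, QueryValueKey, HKLM\\SYSTEM\\Setup",
                           "explorer.exe, SetValueKey, " + APPDATA_KEY]},
    {"id": "s3", "file_type": "Adobe Flash File", "first_seen": date(2016, 3, 25),
     "registry_activity": []},
]

if __name__ == "__main__":
    print(search(SAMPLES, [("registry_activity", "proximity",
                            [r"Shell Folders\AppData", "ueepd-a.exe"])]))
```

Running the proximity condition from the example returns only s1: s2 touches the same key and runs the same process, but never in one registry activity, which is exactly the distinction between proximity and two separate contains conditions.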
AUTOFOCUS ADMINISTRATORS GUIDE | AutoFocus Alerts
Alert Types
An alert is a notification about samples that match a set of defined criteria. When you Create Alerts in AutoFocus, you have the option to receive the notifications by email or over HTTP. You can also View Alerts in AutoFocus for a complete log of the alerts that have been sent to you.
AutoFocus generates alerts for grayware and malware samples from all Upload Sources associated with your support account, as long as they match the alert criteria.
Email Alerts
HTTP Alerts
Email Alerts
AutoFocus can send alerts to your email account. In an email alert, the SHA256 hash displays as a hyperlink that opens the WildFire analysis of the sample in AutoFocus. An email alert contains the following fields:
AutoFocus Alerts: The date and time that the alert was sent, in the format Month DD, YYYY hh:mm [AM/PM] (UTC).
Date (UTC): The date and time that the sample was detected, in the format Month DD, YYYY hh:mm [AM/PM].
Type: The tag type that triggered the alert (unit42, public, or private).
Name: The specific tag that triggered the alert for the sample.
HTTP Alerts
HTTP alerts are notifications that AutoFocus generates in JavaScript Object Notation (JSON) format. In an HTTP alert, information about the samples is formatted as JSON name-value pairs, with the name and value separated by a colon. For example, the pair "date": "March 19, 2016 05:56 PM" gives the date and time that a sample was detected for the alert. All alerts use the same set of field names, but the values vary depending on the samples detected in the alert period.
AutoFocus sends HTTP alerts as plain text to the web server of your choice using standard HTTP requests.
Use HTTP alerts to publish information about detected samples on a web page or in a threat feed.
When creating an HTTP alert, provide the URL of a server that has been configured to parse the name-value pairs from the alert. The following fields and data types appear in an HTTP alert; the data type describes how the server should interpret and store the value.
autofocus_alerts (string): The date and time that the alert was sent, in the format Month DD, YYYY hh:mm [AM/PM].
date (string): The date and time that the sample was detected, in the format Month DD, YYYY hh:mm [AM/PM].
alert_name (string): The specific tag that triggered the alert for the sample.
alert_type (string): The tag type that triggered the alert. The possible values are:
private: private tags owned by you
public: public tags
unit42: tags issued by Unit 42
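As an added example of the receiving side (not code from this guide or from Palo Alto Networks), the following Python validates an HTTP alert body against the four fields documented above and parses the Month DD, YYYY hh:mm AM/PM timestamps. The guide shows only one name-value pair, so the assumption that the alert is a flat JSON object containing exactly these fields is mine; the example alert body is constructed and its tag name is made up. The guide also says nothing about how the sender is authenticated, so this server validates structure only; serve it over TLS and restrict which addresses can reach it.

```python
"""Receiver for AutoFocus HTTP alerts.

Added example; not code from the AutoFocus guide or from Palo Alto Networks.
Assumes a flat JSON object with the four documented string fields; the
example body below is constructed for illustration.
"""
import json
from datetime import datetime
from http.server import BaseHTTPRequestHandler, HTTPServer

DATE_FORMAT = "%B %d, %Y %I:%M %p"           # Month DD, YYYY hh:mm AM/PM
ALERT_TYPES = {"private", "public", "unit42"}
FIELDS = ("autofocus_alerts", "date", "alert_name", "alert_type")
MAX_BODY = 64 * 1024                          # refuse oversized requests

RECEIVED = []                                 # alerts accepted so far


def parse_alert(body):
    """Validate one alert body and return it with the timestamps parsed.

    Raises ValueError for anything that is not a well-formed alert so the
    caller rejects it instead of storing attacker-controlled junk.
    """
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError("body is not valid JSON: %s" % exc)
    if not isinstance(data, dict):
        raise ValueError("alert must be a JSON object")
    missing = [f for f in FIELDS if f not in data]
    if missing:
        raise ValueError("missing fields: %s" % ", ".join(missing))
    for field in FIELDS:
        if not isinstance(data[field], str):
            raise ValueError("field %s must be a string" % field)
    if data["alert_type"] not in ALERT_TYPES:
        raise ValueError("unknown alert_type: %r" % data["alert_type"])
    try:
        sent = datetime.strptime(data["autofocus_alerts"], DATE_FORMAT)
        detected = datetime.strptime(data["date"], DATE_FORMAT)
    except ValueError as exc:
        raise ValueError("bad timestamp: %s" % exc)
    return {"sent": sent, "detected": detected,
            "tag": data["alert_name"], "tag_type": data["alert_type"]}


def is_valid_alert(body):
    """Convenience wrapper: True if parse_alert accepts the body."""
    try:
        parse_alert(body)
        return True
    except ValueError:
        return False


class AlertHandler(BaseHTTPRequestHandler):
    """Accepts POSTed alerts: 204 on success, 400 on malformed input."""

    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length", "0"))
        except ValueError:
            length = -1
        if length <= 0 or length > MAX_BODY:
            self._reply(400, "bad Content-Length")
            return
        try:
            alert = parse_alert(self.rfile.read(length))
        except ValueError as exc:
            self._reply(400, str(exc))
            return
        RECEIVED.append(alert)
        self._reply(204, "")

    def _reply(self, status, text):
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        if text:
            self.wfile.write(text.encode("utf-8"))

    def log_message(self, fmt, *args):
        pass  # keep the example quiet; wire in real logging as needed


# Constructed alert body (illustrative only; the tag name is made up).
EXAMPLE_BODY = json.dumps({
    "autofocus_alerts": "March 19, 2016 06:00 PM",
    "date": "March 19, 2016 05:56 PM",
    "alert_name": "example_private_tag",
    "alert_type": "private",
}).encode("utf-8")

if __name__ == "__main__":
    print(parse_alert(EXAMPLE_BODY))
    HTTPServer(("127.0.0.1", 8080), AlertHandler).serve_forever()
```

The parser rejects a 24-hour time such as 17:56 and an unknown alert_type, so a record that reaches RECEIVED always has the documented shape; anything downstream (a web page or threat feed) can rely on that without re-checking.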
STEP 1 | Select Alerts on the navigation pane, and then select Settings.
STEP 2 | Define Alert Actions. An alert action sets the type, destination, and frequency of the alert.
STEP 3 | Enable Alerts by Tag Type. The Alert on Tag Type column describes the tag types that samples
in your network must match to trigger an alert: Unit 42, Public, or Private. By default, the alert
action for all tag types is none, and alerts are disabled. Select a different alert action to enable
alerts for each tag type.
STEP 4 | To receive alerts for certain tags and disable them for others, Create Alert Exceptions.
Create an alert for Unit 42 tags to receive notifications based on new threats and attacks
identified by the Unit 42 threat intelligence research team.
STEP 2 | Scroll to the bottom of the Settings tab, and click Add Alert Action:
STEP 4 | Define the type of alert you want to receive: Email or HTTP.
STEP 2 | If there are no email or HTTP Alert Actions listed, Define Alert Actions.
Use this step at any time to change the alert action for a tag type.
Select an alert Action for samples matched to Unit 42, public, and private tags:
STEP 5 | If necessary, specify tags to exclude from the alert for the tag type.
Create Alert Exceptions in order to:
Create and enable custom alerts for specific tags.
Disable alerts for tags for which you don't need to receive alerts.
STEP 2 | If there are no email or HTTP Alert Actions listed, Define Alert Actions.
STEP 4 | In the Tag field, start typing the tag name, and select it from the list of tags.
STEP 6 | Select Enabled? to enable the alert action for samples in your network that match the tag.
Find alerts.
Select Dashboard to view the Alerts Log widget. The Alerts Log widget displays the most recent
samples that matched your alert criteria.
Select Alerts > Alerts Log to view all samples that have triggered alerts. Sort the rows according
to Time, Tag Type, SHA256, or Tag. Alternatively, click the column headers to sort the rows in
ascending (up arrow) or descending (down arrow) order.
You can also click the SHA256 link for a sample entry to add the sample to a search:
Add the tag to the search editor, to search for all historical and global samples matched to the
tag.
Add a single condition defined for the tag to the search editor, to search for all historical and
global samples matched to that single condition.
Disable Alerts.
Select the action none for a tag type.
To disable alerts for an alert exception, Edit an Alert Exception. Select the action none.
Modify the tag chosen as an alert exception and the alert action that occurs when AutoFocus
detects a sample that matches the tag. Select Enabled? to enable the alert action.
Modify the name of the alert action, the alert type (Email or HTTP), the email address or server URL that receives the alert, and how frequently the alert is generated.
AutoFocus Tags
Tag Concepts
Click Tags on the navigation pane to view a complete list of public, private, and Unit 42 tags.
Tag Types
Tag Class
Tag Status
Tag Visibility
Tag Types
Tag colors and icons allow you to distinguish the different tag types at a glance. When a tag is linked to a Tag Class, its default icon changes to the tag class icon.
Unit 42 Tag (Alerting): Unit 42 tags are created by Unit 42, the Palo Alto Networks threat intelligence and research team, to detect and identify threats and campaigns that pose a direct security risk. Unit 42 tags have an orange outline and a Unit 42 icon. Tags for threats discovered by an individual or organization outside of Unit 42 have a pointed and marked top right corner.
Unit 42 Informational Tag (Non-Alerting): Unit 42 also publishes informational tags that group and identify commodity threats. Often, threat signatures already exist and are distributed to identify and enforce on the traffic identified by informational tags. When you enable AutoFocus Alerts for Unit 42 tags, AutoFocus does not generate alerts for samples that match Unit 42 informational tags, so you can focus your resources on targeted or pervasive threats. Informational tags have a faded orange outline and a Unit 42 icon. Tags for threats discovered by an individual or organization outside of Unit 42 have a pointed and marked top right corner.
My Private Tag: Create a Tag that is visible only to your organization. Private tags allow you to tag a sample hash or a set of search conditions that is specific or especially significant to your environment. You can then Create Alerts for the private tags. Private tags have a blue outline and a tag icon.
Public Tag: Public tags are tags shared with the AutoFocus community by your organization and other AutoFocus users. They are visible to all AutoFocus users. Public tags have a gray outline and a tag icon.
Tag Class
A tag can be linked to a particular tag class, which provides more context for the type of threat information that the tag identifies. Special icons indicate whether a tag is associated with a tag class. The icon is blue, gray, or orange depending on the Tag Type; for example, a public tag linked to malicious behavior shows the malicious behavior class icon in gray.
Tag Status
On the Tags page, view the status for a specific tag; optionally, select Sort by: Status to sort tags based on
the status of the tag.
Enabled: Enabled tags generate alerts when matched to traffic. Alerts based on enabled tags are displayed in the Alerts Log on the dashboard and, if configured, email and HTTP alerts are also sent for enabled tags.
Disabled: Disabled tags are tags that have been disabled automatically after reaching 100,000 hits. This is a quality control measure: tags that match large numbers of samples are too general to be useful in identifying targeted threats. Disabled tags continue to display as a reference; you can continue to view the samples that were matched to the tag, search based on the disabled tag, and view the conditions defined for the tag. However, disabled tags are not applied to future samples.
Removing: The tag owner has deleted the tag, but the deletion is not complete. This status displays only for a short period of time; when the tag deletion completes, the tag is removed from the AutoFocus system.
Rescoping: The tag owner has changed the tag visibility to private, public, or anonymously public. This status displays only for a short period of time, while the new tag scope is processed, until the update to the tag scope is complete.
Tag Visibility
There are three types of tag visibility:
Private: Visible only to your organization (more specifically, only to users associated with the same support account as the tag author).
Public: Visible to all AutoFocus users. Public tag details include the name of the organization that created the tag.
Public Anonymously: Visible to all AutoFocus users; however, tags that are made public anonymously do not reveal the organization name in the tag details.
For tags you create, you can set the visibility of the tag and change it at any time. Private tags and samples can be made public, with the option to revert the tag or sample to private at any time.
Tag Details
Tag Visibility: (Private Tags Only) Share a tag with other AutoFocus users by making the tag Public. (You
can also revert a tag you previously made public back to a private tag.)
By default, tags that you make public will list your organization as the tag Owner in the tag details. To
change this default setting so that your organization is not listed as the owner of public tags, select
Settings on the AutoFocus navigation pane and select Share public tags anonymously.
Before you make a tag public, review its search conditions, because the following Session Artifacts may
pertain to private session information:
Device Hostname
Device Serial
Device vsys
Destination IP
Email Recipient Address
Email Charset
Email Sender Address
Email Subject
File Name
File URL
Recipient User ID
Source IP
The following General Artifacts may also pertain to private session information:
Domain
Email Address
Filename
IP Address
URL
You also cannot make a tag public if it has a search condition that points to a custom App-ID you created
(Application > is [custom App-ID]).
Vote, Comment, and Report: You can Vote for, Comment on, and Report Tags. Tags with the visibility set to
private (tags created by and visible only to your organization) do not display these options.
Tag Information: Tag information is searchable and can include some or all of the following details:
Name: AutoFocus enforces unique tag names within an organization.
Scope: The tag type is either public, private, or Unit 42.
Tag Class: The Tag Class associated with the tag.
Source: Organization or individual that discovered the threat defined in the tag.
Created: The date and time that the tag was created.
Updated: The date and time that the tag was most recently modified.
Owner: Organization that created the tag.
# Samples: The total number of private and public samples matched to the tag.
Last Hit: The time at which the most recent sample matched to the tag was detected.
Votes: The number of up-votes the tag has received from the AutoFocus community.
Description: Summary of the threat that the tag indicates.
Related Tags: Tags that share certain conditions, or might indicate similar types of threats.
Alias: Other names that might refer to the threat that the tag defines. You can search on a tag alias to
find all samples matched to tags with that alias.
References: External references that provide more information or context for the threat that the tag
identifies.
Tag a sample.
Create a tag for a sample hash to keep track of a sample that exhibits unique behavior or a sample that
you need to refer back to later. You can then search for the sample by the tag name instead of its hash.
1. Begin a new search.
2. Click a sample hash to view sample details, and click Add Tag.
You can only click the sample hash for a public sample or any of your private samples.
3. Enter a name for the tag in the search field and click create new.
4. Hover over the new tag, and click the tag name.
5. Edit the Tag Details to supply more information about the tagged sample.
Tag a search.
Create a tag for a search condition (or a set of search conditions). You can use the tag to search for all
samples that match the conditions. Review Tag Visibility for tagging guidelines.
1. Work with the Search Editor to create a set of search conditions.
You cannot create a tag for searches based on tag-related information (Tag, Tag
Alias, Tag Class, Tag Scope, and Tag Source) or the artifact Threat Name.
2. Click the Tag icon to create a tag based on the defined search conditions.
3. Provide a unique tag name and any other information that may be helpful for identifying the tag, and
then Tag Results.
Tag Alias: Find samples by the Alias field in the Tag Details. The Tag Alias allows the tag owner to specify
common names for the threat that the tag identifies. For example, there may be multiple tags related to a
single malware family or campaign. In this case, you can use Tag Alias to look for all samples that are
linked to a particular malware family or campaign by different tags.
Tag Class: Find samples associated with a particular Tag Class: a Malware Family, a Campaign, an Actor, an
Exploit, or a type of Malicious Behavior.
Tag Scope: Filter samples by the scope of their tags: private, public, Unit 42 (alerting), or Unit 42
informational (non-alerting).
Tag Source: Find samples with tags that are attributed to a particular tag source. The Tag Source is the
individual or organization that discovered the threat that the tag identifies. The list of tag sources to
choose from is based on all tags with a Tag Visibility that is set to public.
STEP 1 | Click Dashboard on the navigation pane, and click the My Organization, My Industry, or All
tab.
STEP 2 | Set the Dashboard Date Range on page 26 to adjust the displayed Malware Download
Sessions. The widgets on the dashboard (including the Top Tags widget) automatically update
based on the new date range.
STEP 3 | On the Top Tags widget, select a tag to view tag details, including a description of the sample
or conditions that the tag identifies.
STEP 2 | Click the Statistics tab and find the Top Tags widget.
The Top Tags widget displays the 20 tags that AutoFocus matched with the highest number of samples
based on your search.
Report a Tag: Report a tag that is misleading, offensive, or displays sensitive information. Include details
as to why you are reporting the tag.
110 AUTOFOCUS ADMINISTRATORS GUIDE | Assess AutoFocus Artifacts
Find High-Risk Artifacts
To bring your attention to potential threats in your network, AutoFocus provides clues in a sample's
WildFire analysis that link the sample to malware or malicious attacks.
STEP 3 | View artifacts that match your search conditions (even if they're not high-risk), highlighted in
the search results.
Alternatively, select Add to New Search to launch a new search for the artifact in a separate window, or
add a SHA256, IP address, user agent, filename, or URL artifact to a remote search (see Set Up Remote
Search on page 54).
See Export AutoFocus Artifacts on page 123 for steps to build an AutoFocus export list.
View PAN-DB categorization, WildFire DNS history, and passive DNS history for an artifact.
Select an IP address, URL, or domain artifact and click Domain and URL info....
Add or remove conditions for filtering the displayed indicators. Filter by the following criteria and click
Search:
Upload Source: The app that forwarded the indicator to AutoFocus.
Type: The type of information that an indicator is (examples: IPv4, Mutex, URL). See Artifact Types for
definitions of each indicator type. In addition to what are considered Threat Indicators in AutoFocus,
AutoFocus can receive the following additional indicator types from MineMeld: IPv6, registry key, process,
filename, SHA256 hash, SHA1 hash, MD5 hash, and ssdeep fuzzy hash.
Indicator: The exact value of the indicator.
Indicator Fragments: A partial value of the indicator. Use this criterion if you only know part of an
indicator.
Time: The date and time that AutoFocus received the indicator.
IPv4: A criterion for searching for IP addresses in a range.
Use the filter IPv4 > matches to find an IP address that belongs to a range.
Use the filter IPv4 > matches list to find multiple IP addresses in a range.
First Seen: The date and time that the indicator was first seen in the threat feed.
Last Seen: The date and time that the indicator was most recently seen in the threat feed.
Feed Source: The name of the threat feed from which an indicator was retrieved.
Confidence: A confidence rating that the feed owner associates with the indicators in a feed. The confidence
level is measured on a 0-100 scale, with 0 indicating that the feed contents have not been verified and 100
indicating that the feed contents are confirmed accurate.
Share Level: The share level that the feed owner associates with the indicator.
Threat Type: A default value (malicious) that MineMeld assigns to indicators.
Metadata: Additional information about the indicator that the feed owner provided.
Expired: If the value is True, the indicator has aged out, that is, it was removed from its source feed. If
the value is False, the indicator is active.
View all indicators (remove any existing filters), and check the percentage of indicator storage currently
in use. AutoFocus stops receiving indicators from MineMeld when it reaches the maximum number of
indicators that it can store (180 million indicators).
Check the status of the indicator storage periodically. If you are close to the maximum
limit, Remove indicators from the store.
Click the trash icon to remove all indicators from the store.
To remove only a subset of indicators, first Filter the indicators. Then, click the trash icon to remove only
the indicators that match the filter criteria. For example, you can apply the filter Expired > is > True and
click the trash icon to remove only expired indicators from the store.
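The filter criteria above, and the trash icon applied to a filtered view, are easier to reason about as a predicate over indicator records. The following Python is an added example, not AutoFocus or MineMeld code: it holds a small constructed copy of what store records look like, applies the same criteria (type, exact value, fragment, IPv4 range or list of ranges, minimum confidence, expired state, feed source), shows what a filtered removal keeps, and reports storage use against the 180 million indicator limit stated on this page. The record field names, the sample records, and the 90% warning threshold in storage_status are assumptions made for illustration.

```python
"""Filter and prune a local view of an indicator store.

Added example, not AutoFocus or MineMeld code. Field names, records and the
90% warning threshold are constructed; the capacity is the limit stated in the text.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

NOW = datetime(2017, 2, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock so the sample data is reproducible
CAPACITY = 180_000_000  # maximum number of indicators the store holds


def record(type_, value, feed, confidence, *, expired=False, days_old=10, meta=None):
    """Build one constructed indicator record in the store's shape."""
    return {
        "type": type_, "indicator": value, "feed_source": feed, "confidence": confidence,
        "share_level": "green", "threat_type": "malicious", "expired": expired,
        "time": NOW - timedelta(days=days_old), "first_seen": NOW - timedelta(days=days_old),
        "last_seen": NOW - timedelta(days=1), "metadata": meta or {},
    }


# Constructed sample store (not real feed data).
STORE = [
    record("IPv4", "198.51.100.7", "blocklist-a", 90),
    record("IPv4", "198.51.100.200", "blocklist-a", 20, expired=True, days_old=60),
    record("IPv4", "203.0.113.9", "blocklist-b", 75),
    record("URL", "http://malicious.example/dl.php", "blocklist-b", 100),
    record("domain", "c2.example", "blocklist-b", 60),
    record("Mutex", "Global\\evil_mutex", "sandbox-feed", 0, meta={"note": "unverified"}),
]


def in_ipv4_range(value, network):
    """True when value is an IPv4 address inside network (CIDR); False for anything that is not an IP."""
    try:
        return ipaddress.IPv4Address(value) in ipaddress.IPv4Network(network, strict=False)
    except ValueError:
        return False


def matches(rec, *, type_=None, indicator=None, fragment=None, ipv4_range=None,
            ipv4_ranges=None, min_confidence=None, expired=None, feed_source=None):
    """Apply the store's filter criteria to one record; every criterion supplied must hold."""
    if type_ is not None and rec["type"] != type_:
        return False
    if indicator is not None and rec["indicator"] != indicator:
        return False
    if fragment is not None and fragment not in rec["indicator"]:          # Indicator Fragments
        return False
    if ipv4_range is not None and not (rec["type"] == "IPv4"                 # IPv4 > matches
                                       and in_ipv4_range(rec["indicator"], ipv4_range)):
        return False
    if ipv4_ranges is not None and not (rec["type"] == "IPv4"                # IPv4 > matches list
                                        and any(in_ipv4_range(rec["indicator"], r) for r in ipv4_ranges)):
        return False
    if min_confidence is not None and rec["confidence"] < min_confidence:
        return False
    if expired is not None and rec["expired"] != expired:
        return False
    if feed_source is not None and rec["feed_source"] != feed_source:
        return False
    return True


def filter_store(store, **criteria):
    """The filtered view of the Indicators page."""
    return [r for r in store if matches(r, **criteria)]


def remove_matching(store, **criteria):
    """What the trash icon does to a filtered view: drop the matches, keep everything else."""
    return [r for r in store if not matches(r, **criteria)]


def storage_status(store, capacity=CAPACITY, warn_at=0.9):
    """(percent of capacity in use, whether it is time to prune); the 90% threshold is an assumption."""
    used = len(store) / capacity * 100
    return used, used >= warn_at * 100
```

Pruning with `remove_matching(STORE, expired=True)` is the scripted form of filtering on Expired > is > True and clicking the trash icon; applying it to an unfiltered store is the equivalent of emptying the store, which is why the filter is worth checking before the removal.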
Create MineMeld Miner to create an AutoFocus artifacts miner that will extract artifacts from the
Indicator Store. This is one of the ways to Forward AutoFocus Indicators to MineMeld. If you applied a
filter for the indicators before clicking this button, the miner will be configured to extract only indicators
that match the filter criteria.
View additional information about the indicator provided by its source (i.e., the feed owner).
Expand the entry for an indicator to check if the feed owner provided supplementary attributes or
metadata about the indicator.
Top Firewalls: The top 10 firewalls where WildFire detected the greatest number of malware sessions.
Top Upload Sources: The top 10 upload sources that submitted your samples to WildFire.
Top Filetypes Per Application: The number of malware sessions for the top 5 most frequently used
applications for distributing malware. For each application, the malware sessions are broken down by
filetype.
Top Applications: The 10 applications that distributed the most malware samples.
Bottom Applications: The 10 applications that distributed the fewest malware samples.
Top Filetypes: The 10 filetypes most frequently associated with malware samples.
Bottom Filetypes: The 10 filetypes least frequently associated with malware samples.
Top Malware Family Tags: The top 10 Unit 42 and private Malware Family tags that AutoFocus matched to your
samples.
Top Campaign Tags: The top 10 Unit 42 and private Campaign tags that AutoFocus matched to your samples.
Top Malicious Behavior Tags: The top 10 Unit 42 and private Malicious Behavior tags that AutoFocus matched
to your samples.
Threats by Source Country: A map of countries from which malware sessions originated (refer to the list of
Countries and Country Codes). The report highlights the country that sent the greatest number of malware
sessions.
Threats by Destination Country: A map of countries that malware sessions targeted (refer to the list of
Countries and Country Codes). The report highlights the country that received the greatest number of malware
sessions.
STEP 2 | Configure the report settings to choose a time period for filtering the report details, and
Generate the report.
Your Malware Session Percentage By Day is compared with the figures for your industry.
Click on a bar in the Top Firewalls or Top Upload Sources chart to add the value to a
search.
STEP 4 | For the charts Malware Session Percentage By Day and Top Filetypes Per Application, select
which data to display or hide.
Hide filetypes that are seen in larger quantities to view the counts for filetypes that are
seen in smaller quantities.
Build an AutoFocus Export List
To Create a CSV File that contains AutoFocus artifacts, first add the artifacts to an export list. You can build
multiple export lists in AutoFocus. Grouping artifacts into different export lists allows you to easily generate
separate CSV files for them.
STEP 1 | Drill down to view the details for samples returned in an AutoFocus search.
1. Begin a new search.
2. Click a sample hash to view sample details.
3. Select an operating system to view activities and behaviors observed when the sample was executed
in that WildFire analysis environment.
Select multiple artifacts from a WildFire analysis category to add to an export list.
Add all artifacts, all suspicious artifacts, or all highly suspicious artifacts listed for an activity or behavior
category to an export list.
Only artifacts that were observed for the operating system selected in Step 1 are added to the export list.
To add sample artifacts from a different operating system, select that operating system (substep 3 of
Step 1) and repeat the steps that follow.
To view the latest artifacts added, select Sort by: Added Time, and click Sort Descending.
You can also view artifacts based on the WildFire analysis Section from which the artifact is derived.
For example, a domain in the export list might have been added from the DNS Activity that WildFire
detected for the sample. See the Artifact Types that can appear in each WildFire analysis section.
You can click any of the column headers to sort the export list in ascending (up arrow) or descending
(down arrow) order.
To quickly export all artifacts from the Exports page, click Export in the Actions
column of the export list.
Export artifacts based on the time period they were added to an export list:
1. Click Export All Items.
2. Set Export Rows to In Date Range.
3. Use the Added Time fields to export artifacts based on the date and time range that the artifact was
added to the export list.
To quickly export artifacts within a date range from the Exports page, click Export in
the Actions column of the export list.
STEP 4 | (Optional) Format the CSV file to be compatible with a Palo Alto Networks firewall.
Select Formatted for PAN-OS block list.
You can use the CSV file as a dynamic block list (PAN-OS 7.0 or earlier) or an external dynamic list (PAN-
OS 7.1 or later), but the firewall only supports certain types of artifacts. Learn more about how to Use
Export Lists with the Palo Alto Networks Firewall.
Find IP address, URL, and domain artifacts in the DNS Activity, Connection Activity, and
HTTP Activity detected during the WildFire analysis of a sample.
CSV files that are formatted for a PAN-OS block list might display artifacts in an order that
is different from how they appear in the AutoFocus export list.
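As an added example (not the AutoFocus export feature or Palo Alto Networks code), the following Python takes rows shaped like an export list and turns them into block-list files a firewall can fetch as external dynamic lists. It assumes each row carries the artifact type, value, and WildFire analysis section shown in the export list; it splits entries into the three EDL kinds PAN-OS 7.1 and later consume (IP, domain, URL), drops types the firewall cannot use (hashes, mutexes), normalizes URLs to the scheme-less form PAN-OS URL lists expect, collapses duplicates, and reports what it skipped so nothing disappears silently. The sample rows are constructed.

```python
"""Turn AutoFocus export-list rows into PAN-OS external dynamic list (EDL) files.

Added example, not AutoFocus code. Row shape (type, value, section) and the
sample rows are constructed; the EDL kinds and the scheme-less URL form are PAN-OS conventions.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Artifact types the firewall can consume, mapped to the EDL kind they belong in.
EDL_KIND = {"ipv4": "ip", "ipv6": "ip", "domain": "domain", "url": "url"}
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$")

# Constructed export-list rows: (artifact type, value, WildFire analysis section it came from).
EXPORT_LIST = [
    ("IPv4", "203.0.113.5", "Connection Activity"),
    ("IPv4", "203.0.113.5", "Connection Activity"),               # duplicate, must collapse
    ("IPv4", "999.1.1.1", "Connection Activity"),                 # not a valid address
    ("URL", "http://bad.example/dl.php?id=1", "HTTP Activity"),
    ("URL", "HTTPS://Bad.Example/dl.php?id=1", "HTTP Activity"),  # same entry once scheme/case are dropped
    ("domain", "C2.example.", "DNS Activity"),
    ("domain", "not a domain", "DNS Activity"),
    ("SHA256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "File"),
    ("Mutex", "Global\\evil_mutex", "Mutex"),
]


def normalize(kind, value):
    """Return the EDL entry for one artifact, or None when the firewall could not use it."""
    value = value.strip()
    if kind == "ip":
        try:                                 # single addresses only; PAN-OS also takes CIDR and ranges
            return str(ipaddress.ip_address(value))
        except ValueError:
            return None
    if kind == "domain":
        host = value.lower().rstrip(".")
        return host if DOMAIN_RE.match(host) else None
    if kind == "url":
        try:                                 # PAN-OS URL lists are written without a scheme
            parts = urlsplit(value if "://" in value else "http://" + value)
        except ValueError:
            return None
        if not parts.hostname:
            return None
        return parts.hostname + (parts.path or "/") + ("?" + parts.query if parts.query else "")
    return None


def build_edl_files(rows):
    """Group rows into {'ip': [...], 'domain': [...], 'url': [...]} plus a list of skipped rows."""
    files = {"ip": [], "domain": [], "url": []}
    seen, skipped = set(), []
    for type_, value, section in rows:
        kind = EDL_KIND.get(type_.lower())
        if kind is None:
            skipped.append((type_, value, section, "type not usable in an EDL"))
            continue
        entry = normalize(kind, value)
        if entry is None:
            skipped.append((type_, value, section, "value did not parse"))
            continue
        if (kind, entry) not in seen:        # the firewall would otherwise count the duplicate twice
            seen.add((kind, entry))
            files[kind].append(entry)
    return files, skipped


def render(entries):
    """One entry per line, which is the file the firewall fetches for an EDL."""
    return "".join(e + "\n" for e in entries)
```

Review the skipped list before publishing: a row skipped for "type not usable in an EDL" (a hash, a mutex) is expected, but "value did not parse" on an IP or domain usually means the artifact was extracted from a sandbox string rather than observed network activity.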
MineMeld
MineMeld is a threat intelligence processing tool that extracts indicators from various sources and compiles
the indicators into multiple formats compatible with AutoFocus, the Palo Alto Networks next-generation
firewall, and other security and information event management (SIEM) platforms.
Introduction to MineMeld
Start, Stop, and Reset MineMeld
Use AutoFocus-Hosted MineMeld
Create a Minemeld Node
Connect MineMeld Nodes
Delete a MineMeld Node
AutoFocus Prototypes
Forward MineMeld Indicators to AutoFocus
Forward AutoFocus Indicators to MineMeld
Use AutoFocus Miners with the Palo Alto Networks Firewall
Troubleshoot MineMeld
Introduction to MineMeld
Using threat intelligence to enforce security policy poses several challenges. Sources of threat indicators
often place indicators in multiple formats or format them inconsistently. Using indicators from multiple
sources and packaging them into different formats requires a large investment of time and effort, especially
as you discover new sources of indicators. It is also difficult to keep track of updates to threat indicator
sources, since they are updated at different times and not always on a regular basis. MineMeld automates
many of these manual processes so you can use indicators to dynamically enforce policy with your firewall
or to investigate threats with AutoFocus.
Three types of MineMeld nodes make it possible to automate the flow of indicators from source to
destination:
Miners extract indicators from sources of threat intelligence, such as a threat indicator feed or a threat
intelligence service like AutoFocus.
Processors receive indicators from miners and can aggregate indicators, eliminate duplicated indicators,
and merge different sets of metadata for the same indicator. For example, a common type of processor
is one that receives only IPv4 indicators.
Outputs receive indicators from processors. Output nodes format the indicators and allow MineMeld to
dynamically send the indicators to one or more destinations (for example, MineMeld can send indicators
from external threat feeds to AutoFocus or the firewall).
When you reset MineMeld, this permanently deletes any nodes or customizations you
have made within the app. However, if you reset MineMeld after you Forward MineMeld
Indicators to AutoFocus, AutoFocus will continue to store the forwarded indicators from
the deleted nodes.
If you use MineMeld to forward indicators to an external dynamic list on a Palo Alto Networks firewall
and reset MineMeld, you must update the external dynamic list with a new link from MineMeld.
When using MineMeld for the first time (or after resetting it), the default configuration
of nodes sends IP addresses, URLs, and domains from a set of block lists to the
Indicator Store, a storage space in AutoFocus for external indicators. Click Indicators
on the navigation pane to view the Indicator Store.
View a library of miner, processor, and output Prototypes you can clone to Create a Minemeld Node.
View a complete list of Nodes you've created.
Choose other nodes from which a node will receive indicators. Edit the inputs of the node Config to
Connect MineMeld Nodes. The Config tab also allows you to Delete a MineMeld Node.
View the Logs, which is a record of indicators that MineMeld extracted from feed sources.
For more guidance on how to use MineMeld, see MineMeld.
STEP 1 | Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
STEP 9 | Find the new node in the list of Nodes to verify that it was saved successfully.
An exclamation point next to the node name notifies you that you must Complete
additional required fields for a node.
STEP 1 | Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
STEP 3 | Click Config, and find the node you want to connect to another node.
STEP 6 | View the flow of indicators that the node is part of.
1. View the list of Nodes.
2. Find the node in the list, and view the Graph ( * ) for it. Larger nodes process more indicators than
smaller nodes.
STEP 7 | Share your MineMeld nodes and node connections with another MineMeld user.
Select the Config tab, and click Export. When you share the code that this generates with other
MineMeld users, they can Import it into their MineMeld instance.
Use the MineMeld import feature to quickly load another user's nodes and node
connections into your MineMeld instance. Importing a configuration replaces any nodes or
node connections you have previously created.
STEP 1 | Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
STEP 4 | Find the node you want to delete. If you know the name of the node, use the Search field to
quickly find the node.
Check the node inputs and verify that you can delete the connection to these inputs.
STEP 7 | Check that the node no longer appears in the list of Nodes to verify that it was deleted
successfully.
AutoFocus Prototypes
The following AutoFocus-specific prototypes allow you to Forward MineMeld Indicators to AutoFocus
and Forward AutoFocus Indicators to MineMeld. To view the default behavior for a prototype, select
the prototype from the Prototypes tab in MineMeld and view the configuration (Config) details. The
prototypes below have default intervals for extracting and aging out indicators. When an indicator is aged
out, MineMeld withdraws the indicator from the outputs that received it.
Samples Miner
The samples miner extracts Threat Indicators from samples that meet the conditions of an AutoFocus search.
You must set the search conditions when you create this miner node.
The samples miner does not extract all sample artifacts; it only extracts statistically important artifacts
that AutoFocus has determined to be indicators based on their tendency to be seen with malware.
Default behavior:
Accepts all indicator types.
Initially extracts indicators from samples that meet the criteria of the search based on the last 24 hours.
After the initial poll for indicators, extracts indicators from samples every hour.
Each time this miner extracts indicators, it only extracts indicators from the first 10,000 samples.
Only forwards indicators that it has not seen previously.
Ages out indicators 24 hours after the last time they were seen in the sample search results.
Artifacts Miner
The artifacts miner extracts indicators from external sources that are currently stored in the AutoFocus
Indicator Store (see Manage Threat Indicators). You must connect this miner to a processor and output node to
forward the indicators to a destination outside of AutoFocus, such as a Palo Alto Networks firewall or other
SIEM platforms.
Default behavior:
Accepts all indicator types.
Initially extracts indicators that were added to the Indicator Store in the last 24 hours.
After the initial poll for indicators, extracts indicators from the store every hour.
Only forwards indicators that it has not seen previously.
Ages out indicators 30 days after the last time they were added or updated in the Indicator Store, or as soon
as an indicator is marked as expired in the store.
Artifacts Output
The artifacts output sends indicators from external threat intelligence sources directly to the AutoFocus
Indicator Store (see Manage Threat Indicators). AutoFocus highlights indicators in your samples that match
the indicators in the store, allowing you to Find High-Risk Artifacts.
Default behavior:
Accepts all indicator types.
Does not allow you to use the artifacts miner to send indicators back to the AutoFocus Indicator Store.
Export List Miner
The export list miner sends artifacts from an AutoFocus export list to a destination outside of AutoFocus.
Unlike the other AutoFocus prototypes, the export list miner can be used in either AutoFocus-hosted MineMeld
or a MineMeld instance you deployed in your own environment.
Default behavior:
Accepts IPv4, URL, and domain indicators.
STEP 1 | Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
STEP 2 | Create a Minemeld Node that will receive processed indicators and send them to AutoFocus.
Create an output node based on the prototype autofocus.artifactsOutput.
STEP 3 | Connect MineMeld Nodes (miner and processor) to the output node you just created.
Use an AutoFocus Samples Miner to forward Indicators from sample search results.
1. Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
2. Work with the Search Editor to set up a search.
3. Create MineMeld Miner from the search page.
The node details include:
1. Name: Give the miner a descriptive name.
2. Prototype: The prototype is pre-selected (autofocus.samplesMiner).
3. Query: This field is pre-populated with the conditions of your search.
4. Scope: Select the scope of the search results: global, private, or public.
5. Artifacts: Select which indicators AutoFocus will forward to MineMeld: Any indicators, only
indicators that match MineMeld indicators, or None (MineMeld only extracts hashes from the
sample search results).
6. Connect to Processors: Select processors that will receive indicators from the miner.
If you select a Scope of global, the miner extracts indicators from your private
samples and from public samples from you and other AutoFocus users; it does not
extract indicators from other users' private samples.
4. Connect MineMeld Nodes (processor and output) to the miner you just created.
Use an AutoFocus Artifacts Miner to forward indicators from external sources stored in
AutoFocus (see Manage Threat Indicators) to a destination outside of AutoFocus.
1. Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
2. Click Indicators on the navigation pane and optionally, Filter the indicators.
3. Create MineMeld Miner.
The node details include:
1. Name: Give the miner a descriptive name.
2. Prototype: The prototype is pre-selected (autofocus.artifactsMiner).
3. Query: If you filtered the indicators, this field is pre-populated with the filter you used.
4. Connect to Processors: Select processors that will receive indicators from the miner.
4. Connect MineMeld Nodes (processor and output) to the miner you just created.
Use an AutoFocus Export List Miner to forward indicators from an AutoFocus export list.
You can use the AutoFocus export list miner in AutoFocus-hosted MineMeld or in a
MineMeld instance you deployed in your own environment. The default behavior of the
miner is the same in either version of MineMeld.
STEP 1 | Add the root certificate authority (CA) certificate for MineMeld to the firewall.
1. Download the GoDaddy Class 2 Certification Authority Root Certificate: https://certs.godaddy.com/
repository/gd-class2-root.crt
2. On the firewall, select Device > Certificate Management > Certificates.
3. Import the certificate to the firewall.
1. Give the certificate a descriptive name.
2. Browse for the certificate file and attach the GoDaddy certificate you downloaded.
3. Click OK.
STEP 3 | Configure the MineMeld nodes that will send indicators to the firewall.
To find outputs that you can use with an external dynamic list, view the list of
MineMeld Prototypes and search with the keyword EDL.
STEP 5 | Verify that the firewall can receive indicators from the AutoFocus miners.
On the firewall, retrieve entries for the external dynamic list you added and view the list entries.
Troubleshoot MineMeld
Refer to the procedures below to troubleshoot issues with MineMeld.
3. Purge Logs.
This deletes logs of internal system processes on MineMeld; this does not delete the record of
indicators that nodes received or indicators that were aged-out in the Logs tab.
1. Compare the counts from different points in the Indicators graph to determine the number of new
indicators that the node processed during a time range. A drop in the graph indicates that some
indicators associated with the node were aged out.
2. View the trend of indicators that the node added, aged out, updated, and withdrew from other
nodes.
Track indicators that were successfully received by a node and indicators that were aged out.
View the MineMeld logs to determine if an indicator was successfully received by a node or aged out.
1. View the logs for a specific indicator.
1. In MineMeld, click the Logs tab.
2. In the search field, enter indicator:[indicator value] and click the spyglass to launch the
search.
3. Evaluate the logs for the indicator based on the following log messages.
EMIT_UPDATE: A log of a node sending an indicator (or an indicator update) to another node.
ACCEPT_UPDATE: A log of a node successfully receiving an indicator from another node.
EMIT_WITHDRAW: A log of a node aging out an indicator.
ACCEPT_WITHDRAW: A log of a node accepting a request from another node to withdraw an aged-out
indicator.
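To make the node model from the MineMeld introduction (miners, processors, outputs) and these four log messages concrete, here is an added Python example; it is not MineMeld's own code. A miner forwards only indicators it has not seen and withdraws them after a quiet period, the way the samples and artifacts miners age out indicators; a processor keeps one indicator type, de-duplicates, and merges metadata for the same indicator; an output holds the list a destination would fetch. Every hop appends the same EMIT_UPDATE / ACCEPT_UPDATE / EMIT_WITHDRAW / ACCEPT_WITHDRAW records, and search_log reproduces the indicator:[indicator value] search. Node names, the 24-hour age-out, the poll clock T0, and the feed contents are constructed.

```python
"""Miner -> processor -> output pipeline with age-out and MineMeld-style log records.
Added example, not MineMeld code; node names, the age-out window, T0 and the feed are constructed."""
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta, timezone

T0 = datetime(2017, 2, 1, tzinfo=timezone.utc)  # constructed poll clock
HOUR = timedelta(hours=1)

@dataclass
class Indicator:
    value: str
    type: str
    seen: datetime
    meta: dict = field(default_factory=dict)

class Node:
    """Forwards updates and withdrawals to connected nodes; each hop is logged as (node, message, value, peer)."""
    def __init__(self, name, log):
        self.name, self.log, self.outputs = name, log, []
    def connect(self, node):
        self.outputs.append(node)
    def emit_update(self, ind):
        for dst in self.outputs:
            self.log.append((self.name, "EMIT_UPDATE", ind.value, dst.name))
            dst.accept_update(self, ind)
    def emit_withdraw(self, value):
        for dst in self.outputs:
            self.log.append((self.name, "EMIT_WITHDRAW", value, dst.name))
            dst.accept_withdraw(self, value)
    def accept_update(self, src, ind):
        self.log.append((self.name, "ACCEPT_UPDATE", ind.value, src.name))
        self.on_update(ind)
    def accept_withdraw(self, src, value):
        self.log.append((self.name, "ACCEPT_WITHDRAW", value, src.name))
        self.on_withdraw(value)
    def on_update(self, ind):  # overridden by processors and outputs
        pass
    def on_withdraw(self, value):
        pass

class Miner(Node):
    """Polls a feed, forwards only unseen indicators, withdraws them once quiet for age_out."""
    def __init__(self, name, log, age_out):
        super().__init__(name, log)
        self.age_out, self.known = age_out, {}
    def poll(self, feed, now):
        for ind in feed:
            first_time = ind.value not in self.known
            self.known[ind.value] = replace(ind, seen=now)  # refresh last-seen either way
            if first_time:
                self.emit_update(self.known[ind.value])
        for value, ind in list(self.known.items()):
            if now - ind.seen >= self.age_out:
                del self.known[value]
                self.emit_withdraw(value)

class Processor(Node):
    """Keeps accepted types only, de-duplicates, and merges metadata for the same indicator."""
    def __init__(self, name, log, accept_types=None):
        super().__init__(name, log)
        self.accept_types, self.table = accept_types, {}
    def on_update(self, ind):
        if self.accept_types and ind.type not in self.accept_types:
            return  # e.g. an IPv4-only processor dropping a URL
        cur = self.table.get(ind.value)
        if cur is None:
            cur = self.table[ind.value] = replace(ind, meta=dict(ind.meta))
            self.emit_update(cur)
        elif {**cur.meta, **ind.meta} != cur.meta:  # new metadata for a known indicator
            cur.meta.update(ind.meta)
            self.emit_update(cur)  # an identical repeat is never re-emitted
    def on_withdraw(self, value):
        if self.table.pop(value, None) is not None:
            self.emit_withdraw(value)

class Output(Node):
    """The list a destination such as an EDL or a SIEM fetches."""
    def __init__(self, name, log):
        super().__init__(name, log)
        self.entries = {}
    def on_update(self, ind):
        self.entries[ind.value] = ind
    def on_withdraw(self, value):
        self.entries.pop(value, None)

def search_log(log, value):
    """Local equivalent of the Logs tab search indicator:[value], in arrival order."""
    return [(node, msg, peer) for node, msg, v, peer in log if v == value]

def build_pipeline(age_out=24 * HOUR):
    """Miner -> IPv4-only processor -> output (constructed names) sharing one log."""
    log = []
    miner = Miner("samples_miner", log, age_out)
    proc = Processor("ipv4_aggregator", log, accept_types={"IPv4"})
    out = Output("edl_output", log)
    miner.connect(proc)
    proc.connect(out)
    return miner, proc, out, log
```

Reading the log for one indicator tells you where it stopped: an EMIT_UPDATE from the miner followed by an ACCEPT_UPDATE at the processor and nothing further means the processor accepted and then discarded it (wrong type for that node), while an EMIT_WITHDRAW that never reaches the output means the processor never held it in the first place.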