
AutoFocus Administrator's Guide

February 2017

paloaltonetworks.com/documentation
Table of Contents
Get Started With AutoFocus........................................................................... 5
About AutoFocus.........................................................................................................................................7
First Look at the AutoFocus Portal........................................................................................................ 9
AutoFocus Concepts................................................................................................................................ 17
Use AutoFocus with the Palo Alto Networks Firewall....................................................................20
AutoFocus Portal Settings...................................................................................................................... 21

AutoFocus Dashboard..................................................................................... 23
Dashboard Overview............................................................................................................................... 25
Set the Dashboard Date Range............................................................................................................ 26
Drill Down on Dashboard Widgets...................................................................................................... 28
Customize the Dashboard...................................................................................................................... 29

AutoFocus Search.............................................................................................31
Start a Quick Search................................................................................................................................ 33
Work with the Search Editor.................................................................................................................35
Drill Down in Search Results................................................................................................................. 42
Samples........................................................................................................................................... 42
Sessions...........................................................................................................................................47
Statistics..........................................................................................................................................48
Indicators........................................................................................................................................ 50
Domain, URL, and IP Address Information............................................................................ 51
Set Up Remote Search............................................................................................................................ 54
Artifact Types.............................................................................................................................................57
General Artifacts...........................................................................................................................57
Sample Artifacts............................................................................................................................58
Session Artifacts........................................................................................................................... 60
Analysis Artifacts.......................................................................................................................... 62
Windows Artifacts....................................................................................................................... 64
Mac Artifacts................................................................................................................................. 64
Android Artifacts.......................................................................................................................... 65
Search Operators and Values................................................................................................................ 68
Guidelines for Partial Searches..............................................................................................................72
Contains and Does Not Contain Operators.......................................................................... 72
Proximity Operator...................................................................................................................... 72

AutoFocus Alerts.............................................................................................. 75
Alert Types................................................................................................................................................. 77
Email Alerts.................................................................................................................................... 77
HTTP Alerts................................................................................................................................... 78
Create Alerts.............................................................................................................................................. 80
Define Alert Actions....................................................................................................................80
Enable Alerts by Tag Type.........................................................................................................83
Create Alert Exceptions..............................................................................................................83
View Alerts in AutoFocus....................................................................................................................... 85
Edit Alerts................................................................................................................................................... 88

TABLE OF CONTENTS iii


AutoFocus Tags.................................................................................................91
Tag Concepts............................................................................................................................................. 93
Tag Types....................................................................................................................................... 93
Tag Class.........................................................................................................................................94
Tag Status.......................................................................................................................................94
Tag Visibility.................................................................................................................................. 95
Tag Details.................................................................................................................................................. 96
Create a Tag...............................................................................................................................................99
Work with Tags...................................................................................................................................... 101
Find Samples by Tag Details...................................................................................................101
Filter and Sort Tags...................................................................................................................101
Find the Top Tags Detected During a Date Range........................................................... 103
See the Top Tags Found with Search Results.................................................................... 103
Vote for, Comment on, and Report Tags......................................................................................... 105

Assess AutoFocus Artifacts......................................................................... 109


Find High-Risk Artifacts........................................................................................................................111
Add High-Risk Artifacts to a Search or Export List....................................................................... 114
Manage Threat Indicators.................................................................................................................... 116
Use the Threat Summary Report to Observe Malware Trends.................................................. 118
Threat Summary Report Overview....................................................................................... 118
View Threat Summary Report Details..................................................................................120

Export AutoFocus Artifacts......................................................................... 123


Build an AutoFocus Export List.......................................................................................................... 125
Create a CSV File................................................................................................................................... 129
Use Export Lists with the Palo Alto Networks Firewall................................................................131

AutoFocus Apps..............................................................................................133
MineMeld..................................................................................................................................................135
Introduction to MineMeld....................................................................................................... 135
Start, Stop, and Reset MineMeld...........................................................................................136
Use AutoFocus-Hosted MineMeld........................................................................................137
Create a MineMeld Node........................................................................................................ 138
Connect MineMeld Nodes...................................................................................................... 140
Delete a MineMeld Node........................................................................................................ 141
AutoFocus Prototypes.............................................................................................................. 142
Forward MineMeld Indicators to AutoFocus......................................................................143
Forward AutoFocus Indicators to MineMeld......................................................................144
Use AutoFocus Miners with the Palo Alto Networks Firewall....................................... 145
Troubleshoot MineMeld...........................................................................................................146

Get Started With AutoFocus
AutoFocus is a threat intelligence service that provides an interactive, graphical interface for
analyzing threats in your network. With AutoFocus, you can compare threats in your network
to threat information collected from other networks in your industry or across the globe,
within specific time frames. AutoFocus statistics are updated to include the most recent threat
samples analyzed by Palo Alto Networks. Access to this information allows you to keep up
with threat trends and to take a preventive approach to securing your network.
See the following topics to get started with the AutoFocus threat intelligence service. If you
haven't already, first register and activate AutoFocus.

> About AutoFocus
> First Look at the AutoFocus Portal
> AutoFocus Concepts
> Use AutoFocus with the Palo Alto Networks Firewall
> AutoFocus Portal Settings

AUTOFOCUS ADMINISTRATOR'S GUIDE | Get Started With AutoFocus
About AutoFocus
The AutoFocus threat intelligence portal enables you to quickly identify threats on your network, and to
contextualize such events within an industry, global, and historical context. AutoFocus harnesses data from
WildFire, the PAN-DB URL Filtering database, Unit 42, and from third-party feeds (including both closed
and open-source intelligence). AutoFocus then makes the data searchable and layers the data with statistics
that both highlight pervasive malware and reveal connections between malware.
Take a look at the following table for an overview of AutoFocus features that allow you to prioritize,
contextualize, and address threats affecting your network.

I want to... / How can I do this with AutoFocus?

...prioritize events in my network environment.

    Look at the dashboard. The AutoFocus dashboard visually weights threat artifacts and statistics to bring focus to pervasive events.

    Check samples for high-risk artifacts. When WildFire analyzes a sample, it finds certain activities, properties, and behaviors to be associated with that sample. AutoFocus indicates the artifacts that are most likely to be detected with malware as Suspicious or Highly Suspicious. You can Find High-Risk Artifacts in AutoFocus search results.

    Create custom alerts. Create alerts based on Tags to keep track of samples linked to high-risk artifacts. AutoFocus can send notifications to your email account or web server.

    Distinguish between advanced threats and commodity malware. Unit 42 publishes Unit 42 Tags (Alerting) and Unit 42 Informational Tags (Non-Alerting) in AutoFocus that allow you to distinguish between threats or campaigns with global impact (Unit 42 alerting tags) and less impactful threats that do not pose a direct or immediate security risk (Unit 42 informational tags).

...gain context around an event.

    Toggle the dashboard. You can move between views that show the top activity for your network, for your industry, and on a global scale. You can also filter any dashboard view to display data for a specific date range.

    Use the search editor. Search results provide detailed analysis information for samples, including all artifacts found to be associated with a sample during WildFire analysis. For each artifact, the number of times that WildFire has detected the artifact with malware, benign, and grayware samples is listed. Drill down and pivot through search results to discover threat variants. You can add high-risk artifacts to your search as you go. You can filter your view of search results to show only results from your network or from all public samples.

...leverage AutoFocus data.

    Enable Unit 42 alerts. You can enable alerts from Unit 42, the Palo Alto Networks threat intelligence team. You can also set up prioritized alerts for your private tags or for public tags shared by the AutoFocus community.

    Export AutoFocus Artifacts. You can add high-risk artifacts to be used with a Palo Alto Networks firewall block list or external dynamic list, or to support a security information and event management (SIEM) solution.

Get Started

    Take a First Look at the AutoFocus Portal.
    Set up an AutoFocus Search.



First Look at the AutoFocus Portal
The AutoFocus dashboard presents a visual landscape of network, industry, and global threat artifacts. A
threat artifact could be a sample hash (identifying a link included in an email or a file, such as a PDF or PE), a
statistic, a file property, or a behavior that shows a correlation with malware.
Set the context of the dashboard to display activity and artifacts for your organization, or to view data at an
industry or global level. You can expand or narrow the date range of the threat activity data displayed. The
Dashboard widgets are interactive: hover over an artifact to view artifact details or click an artifact to add it
to a search.

First Look at the Dashboard

Support Account Area
Threat researchers who have access to multiple support accounts can select a single support account to view data from devices associated with that account.

Start a Quick Search for threat artifacts.

View the AutoFocus documentation site.

Log out of the portal.

Dashboard
Select an AutoFocus Dashboard tab to set the context for the data displayed: My Organization, My Industry, or All. Threat data and activity displayed on the dashboard widgets will update to reflect the context selected (see the Dashboard Overview for details). The widgets are interactive and can be used to drill down and investigate malware or event details. Hover over artifacts displayed on the dashboard to reveal additional details, or click on an artifact to add it to the search editor.
By default, the dashboard displays data for the last seven days.
Filter the data displayed on the dashboard by context and date:
    Filter by context: Move between the tabs to set the dashboard context, displaying the varying threat landscapes for your network, your industry, or globally.
    Filter by date: Set the dashboard to display data for the last 7, 30, 90, or 180 days. You can also select All time to display all data for the selected context.

Navigation Pane
Use the navigation pane to access the following AutoFocus features:
    Dashboard: Display the AutoFocus Dashboard. AutoFocus remembers your last dashboard settings even as you switch between the features on the navigation pane.
    Search: The search editor allows you to perform free-form searches using boolean logic. Set up an AutoFocus Search based on threat artifacts gathered from your environment, or from viewing industry or global data on the AutoFocus dashboard. To get started, Work with the Search Editor. You can then Drill Down in Search Results to find high-risk artifacts, including the number of times that an artifact, such as an IP address, has been detected with malware, benign, and grayware samples.
    Tags: A tag is a set of conditions compared against historical and new samples. You can create your own AutoFocus Tags. Unit 42 also publishes tags in AutoFocus to identify and help you detect known threats. On the Tags page, you can view your private tags, public tags shared by other AutoFocus users, and Unit 42 tags.
    Alerts: Set up AutoFocus Alerts based on tags. Depending on your alert settings, Unit 42, public, and private tags generate alerts when matched to malware and grayware samples in your network. Create Alerts for Unit 42 tags: this allows you to receive prioritized notifications when targeted attacks or threat campaigns identified by Unit 42 are matched to samples.
    Indicators: Keep track of threat indicators that you have forwarded to AutoFocus from external sources and Manage Threat Indicators.
    Exports: Export AutoFocus Artifacts, such as IP addresses, URLs, and domains, to a CSV file. You can then use the CSV file to enable a Palo Alto Networks firewall to enforce policy based on AutoFocus artifacts or to import AutoFocus data to a security information and event management (SIEM) tool.
    Reports: Use the Threat Summary Report to Observe Malware Trends in your network.
    Settings: Update the AutoFocus Portal Settings.
    Apps: Launch the MineMeld app, an open-source app whose features are integrated into AutoFocus to highlight artifacts on your network that signal the presence of a potential threat.

Malware Download Sessions
The Malware Download Sessions histogram displays the malware sessions for samples detected for the first time in the selected date range. Use the histogram to observe spikes in new malware activity.
If you don't see any malware sessions in the histogram, there may not be any malware detected during the selected date range. The histogram does not include sessions with known malware (malware that was first seen before the selected date range). Adjust the histogram sliders to narrow or broaden the date range. Dashboard widgets automatically update to reflect the date range you have selected. For details, see Set the Dashboard Date Range.
An additional day with no populated data is sometimes displayed on the Malware Download Sessions histogram, regardless of the date range selected.

Dashboard Widgets
The dashboard widgets highlight the top ten artifacts depending on the context (my organization, industry, or all) and time range selected:
    Top Applications: Displays the ten most used applications.
    Top Malware: Displays the ten malware samples with the most hits.
    Top Firewalls: Displays the ten firewalls with most sessions where malware samples were detected. Select the Organization tab on the dashboard to display the top firewalls in your network.
    Target Industries: Displays the ten industries with the highest counts of malware detected. Select the All tab on the dashboard to display target industries on a global scale.
You can Customize the Dashboard to add or remove widgets. Click a single bar in any widget to Drill Down on Dashboard Widgets to add the artifact to a search or to tag it.

Malware Sources and Destinations
The Malware Sources and Destinations map allows you to view malware hot spots geographically. Select Source to display countries with high rates of malware sessions originating from those countries, or select Destination to display countries with high rates of targeted attacks. Larger bubbles indicate higher rates of activity. You can also zoom in to more closely examine the number of malware sessions by source or destination country. Refer to Countries and Country Codes for a list of the two-letter country codes used in the map.

Top Tags
The Top Tags widget lists the AutoFocus Tags matched to the highest number of samples. You can easily distinguish the different tag types by color and icon.
The Top Tags list is sorted according to the number of samples matched to the tag in the date range selected on the malware sessions histogram (at the top of the dashboard). For each tag, the list also displays the total number of samples that have been matched to the tag and the date and time that the most recent matching sample was detected.
On the Top Tags widget:
    Filter the displayed tags by Tag Class.
    Select from the options under Choose Tag Types to display the top 20 private tags, public tags, Unit 42 alerting tags, and/or Unit 42 informational tags.
    Select a tag to view tag details, including a description of the condition or set of conditions that the tag identifies, or to add the tag to a search.

Alerts Log
The Alerts Log widget displays the latest 20 alerts on malware and grayware matching enabled public, private, or Unit 42 AutoFocus Tags. For details on enabling the delivery of prioritized alerts through email or over HTTP, see Create Alerts.

Recent Unit 42 Research
Browse quick links to the latest research, news, and resources from Unit 42, the Palo Alto Networks threat intelligence team.

Feedback Link
The Give Feedback link provides a quick way to send comments and requests for new features to the AutoFocus team at Palo Alto Networks.

AutoFocus Concepts
Familiarize yourself with the following AutoFocus terminology to help you as you use the tool to begin
researching threats.

Samples
For both AutoFocus and WildFire, a sample refers to a file (such as a PDF or PE) or a link included in an email. The Palo Alto Networks firewall and other sources such as Traps and Proofpoint can forward unknown samples to the WildFire cloud, where WildFire performs Static Analysis and Dynamic Analysis of the sample. As WildFire observes and executes the sample in the analysis environment, WildFire associates different Artifacts with the sample.
AutoFocus allows you to search for samples based on the sample hash and other Sample Artifacts. When you perform a search in AutoFocus, AutoFocus compares all historical and new samples to the search conditions and filters the search results accordingly.
AutoFocus receives WildFire analysis information for samples submitted to the WildFire global and regional clouds.

Sessions
Sessions in AutoFocus search results provide information about how a source submitted a sample to WildFire. Each session has a time stamp that indicates when WildFire received the sample. For samples forwarded by a Palo Alto Networks firewall, the associated session information provides context for the detection of the sample on the network. For samples submitted by another Upload Source (Traps, Proofpoint, WildFire API, WildFire appliance, or manual upload to the WildFire public portal), the session details are limited to the time stamp, the hash of the sample that was analyzed, and the upload source. Session information also indicates whether a sample was submitted to the WildFire global cloud or a regional cloud. Use Session Artifacts to filter AutoFocus search results.

Static Analysis
Static analysis is a type of analysis based on properties of a sample that WildFire can detect and observe in a virtual environment without executing the sample. For details on the type of static analysis information that AutoFocus reports for samples, see Artifact Types.

Dynamic Analysis
Dynamic analysis consists of executing a sample in a WildFire analysis environment to determine the behaviors and activities that a sample exhibits when it runs. During dynamic analysis, WildFire also observes other behaviors and activities that occur in the analysis environment as a result of executing the sample. For details on the type of dynamic analysis information that AutoFocus reports for samples, see Artifact Types.

Artifacts
An artifact is a property, activity, or behavior shown to be associated with a sample or a session through both WildFire analysis of the sample and through AutoFocus statistics. For example, types of artifacts include IP addresses, domains, URLs, applications, processes, hashes, and email addresses.
In AutoFocus, artifacts are highlighted both on the dashboard and within search results. AutoFocus search results spotlight significant artifacts that are identified according to risk. The dashboard and search editor both allow you to add an artifact directly to an ongoing search or to add it to an export list, which you can use to enforce policy on a firewall or to analyze artifacts in a SIEM.
For more details on viewing and evaluating artifacts, see also Assess AutoFocus Artifacts.

Threat Indicators
An indicator is an artifact that security experts typically observe to detect signs that a network has been compromised. Indicators are crucial for implementing a network defense strategy based on threat intelligence. The following types of artifacts are considered indicators in AutoFocus:
    - Domain
    - IPv4
    - Mutex
    - URL
    - User agent
AutoFocus determines which artifacts are indicators through a statistical algorithm based on the tendency of the artifact to be seen predominantly in malware samples. With the MineMeld app, you can forward indicators from external threat feeds into AutoFocus. You can then Manage Threat Indicators and Find High-Risk Artifacts that match indicators to check your network for known threats.

Tags
A tag is a collection of search criteria that together indicate a known or possible threat. Both historical and new samples that match the conditions defined for a tag are associated with that tag. You can perform searches and create alerts based on tags.
See AutoFocus Tags for details on creating tags and contributing to tags, including more information on Tag Types, Tag Class, Tag Status, and Tag Visibility.

Public Tags and Samples
Public tags and samples in AutoFocus are visible to all AutoFocus users.
For tags you create, you can set the status to public, so that the tag is visible to the AutoFocus community. You can revert the tag to be private at any time.
Public samples consist of samples from open-source intelligence (OSINT) and other external public sources, as well as samples that AutoFocus users have made public. Samples from your organization can only become public in two ways:
    - Open the sample details and manually set the sample to Public, in order to share it within the AutoFocus community.
    - If a private sample from your organization is later received by WildFire from a public source, the sample will become public at that time.

Private Tags and Samples
Private tags and samples in AutoFocus are visible only to AutoFocus users associated with the same support account.
Private tags and samples can be made public, with the option to revert the tag or sample back to private status at any time.

All Tab and All Samples
The All tab on the dashboard and the option to view All Samples in a search include statistics for all samples seen by WildFire, both public and private; however, identifying details are obfuscated for private samples. The All tab on the dashboard displays all malware (including private samples) with obfuscated hashes. The All Samples view in a search obfuscates private sample details with the exception of the WildFire verdict for the sample, the date the sample was first submitted to WildFire, the file size, and the file type.

Suspicious
Suspicious artifacts:
    - Have been widely detected across large numbers of samples.
    - Are most frequently detected with malware. Although suspicious artifacts can be detected with grayware and benign samples, they are more often found with malware.
For more on suspicious artifacts in AutoFocus, you can Find High-Risk Artifacts and Add High-Risk Artifacts to a Search or Export List.

Highly Suspicious
Highly suspicious artifacts:
    - Have been detected in very few samples. The lack of distribution of these types of artifacts could indicate an attack crafted to target a specific organization.
    - Are most frequently detected with malware. In some cases, these artifacts have been exclusively seen with malware and never with grayware or benign samples.
For more on highly suspicious artifacts in AutoFocus, you can Find High-Risk Artifacts and Add High-Risk Artifacts to a Search or Export List.
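As an added illustration of the Threat Indicators, Suspicious and Highly Suspicious concepts above (this is not code from the guide or from AutoFocus, whose scoring algorithm is not published here), the following script applies the qualitative criteria to constructed WildFire-style detection counts and builds the kind of indicator export list the guide describes. The numeric thresholds, the Artifact record layout and the CSV columns are assumptions made for the example.

```python
import csv
import io
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Artifact types the guide lists as threat indicators in AutoFocus.
INDICATOR_TYPES = {"domain", "ipv4", "mutex", "url", "user_agent"}

# Assumed thresholds: the guide describes the criteria only qualitatively.
MALWARE_SHARE_MIN = 0.8   # "predominantly" / "most frequently" seen with malware
FEW_SAMPLES_MAX = 10      # "very few samples" -> Highly Suspicious
WIDE_SAMPLES_MIN = 100    # "widely detected" -> Suspicious


@dataclass(frozen=True)
class Artifact:
    """One artifact with the per-verdict detection counts that search results list."""
    kind: str
    value: str
    malware: int
    benign: int
    grayware: int

    @property
    def total(self) -> int:
        return self.malware + self.benign + self.grayware

    @property
    def malware_share(self) -> float:
        return self.malware / self.total if self.total else 0.0


def classify(a: Artifact) -> Optional[str]:
    """Return "Highly Suspicious", "Suspicious", or None under the assumed thresholds."""
    if a.total == 0 or a.malware_share < MALWARE_SHARE_MIN:
        return None                     # not predominantly a malware artifact
    if a.total <= FEW_SAMPLES_MAX:
        return "Highly Suspicious"      # rare and almost only seen with malware
    if a.total >= WIDE_SAMPLES_MIN:
        return "Suspicious"             # widespread and mostly seen with malware
    return None                         # middle band: left unclassified here


def is_indicator(a: Artifact) -> bool:
    return a.kind in INDICATOR_TYPES


def high_risk_indicators(artifacts: Iterable[Artifact]) -> List[Tuple[Artifact, str]]:
    """Keep only artifacts that are both high-risk and of an indicator type."""
    out = []
    for a in artifacts:
        risk = classify(a)
        if risk and is_indicator(a):
            out.append((a, risk))
    return out


def export_csv(artifacts: Iterable[Artifact]) -> str:
    """Render the export list as CSV text (column layout is assumed)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["type", "value", "risk", "malware", "benign", "grayware"])
    for a, risk in high_risk_indicators(artifacts):
        writer.writerow([a.kind, a.value, risk, a.malware, a.benign, a.grayware])
    return buf.getvalue()


# Constructed sample input (documentation addresses and names, not real detections).
SAMPLE_ARTIFACTS = [
    Artifact("ipv4", "203.0.113.45", malware=3, benign=0, grayware=0),
    Artifact("domain", "example.net", malware=950, benign=20, grayware=30),
    Artifact("url", "http://example.org/update.php", malware=4, benign=6, grayware=0),
    Artifact("mutex", "Global\\ConstructedMutex01", malware=2, benign=0, grayware=0),
    Artifact("user_agent", "Mozilla/5.0 (constructed-agent)", malware=60, benign=2, grayware=3),
    Artifact("process", "svchost.exe", malware=500, benign=450, grayware=50),
    Artifact("filename", "invoice.pdf", malware=5, benign=0, grayware=0),
]

if __name__ == "__main__":
    for a in SAMPLE_ARTIFACTS:
        print(f"{a.kind:10} {a.value:35} {classify(a)}")
    print(export_csv(SAMPLE_ARTIFACTS))
```

The process and filename entries show why the indicator-type filter matters: an artifact can be high-risk without being something a firewall list or SIEM can act on directly.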



Use AutoFocus with the Palo Alto Networks
Firewall
The following table highlights AutoFocus features that integrate with the Palo Alto Networks firewall:

Use AutoFocus threat intelligence to assess firewall artifacts.


On the firewall, open the AutoFocus Intelligence Summary for artifacts in your firewall logs to view their
pervasiveness and risk. Click on any of the artifacts in the summary window to launch an AutoFocus
search for it.

This feature is supported with firewalls running PAN-OS 7.1 or later release versions.

Use AutoFocus to search for artifacts in firewall traffic.


In AutoFocus, Set Up Remote Search to specify which artifacts to look for in your firewall logs. The
firewall web interface opens in a new window in Unified log view. The Unified log entries are filtered
based on the remote search artifacts.

This feature is supported with firewalls running PAN-OS 7.1 or later release versions.

You can use Panorama to remotely search for artifacts in firewalls that are not connected to AutoFocus
and/or are running PAN-OS 7.0 and earlier.

Use AutoFocus indicators to enforce security policy on the firewall.


Export AutoFocus Artifacts (such as IP addresses, URLs, or domains) to support a dynamic block list
(PAN-OS 7.0 or earlier) or an external dynamic list (PAN-OS 7.1 and later).
Use AutoFocus Miners with the Palo Alto Networks Firewall to support an external dynamic list (PAN-OS 8.0).



AutoFocus Portal Settings
Select Settings on the AutoFocus navigation pane to modify or enable the following settings as needed. The
settings for preferred hash, scope, and landing page are unique for each user in a support account.
Preferred Hash: Select the hash type you would like to use as the default sample or session identifier
for AutoFocus search results: SHA-1, SHA-256, or MD5.
Preferred Scope: Select the default scope of your search results: My Samples (private), Public Samples,
or All Samples (private and public samples).
Landing Page: Select the page that displays by default after logging in to the AutoFocus portal.
Share public tags anonymously: If you select this option, tags that you share publicly will not list your
organization as the tag owner in the tag details.
Remote Systems: Label and specify the address of a Palo Alto Networks firewall, Panorama, or third-party
log management system that AutoFocus can search remotely. You can add up to 500 remote systems. View
the complete workflow for how to Set Up Remote Search.
API: If you have activated an AutoFocus API key in the customer support portal, you can view your key
here. Also view the API key status, the number of license users, points usage, and total points. For more
information on the AutoFocus API, refer to the API documentation and examples.



AutoFocus Dashboard
The AutoFocus dashboard visually weights your network data alongside industry and global
data to provide both a context for your network activity and a window into threats targeting
similar organizations. Focus in on pervasive threat activity and add top artifacts directly to a
search.
After taking a First Look at the Dashboard, refer to the following topics for an overview of the
dashboard and for details on customizing and drilling down on dashboard widgets:

> Dashboard Overview
> Set the Dashboard Date Range
> Drill Down on Dashboard Widgets
> Customize the Dashboard

Dashboard Overview
Scan the AutoFocus dashboard to view and drill down on pervasive artifacts, including top malware, top
applications, and top firewalls. You can alternate dashboard views to display the threat landscape for your
organization, your industry, or globally.

As you move between the three dashboard tabs, the data displayed is updated to reflect the dashboard
context:
My Organization: View the threat landscape for your network, with the capability to drill down and
search on data for firewalls associated with the selected support account. Top firewalls are only
displayed on the organization tab and are not visible in other contexts.
My Industry: View the threat landscape across your industry. Explore and examine targeted threats or
trends affecting similar networks and organizations. Industry data is populated according to the industry
associated with the selected support account (for example, high tech or healthcare).
All: View the global threat landscape to contextualize both threats affecting your network and your
industry. The All tab includes the additional widget Target Industries that allows you to compare
malware rates across industries.

The Industry and All views display statistics for all samples (public and private) but do
not allow access to the details of private samples (unless they are private samples from
firewalls associated with your support account).
Drill Down on Dashboard Widgets for more details on a threat artifact, with the option to add the artifact to
a search, or tag the artifact as an indicator of compromise (IOC).
For an overview of each of the dashboard widgets, take a First Look at the AutoFocus Portal.



Set the Dashboard Date Range
Filter the threat data displayed on the dashboard based on a default time range, a custom time range, or a
single date.
All time stamps in AutoFocus are displayed in Pacific Time (PST/PDT).

If you don't see any malware sessions in the Malware Download Sessions histogram, there
may not have been any malware detected during the selected date range. The histogram does not
include sessions with known malware (malware that was first seen before the selected date
range).

Set the default date range.


Set the dashboard to display data for the last 7, 30, 90, or 180 days by default. You can also set the
dashboard to display all data by default, regardless of the time period that the data was collected, by
setting the time range to All time.

The dashboard default time range is applied to all dashboard views (organization, industry, and all) and
dashboard widgets immediately update to reflect the time range selected.
The default time range is also reapplied when the dashboard is refreshed.

Select a custom date range.


Adjust the Malware Download Sessions sliders to view sessions for a specific date range:

The dashboard time range is updated automatically as you adjust the sliders.

After modifying the dashboard date range using the Malware Download Sessions
histogram, you can refresh your browser at any time to reapply the default date range.

Set a single date.



Click a single bar on the Malware Download Sessions histogram to view the number of sessions with
newly-identified malware detected on that date. The dashboard widgets are then filtered to display
artifacts for that date only.
For example, this view of the dashboard shows events and artifacts only for January 15, 2014:

After modifying the dashboard date range using the Malware Download Sessions
histogram, you can refresh your browser at any time to reapply the default date range.



Drill Down on Dashboard Widgets
Use the dashboard widgets to add artifacts of interest to a search. Artifacts added to the search editor
from the dashboard are added as conditions to the existing search; they do not replace existing search
conditions (although you can continue to modify the search from the search editor).

For an overview of each of the dashboard widgets, take a First Look at the AutoFocus Portal.

View artifact details.


Hover over the Top Applications, Top Malware, Top Firewalls, and Target Industries widgets to reveal
statistics. For example, hover over a single bar on the Top Malware widget (where the bar represents
a malware sample) to view a close-up of the sample hash and the number of times the sample was
detected during the selected date range.

Add an artifact to the search editor.


Click on a single bar in the Top Applications, Top Malware, Top Firewalls, and Target Industries widgets
to jump to the search editor and perform a search using the data. For example, click on a single bar on
the Top Malware widget to search on the malware sample hash.

For details on interacting with the Top Tags widget, Vote for, Comment on, and Report Tags.

For details on interacting with the Alerts Log widget, View Alerts in AutoFocus.



Customize the Dashboard
You can customize your organization, industry, and global dashboards. Add widgets or remove them based
on your preferences, and pick the order in which they appear on the dashboard.
Dashboard settings are unique and saved for each user in a support account.

STEP 1 | Open the dashboard settings.


Click the Page Editor (1).

STEP 2 | Edit the widgets and widget placement on the dashboard.


Remove a widget.
Click X to remove a widget (2).
Removing a widget frees up a slot on the dashboard where you can add a widget.
Add a widget.
Find a blank widget slot, and click Add Widget (3). Then select a widget type.
Add a new row of widgets.
Choose an area on the dashboard where you would like to insert a new row of widgets, and click Add
Row (4). The newly added row includes two blank slots for widgets by default.
Remove a row of widgets.
On the right side of the row you want to remove, click Remove Row (5).
Change the number of widgets in a row.
Change Columns (6) in the row to show up to 4 widgets.

STEP 3 | Save your changes to the dashboard.



When you are finished making your changes, click the Page Editor.

STEP 4 | (Optional) Restore the default dashboard settings.


Click the Page Editor drop-down and Reset Page to Default.



AutoFocus Search
Start a simple search for an artifact from any page in AutoFocus, or use the AutoFocus search
editor to perform complex searches, with conditions that allow you to narrow or broaden the
scope of your search.

> Start a Quick Search
> Work with the Search Editor
> Drill Down in Search Results
> Set Up Remote Search
> Artifact Types
> Search Operators and Values
> Guidelines for Partial Searches

Start a Quick Search
Start a simple search for an artifact from any page in AutoFocus, or use the AutoFocus search editor to
perform complex searches, with conditions that allow you to narrow or broaden the scope of your search.
Toggle your view of search results to find:
The samples matched to your search conditions (Samples tab).
The sessions during which the samples were detected (Sessions tab).
The top artifacts associated with the returned samples (Statistics tab).
The threat indicators found in the returned samples (Indicators tab).
And the DNS history and PAN-DB categorization of the results (Domain, URL & IP Address Information
tab).
After performing a search, you can drill down in sample results to find artifacts seen with that sample. For
each artifact associated with a sample, AutoFocus lists the number of times the artifact has been detected
with benign, grayware, and malware samples. Artifacts that are seen disproportionately with malware are
marked as Suspicious or Highly Suspicious. AutoFocus also makes it easy to view indicators that are found
with your search results.
Start searching through samples and sessions for matches to an artifact from any page on the AutoFocus
portal.

Watch the tutorial.

STEP 1 | Click the spyglass icon in the support account area of the portal.

You can also press Alt+s to open quick search. To close quick search, click the x on the
top right corner of the search box or click anywhere on the dimmed area of the interface.

STEP 2 | Enter an artifact to search.


When an artifact is incomplete, quick search suggests a list of artifact types that it recognizes.

STEP 3 | Select the scope of the search based on the artifact type.
For example, the string ImASampleFile.pl can be a Filename, a Domain, or a URL. To search for the file
ImASampleFile.pl, select an area to search under the category Filename.



The areas to choose from vary depending on the artifact entered.
PanDB/pDNS: View PAN-DB categorization entries, WildFire active DNS history, and passive DNS
history that match the artifact.
Go to Sample Detail: (SHA256, SHA1, and MD5 artifacts only) View details about the sample, such
as its WildFire verdict (benign, grayware, or malware) and analysis information.
Search for My Samples: Search for the artifact in your organization's private samples.
Search for Public Samples: Search for the artifact in all samples that are shared to the AutoFocus
community.
Search for All Samples: Search for the artifact in private and public samples.
Search for Sessions: Search for the artifact in session information.
Show Session Stats: View statistics based on sessions that contain the artifact.

STEP 4 | View the search results in the search editor.

STEP 5 | Choose from the following options:


Work with the Search Editor to perform more complex searches.
Drill Down in Search Results to explore additional options and information related to the artifact.



Work with the Search Editor
Use the search editor to perform complex searches based on one or more artifacts. The search editor has
a range of features for customizing and executing searches. For details on navigating and using the search
results (including adding artifacts to your search as you go), Drill Down in Search Results.

Open the search editor.

Select Search on the navigation pane and add criteria directly to the search editor:
Begin a new search.
Use a saved search.
Import a search.
Click on an artifact highlighted on the dashboard. The search editor displays with the artifact listed as
a search condition.

Begin a new search.

To create a search condition, choose the type of artifact you want to find and define the scope and
value:
1. Select one of the Artifact Types from the drop-down to perform a search of global threat data based
on that artifact type.

Start typing the name of the artifact type to narrow down the list of options.

2. Select an operator for the search condition.


The operator determines the scope of search results; you can use the operator to limit or expand
potential results, or to return exact match results. Search Operators and Values vary depending on
the type of artifact you select.



You can use the operator to create negative search conditions. Use negative
operators such as is not or is not in the list to return more granular search results
that exclude samples or sessions that match the negative condition.
3. Enter or select a value to define the search condition. Depending on the artifact type and operator
selected, you may be able to choose from predefined values, or you might be required to enter an
exact value to perform the search.
Learn more about Search Operators and Values.

If you are attempting to select a value from a pre-populated drop-down, and the drop-
down appears to be loading for a long period of time, try clearing your browser cache.

Add more search conditions.


Add conditions to your search.
You can add up to 300 search conditions to a single search.

Remove conditions from your search.

Narrow or broaden your search.

Match results to all or any of the defined search conditions:


Narrow search results by selecting All. Search results are only returned for samples that match all
conditions.



Broaden search results by selecting Any. Search results are returned for samples that match one or
more conditions.

Add a child query.

A child query is a condition or a set of conditions nested within and used to qualify a parent query. A
child query is evaluated only against the parent query to which it is added. Add a child query to return
more granular search results, where the results must match both the parent query and the child query.
The example search below shows a child query added to the Email Subject condition. Search results will
be returned for samples where the following is true:
The sample was first seen before March 13, 2015.
The email subject for the sample file contained the word test and received a WildFire verdict of
either malware or grayware.

You can only add up to 4 levels of child queries nested under parent queries.

Add a parent query.

Click Add Parent Query to nest a search condition under the preceding condition. AutoFocus then only
evaluates the nested search condition against the parent condition.



In the example below, click Add Parent Query to nest the First Seen condition under the WildFire
Verdict condition. Search results will be returned for samples where any of the following conditions is
true:
The sample received a WildFire verdict of malware and was first seen before July 1, 2016.
The sample is an Adobe Flash file.
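The two examples above compose conditions with All/Any and a nested child query. As an added example (not AutoFocus code), the following Python models those semantics, including the limits of 4 nesting levels and 300 conditions and the effect of a disabled condition, and evaluates both example searches against constructed sample records; the field names such as create_date, the operator names and the sample values are assumptions, not the AutoFocus API schema.

```python
"""Added example (not AutoFocus code): evaluating nested search conditions
against constructed sample records. Field names, operator names and sample
values are assumptions for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Any, Callable, Optional

MAX_NESTING = 4        # the guide allows up to 4 levels of child queries
MAX_CONDITIONS = 300   # and up to 300 conditions per search


def _present(fn: Callable[[Any, Any], bool]) -> Callable[[Any, Any], bool]:
    """Positive operators never match a sample that lacks the field."""
    return lambda actual, wanted: actual is not None and fn(actual, wanted)


OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    "is": _present(lambda a, w: a == w),
    "is not": lambda a, w: a != w,                    # negative: a missing field also counts as "not"
    "contains": _present(lambda a, w: w in str(a)),
    "is in the list": _present(lambda a, w: a in w),
    "is not in the list": lambda a, w: a not in w,
    "is before": _present(lambda a, w: a < w),
    "is after": _present(lambda a, w: a > w),
}


@dataclass
class Condition:
    field_name: str
    operator: str
    value: Any
    child: Optional[Query] = None   # child query that qualifies this condition
    enabled: bool = True            # a disabled condition is skipped, not removed


@dataclass
class Query:
    mode: str                       # "all" (match every condition) or "any" (match at least one)
    conditions: list[Condition] = field(default_factory=list)


def count_conditions(q: Query) -> int:
    return sum(1 + (count_conditions(c.child) if c.child else 0) for c in q.conditions)


def nesting_levels(q: Query) -> int:
    """Levels of child queries below q (0 when nothing is nested)."""
    return max((1 + nesting_levels(c.child) for c in q.conditions if c.child), default=0)


def _condition_matches(c: Condition, sample: dict) -> bool:
    if not OPERATORS[c.operator](sample.get(c.field_name), c.value):
        return False
    # A child query is evaluated only against samples that already match its parent condition.
    return c.child is None or matches(c.child, sample)


def matches(q: Query, sample: dict) -> bool:
    active = [c for c in q.conditions if c.enabled]
    combine = all if q.mode == "all" else any   # all([]) is True, any([]) is False
    return combine(_condition_matches(c, sample) for c in active)


def search(q: Query, samples: list) -> list:
    """Return the SHA256 of every sample matching q, after checking the search limits."""
    if nesting_levels(q) > MAX_NESTING:
        raise ValueError(f"at most {MAX_NESTING} levels of child queries are allowed")
    if count_conditions(q) > MAX_CONDITIONS:
        raise ValueError(f"at most {MAX_CONDITIONS} conditions are allowed")
    return [s["sha256"] for s in samples if matches(q, s)]


# Constructed sample records (the sha256 values are labels, not real hashes).
SAMPLES = [
    {"sha256": "constructed-1", "create_date": date(2015, 1, 10), "email_subject": "test report", "verdict": "malware", "file_type": "PE"},
    {"sha256": "constructed-2", "create_date": date(2015, 2, 1), "email_subject": "test", "verdict": "benign", "file_type": "PE"},
    {"sha256": "constructed-3", "create_date": date(2016, 2, 1), "email_subject": "test invoice", "verdict": "grayware", "file_type": "PDF"},
    {"sha256": "constructed-4", "create_date": date(2016, 9, 1), "verdict": "benign", "file_type": "Adobe Flash"},
    {"sha256": "constructed-5", "create_date": date(2016, 5, 1), "verdict": "malware", "file_type": "PE"},
]

# Child-query example: first seen before March 13, 2015, and subject contains "test"
# qualified by a child query requiring a malware or grayware verdict.
CHILD_QUERY_EXAMPLE = Query("all", [
    Condition("create_date", "is before", date(2015, 3, 13)),
    Condition("email_subject", "contains", "test",
              child=Query("all", [Condition("verdict", "is in the list", ["malware", "grayware"])])),
])

# Parent-query example: any of (malware verdict nested with first seen before July 1, 2016) or Adobe Flash file.
PARENT_QUERY_EXAMPLE = Query("any", [
    Condition("verdict", "is", "malware",
              child=Query("all", [Condition("create_date", "is before", date(2016, 7, 1))])),
    Condition("file_type", "is", "Adobe Flash"),
])


def nested_query(levels: int) -> Query:
    """Build a chain of `levels` child queries to exercise the nesting limit."""
    q = Query("all", [Condition("verdict", "is", "malware")])
    for _ in range(levels):
        q = Query("all", [Condition("verdict", "is", "malware", child=q)])
    return q


if __name__ == "__main__":
    print("child query example:", search(CHILD_QUERY_EXAMPLE, SAMPLES))
    print("parent query example:", search(PARENT_QUERY_EXAMPLE, SAMPLES))
```

Note the asymmetry built into the operators: a positive operator such as "is before" never matches a sample that lacks the field, while a negative operator such as "is not" does, which is what makes negative conditions useful for excluding only samples known to carry a value.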

Adjust search condition placement.

Move Up or Move Down search conditions to move conditions to or from a child query. Depending on
the placement of a condition, you can move it up or down to include it in a child query. You can also
move a condition up or down to remove it from a child query so that it is no longer a nested condition.

Disable a search condition.

Disable a condition to temporarily remove it from a search. This option provides the flexibility to
temporarily adjust your search parameters, and then quickly and easily add the condition back to your
search if necessary.
Disabled search conditions are grayed out:



To enable a search condition that was previously disabled, select the ellipsis icon for that condition and
select Enable:

Start a new search from your current search.

Start a New Search for any of the search conditions of an existing search. The new search launches in a
separate browser window.

Add a search condition to a remote search.

This is one way to add search conditions that define which artifacts to find remotely in a Palo Alto
Networks next-generation firewall, Panorama, or third-party log management system when you Set Up
Remote Search.
This option is only available for SHA256 hash, IP address, user agent, filename, or URL search conditions.

Add recent or frequently-used conditions to a search.

Select the Show Search History icon and add Recently used or Most used search conditions to your
search.



Save a search.

Save searches that you might be performing on a regular basis, or to quickly recreate useful search
settings:
Click the Save Search icon, enter a name and description to identify the saved search when using it later,
and save the search.

Use a saved search.

Open Saved Search to view an alphabetical list of previously saved searches, and click the spyglass icon
to add a saved search to the search editor.

Tag a search.

Click Tag Results to create a tag based on search conditions. Tags can be used to define a set of
conditions that indicate an important network event or a possible or known threat.
Tag a search so you can easily identify and track any existing or future samples that match the search.
When you Create a Tag, give the tag a recognizable name and description. Select Tags on the navigation
pane to manage tags you have created and to view all tags.

Export a search.

You can export a search to share the search between support accounts or with another AutoFocus
security expert.
After setting up a search and viewing search results, select Export Search.
Copy the search filters.
Paste the search filters into a local file or send the filters to another user.



Import a search.

Click Import Search to paste and import a previously exported query or a query shared by another
AutoFocus security expert.

Start a remote search.

Start a Remote Search to look for artifacts in a Palo Alto Networks firewall, Panorama, or third-party log
management system. View more details on how to Set Up Remote Search.

This feature is supported with firewalls running PAN-OS 7.1 or later release versions.

Create a MineMeld miner based on the search.

When the MineMeld app is running, Create MineMeld Miner to send artifacts from the sample search
results to MineMeld (refer to Forward AutoFocus Indicators to MineMeld).

View the API request for a sample or session search.

Click the >_API link in the Samples or Sessions tab of the search editor to view the API request for
initiating the current search. The API request is shown as a cURL command and as Python code (see more
information about using the AutoFocus API to perform a search).

Choose from the following next steps:


Click Search to view samples matched to your search conditions. Select the Samples, Sessions,
Statistics, and Domain, URL & IP Address Information tabs to Drill Down in Search Results.
Assess AutoFocus Artifacts found in your search.
Export AutoFocus Artifacts found in your search.



Drill Down in Search Results
An AutoFocus search returns all matching samples and their corresponding sessions (Start a Quick Search
or Work with the Search Editor to set up a search). After searching, a progress bar displays as the search
is processing the complete set of results. You can check the cumulative number of samples that meet the
search conditions when the search progress is complete. You can also change the scope of your search from
My Samples (samples found in your network only) to Public Samples or All Samples:

The Samples, Sessions, Statistics, Indicators, and Domain, URL & IP Address Information tabs display search
results in different contexts. You can drill down in the results to find correlation among artifacts, to narrow
your search by adding artifacts to the search as you go, and to Export AutoFocus Artifacts that are high-risk.
See the following topics for details on the different search results views:
Samples
Sessions
Statistics
Indicators
Domain, URL, and IP Address Information

Samples
The Samples tab in the AutoFocus search editor displays all samples that match the conditions of the
search. Click the column headers for the sample details to sort samples in ascending (up arrow) or
descending (down arrow) order. By default, the most recently detected samples are displayed. You can
choose to view only My Samples, only Public Samples, or All Samples. All Samples includes both public
and private samples; however, private samples submitted by firewalls or sample sources other than those
associated with your support account display with an obfuscated hash.

Set a default scope for search results to choose which samples are displayed immediately
when you launch a search. Navigate to the AutoFocus portal Settings and select a
Preferred Scope. You must click Save changes to save the new default scope.

To examine Sample Details, click the sample hash:



Sample Details

File Analysis: Lists the sample details and properties. The nested WildFire Dynamic Analysis section
describes the sample's observed behavior and lists each activity the sample performed when executed in
the WildFire analysis environment. You can view sample details that WildFire detected in environments
running different operating systems.
Select a method of viewing the WildFire dynamic analysis of the sample:
Sections: Groups sample activities by activity type. This view displays by default when you open the
file analysis of a sample.
Sequence: Lists sample activities based on the order in which they occurred in the WildFire analysis
environment.
Tree: For any main parent processes that occurred when the sample executed in the WildFire analysis
environment, the child processes and activities that they spawned are grouped under them. The
processes are indented to display the visual hierarchy of parent and child processes. Click the minus
sign ( - ) next to a parent process to hide the child processes under it; click the plus sign ( + ) to
display them.
In Sequence and Tree view, you can see the activities that occurred in the operating system kernel
space and user space:
Kernel Space: The kernel is the core of the operating system; the kernel space is a memory area where
the kernel runs operating system processes and manages other processes.
User Space: User space is the memory area outside of the operating system kernel, where applications
and other user processes are executed.
As you drill down in the WildFire Dynamic Analysis details for a sample, high-risk artifacts associated
with the sample are marked for easy identification and you can add Observed Behavior evidence and
Activity Artifacts to a new or existing search.

Sample Tags: Lists the tags the sample is associated with, and you can also add a new tag. (For details
on tags and how tagging works, see AutoFocus Tags.)
Hover over a tag to view more tag information in a popup. You can click on the linked tag name to Vote
for, Comment on, and Report Tags.
If a sample has Threat Indicators that match indicators forwarded to AutoFocus from MineMeld, an
indicator tag specifies the number of matching indicators. Click on the indicator tag to view the
matching indicators.

Sample Visibility: Make a sample Public to share the sample with other AutoFocus security experts. You
can also revert the status of the sample to Private at any time.

Network Sessions: Lists all sessions during which samples with the same SHA256 hash were detected. The
sessions displayed are all WildFire sessions submitted from your Palo Alto Networks firewall or another
Upload Source associated with your support account. Select a single session for session details. Click
the File Analysis tab to navigate back to the sample details.

Signature Coverage: Lists the WildFire signatures that match the sample. Check signature coverage to
assess the level of protection in place against malware. Depending on the sample, all or some of the
following signature types provide coverage:
WildFire AV Signatures identify malicious files. Examples of malware for which antivirus signatures
provide protection include viruses, trojans, worms, and spyware downloads. To find other samples that
are covered by the same signature, set up a search for Threat Name > is and enter the Signature Name
as the search value.
C2 Domain Signatures identify malicious domains that the sample attempted to resolve when executed in
the WildFire analysis environment.
Download Domain Signatures identify domains that host malware (and from which the sample was
downloaded).
For each of these signature types, the date that WildFire created the signature is listed. You can
toggle between daily, 15 minute, and 5 minute content updates to see the versions that included the
signature. The first content version that included the signature is listed, as well as the last content
version to include an update to the signature. The table also indicates whether a signature is included
in the most current content version.
URLs the sample visited when executed in the WildFire analysis environment might also be listed,
including the PAN-DB categorization for each URL.

Indicators: Lists Threat Indicators that AutoFocus detected in the sample's WildFire analysis details.
The list consists of only artifacts that AutoFocus considers indicators based on the tendency of the
artifact to be seen predominantly in malware samples. AutoFocus uses a statistical algorithm to
determine which artifacts are indicators.

Observed Behavior: Expand the Observed Behavior section to find the total number of activities that are
Evidence of a specific behavior. Each behavior has an associated risk level, and you can expand a single
behavior to see the matching sample activities. For each activity listed, the Type column indicates the
activity category and the Value column includes activity artifacts that you can then add to a search.

Activity Artifacts: Expand an activity section to see all of the sample activities that fall under it.
For each activity artifact, the total number of times the artifact has been found with benign,
grayware, and malware samples is listed.
Depending on the artifact, you can:
Add an artifact to your existing search
Add an artifact to an export list
Start a new search for the artifact in a separate browser window
View more information about domain and URL artifacts
If an artifact is evidence of an observed behavior, the behavior risk level is indicated with an icon: a
gray icon indicates a low-risk behavior, a yellow icon indicates a medium-risk behavior, and a red icon
indicates the artifact is evidence of a critical, high-risk behavior.
Based on the sample artifacts, AutoFocus highlights high-risk indicators as Suspicious or Highly
Suspicious. Sample indicators that match indicators forwarded to AutoFocus from MineMeld are
highlighted with an indicator icon. (Learn more about how to Manage Threat Indicators.)
See Artifact Types for a detailed and expanded description of the WildFire analysis sections and the
artifacts they contain.

Next Steps...: Assess AutoFocus Artifacts found in your search.
Export AutoFocus Artifacts found in your search.

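To show how the Sections, Sequence and Tree views in the File Analysis row above are three groupings of the same dynamic-analysis record, here is an added Python example (not AutoFocus or WildFire code) over a constructed activity log; the Activity layout, the process names and the artifact values are assumptions for illustration, and the log is deliberately stored out of order so that each view has to be derived rather than replayed.

```python
"""Added example (not AutoFocus code): Sections, Sequence and Tree views of a
constructed dynamic-analysis activity log. Record layout and values are
assumptions for illustration."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Activity:
    seq: int             # position in the original recording
    pid: int             # process that performed the activity
    ppid: Optional[int]  # parent process id; None for the sample's own process
    process: str         # image name of the acting process
    space: str           # "kernel" or "user"
    kind: str            # activity type: "process", "file", "registry", "mutex", "dns"
    value: str           # the activity artifact


# Constructed log (placeholder values, not real indicators), stored out of order on purpose.
ACTIVITIES = [
    Activity(3, 200, 100, "cmd.exe", "user", "process", "start cmd.exe"),
    Activity(1, 100, None, "sample.exe", "user", "process", "start sample.exe"),
    Activity(2, 100, None, "sample.exe", "user", "file", "create %TEMP%\\dropper.tmp"),
    Activity(4, 200, 100, "cmd.exe", "user", "registry",
             "set HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"),
    Activity(5, 100, None, "sample.exe", "kernel", "mutex", "create Global\\placeholder-mutex"),
    Activity(6, 300, 200, "powershell.exe", "user", "process", "start powershell.exe"),
    Activity(7, 300, 200, "powershell.exe", "user", "dns", "query c2.example"),
]


def sections_view(acts) -> dict:
    """Sections view: artifacts grouped by activity type, each group in time order."""
    groups = defaultdict(list)
    for a in sorted(acts, key=lambda a: a.seq):
        groups[a.kind].append(a.value)
    return dict(groups)


def sequence_view(acts) -> list:
    """Sequence view: one line per activity in the order it occurred, tagged with its space."""
    return [f"{a.seq} [{a.space}] {a.process}: {a.kind} {a.value}"
            for a in sorted(acts, key=lambda a: a.seq)]


def tree_view(acts) -> list:
    """Tree view: activities and child processes indented under the process that spawned them."""
    by_time = sorted(acts, key=lambda a: a.seq)
    name, parent = {}, {}
    children = defaultdict(list)   # ppid -> child pids in spawn order
    own = defaultdict(list)        # pid -> its non-process activities
    for a in by_time:
        if a.pid not in name:      # first sighting of a pid registers the process
            name[a.pid] = a.process
            parent[a.pid] = a.ppid
            children[a.ppid].append(a.pid)
        if a.kind != "process":    # the spawn itself is rendered as the tree node
            own[a.pid].append(a)

    lines = []

    def walk(pid: int, depth: int) -> None:
        indent = "  " * depth
        lines.append(f"{indent}{name[pid]} (pid {pid})")
        for a in own[pid]:
            lines.append(f"{indent}  [{a.space}] {a.kind}: {a.value}")
        for child in children[pid]:
            walk(child, depth + 1)

    # Roots: the sample's own process, plus any process whose parent was never recorded
    # (a log that starts mid-way would otherwise lose those activities).
    for pid in name:
        if parent[pid] is None or parent[pid] not in name:
            walk(pid, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(tree_view(ACTIVITIES)))
```

The kernel-space mutex creation stays attached to sample.exe in the tree and appears in its own Sections group, while the registry Run key write is shown under cmd.exe, the process that actually performed it; that attribution is what makes the Tree view useful when deciding which process in a chain to investigate.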
Sessions
The Sessions tab displays all Sessions associated with samples from your network. Click the column headers
to sort sessions in ascending (up arrow) or descending (down arrow) order.



Session Details

After performing an AutoFocus Search, select Sessions and select a single session to drill down for
session details:

Display sessions based on the Upload Source. Add the search condition Upload
Source > is to your current search and choose a session source. In the example above,
the sessions search results have the Upload Source Traps, which means that they are
sessions associated with samples submitted to WildFire through Traps.

Session details include a Session Summary, from which you can add artifacts to
your existing search or launch a new search for an artifact in a separate browser
window.

The File Analysis tab displays artifacts that WildFire found in the sample
detected during the session (see Sample Details for information on the File
Analysis tab).

Session details also include a list of Related Sessions, which are other sessions
during which the same sample was detected.

Next Steps... View the associated Samples, Statistics, and Domain, URL, and IP Address
Information.
Assess AutoFocus Artifacts found in your search.
Export AutoFocus Artifacts found in your search.

Statistics
The Statistics tab collects and visually weights the top artifacts associated with samples matched to your
search. You can perform specific searches by clicking on any of the individual artifacts under the Statistics
tab.

The Statistics tab does not display the same statistics as the AutoFocus Dashboard on
page 23. While the dashboard displays an overall picture of the threat landscape in different
contexts (organization-wide, industry-wide, or global), the Statistics tab displays information
that has been filtered based on the current search.



Sample Statistics

After performing an AutoFocus Search on page 31, select Statistics:

View statistics on artifacts associated with My Samples, Public Samples, or All


Samples.

Click on an artifact in the Top Applications, Top Malware, Top Firewalls, and
Target Industries widgets to add it to your search; the Statistics tab widgets are
filtered based on the added search condition(s).

Click ( ) to view the API request to retrieve the artifact data displayed in a
widget. The API request is formatted in cURL and Python.

AUTOFOCUS ADMINISTRATORS GUIDE | AutoFocus Search 49


Sample Statistics

Example:
To view only samples that are distributed through web pages, click the web-browsing bar on the Top
Applications widget. Web-browsing is added as a search condition and the widgets, including the Top
Countries malware map, are updated to reflect the new web-browsing filter:

Next Steps...
View associated Samples on page 42, Sessions on page 47, and Domain, URL, and IP Address Information on page 51.
Assess AutoFocus Artifacts on page 109 found in your search.
Export AutoFocus Artifacts on page 123 found in your search.

Indicators
The Indicators tab is a summary of Threat Indicators that AutoFocus found in the samples returned as
search results. Not all sample artifacts are indicators; the Indicators tab only lists artifacts that AutoFocus
has determined to be indicators through a statistical algorithm based on the tendency of the artifact to be
seen predominantly in malware samples.

Indicators List Details

The Indicators tab only displays indicators drawn from the page of sample
search results that you are currently viewing. For example, if your search
returns 5 pages of search results and you are viewing the second page, the
Indicators tab will only display indicators from that second page of samples.
AutoFocus also filters the indicators by the scope you have selected for
viewing the sample search results (view only My Samples, Public Samples, or
All Samples).

AutoFocus groups the indicators by type:

Domain
IPv4
Mutex
URL
User agent

For each indicator, you can view the number of global malware, grayware, and benign samples in which it was detected. AutoFocus highlights indicators that are Suspicious or Highly Suspicious.
Indicators matching those forwarded to AutoFocus through MineMeld are marked with an indicator tag that specifies the number of matching indicators. Click on the indicator tag to view the full list of matches.

Each indicator lists the SHA256 hash of the sample(s) in which it was
detected. Click on a hash to view sample details.

Domain, URL, and IP Address Information

When searching for a domain, URL, or IP address artifact, the Domain, URL & IP Address Information tab displays information about the artifact from PAN-DB, the global URL database that Palo Alto Networks uses for its URL filtering service. The tab also provides logs of DNS activity from all samples analyzed with WildFire and passive DNS history where AutoFocus detected instances of the artifact. This information can help you assess whether a specific domain, URL, or IP address is associated with suspicious behavior.

Domain, URL, and IP Address Details

PAN-DB Categorization: View URLs associated with the domain, URL, or IP address through PAN-DB and the PAN-DB category for each URL.

WildFire DNS History: View a log of domain to IP address mappings based on all samples that launched a request to connect to a domain during WildFire Analysis.

Passive DNS History: View a passive history of domain to IP address mappings that contain matches to the artifact you searched for.

STEP 1 | Find domain, URL, and IP address information for an artifact.

Find information for a specific domain, URL, or IP address:
1. Work with the Search Editor to set up a search with the following types of artifacts: Domain, URL, IP Address, DNS Activity, or APK Embedded URL.
2. Click the target icon or expand the search result listed under the Domain, URL & IP Address Information tab.

Find information from the file analysis details for a sample:
1. Begin a new search.
2. Click a sample hash to view sample details.
3. View the full DNS Activity details for the sample.
4. Click the drop-down for any domains, URLs, or IP addresses, and select Domain and URL info...

See Assess AutoFocus Artifacts for details on drilling down in the file analysis details for a sample.

STEP 2 | Review the Domain, URL, and IP Address Details for the artifact.
Find matches to the artifact in the Request and Response columns.

STEP 3 | Choose from the following next steps.

View associated Samples, Sessions, and Statistics.
Assess AutoFocus Artifacts found in your search.
Export AutoFocus Artifacts found in your search.

Set Up Remote Search
Remote search enables you to use AutoFocus to find suspicious IP addresses, SHA256 hashes, URLs, user
agents, and filenames in a specific Palo Alto Networks firewall or a set of Panorama-managed firewalls.
AutoFocus looks for matches to the suspicious artifacts in the firewall log entries. When you launch a
remote search, the firewall or Panorama web interface opens in a new window and displays the search
results in Unified log view.

The remote search feature is supported with firewalls running PAN-OS 7.1 or later release
versions.

AutoFocus also now supports the ability to integrate with third-party log management systems. When
you configure your custom system to work with AutoFocus remote search, you can filter log or event
repositories with AutoFocus search conditions.

STEP 1 | Log in to the firewall or Panorama you want to search with your administrator username and
password.

STEP 2 | Configure the settings of the remote system.

Allow HTTP or HTTPS service on the management interface of your firewall or Panorama. Select the service that matches the address of the remote system you want to search.

STEP 3 | Add a remote system to search with AutoFocus.

1. Select Settings on the navigation pane.
2. Add new remote systems.
3. Enter a descriptive Name for the remote system.
4. Select a System Type:
   1. Select PanOS to add a firewall or Panorama.
   2. Select Custom to add a custom system that has been configured to integrate with AutoFocus remote search.
5. Enter the IP Address or URL of the remote system.
6. Click Save changes.
7. Click Save changes on the Settings page to finish adding the remote system. You can add up to 500 remote systems.

STEP 4 | Add conditions to a remote search:

Add an artifact from a search result.
1. Perform a search, and view Sample Details.
2. Add any SHA256 hash, IP address, user agent, filename, or URL contained in a sample to a remote search. For example, add a sample hash, or add a domain.
3. Click Remote Search to verify that the artifact was added.

Add a search condition to a remote search.
Click Remote Search to verify that the search condition was added.

Create a condition to add to a remote search.
1. On the search editor, click Remote Search.
2. Add IP addresses, URLs, user agents, SHA256 hashes, or filenames to the remote search.

STEP 5 | (For Panorama Device Group and Template Administrators Only) For Panorama Device Group
and Template administrators (not superusers), an AutoFocus remote search targeted to
Panorama returns results based on the current Panorama Access Domain setting. Panorama
administrators with role-based access control must first open the Panorama web interface,
select Monitor > Logs and set the Access Domain for which to view search results. Return to
the AutoFocus portal to execute your remote search.

STEP 6 | Start a remote search.

1. Click Remote Search.
2. Review the list of search conditions that you added in Step 4 (Add conditions to a remote search). Add or remove conditions as needed.
3. Set the remote search to find Any or All of the artifacts on the targeted system.
4. Select one or more Remote systems to search.
5. Click Search.

STEP 7 | View the search results.

If no browser tabs open when you launch remote search, change the settings on your
browser to allow pop-ups from AutoFocus.

A new browser tab opens for each remote system.

Search results for a firewall or a Panorama are displayed in Unified log view. The list consists of all log entries that contain the artifacts specified in the remote search.
Panorama search results include log entries from managed firewalls that are not connected to AutoFocus and/or are running PAN-OS 7.0 or earlier.
Each custom system opens in a new tab, with the URL formatted to include the conditions specified in the remote search.

The maximum length for the URL generated through remote search is 1,024
characters. Performing a remote search with multiple search conditions may create a
URL that exceeds the character limit. As a best practice, check which conditions were
added to the URL after launching a search.

STEP 8 | Learn more about working with Unified logs on the firewall.
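The 1,024-character cap on the generated URL (Step 7) means a remote search with many conditions can reach a custom system with some conditions missing. The following Python is an added example, not AutoFocus code, that shows how to build such a URL, stop at the limit, and parse the conditions back out of the URL as the post-launch check the guide recommends. The query layout (a `match` parameter plus one `q=<type>:<value>` parameter per condition), the host `logs.example.invalid`, and all condition values are assumptions constructed for illustration; the real layout is whatever your custom system was integrated to accept.

```python
"""Build a remote-search URL for a custom log system and check what fits.

Added example, not AutoFocus code. The query layout (a `match` parameter
plus one `q=<type>:<value>` parameter per condition) and the host name are
assumptions for illustration; the 1,024-character limit is the one the
AutoFocus guide states for generated remote-search URLs.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit

MAX_URL_LEN = 1024  # limit stated in the guide for generated remote-search URLs
ASSUMED_BASE_URL = "https://logs.example.invalid/search"  # hypothetical custom system


def build_remote_search_url(base_url, conditions, match="any"):
    """Return (url, included, dropped).

    conditions: list of (artifact_type, value) tuples in the order they were
    added to the remote search. Conditions are appended until the next one
    would push the URL over MAX_URL_LEN; that one and every later condition
    are returned in `dropped`, so the analyst knows what the remote system
    never received.
    """
    params = [("match", match)]
    url = f"{base_url}?{urlencode(params)}"
    included = []
    for i, (atype, value) in enumerate(conditions):
        candidate_params = params + [("q", f"{atype}:{value}")]
        candidate = f"{base_url}?{urlencode(candidate_params)}"
        if len(candidate) > MAX_URL_LEN:
            return url, included, list(conditions[i:])
        params, url = candidate_params, candidate
        included.append((atype, value))
    return url, included, []


def conditions_in_url(url):
    """Parse the conditions back out of a generated URL.

    This is the "check which conditions were added to the URL" step from the
    guide, done programmatically instead of by eye.
    """
    query = urlsplit(url).query
    return [tuple(v.split(":", 1)) for k, v in parse_qsl(query) if k == "q"]


# Constructed conditions (placeholder values, not real indicators).
SAMPLE_CONDITIONS = [
    ("sha256", "0" * 63 + "1"),
    ("ip", "198.51.100.23"),
    ("user_agent", "Mozilla/4.0 (compatible; MSIE 6.0)"),
    ("filename", "invoice.exe"),
    ("url", "http://malicious.example.invalid/dl/a.exe"),
]

# Twenty placeholder SHA256 values: enough to overrun the 1,024-character limit.
MANY_HASHES = [("sha256", format(i, "x").rjust(64, "0")) for i in range(20)]

if __name__ == "__main__":
    url, included, dropped = build_remote_search_url(ASSUMED_BASE_URL, MANY_HASHES)
    print(f"{len(url)} chars, {len(included)} conditions sent, {len(dropped)} dropped")
    for atype, value in dropped:
        print("not sent:", atype, value)
```

Running the block with the twenty constructed hashes shows twelve conditions fitting within the limit and eight dropped; a search built from `SAMPLE_CONDITIONS` fits comfortably and parses back to the same list.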

Artifact Types
WildFire detects properties, activities, and behaviors when it analyzes samples during static and dynamic
analysis. WildFire forwards this information to AutoFocus, as well as the properties of sessions associated
with the samples. In AutoFocus, these pieces of information are referred to as Artifacts. WildFire detects
some artifacts in samples only, in sessions only, or in both samples and sessions (general artifacts). Other
artifacts are specific to a particular operating system (Windows, Mac, or Android).
You can use the different types of artifacts with Search Operators and Values to find Samples and Sessions.

General Artifacts
Sample Artifacts
Session Artifacts
Analysis Artifacts
Windows Artifacts
Mac Artifacts
Android Artifacts

General Artifacts
General artifacts are artifacts that WildFire associates with both samples and sessions. For example, you can
use the artifact type Domain to search based on domains found in samples and sessions.
Some general artifacts are tag-related. If you search with a tag-related artifact, the search results display all
samples that have one or more tags that meet the search criteria, and their related sessions.
The following general artifact types refer to private session information: Domain, Email Address, Filename,
IP Address, and URL. If any of your private tags use these artifact types as tag conditions, you cannot make
these tags public.

Artifact Type: Search with this Artifact Type to Find...

Domain: A domain detected in the DNS Activity or HTTP Activity of a sample, or the File URL.

Email Address: An Email Recipient Address or Email Sender Address.

Filename: The File Name of the sample or a filename that AutoFocus found in the File Activity of a sample.

Hash: The sample's MD5, SHA1, or SHA256 hash. The search results also include samples in which AutoFocus found the hash in the File Activity of the sample.

IP Address: A File URL, Source IP, or Destination IP in a session, or an IP address detected in the Connection Activity, DNS Activity, or HTTP Activity of a sample.

Tag: Samples with a specific tag.

Tag Alias: Samples filtered by Tag Alias.

Tag Class: Samples filtered by Tag Class: a malware family, a campaign, an actor, an exploit, or a type of malicious behavior.

Tag Scope: Samples filtered by Tag Scope: private, public, Unit 42 (alerting), or Unit 42 informational (non-alerting).

Tag Source: Samples with tags that are attributed to a particular Tag Source.

Threat Name: Samples that match a particular threat signature.

URL: A File URL or a URL detected in the HTTP Activity of a sample.

User Agent: A user agent header detected in the HTTP Activity or User Agent Fragments of a sample. The user agent header indicates your browser type and version and your operating system and version. During a session, your browser sends this information to the site you are visiting to determine the best way to deliver the information you requested. Examples of user agent strings include Mozilla/4.0 and Windows NT 6.1.

Sample Artifacts
Sample artifacts are artifacts that WildFire associates with samples only. You can find the following artifact
types when you view Sample Details, in the File Analysis details of a sample.

Artifact Type: Search with this Artifact Type to Find...

Digital Signer: The digital signature that identifies the sender of the sample.

File Type: The file type of the sample. Examples include Email Link, Adobe Flash File, and PDF.

File Size: The size of the sample in bytes.

Finish Date: The date and time when WildFire analysis of the sample completed and the sample received a WildFire verdict.

First Seen: The date and time that the sample was first forwarded or uploaded to WildFire.

Import Table Hash: An import hash, or imphash, is a hash based on the order that API functions are listed in the import table of a Portable Executable (PE). Imphashes can be used to identify similar samples that might belong to the same malware family. Imphashes are listed for malware and grayware samples only (not benign samples).

Last Updated: The date and time when WildFire changed the verdict for a sample.

MD5: The sample's unique cryptographic hash generated using the MD5 message-digest algorithm.

Region: Every WildFire cloud (global or regional) to which a sample was submitted for analysis. The sample details list all of the WildFire clouds to which firewalls submitted the sample (different firewalls can submit the same sample to different WildFire clouds).
US: WildFire global cloud
EU: WildFire EU cloud
JP: WildFire Japan cloud
SG: WildFire Singapore cloud
To find samples that have been submitted to only a single WildFire cloud (and no other WildFire clouds), set up a search for a WildFire cloud. Then, add search conditions excluding samples submitted to the other WildFire clouds from the search results. For example, to search for samples that users submitted to the WildFire global cloud only, search with the condition Region > is > US combined with the condition Region > is not for each of the other WildFire clouds.

SHA1: The sample's unique cryptographic hash generated using the Secure Hash Algorithm 1.

SHA256: The sample's unique cryptographic hash generated using Secure Hash Algorithm 256.

Ssdeep Fuzzy Hash: The fuzzy hash (generated by the ssdeep program) associated with the sample. The ssdeep program generates an ssdeep hash value, or a fuzzy hash, for a sample which can be used to identify samples that are very similar but not exactly alike. The ssdeep program allows you to compare sample fuzzy hashes to produce a percentage that indicates how closely the samples match. In ssdeep, a high percentage indicates a high number of similarities between the samples. In AutoFocus, fuzzy hashes are listed for malware and grayware samples only (not benign samples).

WildFire Verdict: WildFire assigns a verdict of Malware, Grayware, or Benign to the sample based on properties, behaviors, and activities observed for the file or email link during static and dynamic analysis.
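The Import Table Hash entry above describes what an imphash is but not how one is derived. The following Python is an added example, not AutoFocus or WildFire code, showing the widely used pefile/Mandiant convention for computing an imphash from a PE's import table and how matching imphashes group samples for family triage. The import lists are constructed; the names `import_string`, `imphash` and `cluster_by_imphash` are this example's own.

```python
"""Compute and compare import hashes (imphash) for PE samples.

Added example, not AutoFocus or WildFire code. It follows the pefile/Mandiant
convention: for each imported function, in import-table order, take
"<dll without .dll/.ocx/.sys>.<function>" in lowercase, join the entries with
commas and MD5 the result. Imports by ordinal become "ordNN"; pefile also maps
well-known ordinals of oleaut32 and ws2_32 back to names, which is left out
here, so ordinal imports from those two DLLs would hash differently than in
pefile. The import lists below are constructed.
"""
import hashlib

STRIPPED_EXTENSIONS = (".dll", ".ocx", ".sys")


def import_string(imports):
    """Canonical import string; imports = [(dll, function_name_or_ordinal), ...]."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in STRIPPED_EXTENSIONS:
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports):
    """MD5 over the canonical import string, as a 32-character hex digest."""
    return hashlib.md5(import_string(imports).encode("utf-8")).hexdigest()


def cluster_by_imphash(samples):
    """Group sample names that share an imphash: {imphash: [names...]}."""
    clusters = {}
    for name, imports in samples.items():
        clusters.setdefault(imphash(imports), []).append(name)
    return {h: sorted(names) for h, names in clusters.items()}


# Constructed import tables. A and B differ only in DLL/function casing (as
# two builds of the same source might) and get the same imphash. C imports
# the same functions in a different order and gets a different imphash: the
# hash is order-sensitive by design.
SAMPLE_A = [("KERNEL32.DLL", "CreateFileA"), ("KERNEL32.DLL", "WriteFile"),
            ("COMCTL32.dll", 17)]
SAMPLE_B = [("kernel32.dll", "createfilea"), ("kernel32.dll", "writefile"),
            ("comctl32.dll", 17)]
SAMPLE_C = [("KERNEL32.DLL", "WriteFile"), ("KERNEL32.DLL", "CreateFileA"),
            ("COMCTL32.dll", 17)]

if __name__ == "__main__":
    groups = cluster_by_imphash({"a.exe": SAMPLE_A, "b.exe": SAMPLE_B, "c.exe": SAMPLE_C})
    for h, names in groups.items():
        print(h, names)
```

Because the hash depends on import order, two samples that are functionally identical but linked differently will not share an imphash; it is a grouping hint to combine with the ssdeep fuzzy hash and WildFire verdict, not a substitute for them.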

Session Artifacts
Session artifacts are artifacts that WildFire associates with sessions only. You can find the following
artifact types when you view Sample Details. Note that you can only view the details of sessions associated
with your support account. For this reason, when you search with artifact types that refer to firewall-related
properties (for example, firewall serial number or hostname), AutoFocus filters the search results by the
properties of the Palo Alto Networks firewall(s) that initiated the session.
The following session artifact types refer to private session information: Device Hostname, Device Serial,
Device vsys, Destination IP, Email Recipient Address, Email Charset, Email Sender Address, Email Subject,
File Name, File URL, Recipient User ID, and Source IP. If any of your private tags use these artifact types as
tag conditions, you cannot make these tags public.

Artifact Type: Search with this Artifact Type to Find...

Application: The App-ID matched to the type of application traffic detected in a session. For example, a search for the Application web-browsing returns sessions during which web browsing over HTTP occurred. Visit Applipedia for an updated list of applications that Palo Alto Networks identifies.

Device Country: The country to which the IP address on a firewall is registered.

Device Country Code: The two-digit abbreviation for the Device Country. Refer to the complete list of countries and country codes in AutoFocus.

Device Hostname: A name that identifies a Palo Alto Networks firewall. To view the hostname for a firewall, log in to the firewall web interface, select Device > Setup > Management, and view the General Settings.

Device Serial: The serial number of a firewall.

Device vsys: The name of the virtual system on the firewall associated with the session.

Destination Country: The country of the IP address to which the session was destined.

Destination Country Code: The two-digit abbreviation for the Destination Country of the session. Refer to the complete list of countries and country codes in AutoFocus.

Destination IP: The destination IP address of the session.

Destination Port: The destination port that the session used.

Email Recipient Address: For email samples, the email address of the user who received the email.

Email Charset: For email samples, the character set used to display the message body of an email. Examples of character sets are UTF-8 and ISO-8859-1.

Email Sender Address: For email samples, the email address of the sender.

Email Subject: For email samples, the subject of the email.

File Name: The filename of the sample sent during the session.

File URL: The URL path for the source that hosts the sample.

IMEI: The 15-digit unique International Mobile Equipment Identity number assigned to a mobile phone.

Industry: The field that the source of the session (you or another AutoFocus support account) is associated with. Examples are Aerospace and Defense, High Tech, and Education. Industry is a field you select when you initially set up your AutoFocus account. Contact Palo Alto Networks Support to change it.

Recipient User ID: The username of the user who received an email sample.

Region: The WildFire cloud (global or regional) to which a sample is submitted for analysis. A session in the AutoFocus search results provides information about how a source submitted a sample to WildFire. Since each session corresponds to a single WildFire submission, it can only be associated with a single WildFire cloud.
US: WildFire global cloud
EU: WildFire EU cloud
JP: WildFire Japan cloud
SG: WildFire Singapore cloud

SHA256: The SHA-256 hash for the sample associated with the session.

Source Country: The country to which the IP address that initiated the session is registered.

Source Country Code: The two-digit abbreviation of the Source Country that sent the session. Refer to the complete list of countries and country codes in AutoFocus.

Source IP: The IP address of the session source.

Source Port: The source port that the session used.

Status: All samples that a Palo Alto Networks firewall blocked. The Status for blocked samples is Blocked, while the status for allowed samples is blank. To find all allowed samples, search with the condition Status > is not > Blocked.

Time: The time and date when the session started.

Upload Source: The source that requested a WildFire verdict for a sample or submitted a sample to WildFire for analysis. Choose from a list of possible upload sources:
Firewall: Samples that a Palo Alto Networks firewall forwarded to WildFire.
Proofpoint: Samples submitted to WildFire through Proofpoint products.
Traps: Samples submitted through Traps.
Manual API: Samples uploaded manually through the WildFire API or the WildFire public portal.
WF Appliance: Samples that a WildFire appliance submitted to the WildFire public cloud.

Analysis Artifacts
Analysis artifacts make up the WildFire dynamic and static analysis of a sample. WildFire Dynamic Analysis information consists of properties, activities, and behaviors that WildFire detects in the sample when it is executed in an analysis environment. WildFire Static Analysis information consists of artifacts that WildFire can observe from the sample without executing it in an analysis environment.

To get an idea of the artifacts that appear in a WildFire analysis section, start a search
with an analysis artifact and for the operator, select has any value. View the file analysis
details of the search results, expanding the section you searched for to view the artifacts that
WildFire found for it.

Artifact Type: Search with this Artifact Type to Find...

Connection Activity: Processes that accessed other hosts on the network when the sample was executed in the WildFire analysis environment. Artifacts listed for each connection activity include the process that accessed other hosts on the network, the port through which the process connected, the protocol used for the connection, and the IP address and country of the host.

DNS Activity: DNS activity observed when the sample was executed in the WildFire analysis environment. Artifacts listed for each DNS activity include the hostname that was translated (Query column), the resolved domain name or IP address (Response column), and the type of DNS resource record (Type column) used to resolve the DNS query.

File Activity: Files that showed activity as a result of the sample being executed in the WildFire analysis environment. Artifacts listed for each file activity include the parent process that showed activity, the action the parent process performed, and the file that was altered (created, modified, duplicated, or deleted).

HTTP Activity: HTTP requests made when the sample was executed in the WildFire analysis environment. Artifacts listed for each HTTP activity include the destination domain of the HTTP request, the HTTP method that the host used, the URL for the requested resource, and the string originating the request (User Agent column).
The domain (Host column) and URL values together are the URL for the request. For example, the full URL for the first artifact is althawry.org/images/xs.jpg?8b96=71468.

Java API Activity: Java runtime activity seen when the sample was executed in the WildFire analysis environment.

Observed Behavior: Behaviors seen for the sample in the WildFire analysis environment, such as whether the sample created or modified files, started a process, spawned new processes, modified the registry, or installed browser helper objects (BHOs). Each behavior is also assigned a risk level of high, medium, low, or informational.
On the File Analysis tab within the sample details, alternate between operating system columns to see the list of behaviors observed for each virtual machine in which the sample was executed.
The Evidence column lists the total number of sample activities that are evidence of each behavior; expand a single behavior for the list of matching activities. For each activity listed, the Type column indicates the WildFire analysis section and the Value column includes artifacts that WildFire found for the section. The artifacts displayed might vary depending on the activity category. For a File Activity entry, for example, the artifacts provided include the parent process that showed activity, the action the process performed, and the file that was altered.
The artifact type Observed Behavior also refers to properties that WildFire observed in a sample during static analysis. These properties appear under the WildFire Static Analysis category Suspicious File Properties.

Other API Activity: Non-Java API activity seen in the WildFire analysis environment when the sample was executed. Artifacts listed include the parent process that was active, the API calls made by the parent process, and the process that was modified.

Process Activity: Processes that showed activity when the sample was executed. Artifacts listed for each process activity include the parent process that was active, the action that the parent process performed, and the process that was modified.

Service Activity: Services that showed activity as a result of the sample being executed in the WildFire analysis environment. Artifacts listed for each service activity include the process that was active, the action the process performed, and the service that was created, modified, or deleted.

User Agent Fragments: The user agent header for HTTP requests sent when the sample was executed in the WildFire analysis environment.

Windows Artifacts
Windows artifacts are artifacts that WildFire associates with samples after analyzing the samples in a
Windows OS analysis environment.

Artifact Type: Search with this Artifact Type to Find...

Mutex Activity: A mutex (mutual exclusion object) allows programs to share the same resource, though the resource cannot be used by more than one program simultaneously. If the sample generates other program threads when executed in the analysis environment, the mutex created when the programs start is listed along with the parent process.

Registry Activity: Windows Registry settings and options that showed activity when the sample was executed in the analysis environment. Artifacts listed for each registry activity include the parent process that was active, the registry method used by the parent process (Action column), and the registry key that was set, modified, or deleted (Parameters column).

Mac Artifacts
Mac artifacts are artifacts that WildFire associates with samples after analyzing the samples in a Mac OS
analysis environment.

Artifact Type: Search with this Artifact Type to Find...

Mac Embedded File: Internal files in a Mac app installer or a Mac app bundle. Details for an embedded file can include the SHA256 and name of the installer or bundle, the file's SHA1 hash, filename, file format, file location, SHA256 hash, the signature associated with the file and the name of the signer, the SHA1 hash for the signature, signature status, and the file size in bytes.

Mac Embedded URL: URLs that are part of a Mac file. The Path column contains the path for the section of the app where the URL is located.

Android Artifacts
Android artifacts are artifacts that WildFire associates with Android Package (APK) samples after analyzing
the samples in an Android analysis environment. An APK file installs an app on an Android mobile phone or
tablet.

Artifact Type Search with this Artifact Type to Find...

APK App Icon The file path for the app icon that displays in the Android device menu.

APK App Name The name of the app that displays on the interface of an Android device.

APK Certificate The hash value of the public key embedded in the digital certificate of the
APK file.

APK Certificate File The file path for the certificate(s) embedded in the APK file, information
about the certificate owner and issuer such as name and location (if provided
by the owner/issuer), and the MD5, SHA1, and SHA256 hashes used to sign
the certificate. The owner or issuer may provide the following information:
CNFirst name and last name
OUOrganizational unit
OOrganization name
LCity or locality
STState or province
CTwo-digit country code

APK Defined Activity The class name of activities defined in the APK file. An activity is a component
of the app that provides a screen users can interact with to perform a task.

APK Defined Intent An intent filter, found in an apps manifest file, lists the type of intents that the
Filter components of the app can respond to. An intent is a request an app sends to
other apps to perform an action. For example, the YouTube app needs to use
a messaging app on your Android device to share videos.

APK Defined Receiver Broadcast receivers for the APK file. Broadcast receivers allow the app to
receive intents broadcast by itself, by the Android device, or by other apps on
the device. An example of a broadcast that an app can receive is an indication
that the device battery is low.

APK Defined Sensor Sensors for motion, orientation, or environmental conditions that the app
uses when it is running. For example, an app might need to receive sensor
readings from the devices GPS for to perform location-based tasks.

AUTOFOCUS ADMINISTRATORS GUIDE | AutoFocus Search 65


Artifact Type Search with this Artifact Type to Find...

APK Defined Service Services configured for the APK file. Services are operations that run in the
background while the app is running, and do not provide a user interface
screen. An example of a service is a notification service for an email app that
alerts users when they have new messages.

APK Embedded Third-party libraries that are included in the APK file. A third-party library,
Libraries which app developers can reuse across multiple apps, contains files of
code that accomplish a specific task. An example of an embedded library is
Googles mobile ads software development kit (SDK), AdMob.

APK Embedded URL URLs that are part of an APK file. The Path column contains the path for the
section of the app where the URL is located.

APK Internal File The file format, file path, and SHA256 hash of files included in the APK file.

APK Package Name The unique name that identifies an app on an Android device. The general
format for a package name is domain.company.application (for example,
com.tamapps.learnjapanese).

APK Repackaged An indication of whether an APK file has been repackaged (True) or not
(False). AutoFocus marks a repackaged APK file as suspicious because an
attacker can repackage a benign file to contain malicious functionality.

APK Requested The permissions that the APK file requests from users to perform processes
Permission and to access data on their Android device. Examples include permissions to
access the camera on the device or to change the audio settings of the device.

APK Sensitive API Call API calls embedded in the APK file that access restricted services or
resources.

APK Signer Personal information that the app owner provided when he/she signed the
app certificate:
CNFirst name and last name
OUOrganizational unit
OOrganization name
LCity or locality
STState or province
CTwo-digit country code

APK Suspicious API Call API calls embedded in the APK file that access restricted services or
resources. Unlike APK Sensitive API Call, the APK Suspicious API Call lists all
instances of an API call and the location of the files where the API call was
found.

66 AUTOFOCUS ADMINISTRATORS GUIDE | AutoFocus Search


Artifact Type Search with this Artifact Type to Find...

APK Suspicious Action | An action that the APK file performed when it was executed in the WildFire analysis environment that may be an indicator of compromise. The Value column contains a description of the action and supporting evidence. For example, if the suspicious action associated with an APK file sends SMS messages while running in the background, the value includes the text message content that the file sent. If the action is loading another APK, DEX, or JAR file, the value includes the path for the file that the APK file loaded.

APK Suspicious Behavior | A sequence of actions that the APK file exhibits, the target of the actions (if there is one), and the location of the files that exhibited the actions. For example, for the suspicious behavior "APK file sends an SMS to a fixed number", the target is the phone number that received the SMS.

APK Suspicious File | Suspicious files found in the APK file and their file type. An example of a suspicious file is one that contains malicious native code or an executable file in .dex format.

APK Suspicious Pattern | A class of patterns observed in the APK file, a description of what the pattern does, and the location of the files where the pattern occurred.

APK Suspicious String | Suspicious strings of code found in the APK file. For example, a suspicious string can indicate that an app contains shell commands that install or uninstall other apps, or the string can be a suspicious phone number. For each string, you can view the location of the file that contains the string.

APK Version | The version number of the app that is visible to users.

Search Operators and Values
Search operators refine the results that are returned to you when you perform a search. Operators
determine which results to display based on the value you select or enter for an artifact type. You can have
up to 10,000 values in a single search with multiple search conditions. Refer to the following table when
you Work with the Search Editor to set up a search.

Operator | When to Use It | Possible Values

is | Find samples or sessions that contain the exact value you enter. | Number. Option: select a value from the drop-down. String: type an exact value (not case-sensitive).

is not | Find samples or sessions that do not contain the exact value you enter. | Number. Option: select a value from the drop-down. String: type an exact value (not case-sensitive).

has no value | Exclude samples or sessions with reported values for the artifact type from the search results. | No value required.

has any value | Find samples or sessions that have reported values for the artifact type, including values such as 0, unknown, or Not Found. | No value required.

is in the list | Find samples or sessions with artifacts that match at least one of the values from a list. You can have up to 1,000 values in your list. | Option: select more than one value from the drop-down. String: type more than one value (not case-sensitive); press Enter to separate one value from another. The values must be exact.

is not in the list | Exclude samples or sessions that do not have at least one value from a list. You can have up to 1,000 values in your list. | Option: select more than one value from the drop-down. String: type more than one value (not case-sensitive); press Enter to separate one value from another. The values must be exact.

contains | Find samples or sessions that contain the partial value you enter. Use the contains operator if you don't know the exact value of an artifact. | String: type a partial value (not case-sensitive). Learn more about the Guidelines for Partial Searches.

does not contain | Find samples or sessions that do not have the partial value you enter. | String: type a partial value (not case-sensitive). Learn more about the Guidelines for Partial Searches.

proximity | Perform a single search for two or more values. Use the proximity operator with Analysis Artifacts to look for multiple artifacts that can appear in the WildFire analysis of a sample. | String: type partial values if you don't know the exact value (not case-sensitive). You can enter the values in any order. Learn more about the Guidelines for Partial Searches.

is in the range | Find values within a date or numerical range. | Date and Time Range: select the earliest and latest possible date and time that a value can be, or choose from a drop-down of relative dates, such as Yesterday, Last Month, or Last 90 days. Number Range: select a minimum and maximum number that a value can be.

greater than | Find values that are more than the number you enter. | Number

greater than or equal | Find values that are more than or equal to the number you enter. | Number

less than | Find values that are less than the number you enter. | Number

less than or equal | Find values that are less than or equal to the number you enter. | Number

is after | Find date and time values that occur after a specific date. | Date and Time: select a date and time, or choose from a drop-down of relative dates such as Yesterday, Last Month, or Last 90 days.

is before | Find date and time values that occur before a specific date. | Date and Time: select a date and time, or choose from a drop-down of relative dates such as Yesterday, Last Month, or Last 90 days.

Guidelines for Partial Searches
The contains, does not contain, and proximity operators allow you to enter partial values in your search
conditions. For more accurate search results, observe the following guidelines for using these operators.
Contains and Does Not Contain Operators
Proximity Operator

Contains and Does Not Contain Operators


Use the contains and does not contain operators if you know part of a value for a single artifact.
Example:
To search for samples or sessions with the network identifier 192.168 in the IP address, perform the
search IP Address > contains 192.168.
Using the does not contain operator will exclude samples or sessions with the network identifier
192.168 from your search results.
Searches with the contains and does not contain operators are not case-sensitive.
Any special characters that are not letters or numbers (e.g. period, backslash, hyphen, space, @ symbol)
break up a value into two separate values. Type the full strings that appear in between special characters
for accurate matches.
Example 1:
To search for all sessions sent from email addresses with the domain yahoo.com, perform the search
Email Sender Address > contains yahoo.com.
The search Email Sender Address > contains ahoo.com will return results from an email address with
the domain ahoo.com, but not yahoo.com.
The search Email Sender Address > contains yahoo.co may return results from an email address with
the domain yahoo.co.uk or yahoo.co.jp, but not yahoo.com.
The search Email Sender Address > contains yahoo will return results from an email address with the
string yahoo in between special characters.
Example 2:
If the File Activity that WildFire has detected for a sample contains the string Windows\ServiceProfiles
\LocalService, you can use any of the following terms as partial strings to search for the sample:
Windows
ServiceProfiles
LocalService

Proximity Operator
Use the proximity operator to search for multiple artifacts that can appear under a WildFire Analysis
category of a sample. Enter two or more artifacts in the value field of the search condition.
Example:
The search Registry Activity > proximity HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData ueepd-a.exe returns a sample that has both values in at least one of its registry activities:

The order in which the strings are entered does not affect the search results.
Example:
The search Registry Activity > proximity ueepd-a.exe HKCU\Software\Microsoft\Windows
\CurrentVersion\Explorer\Shell Folders\AppData returns the same results as the previous
example.
Searches with the proximity operator are not case-sensitive.
You can enter partial strings in a proximity search, but you must type the full strings that appear
between any special characters that are not letters or numbers (e.g. period, backslash, hyphen, space, @
symbol) for accurate matches.
Example:
The search Registry Activity > proximity HKCU\Software\Microsoft\Windows\CurrentVersion
ueepd-a.exe returns the following results:

The search Registry Activity > proximity HKCU\Software\Microsoft\Windows\Current ueepd-a.exe will not return the search results above.
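The matching rules from both guideline sections above (split a value at every character that is not a letter or number, match case-insensitively against whole tokens, accept proximity values in any order), as an added Python model written for this excerpt; it is not AutoFocus code, and the sample records, the shape of the registry and file activity strings, the reading of contains as a consecutive run of tokens and the scoping of does not contain to samples that report the artifact are all assumptions of the model.

```python
"""Model of AutoFocus partial-search matching (contains, does not contain, proximity).

Added example, not AutoFocus code. It follows the guide's rules: values split
into tokens at every character that is not a letter or digit, matching is
case-insensitive, and a partial value matches whole tokens only. Reading
'contains' as a consecutive run of tokens and 'proximity' as all tokens in
any order is this example's assumption, as are the sample records below.
"""
import re

_TOKEN = re.compile(r"[A-Za-z0-9]+")


def tokenize(value):
    """Split at special characters: 'bob@yahoo.co.uk' -> ['bob', 'yahoo', 'co', 'uk']."""
    return [t.lower() for t in _TOKEN.findall(value)]


def contains(artifact_value, partial):
    """True when the partial value's tokens occur as a consecutive run in the value.

    'yahoo.co' therefore matches yahoo.co.uk but not yahoo.com, and 'ahoo.com'
    matches neither, as the guide's examples describe.
    """
    needle, hay = tokenize(partial), tokenize(artifact_value)
    if not needle:
        return False
    width = len(needle)
    return any(hay[i:i + width] == needle for i in range(len(hay) - width + 1))


def proximity(artifact_value, query):
    """True when every token of the whole query string occurs somewhere in the value.

    The query carries two or more values in one string; their order does not
    matter, but each must be typed in full between special characters, so
    'Current' does not stand in for 'CurrentVersion'.
    """
    needed = set(tokenize(query))
    return bool(needed) and needed <= set(tokenize(artifact_value))


OPERATORS = {
    "contains": lambda values, v: any(contains(x, v) for x in values),
    "does not contain": lambda values, v: not any(contains(x, v) for x in values),
    "proximity": lambda values, v: any(proximity(x, v) for x in values),
}


def search(samples, artifact, operator, value):
    """Return the ids of samples whose values for the artifact satisfy the condition.

    Only samples that report at least one value for the artifact are considered;
    that scoping is an assumption of this model, not a statement of the guide.
    """
    match = OPERATORS[operator]
    return [sid for sid, arts in samples.items()
            if arts.get(artifact) and match(arts[artifact], value)]


# Constructed sample records keyed by a short id (not real samples); the registry
# and file activity values are made-up strings shaped like the guide's examples.
SAMPLES = {
    "s1": {"Email Sender Address": ["alice@yahoo.com"]},
    "s2": {"Email Sender Address": ["bob@yahoo.co.uk"]},
    "s3": {"Email Sender Address": ["carol@ahoo.com"]},
    "s4": {
        "Registry Activity": [
            r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData,ueepd-a.exe",
        ],
        "File Activity": [r"C:\Windows\ServiceProfiles\LocalService\tmp.dat"],
    },
}

if __name__ == "__main__":
    print(search(SAMPLES, "Email Sender Address", "contains", "yahoo.co"))  # prints ['s2']
    print(search(SAMPLES, "Registry Activity", "proximity",
                 r"HKCU\Software\Microsoft\Windows\Current ueepd-a.exe"))  # prints []
```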

AutoFocus Alerts
Prioritized alerts allow you to quickly distinguish targeted, advanced attacks from commodity
malware so that you can triage your network resources accordingly. Set up AutoFocus alerts
for samples based on Tag Types: Unit 42 Alerting tags, public tags, or private tags.
Configure AutoFocus to send alerts to an email account or directly to a web server. The Alerts
Log on the dashboard displays alerts depending on the dashboard context. You can also view
the complete set of AutoFocus alerts by selecting Alerts on the navigation pane.

> Alert Types
> Create Alerts
> View Alerts in AutoFocus
> Edit Alerts

Alert Types
An alert is a notification about samples that match a set of defined criteria. When you Create Alerts on page
80 in AutoFocus, you have the option to receive the notifications by email or over HTTP. You can also
View Alerts in AutoFocus on page 85 for a complete log of alerts that have been sent to you.
AutoFocus generates alerts for grayware and malware samples from all Upload Sources associated with
your support account, as long as they match the alert criteria.
Email Alerts on page 77
HTTP Alerts on page 78

Email Alerts
AutoFocus can send alerts to your email account. In an email alert, the SHA256 hash displays as a hyperlink
that opens the WildFire analysis of the sample in AutoFocus.

An email alert contains the following components:

Name | Description

AutoFocus Alerts | The date and time that the alert was sent in the following format: Month DD, YYYY hh:mm [AM/PM] (UTC)

Number of alerts | The number of unique samples detected within the alert period

For | The name of the support account that created the alert

Date (UTC) | The date and time that the sample was detected in the following format: Month DD, YYYY hh:mm [AM/PM]

Type | The tag type that triggered the alert (unit42, public, or private)

Name | The specific tag that triggered the alert for the sample

Verdict | The WildFire verdict assigned to the sample: malware or grayware. To focus your attention on samples that exhibit malicious behavior, AutoFocus does not send alerts for benign samples.

Matching Sample | The SHA256, SHA1, and MD5 hashes of the sample

HTTP Alerts
HTTP alerts are notifications that AutoFocus generates in JavaScript Object Notation (JSON) data format.
In an HTTP alert, information about the samples is formatted as JSON name-value pairs separated by
colons. For example, the name-value pair date: 'March 19, 2016 05:56 PM' describes the date and
time that a sample was detected for the alert. All alerts use the same set of field names, but their values
vary depending on the samples detected in the alert period.
AutoFocus sends HTTP alerts as plain text to the web server of your choice using standard HTTP requests.

Use HTTP alerts to publish information about detected samples on a web page or a threat
feed.

When creating an HTTP alert, provide the URL of a server that has been preconfigured to parse the name-
value pairs from the alert. Refer to the following table of field names and possible data types for the field
values. The data type describes how a value should be interpreted and stored by the server.

Field Name | Description | Data Type

num_alerts | The number of unique samples detected within the alert period | number

autofocus_alerts | The date and time that the alert was sent in the following format: Month DD, YYYY hh:mm [AM/PM] | string

alerts | A list of each sample detected and the details associated with it | array

date | The date and time that the sample was detected in the following format: Month DD, YYYY hh:mm [AM/PM] | string

match_sample | The SHA256, SHA1, and MD5 hashes of the sample | string

alert_name | The specific tag that triggered the alert for the sample | string

alert_type | The tag type that triggered the alert. The different alert_type values that can be displayed are: private (private tags owned by you), public (public tags), unit42 (tags issued by Unit 42) | string

verdict | The WildFire verdict assigned to the sample: malware or grayware. To focus your attention on samples that exhibit malicious behavior, AutoFocus does not send alerts for benign samples. | string

for | The name of the support account that created the alert | string
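The receiving-server side of an HTTP alert, as an added example that is not AutoFocus or Palo Alto Networks code: it validates one alert body against the field names and data types in the table above and normalizes it for storage, which is what a handler would run on each request body before publishing anything to a page or feed. The JSON nesting (top-level num_alerts, autofocus_alerts, for and an alerts array of per-sample objects), the comma-separated layout of match_sample, and the placeholder payload are assumptions.

```python
"""Validate and normalize one AutoFocus HTTP alert body on the receiving server.
Added example, not AutoFocus code. Assumed layout: a JSON object holding num_alerts,
autofocus_alerts, for and an alerts array of per-sample objects (date, match_sample,
alert_name, alert_type, verdict); match_sample is assumed to hold the SHA256, SHA1
and MD5 digests separated by commas."""
import json
from datetime import datetime

DATE_FORMAT = "%B %d, %Y %I:%M %p"   # Month DD, YYYY hh:mm [AM/PM], per the guide
ALERT_TYPES = {"private", "public", "unit42"}
VERDICTS = {"malware", "grayware"}    # benign samples never produce an alert
HASH_LENGTHS = {64: "sha256", 40: "sha1", 32: "md5"}
# Field name -> JSON type, from the guide's table ("number" is an int here).
TOP_LEVEL_FIELDS = {"num_alerts": int, "autofocus_alerts": str, "alerts": list, "for": str}
SAMPLE_FIELDS = {"date": str, "match_sample": str, "alert_name": str,
                 "alert_type": str, "verdict": str}


class AlertFormatError(ValueError):
    """The body does not match the documented field names, types or values."""


def _require(obj, schema, where):
    """Check that every schema field is present with the documented JSON type."""
    for name, expected in schema.items():
        if name not in obj:
            raise AlertFormatError(f"{where}: missing field {name!r}")
        # bool is a subclass of int in Python, so reject it explicitly for number fields
        if isinstance(obj[name], bool) or not isinstance(obj[name], expected):
            raise AlertFormatError(f"{where}: field {name!r} must be {expected.__name__}")


def _parse_date(text, where):
    """Parse the guide's date format, e.g. 'March 19, 2016 05:56 PM'."""
    try:
        return datetime.strptime(text, DATE_FORMAT)
    except ValueError:
        raise AlertFormatError(f"{where}: {text!r} is not 'Month DD, YYYY hh:mm AM/PM'") from None


def _split_hashes(field, where):
    """Map each digest in match_sample to its algorithm by hex length (comma layout assumed)."""
    hashes = {}
    for token in field.split(","):
        digest = token.strip().lower()
        algo = HASH_LENGTHS.get(len(digest))
        if algo is None or not all(c in "0123456789abcdef" for c in digest):
            raise AlertFormatError(f"{where}: {digest!r} is not a SHA256, SHA1 or MD5 digest")
        hashes[algo] = digest
    if set(hashes) != set(HASH_LENGTHS.values()):
        raise AlertFormatError(f"{where}: match_sample must carry SHA256, SHA1 and MD5")
    return hashes


def parse_alert(body):
    """Return a normalized record for one untrusted alert body, or raise AlertFormatError."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise AlertFormatError(f"body is not JSON: {exc}") from None
    if not isinstance(data, dict):
        raise AlertFormatError("body must be a JSON object")
    _require(data, TOP_LEVEL_FIELDS, "alert")
    samples = []
    for index, entry in enumerate(data["alerts"]):
        where = f"alerts[{index}]"
        if not isinstance(entry, dict):
            raise AlertFormatError(f"{where}: must be a JSON object")
        _require(entry, SAMPLE_FIELDS, where)
        if entry["alert_type"] not in ALERT_TYPES:
            raise AlertFormatError(f"{where}: unknown alert_type {entry['alert_type']!r}")
        if entry["verdict"] not in VERDICTS:
            raise AlertFormatError(f"{where}: unexpected verdict {entry['verdict']!r}")
        samples.append({"detected": _parse_date(entry["date"], where),
                        "hashes": _split_hashes(entry["match_sample"], where),
                        "tag": entry["alert_name"], "tag_type": entry["alert_type"],
                        "verdict": entry["verdict"]})
    return {
        "sent": _parse_date(data["autofocus_alerts"], "alert"),
        "account": data["for"],
        "num_alerts": data["num_alerts"],
        "samples": samples,
        # num_alerts counts unique samples in the digest period; flag a mismatch, do not fail
        "count_matches": data["num_alerts"] == len({s["hashes"]["sha256"] for s in samples}),
    }


def is_valid_alert(body):
    """Accept/reject form of parse_alert for a handler that only needs a yes or no."""
    try:
        parse_alert(body)
        return True
    except AlertFormatError:
        return False


# Constructed alert body with placeholder digests (not real samples or a real account).
EXAMPLE_BODY = json.dumps({
    "num_alerts": 1,
    "autofocus_alerts": "March 19, 2016 06:00 PM",
    "for": "example-support-account",
    "alerts": [{"date": "March 19, 2016 05:56 PM",
                "match_sample": "a" * 64 + "," + "b" * 40 + "," + "c" * 32,
                "alert_name": "ExamplePrivateTag", "alert_type": "private",
                "verdict": "malware"}],
})
```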

Create Alerts
Create alerts to monitor samples in your network based on their tags. The following steps walk you through
the process of creating alerts in AutoFocus:

STEP 1 | Select Alerts on the navigation pane, and then select Settings.

STEP 2 | Define Alert Actions. An alert action sets the type, destination, and frequency of the alert.

STEP 3 | Enable Alerts by Tag Type. The Alert on Tag Type column describes the tag types that samples
in your network must match to trigger an alert: Unit 42, Public, or Private. By default, the alert
action for all tag types is none, and alerts are disabled. Select a different alert action to enable
alerts for each tag type.

STEP 4 | To receive alerts for certain tags and disable them for others, Create Alert Exceptions.

Define Alert Actions


Define alert actions that you can then select to Enable Alerts by Tag Type. Defining alert actions includes
choosing to receive the alert as an email or HTTP notification and setting the alert frequency. You only
receive notifications for samples matching the alert criteria (the tag) in the digest period you select; if
AutoFocus does not detect matching samples during the digest period, it does not send out an alert.
The default alert action none cannot be edited or deleted. Use this alert action to disable alerts for tags.

Create an alert for Unit 42 tags to receive notifications based on new threats and attacks
identified by the Unit 42 threat intelligence research team.

STEP 1 | Select Alerts > Settings.

STEP 2 | Scroll to the bottom of the Settings tab, and click Add Alert Action:

STEP 3 | Give the alert action a descriptive name.

STEP 4 | Define the type of alert you want to receive: Email or HTTP.

STEP 5 | Set the alert destination (email address or server URL).


For email alerts:
Enter the email address where you would like to receive Email Alerts.

For HTTP alerts:
Enter the URL of your server that you have configured to receive HTTP Alerts.

STEP 6 | Set the alert digest to 5 Minutes or Daily.


Digest sets the frequency with which AutoFocus checks for samples that match the alert criteria.
AutoFocus collects all samples that match the alert criteria during the digest period and sends them in a
single notification.

STEP 7 | Click Save Changes.


The Action drop-down contains all saved alert actions, which you can apply to samples matched to Unit
42, public, and private tags.

STEP 8 | Enable Alerts by Tag Type.

Enable Alerts by Tag Type
Enable alerts based on Tag Types. You can choose to generate an alert for all samples in your network
matched to a tag type. Additionally, you can Create Alert Exceptions to set up prioritized alerts for specific
tags or to disable alerts for them.
STEP 1 | Select Alerts > Settings.

STEP 2 | If there are no email or HTTP Alert Actions listed, Define Alert Actions.

STEP 3 | Choose an alert for each tag type.

Use this step at any time to change the alert action for a tag type.

Select an alert Action for samples matched to Unit 42, public, and private tags:

STEP 4 | Enable the alert for a tag type.


For each tag type, select Enabled? to receive alerts when AutoFocus detects samples in your network
that match the tag type.

STEP 5 | If necessary, specify tags to exclude from the alert for the tag type.
Create Alert Exceptions in order to:
Create and enable custom alerts for specific tags.
Disable alerts for tags for which you don't need to receive alerts.

STEP 6 | Choose from the following next steps:


Both Email Alerts and HTTP Alerts list all the samples matched to the alert criteria in the digest
period.
View Alerts in AutoFocus.
You can Edit Alerts or Disable Alerts.

Create Alert Exceptions


You can choose different alert settings for individual tags by adding the tags as alert exceptions. Create
exceptions so that the alerts you receive for threat samples are prioritized by tag.

STEP 1 | Select Alerts > Settings.

STEP 2 | If there are no email or HTTP Alert Actions listed, Define Alert Actions.

STEP 3 | Identify the tag type for which you want to create an alert exception, and click Add Exception.

STEP 4 | In the Tag field, start typing the tag name, and select it from the list of tags.

STEP 5 | Select an alert Action for the tag.


Select one of the email or HTTP alert actions to enable alerts for the tag.
Select none to disable alerts for the tag.

STEP 6 | Select Enabled? to enable the alert action for samples in your network that match the tag.

STEP 7 | Click Save Exception.

STEP 8 | To change or delete alert exceptions, Edit Alerts.

View Alerts in AutoFocus
The Alerts Log on the dashboard displays alerts that were generated within the selected dashboard date
range, beginning with the most recent alerts. Alternatively, select Alerts on the navigation pane to view the
complete set of alert logs.
Alert logs are available for a month from the period the log was generated.
Alert times are displayed in Pacific Time (PST/PDT).

Find alerts.
Select Dashboard to view the Alerts Log widget. The Alerts Log widget displays the most recent
samples that matched your alert criteria.
Select Alerts > Alerts Log to view all samples that have triggered alerts. Sort the rows according
to Time, Tag Type, SHA256, or Tag. Alternatively, click the column headers to sort the rows in
ascending (up arrow) or descending (down arrow) order.
You can also click the SHA256 link for a sample entry to add the sample to a search:

Scan tag details.


Hover over the tag on which the alert is based to view tag details, including the latest time and the total
number of times that traffic was matched to the tag.

Search on the latest sample that triggered an alert.


Click the sample hash on the Alerts Log widget to add the sample to an AutoFocus search:

Review and/or search on the conditions that triggered an alert.
Select a tag on the Alerts Log widget to view tag details. Tag details include a description of the tag and
a list of the conditions defined for the tag. From the tag details, open a search based on the tag or a
single condition defined for the tag:

Add the tag to the search editor, to search for all historical and global samples matched to the
tag.

Add a single condition defined for the tag to the search editor, to search for all historical and
global samples matched to that single condition.

Edit Alerts
Alerts are highly customizable and can be changed or deleted anytime. Change the settings of an existing
alert action or alert exception as necessary. Disable an alert to stop receiving notifications for certain tags.
To view all options for editing alerts, select Alerts > Settings.

Disable Alerts.
Select the action none for a tag type.

To disable alerts for an alert exception, Edit an Alert Exception. Select the action none.

Edit an Alert Exception.

Modify the tag chosen as an alert exception and the alert action that occurs when AutoFocus
detects a sample that matches the tag. Select Enabled? to enable the alert action.

Delete an Alert Exception.

Delete an alert exception permanently.

Edit an Alert Action.

Modify the name of the alert action, the alert type (Email or HTTP), the email address or server URL
that receives the alert, and how frequently the alert is generated.

Delete an Alert Action.

Delete an alert action permanently.

AutoFocus Tags
Group a set of conditions with a tag. All past and future samples that match the tag conditions
are automatically marked with the tag. Use tags to search for samples to gain context and
insight into surrounding events. Create Alerts on page 80 based on a tag to be notified each
time AutoFocus detects new samples that match the tag conditions, allowing you to take
quick action to remediate possible threats.
The Unit 42 threat research team shares threat intelligence with the AutoFocus community
through official Unit 42-issued tags. Unit 42 also verifies threats discovered by third-party
individuals and organizations and creates tags for these threats.
See the following topics for details on tags, how to create your own tags, and how to see tags
shared by Unit 42 and other AutoFocus users:

> Tag Concepts on page 93
> Tag Details on page 96
> Create a Tag on page 99
> Work with Tags on page 101
> Vote for, Comment on, and Report Tags on page 105

Tag Concepts
Click Tags on the navigation pane to view a complete list of public, private, and Unit 42 tags.
Tag Types
Tag Class
Tag Status
Tag Visibility

Tag Types
Tag colors and icons allow you to easily distinguish the different tag types at a glance. When a tag is linked
to a Tag Class, its default icon changes into a tag class icon.

Tag Type | Description

Unit 42 Tag (Alerting) | Unit 42 tags are created by Unit 42, the Palo Alto Networks threat intelligence and research team, to detect and identify threats and campaigns that pose a direct security risk. Unit 42 tags have an orange outline and a Unit 42 icon. Tags for threats discovered by an individual or organization outside of Unit 42 have a pointed and marked top right corner. Enable AutoFocus Alerts for Unit 42 tags to receive immediate notifications from AutoFocus when it detects samples in your network that match Unit 42 tags.

Unit 42 Informational Tag (Non-Alerting) | Unit 42 also publishes informational tags that group and identify commodity threats. Often, threat signatures already exist and are distributed to identify and enforce the traffic identified with informational tags. When you enable AutoFocus Alerts for Unit 42 tags, AutoFocus does not generate alerts for samples that match Unit 42 informational tags so you can focus your resources on addressing targeted or pervasive threats. Informational tags have a faded orange outline and a Unit 42 icon. Tags for threats discovered by an individual or organization outside of Unit 42 have a pointed and marked top right corner.

My Private Tag | Create a Tag that is visible only to your organization. Private tags allow you to tag a sample hash or a set of search conditions that might be specific or especially significant to your environment. You can then Create Alerts for the private tags. Private tags have a blue outline and a tag icon.

Public Tag | Public tags are tags shared with the AutoFocus community by your organization and other AutoFocus users. They are visible to all AutoFocus users. Public tags have a gray outline and a tag icon.

Tag Class
A tag can be linked to a particular tag class, which provides more context for the type of threat information
that the tag identifies. Special icons indicate whether a tag is associated with a tag class. The icon can be
blue, gray, or orange depending on the Tag Types. For example, the following tag is a public tag linked to
malicious behavior:

Tag Class | Description

Malware Family | Related malware is grouped into a malware family. Malware might be considered related based on shared properties or a common function. Malware within a malware family exhibits similar malicious behaviors to launch an attack.

Campaign | A campaign is a targeted attack which might include several incidents or sets of activities. You can identify a campaign by the malware families that are used to execute an attack.

Actor | An actor is an individual or group that instigates one or more campaigns using malware families.

Exploit | An exploit is an attack, usually in the form of a script, that takes advantage of a software or network weakness, bug, or vulnerability to manipulate the behavior of the system.

Malicious Behavior | Malicious behavior is behavior that is not specific to a malware family or campaign, but indicates that your system has been compromised. An example of malicious behavior is the unauthorized deletion of disk volumes. Tag samples that exhibit malicious behaviors to flag them for you and other AutoFocus users. You can receive alerts for new unique samples that match the conditions of malicious behavior tags.

Tag Status
On the Tags page, view the status for a specific tag; optionally, select Sort by: Status to sort tags based on
the status of the tag.

Tag Status | Description

Enabled | Enabled tags generate alerts when matched to traffic. Alerts based on enabled tags are displayed in the Alerts Log on the dashboard and, if configured, email and HTTP alerts are also sent for enabled tags.

Disabled | Disabled tags are tags that have been disabled automatically after reaching 100,000 hits. This is a quality control measure; tags that are matched to large numbers of samples are too general to be useful in identifying targeted threats. Disabled tags continue to display as a reference: you can continue to view the samples that were matched to that tag, search based on the disabled tag, and view the conditions defined for the tag. However, disabled tags are not applied to future samples.

Removing | The tag owner has deleted the tag, but the deletion is not complete. This status only displays for a short period of time; when the tag deletion completes, the tag is completely removed from the AutoFocus system.

Rescoping | The tag owner has modified the tag visibility to private, public, or anonymously public. This status only displays for a short period of time as the new tag scope is processed and until the update to the tag scope is complete.

Tag Visibility
There are three types of tag visibility:
Private: Visible only to your organization (more specifically, only to users associated with the same support account as the tag author).
Public: Visible to all AutoFocus users. Public tag details include the name of the organization that created the tag.
Public Anonymously: Visible to all AutoFocus users. However, tags that are anonymously made public do not reveal the organization name in the tag details.
For tags you create, you can set the visibility of the tag and change it at any time.
Private tags and samples can be made public, with the option to revert the tag or sample back to a private
status at any time.

Tag Details
You can click any tag to reveal details about that tag, including the set of conditions that is matched to
traffic, the last time that set of conditions was detected, and the total number of samples matched to the
tag.
For tags that you have created, you can edit tag details, including setting the visibility of the tag to be
private, public, or anonymously public.
On the Tags page, click any tag to open the Tag Detail.

Tag Details

Search | To open a search based on the tag, click the Search icon.

Edit | Edit Tag Information.

Delete | Permanently delete a tag. Deleted tags show a Tag Status of removing after being deleted until the deletion is complete (when the deletion is complete, the tag is no longer available in AutoFocus).

Tag Visibility | (Private Tags Only) Share a tag with other AutoFocus users by making the tag Public. (You can also revert a tag you previously made public back to a private tag.) By default, tags that you make public will list your organization as the tag Owner in the tag details. To change this default setting so that your organization is not listed as the owner of public tags, select Settings on the AutoFocus navigation pane and select Share public tags anonymously.
    You cannot make a tag public if it has search conditions that refer to private information about your sessions. The following Session Artifacts pertain to private information:
        Device Hostname
        Device Serial
        Device vsys
        Destination IP
        Email Recipient Address
        Email Charset
        Email Sender Address
        Email Subject
        File Name
        File URL
        Recipient User ID
        Source IP
    The following General Artifacts may pertain to private session information:
        Domain
        Email Address
        Filename
        IP Address
        URL
    You also cannot make a tag public if it has a search condition that points to a custom App-ID you created (Application > is [custom App-ID]).

Vote, Comment, and Report | You can Vote for, Comment on, and Report Tags. Tags with the visibility set to private (tags created by and visible only to your organization) do not display these options.

Tag Information | Tag information is searchable and can include some or all of the following details:
    Name: AutoFocus enforces unique tag names within an organization.
    Scope: The tag type is either public, private, or Unit 42.
    Tag Class: The Tag Class associated with the tag.
    Source: Organization or individual that discovered the threat defined in the tag.
    Created: The date and time that the tag was created.
    Updated: The date and time that the tag was most recently modified.
    Owner: Organization that created the tag.
    # Samples: The total number of private and public samples matched to the tag.
    Last Hit: The time at which the most recent sample matched to the tag was detected.
    Votes: The number of up-votes the tag has received from the AutoFocus community.
    Description: Summary of the threat that the tag indicates.
    Related Tags: Tags that share certain conditions, or might indicate similar types of threats.
    Alias: Other names that might refer to the threat that the tag defines. You can search on a tag alias to find all samples matched to tags with that alias.
    References: External references provide more information or context for the threat that the tag identifies.

Tag Conditions | Lists all the conditions against which samples are evaluated. Note that a tag can have multiple sets of conditions, but a sample only has to match one set of conditions for it to be marked with the tag.
    Search based on a single set of tag conditions: Click the Search icon in the Actions column to the right of the condition for which you want to open a search. Because you cannot edit the conditions defined for an existing tag, use this option to add conditions from an existing tag to the search editor, modify the conditions, and create a new tag.
    Delete a single set of tag conditions: Click the Trash icon in the Actions column to delete the set.
    Search with all tag conditions: Click the Search All icon after the last set of tag conditions to add all of the tag conditions to a new search.

Next Steps... | Create a Tag. Vote for, Comment on, and Report Tags. Enable Alerts by Tag Type.

Create a Tag
There are two ways to create a new AutoFocus tag: tag a sample or tag a set of search conditions.
The visibility of a new tag is set to Private by default.

Tag a sample.
Create a tag for a sample hash to keep track of a sample that exhibits unique behavior or a sample that
you need to refer back to later. You can then search for the sample by the tag name instead of its hash.
1. Begin a new search.
2. Click a sample hash to view sample details, and click Add Tag.

You can only click the sample hash for a public sample or any of your private samples.

3. Enter a name for the tag in the search field and click create new.

4. Hover over the new tag, and click the tag name.
5. Edit the Tag Details to supply more information about the tagged sample.

Tag a search.
Create a tag for a search condition (or a set of search conditions). You can use the tag to search for all
samples that match the conditions. Review Tag Visibility for tagging guidelines.
1. Work with the Search Editor to create a set of search conditions.

You cannot create a tag for searches based on tag-related information (Tag, Tag
Alias, Tag Class, Tag Scope, and Tag Source) or the artifact Threat Name.
2. Click the Tag icon to create a tag based on the defined search conditions:

3. Provide a unique tag name and any other information that may be helpful for identifying the tag, and
then Tag Results.

Choose from the following next steps.


When a tag is created, all past and incoming samples that match the search conditions are tagged;
Sample Details display the tags to which the sample is matched.
Learn more about how to Work with Tags.
Use the tag to Begin a new search. Search with the tag to view all AutoFocus samples that match the
tag conditions.



Create Alerts to be notified when new samples match the tag.



Work with Tags
Find Samples by Tag Details
Filter and Sort Tags
Find the Top Tags Detected During a Date Range
See the Top Tags Found with Search Results

Find Samples by Tag Details


On the Search page, you can find and filter samples by different tag-related artifacts.

Tag: Find samples matched to a tag.
Tag Alias: Find samples by the Alias field in the Tag Details. The Tag Alias allows the tag owner to specify common names for the threat that the tag identifies. For example, there may be multiple tags related to a single malware family or campaign. In this case, you can use Tag Alias to look for all samples that are linked to a particular malware family or campaign by different tags.
Tag Class: Find samples associated with a particular Tag Class: a Malware Family, a Campaign, an Actor, an Exploit, or a type of Malicious Behavior.
Tag Scope: Filter samples by the scope of their tags: private, public, Unit 42 (alerting), or Unit 42 informational (non-alerting).
Tag Source: Find samples with tags that are attributed to a particular tag source. The Tag Source is the individual or organization that discovered the threat that the tag identifies. The list of tag sources to choose from is based on all tags with a Tag Visibility that is set to public.

Filter and Sort Tags


Filter and sort tags on the Tags page based on Tag Details.

Unified Tag View: Tags are displayed collectively in a single view to enable quick and easy filtering.
Choose Columns to select which details to display on the Tags page.
Select a tag detail to Sort by in ascending or descending order. Alternatively, you can click the column header for a tag detail to sort the rows in ascending (up arrow) or descending (down arrow) order.
To find tags with the highest number of matching samples, Sort by: # Samples in descending order. To find tags that have received comments from AutoFocus users recently, Sort by: Last Comment in descending order.

Quick Search: Enter a single value in the quick search field to find matching tags across all tag types.

Advanced Filter: Click Advanced to find tags based on multiple search conditions, including tag fields, the number of votes a tag has received, and the number of sample hits.
You can start typing the artifact type by which you want to filter tags to narrow down the options in the drop-down.



Find the Top Tags Detected During a Date Range
On the AutoFocus dashboard, the Top Tags widget lists the twenty tags with the most sample hits during
the date range set for the dashboard (see Set the Dashboard Date Range on page 26). The list of top tags
updates accordingly depending on the context selected (My Organization, My Industry, or All tab). To view
all tags, click Tags on the navigation pane.

STEP 1 | Click Dashboard on the navigation pane, and click the My Organization, My Industry, or All
tab.

STEP 2 | Set the Dashboard Date Range on page 26 to adjust the displayed Malware Download
Sessions. The widgets on the dashboard (including the Top Tags widget) automatically update
based on the new date range.

STEP 3 | On the Top Tags widget, select a tag to view tag details, including a description of the sample
or conditions that the tag identifies.

You can continue to add the tag to a search.

STEP 4 | Choose from the following next steps:


Enable Alerts by Tag Type on page 83.
See the Top Tags Found with Search Results on page 103.
Vote for, Comment on, and Report Tags on page 105.

See the Top Tags Found with Search Results


When performing a search, you can view the top tags that AutoFocus matched with the search results.

STEP 1 | Work with the Search Editor to set up a search.

STEP 2 | Click the Statistics tab and find the Top Tags widget.
The Top Tags widget displays the 20 tags that AutoFocus matched with the highest number of samples
based on your search.

STEP 3 | Filter the top tags by Tag Types.

Vote for, Comment on, and Report Tags
Though you cannot edit Unit 42 and public tags, you can help to curate the most relevant and useful of
these tags by voting for tags you like and adding comments to tags. You can also alert Unit 42 to a tag that
you think might be offensive or revealing, and Unit 42 will review the tag.
Vote for tags: Give up-votes to tags that provide helpful, accurate information.
Comment on tags: Provide feedback on tags or share additional, relevant information with the AutoFocus community.
Report tags: Report tags that are misleading, too general to be meaningful, offensive, or that reveal sensitive information. Unit 42 reviews reported tags and finds the tag to be either acceptable or inappropriate:
Acceptable tags: If Unit 42 determines that the tag is appropriate, the tag status remains public. The user who reported the tag receives an email notification that the tag will remain publicly shared.
Inappropriate tags: If Unit 42 determines that the tag is inappropriate, they can revert the tag scope to private. The tag will only be visible to the organization that owns the tag and will no longer be publicly shared. The tag author (the user who originally created the tag) and the user who reported the tag as inappropriate receive an email notification that the tag is no longer publicly visible. Unit 42 can also permanently delete an inappropriate reported tag. The tag owner receives an email notification when the tag deletion is complete.
The following table describes how to vote for, comment on, and report tags.

STEP 1 | Find tags.


Click Tags on the navigation pane.
Click Dashboard and view the Top Tags widget.

STEP 2 | Select a tag to view tag details.



Vote for a Tag: Click Vote Up to give a tag an up-vote. You can deselect Vote Up to withdraw an up-vote at any time.
To view tags that are highly rated by the AutoFocus community, click Tags and sort tags according to Sort by: Up Votes. Select Sort Descending to show the tags with the highest votes.

Report a Tag: Report a tag that is misleading, offensive, or displays sensitive information. Include details as to why you are reporting the tag.

Comment on a Tag: Add a comment to provide feedback on a tag, or to share information regarding the tag with the AutoFocus community.

Assess AutoFocus Artifacts
WildFire classifies previously unknown samples as either malware, grayware, or benign, so
that you can then block or enforce the newly-identified traffic according to your security policy
needs. When WildFire observes and executes a sample in a WildFire analysis environment,
artifacts (such as file properties, behaviors, and activities) are revealed to be associated with
the sample.
AutoFocus provides a new lens through which you can view the artifacts collected by
WildFire. AutoFocus layers statistics over artifacts found to be associated with a sample, to
show the number of times the artifact has been seen with other malware, grayware, or benign
samples. High-risk artifacts seen frequently with malware are labeled Suspicious or Highly
Suspicious, and artifacts associated with high-risk behaviors are indicated. If you Forward
MineMeld Indicators to AutoFocus, AutoFocus calls attention to sample indicators that match
the threat indicators you've forwarded.
Find high-risk artifacts in the File Analysis details of a sample. By default, AutoFocus groups
similar artifacts into WildFire static and dynamic analysis sections for easy reference, though
you can also view artifacts based on the sample activity timeline in the WildFire analysis
environment. Add high-risk artifacts to a search, or use them to Build an AutoFocus Export
List. You can also view a threat summary report, which provides a high-level overview of threat
trends in your network.

> Find High-Risk Artifacts


> Add High-Risk Artifacts to a Search or Export List
> Manage Threat Indicators
> Use the Threat Summary Report to Observe Malware Trends

Find High-Risk Artifacts
To bring your attention to potential threats in your network, AutoFocus provides clues in a sample's
WildFire analysis that link the sample to malware or malicious attacks.

STEP 1 | Begin a new search. Check the Tags column for:
Unit 42 tags: Identify threats and campaigns that pose a direct security risk.
Indicator tags: Highlight samples with Threat Indicators that match threat indicators that you forwarded to AutoFocus using MineMeld. The tag specifies the number of matching indicators in the sample. Not all sample artifacts are indicators; to determine whether an artifact is an indicator, AutoFocus uses a statistical algorithm based on the tendency of the artifact to be seen predominantly with malware.

Click the indicator tag to view the matching indicators.



STEP 2 | Click a sample hash and scan the WildFire analysis details of the sample for signs of
maliciousness.
For every WildFire static and dynamic analysis artifact listed, compare the number of times the artifact has been detected with benign, grayware, and malware samples.
High-risk artifacts are displayed with icons that designate them as Suspicious or Highly Suspicious.
If an activity artifact has proven to be evidence of an Observed Behavior, the behavior risk level is indicated.
Sample indicators that match threat indicators from MineMeld are highlighted with an indicator icon. Learn more about how to Forward MineMeld Indicators to AutoFocus.

STEP 3 | View artifacts that match your search conditions (even if they're not high-risk), highlighted in
the search results.



STEP 4 | View a summary of Indicators that AutoFocus detected in the sample.
The Indicators tab only lists artifacts that AutoFocus considers indicators based on the tendency of the
artifact to be seen predominantly in malware samples. Any indicators that match indicators forwarded
to AutoFocus from MineMeld are marked with an indicator tag. Click the tag to view the full list of
matches.

STEP 5 | (Optional) Add High-Risk Artifacts to a Search or Export List.



Add High-Risk Artifacts to a Search or Export
List
When you Find High-Risk Artifacts on page 111 in your search results, you can add these artifacts to your
existing search and/or to an export list. You can also view PAN-DB categorization information, WildFire
DNS history, and passive DNS history for domains, URLs, and IP addresses. The following table describes
how to search, export, and drill down on file analysis artifacts.

Add an artifact to a search.

Alternatively, select Add to New Search to launch a new search for the artifact in a separate window, or
add a SHA256, IP address, user agent, filename, or URL artifact to a remote search (see Set Up Remote
Search on page 54).

Add an artifact to an export list.

See Export AutoFocus Artifacts on page 123 for steps to build an AutoFocus export list.

View PAN-DB categorization, WildFire DNS history, and passive DNS history for an artifact.
Select an IP address, URL, or domain artifact and click Domain and URL info....



See Domain, URL, and IP Address Information on page 51 for details.



Manage Threat Indicators
View and keep track of all Threat Indicators that you have forwarded to AutoFocus using the MineMeld
app. These indicators help you Find High-Risk Artifacts in your AutoFocus search results. AutoFocus can
store up to 180 million indicators, and all dates and times are in Pacific Time (PST/PDT). Filter the indicators
by certain attributes and export them to the firewall or to security information and event management
(SIEM) platforms through MineMeld.

View all threat indicators forwarded to AutoFocus.


Click Indicators on the navigation pane to access the Indicator Store.

Filter the indicators.

Add or remove conditions for filtering the displayed indicators. Filter by the following criteria and click Search:
Upload Source: The app that forwarded the indicator to AutoFocus.
Type: The type of information that an indicator is (examples: IPv4, Mutex, URL). See Artifact Types for definitions of each indicator type. In addition to what are considered Threat Indicators in AutoFocus, AutoFocus can receive the following additional indicator types from MineMeld: IPv6, registry key, process, filename, SHA256 hash, SHA1 hash, MD5 hash, and ssdeep fuzzy hash.
Indicator: The exact value of the indicator.
Indicator Fragments: A partial value of the indicator. Use this criterion if you only know part of an indicator.
Time: The date and time that AutoFocus received the indicator.
IPv4: A criterion for finding IP addresses that fall within a range.
Use the filter IPv4 > matches to find an IP address that belongs to a range.
Use the filter IPv4 > matches list to find multiple IP addresses in a range.
First Seen: The date and time that the indicator was first seen in the threat feed.
Last Seen: The date and time that the indicator was most recently seen in the threat feed.
Feed Source: The name of the threat feed from which an indicator was retrieved.
Confidence: A confidence rating that the feed owner associates with the indicators in a feed. The confidence level is measured on a 0-100 scale, with 0 indicating that the feed contents have not been verified and 100 indicating that the feed contents are confirmed accurate.
Share Level: The share level that the feed owner associates with the indicator.
Threat Type: A default value (malicious) that MineMeld assigns to indicators.
Metadata: Additional information about the indicator that the feed owner provided.
Expired: If the value is True, the indicator has aged out, that is, it has been removed from its source feed. If the value is False, the indicator is active.

Import or export filters for the indicators.



Import Search to paste a query for filtering indicators from another AutoFocus user.
Export Search to share a query for filtering indicators to another AutoFocus user.

Check how much space for storing indicators is remaining.

View all indicators (remove any existing filters), and check the percentage of indicator storage currently
in use. AutoFocus stops receiving indicators from MineMeld when it reaches the maximum number of
indicators that it can store (180 million indicators).

Check the status of the indicator storage periodically. If you are close to the maximum
limit, Remove indicators from the store.

Remove indicators from the store.

Click the trash icon to remove all indicators from the store.
To remove only a subset of indicators, first Filter the indicators. Then, click the trash icon to remove only
the indicators that match the filter criteria. For example, you can apply the filter Expired > is > True and
click the trash icon to remove only expired indicators from the store.

Use the Indicator Store as a source of indicators for MineMeld.

Create MineMeld Miner to create an AutoFocus artifacts miner that will extract artifacts from the
Indicator Store. This is one of the ways to Forward AutoFocus Indicators to MineMeld. If you applied a
filter for the indicators before clicking this button, the miner will be configured to extract only indicators
that match the filter criteria.

View additional information about the indicator provided by its source (i.e., the feed owner).

Expand the entry for an indicator to check if the feed owner provided supplementary attributes or
metadata about the indicator.



Use the Threat Summary Report to Observe
Malware Trends
Generate a threat summary report, which provides a visual overview of threat trends based on your
network traffic. You can select the time range upon which the report details will be based. You also have
the option to generate a PDF of the report.
Threat Summary Report Overview
View Threat Summary Report Details

Threat Summary Report Overview


The threat summary report is a rundown of artifacts that AutoFocus and WildFire associate with malware.
You can find the threat summary report in the Reports section of the AutoFocus portal. When you View
Threat Summary Report Details for the first time, the report for your support account displays with a
default time range of 7 days and the industry you selected when you initially set up your AutoFocus support
account.

Executive Summary: The Executive Summary consists of the following highlights:
Malware Applications: The number of unique applications through which malware was delivered. (Application is the App-ID matched to the type of application traffic detected in a session.)
Total Malware Sessions: The total number of sessions in which WildFire detected a sample with a verdict of malware.
Tagged Malware Sessions: Out of the total malware sessions, the percentage of sessions linked to samples that received at least 1 tag.
Tagged Malware Samples: The number of malware samples that received at least 1 tag.

Malware Session Percentage By Day: This chart provides:
A daily count of sessions associated with malware for devices in your support account.
The percentage of malware sessions out of the total number of sessions for devices in your support account.
The percentage of malware sessions out of the total number of sessions for all AutoFocus users in an industry.
A comparison of the average percentage of malware sessions seen with your account and the average percentage of malware sessions for the industry.

Samples Summary: This chart provides:
The number of samples grouped by WildFire verdict (malware, grayware, and benign).
The number of tagged malware samples versus untagged malware samples.
The percentage of malware samples.
The percentage of tagged malware samples.

Top Firewalls: The 10 firewalls on which WildFire detected the most malware sessions.

Top Upload Sources: The top 10 upload sources that submitted your samples to WildFire.

Top Filetypes Per Application: The number of malware sessions for the 5 applications most frequently used to distribute malware. For each application, the malware sessions are broken down by filetype.

Top Applications: The 10 applications that distributed the most malware samples.
If there are applications in this list that have no legitimate business purpose in your organization, consider creating a rule on your firewall that blocks these applications.

Bottom Applications: The 10 applications that distributed the fewest malware samples.

Top Filetypes: The 10 filetypes most frequently associated with malware samples.

Bottom Filetypes: The 10 filetypes least frequently associated with malware samples.

Top Malware Family Tags: The top 10 Unit 42 and private Malware Family tags that AutoFocus matched to your samples.

Top Campaign Tags: The top 10 Unit 42 and private Campaign tags that AutoFocus matched to your samples.

Top Malicious Behavior Tags: The top 10 Unit 42 and private Malicious Behavior tags that AutoFocus matched to your samples.

Threats by Source Country: A map of the countries from which malware sessions originated (refer to the list of Countries and Country Codes). The report highlights the country that sent the most malware sessions.

Threats by Destination Country: A map of the countries that malware sessions targeted (refer to the list of Countries and Country Codes). The report highlights the country that received the most malware sessions.


View Threat Summary Report Details
View the threat summary report on the AutoFocus portal or generate a printable PDF of the report. The
version of the report on the portal is interactive and lets you see the exact figures that make up the chart
data.
STEP 1 | Click Reports on the navigation pane.

STEP 2 | Configure the report settings to choose a time period for filtering the report details, and
Generate the report.
Your Malware Session Percentage By Day is compared with the figures for your industry.

STEP 3 | Hover over chart elements to view exact counts or percentages.

Click on a bar in the Top Firewalls or Top Upload Sources chart to add the value to a
search.

STEP 4 | For the charts Malware Session Percentage By Day and Top Filetypes Per Application, select
which data to display or hide.

Hide filetypes that are seen in larger quantities to view the counts for filetypes that are
seen in smaller quantities.



STEP 5 | Click on a tag to view Tag Details.

STEP 6 | Click Download PDF to generate a PDF of the report.

Export AutoFocus Artifacts
AutoFocus allows you to export artifacts that WildFire has frequently detected with
malware, such as IP addresses, URLs, or domains. To export artifacts, you must first add
artifacts found in AutoFocus to an export list. Then, select some or all of the artifacts in the
export list to include them in a comma-separated value (CSV) file, which you can then import
into a security information and event management (SIEM) solution. You can also use the file to
dynamically enforce policy on a Palo Alto Networks firewall.

> Build an AutoFocus Export List


> Create a CSV File
> Use Export Lists with the Palo Alto Networks Firewall

Build an AutoFocus Export List
To Create a CSV File that contains AutoFocus artifacts, first add the artifacts to an export list. You can build
multiple export lists in AutoFocus. Grouping artifacts into different export lists allows you to easily generate
separate CSV files for them.

STEP 1 | Drill down to view the details for samples returned in an AutoFocus search.
1. Begin a new search.
2. Click a sample hash to view sample details.
3. Select an operating system to view activities and behaviors observed when the sample was executed
in that WildFire analysis environment.

STEP 2 | Add artifacts to an export list:


To add a single artifact to an export list, click the drop-down for the artifact and select Add to Export
List:

Select multiple artifacts from a WildFire analysis category to add to an export list.



1. Click the drop-down for a WildFire analysis category and select Select for Export List. This turns the
drop-downs next to the artifacts into checkboxes.

2. Select one or more artifacts from the list.


3. Re-open the options for the category and select Add Selected to Export List.

Add all artifacts, all suspicious artifacts, or all highly suspicious artifacts listed for an activity or behavior
category to an export list.

Only artifacts that were observed for the operating system selected in Step 1 are added
to the export list. To add sample artifacts from a different operating system, select that
operating system (Step 1, substep 3) and repeat Step 2.

STEP 3 | Select an export list for the artifacts.


Add artifacts to a new export list:
1. Enter a name for the new export list.
2. Click create new. This adds the artifact to the new export list.



Add an artifact to an existing export list:

STEP 4 | View all artifacts added to an export list.


Click Exports on the navigation pane and select the export list to which the artifacts were added in Step
3.

To view the latest artifacts added, select Sort by: Added Time, and click Sort Descending.

You can also view artifacts based on the WildFire analysis Section from which the artifact is derived.
For example, a domain in the export list might have been added from the DNS Activity that WildFire
detected for the sample. See the Artifact Types that can appear in each WildFire analysis section.
You can click any of the column headers to sort the export list in ascending (up arrow) or descending
(down arrow) order.



STEP 5 | (Optional) Remove artifacts from an export list.
Select artifacts you want to remove and click Delete Selected Items.
To remove all artifacts from an export list, you do not have to select all the artifacts; you can simply
click Delete All Items. Deleting all artifacts also automatically deletes the export list.

STEP 6 | Prepare a version of the export list to export out of AutoFocus.


Create a CSV File from the export list.



Create a CSV File
Generate a CSV file from the artifacts that were added to an export list. By default, the CSV file is formatted
to contain a single row for each artifact; the row includes full WildFire analysis details for the artifact, and
commas separate the WildFire analysis details within each row.
You can format the CSV file to support a block list for a Palo Alto Networks firewall and to export additional
artifact metadata.

STEP 1 | Build an AutoFocus Export List.

STEP 2 | Click Exports on the navigation pane.

STEP 3 | Select an export list to open, and choose artifacts to export:


Export all artifacts in an export list:
1. Click Export All Items.
2. Verify that the Export Rows option is set to All.

To quickly export all artifacts from the Exports page, click Export in the Actions
column of the export list.

Export artifacts based on the time period they were added to an export list:
1. Click Export All Items.
2. Set Export Rows to In Date Range.
3. Use the Added Time fields to export artifacts based on the date and time range that the artifact was
added to the export list.

To quickly export artifacts within a date range from the Exports page, click Export in
the Actions column of the export list.

Export selected artifacts:


1. Select one or more artifacts to export:



2. Click Export Selected Items.

STEP 4 | (Optional) Format the CSV file to be compatible with a Palo Alto Networks firewall.
Select Formatted for PAN-OS block list.
You can use the CSV file as a dynamic block list (PAN-OS 7.0 or earlier) or an external dynamic list (PAN-
OS 7.1 or later), but the firewall only supports certain types of artifacts. Learn more about how to Use
Export Lists with the Palo Alto Networks Firewall.

STEP 5 | (Optional) Export additional artifact data.


Select Export Metadata.
This option adds the following columns to each artifact row:
Added Time: The date and time that the artifact was added to the export list.
Section: The artifact activity category.
Label: The name of the export list.
Value: The artifact that was added to the export list.
SHA256: The SHA256 hash of the sample that the artifact was found with.
SHA1: The SHA1 hash of the sample that the artifact was found with.
MD5: The MD5 hash of the sample that the artifact was found with.
Author Email: The email address of the user who added the artifact to the list.

STEP 6 | Select Export to generate the CSV file.


Use the CSV file to import AutoFocus data into a security information and event management (SIEM)
tool, or Use Export Lists with the Palo Alto Networks Firewall.



Use Export Lists with the Palo Alto Networks
Firewall
Export lists provide a way to dynamically enforce policy on a Palo Alto Networks firewall based on
AutoFocus artifacts. The following workflow walks you through the process of building an export list
designed specifically for the firewall.
STEP 1 | Build an AutoFocus Export List.
Dynamic block lists and external dynamic lists on the Palo Alto Networks firewall only support certain
artifacts, so you must tailor your export list based on the PAN-OS software version running on the
firewall.
(PAN-OS 7.0 or earlier) Dynamic Block List: Build an export list that only contains IP addresses.
(PAN-OS 7.1 or later) External Dynamic List: Build an export list that contains only IP addresses,
only domains, or only URLs, because each external dynamic list holds a single type. Learn more about
how the firewall supports the three external dynamic list types.

Find IP address, URL, and domain artifacts in the DNS Activity, Connection Activity, and
HTTP Activity detected during the WildFire analysis of a sample.

STEP 2 | Create a CSV File formatted for the firewall.


Verify that the artifacts you plan to export are supported on the firewall (IP addresses only for a
dynamic block list in PAN-OS 7.0 or earlier; IP addresses only, URLs only, or domains only for an
external dynamic list in PAN-OS 7.1 or later).
Before you export the artifacts, make sure that Formatted for PAN-OS block list is selected.

CSV files that are formatted for a PAN-OS block list might display artifacts in an order that
is different from how they appear in the AutoFocus export list.

STEP 3 | Use the generated CSV file with the firewall.


Set up a dynamic block list (firewalls running PAN-OS 7.0 or earlier).
Set up an external dynamic list (firewalls running PAN-OS 7.1 or later).
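An export list that mixes Connection Activity addresses with DNS Activity domains will not load as a single external dynamic list, and a CSV built with Export Metadata carries every artifact in one Value column. The script below, added here as an example and not Palo Alto Networks code or the portal's own "Formatted for PAN-OS block list" output, reads such a CSV (column names as listed under Export Metadata above) and writes one list per type. It assumes that URL entries are written without the scheme, and it drops RFC 1918, loopback, and link-local addresses so that a sandbox's own traffic never ends up blocking internal hosts; the CSV rows are constructed and the hash columns hold placeholders.

```python
"""Split an AutoFocus export CSV (generated with Export Metadata selected) into
files that PAN-OS 7.1+ external dynamic lists accept: one list of IP addresses,
one of domains, one of URLs, because an external dynamic list holds a single
type. Added example, not Palo Alto Networks code or the portal's own formatter.
Assumptions: the column names are those listed under Export Metadata; URL
entries are written without a scheme; RFC 1918, loopback, and link-local
ranges are dropped so an export never blocks internal hosts."""
import csv
import io
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed export rows. Hash columns hold placeholders, not real sample hashes.
CSV_TEXT = """\
Added Time,Section,Label,Value,SHA256,SHA1,MD5,Author Email
2017-02-01 10:00:00,Connection Activity,c2-list,203.0.113.10,sha256-of-sample-1,,,analyst@example.com
2017-02-01 10:00:00,DNS Activity,c2-list,example.invalid,sha256-of-sample-1,,,analyst@example.com
2017-02-01 10:01:00,HTTP Activity,c2-list,http://example.invalid/gate.php,sha256-of-sample-1,,,analyst@example.com
2017-02-01 10:01:00,Connection Activity,c2-list,203.0.113.0/24,sha256-of-sample-2,,,analyst@example.com
2017-02-01 10:02:00,Connection Activity,c2-list,10.0.0.5,sha256-of-sample-2,,,analyst@example.com
2017-02-01 10:02:00,DNS Activity,c2-list,not a domain!,sha256-of-sample-2,,,analyst@example.com
2017-02-01 10:03:00,Connection Activity,c2-list,203.0.113.10,sha256-of-sample-3,,,analyst@example.com
"""

# Ranges that must never reach a block list: the sandbox's own network noise.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def classify(value: str) -> Optional[str]:
    """Return 'ip', 'domain', 'url', or None for a value that fits no list type."""
    v = value.strip()
    try:
        ipaddress.ip_network(v, strict=False)   # accepts single hosts and CIDR blocks
        return "ip"
    except ValueError:
        pass
    if "://" in v or "/" in v:
        return "url"
    if DOMAIN_RE.match(v.lower()):
        return "domain"
    return None


def is_internal(value: str) -> bool:
    net = ipaddress.ip_network(value, strict=False)
    return any(net.overlaps(r) for r in INTERNAL_RANGES)


def normalize_url(value: str) -> str:
    """Strip the scheme; URL list entries are assumed to be written without it."""
    return SCHEME_RE.sub("", value.strip())


def partition(csv_text: str) -> Tuple[Dict[str, List[str]], List[Tuple[str, str]]]:
    """Bucket the Value column by list type, de-duplicated, plus rejected values and why."""
    buckets: Dict[str, List[str]] = {"ip": [], "domain": [], "url": []}
    rejected: List[Tuple[str, str]] = []
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = row["Value"].strip()
        kind = classify(raw)
        if kind is None:
            rejected.append((raw, "not an IP address, domain, or URL"))
            continue
        if kind == "ip" and is_internal(raw):
            rejected.append((raw, "internal address range"))
            continue
        entry = normalize_url(raw) if kind == "url" else raw
        if (kind, entry) in seen:
            continue                      # same artifact added from another sample
        seen.add((kind, entry))
        buckets[kind].append(entry)
    return buckets, rejected


def render_edl(entries: List[str]) -> str:
    """External dynamic list body: one entry per line, nothing else."""
    return "".join(e + "\n" for e in entries)


if __name__ == "__main__":
    buckets, rejected = partition(CSV_TEXT)
    for kind, entries in buckets.items():
        with open(f"edl-{kind}.txt", "w") as fh:   # serve these over HTTP(S) to the firewall
            fh.write(render_edl(entries))
        print(f"edl-{kind}.txt: {len(entries)} entries")
    for value, reason in rejected:
        print(f"rejected {value!r}: {reason}")
```

The three files still have to be published on a web server that the firewall can reach and referenced from an external dynamic list object of the matching type; the script does not do that. Keep the rejected list: a value the script cannot classify is usually a sign that the wrong WildFire analysis section was exported, and the number of entries a single list may hold depends on the firewall model, so check the total before you refresh the list.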

AutoFocus Apps
AutoFocus supports MineMeld, an open-source threat intelligence processing tool that
you can run as an app on the AutoFocus portal. With AutoFocus-hosted MineMeld, you can
manage threat indicators from AutoFocus and from external sources of threat intelligence in
one central location. The MineMeld app enriches AutoFocus data, calling attention to samples
with artifacts that match indicators from external sources. The ability to use MineMeld directly
in AutoFocus allows you to expand the scope of your threat research with minimal effort.

> MineMeld

MineMeld
MineMeld is a threat intelligence processing tool that extracts indicators from various sources and compiles
the indicators into multiple formats compatible with AutoFocus, the Palo Alto Networks next-generation
firewall, and other security information and event management (SIEM) platforms.
Introduction to MineMeld
Start, Stop, and Reset MineMeld
Use AutoFocus-Hosted MineMeld
Create a Minemeld Node
Connect MineMeld Nodes
Delete a MineMeld Node
AutoFocus Prototypes
Forward MineMeld Indicators to AutoFocus
Forward AutoFocus Indicators to MineMeld
Use AutoFocus Miners with the Palo Alto Networks Firewall
Troubleshoot MineMeld

Introduction to MineMeld
Using threat intelligence to enforce security policy poses several challenges. Sources of threat indicators
often place indicators in multiple formats or format them inconsistently. Using indicators from multiple
sources and packaging them into different formats requires a large investment of time and effort, especially
as you discover new sources of indicators. It is also difficult to keep track of updates to threat indicator
sources, since they are updated at different times and not always on a regular basis. MineMeld automates
many of these manual processes so you can use indicators to dynamically enforce policy with your firewall
or to investigate threats with AutoFocus.
Three types of MineMeld nodes make it possible to automate the flow of indicators from source to
destination:
Miners extract indicators from sources of threat intelligence, such as a threat indicator feed or a threat
intelligence service like AutoFocus.
Processors receive indicators from miners and can aggregate indicators, eliminate duplicated indicators,
and merge different sets of metadata for the same indicator. For example, a common type of processor
is one that receives only IPv4 indicators.
Outputs receive indicators from processors. Output nodes format the indicators and allow MineMeld to
dynamically send the indicators to one or more destinations (for example, MineMeld can send indicators
from external threat feeds to AutoFocus or the firewall).

Nodes are the building blocks of MineMeld, and you can create the most basic MineMeld connection by
connecting a single miner node to a processor node and connecting the processor node to an output node.
MineMeld provides pre-built miner, processor, and output prototypes, which are templates you can use
to create a node. There are AutoFocus-specific prototypes, which you can use to create miner nodes that
use AutoFocus as a source of threat indicators (see Forward AutoFocus Indicators to MineMeld) or output
nodes that send threat indicators to AutoFocus (see Forward MineMeld Indicators to AutoFocus). For more
information on MineMeld basics, view a Quick Tour of the MineMeld Default Configuration.
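The miner, processor, and output roles described above are easiest to see with a small working model. The following is an added illustration, not MineMeld's own code: the class names and the integer hour clock are hypothetical, and the indicator values are constructed. What it reproduces is the behaviour the guide describes: a miner emits what it found and later ages it out, a processor accepts only one indicator type (IPv4 here), removes duplicates and merges the metadata that several miners report for the same value, and an output withdraws an entry only when the last miner still reporting it has aged it out. The output's log lines are named after the ACCEPT_UPDATE and ACCEPT_WITHDRAW messages the Troubleshoot MineMeld section explains.

```python
"""Toy model of a MineMeld miner -> processor -> output chain.

Added illustration, not MineMeld's own code: classes and the integer hour
clock are hypothetical. Miners emit indicators with metadata, a processor
accepts one type, deduplicates and merges metadata from several miners, and
an output withdraws an indicator once every reporting miner has aged it out.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    value: str
    type: str         # "IPv4", "domain" or "URL"
    source: str       # name of the miner that reported it
    confidence: int
    last_seen: int    # toy clock, in hours


class Output:
    """What a downstream consumer (an EDL on the firewall, AutoFocus) sees."""
    def __init__(self) -> None:
        self.entries: dict[str, dict] = {}
        self.log: list[str] = []   # named after MineMeld's ACCEPT_* log messages

    def update(self, value: str, meta: dict) -> None:
        self.entries[value] = meta
        self.log.append(f"ACCEPT_UPDATE {value} {meta['sources']}")

    def withdraw(self, value: str) -> None:
        self.entries.pop(value, None)
        self.log.append(f"ACCEPT_WITHDRAW {value}")


class Aggregator:
    """Processor: accepts one indicator type, deduplicates, merges metadata."""
    def __init__(self, accept_type: str, outputs: list[Output]) -> None:
        self.accept_type, self.outputs = accept_type, outputs
        self.state: dict[str, dict[str, Indicator]] = {}   # value -> source -> Indicator

    def _emit(self, value: str) -> None:
        by_source = self.state[value]
        meta = {   # one merged record per value, however many miners report it
            "sources": sorted(by_source),
            "confidence": max(i.confidence for i in by_source.values()),
            "last_seen": max(i.last_seen for i in by_source.values()),
        }
        for out in self.outputs:
            out.update(value, meta)

    def accept_update(self, ind: Indicator) -> bool:
        """Return False for indicator types this processor does not handle."""
        if ind.type != self.accept_type:
            return False
        if ind.type == "IPv4":
            ipaddress.IPv4Address(ind.value)   # raise on a malformed value, do not forward it
        self.state.setdefault(ind.value, {})[ind.source] = ind
        self._emit(ind.value)
        return True

    def accept_withdraw(self, value: str, source: str) -> None:
        by_source = self.state.get(value, {})
        by_source.pop(source, None)
        if by_source:                  # still reported by another miner: re-emit merged metadata
            self._emit(value)
        elif value in self.state:      # last reporter gone: withdraw downstream
            del self.state[value]
            for out in self.outputs:
                out.withdraw(value)


class Miner:
    """Emits what each poll found; withdraws what it has not seen for age_out_hours."""
    def __init__(self, name: str, age_out_hours: int, processors: list[Aggregator]) -> None:
        self.name, self.age_out_hours, self.processors = name, age_out_hours, processors
        self.seen: dict[str, Indicator] = {}

    def poll(self, now: int, found: list[tuple[str, str, int]]) -> None:
        for value, itype, confidence in found:
            ind = Indicator(value, itype, self.name, confidence, now)
            self.seen[value] = ind
            for proc in self.processors:
                proc.accept_update(ind)
        for value, ind in list(self.seen.items()):
            if now - ind.last_seen >= self.age_out_hours:
                del self.seen[value]
                for proc in self.processors:
                    proc.accept_withdraw(value, self.name)


def demo() -> Output:
    """Two miners with different age-outs (24 h and 30 days) feeding one IPv4 processor."""
    out = Output()
    ipv4 = Aggregator("IPv4", [out])
    samples = Miner("samples", 24, [ipv4])
    artifacts = Miner("artifacts", 24 * 30, [ipv4])
    samples.poll(0, [("198.51.100.23", "IPv4", 70), ("bad.example", "domain", 50)])
    artifacts.poll(0, [("198.51.100.23", "IPv4", 90)])
    samples.poll(25, [])          # samples miner ages the IP out; artifacts miner still has it
    artifacts.poll(24 * 31, [])   # last reporter ages it out: the output withdraws it
    return out


if __name__ == "__main__":
    print("\n".join(demo().log))
```

The point to take from the run is the third log line: when the samples miner ages the address out, the output does not lose it, it receives a fresh update whose metadata now lists only the artifacts miner; the withdrawal reaches the output only after the last miner has aged it out, which is exactly why resetting or deleting one miner in a real deployment does not by itself clear a firewall's external dynamic list.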

Start, Stop, and Reset MineMeld


Before you begin to use MineMeld, learn how to start, stop, or reset the MineMeld app.

STEP 1 | Click Apps on the navigation pane.

STEP 2 | Choose from the following options:


Start MineMeld.
A progress bar indicates that MineMeld is deploying. You can Use AutoFocus-Hosted MineMeld
when the deployment is complete. The initial MineMeld deployment may take several minutes.

Stop the running instance of MineMeld.
Stop MineMeld from retrieving, processing, and delivering indicators to output nodes. To re-open the
previously deployed instance of MineMeld, you must Start MineMeld again.
Reset MineMeld to its default configuration.

When you reset MineMeld, this permanently deletes any nodes or customizations you
have made within the app. However, if you reset MineMeld after you Forward MineMeld
Indicators to AutoFocus, AutoFocus will continue to store the forwarded indicators from
the deleted nodes.

If you use MineMeld to forward indicators to an external dynamic list on a Palo Alto Networks firewall
and reset MineMeld, you must update the external dynamic list with a new link from MineMeld.

Use AutoFocus-Hosted MineMeld


MineMeld is available on a per-support-account basis. Use MineMeld to Find High-Risk Artifacts and gain
more visibility into threats on your network. When MineMeld is running, it extracts and processes indicators
according to the nodes you have connected.

STEP 1 | Click Apps on the navigation pane, and Start MineMeld.


A link to MineMeld displays on the navigation pane when MineMeld starts deploying.

STEP 2 | Access MineMeld from the navigation pane.

STEP 3 | Choose from the following actions:


Get an overview of miner, processor, and output nodes currently in use on the Dashboard.

When using MineMeld for the first time (or after resetting it), the default configuration
of nodes sends IP addresses, URLs, and domains from a set of block lists to the
Indicator Store, a storage space in AutoFocus for external indicators. Click Indicators
on the navigation pane to view the Indicator Store.
View a library of miner, processor, and output Prototypes you can clone to Create a MineMeld Node.
View a complete list of Nodes you've created.
Choose the other nodes from which a node will receive indicators: edit the Inputs of the node on the
Config tab to Connect MineMeld Nodes. The Config tab also allows you to Delete a MineMeld Node.
View the Logs, a record of the indicators that MineMeld extracted from feed sources.
For more guidance on how to use MineMeld, see MineMeld.

Create a Minemeld Node


Evaluate which sources of indicators you want to use and where to forward the indicators after MineMeld
processes them. You can then create miner, processor, and output nodes based on this information.

STEP 1 | Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).

STEP 2 | Click MineMeld on the navigation pane.

STEP 3 | Click Prototypes.

STEP 4 | Select a prototype from the list. If you know the name of the prototype, use the Search field to
quickly find the prototype.

Create nodes based on AutoFocus Prototypes to Forward MineMeld Indicators to
AutoFocus or to Forward AutoFocus Indicators to MineMeld.

STEP 5 | Clone the prototype to create a new node from it.

STEP 6 | Complete the required fields for the node:


Give the node a descriptive Name.
(Processor and output nodes only) Select one or more miner and/or processor nodes that the node
will use as Inputs. The node will receive indicators from the inputs you select.

STEP 7 | Click Ok. MineMeld switches to the Config tab automatically, which lists your newly created
node.

STEP 8 | Commit to save the new node.

STEP 9 | Find the new node in the list of Nodes to verify that it was saved successfully.

An exclamation point next to the node name notifies you that you must Complete
additional required fields for a node.

STEP 10 | Complete additional required fields for a node.


1. Hover over the exclamation point to see which fields are required.
2. Click the node entry to view the node details.
3. Enter or select a value for the required fields, and click Nodes to verify that the exclamation point is
gone.

STEP 11 | Connect MineMeld Nodes to begin sending indicators to a destination.

Connect MineMeld Nodes


After you Create a Minemeld Node, connect miner, processor, and output nodes to each other to set the
direction of the flow of indicators.

STEP 1 | Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).

STEP 2 | Click MineMeld on the navigation pane.

STEP 3 | Click Config, and find the node you want to connect to another node.

STEP 4 | Edit the Inputs for the node.


To establish the connection between miner, processor, and output nodes, you must:
Select one or more miners from which a processor will receive indicators.

Select which processors will send indicators to an output.

STEP 5 | Commit to save your changes.

STEP 6 | View the flow of indicators that the node is part of.
1. View the list of Nodes.
2. Find the node in the list, and view the Graph for it. Larger nodes process more indicators than
smaller nodes.

STEP 7 | Share your MineMeld nodes and node connections with another MineMeld user.
Select the Config tab, and click Export. When you share the code that this generates with other
MineMeld users, they can Import it into their MineMeld instance.

Use the MineMeld import feature to quickly load another user's nodes and node
connections into your MineMeld instance. Importing a configuration replaces any nodes or
node connections you have previously created, so review the exported code before you Import it.

Delete a MineMeld Node


Delete a node if you Create a MineMeld Node and decide that you no longer need to use it. Before you
delete a node, be mindful of the nodes to which it is connected to ensure that you don't accidentally cut off
a desired flow of indicators to an output.

STEP 1 | Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).

STEP 2 | Click MineMeld on the navigation pane.

STEP 3 | Click Config.

STEP 4 | Find the node you want to delete. If you know the name of the node, use the Search field to
quickly find the node.

Check the node inputs and verify that you can delete the connection to these inputs.

STEP 5 | Click x, and then click Ok to confirm that you want to delete the node.

STEP 6 | Commit to delete the node.

STEP 7 | Check that the node no longer appears in the list of Nodes to verify that it was deleted
successfully.

AutoFocus Prototypes
The following AutoFocus-specific prototypes allow you to Forward MineMeld Indicators to AutoFocus
and Forward AutoFocus Indicators to MineMeld. To view the default behavior for a prototype, select
the prototype from the Prototypes tab in MineMeld and view the configuration (Config) details. The
prototypes below have default intervals for extracting and aging out indicators. When an indicator is aged
out, MineMeld withdraws it from the outputs that received it.

Prototype: Samples Miner
Description: The samples miner extracts Threat Indicators from samples that meet the conditions of an
AutoFocus search. You must set the search conditions when you create this miner node. The samples miner
does not extract all sample artifacts; it extracts only the statistically important artifacts that AutoFocus
has determined to be indicators based on their tendency to be seen with malware.
Default Behavior:
- Accepts all indicator types.
- Initially extracts indicators from samples that meet the criteria of the search, based on the last 24 hours.
- After the initial poll for indicators, extracts indicators from samples every hour.
- Each time this miner extracts indicators, it extracts them only from the first 10,000 samples.
- Forwards only indicators that it has not seen previously.
- Ages out indicators 24 hours after the last time they were seen in the sample search results.

Prototype: Artifacts Miner
Description: The artifacts miner extracts indicators from external sources that are currently stored in the
AutoFocus Indicator Store (see Manage Threat Indicators). You must connect this miner to a processor and
output node to forward the indicators to a destination outside of AutoFocus, such as a Palo Alto Networks
firewall or a SIEM platform.
Default Behavior:
- Accepts all indicator types.
- Initially extracts indicators that were added to the Indicator Store in the last 24 hours.
- After the initial poll for indicators, extracts indicators from the store every hour.
- Forwards only indicators that it has not seen previously.
- Ages out indicators 30 days after the last time they were added or updated in the Indicator Store, or as
soon as an indicator is marked as expired in the store. (Expired indicators are indicators that have been
removed from the feed from which they came.)

Prototype: Artifacts Output
Description: The artifacts output sends indicators from external threat intelligence sources directly to the
AutoFocus Indicator Store (see Manage Threat Indicators). AutoFocus highlights indicators in your samples
that match the indicators in the store, allowing you to Find High-Risk Artifacts.
Default Behavior:
- Accepts all indicator types.
- Does not allow you to use the artifacts miner to send indicators back to the AutoFocus Indicator Store.

Prototype: Export List Miner
Description: The export list miner sends artifacts from an AutoFocus export list to a destination outside of
AutoFocus. Unlike the other AutoFocus prototypes, the export list miner can be used in either
AutoFocus-hosted MineMeld or a MineMeld instance you deployed in your own environment.
Default Behavior:
- Accepts IPv4, URL, and domain indicators.

Forward MineMeld Indicators to AutoFocus


Use an AutoFocus Artifacts Output node to store indicators from one or more threat intelligence sources
in AutoFocus. When you view the WildFire analysis details for samples in your search results, AutoFocus
highlights sample indicators matching the indicators that MineMeld forwarded.

STEP 1 | Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).

STEP 2 | Create a Minemeld Node that will receive processed indicators and send them to AutoFocus.
Create an output node based on the prototype autofocus.artifactsOutput.

STEP 3 | Connect MineMeld Nodes (miner and processor) to the output node you just created.

STEP 4 | Click Indicators on the navigation pane to view the Indicator Store and Manage Threat
Indicators that MineMeld forwarded. The Indicator Store has space for up to 180 million
indicators.
You can now easily spot sample indicators that match MineMeld indicators when you Find High-Risk
Artifacts.

Forward AutoFocus Indicators to MineMeld


Use MineMeld to send indicators from AutoFocus to the firewall and other SIEM platforms. Learn more
about how you can Use AutoFocus Miners with the Palo Alto Networks Firewall.

Use an AutoFocus Samples Miner to forward indicators from sample search results.
1. Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
2. Work with the Search Editor to set up a search.
3. Click Create MineMeld Miner on the search page.
The node details include:
1. Name: Give the miner a descriptive name.
2. Prototype: The prototype is pre-selected (autofocus.samplesMiner).
3. Query: This field is pre-populated with the conditions of your search.
4. Scope: Select the scope of the search results: global, private, or public.
5. Artifacts: Select which indicators AutoFocus will forward to MineMeld: Any indicators, only
indicators that match MineMeld indicators, or None (MineMeld only extracts hashes from the
sample search results).
6. Connect to Processors: Select processors that will receive indicators from the miner.

If you select a Scope of global, the miner extracts indicators from your private
samples and from public samples submitted by you and other AutoFocus users; it does not
extract indicators from other users' private samples.
4. Connect MineMeld Nodes (processor and output) to the miner you just created.

Use an AutoFocus Artifacts Miner to forward indicators from external sources stored in
AutoFocus (see Manage Threat Indicators) to a destination outside of AutoFocus.
1. Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
2. Click Indicators on the navigation pane and, optionally, Filter the indicators.
3. Click Create MineMeld Miner.
The node details include:
1. Name: Give the miner a descriptive name.
2. Prototype: The prototype is pre-selected (autofocus.artifactsMiner).
3. Query: If you filtered the indicators, this field is pre-populated with the filter you used.
4. Connect to Processors: Select processors that will receive indicators from the miner.
4. Connect MineMeld Nodes (processor and output) to the miner you just created.

Use an AutoFocus Export List Miner to forward indicators from an AutoFocus export list.

You can use the AutoFocus export list miner in AutoFocus-hosted MineMeld or in a
MineMeld instance you deployed in your own environment. The default behavior of the
miner is the same in either version of MineMeld.

1. Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
2. Create a Minemeld Node based on the prototype autofocus.exportList.
When completing the additional required fields for the node, provide your AutoFocus API Key and
the Label of the export list from which MineMeld will extract indicators. The API key authenticates
the miner to your AutoFocus account, so treat it as a secret: anyone who obtains it can query
AutoFocus as you.

Use AutoFocus Miners with the Palo Alto Networks Firewall


Use AutoFocus miners to dynamically send indicators from AutoFocus to an external dynamic list on a PAN-
OS 8.0 firewall.

STEP 1 | Add the root certificate authority (CA) certificate for MineMeld to the firewall.
1. Download the GoDaddy Class 2 Certification Authority Root Certificate: https://certs.godaddy.com/
repository/gd-class2-root.crt
2. On the firewall, select Device > Certificate Management > Certificates.
3. Import the certificate to the firewall.
1. Give the certificate a descriptive name.
2. Browse for the certificate file and attach the GoDaddy certificate you downloaded.
3. Click OK.

STEP 2 | Create a certificate profile for the MineMeld root CA certificate.


1. On the firewall, select Device > Certificate Management > Certificate Profile.
2. Add a new certificate profile.
1. Give the certificate profile a descriptive name.
2. Click Add, select the certificate name from the CA Certificate drop-down, and click OK.
3. Click OK.

STEP 3 | Configure the MineMeld nodes that will send indicators to the firewall.

This procedure focuses on using AutoFocus miners to forward indicators to an external
dynamic list; however, you can use other MineMeld miners that extract IPv4 addresses,
domains, and URLs to forward indicators to an external dynamic list.

1. Use an AutoFocus sample or artifacts miner to Forward AutoFocus Indicators to MineMeld.


2. In MineMeld, Connect MineMeld Nodes (AutoFocus miner and processor) to an output that can feed
indicators to an external dynamic list on the firewall.

To find outputs that you can use with an external dynamic list, view the list of
MineMeld Prototypes and search with the keyword EDL.

3. Restrict access to the indicators.


1. Select the output node you plan to use with an external dynamic list from the list of Nodes.
2. Click Tags, enter a tag name to use with the output node, and click OK.
3. Click Admin, and select the Feeds Users tab.
4. Click (+) to add a new user profile for accessing the indicators from the output node.
5. Create a username and password, confirm the password, and click OK.
6. Grant the user you just created access to the output node. In the Access setting for the user,
select the tag for the output node and click OK.

STEP 4 | Configure the firewall to access an external dynamic list based on the indicators from the
AutoFocus miners.
Follow the steps to add a new external dynamic list to the firewall and observe the following guidelines:
Enter the MineMeld-provided link from the output node as the Source of the external dynamic list.
To find this link in MineMeld, select the output node from the list of Nodes and copy the Feed Base
URL link.
Select the Certificate Profile you created for the MineMeld root CA certificate.
Select Client Authentication, and enter the username and password for the user you created from
the previous step.

STEP 5 | Verify that the firewall can receive indicators from the AutoFocus miners.
On the firewall, retrieve entries for the external dynamic list you added and view the list entries.
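Before pointing the firewall at the feed, it is worth checking from a workstation that the Feed Base URL answers over TLS with a certificate chaining to the root CA you imported in STEP 1, that the feed user's credentials from STEP 3 are accepted, and that the body is a clean list of the EDL type you chose. The following is an added example, not code from the AutoFocus guide, MineMeld, or PAN-OS: the URL, username, password, and CA file name are placeholders you replace, and the sample feed body is constructed for the offline demonstration. The firewall sends the feed user's password with HTTP basic authentication on every refresh, so the certificate profile is what keeps those credentials from going to an impostor; the check therefore refuses plaintext URLs and trusts only the supplied root CA, exactly as the firewall should.

```python
"""Pre-flight check of a MineMeld feed URL before handing it to the firewall.

Added example, not from the AutoFocus guide, MineMeld, or PAN-OS. URL, user,
password and CA file are placeholders; SAMPLE_FEED is constructed. The check
mirrors what the firewall does on refresh: TLS verified against the imported
root CA, HTTP basic authentication with the feed user, then parse the body.
"""
import base64
import ipaddress
import ssl
import urllib.request


def basic_auth_header(user: str, password: str) -> str:
    """Value of the Authorization header the firewall sends for Client Authentication."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_ip_feed(body: str) -> list[str]:
    """Return the entries of an ip-type feed; raise on anything that is not an IP entry.

    One entry per line, blank lines ignored; single addresses and CIDR blocks,
    IPv4 or IPv6, are accepted. A domain or URL here means the wrong output
    node (or the wrong EDL type) was chosen, so fail loudly instead of letting
    the firewall silently skip the line. Address ranges (a-b) are not handled.
    """
    entries = []
    for lineno, raw in enumerate(body.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            ipaddress.ip_network(line, strict=False)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r} is not an IP entry") from exc
        entries.append(line)
    return entries


def fetch_feed(url: str, user: str, password: str, ca_file: str, timeout: float = 10) -> str:
    """Fetch the feed the way the firewall would: TLS verified against ca_file plus basic auth."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing plaintext URL: the feed credentials would be sent in the clear")
    ctx = ssl.create_default_context(cafile=ca_file)   # trust only the supplied root CA
    ctx.check_hostname = True
    req = urllib.request.Request(url, headers={"Authorization": basic_auth_header(user, password)})
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        if resp.status != 200:
            raise RuntimeError(f"feed returned HTTP {resp.status}")
        return resp.read().decode("utf-8")


# Constructed feed body used for the offline demonstration.
SAMPLE_FEED = "198.51.100.23\n203.0.113.0/24\n\n2001:db8::10\n"

if __name__ == "__main__":
    print(parse_ip_feed(SAMPLE_FEED))
    # Live check with placeholders (requires network access and the CA file from STEP 1):
    # body = fetch_feed("https://minemeld.example/feeds/af-ipv4", "edl-reader", "s3cret",
    #                   "gd-class2-root.crt")
    # print(len(parse_ip_feed(body)), "entries")
```

If the live fetch fails with a certificate error, the feed is not being served under the CA you imported and the firewall's certificate profile will reject it the same way; if it returns 401, the Feeds Users entry or the tag on the output node is wrong. Once the list is committed on the firewall, the PAN-OS CLI command request system external-list show type ip name <list-name> displays the entries the firewall actually retrieved, which is the check STEP 5 asks for.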

Troubleshoot MineMeld
Refer to the procedures below to troubleshoot issues with MineMeld.

Free up disk space on MineMeld


A red dot appears on the System tab when there is only 30% of disk space remaining in MineMeld. To
continue using MineMeld with logging enabled, you must free up more disk space.
1. In MineMeld, click the System tab.
2. A warning message notifies you that disk space is low. Verify the disk status.

3. Purge Logs.
This deletes logs of internal system processes on MineMeld; this does not delete the record of
indicators that nodes received or indicators that were aged-out in the Logs tab.

Force an AutoFocus samples or artifacts miner to retrieve indicators.


For a samples or artifacts miner, the default interval for retrieving and forwarding indicators to a
processor is 1 hour. To trigger the miner to retrieve indicators immediately, follow the steps below.
1. In MineMeld, select the samples or artifacts miner from the list of Nodes.

2. Click Run Now to start retrieving indicators.

As the node retrieves indicators, the # Indicators count goes up.

3. Track all indicator activity associated with a node.

Force an AutoFocus samples or artifacts miner to age out indicators.


When a miner node ages out indicators, it withdraws indicators from the outputs that received them.
The samples miner has a default age-out interval of 24 hours, while the artifacts miner has a default
interval of 30 days. To trigger these miners to age out indicators immediately, follow the steps below.
1. In MineMeld, select the samples or artifacts miner from the list of Nodes.
2. Flush indicators.

3. Track all indicator activity associated with a node.

Track all indicator activity associated with a node.


1. In MineMeld, select a node from the list of Nodes.
2. View the node Stats. By default, the statistics displayed are based on indicator activity from the last
24 hours.

1. Compare the counts from different points in the Indicators graph to determine the number of new
indicators that the node processed during a time range. A drop in the graph indicates that some
indicators associated with the node were aged out.

2. View the trend of indicators that the node added, aged out, updated, and withdrew from other
nodes.

3. Change the Time Range to view indicator stats for a shorter or longer time period.

Track indicators that were successfully received by a node and indicators that were aged out.
View the MineMeld logs to determine if an indicator was successfully received by a node or aged out.
1. View the logs for a specific indicator.
1. In MineMeld, click the Logs tab.
2. In the search field, enter indicator:[indicator value] and click the spyglass to launch the
search.
3. Evaluate the logs for the indicator based on the following log messages.
EMIT_UPDATE: A log of a node sending an indicator (or an indicator update) to another node.
ACCEPT_UPDATE: A log of a node successfully receiving an indicator from another node.
EMIT_WITHDRAW: A log of a node aging out an indicator.
ACCEPT_WITHDRAW: A log of a node accepting a request from another node to withdraw an
aged-out indicator.

2. View the logs for a specific node.
1. Click the Nodes tab and select a node.
2. View all Logs of indicator activity related to the node.
3. Click on a log message or indicator tag to filter the logs further.
