AutoFocus™ Administrator’s Guide

Contact Information
Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
https://www.paloaltonetworks.com/company/contact‐support
About this Guide
This guide provides an overview of the AutoFocus threat intelligence portal, and takes you through how to use AutoFocus features that enable you to monitor your threat landscape and gain context surrounding network events.

For an introduction to the latest AutoFocus features, including steps to get started quickly, see: https://www.paloaltonetworks.com/documentation/autofocus/autofocus/new-feature-guide.html
To get started with the AutoFocus API, see https://www.paloaltonetworks.com/documentation/autofocus/autofocus/autofocus_api.html.
For information on the additional capabilities and for instructions on configuring the features of Palo Alto Networks devices, refer to https://www.paloaltonetworks.com/documentation.

For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.

To provide feedback on the documentation, please write to us at: [email protected].
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2015–2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Revision Date: June 5, 2017
2 • AutoFocus Administrator’s Guide
© Palo Alto Networks, Inc.
Table of Contents
Get Started With AutoFocus  7
  About AutoFocus  8
  First Look at the AutoFocus Portal  10
  AutoFocus Concepts  16
    Samples  16
    Sessions  16
    Static Analysis  17
    Dynamic Analysis  17
    Artifacts  17
    Threat Indicators  17
    Tags  18
    Public Tags and Samples  18
    Private Tags and Samples  18
    All Tab and All Samples  18
    Suspicious  19
    Highly Suspicious  19
  Use AutoFocus with the Palo Alto Networks Firewall  20
  AutoFocus Portal Settings  21
AutoFocus Dashboard  23
  Dashboard Overview  24
  Set the Dashboard Date Range  25
  Drill Down on Dashboard Widgets  27
  Customize the Dashboard  28
AutoFocus Search  31
  Start a Quick Search  32
  Work with the Search Editor  34
  Drill Down in Search Results  41
    Samples  41
    Sessions  45
    Statistics  47
    Indicators  48
    Domain, URL, and IP Address Information  50
  Set Up Remote Search  52
  Artifact Types  55
    General Artifacts  55
    Sample Artifacts  56
    Session Artifacts  57
    Analysis Artifacts  59
    Windows Artifacts  62
    Mac Artifacts  62
    Android Artifacts  62
  Search Operators and Values  65
  Guidelines for Partial Searches  69
    Contains and Does Not Contain Operators  69
    Proximity Operator  69
AutoFocus Alerts  71
  Alert Types  72
    Email Alerts  72
    HTTP Alerts  73
  Create Alerts  76
    Define Alert Actions  76
    Enable Alerts by Tag Type  79
    Create Alert Exceptions  79
  View Alerts in AutoFocus  81
  Edit Alerts  84
AutoFocus Tags  87
  Tag Concepts  88
    Tag Types  88
    Tag Class  89
    Tag Status  89
    Tag Visibility  90
  Tag Details  91
  Create a Tag  94
  Work with Tags  96
    Find Samples by Tag Details  96
    Filter and Sort Tags  97
    Find the Top Tags Detected During a Date Range  98
    See the Top Tags Found with Search Results  99
  Vote for, Comment on, and Report Tags  101
Assess AutoFocus Artifacts  105
  Find High-Risk Artifacts  106
  Add High-Risk Artifacts to a Search or Export List  109
  Manage Threat Indicators  111
  Use the Threat Summary Report to Observe Malware Trends  113
    Threat Summary Report Overview  113
    View Threat Summary Report Details  114
Export AutoFocus Artifacts  117
  Build an AutoFocus Export List  118
  Create a CSV File  122
  Use Export Lists with the Palo Alto Networks Firewall  124
AutoFocus Apps  125
  MineMeld  126
    Introduction to MineMeld  126
    Start, Stop, and Reset MineMeld  127
    Use AutoFocus-Hosted MineMeld  129
    Create a MineMeld Node  130
    Connect MineMeld Nodes  131
    Delete a MineMeld Node  133
    AutoFocus Prototypes  134
    Forward MineMeld Indicators to AutoFocus  135
    Forward AutoFocus Indicators to MineMeld  136
    Use AutoFocus Miners with the Palo Alto Networks Firewall  137
    Troubleshoot MineMeld  138
Get Started With AutoFocus
AutoFocus™ is a threat intelligence service that provides an interactive, graphical interface for analyzing threats in your network. With AutoFocus, you can compare threats in your network to threat information collected from other networks in your industry or across the globe, within specific time frames. AutoFocus statistics are updated to include the most recent threat samples analyzed by Palo Alto Networks®. Access to this information allows you to keep up with threat trends and to take a preventive approach to securing your network.
See the following topics to get started with the AutoFocus threat intelligence service. If you haven’t already, first register and activate AutoFocus.
• About AutoFocus
• First Look at the AutoFocus Portal
• AutoFocus Concepts
• Use AutoFocus with the Palo Alto Networks Firewall
• AutoFocus Portal Settings
About AutoFocus
The AutoFocus threat intelligence portal enables you to quickly identify threats on your network, and to contextualize such events within an industry, global, and historical context. AutoFocus harnesses data from WildFire™, the PAN‐DB URL Filtering database, Unit 42, and from third‐party feeds (including both closed and open‐source intelligence). AutoFocus then makes the data searchable and layers the data with statistics that both highlight pervasive malware and reveal connections between malware.
Take a look at the following table for an overview of AutoFocus features that allow you to prioritize, contextualize, and address threats affecting your network.
I want to... prioritize events in my network environment.
How can I do this with AutoFocus?
• Look at the dashboard. The AutoFocus dashboard visually weights threat artifacts and statistics to bring focus to pervasive events.
• Check samples for high-risk artifacts. When WildFire analyzes a sample, it finds certain activities, properties, and behaviors to be associated with that sample. AutoFocus flags the artifacts that are most likely to be detected with malware as Suspicious or Highly Suspicious. You can Find High-Risk Artifacts in AutoFocus search results.
• Create custom alerts. Create alerts based on Tags to keep track of samples linked to high-risk artifacts. AutoFocus can send notifications to your email account or web server.
• Distinguish between advanced threats and commodity malware. Unit 42 publishes two tag types in AutoFocus, Unit 42 Tag (Alerting) and Unit 42 Informational Tag (Non-Alerting), that allow you to distinguish between threats or campaigns with global impact (Unit 42 alerting tags) and less impactful threats that do not pose a direct or immediate security risk (Unit 42 informational tags).

I want to... gain context around an event.
How can I do this with AutoFocus?
• Toggle the dashboard. You can move between views that show the top activity for your network, for your industry, and on a global scale. You can also filter any dashboard view to display data for a specific date range.
• Use the search editor.
  • Search results provide detailed analysis information for samples, including all artifacts found to be associated with a sample during WildFire analysis. For each artifact, the number of times that WildFire has detected the artifact with malware, benign, and grayware samples is listed.
  • Drill down and pivot through search results to discover threat variants. You can add high-risk artifacts to your search as you go.
  • You can filter your view of search results to show only results from your network or from all public samples.

I want to... leverage AutoFocus data.
How can I do this with AutoFocus?
• Enable Unit 42 alerts. You can enable alerts from Unit 42, the Palo Alto Networks threat intelligence team. You can also set up prioritized alerts for your private tags or for public tags shared by the AutoFocus community.
• Export AutoFocus Artifacts. You can add high-risk artifacts to be used with a Palo Alto Networks firewall block list or external dynamic list, or to support a security information and event management (SIEM) solution.

Get Started
• Take a First Look at the AutoFocus Portal.
• Set up an AutoFocus Search.
First Look at the AutoFocus Portal
The AutoFocus dashboard presents a visual landscape of network, industry, and global threat artifacts. A threat artifact could be a sample hash (identifying a link included in an email or a file, such as a PDF or PE), a statistic, a file property, or a behavior that shows a correlation with malware. Set the context of the dashboard to display activity and artifacts for your organization, or to view data at an industry or global level. You can expand or narrow the date range of the threat activity data displayed. The Dashboard widgets are interactive—hover over an artifact to view artifact details or click an artifact to add it to a search.
First Look at the Dashboard
Support Account Area
Threat researchers who have access to multiple support accounts can select a single support account to view data from devices associated with that account.
• Start a Quick Search for threat artifacts.
• View the AutoFocus documentation site.
• Log out of the portal.
Dashboard
Select an AutoFocus Dashboard tab to set the context for the data displayed: My Organization, My Industry, or All. Threat data and activity displayed on the dashboard widgets will update to reflect the context selected (see the Dashboard Overview for details). The widgets are interactive and can be used to drill down and investigate malware or event details. Hover over artifacts displayed on the dashboard to reveal additional details, or click on an artifact to add it to the search editor.
By default, the dashboard displays data for the last seven days. Filter the data displayed on the dashboard by context and date:
• Filter by context—Move between the tabs to set the dashboard context, displaying the varying threat landscapes for your network, your industry, or globally.
• Filter by date—Set the dashboard to display data for the last 7, 30, 90, or 180 days. You can also select All time to display all data for the selected context.
Navigation Pane
Use the navigation pane to access the following AutoFocus features:
• Dashboard—Display the AutoFocus Dashboard.
AutoFocus remembers your last dashboard settings even as you switch between the features on the navigation pane.
• Search—The search editor allows you to perform free‐form searches using boolean logic. Set up an AutoFocus Search based on threat artifacts gathered from your environment, or from viewing industry or global data on the AutoFocus dashboard. To get started, Work with the Search Editor. You can then Drill Down in Search Results to find high‐risk artifacts, including the number of times that an artifact, such as an IP address, has been detected with malware, benign, and grayware samples.
• Tags—A tag is a set of conditions compared against historical and new samples. You can create your own AutoFocus Tags. Unit 42 also publishes tags in AutoFocus to identify and help you detect known threats. On the Tags page, you can view your private tags, public tags shared by other AutoFocus users, and Unit 42 tags.
• Alerts—Set up AutoFocus Alerts based on tags. Depending on your alert settings, Unit 42, public, and private tags generate alerts when matched to malware and grayware samples in your network.
Create Alerts for Unit 42 tags. This allows you to receive prioritized notifications when targeted attacks or threat campaigns identified by Unit 42 are matched to samples.
• Indicators—Keep track of threat indicators that you have forwarded to AutoFocus from external sources and Manage Threat Indicators.
• Exports—Export AutoFocus Artifacts, such as IP addresses, URLs, and domains, to a CSV file. You can then use the CSV file to enable a Palo Alto Networks firewall to enforce policy based on AutoFocus artifacts or to import AutoFocus data to a security information and event management (SIEM) tool.
• Reports—Use the Threat Summary Report to Observe Malware Trends in your network.
• Settings—Update the AutoFocus Portal Settings.
• Apps—Launch the MineMeld app, an open‐source app whose features are integrated into AutoFocus to highlight artifacts on your network that signal the presence of a potential threat.
Malware Download Sessions
The Malware Download Sessions histogram displays the malware sessions for samples detected for the first time in the selected date range. Use the histogram to observe spikes in new malware activity. If you don’t see any malware sessions in the histogram, there may not be any malware detected during the selected date range. The histogram does not include sessions with known malware (malware that was first seen before the selected date range). Adjust the histogram sliders to narrow or broaden the date range. Dashboard widgets automatically update to reflect the date range you have selected. For details, see Set the Dashboard Date Range.
An additional day with no populated data is sometimes displayed on the Malware Download Sessions histogram, regardless of the date range selected.
Dashboard Widgets
The dashboard widgets highlight the top ten artifacts depending on the context (my organization, industry, or all) and time range selected:
• Top Applications—Displays the ten most used applications.
• Top Malware—Displays the ten malware samples with the most hits.
• Top Firewalls—Displays the ten firewalls with the most sessions where malware samples were detected. Select the Organization tab on the dashboard to display the top firewalls in your network.
• Target Industries—Displays the ten industries with the highest counts of malware detected. Select the All tab on the dashboard to display target industries on a global scale.
You can Customize the Dashboard to add or remove widgets. Click a single bar in any widget to Drill Down on Dashboard Widgets to add the artifact to a search or to tag it.
Malware Sources and Destinations
The Malware Sources and Destinations map allows you to view malware hot spots geographically. Select Source to display countries with high rates of malware sessions originating from those countries, or select Destination to display countries with high rates of targeted attacks. Larger bubbles indicate higher rates of activity. You can also zoom in to more closely examine the number of malware sessions by source or destination country. Refer to Countries and Country Codes for a list of the two‐letter country codes used in the map.
Top Tags
The Top Tags widget lists the AutoFocus Tags matched to the highest number of samples. You can easily distinguish the different tag types by color and icon.
The Top Tags list is sorted according to the number of samples matched to the tag in the date range selected on the malware sessions histogram (at the top of the dashboard). For each tag, the list also displays the total number of samples that have been matched to the tag and the date and time that the most recent matching sample was detected. On the Top Tags widget:
• Filter the displayed tags by Tag Class.
• Select from the options under Choose Tag Types to display the top 20 private tags, public tags, Unit 42 alerting tags, and/or Unit 42 informational tags.
• Select a tag to view tag details, including a description of the condition or set of conditions that the tag identifies, or to add the tag to a search.
Alerts Log
The Alerts Log widget displays the latest 20 alerts on malware and grayware matching enabled public, private, or Unit 42 AutoFocus Tags. For details on enabling the delivery of prioritized alerts through email or over HTTP, see Create Alerts.
Recent Unit 42 Research
Browse quick links to the latest research, news, and resources from Unit 42, the Palo Alto Networks threat intelligence team.
Feedback Link
The Give Feedback link provides a quick way to send comments and requests for new features to the AutoFocus team at Palo Alto Networks.
AutoFocus Concepts
• Samples
• Sessions
• Static Analysis
• Dynamic Analysis
• Artifacts
• Threat Indicators
• Tags
• Public Tags and Samples
• Private Tags and Samples
• All Tab and All Samples
• Suspicious
• Highly Suspicious
Samples
For both AutoFocus and WildFire, a sample refers to a file (such as a PDF or PE) or a link included in an email. The Palo Alto Networks firewall and other sources such as Traps and Proofpoint can forward unknown samples to the WildFire cloud, where WildFire performs Static Analysis and Dynamic Analysis of the sample. As WildFire observes and executes the sample in the analysis environment, WildFire associates different Artifacts with the sample. AutoFocus allows you to search for samples based on the sample hash and other Sample Artifacts. When you perform a search in AutoFocus, AutoFocus compares all historical and new samples to the search conditions and filters the search results accordingly.
AutoFocus receives WildFire analysis information for samples submitted to the WildFire global and regional clouds.
Sessions
Sessions in AutoFocus search results provide information about how a source submitted a sample to WildFire. Each session has a time stamp that indicates when WildFire received the sample. For samples forwarded by a Palo Alto Networks firewall, the associated session information provides context for the detection of the sample on the network. For samples submitted by other Upload Sources (Traps, Proofpoint, WildFire API, WildFire appliance, or manual upload to the WildFire public portal), the session details are limited to the time stamp, the hash of the sample that was analyzed, and the upload source. Session information also indicates whether a sample was submitted to the WildFire global cloud or a regional cloud. Use Session Artifacts to filter AutoFocus search results.
Static Analysis
Static analysis is a type of analysis based on properties of a sample that WildFire can detect and observe in a virtual environment without executing the sample. For details on the type of static analysis information that AutoFocus reports for samples, see Artifact Types.
Dynamic Analysis
Dynamic analysis consists of executing a sample in a WildFire analysis environment to determine the behaviors and activities that a sample exhibits when it runs. During dynamic analysis, WildFire also observes other behaviors and activities that occur in the analysis environment as a result of executing the sample. For details on the type of dynamic analysis information that AutoFocus reports for samples, see Artifact Types.
Artifacts
An artifact is a property, activity, or behavior shown to be associated with a sample or a session through both WildFire analysis of the sample and through AutoFocus statistics. For example, types of artifacts include IP addresses, domains, URLs, applications, processes, hashes, and email addresses.
In AutoFocus, artifacts are highlighted both on the dashboard and within search results. AutoFocus search results spotlight significant artifacts that are identified according to risk. The dashboard and search editor both allow you to add an artifact directly to an ongoing search or to add it to an export list, which you can use to enforce policy on a firewall or to analyze artifacts in a SIEM.
For more details on viewing and evaluating artifacts, see also Assess AutoFocus Artifacts.
Threat Indicators
An indicator is an artifact that security experts typically observe to detect signs that a network has been compromised. Indicators are crucial for implementing a network defense strategy based on threat intelligence. The following types of artifacts are considered indicators in AutoFocus:
• Domain
• IPv4
• Mutex
• URL
• User agent
AutoFocus determines which artifacts are indicators through a statistical algorithm based on the tendency of the artifact to be seen predominantly in malware samples. With the MineMeld app, you can forward indicators from external threat feeds into AutoFocus. You can then Manage Threat Indicators and Find High-Risk Artifacts that match indicators to check your network for known threats.
Tags
A tag is a collection of search criteria that together indicate a known or possible threat. Both historical and new samples that match the conditions defined for a tag are associated with that tag. You can perform searches and create alerts based on tags. See AutoFocus Tags for details on creating tags and contributing to tags, including more information on Tag Types, Tag Class, Tag Status, and Tag Visibility.
Public Tags and Samples
Public tags and samples in AutoFocus are visible to all AutoFocus users.
For tags you create, you can set the status to public, so that the tag is visible to the AutoFocus community. You can revert the tag to be private at any time.
Public samples consist of samples from open-source intelligence (OSINT) and other external public sources, as well as samples that AutoFocus users have made public. Samples from your organization can only become public in two ways:
• Open the sample details and manually set the sample to Public, in order to share it within the AutoFocus community.
• If a private sample from your organization is later received by WildFire from a public source, the sample becomes public at that time.
Private Tags and Samples
Private tags and samples in AutoFocus are visible only to AutoFocus users associated with the same support account.
Private tags and samples can be made public, with the option to revert the tag or sample back to private status at any time.
All Tab and All Samples
The All tab on the dashboard and the option to view All Samples in a search include statistics for all samples seen by WildFire, both public and private; however, identifying details are obfuscated for private samples. The All tab on the dashboard displays all malware (including private samples) with obfuscated hashes. The All Samples view in a search obfuscates private sample details with the exception of the WildFire verdict for the sample, the date the sample was first submitted to WildFire, the file size, and the file type.
Suspicious
Suspicious artifacts:
• Have been widely detected across large numbers of samples.
• Are most frequently detected with malware. Although suspicious artifacts can be detected with grayware and benign samples, they are more often found with malware.
For more on suspicious artifacts in AutoFocus, you can Find High‐Risk Artifacts and Add High‐Risk Artifacts to a Search or Export List.
Highly Suspicious
Highly suspicious artifacts:
• Have been detected in very few samples. The lack of distribution of these types of artifacts could indicate an attack crafted to target a specific organization.
• Are most frequently detected with malware. In some cases, these artifacts have been seen exclusively with malware and never with grayware or benign samples.
For more on highly suspicious artifacts in AutoFocus, you can Find High‐Risk Artifacts and Add High‐Risk Artifacts to a Search or Export List.
Use AutoFocus with the Palo Alto Networks Firewall
The following AutoFocus features integrate with the Palo Alto Networks firewall:
• Use AutoFocus threat intelligence to assess firewall artifacts.
On the firewall, open the AutoFocus Intelligence Summary for artifacts in your firewall logs to view their pervasiveness and risk. Click on any of the artifacts in the summary window to launch an AutoFocus search for it.
This feature is supported with firewalls running PAN-OS 7.1 or later release versions.
• Use AutoFocus to search for artifacts in firewall traffic.
In AutoFocus, Set Up Remote Search to specify which artifacts to look for in your firewall logs. The firewall web interface opens in a new window in Unified log view. The Unified log entries are filtered based on the remote search artifacts.
This feature is supported with firewalls running PAN-OS 7.1 or later release versions.
You can use Panorama to remotely search for artifacts in firewalls that are not connected to AutoFocus and/or are running PAN-OS 7.0 and earlier.
• Use AutoFocus indicators to enforce security policy on the firewall.
– Export AutoFocus Artifacts (such as IP addresses, URLs, or domains) to support a dynamic block list (PAN-OS 7.0 or earlier) or an external dynamic list (PAN-OS 7.1 and later).
– Use AutoFocus Miners with the Palo Alto Networks Firewall to support an external dynamic list (PAN-OS 8.0).
AutoFocus Portal Settings
Select Settings on the AutoFocus navigation pane to modify or enable the following settings as needed. The settings for preferred hash, scope, and landing page are unique for each user in a support account.
• Preferred Hash—Select the hash type you would like to use as the default sample or session identifier for AutoFocus search results: SHA-1, SHA-256, or MD5.
• Preferred Scope—Select the default scope of your search results: My Samples (private), Public Samples, or All Samples (private and public samples).
• Landing Page—Select the page that displays by default after logging in to the AutoFocus portal.
• Share public tags anonymously—If you select this option, tags that you share publicly will not list your organization as the tag owner in the tag details.
• Remote Systems—Label and specify the address of a Palo Alto Networks firewall, Panorama, or third-party log management system that AutoFocus can search remotely. You can add up to 500 remote systems. View the complete workflow for how to Set Up Remote Search.
• API—If you have activated an AutoFocus API key in the customer support portal, you can view your key here. Also view the API key status, the number of license users, points usage, and total points. For more information on the AutoFocus API, refer to API documentation and examples.
AutoFocus Dashboard
The AutoFocus™ dashboard visually weights your network data alongside industry and global data to provide both a context for your network activity and a window into threats targeting similar organizations. Focus in on pervasive threat activity and add top artifacts directly to a search.
After taking a First Look at the Dashboard, refer to the following topics for an overview of the dashboard and for details on customizing and drilling down on dashboard widgets:
• Dashboard Overview
• Set the Dashboard Date Range
• Drill Down on Dashboard Widgets
• Customize the Dashboard
Dashboard Overview
Scan the AutoFocus dashboard to view and drill down on pervasive artifacts, including top malware, top applications, and top firewalls. You can alternate dashboard views to display the threat landscape for your organization, your industry, or globally.
As you move between the three dashboard tabs, the data displayed is updated to reflect the dashboard context:
• My Organization—View the threat landscape for your network, with the capability to drill down and search on data for firewalls associated with the selected support account. Top firewalls are only displayed on the organization tab and are not visible in other contexts.
• My Industry—View the threat landscape across your industry. Explore and examine targeted threats or trends affecting similar networks and organizations. Industry data is populated according to the industry associated with the selected support account (for example, high tech or healthcare).
• All—View the global threat landscape to contextualize both threats affecting your network and your industry. The All tab includes the additional widget Target Industries, which allows you to compare malware rates across industries.
The Industry and All views display statistics for all samples (public and private) but do not allow access to the details of private samples (unless they are private samples from firewalls associated with your support account).
Drill Down on Dashboard Widgets for more details on a threat artifact, with the option to add the artifact to a search, or tag the artifact as an indicator of compromise (IOC).
For an overview of each of the dashboard widgets, take a First Look at the AutoFocus Portal.
Set the Dashboard Date Range
Filter the threat data displayed on the dashboard based on a default time range, a custom time range, or a single date.
All time stamps in AutoFocus™ are displayed in Pacific Time (PST/PDT).
If you don’t see any malware sessions in the Malware Download Sessions histogram, there may not be any malware detected during the selected date range. The histogram does not include sessions with known malware (malware that was first seen before the selected date range).
Filter the Dashboard by Date
• Set the default date range.
Set the dashboard to display data for the last 7, 30, 90, or 180 days by default. You can also set the dashboard to display all data by default, regardless of the time period in which the data was collected, by setting the time range to All time.
The dashboard default time range is applied to all dashboard views (organization, industry, and all) and dashboard widgets immediately update to reflect the time range selected.
The default time range is also reapplied when the dashboard is refreshed.
• Select a custom date range.
Adjust the Malware Download Sessions sliders to view sessions for a specific date range:
The dashboard time range is updated automatically as you adjust the sliders.
After modifying the dashboard date range using the Malware Download Sessions histogram, you can refresh your browser at any time to reapply the default date range.
• Set a single date.
Click a single bar on the Malware Download Sessions histogram to view the number of sessions with newly‐identified malware detected on that date. The dashboard widgets are then filtered to display artifacts for that date only.
For example, this view of the dashboard shows events and artifacts only for January 15, 2014:
After modifying the dashboard date range using the Malware Download Sessions histogram, you can refresh your browser at any time to reapply the default date range.
Drill Down on Dashboard Widgets
Use the dashboard widgets to add artifacts of interest to a search. Artifacts added to the search editor from the dashboard are added as conditions to the existing search—they do not replace existing search conditions (although you can continue to modify the search from the search editor).
For an overview of each of the dashboard widgets, take a First Look at the AutoFocus Portal.
• View artifact details.
Hover over the Top Applications, Top Malware, Top Firewalls, and Target Industries widgets to reveal statistics. For example, hover over a single bar on the Top Malware widget (where the bar represents a malware sample) to view a close‐up of the sample hash and the number of times the sample was detected during the selected date range.
• Add an artifact to the search editor.
Click on a single bar in the Top Applications, Top Malware, Top Firewalls, and Target Industries widgets to jump to the search editor and perform a search using the data. For example, click on a single bar on the Top Malware widget to search on the malware sample hash.
• For details on interacting with the Top Tags widget, Vote for, Comment on, and Report Tags.
• For details on interacting with the Alerts Log widget, View Alerts in AutoFocus.
Customize the Dashboard
You can customize your organization, industry, and global dashboards. Add widgets or remove them based on your preferences, and pick the order in which they appear on the dashboard.
Dashboard settings are unique and saved for each user in a support account.
Step 1
Open the dashboard settings. Click the Page Editor (1).
Step 2
Edit the widgets and widget placement on the dashboard.
• Remove a widget.
Click X to remove a widget (2).
Removing a widget frees up a slot on the dashboard where you can Add a widget.
• Add a widget.
Find a blank widget slot, and click Add Widget (3). Then select a widget type.
• Add a new row of widgets.
Choose an area on the dashboard where you would like to insert a new row of widgets, and click Add Row (4). The newly added row includes two blank slots for widgets by default.
• Remove a row of widgets.
On the right side of the row you want to remove, click Remove Row (5).
• Change the number of widgets in a row.
Change Columns (6) in the row to show up to 4 widgets.
Step 3
Save your changes to the dashboard.
When you are finished making your changes, click the Page Editor.
Step 4
(Optional) Restore the default dashboard settings. Click the Page Editor drop-down and Reset Page to Default.
AutoFocus Search
Start a simple search for an artifact from any page in AutoFocus™, or use the AutoFocus search editor to perform complex searches, with conditions that allow you to narrow or broaden the scope of your search.
Toggle your view of search results to find:
• The samples matched to your search conditions (Samples tab).
• The sessions during which the samples were detected (Sessions tab).
• The top artifacts associated with the returned samples (Statistics tab).
• The threat indicators found in the returned samples (Indicators tab).
• The DNS history and PAN-DB categorization of the results (Domain, URL & IP Address Information tab).
After performing a search, you can drill down in sample results to find artifacts seen with that sample. For each artifact associated with a sample, AutoFocus lists the number of times the artifact has been detected with benign, grayware, and malware samples. Artifacts that are seen disproportionately with malware are indicated to be Suspicious or Highly Suspicious. AutoFocus also makes it easy to view indicators that are found with your search results.
See the following topics to get started with AutoFocus search:
• Start a Quick Search
• Work with the Search Editor
• Drill Down in Search Results
• Set Up Remote Search
• Artifact Types
• Search Operators and Values
• Guidelines for Partial Searches
Start a Quick Search
Start searching through samples and sessions for matches to an artifact from any page on the AutoFocus portal.
Step 1
Click the spyglass icon in the support account area of the portal.
You can also press Alt+s to open quick search. To close quick search, click the x on the top right corner of the search box or click anywhere on the dimmed area of the interface.
Step 2
Enter an artifact to search.
When an artifact is incomplete, quick search suggests a list of artifact types that it recognizes.
Step 3
Select the scope of the search based on the artifact type.
For example, the string ImASampleFile.pl can be a Filename, a Domain, or a URL. To search for the file ImASampleFile.pl, select an area to search under the category Filename.
The areas to choose from vary depending on the artifact entered.
• PanDB/pDNS—View PAN‐DB categorization entries, WildFire™ active DNS history, and passive DNS history that match the artifact.
• Go to Sample Detail—(SHA256, SHA1, and MD5 artifacts only) View details about the sample, such as its WildFire verdict (benign, grayware, or malware) and analysis information.
• Search for My Samples—Search for the artifact in your organization’s private samples.
• Search for Public Samples—Search for the artifact in all samples that are shared to the AutoFocus community.
• Search for All Samples—Search for the artifact in private and public samples.
• Search for Sessions—Search for the artifact in session information.
• Show Session Stats—View statistics based on sessions that contain the artifact.
Step 4
View the search results in the search editor.
Step 5
Choose from the following options:
• Work with the Search Editor to perform more complex searches.
• Drill Down in Search Results to explore additional options and information related to the artifact.
Work with the Search Editor
Use the search editor to perform complex searches based on one or more artifacts. The search editor has a range of features for customizing and executing searches. For details on navigating and using the search results (including adding artifacts to your search as you go), Drill Down in Search Results.
• Open the search editor.
– Select Search on the navigation pane and add criteria directly to the search editor: begin a new search, use a saved search, or import a search.
– Click on an artifact highlighted on the dashboard. The search editor displays with the artifact listed as a search condition.
• Begin a new search.
To create a search condition, choose the type of artifact you want to find and define the scope and value:
1. Select one of the Artifact Types from the drop-down to perform a search of global threat data based on that artifact type.
Start typing the name of the artifact type to narrow down the list of options.
2. Select an operator for the search condition.
The operator determines the scope of search results; you can use the operator to limit or expand potential results, or to return exact match results. Search Operators and Values vary depending on the type of artifact you select.
You can use the operator to create negative search conditions. Use negative operators such as is not or is not in the list to return more granular search results that exclude samples or sessions that match the negative condition.
3. Enter or select a value to define the search condition. Depending on the artifact type and operator selected, you may be able to choose from predefined values, or you might be required to enter an exact value to perform the search.
Learn more about Search Operators and Values.
If you are attempting to select a value from a pre‐populated drop‐down, and the drop‐down appears to be loading for a long period of time, try clearing your browser cache.
• Add more search conditions.
Add conditions to your search. You can add up to 300 search conditions to a single search.
• Remove conditions from your search.
• Narrow or broaden your search.
Match results to all or any of the defined search conditions:
– Narrow search results by selecting All. Search results are only returned for samples that match all conditions.
– Broaden search results by selecting Any. Search results are returned for samples that match one or more conditions.
• Add a child query.
A child query is a condition or a set of conditions nested within and used to qualify a parent query. A child query is evaluated only against the parent query to which it is added. Add a child query to return more granular search results, where the results must match both the parent query and the child query.
The example search below shows a child query added to the Email Subject condition. Search results will be returned for samples where the following is true:
• The sample was first seen before March 13, 2015.
• The email subject for the sample file contained the word test and received a WildFire verdict of either malware or grayware.
You can only add up to 4 levels of child queries nested under parent queries.
• Add a parent query.
Click Add Parent Query to nest a search condition under the preceding condition. AutoFocus then only evaluates the nested search condition against the parent condition.
In the example below, click Add Parent Query to nest the First Seen condition under the WildFire Verdict condition. Search results will be returned for samples where any of the following conditions is true:
• The sample received a WildFire verdict of malware and was first seen before July 1, 2016.
• The sample is an Adobe Flash file.
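The All/Any matching, child queries, negative operators, and the 300-condition and 4-level limits described above, modelled locally as an added Python example (not AutoFocus or Palo Alto Networks code, and not the AutoFocus API's request format). Field names such as first_seen and verdict, the "is before" date operator, and the sample records are assumptions constructed for illustration; the two queries are the guide's own Email Subject and Add Parent Query examples.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Any, Dict, List, Optional

MAX_CONDITIONS = 300    # limit stated in the guide: conditions per search
MAX_CHILD_LEVELS = 4    # limit stated in the guide: nested child-query levels


@dataclass
class Condition:
    # One search condition. Field and operator names are illustrative
    # assumptions, not the AutoFocus API's own identifiers.
    field_name: str
    operator: str
    value: Any
    child: Optional["Query"] = None  # child query nested under this condition

    def matches(self, sample: Dict[str, Any]) -> bool:
        actual, op = sample.get(self.field_name), self.operator
        if op == "is":
            ok = actual == self.value
        elif op == "is not":                # negative operator
            ok = actual != self.value
        elif op == "contains":
            ok = actual is not None and str(self.value).lower() in str(actual).lower()
        elif op == "is in the list":
            ok = actual in self.value
        elif op == "is not in the list":    # negative operator
            ok = actual not in self.value
        elif op == "is before":             # assumed operator for date-valued artifacts
            ok = actual is not None and actual < self.value
        else:
            raise ValueError(f"unsupported operator: {op}")
        # A child query is evaluated only against its parent condition: the
        # sample must satisfy both the parent condition and the child query.
        return ok and (self.child is None or self.child.matches(sample))


@dataclass
class Query:
    match: str = "all"  # "all" narrows results, "any" broadens them
    conditions: List[Condition] = field(default_factory=list)

    def matches(self, sample: Dict[str, Any]) -> bool:
        results = [c.matches(sample) for c in self.conditions]
        return all(results) if self.match == "all" else any(results)


def count_conditions(q: Query) -> int:
    """Total conditions in the query, child queries included."""
    return sum(1 + (count_conditions(c.child) if c.child else 0) for c in q.conditions)


def child_depth(q: Query) -> int:
    """Deepest number of child-query levels under q (0 = no child queries)."""
    return max((1 + child_depth(c.child) for c in q.conditions if c.child), default=0)


def validate(q: Query) -> List[str]:
    """Return the guide's limits that the query violates (empty list means OK)."""
    problems = []
    if count_conditions(q) > MAX_CONDITIONS:
        problems.append(f"more than {MAX_CONDITIONS} search conditions")
    if child_depth(q) > MAX_CHILD_LEVELS:
        problems.append(f"more than {MAX_CHILD_LEVELS} levels of child queries")
    return problems


def run_search(q: Query, samples: List[Dict[str, Any]]) -> List[str]:
    """Ids of the samples that match q: a local stand-in for clicking Search."""
    problems = validate(q)
    if problems:
        raise ValueError("; ".join(problems))
    return [s["id"] for s in samples if q.matches(s)]


# Guide example 1: a child query on the Email Subject condition, matched with All.
EMAIL_SUBJECT_SEARCH = Query("all", [
    Condition("first_seen", "is before", date(2015, 3, 13)),
    Condition("email_subject", "contains", "test", child=Query("all", [
        Condition("verdict", "is in the list", ["malware", "grayware"])])),
])

# Guide example 2: First Seen nested under WildFire Verdict, matched with Any.
PARENT_QUERY_SEARCH = Query("any", [
    Condition("verdict", "is", "malware", child=Query("all", [
        Condition("first_seen", "is before", date(2016, 7, 1))])),
    Condition("file_type", "is", "Adobe Flash"),
])

# Constructed sample records for illustration (not real WildFire data).
SAMPLES = [
    {"id": "s1", "first_seen": date(2015, 1, 10), "email_subject": "Test invoice",
     "verdict": "malware", "file_type": "PE"},
    {"id": "s2", "first_seen": date(2015, 1, 10), "email_subject": "test report",
     "verdict": "benign", "file_type": "Adobe Flash"},
    {"id": "s3", "first_seen": date(2016, 9, 1), "email_subject": "test",
     "verdict": "grayware", "file_type": "PE"},
    {"id": "s4", "first_seen": date(2016, 9, 1), "email_subject": None,
     "verdict": "malware", "file_type": "PE"},  # parent matches, child does not
]
```

Sample s4 shows why a child query matters: it satisfies the parent WildFire Verdict condition alone, but not the nested First Seen condition, so it is excluded from the second search.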
• Adjust search condition placement.
Move Up or Move Down search conditions to move conditions to or from a child query. Depending on the placement of a condition, you can move it up or down to include it in a child query. You can also move a condition up or down to remove it from a child query so that it is no longer a nested condition.
• Disable a search condition.
Disable a condition to temporarily remove it from a search. This option provides the flexibility to temporarily adjust your search parameters, and then quickly and easily add the condition back to your search if necessary.
Disabled search conditions are grayed out:
To enable a search condition that was previously disabled, select the ellipses icon for that condition and select Enable:
• Start a new search from your current search.
Start a New Search for any of the search conditions of an existing search. The new search launches in a separate browser window.
• Add a search condition to a remote search.
This is one way to add search conditions that define which artifacts to find remotely in a Palo Alto Networks® next‐generation firewall, Panorama, or third‐party log management system when you Set Up Remote Search.
This option is only available for SHA256 hash, IP address, user agent, filename, or URL search conditions.
• Add recent or frequently‐used conditions to a search.
Select the Show Search History icon and add Recently used or Most used search conditions to your search.
• Save a search.
Save searches that you might be performing on a regular basis, or to quickly recreate useful search settings:
Click the Save Search icon, enter a name and description to identify the saved search when using it later, and save the search.
• Use a saved search.
Open Saved Search to view an alphabetical list of previously saved searches, and click the spyglass icon to add a saved search to the search editor.
• Tag a search.
Click Tag Results to create a tag based on search conditions. Tags can be used to define a set of conditions that indicate an important network event or a possible or known threat.
Tag a search so you can easily identify and track any existing or future samples that match the search.
When you Create a Tag, give the tag a recognizable name and description. Select Tags on the navigation pane to manage tags you have created and to view all tags.
• Export a search.
You can export a search to share the search between support accounts or with another AutoFocus security expert.
• After setting up a search and viewing search results, select Export Search.
• Copy the search filters.
• Paste the search filters into a local file or send the filters to another user.
• Import a search.
Click Import Search to paste and import a previously exported query or a query shared by another AutoFocus security expert.
• Start a remote search.
Start a Remote Search to look for artifacts in a Palo Alto Networks firewall, Panorama, or third‐party log management system. View more details on how to Set Up Remote Search.
This feature is supported with firewalls running PAN‐OS 7.1 or later release versions.
• Create a MineMeld miner based on the search.
When the MineMeld app is running, Create MineMeld Miner to send artifacts from the sample search results to MineMeld (refer to Forward AutoFocus Indicators to MineMeld).
• View the API request for a sample or session search.
Click the >_API link in the Samples or Sessions tab of the search editor to view the API request for initiating the current search. The API request is shown in cURL and Python formats (see more information about using the AutoFocus API to perform a search).
• Choose from the following next steps:
• Click Search to view samples matched to your search conditions. Select the Samples, Sessions, Statistics, and Domain, URL & IP Address Information tabs to Drill Down in Search Results.
• Assess AutoFocus Artifacts found in your search.
• Export AutoFocus Artifacts found in your search.
Drill Down in Search Results
An AutoFocus search returns all matching samples and their corresponding sessions (Start a Quick Search or Work with the Search Editor to set up a search). After searching, a progress bar displays as the search is processing the complete set of results. You can check the cumulative number of samples that meet the search conditions when the search progress is complete. You can also change the scope of your search from My Samples (samples found in your network only) to Public Samples or All Samples:
The Samples, Sessions, Statistics, Indicators, and Domain, URL & IP Address Information tabs display search results in different contexts. You can drill down in the results to find correlation among artifacts, to narrow your search by adding artifacts to the search as you go, and to Export AutoFocus Artifacts that are high‐risk.
See the following topics for details on the different search results views:
• Samples
• Sessions
• Statistics
• Indicators
• Domain, URL, and IP Address Information
Samples
The Samples tab in the AutoFocus search editor displays all samples that match the conditions of the search. Click the column headers for the sample details to sort samples in ascending (up arrow) or descending (down arrow) order. By default, the most recently detected samples are displayed. You can choose to view only My Samples, only Public Samples, or All Samples. All Samples includes both public and private samples; however, private samples submitted by firewalls or sample sources other than those associated with your support account display with an obfuscated hash.
Set a default scope for search results to choose which samples are displayed immediately when you launch a search. Navigate to the AutoFocus portal Settings and select a Preferred Scope. You must click Save changes to save the new default scope.
To examine Sample Details, click the sample hash:
Sample Details
File Analysis
Lists the sample details and properties. The nested WildFire Dynamic Analysis section describes the sample’s observed behavior and lists each activity the sample performed when executed in the WildFire analysis environment. You can view sample details that WildFire detected in environments running different operating systems.
Select a method of viewing the WildFire dynamic analysis of the sample:
• Sections—Groups sample activities by activity type. This view displays by default when you open the file analysis of a sample.
• Sequence—Lists sample activities based on the order in which they occurred in the WildFire analysis environment.
• Tree—For any main parent processes that occurred when the sample executed in the WildFire analysis environment, the child processes and activities that they spawned are grouped under them. The processes are indented to display the visual hierarchy of parent and child processes.
Click the minus sign ( - ) next to a parent process to hide the child processes under it; click the plus sign ( + ) to display them.
In Sequence and Tree view, you can see the activities that occurred in the operating system kernel space and user space:
• Kernel Space—The kernel is the core of the operating system; the kernel space is a memory area where the kernel runs operating system processes and manages other processes.
• User Space—User space is the memory area outside of the operating system kernel, where applications and other user processes are executed.
As you drill down in the WildFire Dynamic Analysis details for a sample, high-risk artifacts associated with the sample are marked for easy identification, and you can add Observed Behavior evidence and Activity Artifacts to a new or existing search.
Sample Tags
Lists the tags the sample is associated with, and you can also add a new tag. (For details on tags and how tagging works, see AutoFocus Tags).
Hover over a tag to view more tag information in a popup. You can click on the linked tag name to Vote for, Comment on, and Report Tags.
If a sample has Threat Indicators that match indicators forwarded to AutoFocus from MineMeld, an indicator tag specifies the number of matching indicators. Click on the indicator tag to view the matching indicators.
Sample Visibility
Make a sample Public to share the sample with other AutoFocus security experts. You can also revert the status of the sample to Private at any time.
Network Sessions
Lists all sessions during which samples with the same SHA256 hash were detected. The sessions displayed are all WildFire sessions submitted from your Palo Alto Networks firewall or another Upload Source associated with your support account. Select a single session for session details. Click the File Analysis tab to navigate back to the sample details.
Signature Coverage
Lists the WildFire signatures that match to the sample. Check signature coverage to assess the level of protection in place against malware. Depending on the sample, all or some of the following signature types provide coverage:
• WildFire AV Signatures identify malicious files. Examples of malware for which antivirus signatures provide protection include viruses, trojans, worms, and spyware downloads.
To find other samples that are covered by the same signature, set up a search for Threat Name > is and enter the Signature Name as the search value.
• C2 Domain Signatures identify malicious domains that the sample attempted to resolve to when executed in the WildFire analysis environment.
• Download Domain Signatures identify domains that host malware (and from which the sample was downloaded).
For each of these signature types, the date that WildFire created the signature is listed. You can toggle between daily, 15 minute, and 5 minute content updates to see the versions that included the signature. The first content version that included the signature is listed, as well as the last content version to include an update to the signature. The table also indicates whether a signature is included in the most current content version.
URLs the sample visited when executed in the WildFire analysis environment might also be listed, including the PAN‐DB categorization for each URL.
Indicators
Lists Threat Indicators that AutoFocus detected in the sample’s WildFire analysis details. The list consists of only artifacts that AutoFocus considers indicators based on the tendency of the artifact to be seen predominantly in malware samples. AutoFocus uses a statistical algorithm to determine which artifacts are indicators.
Observed Behavior
Expand the Observed Behavior section to find the total number of activities that are Evidence of a specific behavior. Each behavior has an associated risk level, and you can expand a single behavior to see the matching sample activities. For each activity listed, the Type column indicates the activity category and the Value column includes activity artifacts that you can then add to a search.
Activity Artifacts
Expand an activity section to see all of the sample activities that fall under it. For each activity artifact, the total number of times the artifact has been found with benign, grayware, and malware samples is listed.
Depending on the artifact, you can:
• Add an artifact to your existing search
• Add an artifact to an export list
• Start a new search for the artifact in a separate browser window
• View more information about domain and URL artifacts
If an artifact is evidence of an observed behavior, the behavior risk level is indicated with a colored icon: a gray icon indicates a low‐risk behavior, a yellow icon indicates a medium‐risk behavior, and a red icon indicates that the artifact is evidence of a critical, high‐risk behavior.
Based on the sample artifacts, AutoFocus highlights high‐risk indicators as Suspicious or Highly Suspicious. Sample indicators that match indicators forwarded to AutoFocus from MineMeld are highlighted with an indicator icon. (Learn more about how to Manage Threat Indicators.)
See Artifact Types for a detailed and expanded description of the WildFire analysis sections and the artifacts they contain.
Next Steps...
• Assess AutoFocus Artifacts found in your search.
• Export AutoFocus Artifacts found in your search.
Sessions
The Sessions tab displays all Sessions associated with samples from your network. Click the column headers to sort sessions in ascending (up arrow) or descending (down arrow) order.
Session Details
After performing an AutoFocus Search, select Sessions and select a single session to drill down for session details:
Display sessions based on the Upload Source. Add the search condition Upload Source > is to your current search and choose a session source. In the example above, the sessions search results have the Upload Source Traps, which means that they are sessions associated with samples submitted to WildFire through Traps.
Session details include a Session Summary, from which you can add artifacts to your existing search or launch a new search for an artifact in a separate browser window.
The File Analysis tab displays artifacts that WildFire found in the sample detected during the session (see Sample Details for information on the File Analysis tab).
Session details also include a list of Related Sessions, which are other sessions during which the same sample was detected.
Next Steps...
• View the associated Samples, Statistics, and Domain, URL, and IP Address Information.
• Assess AutoFocus Artifacts found in your search.
• Export AutoFocus Artifacts found in your search.
Statistics
The Statistics tab collects and visually weights the top artifacts associated with samples matched to your search. You can perform specific searches by clicking on any of the individual artifacts under the Statistics tab.
The Statistics tab does not display the same statistics as the AutoFocus Dashboard. While the dashboard displays an overall picture of the threat landscape in different contexts (organization‐wide, industry‐wide, or global), the Statistics tab displays information that has been filtered based on the current search.
Sample Statistics
After performing an AutoFocus Search, select Statistics:
View statistics on artifacts associated with My Samples, Public Samples, or All Samples.
Click on an artifact in the Top Applications, Top Malware, Top Firewalls, and Target Industries widgets to add it to your search; the Statistics tab widgets are filtered based on the added search condition(s).
Click to view the API request to retrieve the artifact data displayed in a widget. The API request is formatted in cURL and Python.
Example:
To view only samples that are distributed through web pages, click the web‐browsing bar on the Top Applications widget. Web‐browsing is added as a search condition and the widgets, including the Top Countries malware map, are updated to reflect the new web‐browsing filter:
Next Steps...
• View associated Samples, Sessions, and Domain, URL, and IP Address Information.
• Assess AutoFocus Artifacts found in your search.
• Export AutoFocus Artifacts found in your search.
Indicators
The Indicators tab is a summary of Threat Indicators that AutoFocus found in the samples returned as search results. Not all sample artifacts are indicators; the Indicators tab only lists artifacts that AutoFocus has determined to be indicators through a statistical algorithm based on the tendency of the artifact to be seen predominantly in malware samples.
Indicators List Details
The Indicators tab only displays indicators drawn from the page of sample search results that you are currently viewing. For example, if your search returns 5 pages of search results and you are viewing the second page, the Indicators tab will only display indicators from that second page of samples. AutoFocus also filters the indicators by the scope you have selected for viewing the sample search results (view only My Samples, Public Samples, or All Samples).
AutoFocus groups the indicators by type:
• Domain
• IPv4
• Mutex
• URL
• User agent
For each indicator, you can view the number of global malware, grayware, and benign samples in which it was detected. AutoFocus highlights indicators that are Suspicious or Highly Suspicious.
Indicators matching those forwarded to AutoFocus through MineMeld are marked with an indicator tag ( ), which specifies the number of matching indicators. Click on the indicator tag to view the full list of matches.
Each indicator lists the SHA256 hash of the sample(s) in which it was detected. Click on a hash to view sample details.
Domain, URL, and IP Address Information
When searching for a domain, URL, or IP address artifact, the Domain, URL & IP Address Information tab displays information about the artifact from PAN‐DB, the global URL database that Palo Alto Networks uses for its URL filtering service. The tab also provides logs of DNS activity from all samples analyzed with WildFire and passive DNS history where AutoFocus detected instances of the artifact. This information can help you assess whether a specific domain, URL, or IP address is associated with suspicious behavior.
Domain, URL, and IP Address Details
View Domain, URL, and IP Address Information
Domain, URL, and IP Address Details
PAN‐DB Categorization
View URLs associated with the domain, URL, or IP address through PAN‐DB and the PAN‐DB category for each URL.
WildFire DNS History
View a log of domain to IP address mappings based on all samples that launched a request to connect to a domain during WildFire analysis.
Passive DNS History
View a passive history of domain to IP address mappings that contain matches to the artifact you searched for.
View Domain, URL, and IP Address Information for an Artifact
Step 1
Find domain, URL, and IP address information for an artifact:
• Find information for a specific domain, URL, or IP address.
1. Work with the Search Editor to set up a search with the following types of artifacts: Domain, URL, IP Address, DNS Activity, or APK Embedded URL.
2. Click the target icon or expand the search result listed under the Domain, URL & IP Address Information tab.
• Find information from the file analysis details for a sample.
1. Begin a new search.
2. Click a sample hash to view sample details.
3. View the full DNS Activity details for the sample.
4. Click the drop‐down for any domains, URLs, or IP addresses, and select Domain and URL info... See Assess AutoFocus Artifacts for details on drilling down in the file analysis details for a sample.
Step 2
Review the Domain, URL, and IP Address Details for the artifact.
Find matches to the artifact in the Request and Response columns.
Step 3
Choose from the following next steps.
• View associated Samples, Sessions, and Statistics.
• Assess AutoFocus Artifacts found in your search.
• Export AutoFocus Artifacts found in your search.
Set Up Remote Search
Remote search enables you to use AutoFocus to find suspicious IP addresses, SHA256 hashes, URLs, user agents, and filenames in a specific Palo Alto Networks firewall or a set of Panorama‐managed firewalls. AutoFocus looks for matches to the suspicious artifacts in the firewall log entries. When you launch a remote search, the firewall or Panorama web interface opens in a new window and displays the search results in Unified log view.
The remote search feature is supported with firewalls running PAN‐OS 7.1 or later release versions.
AutoFocus also supports integration with third‐party log management systems. When you configure your custom system to work with AutoFocus remote search, you can filter log or event repositories with AutoFocus search conditions.
Search for Artifacts in a Remote System
Step 1
Log in to the firewall or Panorama you want to search with your administrator username and password.
Step 2
Configure the settings of the remote system.
Allow HTTP or HTTPS service on the management interface of your firewall or Panorama. Select the service that matches the address of the remote system you want to search.
Step 3
Add a remote system to search with AutoFocus.
1. Select Settings on the navigation pane.
2. Add new remote systems.
3. Enter a descriptive Name for the remote system.
4. Select a System Type:
a. Select PanOS to add a firewall or Panorama.
b. Select Custom to add a custom system that has been configured to integrate with AutoFocus remote search.
5. Enter the IP Address or URL of the remote system.
6. Click Save changes.
7. Click Save changes on the Settings page to finish adding the remote system. You can add up to 500 remote systems.
Step 4
Add conditions to a remote search:
• Add an artifact from a search result.
1. Perform a search, and view Sample Details.
2. Add any SHA256 hash, IP address, user agent, filename, or URL contained in a sample to a remote search (for example, a sample hash or a domain).
3. Click Remote Search to verify that the artifact was added.
• Add a search condition to a remote search. Click Remote Search to verify that the search condition was added.
• Create a condition to add to a remote search.
Step 5
1. On the search editor, click Remote Search.
2. Add IP addresses, URLs, user agents, SHA256 hashes, or filenames to the remote search.
(For Panorama Device Group and Template Administrators Only) For Panorama Device Group and Template administrators (not superusers), an AutoFocus remote search targeted to Panorama returns results based on the current Panorama Access Domain setting. Panorama administrators with role‐based access control must first open the Panorama web interface, select Monitor > Logs and set the Access Domain for which to view search results. Return to the AutoFocus portal to execute your remote search.
Step 6
Start a remote search.
1. Click Remote Search.
2. Review the list of search conditions that you added in Step 4. Add or remove conditions as needed.
3. Set the remote search to find Any or All of the artifacts on the targeted system.
4. Select one or more Remote systems to search.
5. Click Search.
Step 7
View the search results. A new browser tab opens for each remote system.
• Search results for a firewall or a Panorama are displayed in Unified log view. The list consists of all log entries that contain the artifacts specified in the remote search.
Panorama search results include log entries from managed firewalls that are not connected to AutoFocus and/or are running PAN‐OS 7.0 or earlier.
• Each custom system opens in a new tab, with the URL formatted to include the conditions specified in the remote search.
The maximum length for the URL generated through remote search is 1,024 characters. Performing a remote search with multiple search conditions may create a URL that exceeds the character limit. As a best practice, check which conditions were added to the URL after launching a search.
If no browser tabs open when you launch remote search, change the settings on your browser to allow pop‐ups from AutoFocus.
Step 8
Learn more about working with Unified logs on the firewall.
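Added example for the URL length caveat in Step 7 above (not the guide's or AutoFocus's own code): it builds a custom-system remote search URL under the stated 1,024-character limit and reports which conditions were left out. The query-string layout (match=any|all plus field=value pairs), the base URL, and the condition values are all assumptions; a real custom system defines its own format.

```python
"""Added example (not the AutoFocus guide's own code): build the URL a custom
remote system would be opened with, apply the 1,024-character limit the guide
states, and report which conditions actually made it into the request.
The query-string layout is an assumption, not the AutoFocus format."""
import hashlib
from urllib.parse import urlencode

MAX_URL_LEN = 1024  # limit stated in the guide


def build_remote_search_url(base_url, conditions, match="any"):
    """Append (field, value) conditions in order until the next one would push
    the URL past MAX_URL_LEN; that condition and every later one are reported
    as dropped.  Returns (url, included, dropped)."""
    url = f"{base_url}?{urlencode({'match': match})}"
    included = []
    for index, (field, value) in enumerate(conditions):
        candidate = f"{url}&{urlencode({field: value})}"
        if len(candidate) > MAX_URL_LEN:
            return url, included, list(conditions[index:])
        url = candidate
        included.append((field, value))
    return url, included, []


def remote_search_report(base_url, conditions, match="any"):
    """Summarise a launch the way the guide's best practice asks: how long the
    URL is, how many conditions went in, and which ones were left out."""
    url, included, dropped = build_remote_search_url(base_url, conditions, match)
    return {
        "url_length": len(url),
        "included": len(included),
        "dropped": dropped,
    }


# Constructed conditions (not real indicators): a documentation-range IP, a
# user-agent fragment from the guide, and 20 SHA256 values derived from labels.
CONSTRUCTED_CONDITIONS = [
    ("ip", "203.0.113.10"),
    ("user_agent", "Mozilla/4.0"),
] + [
    ("sha256", hashlib.sha256(f"constructed-sample-{i}".encode()).hexdigest())
    for i in range(20)
]

if __name__ == "__main__":
    # 22 conditions do not all fit: the report shows the ones that were cut.
    print(remote_search_report("https://siem.example.internal/search",
                               CONSTRUCTED_CONDITIONS))
```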
Artifact Types
WildFire detects properties, activities, and behaviors when it analyzes samples during static and dynamic analysis. WildFire forwards this information to AutoFocus, as well as the properties of sessions associated with the samples. In AutoFocus, these pieces of information are referred to as Artifacts. WildFire detects some artifacts in samples only, in sessions only, or in both samples and sessions (general artifacts). Other artifacts are specific to a particular operating system (Windows, Mac, or Android).
You can use the different types of artifacts with Search Operators and Values to find Samples and Sessions.
General Artifacts
Sample Artifacts
Session Artifacts
Analysis Artifacts
Windows Artifacts
Mac Artifacts
Android Artifacts
General Artifacts
General artifacts are artifacts that WildFire associates with both samples and sessions. For example, you can use the artifact type Domain to search based on domains found in samples and sessions.
Some general artifacts are tag‐related. If you search with a tag‐related artifact, the search results display all samples that have one or more tags that meet the search criteria, and their related sessions.
The following general artifact types refer to private session information: Domain, Email Address, Filename, IP Address, and URL. If any of your private tags use these artifact types as tag conditions, you cannot make these tags public.
Artifact Type
Search with this Artifact Type to Find...
Domain
A domain detected in the DNS Activity or HTTP Activity of a sample, or the File URL.
Email Address
An Email Recipient Address or Email Sender Address.
Filename
The File Name of the sample or a filename that AutoFocus found in the File Activity of a sample.
Hash
The sample’s MD5, SHA1, or SHA256 hash. The search results also include samples in which AutoFocus found the hash in the File Activity of the sample.
IP Address
A File URL, Source IP, or Destination IP in a session, or an IP address detected in the Connection Activity, DNS Activity, or HTTP Activity of a sample.
Tag
Samples with a specific tag.
Tag Alias
Samples filtered by Tag Alias.
Tag Class
Samples filtered by Tag Class: a malware family, a campaign, an actor, an exploit, or a type of malicious behavior.
Tag Scope
Samples filtered by Tag Scope: private, public, Unit 42 (alerting), or Unit 42 informational (non‐alerting).
Tag Source
Samples with tags that are attributed to a particular Tag Source.
Threat Name
Samples that match a particular threat signature.
URL
A File URL or a URL detected in the HTTP Activity of a sample.
User Agent
A user agent header detected in the HTTP Activity or User Agent Fragments of a sample. The user agent header indicates your browser type and version and your operating system and version. During a session, your browser sends this information to the site you are visiting to determine the best way to deliver the information you requested. Examples of user agent strings include Mozilla/4.0 and Windows NT 6.1.
Sample Artifacts
Sample artifacts are artifacts that WildFire associates with samples only. You can find the following artifact types when you view Sample Details, in the File Analysis details of a sample.
Artifact Type
Search with this Artifact Type to Find...
Digital Signer
The digital signature that identifies the sender of the sample.
File Type
The file type of the sample. Examples include Email Link, Adobe Flash File, and PDF.
File Size
The size of the sample in bytes.
Finish Date
The date and time when WildFire analysis of the sample completed and the sample received a WildFire verdict.
First Seen
The date and time that the sample was first forwarded or uploaded to WildFire.
Import Table Hash
An import hash, or imphash, is a hash based on the order that API functions are listed in the import table of a Portable Executable (PE). Imphashes can be used to identify similar samples that might belong to the same malware family.
Imphashes are listed for malware and grayware samples only (not benign samples).
Last Updated
The date and time when WildFire changed the verdict for a sample.
MD5
The sample’s unique cryptographic hash generated using the MD5 message‐digest algorithm.
Region
Every WildFire cloud (global or regional) to which a sample was submitted for analysis. The sample details list all of the WildFire clouds to which firewalls submitted the sample (different firewalls can submit the same sample to different WildFire clouds).
• US—WildFire global cloud
• EU—WildFire EU cloud
• JP—WildFire Japan cloud
• SG—WildFire Singapore cloud
To find samples that have been submitted to only a single WildFire cloud (and no other WildFire clouds), set up a search for a WildFire cloud. Then, add search conditions excluding samples submitted to the other WildFire clouds from the search results. For example, to search for samples that users submitted to the WildFire global cloud only, search with the condition Region > is > US combined with the condition Region > is not for each of the other WildFire clouds.
SHA1
The sample’s unique cryptographic hash generated using the Secure Hash Algorithm 1.
SHA256
The sample’s unique cryptographic hash generated using Secure Hash Algorithm 256.
Ssdeep Fuzzy Hash
The fuzzy hash (generated by the ssdeep program) associated with the sample.
The ssdeep program generates an ssdeep hash value, or fuzzy hash, for a sample, which can be used to identify samples that are very similar but not exactly alike. The ssdeep program allows you to compare sample fuzzy hashes to produce a percentage that indicates how closely the samples match. In ssdeep, a high percentage indicates a high degree of similarity between the samples. In AutoFocus, fuzzy hashes are listed for malware and grayware samples only (not benign samples).
WildFire Verdict
WildFire assigns a verdict of Malware, Grayware, or Benign to the sample based on properties, behaviors, and activities observed for the file or email link during static and dynamic analysis.
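Added example for the Import Table Hash entry above (not code from the AutoFocus guide or from pefile): it computes an imphash for constructed PE import tables with the pefile-style algorithm, assuming imports are given as (dll, function) pairs in import-table order and leaving imports by ordinal out, to show why reordered imports produce a different hash while differently cased names do not.

```python
"""Added example (not the AutoFocus guide's or pefile's code): compute an
import-table hash (imphash) for constructed import tables the way the widely
used pefile-style algorithm does, so the grouping behaviour the Import Table
Hash entry describes can be seen directly.  Assumption: imports are given as
(dll, function) pairs in table order; ordinal imports are not modelled."""
import hashlib
from collections import defaultdict


def normalize_library(dll_name: str) -> str:
    """Lower-case the DLL name and drop a .dll/.ocx/.sys extension, as the
    common imphash algorithm does (other extensions are kept as-is)."""
    name = dll_name.lower()
    base, dot, ext = name.rpartition(".")
    if dot and ext in ("dll", "ocx", "sys"):
        return base
    return name


def imphash(imports):
    """Return the imphash (MD5 hex digest) of an import table given as a list
    of (dll, function) pairs in the order the PE lists them.  The digest is
    over 'lib.func,lib.func,...', so order matters while case does not.
    MD5 is adequate here: the value is a similarity key, not a security control."""
    parts = [f"{normalize_library(dll)}.{func.lower()}" for dll, func in imports]
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def group_by_imphash(samples):
    """samples: dict name -> import table.  Returns imphash -> [names], the
    kind of clustering an Import Table Hash search gives you."""
    groups = defaultdict(list)
    for name, imports in samples.items():
        groups[imphash(imports)].append(name)
    return dict(groups)


# Constructed import tables (not real samples).  A and B differ only in the
# case of names; C lists the same functions in a different order.
SAMPLE_A = [
    ("KERNEL32.dll", "CreateFileA"),
    ("KERNEL32.dll", "WriteFile"),
    ("ADVAPI32.dll", "RegSetValueExA"),
    ("WS2_32.dll", "connect"),
]
SAMPLE_B = [
    ("kernel32.DLL", "createfilea"),
    ("kernel32.DLL", "writefile"),
    ("advapi32.DLL", "regsetvalueexa"),
    ("ws2_32.DLL", "connect"),
]
SAMPLE_C = [
    ("WS2_32.dll", "connect"),
    ("ADVAPI32.dll", "RegSetValueExA"),
    ("KERNEL32.dll", "WriteFile"),
    ("KERNEL32.dll", "CreateFileA"),
]
CONSTRUCTED_SAMPLES = {"sample_a": SAMPLE_A, "sample_b": SAMPLE_B, "sample_c": SAMPLE_C}

if __name__ == "__main__":
    # Expect two groups: {sample_a, sample_b} share a hash, sample_c does not.
    for digest, names in group_by_imphash(CONSTRUCTED_SAMPLES).items():
        print(digest, names)
```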
Session Artifacts
Sessions artifacts are artifacts that WildFire associates with sessions only. You can find the following artifact types when you view Session Details. Note that you can only view the details of sessions associated with your support account. For this reason, when you search with artifact types that refer to firewall‐related properties (for example, firewall serial number or hostname), AutoFocus filters the search results by the properties of the Palo Alto Networks firewall(s) that initiated the session.
The following session artifact types refer to private session information: Device Hostname, Device Serial, Device vsys, Destination IP, Email Recipient Address, Email Charset, Email Sender Address, Email Subject, File Name, File URL, Recipient User ID, and Source IP. If any of your private tags use these artifact types as tag conditions, you cannot make these tags public.
Artifact Type
Search with this Artifact Type to Find...
Application
The App‐ID™ matched to the type of application traffic detected in a session. For example, a search for the Application web-browsing returns sessions during which web browsing over HTTP occurred. Visit Applipedia for an updated list of applications that Palo Alto Networks identifies.
Device Country
The country to which the IP address on a firewall is registered.
Device Country Code
The two‐digit abbreviation for the Device Country. Refer to the complete list of countries and country codes in AutoFocus.
Device Hostname
A name that identifies a Palo Alto Networks firewall. To view the hostname for a firewall, log in to the firewall web interface, select Device > Setup > Management, and view the General Settings.
Device Serial
The serial number of a firewall.
Device vsys
The name of the virtual system on the firewall associated with the session.
Destination Country
The country of the IP address to which the session was destined.
Destination Country Code
The two‐digit abbreviation for the Destination Country of the session. Refer to the complete list of countries and country codes in AutoFocus.
Destination IP
The destination IP address of the session.
Destination Port
The destination port that the session used.
Email Recipient Address
For email samples, the email address of the user who received the email.
Email Charset
For email samples, the character set used to display the message body of an email. Examples of character sets are UTF-8 and ISO-8859-1.
Email Sender Address
For email samples, the email address of the sender.
Email Subject
For email samples, the subject of the email.
File Name
The filename of the sample sent during the session.
File URL
The URL path for the source that hosts the sample.
IMEI
The 15‐digit unique International Mobile Equipment Identity number assigned to a mobile phone.
Industry
Industry indicates the field that the source of the session (you or another AutoFocus support account) is associated with. Examples are Aerospace and Defense, High Tech, and Education. Industry is a field you select when you initially set up your AutoFocus account. Contact Palo Alto Networks Support to change it.
Recipient User ID
The username of the user who received an email sample.
Region
The WildFire cloud (global or regional) to which a sample is submitted for analysis. A session in the AutoFocus search results provides information about how a source submitted a sample to WildFire. Since each session corresponds to a single WildFire submission, it can only be associated with a single WildFire cloud.
• US—WildFire global cloud
• EU—WildFire EU cloud
• JP—WildFire Japan cloud
• SG—WildFire Singapore cloud
SHA256
The SHA‐256 hash for the sample associated with the session.
Source Country
The country to which the IP address that initiated the session is registered.
Source Country Code
The two‐digit abbreviation of the Source Country that sent the session. Refer to the complete list of countries and country codes in AutoFocus.
Source IP
The IP address of the session source.
Source Port
The source port that the session used.
Status
All samples that a Palo Alto Networks firewall blocked. The Status for blocked samples is Blocked, while the Status for allowed samples is blank. To find all allowed samples, search with the condition Status > is not > Blocked.
Time
The time and date when the session started.
Upload Source
The source that requested a WildFire verdict for a sample or submitted a sample to WildFire for analysis.
Choose from a list of possible upload sources:
• Firewall—Samples that a Palo Alto Networks firewall forwarded to WildFire.
• Proofpoint—Samples submitted to WildFire through Proofpoint products.
• Traps—Samples submitted through Traps.
• Manual API—Samples uploaded manually through the WildFire API or the WildFire public portal.
• WF Appliance—Samples that a WildFire appliance submitted to the WildFire public cloud.
Analysis Artifacts
Analysis artifacts make up the WildFire dynamic and static analysis of a sample. WildFire Dynamic Analysis information consists of properties, activities, and behaviors that WildFire detects in the sample when it is executed in an analysis environment. WildFire Static Analysis information consists of artifacts that WildFire can observe from the sample without executing it in an analysis environment.
To get an idea of the artifacts that appear in a WildFire analysis section, start a search with an analysis artifact and for the operator, select has any value. View the file analysis details of the search results, expanding the section you searched for to view the artifacts that WildFire found for it.
Connection Activity
Processes that accessed other hosts on the network when the sample was executed in the WildFire analysis environment. Artifacts listed for each connection activity include the process that accessed other hosts on the network, the port through which the process connected, the protocol used for the connection, and the IP address and country of the host.
DNS Activity
DNS activity observed when the sample was executed in the WildFire analysis environment. Artifacts listed for each DNS activity include the hostname that was translated (Query column), the resolved domain name or IP address (Response column), and the type of DNS resource record used to resolve the query (Type column).
File Activity
Files that showed activity as a result of the sample being executed in the WildFire analysis environment. Artifacts listed for each file activity include the parent process that showed activity, the action the parent process performed, and the file that was altered (created, modified, duplicated, or deleted).
HTTP Activity
HTTP requests made when the sample was executed in the WildFire analysis environment. Artifacts listed for each HTTP activity include the destination domain of the HTTP request, the HTTP method that the host used, the URL for the requested resource, and the string originating the request (User Agent column).
The domain (Host column) and URL values together are the URL for the request. For example, the full URL for the first artifact is althawry.org/images/xs.jpg?8b96=71468.
Java API Activity
Java runtime activity seen when the sample was executed in the WildFire analysis environment.
Observed Behavior
Behaviors seen for the sample in the WildFire analysis environment, such as whether the sample created or modified files, started a process, spawned new processes, modified the registry, or installed browser help objects (BHOs). Each behavior is also assigned a risk level of high, medium, low, or informational.
On the File Analysis tab within the sample details, alternate between operating system columns to see the list of behaviors observed for each virtual machine in which the sample was executed.
The Evidence column lists the total number of sample activities that are evidence of each behavior; expand a single behavior to see the list of matching activities.
For each activity listed, the Type column indicates the WildFire analysis section and the Value column includes artifacts that WildFire found for the section. The artifacts displayed might vary depending on the activity category. In the example above, the File Activity artifacts provided include the parent process that showed activity, the action the process performed, and the file that was altered.
The artifact type Observed Behavior also refers to properties that WildFire observed in a sample during static analysis. These properties appear under the WildFire Static Analysis category Suspicious File Properties.
Other API Activity
Non‐Java API activity seen in the WildFire analysis environment when the sample was executed. Artifacts listed include the parent process that was active, the API calls made by the parent process, and the process that was modified.
Process Activity
Processes that showed activity when the sample was executed. Artifacts listed for each process activity include the parent process that was active, the action that the parent process performed, and the process that was modified.
Service Activity
Services that showed activity as a result of the sample being executed in the WildFire analysis environment. Artifacts listed for each service activity include the process that was active, the action the process performed, and the service that was created, modified, or deleted.
User Agent Fragments
The user agent header for HTTP requests sent when the sample was executed in the WildFire analysis environment.
Windows Artifacts
Windows artifacts are artifacts that WildFire associates with samples after analyzing the samples in a Windows OS analysis environment.
Artifact Type
Search with this Artifact Type to Find...
Mutex Activity
A mutex (mutual exclusion object) is a synchronization object that lets programs share a resource while ensuring that no more than one of them uses it at a time. If the sample creates a mutex when executed in the analysis environment (for example, to coordinate additional program threads it starts), the mutex is listed along with the parent process that created it.
Registry Activity
Windows Registry settings and options that showed activity when the sample was executed in the analysis environment. Artifacts listed for each registry activity include the parent process that was active, the registry method the parent process used (Action), and the registry key that was set, modified, or deleted (Parameters).
Mac Artifacts
Mac artifacts are artifacts that WildFire associates with samples after analyzing the samples in a Mac OS analysis environment.
Artifact Type
Search with this Artifact Type to Find...
Mac Embedded File
Internal files in a Mac app installer or a Mac app bundle. Details for an embedded file can include the SHA256 and name of the installer or bundle, the file’s SHA1 hash, filename, file format, file location, SHA256 hash, the signature associated with the file and the name of the signer, the SHA1 hash for the signature, signature status, and the file size in bytes.
Mac Embedded URL
URLs that are part of a Mac file. The Path column contains the path for the section of the app where the URL is located.
Android Artifacts
Android artifacts are artifacts that WildFire associates with Android Package (APK) samples after analyzing the samples in an Android analysis environment. An APK file installs an app on an Android mobile phone or tablet.
Artifact Type
Search with this Artifact Type to Find...
APK App Icon
The file path for the app icon that displays in the Android device menu.
APK App Name
The name of the app that displays on the interface of an Android device.
APK Certificate
The hash value of the public key embedded in the digital certificate of the APK file.
APK Certificate File
The file path for the certificate(s) embedded in the APK file, information about the certificate owner and issuer such as name and location (if provided by the owner/issuer), and the MD5, SHA1, and SHA256 fingerprints of the certificate. The owner or issuer may provide the following fields:
• CN: Common name (first name and last name)
• OU: Organizational unit
• O: Organization name
• L: City or locality
• ST: State or province
• C: Two-letter country code
APK Defined Activity
The class name of activities defined in the APK file. An activity is a component of the app that provides a screen users can interact with to perform a task.
APK Defined Intent Filter
An intent filter, found in an app's manifest file, lists the types of intents that the components of the app can respond to. An intent is a request to perform an action, which an app can send to its own components or to other apps. For example, the YouTube app uses an intent to hand a video off to a messaging app on your Android device when you share it.
APK Defined Receiver
Broadcast receivers for the APK file. Broadcast receivers allow the app to receive intents broadcast by itself, by the Android device, or by other apps on the device. An example of a broadcast that an app can receive is an indication that the device battery is low.
APK Defined Sensor
Sensors for motion, orientation, or environmental conditions that the app uses when it is running. For example, an app might need to receive readings from the device's GPS to perform location-based tasks.
APK Defined Service
Services configured for the APK file. Services are operations that run in the background while the app is running, and do not provide a user interface screen. An example of a service is a notification service for an email app that alerts users when they have new messages.
APK Embedded Libraries
Third‐party libraries that are included in the APK file. A third‐party library, which app developers can reuse across multiple apps, contains files of code that accomplish a specific task. An example of an embedded library is Google’s mobile ads software development kit (SDK), AdMob.
APK Embedded URL
URLs that are part of an APK file. The Path column contains the path for the section of the app where the URL is located.
APK Internal File
The file format, file path, and SHA256 hash of files included in the APK file.
APK Package Name
The unique name that identifies an app on an Android device. The general format for a package name is domain.company.application (for example, com.tamapps.learnjapanese).
APK Repackaged
An indication of whether an APK file has been repackaged (True) or not (False). AutoFocus marks a repackaged APK file as suspicious because an attacker can repackage a benign file to contain malicious functionality.
APK Requested Permission
The permissions that the APK file requests from users to perform processes and to access data on their Android device. Examples include permissions to access the camera on the device or to change the audio settings of the device.
APK Sensitive API Call
API calls embedded in the APK file that access restricted services or resources.
APK Signer
The identity fields that the app owner supplied in the certificate used to sign the app:
• CN: Common name (first name and last name)
• OU: Organizational unit
• O: Organization name
• L: City or locality
• ST: State or province
• C: Two-letter country code
APK Suspicious API Call
API calls embedded in the APK file that access restricted services or resources. Unlike APK Sensitive API Call, the APK Suspicious API Call lists all instances of an API call and the location of the files where the API call was found.
APK Suspicious Action
An action that the APK file performed when it was executed in the WildFire analysis environment that may be an indicator of compromise. The Value column contains a description of the action and supporting evidence. For example, if the suspicious action associated with an APK file sends SMS messages while running in the background, the value includes the text message content that the file sent. If the action is loading another APK, DEX, or JAR file, the value includes the path for the file that the APK file loaded.
APK Suspicious Behavior
A sequence of actions that the APK file exhibits, the target of the actions (if there is one), and the location of the files that exhibited the actions. For example, for the suspicious behavior "APK file sends an SMS to a fixed number," the target is the phone number that received the SMS.
APK Suspicious File
Suspicious files found in the APK file and their file type. An example of a suspicious file is one that contains malicious native code or an executable file in .dex format.
APK Suspicious Pattern
A class of patterns observed in the APK file, a description of what the pattern does, and the location of the files where the pattern occurred.
APK Suspicious String
Suspicious strings of code found in the APK file. For example, a suspicious string can indicate that an app contains shell commands that install or uninstall other apps, or the string can be a suspicious phone number. For each string, you can view the location of the file that contains the string.
APK Version
The version number of the app that is visible to users.
Search Operators and Values
Search operators refine the results that are returned to you when you perform a search. Operators determine which results to display based on the value you select or enter for an artifact type. You can have up to 10,000 values in a single search with multiple search conditions. Refer to the following table when you Work with the Search Editor to set up a search.
is
When to use it: Find samples or sessions that contain the exact value you enter.
Possible values: Number; Option (select a value from the drop-down); String (type an exact value; not case-sensitive).
is not
When to use it: Find samples or sessions that do not contain the exact value you enter.
Possible values: Number; Option (select a value from the drop-down); String (type an exact value; not case-sensitive).
has no value
When to use it: Find samples or sessions that have no reported value for the artifact type; samples or sessions with a reported value are excluded from the search results.
Possible values: No value required.
has any value
When to use it: Find samples or sessions that have a reported value for the artifact type, including values such as 0, unknown, or Not Found.
Possible values: No value required.
is in the list
When to use it: Find samples or sessions with artifacts that match at least one of the values in a list. You can have up to 1,000 values in your list.
Possible values: Option (select more than one value from the drop-down); String (type more than one value, pressing Enter to separate one value from the next; the values must be exact and are not case-sensitive).
is not in the list
When to use it: Find samples or sessions whose artifacts match none of the values in a list; any sample or session that matches at least one listed value is excluded. You can have up to 1,000 values in your list.
Possible values: Option (select more than one value from the drop-down); String (type more than one value, pressing Enter to separate one value from the next; the values must be exact and are not case-sensitive).
contains
When to use it: Find samples or sessions that contain the partial value you enter. Use the contains operator if you don't know the exact value of an artifact.
Possible values: String (type a partial value; not case-sensitive). See Guidelines for Partial Searches.
does not contain
When to use it: Find samples or sessions that do not contain the partial value you enter.
Possible values: String (type a partial value; not case-sensitive). See Guidelines for Partial Searches.
proximity
When to use it: Perform a single search for two or more values. Use the proximity operator with Analysis Artifacts to look for multiple artifacts that can appear in the WildFire analysis of a sample.
Possible values: String (type partial values if you don't know the exact value; not case-sensitive; you can enter the values in any order). See Guidelines for Partial Searches.
is in the range
When to use it: Find values within a date or numerical range.
Possible values: Date and Time Range (select the earliest and latest date and time that a value can have, or choose from a drop-down of relative dates such as Yesterday, Last Month, or Last 90 days); Number Range (select the minimum and maximum number that a value can be).
greater than
When to use it: Find values that are more than the number you enter.
Possible values: Number.
greater than or equal
When to use it: Find values that are more than or equal to the number you enter.
Possible values: Number.
less than
When to use it: Find values that are less than the number you enter.
Possible values: Number.
less than or equal
When to use it: Find values that are less than or equal to the number you enter.
Possible values: Number.
is after
When to use it: Find date and time values that occur after a specific date.
Possible values: Date and Time (select a date and time, or choose from a drop-down of relative dates such as Yesterday, Last Month, or Last 90 days).
is before
When to use it: Find date and time values that occur before a specific date.
Possible values: Date and Time (select a date and time, or choose from a drop-down of relative dates such as Yesterday, Last Month, or Last 90 days).
Guidelines for Partial Searches
The contains, does not contain, and proximity operators allow you to enter partial values in your search conditions. For more accurate search results, observe the following guidelines for using these operators.
• Contains and Does Not Contain Operators
• Proximity Operator
Contains and Does Not Contain Operators
Use the contains and does not contain operators if you know part of a value for a single artifact.
Example:
To search for samples or sessions with the network identifier 192.168 in the IP address, perform the search IP Address > contains > 192.168.
Using the does not contain operator instead excludes samples or sessions with the network identifier 192.168 from your search results.
• Searches with the contains and does not contain operators are not case-sensitive.
• Any character that is not a letter or a number (for example a period, backslash, hyphen, space, or @ symbol) splits a value into separate values. Type the full strings that appear between special characters for accurate matches.
Example 1:
To search for all sessions sent from email addresses with the domain yahoo.com, perform the search Email Sender Address > contains > yahoo.com.
The search Email Sender Address > contains > ahoo.com returns results from an email address with the domain ahoo.com, but not yahoo.com.
The search Email Sender Address > contains > yahoo.co may return results from an email address with the domain yahoo.co.uk or yahoo.co.jp, but not yahoo.com.
The search Email Sender Address > contains > yahoo returns results from any email address that has the string yahoo between special characters.
Example 2:
If the File Activity that WildFire has detected for a sample contains the string Windows\ServiceProfiles\LocalService, you can use any of the following terms as partial strings to search for the sample:
– Windows
– ServiceProfiles
– LocalService
Proximity Operator

Use the proximity operator to search for multiple artifacts that can appear under a WildFire Analysis category of a sample. Enter two or more artifacts in the value field of the search condition.
Example:
The search Registry Activity > proximity > HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData ueepd-a.exe returns samples that have both values in at least one of their registry activities.
The order in which the strings are entered does not affect the search results.
Example:
The search Registry Activity > proximity > ueepd-a.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData returns the same results as the previous example.
• Searches with the proximity operator are not case-sensitive.
• You can enter partial strings in a proximity search, but you must type the full strings that appear between any special characters that are not letters or numbers (for example a period, backslash, hyphen, space, or @ symbol) for accurate matches.
Example:
The search Registry Activity > proximity > HKCU\Software\Microsoft\Windows\CurrentVersion ueepd-a.exe returns the samples from the previous examples, because CurrentVersion is a complete string between backslashes. Current is only part of that string, so the search Registry Activity > proximity > HKCU\Software\Microsoft\Windows\Current
ueepd-a.exe will not return the search results above.
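The following Python script is added here as an example; it is not part of the AutoFocus product or its documentation. It models the matching rules that the two guideline sections above describe: values are split into tokens at every character that is not a letter or a number, comparison is not case-sensitive, contains requires the partial value's tokens to appear in order inside the artifact value, and proximity requires every term to appear in the same artifact value in any order. It also applies the other operators from the Search Operators and Values table to a single artifact value. The registry-activity value and the email addresses it uses are constructed for the example, and the function names and the internal model are assumptions; the portal's own search implementation is not published here and may differ in detail.

```python
"""Model of the search operators and the partial-match rules described above.
Added example, not Palo Alto Networks code: it follows the guidelines on this
page, but the portal's own search implementation may differ in detail."""
import re
from datetime import datetime

_TOKEN = re.compile(r"[A-Za-z0-9]+")
_DATE_FMT = "%B %d, %Y %I:%M %p"            # Month DD, YYYY hh:mm AM/PM
# Operators defined as the negation of another operator.
_NEGATED = {"is not": "is", "does not contain": "contains",
            "is not in the list": "is in the list"}
_COMPARE = {"greater than": lambda a, b: a > b, "is after": lambda a, b: a > b,
            "greater than or equal": lambda a, b: a >= b,
            "less than": lambda a, b: a < b, "is before": lambda a, b: a < b,
            "less than or equal": lambda a, b: a <= b}


def tokenize(value):
    """Lower-case alphanumeric tokens. Period, backslash, hyphen, space, '@'
    and every other non-alphanumeric character only separate tokens."""
    return [t.lower() for t in _TOKEN.findall(str(value))]


def _has_run(haystack, needle):
    """True when token list `needle` occurs contiguously inside `haystack`."""
    n = len(needle)
    return n > 0 and any(haystack[i:i + n] == needle
                         for i in range(len(haystack) - n + 1))


def contains(value, partial):
    """`contains`: the partial value's tokens must appear in order and adjacent
    inside the artifact value, so 'ahoo.com' never matches 'yahoo.com'."""
    return _has_run(tokenize(value), tokenize(partial))


def proximity(value, *terms):
    """`proximity`: every term must appear (under the `contains` rule) in the
    same artifact value; the order in which terms are given is irrelevant."""
    toks = tokenize(value)
    return all(_has_run(toks, tokenize(t)) for t in terms)


def _norm(v):
    """Numbers compare as numbers, alert-format dates as datetimes, and other
    strings case-insensitively."""
    if isinstance(v, (int, float)):
        return v
    try:
        return datetime.strptime(str(v), _DATE_FMT)
    except ValueError:
        return str(v).lower()


def evaluate(operator, artifact_value, search_value=None):
    """Apply one operator from the table above to one artifact value.
    `artifact_value` is None when the sample reported nothing for the
    artifact; negated operators and `has no value` match such samples."""
    if operator in _NEGATED:
        return not evaluate(_NEGATED[operator], artifact_value, search_value)
    if operator == "has no value":
        return artifact_value is None
    if operator == "has any value":
        return artifact_value is not None   # 0, 'unknown', 'Not Found' count
    if artifact_value is None:
        return False
    a = _norm(artifact_value)
    if operator == "is":
        return a == _norm(search_value)
    if operator == "is in the list":        # any one of up to 1,000 values
        return any(a == _norm(v) for v in search_value)
    if operator == "contains":
        return contains(artifact_value, search_value)
    if operator == "proximity":
        return proximity(artifact_value, *search_value)
    if operator == "is in the range":
        low, high = (_norm(v) for v in search_value)
        return low <= a <= high
    if operator in _COMPARE:
        return _COMPARE[operator](a, _norm(search_value))
    raise ValueError("unknown operator: %r" % operator)


# Constructed registry-activity value in the shape the artifact table describes
# (parent process, action, key, parameter); not taken from a real WildFire report.
REGISTRY_ACTIVITY = (
    "svchost.exe , SetValueKey , HKCU\\Software\\Microsoft\\Windows\\CurrentVersion"
    "\\Explorer\\Shell Folders\\AppData , C:\\Users\\user\\AppData\\Roaming\\ueepd-a.exe")

if __name__ == "__main__":
    print(contains("alice@yahoo.com", "yahoo.com"), contains("alice@yahoo.com", "ahoo.com"))
    print(proximity(REGISTRY_ACTIVITY, "ueepd-a.exe",
                    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion"))
    print(proximity(REGISTRY_ACTIVITY, "ueepd-a.exe",
                    "HKCU\\Software\\Microsoft\\Windows\\Current"))
```

Running the script prints the results for the yahoo.com and registry-activity examples above. The model reproduces the documented behavior: ahoo.com and yahoo.co do not match yahoo.com, and Windows\Current does not match Windows\CurrentVersion, because each partial value must consist of whole tokens. Note that the same rule makes IP Address > contains > 192.168 match any address in which the tokens 192 and 168 are adjacent, not only addresses that start with them.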
AutoFocus Alerts
Prioritized alerts allow you to quickly distinguish targeted, advanced attacks from commodity malware so that you can triage your network resources accordingly. Set up AutoFocus™ alerts for samples based on Tag Types: Unit 42 Alerting tags, public tags, or private tags.
Configure AutoFocus to send alerts to an email account or directly to a web server. The Alerts Log on the dashboard displays alerts depending on the dashboard context. You can also view the complete set of AutoFocus alerts by selecting Alerts on the navigation pane.
• Alert Types
• Create Alerts
• View Alerts in AutoFocus
• Edit Alerts
Alert Types
An alert is a notification about samples that match a set of defined criteria. When you Create Alerts in AutoFocus, you have the option to receive the notifications by email or over HTTP. You can also View Alerts in AutoFocus for a complete log of alerts that have been sent to you.
AutoFocus generates alerts for grayware and malware samples from all Upload Sources associated with your support account, as long as they match the alert criteria.
• Email Alerts
• HTTP Alerts
Email Alerts
AutoFocus can send alerts to your email account. In an email alert, the SHA256 hash displays as a hyperlink that opens the WildFire™ analysis of the sample in AutoFocus.
An email alert contains the following components:
Name
Description
AutoFocus Alerts
The date and time that the alert was sent in the following format: Month DD, YYYY hh:mm [AM/PM] (UTC)
Number of alerts
The number of unique samples detected within the alert period
For
The name of the support account that created the alert
Date (UTC)
The date and time that the sample was detected in the following format: Month DD, YYYY hh:mm [AM/PM]
Type
The tag type that triggered the alert (unit42, public, or private)
Name
The specific tag that triggered the alert for the sample
Verdict
The WildFire verdict assigned to the sample: malware or grayware.
To focus your attention on samples that exhibit malicious behavior, AutoFocus does not send alerts for benign samples.
Matching Sample
The SHA256, SHA1, and MD5 hashes of the sample
HTTP Alerts
HTTP alerts are notifications that AutoFocus generates in JavaScript Object Notation (JSON) format. In an HTTP alert, information about the samples is formatted as JSON name-value pairs, with the name and value separated by a colon. For example, the pair "date": "March 19, 2016 05:56 PM" gives the date and time that a sample was detected for the alert. All alerts use the same set of field names, but their values vary depending on the samples detected in the alert period.
AutoFocus sends HTTP alerts as plain text to the web server of your choice using standard HTTP requests.
Use HTTP alerts to publish information about detected samples on a web page or a threat feed.
When creating an HTTP alert, provide the URL of a server that has been preconfigured to parse the name-value pairs from the alert. Refer to the following table of field names and possible data types for the field values. The data type describes how a value should be interpreted and stored by the server; because the server accepts these requests from the network, validate each field against its expected type before you store or publish it.
Field Name (Data Type)
Description
num_alerts (number)
The number of unique samples detected within the alert period
autofocus_alerts (string)
The date and time that the alert was sent, in the format Month DD, YYYY hh:mm [AM/PM]
alerts (array)
A list of each sample detected and the details associated with it
date (string)
The date and time that the sample was detected, in the format Month DD, YYYY hh:mm [AM/PM]
match_sample (string)
The SHA256, SHA1, and MD5 hashes of the sample
alert_name (string)
The specific tag that triggered the alert for the sample
alert_type (string)
The tag type that triggered the alert. The possible alert_type values are:
• private: private tags owned by you
• public: public tags
• unit42: tags issued by Unit 42
verdict (string)
The WildFire verdict assigned to the sample: malware or grayware. To focus your attention on samples that exhibit malicious behavior, AutoFocus does not send alerts for benign samples.
for (string)
The name of the support account that created the alert
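The following Python receiver is added here as an example; it is not part of the AutoFocus product or its documentation. It validates an HTTP alert body against the field table above before anything is stored or published. It assumes that the alert arrives as the JSON body of an HTTP request (the guide says only that alerts are sent as plain text over standard HTTP requests), that the for field sits at the top level of the document as it does in the email layout, and that the three hashes in match_sample are separated by characters that are not hexadecimal digits, because the guide does not give that string's exact layout. The sample payload is constructed from the field table with placeholder hashes; it was not captured from a live instance, and the function names are the example's own.

```python
"""Receiver-side validation of an HTTP alert against the field table above.
Added example, not Palo Alto Networks code. Assumed (the guide does not say):
the alert is the JSON body of an HTTP request, `for` is a top-level field as
in the email layout, and the hashes in match_sample are separated by non-hex
characters. The payload at the end is constructed, not captured."""
import json
import re
from datetime import datetime

DATE_FMT = "%B %d, %Y %I:%M %p"             # Month DD, YYYY hh:mm AM/PM
ALERT_TYPES = {"private", "public", "unit42"}
VERDICTS = {"malware", "grayware"}           # benign samples never raise alerts
_HEX_RUN = re.compile(r"[0-9a-fA-F]{32,}")
_HASH_BY_LEN = {64: "sha256", 40: "sha1", 32: "md5"}


class AlertFormatError(ValueError):
    """A field is missing, has the wrong type, or holds an undocumented value."""


def _string(obj, key):
    v = obj.get(key)
    if not isinstance(v, str) or not v:
        raise AlertFormatError("%s must be a non-empty string" % key)
    return v


def _date(obj, key):
    try:
        return datetime.strptime(_string(obj, key), DATE_FMT)
    except ValueError as e:
        raise AlertFormatError("%s: %s" % (key, e))


def split_hashes(match_sample):
    """Extract the SHA256, SHA1 and MD5 from match_sample, recognising each by
    length; anything other than exactly those three hashes is rejected."""
    found = {}
    for run in _HEX_RUN.findall(match_sample):
        kind = _HASH_BY_LEN.get(len(run))
        if kind is None or kind in found:
            raise AlertFormatError("unexpected hex run in match_sample: " + run)
        found[kind] = run.lower()
    if len(found) != 3:
        raise AlertFormatError("match_sample lacks one of sha256/sha1/md5")
    return found


def parse_alert(body):
    """Validate one alert body and return it in normalised form. Every field
    is untrusted network input until it has passed these checks."""
    try:
        doc = json.loads(body)
    except ValueError as e:
        raise AlertFormatError("body is not JSON: %s" % e)
    if not isinstance(doc, dict):
        raise AlertFormatError("top-level value must be a JSON object")
    num = doc.get("num_alerts")
    if isinstance(num, bool) or not isinstance(num, int) or num < 0:
        raise AlertFormatError("num_alerts must be a non-negative integer")
    entries = doc.get("alerts")
    if not isinstance(entries, list):
        raise AlertFormatError("alerts must be an array")
    result = {"sent": _date(doc, "autofocus_alerts"),
              "account": _string(doc, "for"), "alerts": []}
    for entry in entries:
        if not isinstance(entry, dict):
            raise AlertFormatError("each alerts item must be an object")
        alert_type = _string(entry, "alert_type")
        if alert_type not in ALERT_TYPES:
            raise AlertFormatError("unknown alert_type %r" % alert_type)
        verdict = _string(entry, "verdict")
        if verdict not in VERDICTS:
            raise AlertFormatError("unexpected verdict %r" % verdict)
        result["alerts"].append({
            "detected": _date(entry, "date"), "tag": _string(entry, "alert_name"),
            "tag_type": alert_type, "verdict": verdict,
            "hashes": split_hashes(_string(entry, "match_sample"))})
    # The table defines num_alerts as the number of unique samples in the period.
    unique = {a["hashes"]["sha256"] for a in result["alerts"]}
    if len(unique) != num:
        raise AlertFormatError("num_alerts=%d but %d unique samples" % (num, len(unique)))
    return result


def check_alert(body):
    """None when the body is valid, otherwise the error text (for a 4xx reply)."""
    try:
        parse_alert(body)
        return None
    except AlertFormatError as e:
        return str(e)


# Constructed payload shaped after the field table; the hashes are placeholders.
SAMPLE_ALERT = json.dumps({
    "num_alerts": 1, "autofocus_alerts": "March 19, 2016 06:00 PM",
    "for": "example-support-account",
    "alerts": [{"date": "March 19, 2016 05:56 PM",
                "match_sample": " ".join(["0123456789abcdef" * 4,
                                          "0123456789abcdef" * 2 + "01234567",
                                          "0123456789abcdef" * 2]),
                "alert_name": "ExampleTag", "alert_type": "unit42",
                "verdict": "malware"}]})

if __name__ == "__main__":
    for a in parse_alert(SAMPLE_ALERT)["alerts"]:
        print(a["detected"], a["tag_type"], a["tag"], a["verdict"], a["hashes"]["sha256"])
```

Any field that fails a check raises AlertFormatError, and check_alert returns the error text instead, which is convenient for a web handler that wants to answer with a 4xx status rather than store a malformed or spoofed alert. The unique-sample count is compared with num_alerts because the table defines that field as the number of unique samples in the period; if a deployment is observed to send it differently, relax that one check rather than the type checks.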
Create Alerts
Create alerts to monitor samples in your network based on their tags. The following steps walk you through the process of creating alerts in AutoFocus:
Create Alerts
Step 1
Select Alerts on the navigation pane, and then select Settings.
Step 2
Define Alert Actions. An alert action sets the type, destination, and frequency of the alert.
Step 3
Enable Alerts by Tag Type. The Alert on Tag Type column describes the tag types that samples in your network must match to trigger an alert: Unit 42, Public, or Private. By default, the alert action for all tag types is none, and alerts are disabled. Select a different alert action to enable alerts for each tag type.
Step 4
To receive alerts for certain tags and disable them for others, Create Alert Exceptions.
Define Alert Actions
Define alert actions that you can then select to Enable Alerts by Tag Type. Defining alert actions includes choosing to receive the alert as an email or HTTP notification and setting the alert frequency. You only receive notifications for samples matching the alert criteria (the tag) in the digest period you select; if AutoFocus does not detect matching samples during the digest period, it does not send out an alert.
The default alert action none cannot be edited or deleted. Use this alert action to disable alerts for tags.
Create an alert for Unit 42 tags to receive notifications based on new threats and attacks identified by the Unit 42 threat intelligence research team.
Define Alerts
Step 1
Select Alerts > Settings.
Step 2
Scroll to the bottom of the Settings tab, and click Add Alert Action:
Step 3
Give the alert action a descriptive name.
Step 4
Define the type of alert you want to receive: Email or HTTP.
Step 5
Set the alert destination (email address or server URL).
For email alerts:
Enter the email address where you would like to receive Email Alerts.
For HTTP alerts:
Enter the URL of your server that you have configured to receive HTTP Alerts.
Step 6
Set the alert digest to 5 Minutes or Daily.
Digest sets the frequency with which AutoFocus checks for samples that match the alert criteria. AutoFocus collects all samples that match the alert criteria during the digest period and sends them in a single notification.
Step 7
Click Save Changes.
The Action drop‐down contains all saved alert actions, which you can apply to samples matched to Unit 42, public, and private tags.
Step 8
Enable Alerts by Tag Type.
Enable Alerts by Tag Type
Enable alerts based on Tag Types. You can choose to generate an alert for all samples in your network matched to a tag type. Additionally, you can Create Alert Exceptions to set up prioritized alerts for specific tags or to disable alerts for them.
Enable Alerts
Step 1
Select Alerts > Settings.
Step 2
If there are no email or HTTP Alert Actions listed, Define Alert Actions.
Step 3
Choose an alert for each tag type. Select an alert Action for samples matched to Unit 42, public, and private tags. Use this step at any time to change the alert action for a tag type.
Step 4
Enable the alert for a tag type. For each tag type, select Enabled? to receive alerts when AutoFocus detects samples in your network that match the tag type.
Step 5
If necessary, specify tags to exclude from the alert for the tag type. Create Alert Exceptions in order to:
• Create and enable custom alerts for specific tags.
• Disable alerts for tags for which you don't need to receive alerts.
Step 6
Choose from the following next steps:
• Both Email Alerts and HTTP Alerts list all the samples matched to the alert criteria in the digest period.
• View Alerts in AutoFocus.
• You can Edit Alerts or Disable Alerts.
Create Alert Exceptions
You can choose different alert settings for individual tags by adding the tags as alert exceptions. Create exceptions so that the alerts you receive for threat samples are prioritized by tag.
Create Alert Exceptions
Step 1
Select Alerts > Settings.
Step 2
If there are no email or HTTP Alert Actions listed, Define Alert Actions.
Step 3
Identify the tag type for which you want to create an alert exception, and click Add Exception.
Step 4
In the Tag field, start typing the tag name, and select it from the list of tags.
Step 5
Select an alert Action for the tag.
• Select one of the email or HTTP alert actions to enable alerts for the tag.
• Select none to disable alerts for the tag.
Step 6
Select Enabled? to enable the alert action for samples in your network that match the tag.
Step 7
Click Save Exception.
Step 8
To change or delete alert exceptions, Edit Alerts.
View Alerts in AutoFocus
The Alerts Log on the dashboard displays alerts that were generated within the selected dashboard date range, beginning with the most recent alerts. Alternatively, select Alerts on the navigation pane to view the complete set of alert logs.
Alert logs are retained for one month after they are generated.
Alert times are displayed in Pacific Time (PST/PDT).
Drill Down on Alerts
• Find alerts.
• Select Dashboard to view the Alerts Log widget. The Alerts Log widget displays the most recent samples that matched your alert criteria.
• Select Alerts > Alerts Log to view all samples that have triggered alerts. Sort the rows according to Time, Tag Type, SHA256, or Tag. Alternatively, click the column headers to sort the rows in ascending (up arrow) or descending (down arrow) order. You can also click the SHA256 link for a sample entry to add the sample to a search.
• Scan tag details.
Hover over the tag on which the alert is based to view tag details, including the latest time and the total number of times that traffic was matched to the tag.
• Search on the latest sample that triggered an alert.
Click the sample hash on the Alerts Log widget to add the sample to an AutoFocus search:
• Review and/or search on the conditions that triggered an alert.
Select a tag on the Alerts Log widget to view tag details. Tag details include a description of the tag and a list of the conditions defined for the tag. From the tag details, open a search based on the tag or a single condition defined for the tag:
Add the tag to the search editor, to search for all historical and global samples matched to the tag.
Add a single condition defined for the tag to the search editor, to search for all historical and global samples matched to that single condition.
Edit Alerts
Alerts are highly customizable and can be changed or deleted anytime. Change the settings of an existing alert action or alert exception as necessary. Disable an alert to stop receiving notifications for certain tags. To view all options for editing alerts, select Alerts > Settings.
Edit Alerts
• Disable Alerts.
Select the action none for a tag type.
To disable alerts for an alert exception, Edit an Alert Exception. Select the action none.
• Edit an Alert Exception.
Modify the tag chosen as an alert exception and the alert action that occurs when AutoFocus detects a sample that matches the tag. Select Enabled? to enable the alert action.
• Delete an Alert Exception.
Delete an alert exception permanently.
• Edit an Alert Action.
Modify the name of the alert action, the alert type (Email or HTTP), the email address or server URL that receives the alert, and how frequently the alert is generated.
• Delete an Alert Action.
Delete an alert action permanently.
AutoFocus Tags
Group a set of conditions with a tag. All past and future samples that match the tag conditions are automatically marked with the tag. Use tags to search for samples to gain context and insight into surrounding events. Create Alerts based on a tag to be notified each time AutoFocus™ detects new samples that match the tag conditions, allowing you to take quick action to remediate possible threats.
The Unit 42 threat research team shares threat intelligence with the AutoFocus community through official Unit 42‐issued tags. Unit 42 also verifies threats discovered by third‐party individuals and organizations and creates tags for these threats.
See the following topics for details on tags, how to create your own tags, and how to see tags shared by Unit 42 and other AutoFocus users:
• Tag Concepts
• Tag Details
• Create a Tag
• Work with Tags
• Vote for, Comment on, and Report Tags
Tag Concepts
Click Tags on the navigation pane to view a complete list of public, private, and Unit 42 tags.
• Tag Types
• Tag Class
• Tag Status
• Tag Visibility
Tag Types
Tag colors and icons allow you to easily distinguish the different tag types at a glance. When a tag is linked to a Tag Class, its default icon changes into a tag class icon.
Tag Type
Description
Unit 42 Tag (Alerting)
Unit 42 tags are created by Unit 42, the Palo Alto Networks® threat intelligence and research team, to detect and identify threats and campaigns that pose a direct security risk.
Unit 42 tags have an orange outline and a Unit 42 icon. Tags for threats discovered by an individual or organization outside of Unit 42 have a pointed and marked top right corner.
Enable AutoFocus Alerts for Unit 42 tags to receive immediate notifications from AutoFocus when it detects samples in your network that match Unit 42 tags.
Unit 42 Informational Tag (Non-Alerting)
Unit 42 also publishes informational tags that group and identify commodity threats. Often, threat signatures already exist and are distributed to identify and enforce policy on the traffic associated with informational tags. When you enable AutoFocus Alerts for Unit 42 tags, AutoFocus does not generate alerts for samples that match Unit 42 informational tags, so you can focus your resources on addressing targeted or pervasive threats.
Informational tags have a faded orange outline and a Unit 42 icon. Tags for threats discovered by an individual or organization outside of Unit 42 have a pointed and marked top right corner.
My Private Tag
Create a Tag that is visible only to your organization. Private tags allow you to tag a sample hash or a set of search conditions that might be specific or especially significant to your environment. You can then Create Alerts for the private tags.
Private tags have a blue outline and a tag icon.
Public Tag
Public tags are tags shared with the AutoFocus community by your organization and other AutoFocus users. They are visible to all AutoFocus users.
Public tags have a gray outline and a tag icon.
Tag Class
A tag can be linked to a particular tag class, which provides more context for the type of threat information that the tag identifies. Special icons indicate whether a tag is associated with a tag class. The icon takes the color of the Tag Type (blue, gray, or orange). For example, a public tag linked to the Malicious Behavior class displays that class's icon in the public tag color.
Tag Class
Description
Malware Family
Related malware is grouped into a malware family. Malware might be considered related based on shared properties or a common function. Malware within a family exhibits similar malicious behaviors to launch an attack.
Campaign
A campaign is a targeted attack which might include several incidents or sets of activities. You can identify a campaign by the malware families that are used to execute an attack.
Actor
An actor is an individual or group that instigates one or more campaigns using malware families.
Exploit
An exploit is an attack, usually in the form of a script, that takes advantage of a software or network weakness, bug, or vulnerability to manipulate the behavior of the system.
Malicious Behavior
Malicious behavior is behavior that is not specific to a malware family or campaign, but indicates that your system has been compromised. An example of malicious behavior is the unauthorized deletion of disk volumes.
Tag samples that exhibit malicious behaviors to flag them for you and other AutoFocus users. You can receive alerts for new unique samples that match the conditions of malicious behavior tags.
Tag Status
On the Tags page, view the status for a specific tag; optionally, select Sort by: Status to sort tags based on the status of the tag.
Tag Status
Description
Enabled
Enabled tags generate alerts when matched to traffic. Alerts based on enabled tags are displayed in the Alerts Log on the dashboard and, if configured, email and HTTP alerts are also sent for enabled tags.
Disabled
Disabled tags are tags that have been disabled automatically after reaching 100,000 hits. This is a quality control measure; tags that are matched to large numbers of samples are too general to be useful in identifying targeted threats. Disabled tags continue to display as a reference—you can continue to view the samples that were matched to that tag, search based on the disabled tag, and view the conditions defined for the tag. However, disabled tags are not applied to future samples.
Removing
The tag owner has deleted the tag, but the deletion is not complete. This status only displays for a short period of time—when the tag deletion completes, the tag is completely removed from the AutoFocus system.
Rescoping
The tag owner has modified the tag visibility to private, public, or anonymously public. This status only displays for a short period of time—as the new tag scope is processed and until the update to the tag scope is complete.
Tag Visibility
There are three types of tag visibility:
• Private—Visible only to your organization (more specifically, only to users associated with the same support account as the tag author).
• Public—Visible to all AutoFocus users. Public tag details include the name of the organization that created the tag.
• Public Anonymously—Visible to all AutoFocus users. However, tags that are anonymously made public do not reveal the organization name in the tag details.
For tags you create, you can set the visibility of the tag and change it at any time.
Private tags and samples can be made public, with the option to revert the tag or sample back to a private status at any time.
Tag Details
You can click any tag to reveal details about that tag, including the set of conditions that is matched to traffic, the last time that set of conditions was detected, and the total number of samples matched to the tag.
For tags that you have created, you can edit tag details, including setting the visibility of the tag to be private, public, or anonymously public.
On the Tags page, click any tag to open the Tag Detail.
Tag Details
Search
To open a search based on the tag, click the Search icon.
Edit
Edit Tag Information.
Delete
Permanently delete a tag. Deleted tags show a Tag Status of Removing after being deleted until the deletion is complete (when the deletion is complete, the tag is no longer available in AutoFocus).
Tag Visibility
(Private Tags Only) Share a tag with other AutoFocus users by making the tag Public. (You can also revert a tag you previously made public, back to a private tag).
By default, tags that you make public will list your organization as the tag Owner in the tag details. To change this default setting so that your organization is not listed as the owner of public tags, select Settings on the AutoFocus navigation pane and select Share public tags anonymously.
You cannot make a tag public if it has search conditions that refer to private information about your sessions. The following Session Artifacts pertain to private information:
• Device Hostname
• Device Serial
• Device vsys
• Destination IP
• Email Recipient Address
• Email Charset
• Email Sender Address
• Email Subject
• File Name
• File URL
• Recipient User ID
• Source IP
The following General Artifacts may pertain to private session information:
• Domain
• Email Address
• Filename
• IP Address
• URL
You also cannot make a tag public if it has a search condition that points to a custom App‐ID you created (Application > is > [custom App‐ID]).
Vote, Comment, and Report
You can Vote for, Comment on, and Report Tags. Tags with the visibility set to private (tags created by and visible only to your organization) do not display these options.
Tag Information
Tag information is searchable and can include some or all of the following details:
• Name—AutoFocus enforces unique tag names within an organization.
• Scope—The tag type is either public, private, or Unit 42.
• Tag Class—The Tag Class associated with the tag.
• Source—Organization or individual that discovered the threat defined in the tag.
• Created—The date and time that the tag was created.
• Updated—The date and time that the tag was most recently modified.
• Owner—Organization that created the tag.
• # Samples—The total number of private and public samples matched to the tag.
• Last Hit—The time at which the most recent sample matched to the tag was detected.
• Votes—The number of up‐votes the tag has received from the AutoFocus community.
• Description—Summary of the threat that tag indicates.
• Related Tags—Tags that share certain conditions, or might indicate similar types of threats.
• Alias—Other names that might refer to threat that the tag defines. You can search on a tag alias to find all samples matched to tags with that alias.
• References—External references provide more information or context for the threat that the tag identifies.
Tag Conditions
• Lists all the conditions against which samples are evaluated.
Note that a tag can have multiple sets of conditions, but a sample only has to match one set of conditions for it to be marked with the tag.
• Search based on a single set of tag conditions:
Click the Search icon in the Actions column to the right of the condition for which you want to open a search. Because you cannot edit the conditions defined for an existing tag, use this option to add conditions from an existing tag to the search editor, modify the conditions, and create a new tag.
• Delete a single set of tag conditions:
Click the Trash icon in the Actions column to delete the set.
• Search with all tag conditions:
Click the Search All icon after the last set of tag conditions to add all of the tag conditions to a new search.
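The condition-matching rule above (a sample is tagged when every condition in any one condition set matches) and the public-sharing rules under Tag Visibility, as an added example that is not AutoFocus product code: a small Python model that evaluates a tag's condition sets against samples, disables the tag at 100,000 hits, and refuses public sharing when a condition uses a private session artifact or a custom App‐ID. The Condition and Tag classes, the is/contains operators, the CUSTOM_APP_IDS set and every sample value are constructed for this example.

```python
"""Added example, not AutoFocus code: models the tag rules stated in the guide.
OR across condition sets, AND within a set; auto-disable at 100,000 hits;
private session artifacts and custom App-IDs block public sharing."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Session artifacts the guide lists as pertaining to private information.
PRIVATE_SESSION_ARTIFACTS = {
    "Device Hostname", "Device Serial", "Device vsys", "Destination IP",
    "Email Recipient Address", "Email Charset", "Email Sender Address",
    "Email Subject", "File Name", "File URL", "Recipient User ID", "Source IP",
}
# General artifacts the guide says MAY pertain to private session information;
# this example flags them for review instead of blocking outright.
PRIVATE_GENERAL_ARTIFACTS = {"Domain", "Email Address", "Filename", "IP Address", "URL"}
# Constructed placeholder: custom App-IDs are whatever you defined on your firewall.
CUSTOM_APP_IDS = {"my-internal-app"}
DISABLE_THRESHOLD = 100_000  # guide: tags are disabled automatically at 100,000 hits


@dataclass(frozen=True)
class Condition:
    artifact: str  # e.g. "Domain", "Application", "SHA256"
    op: str        # "is" or "contains" (a subset of the search editor's operators)
    value: str


@dataclass
class Tag:
    name: str
    condition_sets: List[List[Condition]]  # outer list is OR, inner list is AND
    hits: int = 0
    status: str = "Enabled"


def condition_matches(cond: Condition, sample: Dict[str, List[str]]) -> bool:
    """Evaluate one condition against a sample's observed artifact values."""
    values = sample.get(cond.artifact, [])
    if cond.op == "is":
        return cond.value in values
    if cond.op == "contains":
        return any(cond.value in v for v in values)
    raise ValueError(f"unsupported operator: {cond.op}")


def sample_matches_tag(tag: Tag, sample: Dict[str, List[str]]) -> bool:
    """A sample only has to match one complete set of conditions."""
    return any(all(condition_matches(c, sample) for c in cs)
               for cs in tag.condition_sets)


def apply_tag(tag: Tag, samples: List[Dict[str, List[str]]]) -> List[str]:
    """Return the SHA256 of each newly tagged sample; stop once the tag is Disabled."""
    tagged = []
    for sample in samples:
        if tag.status != "Enabled":
            break  # disabled tags are not applied to future samples
        if sample_matches_tag(tag, sample):
            tagged.append(sample["SHA256"][0])
            tag.hits += 1
            if tag.hits >= DISABLE_THRESHOLD:
                tag.status = "Disabled"
    return tagged


def public_sharing_check(tag: Tag) -> Tuple[bool, List[str], List[str]]:
    """Return (can_share, blocking_conditions, conditions_to_review)."""
    blocking, review = [], []
    for cs in tag.condition_sets:
        for c in cs:
            desc = f"{c.artifact} {c.op} {c.value}"
            if c.artifact in PRIVATE_SESSION_ARTIFACTS:
                blocking.append(desc)
            elif c.artifact == "Application" and c.value in CUSTOM_APP_IDS:
                blocking.append(desc + " (custom App-ID)")
            elif c.artifact in PRIVATE_GENERAL_ARTIFACTS:
                review.append(desc)
    return (not blocking, blocking, review)


# Constructed samples and tags for demonstration (hashes are placeholders).
SAMPLES = [
    {"SHA256": ["a" * 64], "Domain": ["cdn.bad-example.test"], "Application": ["web-browsing"]},
    {"SHA256": ["b" * 64], "Domain": ["cdn.bad-example.test"], "Application": ["ssl"]},
    {"SHA256": ["c" * 64], "Application": ["smtp"]},
]
FAMILY_TAG = Tag("ExampleFamily", [
    [Condition("Domain", "contains", "bad-example"), Condition("Application", "is", "web-browsing")],
    [Condition("SHA256", "is", "c" * 64)],
])
SESSION_TAG = Tag("MyHostTag", [[
    Condition("Source IP", "is", "10.0.0.5"),
    Condition("Application", "is", "my-internal-app"),
]])
```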
Next Steps...
• Create a Tag.
• Vote for, Comment on, and Report Tags.
• Enable Alerts by Tag Type.
Create a Tag
There are two ways to create a new AutoFocus tag: tag a sample or tag a set of search conditions.
The visibility of a new tag is set to Private by default.
Create a New Tag
• Tag a sample.
Create a tag for a sample hash to keep track of a sample that exhibits unique behavior or a sample that you need to refer back to later. You can then search for the sample by the tag name instead of its hash.
1. Begin a new search.
2. Click a sample hash to view sample details, and click Add Tag.
You can only click the sample hash for a public sample or any of your private samples.
3. Enter a name for the tag in the search field and click create new.
4. Hover over the new tag, and click the tag name.
5. Edit the Tag Details to supply more information about the tagged sample.
• Tag a search.
Create a tag for a search condition (or a set of search conditions). You can use the tag to search for all samples that match the conditions. Review Tag Visibility for tagging guidelines.
1. Work with the Search Editor to create a set of search conditions.
You cannot create a tag for searches based on tag‐related information (Tag, Tag Alias, Tag Class, Tag Scope, and Tag Source) or the artifact Threat Name.
2. Click the Tag icon to create a tag based on the defined search conditions.
3. Provide a unique tag name and any other information that may be helpful for identifying the tag, and then Tag Results.
• Choose from the following next steps.
• When a tag is created, all past and incoming samples that match the search conditions are tagged; Sample Details display the tags to which the sample is matched.
• Learn more about how to Work with Tags.
• Use the tag to Begin a new search. Search with the tag to view all AutoFocus samples that match the tag conditions.
• Create Alerts to be notified when new samples match the tag.
Work with Tags
• Find Samples by Tag Details
• Filter and Sort Tags
• Find the Top Tags Detected During a Date Range
• See the Top Tags Found with Search Results
Find Samples by Tag Details
On the Search page, you can find and filter samples by different tag‐related artifacts.
Artifact Type
When To Use It
Tag
Find samples matched to a tag.
Tag Alias
Find samples by the Alias field in the Tag Details. The Tag Alias allows the tag owner to specify common names for the threat that the tag identifies. For example, there may be multiple tags related to a single malware family or campaign. In this case, you can use Tag Alias to look for all samples that are linked to a particular malware family or campaign by different tags.
Tag Class
Find samples associated with a particular Tag Class: a Malware Family, a Campaign, an Actor, an Exploit, or a type of Malicious Behavior.
Tag Scope
Filter samples by the scope of their tags: private, public, Unit 42 (alerting), or Unit 42 informational (non‐alerting).
Tag Source
Find samples with tags that are attributed to a particular tag source. The Tag Source is the individual or organization that discovered the threat that the tag identifies. The list of tag sources to choose from is based on all tags with a Tag Visibility that is set to public.
Filter and Sort Tags
Filter and sort tags on the Tags page based on Tag Details.
Filter and Sort Tags
Unified Tag View
Tags are displayed collectively in a single view to enable quick and easy filtering.
• Choose Columns to select which details to display on the Tags page.
• Select a tag detail to Sort by in ascending or descending order. Alternatively, you can click the column header for a tag detail to sort the rows in ascending (up arrow) or descending (down arrow) order.
To find tags with the highest number of matching samples, Sort by: # Samples in descending order. To find tags that have received comments from AutoFocus users recently, Sort by: Last Comment in descending order.
Quick Search
Enter a single value in the quick search field to find matching tags across all tag types.
Advanced Filter
Click on Advanced to find tags based on multiple search conditions, including tag fields, the number of votes a tag has received, and the number of sample hits.
You can start typing the artifact type by which you want to filter tags to narrow down the options in the drop‐down.
Find the Top Tags Detected During a Date Range
On the AutoFocus dashboard, the Top Tags widget lists the twenty tags with the most sample hits during the date range set for the dashboard (see Set the Dashboard Date Range). The list of top tags updates accordingly depending on the context selected (My Organization, My Industry, or All tab). To view all tags, click Tags on the navigation pane.
Find Top Tags Detected During a Date Range
Step 1
Click Dashboard on the navigation pane, and click the My Organization, My Industry, or All tab.
Step 2
Set the Dashboard Date Range to adjust the displayed Malware Download Sessions. The widgets on the dashboard (including the Top Tags widget) automatically update based on the new date range.
Step 3
On the Top Tags widget, select a tag to view tag details, including a description of the sample or conditions that the tag identifies.
You can continue to add the tag to a search.
Step 4
Choose from the following next steps:
• Enable Alerts by Tag Type.
• See the Top Tags Found with Search Results.
• Vote for, Comment on, and Report Tags.
See the Top Tags Found with Search Results
When performing a search, you can view the top tags that AutoFocus matched with the search results.
See the Top Tags Found with Search Results
Step 1
Work with the Search Editor to set up a search.
Step 2
Click the Statistics tab and find the Top Tags widget.
The Top Tags widget displays the 20 tags that AutoFocus matched with the highest number of samples based on your search.
Step 3
Filter the top tags by Tag Types.
Vote for, Comment on, and Report Tags
Though you cannot edit Unit 42 and public tags, you can help to curate the most relevant and useful of these tags by voting for tags you like and adding comments to tags. You can also alert Unit 42 to a tag that you think might be offensive or revealing, and Unit 42 will review the tag.
• Vote for tags—Give up‐votes to tags that provide helpful, accurate information.
• Comment on tags—Provide feedback on tags or share additional, relevant information with the AutoFocus community.
• Report tags—Report tags that are misleading, too general to be meaningful, offensive, or reveal sensitive information. Unit 42 reviews reported tags and finds the tag to either be acceptable or inappropriate:
– Acceptable tags—If Unit 42 determines that the tag is appropriate, the tag status remains public. The user who reported the tag receives an email notification that the tag will continue to remain publicly shared.
– Inappropriate tags—If Unit 42 determines that the tag is inappropriate, they can revert the tag scope to private. The tag will only be visible to the organization that owns the tag and will no longer be publicly shared. The tag author (the user who created the tag originally) and the user who reported the tag as inappropriate will receive an email notification that the tag is no longer publicly visible.
Unit 42 can also permanently delete an inappropriate reported tag. The tag owner receives an email notification when the tag deletion is complete.
The following table describes how to vote for, comment on, and report tags.
Vote for, Comment on, and Report Tags
Step 1
Find tags.
• Click Tags on the navigation pane.
• Click Dashboard and view the Top Tags widget.
Step 2
Select a tag to view tag details.
Vote for a Tag
Click Vote Up to give a tag an up‐vote. You can deselect Vote Up to withdraw an up‐vote at any time.
To view tags that are highly rated by the AutoFocus community, click Tags and sort tags according to Sort by: Up Votes. Select Sort Descending to show the tags with the highest votes.
Report a Tag
Report a tag that is misleading, offensive, or displays sensitive information. Include details as to why you are reporting the tag.
Comment on a Tag
Add a comment to provide feedback on a tag, or to share information regarding the tag with the AutoFocus community.
Assess AutoFocus Artifacts
WildFire™ classifies previously unknown samples as either malware, grayware, or benign, so that you can then block or enforce the newly‐identified traffic according to your security policy needs. When WildFire observes and executes a sample in a WildFire analysis environment, artifacts (such as file properties, behaviors, and activities) are revealed to be associated with the sample.
AutoFocus™ provides a new lens through which you can view the artifacts collected by WildFire. AutoFocus layers statistics over artifacts found to be associated with a sample, to show the number of times the artifact has been seen with other malware, grayware, or benign samples. High‐risk artifacts seen frequently with malware are labeled Suspicious or Highly Suspicious, and artifacts associated with high‐risk behaviors are indicated. If you Forward MineMeld Indicators to AutoFocus, AutoFocus calls attention to sample indicators that match the threat indicators you’ve forwarded.
Find high‐risk artifacts in the File Analysis details of a sample. By default, AutoFocus groups similar artifacts into WildFire static and dynamic analysis sections for easy reference, though you can also view artifacts based on the sample activity timeline in the WildFire analysis environment. Add high‐risk artifacts to a search, or use them to Build an AutoFocus Export List. You can also view a threat summary report, which provides a high‐level overview of threat trends in your network.
• Find High‐Risk Artifacts
• Add High‐Risk Artifacts to a Search or Export List
• Manage Threat Indicators
• Use the Threat Summary Report to Observe Malware Trends
Find High‐Risk Artifacts
To bring your attention to potential threats in your network, AutoFocus provides clues in a sample's WildFire analysis that link the sample to malware or malicious attacks.
Find High‐Risk Artifacts
Step 1
Begin a new search. Check the Tags column for:
• Unit 42 tags—Identify threats and campaigns that pose a direct security risk.
• Indicator tags—Highlight samples with Threat Indicators that match threat indicators that you forwarded to AutoFocus using MineMeld. The tag specifies the number of matching indicators in the sample. Not all sample artifacts are indicators; to determine whether an artifact is an indicator, AutoFocus uses a statistical algorithm based on the tendency of the artifact to be seen predominantly with malware.
Click on the indicator tag to view the matching indicators.
Step 2
Click a sample hash and scan the WildFire analysis details of the sample for signs of maliciousness.
• For every WildFire static and dynamic analysis artifact listed, compare the number of times the artifact has been detected with benign, grayware, and malware samples.
• High‐risk artifacts are displayed with icons to designate them as Suspicious or Highly Suspicious.
• If an activity artifact has proven to be evidence of an Observed Behavior, the behavior risk level is indicated.
• Sample indicators that match threat indicators from MineMeld are highlighted with an indicator icon. Learn more about how to Forward MineMeld Indicators to AutoFocus.
Step 3
View artifacts that match your search conditions (even if they’re not high‐risk), highlighted in the search results.
Step 4
View a summary of Indicators that AutoFocus detected in the sample.
The Indicators tab only lists artifacts that AutoFocus considers indicators based on the tendency of the artifact to be seen predominantly in malware samples. Any indicators that match indicators forwarded to AutoFocus from MineMeld are marked with an indicator tag. Click the tag to view the full list of matches.
Step 5
(Optional) Add High‐Risk Artifacts to a Search or Export List.
Add High‐Risk Artifacts to a Search or Export List
When you Find High‐Risk Artifacts in your search results, you can add these artifacts to your existing search and/or to an export list. You can also view PAN‐DB categorization information, WildFire DNS history, and passive DNS history for domains, URLs, and IP addresses. The following table describes how to search, export, and drill down on file analysis artifacts.
Act on Artifacts
• Add an artifact to a search.
Alternatively, select Add to New Search to launch a new search for the artifact in a separate window, or add a SHA256, IP address, user agent, filename, or URL artifact to a remote search (see Set Up Remote Search).
• Add an artifact to an export list.
See Export AutoFocus Artifacts for steps to build an AutoFocus export list.
• View PAN‐DB categorization, WildFire DNS history, and passive DNS history for an artifact.
Select an IP address, URL, or domain artifact and click Domain and URL info....
See Domain, URL, and IP Address Information for details.
Manage Threat Indicators
View and keep track of all Threat Indicators that you have forwarded to AutoFocus using the MineMeld app. These indicators help you Find High‐Risk Artifacts in your AutoFocus search results. AutoFocus can store up to 180 million indicators, and all dates and times are in Pacific Time (PST/PDT). Filter the indicators by certain attributes and export them to the firewall or other security information and event management (SIEM) platforms through MineMeld.
Manage Threat Indicators Forwarded to AutoFocus
• View all threat indicators forwarded to AutoFocus.
Click Indicators on the navigation pane to access the Indicator Store.
• Filter the indicators.
Add or remove conditions for filtering the displayed indicators. Filter by the following criteria and click Search:
• Upload Source—The app that forwarded the indicator to AutoFocus.
• Type—The type of information that an indicator is (examples: IPv4, Mutex, URL). See Artifact Types for definitions of each indicator type. In addition to what are considered Threat Indicators in AutoFocus, AutoFocus can receive the following additional indicator types from MineMeld: IPv6, registry key, process, filename, SHA256 hash, SHA1 hash, MD5 hash, and Ssdeep fuzzy hash.
• Indicator—The exact value of the indicator.
• Indicator Fragments—A partial value of the indicator. Use this search criterion if you only know part of an indicator.
• Time—The date and time that AutoFocus received the indicator.
• IPv4 > matches—Find an IP address that belongs to a range.
• IPv4 > matches list—Find multiple IP addresses in a range.
• First Seen—The date and time that the indicator was first seen in the threat feed.
• Last Seen—The date and time that the indicator was most recently seen in the threat feed.
• Feed Source—The name of the threat feed from which an indicator was retrieved.
• Confidence—A confidence rating that the feed owner associates with the indicators in a feed. The confidence level is measured on a 0‐100 scale, with 0 indicating that feed contents have not been verified and 100 indicating that the feed contents are confirmed accurate.
• Share Level—The share level that the feed owner associates with the indicator.
• Threat Type—A default value (malicious) that MineMeld assigns to indicators.
• Metadata—Additional information about the indicator that the feed owner provided.
• Expired—If the value is True, the indicator is aged‐out, that is, removed from its source feed. If the value is False, the indicator is active.
• Import or export filters for the indicators.
• Import Search to paste a query for filtering indicators from another AutoFocus user.
• Export Search to share a query for filtering indicators to another AutoFocus user.
• Check how much space for storing indicators is remaining.
View all indicators (remove any existing filters), and check the percentage of indicator storage currently in use. AutoFocus stops receiving indicators from MineMeld when it reaches the maximum number of indicators that it can store (180 million indicators).
Check the status of the indicator storage periodically. If you are close to the maximum limit, Remove indicators from the store.
• Remove indicators from the store.
Click the trash icon to remove all indicators from the store.
To remove only a subset of indicators, first Filter the indicators. Then, click the trash icon to remove only the indicators that match the filter criteria. For example, you can apply the filter Expired > is > True and click the trash icon to remove only expired indicators from the store.
• Use the Indicator Store as a source of indicators for MineMeld.
Create MineMeld Miner to create an AutoFocus artifacts miner that will extract artifacts from the Indicator Store. This is one of the ways to Forward AutoFocus Indicators to MineMeld. If you applied a filter for the indicators before clicking this button, the miner will be configured to extract only indicators that match the filter criteria.
• View additional information about the indicator provided by its source (i.e., the feed owner).
Expand the entry for an indicator to check if the feed owner provided supplementary attributes or metadata about the indicator.
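The filter criteria listed above, the Expired > is > True purge and the storage check, as an added example that is not AutoFocus or MineMeld code: the filters are applied to a constructed in‐memory indicator list in Python. The record layout, the operator names, the AND‐combination of several filter conditions, and every indicator value are assumptions made for this example.

```python
"""Added example, not AutoFocus/MineMeld code: Indicator Store filters
(Type, Indicator, Indicator Fragments, IPv4 matches / matches list,
Confidence, Expired, Feed Source) over a constructed in-memory store."""
import ipaddress
from typing import Any, Dict, List, Tuple

MAX_INDICATORS = 180_000_000  # guide: AutoFocus stops receiving at this count

# Constructed records; keys mirror the filter criteria names in the guide.
# All indicator values are documentation/placeholder values, not real IoCs.
STORE: List[Dict[str, Any]] = [
    {"upload_source": "minemeld", "type": "IPv4", "indicator": "203.0.113.10",
     "confidence": 80, "expired": False, "feed_source": "feed-a", "threat_type": "malicious"},
    {"upload_source": "minemeld", "type": "IPv4", "indicator": "198.51.100.7",
     "confidence": 20, "expired": True, "feed_source": "feed-b", "threat_type": "malicious"},
    {"upload_source": "minemeld", "type": "URL", "indicator": "http://example.test/drop",
     "confidence": 95, "expired": False, "feed_source": "feed-a", "threat_type": "malicious"},
    {"upload_source": "minemeld", "type": "Mutex", "indicator": "Global\\ExampleMutex",
     "confidence": 60, "expired": True, "feed_source": "feed-c", "threat_type": "malicious"},
]

Filter = List[Tuple[str, str, Any]]  # (field, operator, value)


def condition_holds(rec: Dict[str, Any], field: str, op: str, value: Any) -> bool:
    """One filter condition. Operators: is, contains (Indicator Fragments),
    matches (one IPv4 range), matches list (several ranges), >= and <=."""
    actual = rec.get(field)
    if op == "is":
        return actual == value
    if op == "contains":
        return isinstance(actual, str) and value in actual
    if op in ("matches", "matches list"):
        if rec.get("type") != "IPv4":      # range matching only applies to IPv4 records
            return False
        nets = [value] if op == "matches" else list(value)
        ip = ipaddress.ip_address(actual)
        return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)
    if op == ">=":
        return actual is not None and actual >= value
    if op == "<=":
        return actual is not None and actual <= value
    raise ValueError(f"unsupported operator: {op}")


def filter_indicators(store: List[Dict[str, Any]], conditions: Filter) -> List[Dict[str, Any]]:
    """Records for which every condition holds (AND-combination is an assumption)."""
    return [r for r in store if all(condition_holds(r, f, o, v) for f, o, v in conditions)]


def remove_matching(store: List[Dict[str, Any]], conditions: Filter) -> int:
    """Trash-icon behaviour: drop the records matching the current filter, in place."""
    keep = [r for r in store if not all(condition_holds(r, f, o, v) for f, o, v in conditions)]
    removed = len(store) - len(keep)
    store[:] = keep
    return removed


def storage_usage_percent(store: List[Dict[str, Any]]) -> float:
    """Percentage of the 180 million indicator capacity currently in use."""
    return 100.0 * len(store) / MAX_INDICATORS
```

Purging with the filter `[("expired", "is", True)]` is the scripted equivalent of applying Expired > is > True and clicking the trash icon.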
Use the Threat Summary Report to Observe Malware Trends
Generate a threat summary report, which provides a visual overview of threat trends based on your network traffic. You can select the time range upon which the report details will be based. You also have the option to generate a PDF of the report.
• Threat Summary Report Overview
• View Threat Summary Report Details
Threat Summary Report Overview
The threat summary report is a rundown of artifacts that AutoFocus and WildFire associate with malware. You can find the threat summary report in the Reports section of the AutoFocus portal. When you View Threat Summary Report Details for the first time, the report for your support account displays with a default time range of 7 days and the industry you selected when you initially set up your AutoFocus support account.
Report Section
Description
Executive Summary
The Executive Summary consists of the following highlights:
• Malware Applications—The unique number of applications through which malware was delivered. (Application is the App‐ID™ matched to the type of application traffic detected in a session.)
• Total Malware Sessions—The total number of sessions in which WildFire detected a sample with a verdict of malware.
• Tagged Malware Sessions—Out of the total malware sessions, the percentage of sessions linked to samples that received at least 1 tag.
• Tagged Malware Samples—The number of malware samples that received at least 1 tag.
Malware Session Percentage By Day
This chart provides:
• A daily count of sessions associated with malware for devices in your support account.
• The percentage of malware sessions out of the total number of sessions for devices in your support account.
• The percentage of malware sessions out of the total number of sessions for all AutoFocus users in an industry.
• A comparison of the average percentage of malware sessions seen with your account and the average percentage of malware sessions for the industry.
Samples Summary
This chart provides:
• The number of samples grouped by WildFire verdict (malware, grayware, and benign).
• The number of tagged malware samples versus untagged malware samples.
• The percentage of malware samples.
• The percentage of tagged malware samples.
Top Firewalls
The top 10 firewalls on which WildFire detected the most malware sessions.
Top Upload Sources
The top 10 upload sources that submitted your samples to WildFire.
Top Filetypes Per Application
The number of malware sessions for the top 5 most frequently used applications for distributing malware. For each application, the malware sessions are broken down by filetype.
Top Applications
The 10 applications that distributed the most malware samples.
If there are applications in this list that have no legitimate business purpose in your organization, you may want to create a rule on your firewall blocking these applications.
Bottom Applications
The 10 applications that distributed the fewest malware samples.
Top Filetypes
The 10 filetypes most frequently associated with malware samples.
Bottom Filetypes
The 10 filetypes least frequently associated with malware samples.
Top Malware Family Tags
The top 10 Unit 42 and private Malware Family tags that AutoFocus matched to your samples.
Top Campaign Tags
The top 10 Unit 42 and private Campaign tags that AutoFocus matched to your samples.
Top Malicious Behavior Tags
The top 10 Unit 42 and private Malicious Behavior tags that AutoFocus matched to your samples.
Threats by Source Country
A map of countries from which malware sessions originated (refer to the list of Countries and Country Codes). The report highlights the country that sent the most malware sessions.
Threats by Destination Country
A map of countries that malware sessions targeted (refer to the list of Countries and Country Codes). The report highlights the country that received the most malware sessions.
View Threat Summary Report Details
View the threat summary report on the AutoFocus portal or generate a printable PDF of the report. The version of the report on the portal is interactive and lets you see the exact figures that make up the chart data.
View Threat Summary Report Details
Step 1
Click Reports on the navigation pane.
Step 2
Configure the report settings to choose a time period for filtering the report details, and Generate the report.
Your Malware Session Percentage By Day is compared with the figures for your industry.
Step 3
Hover over chart elements to view exact counts or percentages.
Click on a bar in the Top Firewalls or Top Upload Sources chart to add the value to a search.
Step 4
For the charts Malware Session Percentage By Day and Top Filetypes Per Application, select which data to display or hide.
Hide filetypes that are seen in larger quantities to view the counts for filetypes that are seen in smaller quantities.
Step 5
Click on a tag to view Tag Details.
Step 6
Click Download PDF to generate a PDF of the report.
Export AutoFocus Artifacts
AutoFocus™ allows you to export artifacts that WildFire™ has frequently detected with malware, such as IP addresses, URLs, or domains. To export artifacts, you must first add artifacts found in AutoFocus to an export list. Then, select some or all of the artifacts in the export list to include them in a comma‐separated value (CSV) file, which you can then import into a security information and event management (SIEM) solution. You can also use the file to dynamically enforce policy on a Palo Alto Networks® firewall.

• Build an AutoFocus Export List
• Create a CSV File
• Use Export Lists with the Palo Alto Networks Firewall
Build an AutoFocus Export List
To Create a CSV File that contains AutoFocus artifacts, first add the artifacts to an export list. You can build multiple export lists in AutoFocus. Grouping artifacts into different export lists allows you to easily generate separate CSV files for them.
Build an AutoFocus Export List
Step 1
Drill down to view the details for samples returned in an AutoFocus search.
1. Begin a new search.
2. Click a sample hash to view sample details.
3. Select an operating system to view activities and behaviors observed when the sample was executed in that WildFire analysis environment.
Step 2
Add artifacts to an export list:
• To add a single artifact to an export list, click the drop‐down for the artifact and select Add to Export List.
• Select multiple artifacts from a WildFire analysis category to add to an export list.
1. Click the drop‐down for a WildFire analysis category and select Select for Export List. This turns the drop‐downs next to the artifacts into checkboxes.
2. Select one or more artifacts from the list.
3. Re‐open the options for the category and select Add Selected to Export List.
• Add all artifacts, all suspicious artifacts, or all highly suspicious artifacts listed for an activity or behavior category to an export list.
Only artifacts that were observed for the operating system selected in Step 1 are added to the export list. To add sample artifacts from a different operating system, repeat Step 1, part 3 and continue.
Step 3
Select an export list for the artifacts:
• Add artifacts to a new export list.
1. Enter a name for the new export list.
2. Click create new. This adds the artifact to the new export list.
• Add an artifact to an existing export list.
Step 4
View all artifacts added to an export list.
Click Exports on the navigation pane and select the export list to which the artifacts were added in Step 3.
• To view the latest artifacts added, select Sort by: Added Time, and click Sort Descending.
• You can also view artifacts based on the WildFire analysis Section from which the artifact is derived. For example, a domain in the export list might have been added from the DNS Activity that WildFire detected for the sample. See the Artifact Types that can appear in each WildFire analysis section.
• You can click any of the column headers to sort the export list in ascending (up arrow) or descending (down arrow) order.
Step 5
(Optional) Remove artifacts from an export list.
• Select artifacts you want to remove and click Delete Selected Items.
• To remove all artifacts from an export list, you do not have to select all the artifacts; you can simply click Delete All Items. Deleting all artifacts also automatically deletes the export list.
Step 6
Prepare a version of the export list to export out of AutoFocus.
Create a CSV File from the export list.
Create a CSV File
Generate a CSV file from the artifacts that were added to an export list. By default, the CSV file is formatted to contain a single row for each artifact; the row includes full WildFire analysis details for the artifact, and commas separate the WildFire analysis details within each row.
You can format the CSV file to support a block list for a Palo Alto Networks firewall and to export additional artifact metadata.
Create a CSV File Containing AutoFocus Artifacts
Step 1
Build an AutoFocus Export List.
Step 2
Click Exports on the navigation pane.
Step 3
Select an export list to open, and choose artifacts to export:
• Export all artifacts in an export list.
1. Click Export All Items.
2. Verify that the Export Rows option is set to All.
To quickly export all artifacts from the Exports page, click Export in the Actions column of the export list.
• Export artifacts based on the time period they were added to an export list.
1. Click Export All Items.
2. Set Export Rows to In Date Range.
3. Use the Added Time fields to export artifacts based on the date and time range that the artifact was added to the export list.
To quickly export artifacts within a date range from the Exports page, click Export in the Actions column of the export list.
• Export selected artifacts.
1. Select one or more artifacts to export.
2. Click Export Selected Items.
Step 4
(Optional) Format the CSV file to be compatible with a Palo Alto Networks firewall.
Select Formatted for PAN-OS block list.
You can use the CSV file as a dynamic block list (PAN‐OS 7.0 or earlier) or an external dynamic list (PAN‐OS 7.1 or later), but the firewall only supports certain types of artifacts. Learn more about how to Use Export Lists with the Palo Alto Networks Firewall.
Step 5
(Optional) Export additional artifact data. Select Export Metadata.
This option adds the following columns to each artifact row:
• Added Time—The date and time that the artifact was added to the export list.
• Section—The artifact activity category.
• Label—The name of the export list.
• Value—The artifact that was added to the export list.
• SHA256—The SHA256 hash of the sample that the artifact was found with.
• SHA1—The SHA1 hash of the sample that the artifact was found with.
• MD5—The MD5 hash of the sample that the artifact was found with.
• Author Email—The email address of the user who added the artifact to the list.
Step 6
Select Export to generate the CSV file.
Use the CSV file to import AutoFocus data into a security information and event management (SIEM) tool, or Use Export Lists with the Palo Alto Networks Firewall.
Use Export Lists with the Palo Alto Networks Firewall
Export lists provide a way to dynamically enforce policy on a Palo Alto Networks firewall based on AutoFocus artifacts. The following workflow walks you through the process of building an export list designed specifically for the firewall.
Use an AutoFocus Export List with the Firewall
Step 1
Build an AutoFocus Export List.
Dynamic block lists and external dynamic lists on the Palo Alto Networks firewall only support certain artifacts, so you must tailor your export list based on the PAN‐OS software version running on the firewall.
• (PAN‐OS 7.0 or earlier) Dynamic Block List—Build an export list that only contains IP addresses.
• (PAN‐OS 7.1 or later) External Dynamic List—Build an export list that contains only IP addresses, only domains, or only URLs. Learn more about how the firewall supports the three external block list types.
Find IP address, URL, and domain artifacts in the DNS Activity, Connection Activity, and HTTP Activity detected during the WildFire analysis of a sample.
Step 2
Create a CSV File formatted for the firewall.
Verify that the artifacts you plan to export are supported on the firewall (IP addresses only for a dynamic block list in PAN‐OS 7.0 or earlier; IP addresses only, URLs only, or domains only for an external dynamic list in PAN‐OS 7.1 or later).
Before you export the artifacts, make sure that Formatted for PAN-OS block list is selected.
CSV files that are formatted for a PAN‐OS block list might display artifacts in an order that is different from how they appear in the AutoFocus export list.
Step 3
Use the generated CSV file with the firewall.
• Set up a dynamic block list (firewalls running PAN‐OS 7.0 or earlier).
• Set up an external dynamic list (firewalls running PAN‐OS 7.1 or later).
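As an added example (not AutoFocus or PAN-OS code), the following Python audits an export-list CSV produced with Export Metadata and renders one list as block-list content, one entry per line, enforcing the single-type rule described above and under Create a CSV File: IP addresses only for a PAN-OS 7.0 or earlier dynamic block list; IP addresses only, domains only, or URLs only for a 7.1 or later external dynamic list. The column names are the metadata columns the guide lists; the rows, hashes, addresses and the `edl-*` list names are constructed sample data.

```python
import csv
import io
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Columns that "Export Metadata" adds to each artifact row, as listed in the guide.
METADATA_COLUMNS = ["Added Time", "Section", "Label", "Value",
                    "SHA256", "SHA1", "MD5", "Author Email"]

# Constructed sample rows (Added Time, Section, Label, Value). Addresses and names use
# documentation ranges and reserved TLDs; they are not real indicators.
SAMPLE_ROWS = [
    ("2017-06-01 10:15:00", "Connection Activity", "edl-ips", "203.0.113.10"),
    ("2017-06-01 10:16:00", "Connection Activity", "edl-ips", "198.51.100.7"),
    ("2017-06-01 10:17:00", "DNS Activity", "edl-ips", "c2.example"),  # a domain in an IP-only list
    ("2017-06-01 10:18:00", "HTTP Activity", "edl-urls", "http://c2.example/update"),
    ("2017-06-01 10:19:00", "DNS Activity", "edl-domains", "c2.example"),
    ("2017-06-01 10:19:00", "DNS Activity", "edl-domains", "c2.example"),  # duplicate entry
]


def build_sample_csv():
    """Write the constructed rows in the metadata layout; hashes are zero-filled placeholders."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(METADATA_COLUMNS)
    for added, section, label, value in SAMPLE_ROWS:
        writer.writerow([added, section, label, value,
                         "0" * 64, "0" * 40, "0" * 32, "[email protected]"])
    return buf.getvalue()


# Hostname labels of 1-63 characters, no leading or trailing hyphen, at least one dot.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I)


def classify(value):
    """Map one artifact Value to the list type it fits: 'ip', 'domain', 'url' or 'unsupported'."""
    try:
        ipaddress.IPv4Address(value)
        return "ip"
    except ValueError:
        pass
    if "://" in value:
        parsed = urlparse(value)
        return "url" if parsed.scheme in ("http", "https") and parsed.netloc else "unsupported"
    return "domain" if DOMAIN_RE.match(value) else "unsupported"


def audit_export_lists(csv_text):
    """Per export list (Label column): drop duplicate Values, classify each one, and report the
    dominant type together with the entries that would break a single-type firewall list."""
    per_label = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        label, value = row["Label"], row["Value"].strip()
        entry = per_label.setdefault(label, {"kinds": defaultdict(list), "seen": set()})
        if value in entry["seen"]:
            continue  # a block list needs each entry only once
        entry["seen"].add(value)
        entry["kinds"][classify(value)].append(value)
    report = {}
    for label, entry in per_label.items():
        usable = {k: v for k, v in entry["kinds"].items() if k != "unsupported"}
        kind = max(usable, key=lambda k: len(usable[k])) if usable else None
        rejected = [v for k, vs in entry["kinds"].items() if k != kind for v in vs]
        report[label] = {"kind": kind, "entries": usable.get(kind, []), "rejected": rejected}
    return report


def _version(pan_os):
    return tuple(int(part) for part in pan_os.split("."))


def edl_text(report, label, pan_os="8.0"):
    """Render one audited export list as block-list content (one entry per line). Refuses a list
    that mixes types, and anything but IP addresses for a PAN-OS 7.0 or earlier block list."""
    info = report[label]
    if info["rejected"]:
        raise ValueError(f"{label}: mixed or unsupported entries {info['rejected']}")
    if _version(pan_os) < (7, 1) and info["kind"] != "ip":
        raise ValueError(f"{label}: PAN-OS {pan_os} dynamic block lists take IP addresses only")
    return "\n".join(info["entries"]) + "\n"


if __name__ == "__main__":
    audited = audit_export_lists(build_sample_csv())
    for name, info in audited.items():
        print(f"{name}: type={info['kind']} entries={len(info['entries'])} rejected={info['rejected']}")
    print(edl_text(audited, "edl-domains"), end="")
```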
AutoFocus Apps
AutoFocus™ supports MineMeld, an open‐source threat intelligence processing tool that you can run as an app on the AutoFocus portal. With AutoFocus‐hosted MineMeld, you can manage threat indicators from AutoFocus and from external sources of threat intelligence in one central location. The MineMeld app enriches AutoFocus data, calling attention to samples with artifacts that match indicators from external sources. The ability to use MineMeld directly in AutoFocus allows you to expand the scope of your threat research with minimal effort.

• MineMeld
MineMeld
MineMeld is a threat intelligence processing tool that extracts indicators from various sources and compiles the indicators into multiple formats compatible with AutoFocus, the Palo Alto Networks® next‐generation firewall, and other security information and event management (SIEM) platforms.

• Introduction to MineMeld
• Start, Stop, and Reset MineMeld
• Use AutoFocus‐Hosted MineMeld
• Create a Minemeld Node
• Connect MineMeld Nodes
• Delete a MineMeld Node
• AutoFocus Prototypes
• Forward MineMeld Indicators to AutoFocus
• Forward AutoFocus Indicators to MineMeld
• Use AutoFocus Miners with the Palo Alto Networks Firewall
• Troubleshoot MineMeld
Introduction to MineMeld
Using threat intelligence to enforce security policy poses several challenges. Sources of threat indicators often place indicators in multiple formats or format them inconsistently. Using indicators from multiple sources and packaging them into different formats requires a large investment of time and effort, especially as you discover new sources of indicators. It is also difficult to keep track of updates to threat indicator sources, since they are updated at different times and not always on a regular basis. MineMeld automates many of these manual processes so you can use indicators to dynamically enforce policy with your firewall or to investigate threats with AutoFocus.
Three types of MineMeld nodes make it possible to automate the flow of indicators from source to destination:
• Miners extract indicators from sources of threat intelligence, such as a threat indicator feed or a threat intelligence service like AutoFocus.
• Processors receive indicators from miners and can aggregate indicators, eliminate duplicated indicators, and merge different sets of metadata for the same indicator. For example, a common type of processor is one that receives only IPv4 indicators.
• Outputs receive indicators from processors. Output nodes format the indicators and allow MineMeld to dynamically send the indicators to one or more destinations (for example, MineMeld can send indicators from external threat feeds to AutoFocus or the firewall).
Nodes are the building blocks of MineMeld, and you can create the most basic MineMeld connection by connecting a single miner node to a processor node and connecting the processor node to an output node.
MineMeld provides pre‐built miner, processor, and output prototypes, which are templates you can use to create a node. There are AutoFocus‐specific prototypes, which you can use to create miner nodes that use AutoFocus as a source of threat indicators (see Forward AutoFocus Indicators to MineMeld) or output nodes that send threat indicators to AutoFocus (see Forward MineMeld Indicators to AutoFocus). For more information on MineMeld basics, view a Quick Tour of the MineMeld Default Configuration.
Start, Stop, and Reset MineMeld
Before you begin to use MineMeld, learn how to start, stop, or reset the MineMeld app.
Start, Stop, and Reset MineMeld
Step 1
Click Apps on the navigation pane.
Step 2
Choose from the following options:
• Start MineMeld.
A progress bar indicates that MineMeld is deploying. You can Use AutoFocus‐Hosted MineMeld when the deployment is complete. The initial MineMeld deployment may take several minutes.
• Stop the running instance of MineMeld.
Stop MineMeld from retrieving, processing, and delivering indicators to output nodes. To re‐open the previously deployed instance of MineMeld, you must Start MineMeld again.
• Reset MineMeld to its default configuration.
When you reset MineMeld, you permanently delete any nodes or customizations you made within the app. However, if you reset MineMeld after you Forward MineMeld Indicators to AutoFocus, AutoFocus continues to store the forwarded indicators from deleted nodes.
If you use MineMeld to forward indicators to an external dynamic list on a Palo Alto Networks firewall and reset MineMeld, you must update the external dynamic list with a new link from MineMeld.
Use AutoFocus‐Hosted MineMeld
MineMeld is available on a per support account basis. Use MineMeld to Find High‐Risk Artifacts and gain more visibility into threats on your network. When MineMeld is running, it extracts and processes indicators based on the nodes that are connected.
Use AutoFocus‐Hosted MineMeld
Step 1
Click Apps on the navigation pane, and Start MineMeld.
A link to MineMeld displays on the navigation pane when MineMeld starts deploying.
Step 2
Access MineMeld from the navigation pane.
Step 3
Choose from the following actions:
• Get an overview of miner, processor, and output nodes currently in use on the Dashboard.
When using MineMeld for the first time (or after resetting it), the default configuration of nodes sends IP addresses, URLs, and domains from a set of block lists to the Indicator Store, a storage space in AutoFocus for external indicators. Click Indicators on the navigation pane to view the Indicator Store.
• View a library of miner, processor, and output Prototypes you can clone to Create a Minemeld Node.
• View a complete list of Nodes you’ve created.
• Choose other nodes from which a node will receive indicators. Edit the inputs of the node Config to Connect MineMeld Nodes. The Config tab also allows you to Delete a MineMeld Node.
• View the Logs, which is a record of indicators that MineMeld extracted from feed sources.
For more guidance on how to use MineMeld, see MineMeld.
Create a Minemeld Node
Evaluate which sources of indicators you want to use and where to forward the indicators after MineMeld processes them. You can then create miner, processor, and output nodes based on this information.
Create a MineMeld Node
Step 1
Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
Step 2
Click MineMeld on the navigation pane.
Step 3
Click Prototypes.
Step 4
Select a prototype from the list. If you know the name of the prototype, use the Search field to quickly find the prototype.
Create nodes based on AutoFocus Prototypes to Forward MineMeld Indicators to AutoFocus or to Forward AutoFocus Indicators to MineMeld.
Step 5
Clone the prototype to create a new node from it.
Step 6
Complete the required fields for the node:
• Give the node a descriptive Name.
• (Processor and output nodes only) Select one or more miner and/or processor nodes that the node will use as Inputs. The node will receive indicators from the inputs you select.
Step 7
Click Ok. MineMeld switches to the Config tab automatically, which lists your newly created node.
Step 8
Commit to save the new node.
Step 9
Find the new node in the list of Nodes to verify that it was saved successfully.
An exclamation point ( ‘!’ ) next to the node name indicates that you must Complete additional required fields for a node.
Step 10
Complete additional required fields for a node.
1. Hover over the exclamation point to see which fields are required.
2. Click the node entry to view the node details.
3. Enter or select a value for the required fields, and click Nodes to verify that the exclamation point is gone.
Step 11
Connect MineMeld Nodes to begin sending indicators to a destination.
Connect MineMeld Nodes
After you Create a Minemeld Node, connect miner, processor, and output nodes to each other to set the direction of the flow of indicators.
Connect MineMeld Nodes
Step 1
Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
Step 2
Click MineMeld on the navigation pane.
Step 3
Click Config, and find the node you want to connect to another node.
Step 4
Edit the Inputs for the node.
To establish the connection between miner, processor, and output nodes, you must:
• Select one or more miners from which a processor will receive indicators.
• Select which processors will send indicators to an output.
Step 5
Commit to save your changes.
Step 6
View the flow of indicators that the node is part of.
1. View the list of Nodes.
2. Find the node in the list, and view the Graph ( * ) for it. Larger nodes process more indicators than smaller nodes.
Step 7
Share your MineMeld nodes and node connections with another MineMeld user.
Select the Config tab, and click Export. When you share the code that this generates with other MineMeld users, they can Import it into their MineMeld instance.
Use the MineMeld import feature to quickly load another user’s nodes and node connections into your MineMeld instance. Importing a configuration replaces any nodes or node connections you have previously created.
Delete a MineMeld Node
Delete a node if you Create a Minemeld Node and decide that you no longer need to use it. Before you delete a node, be mindful of the nodes to which it is connected to ensure that you don’t accidentally cut off a desired flow of indicators to an output.
Delete a MineMeld Node
Step 1
Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
Step 2
Click MineMeld on the navigation pane.
Step 3
Click Config.
Step 4
Find the node you want to delete. If you know the name of the node, use the Search field to quickly find the node.
Check the node inputs and verify that you can delete the connection to these inputs.
Step 5
Click x, and then click Ok to confirm that you want to delete the node.
Step 6
Commit to delete the node.
Step 7
Check that the node no longer appears in the list of Nodes to verify that it was deleted successfully.
AutoFocus Prototypes
The following AutoFocus‐specific prototypes allow you to Forward MineMeld Indicators to AutoFocus and Forward AutoFocus Indicators to MineMeld. To view the default behavior for a prototype, select the prototype from the Prototypes tab in MineMeld and view the configuration (Config) details. The prototypes below have default intervals for extracting and aging out indicators. When an indicator is aged out, MineMeld withdraws the indicator from the outputs that received it.
Prototype: Samples Miner
Description: The samples miner extracts Threat Indicators from samples that meet the conditions of an AutoFocus search. You must set the search conditions when you create this miner node. The samples miner does not extract all sample artifacts; it only extracts statistically important artifacts that AutoFocus has determined to be indicators based on their tendency to be seen with malware.
Default Behavior:
• Accepts all indicator types.
• Initially extracts indicators from samples that meet the criteria of the search based on the last 24 hours.
• After the initial poll for indicators, extracts indicators from samples every hour.
• Each time this miner extracts indicators, it only extracts indicators from the first 10,000 samples.
• Only forwards indicators that it has not seen previously.
• Ages out indicators 24 hours after the last time they were seen in the sample search results.
Prototype: Artifacts Miner
Description: The artifacts miner extracts indicators from external sources that are currently stored in the AutoFocus Indicator Store (see Manage Threat Indicators). You must connect this miner to a processor and output node to forward the indicators to a destination outside of AutoFocus, such as a Palo Alto Networks firewall or other SIEM platforms.
Default Behavior:
• Accepts all indicator types.
• Initially extracts indicators that were added to the Indicator Store in the last 24 hours.
• After the initial poll for indicators, extracts indicators from the store every hour.
• Only forwards indicators that it has not seen previously.
• Ages out indicators 30 days after the last time they were added or updated in the Indicator Store, or as soon as an indicator is marked as expired in the store. Expired indicators are indicators that have been removed from the feed from which they came.
Prototype: Artifacts Output
Description: The artifacts output sends indicators from external threat intelligence sources directly to the AutoFocus Indicator Store (see Manage Threat Indicators). AutoFocus highlights indicators in your samples that match the indicators in the store, allowing you to Find High‐Risk Artifacts.
Default Behavior:
• Accepts all indicator types.
• Does not allow you to use the artifacts miner to send indicators back to the Indicator Store.
Prototype: Export List Miner
Description: The export list miner sends artifacts from an AutoFocus export list to a destination outside of AutoFocus. Unlike the other AutoFocus prototypes, the export list miner can be used in either AutoFocus‐hosted MineMeld or a MineMeld instance you deployed in your own environment.
Default Behavior:
• Accepts IPv4, URL, and domain indicators.
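The forward and age-out rules in the table above, modelled as an added example in Python (not MineMeld's own code): a miner forwards an indicator only the first time it sees it, refreshes last-seen on every poll, and withdraws it from downstream nodes once the age-out interval has passed or the source marks it expired; a processor that accepts only IPv4 indicators withdraws an indicator from the output only when no miner still advertises it. The node classes, method names, timeline and sample indicators are constructed for illustration and are not MineMeld's API.

```python
import ipaddress
from datetime import datetime, timedelta


class FeedOutput:
    """Output node: holds the indicator set an EDL-style feed would currently serve."""
    def __init__(self):
        self.current = set()

    def update(self, indicator):
        self.current.add(indicator)

    def withdraw(self, indicator):
        self.current.discard(indicator)

    def feed_text(self):
        """One indicator per line, the shape an external dynamic list expects."""
        return "".join(f"{i}\n" for i in sorted(self.current))


class IPv4Processor:
    """Processor node: accepts only IPv4 indicators and merges duplicates from several miners."""
    def __init__(self, output):
        self.output = output
        self.advertisers = {}  # indicator -> names of miners that still advertise it

    def update(self, miner, indicator):
        try:
            ipaddress.IPv4Address(indicator)
        except ValueError:
            return False  # domains, URLs and hashes are not this processor's type
        holders = self.advertisers.setdefault(indicator, set())
        if not holders:
            self.output.update(indicator)  # first miner to report it: push downstream
        holders.add(miner)
        return True

    def withdraw(self, miner, indicator):
        holders = self.advertisers.get(indicator)
        if holders is None:
            return
        holders.discard(miner)
        if not holders:  # withdraw downstream only when no miner still advertises it
            del self.advertisers[indicator]
            self.output.withdraw(indicator)


class Miner:
    """Miner node with the table's defaults: forward an indicator only the first time it is
    seen, refresh last-seen on every poll, age it out `max_age` after the last sighting."""
    def __init__(self, name, processor, max_age):
        self.name, self.processor, self.max_age = name, processor, max_age
        self.last_seen = {}

    def poll(self, now, indicators):
        new = []
        for indicator in indicators:
            if indicator not in self.last_seen:
                new.append(indicator)
                self.processor.update(self.name, indicator)
            self.last_seen[indicator] = now
        return new

    def age_out(self, now, expired=()):
        """Withdraw indicators unseen for `max_age`, plus any the source has marked expired."""
        gone = [i for i, seen in self.last_seen.items()
                if now - seen >= self.max_age or i in expired]
        for indicator in gone:
            del self.last_seen[indicator]
            self.processor.withdraw(self.name, indicator)
        return gone


def run_scenario():
    """Constructed timeline: a samples miner (24 h age-out) and an artifacts miner (30 day
    age-out) feed one IPv4 processor and one output. Addresses are documentation ranges."""
    t0 = datetime(2017, 6, 5, 0, 0)
    feed = FeedOutput()
    processor = IPv4Processor(feed)
    samples = Miner("samples", processor, timedelta(hours=24))
    artifacts = Miner("artifacts", processor, timedelta(days=30))
    events = {}
    # First hourly poll: two IPv4 addresses reach the feed; the processor drops the domain.
    events["poll1"] = samples.poll(t0, ["203.0.113.10", "198.51.100.7", "c2.example"])
    # Second poll: only the unseen address is forwarded; 198.51.100.7 just gets a fresh last-seen.
    events["poll2"] = samples.poll(t0 + timedelta(hours=1), ["198.51.100.7", "192.0.2.44"])
    # The Indicator Store also holds 192.0.2.44: the processor merges it instead of re-forwarding.
    events["store"] = artifacts.poll(t0, ["192.0.2.44"])
    # 24 h after t0: everything the samples miner last saw at t0 ages out and leaves the feed.
    events["aged"] = samples.age_out(t0 + timedelta(hours=24))
    # The store marks 192.0.2.44 expired: the artifacts miner withdraws it at once, but it stays
    # in the feed because the samples miner still advertises it.
    events["expired"] = artifacts.age_out(t0 + timedelta(hours=24), expired={"192.0.2.44"})
    events["feed"] = feed.feed_text()
    return events


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value!r}")
```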
Forward MineMeld Indicators to AutoFocus
Use an AutoFocus Artifacts Output node to store indicators from one or more threat intelligence sources in AutoFocus. When you view the WildFire analysis details for samples in your search results, AutoFocus highlights sample indicators matching the indicators that MineMeld forwarded.
Forward Indicators from MineMeld into AutoFocus
Step 1
Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
Step 2
Create a Minemeld Node that will receive processed indicators and send them to AutoFocus.
Create an output node based on the prototype autofocus.artifactsOutput.
Step 3
Connect MineMeld Nodes (miner and processor) to the output node you just created.
Step 4
Click Indicators on the navigation pane to view the Indicator Store and Manage Threat Indicators that MineMeld forwarded. The Indicator Store has space for up to 180 million indicators.
You can now easily spot sample indicators that match MineMeld indicators when you Find High‐Risk Artifacts.
Forward AutoFocus Indicators to MineMeld
Use MineMeld to send indicators from AutoFocus to the firewall and other SIEM platforms. Learn more about how you can Use AutoFocus Miners with the Palo Alto Networks Firewall.
Forward AutoFocus Artifacts to MineMeld
• Use an AutoFocus Samples Miner to forward indicators from sample search results.
1. Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
2. Work with the Search Editor to set up a search.
3. Create MineMeld Miner from the search page. The node details include:
a. Name—Give the miner a descriptive name.
b. Prototype—The prototype is pre‐selected (autofocus.samplesMiner).
c. Query—This field is pre‐populated with the conditions of your search.
d. Scope—Select the scope of the search results: global, private, and public.
e. Artifacts—Select which indicators AutoFocus will forward to MineMeld: Any indicators, only indicators that match MineMeld indicators, or None (MineMeld only extracts hashes from the sample search results).
f. Connect to Processors—Select processors that will receive indicators from the miner.
If you select a Scope of global, the miner extracts indicators from your private samples and public samples from you and other AutoFocus users; it does not extract indicators from other users’ private samples.
4. Connect MineMeld Nodes (processor and output) to the miner you just created.
• Use an AutoFocus Artifacts Miner to forward indicators from external sources stored in AutoFocus (see Manage Threat Indicators) to a destination outside of AutoFocus.
1. Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
2. Click Indicators on the navigation pane and optionally, Filter the indicators.
3. Create MineMeld Miner. The node details include:
a. Name—Give the miner a descriptive name.
b. Prototype—The prototype is pre‐selected (autofocus.artifactsMiner).
c. Query—If you filtered the indicators, this field is pre‐populated with the filter you used.
d. Connect to Processors—Select processors that will receive indicators from the miner.
4. Connect MineMeld Nodes (processor and output) to the miner you just created.
• Use an AutoFocus Export List Miner to forward indicators from an AutoFocus export list.
You can use the AutoFocus export list miner in AutoFocus‐hosted MineMeld or in a MineMeld instance you deployed in your own environment. The default behavior of the miner is the same in either version of MineMeld.
1. Verify that MineMeld is running (see Start, Stop, and Reset MineMeld).
2. Create a Minemeld Node based on the prototype autofocus.exportList.
When completing the additional required fields for the node, provide your AutoFocus API Key and the Label of the export list from which MineMeld will extract indicators.
Use AutoFocus Miners with the Palo Alto Networks Firewall
Use AutoFocus miners to dynamically send indicators from AutoFocus to an external dynamic list on a PAN‐OS 8.0 firewall.
Use MineMeld to Forward AutoFocus Indicators to the Firewall
Step 1
Add the root certificate authority (CA) certificate for MineMeld to the firewall.
1. Download the GoDaddy Class 2 Certification Authority Root Certificate: https://certs.godaddy.com/repository/gd-class2-root.crt
2. On the firewall, select Device > Certificate Management > Certificates.
3. Import the certificate to the firewall.
a. Give the certificate a descriptive name.
b. Browse for the certificate file and attach the GoDaddy certificate you downloaded.
c. Click OK.
Step 2
Create a certificate profile for the MineMeld root CA certificate.
1. On the firewall, select Device > Certificate Management > Certificate Profile.
2. Add a new certificate profile.
a. Give the certificate profile a descriptive name.
b. Click Add, select the certificate name from the CA Certificate drop‐down, and click OK.
c. Click OK.
Step 3
Configure the MineMeld nodes that will send indicators to the firewall.
This procedure focuses on using AutoFocus miners to forward indicators to an external dynamic list; however, you can use other MineMeld miners that extract IPv4 addresses, domains, and URLs to forward indicators to an external dynamic list.
1. Use an AutoFocus samples or artifacts miner to Forward AutoFocus Indicators to MineMeld.
2. In MineMeld, Connect MineMeld Nodes (AutoFocus miner and processor) to an output that can feed indicators to an external dynamic list on the firewall.
To find outputs that you can use with an external dynamic list, view the list of MineMeld Prototypes and search with the keyword EDL.
3. Restrict access to the indicators.
a. Select the output node you plan to use with an external dynamic list from the list of Nodes.
b. Click Tags, enter a tag name to use with the output node, and click OK.
c. Click Admin, and select the Feeds Users tab.
d. Click (+) to add a new user profile for accessing the indicators from the output node.
e. Create a username and password, confirm the password, and click OK.
f. Grant the user you just created access to the output node. In the Access setting for the user, select the tag for the output node and click OK.
Step 4
Configure the firewall to access an external dynamic list based on the indicators from the AutoFocus miners.
Follow the steps to add a new external dynamic list to the firewall and observe the following guidelines:
• Enter the MineMeld‐provided link from the output node as the Source of the external dynamic list. To find this link in MineMeld, select the output node from the list of Nodes and copy the Feed Base URL link.
• Select the Certificate Profile you created for the MineMeld root CA certificate.
• Select Client Authentication, and enter the username and password for the user you created in the previous step.
Step 5
Verify that the firewall can receive indicators from the AutoFocus miners.
On the firewall, retrieve entries for the external dynamic list you added and view the list entries.
Troubleshoot MineMeld
Refer to the procedures below to troubleshoot issues with MineMeld.
Troubleshoot MineMeld Issues
• Free up disk space on MineMeld
© Palo Alto Networks, Inc.
A red dot appears on the System tab when there is only 30% of disk space remaining in MineMeld. To continue using MineMeld with logging enabled, you must free up more disk space.
1.
In MineMeld, click the System tab.
2.
A warning message notifies you that disk space is low. Verify the disk status.
3.
Purge Logs.
This deletes logs of internal system processes on MineMeld; this does not delete the record of indicators that nodes received or indicators that were aged‐out in the Logs tab.
• Force an AutoFocus samples or artifacts miner to retrieve indicators.
For a samples or artifacts miner, the default interval for retrieving and forwarding indicators to a processor is 1 hour. To trigger the miner to retrieve indicators immediately, follow the steps below.
1. In MineMeld, select the samples or artifacts miner from the list of Nodes.
2. Click Run Now to start retrieving indicators.
As the node retrieves indicators, the # Indicators count goes up.
3. Track all indicator activity associated with a node.
• Force an AutoFocus samples or artifacts miner to age out indicators.
When a miner node ages out indicators, it withdraws those indicators from the outputs that received them. The samples miner has a default age‐out interval of 24 hours, while the artifacts miner has a default interval of 30 days. To trigger these miners to age out indicators immediately, follow the steps below.
1. In MineMeld, select the samples or artifacts miner from the list of Nodes.
2. Flush indicators.
3. Track all indicator activity associated with a node.
• Track all indicator activity associated with a node.
1. In MineMeld, select a node from the list of Nodes.
2. View the node Stats. By default, the statistics displayed are based on indicator activity from the last 24 hours.
a. Compare the counts from different points in the Indicators graph to determine the number of new indicators that the node processed during a time range. A drop in the graph indicates that some indicators associated with the node were aged out.
b. View the trend of indicators that the node added, aged out, updated, and withdrew from other nodes.
3. Change the Time Range to view indicator stats for a shorter or longer time period.
• Track indicators that were successfully received by a node and indicators that were aged out.
View the MineMeld logs to determine if an indicator was successfully received by a node or aged out.
1. View the logs for a specific indicator.
a. In MineMeld, click the Logs tab.
b. In the search field, enter indicator:[indicator value] and click the spyglass to launch the search.
c. Evaluate the logs for the indicator based on the following log messages.
EMIT_UPDATE—A log of a node sending an indicator (or an indicator update) to another node.
ACCEPT_UPDATE—A log of a node successfully receiving an indicator from another node.
EMIT_WITHDRAW—A log of a node aging out an indicator.
ACCEPT_WITHDRAW—A log of a node accepting a request from another node to withdraw an aged out indicator.
2. View the logs for a specific node.
a. Click the Nodes tab and select a node.
b. View all Logs of indicator activity related to the node.
c. Click on a log message or indicator tag to filter the logs further.
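The following is an added example, not part of this guide or of MineMeld itself, that applies the four log messages above (and the Stats trend described under "Track all indicator activity") to a few constructed log lines: it flags indicators a miner emitted that no downstream node accepted, reports which indicators were aged out, and recomputes the per-node indicator count whose drops correspond to age-outs. The line format "<timestamp> <node> <MESSAGE> indicator=<value>", the node names, and the indicator values are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines; the format "<timestamp> <node> <MESSAGE> indicator=<value>"
# is an assumption, not MineMeld's real layout. Adjust LOG_RE to match what the Logs tab shows.
SAMPLE_LOGS = """\
2017-06-05T10:00:01 autofocus_samples_miner EMIT_UPDATE indicator=198.51.100.10
2017-06-05T10:00:01 aggregator ACCEPT_UPDATE indicator=198.51.100.10
2017-06-05T10:00:02 autofocus_samples_miner EMIT_UPDATE indicator=malicious.example
2017-06-05T10:00:05 autofocus_artifacts_miner EMIT_UPDATE indicator=203.0.113.7
2017-06-05T10:00:05 aggregator ACCEPT_UPDATE indicator=203.0.113.7
2017-06-06T10:00:01 autofocus_samples_miner EMIT_WITHDRAW indicator=198.51.100.10
2017-06-06T10:00:01 aggregator ACCEPT_WITHDRAW indicator=198.51.100.10
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<node>\S+) (?P<msg>EMIT_UPDATE|ACCEPT_UPDATE|EMIT_WITHDRAW|ACCEPT_WITHDRAW) indicator=(?P<ind>\S+)$")

def parse_logs(text):
    """Turn log text into event dicts (ts, node, msg, ind); lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]

def indicator_status(events):
    """Per indicator: emitted by a node, accepted by which nodes, aged out, withdrawal accepted by which nodes."""
    status = defaultdict(lambda: {"emitted": False, "received_by": set(),
                                  "aged_out": False, "withdraw_accepted_by": set()})
    for e in events:
        s = status[e["ind"]]
        if e["msg"] == "EMIT_UPDATE":
            s["emitted"] = True
        elif e["msg"] == "ACCEPT_UPDATE":
            s["received_by"].add(e["node"])
        elif e["msg"] == "EMIT_WITHDRAW":
            s["aged_out"] = True
        elif e["msg"] == "ACCEPT_WITHDRAW":
            s["withdraw_accepted_by"].add(e["node"])
    return dict(status)

def undelivered(status):
    """Indicators a node emitted that no downstream node accepted: the case to investigate first."""
    return sorted(i for i, s in status.items() if s["emitted"] and not s["received_by"])

def active_count(events, node):
    """Indicators held by `node` after each event logged for it; a drop here is what the Stats graph shows on age-out."""
    held, series = set(), []
    for e in (e for e in events if e["node"] == node):
        if e["msg"] == "ACCEPT_UPDATE":
            held.add(e["ind"])
        elif e["msg"] == "ACCEPT_WITHDRAW":
            held.discard(e["ind"])
        series.append(len(held))
    return series
```

On the constructed input, undelivered() returns the one indicator (malicious.example) that was emitted but never accepted, and the aggregator's count series goes 1, 2, 1 as the first indicator is withdrawn.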