AutoFocus Intelligence Summary
Table of Contents
Expand all | Collapse all
-
- Firewall Overview
- Features and Benefits
- Last Login Time and Failed Login Attempts
- Message of the Day
- Task Manager
- Language
- Alarms
- Commit Changes
- Save Candidate Configurations
- Revert Changes
- Lock Configurations
- Global Find
- Threat Details
- AutoFocus Intelligence Summary
- Configuration Table Export
- Change Boot Mode
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Packet Broker Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > VLANs
- Network > Virtual Wires
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device Setup Ace
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation > IoT
- Device > Policy > Recommendation SaaS
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
- Panorama > Device Registration Auth Key
AutoFocus Intelligence Summary
You can view a graphical overview of threat intelligence
that AutoFocus compiles to help you assess the pervasiveness and
risk of the following firewall artifacts:
- IP Address
- URL
- Domain
- User agent (found in the User Agent column of Data Filtering logs)
- Threat name (only for threats of the subtypes virus and wildfire-virus)
- Filename
- SHA-256 hash (found in the File Digest column of WildFire Submissions logs)
To view the AutoFocus Intelligence Summary window, you must first
have an active AutoFocus subscription and enable AutoFocus threat
intelligence (select DeviceSetupManagement and
edit the AutoFocus settings).
After you’ve enabled AutoFocus intelligence, hover over a log
or external dynamic list artifact to open the drop-down (
) and
then click AutoFocus:
- View Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, and Unified logs (MonitorLogs).
You can also launch an AutoFocus search from the firewall, to
further investigate interesting or suspicious artifacts that you
find.
Field/Button | Description |
---|---|
Search AutoFocus for... | Click to launch an AutoFocus search for
the artifact. |
Analysis Information Tab | |
Sessions | The number of private sessions in which
WildFire detected the artifact. Private sessions are sessions running
only on firewalls associated with your support account. Hover over
a session bar to view the number of sessions per month. |
Samples | Organization and global samples (files and
email links) associated with the artifact and grouped by WildFire
verdict (benign, grayware, malware, phishing). Global refers
to samples from all WildFire submissions, while organization refers
only to samples submitted to WildFire by your organization. Click
on a WildFire verdict to launch an AutoFocus search for the artifact
filtered by scope (organization or global) and WildFire verdict. |
Matching Tags | AutoFocus tags
Hover over a tag to view the tag description
and other tag details. Click a tag to launch an AutoFocus
search for that tag. To view more matching tags for an artifact,
click the ellipsis ( ... ) to launch an AutoFocus search for that
artifact. The Tags column in the AutoFocus search results displays
more matching tags for the artifact. |
Passive DNS Tab The Passive
DNS tab displays passive DNS history associated with the artifact.
This tab only displays matching information if the artifact is an
IP address, domain, or URL. | |
Request | The domain that submitted a DNS request.
Click the domain to launch an AutoFocus search for it. |
Type | The DNS request type (example: A, NS, CNAME). |
Response | The IP address or domain to which the DNS
request resolved. Click the IP address or domain to launch an AutoFocus
search. The Response column does not display private
IP addresses. |
Count | The number of times the request was made. |
First Seen | The date and time that the Request, Response,
and Type combination was first seen based on passive DNS history. |
Last Seen | The date and time that the Request, Response,
and Type combination was most recently seen based on passive DNS
history. |
Matching Hashes Tab The
Matching Hashes tab displays the five most recent private samples
where WildFire detected the artifact. Private samples are samples
detected only on firewalls associated with your support account. | |
SHA256 | The SHA-256 hash for a sample. Click the
hash to launch an AutoFocus search for that hash. |
File Type | The file type of the sample. |
Create Date | The date and time that WildFire analyzed
a sample and assigned a WildFire verdict to it. |
Update Date | The date and time that WildFire updated
the WildFire verdict for a sample. |
Verdict | The WildFire verdict for a sample: benign,
grayware, malware, or phishing. |