Palo Alto Networks Knowledgebase: AutoFocus just got better - find out how!

AutoFocus just got better - find out how!

Created On 02/07/19 23:35 PM - Last Updated 02/07/19 23:36 PM

Welcome! You’ve found a Live Community first look article focused on PAN-OS 8.0. This article highlights a cool new capability or feature, personally selected by one of our very own Live Community engineers. It’s just the start, though. If you’d like to learn more about this topic or PAN-OS 8.0 in-general, you’ll also want to check out our world-class Technical Documentation.

For those of you who are unfamiliar with AutoFocus.  Simply put, the service allows you to prioritize advanced, targeted cyber attacks and will help security teams to take a more strategic approach to secure their organizations.


If you need more information on AutoFocus, then you really need to check out our Products Page, or check out the existing articles and videos here on the Live Community.


Sounds pretty awesome, right? So how could we possibly make this better?


  • Say, for example, that you would like to compare the data received from external IOC (Indicators Of Compromise) seeds to the data you have already available in AutoFocus and correlate this data.
  • Or say you would like to create a custom IOC list for use within your network (for example, to enrich a third-party SIEM software product).


Until today, MineMeld existed as an independent solution, but now we've integrated the awesomeness of MineMeld into AutoFocus, removing the need to deploy a separate host for it in your environment.


For those who don't know MineMeld, it's a threat intelligence processing framework that can be used to collect, aggregate and generate IOCs and make them available for consumption.  It is a Palo Alto Networks open source application available on GitHub and support is provided via the Live Community MineMeld Forum by Palo Alto Networks experts and independent contributors.


For a general overview of MineMeld ,you can go here.


If you are familiar with AutoFocus, you will notice a couple of new menu items on the left side of the portal page:


2017-01-26_09-28-08.jpgAutoFocus menu


The new items are Indicators, Reports, Apps & MineMeld (this last one will only be visible if the service is started).


  • Apps: For now, MineMeld is the only hosted app you will find here. From here, you can Start, Stop or Reset the MineMeld service.  Once the service is started ,you will see the MineMeld menu on the left.  Reset will return the default configuration.

2017-01-26_09-35-25.jpgApps menu

  • MineMeld: This will look very familiar for those of you who already worked with MineMeld.  The dashboard will present you with a summary about all your nodes and the # of indicators that were collected.  You can also navigate to get more node information, output prototypes you can clone to create a MineMeld node, edit nodes, view the logs.


2017-01-26_09-47-06.jpgMineMeld menu

For guidance on how to use MineMeld check out this Live Community section dedicated to MineMeld.


  • Indicators : This is where all the MineMeld collected IOCs will be stored.  Predominantly you will find IP's, domains and URLs here.

2017-01-26_10-41-52.jpgIndicator menu


What is truly awesome here is that you can easily create a new MineMeld miner based on selected criteria using the  MineMeld button.  This will automatically navigate you to the "Add AutoFocus Artifacs Miner" and will have the query already preconfigured for you :


2017-01-26_10-50-25.jpgCreate Miner


The indicators are managed through the MineMeld application. They will be highlighted throughout AutoFocus with the icon.  This gives you high confidence that the sample is indeed bad because it is confirmed by 2 different datasets (AutoFocus & MineMeld).


2017-01-26_11-22-04.jpgAutoFocus - MineMeld correlation


Also new is the Indicators tab in Search result.  This page will give you a consolidated view of all the indicators from the current Samples page.  Here also the  icon will indicate that there is a correlation found between the Indicator store and the samples found within the search.


2017-01-26_11-57-17.jpgIndicators in Search


Similar to the Indicator store, using the MineMeld button, you can easily create a new miner with your matching conditions already preconfigured.   Clicking the MineMeld button will navigate you to the "Add AutoFocus Samples Miner".


2017-01-26_12-16-19.jpgCreate miner


  • Reports : From here you can configure, generate and download a threat summary report which will show you the malware trends in your network.  It also allows you to compare it to other AutoFocus customers in an industry.


2017-01-26_12-32-54.jpgGenerate your report


Below are just a few of many use cases for which you might find this useful:


  • Use miners to get indicators from the SPAMHAUS  Drop feed (which is basically a list of bad IP addresses maintained by SPAMHAUS) and transform it for enforcement by your Palo Alto Networks EDL (External Dynamic List) objects.
  • Use miners to get Office 365 IP addresses provided by Microsoft and dynamically created an EDL list for usage in a security policy.
  • Extract messages from syslog messages and aggregate them with indicators coming from 3rd party.
  • Provide users the ability to create a custom IOC list from the data as collected by AutoFocus (to enrich their own SIEM or enforce). 
  • Import 3rd party indicators to AutoFocus and compare or correlate them with the IOCs from AutoFocus.




  • Print
  • Copy Link

Choose Language