How to Use AutoFocus
We have an FAQ on AutoFocus, but the FAQ doesn't show you how to actually use the tool or show you what AutoFocus looks like.
We already know that AutoFocus is a great threat intelligence service that can be used by security operators and first responders to discover important threats on their network and quickly distinguish commodity threats from targeted attacks.
How to use AutoFocus:
Now, let's focus on how to use this great tool.
To access the AutoFocus dashboard page, please visit and sign into:
This dashboard has been designed to be an Ultra-Fast Searching Threat Analysis tool.
The first thing that you will see in the dashboard is the Malware Download Sessions.
This information is broken into 3 tabs: My Organization, My Industry, and All.
It is important to have this distinction to help you understand how threats affect different companies.
By default, you will see My Organization.
If you are just startng out, or have not set up WildFire in your environment, then you may not see anything here.
If that is the case, you may want to switch the view to My Industry or All.
Inside the Malware Download Session area, you will see the time period in the upper right:
This time period is selectable, and you can see the following:
- Last 7 days
- Last 30 days
- Last 90 days
- Last 6 months
- All time
The more information you're looking for, the more you're able to see historically, helping you troubleshoot and issue or at least just to determine how long has something been on your network, or seen in the wild.
Inside the dashboard you will also see more categories, depending on what you have selected at the top:
Select My Organization to see Top Applications, Target Industries, and Top Malware.
Select My Industry to see Top Applications and Top Malware.
Select All to see Top Applications, Target Industries, and Top Malware.
These areas can help indicate what applications are being used for threats, the industries, top firewalls seeing the threats, and the Top Malware that has been seen.
Continuing, you will also see Source/Destination Countries (which is selectable), and Top Tags that are in the wild. You can also choose different Tag Types by selecting Choose Tag Types for selectable options: Unit42, Public, Private and Informational.
Last on the dashboard you will see the Alerts Log and the Recent Unit 42 Research news feed.
The alerts are configurable by selecting "Alerts" on the left hand side of the screen. More details below.
Under Recent Unit 42 Research, you can click on any of the headlines, which will link off to Palo Alto's Unit 42 blog page.
To the left of the dashboard, under Search, you will see Alerts.
Inside the Alerts Log, you will see all of the alerts available.
You will see the time, the SHA256 hash, the Tag associated with it, the Tag Scope and the Send Status (to WildFire).
You can perform a quick search in the upper right, where you can search on every aspect of the logs, name, tag, hash, etc. Almost everything is clickable to provide more detailed information.
For any tags in the Alerts area, hover your mouse over the tag name to see more information on this threat, number of hits, scope, last hit number of votes, as well as have the ability to "vote up" this tag, and to report this threat on your network.
Inside Alerts is the Settings tab.
Inside, you see the Alerts options on Tag Types, the Action you would like (by using the drop down), as well as the Alert Actions you can configure (to be emailed or a web page).
How can AutoFocus help?
Now that you know all of the parts to AutoFocus, how does it help you? How do you use all of this information at your fingertips?
Let's pretend you are a first responder, starting an investigation into one of the latest threats recently talked about by our very own Unit 42 group.
As an example, let's take a look at Unit 42's blog discussing Operation Lotus Blossom:
According to the article, a characteristic of these attacks is:
"They use a custom Trojan backdoor named “Elise” to gain a foothold"
If you want more information about this trojan, then inside AutoFocus, go to the Tags section on the left, and perform a quick search for Elise. Alternitively, there might be a section with tags and a link directly to AutoFocus.
If you click on the tag, Elise, you then see a new window showing tag detail.
Inside the new window, you see the tag owner, # of samples seen, last hit, Tag Class, source, last updated, and the number of votes. It also contains all the process names, DLL calls and its behavior. Also included are actions to search on the specific behavior, and options to vote up and report.
If you wantto read more, go to the "References" section with links to articles about this threat.
Digging even deeper into AutoFocus
To get more information and dig even deeper, click on the magnifying glass at the top of the detail to add this tag to a search window.
My Samples should be highlighed, showing samples that have been supplied from your networks to WildFire. (If you see no results, then that means a particular threat has not been seen inside your network, which is a good thing.)
To continue digging for information on this threat, click the SHA256 hash to one of the artifacts.
This sample screen shows so much great information.
To start off, we have the WildFire verdict, which shows Malware.
Next are all of the hashes available, as well as file details.
There is even a link to VirusTotal, for more information from VirusTotal on this file.
Next is the WildFire Dynamic Analysis area, where you see all of the Windows 7 and Windows XP virtual sandbox results.
All the file behaviors are documented here. They are broken into 3 categories:
- Uninteresting Items (Grey),
- Suspect Items (Orange)
- Highly Suspect Items (Red)
You can click on each of the activity categories to get more information, but for this example, we will choose DNS Activity to see more info.
In this screen. you see the detail of the DNS activity.
It is broken into the number of: Benign (#B), Malicious (#M) and Greyware (#G), as well as the DNS Query, Response and Type. Notice how the Red Triangle and Exclamaition point are on the first line?
This one URL, www.vienclp.com, for NXDOMAIN lookup has not seen a lot of activity in WildFire. In fact, this has only been seen 4 times, but in all of those cases, deemed Malicious. There were no benign or greyware results.
If you want to see more information on this one URL, click the dropdown to the right (that appears when you mouse over the domain), and select "Domain and URL info..." A new window will appear with all the domain and URL info gathered in reference to this URL.
In the new window, you will see different info.
In the top area (truncated for simplicity), you see a URL categorized as Malware.
Further down, in the Passive DNS History area, you see www.vienclp.com show up with a response as 22.214.171.124, for 21 counts. This type of activity normally is command and control activity. This type of activity is worth searching inside your firewall logs to see if there has been any traffic to this IP address, possibly showing unwanted traffic from your network.
Click close to close that window.
Another option you have is adding this domain to an export list.
Click the dropdown to the left of the URL, then click Add to Export List, then type in a name or select an export name if you have already created a new Export List. Press enter. You'll get a green confirmation that the item was added successfully to the export list.
I will cover more in Exports near the end of this article.
If you are performing more of a researcher role, and want to gather more information, scroll down to the Connection Activity section and expand.
If you look inside the Connection Activity area, it can help you understand what process was trying to gain access to a specific location.
You will see that the highly suspect activity connecting via TCP to 126.96.36.199:80 in HK (Hong Kong). There were 5 connections, all deemed Malware. This would be a great IP address to also search your logs for similar connections.
In this example, there is no Parent Process listed, but if there was, you could add the process name to another search and search for that process performing any other fuction.
Exports to create security policies
As previously stated, you can gather a list of exportable items to be exported, then imported into the Palo Alto Networks firewall for use in security policies to block traffic.
To do this, go to the Exports sections to the left of AutoFocus.
I created export-1, as a label earlier, which it has 1 entry listed.
To see what is in the list, click the label name - export-1.
You can see the section and the value of the data to export.
If all the information appears good to export, click to Export all 1 items, and a new window will pop up.
The Export to File window shows options to export.
If you are want this for a block list, be sure to choose Formatted for PAN-OS block list.
If you also want metadata, then be sure to select Export Metadata.
Then click Export to export the data. A .CSV file will be saved to the browser.
You also have an option to delete items in the list.
Thanks for reading! I hope this has helped you understand how to use AutoFocus as a first responder or as a researcher to gather more information.
We welcome all comments, feedback and suggestions in the comments section below.