AutoFocus Log Data Integration

Created On 09/26/18 13:44 PM - Last Modified 07/18/19 20:12 PM


Resolution


While investigating signs of malicious activity using the security logs on a firewall or endpoint, it is sometimes important to have additional context for a log entry artifact. AutoFocus can provide this context, but to reach it you must manually copy the artifact from the firewall and use it to search AutoFocus. This process is time-consuming and error-prone.

A new feature lets you launch queries from the firewall/Panorama log monitor page to AutoFocus for a selected log element, such as a destination IP address, URL, or threat name, and receive the AutoFocus information directly in the firewall/Panorama UI.

AutoFocus device license:

  • The AutoFocus Device license is introduced in PAN-OS 7.1 to determine whether the device can use the feature. Devices and Panorama can retrieve the license from updates.paloaltonetworks.com.
  • The license application process is automated once the AutoFocus 'site' license has been applied to the Customer Support Portal (CSP) account under site licenses.
    • The license server in the backend generates AutoFocus Device licenses for all devices and Panorama appliances attached to the CSP account.
    • The license key is then sent down to the devices automatically during the daily check-in, or the license keys can be retrieved from the licensing server.

Configuration (WebUI):

  • Panorama/Device > license:

autofocus-device-license.png

  • If an AutoFocus Device license is present on the device, the Panorama/Device > Setup > Management tab has an 'AutoFocus' pane to configure the details:

autofocus_details.png

AutoFocus query:

  • There is no visible change at first; the traffic log looks the same as it did in previous PAN-OS versions:

traffic_log.png

  • Hover over the right end of a supported column (source and destination address for the Traffic log); a black down-pointing triangle button appears:

button.png

  • Click the arrow and the AutoFocus button appears:

autofocus.png

  • Click it again to display the AutoFocus Intelligence Summary pop-up:
    1. AutoFocus Search Link: Click this link to open an AutoFocus search from the firewall. The AutoFocus search editor opens in a new tab, with the firewall artifact added as a search condition. You can also add other artifacts included in the threat summary to an AutoFocus search.
    2. Passive DNS: For IP addresses, domains and URLs, any recent passive DNS history for the artifact is listed.
    3. Matching Tags: AutoFocus tags matched to the artifact.
    4. Associated Sessions: The number of sessions in which samples associated with the artifact were found.
    5. WildFire Verdicts: The number of greyware, benign and malware samples that contain the artifact.
    6. Recent WildFire Results: The latest samples in which WildFire detected the artifact.

summary_window.png

Service route for AutoFocus:

  • An AutoFocus service route is newly introduced.
  • Device > Setup > Services > Service Route Configuration
  • The AutoFocus query is sent from the specified interface.
  • The Management interface is set by default.

service_route.png

CLI

  • The following CLI command is added in PAN-OS 7.1:

    # set deviceconfig setting autofocus
    + autofocus-url   URL for AutoFocus server
    + enabled         Enable AutoFocus service
    + query-timeout   Query time out in seconds
      <Enter>         Finish input
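As an added illustration, not taken from the article, the following constructed configure-mode session applies the three settings listed above and then confirms the result. The server URL and the 15-second timeout are assumed values to be checked against your own deployment; lines beginning with "#" followed by a space are explanatory notes, while "admin@PA-VM#" is the configure-mode prompt.

```text
# Constructed example session; hostname PA-VM and all values are assumptions.
admin@PA-VM> configure

# Turn the AutoFocus lookup feature on (requires the AutoFocus Device license).
admin@PA-VM# set deviceconfig setting autofocus enabled yes

# AutoFocus server the firewall/Panorama will query (assumed value).
admin@PA-VM# set deviceconfig setting autofocus autofocus-url https://autofocus.paloaltonetworks.com:10443

# Give up on a lookup after 15 seconds so a slow upstream does not hang the log viewer.
admin@PA-VM# set deviceconfig setting autofocus query-timeout 15

# Review the candidate configuration before committing it.
admin@PA-VM# show deviceconfig setting autofocus

# Activate the change.
admin@PA-VM# commit
admin@PA-VM# exit

# Confirm the AutoFocus Device license is installed; without it the
# AutoFocus pane and the log-viewer button are not available.
admin@PA-VM> request license info
```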