Palo Alto AutoFocus

AutoFocus contextual threat intelligence brings speed, consistency and precision to threat investigation.

Configure AutoFocus on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for AutoFocus.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Server URL
    • Version
    • API Key
    • Use system proxy settings
    • Trust any certificate (not secure)
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.

1. Search for samples

Search for samples in Palo Alto Networks AutoFocus.

Base Command

autofocus-search-samples

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| scope | The scope of the search. | Optional |
| size | The number of results to return. | Optional |
| from | The sample number to start from. | Optional |
| sort | The sort field. | Optional |
| order | The sort order. | Optional |
| query | The query to retrieve samples. | Required |
| sleep | The time to sleep between checks for results. | Optional |
| checks | The number of checks before giving up on the query. | Optional |
| cookie | The af_cookie for retrieving previous search results. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Autofocus.Cookie | string | The cookie for the results. |
| Autofocus.Samples.id | string | The ID of the sample. |
| Autofocus.Samples.md5 | string | The MD5 hash of the sample. |
| Autofocus.Samples.sha1 | string | The SHA-1 hash of the sample. |
| Autofocus.Samples.sha256 | string | The SHA-256 hash of the sample. |
| Autofocus.Samples.app_name | string | The application name (if it exists). |
| Autofocus.Samples.size | number | The size of the sample. |
| Autofocus.Samples.ssdeep | string | The ssdeep hash of the sample. |
| Autofocus.Samples.create_date | string | The creation date of the sample. |
| Autofocus.Samples.finish_date | string | The finish date of the sample. |
| Autofocus.Samples.malware | string | Whether the sample is malware (0 or 1). |
| Autofocus.Samples.app_packagename | string | The sample package name (if it exists). |
| Autofocus.Samples.filetype | string | The sample file type. |
| Autofocus.Samples.region | number | The region where this sample was seen. |
| Autofocus.Samples.tag | string | The tags of the sample. |

Command Example

!autofocus-search-samples scope="public" size="10" sort="create_date" order="desc" query="{\"operator\": \"all\", \"children\": [{\"field\": \"sample.malware\", \"operator\": \"is\", \"value\": 1}]}"
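The query argument above is a JSON tree of conditions, and sleep, checks and cookie drive a polling loop over the af_cookie. This added Python example (not part of the integration's own code) builds such a query tree and runs the polling pattern against an injected fetch function; the "in_progress" key on the fetched result and nested "all"/"any" groups are assumptions, not taken from this page.

```python
import json
import time
from typing import Any, Callable, Dict, List, Optional


def condition(field: str, operator: str, value: Any) -> Dict[str, Any]:
    """One leaf of an AutoFocus query, e.g. sample.malware is 1."""
    return {"field": field, "operator": operator, "value": value}


def group(operator: str, children: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Combine conditions (or nested groups, assumed supported) with 'all' or 'any'."""
    if operator not in ("all", "any"):
        raise ValueError("group operator must be 'all' or 'any'")
    if not children:
        raise ValueError("a group needs at least one child")
    return {"operator": operator, "children": children}


def build_query(tree: Dict[str, Any]) -> str:
    """Serialise the tree to the JSON string passed as query=... on the CLI."""
    if "children" not in tree:  # mirror the command example: a group at the top level
        tree = group("all", [tree])
    return json.dumps(tree)


def poll_results(fetch: Callable[[str], Dict[str, Any]], cookie: str,
                 checks: int = 10, sleep: float = 0.0) -> Optional[Dict[str, Any]]:
    """Re-check a search by its af_cookie up to `checks` times, pausing `sleep`
    seconds between checks (the sleep/checks arguments). `fetch` is whatever
    retrieves results for a cookie; it is assumed to set "in_progress" while
    the search is still running. Returns None once `checks` is exhausted."""
    for attempt in range(checks):
        result = fetch(cookie)
        if not result.get("in_progress", False):
            return result
        if attempt + 1 < checks and sleep > 0:
            time.sleep(sleep)
    return None


if __name__ == "__main__":
    # Same query as the command example: samples flagged as malware.
    print(build_query(condition("sample.malware", "is", 1)))
```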

Human Readable Output

(screenshot: autof_search_samples)

2. Search for sessions

Search for sessions in Palo Alto Networks AutoFocus.

Base Command

autofocus-search-sessions

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| size | The number of results to return. | Optional |
| from | The sample number to start from. | Optional |
| sort | The sort field. | Optional |
| order | The sort order. | Optional |
| query | The query to retrieve samples. | Required |
| sleep | The time to sleep between checking for results. | Optional |
| checks | The number of checks before stopping the query. | Optional |
| cookie | The af_cookie for retrieving previous search results. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Autofocus.Cookie | string | The cookie for the results. |
| Autofocus.Sessions.id | string | The ID of the session. |
| Autofocus.Sessions.device_industry | string | The device industry. |
| Autofocus.Sessions.filename | string | The name of the file. |
| Autofocus.Sessions.region | string | The region for the session. |
| Autofocus.Sessions.sha256 | string | The SHA-256 hash of the file. |
| Autofocus.Sessions.tstamp | string | The timestamp of the session. |
| Autofocus.Sessions.upload_src | string | The origin of the file (upload source). |

Command Example

!autofocus-search-sessions size="10" sort="tstamp" order="desc" query="{\"operator\": \"all\", \"children\": [{\"field\": \"session.region\", \"operator\": \"is\", \"value\": \"us\"}]}"

Human Readable Output

(screenshot: autof_search_sessios)

3. Get details of a session

Returns details of a specific session.

Base Command

autofocus-session

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The session ID to retrieve details for. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Autofocus.Sessions.id | string | The ID of the session. |
| Autofocus.Sessions.device_industry | string | The device industry. |
| Autofocus.Sessions.filename | string | The name of the file. |
| Autofocus.Sessions.region | string | The region for the session. |
| Autofocus.Sessions.sha256 | string | The SHA-256 hash of the file. |
| Autofocus.Sessions.tstamp | string | The timestamp of the session. |
| Autofocus.Sessions.upload_src | string | The origin of the file. |

4. Get a sample analysis

Retrieves the sample analysis.

Base Command

autofocus-sample-analysis

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The ID of the sample. | Required |
| coverage | Whether coverage should be displayed. | Optional |
| sections | A CSV list of sections to display: apk_app_icon, apk_app_name, apk_cert_file, apk_certificate_id, apk_defined_activity, apk_defined_intent_filter, apk_defined_receiver, apk_defined_sensor, apk_defined_service, apk_digital_signer, apk_embedded_library, apk_embeded_url, apk_internal_file, apk_isrepackaged, apk_packagename, apk_requested_permission, apk_sensitive_api_call, apk_suspicious_behavior, apk_suspicious_file, apk_suspicious_pattern, apk_suspicious_action_monitored, apk_suspicious_file, apk_suspicious_string, apk_version_num, behavior_type, connection, coverage, dns, file, http, japi, mac_embedded_url, misc, mutex, process, registry, service, user_agent | Optional |
| platforms | A CSV list of platforms: win7, winxp, android, staticAnalyzer, mac | Optional |

Context Output

There is no context output for this command.

Command Example

!autofocus-sample-analysis id="7ebf30b8f908ce574fda70af1f94ebcb071c2e5f0e22f2ec349a2290f243a036" coverage=true sections=file

Human Readable Output

(screenshot: autof_sample_analysis)

5. Get the reputation of a file

Checks the file reputation of the given hash.

Base Command

file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file | The hash of the file to query. Supports MD5, SHA-1, and SHA-256. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA1 | string | The SHA-1 hash of the file. |
| File.SHA256 | string | The SHA-256 hash of the file. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the reason that the vendor made the decision. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| DBotScore.Description | string | The reason for the score (if any). |

Command Example

!file file="75779e62f9790bd4c2ed449bd20be741f78811fb5ce848a2c5a516af17cdeccf" using-brand="Autofocus"

Human Readable Output

(screenshot: autof_file)