Palo Alto AutoFocus
AutoFocus contextual threat intelligence brings speed, consistency and precision to threat investigation.
Configure Autofocus on Demisto
- Navigate to Settings > Integrations > Servers & Services .
- Search for Autofocus.
-
Click
Add instance
to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Server URL
- Version
- API Key
- Use system proxy settings
- Trust any certificate (not secure)
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.
1. Search for samples
Search for samples in Palo Alto Networks AutoFocus.
Base Command
autofocus-search-samples
Input
| Argument Name | Description | Required |
|---|---|---|
| scope | The scope for the search | Optional |
| size | Number of results | Optional |
| from | Sample number to start from | Optional |
| sort | Sort field | Optional |
| order | Order of sort | Optional |
| query | The query to retrieve samples | Required |
| sleep | Time to sleep between checking for results | Optional |
| checks | Number of checks before giving up on the query | Optional |
| cookie | The af_cookie for retrieving previous search results | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Autofocus.Cookie | string | The cookie for the results |
| Autofocus.Samples.id | string | The ID of the sample. |
| Autofocus.Samples.md5 | string | The MD5 hash of the sample. |
| Autofocus.Samples.sha1 | string | The SHA-1 of the sample. |
| Autofocus.Samples.sha256 | string | The SHA-256 of the sample. |
| Autofocus.Samples.app_name | string | The application name (if exists). |
| Autofocus.Samples.size | number | The size of the sample. |
| Autofocus.Samples.ssdeep | string | The SSDeep of the sample. |
| Autofocus.Samples.create_date | string | The create date for the sample. |
| Autofocus.Samples.finish_date | string | The finish date for the sample. |
| Autofocus.Samples.malware | string | Is this malware (0 or 1). |
| Autofocus.Samples.app_packagename | string | The sample package name (if exists). |
| Autofocus.Samples.filetype | string | The sample type. |
| Autofocus.Samples.region | number | Where this sample was seen. |
| Autofocus.Samples.tag | string | The tags of the sample. |
Command Example
!autofocus-search-samples scope="public" size="10" sort="create_date" order="desc" query="{\"operator\": \"all\", \"children\": [{\"field\": \"sample.malware\", \"operator\": \"is\", \"value\": 1}]}"
Human Readable Output
2. Search for sessions
Search for sessions in Palo Alto Networks AutoFocus.
Base Command
autofocus-search-sessions
Input
| Argument Name | Description | Required |
|---|---|---|
| size | The number of results to return. | Optional |
| from | The sample number to start from. | Optional |
| sort | The sort field. | Optional |
| order | The sort order. | Optional |
| query | The query to retrieve samples. | Required |
| sleep | The time to sleep between checking for results. | Optional |
| checks | The number of checks before stopping the query. | Optional |
| cookie | The af_cookie for retrieving previous search results. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Autofocus.Cookie | string | The cookie for the results. |
| Autofocus.Sessions.id | string | The ID of the session. |
| Autofocus.Sessions.device_industry | string | The device industry. |
| Autofocus.Sessions.filename | string | The name of the file. |
| Autofocus.Sessions.region | string | The region for the session. |
| Autofocus.Sessions.sha256 | string | The SHA-256 of the file. |
| Autofocus.Sessions.tstamp | string | The timestamp for the session. |
| Autofocus.Sessions.upload_src | string | Where did we get the file |
Command Example
!autofocus-search-sessions size="10" sort="tstamp" order="desc" query="{\"operator\": \"all\", \"children\": [{\"field\": \"session.region\", \"operator\": \"is\", \"value\": \"us\"}]}"
Human Readable Output
3. Get details of a session
Returns details of a specific session.
Base Command
autofocus-session
Input
| Argument Name | Description | Required |
|---|---|---|
| id | The session ID to retrieve details for. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Autofocus.Sessions.id | string | The ID of the session. |
| Autofocus.Sessions.device_industry | string | The device industry. |
| Autofocus.Sessions.filename | string | The name of the file. |
| Autofocus.Sessions.region | string | The region for the session. |
| Autofocus.Sessions.sha256 | string | The SHA-256 of the file. |
| Autofocus.Sessions.tstamp | string | The timestamp for session. |
| Autofocus.Sessions.upload_src | string | The origin of the file. |
4. Get a sample analysis
Retrieves the sample analysis.
Base Command
autofocus-sample-analysis
Input
| Argument Name | Description | Required |
|---|---|---|
| id | The ID of the sample. | Required |
| coverage | Whether coverage should be displayed. | Optional |
| sections | A CSV list of sections to display: apk_app_icon, apk_app_name, apk_cert_file, apk_certificate_id, apk_defined_activity, apk_defined_intent_filter, apk_defined_receiver, apk_defined_sensor, apk_defined_service, apk_digital_signer, apk_embedded_library, apk_embeded_url, apk_internal_file, apk_isrepackaged, apk_packagename, apk_requested_permission, apk_sensitive_api_call, apk_suspicious_behavior, apk_suspicious_file, apk_suspicious_pattern, apk_suspicious_action_monitored, apk_suspicious_file, apk_suspicious_string, apk_version_num, behavior_type, connection, coverage, dns, file, http, japi, mac_embedded_url, misc, mutex, process, registry, service, user_agent | Optional |
| platforms | A CSV list of platforms: win7, winxp, android, staticAnalyzer, mac | Optional |
Context Output
There is no context output for this command.
Command Example
!autofocus-sample-analysis id="7ebf30b8f908ce574fda70af1f94ebcb071c2e5f0e22f2ec349a2290f243a036" coverage=true sections=file
Human Readable Output
5. Get the reputation of a file
Checks the file reputation of the given hash.
Base Command
file
Input
| Argument Name | Description | Required |
|---|---|---|
| file | The hash of the file to query. Supports MD5, SHA-1, and SHA-256. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA1 | string | The SHA-1 hash of the file. |
| File.SHA256 | string | The SHA-256 hash of the file. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the reason that the vendor made the decision. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| DBotScore.Description | string | The reason for the score (if any). |
Command Example
!file file="75779e62f9790bd4c2ed449bd20be741f78811fb5ce848a2c5a516af17cdeccf" using-brand="Autofocus"
Human Readable Output
