Palo Alto Networks AutoFocus v2

Use the AutoFocus v2 integration to contextualize threat intelligence and bring speed, consistency, and precision to threat investigation.

Use Cases

  • Query samples / sessions
  • Get sample analysis
  • Get session details
  • Get tag details
  • Get top tags

Get Your API Key

To get your API key, you need to add an authorization code, and then activate the API.

Add your authorization code

  1. Go to the Palo Alto Networks support site.
  2. Select Assets > Site Licenses tab.
  3. Select Add Site License.
  4. Enter the authorization code.

Activate the API

  1. in Site Licenses, select Enable.
  2. Click the API Key link.

Use the API key when configuring the integration. For more information on activating the license see Activating AutoFocus Licenses.

Configure AutoFocus V2 on Demisto


  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for AutoFocus V2.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionExample
    NameA meaningful name for the integration instance.AutoFocus V2_instance_2
    API KeyAccount's private token.N/A
    Trust any certificate (not secure)When selected, certificates are not checked.N/A
    Use System Proxy SettingsRuns the integration instance using the proxy server (HTTP or HTTPS) that you defined in the server configuration.https://www.markdownguide.org
    Additional Malicious VerdictsA comma-separated list of Palo Alto Networks verdicts to consider as malicious when calculating the DBot score.malware,phishing,c2
  1. Click Test to validate the URLs, token, and connection.

Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

Search for samples


Searches for samples. To view results run the autofocus-samples-search-results command with the returned Af Cookie. The AF Cookie expires 120 seconds after the search completes. Use the query that was created in AutoFocus within playbooks "as-is". To run the command with the query in Demisto, wrap the query in backticks ``. For example:

!autofocus-search-samples query=`{"operator":"all","children":[{"field":"sample.malware","operator":"is","value":1}]}` scope=Global sort="First Seen (Create Date)" order=Ascending
Base Command

autofocus-search-samples

Input
Argument NameDescriptionRequired
queryThe query for which to retrieve samples. For additional information on how to build your query using the AF GUI, see the detailed description.Optional
max_resultsThe number of results to return.Optional
sortThe field by which to sort the results.Optional
orderThe order of the results. Can be "Ascending" or "Descending".Optional
scopeThe scope of the search. Can be "Private", "Public", or "Global".Required
file_hashThe MD5, SHA1 or SHA256 hash of the file.Optional
domainThe domain to search.Optional
ipThe IP address to search.Optional
urlThe URL to search.Optional
artifactWhether to return artifacts of samples.Optional
wildfire_verdictThe WildFire verdict. Can be "Malware", "Grayware", "Benign", or "Phishing".Optional
first_seenThe date range of the creation date. Format: YYY Y-MM-DDTHH:MM:SS,YYYY-MM-DDTHH:MM:SS where the first date is the beginning and the second is the end. Example: 2019-09-09T00:00:00,2019-09-09T23:01:59Optional
last_updatedThe date range of the last updated date. Format: YYY Y-MM-DDTHH:MM:SS,YYYY-MM-DDTHH:MM:SS where the first date is the beginning and the second is the end. Example: 2019-09-09T00:00:00,2019-09-09T23:01:59Optional

How to Build a Query

  1. Go to the AutoFocus platform search screen.
  2. Click the Advanced... button on the top right.
  3. Build a query by selecting the fields operators and relevant values. To add another condition, click the + button. For more information on how to use the search editor, see Work with the Search Editor.
  4. To get the query, open the API syntax, and click the >_API button. Copy the query value from the opening curly bracket { until the ,"scope" parameter, and paste it as the value for the query argument for both search commands. For example:
{"operator":"all","children":[{"field":"sample.malware","operator":"is","value":1},{"field":"sample.create_date","operator":"is after","value":["2019-06-13","2019-06-13"]}]}
Context Output
PathTypeDescription
AutoFocus.SamplesSearch.AFCookieStringThe ID of the search. Use this ID to get search results. The AF Cookie expires 120 seconds after the search completes.
AutoFocus.SamplesSearch.StatusStringThe search status. Can be "in progress" or "complete".
Command Example
!autofocus-search-samples query=`{"operator":"all","children":[{"field":"sample.malware","operator":"is","value":1}]}` scope=Global sort="First Seen (Create Date)" order=Ascending
Context Example
{
"AutoFocus.SamplesSearch": {
"Status": "in progress",
"AFCookie": "2-78049b80-9c18-47e7-835e-d31ca8bd48aa+0"
}
}
Human Readable Output
Search Samples Info:
AFCookieStatus
2-78049b80-9c18-47e7-835e-d31ca8bd48aa+0in progress

Search for sessions


Searches for sessions. To view the results, run the autofocus-sessions-search-results command with the returned AF Cookie. The AF Cookie expires 120 seconds after the search completes.

Base Command

autofocus-search-sessions

Input
Argument NameDescriptionRequired
queryThe query for which to retrieve samples. For additional information on how to build your query using the AF GUI, see the detailed description section.Optional
max_resultsThe maximum number of results to return. The default is 30.Optional
sortThe field by which to sort the results.Optional
orderThe order of the results. Can be "Ascending" or "Descending".Optional
file_hashThe MD5, SHA1 or SHA256 hash of the file.Optional
domainThe domain to search.Optional
ipThe IP address to search.Optional
urlThe URL to search.Optional
time_rangeThe date range in which to search for sessions. Format: YYY Y-MM-DDTHH:MM:SS,YYYY-MM-DDTHH:MM:SS where the first date is the beginning and the second is the end. Example: 2019-09-09T00:00:00,2019-09-09T23:01:59Optional
time_afterThe date after which to search for sessions. Format: YYYY-MM-DDTHH:MM:SS Example: 2019-09-09T23:01:59Optional
time_beforeThe date before which to search for sessions. Format: YYYY-MM-DDTHH:MM:SS Example: 2019-09-09T23:01:59Optional

How to Build a Query

  1. Go to the AutoFocus platform search screen.
  2. Select the Advanced... button on the top right.
  3. Build a query by selecting fields operators and relevant values. To add another condition, click the + button. For more information on how to use the search editor, see Work with the Search Editor.
  4. To get the query you built, open the API syntax, and click the >_API button.
  5. Copy the query value from the opening curly bracket { until the ,"scope" parameter, and paste it as the value for the query argument for both search commands. For example:
{"operator":"all","children":[{"field":"sample.malware","operator":"is","value":1},{"field":"sample.create_date","operator":"is after","value":["2019-06-13","2019-06-13"]}]}
Context Output
PathTypeDescription
AutoFocus.SessionsSearch.AFCookieStringThe ID of the search. Use the ID to get search results. The AF Cookie expires 120 seconds after the search completes.
AutoFocus.SessionsSearch.StatusStringThe status of the search. Can be "in progress" or "complete".
Command Example
!autofocus-search-sessions query={"operator":"all","children":[{"field":"sample.malware","operator":"is","value":1}]} max_results="30" sort="Application" order="Ascending"
Context Example
{
"AutoFocus.SessionsSearch": {
"Status": "in progress",
"AFCookie": "2-2d70539d-26af-40d2-b80b-16be60dabbaf+0"
}
}
Human Readable Output
Search Sessions Info:
AFCookieStatus
2-2d70539d-26af-40d2-b80b-16be60dabbaf+0in progress

Get results of a samples search


Returns the results of a previous samples search.

Base Command

autofocus-samples-search-results

Input
Argument NameDescriptionRequired
af_cookieThe AF Cookie for retrieving results of previous searches. The AF Cookie expires 120 seconds after the search completes.Required
Context Output
PathTypeDescription
AutoFocus.SamplesResults.SizeStringThe file size in bytes.
AutoFocus.SamplesResults.SHA1StringThe SHA1 hash of the file.
AutoFocus.SamplesResults.SHA256StringThe SHA256 hash of the file.
AutoFocus.SamplesResults.CreatedDateThe date that the file was created.
AutoFocus.SamplesResults.FinishedDateThe date the file was finished.
AutoFocus.SamplesResults.RegionStringThe region of the sample.
AutoFocus.SamplesResults.FileTypeStringThe file type.
AutoFocus.SamplesResults.TagsStringThe tags attached to the sample.
AutoFocus.SamplesResults.VerdictNumberThe verdict of the sample.
AutoFocus.SamplesResults.TagGroupsStringThe groups of relevant tags.
AutoFocus.SamplesSearch.StatusStringThe search status. Can be "in progress" or "complete".
AutoFocus.SamplesSearch.Artifact.bNumberHow many set the artifact as benign.
AutoFocus.SamplesSearch.Artifact.gNumberHow many set the artifact as grayware.
AutoFocus.SamplesSearch.Artifact.mNumberHow many set the artifact as malicious.
AutoFocus.SamplesSearch.Artifact.confidenceStringHow confident the decision.
AutoFocus.SamplesSearch.Artifact.indicatorStringThe indicator that was tested.
AutoFocus.SamplesSearch.Artifact.indicator_typeStringThe indicator type, for example: Mutex, User agent, IPv4, Domain.
File.SizeNumberThe size of the file in bytes.
File.SHA1StringThe SHA1 hash of the file.
File.SHA256StringThe SHA256 hash of the file.
File.TypeStringThe file type, as determined by libmagic (same as displayed in file entries).
File.TagsStringThe tags of the file.
Command Example
!autofocus-samples-search-results af_cookie=2-c0a49ebb-2fee-4423-9bd3-76004d5878ba+1
Context Example
{
"File": [
{
"SHA256": "55f66d613414b35d46e48b952541403a5b2a5d1a1e3c0bef2bd76607b41400b9",
"Type": "PE",
"Size": 28832
},
],
"AutoFocus.SamplesResults": [
{
"Artifact": [
{
"b": 914,
"confidence": "interesting",
"g": 25,
"indicator": "1048576",
"indicator_type": "Mutex",
"m": 292
},
{
"b": 120,
"confidence": "interesting",
"g": 0,
"indicator": "1048577",
"indicator_type": "Mutex",
"m": 179
},
{
"b": 64605,
"confidence": "suspect",
"g": 7095,
"indicator": "ZonesCacheCounterMutex",
"indicator_type": "Mutex",
"m": 512566
}
],
"Created": "2020-04-03T00:35:53",
"FileType": "PE",
"Finished": "2020-04-03T00:43:33",
"ID": "2dfb6b0cb24d745fa412479ea3b0cabe9d2b57e008016656af55a6d3832c2091",
"MD5": "ef05777192cccc6502609dbdf0dc6149",
"Region": [
"us"
],
"SHA1": "c23fe9ce9c9f6260c5eb385cbb71fa1f6817cca5",
"SHA256": "2dfb6b0cb24d745fa412479ea3b0cabe9d2b57e008016656af55a6d3832c2091",
"Size": 234505,
"Tags": [
"Unit42.InitialSystemDataEnumeration",
"Unit42.RunOnce",
"Unit42.GandCrab"
],
"Verdict": 1,
"imphash": "af2a98692b8b30d8401f26d24a673b23",
"ssdeep": "3072:kKogwq8P3Nm0ZSLPjerAg0FuD5HibZ6nEdMmgcUUcNS7FY+qTtwuz0f8TpIe8OuW:CvqqAOF+640UcSFNuzokpIx95K3",
"tag_groups": [
"Ransomware"
],
"tasks": [
{
"metadata_compilation_ts": "2018-05-14T22:05:59"
}
]
}
],
"AutoFocus.SamplesSearch": {
"Status": "complete",
"AFCookie": "2-c0a49ebb-2fee-4423-9bd3-76004d5878ba+1"
}
}
Human Readable Output

Search Samples Result is in progress

CreatedFileTypeFinishedIDMD5RegionSHA1SHA256SizeTagsVerdictimphashssdeeptag_groupstasks
2020-04-05T00:03:49PE2020-04-05T00:11:59d455abd39edc7a2f03fa43b4d0f9194a11e73fce9c794021b5ca050dd0bc156d77c94c76214c7069b7fc5e7634b7e225us1460b6a9a0955f0d5c011edba569786c13b6d8a6d455abd39edc7a2f03fa43b4d0f9194a11e73fce9c794021b5ca050dd0bc156d362331Unit42.IPAddressLookup,Unit42.InitialSystemDataEnumeration,Unit42.RunOnce,Unit42.GandCrab1f456e8b8fd5e0768c2e3120e086c8ebc6144Ransomware{'metadata_compilation_ts': '2018-06-11T11:15:25'}

Artifacts for Sample:

bgmindicator_typeconfidenceindicator
10145006Domainsuspectcarder.bit
10208393Domainsuspectransomware.bit
37367317773IPv4suspect66.171.248.178

Get results of a sessions search


Returns the results of a previous session's search.

Base Command

autofocus-sessions-search-results

Input
Argument NameDescriptionRequired
af_cookieThe AF Cookie for retrieving the results of a previous search. The AF Cookie expires 120 seconds after the search completes.Required
Context Output
PathTypeDescription
AutoFocus.SessionsResults.FileNameStringThe name of the file..
AutoFocus.SessionsResults.IDStringThe ID of the session. Used to get session details.
AutoFocus.SessionsResults.IndustryStringThe related industry.
AutoFocus.SessionsResults.RegionStringThe regions of the sessions.
AutoFocus.SessionsResults.SHA256StringThe SHA256 hash of the file.
AutoFocus.SessionsResults.SeenDateThe seen date.
AutoFocus.SessionsResults.UploadSourceStringThe source of the uploaded sample.
AutoFocus.SessionsResults.FileURLStringThe URL of the file.
AutoFocus.SessionsResults.TagsStringThe relevant tags.
AutoFocus.SessionsSearch.StatusStringThe search status. Can be "in progress" or "complete".
File.NameStringThe full file name (including file extension).
File.SHA256StringThe SHA256 hash of the file.
File.TagsStringThe tags of the file.
Command Example
!autofocus-sessions-search-results af_cookie=2-f2c742b6-a363-4eb9-a313-63a99c376081+0
Context Example
{
"AutoFocus.SessionsSearch": {
"Status": "complete",
"AFCookie": "2-f2c742b6-a363-4eb9-a313-63a99c376081+0"
},
"File": [
{
"SHA256": "2eb355b54855c7531a811d435b2ff4dc74d377bfed98fd1ad03caa591f5555bd",
"Name": "wildfire-test-pe-file.exe",
"Tags": [
"Commodity.WildFireTest"
]
},
{
"SHA256": "f29192fba1064d582cddc85ef3bcf37fa8e9b7d5faddb3e67d241d472e66ab38",
"Name": "wildfire-test-pe-file (4).exe",
"Tags": [
"Commodity.WildFireTest"
]
}
],
"AutoFocus.SessionsResults": [
{
"tag_groups": [],
"Tags": [
"Commodity.WildFireTest"
],
"Industry": "High Tech",
"FileName": "wildfire-test-pe-file.exe",
"ID": "u_56095401643",
"UploadSource": "Manual API",
"Seen": "2019-12-11T08:52:16",
"SHA256": "2eb355b54855c7531a811d435b2ff4dc74d377bfed98fd1ad03caa591f5555bd",
"Region": "us"
}
]
}
Human Readable Output
Search Sessions Results is complete
FileNameIDIndustryRegionSHA256SeenTagsUploadSourcetag_groups
wildfire-test-pe-file.exeu_56095401643High Techus2eb355b54855c7531a811d435b2ff4dc74d377bfed98fd1ad03caa591f5555bd2019-12-11T08:52:16Commodity.WildFireTestManual API
wildfire-test-pe-file (4).exeu_49158137853High Techusf29192fba1064d582cddc85ef3bcf37fa8e9b7d5faddb3e67d241d472e66ab382019-10-02T11:04:05Commodity.WildFireTestManual API
wildfire-test-pe-file (4).exeu_49159945553High Techusf29192fba1064d582cddc85ef3bcf37fa8e9b7d5faddb3e67d241d472e66ab382019-10-02T11:19:21Commodity.WildFireTestManual API
wildfire-test-pe-file (4).exeu_48980717523High Techusf29192fba1064d582cddc85ef3bcf37fa8e9b7d5faddb3e67d241d472e66ab382019-09-30T23:58:00Commodity.WildFireTestManual API
wildfire-test-pe-file (4).exeu_48980935123High Techusf29192fba1064d582cddc85ef3bcf37fa8e9b7d5faddb3e67d241d472e66ab382019-10-01T00:02:36Commodity.WildFireTestManual API
wildfire-test-pe-file (4).exeu_48980770253High Techusf29192fba1064d582cddc85ef3bcf37fa8e9b7d5faddb3e67d241d472e66ab382019-09-30T23:59:18Commodity.WildFireTestManual API
wildfire-test-pe-file (4).exeu_48980686453High Techusf29192fba1064d582cddc85ef3bcf37fa8e9b7d5faddb3e67d241d472e66ab382019-09-30T23:57:10Commodity.WildFireTestManual API
wildfire-test-pe-file (4).exeu_49128586383High Techusf29192fba1064d582cddc85ef3bcf37fa8e9b7d5faddb3e67d241d472e66ab382019-10-02T08:44:04Commodity.WildFireTestManual API
wildfire-test-pe-file (4).exeu_49129503223High Techusf29192fba1064d582cddc85ef3bcf37fa8e9b7d5faddb3e67d241d472e66ab382019-10-02T08:49:24Commodity.WildFireTestManual API
wildfire-test-pe-file (4).exeu_49122514613High Techusf29192fba1064d582cddc85ef3bcf37fa8e9b7d5faddb3e67d241d472e66ab382019-10-02T07:39:45Commodity.WildFireTestManual API
wildfire-test-pe-file (4).exeu_49145687573High Techusf29192fba1064d582cddc85ef3bcf37fa8e9b7d5faddb3e67d241d472e66ab382019-10-02T09:52:36Commodity.WildFireTestManual API
wildfire-test-pe-file (4).exeu_49158441703High Techusf29192fba1064d582cddc85ef3bcf37fa8e9b7d5faddb3e67d241d472e66ab382019-10-02T11:06:29Commodity.WildFireTestManual API
wildfire-test-pe-file.exeu_47517508773High Techuscafa7f3adaace43042e5f85328ddf1d6f0d8109e65f7e6c0b87676a9a74797332019-09-17T01:59:31Commodity.WildFireTestManual API
wildfire-test-pe-file.exeu_47515984893High Techus4851a140be5af4acf3d85621d99c177fd6e1403e8e93c9cba6037459c802382f2019-09-17T01:32:11Commodity.WildFireTestManual API
wildfire-test-pe-file.exeu_47517298263High Techus5d3725fe649e3a1244fe50cd23b2e558594753d7579c30214da293566d6afa3b2019-09-17T01:56:51Commodity.WildFireTestManual API
wildfire-test-pe-file.exeu_47541182333High Techus51a93620c2c1456081f91bad64e537724a0d93dcf55face4f1d33df9a91486f12019-09-17T06:05:21Commodity.WildFireTestManual API
wildfire-test-pe-file.exeu_47518135653High Techusb39a6bf99de8dd7e55d22ee0732ea3582536a0615dab86e3d36010fe0d4ecf2a2019-09-17T02:04:56Commodity.WildFireTestManual API
wildfire-test-pe-file.exeu_47516600663High Techus7078f4e2c5d8038bd875e3a6dfd09c9014573c5d3c155f27c3acd1073c05d16f2019-09-17T01:46:01Commodity.WildFireTestManual API
wildfire-test-pe-file.exeu_47561050553High Techusc14646114c390027d373cbd5af7d31d952ab6acd86d5157bb174b19792e557f22019-09-17T08:14:5641453.TestElena,Commodity.WildFireTestManual API
wildfire-test-pe-file.exeu_47517909453High Techus2499501bebcc6ff59d3f0028f760e0433ee3a9415e916d1278a70c474690869d2019-09-17T02:02:46Commodity.WildFireTestManual API
wildfire-test-pe-file.exeu_47559447933High Techus12f198c65cbdf49972b7432291dad4d2fae7cbb77a35cda1cc28ab2b83d1e2b52019-09-17T08:08:39Commodity.WildFireTestManual API
https://wildfire.paloaltonetworks.com/publicapi/test/peu_46060032683High Techus2e40edcf77d95173463ca4bfaf833a6a1860ffa4e7b03c3fded8de08ee2be27f2019-09-01T04:34:48Commodity.WildFireTestManual API
wildfire-test-pe-file (2).exeu_45811064553High Techusf27069e200ed14c56b1b91285ea3c061aa0e4ca53d9056fed9cc0c9c3e98e9612019-08-28T21:17:33Commodity.WildFireTestManual API
wildfire-test-pe-file (2).exeu_45810946733High Techusf27069e200ed14c56b1b91285ea3c061aa0e4ca53d9056fed9cc0c9c3e98e9612019-08-28T21:14:17Commodity.WildFireTestManual API
wildfire-test-pe-file (2).exeu_45810992703High Techusf27069e200ed14c56b1b91285ea3c061aa0e4ca53d9056fed9cc0c9c3e98e9612019-08-28T21:15:31Commodity.WildFireTestManual API
wildfire-test-pe-file (2).exeu_45811012343High Techusf27069e200ed14c56b1b91285ea3c061aa0e4ca53d9056fed9cc0c9c3e98e9612019-08-28T21:16:06Commodity.WildFireTestManual API
https://wildfire.paloaltonetworks.com/publicapi/test/peu_45835887733High Techusbfdc97ecc0d1e19d17cffe856b33c41883520d7b38daa77af03bb42ef83bc6802019-08-29T05:19:21Commodity.WildFireTestManual API
wildfire-test-pe-file (3).exeu_45811604063High Techus409eb2fa745b4bd804bb3ebdd48f0107bd9c6471a9447a61f68c1a32c480f0f92019-08-28T21:32:05Commodity.WildFireTestManual API
wildfire-test-pe-file (3).exeu_45811375593High Techus409eb2fa745b4bd804bb3ebdd48f0107bd9c6471a9447a61f68c1a32c480f0f92019-08-28T21:25:36Commodity.WildFireTestManual API
wildfire-test-pe-file (3).exeu_45811208463High Techus409eb2fa745b4bd804bb3ebdd48f0107bd9c6471a9447a61f68c1a32c480f0f92019-08-28T21:20:56Commodity.WildFireTestManual API

Get session details


Returns session details by session ID.

Base Command

autofocus-get-session-details

Input
Argument NameDescriptionRequired
session_idThe ID of the session.Required
Context Output
PathTypeDescription
AutoFocus.Sessions.FileNameStringThe name of the file.
AutoFocus.Sessions.IDStringThe ID of the session.
AutoFocus.Sessions.IndustryStringThe related industry.
AutoFocus.Sessions.RegionStringThe session's regions.
AutoFocus.Sessions.SHA256StringThe SHA256 hash of the file.
AutoFocus.Sessions.SeenDateThe seen date.
AutoFocus.Sessions.UploadSourceStringThe source that uploaded the sample.
File.NameStringThe full file name (including file extension).
File.SHA256StringThe SHA256 hash of the file.
Command Example
!autofocus-get-session-details session_id="u_39605858263"
Context Example
{
"File": [
{
"SHA256": "8d4241654449c63f70dabd83483f8ca8bd8e8e6a8d0679639eb061b3b6dbcfec",
"Name": "wildfire-test-apk-file.apk"
}
],
"AutoFocus.Sessions": [
{
"Industry": "High Tech",
"FileName": "wildfire-test-apk-file.apk",
"ID": "u_39605858263",
"UploadSource": "Manual API",
"Seen": "2019-05-29T15:25:26",
"SHA256": "8d4241654449c63f70dabd83483f8ca8bd8e8e6a8d0679639eb061b3b6dbcfec",
"Region": "us"
}
]
}
Human Readable Output
Session u_39605858263:
FileNameIDIndustryRegionSHA256SeenUploadSource
wildfire-test-apk-file.apku_39605858263High Techus8d4241654449c63f70dabd83483f8ca8bd8e8e6a8d0679639eb061b3b6dbcfec2019-05-29T15:25:26Manual API

Get analysis details


Returns properties, behaviors, and activities observed for a sample. Runs the command a single time to get the fields and operating systems under HTTP, Coverage, Behavior, Registry, Files, Processes, Connections, and DNS.

Base Command

autofocus-sample-analysis

Input
Argument NameDescriptionRequired
sample_idThe SHA256 hash of the sample to analyze.Required
osThe analysis environment. Can be "win7", "winxp", "android", "static_analyzer", "mac", or "bare_metal".Optional
filter_dataWhether to smartly filter the data. If "False", the data returned will not be smartly filtered, and will significantly reduce integration performance. The recommended setting is "True".Optional
Context Output
PathTypeDescription
AutoFocus.SampleAnalysis.Analysis.HttpUnknownThe HTTP requests made when the sample was executed.
AutoFocus.SampleAnalysis.Analysis.CoverageUnknownThe WildFire signatures that matched the sample.
AutoFocus.SampleAnalysis.Analysis.BehaviorUnknownThe sample behavior: created or modified files, started a process, spawned new processes, modified the registry, or installed browser help objects.
AutoFocus.SampleAnalysis.Analysis.RegistryUnknownThe registry settings and options that showed activity when the sample was executed in the analysis environment.
AutoFocus.SampleAnalysis.Analysis.FilesUnknownThe files that showed activity as a result of the sample being executed.
AutoFocus.SampleAnalysis.Analysis.ProcessesUnknownThe processes that showed activity when the sample was executed.
AutoFocus.SampleAnalysis.Analysis.ConnectionsUnknownThe connections to other hosts on the network when the sample was executed.
AutoFocus.SampleAnalysis.Analysis.DnsUnknownThe DNS activity observed when the sample was executed.
AutoFocus.SampleAnalysis.Analysis.MutexUnknownThe mutex created when the program's start is listed with the parent process if the sample generates other program threads when executed in the analysis environment.
Command Example
!autofocus-sample-analysis sample_id=dd0d26ceea034b3ae32a4f6a477466ac598ee17f811f88cf14b2c708240fb993
Context Example
{
"AutoFocus.SampleAnalysis": {
"ID": "dd0d26ceea034b3ae32a4f6a477466ac598ee17f811f88cf14b2c708240fb993",
"Analysis": {
"Files": {
"win7": [
{
"action": " Create ",
"parent_process": "svchost.exe "
},
{
"action": " Create ",
"parent_process": "na.exe "
},
{
"action": " Create ",
"parent_process": "svchost.exe "
},
{
"action": " Create ",
"parent_process": "users\\administrator\\sample.dll:DllInstall "
},
{
"action": " Create ",
"parent_process": "users\\administrator\\sample.dll:DllInstall "
}
],
"winxp": []
},
"Processes": {
"win7": [
{
"action": " created ",
"parent_process": "svchost.exe "
},
{
"action": " created ",
"parent_process": "services.exe "
},
{
"action": " created ",
"parent_process": "TrustedInstaller.exe "
},
{
"action": " CreateProcessInternalW ",
"parent_process": "<null> "
}
],
"winxp": [
{
"action": " created ",
"parent_process": "explorer.exe "
},
{
"action": " created ",
"parent_process": "svchost.exe "
},
{
"action": " created ",
"parent_process": "winlogon.exe "
}
]
},
"Http": {
"win7": [
{
"url": " / ",
"host": "sp1.eventincoandhar.info ",
"method": " POST "
},
{
"url": " / ",
"host": "sc1.eventincoandhar.info ",
"method": " POST "
},
{
"url": " / ",
"host": "www.bbc.com ",
"method": " HEAD "
}
]
},
"Coverage": {
"url_categories": [
{
"url": "ns-154-b.gandi.net",
"cat": "Computer and Internet Info"
},
{
"url": "ns3.fastly.net",
"cat": "Computer and Internet Info"
},
{
"url": "aiden.ns.cloudflare.com",
"cat": "Computer and Internet Info"
},
{
"url": "b.iana-servers.net",
"cat": "Unknown"
},
{
"url": "aningtofrebri.info",
"cat": "Unknown"
}
],
"fileurl_signatures": [],
"wildfire_signatures": [],
"dns_signatures": [
{
"create_date": "2016-03-30 07:32:49",
"name": "generic:a.iana-servers.net"
},
{
"create_date": "2016-03-30 07:53:34",
"name": "generic:b.iana-servers.net"
},
{
"create_date": "2017-12-13 22:55:29",
"name": "Trojan-Downloader.adload:housandry.info"
},
{
"create_date": "2017-12-13 22:55:29",
"name": "Trojan-Downloader.adload:whereason.info"
},
{
"create_date": "2018-04-07 10:05:16",
"name": "Virus.ramnit:mrsewic.com"
},
{
"create_date": "2018-04-07 10:05:16",
"name": "generic:ylsuest.com"
},
{
"create_date": "2018-04-07 10:15:23",
"name": "generic:knsemis.com"
},
{
"create_date": "2019-02-07 09:00:08",
"name": "Trojan.bsymem:inf2.aningtofrebri.info"
}
]
},
"Mutex": {
"win7": [
{
"action": " CreateMutexW ",
"process": "msiexec.exe ",
"parameters": " Global\\_MSIExecute"
}
]
},
"Registry": {
"win7": [
{
"action": " CreateKey ",
"parameters": " HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters"
},
{
"action": " RegSetValueEx ",
"parameters": " HKLM\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{FF885F56-91B0-47CA-837A-F293CA541A1F} "
},
{
"action": " RegSetValueEx ",
"parameters": " HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall "
},
{
"action": " RegSetValueEx ",
"parameters": " HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{5129CAA8-E24B-2AEE-652F-C652FBF1E9BB} "
},
{
"action": " RegSetValueEx ",
"parameters": " HKLM\\SOFTWARE\\Wow6432Node\\$(brand_name) "
}
],
"winxp": [
{
"action": " SetValueKey ",
"parameters": " HKCU\\SessionInformation\\ProgramCount "
},
{
"action": " SetValueKey ",
"parameters": " HKLM\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces "
},
{
"action": " SetValueKey ",
"parameters": " HKLM\\SOFTWARE\\Microsoft\\WZCSVC\\Parameters\\Interfaces\\ControlFlags "
},
{
"action": " SetValueKey ",
"parameters": " HKLM\\SOFTWARE\\Microsoft\\WZCSVC\\Parameters\\Interfaces\\ActiveSettings "
}
]
},
"Behavior": {
"static_analyzer": [],
"win7": [
{
"risk": "high ",
"behavior": " Connected to a non-standard HTTP port"
},
{
"risk": "medium ",
"behavior": " Created or modified a file in the Windows system folder"
},
{
"risk": "high ",
"behavior": " Connected to a malicious IP"
},
{
"risk": "high ",
"behavior": " Connected to a malicious URL"
}
],
"winxp": [
{
"risk": "medium ",
"behavior": " Created or modified a file in the Windows system folder"
},
{
"risk": "low ",
"behavior": " Started a process from a user folder"
}
]
}
}
}
}
Human Readable Output
Sample Analysis results for dd0d26ceea034b3ae32a4f6a477466ac598ee17f811f88cf14b2c708240fb993:### Behavior Static Analyzer:

No entries

Behavior Win7:
BehaviorRisk
Connected to a non-standard HTTP porthigh
Created or modified a file in the Windows system foldermedium
Generated unknown TCP or UDP trafficmedium
Downloaded an executablehigh
Used a short HTTP headerhigh
Used the HTTP POST methodmedium
Initiated a failed HTTP connectionlow
Sent an HTTP response before receiving a requesthigh
Generated unknown HTTP traffichigh
Connected to a malicious domainhigh
Created an executable file in a user folderlow
Started a process from a user folderlow
Deleted itselfhigh
Registered an OLE control with regsvr32.exemedium
Started or stopped a Windows system servicehigh
Attempted to determine public IP address via IP-checking websitehigh
Connected to a malicious IPhigh
Connected to a malicious URLhigh
Behavior Winxp:
BehaviorRisk
Created or modified a file in the Windows system foldermedium
Started a process from a user folderlow
Processes Win7:
ActionParent Process
createdsvchost.exe
createdservices.exe
createdTrustedInstaller.exe
createdcsrss.exe
createdTrustedInstaller.exe
createdservices.exe
createdsvchost.exe
createdservices.exe
Processes Winxp:
ActionParent Process
createdexplorer.exe
createdsvchost.exe
createdwinlogon.exe
Files Win7:
ActionParent Process
Createsvchost.exe
Createna.exe
Createsvchost.exe
Createna.exe
Createna.exe
Createna.exe
Createusers\administrator\sample.dll:DllInstall
Createusers\administrator\sample.dll:DllInstall
Files Winxp:

No entries

33 Registry Win7:

ActionParameters
CreateKeyHKLM\System\CurrentControlSet\Services\Tcpip\Parameters
SetValueKeyHKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall{5129CAA8-E24B-2AEE-652F-C652FBF1E9BB}\cd77f991
CreateKey\Registry\Machine\System\CurrentControlSet\Services\RdyBoost\Parameters
CreateKey\Registry\Machine\System\CurrentControlSet\Services\RdyBoost\AttachState
SetValueKeyHKLM\COMPONENTS\ServicingStackVersions\6.1.7601.17514 (win7sp1_rtm.101119-1850)
SetValueKeyHKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths\ProgramData\1560740575
SetValueKeyHKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths\Users\ADMINI~1\AppData\Local\Temp{F5743266-6DFF-3433-4CE4-56028389CD67}
RegSetValueExHKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
RegSetValueExHKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall{5129CAA8-E24B-2AEE-652F-C652FBF1E9BB}
RegSetValueExHKLM\SOFTWARE\Wow6432Node\$(brand_name)
Registry Winxp:
ActionParameters
SetValueKeyHKCU\SessionInformation\ProgramCount
SetValueKeyHKLM\SOFTWARE\Microsoft\WBEM\CIMOM\List of event-active namespaces
SetValueKeyHKCU\SessionInformation\ProgramCount
SetValueKeyHKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\ActiveSettings
Mutex Win7:
ActionParametersProcess
CreateMutexWGlobal_MSIExecutemsiexec.exe
Http Win7:
HostMethodUrl
sp1.eventincoandhar.infoPOST/
ip-api.comGET/json
knsemis.comPOST/tickets
www.cnn.comHEAD/
www.bbc.comHEAD/

Get tag details


Returns details about the given tag.

Base Command

autofocus-tag-details

Input
Argument NameDescriptionRequired
tag_nameThe public tag name. Can be retrieved from the top-tags command.Required
Context Output
PathTypeDescription
AutoFocus.Tag.TagNameStringThe simple name of the tag.
AutoFocus.Tag.PublicTagNameStringThe public name of the tag. This is used as an ID of the tag.
AutoFocus.Tag.CountNumberThe number of samples that matched this tag.
AutoFocus.Tag.LasthitDateThe date that the tag was last encountered.
AutoFocus.Tag.TagDefinitionScopeStringThe scope of the tag. Can be "public", "private", or "Unit42".
AutoFocus.Tag.CustomerNameStringThe organization that created the tag.
AutoFocus.Tag.SourceStringThe organization or individual that discovered the threat that is defined in the tag.
AutoFocus.Tag.TagClassStringThe classification of the tag.
AutoFocus.Tag.TagDefinitionStatusStringThe status of the tag definition. Can be "enabled", "disabled", "removing", or "rescoping".
AutoFocus.Tag.TagGroupStringThe tag group of the tag.
AutoFocus.Tag.DescriptionStringThe tag description.
Command Example
!autofocus-tag-details tag_name=490082.Pastebin_Raw
Context Example
{
"AutoFocus.Tag": {
"Count": 84674,
"Lasthit": "2020-01-02 05:22:18",
"CustomerName": "Squadra Solutions",
"PublicTagName": "490082.Pastebin_Raw",
"TagDefinitionScope": "public",
"Source": "Squadra Solutions",
"TagDefinitionStatus": "enabled",
"TagName": "Pastebin_Raw",
"TagClass": "malicious_behavior",
"Description": "Malicious actors may post raw code to Pastebin which can then be downloaded for further use or as a C2 channel. Some code are also encoded in base64 for further obfuscation"
}
}
Human Readable Output
Tag 490082.Pastebin_Raw details:
CountCustomer NameDescriptionLasthitPublic Tag NameSourceTag ClassTag Definition ScopeTag Definition StatusTag Name
84674Squadra SolutionsMalicious actors may post raw code to Pastebin which can then be downloaded for further use or as a C2 channel. Some code are also encoded in base64 for further obfuscation2020-01-02 05:22:18490082.Pastebin_RawSquadra Solutionsmalicious_behaviorpublicenabledPastebin_Raw

Search for the most popular tags


Performs a search to identify the most popular tags.

Base Command

autofocus-top-tags-search

Input
Argument NameDescriptionRequired
scopeThe scope of the search. Can be "industry", "organization", "all", or "global".Required
classThe tag class. Can be "Malware Family", "Campaign", "Actor", "Exploit", or Malicious Behavior". See Tag Classes below for more information.Required
privateWhether the tag scope is "private". If "True", the tag scope is private. The default is "False".Optional
publicWhether the tag scope is "public". If "True", the tag scope is public. The default is "False".Optional
commodityWhether the tag scope is "commodity". If "True", the tag scope is commodity. The default is "False".Optional
unit42Whether the tag scope is "Unit42". If "True", the tag scope is unit42. The default is "False".Optional
Tag Classes
  • Malware Family: group of malware that have shared properties or common functions.
  • Campaign: targeted attack, which might include several incidents or sets of activities.
  • Actor: individual or group that initiates a campaign using malware families.
  • Exploit: an attack, which takes advantage of a software or network weakness, bug, or vulnerability to manipulate the behavior of the system.
  • Malicious Behavior: behavior that is not specific to a malware family or campaign, but indicates that your system has been compromised.
Context Output
PathTypeDescription
AutoFocus.TopTagsSearch.AFCookieStringThe ID of the search. Use this ID to get search results. The AF Cookie expires 120 seconds after the search completes.
AutoFocus.TopTagsSearch.StatusStringThe status of the search. Can be "in progress" or "complete".
Command Example
!autofocus-top-tags-search scope="all" class="Malicious Behavior" private="True" public="True" commodity="False" unit42="False"
Context Example
{
"AutoFocus.TopTagsSearch": {
"Status": "in progress",
"AFCookie": "2-1caadf19-2e94-4742-b9cf-da8b2d90988c+0"
}
}
Human Readable Output
Top tags search Info:
AFCookieStatus
2-1caadf19-2e94-4742-b9cf-da8b2d90988c+0in progress

Get results of a top tags search


Returns the results of a previous top tags search.

Base Command

autofocus-top-tags-results

Input
Argument NameDescriptionRequired
af_cookieThe AF Cookie for retrieving results of the previous search. The AF Cookie expires 120 seconds after the search completes.Required
Context Output
PathTypeDescription
AutoFocus.TopTagsResults.CountNumberThe number of samples that matched this tag.
AutoFocus.TopTagsResults.PublicTagNameStringThe public name of the tag. This is used as an ID of the tag.
AutoFocus.TopTagsResults.TagNameStringThe simple name of the tag.
AutoFocus.TopTagsResults.LasthitDateThe last encounter date of the tag.
AutoFocus.TopTagsSearch.StatusStringThe search status. Can be "in progress" or "complete".
Command Example
!autofocus-top-tags-results af_cookie=2-2190f844-7c0a-42e7-b4be-5f7d83c9b05c+0
Context Example
{
"AutoFocus.TopTagsSearch": {
"Status": "in progress",
"AFCookie": "2-2190f844-7c0a-42e7-b4be-5f7d83c9b05c+0"
},
"AutoFocus.TopTagsResults": [
{
"Count": 84674,
"Lasthit": "2020-01-02 05:22:18",
"TagName": "Pastebin_Raw",
"PublicTagName": "490082.Pastebin_Raw"
},
{
"Count": 25288,
"Lasthit": "2020-01-01 18:36:12",
"TagName": "ServiceDllUnloadOnStop",
"PublicTagName": "46640.ServiceDllUnloadOnStop"
},
{
"Count": 20912,
"Lasthit": "2020-01-01 16:09:10",
"TagName": "hupigon_mutex",
"PublicTagName": "104.hupigon_mutex"
},
{
"Count": 68694,
"Lasthit": "2020-01-01 19:18:09",
"TagName": "Modify_ComputerName",
"PublicTagName": "490082.Modify_ComputerName"
},
{
"Count": 18740,
"Lasthit": "2020-01-01 07:09:55",
"TagName": "Modify_TermServ_RDP",
"PublicTagName": "490082.Modify_TermServ_RDP"
},
{
"Count": 53921,
"Lasthit": "2020-01-02 00:02:21",
"TagName": "Modify_Permission",
"PublicTagName": "46640.Modify_Permission"
},
{
"Count": 11078,
"Lasthit": "2020-01-02 07:40:39",
"TagName": "MSOfficeResiliency",
"PublicTagName": "490082.MSOfficeResiliency"
},
{
"Count": 18857,
"Lasthit": "2020-01-01 10:06:58",
"TagName": "SecurityProviders_Persistence_LoadDLL",
"PublicTagName": "490082.SecurityProviders_Persistence_LoadDLL"
},
{
"Count": 100001,
"Lasthit": "2019-06-20 12:59:58",
"TagName": "Modify_AttachmentManager",
"PublicTagName": "490082.Modify_AttachmentManager"
},
{
"Count": 15820,
"Lasthit": "2020-01-02 07:22:46",
"TagName": "Cygwin",
"PublicTagName": "490082.Cygwin"
},
{
"Count": 7233,
"Lasthit": "2019-12-30 12:31:47",
"TagName": "SecureCRT",
"PublicTagName": "490082.SecureCRT"
},
{
"Count": 13855,
"Lasthit": "2020-01-02 05:55:01",
"TagName": "Add_PKI_Cert_or_CA",
"PublicTagName": "490082.Add_PKI_Cert_or_CA"
},
{
"Count": 40197,
"Lasthit": "2020-01-01 09:17:34",
"TagName": "Add_IE_EnhancedSecurityConfig",
"PublicTagName": "46640.Add_IE_EnhancedSecurityConfig"
},
{
"Count": 35839,
"Lasthit": "2020-01-01 06:11:35",
"TagName": "WiresharkPCAP_DLL",
"PublicTagName": "490082.WiresharkPCAP_DLL"
},
{
"Count": 6582,
"Lasthit": "2019-12-30 06:28:59",
"TagName": "ArdamaxKeyLogger",
"PublicTagName": "46640.ArdamaxKeyLogger"
},
{
"Count": 26159,
"Lasthit": "2019-12-30 15:18:59",
"TagName": "Pastebin_Dropper",
"PublicTagName": "490082.Pastebin_Dropper"
},
{
"Count": 24331,
"Lasthit": "2020-01-02 01:04:47",
"TagName": "Sandboxie",
"PublicTagName": "490082.Sandboxie"
},
{
"Count": 6137,
"Lasthit": "2020-01-01 17:50:37",
"TagName": "FTP_Suspicious",
"PublicTagName": "490082.FTP_Suspicious"
},
{
"Count": 9793,
"Lasthit": "2020-01-02 05:02:33",
"TagName": "AppCertDLL_Persistence_LoadDLL",
"PublicTagName": "490082.AppCertDLL_Persistence_LoadDLL"
},
{
"Count": 2578,
"Lasthit": "2020-01-01 21:28:20",
"TagName": "MSIEXEC_Web_Install",
"PublicTagName": "46640.MSIEXEC_Web_Install"
}
]
}
Human Readable Output
Search Top Tags Results is in progress:
CountLasthitPublic Tag NameTag Name
846742020-01-02 05:22:18490082.Pastebin_RawPastebin_Raw
252882020-01-01 18:36:1246640.ServiceDllUnloadOnStopServiceDllUnloadOnStop
209122020-01-01 16:09:10104.hupigon_mutexhupigon_mutex
686942020-01-01 19:18:09490082.Modify_ComputerNameModify_ComputerName
187402020-01-01 07:09:55490082.Modify_TermServ_RDPModify_TermServ_RDP
539212020-01-02 00:02:2146640.Modify_PermissionModify_Permission
110782020-01-02 07:40:39490082.MSOfficeResiliencyMSOfficeResiliency
188572020-01-01 10:06:58490082.SecurityProviders_Persistence_LoadDLLSecurityProviders_Persistence_LoadDLL
1000012019-06-20 12:59:58490082.Modify_AttachmentManagerModify_AttachmentManager
158202020-01-02 07:22:46490082.CygwinCygwin
72332019-12-30 12:31:47490082.SecureCRTSecureCRT
138552020-01-02 05:55:01490082.Add_PKI_Cert_or_CAAdd_PKI_Cert_or_CA
401972020-01-01 09:17:3446640.Add_IE_EnhancedSecurityConfigAdd_IE_EnhancedSecurityConfig
358392020-01-01 06:11:35490082.WiresharkPCAP_DLLWiresharkPCAP_DLL
65822019-12-30 06:28:5946640.ArdamaxKeyLoggerArdamaxKeyLogger
261592019-12-30 15:18:59490082.Pastebin_DropperPastebin_Dropper
243312020-01-02 01:04:47490082.SandboxieSandboxie
61372020-01-01 17:50:37490082.FTP_SuspiciousFTP_Suspicious
97932020-01-02 05:02:33490082.AppCertDLL_Persistence_LoadDLLAppCertDLL_Persistence_LoadDLL
25782020-01-01 21:28:2046640.MSIEXEC_Web_InstallMSIEXEC_Web_Install

Get the reputation for an IP address


Returns the reputation of an IP address.

Base Command

ip

Input
Argument NameDescriptionRequired
ipThe IP address to check.Required
Context Output
PathTypeDescription
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.TypeStringThe indicator type.
DBotScore.IndicatorStringThe indicator that was tested.
IP.AddressStringThe IP address.
AutoFocus.IP.IndicatorValueStringThe IP address value.
AutoFocus.IP.IndicatorTypeStringThe indicator type.
AutoFocus.IP.LatestPanVerdictsUnknownThe latest verdicts from Palo Alto Networks products. Can be either "PAN_DB" or "WF_SAMPLE"(WildFire).
IP.Malicious.VendorStringThe vendor that decided the file is malicious.
AutoFocus.IP.Tags.PublicTagNameStringThe public name of the tag. This is used as the tag ID.
AutoFocus.IP.Tags.TagNameStringThe simple name of the tag.
AutoFocus.IP.Tags.CustomerNameStringThe organization that created the tag.
AutoFocus.IP.Tags.SourceStringThe organization or individual that discovered the threat that is defined in the tag.
AutoFocus.IP.Tags.TagDefinitionScopeIDNumberThe scope ID of the tag.
AutoFocus.IP.Tags.TagDefinitionStatusIDNumberThe definition status ID of the tag.
AutoFocus.IP.Tags.TagClassIDNumberThe classification ID of the tag.
AutoFocus.IP.Tags.CountNumberThe number of samples that matched this tag.
AutoFocus.IP.Tags.LasthitDateThe date that the tag was last encountered.
AutoFocus.IP.Tags.DescriptionStringThe description of the tag.
Command Example
!ip ip=127.0.0.1 using-brand="AutoFocus V2"
Context Example
{
"AutoFocus.IP": [
{
"SeenBy": [],
"LatestPanVerdicts": {
"PAN_DB": "BENIGN"
},
"WildfireRelatedSampleVerdictCounts": {},
"IndicatorValue": "127.0.0.1",
"IndicatorType": "IPV4_ADDRESS"
}
],
"IP": [
{
"Address": "127.0.0.1"
}
],
"DBotScore": [
{
"Vendor": "AutoFocus V2",
"Indicator": "127.0.0.1",
"Score": 1,
"Type": "ip"
}
]
}
Human Readable Output
AutoFocus V2 IP reputation for: 127.0.0.1
IndicatortypeIndicatorvalueLatestpanverdictsSeenbyWildfirerelatedsampleverdictcounts
IPV4_ADDRESS127.0.0.1PAN_DB: BENIGN

Get the reputation of a URL


Returns the reputation of a URL.

Base Command

url

Input
Argument NameDescriptionRequired
urlThe URL to check.Required
Context Output
PathTypeDescription
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.TypeStringThe indicator type.
DBotScore.IndicatorStringThe indicator that was tested.
URL.DataStringThe URL address.
AutoFocus.URL.IndicatorValueStringThe URL value.
AutoFocus.URL.IndicatorTypeStringThe indicator type.
AutoFocus.URL.LatestPanVerdictsUnknownThe latest verdicts from Palo Alto Networks products. Can be either "PAN_DB" or "WF_SAMPLE"(WildFire).
URL.Malicious.VendorStringThe vendor that decided the file is malicious.
AutoFocus.URL.Tags.PublicTagNameStringThe public name of the tag. This is used as an ID of the tag.
AutoFocus.URL.Tags.TagNameStringThe simple name of the tag.
AutoFocus.URL.Tags.CustomerNameStringThe organization that created the tag.
AutoFocus.URL.Tags.SourceStringThe organization or individual that discovered the threat that is defined in the tag.
AutoFocus.URL.Tags.TagDefinitionScopeIDNumberThe scope ID of the tag.
AutoFocus.URL.Tags.TagDefinitionStatusIDNumberThe definition status ID of the tag.
AutoFocus.URL.Tags.TagClassIDNumberThe classification ID of the tag.
AutoFocus.URL.Tags.CountNumberThe number of samples that matched this tag.
AutoFocus.URL.Tags.LasthitDateThe date that the tag was last encountered.
AutoFocus.URL.Tags.DescriptionStringThe description of the tag.
Command Example
!url url=www.andromedaa.ir/ir/andromedaa/likebegir/ap.smali/ using-brand="AutoFocus V2"
Context Example
{
"URL": [
{
"Malicious": {
"Vendor": "AutoFocus V2"
},
"Data": "www.andromedaa.ir/ir/andromedaa/likebegir/ap.smali/"
}
],
"DBotScore": [
{
"Vendor": "AutoFocus V2",
"Indicator": "www.andromedaa.ir/ir/andromedaa/likebegir/ap.smali/",
"Score": 3,
"Type": "url"
}
],
"AutoFocus.URL": [
{
"SeenBy": [],
"LatestPanVerdicts": {
"PAN_DB": "MALWARE"
},
"WildfireRelatedSampleVerdictCounts": {},
"IndicatorValue": "www.andromedaa.ir/ir/andromedaa/likebegir/ap.smali/",
"IndicatorType": "URL"
}
]
}
Human Readable Output
AutoFocus V2 URL reputation for: www.andromedaa.ir/ir/andromedaa/likebegir/ap.smali/
IndicatortypeIndicatorvalueLatestpanverdictsSeenbyWildfirerelatedsampleverdictcounts
URLwww.andromedaa.ir/ir/andromedaa/likebegir/ap.smali/PAN_DB: MALWARE

Get the reputation of a file


Returns the reputation of a file.

Base Command

file

Input
Argument NameDescriptionRequired
fileThe SHA256 hash of the file.Required
Context Output
PathTypeDescription
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.TypeStringThe indicator type.
DBotScore.IndicatorStringThe indicator that was tested.
File.SHA256StringThe SHA256 hash of the file.
AutoFocus.File.IndicatorValueStringThe SHA256 hash value of the file.
AutoFocus.File.IndicatorTypeStringThe indicator type.
AutoFocus.File.LatestPanVerdictsUnknownThe latest verdicts from Palo Alto Networks products. Can be either "PAN_DB" or "WF_SAMPLE"(WildFire).
File.Malicious.VendorStringThe vendor that decided the file is malicious.
AutoFocus.File.Tags.PublicTagNameStringThe public name of the tag. This is used as an ID of the tag.
AutoFocus.File.Tags.TagNameStringThe simple name of the tag.
AutoFocus.File.Tags.CustomerNameStringThe organization that created the tag.
AutoFocus.File.Tags.SourceStringThe organization or individual that discovered the threat that is defined in the tag.
AutoFocus.File.Tags.TagDefinitionScopeIDNumberThe scope ID of the tag.
AutoFocus.File.Tags.TagDefinitionStatusIDNumberThe definition status ID of the tag.
AutoFocus.File.Tags.TagClassIDNumberThe classification ID of the tag.
AutoFocus.File.Tags.CountNumberThe number of samples that matched this tag.
AutoFocus.File.Tags.LasthitDateThe date that the tag was last encountered.
AutoFocus.File.Tags.DescriptionStringThe description of the tag.
Command Example
!file file=9040e9fda52931c9472c90ecad5b74295cdb9cf7b68e2b89219700f6a8bff5ac using-brand="AutoFocus V2"
Context Example
{
"DBotScore": [
{
"Vendor": "AutoFocus V2",
"Indicator": "9040e9fda52931c9472c90ecad5b74295cdb9cf7b68e2b89219700f6a8bff5ac",
"Score": 3,
"Type": "file"
}
],
"File": [
{
"Malicious": {
"Vendor": "AutoFocus V2"
},
"SHA256": "9040e9fda52931c9472c90ecad5b74295cdb9cf7b68e2b89219700f6a8bff5ac"
}
],
"AutoFocus.File": [
{
"SeenBy": [
"WF_SAMPLE"
],
"LatestPanVerdicts": {
"WF_SAMPLE": "MALWARE"
},
"WildfireRelatedSampleVerdictCounts": "",
"IndicatorType": "FILEHASH",
"IndicatorValue": "9040e9fda52931c9472c90ecad5b74295cdb9cf7b68e2b89219700f6a8bff5ac",
"LastSeen": "2019-12-29T08:52:27.000Z",
"FirstSeen": "2019-09-24T06:46:21.000Z"
}
]
}
Human Readable Output
AutoFocus V2 File reputation for: 9040e9fda52931c9472c90ecad5b74295cdb9cf7b68e2b89219700f6a8bff5ac
FirstseenIndicatortypeIndicatorvalueLastseenLatestpanverdictsSeenbyWildfirerelatedsampleverdictcounts
2019-09-24T06:46:21.000ZFILEHASH9040e9fda52931c9472c90ecad5b74295cdb9cf7b68e2b89219700f6a8bff5ac2019-12-29T08:52:27.000ZWF_SAMPLE: MALWAREWF_SAMPLE

Get the reputation of a domain name


Returns the reputation of a domain.

Base Command

domain

Input
Argument NameDescriptionRequired
domainThe domain to check.Required
Context Output
PathTypeDescription
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.TypeStringThe indicator type.
DBotScore.IndicatorStringThe indicator that was tested.
Domain.NameStringThe name of the domain.
AutoFocus.Domain.IndicatorValueStringThe value of the domain.
AutoFocus.Domain.IndicatorTypeStringThe indicator type.
AutoFocus.Domain.LatestPanVerdictsUnknownThe latest verdicts from Palo Alto Networks products. Can be either "PAN_DB" or "WF_SAMPLE"(WildFire).
Domain.Malicious.VendorStringThe vendor that decided the file is malicious.
AutoFocus.Domain.Tags.PublicTagNameStringThe public name of the tag. This is used as an ID of the tag.
AutoFocus.Domain.Tags.TagNameStringThe simple name of the tag.
AutoFocus.Domain.Tags.CustomerNameStringThe organization that created the tag.
AutoFocus.Domain.Tags.SourceStringThe organization or individual that discovered the threat that is defined in the tag.
AutoFocus.Domain.Tags.TagDefinitionScopeIDNumberThe scope ID of the tag.
AutoFocus.Domain.Tags.TagDefinitionStatusIDNumberThe definition status ID of the tag.
AutoFocus.Domain.Tags.TagClassIDNumberThe classification ID of the tag.
AutoFocus.Domain.Tags.CountNumberThe number of samples that matched this tag.
AutoFocus.Domain.Tags.LasthitDateThe date that the tag was last encountered.
AutoFocus.Domain.Tags.DescriptionStringThe description of the tag.
AutoFocus.Domain.WhoisAdminCountryStringThe country of the domain administrator.
AutoFocus.Domain.WhoisAdminEmailStringThe email address of the domain administrator.
AutoFocus.Domain.WhoisAdminNameStringThe name of the domain administrator.
AutoFocus.Domain.WhoisDomainCreationDateDateThe date that the domain was created.
AutoFocus.Domain.WhoisDomainExpireDateDateThe date that the domain expires.
AutoFocus.Domain.WhoisDomainUpdateDateDateThe date that the domain was last updated.
AutoFocus.Domain.WhoisRegistrarStringThe name of the registrar.
AutoFocus.Domain.WhoisRegistrarUrlStringThe email address of the registrar.
AutoFocus.Domain.WhoisRegistrantStringThe name of the registrant.
Command Example
!domain domain=google.com using-brand="AutoFocus V2"
Context Example
{
"Domain": [
{
"Name": "google.com",
"WHOIS": {
"Admin": {
"Email": null,
"Name": null
},
"UpdatedDate": "2018-02-21",
"Registrar": {
"Name": "markdownguide Inc."
},
"ExpirationDate": "2020-09-14",
"CreationDate": "1997-09-15",
"Registrant": {
"Name": null
}
}
}
],
"AutoFocus.Domain": [
{
"SeenBy": [],
"LatestPanVerdicts": {
"PAN_DB": "BENIGN"
},
"WhoisAdminName": null,
"WhoisDomainExpireDate": "2020-09-14",
"WhoisRegistrarUrl": "www.markdownguide.org",
"WildfireRelatedSampleVerdictCounts": {},
"IndicatorType": "DOMAIN",
"WhoisRegistrant": null,
"WhoisRegistrar": "markdownguide Inc.",
"IndicatorValue": "google.com",
"WhoisAdminEmail": null,
"WhoisDomainCreationDate": "1997-09-15",
"WhoisAdminCountry": null,
"WhoisDomainUpdateDate": "2018-02-21"
}
],
"DBotScore": [
{
"Vendor": "AutoFocus V2",
"Indicator": "google.com",
"Score": 1,
"Type": "domain"
}
]
}
Human Readable Output
AutoFocus V2 Domain reputation for: google.com
IndicatortypeIndicatorvalueLatestpanverdictsSeenbyWhoisadmincountryWhoisadminemailWhoisadminnameWhoisdomaincreationdateWhoisdomainexpiredateWhoisdomainupdatedateWhoisregistrantWhoisregistrarWhoisregistrarurlWildfirerelatedsampleverdictcounts
DOMAINgoogle.comPAN_DB: BENIGN1997-09-152020-09-142018-02-21markdownguide Inc.http://www.markdownguide.org