AutoFocus by Palo Alto Networks

Deprecated. No available replacement.

Use the Palo Alto Networks AutoFocus integration to distinguish the most important threats from everyday commodity attacks.

Deprecated. Use Unit 42 Intel Objects Feed instead. Use the AutoFocus Tags Feed integration to fetch indicators from AutoFocus Tags.

Deprecated. Use the Palo Alto Networks AutoFocus v2 integration instead. Palo Alto Networks AutoFocus enables you to distinguish the most important threats from everyday commodity attacks.

Use the AutoFocus Feeds integration to fetch indicators from AutoFocus.

This playbook is used for querying the PANW threat intelligence Autofocus system. The playbook accepts indicators such as IP's, hashes, domains to run basic queries or mode advanced queries that can leverage several query parameters. In order to run the more advanced queries its recommended to use the Autofocus UI https://autofocus.paloaltonetworks.com/#/dashboard/organization to created a query and than use the export search button. The result can be used as a playbook input.

The playbook supports searching both the Samples API and the sessions API.

Use this playbook as a sub-playbook to query PANW Autofocus Threat intelligence system. This sub-playbook is the same as the generic polling sub-playbook besides that it provides outputs in the playbook. The reason for that is that in Autofocus its impossible to query the results of the same query more than once so the outputs have to be in the polling context.

This playbook implements polling by continuously running the command in Step #2 until the operation completes.
The remote action should have the following structure:

1. Initiate the operation.
2. Poll to check if the operation completed.
3. (optional) Get the results of the operation.

The playbook queries the PANW Autofocus session and samples log data for traffic indicators such as URLs, IP addresses, and domains.

A simple search mode queries Autofocus based on the traffic indicators specified in the playbook inputs. Advanced search mode queries can also be used with multiple query parameters, but require all field names, parameters, and operators (JSON format) to be specified.
We recommended using the Autofocus UI to create an advanced query, exporting it, and pasting it into the relevant playbook inputs.

Note that multiple search values should be separated by commas only (without spaces or any special characters).

The playbook queries the PANW Autofocus session and samples log data for file indicators such as MD5, SHA256, and SHA1 hashes.

A simple search mode is used to query Autofocus based on the file indicators specified in the playbook inputs. Advanced search mode queries can also be used with multiple query parameters, but require all field names, parameters, and operators (JSON format) to be specified.
We recommended using the Autofocus UI to create an advanced query, exporting it, and pasting it into the relevant playbook inputs.

Note that multiple search values should be separated by commas only (without spaces or any special characters).

The playbook queries the PANW Autofocus session and samples log data for file and traffic indicators, such as SHA256, SHA1, MD5, IP addresses, URLs, and domains.

A simple search mode queries Autofocus based on the indicators specified in the playbook inputs. Advanced queries can also use with multiple query parameters, but require all field names, parameters, and operators (JSON format) to be specified.
We recommended using the Autofocus UI to create an advanced query, exporting it, and pasting it into the relevant playbook inputs.

Note that multiple search values should be separated by commas only (without spaces or any special characters).

Deprecated. No available replacement.

Use the Palo Alto Networks AutoFocus integration to distinguish the most important threats from everyday commodity attacks.

Use the AutoFocus Feeds integration to fetch indicators from AutoFocus.

Deprecated. Use the Palo Alto Networks AutoFocus v2 integration instead. Palo Alto Networks AutoFocus enables you to distinguish the most important threats from everyday commodity attacks.

Deprecated. Use Unit 42 Intel Objects Feed instead. Use the AutoFocus Tags Feed integration to fetch indicators from AutoFocus Tags.

Use this playbook as a sub-playbook to query PANW Autofocus Threat intelligence system. This sub-playbook is the same as the generic polling sub-playbook besides that it provides outputs in the playbook. The reason for that is that in Autofocus its impossible to query the results of the same query more than once so the outputs have to be in the polling context.

This playbook implements polling by continuously running the command in Step #2 until the operation completes.
The remote action should have the following structure:

1. Initiate the operation.
2. Poll to check if the operation completed.
3. (optional) Get the results of the operation.

The playbook queries the PANW Autofocus session and samples log data for file and traffic indicators, such as SHA256, SHA1, MD5, IP addresses, URLs, and domains.

A simple search mode queries Autofocus based on the indicators specified in the playbook inputs. Advanced queries can also use with multiple query parameters, but require all field names, parameters, and operators (JSON format) to be specified.
We recommended using the Autofocus UI to create an advanced query, exporting it, and pasting it into the relevant playbook inputs.

Note that multiple search values should be separated by commas only (without spaces or any special characters).

The playbook queries the PANW Autofocus session and samples log data for file indicators such as MD5, SHA256, and SHA1 hashes.

A simple search mode is used to query Autofocus based on the file indicators specified in the playbook inputs. Advanced search mode queries can also be used with multiple query parameters, but require all field names, parameters, and operators (JSON format) to be specified.
We recommended using the Autofocus UI to create an advanced query, exporting it, and pasting it into the relevant playbook inputs.

Note that multiple search values should be separated by commas only (without spaces or any special characters).

The playbook queries the PANW Autofocus session and samples log data for traffic indicators such as URLs, IP addresses, and domains.

A simple search mode queries Autofocus based on the traffic indicators specified in the playbook inputs. Advanced search mode queries can also be used with multiple query parameters, but require all field names, parameters, and operators (JSON format) to be specified.
We recommended using the Autofocus UI to create an advanced query, exporting it, and pasting it into the relevant playbook inputs.

Note that multiple search values should be separated by commas only (without spaces or any special characters).

This playbook is used for querying the PANW threat intelligence Autofocus system. The playbook accepts indicators such as IP's, hashes, domains to run basic queries or mode advanced queries that can leverage several query parameters. In order to run the more advanced queries its recommended to use the Autofocus UI https://autofocus.paloaltonetworks.com/#/dashboard/organization to created a query and than use the export search button. The result can be used as a playbook input.

The playbook supports searching both the Samples API and the sessions API.