AutoFocus: Actionable Threat Intelligence Leads to Shorter Response Times

Stephen Perciballi

Category: Cybersecurity

Following up on my initial post, AutoFocus: Your Answer to Actionable Threat Intelligence, this second post in the series provides another daily use case.

Searching From Firewalls

Something that happens from time to time is administrators will see remnants of malware coming from hosts inside the network but not the actual malware itself. This is a prime example of when administration teams should use actionable threat intelligence so they can arm themselves with information about what and whom they are up against, leading to shorter response times to an attack.

In this example we can see that there are beacon detections identified by the user “janet.fink.” In the ACC she is identified as having a compromised host. The beacon detection correlation object indicates that we are seeing known command-and-control traffic coming from this host; however, we did not see any of the associated malware. The probable cause is that the user had her device outside of the corporate network, was infected with something, and then brought it back into the network. This makes a good case for always-on VPN for corporate devices.


Drilling down into the correlation object and navigating to the source logs, we can see that Janet’s computer visited a known malicious domain over 100 times.

From here we can hover over any of these relevant attributes and query AutoFocus remotely.


When AutoFocus is queried, a new results window opens. From here we can:

  • Click the link to bring us directly to these results in AutoFocus to continue pivoting on the data.
  • See that there is passive DNS information on this URL. The URL Janet visited does not actually match the previously identified URLs for this IP address, indicating that the attacker is maintaining the infrastructure and changing domains.
  • See that the name of the malware family is Allaple. We are provided a description of the tag by Unit 42.
  • See how many samples were identified in our network (0) and how many are globally viewable in AutoFocus (1).


This validates our initial suspicion that the user was likely infected outside of the network; otherwise, we would have data in WildFire to examine. Instead we are relying on the WildFire data from other organizations to determine from which malware this artifact comes.

Learn more about how AutoFocus threat intelligence service can help you accelerate analysis, threat hunting, and response workflows.


2 Reader Comments

  1. Hi All,

    I liked this product but i think Autofocus is seeding it’s threat intelligence list from somewhere. Does it have dynamic list (updating real-time) or static list (current blacklist)? Could you please help me about this issue?

    Thanks in advance.

    Best Regards,

    Irem Demir

  2. Stephen Perciballi

    The majority of the data in AutoFocus comes from WildFire. WildFire is where we perform static and dynamic analysis on never seen before malware. All of the indicators from that malware are available in AutoFocus. We also ingest third party data sources include that of the Cyber Threat Alliance,

Got something to say?

Get updates: Unit 42

Sign up to receive the latest news, cyber threat intelligence and research from Unit42

By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement.

© 2018 Palo Alto Networks, Inc. All rights reserved.