AutoFocus 1.3.2
- Updated on 22 May 2022
tags: python | AutoFocus | Enrichment | Threat Intelligence
Description
Integration with AutoFocus lets CDC users query Palo Alto Networks' threat intelligence cloud, a large repository of high-fidelity threat intelligence, through the AutoFocus REST API. The data returned lets CDC users make informed incident response decisions.
AutoFocus threat intelligence carries context supplied by Palo Alto Networks Unit 42 threat researchers.
The AutoFocus API gives CyberProof access to samples, file analysis results, and aggregate data over REST. Security teams can use it to enrich their existing tools in real time, speeding up analysis and enabling automated response.
Custom adaptive cards present large amounts of complex threat intelligence data in a readable GUI, so that the data is easy to understand.
The command line and automated enrichments return detailed indicators of compromise and related threat indicator information for a hash (MD5/SHA1/SHA256), threat name, file name, malware name, or threat indicator feed, depending on the query parameter supplied. The Threat Indicator Feed option returns a complete threat analysis report for the supplied feed value.
| Field | Value |
|---|---|
| Integration Type | Threat Intelligence Enrichment |
| Information read | Threat intelligence information based on the provided input parameters |
| API supported | AutoFocus API v1.0 |
| Input | Hash (MD5/SHA1/SHA256), Threat Name, File Name, Malware Name |
| Output | Detailed enrichment consisting of IOCs and other threat indicator information for the provided input parameters |
Customer Configuration
No customer configuration
CDC Command Lines
* **get_artifact_by_filetype_cli**
Get information from AutoFocus about files with a specific type.
Option | Type | Description | Required |
---|---|---|---|
file_type | string | The type of files that we want to query. | True |
* **get_artifact_by_malware_cli**
Get information from AutoFocus about artifacts associated with a malware type.
Option | Type | Description | Required |
---|---|---|---|
malware_type | string | The malware type to query. | True |
* **get_artifact_by_md5_cli**
Get information from AutoFocus about MD5 hash.
Option | Type | Description | Required |
---|---|---|---|
hash_value | string | MD5 value. | True |
* **get_artifact_by_threat_name_cli**
Get information from AutoFocus about threats.
Option | Type | Description | Required |
---|---|---|---|
threat_name | string | The name of the threats that we want to query. | True |
* **get_sample_analysis_by_md5_cli**
Retrieves the analysis results for the sample identified by an MD5 hash.
Option | Type | Description | Required |
---|---|---|---|
coverage | boolean | Whether to include coverage information in the analysis results. | True |
hash_value | string | The MD5 hash of the sample to analyze. | True |
sections | string | The analysis sections to return, comma-separated. | True |
* **get_sample_analysis_by_sha256_cli**
Retrieves the analysis results for the sample identified by a SHA256 hash.
Option | Type | Description | Required |
---|---|---|---|
coverage | boolean | Whether to include coverage information in the analysis results. | True |
hash_value | string | The SHA256 hash of the sample to analyze. | True |
sections | string | The analysis sections to return, comma-separated. | True |
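The following is an added example, not CyberProof's or Palo Alto Networks' code, showing the input handling a practitioner would want in front of the sample-analysis command lines above: it classifies a hash by digest length, picks the command line that accepts it (SHA1 is listed as an input type on this page but no analysis command line takes it, so it is rejected rather than misrouted), coerces the `coverage` and `sections` options, and assembles the request. The AutoFocus v1.0 base URL, the `/sample/{hash}/analysis` path and the JSON body keys `apiKey`, `sections` and `coverage` are assumptions recalled from the public AutoFocus API documentation and should be verified against the current docs; the hashes and key in the usage block are constructed test values (digests of the empty file, dummy key).

```python
"""Input checks and request assembly for the sample-analysis enrichments
listed above.

Added example; not CyberProof's or Palo Alto Networks' code. Assumptions:
the AutoFocus v1.0 base URL, the /sample/{hash}/analysis path and the JSON
body keys (apiKey, sections, coverage) follow the public AutoFocus API
documentation as recalled here; verify against the current docs."""
import re

# Hex-digest lengths: MD5 = 128 bits, SHA-1 = 160 bits, SHA-256 = 256 bits.
_HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Sample-analysis command lines on this page, keyed by hash type.
# SHA-1 is a documented input type but no analysis command line accepts it.
ANALYSIS_CLI = {
    "md5": "get_sample_analysis_by_md5_cli",
    "sha256": "get_sample_analysis_by_sha256_cli",
}

# Assumption: AutoFocus REST API v1.0 base URL.
AF_BASE_URL = "https://autofocus.paloaltonetworks.com/api/v1.0"

_TRUE = {"true", "t", "yes", "y", "1"}
_FALSE = {"false", "f", "no", "n", "0"}


def classify_hash(value):
    """Return 'md5', 'sha1' or 'sha256' for a hex digest, else raise ValueError."""
    digest = value.strip()
    if not _HEX_RE.match(digest) or len(digest) not in _HASH_TYPES:
        raise ValueError(f"not an MD5/SHA1/SHA256 hex digest: {value!r}")
    return _HASH_TYPES[len(digest)]


def select_analysis_cli(value):
    """Pick the sample-analysis command line that accepts this hash.

    Raises ValueError for SHA-1 instead of handing it to a command line
    that expects a different digest length."""
    kind = classify_hash(value)
    if kind not in ANALYSIS_CLI:
        raise ValueError(f"no sample-analysis command line accepts {kind}")
    return ANALYSIS_CLI[kind]


def parse_coverage(flag):
    """Coerce the 'coverage' option (a boolean in the table, a string when
    typed at a command line) to bool; reject anything ambiguous."""
    if isinstance(flag, bool):
        return flag
    text = str(flag).strip().lower()
    if text in _TRUE:
        return True
    if text in _FALSE:
        return False
    raise ValueError(f"coverage must be true/false, got {flag!r}")


def parse_sections(text):
    """Split the comma-separated 'sections' option, dropping blanks and
    duplicates while keeping the order given."""
    seen, out = set(), []
    for item in text.split(","):
        name = item.strip().lower()
        if name and name not in seen:
            seen.add(name)
            out.append(name)
    if not out:
        raise ValueError("at least one analysis section is required")
    return out


def build_analysis_request(api_key, hash_value, sections, coverage):
    """Assemble (url, json_body) for a sample-analysis call from the CLI
    options. Validation happens here so a bad hash or flag fails before any
    network round trip or use of the API key."""
    kind = classify_hash(hash_value)
    if kind not in ANALYSIS_CLI:
        raise ValueError(f"sample analysis is not available for {kind} hashes")
    url = f"{AF_BASE_URL}/sample/{hash_value.strip().lower()}/analysis"
    body = {
        "apiKey": api_key,  # assumption: the key is sent in the JSON body
        "sections": parse_sections(sections),
        "coverage": parse_coverage(coverage),
    }
    return url, body


def redact_for_log(body):
    """Copy of the request body that is safe to log: the API key is a
    bearer-style secret and must not reach log storage."""
    safe = dict(body)
    if "apiKey" in safe:
        safe["apiKey"] = "<redacted>"
    return safe


if __name__ == "__main__":
    # Constructed inputs: SHA-256 of the empty file and a dummy API key.
    url, body = build_analysis_request(
        "dummy-api-key",
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "dns, http, dns",
        "True",
    )
    print(url)
    print(redact_for_log(body))
```

`build_analysis_request` returns the URL and body instead of sending them, so the same checks can sit in front of whichever HTTP client the CDC runs and the request can be logged through `redact_for_log` without exposing the key.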
Workflows
* **post_get_artifact_by_filetype**
Post get-artifact-by-filetype in the CDC, by the ID of the incident/message/channel.
* **post_get_artifact_by_malware**
Post get-artifact-by-malware in the CDC, by the ID of the incident/message/channel.
* **post_get_artifact_by_md5**
Post get-artifact-by-md5 in the CDC, by the ID of the incident/message/channel.
* **post_get_artifact_by_threat_name**
Post get-artifact-by-threat-name in the CDC, by the ID of the incident/message/channel.
* **post_get_sample_analysis_by_md5**
Post get-sample-analysis-by-md5 in the CDC, by the ID of the incident/message/channel.
* **post_get_sample_analysis_by_sha256**
Post get-sample-analysis-by-sha256 in the CDC, by the ID of the incident/message/channel.
Rules
No rules
Sensors
No sensors
Triggers
No triggers
Known Issues
No known issues