Palo Alto AutoFocus
Integration version: 9.0
Configure Palo Alto AutoFocus to work with Google Security Operations SOAR
Credentials
To obtain your personal API key, sign in to your Palo Alto AutoFocus account.
Fill in the required fields, enter the authorization code, and then select Submit.
Under Site Licenses, select Enable, then select the API Key link. Copy the API key to the clipboard; you will need it later when configuring this integration in Google Security Operations SOAR. Treat the key as a credential: store it only in the integration configuration, not in playbook text or case comments.
Network
Function | Default Port | Direction | Protocol |
---|---|---|---|
API | Multivalues | Outbound | HTTPS (requests authenticated with the API key) |
Configure Palo Alto AutoFocus integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Actions
Hunt Domain
Description
Hunt a domain and retrieve a list of associated tags.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the Hostname entity.
Action Results
Entity Enrichment
An entity is marked Suspicious (True) when the number of detections meets or exceeds the limit set before the scan (see Insights); otherwise False.
Enrichment Field Name | Logic - When to apply |
---|---|
AutoFocus_Status | State of the scan: 0 - running, 1 - completed. |
AutoFocus_Percentage | If the scan is completed, the list of hits; otherwise the completion percentage of the scan. |
AutoFocus_Cookie | The hunt's cookie, used to fetch the status or results of a running scan. |
visible | Returned if present in the JSON result. |
id | Returned if present in the JSON result (the `_id` field). |
source | Returned if present in the JSON result (the `_source` object). |
Insights
Severity | Description |
---|---|
Warn | A warning insight is created to report the malicious status of the enriched entity. It is created when the number of detections equals or exceeds the limit set before the scan. |
Script Result
Script Result Name | Value Options | Example |
---|---|---|
success | True/False | success:False |
JSON Result
[{
"EntityResult": [{
"visible": true,
"_id": "8002b33fdf1caec503a25ee39297005e84c6af169df65d8be82e2465baa9b2b0",
"_source": {
"malware": 1,
"sha1": "d2884e3655ce4ba167f0083054d2a9ed02669241",
"create_date": "2019-09-20T01:57:15",
"finish_date": "2019-09-20T02:03:48",
"imphash": "ca6f8d49909b618c106e9274d41caec8",
"filetype": "DLL64",
"ispublic": 1,
"tag": [],
"tag_groups": [],
"tasks": [{
"metadata_compilation_ts": "2019-09-20T07:31:06"
}],
"ssdeep": "3072:656zgKIvACBkQTQzhH6ejYF9aIRQkfGRLe0oaf:JtIvNTKhakYF9lRQKPaf",
"sha256": "8002b33fdf1caec503a25ee39297005e84c6af169df65d8be82e2465baa9b2b0",
"region": ["us"],
"md5": "0e1e960c1de792f71b70eb8c8ab47a00",
"size": 131072
}}],
"Entity": "example.com"
}]
Hunt File
Description
Hunt a file and retrieve a list of associated tags.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the following entities:
- Filehash
- Filename
Action Results
Entity Enrichment
An entity is marked Suspicious (True) when the number of detections meets or exceeds the limit set before the scan (see Insights); otherwise False.
Enrichment Field Name | Logic - When to apply |
---|---|
AutoFocus_Status | State of the scan: 0 - running, 1 - completed. |
AutoFocus_Percentage | If the scan is completed, the list of hits; otherwise the completion percentage of the scan. |
AutoFocus_Cookie | The hunt's cookie, used to fetch the status or results of a running scan. |
visible | Returned if present in the JSON result. |
id | Returned if present in the JSON result (the `_id` field). |
source | Returned if present in the JSON result (the `_source` object). |
Insights
Severity | Description |
---|---|
Warn | A warning insight is created to report the malicious status of the enriched entity. It is created when the number of detections equals or exceeds the limit set before the scan. |
Script Result
Script Result Name | Value Options | Example |
---|---|---|
success | True/False | success:False |
JSON Result
[{
"EntityResult": [{
"visible": true,
"_id": "1a0e60bdaed45635be8dfe2ada5b3897c5346604d9c29df3db6e6e2f7ea5f5fd",
"_source": {
"size": 165888,
"malware": 0,
"sha1": "81bb895a833594013bc74b429fb1f24f9ec9df26",
"create_date": "2019-08-14T23:01:24",
"finish_date": "2019-08-14T23:07:40",
"imphash": "0a38e850afb4bc720ee47a34e25f5b35",
"filetype": "DLL64",
"ispublic": 1,
"tasks": [{
"metadata_compilation_ts": "2019-07-30T14:47:02"
}],
"region": ["us"],
"ssdeep": "3072:JYS22GGzr5yt8XBlkWj/ld/4Pq+HZk/4mQp39pXdxRvA6ppg+ea:ZIWRd/4PqI41QpTFpg+e",
"sha256": "1a0e60bdaed45635be8dfe2ada5b3897c5346604d9c29df3db6e6e2f7ea5f5fd",
"tag_groups": [],
"tag": [],
"md5": "385eab250b3164ef84bb71efca8e305d"
}}],
"Entity": "81bb895a833594013bc74b429fb1f24f9ec9df26"
}]
Hunt IP
Description
Hunt an IP address and retrieve a list of associated tags.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the IP Address entity.
Action Results
Entity Enrichment
An entity is marked Suspicious (True) when the number of detections meets or exceeds the limit set before the scan (see Insights); otherwise False.
Enrichment Field Name | Logic - When to apply |
---|---|
AutoFocus_Status | State of the scan: 0 - running, 1 - completed. |
AutoFocus_Percentage | If the scan is completed, the list of hits; otherwise the completion percentage of the scan. |
AutoFocus_Cookie | The hunt's cookie, used to fetch the status or results of a running scan. |
visible | Returned if present in the JSON result. |
id | Returned if present in the JSON result (the `_id` field). |
source | Returned if present in the JSON result (the `_source` object). |
Insights
Severity | Description |
---|---|
Warn | A warning insight is created to report the malicious status of the enriched entity. It is created when the number of detections equals or exceeds the limit set before the scan. |
Script Result
Script Result Name | Value Options | Example |
---|---|---|
success | True/False | success:False |
JSON Result
[{
"EntityResult": [{
"visible": true,
"_id": "1a0e60bdaed45635be8dfe2ada5b3897c5346604d9c29df3db6e6e2f7ea5f5fd",
"_source": {
"size": 165888,
"malware": 0,
"sha1": "81bb895a833594013bc74b429fb1f24f9ec9df26",
"create_date": "2019-08-14T23:01:24",
"finish_date": "2019-08-14T23:07:40",
"imphash": "0a38e850afb4bc720ee47a34e25f5b35",
"filetype": "DLL64",
"ispublic": 1,
"tasks": [{
"metadata_compilation_ts": "2019-07-30T14:47:02"
}],
"region": ["us"],
"ssdeep": "3072:JYS22GGzr5yt8XBlkWj/ld/4Pq+HZk/4mQp39pXdxRvA6ppg+ea:ZIWRd/4PqI41QpTFpg+e",
"sha256": "1a0e60bdaed45635be8dfe2ada5b3897c5346604d9c29df3db6e6e2f7ea5f5fd",
"tag_groups": [],
"tag": [],
"md5": "385eab250b3164ef84bb71efca8e305d"
}}],
"Entity": "95.179.168.51"
}]
Hunt URL
Description
Hunt a URL and retrieve a list of associated tags.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the URL entity.
Action Results
Entity Enrichment
An entity is marked Suspicious (True) when the number of detections meets or exceeds the limit set before the scan (see Insights); otherwise False.
Enrichment Field Name | Logic - When to apply |
---|---|
AutoFocus_Status | State of the scan: 0 - running, 1 - completed. |
AutoFocus_Percentage | If the scan is completed, the list of hits; otherwise the completion percentage of the scan. |
AutoFocus_Cookie | The hunt's cookie, used to fetch the status or results of a running scan. |
visible | Returned if present in the JSON result. |
id | Returned if present in the JSON result (the `_id` field). |
source | Returned if present in the JSON result (the `_source` object). |
Insights
Severity | Description |
---|---|
Warn | A warning insight is created to report the malicious status of the enriched entity. It is created when the number of detections equals or exceeds the limit set before the scan. |
Script Result
Script Result Name | Value Options | Example |
---|---|---|
success | True/False | success:False |
JSON Result
[{
"EntityResult": [{
"visible": true,
"_id": "1a0e60bdaed45635be8dfe2ada5b3897c5346604d9c29df3db6e6e2f7ea5f5fd",
"_source": {
"size": 165888,
"malware": 0,
"sha1": "81bb895a833594013bc74b429fb1f24f9ec9df26",
"create_date": "2019-08-14T23:01:24",
"finish_date": "2019-08-14T23:07:40",
"imphash": "0a38e850afb4bc720ee47a34e25f5b35",
"filetype": "DLL64",
"ispublic": 1,
"tasks": [{
"metadata_compilation_ts": "2019-07-30T14:47:02"
}],
"region": ["us"],
"ssdeep": "3072:JYS22GGzr5yt8XBlkWj/ld/4Pq+HZk/4mQp39pXdxRvA6ppg+ea:ZIWRd/4PqI41QpTFpg+e",
"sha256": "1a0e60bdaed45635be8dfe2ada5b3897c5346604d9c29df3db6e6e2f7ea5f5fd",
"tag_groups": [],
"tag": [],
"md5": "385eab250b3164ef84bb71efca8e305d"
}}],
"Entity": "http://example.com"
}]
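The four Hunt actions above (Hunt Domain, Hunt File, Hunt IP, Hunt URL) share one asynchronous pattern: a hunt is submitted, a cookie identifies it, and each poll returns either a completion percentage (AutoFocus_Status 0) or the list of hits (AutoFocus_Status 1), from which the visible/id/source fields and the Suspicious verdict are derived. The following Python example is added here to show that pattern end to end; it is not code from the integration or from Palo Alto Networks. The HTTP endpoints are replaced by an in-memory stub, and the stub's response field names (af_in_progress, af_complete_percentage, hits), the cookie format, and the choice of a distinct-tag count as "the limit" are all assumptions made for the example. The sample hit is constructed from the Hunt Domain JSON Result above, with two tag values added so the threshold has something to count.

```python
"""Added example: poll an asynchronous AutoFocus-style hunt and build the
enrichment fields documented for the Hunt actions.  Not integration code."""
import copy
import json
import time

# Constructed sample hit in the documented JSON Result shape.  The two tag
# strings are invented so that the threshold logic below has data to act on.
SAMPLE_HIT = {
    "visible": True,
    "_id": "8002b33fdf1caec503a25ee39297005e84c6af169df65d8be82e2465baa9b2b0",
    "_source": {
        "malware": 1,
        "sha256": "8002b33fdf1caec503a25ee39297005e84c6af169df65d8be82e2465baa9b2b0",
        "filetype": "DLL64",
        "tag": ["Example.TagOne", "Example.TagTwo"],  # constructed values
        "tag_groups": [],
        "region": ["us"],
    },
}


class FakeAutoFocus:
    """In-memory stand-in for the submit/results calls (an assumption about
    the API shape so the example runs offline).  Every results() call advances
    the simulated scan by one step until polls_until_done is reached."""

    def __init__(self, hits, polls_until_done=2):
        self._hits = hits
        self._polls_until_done = polls_until_done
        self._polls = {}  # cookie -> number of results() calls so far

    def submit(self, query):
        cookie = "af-cookie-%d" % (len(self._polls) + 1)  # assumed format
        self._polls[cookie] = 0
        return cookie

    def results(self, cookie):
        if cookie not in self._polls:
            raise KeyError("unknown cookie %r" % cookie)
        self._polls[cookie] += 1
        done = self._polls[cookie] >= self._polls_until_done
        pct = 100 if done else 100 * self._polls[cookie] // self._polls_until_done
        return {
            "af_in_progress": not done,
            "af_complete_percentage": pct,
            "hits": copy.deepcopy(self._hits) if done else [],
        }


def poll(client, cookie, max_polls=5, poll_interval=0.0):
    """Poll a hunt by cookie and return the three AutoFocus_* fields exactly as
    the page defines them.  If the scan is still running after max_polls, the
    cookie is handed back so a later action run can resume the same hunt."""
    result = client.results(cookie)
    polls = 1
    while result["af_in_progress"] and polls < max_polls:
        time.sleep(poll_interval)
        result = client.results(cookie)
        polls += 1
    if result["af_in_progress"]:
        return {"AutoFocus_Status": 0,
                "AutoFocus_Percentage": result["af_complete_percentage"],
                "AutoFocus_Cookie": cookie}
    return {"AutoFocus_Status": 1,
            "AutoFocus_Percentage": result["hits"],
            "AutoFocus_Cookie": cookie}


def hunt(client, query, **poll_kwargs):
    """Submit a hunt for one entity value and poll it."""
    return poll(client, client.submit(query), **poll_kwargs)


def flatten_hit(hit):
    """Map one raw hit onto the visible / id / source enrichment fields."""
    mapping = (("visible", "visible"), ("id", "_id"), ("source", "_source"))
    return {dst: hit[src] for dst, src in mapping if src in hit}


def enrich(entity, hunt_result, tag_limit=1):
    """Build the enrichment for one entity.  The limit is taken to be a count of
    distinct AutoFocus tags across all hits (an assumption); the verdict uses
    >= to match the Insights wording 'equals or exceeds'.  No verdict is given
    while the scan is still running."""
    enrichment = dict(hunt_result)
    enrichment["Entity"] = entity
    if hunt_result["AutoFocus_Status"] != 1:
        enrichment["is_suspicious"] = False
        return enrichment
    hits = [flatten_hit(h) for h in hunt_result["AutoFocus_Percentage"]]
    tags = set()
    for h in hits:
        tags.update(h.get("source", {}).get("tag", []))
    enrichment["hits"] = hits
    enrichment["tag_count"] = len(tags)
    enrichment["is_suspicious"] = len(tags) >= tag_limit
    return enrichment


if __name__ == "__main__":
    client = FakeAutoFocus([SAMPLE_HIT], polls_until_done=3)
    first = hunt(client, "example.com", max_polls=1)      # comes back still running
    final = poll(client, first["AutoFocus_Cookie"])       # resume with the cookie
    print(json.dumps(enrich("example.com", final, tag_limit=2), indent=2))
```

The split between hunt() and poll() is deliberate: a SOAR action that times out on a long hunt can store AutoFocus_Cookie on the entity and a later run can call poll() with it instead of submitting a second, quota-consuming hunt. Treat the tag-count threshold as a placeholder for whatever limit your playbook actually configures.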
Ping
Description
Test connectivity to AutoFocus.
Parameters
N/A
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
success | True/False | success:False |
JSON Result
N/A