Get AutoFocus Session Info Enrichment workflow

When the Security Operations Palo Alto Networks - Get AutoFocus Session Info Enrichment workflow is executed, it queues a search query with AutoFocus for gathering information about a specified source IP. If AutoFocus has knowledge about previous sessions originating from that IP address, a JSON-formatted report is returned.

Before you begin

Role required: sn_si.analyst

About this task

The Security Operations Palo Alto Networks - Get AutoFocus Session Info Enrichment workflow is executed when the Source IP field in a security incident is modified and the record is updated. The workflow fetches the IP address and submits a query request to AutoFocus. If AutoFocus has previously identified sessions originating from the IP address, a JSON-formatted report is returned.
Figure 1. Security Operations Palo Alto Networks - Get Wildfire Data Enrichment workflow
AutoFocus workflow

Procedure

  1. Navigate to Security Incident > Show Open Incidents.
  2. Click the Indicators of Compromise tab and populate the Source IP field.
  3. Click Update.
    AutoFocus scans the information from the IP address, and a text file in JSON format is attached to the security incident.